A survey conducted in April and May 2023 revealed that around ** percent of the companies that do business in the European Union (EU) and the United Kingdom (UK) found it challenging to adapt to new or changing requirements of the General Data Protection Regulation (GDPR) or Data Protection Act 2018 (DPA). A further ** percent of the survey respondents said it was challenging to increase the budget because of the changes in the data privacy laws.

The European Union implemented data privacy laws in mid-2018 and the state of California enacted a similar law several weeks later. These regulations affect medical data collection and analysis. It is unclear if they achieve this goal in the realm of clinical trials. Here we investigate the effect of these laws on clinical trials through analysis of clinical trials recorded on the US's ClinicalTrials.gov, the World Health Organization's International Clinical Trials Registry Platform and scientific papers describing clinical trials. Our findings show that the number of phase 1 and 2 trials in countries not adhering to these data privacy laws rose significantly after implementation of these laws. The largest rise occurred in countries which are less free, as indicated by the negative correlation (−0.48, p = 0.008) between the civil liberties freedom score of countries and the increase in the number of trials. This trend was not observed in countries adhering to data privacy laws nor in the paper publication record. The rise was larger (and statistically significant) among industry funded trials and interventional trials. Thus, the implementation of data privacy laws is associated a change in the location of clinical trials, which are currently executed more often in countries where people have fewer protections for their data.

Since the EU's implementation of the General Data Protection Regulation (GDPR) in May 2018, numerous fines have been issued for violations or non-compliance. Of these, the fine of 1.2 billion euros received by Meta Platforms, Inc. in May 2023 has been by far the greatest. The company was issued such a penalty for personal data transfers to the United States without sufficiently complying with the EU regulation.

As of January 2025, The European Union (EU) had three fully operating and one upcoming law regarding online privacy and the usage of digital technologies. The first one, the General Data Protection Regulation (GDPR), was enacted in May 2018. The second law became effective on February 17, 2024, and is called the Digital Services Act (DSA). In March 2024, another law protecting consumer privacy, the Digital Markets Act, was enacted. The latest regulation adopted by the European Union (EU) is called the Cyber Resilience Act (CRA), which became active in December 2024.

Since the entry into force of the General Data Protection Regulation (GDPR), on 25 May 2018, only digital processing of the most sensitive personal data must be subject to prior formalities with the CNIL.

These formalities may take the form of simplified declarations (declarations of conformity with a reference framework proposed by the CNIL), requests for an opinion (for the sovereign activities of the State) or applications for authorisation (in the field of health). To find out more: cnil.fr.

In accordance with the amended Data Protection Act (Article 36), the CNIL keeps available to the public the list of these formalities in an open and easily reusable format, known as “List article 36”.

** Warnings:**

1/The published data are the result of the prior formalities completed, since May 25, 2018, by the controllers of personal data processing at the CNIL, via its dedicated teleservices. The CNIL cannot be held responsible for their content.

2/The processing carried out on behalf of the State may not appear in the dataset, the formalities having been completed in the form of requests for an opinion on a draft regulatory act (decree or decree) not submitted via the teleservices mentioned. The information relating to these treatments is available on Legifrance, the opinion of the CNIL being published with the act authorising the treatment (to access the deliberations of the CNIL: https://www.legifrance.gouv.fr/initRechExpCnil.do). In addition, some important treatments are subject to fiches on the CNIL website.

3/Exceptionally exempted from the publication of the regulatory act authorising them (decree or decree) are not included in the published data set, in accordance with article 36 of the amended Data Protection Act. The treatments referred to in Article 30 I and II may be exempted, by decree in the Council of State, from the publication of the regulatory act which authorises them. These treatments are mentioned in Decree n°2007-914 of 15 May 2007.

Questions about GDPR? Ecommerce managers everywhere are wondering how their online business will be affected by the General Data Protection Regulation. It is set to become law in the European Union (EU) on May 25, 2018. But your business isn’t headquartered in the EU? GDPR requirements will govern the way you interact with EU customers […]

Any person or association can submit a complaint to the CNIL for non-compliance with the Data Protection Act and, since May 25, 2018, for non-compliance with the General Data Protection Regulation (GDPR).

The CNIL can then contact the person in charge of the file to check its compliance with the law and request corrective actions if necessary. At the end, the complainant is informed of the actions taken.

This dataset presents the number of complaints received since 1981.

Disclaimer: for any questions about the operation of a file and the help that the CNIL can provide you, please do not use the "Discussions" below, which are visible to all and reserved for exchanges on published datasets; use the Need help service (https://www.cnil.fr/en/cnil-direct) or contact the CNIL on 01 53 73 22 22.

Since the enforcement of the General Data Protection Regulation (GDPR) in May 2018, Ireland has reported the highest amount of fines issued for violation of the regulation, over **** billion euros. Luxembourg ranked second, with around *** million euros, while France followed, issuing ****** million euros of fines for GDPR violations.

The CNIL may sanction a data controller who has not taken the necessary measures to comply with the Data Protection Act and, from 25 May 2018, the General Data Protection Regulation (GDPR).

The datasets presented concern the number of sanctions, pronounced by the restricted formation of the CNIL, notified each year since 2014 (and their breakdown by type of decision, which has evolved hence the publication of data with the new typology of sanctions as of 2019).

In addition to the distribution of this game, the content of the public sanctions is available on Legifrance.

Disclaimer: for any questions about the operation of a file and the help that the CNIL can provide you, please do not use the "Discussions" below, which are visible to all and reserved for exchanges on published datasets; use the Need help service (https://www.cnil.fr/en/cnil-direct) or contact the CNIL on 01 53 73 22 22.

Prior to the entry into force of the General Data Protection Regulation (GDPR) on 25 May 2018, the Data Protection Correspondent (CIL) was responsible for ensuring compliance with the Data Protection Act within the company, group, association or administration that had designated it.

This designation was optional.

The CNIL publishes the list of private and public bodies that wished to engage in a compliance process by designating a CIL prior to the establishment, by the GDPR, of the DPO.

Collection of definitions of terms in English, French, German, Italian and Spanish extracted from the following data-related European laws:

1. Directive 2007/2/EC of the European Parliament and of the Council of 14 March 2007 establishing an Infrastructure for Spatial Information in the European Community (INSPIRE)

2. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)

3. Commission Recommendation (EU) 2018/790 of 25 April 2018 on access to and preservation of scientific information

4. Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union (Text with EEA relevance)

5. Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC (Text with EEA relevance)

6. Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (recast) (Open Data Directive)

7. Regulation (EU) 2021/695 of the European Parliament and of the Council of 28 April 2021 establishing Horizon Europe – the Framework Programme for Research and Innovation, laying down its rules for participation and dissemination, and repealing Regulations (EU) No 1290/2013 and (EU) No 1291/2013 (Text with EEA relevance)

8. Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (Text with EEA relevance)

9. Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (Text with EEA relevance)

10. Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (Text with EEA relevance)

11. Commission Implementing Regulation (EU) 2023/138 of 21 December 2022 laying down a list of specific high-value datasets and the arrangements for their publication and re-use (Text with EEA relevance)

12. Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)

13. Regulation (EU) 2024/903 of the European Parliament and of the Council of 13 March 2024 laying down measures for a high level of public sector interoperability across the Union (Interoperable Europe Act)

14. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) Text with EEA relevance.

15. Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (Text with EEA relevance)

As of February 2025, the largest fine issued for violation of the General Data Protection Regulation (GDPR) in the United Kingdom (UK) was more than 22 million euros, received by British Airways in October 2020. Another fine received by Marriott International Inc. in the same month was the second-highest in the UK and amounted to over 20 million euros.

List of personal data processing activities of the Government of Aragon that comply with data protection regulations (General Data Protection Regulation - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC and Royal Decree-Law 5/2018 of 27 July 2018 on urgent measures for the adaptation of Spanish law to European Union legislation on data protection).

Whilst this some of the requested information is held by the NHSBSA, we have exempted some of the figures under section 40(2) subsections 2 and 3(a) of the FOIA because it is personal data of applicants to the VDPS. This is because it would breach the first data protection principle as: a - it is not fair to disclose individual’s personal details to the world and is likely to cause damage or distress. b - these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the individual. https://www.legislation.gov.uk/ukpga/2000/36/section/40 Information Commissioner Office (ICO) Guidance is that information is personal data if it ‘relates to’ an ‘identifiable individual’ regulated by the UK General Data Protection Regulation (UK GDPR) or the Data Protection Act 2018. The information relates to personal data of the VDPS claimants and is special category data in the form of health information. As a result, the claimants could be identified, when combined with other information that may be in the public domain or reasonably available. Online communities exist for those adversely affected by vaccines they have received. This further increases the likelihood that those may be identified by disclosure of this information. Section 40(2) is an absolute, prejudice-based exemption and therefore is exempt if disclosure would contravene any of the data protection principles. To comply with the lawfulness, fairness, and transparency data protection principle, we either need the consent of the data subject(s) or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet the legitimate interest and finally, the disclosure must not cause unwarranted harm. The NHSBSA has considered this and does not have the consent of the data subjects to release this information and believes that it would not be possible to obtain consent that meets the threshold in Article 7 of the UK GDPR. The NHSBSA acknowledges that you have a legitimate interest in disclosure of the information to provide the full picture of data held by the NHSBSA; however, we have concluded that disclosure of the requested information would cause unwarranted harm and therefore, section 40(2) is engaged. This is because there is a reasonable expectation that patient data processed by the NHSBSA remains confidential, especially special category data. There are no reasonable alternative measures that could meet the legitimate aim. As the information is highly confidential and sensitive, it outweighs the legitimate interest in the information. Section 41 FOIA This information is also exempt under section 41 of the FOIA (information provided in confidence). This is because the requested information was provided to the NHSBSA in confidence by a third party - another individual, company, public authority or any other type of legal entity. In this instance, details have been provided by the claimants. For Section 41 to be engaged, the following criteria must be fulfilled:

In September 2024, the Irish Data Protection Commission fined Meta Ireland 91 million euros after passwords of social media users were stored in 'plaintext' on Meta's internal systems rather than with cryptographic protection or encryption. In May 2023, the EU fined Meta 1.2 billion euros for violating laws on digital privacy and putting the data of EU citizens at risk through Facebook's EU-U.S. data transfers. European privacy legislation is seen as being far stricter than American privacy law, and the sending of EU citizens’ data to the United States resulted in the record breaking penalty being issued to the tech giant. In January 2023, after it was discovered that Meta Platforms had improperly required that users of Facebook, Instagram, and WhatsApp accept personalized adverts to use the platforms, the company was issued a 390 million euro fine by the European Commission. EU regulators claim that the social media giant broke the General Data Protection Regulation (GDPR) by including the demand in its terms of service. In addition, Meta was fined 405 million euros by the Irish Data Protection Commission (DPC) in September 2022 for violating Instagram's children's privacy settings. In November 2022, the DPC fined Meta a further 265 million euros for failing to protect their users from data scraping. GDPR violations in 2022 Social media sites and companies are not the only types of online services upon which users' data can potentially be compromised. In 2022, the online service with the biggest fine for violating GDPR was e-commerce and digital powerhouse Amazon, which was issued a 746 million euro fine. Furthermore, in December 2021, Google was penalized 90 million euros for GDPR violations. What are the most common GDPR violations? Since GDPR went into effect in May 2018, fines have been imposed for a variety of reasons. As of June 2022, companies' non-compliance with general data processing principles accounted for the largest share of fines, resulting in over 845 million euros worth of penalties. Insufficient legal basis for data processing was the second most common violation, amounting to 447 million euros in fines.

Any person or association can submit a complaint to the CNIL for non-compliance with the Data Protection Act and, since May 25, 2018, for non-compliance with the General Data Protection Regulation (GDPR). The CNIL can then contact the person in charge of the file to check its compliance with the law and request corrective actions if necessary. At the end, the complainant is informed of the actions taken. This dataset presents the number of complaints received since 1981. Disclaimer: for any questions about the operation of a file and the help that the CNIL can provide you, please do not use the "Discussions" below, which are visible to all and reserved for exchanges on published datasets; use the Need help service (https://www.cnil.fr/en/cnil-direct) or contact the CNIL on 01 53 73 22 22.

I can confirm that we do hold the requested information however, we consider the name and General Medical Council (GMC) number to be personal data under section 3(2) of the Data Protection Act 2018. Disclosure of the medical assessor’s name or GMC number would result in the identification of the medical assessor when entered into the GMC public register. As the requested information would allow a medical assessor to be identified, I consider this information is exempt under section 40(2) and 40(3A)(a) of the FOIA (personal information). This is because it would breach the first data protection principle as: a) it is not fair to disclose medical assessors’ personal details to the world and is likely to cause damage or distress. b) these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the medical assessor. For disclosure to comply with the lawfulness, fairness, and transparency principle, we either need the consent of the medical assessor or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet that interest and finally, the disclosure must not cause unwarranted harm. In this case we do not have the consent of the medical assessor to disclose their personal information. This means that the NHSBSA is therefore required to conduct a balancing exercise between the legitimate interest in disclosing the information against the rights and freedoms of the medical assessor. Having reviewed the information you have provided I acknowledge that you have a legitimate interest in disclosure of the information. However, I agree with the previous decision that disclosure of the requested information would cause unwarranted harm. Whilst I acknowledge your comments on this, disclosure under FOIA is to the world and therefore the NHSBSA has to consider the overall impact of the disclosure and its duty of care. The expectation of the medical assessors is that they will remain anonymous and will therefore not be subject to contact or pressure from claimants or campaigning groups. Given the certainty that the name and/or GMC number will identify the medical assessor there is a reasonable expectation that this information would not be disclosed under the FOIA. Disclosing this information would be unfair and as such this would breach the UK General Data Protection Regulation first data protection principle. Please see the following link to view the section 40 exemption in full - https://www.legislation.gov.uk/ukpga/2000/36/section/40

I can confirm that we do hold information on the names and General Medical Council (GMC) numbers for independent medical assessors. Please note that this response does not relate to a specific claim or claimant. The request is being answered more generally given requests under FOIA are requester-blind, that is to say the identity of the requester is not taken into account when considering a request for information under FOIA. We consider the name and GMC number to be personal data under the Data Protection Act 2018. Disclosure of their names or GMC numbers would result in their identification when entered into the GMC public register. Please be aware that I have decided not to release the names and GMC numbers of the independent medical assessors as this information falls under the exemption in section 40 subsections 2 and 3(A)(a) of the FOIA. As the requested information would allow an independent medical assessor to be identified, I consider this information is exempt. This is because it would breach the first data protection principle as: A. it is not fair to disclose their personal details to the world and is likely to cause damage or distress. B. these details are not of sufficient interest to the public to warrant an intrusion into their privacy. The requested information is exempt if disclosure would contravene any of the data protection principles. For disclosure to comply with the lawfulness, fairness, and transparency principle, we either need the consent of the data subject(s) or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet the legitimate interest and finally, the disclosure must not cause unwarranted harm. This means that the NHSBSA is therefore required to conduct a balancing exercise between the legitimate interest of the applicant in disclosure against the rights and freedoms of the independent medical assessor. While I acknowledge that you have a legitimate interest in disclosure of the information, the disclosure of the requested information would cause unwarranted harm. Disclosure under FOIA is to the world and therefore the NHSBSA has to consider the overall impact of the disclosure and its duty of care. The expectation of the independent medical assessors is that they will remain anonymous and will therefore not be subject to contact or pressure from claimants or campaigning groups. Given the certainty that the name and/or GMC number will identify them, there is a reasonable expectation that this information will not be disclosed under the FOIA. Disclosing this information would be unfair and as such this would breach the UK General Data Protection Regulation first data protection principle. Please see the following link to view the section 40 exemption in full: https://www.legislation.gov.uk/ukpga/2000/36/section/40 Qualifications and experience The NHSBSA does not hold information on the independent medical assessors' qualifications. This is because their medical qualifications and experience are the responsibility of the third-party medical assessment supplier. I hope, however, that the following information provides reassurance on this point: All claims are assessed by the independent medical assessment company with a consistent approach. Each case is considered on its own merits, by an experienced independent medical assessor. The contract with our supplier does not require them to tell us details of their qualifications or their experience.

Energy Performance Data for Non-domestic Buildings:This dataset presents data from every valid non-domestic EPC assessment held by the Scottish EPC Register (SEPCR) from commencement of central lodgement of the current EPC format to the SEPCR in October 2014 to September 2024. The data was extracted from the register on 25 October 2024.The data is published as a single file. Historic records (where a newer assessment of a building is lodged) and records lodged but subsequently marked ‘not for issue’ (usually due to an error in lodged data) are not reported. The data published in this extract is made available as Environmental Information for data analysis and to enable research into energy efficiency issues. The data must not be relied upon to verify if a valid EPC exists for a building, nor as the basis for the provision of energy improvement advice for a building. To check for compliance with regulatory requirements, a search for a valid EPC for a building should be undertaken at the Scottish Energy Performance Certificate Register. Please note that this data is not personal data in its published form. Persons accessing this dataset should be aware that if processing falls within the scope of the United Kingdom General Data Protection Regulation, or The Data Protection Act 2018, they will become a data controller and must comply with the data protection legislation. In line with the Scottish Government's Open Data Strategy, this data is published in a three-star format (data which is made available online, in an open and machine-readable format – see below for copyright information).