The year 2025 has confirmed a clear trend across Europe: data protection authorities are increasingly imposing high administrative fines, while the argument of a “lack of intent” is losing its significance. Regulatory attention has focused in particular on:
- cookies and online marketing practices,
- personal data breaches,
- the absence of proper documentation of controllers’ decisions,
- incorrect or insufficient risk assessments.
In practice, this reflects a shift in focus from the question of “whether a data breach occurred” to the more fundamental issue of:
whether the controller is able to demonstrate compliance with the principle of accountability (Article 5(2) GDPR).
For organisations, this means the need for genuine, not merely declarative, implementation of:
- incident response procedures,
- risk assessment processes,
- consent mechanisms and the ability to withdraw consent,
- proper documentation of decisions related to personal data protection.
