[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article_59556":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":8,"wordCount":9,"readTime":10,"title":7,"nbDownloads":11,"excerpt":12,"lang":13,"url":14,"intro":8,"featured":15,"state":16,"author":17,"authorId":18,"datePublication":22,"dateCreation":23,"dateUpdate":24,"mainCategory":25,"categories":41,"metaDatas":68,"imageUrl":69,"imageThumbUrls":70,"id":78},true,"Tired of general newsletters that skim over your real concerns? **DastraNews** offers legal and regulatory monitoring **specifically designed for DPOs, lawyers, and privacy professionals**.\r\n\r\nEach month, we go beyond a simple recap: we select about ten decisions, news, or positions **that have a concrete impact on your missions and organizations**.\r\n\r\n🎯 **Targeted, useful monitoring grounded in the real-world realities of data protection and AI.**\r\n\r\nHere is our selection for **August 2025**:\r\n\r\n---\r\n\r\n## Luxembourg – Publication of guidelines on AI Literacy by the CNPD\r\n\r\nOn August 2, 2025, the National Commission for Data Protection (CNPD) released guidance regarding Article 4 of Regulation (EU) 2024/1689 on artificial intelligence (AI Act). This article requires all individuals involved in the operation or use of AI systems to have a sufficient level of AI Literacy.\r\n\r\nThe CNPD emphasizes a proportional approach: training must be tailored to the experience level of employees, the risks posed by the systems to individuals, and the supervision mechanisms that are in place.\r\n\r\nEffective since February 2, 2025, this requirement represents a major challenge for employers, who must ensure that their teams possess appropriate skills to use and supervise AI in a professional context. 
This requirement adds to other AI Act obligations, such as the prohibition of AI systems posing unacceptable risks.\r\n\r\n> 👉 Read the [CNPD article here.](https://cnpd.public.lu/fr/dossiers-thematiques/intelligence-artificielle/regulation-ia/ria-maitrise-ia.html)\r\n>\r\n> 👉 For more information, read our [article here on AI Literacy and Shadow AI.](https://www.dastra.eu/fr/article/comment-lutter-contre-le-shadow-ai/59536)\r\n\r\n## United Kingdom – The Law Commission opens the debate on the legal personality of AI\r\n\r\nThe **Law Commission** of the United Kingdom has released a major discussion paper on the question of the legal personality of AI systems. This report analyzes the unique characteristics of AI, including its autonomy, adaptability, and evolving learning modes, to assess whether these systems could eventually be recognized with a specific form of legal personality.\r\n\r\nThe study explores two scenarios: on one hand, granting legal personality to directly attribute rights and obligations to certain AI systems; on the other hand, maintaining the current framework, where responsibilities continue to rest exclusively with the natural or legal persons who design, deploy, or operate these technologies.\r\n\r\nThe Commission stresses the need for **legal evolution that matches the pace of technological innovation**, while warning against the risks of a status quo that could create blurred areas of responsibility in cases of harm caused by AI. 
The paper invites stakeholders (lawyers, businesses, public institutions) to contribute to this foundational debate for the future of law.\r\n\r\n> 👉 [Read the full report of the Law Commission](https://cloud-platform-e218f50a4812967ba1215eaecede923f.s3.amazonaws.com/uploads/sites/54/2025/07/AI-paper-PDF.pdf?utm_source=chatgpt.com)\r\n\r\n## The European Commission publishes the list of signatories of the GPAI Code of Conduct\r\n\r\nThe European Commission has unveiled the complete list of companies that have adhered to the **EU Code of Good Practice for Generative Artificial Intelligence**, also known as the **Code of Practices for General-Purpose AI (GPAI)**.\r\n\r\nThis voluntary code, developed through a multistakeholder process with independent experts, serves as a practical tool to assist the industry in complying with the obligations of the AI Regulation (AI Act) applicable to GPAI model suppliers. Published on July 10, 2025, it is accompanied by the Commission's guidelines on several key concepts related to these models.\r\n\r\nThe Commission and the AI Council have confirmed that this code constitutes an adequate instrument for voluntary compliance. By signing it, model suppliers can more easily demonstrate their adherence to the AI Act while benefiting from reduced administrative burdens and enhanced legal certainty.\r\n\r\n> 👉 [Check the complete list of signatories here](https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai#ecl-inpage-Signatories-of-the-AI-Pact)\r\n\r\n{% button href=\"https://www.dastra.eu/en/article/general-purpose-ai-code-of-practice-what-you-need-to-know/59438\" text=\"Click here for a breakdown of the Code\" target=\"\\_blank\" role=\"button\" class=\"btn btn-primary\" %}\r\n\r\n## AI Act: What changes on August 2, 2025\r\n\r\nAs of August 2, 2025, several essential provisions of Regulation (EU) 2024/1689 or the Regulation on Artificial Intelligence (AI Act) came into force and are now legally binding. 
These provisions include:\r\n\r\n- **Governance rules, namely governance at the Union level and the competent national authorities; and**\r\n\r\n- **Obligations concerning general-purpose AI models.**\r\n\r\n{% button href=\"https://www.dastra.eu/en/article/ai-act-phase-two-what-changes-on-august/59455\" text=\"Discover our analysis here\" target=\"\\_blank\" role=\"button\" class=\"btn btn-primary\" %}\r\n\r\n## Germany – Update of BfDI guidelines\r\n\r\nThe Federal Commissioner for Data Protection (BfDI) has published a new version of its guidelines. This document provides a comprehensive analysis of the relationship between the GDPR and the BDSG, details the legal bases for processing, recalls data protection principles, the obligations of the DPO, and the rights of data subjects, and illustrates each of these points with practical examples.\r\n\r\n> 👉 [Check the guidelines here](https://www.bfdi.bund.de/SharedDocs/Downloads/DE/Broschueren/INFO1.html?nn=251928&utm_source=chatgpt.com)\r\n\r\n## United Kingdom – ICO consultations on the Data Use and Access Act (DUA)\r\n\r\nFollowing the entry into force of the **Data Use and Access Act 2025 (DUAA)**, the Information Commissioner’s Office (ICO) has opened a series of public consultations intended to prepare the publication of final guidelines.\r\n\r\nThe first consultation addresses the introduction of a new legal basis, \"acknowledged legitimate interest,\" as well as processing complaints related to data protection from organizations.\r\n\r\nThe ICO invites the concerned actors to submit substantive contributions to inform the development of clear and operational rules.\r\n\r\n{% button href=\"https://www.dastra.eu/en/article/what-the-duaa-means-for-your-organization/59414\" text=\"Check out what the DUAA means for your organisation \" target=\"\\_blank\" role=\"button\" class=\"btn btn-primary\" %}\r\n\r\n## CNIL sanction procedure: a constitutional turning point\r\n\r\nOn August 8, 2025, the Constitutional 
Council issued a major ruling (QPC n° 2025-1154) that modifies the sanction procedure before the CNIL. This evolution directly affects data controllers and their processors.\r\n\r\nUntil now, implicated entities could submit written comments or be heard, but without being informed of their right to remain silent. In practice, responding could lead to self-incrimination.\r\n\r\nCiting Article 9 of the Declaration of Rights of 1789, the Council ruled that the right to silence, recognized in criminal matters, should also apply to administrative sanctions of a punitive nature, such as the fines imposed by the CNIL. The failure to inform about this right was deemed unconstitutional.\r\n\r\nThe repeal of the relevant provisions is postponed to October 1, 2026. However, from now on, the CNIL must explicitly notify implicated companies of their right to silence. Sanctions imposed before August 8, 2025, remain final.\r\n\r\nThis decision aligns CNIL sanctions more closely with criminal logic and requires companies to adopt a defensive approach in their interactions with the regulator.\r\n\r\n> 👉 Check out [the decision here.](https://www.conseil-constitutionnel.fr/decision/2025/20251154QPC.htm)\r\n\r\n## Spain – €200,000 fine for violating the principle of data accuracy\r\n\r\nThe Spanish data protection authority (AEPD) imposed a fine of **€200,000** on **ENDESA ENERGÍA, S.A.U.**, a subsidiary of the ENDESA group, for a serious breach of the principle of data accuracy under Article 5.1(d) of the GDPR.\r\n\r\nThe case originated from a complaint filed in May 2023, after an individual had their electricity and gas contracts terminated without consent. The investigation revealed that the company mistakenly assigned the complainant's universal supply point codes (CUPS) to a third party due to a data entry error during a change of ownership. 
This unverified confusion before execution led to the abusive suspension of services.\r\n\r\nIn addition to the financial penalty, the AEPD ordered the company to implement enhanced procedures within six months to ensure the reliability of data processing during supplier or ownership changes. Failure to comply with this requirement could lead to further administrative violations.\r\n\r\n> 👉 [Check out the sanction here](https://www.aepd.es/documento/ps-00232-2024.pdf)","\u003Cp>Tired of general newsletters that skim over your real concerns? \u003Cstrong>DastraNews\u003C/strong> offers legal and regulatory monitoring \u003Cstrong>specifically designed for DPOs, lawyers, and privacy professionals\u003C/strong>.\u003C/p>\r\n\u003Cp>Each month, we go beyond a simple recap: we select about ten decisions, news, or positions \u003Cstrong>that have a concrete impact on your missions and organizations\u003C/strong>.\u003C/p>\r\n\u003Cp>🎯 \u003Cstrong>Targeted, useful monitoring grounded in the real-world realities of data protection and AI.\u003C/strong>\u003C/p>\r\n\u003Cp>Here is our selection for \u003Cstrong>August 2025\u003C/strong>:\u003C/p>\r\n\u003Chr />\r\n\u003Ch2 id=\"luxembourg-publication-of-guidelines-on-ai-literacy-by-the-cnpd\">Luxembourg – Publication of guidelines on AI Literacy by the CNPD\u003C/h2>\r\n\u003Cp>On August 2, 2025, the National Commission for Data Protection (CNPD) released guidance regarding Article 4 of Regulation (EU) 2024/1689 on artificial intelligence (AI Act). 
This article requires all individuals involved in the operation or use of AI systems to have a sufficient level of AI Literacy.\u003C/p>\r\n\u003Cp>The CNPD emphasizes a proportional approach: training must be tailored to the experience level of employees, the risks posed by the systems to individuals, and the supervision mechanisms that are in place.\u003C/p>\r\n\u003Cp>Effective since February 2, 2025, this requirement represents a major challenge for employers, who must ensure that their teams possess appropriate skills to use and supervise AI in a professional context. This requirement adds to other AI Act obligations, such as the prohibition of AI systems posing unacceptable risks.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>👉 Read the \u003Ca href=\"https://cnpd.public.lu/fr/dossiers-thematiques/intelligence-artificielle/regulation-ia/ria-maitrise-ia.html\" rel=\"nofollow\">CNPD article here.\u003C/a>\u003C/p>\r\n\u003Cp>👉 For more information, read our \u003Ca href=\"https://www.dastra.eu/fr/article/comment-lutter-contre-le-shadow-ai/59536\">article here on AI Literacy and Shadow AI.\u003C/a>\u003C/p>\r\n\u003C/blockquote>\r\n\u003Ch2 id=\"united-kingdom-the-law-commission-opens-the-debate-on-the-legal-personality-of-ai\">United Kingdom – The Law Commission opens the debate on the legal personality of AI\u003C/h2>\r\n\u003Cp>The \u003Cstrong>Law Commission\u003C/strong> of the United Kingdom has released a major discussion paper on the question of the legal personality of AI systems. 
This report analyzes the unique characteristics of AI, including its autonomy, adaptability, and evolving learning modes, to assess whether these systems could eventually be recognized with a specific form of legal personality.\u003C/p>\r\n\u003Cp>The study explores two scenarios: on one hand, granting legal personality to directly attribute rights and obligations to certain AI systems; on the other hand, maintaining the current framework, where responsibilities continue to rest exclusively with the natural or legal persons who design, deploy, or operate these technologies.\u003C/p>\r\n\u003Cp>The Commission stresses the need for \u003Cstrong>legal evolution that matches the pace of technological innovation\u003C/strong>, while warning against the risks of a status quo that could create blurred areas of responsibility in cases of harm caused by AI. The paper invites stakeholders (lawyers, businesses, public institutions) to contribute to this foundational debate for the future of law.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>👉 \u003Ca href=\"https://cloud-platform-e218f50a4812967ba1215eaecede923f.s3.amazonaws.com/uploads/sites/54/2025/07/AI-paper-PDF.pdf?utm_source=chatgpt.com\" rel=\"nofollow\">Read the full report of the Law Commission\u003C/a>\u003C/p>\r\n\u003C/blockquote>\r\n\u003Ch2 id=\"the-european-commission-publishes-the-list-of-signatories-of-the-gpai-code-of-conduct\">The European Commission publishes the list of signatories of the GPAI Code of Conduct\u003C/h2>\r\n\u003Cp>The European Commission has unveiled the complete list of companies that have adhered to the \u003Cstrong>EU Code of Good Practice for Generative Artificial Intelligence\u003C/strong>, also known as the \u003Cstrong>Code of Practices for General-Purpose AI (GPAI)\u003C/strong>.\u003C/p>\r\n\u003Cp>This voluntary code, developed through a multistakeholder process with independent experts, serves as a practical tool to assist the industry in complying with the obligations of the AI 
Regulation (AI Act) applicable to GPAI model suppliers. Published on July 10, 2025, it is accompanied by the Commission's guidelines on several key concepts related to these models.\u003C/p>\r\n\u003Cp>The Commission and the AI Council have confirmed that this code constitutes an adequate instrument for voluntary compliance. By signing it, model suppliers can more easily demonstrate their adherence to the AI Act while benefiting from reduced administrative burdens and enhanced legal certainty.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>👉 \u003Ca href=\"https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai#ecl-inpage-Signatories-of-the-AI-Pact\" rel=\"nofollow\">Check the complete list of signatories here\u003C/a>\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cdiv class=\"content-btn-container\">\u003Ca href=\"https://www.dastra.eu/en/article/general-purpose-ai-code-of-practice-what-you-need-to-know/59438\" target=\"_blank\" role=\"button\" class=\"btn btn-primary\">Click here for a breakdown of the Code\u003C/a>\u003C/div>\r\n\u003Ch2 id=\"ai-act-what-changes-on-august-2-2025\">AI Act: What changes on August 2, 2025\u003C/h2>\r\n\u003Cp>As of August 2, 2025, several essential provisions of Regulation (EU) 2024/1689 or the Regulation on Artificial Intelligence (AI Act) came into force and are now legally binding. 
These provisions include:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>\u003Cstrong>Governance rules, namely governance at the Union level and the competent national authorities; and\u003C/strong>\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Obligations concerning general-purpose AI models.\u003C/strong>\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cdiv class=\"content-btn-container\">\u003Ca href=\"https://www.dastra.eu/en/article/ai-act-phase-two-what-changes-on-august/59455\" target=\"_blank\" role=\"button\" class=\"btn btn-primary\">Discover our analysis here\u003C/a>\u003C/div>\r\n\u003Ch2 id=\"germany-update-of-bfdi-guidelines\">Germany – Update of BfDI guidelines\u003C/h2>\r\n\u003Cp>The Federal Commissioner for Data Protection (BfDI) has published a new version of its guidelines.\u003Cbr />\r\n\u003Cbr />\r\nThis document provides a comprehensive analysis of the relationship between the GDPR and the BDSG, details the legal bases for processing, recalls data protection principles, the obligations of the DPO, and the rights of data subjects, and illustrates each of these points with practical examples.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>👉 \u003Ca href=\"https://www.bfdi.bund.de/SharedDocs/Downloads/DE/Broschueren/INFO1.html?nn=251928&amp;utm_source=chatgpt.com\" rel=\"nofollow\">Check the guidelines here\u003C/a>\u003C/p>\r\n\u003C/blockquote>\r\n\u003Ch2 id=\"united-kingdom-ico-consultations-on-the-data-use-and-access-act-dua\">United Kingdom – ICO consultations on the Data Use and Access Act (DUA)\u003C/h2>\r\n\u003Cp>Following the entry into force of the \u003Cstrong>Data Use and Access Act 2025 (DUAA)\u003C/strong>, the Information Commissioner’s Office (ICO) has opened a series of public consultations intended to prepare the publication of final guidelines.\u003C/p>\r\n\u003Cp>The first consultation addresses the introduction of a new legal basis, \"acknowledged legitimate interest,\" as well as processing complaints related to data 
protection from organizations.\u003C/p>\r\n\u003Cp>The ICO invites the concerned actors to submit substantive contributions to inform the development of clear and operational rules.\u003C/p>\r\n\u003Cdiv class=\"content-btn-container\">\u003Ca href=\"https://www.dastra.eu/en/article/what-the-duaa-means-for-your-organization/59414\" target=\"_blank\" role=\"button\" class=\"btn btn-primary\">Check out what the DUAA means for your organisation \u003C/a>\u003C/div>\r\n\u003Ch2 id=\"cnil-sanction-procedure-a-constitutional-turning-point\">CNIL sanction procedure: a constitutional turning point\u003C/h2>\r\n\u003Cp>On August 8, 2025, the Constitutional Council issued a major ruling (QPC n° 2025-1154) that modifies the sanction procedure before the CNIL. This evolution directly affects data controllers and their processors.\u003C/p>\r\n\u003Cp>Until now, implicated entities could submit written comments or be heard, but without being informed of their right to remain silent. In practice, responding could lead to self-incrimination.\u003C/p>\r\n\u003Cp>Citing Article 9 of the Declaration of Rights of 1789, the Council ruled that the right to silence, recognized in criminal matters, should also apply to administrative sanctions of a punitive nature, such as the fines imposed by the CNIL. The failure to inform about this right was deemed unconstitutional.\u003C/p>\r\n\u003Cp>The repeal of the relevant provisions is postponed to October 1, 2026. However, from now on, the CNIL must explicitly notify implicated companies of their right to silence. 
Sanctions imposed before August 8, 2025, remain final.\u003C/p>\r\n\u003Cp>This decision aligns CNIL sanctions more closely with criminal logic and requires companies to adopt a defensive approach in their interactions with the regulator.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>👉 Check out \u003Ca href=\"https://www.conseil-constitutionnel.fr/decision/2025/20251154QPC.htm\" rel=\"nofollow\">the decision here.\u003C/a>\u003C/p>\r\n\u003C/blockquote>\r\n\u003Ch2 id=\"spain-200000-fine-for-violating-the-principle-of-data-accuracy\">Spain – €200,000 fine for violating the principle of data accuracy\u003C/h2>\r\n\u003Cp>The Spanish data protection authority (AEPD) imposed a fine of \u003Cstrong>€200,000\u003C/strong> on \u003Cstrong>ENDESA ENERGÍA, S.A.U.\u003C/strong>, a subsidiary of the ENDESA group, for a serious breach of the principle of data accuracy under Article 5.1(d) of the GDPR.\u003C/p>\r\n\u003Cp>The case originated from a complaint filed in May 2023, after an individual had their electricity and gas contracts terminated without consent. The investigation revealed that the company mistakenly assigned the complainant's universal supply point codes (CUPS) to a third party due to a data entry error during a change of ownership. This unverified confusion before execution led to the abusive suspension of services.\u003C/p>\r\n\u003Cp>In addition to the financial penalty, the AEPD ordered the company to implement enhanced procedures within six months to ensure the reliability of data processing during supplier or ownership changes. Failure to comply with this requirement could lead to further administrative violations.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>👉 \u003Ca href=\"https://www.aepd.es/documento/ps-00232-2024.pdf\" rel=\"nofollow\">Check out the sanction here\u003C/a>\u003C/p>\r\n\u003C/blockquote>\r\n","DastraNews: what happened in Privacy & AI in August? 
","Privacy & AI insights from the Dastra hub: actionable updates for pros who work daily in the field.",1281,7,0,null,"en","dastranews-what-happened-in-august",false,"Published",{"id":18,"displayName":19,"avatarUrl":20,"bio":12,"blogUrl":12,"color":12,"userId":18,"creationDate":21},20352,"Leïla Sayssa","https://static.dastra.eu/tenant-3/avatar/20352/TDYeY3C8Rz1lLE/dpo-avatar-h01-150.png","2025-03-03T11:08:22","2025-09-01T15:26:00","2025-09-01T15:26:28.2004146","2025-12-09T09:10:38.8652549",{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":31},2,"Blog","A list of curated articles provided by the community","article","#28449a",[32,35,38],{"lang":33,"name":27,"description":34},"fr","Une liste d'articles rédigés par la communauté",{"lang":36,"name":27,"description":37},"es","Una lista de artículos escritos por la comunidad",{"lang":39,"name":27,"description":40},"de","Eine Liste von Artikeln, die von der Community verfasst wurden",[42,47],{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":43},[44,45,46],{"lang":33,"name":27,"description":34},{"lang":36,"name":27,"description":37},{"lang":39,"name":27,"description":40},{"id":48,"name":49,"description":50,"url":51,"color":52,"parentId":26,"count":12,"imageUrl":12,"parent":53,"order":11,"translations":58},9,"News","Stay up to date with the latest news from data protection authorities: decisions, fines, guidelines, and regulatory trends in GDPR and privacy.","news","#1676ca",{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":54},[55,56,57],{"lang":33,"name":27,"description":34},{"lang":36,"name":27,"description":37},{"lang":39,"name":27,"description":40},[59,62,65],{"lang":33,"name":60,"description":61},"Actualités","Suivez les dernières actualités des autorités de protection des 
données (CNIL, EDPS, etc.) : décisions, sanctions, lignes directrices et tendances réglementaires en matière de RGPD et de privacy.",{"lang":36,"name":63,"description":64},"Actualidad","Todos los artículos relativos a las autoridades de protección de datos",{"lang":39,"name":66,"description":67},"Nachrichten","Alle Artikel mit Bezug zu Datenschutzbehörden",[],"https://static.dastra.eu/content/edddad19-8e47-4fe3-81f9-b2fee35b611a/dastractu-original.jpg",[71,72,73,74,75,76,77],"https://static.dastra.eu/content/edddad19-8e47-4fe3-81f9-b2fee35b611a/dastractu-1000.webp","https://static.dastra.eu/content/edddad19-8e47-4fe3-81f9-b2fee35b611a/dastractu.webp","https://static.dastra.eu/content/edddad19-8e47-4fe3-81f9-b2fee35b611a/dastractu-1500.webp","https://static.dastra.eu/content/edddad19-8e47-4fe3-81f9-b2fee35b611a/dastractu-800.webp","https://static.dastra.eu/content/edddad19-8e47-4fe3-81f9-b2fee35b611a/dastractu-600.webp","https://static.dastra.eu/content/edddad19-8e47-4fe3-81f9-b2fee35b611a/dastractu-300.webp","https://static.dastra.eu/content/edddad19-8e47-4fe3-81f9-b2fee35b611a/dastractu-100.webp",59556]