In the August 2025 issue of Data Diaries, guest editor Szymon Sieniewicz highlights the top stories in data protection law. These include a record GDPR fine by the Polish data protection authority, the UK Data (Use and Access) Act 2025, and updates on the EU AI Act, the EU Data Act and international transfers, with a focus on transfers to China.
Data Diaries - August 2025
Guest editorial - Szymon Sieniewicz
I’m excited to introduce myself as the guest editor for this edition. My name is Szymon Sieniewicz, and I lead the TMT/IP practice at Addleshaw Goddard’s recently launched Warsaw office. In May, over 80 of my colleagues and I joined AG, marking an exciting chapter for the firm as we expand our European footprint. With 21 offices globally, AG is now even better positioned to support clients with their Polish and EU law needs.
At our Warsaw office, we provide a full-service offering, including expertise in TMT/IP matters. Whether it’s regulatory advice, commercial contracts, or contentious data protection and cybersecurity matters, we’re here to help. Beyond TMT/IP, our team covers a wide range of areas, including corporate, real estate, banking, energy, competition, employment, tax, and litigation - both domestic and cross-border.
This edition of our newsletter dives into some of the most pressing developments in the privacy world. In Poland, we’ve seen our data protection authority impose a record GDPR fine of €4 million, underscoring the need for robust compliance. Meanwhile, in the UK, businesses are gearing up for the Data (Use and Access) Act, while across the EU, new laws such as the EU AI Act and the EU Data Act are reshaping the regulatory landscape. The latter starts to apply from 12 September 2025, and its implications are significant for businesses operating in or with the EU.
International data transfers remain a hot topic, with increasing complexity, particularly regarding transfers to China. In this edition, we offer a concise overview of these latest developments, designed to help you navigate the challenges and opportunities.
We hope you find this edition both informative and practical. For tailored advice on how these changes may affect your organisation, please don’t hesitate to reach out to me or any of my colleagues.
Szymon Sieniewicz is a Counsel in Addleshaw Goddard, leading the TMT/IP practice at Addleshaw Goddard Poland.
Click on the links below to read more:
- Polish Data Protection Office imposes record GDPR fine
- Data (Use and Access) Act 2025: update on its entry into force
- EU AI Act Update: the rules on general-purpose AI become applicable
- EU Data Act Update: the Act becomes applicable on 12 September
- International data transfers: focus on transfers to China
Poland: Record GDPR fine highlights risks of processor oversight failures
In July 2025, the Polish Data Protection Authority (PDPO) imposed the second highest GDPR fine to date in Poland’s private sector - PLN 16.9 million (approx. EUR 4 million) - on McDonald’s Polska Sp. z o.o. (Controller). The fine related to a data breach exposing employee information via a server used to manage staff schedules across restaurants.
Key takeaways
1. Controllers remain fully accountable for outsourced processing activities.
2. Conducting a robust processor audit is a substantive obligation, not a mere formality.
Details of the breach
The breach was discovered when a publicly accessible file containing extensive personal data of employees and franchisee staff was identified. The exposed data included names, PESEL (national identity) numbers, passport details, restaurant identifiers, work schedules, and more.
The Controller had entered into a PR services agreement with an external provider (Processor) and a data processing agreement under Article 28 GDPR. However, the module used to manage schedules was hosted on a system entirely controlled by the Processor, with no oversight or configuration access by the Controller. Crucially, the Controller failed to exercise its audit rights or maintain adequate supervision over the Processor’s handling of personal data.
PDPO’s decision
The PDPO found multiple GDPR violations, including:
- Failure to conduct a proper risk assessment and implement adequate security measures.
- Neglecting audit obligations and enforcement of the data processing agreement.
- Failing to involve the DPO in key stages of the Processor relationship.
- Breaching the data minimisation principle by collecting excessive personal data.
- Failing to notify all affected data subjects of the breach.
Lessons learned
This decision underscores that outsourcing processing operations does not absolve controllers of their GDPR responsibilities. While outsourcing may enhance operational efficiency, it introduces significant risks if processors are not thoroughly vetted, supervised, or integrated into a comprehensive data protection strategy. Even large, well-resourced organisations can face severe regulatory consequences if they fail to implement fundamental governance tools such as risk assessments, processor audits, DPO involvement, and adherence to data minimisation principles.
Need Support?
If you operate in Poland or require advice on Polish or EU data protection laws, please contact Szymon Sieniewicz, the guest editor of this newsletter, for assistance.
UK: Data (Use and Access) Act 2025
The Data (Use and Access) Act 2025 (Act) received Royal Assent in June 2025 and will enter into force in stages over the next year. The Act reforms the UK GDPR, Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR).
Click here to read our article or listen to our webinar recording to find out more about the Act and how it may impact your organisation.
More recently, the government has published guidance on the Act’s implementation timeline. While some provisions have already come into effect on 20 August 2025, most of the changes referred to in the article will come into force in December 2025 or January 2026 (exact date TBC). The requirement to implement a complaints procedure and the increase to PECR fines will come into effect at a later date, with dates to be announced.
For advice on how to prepare your organisation for the Act’s implementation, please contact one of our Data specialists in the UK.
Update on the EU AI Act
While the EU AI Act (AI Act) entered into force on 1 August 2024, its requirements are becoming applicable in stages. Although an EU regulation, the Act also applies to non-EU providers, importers and distributors of AI systems placed on the EU market, put into service or used in the EU. There had been speculation that the European Commission would delay the AI Act’s entry into applicability, but the Commission has recently confirmed that it will not pause the implementation and enforcement timetable.
The first tranche of the AI Act's provisions, those prohibiting certain AI practices and introducing AI literacy requirements, became applicable on 2 February 2025 (read more in the April 2025 edition of Data Diaries).
On 2 August 2025 the obligations for providers of general-purpose AI (GPAI) models became applicable for GPAI models placed on the market on or after this date (providers of GPAI models placed on the market before 2 August 2025 must also comply by 2 August 2027). These obligations were also covered in the April 2025 edition, but since then the Commission has published a number of documents to clarify the scope of the obligations on GPAI model providers.
General-Purpose AI Code of Practice
On 10 July 2025 the European Commission published its long-awaited General-Purpose AI (GPAI) Code of Practice (Code), which was originally intended to be published in early May. The Code is voluntary, but the Commission states that providers of GPAI models who sign the Code will be able to demonstrate compliance with the relevant AI Act obligations by adhering to the Code, and benefit from a reduced administrative burden as well as increased legal certainty compared to providers that prove compliance in other ways. On 17 July 2025, the Commission made available the signatory form that providers need to use to sign up to the Code and published a set of FAQs about the impact of signing.
The Code comprises three chapters which cover:
- Transparency
- Copyright
- Safety and Security
The first two chapters are relevant to all providers of GPAI models, but the third chapter is only relevant to the small number of providers of the most advanced models that are subject to the AI Act's obligations for providers of GPAI models with systemic risk under Article 55 AI Act. In addition, the Commission published a set of Q&A providing more information on the Code.
Guidelines on the scope of obligations for providers of GPAI models under the AI Act
On 18 July 2025, the European Commission published guidelines clarifying the scope of the AI Act’s obligations for GPAI model providers. Topics include:
- Defining GPAI models
- The lifecycle of a GPAI model
- Identifying GPAI models with systemic risk
- Obligations for providers placing GPAI models on the market
- Exemptions for certain open-source models
- Enforcement of obligations
AI Act materials
On 1 July 2025, some of our technology experts, including this edition’s guest editor Szymon Sieniewicz, presented a webinar on the AI Act, focused on the healthcare and life sciences sectors. Here's a link to the recording. We have also published a more detailed brochure about the AI Act, which you can access here. It outlines the key provisions of the AI Act, including its risk-based approach, prohibited practices, and timelines for compliance. It also provides actionable steps to help businesses prepare for the changes ahead. If you would like advice about the AI Act, please contact a member of our international data team.
EU Data Act update
The EU Data Act (Data Act) starts to become applicable on 12 September 2025. It aims to ensure fairness in the allocation of value from data, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible to users. As an EU regulation, it is directly applicable in all EU Member States. However, due to its extraterritorial scope, it will also apply to many non-EU businesses that operate in EU markets. Most of the Data Act’s provisions enter into applicability on 12 September 2025, but others will become applicable in stages between then and September 2027.
The Data Act applies to:
- Product manufacturers and service providers placing connected products (Internet of Things or IoT devices) and related services on the EU market
- Providers of data processing services (e.g., cloud and edge services) to EU customers
- Data holders who use and make data available
- EU data recipients to whom data is made available
- EU users of connected products or related services
The Data Act’s key provisions include requirements and conditions relating to:
- Access to and re-use of data generated by using connected products and related services
- Public sector access to privately-held data in exceptional cases
- Data switching between data processing services (e.g., cloud and edge services)
- Business-to-business data sharing
- Smart contracts that execute data-sharing agreements
- Interoperability of data, data-sharing mechanisms and services, common European data spaces and tools for automating the execution of data sharing agreements, such as smart contracts
For advice on whether your products and services fall within the scope of the Data Act and how to ensure compliance, please contact one of our Data specialists. The Act complements existing EU laws, such as the GDPR, Digital Markets Act & Digital Services Act, as well as the forthcoming Digital Fairness Act – our team can help you to navigate the multiple pieces of legislation and devise a compliance strategy that works for your organisation. On 16 September some of our data experts, including this edition’s guest editor Szymon Sieniewicz, are presenting a webinar on the Data Act. You can find more information and register here.
International transfers update: Focus on transfers to China
In the April 2025 edition of Data Diaries we focused on developments affecting the EU-US Data Privacy Framework and the impact on data transfers from the EU and UK to the USA. In this edition, we take a look at some recent activity by EU data protection authorities, noyb and the US government concerning transfers to China.
Irish DPC inquiries and decision in relation to TikTok
On 2 May the Irish Data Protection Commission (DPC) announced its final decision following an Inquiry into the lawfulness of TikTok's transfers of personal data from the EEA to China. The DPC has not published its full decision, but has stated that TikTok infringed the GDPR in two respects:
- Transfers of EEA user data to China – failure to verify, guarantee and demonstrate that the supplementary measures and the Standard Contractual Clauses (“SCCs”) were effective to ensure that the personal data of EEA users transferred via remote access were afforded a level of protection essentially equivalent to that guaranteed within the EU.
- The transparency requirements in relation to such transfers – TikTok’s privacy notice did not name the third countries, including China, to which personal data was transferred, and did not explain the nature of the processing operations that constitute the transfer (i.e. that it included remote access to personal data stored in Singapore and the US by personnel based in China).
The DPC decision imposed administrative fines totalling €530 million, an order requiring TikTok to bring its processing into compliance within six months and an order suspending TikTok’s transfers to China if processing is not brought into compliance within this timeframe.
TikTok published a response stating that:
- the decision fails to fully consider Project Clover, its €12 billion industry-leading data security initiative that includes some of the most stringent data protections anywhere;
- the DPC itself recorded in its report what TikTok has consistently said: it has never received a request for European user data from the Chinese authorities, and has never provided European user data to them; and
- TikTok planned to appeal.
The Irish High Court has given TikTok permission to appeal the DPC’s decision and adjourned the matter until October.
On 10 July 2025, the DPC announced that it has opened a new inquiry into TikTok’s transfers of EEA users’ personal data to servers located in China. These transfers were not covered by the previous investigation and decision, which was limited to remote access from China.
noyb complaints in relation to transfers to China
In January and July noyb (the organisation founded by privacy campaigner Max Schrems) announced that it had filed complaints against TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi for allegedly unlawful data transfers to China. The complaints were filed in Greece, Italy, Belgium, the Netherlands and Austria and focus on the high risk of data access by the Chinese authorities and noyb’s claim that the companies failed to provide a satisfactory response to data subject access requests for information about data transfers.
Berlin DPA reports DeepSeek to Apple and Google as illegal content on the basis of transfers to China
In June the Berlin Data Protection Authority reported DeepSeek (the generative AI chatbot provided by a Chinese company) to Apple and Google as illegal content on the basis that it transfers personal data to China. The Berlin Commissioner said:
"DeepSeek has not been able to provide my office with convincing evidence that data of German users is protected in China at a level equivalent to that of the European Union. Chinese authorities have extensive access rights to personal data held by Chinese companies. In addition, DeepSeek users in China do not have enforceable rights and effective remedies as guaranteed in the European Union. I have therefore informed Google and Apple, as operators of the largest app platforms, about the violations and expect a prompt review of a blocking."
US Rule on Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern
Data transfers to China are not solely a European concern. On 8 April 2025, the above rule came into effect, prohibiting certain cross-border personal data flows from the US to people and entities with certain connections to China, Cuba, Iran, North Korea, Russia or Venezuela.
For advice on international data transfers and the safeguards needed to ensure that these are lawful, please contact a member of our Data team.
Next steps
For advice on any aspect of data law, including general compliance with existing legislation or new legislation such as the UK Data (Use and Access) Act 2025, the EU Data Act and EU AI Act, as well as international transfers, please contact a member of our team of specialists.