Personal data protection /

What data protection challenges do we face in 2025?

In 2024, key issues regarding GDPR in Poland and the EU included increased scrutiny of compliance with data processing rules, especially in the context of the development of new technologies and artificial intelligence, which increase the risk of privacy breaches. Increased awareness of individuals’ rights, such as the right to be forgotten, was also an important aspect, resulting in more requests from citizens and the obligation for organizations to adapt their systems to handle these requests.

In addition, data protection authorities across the EU have been conducting more intensive inspection activities, imposing significant fines for violations of GDPR, highlighting the need for organizations to strengthen their internal compliance policies and procedures.

Artificial Intelligence Act

In the wave of artificial intelligence hype, it is important to keep an eye on the new regulation in this area – an EU regulation called the AI Act. Although the application of this regulation itself has been pushed back to August 2, 2026, Chapter I (General Provisions) and Chapter II (Prohibited Practices) will apply as early as February 2, 2025. Accordingly, 2025 will undoubtedly be an important milestone for businesses in implementing solutions to meet their obligations under the Artificial Intelligence Act.

AI entrepreneurs who develop their own solutions using artificial intelligence technology will be subject to a number of documentation requirements, including the development of technical documentation, documentation of real-world testing, and declarations of conformity, among others. An important legal issue will be the classification of systems in terms of meeting the relevant criteria set forth in the Artificial Intelligence Act, such as whether a general-purpose AI model has capabilities or impacts equivalent to those specified in Article 51(1)(a) and (b), or whether the model meets the high-risk criteria.

The Artificial Intelligence Act applies not only to suppliers, but also to those using AI systems, which are subject to transparency obligations – and therefore the need to report on the use of the relevant technologies.

Naturally, following the model of EU standards already developed, a whole range of sanctions, including fines, are provided for non-compliance with the AI Act.

Should we expect the interaction of the Artificial Intelligence Act with the regulations introduced on the grounds of GDPR? Certainly!

The European Data Protection Board (EDPB) has even already issued an opinion that addresses emerging issues, including the question of the anonymity of artificial intelligence models, the application of an appropriate legal basis for processing personal data in connection with the development and deployment of artificial intelligence systems, and the consequences of violations in this regard.

Digital Services Act

The Digital Services Act (DSA) is an EU regulation aimed at regulating digital platforms in Europe. While its main focus is on user protection and transparency in the digital environment, it also introduces a number of obligations that indirectly affect the protection of personal data.

The main issue in this area is the transparency of targeted advertising. Interesting in this regard is the prohibition of targeting ads based on profiling according to the use of special categories of personal data within the meaning of GDPR. Although the catalog of special categories of personal data is enumerated in GDPR, the CJEU’s progressive interpretation of this concept will gradually expand the scope of the ban to increasingly broader subject areas.

The special protection of minors guaranteed by the DSA will require online platform providers to put in place appropriate mechanisms, which will affect their obligations under the GDPR. Moreover, the DSA explicitly prohibits ad profiling using the personal data of underage users, which is a significant interference with ad targeting mechanisms. 

DSA explicitly prohibits ad profiling using the personal data of underage users, which is a significant interference with ad targeting mechanisms.

The solutions introduced by DSA are very likely to affect the way the entire Internet marketing industry operates.

Data Act

The Data Act is an EU legislative proposal to regulate access, sharing and use of data in the European Union. Its main goal is to enable the fair distribution of the value generated by data among businesses, consumers and public administrations, while supporting innovation and competitiveness in the digital economy. The regulation will apply from September 12, 2025.

The Data Act covers personal and non-personal data insofar as it is generated through the use of IoT-based products or services. The Data Act significantly affects the management of personal and non-personal data, although its main purpose is to regulate the use of data generated by IoT devices and other systems. Its provisions are complementary to GDPR, which remains the key piece of legislation governing the protection of personal data.

A new feature introduced by the Data Act is the definition of who has the right to access data (both personal and non-personal) and what conditions must be met when sharing it. When personal data is shared under the Data Act, it must be processed in accordance with GDPR principles such as user consent, transparency and purposeful processing. The Data Act extends protection to non-personal data that is not covered by GDPR, but may be critical from a privacy perspective (e.g., data on IoT devices used at home).

In the case of IoT technologies and devices, distinguishing between personal and non-personal data can be problematic, which will pose challenges for Data Act obligated entities. For businesses within the Data Act’s circle of addressees, this will mean the need to align data sharing practices with the principles of minimization and anonymization, as well as develop tools to easily manage data access and sharing in accordance with the regulations.

Ready for change in 2025?

The dynamically changing legal environment poses a challenge to entrepreneurs, who are confronted with more and more new obligations, forcing changes in the way they operate, their business model or customer service principles. Supporting entrepreneurs in these complex tasks as legal advisors, we always try to look for regulatory and business-optimal solutions. For cooperation, we invite you to contact us.

Author team leader DKP Legal Alicja Mruczkiewicz
Contact our expert
Write an inquiry: [email protected]
check full info of team member: Alicja Mruczkiewicz

Contact us

Flaga Polski.POZNANPOLAND
Młyńska 16
61-730 Poznań
+48 61 853 56 48[email protected]
Flaga Polski.WARSAWPOLAND
Rondo ONZ 1
00-124 Warsaw
+48 22 300 16 74[email protected]
Flaga Polski.WROCLAWPOLAND
Swobodna 1
50-088 Wrocław
+48 61 853 56 48[email protected]
Flaga Polski.KRAKOWPOLAND
Opolska 110
31-355 Kraków
+48 61 853 56 48[email protected]
Flaga Polski.ZIELONA GÓRAPOLAND
Jana Sobieskiego 2/3
65-071 Zielona Góra
+48 61 853 56 48[email protected]