Friday, 21st March 2025
The CJEU has ruled that proof of gender surgery is not required for the rectification of data relating to gender identity.
In 2014, VP, an Iranian national, obtained refugee status in Hungary. According to their medical certificates, although that person was born female, their gender identity was male. That person was nevertheless registered as female in the asylum register, which is kept by the Hungarian asylum authority and contains identification data.
In 2022, the VP requested, inter alia, that the asylum authority rectify the entry in respect of their gender in that register, on the basis of Article 16 of the General Data Protection Regulation (GDPR). That request was rejected on the ground that VP had not proved that they had undergone gender reassignment surgery, and VP brought an action against that rejection before the Budapest High Court (Hungary).
The CJEU has ruled that for the purposes of exercising their right to rectification, a person may be required to provide relevant and sufficient evidence that could reasonably be required in order to establish that the data is inaccurate. However, a Member State may not, under any circumstances, make the exercise of the right to rectification conditional upon the production of evidence of gender reassignment surgery.
A requirement to produce gender reassignment surgery undermines, in particular, the essence of the right to the integrity of the person and the right to respect for private life, referred to in Articles 3 and 7 of the Charter Fundamental Rights of the European Union.
Today, the Information Commissioner John Edwards met with Chancellor of the Exchequer Rachel Reeves to discuss the ICO's commitments for the next year, aimed at driving economic growth.
The ICO has plans to:
• Publish a free data essentials training programme for small businesses, helping them save at least £9.1m over three years.
• Pilot an experimentation regime for data essentials training, to enable businesses to trial innovative new data-driven solutions under rigorous oversight.
• Introducing a statutory code of practice for private and public sector businesses developing or deploying AI, allowing them to unleash the possibilities of the technology while safeguarding the public’s privacy, and strengthening the UK’s position as a global AI leader.
• Cutting red tape for businesses by paving the way for privacy-friendly online advertising and driving investment in unintrusive advertising models.
• Publishing new guidance on international transfers of data (underpinning around 40% of UK exports and 20% of imports) and making it easier for UK businesses to access new markets and partners.
Children are increasingly being exposed to Internet feeds, whether that be a simple Google search or a TikTok video. While it can be helpful to receive personal recommendations, this can come with a trade-off.
From the moment a child opens a website or an app, large amounts of information are collected to potentially determine the content that will be shown. There is always an inherent risk that the content may be inappropriate for some children to see. This is why companies should be very transparent about how they use personal information to recommend content.
Due to this reason, the ICO has announced that they have launched three investigations looking into how TikTok, Reddit and Imgur protect the privacy of their child users in the UK. We look forward to the results of this investigation.
It is imperative that children engaging with online content are able to do so in a safe and lawful way.
As part of the Coordinated Enforcement Framework (CEF), Data Protection Authorities (DPAs) across Europe focus on one aspect of the GDPR every year to streamline enforcement and cooperation. The CEF creates a structure for DPAs to work together, coordinate or facilitate enforcement actions on a pre-defined topic and with an agreed-upon methodology.
Today, the EDPB has announced that the right to erasure, or the “right to be forgotten” (Art.17 GDPR), will be the focus in 2025. It is, by far, the most common GDPR right that individuals exercise, and the right with the most complaints from individuals that DPAs receive.
Throughout 2025, the European DPAs will:
- contact a number of controllers from different sectors across Europe, either by opening new formal investigations or doing fact-finding exercises.
- check how controllers handle and respond to the requests for erasure that they receive and, in particular, how they apply the conditions and exceptions for the exercise of this right.
- will stay in close contact to share and discuss their findings throughout the year. The results of these national actions will be aggregated and analysed together to generate deeper insight into the topic.
