EU;
- That they have a right to a copy of the data and other basic rights in the
field of data protection;
- Their right to lodge a complaint with a Data Protection Authority (DPA);
- Where applicable, the existence of automated decision-making and the
logic involved, including the consequences thereof.
The information may be provided by electronic communications. The IT
company must do that in a concise, transparent, intelligible and easily
accessible way, in clear and plain language and free of charge.
EU data protection law identifies two different entities involved in data
processing:
1. Data controller: determines the purposes for which and the means by
which personal data is processed;
2. Data processor: manages personal data on behalf of the controller; it
is usually a third party external to the IT company/data controller. The
duties of the processor towards the controller must be specified in a
contract or another legal act.
We can also have the situation of joint controlling of the data, when multiple
organizations determine “why” and “how” personal data should be processed.
Joint controllers must enter into an arrangement setting out their respective
responsibilities for complying with the GDPR rules. The main aspects of the
arrangement must be communicated to the individuals whose data is being
processed.
Companies are encouraged to implement technical and organizational
measures, at the earliest stages of the processing operations, in such a way
that safeguards privacy and data protection principles right from the start
(data protection by design). The use of pseudonymization is a typical
example because it creates the condition to protect the confidentiality of the
data by using a method which soon after the data are collected in whatever
ways.
Companies should ensure that personal data is processed with the highest
privacy protection so that by default personal data isn’t made accessible to an
indefinite number of persons (data protection by default), for example when a
social media platform sets users’ profile settings in the most privacy-friendly
setting by limiting from the start the accessibility of the users’ profile so that
it isn’t accessible by default to an indefinite number of people.
A data breach occurs when the data for which the company is responsible
suffers a security incident resulting in a breach of confidentiality, availability
or integrity. If that occurs the company has to notify the supervisory authority
without undue delay, and at the latest within 72 hours after having become
aware of the breach. If the company is a data processor it must notify every
data breach to the data controller.
If the data breach poses a high risk to those individuals affected then they
should also all be informed, unless there are effective technical and
organizational protection measures that have been put in place, or other
measures that ensure that the risk is no longer likely to materialize.
Data Protection Officer (DPO)
A company needs to appoint a DPO, whether it’s a controller or a processor, if
its core activities involve processing of sensitive data on a large scale or
involve large scale, regular and systematic monitoring of individuals. In that
respect, monitoring the behavior of individuals includes all forms of tracking
and profiling on the internet, including for the purposes of behavioral
advertising.
Public administrations always have an obligation to appoint a DPO, except for
courts acting in their judicial capacity.
The DPO may be a staff member of the company or may be contracted
externally on the basis of a service contract.
The DPO assists the controller or the processor in all issues relating to the
protection of personal data. In particular the DPO must:
- Inform and advise the controller or processor, as well as their employees,
of their obligation under data protection law;
- Monitor compliance of the company with all legislation in relation to data
protection, including in audits, awareness-raising activities as well as
training of staff involved in processing operations;
- Act as a contact point for requests from individuals regarding the
processing of their personal data and the exercise of their rights.
The DPO must not receive any instruction from the controller or processor for
the exercise of their tasks and reports directly to the highest level of
management of the company.
Sanctions
GDPR provides the Data Protection Authorities (DPA) with different options in
case of non-compliance with the data protection rules:
- Likely infringement: a warning may be issued;
- Infringement: the possibilities include a reprimand, a temporary or
definitive ban on processing and a fine of up to 20 million or 4% of the
business’s total annual worldwide turnover.
In the case of an infringement, the DPA may impose a monetary fine instead of,
or in addition to, the reprimand and/or ban on processing.
The authority must ensure that fines imposed in each individual case are
effective, proportionate and dissuasive. It will take into account a number of
factors such as the nature, gravity and duration of the infringement, its
intentional or negligent character, any action taken to mitigate the damage
suffered by individuals, the degree of cooperation of the organization…
eContracts
The association between contracts and information technology can be
differently shaped:
- the object of a contract can be standard software (license contracts);
- the contract can provide for a tailor made software (service contract +
license contract);
- the object of a contract can be an IT device or in general a hardware
(sale contract + license contract);
- the contract can provide for software/hardware assistance (service
contract);
- the contract can be concluded in a digital context (digital contract).
E-commerce is the name usually given to the general use from business and
professional subjects to sell and provide online goods and services. It is made
of all the legal and commercial issues connected to the use of online digital
technologies in contracts.
Artificial intelligence
Introduction:
AI is transforming industries like healthcare, finance, and transportation, but it
also raises complex issues around accountability, transparency, privacy, and
ethics.
Historical Context:
IT law has evolved significantly since the 1970s, starting with basic data
security and intellectual property concerns. Today, regulations such as the
GDPR (2018) and the EU AI Act (2021) address the broader implications of AI,
focusing on risk management and ethics.
Ethical Considerations:
To prevent discrimination and privacy breaches, AI systems must prioritize
fairness, transparency, and accountability. Addressing biases in data and
ensuring systems operate ethically are essential steps.
Key Legal Challenges:
- Data Privacy: AI relies heavily on data, making consent and GDPR
compliance critical.
- Intellectual Property: Questions about the ownership of AI-generated
content challenge traditional IP frameworks.
- Liability: Determining responsibility for AI-driven decisions
remains complex.
- Bias and Fairness: AI systems risk perpetuating existing biases if
not properly managed.
Regional Approaches:
- European Union: The AI Act classifies systems by risk level and
mandates transparency and accountability from providers.
- Asia: Approaches vary widely: China emphasizes government
control, Japan focuses on ethics, and India is developing AI-specific
legislation.
- United States: While no comprehensive federal AI law exists,
initiatives like the National AI Initiative Act (2020) and the Blueprint
for an AI Bill of Rights (2022) guide ethical AI development.
Case Studies:
Notable cases highlight AI’s impact on law, including lawsuits against OpenAI
and Meta for copyright infringement and concerns over data misuse leading to
automated discrimination.
Conclusion:
AI is reshaping IT law, pushing beyond data protection to address fairness,
privacy, and human rights. While different regions adopt varied regulatory
approaches, the shared goal is clear: fostering innovation while safeguarding
public trust and ethical standards.
Smart products:
The document explores the growing integration of smart products, driven by
the Internet of Things (IoT) and artificial intelligence (AI), and the legal, ethical,
and security challenges they pose.
Definition and Impact of Smart Products
Smart products are physical devices enhanced with digital technology, enabling
data collection, processing, and automation (e.g., smart thermostats,
wearables). They enhance convenience and efficiency but raise concerns about
privacy, security, and ethical practices.
Regulatory Landscape
- General Data Protection Regulation (GDPR): EU law ensuring
personal data protection and user control.
- NIS2 Directive: Strengthens cybersecurity for critical sectors in
the EU.
- California Consumer Privacy Act (CCPA): Grants California
residents rights over their personal data, including control over
collection, deletion, and sale.
Risks, Ethics, and Legal Challenges
- Data Protection: IoT devices often collect sensitive data without
user awareness, risking misuse for profiling, advertising, or identity
theft. Transparency and consent are crucial.
- Cybersecurity: Devices are vulnerable to hacking, posing risks like
unauthorized surveillance or data breaches. Regulations like the EU
Cybersecurity Act and U.S. IoT Security laws aim to mitigate these
threats.
- Liability: Determining responsibility for autonomous smart devices
is complex, involving manufacturers, developers, and users. EU
consumer protection laws, such as the Product Liability Directive,
aim to clarify accountability.
Case Study: Las Vegas Casino Breach (2018)
Hackers exploited a smart aquarium thermostat to access a casino’s network,
demonstrating the significant risks posed by unsecured IoT devices. The
incident underscores the need for robust security frameworks and coordinated
vulnerability management.
Conclusion
While smart products offer substantial benefits, they also introduce risks
related to privacy, security, and consumer rights. Effective regulation, ethical
practices, and collaboration between developers and lawmakers are essential
to balance innovation with safety and trust.
The document emphasizes that the future of smart products depends on
aligning technological advancements with strong ethical standards and
comprehensive legal frameworks to ensure societal well-being.
Crypto currencies
This document analyzes the European Union's (EU) regulatory