Global updates – a quick glance
Australia:
- The government has announced the maximum superannuation guarantee contributions base and rate for the 2025–26 income year, effective from 1 July 2025.
- The Federal Budget 2025 introduces amendments to personal income tax rates for 2026–27 and 2027–28 and updates to Medicare levy thresholds.
Bulgaria:
- The 2025 State Budget introduces changes to minimum and maximum insurance bases and a lower VAT registration threshold.
- A phased implementation of the Standard Audit File for Tax (SAF-T) will commence from 2026.
Canada:
- Quebec’s 2025 budget includes revised individual income tax thresholds, enhanced tax credits for e-business development, and a new R&D-focused tax credit system.
Chile:
- Major pension reforms enacted, including a gradual increase in employer contributions through to 2035.
China:
- New Personal Information Protection Compliance Audit Measures come into effect on 1 May 2025, mandating audits for entities processing data of over 10 million individuals.
Costa Rica:
- Deadline for mandatory e-invoicing extended to 1 September 2025.
Denmark:
- Amendments to the Danish Companies Act are effective from 1 January 2025.
European Union:
- The European Council formally adopts the VAT in the Digital Age (ViDA) package. Implementation will span from 2025 to 2035, structured across three key pillars.
France:
- Finance Bill 2025 includes:
  - CVAE now scheduled for full elimination by 2030.
  - Gradual reduction in CET rates.
  - Personal income tax brackets adjusted for inflation.
  - Introduction of a 20% minimum tax for high-income earners (over €250,000 per individual / €500,000 per couple) in 2025.
Germany:
- Intrastat reporting thresholds for arrivals and dispatches increased as of 1 January 2025.
Greece:
- The cap on monthly social security contribution bases raised to €7,572.62 effective from 1 January 2025.
Hong Kong:
- Budget 2025–26 introduces:
  - 100% tax relief on profits tax and salaries tax (capped at HKD 1,500),
  - Property rate concessions,
  - A new Global Minimum Tax bill.
- The Inland Revenue Department extends 2024/25 profits tax return deadlines.
- Levels of compensation for work injuries and related cases are raised by between 3.8% and 86.3%, effective 17 April 2025.
Honduras:
- Individual income tax rates for 2025 published.
Hungary:
- Expanded tax exemptions for mothers, commencing 1 October 2025, to be rolled out in phases.
India:
- Finance Act 2025 introduces:
  - Revised tax slabs under the default regime for FY 2025–26,
  - Enhanced rebate threshold from INR 700,000 to INR 1,200,000,
  - Extension of start-up tax benefits through to April 2030.
- Draft Digital Personal Data Protection Rules, 2025 released to support implementation of the DPDP Act.
- A new Income Tax Bill, 2025 is proposed to replace the existing 1961 Act from 2026.
Indonesia:
- Global Minimum Tax comes into force from 1 January 2025.
- New corporate beneficial ownership regulations effective from 4 February 2025.
Japan:
- 2025 tax reform introduces:
  - A 4% defense-related corporate tax surcharge from 2026,
  - An increase in the reduced SME corporate tax rate (on income up to JPY 8 million) from 15% to 17% where total income exceeds JPY 1 billion.
Lithuania:
- Adopts EU VAT Scheme for small businesses.
- Amends Labour Code with new rules on overtime, public holiday pay, and workplace safety, effective 1 January 2025.
Malaysia:
- New qualifying thresholds for audit exemption for private companies introduced.
Mexico:
- Federal Data Protection Law enacted, effective from 21 March 2025.
Poland:
- Introduces supplementary maternity leave for parents of premature or hospitalized newborns, effective 19 March 2025.
Serbia:
- Increased contribution bases for social security, effective 2025.
- Law on the Central Register of Beneficial Owners enacted on 14 March 2025.
Singapore:
- Budget 2025 extends corporate support through:
  - Corporate Income Tax Rebate,
  - New R&D tax deductions,
  - Extensions of the DTDi and M&A schemes.
South Africa:
- Global Minimum Tax effective retroactively from 1 January 2024.
- Companies Act amended (from 27 December 2024) to tighten governance rules.
- Proposed two-stage VAT increase pending parliamentary approval.
- BCEA earnings threshold increased to ZAR 261,748.45 as of 1 April 2025.
South Korea:
- Amendments to the Personal Information Protection Act will require foreign entities operating in Korea to designate a local representative, effective 2 October 2025.
Turkey:
- VAT refund threshold increased from TRY 2,000 to TRY 10,000 for claims on or after 1 April 2025.
- Social security contribution bases adjusted to TRY 26,005.50 (minimum) and TRY 195,041.40 (maximum), effective 1 January 2025.
United Kingdom:
- Joint filing of company accounts and tax returns via HMRC online services to be discontinued from 31 March 2026.
- Implementation of Autumn Budget 2024 measures, including:
  - Higher employer NIC contributions,
  - A transition to a new residence-based taxation regime, replacing the non-dom remittance basis.
Data Protection Fines Table

| Country | Authority | Fine imposed on | Reason for fine (data protection failure) | Amount of fine / penalty |
|---|---|---|---|---|
| France | French Competition Authority (“Autorité de la concurrence”), with the French Data Protection Authority (“CNIL”) consulted | Apple Inc., a US multinational in consumer electronics, software and operating systems, and digital services (iPhone, Mac, iOS, iCloud and more). | Apple was fined for abusing its dominant position in mobile app advertising through its App Tracking Transparency (“ATT”) framework, a privacy control. Third-party apps had to obtain tracking consent from users through a complicated sequence of pop-up windows, while Apple did not apply the same strict rules to its own services, gaining an unfair competitive advantage. The Autorité found this to be an abuse of a dominant position under EU and French competition law; the CNIL was consulted on the data protection aspects. | EUR 150 million |
| Italy | Italian Data Protection Authority (“Garante”) | E.ON SE, a multinational electric utility company engaged in energy distribution grids, infrastructure solutions and energy sales. | The Garante investigated E.ON after two individuals complained about repeated unwanted calls and E.ON’s failure to act on their requests to exercise GDPR rights. The investigation found that an employee had incorrectly transcribed the consents given at account activation, and that consents collected through a Facebook campaign were invalid. The fine was imposed for: (i) failure to establish a valid legal basis for data collection and processing; (ii) failure to implement technical and organizational measures sufficient to ensure and demonstrate GDPR compliance; (iii) failure to implement procedures ensuring timely and adequate responses to data subjects’ requests. | EUR 890,000 |
| Italy | Italian Data Protection Authority (“Garante”) | Energia Pulita S.r.l., a company engaged in the generation, transmission and distribution of electric energy. | The Garante investigated Energia Pulita after numerous complaints of aggressive telemarketing, misleading marketing and unwanted calls to individuals registered in Italy’s Do Not Call list. The consent collection method was found to be flawed, resulting in invalid consent and uncontrolled sharing of data with third parties. The fine was imposed under the GDPR for: (i) failure to ensure valid and informed consent; (ii) failure to provide a clear, specific consent form for sharing data with third parties for marketing; (iii) failure to properly identify, train, direct and monitor internal and external personnel. | EUR 300,000 |
| Poland | Polish Data Protection Authority (“UODO”) | Toyota Bank Polska SA, a financial services company. | UODO investigated Toyota Bank’s extensive profiling of customers for credit scoring and its acquisition of prospective customer data. The fine was imposed for: (i) failure to properly document profiling activities in the register of processing operations; (ii) failure to conduct a Data Protection Impact Assessment (“DPIA”) for the profiling, whose scope, context and purposes should have been specifically covered by one; (iii) a Data Protection Officer (“DPO”) who was not fully independent in his work. | PLN 576,220 |
| Poland | Polish Data Protection Authority (“UODO”) | (i) Poczta Polska SA (Polish Post), operating in the transportation, communications, electric, gas and sanitary services sector, and (ii) the Minister of Digital Affairs (Ministry of Administration and Digitization). | UODO investigated citizens’ complaints and court rulings from 2020 to 2024 concerning the unlawful handling of personal data by both parties during preparations for the May 2020 presidential election. Fines were imposed for: (i) processing the data of some 30 million Polish residents (national identification numbers, names, addresses and other personal information) without a legal basis while organizing the 2020 “envelope election”; (ii) the Minister of Digital Affairs downloading that data and making it available to Polish Post for the vote-by-mail process without a legal basis; (iii) failure to destroy the data once the election did not take place. | PLN 27.1 million (Polish Post) and PLN 100,000 (Minister of Digital Affairs) |
| Poland | Polish Data Protection Authority (“UODO”) | Ujastek Sp. z o.o., a Polish medical center operating in the hospitals and healthcare industry. | UODO investigated Ujastek Medical Center for unlawful video monitoring of newborns and their mothers during private moments such as breastfeeding and care. Patients and staff were not informed, and the monitored children did not require intensive care. The fine was imposed for: (i) failure to establish a legal basis for processing personal data through video surveillance; (ii) failure to fulfil the obligation to inform the individuals under surveillance; (iii) failure to apply technical and organizational measures ensuring a security level appropriate to the risks of processing data on external storage devices, including protection against loss, destruction, damage or unauthorized access. | PLN 1,145,891 |
| Poland | Polish Data Protection Authority (“UODO”) | Panek S.A., a car rental company. | UODO investigated a data breach that occurred during a website update, when a subcontractor’s employee accidentally exposed personal data of customers and employees. The fine was imposed for: (i) failure to apply adequate security measures in IT systems to prevent accidental access to or disclosure of personal data; (ii) failure to conduct a risk assessment that appropriately considered technical standards, implementation costs, processing context and the potential impact on individuals’ rights; (iii) failure to regularly test and evaluate IT system security, including checks for vulnerabilities, errors and updates, and actions to reduce the related risks; (iv) failure to verify that the subcontractor had adequate technical and organizational measures in place to meet GDPR requirements and protect data subjects’ rights. | PLN 1.5 million |
| South Korea | Personal Information Protection Commission (“PIPC”) | Kakao Pay, a South Korean financial platform specializing in money transfers, peer-to-peer transactions, bill payments and web banking; and Apple Distributions International Ltd, an Irish company distributing Apple products to retailers and other partners. | PIPC fined Kakao Pay and Apple over the unauthorized overseas transfer of personal data. Kakao Pay sent the data of around 40 million users, including non-Apple users, to Alipay without consent so that Alipay could develop NSF scores (used to predict payment failures). Alipay provided integrated services for Apple’s payment system, to which Apple had outsourced data processing including calculation of the NSF scores. Apple was fined for not disclosing Alipay as its overseas trustee in its privacy policy. Alipay was ordered to destroy the NSF model built from the data obtained without consent. | Kakao Pay: fine of KRW 5.968 billion. Apple Distributions International Ltd: fine of KRW 2.45 billion and penalty of KRW 2.2 million |
| South Korea | Personal Information Protection Commission (“PIPC”) | Modetour Network Inc., a Korea-based travel agency. | Unknown attackers exploited a vulnerability in Modetour Network’s website and uploaded web shell files, leading to the leakage of personal information of 3.06 million people. The fine was imposed for: (i) failure to delete personal data whose retention purpose or period had expired; (ii) failure to notify the data breach; (iii) failure to implement appropriate safety measures, which resulted in the leak. | KRW 757.2 million |
| Spain | Spanish Data Protection Authority (“AEPD”) | Línea Directa Aseguradora, S.A., an insurance company. | The fine was imposed for accessing and processing personal data without a legal basis. The complainant had provided personal data (driver’s license issue date and ID number) for the issuance of a car insurance policy, but the information was used for additional purposes. Violations found: (i) no legitimate basis for processing the complainant’s personal data; (ii) failure to disclose the true purpose of processing; (iii) unauthorized access to government-held data by the controller; (iv) failure to give proper instructions for processing, and processing without the complainant’s valid consent. | EUR 300,000 |
| Spain | Spanish Data Protection Authority (“AEPD”) | Correo Inteligente Postal, S.L. (CI POSTAL), a postal service provider. | A data breach occurred when thousands of postal letters containing personal information of many individuals were abandoned in fields and a river. The company was fined for: (i) failure to implement adequate technical and organizational measures to prevent data leakage and safeguard personal data; (ii) failure to apply the principles of integrity and confidentiality when processing and sending postal letters; (iii) absence of a system to track the path of letters sent. | EUR 200,000 |
| Spain | Spanish Data Protection Authority (“AEPD”) | CARTONAJES BAÑERES, S.A., a manufacturing company. | The fine was imposed for unlawful processing of employees’ biometric data used for timekeeping records. The complainant’s access request for the exact purpose and categories of data collected and processed was denied. Violations found: (i) no legitimate basis for processing the complainant’s personal data; (ii) failure to conduct a data protection impact assessment; (iii) violation of the complainant’s right of access. | EUR 220,000 |
| Spain | Spanish Data Protection Authority (“AEPD”) | Generali España, S.A. de Seguros y Reaseguros, an insurance company. | The company was fined after an unauthorized third party accessed the data of many former clients due to inadequate security measures. The data included name, national ID number, telephone number, date and place of birth, civil status and more. Violations found: (i) failure to protect data subjects’ confidentiality; (ii) failure to implement appropriate technical and organizational measures to secure the data; (iii) failure to conduct a data protection impact assessment; (iv) violation of the principle of data minimization. | EUR 4 million |
| Spain | Spanish Data Protection Authority (“AEPD”) | Orange Espagne S.A., a telecom company / mobile network operator. | The fine related to a SIM-swapping fraud in which the fraudster obtained a duplicate SIM card by impersonating the complainant and stole EUR 9,000 from the complainant’s bank account. Violations found: (i) failure to implement adequate measures to prevent the issuance of a duplicate SIM; (ii) failure to implement data protection by design and by default, compromising the data subject’s data security. | EUR 1.2 million |
| Spain | Spanish Data Protection Authority (“AEPD”) | Ibermutua Mutua Colaboradora, an insurance company. | The fine was imposed for a leak of customers’ personal data (names, social security numbers, health data) caused by a program error in the source code of an e-mail notification, which sent the data to the wrong recipients. The violation found was failure to implement technical and organizational measures to protect personal data. | EUR 600,000 |
| Sweden | Swedish Authority for Privacy Protection (“Integritetsskyddsmyndigheten”, “IMY”) | Bonnier News AB (now Expressen Lifestyle AB following a merger), a Swedish media company. | Bonnier News AB was fined for unlawfully collecting and processing personal data of customers and website visitors for extensive profiling and targeted marketing without the necessary consent. The fine was imposed for: (i) collecting personal data, including browsing behaviour and purchase history, through cookies and other means; (ii) transferring the collected data to group-wide databases to build individual profiles used for targeted marketing; (iii) failure to adequately consider the privacy interests of the data subjects; (iv) failure to demonstrate a valid legal basis for the processing (consent, contract or legal obligation) and incorrect reliance on legitimate interests. | SEK 13 million |
| United Kingdom | Information Commissioner’s Office (“ICO”) | Advanced Computer Software Group, a provider of IT and software services to the NHS and other healthcare providers, processing personal information on their behalf. | The fine was imposed for failure to implement adequate security measures, in breach of the UK GDPR. It relates to a ransomware attack in August 2022 in which attackers accessed the data of 79,404 people, including sensitive details of 890 home care recipients, via an account that did not have multi-factor authentication. | GBP 3.07 million |