ESRs secondments at AGCM, GPDP and VUB

In this special edition of our blog posts, seven of our ESRs write about their experiences and insights they made during their secondments. ESR Cristian Lepore and Aizhan Abdrassulova share their secondment experiences in this post.


The Autorità Garante della Concorrenza e del Mercato (AGCM) is the Italian competition authority and is responsible for enforcing rules against anti-competitive agreements among undertakings, abuses of dominant positions, and concentrations that have anti-competitive effects.

ESR Cristian Lepore at the AGCM

During a one-month secondment at the Italian competition authority in Rome, I focused on various analytical and research tasks related to data management, online privacy, and information acquisition from major gatekeepers, such as Google, Facebook, and Amazon.

Activities were as follows:

  1. Data Analysis and Tool Development:

We firstly examined two distinct datasets, Orbis and Pitchbook. The analysis was streamlined by the following Python program (published on GitHub): This tool foresees its value in uncovering correlations within the datasets and enhancing the understanding of database differences.

  1. Information Solicitations and Online Privacy:

We investigated the information requests made during website access by key gatekeepers. While most of these requests aligned with established policies, we raised concerns about data collection through HTML scripts embedded in websites, which could impact online privacy. Additionally, we evaluated cookies and potential vulnerabilities that gatekeepers could use to acquire additional information. The results indicates that most of the information collected by gatekeepers came from open sessions with websites or mobile devices, where access keys (and personal identifiers) were periodically changed, maintaining a weak link to individuals, which is generally positive. For a clear view of the field, we conducted a comprehensive review of academic literature, revealing that while it’s technically possible to collect more information than allowed, most of this information relies on changing keys and has a limited connection to users.

  1. Network Traffic Analysis:

We used network traffic analysis to trace login tokens from web portals and cookies. However, some of the traffic was encrypted and required third-party authorization for access. As a result, the analysis was limited to the size of plaintext packets, revealing a significant surplus of information compared to web portals mandate.

In conclusion, my secondment at the Market Authority was an enlightening experience that significantly contributed to the understanding of the challenges associated with data protection and online privacy. The work conducted has laid a strong foundation for future studies and initiatives in this dynamic and evolving field.


The Garante per la protezione dei dati personali (GPDP) is the Italian Data Protection Authority and responsible for monitoring the application of the GDPR.


ESR Aizhana Abdrassulova at VUB and GPDP

ESR Aizhana completed her first academic secondment at the Vrije Universiteit Brussel (VUB) in the spring of 2023. This experience turned out to be very fruitful for her. During her stay, Aizhana expanded her knowledge of her topic, she had several offline meetings with Professor Gloria Gonzalez Fuster, discussing the topic of her research. Aizhana also participated in several seminars for the university’s doctoral students. She attended the doctoral seminar ‘With great power comes great responsibility: proportionality within the use of facial recognition technology’ and “ALTEP-DP case law round up” about the conflict of interests – the right to be forgotten versus freedom of expression.

On May 24-26, one of the most ambitious scientific events, organized by Professor Paul de Hert, took place in Brussels – CPDP 2023: Ideas that drive our digital world. The sponsors and speakers were representatives of prominent companies such as European Data Protection Supervisor (EDPS), Apple, Mozilla, Google, Microsoft, Uber, Tik Tok and others. Aizhana carried out volunteer activities at this conference. She helped with logistics and organization (duty in the halls during sessions, as well as registration of conference guests). In her free time from volunteering, she attended Conference sessions.

Furthermore, Aizhana attended the scientific event “Brussels Privacy Hub – EU Digital Finance Seminar Series: Session 3 Cryptocurrencies, decentralized finance, and data protection: an unsolvable problem?”.

The second non-academic secondment is currently taking place at the Italian Data Protection Authority GPDP in Rome. Over the past two months of secondment, Aizhana had several meetings with Dr. Roberto Lattanzi, discussing the directions of her research.

There was an acquaintance with colleagues, as well as with the work of the organization. Aizhan is studying an EDPB-EDPS Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonized rules on artificial intelligence (Artificial Intelligence Act), which the Organization is currently working on.

Finally, during an offline meeting of the organization’s employees, Aizhana presented her research. Aizhan has access to the library directly next to the office, which makes it possible to study new sources of literature.