Rie Aleksandra - DPO Hub

Denmark Google Workspace for Education Chromebook case (Helsingørgate)

members – 12 min read

[12 Feb: 🇩🇰 DPA webinar coming up!] [29 Jan: 🇩🇰 DPA applies dreaded EDPB Opinion and signal enforcement change. Must-read for 🇩🇰 folks but crucial to everyone using 🇺🇸 processors] Datatilsynet's landmark decision of 2022 to ban certain use of Google products and US transfers.

Feb 13, 2026

Events 2026

members – 6 min read

What's cooking in 2026? Several events added for the national DPO associations.

Feb 12, 2026

GDPR 2.0 - Digital Omnibus

members – 24 min read

11 Feb: EDPB & EDPS Joint Opinion ready! | Digital Omnibus: COM's proposal to simplify AI, cybersecurity and (personal) data rules to "save businesses up to €5bn by 2029".

Feb 11, 2026

EDPB Plenary meeting agendas and minutes

members – 10 min read

Agenda for 20 Jan and 10-11 Feb: EDPB & EDPS Digital Omnibus Joint Opinion due soon | New Joint Opinion on the European Biotech Act proposal | CEF erasure report | Privacy risks for EU citizens travelling to third countries (🇺🇸?) | Latest minutes: 2-3 Dec 2025

Feb 6, 2026

National DPA news

members – 6 min read

🇳🇴 Datatilsynet initiates comprehensive audit of every municipality's security measures.

Jan 28, 2026

Adequacy decisions

members – 4 min read

On 26 Jan, 🇪🇺🇧🇷 COM & Brazil adopted mutual adequacy decisions, allowing businesses, public authorities and researchers to freely exchange data.

Jan 27, 2026

noyb 🇦🇹 DPA Microsoft 365 Education complaints

members – 2 min read

[update – another win!] In 2024, noyb lodged two complaints against Microsoft's 365 Education platform on 1) lack of transparency and insufficient information, and 2) invasive and illegal cookie tracking of kids in schools. The Austrian DPA sided with noyb in both cases.

Jan 27, 2026

Your OSS for the EU-US DPF

public – 8 min read

EDPB shares updated DFP docs – added nuance on transfer of HR Data.

Jan 26, 2026

CJEU C-413/23 P EDPS v SRB (Concept of personal data) 4 Sep 2025 – Case closed!

members – 6 min read

Pseudonymised data isn’t always personal in every case to everyone – but measures must be effective. Comments are personal by nature – no need to assess content, purpose or effects. Whether a person can be identified must be assessed from the controller’s perspective, when collecting the data.

Jan 26, 2026

CJEU C-604/22 IAB Europe TC String 7 Mar 2024

members – 6 min read

[9 Jan: DPA must reassess] GDPR definitions are broad: information = personal data if someone can be identified using third-party data. Joint controllership doesn’t automatically cover further processing, but you are one if you set binding rules and jointly decide purposes and means.

Jan 23, 2026

DPO Hub 2.0 from 1 April

members – 3 min read

NB! If you'd like to keep access and get the 💰 Founding rate from 1 April, reply to my email. You can still purchase access later, though at a different rate. DPO Hub runs as normal until 31 March and then your subscription ends automatically. If you pre-paid for longer, you'll be refunded pro rata.

Jan 19, 2026

CJEU C-621/22 KNLTB (legitimate interests) 4 Oct 2024

members – 3 min read

Under Article 6(1)(f) you can disclose personal data for a commercial interest if the processing is strictly necessary and not outweighed by the data subjects' interests, rights or freedoms. The interest doesn't have to be determined by law, but it must be lawful. And CJEU nudges consent again.

Jan 19, 2026