Rie Aleksandra - DPO Hub

DPO Hub 2.0 from 1 April

members – 3 min read

NB! If you'd like to keep access and get the 💰 Founding rate from 1 April, reply to my email. You can still purchase access later, though at a different rate. DPO Hub runs as normal until 31 March and then your subscription ends automatically. If you pre-paid for longer, you'll be refunded pro rata.

Jan 19, 2026

CJEU C-621/22 KNLTB (legitimate interests) 4 Oct 2024

members – 3 min read

Under Article 6(1)(f) you can disclose personal data for a commercial interest if the processing is strictly necessary and not outweighed by the data subjects' interests, rights or freedoms. The interest doesn't have to be determined by law, but it must be lawful. And CJEU nudges consent again.

Jan 19, 2026

EDPB meeting agendas and minutes

members – 10 min read

[[New post format]] Minutes for 2-3 Dec 2025 + agenda for 15 Jan 2026 | 🇪🇺🇺🇸 DPF docs update | EDPB & EDPS Digital Omnibus Joint Opinion due Feb – and new personal data definition concerns | SPE legitimate interest digest | 🇫🇷 CNIL FantomApp

Jan 18, 2026

Norway DPA orders Helseplattformen to rectify shortcomings

members – 3 min read

Weird DPA conclusion on controller's responsibility 🤔, will wait for the final decision | 🇳🇴 Datatilsynet notifies Helseplattformen of their intent to order fixes to serious organisational and (less serious) technical deficiencies.

Jan 14, 2026

National DPA news

members – 5 min read

DPA's 2026 focus areas starting to trickle in – first out is 🇩🇰!

Jan 14, 2026

Data breaches

members – 3 min read

❌ Norwegian DPA with incorrect breach "requirement" | 🇳🇴 DPA with significant breach page change | Upcoming topic page for breaches, prompted by EDPB's summary document. Links so far: Denmark, Finland, France, Greece, Ireland, Italy, Norway, Spain, Sweden, ICO, EDPB, EDPS, EC.

Jan 14, 2026

CJEU C-604/22 IAB Europe TC String 7 Mar 2024

members – 7 min read

[9 Jan: DPA must reassess] GDPR definitions are broad: information = personal data if someone can be identified using third-party data. Joint controllership doesn’t automatically cover further processing, but you are one if you set binding rules and jointly decide purposes and means.

Jan 13, 2026

Best of 2025 and what's coming in 2026

members – 3 min read

Enjoy the quiet period ahead to catch up on must-reads from 2025 and prepare for 2026. Check out who won the 🏆 DPO Hub Community Member of the Year Award and don't miss your special Founding rate if you decide to keep your DPO Hub access from 1 April. 💰

Jan 8, 2026

New SCCs on public consultation (delayed again)

members – 1 min read

Latest: The consultations for new SCCs (third-country importers directly subject to the GDPR) announced in Sep 2024, are now delayed to Q1 2026. 🧐

Jan 7, 2026

Events 2026

members – 6 min read

What's cooking in 2026? Several events added for the national DPO associations.

Dec 20, 2025

CJEU C-422/24 Storstockholms Lokaltrafik 18 Dec 2025

members – 3 min read

If public transport ticket inspectors process personal data using body cams, they must inform data subjects under Article 13 – not Article 14 – because the data's collected directly from the data subject.

Dec 18, 2025

Privacy, data protection & security legal landscape

members – 8 min read

COM shares CRA FAQ 3 Dec | ✅ Procedural rules on GDPR enforcement Regulation effective 12 Dec | COM fines X €120m under DSA | Political ads Regulation Article 13(6) public consultation planned Q2 2026 | CSAM Regulation: Council agrees position – next is negotiations with Parliament.

Dec 12, 2025