Adequacy decisions
members
–
4 min read
On 26 Jan, 🇪🇺🇧🇷 COM & Brazil adopted mutual adequacy decisions, allowing businesses, public authorities and researchers to freely exchange data.
noyb 🇦🇹 DPA Microsoft 365 Education complaints
members
–
2 min read
[update – another win!] In 2024, noyb lodged two complaints against Microsoft's 365 Education platform on 1) lack of transparency and insufficient information, and 2) invasive and illegal cookie tracking of kids in schools. The Austrian DPA sided with noyb in both cases.
Your OSS for the EU-US DPF
public
–
8 min read
EDPB shares updated DFP docs – added nuance on transfer of HR Data.
CJEU C-413/23 P EDPS v SRB (Concept of personal data) 4 Sep 2025 – Case closed!
members
–
6 min read
Pseudonymised data isn’t always personal in every case to everyone – but measures must be effective. Comments are personal by nature – no need to assess content, purpose or effects. Whether a person can be identified must be assessed from the controller’s perspective, when collecting the data.
CJEU C-604/22 IAB Europe TC String 7 Mar 2024
members
–
6 min read
[9 Jan: DPA must reassess] GDPR definitions are broad: information = personal data if someone can be identified using third-party data. Joint controllership doesn’t automatically cover further processing, but you are one if you set binding rules and jointly decide purposes and means.
DPO Hub 2.0 from 1 April
members
–
3 min read
NB! If you'd like to keep access and get the 💰 Founding rate from 1 April, reply to my email. You can still purchase access later, though at a different rate. DPO Hub runs as normal until 31 March and then your subscription ends automatically. If you pre-paid for longer, you'll be refunded pro rata.
CJEU C-621/22 KNLTB (legitimate interests) 4 Oct 2024
members
–
3 min read
Under Article 6(1)(f) you can disclose personal data for a commercial interest if the processing is strictly necessary and not outweighed by the data subjects' interests, rights or freedoms. The interest doesn't have to be determined by law, but it must be lawful. And CJEU nudges consent again.
Norway DPA orders Helseplattformen to rectify shortcomings
members
–
3 min read
Weird DPA conclusion on controller's responsibility 🤔, will wait for the final decision | 🇳🇴 Datatilsynet notifies Helseplattformen of their intent to order fixes to serious organisational and (less serious) technical deficiencies.
Best of 2025 and what's coming in 2026
members
–
3 min read
Enjoy the quiet period ahead to catch up on must-reads from 2025 and prepare for 2026. Check out who won the 🏆 DPO Hub Community Member of the Year Award and don't miss your special Founding rate if you decide to keep your DPO Hub access from 1 April. 💰
New SCCs on public consultation (delayed again)
members
–
1 min read
Latest: The consultations for new SCCs (third-country importers directly subject to the GDPR) announced in Sep 2024, are now delayed to Q1 2026. 🧐
CJEU C-422/24 Storstockholms Lokaltrafik 18 Dec 2025
members
–
3 min read
If public transport ticket inspectors process personal data using body cams, they must inform data subjects under Article 13 – not Article 14 – because the data's collected directly from the data subject.
Privacy, data protection & security legal landscape
members
–
8 min read
COM shares CRA FAQ 3 Dec | ✅ Procedural rules on GDPR enforcement Regulation effective 12 Dec | COM fines X €120m under DSA | Political ads Regulation Article 13(6) public consultation planned Q2 2026 | CSAM Regulation: Council agrees position – next is negotiations with Parliament.