Your OSS for the EU-US DPF
public
–
8 min read
EDPB shares updated DFP docs – added nuance on transfer of HR Data.
CJEU C-413/23 P EDPS v SRB (Concept of personal data) 4 Sep 2025 – Case closed!
members
–
6 min read
Pseudonymised data isn’t always personal in every case to everyone – but measures must be effective. Comments are personal by nature – no need to assess content, purpose or effects. Whether a person can be identified must be assessed from the controller’s perspective, when collecting the data.
CJEU C-604/22 IAB Europe TC String 7 Mar 2024
members
–
6 min read
[9 Jan: DPA must reassess] GDPR definitions are broad: information = personal data if someone can be identified using third-party data. Joint controllership doesn’t automatically cover further processing, but you are one if you set binding rules and jointly decide purposes and means.
DPO Hub 2.0 from 1 April
members
–
3 min read
NB! If you'd like to keep access and get the 💰 Founding rate from 1 April, reply to my email. You can still purchase access later, though at a different rate. DPO Hub runs as normal until 31 March and then your subscription ends automatically. If you pre-paid for longer, you'll be refunded pro rata.
CJEU C-621/22 KNLTB (legitimate interests) 4 Oct 2024
members
–
3 min read
Under Article 6(1)(f) you can disclose personal data for a commercial interest if the processing is strictly necessary and not outweighed by the data subjects' interests, rights or freedoms. The interest doesn't have to be determined by law, but it must be lawful. And CJEU nudges consent again.
Norway DPA orders Helseplattformen to rectify shortcomings
members
–
3 min read
Weird DPA conclusion on controller's responsibility 🤔, will wait for the final decision | 🇳🇴 Datatilsynet notifies Helseplattformen of their intent to order fixes to serious organisational and (less serious) technical deficiencies.
Best of 2025 and what's coming in 2026
members
–
3 min read
Enjoy the quiet period ahead to catch up on must-reads from 2025 and prepare for 2026. Check out who won the 🏆 DPO Hub Community Member of the Year Award and don't miss your special Founding rate if you decide to keep your DPO Hub access from 1 April. 💰
New SCCs on public consultation (delayed again)
members
–
1 min read
Latest: The consultations for new SCCs (third-country importers directly subject to the GDPR) announced in Sep 2024, are now delayed to Q1 2026. 🧐
CJEU C-422/24 Storstockholms Lokaltrafik 18 Dec 2025
members
–
3 min read
If public transport ticket inspectors process personal data using body cams, they must inform data subjects under Article 13 – not Article 14 – because the data's collected directly from the data subject.
EDPB meeting minutes 16 Oct and 4 Nov 2025
members
–
2 min read
2 x meeting minutes today! 🚨 Guidelines: Joint AI Act ↔ EU data protection law interplay; Political advertisements; Web scraping in the context of generative AI | 🚨 Irish, French & Dutch DPAs investigate data brokers | 🇧🇷 & 🇬🇧 adequacy decisions
CJEU C-492/23 Russmedia Digital and Inform Media Press 2 Dec 2025
members
–
5 min read
🧨 CJEU rules contrary to the AG: marketplace operators are *controllers* for ads data instead. This has major implications for marketplaces. (And what about DSA?) Also check out CJEU's recorded debrief with President Lenaerts.
'Pay or OK' – 'Consent or Pay' resources
members
–
5 min read
Meta to launch new model in Jan | ICO shares guidance for the public