Your OSS for the EU-US DPF
public
–
7 min read
On 3 Sep 2025, the General Court dismissed Latombe's action for annulment – and the EU-US DPF is safe for now. Expect an appeal, though!
Lawfulness: Legitimate interests
members
–
2 min read
v1 of the legitimate interest topic page is ready, with key resources, CJEU rulings and DPA guidance - though only from ICO, CNIL, Datatilsynet and IMY. Have anything to share from your country? Submit your contribution and earn a gold star!
EDPB CEF 2025: Right to erasure (right to be forgotten)
members
–
2 min read
Updated 5 Mar 2025: Press release announcing the formal launch. The right to erasure is one of the most frequently exercised GDPR rights and a major source of DPA complaints. This CEF action aims to assess how controllers have implemented it in practice.
CJEU C-638/23 Amt der Tiroler Landesregierung 27 Feb 2025
members
–
2 min read
An entity without legal personality can be a controller if it can fulfil those obligations and national law at least implicitly defines the processing scope; it doesn’t need to precisely specify processing activities or purpose.
Rights: Access (DSAR, Right of access)
members
–
3 min read
[Latest: C-203/22 Dun & Bradstreet, updated elements table.] Got a DSAR? Start here for all things right of access: Article 15 elements table, DSAR flowchart and key CJEU rulings.
The Coordinated Supervision Committee (CSC)
members
–
2 min read
New Activities report (likely irrelevant for most). The CSC brings together DPAs and the EDPS to coordinate supervision of large-scale IT systems (e.g. IMI, Europol, SIS, Eurojust) and EU bodies under the EUDPR or relevant EU laws.
Member memos
members
–
32 min read
Important update: Member memos have moved to the DPO Hub Community (separate platform). If you’re not a member yet, reply to the last email update to request an invite, as the link isn’t shared publicly.
Dealing with access requests in practice
members
–
3 min read
Recommendations on how to deal with the Right of access - DSARs - in practice (with grumpy DSARs checklist).
EDPB meeting minutes 16 jan 2025
members
–
1 min read
Anonymisation Guidelines coming (no date yet), Revised DPO Guidelines due Q2 2026, IAB Europe TC String 🇧🇪 national ruling due 19 March, New Support Pool of Experts report: AI bias and data subjects’ rights.
EDPB meeting minutes 17 Dec 2024
members
–
1 min read
No big news - summary of their AI models Opinion discussion (where, interestingly, one EU member voted against adoption). You can safely skip this update.
Sweden DPA: DPIA practical guidance
members
–
1 min read
IMY has shared a DPIA guide, primarily for those with little or no experience. It sets out a clear 10-step process for conducting an "acceptable" DPIA, to be used alone or with their templates. Grab the documents here (Swedish and DeepL translation).
EDPB Guidelines 1/2025 Pseudonymisation (public consultation)
members
–
1 min read
The EDPB's recently shared pseudonymisation guidelines are on public consultation until 28 Feb. Today they've also shared a handy diagram.