transfers - DPO Hub

Your OSS for the EU-US DPF

public – 6 min read

Time to get your exit strategy in place: 🇳🇴 and 🇸🇪 DPAs US transfer guidance (should-read). Feb news: Microsoft "completes EU Data Boundary". 2024: EDPB adopts first review report. EC publishes first review report, concluding the DPF 'functions effectively'. New review in 3 years.

Mar 7, 2025

CNIL shares transfer impact assessment (TIA) practical template

members – 1 min read

💬 "CNIL TIA template is one of the best templates available to the public!"

Feb 1, 2025

CJEU GC EUDPR T‑354/22 Bindl v Commission 8 Jan 2025

members – 2 min read

The CJEU's General Court orders the European Commission to pay €400 in non-material damages for US transfers made in March 2022, when no adequacy decision or alternative safeguard was in place. Expect an appeal!

Jan 10, 2025

EDPS: the European Commission's use of MS365 is non-compliant

members – 10 min read

10 Dec: EC submits compliance report. (Both parties sought annulment in July, so stay tuned!) After the EDPS' second investigation into the EC's use of Microsoft 365, they found (again) several serious EUDPR violations, notably related to purpose limitation and transfers, which are still ongoing.

Dec 11, 2024

EDPB Guidelines 2/2024 Article 48 (public consultation)

members – 4 min read

EDPB Guidelines on Article 48 covering official requests from third country public authorities for personal data transfers.

Dec 6, 2024

Major news: 🇪🇺 EUC launched new SCCs public consultation

members – 1 min read

At last, the moment we've been dreading and waiting for: the European Commission has taken a step towards new SCCs for transfers where the importer is in a third country and directly subject to the GDPR. Planned for Q2 2025.

Sep 12, 2024

Denmark Google Workspace for Education Chromebook case (Helsingørgate)

members – 9 min read

[15 July: Municipalities complies with Jan order + 🚨 DPA asks for EDPB opinion on the scope of a controller's documentation obligations regarding a processor's use of sub-processors] The Danish DPA's landmark decision of 2022 to ban certain use of Google products and US transfers, is still ongoing.

Jul 15, 2024

EU and Japan conclude "landmark deal on cross-border data flows"

members – 1 min read

🇪🇺 & 🇯🇵 agree cross-border data flows agreement which complement their existing adequacy arrangement.

May 2, 2024

EDPB clarifies implementation DPF redress mechanisms

members – 1 min read

📝 The EDPB clarifies implementation of the Data Protection.. errrr, I mean *Privacy* Framework redress mechanisms!

Apr 24, 2024

CJEU C-101/01 Bodil Lindqvist 6 Nov 2003

members – 4 min read

A key (Directive 95/46/EC) ruling broadly interpreting key definitions (personal and health data, processing) and narrowly applied exceptions, but found that simply putting a website online doesn't necessarily result in transfers.

Apr 9, 2024

🔥 Swedish Tax Agency greenlights (?) US cloud services

members – 2 min read

Following the EU-US DPF, the 🇸🇪 Tax Agency approves using Microsoft Office 365 and Teams. Despite emphasising that everyone must do their own assessments, I'd say this could strengthen your own cloud services assessments.

Mar 22, 2024

Denmark DPA orders municipalities to ensure Google-sharing compliance

members – 1 min read

🔥 Danish DPA with new decision in their Helsingørgate/Chromebook case!

Jan 30, 2024