transfers - DPO Hub

Adequacy decisions

members – 3 min read

5 Nov: EDPB Opinion on 🇧🇷 Brazil draft adequacy decision – up next: Member States reps approval and EP "right of scrutiny" | 20 Oct: EDPB adopts opinions on UK GDPR & LED | 16 Sep: Republic of Korea EU adequacy decision.

Nov 5, 2025

CJEU T-553/23 Latombe v Commission 3 Sep 2025

members – 4 min read

🔥 Latombe to appeal! New CJEU case number: C-703/25 P | "The General Court dismisses the action for annulment" and the EU-US DPF remains valid.

Oct 31, 2025

Your OSS for the EU-US DPF

public – 7 min read

EDPS opines on EU-US data exchanges for security screenings and identity verifications | The General Court dismissed Latombe's action for annulment – and the EU-US DPF is safe for now.

Sep 23, 2025

EDPS audit of the Commission's MS365 use

members – 11 min read

28 July: EDPS closes its investigation into the European Commission’s use of Microsoft 365, now deeming it compliant after previously finding serious EUDPR violations, notably on purpose limitation and international transfers.

Jul 29, 2025

🇮🇪 DPC fines TikTok €530m for China transfers

members – 3 min read

10 July: DPC launches new investigation into China transfers. Earlier: transparency breach by failing to disclose the third countries involved and didn't explain the nature of the transfers in its privacy policy --> get compliant in six months or stop the transfers (but order paused until Oct).

Jul 22, 2025

CNIL shares transfer impact assessment (TIA) practical template

members – 2 min read

NB: On 9 July, CNIL appears to have updated the webpage with that date, though there don’t seem to be any actual changes – and the PDFs are still from January. Either way, here’s a quick reminder! 💬 "CNIL TIA template is one of the best templates available to the public!"

Jul 22, 2025

EDPB Guidelines 2/2024 Article 48

members – 5 min read

Update 4 Jul: EDPB shared high-res diagram! Earlier: I've reviewed the final version – mostly clarifications and my annotations on the public consultation one are still valid | EDPB Guidelines on Article 48 covering official requests from third country public authorities for personal data transfers.

Jul 4, 2025

Binding Corporate Rules (BCRs)

members – 1 min read

The EDPB has updated the cooperation procedure for BCR approvals, detailing the roles of lead DPAs, review phases and the EDPB’s opinion process. 💡 This document replaces WP263rev.01.

Mar 20, 2025

CJEU GC EUDPR T‑354/22 Bindl v Commission 8 Jan 2025

members – 2 min read

[19 March: The case is appealed.] The CJEU's General Court orders the European Commission to pay €400 in non-material damages for US transfers made in March 2022, when no adequacy decision or alternative safeguard was in place.

Mar 19, 2025

New SCCs on public consultation

members – 1 min read

Latest: The public consultations for new SCCs (third-country importers directly subject to the GDPR), announced in Sep 2024, are delayed from Q2 to Q3 2025. 🤔

Mar 19, 2025

EDPB letter to the Commission on its review of 11 DPD adequacy decisions

members – 1 min read

EDPB Chair Anu Talus writes the Commissioner for Justice on the Commission's review of 11 adequacy decisions adopted under Directive 95/46/EC for: Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay. And isn't entirely happy.

Dec 6, 2024

Denmark Google Workspace for Education Chromebook case (Helsingørgate)

members – 9 min read

[15 July: Municipalities complies with Jan order + 🚨 DPA asks for EDPB opinion on the scope of a controller's documentation obligations regarding a processor's use of sub-processors] The Danish DPA's landmark decision of 2022 to ban certain use of Google products and US transfers, is still ongoing.

Jul 15, 2024