transfers - DPO Hub

Binding Corporate Rules (BCRs)

members – 1 min read

The EDPB has updated the cooperation procedure for BCR approvals, detailing the roles of lead DPAs, review phases and the EDPB’s opinion process. 💡 This document replaces WP263rev.01.

Mar 20, 2025

Adequacy decisions

members – 1 min read

Latest: The Commission proposes to extend the UK's adequacy decisions until 27 December to allow time to complete the legislative process. Next up is EDPB's review.

Mar 19, 2025

CJEU GC EUDPR T‑354/22 Bindl v Commission 8 Jan 2025

members – 2 min read

Latest: The case has been appealed! The CJEU's General Court orders the European Commission to pay €400 in non-material damages for US transfers made in March 2022, when no adequacy decision or alternative safeguard was in place.

Mar 19, 2025

New SCCs on public consultation

members – 1 min read

Latest: The public consultations for new SCCs (third-country importers directly subject to the GDPR), announced in Sep 2024, are delayed from Q2 to Q3 2025. 🤔

Mar 19, 2025

Your OSS for the EU-US DPF

public – 7 min read

Time for an exit strategy? Must-read US transfer guidance from Datatilsynet (x2) and IMY. And we're discussing EEA alternatives in the Community. February update: Microsoft "completes EU Data Boundary".

Mar 8, 2025

CNIL shares transfer impact assessment (TIA) practical template

members – 1 min read

💬 "CNIL TIA template is one of the best templates available to the public!"

Feb 1, 2025

EDPS: the European Commission's use of MS365 is non-compliant

members – 10 min read

10 Dec: EC submits compliance report. (Both parties sought annulment in July, so stay tuned!) After the EDPS' second investigation into the EC's use of Microsoft 365, they found (again) several serious EUDPR violations, notably related to purpose limitation and transfers, which are still ongoing.

Dec 11, 2024

EDPB Guidelines 2/2024 Article 48 (public consultation)

members – 4 min read

EDPB Guidelines on Article 48 covering official requests from third country public authorities for personal data transfers.

Dec 6, 2024

Denmark Google Workspace for Education Chromebook case (Helsingørgate)

members – 9 min read

[15 July: Municipalities complies with Jan order + 🚨 DPA asks for EDPB opinion on the scope of a controller's documentation obligations regarding a processor's use of sub-processors] The Danish DPA's landmark decision of 2022 to ban certain use of Google products and US transfers, is still ongoing.

Jul 15, 2024

EU and Japan conclude "landmark deal on cross-border data flows"

members – 1 min read

🇪🇺 & 🇯🇵 agree cross-border data flows agreement which complement their existing adequacy arrangement.

May 2, 2024

EDPB clarifies implementation DPF redress mechanisms

members – 1 min read

📝 The EDPB clarifies implementation of the Data Protection.. errrr, I mean *Privacy* Framework redress mechanisms!

Apr 24, 2024

CJEU C-101/01 Bodil Lindqvist 6 Nov 2003

members – 4 min read

A key (Directive 95/46/EC) ruling broadly interpreting key definitions (personal and health data, processing) and narrowly applied exceptions, but found that simply putting a website online doesn't necessarily result in transfers.

Apr 9, 2024