EU–U.S. Data Privacy Framework Survives Its First Major Test in Ruling by the EU General Court

Few topics in data protection spark as much debate as the transfer of personal data to the U.S. This issue has been at the centre of GDPR case law and regulatory guidance for years, with the Court of Justice of the European Union (CJEU) and regulators such as the European Data Protection Board (EDPB) frequently […]
Swedish DPA: Systematic Alcohol Tests May Qualify as Health Data

The Swedish DPA (IMY) has issued two decisions concerning the routine use of alcohol breath tests conducted on vessel captains operating within the regionally procured public transportation system in Stockholm. The tests were carried out systematically before and after each work shift, targeting personnel in safety-critical positions. Both the transport operator and the regional public […]
Commission Publishes Fourth Omnibus Proposal: Includes changes to record-keeping obligations under GDPR

The European Commission has today (21 May 2025) published its Fourth Omnibus Proposal, introducing targeted amendments, including changes to maintaining a Record of Processing Activities (ROPA) under Article 30 GDPR. These proposed changes align closely with the EDPB-EDPS joint letter of 8 May 2025 and confirm the Commission’s intent to change obligations relating to ROPA. […]
Opinion: EU Letter Hints at Potential Major Shift in GDPR Record-Keeping Obligations

The European Commission is preparing a proposal to simplify GDPR record-keeping obligations, specifically those related to the Record of Processing Activities (ROPA). This was recently hinted at in a joint letter from the EDPB and EDPS dated 8 May 2025. While the proposal has not yet been published and nothing is final, the letter provides […]
EDPB Supports Six-Month Extension of UK Data Adequacy Decisions Until December 2025

The European Data Protection Board (EDPB) has approved a six-month extension of the EU’s data adequacy decisions for the United Kingdom. These decisions, which allow personal data to be transferred from the EU to the UK, were due to expire on 27 June 2025. They will now remain valid until 27 December 2025. The […]
EU Set to Approve First-Ever GDPR Adequacy Decision for an International Organisation

In a landmark move for international data transfers, the European Data Protection Board (EDPB) has endorsed the European Commission’s draft adequacy decision recognising the European Patent Organisation (EPO) as offering an adequate level of personal data protection. This is the first time such a decision concerns an international organisation rather than a country or territory. […]
Swedish DPA Issues First Decisions on Cookie Banners Under the GDPR

The Swedish Authority for Privacy Protection (IMY) has, for the first time, issued decisions specifically concerning cookie banners under the GDPR. The three cases examine how organisations inform users about and obtain consent for cookies that involve the processing of personal data, including for purposes such as profiling and targeted advertising. IMY found that none […]
Swedish DPA Sends Questionnaire to 20 Organisations About the Right to Erasure

The Swedish Authority for Privacy Protection (IMY) is sending a questionnaire to 20 large organisations in both the public and private sectors to examine how they handle personal data deletion requests. This is part of a Europe-wide initiative led by the European Data Protection Board, involving 32 data protection supervisory authorities. IMY has deliberately selected […]
The Swedish Consumer Agency initiates audits against over 50 influencers and advertisers

The Swedish Consumer Agency (Sw. Konsumentverket) has announced that it has initiated audits against over 50 influencers and advertisers. According to the agency, many influencers fail to clearly label promotional content, thereby violating marketing laws and placing young audiences—who are particularly vulnerable to subtle advertising—at risk. Advertisers who engage these influencers are also under review. […]
EDPB Publishes Draft Guidelines on Blockchains

The European Data Protection Board (EDPB) has published its draft Guidelines 02/2025 on the processing of personal data through blockchain technologies. The guidelines aim to clarify how GDPR applies to blockchain-based data processing. The document is currently open for public consultation and may be subject to change before final adoption. Key excerpts from the draft […]