New Government Inquiry May Broaden Swedish Employers’ Right to Background Checks, But Legislative Reform Will Likely Take Years
Background checks that involve criminal convictions and offences (i.e. personal data subject to Article 10 GDPR) have historically been difficult to process by Swedish employers. This has been particularly challenging in the private sector. The legal barriers to conduct background checks have increased due to recent developments in case law, such as the Swedish Supreme […]
No Revolution in Sight: EU Court Upholds Narrow Interpretation on Pseudonymised Data
On 4 September 2025, the Court of Justice of the European Union (CJEU) delivered its judgment in Case C-413/23 P, European Data Protection Supervisor (EDPS) v. Single Resolution Board (SRB), clarifying when pseudonymised data may fall outside the scope of EU data protection law. The CJEU confirmed that pseudonymisation can, in principle, result in data […]
EU–U.S. Data Privacy Framework Survives Its First Major Test in Ruling by the EU General Court
Few topics in data protection spark as much debate as the transfer of personal data to the U.S. This issue has been at the centre of GDPR case law and regulatory guidance for years, with the Court of Justice of the European Union (CJEU) and regulators such as the European Data Protection Board (EDPB) frequently […]
Swedish DPA: Systematic Alcohol Tests May Qualify as Health Data
The Swedish DPA (IMY) has issued two decisions concerning the routine use of alcohol breath tests conducted on vessel captains operating within the regionally procured public transportation system in Stockholm. The tests were carried out systematically before and after each work shift, targeting personnel in safety-critical positions. Both the transport operator and the regional public […]
Commission Publishes Fourth Omnibus Proposal: Includes changes to record-keeping obligations under GDPR
The European Commission has today (21 May 2025) published its Fourth Omnibus Proposal, introducing targeted amendments, including changes to maintaining a Record of Processing Activities (ROPA) under Article 30 GDPR. These proposed changes align closely with the EDPB-EDPS joint letter of 8 May 2025 and confirm the Commission’s intent to change obligations relating to ROPA. […]
Opinion: EU Letter Hints at Potential Major Shift in GDPR Record-Keeping Obligations
The European Commission is preparing a proposal to simplify GDPR record-keeping obligations, specifically those related to the Record of Processing Activities (ROPA). This was recently hinted at in a joint letter from the EDPB and EDPS dated 8 May 2025. While the proposal has not yet been published and nothing is final, the letter provides […]
EDPB Supports Six-Month Extension of UK Data Adequacy Decisions Until December 2025
The European Data Protection Board (EDPB) has approved a six month extension of the EU’s data adequacy decisions for the United Kingdom. These decisions, which allow personal data to be transferred from the EU to the UK, were due to expire on 27 June 2025. They will now remain valid until 27 December 2025. The […]
EU Set to Approve First-Ever GDPR Adequacy Decision for an International Organisation
In a landmark move for international data transfers, the European Data Protection Board (EDPB) has endorsed the European Commission’s draft adequacy decision recognising the European Patent Organisation (EPO) as offering an adequate level of personal data protection. This is the first time such a decision concerns an international organisation rather than a country or territory. […]
Swedish DPA Issues First Decisions on Cookie Banners Under the GDPR
The Swedish Authority for Privacy Protection (IMY) has, for the first time, issued decisions specifically concerning cookie banners under the GDPR. The three cases examine how organisations inform users about and obtain consent for cookies that involve the processing of personal data, including for purposes such as profiling and targeted advertising. IMY found that none […]
Swedish DPA Sends Questionnaire to 20 Organisations About the Right to Erasure
The Swedish Authority for Privacy Protection (IMY) is sending a questionnaire to 20 large organizations in both the public and private sectors to examine how they handle personal data deletion requests. This is part of a Europe-wide initiative led by the European Data Protection Board, involving 32 data protection supervisory authorities. IMY has deliberately selected […]