EDPB Publishes Draft Guidelines on Blockchains
The European Data Protection Board (EDPB) has published its draft Guidelines 02/2025 on the processing of personal data through blockchain technologies. The guidelines aim to clarify how GDPR applies to blockchain-based data processing. The document is currently open for public consultation and may be subject to change before final adoption. Key excerpts from the draft […]
European Commission adopts Decision (EU) 2025/628 laying down internal rules for its data processing activities under the enforcement of the DSA
On 31 March 2025, the European Commission adopted a decision establishing internal rules relating to the Commission’s processing of personal data for purposes such as supervision, investigation, enforcement and monitoring under Regulation (EU) 2022/2065, known as the Digital Services Act (DSA). The decision applies to data subjects such as suspects, victims, whistleblowers, informants, witnesses, and […]
Swedish DPA Initiates Audits on Providers of Online Criminal Offence Databases Following Supreme Court Ruling
The Swedish Authority for Privacy Protection (IMY) has announced that it has initiated audits against Legal Newsdesk Sweden AB (Lexbase.se) and Fuplex AB (krimfup.se) – two Swedish companies with publication certificates that provide searchable databases with information on criminal offences. Following complaints to IMY about certain services that publish personal data, in particular about criminal […]
Swedish DPA Outlines 2025 Priorities for Supervision and Regulatory Guidance
Following the Swedish DPA’s (IMY) announcement in its 2024 annual report to adopt a more risk-based approach to supervision, IMY has now identified five key areas for 2025. These priorities aim to provide clearer regulatory guidance and strengthen enforcement efforts. These five focus areas include: You can find the full report here (in Swedish only).
New Swedish Camera Surveillance Rules Take Effect on 1 April 2025
As of 1 April 2025, new rules will apply for the Swedish Camera Surveillance Act (2018:1200). The new rules will simplify camera surveillance procedures for businesses and organizations in Sweden. The most significant change is the removal of the requirement to obtain a permit from the Swedish Authority for Privacy Protection (IMY) for camera surveillance […]
US Data Transfers in the Trump Era – What’s Not Said Can Be Just as Important
Here we go again… Over the past few weeks, changes introduced by the new U.S. administration have had a significant impact—too many to cover in a short post, but I’m sure most of you are aware. One of the effects of these changes is a shift in EU-U.S. relations, and unfortunately, not in a positive […]
EDPB Launches 2025 Coordinated Action on Right to Erasure
The European Data Protection Board (EDPB) has launched its 2025 Coordinated Enforcement Framework (CEF) action, focusing on the enforcement of the right to erasure under Article 17 GDPR. This initiative follows the 2024 action on the right of access and aims to assess how organizations handle requests to delete personal data. The Swedish Authority for […]
Swedish Supreme Court’s Landmark Decision on Public Disclosure of Criminal Judgments
The Swedish Supreme Court has issued two significant decisions on the public disclosure of criminal judgments, emphasizing the precedence of the GDPR over Sweden’s constitutional laws relating to public access to information. Click here to read the court decisions (in Swedish only). Background The first case involved a news agency that requested a large number […]
Swedish DPA Publishes Annual Report for 2024
The Swedish Authority for Privacy Protection (IMY) has published their annual report for 2024. IMY reported an increase in both the number of audits initiated and completed in 2024 compared to the previous year. The majority of these audits were triggered by individual complaints. Six administrative sanctions totalling approximately 60.5 million SEK were issued by […]
Swedish Guidelines on Data Protection Impact Assessments
The Swedish Authority for Privacy Protection (IMY) has provided guidance on conducting Data Protection Impact Assessments (DPIAs) for organizations processing personal data under the GDPR. The goal is to simplify the DPIA process and reduce uncertainty about the steps involved and how the regulations should be interpreted. The guidance includes a practical guide outlining a […]