News

English Summary }}}} The DPA fined the Polish national postal operator €232k for a DPO conflict of interest. The DPO concurrently served as a Security Director and company proxy, effectively monitoring their own decisions regarding the means of data processing.The DPA fined the national postal operator €232,000 for appointing a DPO with a conflict of interest. The DPO concurrently served as a Security Director and representative of the controller, effectively monitoring their own decisions regar

Legal Text: Commentary ==Commentary====Commentary== Article 41 GDPR complements [[Article 40 GDPR]] by providing that compliance with any approved code of conduct must be monitored by an accredited body with the appropriate level of expertise in the sector covered by the code. Although the Data Protection Directive 95/46/EC (DPD) included a provision on codes of conduct (Article 27(1) DPD), this did not include any information on how compliance with such codes should be monitored. Accordingly, i

Juridische tekst: Toelichting ==Toelichting====Toelichting== Artikel 41 van de AVG vult [[Artikel 40 van de AVG]] aan door te bepalen dat de naleving van een goedgekeurd gedragscode moet worden gecontroleerd door een erkende instantie met het juiste niveau van expertise in de sector die door de code wordt bestreken. Hoewel de Richtlijn gegevensbescherming 95/46/EG (AVG) een bepaling bevatte over gedragscodes (artikel 27(1) AVG), bevatte deze geen informatie over hoe de naleving van dergelijke codes moest worden gecontroleerd. Daarom, i

Legal text: Explanation ==Explanation====Explanation== Article 41 of the GDPR supplements [[Article 40 of the GDPR]] by stipulating that compliance with an approved code of conduct must be monitored by a recognized body with the appropriate level of expertise in the sector covered by the code. While the Data Protection Directive 95/46/EC (GDPR) contained a provision regarding codes of conduct (article 27(1) GDPR), it did not provide information on how compliance with such codes should be monitored. Therefore, i

Brussels, 3 December - As part of its December’s plenary meeting, the European Data Protection Board (EDPB) held yesterday an online meeting with Commissioners and representatives of Data Protection Authorities (DPAs) from the countries and the organisation with an EU adequacy decision. This meeting marked the second of its kind, following the first gathering in October 2024. An adequacy decision is a key-mechanism in EU data protection legislation which allows free flow of personal data from Eu

Brussels, December 3rd - During its plenary meeting in December, the European Data Protection Board (EDPB) held an online meeting yesterday with commissioners and representatives from national data protection authorities (DPAs) from the countries and organizations that have made a decision regarding adequate protection within the EU. This meeting was the second of its kind, following the first meeting in October 2024. A decision on adequate protection is an important instrument in EU data protection legislation, enabling the free flow of personal data from within the EU.

Brussel, 3 december - Tijdens de plenaire vergadering van december heeft het Europees Comité voor gegevensbescherming (EDPB) gisteren een online bijeenkomst gehouden met commissarissen en vertegenwoordigers van nationale autoriteiten voor gegevensbescherming (DPAs) uit de landen en de organisatie die een besluit hebben over voldoende bescherming binnen de EU. Deze bijeenkomst was de tweede van dit soort, na de eerste bijeenkomst in oktober 2024. Een besluit over voldoende bescherming is een belangrijk instrument in de EU-wetgeving inzake gegevensbescherming, dat de vrije uitwisseling van persoonsgegevens mogelijk maakt vanuit de EU.

Brussel, 17 november - Het EDPB organiseert een online evenement om input van belanghebbenden te verzamelen over anonimisering en pseudonimisering, en over de implicaties van het vonnis van het Gerechtshof van de Europese Unie (HvEU) in de zaak EDPS tegen het Single Resolution Board (SRB). Het evenement zal plaatsvinden op 12 december 2025 (tijdstip volgt). Dit biedt een gelegenheid om het EDPB te informeren en te ondersteunen bij zijn lopende werk op deze onderwerpen, zoals uiteengezet in het werkprogramma 2024-2025, en het weerspiegelt de toewijding van het EDPB aan de betrokkenheid van belanghebbenden.

Brussels, November 17th - The European Data Protection Board (EDPB) is organizing an online event to gather input from stakeholders on the topics of anonymization and pseudonymization, and on the implications of the judgment of the General Court of the European Union (GC EU) in the case of EDPS vs. the Single Resolution Board (SRB). The event will take place on December 12, 2025 (time to be confirmed). This provides an opportunity to inform and support the EDPB in its ongoing work on these topics, as outlined in the 2024-2025 work program, and reflects the EDPB's commitment to stakeholder engagement.

Brussels, 17 November - The EDPB organises a remote event to collect stakeholders’ input on anonymisation and pseudonymisation on implications of the judgement of the Court of Justice of the European Union (CJEU) in EDPS v Single Resolution Board (SRB). The event will take place on 12 December 2025 (time to be confirmed). This will be an opportunity to inform and support the EDPB’s ongoing work on these topics as per its work programme 2024-2025 and it reflects the EDPB’s commitment to stakehold

Legislation.

We are one step closer to the ratification of Treaty 108+! On September 30th, the Dutch House of Representatives approved the treaty, including the motion proposed by members Kathmann and White regarding equal privacy protection throughout the Kingdom. This motion was also approved.

Legislation.

House of Representatives letter providing "Additional information following the debate on the law introducing the BSN [citizen service number] and digital government services for the Caribbean Netherlands" (May 19, 2025). Includes an architectural sketch of the BSN system for the Caribbean Netherlands.

Government.

Normally, I rarely draw attention to reports from written consultations in the House of Representatives, but this report deserves special attention: "Report on a written consultation regarding the results of an external research and risk analysis model (RAM)." For those who are interested, the attachments to this report include...

Government.

House of Representatives Documents II 2024–2025, 36 719, no. 2: Initiative note from members Ceder and Six Dijkstra regarding online children's rights. Three specific proposals are highlighted: (1) Develop a proof of concept for online age verification, (2) Introduce a "red button" for data deletion, (6) [The text is incomplete here].

The Court of Audit has sent a letter to the House of Representatives pointing out obstacles in the implementation of the General Data Protection Regulation (AVG) in the Netherlands. Implementing organizations are struggling with the AVG and this can lead to negative consequences for citizens. Recommendations are made to enable data sharing and pay attention to data sharing between implementers to prevent zoonoses and address healthcare fraud. The AVG provides room to process personal data, but t

A rundown of the fine on IAPP: https://iapp.org/news/a/a-rundown-of-the-greek-dpas-clearview-ai-fine-findings

Een overzicht van de boete die aan IAPP is opgelegd: https://iapp.org/news/a/a-rundown-of-the-greek-dpas-clearview-ai-fine-findings

De Commissie heeft met enthousiasme een recent Amerikaans besluit gesteund om een nieuw kader te implementeren ter bescherming van de privacy van persoonlijke gegevens die worden uitgewisseld tussen de VS en Europa. Dick Roche is het daar niet mee eens. https://iapp.org/news/a/the-redress-mechanism-in-the-privacy-shield-successor-on-the-independence-and-effective-powers-of-the-dprc/

The Commission has endorsed enthusiastically a recent US order to implement a new framework to protect the privacy of personal data shared between the US and Europe. Dick Roche begs to differ. https://iapp.org/news/a/the-redress-mechanism-in-the-privacy-shield-successor-on-the-independence-and-effective-powers-of-the-dprc/

Zelfvoorzienende identiteit is een technologie in een vroeg stadium van ontwikkeling, waarvan de voordelen voor vluchtelingen nog onzeker zijn. Het kan hen mogelijk meer autonomie geven, maar het riskeert ook de macht van staten en bedrijven ten opzichte van hen te versterken, zo stelt dit artikel.

Self-sovereign identity is an embryonic technology with uncertain benefits for refugees. It may help to empower them, but it also risks reinforcing the power of states and corporations over them, according to this article.

The European Digital Rights (EDRi) network published a position paper on the proposed Regulation on automated data exchange for police cooperation, known as “Prüm II”. This currently primarily consists of a data-sharing network (interlinking national DNA, fingerprint and vehicle registration databases). It foresees the expansion of the data-sharing network to the interconnection of facial images and, on a voluntary basis, “police records”. The position paper raises several critical issues of t

Het netwerk European Digital Rights (EDRi) heeft een position paper gepubliceerd over het voorgestelde Europees regelgevend kader voor geautomatiseerde gegevensuitwisseling ter bevordering van de samenwerking tussen politie, bekend als "Prüm II". Dit omvat momenteel voornamelijk een netwerk voor gegevensuitwisseling (waarbij nationale DNA-databases, vingerafdrukken en voertuigregistraties met elkaar worden verbonden). Het voorziet in een uitbreiding van dit netwerk, waarbij gezichtsherkenningstechnologie wordt toegevoegd en, op vrijwillige basis, "politiedossiers". Het position paper werpt verschillende belangrijke vragen op over...

The EDPB adopted a statement on the European Commission’s proposal for an EU Police Cooperation Code. This proposal aims to enhance law enforcement cooperation across Member States, in particular the information exchange between the competent authorities. The code is comprised of three main measures: proposal for a Prüm II Regulation, proposal for a Police Information Exchange Directive and the proposal for a Council Recommendation on operational police cooperation.

Het EDPB heeft een verklaring aangenomen over het voorstel van de Europese Commissie voor een EU-code voor politiële samenwerking. Dit voorstel heeft als doel de samenwerking op het gebied van handhaving van de wet tussen de lidstaten te verbeteren, met name de uitwisseling van informatie tussen de bevoegde autoriteiten. De code omvat drie belangrijke maatregelen: een voorstel voor een Prüm II-verordening, een voorstel voor een richtlijn over de uitwisseling van politiegegevens en een voorstel voor een aanbeveling van de Raad over operationele politiële samenwerking.

An association representing consumer interests may bring a representative action against the alleged perpetrator of a personal data breach. A specific breach of a data subject's right to the protection of his or her personal data is not required to bring such a claim. In addition, such a claim can be brought independently of whether a data subject has given an order to do so. This is the EU Court's answer to questions from a German court.

> DeFine is a translation into a calculator of part of the methodology proposed by the European Data Protection Board to calculate GDPR fines (see EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR, 12 May 2022, available online; it was subject to a public consultation until 27 June 2022).

> Do we need an Chief Privacy Officer, a Data Protection Officer, or do we need both?In the following article, I will examine the benefits of both roles, but I will also look at some of the challenges related to each of the roles and why these have impelled both Data Protection Officers and organisations to question what the ideal setup is for them.