Continue Reading CNIL Publishes Recommendation on Email Tracking Pixels
Spain’s Supervisory Authority Issues New Guidance on AI‑Based Voice Transcription
On April 20, 2026, the Spanish Data Protection Agency (AEPD) has published new guidance on how to comply with the GDPR when using AI‑powered voice transcription tools. The guidance builds on earlier AEPD guidance on this topic from January 2026. This blog post sets out the key takeaways of both guidance documents, which are only available in Spanish.
The AEPD’s guidance confirms a risk‑based approach to AI‑powered voice transcription. Organizations using these tools should not treat transcription as a purely technical feature, but as a processing activity that requires continuous governance, clear transparency, and proactive safeguards. Given the widespread and growing use of transcription tools across business functions, this guidance is likely to be relevant well beyond Spain.
Continue Reading Spain’s Supervisory Authority Issues New Guidance on AI‑Based Voice TranscriptionNew EDPB Guidelines on the Use of Personal Data in Scientific Research
On April 15, 2026, the European Data Protection Board (EDPB) published draft Guidelines 1/2026 on the processing of personal data for scientific research purposes (Guidelines). The Guidelines are open for public consultation until 25 June 2026. They aim to clarify how the GDPR applies to academic, public‑sector, and commercial research, including research that relies on AI, large data sets, and the reuse of personal data. The Guidelines do not cover the application of other EU or Member State law regulating scientific research or the processing of genetic, biometric, or health data specifically.
Continue Reading New EDPB Guidelines on the Use of Personal Data in Scientific ResearchEU Court Defines Limits to the GDPR Right of Access
On March 19, 2026, the CJEU issued its judgment in the Brillen Rottler case (C‑526/24). The case concerns the GDPR right of access and the conditions for claiming damages. In the underlying facts, an Austrian individual subscribed to Brillen Rottler’s newsletter and, two weeks later, exercised his right of access.
Continue Reading EU Court Defines Limits to the GDPR Right of AccessItalian DPA Fines Bank over the Transfer of Customer Data in the Context of a Corporate Transaction
On March 12, 2026, the Italian Data Protection (“Garante”) adopted a decision concerning the transfer of personal data of banking customers from Intesa Sanpaolo S.p.A. (the “Bank”) to Isybank S.p.A., a newly established digital bank within the same corporate group. The Garante found that the Bank’s processing in connection with the transfer of approximately 2.4 million customers to Isybank was unlawful.
We set out the decision’s key findings below.
Continue Reading Italian DPA Fines Bank over the Transfer of Customer Data in the Context of a Corporate TransactionFrance’s Highest Administrative Court Upholds CNIL’s Standard On Anonymization
On February 13, 2026, France’s highest administrative court (“Conseil d’État”) delivered an important decision clarifying the boundary between pseudonymization and anonymization under the GDPR. The ruling confirms that data which remain re‑identifiable in practice—even with some effort—must be treated as personal data under the GDPR by service providers, unless the risk of re‑identification by such providers can genuinely be regarded as insignificant.
Continue Reading France’s Highest Administrative Court Upholds CNIL’s Standard On AnonymizationEDPB Publishes Report on Stakeholder Event on Anonymisation and Pseudonymisation
On February 18, 2026, the European Data Protection Board (“EDPB”) published its Report on Stakeholder Event on Anonymisation and Pseudonymisation of 12 December 2025 (the “Report”). The Report summarises feedback from a remote stakeholder event convened to inform the EDPB’s ongoing work on Guidelines 01/2025 on Pseudonymisation (version for public consultation available here) and forthcoming guidance on anonymisation. The event gathered input from 115 participants spanning industry, NGOs, academia, law firms, and public sector bodies.
The objective of the Report is to capture stakeholder insights on how the General Data Protection Regulation (“GDPR”) applies to anonymisation and pseudonymisation, particularly following the Court of Justice of the European Union’s (“CJEU”) judgment in EDPS v SRB (C‑413/23 P). (See our previous blog post here.)
Continue Reading EDPB Publishes Report on Stakeholder Event on Anonymisation and PseudonymisationEU Regulators Issue Opinion on Revisions of GDPR and Other Data Laws
On February 11, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) (jointly, the Authorities) issued a Joint Opinion on the European Commission’s proposed Digital Omnibus Regulation (Digital Omnibus). This follows their Joint Opinion of January 20, 2026 on the Digital Omnibus on AI.
The Digital Omnibus, as with the other “omnibuses” released by the Commission, aims to streamline several EU laws, reduce administrative burdens for covered entities, and enhance competitiveness in the EU. Once adopted, it should reshape how organizations handle personal data generally, including in relation to AI development, scientific research, and incident reporting. The Authorities welcome efforts to simplify and to promote consistent interpretations of key concepts found in the GDPR, the ePrivacy Directive, the NIS2 Directive, and the remaining Data Acquis. At the same time, they caution that this initiative launched by the Commission must not weaken fundamental rights protections, including data protection.
Below is an overview of the Authorities’ positions. It covers only the key amendments discussed in our previous blog post on the Digital Omnibus.
Continue Reading EU Regulators Issue Opinion on Revisions of GDPR and Other Data LawsBelgian High Court Confirms Full Judicial Review of Supervisory Authority Decisions
On 15 January 2026, the Belgian High Court delivered a judgment in proceedings initiated by the Belgian Supervisory Authority, in which it challenged the scope of judicial review exercised by the Market Court over its enforcement decisions. The authority was unsuccessful on both grounds of appeal.
Continue Reading Belgian High Court Confirms Full Judicial Review of Supervisory Authority DecisionsGerman Government Proposes GDPR Reform to Shift Responsibility to Manufacturers
On December 4, 2025, the German Federal Government published its Federal Modernization Agenda, setting out a series of suggested amendments to the GDPR and the Federal Data Protection Act (Bundesdatenschutzgesetz). Among the key measures, Germany seeks to shift certain responsibilities from users to manufacturers and providers of standard IT products—following the model of the Cyber Resilience Act (CRA) and the AI Act—so that organizations can deploy standard solutions more easily and in compliance with the law.
The German Data Protection Conference (Datenschutzkonferenz, DSK)—the body of federal and state data protection authorities—has adopted a resolution strongly supporting this approach. The resolution builds on recommendations the DSK first made in its 2019 evaluation of the GDPR.
Continue Reading German Government Proposes GDPR Reform to Shift Responsibility to Manufacturers