On April 15, 2026, the European Data Protection Board (EDPB) published draft Guidelines 1/2026 on the processing of personal data for scientific research purposes (Guidelines). The Guidelines are open for public consultation until 25 June 2026. They aim to clarify how the GDPR applies to academic, public‑sector, and commercial research, including research that relies on AI, large data sets, and the reuse of personal data. The Guidelines do not cover the application of other EU or Member State law regulating scientific research or the processing of genetic, biometric, or health data specifically.
Continue Reading New EDPB Guidelines on the Use of Personal Data in Scientific ResearchEDPB
EDPB Publishes Report on Stakeholder Event on Anonymisation and Pseudonymisation
On February 18, 2026, the European Data Protection Board (“EDPB”) published its Report on Stakeholder Event on Anonymisation and Pseudonymisation of 12 December 2025 (the “Report”). The Report summarises feedback from a remote stakeholder event convened to inform the EDPB’s ongoing work on Guidelines 01/2025 on Pseudonymisation (version for public consultation available here) and forthcoming guidance on anonymisation. The event gathered input from 115 participants spanning industry, NGOs, academia, law firms, and public sector bodies.
The objective of the Report is to capture stakeholder insights on how the General Data Protection Regulation (“GDPR”) applies to anonymisation and pseudonymisation, particularly following the Court of Justice of the European Union’s (“CJEU”) judgment in EDPS v SRB (C‑413/23 P). (See our previous blog post here.)
Continue Reading EDPB Publishes Report on Stakeholder Event on Anonymisation and PseudonymisationEU Regulators Issue Opinion on Revisions of GDPR and Other Data Laws
Posted in EU Data Protection, European Union
On February 11, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) (jointly, the Authorities) issued a Joint Opinion on the European Commission’s proposed Digital Omnibus Regulation (Digital Omnibus). This follows their Joint Opinion of January 20, 2026 on the Digital Omnibus on AI.
The Digital Omnibus, as with the other “omnibuses” released by the Commission, aims to streamline several EU laws, reduce administrative burdens for covered entities, and enhance competitiveness in the EU. Once adopted, it should reshape how organizations handle personal data generally, including in relation to AI development, scientific research, and incident reporting. The Authorities welcome efforts to simplify and to promote consistent interpretations of key concepts found in the GDPR, the ePrivacy Directive, the NIS2 Directive, and the remaining Data Acquis. At the same time, they caution that this initiative launched by the Commission must not weaken fundamental rights protections, including data protection.
Below is an overview of the Authorities’ positions. It covers only the key amendments discussed in our previous blog post on the Digital Omnibus.
Continue Reading EU Regulators Issue Opinion on Revisions of GDPR and Other Data LawsEuropean Data Protection Authorities Issue Joint Opinion on the Digital Omnibus on AI
EDPB to Focus on Transparency in 2026 Enforcement
Posted in EU Data Protection
On October 14, 2025, the European Data Protection Board (“EDPB”) announced that its 2026 coordinated enforcement action (“CEA”) will focus on transparency and information obligations — the rules that require organizations to clearly explain how they collect, use, and share personal data — under Articles 12-14 of the General Data Protection Regulation (“GDPR”).
Continue Reading EDPB to Focus on Transparency in 2026 EnforcementEDPB Launches Coordinated Enforcement on the Right to Erasure
Posted in European Union, GDPR Rights
Updated
On March 5, 2025, the European Data Protection Board (“EDPB”) announced that EU Supervisory Authorities (“SAs”) will undertake a coordinated enforcement action in 2025 regarding data subjects’ right to erasure under Art. 17 of the GDPR. For context, the EDPB selects a particular topic each year as its focus for pan-EU coordinated enforcement.
Continue Reading EDPB Launches Coordinated Enforcement on the Right to ErasureEDPB adopts draft guidelines on requirements when responding to requests from non-EU public authorities
By Marty Hansen & Paul Maynard on
On 2 December 2024, the European Data Protection Board (“EDPB”) adopted its draft guidelines on Article 48 GDPR (the “Draft Guidelines”). The Draft Guidelines are intended to provide guidance on the GDPR requirements applicable to private companies in the EU that receive requests or binding demands for personal data from public authorities (e.g., law enforcement or national security agencies, as well as other regulators) located outside the EU.
Continue Reading EDPB adopts draft guidelines on requirements when responding to requests from non-EU public authoritiesEU Commission Announces New SCCs for International Transfers to Non-EU Controllers and Processors Subject to the GDPR
On September 12, 2024, the European Commission announced that it will launch a public consultation on additional standard contractual clauses for international transfers of personal data to non-EU controllers and processors that are subject to the EU GDPR extra-territorially (“Additional SCCs”), something that has been promised by the European Commission as far back as 2022. The public consultation is planned for the last quarter of 2024.
Continue Reading EU Commission Announces New SCCs for International Transfers to Non-EU Controllers and Processors Subject to the GDPREDPB 2023 Coordinated Enforcement Framework on DPOs: What Are the Key Takeaways for Organizations?
On January 17, 2024, the European Data Protection Board (“EDPB”) published its report on the 2023 Coordinated Enforcement Framework (“CEF”), which examines the current landscape and obstacles faced by data protection officers (“DPOs”) across the EU. In particular, the report provides a snapshot of the findings of each supervisory authority (“SA”) on the role of DPOs, with a particular focus on (i) the challenges DPOs face and (ii) recommendations to mitigate and address these obstacles in light of the GDPR. This blog post summarizes the key findings of the EDPB’s 2023 CEF report.
Continue Reading EDPB 2023 Coordinated Enforcement Framework on DPOs: What Are the Key Takeaways for Organizations?EDPB’s 2024 Coordinated Enforcement Action on the Access Right: What Can You Expect?
Posted in European Union, GDPR Rights
On February 28, the European Data Protection Board (“EDPB”) announced that EU supervisory authorities (“SAs”) will undertake a coordinated enforcement action in 2024 regarding data subjects’ right of access under the GDPR. For context, the EDPB selects a particular topic each year to serve as the focus for pan-EU coordinated enforcement.
In 2023, regulators focused upon data protection officers’ designation and role. And, on January 17, 2024, the EDPB published its report providing an overview of the actions SAs took in the context of the 2023 action. This blog post provides an overview of what you can expect from the coordinated enforcement action in 2024, based on the lessons learned from 2023.
Continue Reading EDPB’s 2024 Coordinated Enforcement Action on the Access Right: What Can You Expect?