GDPR

Data Protection Authorities (DPA)

Regulatory bodies ensure compliance with data protection laws, oversee data privacy rights, investigate breaches, enforce regulations, and promote data security practices.

Coordinated Enforcement Framework (CEF)

CEF: Strategy uniting agencies for efficient enforcement across jurisdictions, enhancing accountability, information sharing, improving compliance, and addressing violations systematically.

European Data Protection Board (EDPB)

EDPB: EU body ensuring GDPR compliance; guides data protection laws, issues guidelines, resolves disputes among member states, promotes consistent application of data privacy principles across Europe.

Coming Soon: Coordinated Pan-European Enforcement of the ‘Right to Erasure’

TLDR: EDPB launching 2025 Coordinated Enforcement Framework focusing on ‘Right to Erasure’ under GDPR, engaging 32 European DPAs. Organizations face intensified scrutiny on compliance, needing to improve erasure request processes and overall GDPR compliance to mitigate risk.

https://ogletree.com/insights-resources/blog-posts/coming-soon-coordinated-pan-european-enforcement-of-the-right-to-erasure/

Top Tips for SMEs Navigating GDPR and Data Protection in the UK

TLDR: SMEs in the UK should simplify GDPR compliance by understanding data use, ensuring transparency, clarity, and accountability in data handling. Key steps include: 1) Know the data collected and its purpose; 2) Follow core data protection principles; 3) Assess AI tool risks proactively; 4) Stay informed on evolving regulations. Embracing these practices early can simplify compliance and build trust, despite ongoing regulatory changes.

https://elitebusinessmagazine.co.uk/legal/commercial-law/item/top-tips-for-smes-navigating-gdpr-and-data-protection-in-the-uk

The Data Act: Six Months to Go — But What To Do?

The Data Act, effective September 12, 2025, mandates greater data access and sharing for IoT products in the EU, including medical devices. It requires manufacturers to design products for easy, secure data access, impacting how they handle both personal and non-personal data under GDPR. With six months until implementation, businesses should prepare technically and organizationally, updating contracts to comply with new data-sharing requirements.

https://www.ropesgray.com/en/insights/viewpoints/102k6pq/the-data-act-six-months-to-go-but-what-to-do

Balancing GDPR Data Access Rights Against the Rights of Others

Balancing GDPR access rights has become challenging for controllers, particularly regarding the right of access versus competing rights, such as third-party privacy. Article 15(3) GDPR grants individuals access to their personal data, but Article 15(4) allows limitations if it affects others' rights. The EDPB provides guidelines emphasizing a case-by-case assessment to weigh rights and justify access limitations. The DPC recently highlighted that restrictions should be evidence-based, particularly in sensitive situations. Controllers must document decisions effectively and seek legal advice to navigate potential risks while adhering to GDPR.

https://www.arthurcox.com/knowledge/balancing-gdpr-data-access-rights-against-the-rights-of-others/

Dun & Bradstreet: a Pyrrhic Victory for the Contestation of AI Under the GDPR — AI Summer School

CJEU ruling on Dun & Bradstreet clarifies GDPR's ‘right to an explanation,’ balancing understandability with trade secrets. The court restricts detailed disclosures, potentially limiting individuals' ability to contest AI decisions, resulting in a ‘pyrrhic victory.’ While explanations must be clear, they may not substantively empower individuals against problematic AI, and data controllers could misuse disclosure processes to evade accountability. Thus, the practice of contestation faces challenges despite the ruling's intent.

https://www.law.kuleuven.be/ai-summer-school/blogpost/Blogposts/dun-bradstreet-a-pyrrhic-victory-for-the-contestation-of-ai-under-the-gdpr

Cross-Border Data Compliance: Navigating Public Security Regulations in a Connected World

Cross-border data compliance is increasingly influenced by national security concerns amid rising cyber threats. Governments are shifting focus from individual privacy to a balance with security needs, resulting in expanded access for law enforcement, data localization policies, and national security exemptions in regulations. The EU's GDPR is pivotal in cross-border data governance, but other regions lack unified frameworks. Data sovereignty, while necessary for national security, can hinder global innovation. Cooperation among nations and nuanced policies are essential for effective compliance and balanced data management.

https://www.tripwire.com/state-of-security/cross-border-data-compliance-navigating-public-security-regulations-connected

ECJ Ruling on Automated Decision-Making and Data Subject Access: Clyde & Co

ECJ ruling (C-203/22) on GDPR access rights clarifies companies must provide “meaningful information” on automated decision-making. Key issues include balancing transparency with trade secrets. Data subjects can access pertinent details on decision-making processes while companies may protect sensitive information on a case-by-case basis. The ruling impacts AI-integrated industries, particularly in insurance, where transparency and regulatory compliance are emphasized.

https://www.clydeco.com/en/insights/2025/03/ecj-ruling-on-automated-decision-making-and-data-s
