Brussels, 24 June – The EDPB has launched a dedicated contact form for stakeholders to report possible inconsistencies in how the GDPR is interpreted across Europe. This initiative reflects the commitments set out in the EDPB Helsinki Statement on enhanced clarity, support and engagement, aimed at strengthening the dialogue with stakeholders and ensuring consistent GDPR enforcement across Europe. The new tool enables stakeholders to report alleged divergences between national positions, as well as between national positions and those of the EDPB. The EDPB will not respond to individual

Brussels, 22 June - Since its establishment in 2018, the core mission of the EDPB has been to uphold and safeguard the right to data protection. Over the years, the EDPB has played a key role in ensuring the consistent application of the GDPR across Europe, by providing guidance on key GDPR concepts and the interaction of the GDPR with other digital laws, as well as through the adoption of consistency opinions and binding decisions. The EDPB is also committed to making GDPR compliance easier for organisations and enhancing its dialogue with stakeholders. The EDPB is glad to announce today the

Brussels, 25 June - The EDPB has published an update of the One-Stop-Shop (OSS) case digest on right to object and right to erasure. This project has been developed in the framework of the of the Support Pool of Experts programme, which aims to support cooperation among Data Protection Authorities (DPAs). Thematic one-stop-shop case digests are drafted on the basis of one-stop-shop decisions taken from the EDPB’s public register (based on Art.60 GDPR). Such case digests complement the EDPB's public register by selecting and presenting the most important decisions on a given theme and providing

Brussels, 12 June – As of today, coordinated supervision of the European Union’s asylum and migration database (Eurodac) will be carried out by the Coordinated Supervision Committee (CSC). Eurodac is an information system initially designed to compare the fingerprints of asylum applicants and irregular migrants, which has evolved into a full asylum and migration management system. It plays a key role in implementing the Dublin III Regulation, which aims at determining the Member State responsible for examining an asylum application. Operational since 15 January 2003, this system is currently

Brussels, 10 June – During its latest plenary, the EDPB met with Michael McGrath, Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection. In addition, the Board has adopted a common data breach notification template. The Board held a meeting with Commissioner McGrath, engaging in a fruitful discussion about common priorities and ongoing work on areas of mutual interest. The Digital Omnibus was among the key topics that shaped the discussion. The Board reiterated that, while several proposed changes have been welcomed by the Board, it is crucial not to adopt the proposed

Background information Date of final decision: 26 January 2026 National case Controller: Sportadmin i Skandinavien AB Legal Reference(s): Article 32 (Security of processing), Article 83 (General conditions for imposing administrative fines) Decision: Administrative fine Key words: Administrative fine, Children, Data security, Hacker attack, Sensitive data Summary of the Decision Origin of the case The Swedish Supervisory Authority for Privacy Protection (IMY) has initiated an investigation of the company Sportadmin following a cyber attack in which the attacker gained access to data relating

Background information Date of final decision: 15 October 2025 National case Legal Reference(s): Article 31 (Co-operation with the supervisory authority), Article 34 (Communication of a personal data breach to the data subject) Decision: Administrative fine, Warning Key words: Administrative fine, Cooperation with the supervisory authority, Data subject rights Summary of the Decision Origin of the case A Medical Centre dealing, inter alia, with the treatment of infertility, sent confirmation of the execution of the return transfer under the title of which the name of the genetic test was

Background information Date of final decision: 12 September 2025 National case Legal Reference(s): Article 38 (Position of the data protection officer) Decision: Administrative fine Key words: Administrative fine, Data protection officer Summary of the Decision Origin of the case A company whose activities are focused on the provision of medical services notified an incident with data in 2023 to the President of the Personal Data Protection Office: someone else’s documents were issued to the patient. According to the notification, the chairman of the company was also the DPO. The President of

Background information Date of final decision: 11 February 2026 National case Controller: Vodafone-Panafon S.A Hellenic Telecommunications Company Legal Reference: Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject, Article 12.2: Facilitation of the exercise of the rights of the data subject, Article 12.3: Time limit for responding to a request, Article 12.4: Information to be provided where no action is taken on the request, Article 15: Right of access by the data subject, Article 18: Right to restriction of processing Decision

Background information Date of final decision: 10 July 2025 National case Controller: Magna PT S.p.A. Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 9 (Processing of special categories of personal data), Article 13 (Information to be provided where personal data are collected from the data subject) Decision: Administrative fine, Definitive ban on data processing Key words: Administrative fine, Principles relating to processing of personal data, Transparency, Retention time, Lawfulness of processing, Employment