The European Data Protection Board (EDPB) Wednesday published a cooperation procedure for approval of Binding Corporate Rules (BCRs) for data controllers and processors. The European Commission defines BCRs as "data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises." BCRs must include all general data protection principles and enforceable rights, and must be legally binding.
Acknowledging that data is one of Britain's most valuable assets, the U.K. government Monday sought public input on ensuring safe and secure access to data and building public trust.
The Czech Republic's Office for Personal Data Protection unveiled its 2025 priorities, saying it will focus on how data from public administration registers and information systems is used. In addition, the PDA will study retailers' practice of making discounts conditional on the processing of people's personal data.
The Swedish Authority for Privacy Protection will prioritize high-risk privacy areas this year. The watchdog said it's raising its game on guidance and risk-based supervision but is ready to shift focus if necessary.
The European Data Protection Board Friday issued additional guidance on processing air passenger name record (PNR) data under the EU PNR Directive.
The European Data Protection Supervisor published a review of its activities during its 2020-2024 term, describing its work during the COVID-19 crisis. In addition, the report includes content about EDPS' enforcement activities and efforts to create global privacy standards and a more coherent approach to data protection across the EU. The term was "synonymous with adaptability and resilience," wrote EDPS supervisor Wojciech Wiewiorowski.
The European Commission's adequacy decision permitting data flows from Europe to the U.K. expires June 27 and there are concerns about U.K. legislative reforms to data protection rules, a March Parliamentary Research Services memo said.
The Serbian Commissioner for Information of Public Importance and Personal Data Protection approved a 2025-2027 action plan for implementing its 2023-2030 privacy strategy. The plan will "significantly contribute" to better data protection for Serbians, it said.
The Irish Data Protection Commission posted a statement to organizations on how it deals with concerns from data subjects that an organization isn't handling their data access requests appropriately under the General Data Protection Regulation. It noted that it "regularly handles" such complaints.
Businesses trying to limit information they would otherwise have to disclose under data protection laws but consider trade secrets could be forced to disclose those secrets to a court or arbitrator under a recent decision by the European Court of Justice (ECJ), Pinsent Masons attorneys noted Friday. The decision involves the interplay between General Data Protection Act provisions on automated decision-making and EU trade secrets law, they wrote.