Right to Erasure (right to be forgotten): Lessons from the EDPB Implementation Enforcement Action
20 March 2026. Intro: Under Article 17 GDPR, individuals have the right to request erasure of their data (right to be forgotten). This right is not absolute; for example, it does not apply where the data controller needs to retain the data to comply with a legal obligation or requires the data for the purpose of a legal claim. The European Data Protection Board (EDPB) selected the topic ‘Implementation of the right to erasure by controllers’ for its 2025 Coordinated Enforcement Act

Rock Consultancy
Mar 20 · 3 min read
Data Protection Authorities prioritise transparency in 2026: What organisations should do now
25 February 2026. EDPB’s 2026 enforcement focus means it’s time to revisit your privacy notices—AI use included. Intro: In October 2025, the European Data Protection Board (EDPB) announced that transparency and information obligations under Articles 12–14 GDPR will be the focus of its 2026 Coordinated Enforcement Action (CEA). This means Data Protection Authorities (DPAs) across Europe will be examining how well organisations explain their processing activities to individuals. W

Rock Consultancy
Feb 25 · 2 min read
‘Tis the season for data breaches
9 November 2025. Managing data breaches in the ‘silly season’. Halloween has passed and the countdown to Christmas has begun, with only 6 full working weeks remaining before many people turn off their laptops. This period before Christmas holidays can be intense. There is pressure to deliver projects and close out work before logging off, including social occasions, children’s concerts and prep for the big day. The frantic pace leads to rushed decision-making, multitasking to

Rock Consultancy
Nov 9, 2025 · 3 min read
A reminder of the importance of vendor due diligence
2 October 2025. Yet another reminder from a supervisory authority of the importance of vendor due diligence. The Polish Supervisory Authority has fined both the data controller McDonald's and its processor 24/7 Communication for multiple GDPR infringements arising from a data breach of employee data. Of particular note: Obligations from legislation cannot be excluded by the Data Processing Agreement (DPA). The controller did not exercise proper supervision over the personal dat

Elaine Morrissey
Oct 2, 2025 · 1 min read
Greek Supervisory Authority imposes fines on controller and processor arising from same incident
11 September 2025. Noteworthy decision from the Greek Supervisory Authority, which fined both the data controller and data processor arising from the same incident. The controller was found to have infringed its obligations to select a suitable data processor and supervise them effectively. This case highlights the need for a robust vendor management programme, from onboarding assessments to contracts and DPAs and ongoing due diligence. See EDPB for further details: https://www.e

Elaine Morrissey
Sep 11, 2025 · 1 min read
Fixing the Data Processing Agreement (DPA) process: seven years of lessons learned
10 September 2025. How to improve the DPA process. Introduction: While we are 7 years into DPAs being a requirement for both processors and controllers under the EU General Data Protection Regulation (GDPR), they are still causing bottlenecks and can impact the overall execution of master services agreements or contracts if not managed appropriately. This article seeks to look at some of the bottlenecks and how to overcome them. Article 28 GDPR: As per Article 28 of the GDPR (Art

Rock Consultancy
Sep 10, 2025 · 4 min read