Interaction with Article 28 Digital Services Act (DSA) – EDPB Comments
CURRENT STATUS
The European Data Protection Board (EDPB) issued its comments on the European Commission’s draft guidelines on the protection of minors online under the Digital Services Act. The Board recommends highlighting in the draft guidelines that all measures adopted by providers of online platforms to comply with Article 28(1) DSA should also comply with the GDPR and that DPAs are solely competent to assess such compliance. It suggests that a reference to the importance of cooperation between all competent regulators and authorities might be beneficial to ensure that Article 28(1) DSA and GDPR requirements are applied in a consistent and coherent manner.
WHY IS THIS APPLICABLE TO CLIENTS?
The commentary provided on the Commission’s draft Guidelines provides an insight into its views on the issues at play when offering products and services to minors online.
NEXT STEPS
Notably, the EDPB intends to provide additional guidance on data protection compliance in the context of its ‘Children’s guidelines’ and its ‘Guidelines on the interplay between GDPR and DSA’ (see the EDPB Strategy for 2024 to 2027).
Adequacy Decision - UK
DATE OF UPDATE: 24 June 2025
CURRENT STATUS
The European Commission adopted a six-month extension of the two adequacy decisions with the United Kingdom, allowing personal data to continue to flow to the UK until 27 December 2025.
WHY IS THIS APPLICABLE TO CLIENTS?
Organisations transferring personal data from Ireland to the UK under the adequacy decision will welcome this extension. The key safeguards in the UK legal framework that were found adequate in 2021 remain in place and continue to apply to data transferred from the EU until 27 December 2025.
NEXT STEPS
The extension will allow the Commission time to assess the UK Data Bill, and whether the new legal framework continues to provide an adequate level of protection for personal data. On the basis of this assessment, the Commission will decide whether to renew the UK adequacy decisions.
DPC Enforcement – Decision in inquiry concerning City of Dublin Education and Training Board (CDETB)
DATE OF UPDATE: 23 June 2025
CURRENT STATUS
The Data Protection Commission’s own-volition inquiry started in July 2019 following a personal data breach notified by CDETB in November 2018. CDETB discovered that its web server was retaining the personal data of student grant applicants who had uploaded information related to their grant applications through CDETB’s website, and also discovered malware on the web server. The DPC found that CDETB infringed a number of Articles of the GDPR. It reprimanded CDETB, imposed administrative fines totalling €125,000 and ordered CDETB to bring its processing into compliance with the security requirements of the GDPR.
WHY IS THIS APPLICABLE TO CLIENTS?
Notably, the DPC commended the tenor and tone of CDETB’s engagement with it, stating that the fines were substantially lower than the fining range proposed in the draft Decision. This was due to the CDETB accepting each of the findings of infringements, acknowledging full responsibility for the breach, apologising to both the data subjects affected and the DPC, and proactively taking steps.
DPC – Annual Report 2024
CURRENT STATUS
The DPC launched its Annual Report for 2024 and released the results of its first Public Attitudes Survey.
WHY IS THIS APPLICABLE TO CLIENTS?
The report will be of interest to data controllers, data processors, and data subjects in Ireland. In particular, the case studies offer insights into the application of the GDPR and its enforcement by the DPC.
DPC Enforcement – Decision in inquiry concerning Department of Social Protection (DSP)
CURRENT STATUS
The inquiry examined the DSP’s processing of biometric facial templates and usage of associated facial matching technologies as part of the registration process for the Public Services Card.
A number of provisions of the GDPR were found to have been breached.
The DSP was issued with a reprimand and administrative fines totalling €550,000, and required to cease the processing at issue unless a valid lawful basis under the GDPR is identified.
WHY IS THIS APPLICABLE TO CLIENTS?
The Decision will be of interest to data controllers intending to process biometric data.
EDPB – Guidelines on Article 48 GDPR
DATE OF UPDATE: 5 June 2025
CURRENT STATUS
The European Data Protection Board has adopted the final version of its guidelines on Article 48 GDPR about data transfers to third-country authorities, after public consultation.
WHY IS THIS APPLICABLE TO CLIENTS?
The Guidelines aim to set out how organisations can best assess under which conditions they can lawfully respond to requests for a transfer of personal data from third-country authorities (i.e. authorities from non-European countries).
DPC – Enforcement - TikTok
DATE OF UPDATE: 5 June 2025
CURRENT STATUS
The High Court has granted TikTok a stay on a decision by the DPC that TikTok must suspend data transfers to China by 29 November 2025.
TikTok is challenging the DPC’s decision announced on 2 May 2025.
WHY IS THIS APPLICABLE TO CLIENTS?
This challenge to the DPC’s Decision will be of interest to data controllers, in particular those making third-country data transfers.
Enforcement - Training Large Language Models (LLMs)
DATE OF UPDATE: 21 May 2024
CURRENT STATUS
The Data Protection Commission issued a statement on Meta AI. It refers to the EDPB Opinion issued in December 2024 that sets out general criteria that Data Protection Supervisory Authorities should take into account when assessing data protection compliance in relation to the development and deployment of AI models.
WHY IS THIS APPLICABLE TO CLIENTS?
The application of the GDPR to new technologies such as LLMs raises complex challenges. The DPC states that it has required Meta to compile a report on the measures and safeguards it has introduced regarding the processing taking place. This report, which is expected in October 2025, will be of interest to other deployers of this technology.
GDPR Revision – Omnibus IV
DATE OF UPDATE: 21 May 2025
CURRENT STATUS
Following the recent Competitiveness Compass and Mario Draghi's report on the future of European competitiveness, the EU has launched a series of initiatives to support business activity and reduce regulatory burdens.
Omnibus IV introduces targeted amendments to eight legislative acts, including the GDPR and Critical Entities Resilience Directive.
The EDPB and the EDPS had already adopted a letter addressed to the European Commission on the proposal expressing preliminary support for the revisions and suggesting that the impact of the proposal and the number of entities that would benefit from the revisions be further explored.
WHY IS THIS APPLICABLE TO CLIENTS?
For small mid-cap companies and organisations with fewer than 750 employees, the change will mean that they will no longer need to create or update their existing records of activities (ROPAs) involving the processing of personal data in cases where these activities are not likely to result in a high risk to the rights and freedoms of data subjects.
NEXT STEPS
The proposal has been submitted to the ordinary legislative procedure (i.e. joint adoption of legislative acts by the European Parliament and the Council of the European Union).
DPC – Enforcement - TikTok
CURRENT STATUS
The DPC has fined TikTok Technology Limited (TikTok) €530 million and ordered it to bring its processing into compliance within six months. The decision also includes an order suspending TikTok’s transfers to China if processing is not brought into compliance within this timeframe. The sanctions follow its inquiry into the lawfulness of TikTok’s transfers of personal data of users of the TikTok platform in the EEA to the People’s Republic of China.
WHY IS THIS APPLICABLE TO CLIENTS?
The full decision in the case will be of interest to controllers transferring personal data to third countries. In this decision the DPC examined the supplementary measures and the Standard Contractual Clauses used by TikTok and found that they did not guarantee a level of protection essentially equivalent to that guaranteed within the EU.
EDPB Annual Report
DATE OF UPDATE: 23 April 2025
CURRENT STATUS
The European Data Protection Board has published its 2024 Annual Report. The report provides an overview of the EDPB work carried out in 2024 and reflects on important milestones.
WHY IS THIS APPLICABLE TO CLIENTS?
The report reflects on the EDPB’s 2024-2027 strategy as well as its consistent opinions adopted under Art. 64(2) GDPR and may offer useful insights for data controllers.
Blockchain Technologies
DATE OF UPDATE: 14 April 2025
IMPLEMENTATION/DEADLINE DATE:
The guidelines were subject to public consultation until 9 June 2025.
CURRENT STATUS
The EDPB has adopted guidelines on the processing of personal data through blockchain technologies.
WHY IS THIS APPLICABLE TO CLIENTS?
The Guidelines are designed to assist organisations in ensuring the highest protection of individuals’ personal data during blockchain-related processing of personal data.
DPC Inquiry – ‘X’
CURRENT STATUS
The DPC has started an inquiry into the processing of personal data comprised in publicly accessible posts posted on the ‘X’ social media platform by EU/EEA users, for the purposes of training generative artificial intelligence models, in particular the Grok Large Language Models.
WHY IS THIS APPLICABLE TO CLIENTS?
Last year, the DPC welcomed the decision by Meta to pause its plans to train its large language model using public content shared by adults on Facebook and Instagram across the EU/EEA.
The Irish supervisory authority subsequently issued a statement on LLMs addressing the data protection issues that can arise. The DPC continues to monitor activity in this area.
AI - Large Language Models
DATE OF UPDATE: 10 April 2025
CURRENT STATUS
The EDPB has published an AI Privacy Risks & Mitigations Large Language Models report, putting forward a comprehensive risk management methodology for LLM systems with a number of practical mitigation measures for common privacy risks in LLM systems.
WHY IS THIS APPLICABLE TO CLIENTS?
The report will be useful for organisations engaging with and developing LLMs.
High Court Decision – Breach on Work Phone
CURRENT STATUS
In McShane -v- Data Protection Commission [2025] IEHC 191, Judge Barry O’Donnell refused an application for judicial review of the applicant’s complaint on the basis that the DPC clearly engaged in an appropriate and proportionate investigation of the individual complaint that had been made. The DPC found that the HSE was not a controller as it had not authorised or permitted the applicant to use his work phone for personal use.
WHY IS THIS APPLICABLE TO CLIENTS?
The case illustrates that employers’ responsibility for loss of personal data stored on work devices that are used within the workplace may be successfully excluded in certain limited circumstances where appropriate policies are in place.
CJEU Decision - Public Access to Official Documents
CURRENT STATUS
In Case C‑710/23, L.H. v Ministerstvo zdravotnictví, the court considered a request for information about individuals representing companies that contracted with the Ministry of Health regarding COVID-19 screening tests.
This decision clarifies how the GDPR applies to the disclosure of information about individuals acting as representatives of legal entities within the context of public access to official documents.
WHY IS THIS APPLICABLE TO CLIENTS?
The case highlights the importance of balancing the fundamental right to personal data protection with the public interest in transparency.