Changeflow GovPing Data Privacy

Latest changes

GovPing tracks 106 sources for this role across Guidance, Decision, Enforcement, Rule, FAQ, Notice, and Consultation instruments, with 183 changes in the last 7 days out of 4036 total sources (see all sources).

The Czech DPA fined Avast 351M CZK for GDPR violations, while Italy's Garante imposed €12.5 million in fines on Poste Italiane and Postepay. Ireland's DPC fined University of Limerick €98,000 for data breaches.

Favicon for www.gov.br

ANPD Participates in First Datified Public Services Seminar in São Paulo

Brazil's ANPD participated in the first edition of the Datified Public Services Seminar held on April 16 in São Paulo, organized by CGI.br's Working Group on Datified Public Services. Director Lorena Giuberti spoke at the third panel and closed the event, emphasizing that Brazil's LGPD provides the regulatory framework for secure and protected data processing in the public sector. The seminar brought together experts, public managers, civil society representatives, universities, and the business sector to discuss the relationship between data processing in public services and its societal impact.

Routine Notice Data Privacy
OPC Canada News
Favicon for www.priv.gc.ca

Privacy Commissioner Speeches and Statements Index

The Office of the Privacy Commissioner of Canada publishes this index of speeches and statements by the Privacy Commissioner and OPC officials. The page displays 114 total items spanning 2015–2026, with topics including artificial intelligence, consent, health information, privacy breaches, privacy at work, biometrics, and youth privacy. Filtering options allow browsing by 22 topic categories and delivery year. This is a navigation portal rather than a regulatory action.

Routine Notice Data Privacy
OPC Canada News
Favicon for www.priv.gc.ca

Latest OPC Canada News and Announcements

The Office of the Privacy Commissioner of Canada published its latest news and announcements index, featuring items from April 2026 including appearances before Senate and Parliamentary committees on Bill S-5 and Canada-China EV arrangements, remarks on AI governance, and an ArriveCAN app investigation report. The page lists 741 total items across topics including children's privacy sweeps, health information protection, and cross-border data transfers. Notable commitments include Nova Scotia Power strengthening security measures and World Anti-Doping Agency limiting use of athletes' sensitive personal information.

Routine Notice Data Privacy
EDPB EU News
Favicon for www.edpb.europa.eu

EDPB 2025 Annual Report Stakeholder Guidance Focus

The European Data Protection Board published its 2025 Annual Report on 9 April 2026, covering the Helsinki Statement on enhanced clarity and stakeholder engagement, joint guidelines with the European Commission on the interplay between the Digital Markets Act and GDPR, and guidelines on the Digital Services Act and GDPR. The report also covers practical guidance on AI, pseudonymisation, and blockchain technologies.

Routine Notice Data Privacy
EDPB EU News
Favicon for www.edpb.europa.eu

EDPB Adopts Scientific Research Data Processing Guidelines

The EDPB adopted Guidelines on processing personal data for scientific research purposes, providing six indicative factors to determine if processing qualifies as scientific research under GDPR, and clarifying purpose compatibility, broad consent, and limitations on data subject rights. The Board also created a dedicated sprint team to accelerate finalisation of the upcoming anonymisation guidelines by summer. Two Europrivacy certification opinions were also adopted, including the first European Data Protection Seal approved as a transfer tool under Articles 42 and 46 GDPR. The scientific research guidelines are open for public consultation until 25 June 2026.

Priority review Guidance Data Privacy
Japan PPC News
Favicon for www.ppc.go.jp

PPC Japan Releases Global Cross-Border Data Strategy

The Personal Information Protection Commission (PPC) of Japan has published its Global Cross-Border Data Strategy, effective 1 April 2026, outlining three pillars for international personal information protection and cross-border data transfer. The strategy prioritises expanding mutual adequacy arrangements with the EU and UK to cover academia and the public sector, promoting the Global CBPR Forum certification system, and developing Global Model Contractual Clauses (MCCs) in cooperation with like-minded jurisdictions. The PPC will also strengthen bilateral cooperative relationships through new Memoranda of Cooperation and support personal information protection legislation development in the Asia-Pacific region.

Priority review Rule Data Privacy
CAC China News
Favicon for www.cac.gov.cn

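Ten Departments Jointly Issue Provisions on Promoting and Regulating the Application of Electronic Documents, Effective in September

Ten departments, namely the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Transport, the Ministry of Commerce, the People's Bank of China, the General Administration of Customs, the State Taxation Administration, the State Administration for Market Regulation, and the National Financial Regulatory Administration, jointly issued the Provisions on Promoting and Regulating the Application of Electronic Documents, which take effect on 1 September 2026. The Provisions cover the principles for promoting and regulating the application of electronic documents, departmental responsibilities, promotion measures, reliability and security requirements, supervision and administration, and legal liability. They aim to raise the level of digitalisation and facilitation in goods trade and transport and to serve the high-quality development of the digital economy.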

Priority review Rule Financial Services
CAC China News
Favicon for www.cac.gov.cn

China Cybersecurity Association Recruiting 2 Business Positions, Master's Required

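The China Cybersecurity Association published a public recruitment notice on 18 April 2026 to hire two business-position staff from the general public, with applications closing on 15 May 2026. Requirements include a master's degree or above and an age of no more than 38, with preference given to majors related to cyberspace security, information security, artificial intelligence, and similar fields. The recruitment process comprises résumé submission, qualification review, a written test (weighted 40%), and an interview (weighted 60%), with background checks, medical examinations, and onboarding planned for June to July 2026.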

Routine Notice Cybersecurity
CAC China News
Favicon for www.cac.gov.cn

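2026 Quality Online Streamers China Tour Launches in Jincheng, Shanxi

The launch ceremony for the 2026 "Travel Across China, 'Broadcast' to the World: Quality Online Streamers China Tour" was held in Jincheng, Shanxi. Niu Yibing, deputy director of the Office of the Central Cyberspace Affairs Commission, and Zhang Biyong, member of the Standing Committee of the Shanxi Provincial Party Committee, attended and delivered remarks. The ceremony announced the first 2026 list of quality livestream rooms (streamers), presented certificates on site, and launched the official website of the Quality Online Streamer Cultivation Project. The activity centres on study and practice around themes including revolutionary heritage, scientific and technological innovation, intangible cultural heritage, harmonious and beautiful villages, and revitalising border areas and enriching their residents. About 150 people attended the launch ceremony.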

Routine Notice Cybersecurity
Favicon for www.ip-rs.si

EDPB Guidelines on Lawful Personal Data Processing in Scientific Research

The European Data Protection Board (EDPB) adopted guidelines on 15 April 2026 clarifying the application of GDPR to scientific research, responding to practical questions from the research community. The guidelines define six indicative factors for determining when an activity qualifies as scientific research under GDPR and address legal bases including public interest, legitimate interest, and consent models (broad and dynamic consent) where initial research goals are not fully specified at data collection. Research organisations must document purpose, legal basis, and safeguards at project-design stage.

Routine Notice Data Privacy
Favicon for www.ip-rs.si

Information Commissioner Meets KPK President, Strengthens Rule of Law Cooperation

On 20 April 2026, Information Commissioner dr. Jelena Virant Burnik held an introductory meeting with Commission for the Prevention of Corruption (KPK) President Katarina Bervar Sternad. Both officials emphasized the importance of their independent institutions' roles in strengthening the rule of law and agreed to continued cooperation. The meeting represents standard inter-agency coordination between Slovenia's two transparency-focused bodies with no regulatory or compliance implications.

Routine Notice Data Privacy
AEPD Spain News
Favicon for www.aepd.es

AEPD 2026 Action Plan: 32 Objectives, 115 Actions

The Spanish Data Protection Authority (AEPD) published its 2026 Action Plan and the 2025 execution report on 25 March 2026. The 2025 report shows five strategic axes achieved 100% execution and two exceeded 97%, with aggregate execution above 99%. The 2026 Plan contains 32 operational objectives and 115 actions spanning single, multi-year, and structural initiatives. Key 2026 priorities include AI tool integration through the Privacy Lab, enhanced compliance support for data controllers and processors, international cooperation, and automated process solutions.

Routine Notice Data Privacy
AEPD Spain News
Favicon for www.aepd.es

EDPB Guidelines on Scientific Research Data Processing Open for Public Consultation

The European Data Protection Board (EDPB), of which the Spanish Data Protection Agency (AEPD) is a member, has adopted Guidelines 1/2026 on processing personal data for scientific research purposes, published for public consultation until June 25, 2026. The guidelines clarify the concept of 'scientific research' through six key factors, address compatibility of subsequent processing with initial collection purposes, and discuss 'broad consent' and 'dynamic consent' models for research. AEPD has supported the Digital Omnibus proposal recognizing legitimate interest as a valid legal basis for research data processing, and positively valued the European Biotech Act's secondary-use data provisions.

Priority review Consultation Data Privacy
AEPD Spain News
Favicon for www.aepd.es

Spain Launches Public Privacy Research Network With Nearly 100 Groups

The Spanish Data Protection Agency (AEPD) has launched a public network of research groups and projects on privacy and emerging technologies, integrating nearly 100 teams, initiatives, and projects from universities, public and private research centres, foundations, and other entities across Spain. The network will hold regular specialist meetings, generate technical and educational content, and promote privacy culture among citizens. Under a collaboration agreement with Fundación ValgrAI, the network will be publicised and coordinated so as to energise the enrolled groups. This initiative positions AEPD as a connecting node between research, regulation, and society in privacy and emerging technologies.

Routine Notice Data Privacy
Favicon for www.dataprotection.ie

University of Limerick Fined €98,000 for GDPR Data Breaches

The Data Protection Commission has published its final decision following an own-volition inquiry into University of Limerick, finding multiple GDPR violations arising from personal data breaches that occurred between November 2018 and January 2020. The DPC reprimanded University of Limerick and imposed administrative fines totalling €98,000 for failing to implement appropriate security measures, delay in informing affected persons of high-risk breaches, non-compliance with records of processing activity requirements, and untimely breach reporting to the DPC.

Urgent Enforcement Data Privacy
Favicon for ico.org.uk

Tower Hamlets FOI 3 Upheld, 30 Days

The ICO has upheld a complaint against the London Borough of Tower Hamlets, finding that the council holds Rapid Reviews relating to child deaths or serious injuries for the purposes of FOIA. The council had refused disclosure on the basis that the Tower Hamlets Safeguarding Children Partnership is not a public authority. The Commissioner ruled this argument fails because the information is held by the council for FOIA purposes. The council must issue a fresh response within 30 calendar days of the decision notice, dated 16 April 2026. Non-compliance may result in the Commissioner certifying this to the High Court as contempt of court.

Priority review Enforcement Data Privacy
Favicon for ico.org.uk

Badsworth Parish Council FOI Complaint Upheld - SID Data Request

The ICO has upheld a freedom of information complaint against Badsworth Parish Council regarding a request for Speed Indicator Device (SID) data. The council failed to adequately ascertain whether it holds further information falling within the scope of the request. The Commissioner requires the council to conduct searches aimed at identifying all information within scope and either disclose this information to the complainant or issue a refusal notice that complies with FOIA. The council must also identify if a third party overseeing the unit holds any information on the council's behalf within scope. Failure to comply within 30 calendar days may result in the Commissioner making written certification of this fact to the High Court pursuant to section 54 of the Act.

Priority review Enforcement Data Privacy
Favicon for ico.org.uk

Plymouth City Council FOI Decision Notice: Information Not Held, Not Upheld

The Information Commissioner's Office has issued a Decision Notice finding that Plymouth City Council correctly confirmed it did not hold information requested about a referendum relating to a proposed mayoral election. The council explained that any information relating to the matter would in any event be held by the Returning Officer, a separate legal entity. The Commissioner determined the council complied with section 1(1) of the Freedom of Information Act 2000 and does not require any further steps to be taken.

Routine Rule Data Privacy
Favicon for ico.org.uk

Wandsworth Council SEN FOI Request Not Upheld

The ICO reviewed a complaint against Wandsworth Borough Council regarding a Freedom of Information request for Special Educational Needs (SEN) processes and complaint management procedures. The council provided some information and directed the complainant to published sources but withheld remaining information under FOIA sections 21(1) and 22(1). The Commissioner found that section 21(1) was properly engaged at the time and the council does not hold additional relevant unpublished information, resulting in no breach of section 16(1) concerning advice and assistance. No steps are required of the council.

Routine Notice Data Privacy
Favicon for ico.org.uk

Estyn Vexatious FOI Request Complaint Not Upheld

The Information Commissioner's Office issued a decision on 15 April 2026 finding that a Freedom of Information request made to Estyn (Her Majesty's Inspectorate for Education and Training in Wales) was vexatious under section 14(1) of FOIA. The complainant had requested information about Estyn's complaint responses, prior FOIA disclosures, and inspection processes relating to a specific school. The Commissioner determined that Estyn was entitled to rely on the vexatious request exemption to refuse the request. No further action is required by either party.

Routine Rule Data Privacy
Favicon for ico.org.uk

HMRC FOI 40(2) Third Party Personal Data Decision Upheld

The Information Commissioner's Office has issued a Decision Notice upholding HMRC's reliance on section 40(2) of FOIA to withhold information about the persons who conducted an internal review of a previous information request. The complainant had sought to identify the reviewers, but the Commissioner determined that disclosing their identities would constitute unfair disclosure of third-party personal data. This decision confirms that public authorities may withhold details identifying staff involved in internal review processes where disclosure would breach data protection principles.

Routine Rule Data Privacy
Favicon for ico.org.uk

Bracknell Forest Borough Council FOI Complaint Not Upheld

The ICO has upheld Bracknell Forest Borough Council's reliance on section 40(2) of FOIA to withhold third-party personal information from a four-part FOI request concerning senior officers. The Commissioner also found on the balance of probabilities that the council does not hold the information sought in part 1 of the request, despite the complainant's dispute. No further steps are required of the council.

Routine Rule Data Privacy
Favicon for ico.org.uk

University of Suffolk FOI Exemption Upheld

The ICO issued a Decision Notice finding that the University of Suffolk correctly relied on section 40(2) of FOIA to withhold student nationality data requested by a complainant. The Commissioner determined that the exemption for third-party personal information was properly applied, and no further compliance steps are required from the University. The decision relates to nationality information for students attending specific courses between September 2016 and 7 April 2025.

Routine Enforcement Data Privacy
Favicon for ico.org.uk

Dorset Police NCND Officer Info Not Upheld

The ICO has issued a Decision Notice regarding a Freedom of Information complaint against Dorset Police. The complainant requested information about two named officers, and Dorset Police applied a neither confirm nor deny (NCND) response under section 40(5) of FOIA. The Commissioner has determined that Dorset Police was correct to rely on this exemption and does not require the force to take any further steps.

Routine Notice Data Privacy
Favicon for ico.org.uk

Cambridgeshire County Council FOIA Section 30(1) Investigation Exemption Upheld

The Information Commissioner's Office has upheld Cambridgeshire County Council's refusal to disclose information about a Trading Standards investigation under section 30(1)(b) of the Freedom of Information Act 2000. The Commissioner found that the public interest in maintaining the exemption outweighs the public interest in disclosure, and therefore no further steps are required of the Council. This decision confirms that investigative records held by local authorities may be withheld where disclosure would prejudice ongoing or prospective proceedings.

Routine Notice Data Privacy
Favicon for ico.org.uk

North East London ICB FOI Dentist Info Not Upheld

The Information Commissioner's Office has issued a Decision Notice in case IC-397588-D4P0, dated 15 April 2026, finding that NHS North East London Integrated Care Board (ICB) has complied with section 1(1) of the Freedom of Information Act 2000. The complaint, which concerned a request for information about a specific dentist, was not upheld. The ICO has determined that no further steps are required of the ICB.

Routine Notice Data Privacy
Favicon for ico.org.uk

Home Office FOI Request on Migrant Housing at RAF Scampton Partly Upheld

The ICO's decision notice dated 15 April 2026 concerns a freedom of information complaint regarding the housing of migrants at RAF Scampton. While the Home Office was entitled to refuse the request under section 14(1) of FOIA (vexatious requests) and regulation 12(4)(b) of the EIR (manifestly unreasonable request), the ICO found the Home Office failed in its duty to provide advice and assistance. The ICO requires the Home Office to either advise the complainant on how to refine the request to make it less burdensome, or explain why no practical means of refinement exists.

Priority review Rule Data Privacy
Favicon for commerce.utah.gov

Utah to Receive $10.7M from $773.7M Albertsons Opioid Settlement

Utah has joined a multistate agreement in principle requiring Albertsons Companies Inc. to pay more than $773.7 million to resolve claims related to the company's role in the opioid epidemic. Utah is expected to receive at least $10.7 million, which will flow through Utah's opioid abatement fund to support addiction treatment, recovery services, and prevention programs statewide. Negotiations over injunctive relief remain ongoing between the parties.

Priority review Notice Public Health
Favicon for idpc.org.mt

IDPC Reprimands Online Gaming Operator for GDPR Excessive Data Collection

The Information and Data Protection Commissioner (IDPC) reprimanded an online gaming operator for requesting excessive and disproportionate personal data from a data subject for the purpose of processing a fund withdrawal. The controller required a selfie holding proof of address in front of the complainant's residence and a PayPal statement showing the complainant's income for August, despite already holding the complainant's valid ID and proof of address. The Commissioner determined that these additional requirements exceeded what was necessary under GDPR Article 5(1)(c) data minimisation principles, as the controller failed to demonstrate that each category of information collected was strictly justified for the stated purpose. The controller argued the measures were necessary due to fraud-suspicion indicators detected by its Fraud Team, including a low face-match score and a face mismatch between the ID document and selfie.

Priority review Enforcement Data Privacy
EU AI Act Updates
Favicon for digital-strategy.ec.europa.eu

EU Opens €63.2M Digital Europe Programme Calls for AI in Health, Digital Skills, Online Safety

The European Commission has opened seven funding calls under the Digital Europe Programme worth €63.2 million to support AI innovation in health, digital health services, digital skills training, and online safety. Funding allocations include €9 million for AI-powered medical image screening, €24 million for digital health systems under the European Health Data Space, €12.5 million for advanced digital skills training, €8.5 million for compliance-facilitating digital solutions, €6 million for online information integrity research, €1 million for an EDIC Support Hub, and €1.8 million for programme dissemination. All calls close on 1 October 2026.

Routine Notice Artificial Intelligence
Dutch DPA News
Favicon for www.autoriteitpersoonsgegevens.nl

AP Consultation on Automated Decision-Making Explanations Under GDPR

The Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, is consulting on tools and guidance for how organisations should explain automated decision-making under the GDPR. The consultation requires organisations to state whether automated decision-making was used, the expected impact, the underlying logic, and what rights data subjects have. Responses are requested by 26 May 2026. The AP is also publishing a roadmap for organisations and an overview for data subjects alongside the final guidelines.

Priority review Consultation Data Privacy
Favicon for www.gpdp.it

Tracking Pixel Email Guidelines: Mandatory Consent, Six-Month Compliance Window

The Italian Data Protection Authority (Garante) has adopted guidelines on tracking pixels in emails, establishing that prior, freely given, specific, and informed consent is required for their use under Article 122 of the Italian Privacy Code. Operators must comply within six months of publication in the Gazzetta Ufficiale. The guidelines apply to information society service providers, public online service operators, email providers, mass email platform operators, and any entity using tracking pixels.

Priority review Notice Data Privacy
Favicon for www.pcpd.org.hk

PCPD Learning Session on National 15th Five-Year Plan

The Office of the Privacy Commissioner for Personal Data (PCPD) convened an internal learning session on the National 15th Five-Year Plan on 17 April 2026, hosted by Privacy Commissioner Ada Chung Lai-ling. CPPCC National Committee member Agnes Chan Sui-kuen spoke on Hong Kong's transition from deep integration to proactively contributing to overall national development, focusing on innovation, technology, and Northern Metropolis development. The Privacy Commissioner expressed full support for the first 'Hong Kong's Five-Year Plan' and committed PCPD to implementing six key initiatives for safeguarding national security.

Routine Notice Data Privacy
Favicon for cppa.ca.gov

CPPA Seeks Preliminary Comments on Notices Disclosures and Employee Data

The California Privacy Protection Agency (CPPA) has opened a preliminary comment period through May 20, 2026 at 5:00 p.m. PT, soliciting stakeholder input on potential regulatory changes relating to notices, disclosures, and employee data under CalPrivacy. Comments submitted are public records subject to disclosure and may be included in future rulemaking packages. The agency explicitly states these preliminary comments do not reflect any decisions regarding future rulemaking; a formal public comment period under the Administrative Procedure Act will follow if the agency decides to propose regulations.

Priority review Consultation Data Privacy
Favicon for cppa.ca.gov

CPPA Solicits Preliminary Comments on Employee Data Notices and Disclosures

The California Privacy Protection Agency (CalPrivacy) is soliciting preliminary written comments on notices, disclosures, and employee data through May 20, 2026 at 5:00 p.m. PT. The Agency is exploring whether regulatory changes relating to Employee Data are necessary and gathering stakeholder input to inform its preliminary rulemaking activities. Comments submitted are public records subject to disclosure and may be included in future rulemaking packages if CalPrivacy decides to proceed with formal rulemaking.

Priority review Consultation Data Privacy
Favicon for ico.org.uk

NHS North East London ICB FOI Dentist Complaint Not Upheld

The Information Commissioner's Office has issued a decision notice dated 15 April 2026 concerning a Freedom of Information Act complaint against NHS North East London Integrated Care Board regarding a specific dentist. The Commissioner found that the ICB provided the information it held and therefore complied with section 1(1) of the FOIA. No further steps are required of the ICB.

Routine Rule Data Privacy
Favicon for ico.org.uk

Cornwall Council Trees Request, EIR 13(5A) Not Upheld

The Information Commissioner's Office has upheld Cornwall Council's application of Regulation 13(5A) under the Environmental Information Regulations 2004, finding the council was correct to neither confirm nor deny whether information is held regarding planned tree felling. The decision, issued 13 April 2026, concludes the complaint with no further action required of the council. This ruling confirms the scope of the personal-data exception under EIR 13(5A) in the context of environmental information requests.

Routine Notice Data Privacy
Favicon for ico.org.uk

Haringey Council FOI Complaint Upheld - 30-Day Compliance Deadline

The ICO has upheld complaint FOI 10 against London Borough of Haringey Council, finding that the public authority failed to respond to a freedom of information request within the statutory 20 working days under FOIA. The Commissioner requires the council to provide the complainant with a response within 30 calendar days.

Priority review Enforcement Data Privacy
Favicon for ico.org.uk

ICO Decision: FOI 36 Exemption Upheld for CPRC, Procedural Breach Found

The Information Commissioner's Office has issued a decision notice concerning an FOI complaint against the Civil Procedures Rule Committee. The CPRC withheld information relating to consultation reforms on court document provision to non-parties, citing section 36 (prejudice to effective conduct of public affairs) of FOIA. The ICO upheld the exemption under sections 36(2)(b)(i) and (ii), finding the public interest favours maintaining the exemption. However, the ICO found a procedural breach in how the CPRC handled the request. The Commissioner has determined that no steps are required to be taken as a result of this decision.

Priority review Enforcement Data Privacy
Favicon for ico.org.uk

London Borough of Croydon Upheld for FOI Failure

The ICO has upheld a complaint against London Borough of Croydon for failing to respond to a Freedom of Information request regarding former Sanderstead Library within the statutory 20 working day timeframe. The Commissioner has ordered the council to provide the complainant with a substantive response within 30 calendar days. This decision confirms that local government bodies face binding compliance obligations under FOIA, with the ICO acting as enforcement arbiter.

Priority review Enforcement Data Privacy
Favicon for ico.org.uk

HSE Gateway 2 EIR Disclosure Requirement Upheld by ICO

The ICO has upheld complaints against the Health and Safety Executive (HSE) regarding two breaches of the Environmental Information Regulations 2004. First, the HSE incorrectly applied regulation 12(5)(b) (course of justice and inquiries exception) to refuse a Gateway 2 submission request — the ICO found this exception was not engaged and disclosure is required. Second, the HSE breached regulation 11 by failing to allow proper representations and reconsiderations before refusing the request. The ICO has ordered the HSE to disclose the requested information, subject only to redactions under regulation 13 for personal data.

Priority review Rule Data Privacy
Favicon for ico.org.uk

Metropolitan Police FOI Cost Limit Exemption Upheld Under Section 12

The ICO has upheld the Metropolitan Police Service's reliance on section 12(2) of FOIA to refuse a request for Operation Countryman records on cost-limit grounds. The Commissioner found the MPS correctly applied the exemption and did not breach its section 16(1) duty to provide advice and assistance. No compliance steps are required of the MPS.

Routine Notice Civil Rights
Favicon for ico.org.uk

Bradford City Council FOI Complaint Upheld by ICO

The ICO has upheld complaint reference IC-490042-S9X7 against Bradford City Council, finding that the authority failed to respond to a Freedom of Information request within the statutory 20 working days prescribed by FOIA. The Commissioner has issued a formal decision notice requiring the council to provide the complainant with a substantive response to the outstanding request within 30 calendar days. This is a standard ICO enforcement action enforcing the timeliness obligations under FOIA.

Routine Enforcement Data Privacy
Favicon for ico.org.uk

MOD RAF Flight FOI Complaint - ICO Decision Notice Upholds Section 10 Breach

The ICO has issued a Decision Notice concerning a Freedom of Information complaint against the Ministry of Defence regarding a request for information about a specific RAF flight alleged to have taken place in July 2025. While the ICO upheld the MOD's position that it does not hold information within the scope of the request (FOI 1: Not upheld), the complaint under section 10(1) was upheld (FOI 10: Upheld) because the MOD failed to inform the complainant within 20 working days that it did not hold the requested information. The MOD had initially claimed national security and defence exemptions under sections 24 and 26, but subsequently amended its position to state it held no information.

Priority review Enforcement Data Privacy
Austria DSB
Favicon for www.dsb.gv.at

DSB Austria Activity Report 2025 Published

The Datenschutzbehörde (DSB Austria) announced the publication of its 2025 Activity Report (formerly titled 'Datenschutzbericht'). The report covers the authority's data protection activities and enforcement work during 2025. A PDF copy of the report is available via the DSB website.

Routine Notice Data Privacy
Austria DSB
Favicon for www.dsb.gv.at

EDPB Announces 2026 Coordinated Enforcement Framework on GDPR Transparency

The European Data Protection Board (EDPB) announced on 19 March 2026 its Coordinated Enforcement Framework (CEF) action for 2026, focused on transparency and information obligations under the GDPR. The Austrian Data Protection Authority (DSB) has confirmed it will participate in the coordinated action, with further details to be released at a later date. The CEF is an annual enforcement mechanism by which EU data protection authorities coordinate investigations on a common theme.

Priority review Notice Data Privacy
Austria DSB
Favicon for www.dsb.gv.at

EDPB 2025 Annual Report Published by Austrian DPA

The Austrian Data Protection Authority (DSB Austria) announces the publication of the European Data Protection Board's (EDPB) 2025 Annual Report. The report, published on April 9, 2026 in English, covers the EDPB's activities in supporting stakeholders through guidance and dialogue under Article 71 GDPR. A link to the EDPB press release is provided for further information.

Routine Notice Data Privacy
Favicon for www.gpdp.it

Poste Italiane Fined €6.6M, Postepay €5.9M for GDPR Violations

Italy's Garante per la protezione dei dati personali issued fines of €6,624,000 to Poste Italiane S.p.A. and €5,877,000 to Postepay S.p.A. (totaling over €12.5 million) for unlawful processing of personal data of millions of users. The investigation, launched in April 2024 following numerous complaints, examined the BancoPosta and Postepay mobile apps, which required users to authorize monitoring of device data—including installed and running applications—to detect malicious software. The authority determined that this intrusive surveillance was not strictly necessary for fraud prevention. Additional violations included deficient user disclosures, absence of a Data Protection Impact Assessment (DPIA), inadequate security measures, improper data retention policies, and irregularities in processor designation. The Garante ordered both companies to cease the contested data processing and comply with data retention requirements, notifying the authority of compliance.

Urgent Enforcement Data Privacy

EDPS Newsletter #119: AI Act, Cybersecurity, and European Biotech Act

The EDPS published Newsletter #119 covering four main items: (1) a blog post by Supervisor Wiewiórowski on prior consultation in justice and law enforcement data processing, with links to 10 examples from 2025; (2) a June 8, 2026 high-level debate in Brussels co-organised with the BfDI and BayLfD on the Digital Omnibus and GDPR; (3) a joint EDPB/EDPS opinion broadly supporting the Cybersecurity Act 2 (CSA2) package and NIS2 amendments while recommending stronger privacy safeguards, including a single entry point for personal data breach notifications; and (4) the EDPS Compass, which sets out the EDPS's role as market surveillance authority and notified body for EU institutions under the AI Act, built on the AI Preparedness Strategy and the new EDPS AI Unit. The newsletter also notes a joint opinion supporting the European Biotech Act while calling for enhanced safeguards on health and genetic data.

Routine Notice Data Privacy
NDPC Nigeria News

NDPC Kicks Off 2nd Edition of DPO Certification in Abuja and Lagos

The Nigeria Data Protection Commission (NDPC) has commenced the second edition of its Data Protection Officers (DPOs) training and certification programme in Abuja and Lagos. National Commissioner/CEO Dr Vincent Olatunji noted the global scarcity of DPOs and stated the Commission is committed to creating globally competitive human capital to position Nigeria as a hub for privacy experts. Participants in the first edition are now working as DPOs, and current participants will be offered internship opportunities upon completion, with a Faculty for DPOs to be established for ongoing guidance.

Routine Notice Data Privacy

Showing 101–150 of 565 changes



106 official sources tracked

ICO Decision Notices

Updated 6d ago

AG: VT Security Breach Notices

Updated 13d ago

IAPP Privacy News

Updated 3d ago

NDPC Nigeria News

Updated 7d ago

Luxembourg CNPD News

Updated 3d ago

EDPB Documents (GDPR)

Updated 7h ago

Garante Privacy News

Updated 4d ago

AEPD Spain News

Updated 16h ago

Norway Datatilsynet News

Updated 3d ago

ANPD Brazil Data Protection

Updated 3d ago

Hungary NAIH News

Updated 3d ago

Croatia AZOP News

Updated 4h ago

Belgium APD News

Updated 3d ago

PCPD Media Statements (HK)

Updated 4d ago

CAC China News

Updated 3d ago

UK CDEI

Updated 12d ago

UK NDG

Updated 12d ago

UK SCC

Updated 12d ago

Norway Datatilsynet

Updated 9d ago

WA Data Breach Notifications

Updated 4d ago

Latvia DVI News (alt)

Updated 3d ago

IDPC Malta Data Protection Decisions

Updated 3d ago

OAIC Media Centre

Updated 4d ago

Argentina AAIP alt

Updated 3d ago

EDPB EU News

Updated 5h ago

Slovenia Information Commissioner

Updated 3d ago

AEPD Resolutions (Spain DPA)

Updated 20d ago

Australia OAIC Privacy Determinations alt

Updated 5d ago

Luxembourg DPA (CNPD)

Updated 5d ago

Turkey Personal Data Protection Authority

Updated 5d ago

LfD Bavaria Data Protection

Updated 5d ago

Slovakia UOOU (alt)

Updated 5d ago

Germany BfDI Press (EN alt)

Updated 5d ago

Ireland Data Protection Commission News

Updated 5d ago

Austria DSB

Updated 7d ago

Estonia AKI Uudised (alt)

Updated 5d ago

Romania ANSPDCP

Updated 7d ago

Poland UODO (alt)

Updated 4d ago

IPC Ontario News Releases

Updated 2d ago

European Data Protection Supervisor

Updated 7d ago

Colorado AG Press Releases

Updated 12d ago

Luxembourg CNPD (EN)

Updated 3d ago

Korea PIPC (EN alt)

Updated 5d ago

Denmark Datatilsynet News

Updated 5d ago

Germany Hamburg HmbBfDI

Updated 5d ago

Liechtenstein DSS News

Updated 5d ago

Finland Tietosuoja News

Updated 5d ago

Ireland DPC Decisions

Updated 5d ago

CPPA California Privacy Rulemaking

Updated 7d ago

Czech UOOU Aktuality

Updated 2d ago

ICO News & Blogs

Updated 17d ago

Greece HDPA News (EN)

Updated 5d ago

Dutch DPA News

Updated 6d ago

Italy Garante Privacy

Updated 9d ago

EU AI Act Updates

Updated 6d ago

Czech UOOU

Updated 7d ago

CNIL News (France DPA)

Updated 4d ago

Austria DSB News

Updated 17d ago

Japan PPC News

Updated 5d ago

OPC Canada News

Updated 5d ago

Frequently asked questions

What does this feed cover?

Enforcement actions, guidance updates, and rulemaking across state privacy laws (CCPA, CPRA, CPA, VCDPA, and more), FTC privacy actions, CPPA rulemaking, HHS OCR HIPAA enforcement, and international data protection authorities.

Who is this for?

Privacy officers, DPOs, and legal teams tracking the fast-moving patchwork of US state privacy laws and federal enforcement actions.

How often is this updated?

GovPing checks source pages multiple times daily.

Which state privacy laws are covered?

We track enforcement and rulemaking for CCPA/CPRA (California), CPA (Colorado), VCDPA (Virginia), CTDPA (Connecticut), and all other enacted state privacy statutes.

How is this different from OneTrust or TrustArc?

OneTrust and TrustArc are privacy GRC platforms with regulatory intelligence as one module. GovPing is a free feed of the source pages - state AG enforcement, FTC actions, CPPA rulemaking, HIPAA enforcement - where new privacy actions are first published. Brief-driven, with attention-level ratings on every change.

Is GovPing free?

Yes. GovPing is free, and always will be. We believe government regulatory data should be accessible to everyone. For custom monitoring of pages we don't cover yet, Changeflow starts at $99/mo.

Need to monitor something else?

GovPing covers the common sources. For niche pages specific to your team, add custom URL monitoring with Changeflow.
