Search

Guidelines 1/2026 on Processing Personal Data for Scientific Research

Euroopan tietosuojaneuvosto on julkaissut ohjeistuksen henkilötietojen käytöstä tieteellisessä tutkimuksessa. Ohjeet selkeyttävät tutkimusdatan uusiokäytön sääntöjä, laajentavat suostumusmahdollisuuksia "laajaan suostumukseen" ja "dynaamiseen suostumukseen" sekä määrittelevät kuusi kriteeriä tieteellisen tutkimuksen tunnistamiseksi. Kommentit ohjeistuksen luonnokseen otetaan vastaan 25. kesäkuuta 2026 asti.

New HMS Card Contract Signed With Tieto, Three Years, Starts January 2027

Arbeidstilsynet has signed a new three-year contract with Tieto (formerly Tietoevry) for the delivery of HMS cards, the work-authorisation cards required in Norway's covered industries. The contract, signed 31 March 2026, begins January 2027 and has an estimated annual value of approximately 50 million Norwegian kroner, with options to extend for up to two additional years. The new agreement will introduce a unified physical card across industries, improved security using bank-card technology, a more user-friendly ordering solution, and stricter information-security and privacy requirements.

Europrivacy Certification Now Covers Non-EU Organizations

The European Data Protection Board approved updated Europrivacy certification criteria at its April 2026 plenary session and endorsed the use of Europrivacy certification as a tool for international personal data transfers under Articles 42 and 46 GDPR. The certification scheme has been expanded to cover non-EU controllers and processors subject to GDPR, including organizations offering products or services to Europeans or processing personal data for behavioral monitoring of EU residents. Non-EU data importers not directly subject to GDPR can now apply for Europrivacy certification to validate appropriate safeguards for data transfers they receive from the EU. The original Europrivacy criteria were approved in October 2022 as the first EU-wide data protection seal.

EDPB Publishes Template for Data Protection Impact Assessments – Provide Feedback

The European Data Protection Board (EDPB) published a template for Data Protection Impact Assessments (DPIAs) to support organizations in reporting and consistent GDPR compliance across the EU. The template provides a step-by-step structure for presenting DPIA results and includes guidance on key concepts. A public consultation is open until 9 June 2026, after which EU national data protection authorities will adopt the template either as-is or as a national version.

Workplace Alcohol Testing and Personal Data Guidance

Finland's Data Protection Authority (Tietosuoja) has published guidance on workplace alcohol and drug testing and the collection of personal data from employees and job applicants. The guidance clarifies that occupational health care may not disclose an employee's health information to the employer without the employee's consent; the information remains secret and confidential. It also reiterates the core data minimisation principle: employers may only process personal data that is strictly necessary with regard to the employment relationship, and unnecessary data may not be processed even with the employee's consent.