OPSG Paper on Typology of Multi-Pillar Pension Systems in Europe

The European Insurance and Occupational Pensions Authority (EIOPA) has published a paper detailing the typology of multi-pillar pension systems across Europe. This guidance aims to provide a framework for understanding the diverse pension landscape within the EU.

EIOPA DC Pensions Toolkit Development - OPSG Input

The Occupational Pensions Stakeholder Group (OPSG) has submitted its response to the European Insurance and Occupational Pensions Authority's (EIOPA) call for evidence regarding the development of a DC pensions toolkit. This input is intended to inform EIOPA's ongoing work in this area.

EU and UK Authorities MoU on DORA ICT Provider Oversight

The European Supervisory Authorities (ESAs) and the Bank of England, PRA, and FCA have signed a Memorandum of Understanding to enhance cooperation on overseeing critical ICT third-party service providers under DORA. This agreement facilitates joint oversight and equivalence assessments between EU and UK authorities.

EIOPA delegates DORA Q&A adoption to Chairperson

EIOPA, in cooperation with EBA and ESMA, has adopted a decision to delegate the adoption of answers to straightforward DORA questions to the EIOPA Chairperson. This aims to simplify procedures and optimize resource utilization.

European Commission notifies Meta over AI assistants exclusion from WhatsApp

The European Commission has sent a Statement of Objections to Meta, alleging a breach of EU antitrust rules by excluding third-party AI assistants from WhatsApp. The Commission intends to impose interim measures to prevent serious and irreparable harm to the market.

ESMA Notifications of Compliance with Guidelines Overview Table

The European Securities and Markets Authority (ESMA) has published an overview table detailing notifications of compliance with its guidelines. This document serves as a reference for market participants regarding adherence to ESMA's technical standards and guidelines.

MiCA Reverse Solicitation Guidelines Compliance Table

The European Securities and Markets Authority (ESMA) has published a compliance table for its Markets in Crypto-Assets (MiCA) Regulation reverse solicitation guidelines. This document aims to assist entities in understanding and adhering to the new requirements regarding unsolicited marketing of crypto-asset services.

MiCA Crypto-Asset Transfer Guidelines Compliance Table

The European Securities and Markets Authority (ESMA) has published a compliance table for its MiCA crypto-asset transfer guidelines. This document serves as a reference for entities to assess their adherence to the new regulatory framework for crypto-asset service providers.

Garante Privacy Fines Nursery, Approves IT-Wallet, CEREBRO, AI in Schools

The Italian Garante Privacy has fined a nursery school €10,000 for privacy violations related to children's photos and video surveillance. The authority also approved the experimentation of IT-Wallet, the use of CEREBRO for asset investigations, and issued guidelines for AI in schools.

GDPR Fines and Guidance on AI, Healthcare, and Public Transparency

The Italian Data Protection Authority (Garante privacy) issued a newsletter detailing several enforcement actions and guidance. Fines were issued to a bank (€100,000) and a municipality for transparency violations, and a hospital (€80,000) for improper access to patient health records. Global data protection authorities also affirmed that data protection fully applies to AI.

Hospital Fined €70k for Data Breach; FAQs on Public Tender Data Published

The Italian Data Protection Authority (Garante privacy) has fined a company managing a hospital €70,000 for the unauthorized disposal of a patient's tissue sample and failure to notify a data breach. The newsletter also announced new FAQs on data processing and transparency in public tenders.

Garante Privacy Fines Verisure Italia and Aimag for GDPR Violations

The Italian Data Protection Authority (Garante Privacy) has fined Verisure Italia €400,000 for unlawful marketing practices and Aimag for inadequate security measures. Both companies are ordered to cease unlawful data processing and comply with GDPR.

GDPR Fines for Employee Monitoring and Email Privacy

The Italian DPA has issued a €120,000 fine to an agricultural seed company for unlawfully monitoring employee driving habits via company vehicles. The newsletter also covers GDPR implications for accessing a dismissed employee's email and new tools against telemarketing.

EU Implementing Regulations and Decisions - February 2026

The EU Official Journal L series for February 9, 2026, includes several implementing regulations and decisions. These cover amendments to lists of third countries authorised for imports of fresh poultry meat, germinal products of equine animals, registration of geographical indications, and harmonised standards for construction products.

EU Official Journal L Series Daily View - February 10, 2026

The EU Official Journal L series for February 10, 2026, includes several new implementing and delegated regulations. These cover diverse areas such as mental health data, consumer product disclosure, rail transport interoperability, plant health, and anti-dumping measures on steel wires from China.

EU Official Journal C Series - February 10, 2026

The EU Official Journal C series for February 10, 2026, includes notices on State aid authorisations where no objections were raised, a non-opposition to a notified concentration, and communications from the Hungarian Ministry of Energy regarding hydrocarbon exploration and production authorisations.

EU Official Journal L Series Daily View - February 11, 2026

The EU Official Journal L series for February 11, 2026, has been published, including new regulations and implementing decisions. These cover various sectors such as securities supervision fees, greenhouse gas exemptions for semiconductor manufacturing, pesticide approvals, and animal health import requirements.

EU Legislation and Regulatory Notices - February 11, 2026

The EU Official Journal C series published several notices on February 11, 2026. These include communications on State aid, media service provider declarations under the European Media Freedom Act, renewable fuels in maritime transport, restrictive measures concerning Ukraine, and prior notifications of concentrations.

IMY Fines Trygg-Hansa SEK 35 Million for Data Exposure

The Swedish Authority for Privacy Protection (IMY) has issued an administrative fine of SEK 35 million against Trygg-Hansa. This action follows a data exposure incident where information for 650,000 customers was accessible to unauthorized persons via the internet for over two years.

Administrative Fine for Data Collection Without Security

The Swedish Privacy Protection Authority (IMY) has issued an administrative fine of SEK 100,000 against the Equality Ombudsman (DO) for insufficient security measures during personal data collection via a web form. The incident led to the inadvertent disclosure of approximately 500 tips and complaints.

GDPR Breach Fines for SL Group Companies

The Swedish Authority for Privacy Protection (IMY) has issued administrative fines of SEK 75,000 each to Aktiebolaget Storstockholms Lokaltrafik (SL) and Waxholms Ångfartygs AB (WÅAB). The fines were imposed for processing personal data related to employee sobriety tests in breach of the GDPR, specifically regarding excessive data storage and handling of potentially sensitive health data.

Apoteket and Apohem Fined for GDPR Violations

The Swedish Authority for Privacy Protection (IMY) has fined Apoteket AB SEK 37 million and Apohem AB SEK 8 million for GDPR violations. The companies improperly transferred sensitive personal data to Meta via the Meta Pixel tool, failing to implement adequate protective measures.

Sportadmin Fined SEK 6 Million for GDPR Data Leak

The Swedish Authority for Privacy Protection (IMY) has imposed an administrative fine of SEK 6 million on Sportadmin following a data leak that exposed personal data of over 2.1 million individuals. The authority found that Sportadmin did not maintain an appropriate level of security to protect the data, violating GDPR Article 32.

AEPD Resolves GDPR Breach: 492 Individuals' Data Published

The Spanish Data Protection Agency (AEPD) has initiated a sanctioning procedure against the Consejería de Hacienda y Administración Pública of the Junta de Extremadura for publishing the personal data (name, surname, and DNI) of 492 individuals on its website. The data was published without consent as part of a public employment selection process and has been accessible since September 2019.

Spanish DPA Resolution on Data Rights Claim

The Spanish Data Protection Agency (AEPD) has issued a resolution regarding a data rights claim (EXP202517310). The claimant exercised their right of access, and after initial non-compliance, the respondent has now demonstrated that the right was attended to and a response was provided.

Data Protection Commission 2024 Annual Report

The Data Protection Commission (DPC) has published its 2024 Annual Report, detailing €652 million in administrative fines issued, including significant penalties against Meta and LinkedIn. The report also highlights the conclusion of numerous inquiries and breach notifications.

DPC Fines CDETB €125,000 for GDPR Data Breach

The Irish Data Protection Commission (DPC) has fined the City of Dublin Education and Training Board (CDETB) €125,000 for a GDPR data breach. The inquiry found CDETB infringed multiple GDPR articles related to security measures, breach notification to the DPC, and notification to data subjects.

DPC Inquiry into TikTok Data Transfers to China

The Irish Data Protection Commission (DPC) has opened an inquiry into TikTok Technology Limited regarding the transfer of EEA users' personal data to servers in China. This follows TikTok's admission that limited data was stored in China, contrary to previous evidence provided to the DPC.

Data Protection Commission Opens Inquiry into Children's Health Ireland

The Data Protection Commission (DPC) has opened a formal inquiry into Children's Health Ireland (CHI) concerning the security of children's health records at Tallaght University Hospital. The inquiry follows protected disclosures and a breach notification, and will examine CHI's GDPR compliance regarding physical data security.

CJEU Rules Pre-Ticked Checkboxes Invalid for Cookie Consent

The European Court of Justice (CJEU) ruled that pre-ticked checkboxes are invalid for obtaining cookie consent. This decision, welcomed by data protection authorities, clarifies that active user behavior is required for valid consent regarding data processing.

Bundestag Strengthens Data Protection Authority

The German Bundestag's Budget Committee has allocated an additional 67 posts to the Federal Commissioner for Data Protection and Freedom of Information (BfDI) for the upcoming year. This funding aims to enhance supervision of security authorities, support new digitalization tasks in the health sector, and improve international cooperation.

BfDI Fines 1&1 Telecom EUR 9.55M and Rapidata EUR 10k under GDPR

Germany's Federal Commissioner for Data Protection and Freedom of Information (BfDI) has fined 1&1 Telecom GmbH EUR 9.55 million for insufficient technical and organizational measures to protect customer data and Rapidata GmbH EUR 10,000 for failing to appoint a data protection officer. These actions underscore the enforcement of GDPR provisions.

EDPB Agrees on GDPR Evaluation and Suggests Cooperation Improvements

The European Data Protection Board (EDPB) has agreed to contribute to the European Commission's evaluation of the GDPR. The EDPB suggests improvements in cooperation between data protection authorities and revisions to standard contractual clauses for data transfers.

ECJ Invalidates Privacy Shield, Impacts International Data Transfers

The European Court of Justice (ECJ) has declared the EU-US Privacy Shield invalid, impacting international data transfers. The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) stated that companies and authorities can no longer rely on the Privacy Shield for data exchange with the USA, requiring special safeguards and adherence to fundamental rights.

France Travail fined €5 million for data security breach

The CNIL has fined FRANCE TRAVAIL (formerly Pôle Emploi) €5 million for failing to implement adequate security measures to protect job seeker data, following a hack in early 2024. The fine addresses inadequate technical and organizational measures, including weak authentication and logging.

CNIL Work Programme 2026-2028 on Data Economy

The CNIL has published its work programme for 2026-2028, focusing on understanding data-related business models and measuring the economic impact of its decisions. The programme aims to deepen expertise in data protection's economic implications and contribute to public debate on the data economy.

CNIL Annual Report: 2025 Fines and Sanctions

The CNIL reported imposing €486.8 million in fines and 83 sanctions in 2025, primarily for violations related to cookies, employee monitoring, and data security. The report details 143 compliance orders and 31 reminders of legal obligations issued during the year.

EDPB Guidelines on Article 48 GDPR

The European Data Protection Board (EDPB) has published final guidelines on Article 48 of the GDPR, concerning the recognition of judgments and decisions of public authorities of third countries. These guidelines clarify the conditions under which such judgments can be relied upon for international data transfers.

EDPB Consultation on DSA and GDPR Interplay Guidelines

The European Data Protection Board (EDPB) has opened a public consultation on its draft Guidelines 3/2025 concerning the interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR). The consultation period is open until October 31, 2025.

EDPB Joint Guidelines on DMA and GDPR Public Consultation

The European Data Protection Board (EDPB) and the European Commission have opened a public consultation on their Joint Guidelines concerning the interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). Interested parties are invited to submit comments by December 4, 2025.

EDPB GDPR Compliance Templates Consultation

The European Data Protection Board (EDPB) has launched a public consultation to gather ideas for developing ready-to-use GDPR compliance templates for organizations. The consultation seeks input on the most useful template types and closes on December 3, 2025.

EDPB Consultation on User Accounts for E-commerce Websites

The European Data Protection Board (EDPB) has launched a public consultation on its Recommendations 2/2025 concerning the legal basis for requiring user accounts on e-commerce websites. The consultation is open for comments until February 12, 2026.

EDPB Public Consultation on Processor Binding Corporate Rules

The European Data Protection Board (EDPB) has launched a public consultation on its Recommendations 1/2026 concerning Processor Binding Corporate Rules. The consultation is open until March 2, 2026, and aims to gather feedback on the application, elements, and principles for these rules under GDPR.

Guidance on Reporting Scams Pretending to be Companies House

Companies House has published guidance on how to report scams that impersonate the agency. The guidance details how to identify and report suspicious phone calls and emails, providing examples of known scam tactics.

Companies House Transition Plan for Economic Crime Act

Companies House has published an outline transition plan for the Economic Crime and Corporate Transparency Act 2023. The plan details the indicative timeline for commencing key provisions, with updates indicating potential postponements for certain measures to prioritize identity verification and stakeholder feedback.

Companies House Identity Verification Legal Requirement

Companies House has issued guidance stating that identity verification for directors and persons with significant control will become a legal requirement from November 18, 2025. This marks the start of a 12-month transition period for companies to comply.

Companies House Fees and Powers Update

Companies House will implement new fee structures effective February 1, 2026, with digital filing fees for incorporation, confirmation statements, and voluntary strike-offs increasing. These changes, alongside new powers granted by the Economic Crime and Corporate Transparency Act, aim to enhance the UK's corporate registers and combat economic crime.

Insolvency Service Shuts Down UK Business Registration Services

The UK Insolvency Service has shut down three companies that facilitated the registration of over 11,000 UK businesses for overseas clients, primarily from China. These companies operated without proper registration and failed to conduct anti-money laundering checks, creating a false impression of UK presence for their clients.

S-Bank Fined EUR 1.8 Million for GDPR Violations

The European Data Protection Board reports that the Finnish Supervisory Authority has fined S-Bank EUR 1.8 million for GDPR violations related to a data security vulnerability. The bank failed to implement adequate safeguards, leading to a personal data breach affecting a significant proportion of its customers.

EDPB Strengthens Global Data Protection Cooperation

The European Data Protection Board (EDPB) held a meeting with Data Protection Authorities from countries and organizations with an EU adequacy decision to strengthen global data protection cooperation. This follows up on a previous meeting in October 2024 and focuses on sharing information and experiences in international data protection enforcement.