Aligning With EU Data Processing Standards

The European Data Protection Board (EDPB) has released its Guidelines on the interplay between the Digital Services Act (DSA) and the GDPR. This document is a cornerstone for organisations navigating the increasingly complex regulatory environment of digital platforms in Europe. It clarifies how the DSA’s obligations on transparency, accountability, and user rights intersect with existing GDPR requirements on data protection and privacy. Key takeaways from the guidelines include: ✅ How DSA provisions on content moderation, recommender systems, and risk assessments must align with GDPR principles such as lawfulness, fairness, and transparency. ✅ The importance of data minimisation and purpose limitation when implementing DSA-mandated obligations. ✅ The EDPB’s view on the shared responsibilities of platforms and service providers when processing user data under both frameworks. ✅ Practical guidance on ensuring compliance without creating overlaps or contradictions between the two regimes. This guidance will be vital for platforms, online intermediaries, and compliance professionals seeking to harmonise their approach to the DSA and GDPR while protecting user rights.

in the words of #privacyRickyRicardo: Data Processor, you've got some 'splainin to do! New draft CNIL - Commission Nationale de l'Informatique et des Libertés guidance on GDPR certification for data processors may raise the standard for what controllers (in the EU or not) ask from data processors to ensure compliance with privacy laws (especially after the new European Data Protection Board guidance https://shorturl.at/501f6) Things we are discussing with clients that somewhat exceed what we see in DPAs: Pre-Contractual Phase 🔹 Inform controller of purpose & compliance measures with any ex-EU data transfers 🔹 Provide information on general and specific security measures Controller instructions: Establish a procedure for receiving and implementing instructions including: (1) written and dated instructions; (2) informing controller of legal obligations that impact processing; (3) assessing any new instructions for compliance with GDPR. Secondary processing: If you perform processing as a data controller: (1) ensure explicit authorization for secondary processing; (2) notify controller of any legally required processing. Security Measures: Assess and document whether implemented security measures are adequate for the risks associated with processing (Risk analysis frameworks or Pre-filled templates). DPIA Support conducting DPIAs by: (1) Providing relevant details on processing activities and risks; (2) Documenting measures that ensure compliance with GDPR principles (e.g., data minimization, consent management). Policies and training 🔹 Ensure all personnel involved in processing activities are aware of: (1) responsibilities under GDPR; (2) importance of protecting personal data; (3) Procedures for reporting incidents or risks 🔹 Provide training for staff including: Regular updates on data protection regulations; Practical instructions; Specialized training for sensitive data. 🔹 Provide educational resources to raise awareness and ensure compliance 🔹 Maintain register of security incidents Deletion of data at end of contract: 🔹 Delete all personal data from active databases. 🔹 Document deletion process, confirm it in writing to controller & provide proof of deletion upon request. 🔹 Ensure permanent deletion of personal data using secure deletion methods that prevent recovery; including backup systems unless legally required to retain. 🔹 Notify subcontractors about termination; ensure they comply with instructions re: deletion Data governance: 🔹 Action plan to address & improve security of personal data; including: risks, corrective measures; monitoring mechanisms 🔹 Evaluation plan to ensure compliance of subsequent subcontractors including: selection criteria; Processes for monitoring compliance; Corrective actions 🔹 Continuous improvement plan to enhance compliance with data protection regulations 🔹 Monitor & update all policies, procedures, & measures #dataprivacy #dataprotection #privacyFOMO pic by Grok

Is your AI Ready for the Challenges of GDPR and EU Data Sovereignty? In Europe, data sovereignty is no longer a minor detail - it’s a critical legal requirement that could make or break your AI strategy. Today, to comply with European data regulations, executives need to ensure that data is stored within Europe, is operated by Europeans and that the cloud service is owned by European shareholders. The penalties for non-compliance are steep — just ask Uber, which recently faced a €300 million fine for transferring EU data to U.S. servers via a well-known public cloud provider, violating GDPR and EU sovereignty regulations. And Uber isn’t alone; European governments are starting to enforce their various data protection legislations as AI in the corporate setting is on the rise. ⭐️ What is Data Sovereignty? In the context of AI processing, data sovereignty refers to the principle that digital information is subject to the laws of the country where it’s stored or processed, as well as a few other important metrics. ⭐️ European Data Sovereignty Considerations for GDPR Data Processed in AI Systems: 1. Data Location and Legal Jurisdiction The geographic location of your data storage determines the legal framework under which it falls. Storing sensitive data outside the EU or with cloud providers based in non-EU jurisdictions, such as the US, can expose it to foreign legal oversight, including US laws like the US CLOUD Act. 2. EU-Based Cloud Operators   Cloud operations for AI systems processing sensitive data should be managed by companies with a strong European presence and governance. 3. EU Ownership and Control of Cloud Services  To ensure EU sovereignty, cloud providers handling sensitive data must be fully owned and controlled by entities within the EU. This mitigates the risk of foreign government access or influence and ensures that the provider operates under EU laws and policies without foreign shareholder pressure. ⭐️ The Solution: NEBUL & NVIDIA – The European Sovereign AI Cloud At Nebul, we’ve designed a ground-up solution with NVIDIA that combines AI innovation with complete EU data sovereignty for European companies. As an official EU Sovereign NVIDIA Cloud Provider, Nebul powers European organizations with an accelerated and private AI Cloud & AI Factory that’s fully compliant with European Sovereignty, GDPR and other EU regulations (like the EU AI Act) as well as being ½ the cost, and 15-20 faster for AI workloads vs public cloud. 👉 Learn more about how Nebul can help you navigate European Private AI and EU data sovereignty at http://nebul.com – or ping me directly.

How to balance data sharing and data minimization under the Data Act and the GDPR? 🤔 The Data Act aims to foster fair access and use of data in the EU. It also aims to create a comprehensive framework for the European data economy. Does the objective of the Data Act conflict with the GDPR principle of data minimization, which requires data controllers to limit the collection and processing of personal data to what is necessary and relevant for a specific purpose? For instance, the Data Act introduces new rules on data portability and data sharing, allowing users of connected devices to access, use, and share the data generated by their products or services. This could increase the amount and variety of data, including personal data, that is transferred and reused across different sectors and actors, potentially raising privacy risks and compliance burdens. How can you ensure that data minimization is not compromised by data sharing? Here are some possible solutions: 1️⃣ Implement data protection by design and by default (GDPR), ensuring that data is collected and processed in a way that respects the rights and preferences of data subjects, and that appropriate technical and organizational measures are in place to safeguard data security and confidentiality. 2️⃣ Apply data anonymization or pseudonymization techniques when possible, reducing the identifiability of personal data and minimizing the impact of data breaches or misuse. Keep in mind that anonymized data is not regulated under GDPR. 3️⃣ Adopt data quality standards, ensuring that data is accurate, complete, and compatible with the intended purpose and context of data processing. 4️⃣ Use model contract clauses or codes of conduct, providing clear and fair terms and conditions for data sharing and data trading, and establishing mechanisms for dispute resolution and redress. Sounds easy, right? These tips may require a lot of work if your organization has not implemented a proper privacy program. However, it is not too late to start. By following these tips, you can achieve a balance between the Data Act and the GDPR, and leverage the benefits of data sharing while respecting the principle of data minimization. What do you think? #gdpr #dataact #dataprotection #datasharing