BACK TO SCHOOL FOR PRIVACY PROFESSIONALS: RECENT CASE LAW AND DPA PORTAL LAUNCH

September is not only the season of sharpened pencils and fresh agendas, it is also a moment to catch up on key regulatory and case law developments. In this e-zine, Lydian’s Information Governance and Data Protection (Privacy) team walks you through:

  • two landmark court decisions (Latombe v. Commission and EDPS v. SRB), shaping the future of international data transfers and clarifying when pseudonymised information still counts as personal data; and
  • the launch of the new portal of the Belgian Data Protection Authority (DPA), which modernises how organisations notify data breaches and manage DPO cases.

Spotlight Case: Latombe v. Commission – EU–US Data Transfer Framework Upheld

On 3 September 2025, the EU General Court ruled on a claim brought by French citizen Philippe Latombe against the European Commission’s 2023 decision declaring that the new EU-US Data Protection Framework (replacing the older Privacy Shield) provides adequate protection for personal data transfers to the U.S.A.

 
The key issue

 

Latombe argued that the new framework still fell short of EU data protection standards, particularly regarding rights to independent judicial review and concerns over mass (bulk) data collection practices by U.S. intelligence agencies.

 
The Court’s conclusion:

 

  • the Court dismissed Latombe’s challenge in full and found that the framework ensures a level of data protection substantially equivalent to EU standards;
  • it emphasized that the U.S. Data Protection Review Court (DPRC, a new independent body created to handle EU individuals’ complaints about U.S. intelligence access to their data) offers sufficient independence and binding authority to protect individuals’ rights;
  • while concerns about "bulk collection" of data in transit were raised, the Court accepted that such collection is strictly regulated and constrained under U.S. law, meaning the Commission’s adequacy finding was valid; and
  • the Court also recalled that the legality of an EU act must be assessed solely on the facts and law existing at the time of its adoption. Later developments cannot retroactively affect the validity of the Commission’s adequacy decision.
 
Outcome and next steps

 

The adequacy decision therefore remains valid, ensuring legal certainty for companies transferring personal data to certified U.S. organisations. Businesses can continue to rely on the framework without the need for supplementary safeguards such as Standard Contractual Clauses.

However, the case is not necessarily over. An appeal before the CJEU remains possible. If lodged, the CJEU could revisit the framework’s validity in the coming months or years.

Spotlight Case: EDPS v. SRB – Clarifying the Concept of ‘Personal Data’

On 4 September 2025, the CJEU ruled on an appeal brought by the European Data Protection Supervisor (EDPS) against the Single Resolution Board (SRB, the EU authority responsible for managing bank failures under the Banking Union). The EDPS had challenged a decision finding that the SRB failed to inform data subjects (i.e., shareholders or creditors) about the transfer of pseudonymised data.

 
The key issue

 

The case arises from an appeal by the EDPS against a 2023 ruling of the General Court, which had annulled a prior EDPS decision. In that decision, the EDPS found that the SRB had breached Regulation 2018/1725 (EUI GDPR, the EU’s GDPR-equivalent rules applying to EU institutions and bodies) by failing to inform data subjects that their pseudonymised personal data, submitted as comments during a consultation on the proposed liquidation of a Spanish bank, had been disclosed to a consulting firm engaged by the SRB.

When in 2023 the General Court annulled the EDPS decision, it held that the data were not personal data for the consulting firm since it had no access to identity data and re-identification was not reasonably possible.

In turn, the EDPS appealed to the CJEU, arguing that the General Court misinterpreted the definition of ‘personal data’ and erred in law by assessing identifiability from the consulting firm’s perspective rather than the controller’s.

 
The Court’s conclusion:

 

The CJEU set aside the General Court’s judgment and confirmed that the consultation-phase comments transmitted to the consulting firm must be regarded as personal data. In summary, the Court ruled on the following elements:

  • definition of pseudonymisation: the Court recalled that under EU law, pseudonymisation means data “can no longer be attributed to a specific person without the use of additional information,” provided that such information is kept separately and protected. Since the SRB retained the key linking codes to identities, the comments remained personal data from the controller’s perspective;
  • identifiability not limited to the recipient’s view: the General Court had wrongly assessed identifiability from the consulting firm’s perspective alone. The CJEU clarified that pseudonymised data cannot be considered anonymous simply because the consulting firm could not re-identify the authors. If the controller (here SRB), or other potential third parties, reasonably has the means to link the data back to individuals, then the data remain personal data; and
  • transparency obligations: the Court underlined that the duty to inform under Article 15 of EUI GDPR applies at the time of collection of the data. Data subjects must know who the potential recipients are so that they can decide, in full knowledge of the facts, whether to provide their data. By not naming the consulting firm, the SRB deprived data subjects of that choice and failed to ensure fair and transparent processing.
 
Why it matters for businesses

 

  • privacy notices must be complete: all potential recipients of personal data should be listed, even if the data will be pseudonymised before transfer; and
  • controller’s perspective matters: transparency duties are assessed from the controller’s ability to re-identify, not just the recipient’s.

New DPA PORTAL – Important update on data breach notifications

On 10 July 2025, the Belgian DPA launched a new online portal designed to streamline the way organisations manage their data protection procedures and notifications.

Until now, organisations relied on static forms submitted via the DPA website. The new portal modernises this process, allowing organisations to:

  • notify and manage data breaches; and
  • handle DPO cases (e.g. notification, modification of details, withdrawal of appointment).
 
Data Breach Notifications: A Two-Step Process

 

The new procedure is more extensive and complex, so companies need to be familiar with it and to delegate the roles in advance.

Notifications must now be introduced in two parts:

  • part 1, which contains the most important information on the data breach, is to be filed within 72 hours of becoming aware of a breach; and
  • part 2, a more extensive notification, where additional details have to be completed on the scope, cause and impact of the data breach, and where specific attachments are requested to provide the DPA further insights, is to be filed within 21 calendar days after the completion of Part 1.
 
Creating an Account

 

To use the portal, organisations are required to create a company account. The procedure is different for Belgian and non-Belgian companies:

  • Belgian companies: for companies that are registered in the Belgian Company Register, it is required to delegate roles as a legal representative via the eGov platform. Only persons formally assigned the role “GBA_Documentum_Vertegenwoordiger”/ “APD_Documentum_Représentant” can access the portal;
  • other companies (not registered in Belgium): companies that are not registered in the Belgian Company Register can create an account with an email address and a password, and by providing an EU VAT number or a unique national number.
 
Manuals and FAQ

 

To help organisations navigate the new system, the DPA has published several user manuals:

In addition, the DPA has recently published a FAQ, offering further clarification on common issues and practical guidance.

It should be noted that the new DPA portal is still a work in progress and might be subject to changes in the future. The DPA has signalled that, to keep the portal up to date and secure, regular maintenance will take place every second Wednesday of the month at 17:00. Maintenance may cause short interruptions or temporary unavailability of certain features, lasting up to four hours.

 
What this means in practice for businesses

 

  • start assigning roles to the persons taking care of the data breach submission (including external counsel) to avoid delays in case of a breach;
  • create a company account for the DPA portal;
  • train backup persons to ensure coverage during absences;
  • verify the DPO registrations; and
  • keep track of updates from the DPA, as the portal’s functionalities are expected to mature.

Contact us

Our Lydian Information Governance and Data Protection (Privacy) team is available to assist you with any questions you may have regarding the latest developments in the field of data protection. Please feel free to reach out to us for further assistance.

Authors

  • Liese Kuyken, Senior Associate
  • Ines Nibakuze, Associate