
EDPB adopted guidelines on the processing of personal data for scientific research for public consultation
In April 2026, the EDPB adopted Guidelines 1/2026 on the processing of personal data for scientific research for public consultation. The public consultation ran from 16 April to 25 June 2026, and the final version of the guidelines can be expected only after the comments have been assessed. The guidelines address, among other things, the definition of scientific research and the compatibility of further processing of personal data for research purposes. They also deal with the choice of an appropriate legal basis and the requirements for consent to the processing of personal data in a research context. They further address the allocation of roles between controllers and processors, the exercise of data subjects’ rights and appropriate safeguards. These safeguards include, in particular, anonymisation and pseudonymisation.
EDPB adopted a Data Protection Impact Assessment template for public consultation
On 14 April 2026, the EDPB adopted a Data Protection Impact Assessment template, the so-called DPIA Template, for public consultation. The template is not mandatory. However, it is intended to contribute to the harmonisation and better structuring of DPIAs across the EU. Once the consultation has been assessed, it should serve as a basic template with which national templates of supervisory authorities will be compatible. The public consultation ran until 9 June 2026.
EDPB adopted a common personal data breach notification template for public consultation
On 10 June 2026, the EDPB adopted a common template for notifying personal data breaches under Article 33 GDPR for public consultation. The aim is to harmonise and simplify the notification of security incidents to supervisory authorities across the EU. The template contains pre-prepared options and explanations for completing it. The public consultation runs until 5 August 2026.
The Czech Data Protection Authority and biometric identification at stadiums: a security purpose alone is not sufficient
On 20 May 2026, the Czech Data Protection Authority published its opinion on the use of camera systems with elements of biometric identification at football stadiums. The situation addressed concerned the use of technologies that would make it possible to identify undesirable persons and prevent them from entering a stadium. In this context, the Czech Data Protection Authority distinguished between ordinary camera recordings, which are assessed under Article 6 GDPR, and biometric identification, which involves the processing of a special category of personal data under Article 9 GDPR.
The main conclusion of the Czech Data Protection Authority is that a general reference to security, protection of property or prevention of unlawful conduct is not sufficient for the deployment of biometric identification. Such processing requires an appropriate legal basis under Article 9(2) GDPR. This basis must be sufficiently specific, proportionate to the objective pursued and must include safeguards to protect the rights of the persons concerned.
CJEU on the use of evidence obtained in breach of GDPR
In its judgment of 18 June 2026 in Case C-484/24, NTH Haustechnik, the CJEU dealt with the question of whether a national court may, in civil or employment-law proceedings, use evidence containing personal data if such data may have been obtained unlawfully by one of the parties. The dispute concerned a former employee against whom the employer brought a claim for damages in connection with the alleged sale of company property via a private account on the eBay platform. The employer obtained the information by accessing her private account, while the referring court did not rule out that the acquisition of the data may have been in breach of GDPR.
The CJEU held that GDPR does not, in itself, prevent a national court from using evidence containing personal data merely because the data had previously been obtained in breach of the right to privacy or personal data protection. There is therefore no automatic prohibition on using such evidence. However, the court must have its own legal basis for processing the data and must comply with the principle of data minimisation. Before disclosing the data to the parties or to third parties, it must verify whether the data are limited to what is necessary and, where appropriate, adopt measures to reduce the interference with the rights of the persons concerned, such as anonymisation or pseudonymisation. The CJEU also emphasised that Article 17(3)(e) GDPR, i.e. the exception from the right to erasure for the establishment, exercise or defence of legal claims, is not an independent legal basis for the processing of personal data.
Proposed GDPR amendments under the Digital Omnibus
Unlike the part of the Digital Omnibus concerning the AI Act, which is discussed below and is already awaiting publication in the Official Journal of the EU, the GDPR-related amendments have not yet been adopted. They remain a legislative proposal of the European Commission, which is being discussed under the ordinary legislative procedure under number 2025/0360(COD).
The Digital Omnibus significantly affects GDPR. The European Commission’s proposal provides for targeted amendments intended to simplify compliance with certain personal data protection obligations and to better align them with other digital regulation. This concerns, in particular, the definition of personal data and pseudonymised data, the use of personal data in the development and operation of AI systems, cookie rules, data protection impact assessments and personal data breach notifications. As regards incidents, the proposal aims in particular to raise the threshold for notification to supervisory authorities so that only cases likely to result in a high risk would be notified, and to extend the notification deadline from 72 to 96 hours.
From the personal data protection perspective, however, the proposal is controversial. While the EDPB and EDPS support the simplification of the administrative burden and greater harmonisation, they also strongly criticise, in particular, the proposed changes to the definition of personal data and the regime for pseudonymisation. According to the EDPB and EDPS, these changes could disproportionately narrow the material scope of GDPR and weaken the level of protection afforded to data subjects. At this stage, therefore, this is not an effective change to the rules, but a legislative proposal whose further development should be monitored, especially in projects involving AI, data sharing, anonymisation/pseudonymisation, cookies and incident reporting.
Summer Digital Legal Update 2026 here.