When it comes to handling personal data, blockchains present a significant challenge in respecting data subject rights. Its immutability, for example, contradicts the fundamental \u201cRight to be Forgotten\u201d. The global distribution of blockchain nodes also complicates regulatory supervision. Conducting a Data Protection Impact Assessment <\/strong>(DPIA) is not just a legal requirement for high-risk blockchain-based personal data processing<\/strong>, but is an important step towards responsible innovation. To help organisations meet these requirements, TechGDPR has created a free downloadable Blockchain DPIA Template<\/a>, which guides users through all required areas of GDPR compliance:<\/p>\n\n\n\n The pre-designed template includes ready-to-use sections, prompts, and examples, significantly saving time and ensuring that no critical aspect of your DPIA is overlooked.<\/p>\n\n\n\n <\/p>\n\n\n\n The European Data Protection Board, EDPB, has issued its opinion on the adequate protection of personal data by the United Kingdom. In July 2025, the European Commission started the process towards the adoption of its draft implementing decision on the adequate protection of personal data by the UK. It extends the validity of certain parts of the previous adequacy decision until December 2031<\/a>. In particular, the EDPB asks for the need to further clarify by the Commission recent changes in the UK post-Brexit legislation regarding: <\/p>\n<\/div><\/div>\n\n\n\n <\/p>\n\n\n\n The European Parliament has published a study<\/a> on the Interplay between the AI Act and the EU digital legislative framework, including the GDPR. In particular, the AI Act introduces requirements for fundamental rights impact assessments (FRIAs) in cases that often also trigger data protection impact assessments (DPIAs) <\/a>under the GDPR. These instruments differ in scope, supervision, and procedural requirements, creating duplication and uncertainty. Transparency and logging obligations are also redundant across both regimes. Moreover, there is ambiguity over how data controllers and AI providers should manage rights of access, rectification, and erasure when personal data becomes embedded in complex AI models. <\/p>\n\n\n\n In AI contexts, the GDPR-governed \u201clegitimate interests\u201d legal basis is widely regarded as the most relevant and frequently invoked basis<\/strong>, states the report. Meanwhile, consent is often impracticable and contractual or legal obligation bases rarely map neatly onto AI training or deployment scenarios. Finally, the AI Act introduces additional governance layers: the AI Office and the European AI Board at the EU level and the national GDPR supervisory bodies with respect to data protection issues, which produce a potentially overlapping set of competent supervisory bodies. <\/p>\n\n\n\n Dragi report: <\/strong>The Future of Privacy Forum takes a closer look at the report<\/a> on European competitiveness issued in 2024 by former Italian Prime Minister Mario Draghi, which calls for simplification of the GDPR, and criticizes \u201cheavy gold-plating\u201d by Member States in GDPR implementation. The Commission is now set to announce a Digital Omnibus<\/a> package with proposals to quickly reduce the burden on businesses. However, changes to the GDPR fundamental principles could bring any reform into conflict with the TFEU and the Charter<\/a> and lead to action before the Court of Justice. <\/p>\n\n\n\n GDPR enforcement: <\/strong>On 21 October, the European Parliament passed the regulation on additional procedural rules regarding the enforcement of the GDPR. The document aims to harmonise the criteria for assessing the admissibility of cross-border complaints and clarifies the rights of complainants and entities under investigation<\/a>. The regulation establishes the same admissibility standards no matter where in the EU the GDPR complaint was filed. Both complainants and companies involved will have the right to be heard at specific stages of the investigation and will receive preliminary findings to express their views before a final decision is issued. <\/p>\n\n\n\n Data for research: <\/strong>From 29 October, researchers can request data access from very large online platforms and search engines to study systemic risks. Access to public platform data has been available since the Digital Services Act (DSA) came into force in February 2024. Researchers now have the opportunity to request access to platforms’ internal data and to investigate its impact on society. Since datasets can allow direct or indirect inferences about individual users through their interactions, profiles, or other published content, researchers must comply with the requirements of the GDPR<\/a> when carrying out their projects.<\/p>\n\n\n\n <\/p>\n\n\n\n DSA and the GDPR: <\/strong>The EDPB has closed the consultation on the guidelines on the interplay between the Digital Services Act and the GDPR. One of its sections examines the limits on automated decision-making that involves the processing of personal data by intermediary service providers<\/a>. The paper also further examines the transparency of processing and deceptive design patterns prohibited by the DSA when these practices involve personal data. It also reviews the relationship between profiling restrictions and advertising technology, systematic risk assessments and minors’ data protection.<\/p>\n<\/div><\/div>\n\n\n\n China privacy updates: <\/strong>China has issued its first national standard for certification of cross-border personal information processing<\/a>. The standard, which takes effect on March 1, 2026, sets out fundamental principles, security requirements, and obligations for safeguarding individuals\u2019 rights in cross-border data processing. Reportedly, the certification is <\/strong>valid for three years<\/a>. The applicant may reapply for certification for continual use of such certification six months before its expiration. In general, under the Chinese Personal Information Protection Law (PIPL)<\/a>, a data handler may transfer personal information outside of China if one of the following three conditions (with some exemptions) is met:<\/p>\n\n\n\n Almost one in ten people affected by cybercrime in the previous year experienced unauthorised access to an online account or email. To provide targeted support to consumers in such cases, the German Federal Office for Information Security (BSI) published a guide – Emergency checklist: Hacked account<\/a> (in German). If a person can no longer log in despite having the correct password, their email account may have been hacked. Changes in settings or attempts to log in from new devices can also be signs. To protect your account, the BSI recommends securing it with either a strong password combined with two-factor authentication or with passkeys. <\/p>\n\n\n\n <\/strong>According to America\u2019s NIST, IoT products often lack product cybersecurity capabilities that their customers<\/a>, organisations and individuals can use to help mitigate their cybersecurity risks. Manufacturers can help their customers by providing necessary cybersecurity functionality and the cybersecurity-related information they need. To that end, NIST closes public consultations and offers a public draft of Foundational Cybersecurity Activities for IoT Product Manufacturers<\/a>. This publication describes recommended activities that manufacturers should consider performing before their IoT products are sold to customers. <\/p>\n\n\n\n <\/p>\n\n\n\n\n
Stay up to date! Sign up to receive our fortnightly digest via email.<\/mark><\/a><\/h4>\n\n\n\n
UK Adequacy<\/h4>\n\n\n\n
![\"\"](\"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/11\/image-4-1024x655.jpeg\")
<\/figure>\n
AI Act and the GDPR<\/h4>\n\n\n\n
Legal updates<\/h4>\n\n\n\n
More from supervisory authorities<\/h4>\n\n\n\n
![\"\"](\"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/11\/image-3-1024x682.jpeg\")
<\/figure>\n
Hacked emails<\/h4>\n\n\n\n
IoT security<\/h4>\n\n\n\n
GenAI guidance<\/h4>\n\n\n\n
![\"blockchain\"](\"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/11\/image-6-1024x768.jpeg\")
<\/figure>