ERA Academy of European Law’s Post

One of the most frequent and challenging questions I have always received from businesses and data scientists alike is: how to reuse a dataset in compliance with #GDPR? Uncertainty about the reuse of previously collected personal data is perceived as one of the major regulatory obstacles to the development of new data-driven products and services. However, although criticism may lead to improvements, we should not believe the ones who claim that European data protection legislation is the reason why Europe lags behind in innovation. Art. 5(b) GDPR establishes the principle of ‘purpose limitation’, which sets clear that personal can be processed for one purpose at the time. Hence, the first question to reuse personal data is to what extent the secondary use is in line, or compatible, with the first one. Here, we have some room for interpretation. From a data subject perspective, information (#transparency) matters. Some would call it the principle of #NoSurprises, where possible reuse was communicated, and data subject’s own expectations are kept into account. Safeguards, such as #pseudonymization, are also decisive to establish legitimate reuse, while full anonymization would remove the dataset from the scope of GDPR and allow carte blanche. All in all, addressing this question requires a mix of legal expertise (i.e., compatibility test) and elaboration of suitable safeguards. Working within the #RuleOfTheLaw to foster innovation is not only possible, but also the only way to ensure the rights and freedom of everyone!

From GDPR to Data Act – the questions are changing For years, the GDPR has shaped the way organizations think about data: minimization, purpose limitation, lawful basis. Now, with the EU Data Act in force, the conversation is shifting. Suddenly, companies that were focused on restricting data flows are being told to enable data sharing. The result? ❓ Misunderstandings about when GDPR still applies. ❓ Confusion between personal and non-personal data. ❓ Technical solutions that miss the legal safeguards. ❓ Strategies that look compliant on paper, but create risk in practice. We see it clearly: GDPR and the Data Act are tied together – and that tie creates new challenges. The old playbook is no longer enough. I’m working with clients right now on exactly these questions – helping them find practical ways to bridge GDPR and Data Act requirements. If this is a challenge for you too, let’s talk. #DataAct #GDPR Wolfgang Schmid Matthias Gleich Michelle Pradel Büşra Aydin Anna Hornischer

↪️ Understanding GDPR: What It Means for Businesses and Consumers ↩️ Since its enforcement in May 2018, the General Data Protection Regulation (GDPR) has transformed the way organizations handle personal data. https://lnkd.in/gKdDfPtJ

If your organisation processes EU personal data but lacks an establishment in the EEA, appointing an EU GDPR representative isn't optional - it’s a legal obligation under Article 27. This guide outlines: • Who needs an EU representative • What the representative must do • What non-compliance means • How to appoint a representative – and what to look for in a provider Clear, practical insight for organisations managing cross-border data flows post-Brexit. Read the full article: https://ow.ly/RMWj50X62bl #GDPR #EURepresentative #DataProtection

📢 Türkiye to Complete Harmonization of Personal Data Protection Code with the EU GDPR by 2026 The Presidential Decree No. 10376 approving the Medium-Term Program (2026–2028), published in the Official Gazette on 7 September 2025, outlines Türkiye’s updated economic and legal objectives for the coming years. ⚖️ Key Legal Development As part of efforts to enhance the regulatory framework, Türkiye aims to complete the harmonization of the Code on the Protection of Personal Data (Law No. 6698 – “KVKK”) with the EU General Data Protection Regulation (GDPR) by the third quarter of 2026. 🤖 Additionally, the alignment of national legislation with the European Union Artificial Intelligence Regulation is also among the government’s stated priorities. 💡 These steps mark a significant milestone in Türkiye’s data protection and digital governance reforms, strengthening both compliance and cross-border data flow compatibility with the EU. 📄 Full briefing available in PDF and on our website. © 2025 Cailliau & Colakel Attorney Partnership, all rights reserved. #DataProtection #GDPR #KVKK #PrivacyLaw #Compliance #Türkiye #ArtificialIntelligence #LawUpdate #CailliauColakel #LegalInsights

Many businesses still believe GDPR only applies to Europe. In 2022, a U.S. company — Clearview AI — was fined and banned across multiple EU countries for violating GDPR norms. Their mistake? Scraping images of EU citizens without consent to build a facial recognition database. 💭 Here’s the truth: If your business handles personally identifiable data of EU citizens, GDPR applies — no matter where you operate. From email lists to website sign-ups, every touchpoint matters. GDPR isn’t about restricting data — it’s about using it responsibly. It turned the wild west of data collection into a rulebook for ethical digital practices. 🔹 Key takeaway: GDPR is not a European problem; it’s a global responsibility. 📹 Watch the full video to learn how GDPR shapes global data practices — and what non-compliance could cost your business. Featuring Tony Paul #GDPR #DataPrivacy #Compliance #DataProtection #DigitalEthics #WebScraping #MarketingCompliance #DataSecurity #Regulations #LinkedInLearning

Many businesses still think GDPR is just “a Europe thing.” But here’s a wake-up call — In 2022, Clearview AI, a U.S. company, was fined and banned from collecting data across several EU countries for violating GDPR. Their mistake? Scraping images of EU citizens without consent to build a facial recognition database. 💭 The truth is: If you handle any personally identifiable data of EU citizens — even if your business is outside Europe — GDPR applies to you. From email lists to website sign-ups, every single data touchpoint matters. GDPR isn’t about restricting data. It’s about using data responsibly — turning the wild west of data collection into a playbook for ethical digital practices. 📹 Watch the full video to see how GDPR is shaping global data practices — and what non-compliance could cost your business.

Legislation Update: The Data Use and Access Act 2025 The Data Use and Access Act (DUAA) 2025 received Royal Assent in June and introduces some important changes to UK data protection law. Key changes include: - Greater transparency and human oversight in AI-driven decisions - Faster, simpler subject access requests - Stronger protections for children’s online data - Expanded recognition of commercial research within scientific frameworks - A new “Recognised Legitimate Interests” basis for data innovation - Stronger internal complaint handling requirements The changes will be phased in between now and June 2026, and our GDPR UK: Essentials, Advanced, and Education courses are being updated to reflect these requirements. Explore all business compliance courses here: https://lnkd.in/eMbHb7ft #DataProtection #DUAA2025 #GDPR #Compliance #iHasco

The European Commission and the European Data Protection Board (EDPB) have launched a public consultation to gather feedback on draft guidelines on the interplay between the Digital Markets Act (#DMA) and the General Data Protection Regulation (#GDPR). https://lnkd.in/dpSPJPyy