ECOVIS ProventusLaw invites you to its newest all-in-one essential GDPR newsletter, July 2025 edition, on personal data protection and ICT regulation.
EDPB Finalises Guidelines on Responding to Data Requests from Third-Country Authorities
The European Data Protection Board (EDPB) has adopted its final guidelines on data transfers to third-country authorities, clarifying how organisations should assess requests from non-EU governments under Article 48 of the GDPR. The guidelines reaffirm that foreign judgments or decisions are not automatically enforceable in the EU. As a rule, only international agreements can provide a valid legal basis for such data transfers. In their absence, transfers may be allowed only in exceptional cases with proper safeguards. The updated version offers more detailed guidance on processor obligations and intra-group scenarios, such as when a non-EU parent company requests data from its EU subsidiary. The EDPB emphasises a case-by-case assessment to ensure GDPR compliance.
Key takeaways:
- Third-country judgments or decisions cannot be automatically recognised or enforced within the EU. Data requests from foreign authorities must always be assessed in light of EU data protection rules.
- International agreements (e.g., treaties or conventions) may serve as both the legal basis and transfer mechanism. However, in the absence of such agreements, transfers may only occur under very limited, case-by-case exceptions, and with appropriate safeguards in place.
- The guidelines provide important clarifications for processors receiving such requests and for intragroup data transfers, such as when a parent company located outside the EU receives a request and turns to its EU-based subsidiary for the data.
EDPB Launches AI & Data Protection Training Projects to Bridge Legal and Technical Skill Gaps
The European Data Protection Board (EDPB) has introduced two new Support Pool of Experts (SPE) training projects—“Law & Compliance in AI Security & Data Protection” for legal professionals and “Fundamentals of Secure AI Systems with Personal Data” for technical experts. Requested by the Hellenic DPA, these projects aim to combat the critical shortage of AI and data protection expertise hindering the deployment of privacy-compliant AI systems. Both reports are available as PDFs, and the EDPB will soon launch a modular, open-source version via GitHub, allowing external contributors to update and improve the content under a Creative Commons license, fostering a collaborative, up-to-date knowledge base.
It is recommended that:
- Compliance and legal teams review the first report to align AI-related activities with GDPR requirements and risk management standards.
- Technology and cybersecurity teams examine the second report to strengthen the technical security posture of AI systems processing personal data.
NCSC Alerts Public to Massive Global Data Breach Affecting 16 Billion Active Accounts
The National Cyber Security Centre (NCSC) warns that one of the largest-ever data breaches has exposed login credentials from up to 16 billion active user accounts linked to major platforms like Apple, Google, Facebook, Telegram, GitHub, and Microsoft. Much of the data was stolen via “infostealer” malware, which covertly harvests sensitive information from infected devices. The breach poses serious risks of cyberattacks, financial fraud, and phishing. NCSC urges users—especially in Lithuania—to change passwords, activate 2FA, use password managers, and verify exposure via tools like haveibeenpwned.com. Vigilance and preventive action are essential.
Council and European Parliament reach deal to make cross-border GDPR enforcement work better for citizens
The Council, represented by the Polish presidency of the Council of the EU, and the European Parliament secured a provisional deal on a new law which will improve cooperation between national data protection authorities when they enforce the General Data Protection Regulation (GDPR) in cross-border cases.
The European co-legislators agreed on rules that will streamline administrative procedures relating to, for instance, the rights of complainants or the admissibility of cases, and thus make enforcement of the GDPR, which has been in application since 25 May 2018, more efficient.
Key Features of the New Regulation
1. Harmonised Admissibility Criteria
2. Rights of Complainants and Investigated Parties
3. Binding Deadlines for Investigations
4. Early Resolution Mechanism
5. Simple Cooperation Procedure
We recommend that financial market participants closely follow the developments related to the new GDPR procedural regulation, which aims to streamline the handling of cross-border data protection complaints. The regulation tackles long-standing challenges in enforcement by:
- Clarifying the roles of supervisory authorities;
- Harmonising complaint procedures across the EU;
- Introducing firm deadlines for investigations.
These changes are expected to significantly enhance legal certainty for organisations operating in multiple EU countries and improve the effectiveness of rights enforcement for data subjects.
The Bank of Lithuania hosted a consultation event focused on third-country risk management
On June 5, 2025, the Bank of Lithuania hosted a consultation event focused on third-country risk management. The event brought together financial market participants to discuss the evolving regulatory landscape under the Digital Operational Resilience Act (DORA) and related EU and national frameworks.
Key Topics Covered:
- Regulatory updates
- ICT services and contracts
- Outsourcing of other critical or essential functions
- Notification obligations
- Ongoing monitoring and exit strategies
- Sub-outsourcing and concentration risk
In light of the discussions held during the consultation event, the Bank of Lithuania strongly recommends that all financial market participants take the following steps to strengthen their third-country risk management practices:
- Review and update outsourcing policies to align with the latest DORA requirements, especially Articles 28–30 concerning third-country ICT service providers.
- Perform comprehensive risk assessments before entering into outsourcing agreements, including evaluations of concentration risk, geopolitical exposure, data protection, and sub-outsourcing chains.
Latvian Data Protection Authority Develops E-Learning Course Now Available in Lithuanian
The Data Protection Authority of Latvia (hereinafter – Latvian DPA), implementing the project “Remote Training Program in the Field of Data Protection,” with support from the European Commission’s funding programme “Citizens, Equality, Rights and Values,” has developed an interactive personal data protection training course (hereinafter – the Course). The Course is designed primarily for small and medium-sized enterprises, but it is also useful for representatives of associations, foundations, sole proprietors, and anyone interested in learning more about data protection.
Please note that the course has been developed based on the legal framework applicable to Latvia. Therefore, some examples or theoretical material provided in the Course may not fully correspond to the legal regulations in force in Lithuania.