This update concerns general data protection governance and GDPR guidance with no specific connection to payment services, payment institutions, or payments-related regulatory frameworks.
While data protection is foundational to all financial services including payments, this update addresses GDPR legitimate interest assessments broadly and does not target payment-specific data handling, safeguarding, or account regulations.
Specialism
The update focuses on EDPB guidance and case digest examining how data protection authorities assess legitimate interest claims under GDPR, which directly concerns personal data protection rules and regulatory interpretation.
Low confidence — requires human review. While the EDPB issued opinions on cybersecurity legislation, the primary content is administrative/guidance-focused rather than establishing new cybersecurity obligations for payment firms.
2026-04-10 08:02:54·adavies@vixio.com
Meta Id
3049288
Content ID
3057770
GUID
8acc7737ea3c0b39bf1486e517621ec1
Pipeline Progress
🔄 Pipeline Journey
⏱
10s
total
✓
Queued08:02:44
+0s
✓
Metadata08:02:44
+0s
✓
S3 Content08:02:44
+0s
✓
Extracted08:02:44
+4s
✓
LLM Gen08:02:48
+6s
✓
Stored08:02:54
TITLE: European Data Protection Board Publishes 2025 Annual Report and Guidance on Legitimate Interest Legal Basis
BODY:
On 9 April 2026, the European Data Protection Board (EDPB) published its Annual Report 2025, titled "Clarity in action: Supporting stakeholders through guidance and dialogue". The report outlines the EDPB's activities and priorities for the year, focusing on providing clarity and support to stakeholders navigating data protection requirements.
Alongside the annual report, the EDPB released a one-stop-shop case digest on 26 March 2026 examining how Data Protection Authorities (DPAs) assess controllers' reliance on "legitimate interest" as a legal basis under the General Data Protection Regulation (GDPR). The case digest, commissioned as part of the EDPB's Support Pool of Experts programme, analyses one-stop-shop decisions from the EDPB's public register and presents practical examples of how DPAs apply the three-step test for assessing legitimate interest claims. The digest complements EDPB Guidelines 1/2024 on Processing of Personal Data Based on Article 6(1)(f) GDPR and includes relevant Court of Justice of the European Union cases, DPA decisions, and national court judgments. The project was conducted by external expert Dr. TJ McIntyre and completed in December 2025.
The EDPB also issued joint opinions with the European Data Protection Supervisor (EDPS) on emerging legislative proposals, including Opinion 4/2026 on the proposed Cybersecurity Act 2 and amendments to the NIS 2 Directive (19 March 2026), and Opinion 3/2026 on the proposed European Biotech Act (12 March 2026). Additionally, the EDPB sent a letter to the European Commission on 12 March 2026 addressing privacy implications of proposed legislative changes regarding entry conditions to the United States for European Economic Area citizens.
REFERENCES:
European Data Protection Board. Annual Report 2025. Available at: https://www.edpb.eu/