
European Data Protection Day

1/28/2026

GDPR is evolving, while international data transfers remain under scrutiny. On the occasion of the European Data Protection Day (28 January), we provide an overview of key regulatory topics that will shape data protection in 2026.

 

I. The Digital Omnibus – What is Changing and Why It Matters?

The European Commission has announced the Digital Omnibus package, aimed at simplifying and harmonizing the European Union’s digital regulatory framework. In the context of the GDPR, proposed changes may include:

  • amending the definition of “personal data” to narrow its scope,
  • extending the notification period for personal data breaches from 72 to 96 hours,
  • introducing standardised templates for Data Protection Impact Assessments (DPIAs),
  • adjusting data subject rights, including the right of access, etc.

Although these are currently proposals in the early stages of the legislative process, it is clear that the EU continues to develop the regulatory framework to ensure GDPR keeps pace with rapid technological developments.

 

II. Transfers of Personal Data to the U.S. - Current Framework

Transfers of personal data from the EU to third countries are only permitted if the level of protection is essentially equivalent to that of the EU, in accordance with the GDPR.

The GDPR provides two main mechanisms for lawful data transfers:

  • adequacy decisions by the European Commission,
  • appropriate safeguards, including Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), codes of conduct, and certification mechanisms.

In July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework, allowing transfers to U.S. companies certified under this framework.

For U.S. companies that are not certified, organisations typically rely on Standard Contractual Clauses (SCCs). Following the Schrems II ruling, applying SCCs usually requires conducting a Transfer Impact Assessment (TIA) to evaluate whether the laws and practices of the third country provide a level of protection that is essentially equivalent to the EU standard.

 

What This Means for Companies in Croatia?

To ensure compliance and reduce regulatory risks, we recommend that companies:

  • verify whether personal data is being transferred to the U.S. and whether the U.S. entity is certified under the EU-US Data Privacy Framework,
  • update the Standard Contractual Clauses and the Transfer Impact Assessment (TIA) where applicable,
  • implement appropriate technical and organizational measures,
  • monitor the development of the Digital Omnibus and proposed GDPR changes.

 

If you require additional support or advice regarding these obligations, please feel free to contact us - we can assist in understanding and implementing the necessary measures.