Alston & Bird Privacy, Cyber & Data Strategy Blog

Wim Nauwelaerts

Wim Nauwelaerts

About Wim Nauwelaerts

Wim Nauwelaerts is a partner in the Brussels office, leading Alston & Bird’s European Privacy, Cyber & Data Strategy Team. Wim has over 20 years of experience working with global companies on their data protection, privacy, and cybersecurity needs, including General Data Protection Regulation (GDPR) readiness, data transfer, data security and breach requirements, and compliance training.

[Read Bio]

Dutch DPA Fines Taxi App €100M Over Unlawful Transfers of Personal Data to Russia, Despite Use of EU Standard Contractual Clauses

By and

On April 1, 2026, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) imposed a €100 million fine on MLU B.V., the Dutch operator of the Yango taxi app. The AP found that personal data of EU users was unlawfully transferred to affiliated entities in Russia, despite the formal use of the EU Standard Contractual Clauses […]

EU Privacy Regulators Weigh in on the Proposed EU Biotech Act: Key Takeaways for Life Sciences Companies

By and

On March 10, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion on the European Commission’s proposed EU Biotech Act – a forthcoming legislative framework expected to materially affect how clinical trials are designed, conducted, and governed in the EU. The proposal, introduced in December 2025, […]

EU Moves Toward a Single Entry Point for Security Incident Reporting

By and

On March 17, 2026, the European Parliament published a briefing signalling continued momentum toward the creation of an EU‑wide Single Entry Point (SEP) for security incident reporting. The initiative is part of the European Commission’s proposed Digital Omnibus legislative package and is intended to simplify how organizations report incidents – including personal data breaches – […]

Spanish DPA Releases Agentic AI Guidance

By and

On 18 February 2026, the Spanish Data Protection Authority (Agencia Española de Protección de Datos or ‘AEPD’) published an 81‑page guidance document on the privacy aspects of AI systems operating as agents – commonly referred to as ‘agentic AI’. The guidance is aimed at companies that process personal data under the EU General Data Protection […]

European Commission Publishes Guidance For Companies Implementing the EU Cyber Resilience Act

By , and

On December 3, 2025, the European Commission published its first set of technical FAQs on the EU Cyber Resilience Act (‘CRA’). The CRA is an EU-wide law which lays down cybersecurity requirements for ‘products with digital elements’ (‘PDEs’), including IoT devices, hardware components, and certain software.  It becomes fully applicable on December 11, 2027, with […]