I’ll be honest. I planned today’s issue with a lot more positivity and optimism in mind. I was gonna write about the privilege we have to be able to work from all around the world, from the EU, and dive a bit into the regulations for digital nomads around the EU. It seemed fitting considering tomorrow (Friday, May 9th) we’re celebrating Europe Day – while we still can.
And now it doesn’t seem so easy to write about it. And maybe it wouldn’t be easy for you to read it either. We’re overwhelmed. We’re hopeless. We’re burnt out socially and politically. We don’t really wanna hear, read or think about traveling, digital nomads and data privacy.
But then the spiraling stopped for me and I thought: “I need a break.” And I’m sure a lot of you here need one too. And maybe it’s a good idea to sit down and read about anything other than politics – at least for 5-10 minutes.
So here I am.
I’ll keep it short, but hopefully still relevant, and maybe a bit refreshing while talking about:
Quick Tips: 5 Essential Privacy Policies for Digital Nomads in the EU
Legal Updates: Recent changes in EU cross-border data protection laws
Enjoy! And Happy Europe Day!
Quick Tips: "5 Essential Privacy Policies for Digital Nomads in the EU"
I’ve seen a lot of sweet and sour jokes around the internet these days that say: “I’m packing my bags and moving to Spain / Italy / Greece” – you name it. Maybe that’s your plan too. Or maybe you’re just thinking about taking a few weeks to travel and work as a digital nomad in the EU. If either of those things is part of your plans, keep reading.
Operating a business – even a lean, location-independent one – within or targeting the EU comes with legal obligations under GDPR. And no, the size of your business or your “solo founder” status doesn’t exempt you.
So make sure you tick these 5 boxes, the privacy essentials every digital nomad doing business in the EU or with EU citizens should have in place:
1. A GDPR-Compliant Privacy Policy on Your Website
Maybe your website is just a simple landing page – it still must clearly explain what data you collect, how it's processed, and who it’s shared with. This isn’t just a best practice, but a legal requirement. And take it from a lawyer: please avoid templates that are overly generic or copy-pasted from other sites! Tailor it to your business activities and tools. Ask for help if you need it.
2. A Valid Cookie Consent Mechanism
Using tracking tools like Google Analytics, Facebook Pixel, or Hotjar? You’ll need a cookie banner that doesn’t just inform users, but asks for their explicit consent (and gives them the ability to change or withdraw it). That includes having a cookie policy that describes each type of cookie and its purpose. If you need more info, please read this older issue (in Romanian) or reach out to me to discuss your specific needs.
Practical tip: Even if it can feel like an easy job that a Google search can solve, ANY cookie policy must be revised from time to time, just like any other policy. No, you can’t just upload it and forget about it.
3. Data Processing Agreements (DPAs) with Your Providers
When you use third-party providers that process personal data you collect (or that they collect in your name) – think website developers, marketing agencies, accountants – you’re legally required to have a DPA in place. You must make sure these are signed and actually understood!
4. Proper Consent Collection for Email Marketing
If you collect email addresses for newsletters, courses, or lead magnets, you need freely given, specific, informed consent – and proof of it. There are some exceptions, but MOST newsletters don’t fit those. Also: make sure every email includes a clear unsubscribe link. Yes, even those automated welcome sequences.
5. An Internal Data Inventory (a.k.a. Know Where Your Data Lives)
You should be able to map out what data you collect, why you collect it, where it’s stored, and who has access to it. This isn’t just helpful for audits or data breaches – it’s critical if a customer exercises their right to access their data or to have it deleted (the right to be forgotten).
A good thing to remember
Digital freedom doesn’t mean skipping digital responsibility. These five elements are foundational, not optional. They help you stay compliant, build trust with your audience, and avoid unnecessary legal risk as your business grows.
Next time you open your laptop in a new country, ask yourself: is your privacy policy keeping up with your passport stamps?
P.S.: Does this matter when you’re a digital nomad in the EU?
Yes! Your business is established in the EU, even if your clients aren’t.
GDPR applies not just based on where your clients are – but also where you are (or where your business is located) while processing personal data. So even if your audience is international, having your business in the EU (say, Spain, Italy, Greece or Estonia) places you under EU jurisdiction.
And yes – it matters even if you work as a freelancer.
Legal Updates: Recent changes in EU cross-border data protection laws
European Health Data Space (EHDS) Regulation Enters into Force
The European Health Data Space Regulation came into effect on March 26, 2025, establishing a framework for the use and exchange of electronic health data across the EU. The regulation aims to provide EU citizens with better control over their personal health data and to facilitate access for research and policy-making purposes. Implementation will occur in stages, with full cross-border functionalities expected by March 2029.
EU Proposes Encryption Backdoors Under the ProtectEU Strategy
The European Commission unveiled the ProtectEU initiative, aiming to grant law enforcement agencies lawful access to encrypted communications. This proposal has raised significant concerns among privacy advocates and VPN providers, who argue that introducing encryption backdoors could compromise cybersecurity and user privacy. The initiative also considers data retention requirements that may impact VPN services' no-log policies, potentially affecting their operations within the EU.
Court of Justice of the EU Clarifies GDPR Fine Calculations
The Court of Justice of the European Union ruled that GDPR fines should be calculated based on a percentage of the undertaking's total worldwide annual turnover from the preceding business year. This decision provides clarity on the methodology for determining fines, ensuring consistency across the EU.
EDPB Issues Guidelines on Age Verification
The European Data Protection Board released guidelines in February 2025 outlining principles for age verification processes. The guidelines emphasize that age assurance methods must be lawful, fair, and transparent, and should not introduce unnecessary data protection risks. This is particularly relevant for digital services accessed by minors, ensuring compliance with data protection regulations – so maybe Instagram and TikTok will be a little safer now?
Something extra
Some words of encouragement I’ve heard these past few days for each and every one of you who might feel anxious, angry or frightened:
“When people ask me ‘what are we going to do?’ I try to breathe in and just tell them: ‘we’re gonna get by’. People are still strong-willed, we are still consistently fighting through all the struggles we have and we will still fight through the one to come. We overcame a lot of things and I trust wholeheartedly that we will find a way through, no matter the circumstances. We can still fight so let’s fight!”
Not a word-for-word quote, but the idea belongs to Dragoș Pătraru, from Starea Nației. I recommend you watch the work they do, especially now.