Brussels, 10 October -   On the occasion of the upcoming entry into operation of the EU Entry Exit System (EES) on 12 October 2025, the Coordinated Supervision Committee (CSC) will include the EES system under its scope. This system registers non-Schengen nationals travelling with a short stay visa or travellers who are visa exempt. The EES is a large scale IT systems developed by the EU to prevent irregular migration and enhance security in the Schengen area.

 

How it works 

The EES gradually replaces passport stamping at the external borders of the Schengen area, with the aim of making the border process more efficient. The system records which travellers from third countries, with or without a visa, enter and exit the Schengen area. 

The implementation of the EES will happen gradually.  European countries will have the option to progressively start using this system over a period of six months, starting with the registration of third country nationals at 10% of border crossings. By the end of the six months period, European countries should reach full registration of all individuals.

Processing of individuals’ personal data by the EES

The EES records personal data from travel documents such as name, date of birth, and place of birth. It also registers the dates of entry and exit of travellers, as well as biometric data such as a facial images and fingerprints. Given the sensitivity of the personal data processed by this system, it is crucial to ensure individuals can effectively exercise their rights and the processing of personal data is supervised.

 

Ensuring data subject rights

The protection of personal data is a fundamental right, which also applies to EES data processing. 
The EES regulation ensures that travellers must be properly informed about their rights regarding the processing of their personal data in the EES, and how to exercise these rights. Authorities processing personal data in the EES, such as border guards, migration services, and under certain conditions, law enforcement authorities must ensure that individuals can easily request access to their data, as well as rectification, completion, erasure and restriction.

 

Supervision of the data processing in the EES

With the upcoming entry into operation of the EES, the CSC will also focus its supervision, at both European and at national level, on the processing of personal data in the EES.

More information on the CSC supervision of the EES will be published on the CSC members’ websites.

 

Background

The CSC consists of European national Data Protection Authorities and the EDPS, which together ensure coordinated supervision of large scale IT systems, and of EU bodies, offices and agencies falling under its scope. These also include the Schengen information system (SIS), the Visa information system (VIS), Eurodac, and two new systems entering into operation at a later date: the European Travel Information and Authorisation System (ETIAS) and the European Criminal Records Information System on non EU-nationals (ECRIS-TCN).
The CSC enjoys an autonomous functioning and positioning and it adopts its own rules of procedure and working methods. The Committee was established within the framework of the EDPB.
 

Brussels, 9 October - The EDPB is organising a remote stakeholder event to collect stakeholders’ input on anonymisation and pseudonymisation following the clarification on the scope of the concept of personal data provided by the Court of Justice of the European Union (CJEU) in its judgement in EDPS v Single Resolution Board (SRB). The event will take place by the end of the year.
The event will inform and support the EDPB’s ongoing work on these topics as per its work programme 2024-2025 and it reflects the EDPB’s commitment to stakeholder engagement, as outlined in the recent Helsinki statement.  

Do you wish to participate to have your say? 

The EDPB will launch a call for expression of interest to participate in the stakeholder event in the following weeks. 
More details about the date and format will follow soon on the EDPB website.

Brussels, 09 October - The European Data Protection Board (EDPB) and the European Commission endorsed joint guidelines on the interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). These are the first joint guidelines by the Board and the European Commission.

In line with its 2024-2027 Strategy and the recent Helsinki Statement’s objectives to make GDPR compliance easier and strengthen consistency, the EDPB has cooperated with the European Commission, each within their respective mandates, to facilitate the coherent application of the DMA*and GDPR and to increase legal certainty for gatekeepers, business users, beneficiaries and individuals.

EDPB Chair Anu Talus said:  “These joint guidelines are the result of a fruitful cooperation between the EDPB and the European Commission. This is the first time that the EDPB and the European Commission prepare guidelines jointly. This approach maximises usefulness of the guidance by simplifying compliance for businesses and bringing enhanced legal certainty to them. 

The guidelines will help gatekeepers, business users and individuals to better understand their obligations and rights under the DMA, and ensure a consistent, effective and complementary application of the DMA and EU data protection law.”

How the DMA and the GDPR interact

The DMA and the GDPR both protect individuals in the digital landscape, but their goals are complementary as they address interconnected challenges: individual rights and privacy in case of the GDPR and fairness and contestability of digital markets under the DMA.   

Several activities regulated by the DMA entail the processing of personal data by gatekeepers and, in several provisions, the DMA explicitly refers to definitions and concepts included in the GDPR. The joint guidelines clarify how gatekeepers can implement these DMA provisions in accordance with EU data protection law. For example, the EDPB and the Commission specify which elements gatekeepers should consider in order to comply with the requirements of specific choice and valid consent under Art. 5(2) DMA and the GDPR, and thus to lawfully combine or cross-use personal data in core platform services.

The EDPB and the Commission also address other provisions including those related to the distribution of third party apps and stores, data portability, data access requests and interoperability of messaging services.

 

Next steps

The Board and the Commission have just launched a joint public consultation on the first version of the guidelines which will be open until 4 December 2025.  This will be an opportunity for stakeholders to comment and provide feedback.

All submissions will be published on the DMA website to which a link will be included on the EDPB website, after the consultation period has closed.

The final text, incorporating input received during the consultation, will be prepared jointly by the Board and the Commission, and will be adopted by the EDPB and European Commission.

 

More guidelines on the way

Following these first joint guidelines with the Commission, further work is underway to clarify the new cross-regulatory landscape and maintain coherent and consistent safeguards for the protection of personal data. In this regard, the EDPB is working with the Commission, specifically with the AI Office, on joint guidelines on the interplay between the AI Act and EU data protection laws.

Note to editors:
The Digital Markets Act is one of the first regulatory tools that aims to tackle unfair practices of gatekeepers in digital markets. Gatekeepers are large digital platforms providing core platform services, such as online search engines, app stores, and messenger services. The main objective of the DMA is to make the markets in the digital sector fairer and more contestable. 
 

TechDispatch Talks episode out! francesco Fri, 10/03/2025 - 09:40 Fri, 10/03/2025 - 12:00

A new episode of the Podcast series TechDispatch Talks to help you understand emerging technologies, their opportunities but also privacy challenges.

Watch the video podcast or listen to it.

0

EDPS Recognised for Accountability at GPA Awards francesco Wed, 10/01/2025 - 12:16 Wed, 10/01/2025 - 12:00

the EDPS has been awarded at the GPA Awards in the Accountability category for two strategic initiatives to enhance personal data breach management across EU institutions: The Data Breach Awareness Campaign and PATRICIA Exercise - Personal dATa bReach awareness In Cybersecurity Incident hAndling!

The Data Breach Awareness Campaign, targeted at selected participants, was structured to assess existing breach management practices, identify critical areas, evaluate process implementation, and provide tailored recommendations. 

In addition, together with the European Union Agency for Cybersecurity (ENISA), we jointly organised two table-top exercises in Brussels. The initiative was designed to raise awareness among staff from European Union Institutions on how to effectively manage personal data breaches.

This recognition by the Global Privacy Assembly highlights the value of joint initiatives where supervisory authorities build capacity, foster collaboration, and promote continuous improvement in data protection.

We thank the Global Privacy Assembly for this recognition and remain committed to strengthening cooperation and preparedness in the protection of personal data.

0

European Cybersecurity Month 2025 miriam Mon, 09/29/2025 - 21:12 Wed, 10/01/2025 - 12:00

2025 marks the 13th Anniversary of the European Cybersecurity Month. Join forces with the EU institutions, bodies and agencies in an annual awareness campaign to strengthen cybersecurity among Europeans.

Read our infographics on phishing, ransomware and pretexting.

Read more about what can the EU institutions, bodies and agencies do to tackle personal data breaches.

Watch the high-level panel discussion featuring EDPS Wojciech Wiewiórowski at the Inter-Institutional Kick-Off event.

Read, watch or listen to the Podcast episode of TechDispatch Talks - Human Oversight of Automated Decision-Making.

0

Data protection beyond borders: a milestone for international organisations francesco Fri, 09/26/2025 - 09:57 Fri, 09/26/2025 - 12:00

The International Organisations Workshop celebrates 20 years of fostering cooperation on key data protection aspects, bringing together global experts to address shared challenges.

1 Read blogpost by Wojciech Wiewiórowski

TechDispatch - Human Oversight of Automated Decision-Making francesco Mon, 09/22/2025 - 16:39 Tue, 09/23/2025 - 12:00

The EDPS TechDispatch provides factual descriptions of a new technology and its implication for personal data protection. Check the latest edition.

0 TechDispatch

Sharing of personal data with the United States must be accompanied by comprehensive and effective safeguards miriam Thu, 09/18/2025 - 10:01 Thu, 09/18/2025 - 12:00

Read the Press Release on the EDPS Opinion on Recommendation on a framework agreement between EU and USA on the exchange of information for security screenings and identity verifications.

Read Press Release

Read Opinion

0

Brussels, 12 September - During its September plenary meeting, the European Data Protection Board (EDPB) has adopted guidelines on the interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR). These are the first set of EDPB guidelines on the interplay between the GDPR and the EU’s recently adopted digital laws.

The DSA aims to complement the rules of the GDPR to ensure the highest level of protection of fundamental rights in the digital space. Its main goal is to create a safer online environment in which the fundamental rights of all users, including the right to freedom of expression, are protected. It applies to online intermediary services, such as search engines and platforms.

Several provisions included in the DSA entail the processing of personal data by intermediary service providers. The EDPB guidelines contribute to the consistent application of the DSA and of the GDPR, insofar as some provisions of the DSA concern the processing of personal data by intermediary service providers and include references to GDPR concepts and definitions.

While it is up to the competent authorities under the DSA - with the support of the European Board for Digital Services and EU courts - to interpret the DSA, there are a number of provisions which relate to the GDPR.

These include:

• notice-and-action systems that help individuals or entities report illegal content
• recommender systems used by online platforms to automatically present specific content to the users of the platform with a certain relative order or prominence
• the provisions to ensure a high level of privacy, safety, and security of minors and prohibiting that profile-based advertising using their data is presented to them
• transparency of advertising by online platforms
• prohibition of profiling-based advertising using special categories of data 

The EDPB guidelines help to understand how the GDPR should be applied in the context of DSA obligations.

The EDPB also provides practical guidance relating to the cross-regulatory cooperation between authorities to coordinate enforcement which will provide more legal certainty for intermediary service providers and ultimately to protect the rights and freedoms of individuals.

The guidelines will be subject to public consultation, providing stakeholders with the opportunity to comment and provide feedback.

EDPB Chair Anu Talus said: “By clarifying the interplay between the DSA and the GDPR, these guidelines mark a significant step towards ensuring a coherent and effective EU digital rulebook, and they will help uphold the fundamental rights and freedoms of individuals.

I hope that stakeholders, including the competent authorities under the DSA, will make the most of the opportunity to contribute to the public consultation".

More work in the pipeline

Following these first guidelines on the interplay between the GDPR and the DSA, further work is underway with other regulators to clarify the new cross-regulatory landscape and maintain coherent and consistent safeguards for the protection of personal data. In this regard, the EDPB is working on joint guidelines with the European Commission on the interplay between the Digital Markets Act (DMA) and the GDPR, as well as on joint guidelines on the interplay between the AI Act and EU data protection laws.
 

International cooperation to fight crime should respect EU fundamental rights guarantees francesco Tue, 09/09/2025 - 09:23 Tue, 09/09/2025 - 12:00

Press release on the EDPS Opinion on the United Nations Convention against Cybercrime.

Read the press release

Read the Opinion

0

AI Act One Year On - What's next? agnieszka Wed, 07/30/2025 - 15:41 Sat, 08/02/2025 - 12:00

Exactly one year ago, on 2 August 2024, the AI Act entered into force. Today marks another important milestone as further provisions of the AI Act come into effect. Watch the video message of the Supervisor.

0

European Commission brings use of Microsoft 365 into compliance with data protection rules for EU institutions and bodies francesco Fri, 07/25/2025 - 09:21 Mon, 07/28/2025 - 12:00

Press release on the European Commission's compliance with the use of Microsoft 365.

1 Read more

Brussels, 9 July 2025 - The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) issued today a Joint Opinion on the European Commission’s Proposal for a Regulation amending certain regulations, including the GDPR. 

The Proposal, part of the fourth simplification Omnibus, aims to simplify EU rules and reduce administrative burden, extending certain mitigating measures available for small and medium sized enterprises (SMEs) to small mid-cap enterprises (SMCs), and includes further simplification measures.  

The Proposal aims to modify Art.30 (5) GDPR, providing a derogation to the obligation to keep a record of data processing operations. Currently, this derogation only applies to enterprises and organisation under 250 employees, except in certain cases. Under the Proposal, the derogation would apply to an enterprise or organisation employing fewer than 750 people, unless the processing operation carried out is likely to result in a high risk to individuals’ rights and freedoms, within the meaning of Art.35 GDPR. 

In addition, the Proposal introduces a definition of SME and SMC in Art.4 GDPR and extends the scope of Art.40 (1) and 42 (1) GDPR to the SMCs, which refer to codes of conduct and certification. These tools are currently designed to help enterprises and organisations demonstrate compliance with the GDPR focusing on the specific needs of SMEs. 

Wojciech Wiewiórowski, EDPS, said: “We support the general objective of the Proposal to reduce the administrative burden for SMEs and SMCs as long as this does not lower the protection of individuals’ fundamental rights, in particular the rights to privacy and to the protection of personal data. To this end, we welcome that the proposed modifications to simplify and clarify the obligation to keep a record of processing are targeted and limited in nature, and do not affect the core principles and other obligations under the GDPR.”  

Anu Talus, EDPB Chair, said: “The EDPB supports the Proposal’s general objective to reduce the administrative burden for SMEs and SMCs and to ensure that, in practice, they can enjoy a derogation from the duty to keep records of processing activities. The current derogation did not always achieve its goal. At the same time, the record of processing activities is a useful tool to support compliance with other duties, such as the one of transparency or to give effect to data subject rights. The simplification will offer greater flexibility to SMEs and SMCs to choose the most appropriate method to be compliant.”

As regard the organisations being subject to the derogation, considering that the Proposal impacts legislation in other policy areas, the EDPB and the EDPS expect further clarifications on why the new threshold of enterprises or organisations employing fewer than 750 persons would be more appropriate under the GDPR, rather than the threshold of 500 employees initially considered. In addition, the new exemption in Art. 30 (5) refers to ‘enterprises employing fewer than 750 employees’ without referring to the newly introduced definitions of SME and SMC, which also includes financial criteria. In order to ensure that the exemption will benefit SMEs and SMCs, the EDPB and the EDPS’s Joint Opinion recommends referring to the newly introduced definitions of SME and SMC. 

The EDPB and EDPS also ask the co-legislators to clarify in the Proposal that the term ‘organisation’, falling within the scope of the proposed derogation under Art.30 (5) GDPR, does not include public authorities and bodies.  
 

Targeted modifications of the GDPR: EDPB & EDPS welcome simplification of record keeping obligations and request further clarifications julia Wed, 07/09/2025 - 12:39 Wed, 07/09/2025 - 12:00

EDPS and EDPB a Joint Opinion on the European Commission’s Proposal for a Regulation amending certain regulations, including the GDPR.

Read Press Release

Read Joint Opinion 

0

A fundamental rights approach to innovation and competitiveness

Helsinki, 3 July 2025 – At a high-level meeting in Helsinki on 1–2 July 2025, the European Data Protection Board (EDPB) adopted a landmark Statement on enhanced clarity, support and engagement.

The Statement outlines new initiatives to make GDPR compliance easier, in particular for micro, small and medium organisations, strengthen consistency and boost cross-regulatory cooperation. 

EDPB Chair Anu Talus said: “The EDPB aims to ensure that compliance with the GDPR can be more easily achieved. By placing fundamental rights into the core of their digital transformation, organisations can ensure that technological advancements and the respect for European values go hand in hand, ultimately building a stronger and more resilient digital economy.”

Across its efforts, the EDPB will strengthen its dialogue with stakeholders, holding proactive and early engagement to identify areas where further support and clarification is required, and providing the opportunity for stakeholders to flag possible inconsistencies and give feedback. The EDPB will publicly report on the main outcomes of the public consultations. 

The EDPB will launch a series of direct and practical resources to simplify GDPR application.

EDPB Chair Anu Talus said: “The EDPB is committed to helping organisations in achieving GDPR compliance with greater ease and efficiency. Through timely and concise guidance and ready-to-use tools, like a common data breach notification template, checklists, how-tos and FAQs, we will continue to make GDPR alignment achievable and accessible for all.”

Among the measures agreed upon to ensure consistent GDPR interpretation and enforcement across Europe, EDPB Members will make continuous efforts to align national and EDPB guidance. They will also develop common practices, methods, tools and common actions review guidelines to ensure their real-world effectiveness. The EDPB will also publish positions by DPAs on priority issues to help organisations understand and act on regulatory expectations.

The EDPB recognises the growing complexity of the digital regulatory landscape and has renewed its commitment to fostering structured cooperation with non-data protection regulators to address legal and practical challenges in cross-sectoral cases.
 

Collaboration & Consistent efforts: two cornerstones for data protection in EU institutions miriam Wed, 07/02/2025 - 15:56 Wed, 07/02/2025 - 12:00

The EDPS - Data Protection Network meeting meets twice a year to discuss data protection priorities and practices in the digital world. 

Read Blogpost by EDPS Secretary General Leonardo Cervera Navas. 

0

New TechDispatch Talks are out! miriam Tue, 07/01/2025 - 12:48 Thu, 07/03/2025 - 12:00

EDPS presents a brand new episode of TechDispatch Talks, a series to help you understand new and emerging technologies, their opportunities but also privacy challenges. Now you can watch it or have a listen!

0

Newsletter #115 miriam Fri, 06/27/2025 - 16:04 Wed, 07/02/2025 - 12:00

30 days of preserving privacy and data protection, what does that look like? Read our newsletter to find out. 

1 Read it now

From Cradle to Cloud: Surveillance and Digitalisation around Childhood ilucenfe Fri, 06/13/2025 - 16:22 Mon, 07/07/2025 - 12:00

EDPS and EDPB Trainees organised a conference to reflect and foster discussion on the digital rights of children.

Read the EDPS - EDPB trainees' blogpost.

Watch the recording. 

0 Learn more