
Stakeholder event on political advertising: express your interest

10 hours 4 minutes ago

Brussels, 29 January - The EDPB organises a remote event to collect stakeholders’ input on its Guidelines on the processing of personal data to target or deliver political advertisements under the regulation on the transparency and targeting of political advertising. The event will take place on 27 March 2026 (time to be confirmed).

This will be an opportunity to inform and support the EDPB’s ongoing work on this topic as per its work programme 2024-2025 and it reflects the EDPB’s commitment to stakeholder engagement, as outlined in the recent Helsinki statement.  

 

Who can participate?

The EDPB invites individuals or organisations with relevant expertise in the event's specific topic to take part in the event.

 

How to take part?

Click here to find further information and express your interest

If you have technical problems submitting the application, we invite you to refresh the page or open the form in a different browser. 
The call for interest is open until 9 February.
 

EDPB

Data Protection Day 2026: keeping children’s personal data safe online

1 day 6 hours ago

Watch the video on online data protection risks for kids 

 

Brussels, 28 January - Every day, the European Data Protection Authorities (DPAs) that make up the EDPB work together to ensure the protection of individuals’ personal data. When it comes to children's data, extra vigilance is essential, particularly in today's fast-evolving digital environment where new risks emerge constantly.

Children are more at risk online than adults because they do not easily recognise dangers, tend to trust strangers too much, and may share personal data without realising. The apps they use often collect their data and, without adequate protections, they can be exposed to harmful content. These risks can follow them throughout their lives, affecting their privacy and leaving long-term digital footprints that are difficult to erase.

 

The EDPB’s commitment in action

Protecting children’s data is a strategic priority for the EDPB and the Board has delivered important advances in safeguarding children's digital rights.

In February 2024, the EDPB adopted a Statement on the legislative developments regarding the Proposal for a Regulation to prevent and combat child sexual abuse. The Statement follows the EDPB-EDPS Joint Opinion on the same proposal.

In February 2025, the EDPB also adopted a Statement on age assurance aimed at helping organisations assess individuals’ age in a GDPR-compliant way. Age assurance is essential to ensure that children do not access content that is not appropriate for their age. At the same time, the method to verify age must be the least intrusive possible and the personal data of children must be protected.

In its statement on age assurance, the EDPB lists ten principles for the compliant processing of personal data when determining the age or age range of an individual. The EDPB supports measures to determine whether someone is above a certain age threshold, but only when these measures are proportionate and follow key EU data protection principles such as protecting privacy by default.

In addition, as stated in the EDPB strategy 2024-2027, the Board is currently working on Guidelines on the processing of children's data.

 

The EDPB is making data protection child’s play

The EDPB is taking a step forward by speaking directly to children about online privacy. By breaking down complex ideas into simple, relatable concepts and using colourful, interactive materials, the EDPB will help children understand their digital rights and the importance of protecting their personal data.

We will soon launch a dedicated hub, “Privacy for Kids”, where parents, teachers, and educators can find everything they need to help children understand and protect their digital privacy. The data protection hub will gather educational resources provided by DPAs from all over Europe. The content will be available in different languages.

In the spirit of Data Protection Day and while awaiting the launch of this new hub, today we are delighted to give you a sneak peek of this exciting project through our animated video.

Discover with us why it is so important for children to be aware of online data protection risks. Take a moment to watch this video with the children in your life and share it far and wide to help reach as many children as possible. It is the perfect way to start a meaningful conversation with them about privacy and responsible online behaviour. 


EDPB

EDPB and EDPS support streamlining AI Act implementation but call for stronger safeguards to protect fundamental rights

1 week 1 day ago

Brussels, 21 January - The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the European Commission’s Proposal for the ‘Digital Omnibus on AI’. The Proposal seeks to simplify the implementation of certain harmonised rules under the AI Act to ensure their effective application.
The EDPB and the EDPS support the objective of addressing practical challenges relating to the implementation of the AI Act. Administrative simplification must not, however, lower the protection of fundamental rights. The Joint Opinion acknowledges the complexity of the AI landscape and welcomes efforts to ease burdens for organisations. However, certain proposed changes could undermine the protection of individuals in the context of AI. 

“Innovation and efficiency are crucial and can coexist with maintaining accountability of AI providers. We welcome EU-level regulatory sandboxes and simplified procedures to promote innovation and support SMEs in Europe. However, Data Protection Authorities must maintain a central role when it comes to the processing of individuals’ personal data. Cooperation between Data Protection Authorities, the AI Office and Market Surveillance Authorities is essential to ensure legal certainty for organisations and foster innovation while upholding individuals’ fundamental rights.”
EDPB Chair, Anu Talus

“Simplification is welcome when it clarifies obligations, empowers individuals, and strengthens trust. A careful balance needs to be kept by reducing administrative burden where possible, without undermining the protection of fundamental rights. Furthermore, we must ensure that the role of the AI Office is clearly defined and does not affect the independent supervision of European Union Institutions’ own use of AI systems.”
European Data Protection Supervisor, Wojciech Wiewiórowski

The Proposal would extend the possibility to process special categories of personal data (such as ethnicity or health data) for bias detection and correction to providers and deployers of any AI systems and models, subject to appropriate safeguards. The EDPB and the EDPS recommend specifying that these data may be used for bias detection and correction only in circumscribed situations where the risk of adverse effects from such bias is considered sufficiently serious.

The EDPB and the EDPS advise against the proposed deletion of the obligation to register AI systems, when they fall under the categories listed as high-risk, even if the providers deem their systems to be ‘non-high risk’. The EDPB and the EDPS consider that this change would significantly undermine accountability and create an undesirable incentive for providers to unduly claim exemptions to avoid public scrutiny.

The EDPB and the EDPS welcome the creation of EU-level AI regulatory sandboxes to promote innovation. To ensure legal certainty, the Joint Opinion recommends the direct involvement of competent Data Protection Authorities (DPAs) in the supervision of data processing within sandboxes. In addition, the EDPB should be afforded an advisory role and the status of observer at the European Artificial Intelligence Board to ensure consistency in relation to EU-level sandboxes. Furthermore, the supervisory role of the AI Office with regard to AI systems based on a general-purpose AI model should be clearly delineated in the operative part and should not overlap with the independent supervision by the EDPS of AI systems developed or used by Union institutions, bodies, offices or agencies.

The EDPB and the EDPS support the goal of streamlining cooperation between fundamental rights authorities or bodies and Market Surveillance Authorities, and the reliance on a central point of contact to increase efficiency. However, they recommend clarifying the role of the MSAs as administrative points of contact for the execution and transmission of requests to providers and deployers, and ensuring that the independence and powers of DPAs are unaffected.

The EDPB and the EDPS also recommend maintaining a duty for AI providers and deployers to ensure AI literacy among their staff. Any new obligation to foster AI literacy placed on the Commission or Member States should complement, not replace, the responsibilities of the organisations actually developing and using these systems.

Finally, the EDPB and the EDPS express concerns regarding the proposed postponement of core provisions for high-risk AI systems. Given the rapid evolution of the AI landscape, they invite the co-legislators to consider whether the original timeline can be maintained for certain obligations, such as transparency requirements, and to minimise delays to the extent possible.

EDPB

EDPB contributes to the LED evaluation and adopts recommendations on the application for Processor BCR

1 week 3 days ago

Brussels, 19 January - During its latest plenary, the EDPB adopted a report to support the European Commission’s evaluation of the Law Enforcement Directive (LED). 

The Commission has to submit its public report* on the evaluation and review of this Directive to the European Parliament and to the Council by 6 May 2026. Ahead of this, the Commission gathered the views of the European Data Protection Authorities (DPAs) on the application and functioning of the LED over the period from January 2022 to 31 August 2025.**

“We welcome the European Commission’s regular evaluations of the application of the LED, and we are committed to providing our expertise for these evaluations to ensure that the LED continues to uphold high data protection standards in the law enforcement context.”
EDPB Chair, Anu Talus

The EDPB facilitates cooperation and coordination between DPAs when supervising law-enforcement processing. The EDPB Secretariat also provides the Secretariat of the Coordinated Supervision Committee (CSC) which ensures coordinated supervision of large-scale IT systems and EU bodies and agencies in the areas of law enforcement and criminal justice. 

In its report, the EDPB highlights the key role of the LED in protecting personal data in the law enforcement context. DPAs have increasingly advised competent national authorities on mitigating data breaches, while many DPAs have also carried out awareness-raising activities and issued guidance.

The EDPB takes note of the request from DPAs to get more clarity on the scope of the LED, notably its boundary with the GDPR, and to address more thoroughly the challenges posed by the growing use of new technologies, such as AI, in the law enforcement context. The EDPB highlights the need for law enforcement authorities to use these tools in strict compliance with the LED, ensuring that their use is necessary, proportionate, and subject to adequate safeguards. 

According to the EDPB, in the context of the case law that has developed since the last evaluation of the directive, it is essential to further strengthen the national implementation of the LED across the European Union. In addition, the role of Data Protection Officers (DPOs) should be reinforced to ensure the effective and consistent application of data protection rules in law enforcement activities.

The report also points to the need for improved cooperation, both among competent authorities responsible for the LED and among law enforcement authorities more broadly.

Finally, the EDPB underlines that both DPAs and the EDPB need additional financial and human resources to carry out new tasks arising from recent legal acts, including responsibilities linked to the CSC, whose activities now also include the supervision of systems such as the Visa Information System (VIS), Prüm II, and the Entry/Exit System (EES).

Next, the EDPB adopted recommendations on the application for approval and on the elements and principles to be found in Processor Binding Corporate Rules (BCR-P).

These recommendations form an update of the existing BCR-P referential, which contains the criteria for BCR-P approval, and merge it with the standard application form for BCR-P. 

BCR-Ps are a transfer tool that can be used by a group of undertakings or enterprises to transfer personal data outside the European Economic Area to processors within the same group. BCRs create enforceable rights and set out commitments to establish a level of data protection essentially equivalent to the one provided by the GDPR. 

The new recommendations build upon the agreements reached and the experience gained by DPAs in the course of approval procedures on concrete BCR-P applications since the entry into application of the GDPR, as well as upon the work carried out in the context of the updated Recommendations on Controller Binding Corporate Rules (BCR-C).

The recommendations provide clear criteria and explanations to ensure that BCR-P developed by groups of undertakings or enterprises are compliant with the GDPR. The recommendations clarify when BCR-P can be used, namely only for intra-group transfers between processors, when the controller is not part of the group. 

In addition, the recommendations clarify that the BCR-P are designed to meet the requirements of Article 28(4) GDPR. This means that any processor within the Group using BCR-P does not need to sign a separate sub-processing agreement with each sub-processor in the Group.  

The recommendations will be open to public consultation until 2 March 2026.

The EDPB members also held an exchange of views on the upcoming joint opinion on the Digital Omnibus, which is scheduled for adoption at the February plenary meeting.

Note to editors
*The legal basis for the Commission’s action is Art. 62 of Directive (EU) 2016/680 (Law Enforcement Directive), which requires the Commission to evaluate and report on the application of the Directive.

**See also the European Commission Report on the application of the Law Enforcement Directive, COM(2022) 364 final, to which the EDPB contributed.

EDPB

EDPB gives recommendations to make online shopping more respectful of users’ privacy, discusses the Digital Omnibus proposal and appoints new Deputy Chair

1 month 3 weeks ago

Brussels, 4 December - During its latest plenary, the EDPB adopted recommendations on the legal basis for requiring the creation of user accounts on e-commerce websites. In addition, the Board had a preliminary discussion on the Digital Omnibus proposal and appointed the new EDPB Deputy Chair.

Internet users visit e-commerce websites for a variety of reasons, including making online purchases, taking advantage of promotions, or simply browsing products. When interacting with these websites, they may be asked to create an account, which can result in the collection and processing of personal data, as well as increased privacy and security risks.

The EDPB adopted recommendations to clarify when e-commerce websites can require their users to create an account.

As a general rule, users should have the option to engage with e-commerce websites, including the ability to make purchases, without creating an account. In such cases, the EDPB recommends that e-commerce websites offer a choice: either a 'guest' mode, allowing users to make purchases without creating an account, or the option to voluntarily create an account. This approach minimises the collection and processing of personal data, and therefore aligns with the GDPR's principle of data protection by design and by default.

However, mandatory account creation can be justified in a limited number of cases, including for example, offering a subscription service or providing access to exclusive offers.

The recommendations highlight the EDPB's efforts to promote pragmatic, user-friendly and privacy-protective practices in the e-commerce sector.

The recommendations are subject to public consultation, providing stakeholders with the opportunity to comment and provide feedback.

 

Preliminary discussion on the Digital Omnibus proposal

The EDPB had a preliminary discussion on the proposal for a Digital Omnibus, on which the EDPB and EDPS will issue a Joint Opinion.

In its Helsinki Statement, the EDPB made proposals in order to achieve enhanced clarity, support and engagement. The EDPB and the EDPS welcome the discussion on effective digital regulation and remain committed to finding solutions to make GDPR compliance easier, especially for small organisations.

The EDPB and the EDPS will focus on how the European Commission’s proposal will impact the fundamental rights of individuals and whether it will lead to simplification for organisations and more legal certainty.

While numerous points need to be analysed, at this stage, the EDPB and the EDPS can already underline that the proposed modification of the definition of personal data seems to go further than the recent CJEU case law, and beyond a targeted modification of the GDPR, which may risk adversely affecting the fundamental right to data protection.

The EDPB recalls its upcoming public stakeholder event on this topic on 12 December 2025 and underlines that the implementation of the CJEU case law through guidelines taking into account stakeholders' input ensures greater certainty.

 

Jelena Virant Burnik elected new Deputy Chair of the EDPB

At this week’s plenary, the members of the EDPB appointed Jelena Virant Burnik, Information Commissioner of the Republic of Slovenia, as new Deputy Chair of the Board.

“I am honoured to have been elected as Deputy Chair of the EDPB. I am pleased to have the opportunity to help strengthen the role of the EDPB as a central authority in EU data protection. I am committed to fostering cooperation among national Data Protection Authorities and providing a forum for their open discussions that help align the understanding and enforcement of the GDPR provisions.

In the ever-developing landscape of digital regulation, the EDPB must remain a regulator that understands the complex interplay of legislation and contributes productively to the discussions at European level.”

EDPB Deputy Chair, Jelena Virant Burnik

“Over the past years, the landscape in which we operate has fundamentally shifted, reshaping the EDPB’s role in Europe’s digital future. In this dynamic environment, the new EDPB Deputy Chair faces exciting challenges ahead. I am confident that the EDPB will greatly benefit from her expertise and dedication.

I look forward to collaborating with Jelena Virant Burnik to advance the EDPB’s shared mission: fostering innovation while safeguarding individuals’ fundamental rights.”

EDPB Chair, Anu Talus

Over the coming years, Jelena Virant Burnik will work closely with EDPB Chair Anu Talus and fellow Deputy Chair Zdravko Vukić to ensure the consistent application of EU data protection rules and promote effective cooperation among Data Protection Authorities across Europe.

EDPB

Strengthening data protection worldwide: EDPB meets with the countries and organisation with an adequacy decision

1 month 3 weeks ago

Brussels, 3 December - As part of its December plenary meeting, the European Data Protection Board (EDPB) yesterday held an online meeting with Commissioners and representatives of Data Protection Authorities (DPAs) from the countries and the organisation with an EU adequacy decision. This meeting marked the second of its kind, following the first gathering in October 2024.

An adequacy decision is a key mechanism in EU data protection legislation which allows the free flow of personal data from Europe to third countries or an international organisation offering an adequate level of data protection.* To date, the following countries and organisation benefit from this: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, Uruguay, United States, and the European Patent Organisation. Data Protection Authorities from those countries and the European Patent Organisation are key partners for the EDPB, playing a key role in our joint efforts to strengthen data protection worldwide.

Strengthening multilateral cooperation

The Board organised a first meeting in October 2024 with Data Protection Authorities from the fifteen countries with an EU adequacy decision.

Following that meeting, the EDPB and the Data Protection Authorities from the countries and the organisation with an EU adequacy decision strengthened their cooperation by sharing information on some advisory works and gathering experiences on international data protection enforcement cooperation.

“Our first joint meeting in October 2024 paved the way for a stronger cooperation and valuable knowledge and experience sharing on data protection.

The high level of engagement shown in this second meeting by the EDPB and the Data Protection Authorities from the countries and the international organisation for which the EU adopted an adequacy decision is a clear sign of our commitment to continue working together in this shared direction.”

EDPB Chair, Anu Talus

Yesterday’s meeting was an opportunity for all participants to share views on past activities and updates on the next enforcement and advisory priorities.

 

Note to editors

The European Commission has the power to determine, on the basis of Art. 45 of Regulation (EU) 2016/679 whether a country outside the EU offers an adequate level of data protection.

The adoption of an adequacy decision involves: 1) a proposal from the European Commission; 2) an opinion of the European Data Protection Board; 3) approval from representatives of EU countries; 4) adoption of the decision by the European Commission.

EDPB

Support the EDPB’s work as an expert

2 months ago

Brussels, 28 November - The EDPB launched a call for expression of interest to establish a new reserve list for the Support Pool of Experts (SPE) programme. The objective is to set up a reserve list of legal and technical experts.

The legal expertise sought includes a wide range of fields, such as data protection, policy monitoring, technology, cybersecurity, competition, healthcare, online intermediary services and content moderation.

As for the technical expertise, the relevant areas include IT auditing, website security, mobile OS and apps, Internet of Things, cloud-computing, behavioural advertising, anonymisation techniques, cryptology, artificial intelligence, User experience (UX) design, fintech, data science, social science (incl. economics, sociology, psychology), and development of applications and software.

Bring your expertise to the table

Don’t miss this opportunity to participate in this key EDPB strategic initiative. Your work will help Data Protection Authorities (DPAs) across Europe increase their capacity to supervise and enforce data protection rules and strengthen the protection of individuals’ fundamental rights.

In 2022, the EDPB issued a call for expression of interest, which led to the establishment of a first SPE reserve list. As this list is set to expire in February 2026, the EDPB is inviting experts who were included in this first SPE reserve list to submit their application in response to the new call for expression of interest.

The call will be open until August 2030.

Learn how to submit your application.

Apply now


Background

The SPE was developed as part of the EDPB Strategy 2021-2023 to help DPAs increase their enforcement capacity by developing common tools and giving them access to a wide pool of experts.

The EDPB aims to carry out approximately ten projects per year with pre-eminent external experts in a given field. Projects are coordinated either by individual DPAs or by the EDPB.

More information on the SPE and on completed projects is available here
 

EDPB

Stakeholder event on anonymisation and pseudonymisation: express your interest

2 months 1 week ago

Brussels, 17 November - The EDPB organises a remote event to collect stakeholders’ input on anonymisation and pseudonymisation on implications of the judgement of the Court of Justice of the European Union (CJEU) in EDPS v Single Resolution Board (SRB). The event will take place on 12 December 2025 (time to be confirmed).

This will be an opportunity to inform and support the EDPB’s ongoing work on these topics as per its work programme 2024-2025 and it reflects the EDPB’s commitment to stakeholder engagement, as outlined in the recent Helsinki statement.  

Who can participate?

Individuals representing sector associations, organisations or NGOs and individual companies, law firms or academics are invited to express their interest to participate in this event (one participant per organisation). The EDPB encourages all organisations interested in this matter to delegate a representative with technical knowledge of these topics.

As a general rule, participants will be registered on a first-come first-served basis. Nonetheless, the EDPB reserves the right to give precedence to specific stakeholders among those who expressed their interest, based on their relevance to the topics of the event, and to ensure diversity of views and a balanced representation of areas of interest, as well as geographical balance.

How to take part?

You can find further information and the instructions on how to register (link not available).

The call will be closed as soon as a sufficiently high number of applicants is reached with a view to ensuring the participation of a maximum number of stakeholders.

If you have technical problems submitting the application, we invite you to refresh the page or open the form in a different browser. 

 

Update on 17/11/2025, 12:57 pm: The call is now closed.

Thank you to all those who expressed their interest in taking part in the EDPB stakeholder event on ‘anonymisation and pseudonymisation’. We will carefully review all applications and communicate the results of the process to those who applied in the coming weeks.
 

EDPB

Draft adequacy decision for Brazil: EDPB adopts opinion

2 months 3 weeks ago

Brussels, 5 November - During its latest plenary, the EDPB adopted an opinion on the European Commission’s draft decision on the adequate level of protection of personal data in Brazil.* Once adopted, the decision will ensure that personal data can flow freely from Europe to Brazil and that individuals can retain control over their data.

In its opinion, requested by the Commission, the EDPB assesses whether the Brazilian data protection framework and the rules on government access to personal data transferred from Europe provide safeguards essentially equivalent to the ones in EU legislation. The Board positively notes the close alignment with EU legislation and the case law of the Court of Justice of the EU. The EDPB also examines whether the safeguards provided under the legal framework in Brazil are in place and effective.

“The EDPB welcomes the alignment between Brazil and Europe’s data protection frameworks. This is a pivotal moment that will strengthen legal certainty for organisations and competent authorities transferring personal data from Europe to Brazil.

We call on the European Commission to address a few remaining points to ensure the effective protection of individuals’ fundamental rights.”

EDPB Chair, Anu Talus


The EDPB also invites the Commission to provide further clarifications and monitor certain areas in relation to Data Protection Impact Assessments (DPIA), the limitations on transparency related to commercial and industrial secrecy, and the rules on onward transfers.

As a general rule, the Brazilian data protection law does not apply to data processed by Brazilian public authorities for the exclusive purposes of public safety, national defence, State security, or the investigation and prosecution of criminal offenses.

At the same time, the EDPB positively notes that the Brazilian data protection law partially applies to the processing of personal data in the context of criminal investigations and maintenance of public order, as interpreted by the Federal Supreme Court of Brazil in its case-law.

The Board invites the Commission to further specify the applicability of the Brazilian data protection law, as well as the Brazilian Data Protection Authority’s investigatory and corrective powers in relation to law enforcement authorities. Finally, the Board invites the Commission to further clarify the outline of Brazil’s concept of national security.

 

Note to editors:

* An adequacy decision is a key mechanism in EU data protection legislation which allows the European Commission to determine whether a third country or an international organisation offers an adequate level of data protection. The European Commission has the power to determine, on the basis of Art. 45 of Regulation (EU) 2016/679, whether a country outside the EU offers an adequate level of data protection.

The adoption of an adequacy decision involves: 1) a proposal from the European Commission; 2) an opinion of the European Data Protection Board; 3) approval from representatives of EU countries; 4) adoption of the decision by the European Commission.

EDPB

Help make GDPR compliance easy for organisations: what templates would be helpful for you? Provide your feedback

2 months 3 weeks ago

Brussels, 5 November - The European Data Protection Board (EDPB) is taking an important step towards facilitating GDPR compliance for organisations by developing a series of ready-to-use templates. This initiative, announced following the Helsinki Statement on enhanced clarity, support, and engagement, aims to provide practical tools that organisations can readily implement to meet their data protection obligations.

To ensure these templates address the needs of organisations, the EDPB has launched a public consultation inviting stakeholders to share their suggestions. The consultation specifically seeks feedback on which types of templates would be most beneficial (for example, a template for privacy notices or a template for records of processing activities).

The EDPB will already work on templates for key GDPR requirements such as Data Protection Impact Assessments (DPIAs) and data breach notifications.

Contributions can be submitted here until 3 December 2025.

The EDPB encourages all interested parties to take part in this consultation and help create practical resources that make GDPR compliance more straightforward and accessible for everyone.

EDPB

Draft UK adequacy decisions: EDPB adopts opinions

3 months 1 week ago

Brussels, 20 October - During its latest plenary, the EDPB adopted two opinions on the European Commission’s draft decisions on the extension of the validity of the UK adequacy decisions under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) until December 2031.*

The EDPB opinions, requested by the Commission as per Art. 70(1)(s) GDPR and Art. 51(1)(g) LED, address the proposed six-year extension of the two UK adequacy decisions which are set to expire in December 2025.

The extension of the validity of the UK adequacy decisions will allow organisations and competent authorities based in Europe to continue transferring data to UK-based organisations and authorities without implementing additional guarantees.**

“The EDPB welcomes the continuing alignment between the UK and Europe’s data protection framework, despite the recent changes in the UK legal framework.

I call on the European Commission to address the points highlighted by the Board and to ensure an effective monitoring once the decisions are adopted. This will increase the robustness of UK’s adequacy and ensure more legal certainty for organisations and competent authorities transferring personal data from Europe to the UK.”

EDPB Chair, Anu Talus

About the GDPR opinion

According to the Board, most of the changes introduced to the UK’s data protection framework aim to clarify and facilitate compliance with the law.

Some aspects of the draft decision could be further clarified.

The EDPB invites the European Commission to further analyse and monitor the changes to the Retained EU Law (Revocation and Reform) Act 2023, also known as REUL Act, in particular the removal of the principle of primacy of EU law and the removal of the direct application of the principles of EU law.

The EDPB notes that the Secretary of State has been granted new powers to introduce changes to the new data protection framework, via secondary regulations which require less Parliamentary scrutiny. This is the case for international transfers, automated decision-making, and the governance of the Information Commissioner’s Office (ICO). The EDPB invites the Commission to address possible risks of divergence by highlighting, in the final adequacy decision, the areas which they intend to carefully monitor.

The EDPB also encourages the Commission to further elaborate its assessment and monitor the rules on transfers from the UK to third countries. The new adequacy test, introduced by the Data (Use and Access) Act 2025, requires the level of protection of the third country to be not materially lower than the one provided for data subjects by the UK framework, but this test does not refer to the risk of government access, the existence of redress for individuals and the need for an independent supervisory authority.

The Commission should also further assess and monitor the purported use by the UK Government of Technical Capability Notices (“TCN”) requiring companies to circumvent encryption, as this would create systemic vulnerabilities and pose a risk to the integrity and confidentiality of electronic communications.

Finally, the EDPB calls on the Commission to further assess and monitor the changes to the structure of the ICO and the exercise of its corrective powers. In this context, the EDPB positively notes the transparency policy of the ICO and the availability of the statistical and analytical data of its enforcement activities.

The new adequacy decisions will add to the 2021 decisions, which will continue to apply to areas not covered in the 2025 draft decisions. The EDPB builds on its 2021 opinions (14/2021 and 15/2021). In particular, the close alignment between the GDPR framework and the UK legal framework on key provisions, highlighted in 2021, continues to hold true today (including, for example, transparency, data subject rights, and special categories of data).

About the LED opinion

The EDPB welcomes the continuous alignment between the data protection framework in Europe and the UK, and encourages the Commission to complement its assessment on aspects relating to national security exemptions. Such exemptions may waive most data protection principles and some international transfer rules for law enforcement authorities, and also limit ICO’s enforcement and inspection powers.

The EDPB invites the Commission to analyse the UK’s rules on transfers of personal data to third countries, in particular the new adequacy test, in the same way as in the GDPR opinion.

The Board also points out the more permissive approach for automated decision-making and the new powers conferred on the Secretary of State in this matter. It recalls the importance of meaningful human review and urges the Commission to clarify and monitor possible exemptions from individuals’ right to obtain human intervention.

Finally, the EDPB acknowledges that the system of oversight of criminal law enforcement agencies as well as the redress mechanisms remain largely unchanged, and it reiterates the need for the Commission to closely monitor the application of corrective powers and remedies for individuals in the UK data protection framework.

 

Note to editors:

* On 22 July 2025, the European Commission issued two draft amending implementing decisions on the adequate protection of personal data by the United Kingdom pursuant to Article 45(3) GDPR and Article 36(3) LED. These draft decisions aim at extending the validity of the previous adequacy decisions adopted on 28 June 2021.
In May 2025, the Commission adopted a decision to extend the validity of the UK adequacy decision for six more months, from June until December 2025. The EDPB adopted an opinion on this extension in May 2025.

** An adequacy decision is a key mechanism in EU data protection legislation which allows the European Commission to determine whether a third country or an international organisation offers an adequate level of data protection. The European Commission has the power to determine, on the basis of Art. 45 of Regulation (EU) 2016/679, whether a country outside the EU offers an adequate level of data protection.

The adoption of an adequacy decision involves: 1) a proposal from the European Commission; 2) an opinion of the European Data Protection Board; 3) an approval from representatives of EU countries; 4) the adoption of the decision by the European Commission.

EDPB

Coordinated Enforcement Framework: EDPB selects topic for 2026

3 months 2 weeks ago

Brussels, 14 October - During its October plenary, the European Data Protection Board (EDPB) picked the topic for its fifth coordinated enforcement action, which will concern compliance with the obligations of transparency and information under the General Data Protection Regulation (GDPR).  The GDPR ensures that individuals are informed when their data is being processed (under Art. 12, 13 and 14). This right to be informed is a core element of transparency and ensures that individuals have more control over their data.

In a coordinated action, the EDPB prioritises a certain topic for Data Protection Authorities (DPAs) to work on at national level. The results of these national actions are then aggregated and analysed to generate deeper insight into the topic and allow for targeted follow-up at both national and European level if needed.

Participating DPAs will join this new action on a voluntary basis in the coming weeks and the action itself will be launched over the course of 2026.

CEF achievements so far

In recent years, the EDPB has carried out various coordinated actions on different topics, publishing reports on their results. Specifically:

Earlier this year, the EDPB launched a coordinated action on the right to erasure or the “right to be forgotten” (Art. 17 GDPR). The report on the outcome of this action will be adopted in the coming months.

Background

This new coordinated action follows the EDPB’s decision to set up a Coordinated Enforcement Framework (CEF) in October 2020. The CEF is a key action of the EDPB under its 2024-2027 Strategy, together with the creation of a Support Pool of Experts (SPE). The two initiatives aim to streamline enforcement and cooperation among DPAs.
 

EDPB

Strengthening Schengen security and preventing irregular migration: EU Entry Exit System enters into operation

3 months 2 weeks ago

Brussels, 10 October - On the occasion of the upcoming entry into operation of the EU Entry Exit System (EES) on 12 October 2025, the Coordinated Supervision Committee (CSC) will include the EES under its scope. This system registers non-Schengen nationals travelling with a short-stay visa or travellers who are visa-exempt. The EES is a large-scale IT system developed by the EU to prevent irregular migration and enhance security in the Schengen area.

 

How it works 

The EES gradually replaces passport stamping at the external borders of the Schengen area, with the aim of making the border process more efficient. The system records which travellers from third countries, with or without a visa, enter and exit the Schengen area. 

The implementation of the EES will happen gradually. European countries will have the option to progressively start using this system over a period of six months, starting with the registration of third country nationals at 10% of border crossings. By the end of the six-month period, European countries should reach full registration of all individuals.

Processing of individuals’ personal data by the EES

The EES records personal data from travel documents such as name, date of birth, and place of birth. It also registers the dates of entry and exit of travellers, as well as biometric data such as facial images and fingerprints. Given the sensitivity of the personal data processed by this system, it is crucial to ensure that individuals can effectively exercise their rights and that the processing of personal data is supervised.

 

Ensuring data subject rights

The protection of personal data is a fundamental right, which also applies to EES data processing. 
The EES regulation ensures that travellers are properly informed about their rights regarding the processing of their personal data in the EES, and how to exercise these rights. Authorities processing personal data in the EES, such as border guards, migration services, and under certain conditions, law enforcement authorities, must ensure that individuals can easily request access to their data, as well as rectification, completion, erasure and restriction.

 

Supervision of the data processing in the EES

With the upcoming entry into operation of the EES, the CSC will also focus its supervision, at both European and at national level, on the processing of personal data in the EES.


More information on the CSC supervision of the EES will be published on the CSC members’ websites.

 

Background

The CSC consists of European national Data Protection Authorities and the EDPS, which together ensure coordinated supervision of large scale IT systems, and of EU bodies, offices and agencies falling under its scope. These also include the Schengen information system (SIS), the Visa information system (VIS), Eurodac, and two new systems entering into operation at a later date: the European Travel Information and Authorisation System (ETIAS) and the European Criminal Records Information System on non EU-nationals (ECRIS-TCN).
The CSC enjoys an autonomous functioning and positioning and it adopts its own rules of procedure and working methods. The Committee was established within the framework of the EDPB.
 

EDPB

Anonymisation and pseudonymisation: take part in the stakeholder event

3 months 2 weeks ago

Brussels, 9 October - The EDPB is organising a remote stakeholder event to collect stakeholders’ input on anonymisation and pseudonymisation following the clarification on the scope of the concept of personal data provided by the Court of Justice of the European Union (CJEU) in its judgement in EDPS v Single Resolution Board (SRB). The event will take place by the end of the year.
The event will inform and support the EDPB’s ongoing work on these topics as per its work programme 2024-2025 and it reflects the EDPB’s commitment to stakeholder engagement, as outlined in the recent Helsinki statement.  

Do you wish to participate to have your say? 

The EDPB will launch a call for expression of interest to participate in the stakeholder event in the following weeks. 
More details about the date and format will follow soon on the EDPB website.

EDPB

DMA and GDPR: EDPB and European Commission endorse joint guidelines to clarify common touchpoints

3 months 2 weeks ago

Brussels, 09 October - The European Data Protection Board (EDPB) and the European Commission endorsed joint guidelines on the interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). These are the first joint guidelines by the Board and the European Commission.

In line with its 2024-2027 Strategy and the recent Helsinki Statement’s objectives to make GDPR compliance easier and strengthen consistency, the EDPB has cooperated with the European Commission, each within their respective mandates, to facilitate the coherent application of the DMA* and GDPR and to increase legal certainty for gatekeepers, business users, beneficiaries and individuals.

EDPB Chair Anu Talus said:  “These joint guidelines are the result of a fruitful cooperation between the EDPB and the European Commission. This is the first time that the EDPB and the European Commission prepare guidelines jointly. This approach maximises usefulness of the guidance by simplifying compliance for businesses and bringing enhanced legal certainty to them. 

The guidelines will help gatekeepers, business users and individuals to better understand their obligations and rights under the DMA, and ensure a consistent, effective and complementary application of the DMA and EU data protection law.”

How the DMA and the GDPR interact

The DMA and the GDPR both protect individuals in the digital landscape, but their goals are complementary as they address interconnected challenges: individual rights and privacy in the case of the GDPR, and fairness and contestability of digital markets under the DMA.

Several activities regulated by the DMA entail the processing of personal data by gatekeepers and, in several provisions, the DMA explicitly refers to definitions and concepts included in the GDPR. The joint guidelines clarify how gatekeepers can implement these DMA provisions in accordance with EU data protection law. For example, the EDPB and the Commission specify which elements gatekeepers should consider in order to comply with the requirements of specific choice and valid consent under Art. 5(2) DMA and the GDPR, and thus to lawfully combine or cross-use personal data in core platform services.

The EDPB and the Commission also address other provisions including those related to the distribution of third party apps and stores, data portability, data access requests and interoperability of messaging services.

 

Next steps

The Board and the Commission have just launched a joint public consultation on the first version of the guidelines which will be open until 4 December 2025.  This will be an opportunity for stakeholders to comment and provide feedback.

All submissions will be published on the DMA website to which a link will be included on the EDPB website, after the consultation period has closed.

The final text, incorporating input received during the consultation, will be prepared jointly by the Board and the Commission, and will be adopted by the EDPB and European Commission.

 

More guidelines on the way

Following these first joint guidelines with the Commission, further work is underway to clarify the new cross-regulatory landscape and maintain coherent and consistent safeguards for the protection of personal data. In this regard, the EDPB is working with the Commission, specifically with the AI Office, on joint guidelines on the interplay between the AI Act and EU data protection laws.

Note to editors:
* The Digital Markets Act is one of the first regulatory tools that aims to tackle unfair practices of gatekeepers in digital markets. Gatekeepers are large digital platforms providing core platform services, such as online search engines, app stores, and messenger services. The main objective of the DMA is to make the markets in the digital sector fairer and more contestable.
 

EDPB

Interplay between the DSA and the GDPR: EDPB adopts guidelines

4 months 2 weeks ago

Brussels, 12 September - During its September plenary meeting, the European Data Protection Board (EDPB) adopted guidelines on the interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR). These are the first set of EDPB guidelines on the interplay between the GDPR and the EU’s recently adopted digital laws.

The DSA aims to complement the rules of the GDPR to ensure the highest level of protection of fundamental rights in the digital space. Its main goal is to create a safer online environment in which the fundamental rights of all users, including the right to freedom of expression, are protected. It applies to online intermediary services, such as search engines and platforms.

Several provisions included in the DSA entail the processing of personal data by intermediary service providers. The EDPB guidelines contribute to the consistent application of the DSA and of the GDPR, insofar as some provisions of the DSA concern the processing of personal data by intermediary service providers and include references to GDPR concepts and definitions.

While it is up to the competent authorities under the DSA - with the support of the European Board for Digital Services and EU courts - to interpret the DSA, there are a number of provisions which relate to the GDPR.

These include:

  • notice-and-action systems that help individuals or entities report illegal content
  • recommender systems used by online platforms to automatically present specific content to the users of the platform with a certain relative order or prominence
  • provisions ensuring a high level of privacy, safety, and security of minors and prohibiting profile-based advertising using their data from being presented to them
  • transparency of advertising by online platforms
  • prohibition of profiling-based advertising using special categories of data 

The EDPB guidelines help to understand how the GDPR should be applied in the context of DSA obligations.

The EDPB also provides practical guidance on cross-regulatory cooperation between authorities to coordinate enforcement, which will provide more legal certainty for intermediary service providers and ultimately protect the rights and freedoms of individuals.

The guidelines will be subject to public consultation, providing stakeholders with the opportunity to comment and provide feedback.

EDPB Chair Anu Talus said: “By clarifying the interplay between the DSA and the GDPR, these guidelines mark a significant step towards ensuring a coherent and effective EU digital rulebook, and they will help uphold the fundamental rights and freedoms of individuals.

I hope that stakeholders, including the competent authorities under the DSA, will make the most of the opportunity to contribute to the public consultation.”

More work in the pipeline

Following these first guidelines on the interplay between the GDPR and the DSA, further work is underway with other regulators to clarify the new cross-regulatory landscape and maintain coherent and consistent safeguards for the protection of personal data. In this regard, the EDPB is working on joint guidelines with the European Commission on the interplay between the Digital Markets Act (DMA) and the GDPR, as well as on joint guidelines on the interplay between the AI Act and EU data protection laws.
 

EDPB

Targeted modifications of the GDPR: EDPB & EDPS welcome simplification of record keeping obligations and request further clarifications

6 months 2 weeks ago

Brussels, 9 July 2025 - The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) issued today a Joint Opinion on the European Commission’s Proposal for a Regulation amending certain regulations, including the GDPR.

The Proposal, part of the fourth simplification Omnibus, aims to simplify EU rules and reduce administrative burden, extending certain mitigating measures available for small and medium sized enterprises (SMEs) to small mid-cap enterprises (SMCs), and includes further simplification measures.  

The Proposal aims to modify Art. 30(5) GDPR, providing a derogation to the obligation to keep a record of data processing operations. Currently, this derogation only applies to enterprises and organisations with fewer than 250 employees, except in certain cases. Under the Proposal, the derogation would apply to an enterprise or organisation employing fewer than 750 people, unless the processing operation carried out is likely to result in a high risk to individuals’ rights and freedoms, within the meaning of Art. 35 GDPR.

In addition, the Proposal introduces a definition of SME and SMC in Art. 4 GDPR and extends to SMCs the scope of Art. 40(1) and 42(1) GDPR, which refer to codes of conduct and certification. These tools are currently designed to help enterprises and organisations demonstrate compliance with the GDPR, focusing on the specific needs of SMEs.

Wojciech Wiewiórowski, EDPS, said: “We support the general objective of the Proposal to reduce the administrative burden for SMEs and SMCs as long as this does not lower the protection of individuals’ fundamental rights, in particular the rights to privacy and to the protection of personal data. To this end, we welcome that the proposed modifications to simplify and clarify the obligation to keep a record of processing are targeted and limited in nature, and do not affect the core principles and other obligations under the GDPR.”  

Anu Talus, EDPB Chair, said: “The EDPB supports the Proposal’s general objective to reduce the administrative burden for SMEs and SMCs and to ensure that, in practice, they can enjoy a derogation from the duty to keep records of processing activities. The current derogation did not always achieve its goal. At the same time, the record of processing activities is a useful tool to support compliance with other duties, such as the one of transparency or to give effect to data subject rights. The simplification will offer greater flexibility to SMEs and SMCs to choose the most appropriate method to be compliant.”

As regards the organisations subject to the derogation, considering that the Proposal impacts legislation in other policy areas, the EDPB and the EDPS expect further clarifications on why the new threshold of enterprises or organisations employing fewer than 750 persons would be more appropriate under the GDPR, rather than the threshold of 500 employees initially considered. In addition, the new exemption in Art. 30(5) refers to ‘enterprises employing fewer than 750 employees’ without referring to the newly introduced definitions of SME and SMC, which also include financial criteria. In order to ensure that the exemption will benefit SMEs and SMCs, the EDPB and the EDPS’s Joint Opinion recommends referring to the newly introduced definitions of SME and SMC.

The EDPB and EDPS also ask the co-legislators to clarify in the Proposal that the term ‘organisation’, falling within the scope of the proposed derogation under Art. 30(5) GDPR, does not include public authorities and bodies.
 

EDPB

The Helsinki Statement on enhanced clarity, support and engagement

6 months 3 weeks ago

A fundamental rights approach to innovation and competitiveness

Helsinki, 3 July 2025 – At a high-level meeting in Helsinki on 1–2 July 2025, the European Data Protection Board (EDPB) adopted a landmark Statement on enhanced clarity, support and engagement.

The Statement outlines new initiatives to make GDPR compliance easier, in particular for micro, small and medium organisations, strengthen consistency and boost cross-regulatory cooperation. 

EDPB Chair Anu Talus said: “The EDPB aims to ensure that compliance with the GDPR can be more easily achieved. By placing fundamental rights into the core of their digital transformation, organisations can ensure that technological advancements and the respect for European values go hand in hand, ultimately building a stronger and more resilient digital economy.”

Across its efforts, the EDPB will strengthen its dialogue with stakeholders, holding proactive and early engagement to identify areas where further support and clarification is required, and providing the opportunity for stakeholders to flag possible inconsistencies and give feedback. The EDPB will publicly report on the main outcomes of the public consultations. 

The EDPB will launch a series of direct and practical resources to simplify GDPR application.

EDPB Chair Anu Talus said: “The EDPB is committed to helping organisations in achieving GDPR compliance with greater ease and efficiency. Through timely and concise guidance and ready-to-use tools, like a common data breach notification template, checklists, how-tos and FAQs, we will continue to make GDPR alignment achievable and accessible for all.”

Among the measures agreed upon to ensure consistent GDPR interpretation and enforcement across Europe, EDPB Members will make continuous efforts to align national and EDPB guidance. They will also develop common practices, methods, tools and common actions review guidelines to ensure their real-world effectiveness. The EDPB will also publish positions by DPAs on priority issues to help organisations understand and act on regulatory expectations.

The EDPB recognises the growing complexity of the digital regulatory landscape and has renewed its commitment to fostering structured cooperation with non-data protection regulators to address legal and practical challenges in cross-sectoral cases.
 

EDPB

EDPB publishes final version of guidelines on data transfers to third country authorities and SPE training material on AI and data protection

7 months 3 weeks ago

Brussels, 05 June - During its latest plenary, the European Data Protection Board (EDPB) adopted the final version of its guidelines on Art. 48 GDPR about data transfers to third country authorities, after public consultation. In addition, the Board presented two new Support Pool of Experts (SPE) projects providing training material on artificial intelligence and data protection. Finally, the Board discussed the European Commission’s request for a joint EDPB-EDPS opinion on the draft proposal on the simplification of record-keeping obligation under the GDPR.

Data transfers to third country authorities 

Following public consultation, the EDPB has adopted the final version of the guidelines on data transfers to third country authorities. In its guidelines, the EDPB zooms in on Art. 48 GDPR and clarifies how organisations can best assess under which conditions they can lawfully respond to requests for a transfer of personal data from third country authorities (i.e. authorities from non-European countries).

The EDPB explains that judgements or decisions from third country authorities cannot automatically be recognised or enforced in Europe. As a general rule, an international agreement may provide for both a legal basis and a ground for transfer. In case there is no international agreement, or if the agreement does not provide for an appropriate legal basis or safeguards, other legal bases or other grounds for transfer could be considered, in exceptional circumstances and on a case by case basis.

The modifications introduced in the updated guidelines do not change their orientation, but they aim to provide further clarifications on different aspects that were brought up in the consultation. For example, the updated guidelines address the situation where the recipient of a request is a processor. In addition, they provide additional details regarding the situation where a parent company in a third country receives a request from that third country authority and then requests the personal data from its subsidiary in Europe.

 

Upskilling and reskilling on AI and data protection

During its June plenary, the EDPB also presented two new Support Pool of Experts (SPE) projects*: Law & Compliance in AI Security and Data Protection and Fundamentals of Secure AI Systems with Personal Data. The two projects, which have been launched at the request of the Hellenic Data Protection Authority (HDPA), provide training material on AI and data protection.

The report “Law & Compliance in AI Security & Data Protection” is addressed to professionals with a legal focus like data protection officers (DPO) or privacy professionals.

The second report, “Fundamentals of Secure AI Systems with Personal Data”, is oriented toward professionals with a technical focus like cybersecurity professionals, developers or deployers of high-risk AI systems.

The main aim of these projects is to address the critical shortage of skills on AI and data protection, which is seen as a key obstacle to the use of privacy-friendly AI. The training material will help equip professionals with essential competences in AI and data protection to create a more favourable environment for the enforcement of data protection legislation.

The Board decided to publish both documents as PDF files. Taking into account the very fast evolution of AI, the EDPB also decided to launch a new innovative initiative as a one-year pilot project consisting of a modifiable community version of the reports. The EDPB will start working with the authors of both reports to import them into its Git repository** to allow, in the near future, any external contributor, with an account on this platform and under the condition of the Creative Commons Attribution-ShareAlike license, to propose changes or add comments to the documents.

Simplification of record-keeping obligation under the GDPR ***

Finally, the Board discussed the European Commission's request for a joint opinion by the EDPB and the European Data Protection Supervisor (EDPS) on its proposal to simplify the record-keeping obligations of small and medium-sized enterprises (SMEs), small mid-caps (SMCs) and organisations with fewer than 750 employees, amounting to a targeted amendment of Art. 30(5) GDPR. The EDPB and EDPS will issue their joint opinion on this matter within eight weeks. 

 

Note to editors:

* The Support Pool of Experts (SPE) is an initiative included in the EDPB strategy 2024-2027 to help Data Protection Authorities (DPAs) increase their capacity to enforce by developing common tools and giving them access to a wide pool of experts.  

As part of the SPE programme, the EDPB may commission experts to provide reports and tools on specific topics. The views expressed in the deliverables are those of their authors and they do not necessarily reflect the official position of the EDPB.

** The reports will be available in the following months on the repository page.

*** On 8 May 2025, the EDPB and the EDPS adopted a letter, addressed to the European Commission, to share preliminary views on the Commission’s proposal on the simplification of record-keeping obligation under the GDPR.

EDPB

Simplification of record-keeping obligation: EDPB and EDPS adopt letter to EU Commission

8 months 3 weeks ago

Brussels, 08 May - The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a letter, addressed to the European Commission, on the upcoming proposal on the simplification of record-keeping obligation under the GDPR, amounting to a targeted amendment of Art. 30(5) GDPR.

The joint letter replies to the letter sent by the European Commission to the EDPB and the EDPS on 6 May 2025, in which the Commission explained how it intends to introduce specific modifications to the GDPR. The EDPB and EDPS understand that a formal consultation will take place after the publication of the proposed legislative change.

The EDPB and EDPS shared that, at this stage, they could express preliminary support for this targeted simplification initiative, bearing in mind that this would not affect the obligation of controllers and processors to comply with other GDPR obligations. Nevertheless, the EDPB and EDPS asked the Commission to better evaluate the impact on the organisations subject to this change, to assess whether the draft proposal ensures a proportionate and fair balance between the protection of personal data and the interests of organisations with fewer than 500 employees.

EDPB-EDPS Letter on European Commission draft proposal on simplification of record-keeping under the GDPR

EDPB