Brussels, 09 April - The European Data Protection Board (EDPB) has published its 2025 Annual Report. The report provides an overview of the EDPB work carried out in 2025 and reflects on important milestones, such as the adoption of the Helsinki Statement on Enhanced Clarity, Support, and Engagement.

“In 2025, we saw the data protection landscape change significantly. The rapid expansion of the EU’s digital regulatory framework has added complexity to the data protection ecosystem. To help organisations navigate this complexity and support compliance, the EDPB focused on enhancing legal certainty, making compliance more achievable in practice, and strengthening cooperation, both among Data Protection Authorities and with other regulators. 

We also prioritised meaningful dialogue with stakeholders to ensure our work reflected real-world needs.

Our achievements support economic growth while continuing to protect individuals’ fundamental rights to privacy and data protection.”

EDPB Chair, Anu Talus

The Helsinki’s statement initiatives leading the way

In 2025, the EDPB worked actively to address the demand for regulatory simplification to support innovation and economic growth, while ensuring the protection of individuals’ personal data. 

With this in mind, the Board adopted the Helsinki Statement on Enhanced Clarity, Support, and Engagement, which outlines new initiatives to make GDPR compliance easier, strengthen consistency, enhance the dialogue and improve transparency with stakeholders and boost cross-regulatory cooperation.  

For example, the Board launched a public consultation to ask organisations which templates would be most useful, organised several stakeholder events to consult organisations on upcoming guidelines and systematically published reports on stakeholder input. 

Easing compliance for organisations and providing legal advice

In the context of ongoing discussions on regulatory simplification at EU level, the EDPB actively contributed to legislative initiatives aimed at reducing administrative burden and streamlining requirements. The Board adopted a joint opinion with the European Data Protection Supervisor (EDPS) on the Commission’s Proposal for a Regulation amending certain regulations, including the GDPR. 

In addition, the Board held important discussions on this matter during plenary meetings, which subsequently informed the  EPDB/EDPS joint opinions on the Commission’s proposals on the Digital Omnibus and on the Digital Omnibus on AI adopted at the beginning of 2026.

The Board also delivered five adequacy-related opinions concerning United Kingdom, Brazil and the European Patent Organisation (EPO). 

In addition, the Board adopted Recommendations on the legal basis for requiring the creation of user accounts on e-commerce websites, and Recommendations on the 2027 WADA World Anti-Doping Code upon request from the Commission.

Strengthening cross-regulatory cooperation

Cross-regulatory cooperation was a key focus for the EDPB last year. The EDPB worked together with the European Commission to clarify how data protection and digital laws interact and to address legal and practical challenges in cross-sectoral cases.

In 2025, the EDPB adopted its first set of joint guidelines with the Commission on the interplay between the Digital Markets Act (DMA) and the GDPR. The Board also worked with the Commission on joint guidelines on the interplay between the AI act and EU data protection laws for adoption in 2026. 

In addition, the EDPB adopted guidelines on the interplay between the Digital Services Act (DSA) and the GDPR.

Placing stakeholders at the heart of the EDPB work

In 2025, a public consultation was launched on the joint guidelines with the Commission on the DMA and the GDPR. The Board has also organised public consultations on the EDPB guidelines on DSA and GDPR, blockchain technologies, pseudonymisation and on the recommendations on the legal basis for requiring the creation of user accounts on e-commerce websites.

In addition, in line with the Helsinki statement’s objectives to make GDPR compliance easier, the EDPB organised a public consultation to understand which templates organisations consider would be most useful for them (e.g. privacy notice template, record of processing activities template, etc.).

In December 2025, a stakeholder event on anonymisation and pseudonymisation took place, which was followed by a  report on the input collected during the event. 

Promoting high standards of data protection worldwide

In line with its Strategy 2024-2027, the EDPB continued to engage with the international community to promote a high level of data protection and to ensure effective protection of personal data beyond EU borders. To this end, the Board participated in international fora such as the G7 Data Protection Authorities Roundtable and the Global Privacy Assembly.

In December 2025, the EDPB also held online the second meeting with Commissioners and representatives of Data Protection Authorities (DPAs) from the countries and the organisation with an EU adequacy decision.

Providing guidance and ensuring consistency 

In 2025, three new set of guidelines focusing on pseudonymisation, blockchains technologies and on the DSA and the GDPR, and guidelines following public consultation on data transfers to third country authorities were adopted. 

29 Art. 64(1) GDPR opinions were adopted, reflecting the Board’s continued commitment to promoting harmonisation.

Supporting consistent and effective enforcement 

Strengthening cooperation among DPAs was another key priority in 2025. This took place through multiple instruments aimed at facilitating joint actions and knowledge-sharing, including the Coordinated Enforcement Framework (CEF), the Support Pool of Experts (SPE) and dedicated taskforces. 

The Board contributed to improving cross-border cooperation, supporting DPAs in handling complex cases and ensuring alignment in enforcement practices. In 2025, 414 cross-border cases were created in the EDPB’s case register, and 1299 procedures related to the One-Stop-Shop (Art. 60 GDPR) were triggered, out of which 572 let to final decisions.

Finally, at national level DPAs issued a total of €1,15 bn worth in fines.

Brussels, 23 March - On 17 March 2026, the EDPB conference “Cross-regulatory interplay and cooperation in the EU: a data protection perspective” took place in Brussels. The event showcased high-level discussions, featuring contributions from representatives of key EU institutions, European Data Protection Authorities, academia and industry. 

Key takeaways from the panel discussions

Throughout the day, three panels were held, focusing on 1) data protection and competition, 2) the Digital Markets Act (DMA) and the GDPR, and 3) the Digital Services Act (DSA) and the GDPR. 

During the first panel, speakers emphasised the critical need for cooperation between regulatory bodies in the fields of data protection and competition and shared views on what regulators in the two fields can learn from each other, especially in the aftermath of the Bundeskartellamt ruling. A speaker emphasized that regulators should align their approaches and recognize synergies between the two fields, such as protecting consumers and data subjects. Others pointed out that fixing harm to end users does not always solve competition issues, and that data protection should be considered in competition analysis only when relevant, on a case-by-case basis. Panellists also highlighted the need to cooperate not just on individual cases, but on broader concepts and legal principles.  In this context, the EDPB has recently agreed to develop joint guidelines with the European Commission to address the interplay between competition law and data protection.

The discussions in the second panel centred on the joint guidelines on the DMA and the GDPR, which were developed by the European Commission and the EDPB and recently underwent public consultation. The joint guidelines are an unprecedented work and a good example of regulatory cooperation paving the way for further examples ahead, in line with the EDPB Strategy 2024-2027 and Helsinki Statement’s objectives to strengthen cross-regulatory cooperation. A crucial goal of the guidelines is the development of a coherent and compatible interpretation of the DMA and the GDPR while respecting the regulatory competences. It was emphasised that these guidelines help break silos, strengthen consistency, and provide further clarity and legal certainty. All of this contributes to easier compliance, which is valued by stakeholders and increases trust. At the same time, certain speakers suggested improvements to the final version of the guidelines, bearing in mind the DMA should not be given primacy over the GDPR and that the measures companies have to comply with should be proportionate.  Other examples of cooperation in this domain were also mentioned, such as the participation in the High Level Group for the Digital Markets Act and specific instances of cooperation on concrete cases. 

The last panel of the day explored how the Digital Services Act (DSA) and the GDPR interact. Panellists provided the example of the protection of minors: age verification should be effective yet fully in line with data protection legislation.  They highlighted the growing need for strong coordination between the two frameworks, including the role of the European Board for Digital Services and other ways for the Commission and the EDPB to work together. A speaker also underlined the challenges and ongoing work on cross-regulatory cooperation from the perspective of a national authority. Another speaker urged regulators to work on building a fully coherent interpretation of the two frameworks and more globally of the digital legislation. Panellists also stressed that emerging technologies such as artificial intelligence are reshaping online ecosystems and, as a result, the role of the DSA and the GDPR.  The panel concluded with a clear message: online safety under the DSA and the lawful processing of personal data are two sides of the same coin, both calling for the DSA and the GDPR to be read coherently. 

Highlights from the keynote speeches

The event also featured the participation of the Executive Vice-President of the European Commission for Technological Sovereignty, Security, and Democracy Henna Virkkunen and the European Parliament’s LIBE Committee Chair Javier Zarzalejos. 

Vice President Virkkunen welcomed the EDPB’s commitment to clarity, support and engagement in its Helsinki statement, aiming to ensure the work of the EDPB is clear, practical and consistent with the policy choice to protect individuals. EVP Virkkunen underlined the Commission’s commitment to seamless cooperation between different frameworks, mentioning several examples of successful cooperation, and highlighted that the Commission and the EDPB have heard the stakeholders’ call to provide support to compliance through stronger cooperation among regulators.  

LIBE Chair Zarzalejos underlined that close cross-regulatory cooperation is essential to ensure consistency, to maximise the effectiveness of enforcement efforts and to ensure trust. Chair Zarzalejos highlighted the intersections between data protection law on the one hand, and, on the other hand, competition law, the DMA, and the DSA, emphasizing the interconnected challenges for policymakers and businesses. He ended his speech with a call in favour of EU digital sovereignty.

A forward-looking approach

EDPB Chair Anu Talus closed the conference by reiterating that the EDPB and European Data Protection Authorities are committed to continue supporting stakeholders in navigating the new cross-regulatory landscape.

The EDPB will continue working with the Commission on joint guidelines on the interplay between the AI Act and the GDPR, as well as on the final version of the joint guidelines on the interplay between the DMA and the GDPR. Moreover, work will start on the recently announced Joint Guidelines on the interplay between data protection and competition law. 

In this process, stakeholders play a key role and, as stated in the Helsinki statement, the EDPB remains fully committed to further strengthening the dialogue with them.

Cross-regulatory cooperation is the future: speakers weigh in

During the conference, we took the opportunity to ask several speakers about the importance of cross-regulatory cooperation and how they see the role of Data Protection Authorities evolving in the years to come. Watch the video to hear what they have to say.

Sorry, your browser doesn't support embedded videos.

Brussels, 19 March 2026 – The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the European Commission’s proposal for a Cybersecurity Act 2 (CSA2) and the proposal on amendments to the Network and Information Security 2 (NIS2) Directive.

On 20 January 2026, the Commission published a cybersecurity package proposal to further strengthen cybersecurity in Europe while making compliance with cybersecurity laws easier for organisations. In their joint opinion, issued at the request of the Commission*, the EDPB and the EDPS address the proposed revision of the CSA and the targeted amendments to the NIS2 Directive.

“The relationship between data protection and cybersecurity is reciprocal and deeply interconnected. While cybersecurity supports the protection of personal data by limiting the risks of unwanted access, modification or unavailability of data, it is crucial to ensure that security controls are implemented in a way that does not undermine individuals’ fundamental rights and freedoms.”

EDPB Chair Anu Talus

“While maximizing the effectiveness of cybersecurity measures is vital, we must ensure that the processing of personal data remains limited to what is strictly necessary. We welcome the reinforced role of ENISA to promote digital resilience; our hope is that this new mandate fosters the synergies needed to create a robust ecosystem where security and privacy go hand in hand.”

European Data Protection Supervisor, Wojciech Wiewiórowski

Regarding the Proposal for the CSA2, the EDPB and the EDPS support the general objective to strengthen the role of the European Union Agency for Cybersecurity (ENISA) and to facilitate uptake of cybersecurity certification, as well as the objective to further address the various risks to ICT supply chains, including non-technical ones.

The proposal to provide further clarification on the way ENISA gives support to different stakeholders is well received. The EDPB and the EDPS specifically welcome that ENISA’s advice would be issued upon a prior request from the EDPB, thus ensuring a clear coordination and a clear division of responsibilities. They also suggest adding the EDPS as a possible requestor of advice from ENISA.

In the joint opinion, the EDPB and the EDPS recall that in case the Management Board of ENISA decides to adopt additional measures necessary for the application of the EU Data Protection Regulation, such decisions should be limited to very technical (practical) details related to the processing of personal data. The Proposal should also provide for a prior consultation with the EDPS before adoption of such rules.

The joint opinion welcomes the synergies that might arise from the cooperation between ENISA and other EU institutions and bodies, and also recommends adding an explicit reference to the EDPS as an EU body with which ENISA would cooperate.

While the objective of facilitating uptake of cybersecurity certification is welcome, the scope of the European Cybersecurity Certification Framework and its relationship with GDPR certification should be further clarified. To ensure consistency, ENISA should consult with the EDPB before adopting a certification scheme relating to the security of processing of personal data. Furthermore, certification schemes for products, services and processes that are likely to be used in data processing operations, should take into account security controls that can help to demonstrate the fulfilment of GDPR requirements, to the extent possible.

The EDPB and the EDPS recommend that the European Cybersecurity Skills Framework is not only limited to cybersecurity professionals, but also includes a general workforce profile.

In line with the recent EDPB-EDPS joint opinion on the Digital Omnibus Regulation Proposal, the EDPB and EDPS express their support for the establishment of a single-entry point for the notification of personal data breaches, as it would reduce the administrative burden for notifying organisations without affecting the level of protection for individuals.

Regarding the proposed amendments to the NIS2 Directive, the EDPB and the EDPS welcome the designation of European Digital Identity Wallets and European Business Wallets providers as 'essential entities'.

Note to editors:
* On 21 January 2026, the Commission formally consulted the EDPB and the EDPS and requested a joint opinion on the European Commission’s proposal for a CSA2 and the proposal on amendments to the NIS2 Directive in accordance with Art. 42(2) of Regulation (EU) 2018/1725.

Brussels, 19 March - The EDPB has launched its Coordinated Enforcement Framework (CEF) action for 2026*. Following a year-long coordinated action on the right to erasure in 2025, the CEF's focus this year will shift to compliance with the obligations of transparency and information under the GDPR.

The GDPR ensures that individuals are informed when their data is being processed (under Art. 12, 13 and 14). This right to be informed is a core element of transparency and ensures that individuals have more control over their data.

Next steps

During 2026, 25 Data Protection Authorities (DPAs) across Europe will take part in this initiative. They will look closely to assess the compliance of controllers with their transparency obligations under the GDPR.

Participating DPAs will soon contact controllers from different sectors across Europe, either through enforcement actions or fact-finding exercises. In the latter case, they might also decide to undertake additional follow-up actions if needed.

During the second half of the year, participating DPAs will share and discuss their findings together, with a view to aggregate the results of their national actions and generate deeper insight into the topic. A consolidated report will then be drafted and submitted for adoption by the EDPB, allowing for targeted follow-ups on both national and EU levels.

Background

The CEF is a key action of the EDPB under its 2024-2027 Strategy, aimed at streamlining enforcement and cooperation among DPAs.

In 2023, the EDPB published the report on its first coordinated action on the use of cloud-based services by the public sector.

In 2024, the EDPB also published the report on the outcome of the second coordinated action on the designation and position of Data Protection Officers.

In 2025, the EDPB issued the report on its third coordination action on the implementation of the right of access.

In 2026, the EDPB has adopted a report on its Coordinated Enforcement Framework (CEF) action on the right to be forgotten (Art.17 GDPR).

Note to editors:
*The Board selected this topic during its October 2025 plenary.

For further information:

• AT DPA: Europäischer Datenschutzausschuss kündigt CEF-Maßnahme für 2026 an
• DA DPA:  EDPB iværksætter koordineret indsats om oplysningspligten 
• DE DPA (Brandenburg): Brandenburgische Datenschutzaufsicht beteiligt sich an europaweiter Prüfung zu Transparenzpflichten mit Schwerpunkt Personalvermittlungen
• DE DPA (Niedersachsen):Niedersachsen beteiligt sich an europaweiter Datenschutzprüfung zu Transparenz- und Informationspflichten
• FR DPA: Le CEPD lance une action coordonnée concernant les obligations de transparence et d'information
• EL DPA: Έναρξη συντονισμένης δράσης του ΕΣΠΔ 2026 σχετικά με τη διαφάνεια και την υποχρέωση ενημέρωσης των υποκειμένων
• ES DPA: La AEPD participa en una acción europea para analizar el cumplimiento de las obligaciones de transparencia e información por parte de las organizaciones
• IT DPA: Garanti europei, focus sugli obblighi di informazione e trasparenza 
• MT DPA: Launch of Coordinated Enforcement Framework 2026 – IDPC
• SL DPA: Ali obdelujete osebne podatke transparentno? Usklajena akcija EDPB v letu 2026
• SK DPA: CEF 2026: Spoločná dozorová akcia EDPB zameraná na transparentnosť informovania do ktorej sa Úrad na ochranu osobných údajov Slovenskej republiky zapojí v priebehu roka 2026
• PT DPA: CNPD participa na ação de supervisão coordenada europeia sobre as obrigações de transparência e informação

Brussels, 12 March 2026 – The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the European Commission’s Proposal for a European Biotech Act. The Proposal aims to strengthen Europe’s biotechnology and biomanufacturing sectors, particularly in the area of health, by streamlining the regulatory framework and updating the rules for clinical trials.

The EDPB and the EDPS support the Proposal’s objective of fostering the EU’s competitiveness and addressing existing fragmentation in the application of the Clinical Trials Regulation (CTR). In particular, they welcome the aim to establish a single legal basis for the processing of personal data by sponsors and investigators, which will significantly improve legal clarity across Europe.

At the same time, the EDPB and the EDPS underline that the sensitivity of health and genetic data processed in the context of clinical trials requires a high standard of protection. The Joint Opinion provides several recommendations to ensure that the proposed simplifications do not lower the level of protection for clinical trial participants.

Key recommendations include:

• Clarifying controller roles: The Proposal should specify whether the actors involved in funding and conducting clinical trials act as sole or joint data controllers, to ensure a clear allocation of responsibilities.
• Limiting data retention: The mandatory 25-year minimum retention period should expressly apply only to the clinical trial master file, rather than to all personal data processed during a trial.
• Further processing for other clinical trials or for scientific research: As the Proposal aims to provide a legal basis under Union law for the further processing of trial data by the same controller, the Biotech Act should clearly define the purposes, as well as specific safeguards for such processing.
• Coherence with the AI Act: While promoting the use of AI in biotechnology, the Biotech Act should ensure that obligations for sponsors complement the existing requirements under the AI Act to ensure a consistent regulatory environment.
• Appropriate technical and organisational measures: The CTR should explicitly require the use of pseudonymisation whenever it is not necessary to process directly identifiable personal data.
• Regulatory sandboxes: If needed, the Commission's implementing acts regarding sandboxes in the specific context of clinical trials should provide for the legal basis for the processing of personal data, as well as for the derogation under Art. 9(2) for the processing of sensitive data; regarding other sandboxes, the processing of personal data should always be based on a legal basis under the GDPR. 

“Europe’s ambition to lead in medical innovation must go hand in hand with trust. Our opinion makes recommendations to the co-legislators aiming to ensure that the pursuit of new treatments respects the fundamental rights of individuals. This will help build a framework that protects clinical trial participants and will ensure further legal certainty for researchers.”
EDPB Chair, Anu Talus

“A competitive biotechnology sector in Europe requires a predictable and harmonised legal environment. We welcome the Proposal’s move towards a single legal basis for clinical trials, which will facilitate GDPR compliance and strengthen consistency across the Union. However, this harmonisation must be accompanied by strong safeguards, including a clear definition of the roles and responsibilities of all actors involved to ensure trust and accountability in scientific research.”
European Data Protection Supervisor, Wojciech Wiewiórowski
 

Brussels, 6 March - The EDPB organises a remote event to collect stakeholders’ input on its Guidelines on the processing of personal data to target or deliver political advertisements under the regulation on the transparency and targeting of political advertising, on 27 March 2026.

The agenda is available below

This will be an opportunity to inform and support the EDPB’s ongoing work on this topic as per its work programme 2024-2025 and it reflects the EDPB’s commitment to stakeholder engagement, as outlined in the recent Helsinki statement. 

Find out more: discussion paper.

The conference "Cross- regulatory interplay and cooperation in the EU: a data protection perspective” takes place on 17 March 2026 from 9.15 to 15.30. 
This event will offer a high-level overview of the EDPB’s work in the EU’s cross-regulatory landscape, focusing in particular on how regulatory frameworks interact and how cooperation between authorities is ensured.

• See the full conference programme

Registration is now closed, but the event will be livestreamed on our website.

Access the EDPB conference livestream

Brussels, 23 February - EDPB Chair Anu Talus has signed a Joint Statement on AI-Generated Imagery and the Protection of Privacy on behalf of the EDPB. The statement, coordinated by the Global Privacy Assembly's (GPA) International Enforcement Cooperation Working Group (IEWG), represents the united position of 61 authorities across the world. This reflects the Board’s commitment to contributing to the global dialogue on data protection as outlined in the fourth pillar of its  work programme 2026-2027.

The statement addresses serious concerns about AI systems that generate realistic images and videos depicting identifiable individuals without their knowledge or consent. Whilst AI has the potential to bring numerous benefits for individuals and society, recent developments - particularly AI image and video generation integrated into widely accessible social media platforms - have enabled the creation of non-consensual intimate imagery, defamatory depictions, and other harmful content featuring real individuals. The co-signatories are especially concerned about potential harms to children and other vulnerable groups, such as cyber-bullying and/or exploitation.

Expectations for organisations

The co-signatories remind organisations developing and using AI content generation systems that these systems must be developed and used in compliance with applicable legal frameworks, including data protection and privacy rules.  

Although specific legal requirements vary by jurisdiction, fundamental principles should guide all organisations developing and using AI content generation systems. These principles include: 

1. implementing robust safeguards,
2. ensuring meaningful transparency,
3. providing effective and accessible mechanisms to protect individuals, and
4. addressing specific risks to children.

Joining forces to address a global risk

The harms arising from the non-consensual generation of intimate, defamatory, or otherwise harmful content depicting real individuals are significant and warrant urgent regulatory attention. The co-signatories are committed to addressing this global risk and will join efforts. To achieve this, the co-signatories aim to share information on their approaches to addressing these concerns.

Finally, the co-signatories call on organisations to engage proactively with regulators, implement robust safeguards from the outset, and ensure that technological advancements do not come at the expense of privacy, dignity, safety, and other fundamental rights - particularly for the most vulnerable members of our global society.
 

Brussels, 18 February - The European Data Protection Board (EDPB) has adopted a report on its Coordinated Enforcement Framework (CEF) action on the right to be forgotten (Art.17 GDPR).  The Board selected this topic as it is one of the most frequently exercised GDPR rights and one about which DPAs frequently receive complaints from individuals.

The main objectives of this coordinated action are to ensure that the right to erasure is effectively exercised by individuals in Europe and understand how controllers comply with this right in practice. In addition, the EDPB identified good practices and the most important related challenges, with the aim of providing further guidance on this topic. 

Throughout 2025, 32 DPAs across Europe took part in this initiative. More specifically, 9 DPAs have initiated new formal investigations or have continued ongoing ones, and 23 DPAs carried out a fact-finding exercise. A total of 764 controllers across Europe responded to the action, ranging from small and medium-sized enterprises (SMEs) to big companies active in many different industries and fields, as well as various types of public entities.

The results of these national actions have been aggregated and analysed together allowing for targeted follow-up on both national and EU level.

Areas of improvement and main challenges

The report lists the issues that were identified, along with a series of recommendations addressed to controllers, to help them implement the right to erasure.

Seven recurring main challenges were identified by DPAs. The results confirmed some of the findings of the 2024 coordinated action on the right of access, for example when it comes to the lack of appropriate internal procedures to handle requests, or the lack of sufficient information provided to individuals. In addition, participating DPAs reported specific findings related to the reliance by some controllers on inefficient anonymisation techniques to handle erasure requests as an alternative to deletion. DPAs also noted inconsistent practices, and the difficulties faced by controllers regarding the determination of retention periods and the deletion of personal data in the context of back-ups.

In addition, as the right to erasure is not an absolute right, some controllers face difficulties in assessing and applying the conditions for the exercise of this right, including in carrying out the different balancing tests between the right to erasure and other rights and freedoms.

Follow-up to help organisations comply 

Extensive guidance, documents and templates exist at national level to help controllers comply with the right of erasure and help individuals exercise this right. In line with the Helsinki Statement’s objectives of making GDPR compliance easier and ensuring consistent interpretation and enforcement across Europe, the extensive guidance and templates already available at national level will be leveraged at EDPB level where appropriate.

Background and next steps

The CEF is a key action of the EDPB under its 2024-2027 Strategy, aimed at streamlining enforcement and cooperation among DPAs. 

In 2023, the EDPB published the report on its first coordinated action on the use of cloud-based services by the public sector.

In 2024, the EDPB also published the report on the outcome of the second coordinated action on the designation and position of Data Protection Officers.

In 2025, the EDPB issued the report on its third coordination action on the implementation of the right of access.

The CEF 2026 action will be on the obligations of transparency and information under the GDPR.

For further information:

• DA DPA:  EDPB vedtager rapport om dataansvarliges overholdelse af retten til sletning
• DE-BW DPA: „Coordinated Enforcement Framework“ (CEF) 2025: Ergebnisse der europaweiten Aktion zum „Recht auf Löschung“ liegen vor
• DE LDA DPA: Brandenburgische Datenschutzbeauftragte beteiligte sich an europaweiter Prüfaktion zur Umsetzung des Rechts auf Löschung
• EL DPA: Ολοκλήρωση της συντονισμένης δράσης του ΕΣΠΔ για την εφαρμογή του δικαιώματος διαγραφής
• ES DPA: Resultados de la acción europea que ha analizado la atención del ejercicio del derecho de supresión por parte de los responsables
• FI DPA: Raportti henkilötietojen poisto-oikeutta koskevasta selvityksestä on julkaistu – täydensimme ohjeistusta
• IE DPA: DPC welcomes publication of EDPB CEF implementation report on right to be forgotten
• IT DPA: Garanti europei, le sfide per una piena attuazione del diritto alla cancellazione
• MT DPA: Information and Data Protection Commissioner welcomes publication of the European Data Protection Board’s report on the Right to Erasure
• SE DPA: EDPB publicerar rapport om rätten till radering
• SI DPA: Ali ponudniki digitalnih storitev spoštujejo pravico do izbrisa osebnih podatkov? Poročilo skupne evropske akcije CEF 2025
• PL DPA: EROD wskazuje wyzwania utrudniające pełną realizację prawa do usunięcia danych
• PT DPA: CNPD participou na ação de supervisão coordenada europeia em 2025 dedicada ao direito ao apagamento

Brussels, 13 February - The EDPB has recently adopted its work programme for 2026-2027,  which is grounded in the four pillars of the EDPB strategy 2024-2027.

The work programme is based on the priorities set out in the EDPB strategy and it also takes into account the commitments made in the Helsinki Statement on enhanced clarity, support and engagement aimed at making GDPR compliance easier, strengthening consistency, and boosting cross-regulatory cooperation.

Easing compliance is at the top of the EDPB agenda

The work programme reaffirms the commitment of the EDPB to simplifying GDPR compliance for organisations, which includes the development of a series of ready-to-use templates for organisations. Following the public consultation on this,  the EDPB decided to develop templates for legitimate interest assessment, record of processing activities and privacy notice/policy in addition to the already announced templates for data breach notifications and data protection impact assessment.

This is also in line with both the Helsinki Statement’s objectives of strengthening dialogue with stakeholders and facilitating GDPR compliance for organisations.

More information about the EDPB work programme can be found here.

Brussels, 12 February - During its latest plenary, the EDPB adopted its work programme for 2026-2027.  This is the second work programme to support the implementation of the EDPB strategy 2024-2027*.

The work programme is based on the priorities set out in the EDPB strategy and the needs identified as most critical for stakeholders. It also takes into account the commitments made in the Helsinki Statement on enhanced clarity, support and engagement aimed at making GDPR compliance easier, strengthening consistency, and boosting cross-regulatory cooperation.

Built on the four pillars of the EDPB strategy, the work programme focuses on 1) enhancing harmonisation and promoting compliance, 2) reinforcing a common enforcement culture and effective cooperation, 3) safeguarding data protection in the developing digital and cross-regulatory landscape, and 4) contributing to the global dialogue on data protection.

Enhancing harmonisation and promoting compliance

The EDPB will continue to provide timely and clear guidance on key issues and concepts of EU data protection law to make GDPR compliance easier. For example, the EDPB is working on guidelines on Consent or Pay, guidelines on anonymisation, guidelines on pseudonymisation and guidelines on children’s data. The Board will also develop and promote tools for a broader audience, by producing content for non-experts, such as templates, illustrative examples, checklists, FAQs and “how to” guides.

The EDPB will support the implementation of compliance measures for controllers and processors. 

The EDPB will advise the EU legislature on important issues related to the protection of personal data in the EU. This includes giving advice on legislative proposals, together with the EDPS in the context of joint opinions such as with the Digital Omnibus, in response to any requests from the European Commission.

Reinforcing a common enforcement culture and effective cooperation

“We will continue working together to ensure greater consistency across Europe and to strengthen cooperation among Data Protection Authorities.
The commitments we made last year in our Helsinki statement will be our compass going forward. We will also embrace the opportunities that come with the recently adopted Regulation on GDPR procedural rules.”
EDPB Chair, Anu Talus

The EDPB will remain fully committed to fulfil its role as a forum to regularly exchange information on ongoing cases, expertise and best practices among DPAs. The Board will also continue to support the development of enforcement and cooperation tools and will focus on ensuring the smooth functioning of the consistency mechanism.

The IT tools and systems used by the Board will be evaluated and enhanced.

Safeguarding data protection in the developing digital and cross-regulatory landscape

The EDPB will continue to promote a human-centric approach to new technologies, including via the adoption of guidelines on generative AI and data-scraping. 

The EDPB will proactively engage with other regulatory authorities on matters relating to data protection to support the new cross-regulatory landscape. The Board will continue to take an active role in relevant forums, including the Digital Markets Act (DMA) High Level Group, the European Board for Digital Services and the European Data Innovation Board. 

The Board will establish common positions and guidance in the cross-regulatory and interdisciplinary landscape, while maintaining coherent and consistent safeguards for the protection of personal data. Guidance in this regard will include joint guidelines on the Interplay between the AI Act and the GDPR and guidelines on political advertising. 

Contributing to the global dialogue on data protection

The EDPB commits to promoting global dialogue on privacy and data protection, focusing on international cooperation in enforcement among its members and also with authorities of third countries. It will continue its initiative of close cooperation with DPAs from the countries or organisations with an adequacy decision. 

The EDPB will also continue to work on the GDPR and Law Enforcement Directive (LED) transfer mechanisms and provide further guidance on their practical implementation.

The EDPB will be engaged with the international community, making sure to facilitate the exchange of information and cooperation among the EDPB members active in international forums. 

Note to editors:
* The first work programme supporting the EDPB strategy 2024-2027 can be found here.
 

Brussels, 11 February - The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the Digital Omnibus Regulation proposal.* This proposal aims to simplify the EU's digital regulatory framework, reduce administrative burden and enhance the competitiveness of European organisations.

The EDPB and the EDPS focus on the aspects concerning the GDPR, the EUDPR, the ePrivacy Directive, and the Data Acquis.** More specifically, they assess whether the proposal 1) leads to real simplification and facilitates compliance, 2) brings more legal certainty and 3) affects individuals’ fundamental rights.

Changes to the GDPR and the EUDPR

Changes raising significant concerns

Some proposed changes raise significant concerns as they can adversely affect the level of protection enjoyed by individuals, create legal uncertainty and make data protection law more difficult to apply.

The EDPB and the EDPS strongly urge the co-legislators not to adopt the proposed changes to the definition of personal data as they go far beyond a targeted or technical amendment of the GDPR. In addition, they do not accurately reflect and clearly go beyond the CJEU jurisprudence, and they would result in significantly narrowing the concept of personal data. The European Commission should not be entrusted to decide by an implementing act what is no longer personal data after pseudonymisation as it directly affects the scope of application of EU data protection law.  

“Simplification is essential to cut red tape and strengthen EU competitiveness — but not at the expense of fundamental rights. We welcome the Commission’s steps toward greater harmonisation, consistency, and legal certainty. However, we strongly urge the co-legislators not to adopt the proposed changes in the definition of personal data, as they risk significantly weakening individual data protection.”

EDPB Chair, Anu Talus

“We strongly urge the co-legislators not to adopt the proposed changes to the definition of personal data. These changes are not in line with the Court’s case law and would significantly narrow the concept of personal data.  We must make sure that any changes to the GDPR and EUDPR actually clarify obligations and bring legal certainty while maintaining trust and a high level of protection of individual rights and freedoms."

European Data Protection Supervisor, Wojciech Wiewiórowski

Steps in the right direction

The EDPB and the EDPS are in favour of the increase of the threshold of risk leading to the obligation to notify a data breach to the competent Data Protection Authority (DPA) and the extension of the deadline to submit such a notification. This would significantly reduce the administrative burden for organisations without affecting the protection of individuals’ personal data. In addition, the proposed common templates and lists for data breaches and data protection impact assessments are positive.

The EDPB and the EDPS also welcome the proposed introduction of a new derogation to process special categories of data for biometric authentication, where the verification means are under the individual’s sole control.

Lastly, they support the harmonisation of the notion of ‘scientific research’ and other related changes, since they enhance legal certainty and help to bring more harmonisation.

Changes that need fine-tuning

As stated in the EDPB Opinion 28/2024 on AI models, legitimate interest may be used, in some cases, as a legal basis in the context of the development and deployment of AI models or systems. Therefore, the EDPB and the EDPS do not consider it necessary to include a specific provision on this in the GDPR.

The EDPB and the EDPS welcome the proposal’s aim to introduce a specific derogation to the prohibition to process sensitive data, subject to conditions, covering the incidental and residual processing of such data in the context of the development and operation of AI systems or models. However, they recommend several improvements, such as clarifying the scope of the derogation and ensuring safeguards throughout the whole lifecycle.

The EDPB and the EDPS agree with the Commission’s aim to provide legal clarity to controllers where they face abuse of rights by data subjects. However, they consider that the exercise of the right to access for purposes other than the protection of personal data should not be an element defining what an abuse is. Concerning the new derogation for transparency, the EDPB and the EDPS support simplifying information requirements and reducing administrative burden, in particular for SMEs, but suggest clarifications to ensure legal certainty and ensure that individuals may still receive relevant information about their data when necessary.

Lastly, changes brought to the provision on automated individual decision-making should be clarified to make these changes meaningful and legally sound.

Changes to the ePrivacy Directive

The EDPB and the EDPS strongly support the objective of providing for a regulatory solution to address consent fatigue and the proliferation of cookie banners. This relates, for instance, to the proposed requirements on the use of automated and machine-readable indications of individuals’ choices regarding the processing of their data. The use of technical means can simplify compliance by controllers and support individuals in making their online choices effective.

The EDPB and the EDPS also welcome the limited additional derogations to the general prohibition to store or gain access to personal data in the terminal equipment and further invite the co-legislators to incentivise contextual advertising rather than behavioural advertising, by adding a specific exception surrounded by some safeguards.

The EDPB and the EDPS welcome the fact that the oversight of such matters will be entrusted to DPAs. 
At the same time, the EDPB and the EDPS highlight the legal and technical difficulties raised by the co-existence of two different regimes for personal and non-personal data. They also provide additional recommendations to enhance legal certainty, minimise the risk and foster responsible innovation.

Changes to the Data Acquis

The EDPB and the EDPS support the simplification of the Data Acquis through the integration into the Data Act of the Data Governance Act and Open Data Directive rules on the re-use of data and documents held by public sector bodies.

In relation to access granted by public bodies for re-use, they recommend maintaining the clarity offered by the current legal framework, namely that it does not oblige public sector bodies to allow re-use, nor does it provide a legal basis for granting access.

Regarding public emergencies, the EDPB and the EDPS recommend affirming that personal data can be shared only in pseudonymised form with public sector bodies, in cases where anonymous data is insufficient to respond to the public emergency.

Concerning data intermediation services and data altruism organisations, the EDPB and the EDPS highlight the importance of trustworthy and responsible data sharing. They recommend maintaining specific safeguards, favouring transparency and oversight.

The EDPB and the EDPS recommend streamlining further the provisions on enforcement (e.g. by enabling cross-regulatory exchange of information on enforcement including with DPAs and clarifying the role of DPAs in enforcing the Data Act).

The EDPB and the EDPS welcome the proposal’s confirmation of the European Data Innovation Board (EDIB)’s role in supporting the consistent application of the Data Act. On the development of guidelines, they recommend empowering the Commission to issue guidelines on any topic concerning the Data Act and clarifying the EDIB’s role in assisting the Commission in this process. This would enable the Commission to develop joint guidelines with the EDPB and allow the EDIB to advise and assist the Commission in the development of such guidelines.

Note to editors:

*On 19 November 2025, the Commission adopted a Digital Omnibus proposal amending a large corpus of the EU’s digital legislation, including the GDPR, the EUDPR, the Data Act, the ePrivacy Directive, the NIS 2 Directive.

On 25 November 2025, the Commission formally consulted the EDPB and the EDPS in accordance with Article
42(2) EUDPR and requested an opinion on the aspects concerning the GDPR, the EUDPR, the ePrivacy Directive, and the Data Acquis.

On 20 January 2026, at the request of the Commission, the EDPB and EDPS have also adopted a  Joint Opinion on the ‘Digital Omnibus on AI'’.

** The “data acquis”, part of the Digital Omnibus proposal, aims to repeal the Data Governance Act (“DGA”), Open Data Directive (“ODD”) and the Free Flow of Non-Personal Data Regulation (“FFNPR”) and integrates amended relevant provisions of those acts into the Data Act.

The European Data Protection Board (EDPB) invites you to register for its conference, “Cross-regulatory interplay and cooperation in the EU: a data protection perspective”, taking place on 17 March 2026 in Brussels.

This event will offer a high-level overview of the EDPB’s work in the EU’s cross-regulatory landscape, focusing in particular on how regulatory frameworks interact and how cooperation between authorities is ensured.

Registration is now closed.

There will also be a possibility to follow the event remotely.

Brussels, 29 January - The EDPB organises a remote event to collect stakeholders’ input on its Guidelines on the processing of personal data to target or deliver political advertisements under the regulation on the transparency and targeting of political advertising. The event will take place on 27 March 2026 (time to be confirmed).

This will be an opportunity to inform and support the EDPB’s ongoing work on this topic as per its work programme 2024-2025 and it reflects the EDPB’s commitment to stakeholder engagement, as outlined in the recent Helsinki statement.  

Find out more: Discussion paper.

Watch the video on online data protection risks for kids 

Brussels, 28 January - Every day, the European Data Protection Authorities (DPAs) that make up the EDPB work together to ensure the protection of individuals’ personal data. When it comes to children's data, extra vigilance is essential, particularly in today's fast-evolving digital environment where new risks emerge constantly.

Children are more at risk online than adults because they do not easily recognise dangers, tend to trust strangers too much, and may share personal data without realising. The apps they use often collect their data and, without adequate protections, they can be exposed to harmful content. These risks can follow them throughout their lives, affecting their privacy and leaving long-term digital footprints that are difficult to erase.

The EDPB’s commitment in action

Protecting children’s data is a strategic priority for the EDPB and the Board has delivered important advances in safeguarding children's digital rights.

In February 2024, the EDPB adopted a Statement on the legislative developments regarding the Proposal for a Regulation to prevent and combat child sexual abuse. The Statement follows the EDPB-EDPS Joint Opinion on the same proposal.

In February 2025, the EDPB has also adopted a Statement on age assurance aimed at helping organisations assess individuals’ age in a GDPR-complaint way. Age assurance is essential to ensure that children do not access content that is not appropriate for their age.  At the same time, the method to verify age must be the least intrusive possible and the personal data of children must be protected.

In its statement on age assurance, the EDPB lists ten principles for the compliant processing of personal data when determining the age or age range of an individual. The EDPB supports measures to determine whether someone is above a certain age threshold, but only when these measures are proportionate and follow key EU data protection principles such as protecting privacy by default.

In addition, as stated in the EDPB strategy 2024-2027,  the Board is currently working on Guidelines on the processing of children's data.

The EDPB is making data protection child’s play

The EDPB is taking a step forward by speaking directly to children about online privacy. By breaking down complex ideas into simple, relatable concepts and using colourful, interactive materials, the EDPB will help children understand their digital rights and the importance of protecting their personal data.

We will soon launch a dedicated hub, “Privacy for Kids”, where parents, teachers, and educators can find everything they need to help children understand and protect their digital privacy. The data protection hub will gather educational resources provided by DPAs from all over Europe. The content will be available in different languages.

In the spirit of Data Protection Day and while awaiting the launch of this new hub, today we are delighted to give you a sneak peek of this exciting project through our animated video.

Discover with us why it is so important for children to be aware of online data protection risks. Take a moment to watch this video with the children in your life and share it far and wide to help reach as many children as possible. It is the perfect way to start a meaningful conversation with them about privacy and responsible online behaviour. 

Sorry, your browser doesn't support embedded videos.

Brussels, 21 January - The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the European Commission’s Proposal for the ‘Digital Omnibus on AI’. The Proposal seeks to simplify the implementation of certain harmonised rules under the AI Act to ensure their effective application.
The EDPB and the EDPS support the objective of addressing practical challenges relating to the implementation of the AI Act. Administrative simplification must not, however, lower the protection of fundamental rights. The Joint Opinion acknowledges the complexity of the AI landscape and welcomes efforts to ease burdens for organisations. However, certain proposed changes could undermine the protection of individuals in the context of AI. 

“Innovation and efficiency are crucial and can coexist with maintaining accountability of AI providers. We welcome EU-level regulatory sandboxes and simplified procedures to promote innovation and support SMEs in Europe. However, Data Protection Authorities must maintain a central role when it comes to the processing of individuals’ personal data. Cooperation between Data Protection Authorities, the AI Office and Market Surveillance Authorities is essential to ensure legal certainty for organisations and foster innovation while upholding individuals’ fundamental rights.”
EDPB Chair, Anu Talus

“Simplification is welcome when it clarifies obligations, empowers individuals, and strengthens trust. A careful balance needs to be kept by reducing administrative burden where possible, without undermining the protection of fundamental rights. Furthermore, we must ensure that the role of the AI Office is clearly defined and does not affect the independent supervision of European Union Institutions’ own use of AI systems.”
European Data Protection Supervisor, Wojciech Wiewiórowski

The Proposal would extend the possibility to process special categories of personal data (such as ethnicity or health data) for bias detection and correction to providers and deployers of any AI systems and models, subject to appropriate safeguards. The EDPB and the EDPS recommend specifying that these data may be used for bias detection and correction only in circumscribed situations where the risk of adverse effects from such bias is considered sufficiently serious.

The EDPB and the EDPS advise against the proposed deletion of the obligation to register AI systems, when they fall under the categories listed as high-risk, even if the providers deem their systems to be ‘non-high risk’. The EDPB and the EDPS consider that this change would significantly undermine accountability and create an undesirable incentive for providers to unduly claim exemptions to avoid public scrutiny.

The EDPB and the EDPS welcome the creation of EU-level AI regulatory sandboxes to promote innovation. To ensure legal certainty, the Joint Opinion recommends the direct involvement of competent Data Protection Authorities (DPAs) in the supervision of data processing within sandboxes. In addition, the EDPB should be afforded an advisory role and the status of observer at the European Artificial Intelligence Board to ensure consistency in relation to EU-level sandboxes. Furthermore, the supervisory role of the AI Office with regard to AI systems based on a general-purpose AI model should be clearly delineated in the operative part and should not overlap with the independent supervision by the EDPS of AI systems developed or used by Union institutions, bodies, offices or agencies.

The EDPB and the EDPS support the goal of streamlining cooperation between fundamental rights authorities or bodies and Market Surveillance Authorities, and the reliance on a central point of contact to increase efficiency. However, they recommend clarifying the role of the MSAs as administrative points of contact for the execution and transmission of requests to providers and deployers, and ensuring that the independence and powers of DPAs are unaffected.

The EDPB and the EDPS also recommend maintaining a duty for AI providers and deployers to ensure AI literacy among their staff. Any new obligation to foster AI literacy placed on the Commission or Member States should complement, not replace, the responsibilities of the organisations actually developing and using these systems.

Finally, the EDPB and the EDPS express concerns regarding the proposed postponement of core provisions for high-risk AI systems. Given the rapid evolution of the AI landscape, they invite the co-legislators to consider whether the original timeline can be maintained for certain obligations, such as transparency requirements, and to minimise delays to the extent possible.

Brussels, 19 January - During its latest plenary, the EDPB adopted a report to support the European Commission’s evaluation of the Law Enforcement Directive (LED). 

The Commission has to submit its public report* on the evaluation and review of this Directive to the European Parliament and to the Council by 6 May 2026. Ahead of this, the Commission gathered the views of the European Data Protection Authorities (DPAs) on the application and functioning of the LED over the period from January 2022 to 31 August 2025.**

“We welcome the European Commission’s regular evaluations of the application of the LED, and we are committed to providing our expertise for these evaluations to ensure that the LED continues to uphold high data protection standards in the law enforcement context.”
EDPB Chair, Anu Talus

The EDPB facilitates cooperation and coordination between DPAs when supervising law-enforcement processing. The EDPB Secretariat also provides the Secretariat of the Coordinated Supervision Committee (CSC) which ensures coordinated supervision of large-scale IT systems and EU bodies and agencies in the areas of law enforcement and criminal justice. 

In its report, the EDPB highlights the key role of the LED in protecting personal data in the law enforcement context. DPAs have increasingly advised competent national authorities on mitigating data breaches, while many DPAs have also carried out awareness-raising activities and issued guidance.

The EDPB takes note of the request from DPAs to get more clarity on the scope of the LED, notably its boundary with the GDPR, and to address more thoroughly the challenges posed by the growing use of new technologies, such as AI, in the law enforcement context. The EDPB highlights the need for law enforcement authorities to use these tools in strict compliance with the LED, ensuring that their use is necessary, proportionate, and subject to adequate safeguards. 

According to the EDPB, in the context of the case law that developed since the last evaluation of the directive, it is essential to further strengthen the national implementation of the LED across the European Union. In addition, the role of Data Protection Officers (DPOs) should be reinforced to ensure the effective and consistent application of data protection rules in law enforcement activities.

The report also points to the need for improved cooperation, both among competent authorities responsible for the LED and among law enforcement authorities more broadly.

Finally, the EDPB underlines that both DPAs and the EDPB need additional financial and human resources, to carry out new tasks arising from recent legal acts, including responsibilities linked to the CSC, whose activities now also include the supervision of systems such as the Visa Information System (VIS), Prüm II, and the Entry Exist System (EES). 

Next, the EDPB adopted recommendations on the application for approval and on the elements and principles to be found in Processor Binding Corporate Rules (BCR-P).

These recommendations form an update of the existing BCR-P referential, which contains the criteria for BCR-P approval, and merge it with the standard application form for BCR-P. 

BCR-Ps are a transfer tool that can be used by a group of undertakings or enterprises to transfer personal data outside the European Economic Area to processors within the same group. BCRs create enforceable rights and set out commitments to establish a level of data protection essentially equivalent to the one provided by the GDPR. 

The new recommendations build upon the agreements reached and the experience gained by DPAs in the course of approval procedures on concrete BCR-P applications since the entry into application of the GDPR, as well as upon the work carried out in the context of the updated Recommendations on Controller Binding Corporate Rules (BCR-C). 

The recommendations provide clear criteria and explanations to ensure that BCR-P developed by groups of undertakings or enterprises are compliant with the GDPR. The recommendations clarify when BCR-P can be used, namely only for intra-group transfers between processors, when the controller is not part of the group. 

In addition, the recommendations clarify that the BCR-P are designed to meet the requirements of Article 28(4) GDPR. This means that any processor within the Group using BCR-P does not need to sign a separate sub-processing agreement with each sub-processor in the Group.  

The recommendations will be open to public consultation until 2 March 2026. 

The EDPB members also held an exchange of views on the upcoming joint opinion on the Digital Omnibus, which is scheduled for adoption at the February plenary meeting.

Note to editors
*The legal basis for the Commission’s action is Art. 62 of Directive (EU) 2016/680 (Law Enforcement Directive), which requires the Commission to evaluate and report on the application of the Directive.

**See also the European Commission Report on the application of the Law Enforcement Directive, COM(2022) 364 final, to which the EDPB contributed.

Brussels, 4 December - During its latest plenary, the EDPB adopted recommendations on the legal basis for requiring the creation of user accounts on e-commerce websites. In addition, the Board had a preliminary discussion on the Digital Omnibus proposal and appointed the new EDPB Deputy Chair.

Internet users visit e-commerce websites for a variety of reasons, including making online purchases, taking advantage of promotions, or simply browsing products. When interacting with these websites, they may be asked to create an account, which can result in the collection and processing of personal data, as well as increased privacy and security risks.

The EDPB adopted recommendations to clarify when e-commerce websites can require their users to create an account.

As a general rule, users should have the option to engage with e-commerce websites, including the ability to make purchases, without creating an account. In such cases, the EDPB recommends that e-commerce websites offer a choice: either a 'guest' mode, allowing users make purchases without creating an account, or the option to voluntarily create an account. This approach minimises the collection and processing of personal data, and therefore aligns with the GDPR's principle of data protection by design and by default. 

However, mandatory account creation can be justified in a limited number of cases, including for example, offering a subscription service or providing access to exclusive offers.

The recommendations highlight the EDPB's efforts to promote pragmatic, user-friendly and privacy-protective practices in the e-commerce sector.

The recommendations are subject to public consultation, providing stakeholders with the opportunity to comment and provide feedback.

Preliminary discussion on the Digital Omnibus proposal

The EDPB had a preliminary discussion on the proposal for a Digital Omnibus, on which the EDPB and EDPS will issue a Joint Opinion.

In its Helsinki Statement, the EDPB made proposals in order to achieve enhanced clarity, support and engagement. The EDPB and the EDPS welcome the discussion on effective digital regulation and remain committed to finding solutions to make GDPR compliance easier, especially for small organisations.

The EDPB and the EDPS will focus on how the European Commission’s proposal will impact the fundamental rights of individuals and whether it will lead to simplification for organisations and more legal certainty.

While numerous points need to be analysed, at this stage, the EDPB and the EDPS can already underline that the proposed modification of the definition of personal data seems to go further than the recent CJEU case law, and beyond a targeted modification of the GDPR, which may risk to adversely affect the fundamental right to data protection.

The EDPB recalls its upcoming public stakeholder event on this topic on 12 December 2025 and underlines that the implementation of the CJEU case law through guidelines taking into account stakeholders' input ensures greater certainty.

Jelena Virant Burnik elected new Deputy Chair of the EDPB

At this week’s plenary, the members of the EDPB appointed Jelena Virant Burnik, Information Commissioner of the Republic of Slovenia, as new Deputy Chair of the Board.

“I am honoured to have been elected as Deputy Chair of the EDPB. I am pleased to have the opportunity to help strengthen the role of the EDPB as a central authority in EU data protection.  I am committed to fostering cooperation among national Data Protection Authorities and providing a forum for their open discussions that help align the understanding and enforcement of the GDPR provisions.

In the ever-developing landscape of digital regulation, the EDPB must remain a regulator that understands the complex interplay of legislation and contributes productively to the discussions at European level. “

EDPB Deputy Chair, Jelena Virant Burnik

“Over the past years, the landscape in which we operate has fundamentally shifted, reshaping the EDPB’s role in Europe’s digital future. In this dynamic environment, the new EDPB Deputy Chair faces exciting challenges ahead. I am confident that the EDPB will greatly benefit from her expertise and dedication.

I look forward to collaborating with Jelena Virant Burnik to advance the EDPB’s shared mission: fostering innovation while safeguarding individuals’ fundamental rights."

EDPB Chair, Anu Talus

Over the coming years, Jelena Virant Burnik, will work closely with EDPB Chair Anu Talus and fellow Deputy Chair Zdravko Vukić to ensure the consistent application of EU data protection rules and promote effective cooperation among Data Protection Authorities across Europe.

Brussels, 3 December - As part of its December’s plenary meeting, the European Data Protection Board (EDPB) held yesterday an online meeting with Commissioners and representatives of Data Protection Authorities (DPAs) from the countries and the organisation with an EU adequacy decision. This meeting marked the second of its kind, following the first gathering in October 2024.

An adequacy decision is a key-mechanism in EU data protection legislation which allows free flow of personal data from Europe to third countries or an international organisation offering an adequate level of data protection.* To date, the following countries and organisation benefit from this:  Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, Uruguay, United States, and the European Patent Organisation. Data Protection Authorities from those countries and the European Patent Organisation are key partners for the EDPB, playing a key role in our joint efforts to strengthen data protection worldwide.

Strengthening multilateral cooperation

The Board organised a first meeting in October 2024 with Data Protection Authorities from the fifteen countries with an EU adequacy decision.

Following that meeting, the EDPB and the Data Protection Authorities from the countries and the organisation with an EU adequacy decision strengthened their cooperation by sharing information on some advisory works and gathering experiences on international data protection enforcement cooperation.

“Our first joint meeting in October 2024 paved the way for a stronger cooperation and valuable knowledge and experience sharing on data protection.

The high level of engagement shown in this second meeting by the EDPB and the Data Protection Authorities from the countries and the international organisation for which the EU adopted an adequacy decision is a clear sign of our commitment to continue working together in this shared direction.”

EDPB Chair, Anu Talus

Yesterday’s meeting was an opportunity for all participants to share views on past activities and updates on the next enforcement and advisory priorities.

Note to editors

The European Commission has the power to determine, on the basis of Art. 45 of Regulation (EU) 2016/679 whether a country outside the EU offers an adequate level of data protection.

The adoption of an adequacy decision involves: 1) a proposal from the European Commission; 2) an opinion of the European Data Protection Board; 3) approval from representatives of EU countries; 4) adoption of the decision by the European Commission.

Brussels, 28 November - The EDPB launched a call for expression of interest to establish a new reserve list for the Support Pool of Experts (SPE) programme. The objective is set up a reserve list of legal and technical experts.

The legal expertise sought includes a wide range of fields, such as data protection, policy monitoring, technology, cybersecurity, competition, healthcare, online intermediary services and content moderation.

As for the technical expertise, the relevant areas include IT auditing, website security, mobile OS and apps, Internet of Things, cloud-computing, behavioural advertising, anonymisation techniques, cryptology, artificial intelligence, User experience (UX) design, fintech, data science, social science (incl. economics, sociology, psychology), and development of applications and software.

Bring your expertise to the table

Don’t miss this opportunity to participate in this EDPB’s key strategic initiative. Your work will help Data Protection Authorities (DPAs) across Europe increase their capacity to supervise and enforce data protection rules and strengthen the protection of individuals’ fundamental rights.

In 2022, the EDPB issued a call for expression of interest, which led to the establishment of a first SPE reserve list. As this list is set to expire in February 2026, the EDPB is inviting experts who were included in this first SPE reserve list to submit their application in response to the new call for expression of interest.

The call will be open until August 2030.

Learn how to submit your application.

Apply now

Background

The SPE was developed as part of the EDPB Strategy 2021-2023 to help DPAs increase their enforcement capacity by developing common tools and giving them access to a wide pool of experts.  

The EDPB aims to carry out approximately ten projects per year with pre-eminent external experts in a given field.  Projects are coordinated either by individual DPAs or by the EDPB.

More information on the SPE and on completed project is available here.