Data Protection Day 2026: Reset or refine? miriam Thu, 11/20/2025 - 15:24 Fri, 11/21/2025 - 12:00

Data Protection Day (28 January) celebrates the signing of Convention 108, the first legally binding treaty protecting privacy in the digital age. To mark the occasion, the Council of Europe (CoE) and the European Data Protection Supervisor (EDPS) are co-organising a one-day event focused on new frontiers in data protection.

• When: 28 January 2026
• Where: European Commission’s Charlemagne, Brussels
• Format: In person and remotely

Read a full programme

More information on how to register

0

Brussels, 17 November - The EDPB organises a remote event to collect  stakeholders’ input on anonymisation and pseudonymisation on implications of the judgement of the Court of Justice of the European Union (CJEU) in EDPS v Single Resolution Board (SRB). The event will take place on 12 December 2025 (time to be confirmed).

This will be an opportunity to inform and support the EDPB’s ongoing work on these topics as per its work programme 2024-2025 and it reflects the EDPB’s commitment to stakeholder engagement, as outlined in the recent Helsinki statement.  

Who can participate?

Individuals representing sector associations, organisations or NGOs and individual companies, law firms or academics are invited to express their interest to participate in this event (one participant per organisation). The EDPB encourages all organisations interested in this matter to delegate a representative with technical knowledge of these topics.

As a general rule, participants will be registered on a first-come first-served basis. Nonetheless, the EDPB reserves the right to give precedence to specific stakeholders among those who expressed their interest, based on their relevance to the topics of the event, and to ensure diversity of views and a balanced representation of areas of interest, as well as geographical balance.

How to take part?

You can find further information and the instructions on how to register (link not available).

The call will be closed as soon as a sufficiently high number of applicants is reached with a view to ensuring the participation of a maximum number of stakeholders.

If you have technical problems submitting the application, we invite you to refresh the page or open the form in a different browser. 

 

Update on 17/11/2025, 12:57 pm: The call is now closed.

Thank you to all those who expressed their interest in taking part in the EDPB stakeholder event on ‘anonymisation and pseudonymisation’. We will carefully review all applications and communicate the results of the process to those who applied in the coming weeks.
 

New Guidance for Risk Management of Artificial Intelligence Systems francesco Tue, 11/11/2025 - 15:39 Tue, 11/11/2025 - 12:00

The European Data Protection Supervisor (EDPS) is pleased to announce the publication of a new guidance document designed to support controllers in conducting data protection risk assessments when developing, procuring, and deploying Artificial Intelligence (AI) systems under Regulation 2018/1725 (EUDPR). This guide aims at providing valuable insights and practical recommendations to help identify and mitigate common technical risks associated with AI systems, helping in the protection of personal data.

While primarily intended for European Union Institutions, Bodies, Offices, and Agencies (EUIs), this guidance is also relevant and useful for private companies, industry stakeholders, and public organizations seeking to ensure compliance with data protection regulations.

The document begins by revisiting the risk management approach of the widely recognized ISO 31000:2018 standard. It then continues into the AI system lifecycle, to later explore the concepts of interpretability and explainability, which are essential for ensuring data protection. The core of the guidance presents a detailed analysis of risks and corresponding mitigation measures, organized around four fundamental data protection principles: fairness, accuracy, data minimisation, and security.

1 Read more

PATRICIA Exercise 2025- Personal dATa bReach awareness In Cybersecurity Incident handling miriam Mon, 11/10/2025 - 11:24 Tue, 11/11/2025 - 12:00

Read the Executive Summary of the Report of the second edition of PATRICIA - Personal dATa bReach awareness in Cybersecurity Incident Handling, a table-top exercise focusing on personal data breach management. 

1 Read the Executive Summary

Brussels, 5 November - During its latest plenary, the EDPB adopted an opinion on the European Commission’s draft decision on the adequate level of protection of personal data in Brazil.* Once adopted, the decision will ensure that personal data can flow freely from Europe to Brazil and that individuals can retain control over their data.

In its opinion, requested by the Commission, the EDPB assesses whether the Brazilian data protection framework and the rules on government access to personal data transferred from Europe provide safeguards essentially equivalent to the ones in EU legislation. The Board positively notes the close alignment with EU legislation and the case law of the Court of Justice of the EU. The EDPB also examines whether the safeguards provided under the legal framework in Brazil are in place and effective.

“The EDPB welcomes the alignment between Brazil and Europe’s data protection frameworks. This is a pivotal moment that will strengthen legal certainty for organisations and competent authorities transferring personal data from Europe to Brazil.

We call on the European Commission to address a few remaining points to ensure the effective protection of individuals’ fundamental rights.”

EDPB Chair, Anu Talus

The EDPB also invites the Commission to provide further clarifications and monitor certain areas in relation to Data Protection Impact Assessments (DPIA), the limitations on transparency related to commercial and industrial secrecy, and the rules on onward transfers.

As a general rule, the Brazilian data protection law does not apply to data processed by Brazilian public authorities for the exclusive purposes of public safety, national defence, State security, or the investigation and prosecution of criminal offenses.

At the same time, the EDPB positively notes that the Brazilian data protection law partially applies to the processing of personal data in the context of criminal investigations and maintenance of public order, as interpreted by the Federal Supreme Court of Brazil in its case-law.

The Board invites the Commission to further specify the applicability of the Brazilian data protection law, as well as the Brazilian Data Protection Authority’s investigatory and corrective powers in relation to law enforcement authorities. Finally, the Board invites the Commission to further clarify the outline of Brazil’s concept of national security.

 

Note to editors:

* An adequacy decision is a key-mechanism in EU data protection legislation which allows the European Commission to determine whether a third country or an international organisation offers an adequate level of data protection. The European Commission has the power to determine, on the basis of Art. 45 of Regulation (EU) 2016/679 whether a country outside the EU offers an adequate level of data protection.

The adoption of an adequacy decision involves: 1) a proposal from the European Commission; 2) an opinion of the European Data Protection Board; 3) approval from representatives of EU countries; 4) adoption of the decision by the European Commission.

Brussels, 5 November - The European Data Protection Board (EDPB) is taking an important step towards facilitating GDPR compliance for organisations by developing a series of ready-to-use templates. This initiative, announced following the Helsinki Statement on enhanced clarity, support, and engagement, aims to provide practical tools that organisations can readily implement to meet their data protection obligations.

To ensure these templates address the needs of organisations, the EDPB has launched a public consultation inviting stakeholders to share their suggestions. The consultation specifically seeks feedback on which types of templates would be most beneficial (for example, a template for privacy notices or a template for records of processing activities).

The EDPB will already work on templates for key GDPR requirements such as Data Protection Impact Assessments (DPIAs) and data breach notifications.

Contributions can be submitted here until 3 December 2025.

The EDPB encourages all interested parties to take part in this consultation and help create practical resources that make GDPR compliance more straightforward and accessible for everyone.

ETIAS Fundamental Rights Guidance Board: ensuring access to an effective judicial remedy miriam Mon, 11/03/2025 - 14:22 Mon, 11/03/2025 - 12:00

As the clock ticks down to the launch of a new EU large scale border management system, the European Travel Information and Authorisation System (ETIAS) in autumn 2026, momentum is building to prepare ETIAS for entry into operation and ensure its compliance with data protection law, and other fundamental rights under the EU Charter of Fundamental Rights. 

1 Read the blogpost by Wojciech Wiewiórowski

Secure multi-party computation: powering privacy through collaboration francesco Thu, 10/30/2025 - 10:54 Thu, 10/30/2025 - 12:00

Blogpost by Wojciech Wiewiórowski on the outcome of the 2025 IPEN event.

1 Read blogpost

Guidance on Generative AI, strengthening data protection in a rapidly changing digital era klaudia Tue, 10/28/2025 - 11:09 Tue, 10/28/2025 - 12:00

Read the Press Release on the revised Guidance on Generative AI, strengthening data protection in a rapidly changing digital era.

1 Read Press Release

Supervising the entry into operations of the Entry/Exit System miriam Wed, 10/22/2025 - 13:46 Fri, 10/24/2025 - 12:00

Read the Press Release on the implementation of the EU Entry/Exit System at both European and at national level and the EDPS' supervisory role.

1 Read Press Release

Brussels, 20 October - During its latest plenary, the EDPB adopted two opinions on the European Commission’s draft decisions on the extension of the validity of the UK adequacy decisions under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) until December 2031.*

The EDPB opinions, requested by the Commission as per Art. 70(1) (s) GDPR and Art. 51(1) (g) LED, address the proposed six-year extension of the two UK adequacy decisions which are set to expire in December 2025.

The extension of the validity of the UK adequacy decisions will allow organisations and competent authorities based in Europe to continue transferring data to UK-based organisations and authorities without implementing additional guarantees.**

“The EDPB welcomes the continuing alignment between the UK and Europe’s data protection framework, despite the recent changes in the UK legal framework.

I call on the European Commission to address the points highlighted by the Board and to ensure an effective monitoring once the decisions are adopted. This will increase the robustness of UK’s adequacy and ensure more legal certainty for organisations and competent authorities transferring personal data from Europe to the UK.”

EDPB Chair, Anu Talus

About the GDPR opinion

According to the Board, most of the changes introduced to the UK’s data protection framework aim to clarify and facilitate compliance with the law.

Some aspects of the draft decision could be further clarified.

The EDPB invites the European Commission to further analyse and monitor the changes to the Retained EU Law (Revocation and Reform) Act 2023, also known as REUL Act, in particular the removal of the principle of primacy of EU law and the removal of the direct application of the principles of EU law.

The EDPB notes that the Secretary of State has been granted new powers to introduce changes to the new data protection framework, via secondary regulations which require less Parliamentary scrutiny. This is the case for international transfers, automated decision-making, and the governance of the Information Commissioner’s Office (ICO). The EDPB invites the Commission to address possible risks of divergence by highlighting, in the final adequacy decision, the areas which they intend to carefully monitor.

The EDPB also encourages the Commission to further elaborate its assessment and monitor the rules on transfers from the UK to third countries. The new adequacy test, introduced by the Data (Use and Access) Act 2025, requires the level of protection of the third country to be not materially lower than the one provided for data subjects by the UK framework, but this test does not refer to the risk of government access, the existence of redress for individuals and the need for an independent supervisory authority.

The Commission should also further assess and monitor the purported use by the UK Government of Technical Capability Notices (“TCN”) requiring companies to circumvent encryption, as this would create systemic vulnerabilities and pose a risk to the integrity and confidentiality of electronic communications.

Finally, the EDPB calls on the Commission to further assess and monitor the changes to the structure of the ICO and the exercise of its corrective powers. In this context, the EDPB positively notes the transparency policy of the ICO and the availability of the statistical and analytical data of its enforcement activities.

The new adequacy decisions will add to the 2021 decisions, which will continue to apply to areas not covered in the 2025 draft decisions. The EDPB builds on its 2021 opinions (14/2021 and 15/2021). In particular, the close alignment between the GDPR framework and the UK legal framework on key provisions, highlighted in 2021, continues to hold true today (including, for example, transparency, data subject rights, and special categories of data).

About the LED opinion

The EDPB welcomes the continuous alignment between the data protection framework in Europe and the UK, and encourages the Commission to complement its assessment on aspects relating to national security exemptions. Such exemptions may waive most data protection principles and some international transfer rules for law enforcement authorities, and also limit ICO’s enforcement and inspection powers.

The EDPB invites the Commission to analyse the UK’s rules on transfers of personal data to third countries, in particular the new adequacy test, in the same way as in the GDPR opinion.

The Board also points out the more permissive approach for automated decision making and the new powers conferred to the Secretary of State in this matter. It recalls the importance of meaningful human review and urges the Commission to clarify and monitor possible exemptions from individuals’ right to obtain human intervention.

Finally, the EDPB acknowledges that the system of oversight of criminal law enforcement agencies as well as the redress mechanisms remain largely unchanged, and it reiterates the need for the Commission to closely monitor the application of corrective powers and remedies for individuals in the UK data protection framework.

 

Note to editors:

* On 22 July 2025, the European Commission issued two draft amending implementing decisions on the adequate protection of personal data by the United Kingdom pursuant to Article 45(3) GDPR and Article 36(3) LED. These draft decisions aim at extending the validity of the previous adequacy decisions adopted on 28 June 2021.
In May 2025, the Commission adopted a decision to extend the validity of the UK adequacy decision for six more months, from June until December 2025. The EDPB adopted an opinion on this extension in May 2025.

** An adequacy decision is a key-mechanism in EU data protection legislation which allows the European Commission to determine whether a third country or an international organisation offers an adequate level of data protection. The European Commission has the power to determine, on the basis of Art. 45 of Regulation (EU) 2016/679 whether a country outside the EU offers an adequate level of data protection.

The adoption of an adequacy decision involves: 1) a proposal from the European Commission; 2) an opinion of the European Data Protection Board; 3) an approval from representatives of EU countries; 4) the adoption of the decision by the European Commission.

Towards a Digital Clearinghouse 2.0 lisa Thu, 10/16/2025 - 09:40 Tue, 01/27/2026 - 12:00

The digital regulatory landscape now extends beyond data protection, consumer protection and competition law. In response to rapid technological and regulatory developments, the EDPS invites you to discuss the future of cross-regulatory cooperation.

Effective cross-regulatory cooperation is necessary to ensure consistent application of recent laws such as the Data Governance Act, Digital Markets Act, Digital Services Act, Data Act, and Artificial Intelligence Act - each of which highlight the critical role of personal data in the digital economy and the need to protect individuals. The EDPS proposes a Digital Clearinghouse 2.0 to provide competent authorities with a forum to exchange and coordinate on issues of common interest.

When: 27 January 2026
Where: European Commission, Charlemagne building, Brussels

Read the speech by Supervisor 

More information

1 Watch it

Brussels, 14 October - During its October plenary, the European Data Protection Board (EDPB) picked the topic for its fifth coordinated enforcement action, which will concern compliance with the obligations of transparency and information under the General Data Protection Regulation (GDPR).  The GDPR ensures that individuals are informed when their data is being processed (under Art. 12, 13 and 14). This right to be informed is a core element of transparency and ensures that individuals have more control over their data.

In a coordinated action, the EDPB prioritises a certain topic for Data Protection Authorities (DPAs) to work on at national level. The results of these national actions are then aggregated and analysed to generate deeper insight into the topic and allowing for targeted follow-up at both national and European level if needed.

Participating DPAs will join this new action on a voluntary basis in the coming weeks and the action itself will be launched over the course of 2026.

CEF achievements so far

In recent years, the EDPB has carried out various coordinated actions on different topics, publishing reports on their results. Specifically:

• use of cloud-based services by the public sector (2023)
• designation and position of Data Protection Officers (2024)
• implementation of the right of access by controllers (2025)

Earlier this year, the EDPB has launched a coordinated action on the right to erasure or the “right to be forgotten” (Art.17 GDPR). The report on the outcome of this action will be adopted in the coming months.

Background

This new coordinated action follows the EDPB’s decision to set up a Coordinated Enforcement Framework (CEF) in October 2020. The CEF is a key action of the EDPB under its 2024-2027 Strategy, together with the creation of a Support Pool of Experts (SPE). The two initiatives aim to streamline enforcement and cooperation among DPAs.
 

Brussels, 10 October -   On the occasion of the upcoming entry into operation of the EU Entry Exit System (EES) on 12 October 2025, the Coordinated Supervision Committee (CSC) will include the EES system under its scope. This system registers non-Schengen nationals travelling with a short stay visa or travellers who are visa exempt. The EES is a large scale IT systems developed by the EU to prevent irregular migration and enhance security in the Schengen area.

 

How it works 

The EES gradually replaces passport stamping at the external borders of the Schengen area, with the aim of making the border process more efficient. The system records which travellers from third countries, with or without a visa, enter and exit the Schengen area. 

The implementation of the EES will happen gradually.  European countries will have the option to progressively start using this system over a period of six months, starting with the registration of third country nationals at 10% of border crossings. By the end of the six months period, European countries should reach full registration of all individuals.

Processing of individuals’ personal data by the EES

The EES records personal data from travel documents such as name, date of birth, and place of birth. It also registers the dates of entry and exit of travellers, as well as biometric data such as a facial images and fingerprints. Given the sensitivity of the personal data processed by this system, it is crucial to ensure individuals can effectively exercise their rights and the processing of personal data is supervised.

 

Ensuring data subject rights

The protection of personal data is a fundamental right, which also applies to EES data processing. 
The EES regulation ensures that travellers must be properly informed about their rights regarding the processing of their personal data in the EES, and how to exercise these rights. Authorities processing personal data in the EES, such as border guards, migration services, and under certain conditions, law enforcement authorities must ensure that individuals can easily request access to their data, as well as rectification, completion, erasure and restriction.

 

Supervision of the data processing in the EES

With the upcoming entry into operation of the EES, the CSC will also focus its supervision, at both European and at national level, on the processing of personal data in the EES.

More information on the CSC supervision of the EES will be published on the CSC members’ websites.

 

Background

The CSC consists of European national Data Protection Authorities and the EDPS, which together ensure coordinated supervision of large scale IT systems, and of EU bodies, offices and agencies falling under its scope. These also include the Schengen information system (SIS), the Visa information system (VIS), Eurodac, and two new systems entering into operation at a later date: the European Travel Information and Authorisation System (ETIAS) and the European Criminal Records Information System on non EU-nationals (ECRIS-TCN).
The CSC enjoys an autonomous functioning and positioning and it adopts its own rules of procedure and working methods. The Committee was established within the framework of the EDPB.
 

Brussels, 9 October - The EDPB is organising a remote stakeholder event to collect stakeholders’ input on anonymisation and pseudonymisation following the clarification on the scope of the concept of personal data provided by the Court of Justice of the European Union (CJEU) in its judgement in EDPS v Single Resolution Board (SRB). The event will take place by the end of the year.
The event will inform and support the EDPB’s ongoing work on these topics as per its work programme 2024-2025 and it reflects the EDPB’s commitment to stakeholder engagement, as outlined in the recent Helsinki statement.  

Do you wish to participate to have your say? 

The EDPB will launch a call for expression of interest to participate in the stakeholder event in the following weeks. 
More details about the date and format will follow soon on the EDPB website.

Brussels, 09 October - The European Data Protection Board (EDPB) and the European Commission endorsed joint guidelines on the interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). These are the first joint guidelines by the Board and the European Commission.

In line with its 2024-2027 Strategy and the recent Helsinki Statement’s objectives to make GDPR compliance easier and strengthen consistency, the EDPB has cooperated with the European Commission, each within their respective mandates, to facilitate the coherent application of the DMA*and GDPR and to increase legal certainty for gatekeepers, business users, beneficiaries and individuals.

EDPB Chair Anu Talus said:  “These joint guidelines are the result of a fruitful cooperation between the EDPB and the European Commission. This is the first time that the EDPB and the European Commission prepare guidelines jointly. This approach maximises usefulness of the guidance by simplifying compliance for businesses and bringing enhanced legal certainty to them. 

The guidelines will help gatekeepers, business users and individuals to better understand their obligations and rights under the DMA, and ensure a consistent, effective and complementary application of the DMA and EU data protection law.”

How the DMA and the GDPR interact

The DMA and the GDPR both protect individuals in the digital landscape, but their goals are complementary as they address interconnected challenges: individual rights and privacy in case of the GDPR and fairness and contestability of digital markets under the DMA.   

Several activities regulated by the DMA entail the processing of personal data by gatekeepers and, in several provisions, the DMA explicitly refers to definitions and concepts included in the GDPR. The joint guidelines clarify how gatekeepers can implement these DMA provisions in accordance with EU data protection law. For example, the EDPB and the Commission specify which elements gatekeepers should consider in order to comply with the requirements of specific choice and valid consent under Art. 5(2) DMA and the GDPR, and thus to lawfully combine or cross-use personal data in core platform services.

The EDPB and the Commission also address other provisions including those related to the distribution of third party apps and stores, data portability, data access requests and interoperability of messaging services.

 

Next steps

The Board and the Commission have just launched a joint public consultation on the first version of the guidelines which will be open until 4 December 2025.  This will be an opportunity for stakeholders to comment and provide feedback.

All submissions will be published on the DMA website to which a link will be included on the EDPB website, after the consultation period has closed.

The final text, incorporating input received during the consultation, will be prepared jointly by the Board and the Commission, and will be adopted by the EDPB and European Commission.

 

More guidelines on the way

Following these first joint guidelines with the Commission, further work is underway to clarify the new cross-regulatory landscape and maintain coherent and consistent safeguards for the protection of personal data. In this regard, the EDPB is working with the Commission, specifically with the AI Office, on joint guidelines on the interplay between the AI Act and EU data protection laws.

Note to editors:
The Digital Markets Act is one of the first regulatory tools that aims to tackle unfair practices of gatekeepers in digital markets. Gatekeepers are large digital platforms providing core platform services, such as online search engines, app stores, and messenger services. The main objective of the DMA is to make the markets in the digital sector fairer and more contestable. 
 

TechDispatch Talks episode out! francesco Fri, 10/03/2025 - 09:40 Fri, 10/03/2025 - 12:00

A new episode of the Podcast series TechDispatch Talks to help you understand emerging technologies, their opportunities but also privacy challenges.

Watch the video podcast or listen to it.

0

EDPS Recognised for Accountability at GPA Awards francesco Wed, 10/01/2025 - 12:16 Wed, 10/01/2025 - 12:00

the EDPS has been awarded at the GPA Awards in the Accountability category for two strategic initiatives to enhance personal data breach management across EU institutions: The Data Breach Awareness Campaign and PATRICIA Exercise - Personal dATa bReach awareness In Cybersecurity Incident hAndling!

The Data Breach Awareness Campaign, targeted at selected participants, was structured to assess existing breach management practices, identify critical areas, evaluate process implementation, and provide tailored recommendations. 

In addition, together with the European Union Agency for Cybersecurity (ENISA), we jointly organised two table-top exercises in Brussels. The initiative was designed to raise awareness among staff from European Union Institutions on how to effectively manage personal data breaches.

This recognition by the Global Privacy Assembly highlights the value of joint initiatives where supervisory authorities build capacity, foster collaboration, and promote continuous improvement in data protection.

We thank the Global Privacy Assembly for this recognition and remain committed to strengthening cooperation and preparedness in the protection of personal data.

0

European Cybersecurity Month 2025 miriam Mon, 09/29/2025 - 21:12 Wed, 10/01/2025 - 12:00

2025 marks the 13th Anniversary of the European Cybersecurity Month. Join forces with the EU institutions, bodies and agencies in an annual awareness campaign to strengthen cybersecurity among Europeans.

Read our infographics on phishing, ransomware and pretexting.

Read more about what can the EU institutions, bodies and agencies do to tackle personal data breaches.

Watch the high-level panel discussion featuring EDPS Wojciech Wiewiórowski at the Inter-Institutional Kick-Off event.

Read, watch or listen to the Podcast episode of TechDispatch Talks - Human Oversight of Automated Decision-Making.

0

Data protection beyond borders: a milestone for international organisations francesco Fri, 09/26/2025 - 09:57 Fri, 09/26/2025 - 12:00

The International Organisations Workshop celebrates 20 years of fostering cooperation on key data protection aspects, bringing together global experts to address shared challenges.

1 Read blogpost by Wojciech Wiewiórowski