Europrivacy and the European Centre for Certification and Privacy were delighted to participate at the Privacy Symposium conference in Venice, Italy during May 12-16, 2025. The conference brought together close to a thousand experts and authorities in data governance and regulation. The conference provided an opportunity to discuss the future of data protection certification and […]

The post Europrivacy at the Privacy Symposium appeared first on Europrivacy Community.

The EDPS published on 28 May 2025 an Opinion on the Proposal for a Regulation establishing a common system for the return of third-country nationalsstaying illegally in the EU.

The objective of the Proposal is to ensure the effective return and re-admission of third-country nationals illegally staying in the EU by providing Member States with simplified and common rules.

Read Press Release and Opinion 

We are excited to announce that a new Europrivacy European Data Protection Seal has been formally delivered to Centre d’accès sécurisé aux données (CASD) in a ceremony at the Privacy Symposium conference in Venice! CASD have successfully completed a Europrivacy certificate for a methodology of accessing various data, including personal data for statistical or research […]

The post New European Data Protection Seal for CASD appeared first on Europrivacy Community.

Background information

• Date of final decision: 15 May 2025
• National case
• Controller:  SOLOCAL MARKETING SERVICES
• Legal Reference(s): Article 7 (Conditions for consent), Article 6 (Lawfulness of processing)
• Decision: administrative fine and an order to cease electronic commercial prospecting in the absence of valid consent, together with a penalty of 10 000 € per day overdue after a period of 9 months
• Key words: administrative fine, consent,  unsolicited communication

Summary of the Decision

Origin of the case  

As the French Supervisory Authority (SA) made commercial prospecting a priority topic for investigations in 2022, it focused on the practices of professionals in the sector, particularly those who resell data, including the many intermediaries in this ecosystem known as data brokers. The French SA carried out investigations on SOLOCAL MARKETING SERVICES which got prospect data mainly from data brokers, publishers of game contests and product testing sites (these actors are the first links in the chain, the primary collectors, who are responsible for collecting prospect data). SOLOCAL MARKETING SERVICES used this data to operate commercial prospecting by SMS or e-mail to individuals concerned, on behalf of its advertiser customer. It may also pass on some of this data to its customers, so that they can carry out their own commercial prospecting by telephone or post.

Key Findings 

Failure to comply with the obligation to obtain the consent of individuals to receive commercial prospecting by electronic means (Article L.34-5 of the French Post and Electronic Communications Code): The restricted committee considered that the misleading appearance of the forms used by data brokers made it impossible to obtain free and unambiguous consent, in compliance with the requirements of the GDPR, which would have formed the basis for the prospecting operations carried out by the company.
Failure to demonstrate that the data subject has consented to processing of his or her personal data (Article 7 of the GDPR): The company failed to provide the French SA with proof of consent from individuals whose data has been transferred to it by one of its main suppliers. As a result, the French SA was unable to examine the collection forms used by this supplier and, therefore, the validity of the consent of the data subjects.

Decision 

Based on the findings of the inspection, the restricted committee – the French SA body responsible for issuing sanctions – considered that the company had failed to comply with obligations under the French Post and Electronic Communications Code (CPCE) and the General Data Protection Regulation (GDPR) regarding the collection and proof of consent. 
It imposed on SOLOCAL MARKETING SERVICES: 

• a 900 000 € fine which was made public; and
• an order to cease electronic commercial prospecting in the absence of valid consent, together with a penalty of 10 000 € per day overdue after a period of 9 months. 

The amount of this fine takes into account the very large number of people concerned (several million), the company's historical position on the market, the financial benefit derived from the breaches, and the measures taken by the company to comply with some of its obligations since the checks were carried out.

For further information: 
•  Courtiers en données : sanction de 900 000 euros à l’encontre de la société SOLOCAL MARKETING SERVICES (French)
•  Data brokers: SOLOCAL MARKETING SERVICES fined €900,000 (English)
 

CPDP is back! Discover the EDPS involvement in this year's Conference on Computers, Privacy and Data Protection, taking place on May 21-23 in Brussels.

The EDPS will organise two panels on Artificial Intelligence and Data Protection. EDPS' experts will also participate as speakers in other panels and the Supervisor will deliver the conference's closing remarks.

In this issue, read about our trainees’ vision for Europe; our upcoming event on the future of data protection; current affairs on data protection law; our advice and tools for EU institutions, bodies, offices and agencies, and MORE! Read it here.

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a letter, addressed to the European Commission, on the upcoming proposal on the simplification of record-keeping obligation under the GDPR, amounting to a targeted amendment of Art. 30(5) GDPR.

The joint letter replies to the letter sent by the European Commission to the EDPB and the EDPS on 6 May 2025 where the Commission explained how it intends to introduce specific modifications to the GDPR. The EDPB and EDPS understand that a formal consultation will take place after the publication of the proposed legislative change.

The EDPB and EDPS shared that, at this stage, they could express preliminary support to this targeted simplification initiative, bearing in mind that this would not affect the obligation of controllers and processors to comply with other GDPR obligations. Nevertheless, the EDPB and EDPS asked the Commission to better evaluate the impact on the organisation subject to this change, to assess whether the draft proposal ensure a proportionate and fair balance between the protection of personal data and the interests of organisations with less than 500 employees.

Full letter here

Every year at the EDPS, we celebrate Europe Day, the achievements and opportunities it made possible to Europeans. Honouring the legacy of those who advanced the European project is as important as looking ahead and listening to the generations that will shape its future. EDPS Supervisor has therefore asked them about how the EU has impacted their lives and what it means to be European today. 

Read on about what they had to say.

Brussels, 08 May - The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a letter, addressed to the European Commission, on the upcoming proposal on the simplification of record-keeping obligation under the GDPR, amounting to a targeted amendment of Art. 30(5) GDPR.

The joint letter replies to the letter sent by the European Commission to the EDPB and the EDPS on 6 May 2025 where the Commission explained how it intends to introduce specific modifications to the GDPR. The EDPB and EDPS understand that a formal consultation will take place after the publication of the proposed legislative change.  

The EDPB and EDPS shared that, at this stage, they could express preliminary support to this targeted simplification initiative, bearing in mind that this would not affect the obligation of controllers and processors to comply with other GDPR obligations. Nevertheless, the EDPB and EDPS asked the Commission to better evaluate the impact on the organisations subject to this change, to assess whether the draft proposal ensure a proportionate and fair balance between the protection of personal data and the interests of organisations with less than 500 employees.

EDPB-EDPS Letter on European Commission draft proposal on simplification of record-keeping under the GDPR

• Letters

• Controller
• Processor
• Record of processing

The EDPS has developed Guidance for co-legislators on the main elements to consider when developing legislative proposals that imply the processing of personal data.

Read Press Release

Brussels, 06 May - During its latest plenary, the European Data Protection Board (EDPB) adopted an opinion on the European Commission’s draft adequacy decision under the GDPR concerning the European Patent Organisation (EPO). In addition, the Board adopted an opinion on the European Commission’s proposal to extend the validity of the UK adequacy decisions under the GDPR and the Law Enforcement Directive (LED). Finally, the EDPB agreed to grant the status of observer to the Personal Data Protection Agency of Bosnia and Herzegovina.

Adequate protection of personal data by the EPO

At the European Commission’s request, the Board adopted an opinion on the Commission’s draft adequacy decision regarding the European Patent Organisation (EPO). Once formally adopted by the Commission, this will be the first adequacy decision concerning an international organisation and not a country or a region.
An adequacy decision is a key-mechanism in EU data protection legislation which allows the European Commission to determine whether a third country or an international organisation offers an adequate level of data protection. The effect of such a decision is that personal data can flow freely from Europe to that third country or international organisation.

EDPB Chair, Anu Talus, said: “The EDPB welcomes the Commission’s initiative to work on the first adequacy decision concerning an international organisation. This decision shows how the legal framework of such organisations can be recognised as ensuring an adequate level of protection on the basis of Art.45 GDPR.

The EDPB underlines the importance of ongoing dialogue between the Commission and international organisations, with a view to developing this category of adequacy decisions in addition to those relating to third countries.”

In its opinion, the Board positively notes that the EPO data protection framework is largely aligned with the European Union data protection framework, including on data protection rights and principles.

This shows that the GDPR and, in particular, its transfer provisions, can facilitate safe data flows from Europe to international organisations, while taking into account their status.

Six-month extension of the UK adequacy decisions

The EDPB opinion, requested by the European Commission, addresses the proposed extension of the two UK adequacy decisions under the GDPR and the LED, which are set to expire on 27 June 2025.

The opinion only concerns the proposed 6-month extension of these adequacy decisions and does not address the level of protection for personal data afforded in the UK, which will be examined by the EDPB following the Commission’s assessment, and if the renewal of the UK adequacy decisions is proposed.

Since the UK‘s data protection reform is still pending in the UK parliament, the EDPB recognises the need for a technical and time-limited extension of the adequacy decisions until 27 December 2025.This will give the European Commission sufficient time to evaluate the updated UK legal framework once it has been adopted.  

The EDPB stresses that this extension is exceptional and is due to the ongoing legislative developments in the UK. It should not, in principle, be further prolonged.

The Board recalls the validity of its opinions 14/2021 and 15/2021 on the two UK adequacy decisions, adopted in April 2021, and invites the European Commission to take them into account in its future assessments. 
The Board also recalls the Commission’s obligation to monitor all relevant developments in the UK during the extension period.

New observer to the EDPB’s activities

Finally, EDPB members agreed to grant observer status to the EDPB’s activities to the Bosnia and Herzegovina Data Protection Authority, in line with Art. 8 EDPB Rules of Procedure.
 

Every year, on 9 May, people across Europe celebrate the anniversary of the Schuman Declaration, which was a milestone to bring peace and solidarity in Europe. This year is particularly special as it marks the 75th anniversary of this historic moment.

Let’s celebrate together

To celebrate this occasion, the EDPB takes part in the EU Open Day, with an interactive stand hosted by volunteers from the EDPB Secretariat and national Data Protection Authorities (DPAs). Come and visit us to learn more about data protection and the EDPB’s activities.

You will find the EDPB and EDPS stands at the European Commission’s headquarters - the Berlaymont building - Village 1 “A Democratic Union”, on Saturday 10 May from 10:00 to 18:00. 

Do you want to learn more about privacy and data protection — and test your knowledge?
Come visit us for fun activities and quizzes designed just for you!

Further information about Europe Day 2025
 

To celebrate Europe Day, the European institutions are opening their doors to the public on 10 May 2025! Come visit us to discover the engaging activities the EDPS and EDPB have prepared for you. Stop by the EDPS on EU Open Day!

Learn more. 

Brussels, 23 April - The European Data Protection Board (EDPB) has published its 2024 Annual Report. The report provides an overview of the EDPB work carried out in 2024 and reflects on important milestones, such as the adoption of the 2024-2027 strategy, the increase in Art. 64(2) consistency opinions and the continued efforts to provide guidance and legal advice.

EDPB Chair Anu Talus said: “As I look back on the work carried out over the past year, I am proud to present our achievements. In 2024, we reaffirmed our commitment to safeguarding individuals’ fundamental rights to privacy and data protection in a fast-changing digital landscape.

We adopted a new strategy and continued to play a central role in providing guidance and ensuring a consistent application of the General Data Protection Regulation (GDPR) across Europe. To support understanding and implementation of data protection rights and duties, we expanded our outreach activities by devoting special attention to businesses and non-expert individuals. In addition, we acquired new roles in the framework of the new digital legislations.”

A new EDPB strategy

The EDPB strategy 2024-2027 outlines key priorities and actions to strengthen and modernise data protection across Europe, ensure consistent enforcement of the GDPR, and address emerging challenges, including cross-regulatory cooperation. The strategy also helps strengthen the EDPB’s global presence by engaging with global partners and representing the EU data protection model in key international fora.

EDPB’s central role in providing guidance and legal advice

The number of consistency opinions adopted under Art. 64(2) GDPR significantly increased. In 2024, the Board adopted eight Art. 64 (2) GDPR opinions, including on ‘Consent or Pay’ models used by large online platforms, the use of facial recognition at airports, and the use of personal data to train AI models. These opinions address a matter of general application and ensure consistency prior to enforcement.

The EDPB actively participated in legislative discussions by issuing statements highlighting data protection considerations and impacts. For example, the Board adopted statements on the draft procedural regulation for GDPR enforcement, and on the DPAs role in the AI Act framework.

The EDPB has also expanded its general guidance to help organisations achieve and maintain GDPR compliance. To this end, the Board adopted four new guidelines in 2024, such as the guidelines on legitimate interest and on data transfers to third country authorities.

Proactive engagement with stakeholders

In 2024, the EDPB continued to engage with stakeholders to foster open dialogue and mutual understanding between regulators, industry representatives, civil society organisations, and academic institutions.  To collect relevant insights from organisations that have expertise on data protection-related topics, the Board launched public consultations on its adopted guidelines and organised two stakeholder events, related to the upcoming guidelines on “Consent or Pay” models and to the preparation of the Opinion on AI models.

Contributing to cross-regulatory cooperation

New digital legislations, including the Digital Markets Act (DMA), the Digital Services Act (DSA), the AI Act, the Data Governance Act (DGA) and the Data Act, build on GDPR. To ensure consistency of application between the GDPR and these acts, the EDPB actively contributed to cross-regulatory cooperation by engaging with European and international partners, including the EU AI Office and the high-level group on the DMA.

Making the GDPR understandable and practical for all

Finally, the EDPB continued its efforts to provide information on the GDPR to a broader and non-expert audience by presenting it in a clear and non-technical language. To this end, the EDPB made the Data Protection Guide for Small Business available in 18 languages. In addition, the Board has launched a series of summaries of EDPB guidelines to help non-expert individuals and organisations identify in an easier way the most important points to consider. 
 

EDPB Annual Report 2024

• Annual report

The EDPS Annual Report 2024 is about acting for the future of data protection, preparing for diverse possibilities and risk that the digital landscape represents. 

Guided by our 2020 - 2024 strategy and its principles: Foresight, Action and Solidarity, the EDPS has:

• unveiled and taken steps to start executing its Strategy for AI
• monitored and analysed technologies, including AI- led technologies
• advised EU-co legislator on upcoming EU regulations directly impacting people’s privacy and data protection
• providing tools to EUIs to ensure their compliance with EU data protection laws
• influence the development of data protection globally.

You can consult the EDPS Full Annual Report 2024, and its Executive Summary, to find out more about our supervisory actions, policy and legislative advice, and technology monitoring activities.

Read Annual Report

Read Annual Report - Executive Summaries

Read EDPS Press Release

Read Speech by Supervisor

Brussels, 14 April - During its April 2025 plenary, the European Data Protection Board (EDPB) has adopted guidelines on processing of personal data through blockchain technologies.  A blockchain is a distributed digital ledger system that can confirm transactions  and  establish  who  owned  a  digital  asset  (such  as cryptocurrency)  at  a  given  time. Blockchains can also support the secure handling and transfer of data, ensuring its integrity and traceability.

As the use of blockchain technologies is expanding, the Board considers it important to help organisations using these technologies to comply with the GDPR. 
In its guidelines, the EDPB explains how blockchains work, assessing the different possible architectures and their implications for the processing of personal data.

The guidelines highlight the importance of implementing technical and organisational measures at the earliest stages of the design of the processing. The EDPB also clarifies that the roles and responsibilities of the different actors in a blockchain-related processing of personal data should be assessed during the design of the processing.
In addition, organisations should carry out a Data Protection Impact Assessment (DPIA) before processing personal data through blockchain technologies, where the processing is likely to result in a high risk to the rights and freedoms of individuals.

According to the Board, organisations should also ensure the highest protection of individuals’ personal data during the processing so that they are not made accessible to an indefinite number of persons by default.

The guidelines provide examples of different techniques for data minimisation, as well as for handling and storing personal data. As a general rule, storing personal data in a blockchain should be avoided if this conflicts with data protection principles.

Finally, the Board highlights the importance of the rights of individuals especially regarding transparency, rectification and erasure of personal data. 

The guidelines will be subject to public consultation until 9 June 2025, providing stakeholders with the opportunity to comment.

During its latest plenary, the EDPB also decided to closely cooperate with the AI Office in relation to the drafting of the guidelines on the interplay between the AI Act and EU data protection legislation.
 

With our involvement in this fourth Coordinated Enforcement Action, we walk the talk by continuously advocating for a coherent application of EU data protection law, and the consistent protection of individuals’ personal data, across the EU/EEA. 

Read Press Release

Brussels, 14 March - During its March 2025 plenary meeting, the European Data Protection Board (EDPB) adopted a statement on the implementation of the Passenger Name Record Directive (PNR) in light of the Court of Justice of the EU (CJEU) judgment C-817/19*. 

In its second statement on the implementation of the PNR Directive, which follows the one of 15 December 2022, the Board gives further guidance to the Passenger Information  Units (PIUs)** on the necessary adaptions and limitations to the processing of PNR data, following the PNR judgment. PNR data is personal information provided by passengers, and collected and held by air carriers that includes the names of the passengers, travel dates, itineraries, seats, baggage, contact details and means of payment.

The statement includes practical recommendations for the national laws transposing the PNR Directive in order to give effect to the findings of the CJEU in the PNR judgment. The recommendations cover some of the key aspects of the PNR judgement such as how European countries should select the flights from which PNR data is collected, or how long PNR data should be retained. According to the Board, the retention period of all PNR data should not exceed an initial period of six months. After this period, European countries may only store PNR data as long as needed and proportionate to the objectives of the PNR Directive.

EDPB Chair Anu Talus said: “The EDPB recognises the importance of the PNR Directive in improving the security of passengers across Europe and in helping prevent, detect and prosecute terrorist offences and serious crime. The transfer of PNR data in Europe should take place in a harmonised way and in full respect of data protection principles.”

The Board is aware that some European countries have already started the adaptation process, but there is still a substantial lack of implementation efforts throughout the Member States. Therefore, in its statement, the EDPB outlines the urgent need to implement the necessary changes and to amend national laws by taking into account the PNR judgment as soon as possible.

Note to editors
* On 21 June 2022, on a referral from the Belgian Constitutional Court, the CJEU rendered its judgment C-817/19 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, under the PNR Directive 2016/681. While the Court found that the validity of the PNR Directive was not affected, it ruled that, in order to ensure compliance with the EU Charter of Fundamental Rights (the Charter), the PNR Directive needs to be interpreted as including important limitations to the processing of personal data. Some of these limitations are the application of the PNR system only to terrorist offences and serious crime, having an objective link with the carriage of passengers by air, and the non-indiscriminate application of the general retention period of five years to all passengers’ personal data.
** The PIUs are specific entities in European countries which are responsible for the collection, storage, and processing of PNR data.
 

The EDPS mandate has been synonymous with adaptability and resilience, with challenges and opportunities in a fast-paced digital landscape. 

• Supervision & Enforcement of data protection laws within EUIs
• Policy & Consultations to the EU Legislator
• Technology & Privacy benefits and risks for now and in the future
• Preparing ourselves for AI... and more.

Read EDPS Mandate Review on key actions to protect people’s privacy.

Brussels, 05 March - The European Data Protection Board (EDPB) has launched its Coordinated Enforcement Framework (CEF) action for 2025. Following a year-long coordinated action on the right of access in 2024, the CEF's focus this year will shift to the implementation of another data protection right, namely the right to erasure or the “right to be forgotten” (Art.17 GDPR).

The Board selected this topic during its October 2024 plenary as it is one of the most frequently exercised GDPR rights and one about which DPAs frequently receive complaints from individuals.
 

Next steps

During 2025, 30 Data Protection Authorities (DPAs) across Europe, as well as the European Data Protection Supervisor (EDPS), will take part in this initiative.

Participating DPAs will soon contact a number of controllers from different sectors across Europe, either by opening new formal investigations or doing fact-finding exercises. In the latter case, they might also decide to undertake additional follow-up actions if needed. 

DPAs will check how controllers handle and respond to the requests for erasure that they receive and, in particular, how they apply the conditions and exceptions for the exercise of this right. 

DPAs will also stay in close contact to share and discuss their findings throughout this year. The results of these national actions will be aggregated and analysed together to generate deeper insight into the topic, allowing for targeted follow-ups on both national and EU levels.
 

Background

The CEF is a key action of the EDPB under its 2024-2027 strategy, aimed at streamlining enforcement and cooperation among DPAs.
In the past three years, three previous CEF actions on different topics were carried out: 

1. the use of cloud-based services by the public sector,
2. the designation and position of Data Protection Officers, and
3. the implementation of the right of access by controllers.

For further information:

• AT DPA: Coordinated Enforcement Framework 2025 (CEF 2025) - EDSA
• BG DPA: Започва координирано действие по изследване на приложението на правото на изтриване (право „да бъдеш забравен“)
• CS DPA: Evropský sbor pro ochranu osobních údajů zahájil další společnou koordinovanou dozorovou akci
• DA DPA: EDPB igangsætter koordineret indsats om retten til sletning
• DE DPA (Baden-Wuerttemberg): Europaweite Aktion zum Recht auf Löschung
• DE DPA (Berlin):  PRESSEMITTEILUNG der Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder vom 5. März 2025
• DE DPA (Brandenburg): Brandenburgische Datenschutzaufsicht beteiligt sich an europaweiter Prüfung zum Recht auf Löschung mit Schwerpunkt Wohnungsunternehmen
• EDPS: EDPS participates in fourth Coordinated Enforcement Action: focus on the right to erasure of personal data
• EL DPA: Έναρξη συντονισμένης δράσης του ΕΣΠΔ 2025 σχετικά με το δικαίωμα διαγραφής
• ES DPA: La AEPD participa en una acción europea para analizar la aplicación del derecho de supresión
• FI DPA: Tietosuojavaltuutetun toimisto selvittää henkilötietojen poisto-oikeuden toteutumista osana EU:n laajuista toimenpidettä
• HR DPA: Započela nova koordinirana akcija EDPB-a: pravo na brisanje
• IE DPA: Launch of coordinated enforcement action on the right to erasure
• IT DPA: GDPR, il Garante italiano partecipa al CEF 2025 sul diritto alla cancellazione
• LI DPA: Europäische Initiative zum Recht auf Löschung
• MT DPA: Launch of Coordinated Enforcement Action on the Right to Erasure
• SI DPA: Informacijski pooblaščenec bo v letu 2025 nadzoroval upoštevanje pravice do izbrisa