Targeted modifications of the GDPR: EDPB & EDPS welcome simplification of record keeping obligations and request further clarifications julia Wed, 07/09/2025 - 12:39 Wed, 07/09/2025 - 12:00

EDPS and EDPB a Joint Opinion on the European Commission’s Proposal for a Regulation amending certain regulations, including the GDPR.

Read Press Release

Read Joint Opinion 

0

A fundamental rights approach to innovation and competitiveness

Helsinki, 3 July 2025 – At a high-level meeting in Helsinki on 1–2 July 2025, the European Data Protection Board (EDPB) adopted a landmark Statement on enhanced clarity, support and engagement.

The Statement outlines new initiatives to make GDPR compliance easier, in particular for micro, small and medium organisations, strengthen consistency and boost cross-regulatory cooperation. 

EDPB Chair Anu Talus said: “The EDPB aims to ensure that compliance with the GDPR can be more easily achieved. By placing fundamental rights into the core of their digital transformation, organisations can ensure that technological advancements and the respect for European values go hand in hand, ultimately building a stronger and more resilient digital economy.”

Across its efforts, the EDPB will strengthen its dialogue with stakeholders, holding proactive and early engagement to identify areas where further support and clarification is required, and providing the opportunity for stakeholders to flag possible inconsistencies and give feedback. The EDPB will publicly report on the main outcomes of the public consultations. 

The EDPB will launch a series of direct and practical resources to simplify GDPR application.

EDPB Chair Anu Talus said: “The EDPB is committed to helping organisations in achieving GDPR compliance with greater ease and efficiency. Through timely and concise guidance and ready-to-use tools, like a common data breach notification template, checklists, how-tos and FAQs, we will continue to make GDPR alignment achievable and accessible for all.”

Among the measures agreed upon to ensure consistent GDPR interpretation and enforcement across Europe, EDPB Members will make continuous efforts to align national and EDPB guidance. They will also develop common practices, methods, tools and common actions review guidelines to ensure their real-world effectiveness. The EDPB will also publish positions by DPAs on priority issues to help organisations understand and act on regulatory expectations.

The EDPB recognises the growing complexity of the digital regulatory landscape and has renewed its commitment to fostering structured cooperation with non-data protection regulators to address legal and practical challenges in cross-sectoral cases.
 

Collaboration & Consistent efforts: two cornerstones for data protection in EU institutions miriam Wed, 07/02/2025 - 15:56 Wed, 07/02/2025 - 12:00

The EDPS - Data Protection Network meeting meets twice a year to discuss data protection priorities and practices in the digital world. 

Read Blogpost by EDPS Secretary General Leonardo Cervera Navas. 

0

New TechDispatch Talks are out! miriam Tue, 07/01/2025 - 12:48 Thu, 07/03/2025 - 12:00

EDPS presents a brand new episode of TechDispatch Talks, a series to help you understand new and emerging technologies, their opportunities but also privacy challenges. Now you can watch it or have a listen!

0

Newsletter #115 miriam Fri, 06/27/2025 - 16:04 Wed, 07/02/2025 - 12:00

30 days of preserving privacy and data protection, what does that look like? Read our newsletter to find out. 

1 Read it now

From Cradle to Cloud: Surveillance and Digitalisation around Childhood ilucenfe Fri, 06/13/2025 - 16:22 Mon, 07/07/2025 - 12:00

EDPS and EDPB Trainees organised a conference to reflect and foster discussion on the digital rights of children.

Read the EDPS - EDPB trainees' blogpost.

Watch the recording. 

0 Learn more

TechDispatch - Federated Learning francesco Tue, 06/10/2025 - 09:39 Tue, 06/10/2025 - 12:00

The EDPS TechDispatch provides factual descriptions of a new technology and its implication for personal data protection. Learn more about Federated Learning in this new edition.

1 Read here

Brussels, 05 June - During its latest plenary, the European Data Protection Board (EDPB) adopted the final version of its guidelines on Art.48 GDPR about data transfers to third country authorities, after public consultation. In addition, the Board presented two new Support Pool of Experts (SPE) projects providing training material on artificial intelligence and data protection. Finally, the Board discussed the European Commission’s request for a joint EDPB-EDPS opinion on the draft proposal on the simplification of record-keeping obligation under the GDPR. 

Data transfers to third country authorities 

Following public consultation, the EDPB has adopted the final version of the guidelines on data transfers to third country authorities. In its guidelines, the EDPB zooms in on Art. 48 GDPR and clarifies how organisations can best assess under which conditions they can lawfully respond to requests for a transfer of personal data from third country authorities (i.e. authorities from non-European countries).

The EDPB explains that judgements or decisions from third country authorities cannot automatically be recognised or enforced in Europe. As a general rule, an international agreement may provide for both a legal basis and a ground for transfer. In case there is no international agreement, or if the agreement does not provide for an appropriate legal basis or safeguards, other legal bases or other grounds for transfer could be considered, in exceptional circumstances and on a case by case basis.

The modifications introduced in the updated guidelines do not change their orientation, but they aim to provide further clarifications on different aspects that were brought up in the consultation. For example, the updated guidelines address the situation where the recipient of a request is a processor. In addition, they provide additional details regarding the situation where a mother company in a third country receives a request from that third country authority and then requests the personal data from its subsidiary in Europe. 

 

Upskilling and reskilling on AI and data protection

During its June’s plenary, the EDPB also presented two new Support Pool of Experts (SPE) projects*: Law & Compliance in AI Security and Data Protection and Fundamentals of Secure AI Systems with Personal Data. The two projects, which have been launched at the request of the Hellenic Data Protection Authority (HDPA), provide training material on AI and data protection.

The report “Law & Compliance in AI Security & Data Protection” is addressed to professionals with a legal focus like data protection officers (DPO) or privacy professionals.

The second report, “Fundamentals of Secure AI Systems with Personal Data”, is oriented toward professionals with a technical focus like cybersecurity professionals, developers or deployers of high-risk AI systems.

The main aim of these projects is to address the critical shortage of skills on AI and data protection, which is seen as a key obstacle to the use of privacy-friendly AI. The training material will help equip professionals with essential competences in AI and data protection to create a more favourable environment for the enforcement of data protection legislation.

The Board decided to publish both documents as PDF files. Taking into account the very fast evolution of AI, the EDPB also decided to launch a new innovative initiative as a one-year pilot project consisting of a modifiable community version of the reports. The EDPB will start working with the authors of both reports to import them in its Git repository** to allow, in a near future, any external contributor, with an account on this platform and under the condition of the Creative Commons Attribution-ShareAlike license, to propose changes or add comments to the documents.

Simplification of record-keeping obligation under the GDPR ***

Finally, the Board discussed the European Commission's request for a joint opinion by the EDPB and the European Data Protection Supervisor (EDPS) on its proposal to simplify the record-keeping obligations of small and medium-sized enterprises (SMEs), small mid-caps (SMCs) and organisations with fewer than 750 employees, amounting to a targeted amendment of Art. 30(5) GDPR. The EDPB and EDPS will issue their joint opinion on this matter within eight weeks. 

 

Note to editors:

* The Support Pool of Experts (SPE) is an initiative included in the EDPB strategy 2024-2027 to help Data Protection Authorities (DPAs) increase their capacity to enforce by developing common tools and giving them access to a wide pool of experts.  

As part of the SPE programme, the EDPB may commission experts to provide reports and tools on specific topics. The views expressed in the deliverables are those of their authors and they do not necessarily reflect the official position of the EDPB.

** The reports will be available in the following months on the repository page.

***On 8 May 2025, the EDPB and the EDPS adopted a letter, addressed to the European Commission, to share preliminary views on the Commission’s proposal on the simplification of record-keeping obligation under the GDPR.

High-Level Debate on Competition, Innovation and Data Protection klaudia Tue, 06/03/2025 - 15:52 Tue, 06/03/2025 - 12:00

On 3 June 2025, EDPS, BfDI and BayLfD organised a high-level debate to reflect on the EU's Digital Rulebook. The video recording of the debate is now available on:

Video highlights from the event.

Full recording

Learn more

0

Migration management: data protection is one of the last lines of defence for vulnerable individuals julia Wed, 05/28/2025 - 10:41 Wed, 05/28/2025 - 12:00

The EDPS published on 28 May 2025 an Opinion on the Proposal for a Regulation establishing a common system for the return of third-country nationals staying illegally in the EU.

The objective of the Proposal is to ensure the effective return and re-admission of third-country nationals illegally staying in the EU by providing Member States with simplified and common rules.

Read Press Release and Opinion 

0

EDPS at CPDP 2025 - The world is watching ilucenfe Tue, 05/20/2025 - 15:06 Tue, 05/20/2025 - 12:00

CPDP is back! Discover the EDPS involvement in this year's Conference on Computers, Privacy and Data Protection, taking place on May 21-23 in Brussels.

The EDPS will organise two panels on Artificial Intelligence and Data Protection. EDPS' experts will also participate as speakers in other panels and the Supervisor will deliver the conference's closing remarks.

1 Learn more

Newsletter is out! miriam Mon, 05/12/2025 - 11:52 Mon, 05/12/2025 - 12:00

In this issue, read about our trainees’ vision for Europe; our upcoming event on the future of data protection; current affairs on data protection law; our advice and tools for EU institutions, bodies, offices and agencies, and MORE! Read it here.

1 Read it now

Simplification of record-keeping obligation: EDPB and EDPS adopt letter to EU Commission julia Thu, 05/08/2025 - 18:05 Thu, 05/08/2025 - 12:00

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a letter, addressed to the European Commission, on the upcoming proposal on the simplification of record-keeping obligation under the GDPR, amounting to a targeted amendment of Art. 30(5) GDPR.

The joint letter replies to the letter sent by the European Commission to the EDPB and the EDPS on 6 May 2025 where the Commission explained how it intends to introduce specific modifications to the GDPR. The EDPB and EDPS understand that a formal consultation will take place after the publication of the proposed legislative change.

The EDPB and EDPS shared that, at this stage, they could express preliminary support to this targeted simplification initiative, bearing in mind that this would not affect the obligation of controllers and processors to comply with other GDPR obligations. Nevertheless, the EDPB and EDPS asked the Commission to better evaluate the impact on the organisation subject to this change, to assess whether the draft proposal ensure a proportionate and fair balance between the protection of personal data and the interests of organisations with less than 500 employees.

Full letter here

0 Full letter here

Blogpost: Celebrating Schuman Day – Young Voices Speak for Europe miriam Thu, 05/08/2025 - 15:35 Fri, 05/09/2025 - 12:00

Every year at the EDPS, we celebrate Europe Day, the achievements and opportunities it made possible to Europeans. Honouring the legacy of those who advanced the European project is as important as looking ahead and listening to the generations that will shape its future. EDPS Supervisor has therefore asked them about how the EU has impacted their lives and what it means to be European today. 

Read on about what they had to say.

1 Read blogpost

Brussels, 08 May - The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a letter, addressed to the European Commission, on the upcoming proposal on the simplification of record-keeping obligation under the GDPR, amounting to a targeted amendment of Art. 30(5) GDPR.

The joint letter replies to the letter sent by the European Commission to the EDPB and the EDPS on 6 May 2025 where the Commission explained how it intends to introduce specific modifications to the GDPR. The EDPB and EDPS understand that a formal consultation will take place after the publication of the proposed legislative change.  

The EDPB and EDPS shared that, at this stage, they could express preliminary support to this targeted simplification initiative, bearing in mind that this would not affect the obligation of controllers and processors to comply with other GDPR obligations. Nevertheless, the EDPB and EDPS asked the Commission to better evaluate the impact on the organisations subject to this change, to assess whether the draft proposal ensure a proportionate and fair balance between the protection of personal data and the interests of organisations with less than 500 employees.

EDPB-EDPS Letter on European Commission draft proposal on simplification of record-keeping under the GDPR

8 May 2025 Publication Type:

• Letters

Topics:

• Controller
• Processor
• Record of processing

English Download Simplification of record-keeping obligation: EDPB and EDPS adopt letter to EU Commission

Guidance for co-legislators on key elements of legislative proposals francesco Thu, 05/08/2025 - 10:09 Tue, 05/13/2025 - 12:00

The EDPS has developed Guidance for co-legislators on the main elements to consider when developing legislative proposals that imply the processing of personal data.

Read Press Release

1 Read more

Brussels, 06 May - During its latest plenary, the European Data Protection Board (EDPB) adopted an opinion on the European Commission’s draft adequacy decision under the GDPR concerning the European Patent Organisation (EPO). In addition, the Board adopted an opinion on the European Commission’s proposal to extend the validity of the UK adequacy decisions under the GDPR and the Law Enforcement Directive (LED). Finally, the EDPB agreed to grant the status of observer to the Personal Data Protection Agency of Bosnia and Herzegovina.

 

Adequate protection of personal data by the EPO

At the European Commission’s request, the Board adopted an opinion on the Commission’s draft adequacy decision regarding the European Patent Organisation (EPO). Once formally adopted by the Commission, this will be the first adequacy decision concerning an international organisation and not a country or a region.
An adequacy decision is a key-mechanism in EU data protection legislation which allows the European Commission to determine whether a third country or an international organisation offers an adequate level of data protection. The effect of such a decision is that personal data can flow freely from Europe to that third country or international organisation.

EDPB Chair, Anu Talus, said: “The EDPB welcomes the Commission’s initiative to work on the first adequacy decision concerning an international organisation. This decision shows how the legal framework of such organisations can be recognised as ensuring an adequate level of protection on the basis of Art.45 GDPR.

The EDPB underlines the importance of ongoing dialogue between the Commission and international organisations, with a view to developing this category of adequacy decisions in addition to those relating to third countries.”

In its opinion, the Board positively notes that the EPO data protection framework is largely aligned with the European Union data protection framework, including on data protection rights and principles.

This shows that the GDPR and, in particular, its transfer provisions, can facilitate safe data flows from Europe to international organisations, while taking into account their status.

 

Six-month extension of the UK adequacy decisions

The EDPB opinion, requested by the European Commission, addresses the proposed extension of the two UK adequacy decisions under the GDPR and the LED, which are set to expire on 27 June 2025.

The opinion only concerns the proposed 6-month extension of these adequacy decisions and does not address the level of protection for personal data afforded in the UK, which will be examined by the EDPB following the Commission’s assessment, and if the renewal of the UK adequacy decisions is proposed.

Since the UK‘s data protection reform is still pending in the UK parliament, the EDPB recognises the need for a technical and time-limited extension of the adequacy decisions until 27 December 2025.This will give the European Commission sufficient time to evaluate the updated UK legal framework once it has been adopted.  

The EDPB stresses that this extension is exceptional and is due to the ongoing legislative developments in the UK. It should not, in principle, be further prolonged.

The Board recalls the validity of its opinions 14/2021 and 15/2021 on the two UK adequacy decisions, adopted in April 2021, and invites the European Commission to take them into account in its future assessments. 
The Board also recalls the Commission’s obligation to monitor all relevant developments in the UK during the extension period.

 

New observer to the EDPB’s activities

Finally, EDPB members agreed to grant observer status to the EDPB’s activities to the Bosnia and Herzegovina Data Protection Authority, in line with Art. 8 EDPB Rules of Procedure.
 

Every year, on 9 May, people across Europe celebrate the anniversary of the Schuman Declaration, which was a milestone to bring peace and solidarity in Europe. This year is particularly special as it marks the 75th anniversary of this historic moment.

Let’s celebrate together

To celebrate this occasion, the EDPB takes part in the EU Open Day, with an interactive stand hosted by volunteers from the EDPB Secretariat and national Data Protection Authorities (DPAs). Come and visit us to learn more about data protection and the EDPB’s activities.

You will find the EDPB and EDPS stands at the European Commission’s headquarters - the Berlaymont building - Village 1 “A Democratic Union”, on Saturday 10 May from 10:00 to 18:00. 

Do you want to learn more about privacy and data protection — and test your knowledge?
Come visit us for fun activities and quizzes designed just for you!

Further information about Europe Day 2025
 

Visit Europe in one day ilucenfe Thu, 04/24/2025 - 16:24 Mon, 04/28/2025 - 12:00

To celebrate Europe Day, the European institutions are opening their doors to the public on 10 May 2025! Come visit us to discover the engaging activities the EDPS and EDPB have prepared for you. Stop by the EDPS on EU Open Day!

Learn more. 

0 Learn more

Brussels, 23 April - The European Data Protection Board (EDPB) has published its 2024 Annual Report. The report provides an overview of the EDPB work carried out in 2024 and reflects on important milestones, such as the adoption of the 2024-2027 strategy, the increase in Art. 64(2) consistency opinions and the continued efforts to provide guidance and legal advice.

EDPB Chair Anu Talus said: “As I look back on the work carried out over the past year, I am proud to present our achievements. In 2024, we reaffirmed our commitment to safeguarding individuals’ fundamental rights to privacy and data protection in a fast-changing digital landscape.

We adopted a new strategy and continued to play a central role in providing guidance and ensuring a consistent application of the General Data Protection Regulation (GDPR) across Europe. To support understanding and implementation of data protection rights and duties, we expanded our outreach activities by devoting special attention to businesses and non-expert individuals. In addition, we acquired new roles in the framework of the new digital legislations.”

A new EDPB strategy

The EDPB strategy 2024-2027 outlines key priorities and actions to strengthen and modernise data protection across Europe, ensure consistent enforcement of the GDPR, and address emerging challenges, including cross-regulatory cooperation. The strategy also helps strengthen the EDPB’s global presence by engaging with global partners and representing the EU data protection model in key international fora.

 

EDPB’s central role in providing guidance and legal advice

The number of consistency opinions adopted under Art. 64(2) GDPR significantly increased. In 2024, the Board adopted eight Art. 64 (2) GDPR opinions, including on ‘Consent or Pay’ models used by large online platforms, the use of facial recognition at airports, and the use of personal data to train AI models. These opinions address a matter of general application and ensure consistency prior to enforcement.

The EDPB actively participated in legislative discussions by issuing statements highlighting data protection considerations and impacts. For example, the Board adopted statements on the draft procedural regulation for GDPR enforcement, and on the DPAs role in the AI Act framework.

The EDPB has also expanded its general guidance to help organisations achieve and maintain GDPR compliance. To this end, the Board adopted four new guidelines in 2024, such as the guidelines on legitimate interest and on data transfers to third country authorities.

 

Proactive engagement with stakeholders

In 2024, the EDPB continued to engage with stakeholders to foster open dialogue and mutual understanding between regulators, industry representatives, civil society organisations, and academic institutions.  To collect relevant insights from organisations that have expertise on data protection-related topics, the Board launched public consultations on its adopted guidelines and organised two stakeholder events, related to the upcoming guidelines on “Consent or Pay” models and to the preparation of the Opinion on AI models.

 

Contributing to cross-regulatory cooperation

New digital legislations, including the Digital Markets Act (DMA), the Digital Services Act (DSA), the AI Act, the Data Governance Act (DGA) and the Data Act, build on GDPR. To ensure consistency of application between the GDPR and these acts, the EDPB actively contributed to cross-regulatory cooperation by engaging with European and international partners, including the EU AI Office and the high-level group on the DMA.

 

Making the GDPR understandable and practical for all

Finally, the EDPB continued its efforts to provide information on the GDPR to a broader and non-expert audience by presenting it in a clear and non-technical language. To this end, the EDPB made the Data Protection Guide for Small Business available in 18 languages. In addition, the Board has launched a series of summaries of EDPB guidelines to help non-expert individuals and organisations identify in an easier way the most important points to consider. 
 

EDPB Annual Report 2024

23 April 2025 Publication Type:

• Annual report

English Download file 1 Bulgarian Czech Danish German Greek English Spanish Estonian Finnish French Croatian Hungarian Italian Lithuanian Latvian Dutch Polish Portuguese Romanian Slovak Slovenian Swedish Download file 2 EDPB annual report 2024: protecting personal data in a changing landscape