Brussels, 23 April - The European Data Protection Board (EDPB) has published its 2024 Annual Report. The report provides an overview of the EDPB work carried out in 2024 and reflects on important milestones, such as the adoption of the 2024-2027 strategy, the increase in Art. 64(2) consistency opinions and the continued efforts to provide guidance and legal advice.

EDPB Chair Anu Talus said: “As I look back on the work carried out over the past year, I am proud to present our achievements. In 2024, we reaffirmed our commitment to safeguarding individuals’ fundamental rights to privacy and data protection in a fast-changing digital landscape.

We adopted a new strategy and continued to play a central role in providing guidance and ensuring a consistent application of the General Data Protection Regulation (GDPR) across Europe. To support understanding and implementation of data protection rights and duties, we expanded our outreach activities by devoting special attention to businesses and non-expert individuals. In addition, we acquired new roles in the framework of the new digital legislations.”

A new EDPB strategy

The EDPB strategy 2024-2027 outlines key priorities and actions to strengthen and modernise data protection across Europe, ensure consistent enforcement of the GDPR, and address emerging challenges, including cross-regulatory cooperation. The strategy also helps strengthen the EDPB’s global presence by engaging with global partners and representing the EU data protection model in key international fora.

EDPB’s central role in providing guidance and legal advice

The number of consistency opinions adopted under Art. 64(2) GDPR significantly increased. In 2024, the Board adopted eight Art. 64 (2) GDPR opinions, including on ‘Consent or Pay’ models used by large online platforms, the use of facial recognition at airports, and the use of personal data to train AI models. These opinions address a matter of general application and ensure consistency prior to enforcement.

The EDPB actively participated in legislative discussions by issuing statements highlighting data protection considerations and impacts. For example, the Board adopted statements on the draft procedural regulation for GDPR enforcement, and on the DPAs role in the AI Act framework.

The EDPB has also expanded its general guidance to help organisations achieve and maintain GDPR compliance. To this end, the Board adopted four new guidelines in 2024, such as the guidelines on legitimate interest and on data transfers to third country authorities.

Proactive engagement with stakeholders

In 2024, the EDPB continued to engage with stakeholders to foster open dialogue and mutual understanding between regulators, industry representatives, civil society organisations, and academic institutions.  To collect relevant insights from organisations that have expertise on data protection-related topics, the Board launched public consultations on its adopted guidelines and organised two stakeholder events, related to the upcoming guidelines on “Consent or Pay” models and to the preparation of the Opinion on AI models.

Contributing to cross-regulatory cooperation

New digital legislations, including the Digital Markets Act (DMA), the Digital Services Act (DSA), the AI Act, the Data Governance Act (DGA) and the Data Act, build on GDPR. To ensure consistency of application between the GDPR and these acts, the EDPB actively contributed to cross-regulatory cooperation by engaging with European and international partners, including the EU AI Office and the high-level group on the DMA.

Making the GDPR understandable and practical for all

Finally, the EDPB continued its efforts to provide information on the GDPR to a broader and non-expert audience by presenting it in a clear and non-technical language. To this end, the EDPB made the Data Protection Guide for Small Business available in 18 languages. In addition, the Board has launched a series of summaries of EDPB guidelines to help non-expert individuals and organisations identify in an easier way the most important points to consider. 
 

EDPB Annual Report 2024

• Annual report

Brussels, 14 April - During its April 2025 plenary, the European Data Protection Board (EDPB) has adopted guidelines on processing of personal data through blockchain technologies.  A blockchain is a distributed digital ledger system that can confirm transactions  and  establish  who  owned  a  digital  asset  (such  as cryptocurrency)  at  a  given  time. Blockchains can also support the secure handling and transfer of data, ensuring its integrity and traceability.

As the use of blockchain technologies is expanding, the Board considers it important to help organisations using these technologies to comply with the GDPR. 
In its guidelines, the EDPB explains how blockchains work, assessing the different possible architectures and their implications for the processing of personal data.

The guidelines highlight the importance of implementing technical and organisational measures at the earliest stages of the design of the processing. The EDPB also clarifies that the roles and responsibilities of the different actors in a blockchain-related processing of personal data should be assessed during the design of the processing.
In addition, organisations should carry out a Data Protection Impact Assessment (DPIA) before processing personal data through blockchain technologies, where the processing is likely to result in a high risk to the rights and freedoms of individuals.

According to the Board, organisations should also ensure the highest protection of individuals’ personal data during the processing so that they are not made accessible to an indefinite number of persons by default.

The guidelines provide examples of different techniques for data minimisation, as well as for handling and storing personal data. As a general rule, storing personal data in a blockchain should be avoided if this conflicts with data protection principles.

Finally, the Board highlights the importance of the rights of individuals especially regarding transparency, rectification and erasure of personal data. 

The guidelines will be subject to public consultation until 9 June 2025, providing stakeholders with the opportunity to comment.

During its latest plenary, the EDPB also decided to closely cooperate with the AI Office in relation to the drafting of the guidelines on the interplay between the AI Act and EU data protection legislation.
 

Brussels, 14 March - During its March 2025 plenary meeting, the European Data Protection Board (EDPB) adopted a statement on the implementation of the Passenger Name Record Directive (PNR) in light of the Court of Justice of the EU (CJEU) judgment C-817/19*. 

In its second statement on the implementation of the PNR Directive, which follows the one of 15 December 2022, the Board gives further guidance to the Passenger Information  Units (PIUs)** on the necessary adaptions and limitations to the processing of PNR data, following the PNR judgment. PNR data is personal information provided by passengers, and collected and held by air carriers that includes the names of the passengers, travel dates, itineraries, seats, baggage, contact details and means of payment.

The statement includes practical recommendations for the national laws transposing the PNR Directive in order to give effect to the findings of the CJEU in the PNR judgment. The recommendations cover some of the key aspects of the PNR judgement such as how European countries should select the flights from which PNR data is collected, or how long PNR data should be retained. According to the Board, the retention period of all PNR data should not exceed an initial period of six months. After this period, European countries may only store PNR data as long as needed and proportionate to the objectives of the PNR Directive.

EDPB Chair Anu Talus said: “The EDPB recognises the importance of the PNR Directive in improving the security of passengers across Europe and in helping prevent, detect and prosecute terrorist offences and serious crime. The transfer of PNR data in Europe should take place in a harmonised way and in full respect of data protection principles.”

The Board is aware that some European countries have already started the adaptation process, but there is still a substantial lack of implementation efforts throughout the Member States. Therefore, in its statement, the EDPB outlines the urgent need to implement the necessary changes and to amend national laws by taking into account the PNR judgment as soon as possible.

Note to editors
* On 21 June 2022, on a referral from the Belgian Constitutional Court, the CJEU rendered its judgment C-817/19 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, under the PNR Directive 2016/681. While the Court found that the validity of the PNR Directive was not affected, it ruled that, in order to ensure compliance with the EU Charter of Fundamental Rights (the Charter), the PNR Directive needs to be interpreted as including important limitations to the processing of personal data. Some of these limitations are the application of the PNR system only to terrorist offences and serious crime, having an objective link with the carriage of passengers by air, and the non-indiscriminate application of the general retention period of five years to all passengers’ personal data.
** The PIUs are specific entities in European countries which are responsible for the collection, storage, and processing of PNR data.
 

Brussels, 05 March - The European Data Protection Board (EDPB) has launched its Coordinated Enforcement Framework (CEF) action for 2025. Following a year-long coordinated action on the right of access in 2024, the CEF's focus this year will shift to the implementation of another data protection right, namely the right to erasure or the “right to be forgotten” (Art.17 GDPR).

The Board selected this topic during its October 2024 plenary as it is one of the most frequently exercised GDPR rights and one about which DPAs frequently receive complaints from individuals.
 

Next steps

During 2025, 30 Data Protection Authorities (DPAs) across Europe, as well as the European Data Protection Supervisor (EDPS), will take part in this initiative.

Participating DPAs will soon contact a number of controllers from different sectors across Europe, either by opening new formal investigations or doing fact-finding exercises. In the latter case, they might also decide to undertake additional follow-up actions if needed. 

DPAs will check how controllers handle and respond to the requests for erasure that they receive and, in particular, how they apply the conditions and exceptions for the exercise of this right. 

DPAs will also stay in close contact to share and discuss their findings throughout this year. The results of these national actions will be aggregated and analysed together to generate deeper insight into the topic, allowing for targeted follow-ups on both national and EU levels.
 

Background

The CEF is a key action of the EDPB under its 2024-2027 strategy, aimed at streamlining enforcement and cooperation among DPAs.
In the past three years, three previous CEF actions on different topics were carried out: 

1. the use of cloud-based services by the public sector,
2. the designation and position of Data Protection Officers, and
3. the implementation of the right of access by controllers.

For further information:

• AT DPA: Coordinated Enforcement Framework 2025 (CEF 2025) - EDSA
• BG DPA: Започва координирано действие по изследване на приложението на правото на изтриване (право „да бъдеш забравен“)
• CS DPA: Evropský sbor pro ochranu osobních údajů zahájil další společnou koordinovanou dozorovou akci
• DA DPA: EDPB igangsætter koordineret indsats om retten til sletning
• DE DPA (Baden-Wuerttemberg): Europaweite Aktion zum Recht auf Löschung
• DE DPA (Berlin):  PRESSEMITTEILUNG der Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder vom 5. März 2025
• DE DPA (Brandenburg): Brandenburgische Datenschutzaufsicht beteiligt sich an europaweiter Prüfung zum Recht auf Löschung mit Schwerpunkt Wohnungsunternehmen
• EDPS: EDPS participates in fourth Coordinated Enforcement Action: focus on the right to erasure of personal data
• EL DPA: Έναρξη συντονισμένης δράσης του ΕΣΠΔ 2025 σχετικά με το δικαίωμα διαγραφής
• ES DPA: La AEPD participa en una acción europea para analizar la aplicación del derecho de supresión
• FI DPA: Tietosuojavaltuutetun toimisto selvittää henkilötietojen poisto-oikeuden toteutumista osana EU:n laajuista toimenpidettä
• HR DPA: Započela nova koordinirana akcija EDPB-a: pravo na brisanje
• IE DPA: Launch of coordinated enforcement action on the right to erasure
• IT DPA: GDPR, il Garante italiano partecipa al CEF 2025 sul diritto alla cancellazione
• LI DPA: Europäische Initiative zum Recht auf Löschung
• MT DPA: Launch of Coordinated Enforcement Action on the Right to Erasure
• SI DPA: Informacijski pooblaščenec bo v letu 2025 nadzoroval upoštevanje pravice do izbrisa

Brussels, 13 February - The EDPB published the Coordinated Supervision Committee's (CSC) biannual activity report (July 2022 - December 2024).

Over the last two years, the CSC worked on the integration of the large-scale EU information technology (IT) systems within its scope. During the reporting period, it took over the supervision of the upgraded Schengen Information System (SIS) and the Visa Information System (VIS).

In addition, the Committee prepared for the arrival of new systems and for the implementation of interoperability regulations.

The Committee has also published a set of recommendations on the Internal Market Information System (IMI) transparency obligations for data controllers.

In addition, in July 2023, the CSC published ‘Europol’s information systems - a guide for exercising data subjects’ rights: the right of access, rectification, erasure and restriction’.

Following the 2022 Audit Report of the EDPS on Europol’s processing of personal data of minors under 15 years old, provided to Europol by third countries and international organisations and marked as suspects, the CSC undertook a coordinated activity to analyse the input from several Member States.

During the past two years, the Committee also promoted dialogue and engagement with stakeholders, particularly with civil society.

Update: Brussels, 27 February - The CSC has also adopted its work programme 2025-2026. To ensure a continuous high level of protection of individuals’ rights, the Committee will dedicate closer attention to following topics:

• allocation of roles (controller, joint controller, processor) in the systems falling under the Justice and Home Affairs (JHA) interoperability framework
• streamlined cooperation when handling complaints (JHA interoperability framework and Europol, Eurojust, European Public Prosecutor’s Office).

CSC’s future work

Looking forward to the coming years, the CSC is ready to welcome more EU IT systems and EU bodies, offices or agencies within its scope. As the range of the CSC’s activities continues to expand, the Committee will keep its organisation and operation under constant review to ensure an effective and efficient supervision.

In addition, the CSC will continue to assist national data protection authorities (DPAs) in their work, by providing further clarification on the interpretation of EU and national laws. The Committee will also foster the exchange of information and best practices, and provide support for joint audits and coordinated inspections.

Taking advantage of its unique framework and broad perspective, the CSC will ensure the proper monitoring of multiple data flows among systems, transversal interactions and sharing of information between EU agencies and bodies. To this end, and to guarantee a high level of data protection, the Committee will keep developing coordinated supervisory activities.

Background

The CSC is a group of DPAs, which together ensure coordinated supervision of large scale IT systems, and of EU bodies, offices and agencies falling under its scope.

The CSC enjoys an autonomous functioning and positioning and it adopts its own rules of procedure and working methods. The Committee was established within the framework of the EDPB.
 

Brussels, 12 February - During its February 2025 plenary meeting, the European Data Protection Board (EDPB) adopted a statement on age assurance and decided to create a taskforce on AI enforcement. In addition, the Board also adopted recommendations on the 2027 World Anti-Doping Agency (WADA) World Anti-Doping Code.

In a statement on age assurance, the EDPB lists ten principles for the compliant processing of personal data when determining the age or age range of an individual. The statement aims to ensure a consistent European approach to age assurance, to protect minors while complying with data protection principles. 

EDPB Chair Anu Talus said: “Age assurance is essential to ensure that children do not access content that is not appropriate for their age.  At the same time, the method to verify age must be the least intrusive possible and the personal data of children must be protected. The principles put forward by the EDPB will help the industry to assess an individual’s age in a way that is compliant with data protection principles, while protecting children’s wellbeing.”

The EDPB is also cooperating with the European Commission on age verification in the context of the Digital Services Act (DSA) working group.

During the plenary, the Board also decided to extend the scope of the ChatGPT task force to AI enforcement. In addition, the EDPB members underlined the need to coordinate DPAs' actions regarding urgent sensitive matters and for that purpose will set up a quick response team. 

EDPB Chair Anu Talus said: “The GDPR is a legal framework that promotes responsible innovation. The GDPR has been designed to maintain high data protection standards while fully leveraging the potential of innovation, such as AI, to benefit our economy. The EDPB’s task force on AI enforcement and the future quick response team will play a crucial role in ensuring this balance, coordinating the DPAs' actions and supporting them in navigating the complexities of AI while upholding strong data protection principles.”

During the plenary, the EDPB also adopted recommendations on the 2027 WADA World Anti-Doping Code. When processing personal data for anti-doping purposes, it is essential to respect and safeguard the personal data of athletes. In many cases, this will involve the processing of sensitive personal data, such as health data derived from biological samples.

The EDPB’s main objective is to assess the compatibility of the WADA Anti-doping Code and International Standard for Data Protection (ISDP) with the GDPR. The Anti-doping Code and Standards should hold the National Anti-Doping Organisations (NADOS) subject to a standard equivalent to that of the GDPR when processing personal data for anti-doping purposes. 
The EDPB’s recommendations address key principles of data protection, such as the need for an appropriate legal basis for the processing of personal data and purpose limitation. The recommendations also address the fact that individuals need to be fully informed about the processing of their personal data and can effectively exercise their rights.

Note to editors:
The recommendations on the 2027 World Anti-Doping Agency (WADA) World Anti-Doping Code, adopted during the EDPB Plenary, are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once the process has been completed.
 

If someone asked you to answer 100 questions about your personal life to sell the answers, would you agree? Most likely not.

It can be difficult  to keep in control over your personal data and to keep it safe. From online shopping and browsing to social media, with every click, share and login-in you leave behind a digital trail. The GDPR ensures that your data can only be used in ways you agree to and that you can access any information about yourself.

But do people actually know how to protect their data? 
We asked passers-by on the streets of Brussels.

Happy Data Protection Day!

Sorry, your browser doesn't support embedded videos.

Brussels, 20 January - The European Data Protection Board (EDPB) has adopted a report on the implementation of the right of access by controllers. The report summarises the outcome of a series of coordinated national actions carried out in 2024 under the Coordinated Enforcement Framework (CEF). It lists the issues that were observed for some controllers, along with a series of recommendations to help them implement the right of access. A central element is controllers’ awareness of the EDPB Guidelines 01/2022 on data subjects rights – Right of access and whether these guidelines were followed in practice.

EDPB Deputy Chair Zdravko Vukíc said: “The CEF is a valuable initiative that helps strengthen the cooperation among Data Protection Authorities (DPAs): by tackling selected topics in a coordinated fashion, they achieve greater efficiency and more consistency. How controllers implement the right of access lies at the heart of data protection and it is one of the most frequently exercised data subject rights.”

Throughout 2024, 30 DPAs across Europe launched coordinated investigations into the compliance of controllers with the right of access, by opening formal investigations, assessing whether a formal investigation was warranted and/or carrying out fact-finding exercises.  A total of 1,185 controllers, consisting of small and medium-sized enterprises (SMEs) and big companies active in different industries and fields, as well as various types of public entities, responded to the action.

Areas of improvement and main challenges

The results suggest that more awareness raising about Guidelines 01/2022 is necessary, both at national and EU level, as the guidelines help controllers implement the right of access, explain how exercising this right can be made easier, and list the exceptions and limitations of the right to access.

As a result of the 2024 CEF action, seven challenges were identified. One of them is the lack of documented internal procedures to handle access requests. In addition, inconsistent and excessive interpretations of the limits to the right of access were also observed, such as overly relying on certain exceptions to automatically refuse access requests. Another example is the barriers that individuals could encounter when exercising their right of access, such as  formal requirements or being requested to provide excessive identification documents. For each challenge identified, the report provides a list of non-binding recommendations to be taken into account by controllers and DPAs.

Positive findings

Despite the existing challenges, two thirds of participating DPAs evaluated the level of compliance of responding controllers with respect to the right of access from ‘average’ to ‘high’. One important factor identified as having an impact on the level of compliance was the volume of access requests received by controllers, as well as the size of the organisation. More specifically, large-sized controllers or controllers receiving more requests were more likely to reach a higher level of compliance than small organisations with less resources.

Positive findings were observed across Europe. These include the implementation of best practices by controllers, such as user-friendly online forms enabling individuals to submit an access request easily as well as self-service systems to allow individuals to autonomously download their personal data in a few clicks and at any time.

Background and next steps

The CEF is a key action of the EDPB under its 2024-2027 Strategy, aimed at streamlining enforcement and cooperation among DPAs. 
In the past three years, two previous CEF actions were carried out.

The results of these national actions are aggregated and analysed together to generate deeper insight into the topic and allowing for targeted follow-up on both national and EU level.

In 2023, the EDPB published the report on its first coordinated action on the use of cloud-based services by the public sector.
In 2024, the EDPB also published the report on the outcome of the second coordinated action on the designation and position of Data Protection Officers.

The CEF 2025 action will be on the implementation of the right to erasure.
 

For further information:

• AT DPA: Schwerpunktprüfung 2024: Datenschutzbehörde zieht positive Bilanz für den Telekomsektor
• CS DPA: EDPB přijal závěrečnou zprávu ke společné kontrolní akci CEF 2024
• DA DPA:DPB vedtager rapport om dataansvarliges overholdelse af indsigtsretten
• DE DPA (Brandenburg): Brandenburgische Datenschutzbeauftragte beteiligte sich an europaweiter Prüfaktion zur Umsetzung des Auskunftsrechts
• DE DPAs (DSK): Pressemitteilung der Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder vom 22. Januar 2025
• EDPS: Coordinated Enforcement Action: EDPS findings highlight challenges on right of access to personal data
• EL DPA: Υλοποίηση της 3ης συντονισμένης δράσης του Ευρωπαϊκού Συμβουλίου Προστασίας Δεδομένων για το δικαίωμα πρόσβασης
• ES DPA: Resultados de la acción europea que ha analizado la atención del ejercicio del derecho de acceso por parte de los responsables 
• FI DPA: Raportti omien henkilötietojen tarkastusoikeutta koskevasta selvityksestä on julkaistu – täydensimme ohjeistusta verkkosivuillamme 
• FR DPA: Droit d’accès : bilan des contrôles de la CNIL dans le cadre d’une action coordonnée européenne
• HU DPA: Közlemény az Európai Adatvédelmi Testület által a 2024. évre prioritásként meghatározott, a hozzáférési jog érvényesítésére fókuszáló összehangolt intézkedés eredményéről 
• IE DPA: DPC welcomes publication of the European Data Protection Board’s report on the implementation of the right of access by controllers and DPC national report findings under the Coordinated Enforcement Framework for 2024
• LU DPA: Le droit d’accès en pratique : observations et recommandations du cadre d’action coordonnée européen (FR), The right of access in practice: observations and recommendations from the European Coordinated Enforcement Framework (EN), Das Auskunftsrecht in der Praxis: Beobachtungen und Empfehlungen des koordinierten Durchsetzungsrahmen (CEF) (DE)
• MT DPA: CEF 2024: IDPC Report on Coordinated Enforcement Action 2024 on Right of Access
• SI DPA: Ali ustrezno obravnavate zahteve za dostop do lastnih osebnih podatkov? Poročilo usklajene akcije EOVP
• PT DPA: Comité Europeu emite recomendações para simplificar o direito de acesso aos dados

Brussels, 17 January - During its January 2025 plenary meeting, the European Data Protection Board (EDPB) has adopted guidelines on pseudonymisation, as well as a statement on the interplay of competition law and data protection.

EDPB clarifies the use of pseudonymisation for GDPR compliance

The GDPR introduces the term ‘pseudonymisation’* and refers to it as a safeguard that may be appropriate and effective to meet data protection obligations. In its guidelines, the EDPB clarifies the definition and applicability of pseudonymisation and pseudonymised data, and the advantages of pseudonymisation.

The guidelines provide two important legal clarifications:

1. Pseudonymised data, which could be attributed to an individual by the use of additional information, remains information related to an identifiable natural person and is therefore still personal data. Indeed, if the data can be linked back to an individual by the data controller or someone else, it remains personal data.
    
2. Pseudonymisation can reduce risks and make it easier to use legitimate interests as a legal basis (Art. 6(1)(f)  GDPR), as long as all other GDPR requirements are met. Likewise, pseudonymisation can aid in securing compatibility with the original purpose (Art. 6(4) GDPR).

The guidelines also explain how pseudonymisation can help organisations meet their obligations relating to the implementation of data protection principles (Art. 5 GDPR), data protection by design and default (Art. 25 GDPR) and security (Art. 32 GDPR).

Finally, the guidelines analyse technical measures and safeguards, when using pseudonymisation, to ensure confidentiality and prevent unauthorised identification of individuals.

The guidelines will be subject to public consultation until 28 February 2025, providing stakeholders with the opportunity to comment and allowing for the incorporation of future developments in case law.

Interplay between data protection law and competition law: the EDPB’s take on how to improve cooperation between regulators

During the plenary meeting, the EDPB also adopted a position paper on the interplay between data protection law and competition law.

The CJEU Meta vs. Bundeskartellamt ruling of 4 July 2023 clearly indicated that data protection and competition authorities are required to work together, in some cases, to achieve effective and coordinated enforcement of data protection and competition law. While these are separate areas of law pursuing different goals in different frameworks, they may in some cases apply to the same entities. It is therefore important to assess situations where the laws may intersect.

In this position paper, the EDPB explains how data protection and competition law interact. It suggests steps for incorporating market and competition factors into data protection practices and for data protection rules to be considered in competition assessments. It also provides recommendations for improving cooperation between regulators. For example: authorities should consider creating a single point of contact to manage coordination with other regulators.

EDPB Deputy Chair Zdravko Vukíc said: “As business models evolve, the need to protect personal data is becoming increasingly central. The EDPB promotes coherence among separate but interacting areas of regulation, to ensure the best possible protection of individuals. To this end, we will continue to work together with Competition Authorities to strengthen the ability of Data Protection Authorities (DPAs) to take into account the economic context, and the ability of Competition Authorities to incorporate data protection considerations in their assessments and decisions.”

Note to editors:

*’ Pseudonymisation’ is defined in Art. 4 (5) GDPR as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”