Brussels, 12 February - During its February 2025 plenary meeting, the European Data Protection Board (EDPB) adopted a statement on age assurance and decided to create a taskforce on AI enforcement. In addition, the Board also adopted recommendations on the 2027 World Anti-Doping Agency (WADA) World Anti-Doping Code.

In a statement on age assurance, the EDPB lists ten principles for the compliant processing of personal data when determining the age or age range of an individual. The statement aims to ensure a consistent European approach to age assurance, to protect minors while complying with data protection principles. 

EDPB Chair Anu Talus said: “Age assurance is essential to ensure that children do not access content that is not appropriate for their age.  At the same time, the method to verify age must be the least intrusive possible and the personal data of children must be protected. The principles put forward by the EDPB will help the industry to assess an individual’s age in a way that is compliant with data protection principles, while protecting children’s wellbeing.”

The EDPB is also cooperating with the European Commission on age verification in the context of the Digital Services Act (DSA) working group.

During the plenary, the Board also decided to extend the scope of the ChatGPT task force to AI enforcement. In addition, the EDPB members underlined the need to coordinate DPAs' actions regarding urgent sensitive matters and for that purpose will set up a quick response team. 

EDPB Chair Anu Talus said: “The GDPR is a legal framework that promotes responsible innovation. The GDPR has been designed to maintain high data protection standards while fully leveraging the potential of innovation, such as AI, to benefit our economy. The EDPB’s task force on AI enforcement and the future quick response team will play a crucial role in ensuring this balance, coordinating the DPAs' actions and supporting them in navigating the complexities of AI while upholding strong data protection principles.”

During the plenary, the EDPB also adopted recommendations on the 2027 WADA World Anti-Doping Code. When processing personal data for anti-doping purposes, it is essential to respect and safeguard the personal data of athletes. In many cases, this will involve the processing of sensitive personal data, such as health data derived from biological samples.

The EDPB’s main objective is to assess the compatibility of the WADA Anti-doping Code and International Standard for Data Protection (ISDP) with the GDPR. The Anti-doping Code and Standards should hold the National Anti-Doping Organisations (NADOS) subject to a standard equivalent to that of the GDPR when processing personal data for anti-doping purposes. 
The EDPB’s recommendations address key principles of data protection, such as the need for an appropriate legal basis for the processing of personal data and purpose limitation. The recommendations also address the fact that individuals need to be fully informed about the processing of their personal data and can effectively exercise their rights.

Note to editors:
The recommendations on the 2027 World Anti-Doping Agency (WADA) World Anti-Doping Code, adopted during the EDPB Plenary, are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once the process has been completed.
 

If someone asked you to answer 100 questions about your personal life to sell the answers, would you agree? Most likely not.

It can be difficult  to keep in control over your personal data and to keep it safe. From online shopping and browsing to social media, with every click, share and login-in you leave behind a digital trail. The GDPR ensures that your data can only be used in ways you agree to and that you can access any information about yourself.

But do people actually know how to protect their data? 
We asked passers-by on the streets of Brussels.

Happy Data Protection Day!

Sorry, your browser doesn't support embedded videos.

EDPS organises meeting of AI Correspondents Network to collaborate on three key pillars community, compliance and collaboration. Read Blogpost. 

Every year on 28 January, we celebrate Data Protection Day. This date marks the anniversary of the Council of Europe’s Convention 108, the first binding international law securing individuals' rights to protection of their personal data.

Read our factsheets to learn more about your rights

The post Comparing GDPR Instruments appeared first on Europrivacy Community.

EDPS released today its findings on the enforcement of individuals’ right of access to their personal data when processed by EU institutions, bodies, offices, and agencies (EUIs).

Read Press Release

Read EDPB Report 

Brussels, 20 January - The European Data Protection Board (EDPB) has adopted a report on the implementation of the right of access by controllers. The report summarises the outcome of a series of coordinated national actions carried out in 2024 under the Coordinated Enforcement Framework (CEF). It lists the issues that were observed for some controllers, along with a series of recommendations to help them implement the right of access. A central element is controllers’ awareness of the EDPB Guidelines 01/2022 on data subjects rights – Right of access and whether these guidelines were followed in practice.

EDPB Deputy Chair Zdravko Vukíc said: “The CEF is a valuable initiative that helps strengthen the cooperation among Data Protection Authorities (DPAs): by tackling selected topics in a coordinated fashion, they achieve greater efficiency and more consistency. How controllers implement the right of access lies at the heart of data protection and it is one of the most frequently exercised data subject rights.”

Throughout 2024, 30 DPAs across Europe launched coordinated investigations into the compliance of controllers with the right of access, by opening formal investigations, assessing whether a formal investigation was warranted and/or carrying out fact-finding exercises.  A total of 1,185 controllers, consisting of small and medium-sized enterprises (SMEs) and big companies active in different industries and fields, as well as various types of public entities, responded to the action.

Areas of improvement and main challenges

The results suggest that more awareness raising about Guidelines 01/2022 is necessary, both at national and EU level, as the guidelines help controllers implement the right of access, explain how exercising this right can be made easier, and list the exceptions and limitations of the right to access.

As a result of the 2024 CEF action, seven challenges were identified. One of them is the lack of documented internal procedures to handle access requests. In addition, inconsistent and excessive interpretations of the limits to the right of access were also observed, such as overly relying on certain exceptions to automatically refuse access requests. Another example is the barriers that individuals could encounter when exercising their right of access, such as  formal requirements or being requested to provide excessive identification documents. For each challenge identified, the report provides a list of non-binding recommendations to be taken into account by controllers and DPAs.

Positive findings

Despite the existing challenges, two thirds of participating DPAs evaluated the level of compliance of responding controllers with respect to the right of access from ‘average’ to ‘high’. One important factor identified as having an impact on the level of compliance was the volume of access requests received by controllers, as well as the size of the organisation. More specifically, large-sized controllers or controllers receiving more requests were more likely to reach a higher level of compliance than small organisations with less resources.

Positive findings were observed across Europe. These include the implementation of best practices by controllers, such as user-friendly online forms enabling individuals to submit an access request easily as well as self-service systems to allow individuals to autonomously download their personal data in a few clicks and at any time.

Background and next steps

The CEF is a key action of the EDPB under its 2024-2027 Strategy, aimed at streamlining enforcement and cooperation among DPAs. 
In the past three years, two previous CEF actions were carried out.

The results of these national actions are aggregated and analysed together to generate deeper insight into the topic and allowing for targeted follow-up on both national and EU level.

In 2023, the EDPB published the report on its first coordinated action on the use of cloud-based services by the public sector.
In 2024, the EDPB also published the report on the outcome of the second coordinated action on the designation and position of Data Protection Officers.

The CEF 2025 action will be on the implementation of the right to erasure.
 

For further information:

• AT DPA: Schwerpunktprüfung 2024: Datenschutzbehörde zieht positive Bilanz für den Telekomsektor
• CS DPA: EDPB přijal závěrečnou zprávu ke společné kontrolní akci CEF 2024
• DA DPA:DPB vedtager rapport om dataansvarliges overholdelse af indsigtsretten
• DE DPA (Brandenburg): Brandenburgische Datenschutzbeauftragte beteiligte sich an europaweiter Prüfaktion zur Umsetzung des Auskunftsrechts
• DE DPAs (DSK): Pressemitteilung der Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder vom 22. Januar 2025
• EDPS: Coordinated Enforcement Action: EDPS findings highlight challenges on right of access to personal data
• EL DPA: Υλοποίηση της 3ης συντονισμένης δράσης του Ευρωπαϊκού Συμβουλίου Προστασίας Δεδομένων για το δικαίωμα πρόσβασης
• ES DPA: Resultados de la acción europea que ha analizado la atención del ejercicio del derecho de acceso por parte de los responsables 
• FI DPA: Raportti omien henkilötietojen tarkastusoikeutta koskevasta selvityksestä on julkaistu – täydensimme ohjeistusta verkkosivuillamme 
• FR DPA: Droit d’accès : bilan des contrôles de la CNIL dans le cadre d’une action coordonnée européenne
• HU DPA: Közlemény az Európai Adatvédelmi Testület által a 2024. évre prioritásként meghatározott, a hozzáférési jog érvényesítésére fókuszáló összehangolt intézkedés eredményéről 
• IE DPA: DPC welcomes publication of the European Data Protection Board’s report on the implementation of the right of access by controllers and DPC national report findings under the Coordinated Enforcement Framework for 2024
• LU DPA: Le droit d’accès en pratique : observations et recommandations du cadre d’action coordonnée européen (FR), The right of access in practice: observations and recommendations from the European Coordinated Enforcement Framework (EN), Das Auskunftsrecht in der Praxis: Beobachtungen und Empfehlungen des koordinierten Durchsetzungsrahmen (CEF) (DE)
• MT DPA: CEF 2024: IDPC Report on Coordinated Enforcement Action 2024 on Right of Access
• SI DPA: Ali ustrezno obravnavate zahteve za dostop do lastnih osebnih podatkov? Poročilo usklajene akcije EOVP
• PT DPA: Comité Europeu emite recomendações para simplificar o direito de acesso aos dados