
One-Stop-Shop case digest on right to object and right to erasure updated

5 hours 36 minutes ago

Brussels, 25 June - The EDPB has published an update of the One-Stop-Shop (OSS) case digest on the right to object and the right to erasure. This project has been developed in the framework of the Support Pool of Experts programme, which aims to support cooperation among Data Protection Authorities (DPAs).

Thematic one-stop-shop case digests are drafted on the basis of one-stop-shop decisions taken from the EDPB’s public register (based on Art.60 GDPR). Such case digests complement the EDPB's public register by selecting and presenting the most important decisions on a given theme and providing aggregate results of relevant decisions on this theme.

The one-stop-shop thematic case digest on the right to object and right to erasure offers insights into how DPAs analyse the internal processes implemented within organisations to comply with these rights. It also lists the most frequent infringements and gives an overview of which corrective measures have been issued. Cases cover for example the exercise of the right to object to direct marketing or the wish of individuals to erase their account or online data profile.

Since the original case digest was finalised, DPAs have adopted hundreds of new OSS decisions on the rights to object and to erasure. The initial case digest has been revised to reflect these developments.

Background

The Support Pool of Experts (SPE) is a key initiative of the EDPB, which is part of the EDPB 2024-2027 Strategy.

The main objective of this programme is to help European DPAs increase their capacity to supervise and enforce data protection rules by developing common tools and giving them access to a wide pool of experts.

EDPB

Supporting GDPR consistency: EDPB launches dedicated form

1 day 2 hours ago

Brussels, 24 June – The EDPB has launched a dedicated contact form for stakeholders to report possible inconsistencies in how the GDPR is interpreted across Europe. This initiative reflects the commitments set out in the EDPB Helsinki Statement on enhanced clarity, support and engagement, aimed at strengthening the dialogue with stakeholders and ensuring consistent GDPR enforcement across Europe.

The new tool enables stakeholders to report alleged divergences between national positions, as well as between national positions and those of the EDPB. The EDPB will not respond to individual submissions, but the information received will be compiled regularly and discussed at a high level by the Board members to consider possible steps to improve consistency.

EDPB

EDPB gets a new look: discover the new website and brand identity

3 days 2 hours ago

Brussels, 22 June - Since its establishment in 2018, the core mission of the EDPB has been to uphold and safeguard the right to data protection. Over the years, the EDPB has played a key role in ensuring the consistent application of the GDPR across Europe, by providing guidance on key GDPR concepts and the interaction of the GDPR with other digital laws, as well as through the adoption of consistency opinions and binding decisions. The EDPB is also committed to making GDPR compliance easier for organisations and enhancing its dialogue with stakeholders.

The EDPB is glad to announce today the launch of its newly redesigned website and updated brand identity.

The EDPB’s new website: enhanced accessibility and user experience

The new website offers stakeholders an improved user experience, more intuitive navigation, tailored to different user groups, better access to key information, and clearer routes for interaction. The site has been developed in line with accessibility standards to ensure a more inclusive experience for all users, while continuing to provide multilingual support for the EDPB’s diverse audiences. Both general users and specialists can now benefit from well-organised and thematic navigation, complemented by advanced search functions.

Document accessibility has been significantly improved. While maintaining downloadable formats, new documents will now also be available in an enhanced web format with interactive navigation sidebars, allowing users to browse lengthy texts more efficiently. This approach will help ensure optimal readability, clarity and usability across all devices.

The streamlined contact system provides targeted support for all visitors. Users can quickly find FAQs, identify how to submit complaints or data breach reports to the relevant authorities, or contact the EDPB for media inquiries. In addition, the site offers contact options for access to documents requests, DPO-related matters, and other specialised assistance.

The EDPB website now serves as a fully integrated digital resource, which also incorporates the “Data Protection Guide for Small Business” and the redesigned Coordinated Supervision Committee (CSC) website, and will bring together upcoming projects such as the “Privacy for Kids” hub.

A stronger EDPB brand identity

The new brand identity will help reinforce the EDPB’s role in protecting fundamental rights.

The tagline “protecting European individuals in our digital world” embodies the EDPB’s commitment to maintaining transparent and universally accessible data protection standards.

The new colour palette represents EDPB unity and cooperation, drawing inspiration from the eight colours referring to the flags of the countries of all European Data Protection Authorities.

Explore the new EDPB’s look and feel

Curious to discover the new EDPB website and updated brand identity? Take some time to explore. We hope you will enjoy the experience.

EDPB

Coordinated Supervision Committee extends scope to include Eurodac

1 week 6 days ago

Brussels, 12 June – As of today, coordinated supervision of the European Union’s asylum and migration database (Eurodac) will be carried out by the Coordinated Supervision Committee (CSC). Eurodac is an information system initially designed to compare the fingerprints of asylum applicants and irregular migrants, which has evolved into a full asylum and migration management system. It plays a key role in implementing the Dublin III Regulation, which aims at determining the Member State responsible for examining an asylum application.

Operational since 15 January 2003, this system is currently used by all EU Member States as well as Iceland, Liechtenstein, Norway and Switzerland. National DPAs supervise the processing of personal data by national authorities and its transmission to the Eurodac database (central unit), whereas the European Data Protection Supervisor (EDPS) is responsible for the supervision of the processing of personal data at the central unit and its transmission to the Member States. Coordinated supervision will now be ensured by the CSC, comprising representatives from the national DPAs and the EDPS.

Background

The CSC is a group of DPAs, which together ensure coordinated supervision of large-scale IT systems, and of EU bodies, offices and agencies falling under its scope.

The CSC operates autonomously and adopts its own rules of procedure and working methods. The Committee is established within the framework of the EDPB, and the EDPB Secretariat provides the Secretariat of the CSC.

You can find more information about the CSC here.

EDPB

EDPB meets with EU Commissioner McGrath and adopts common data breach notification template

2 weeks 1 day ago

Brussels, 10 June – During its latest plenary, the EDPB met with Michael McGrath, Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection. In addition, the Board has adopted a common data breach notification template.

The Board held a meeting with Commissioner McGrath, engaging in a fruitful discussion about common priorities and ongoing work on areas of mutual interest.

The Digital Omnibus was among the key topics that shaped the discussion. The Board reiterated that, while several proposed changes have been welcomed by the Board, it is crucial not to adopt the proposed amendments to the definition of personal data, as they risk significantly weakening individual data protection.

“The digital ecosystems we regulate are dynamic, multilayered, and evolving at unprecedented pace. In an increasingly digital and competitive world, the EDPB supports simplification, but never at the expense of fundamental rights.

Promoting a human-centric approach to digital regulation—one that balances innovation with dignity, growth with rights, and efficiency with trust, remains central to our mission.”

EDPB Chair, Anu Talus


The importance of cross-regulatory cooperation was another central theme of the discussion. Commissioner McGrath and the Board explored ways to further strengthen this cooperation and enhance their ability to collaborate effectively within the evolving digital landscape.

The meeting was also an opportunity to exchange on other critically important areas of common interest, including the protection of children. The EDPB is currently working on guidelines on processing children’s data. This week, EDPB representatives also took part in a meeting with the Co-Chairs of the Special Panel on Child Safety Online organised by the European Commission.

Discussions furthermore covered progress in the field of political advertisement, with a focus on the EDPB guidelines on the processing of personal data to target or deliver political advertisements under the regulation on the transparency and targeting of political advertising. In the context of this ongoing work, at its latest plenary, the EDPB has adopted the report on the dedicated stakeholder event held on 27 March 2026.

The discussions also addressed international data transfers and emphasised the importance of cooperation with third countries, which is particularly crucial in reinforcing worldwide data protection standards.

During the discussions, the Board emphasised that adequate funding and staffing of DPAs is essential to fulfil their tasks properly.

Making GDPR compliance easier while enhancing consistency

In line with the EDPB’s Helsinki Statement to make GDPR compliance easier and strengthen consistency across Europe, the EDPB has adopted a common template for data breach notifications, which will be subject to an implementation process.

The EDPB common template for data breach notifications has been conceived to help organisations and Data Protection Authorities (DPAs) to structure, harmonise, and unify their data breach notification processes*.

The template will help ensure that notifications contain the information required by Art. 33 GDPR (on the notification of a personal data breach to the DPA), making it easier for organisations to submit a timely notification and facilitating the assessment of the case by the responsible DPAs.

The template provides predefined options to choose from, and further guidance on how to fill in the fields. This will help save time and costs, particularly for smaller organisations lacking dedicated Data Protection Officers (DPOs) or legal resources.

The template will be subject to public consultation until 5 August 2026, providing stakeholders with the opportunity to share their comments and feedback on the content of the template. Following the public consultation, the EDPB will decide on the timeline for the practical implementation of the template by all DPAs.

Note to editors:
You can find more information on when a data breach should be notified here.

EDPB

The Italian Supervisory Authority has fined Verisure Italia for unlawful processing of personal data for direct marketing purposes

3 weeks ago

Background information

  • Date of final decision: 27 November 2025
  • National case
  • Controller: Verisure Italia srl
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 7 (Conditions for consent), Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 13 (Information to be provided where personal data are collected from the data subject), Article 21 (Right to object)
  • Decision: Administrative fine, Compliance order, Erasure order
  • Key words: Administrative fine, Principles relating to processing of personal data, Consent, Transparency, Right to object, Data retention, Direct marketing, Exercise of data subject rights

Summary of the Decision

Origin of the case  

The Italian Supervisory Authority (SA) received a complaint from a former customer who had continued to receive unsolicited promotional text messages even after objecting to the processing of his data, and a report from a potential customer who, after requesting a quotation, had started receiving advertising calls, emails, and text messages. In both cases, the communications had persisted despite the exercise of the right to object provided for by the GDPR.

Key Findings

The company handled objection requests late, beyond the deadlines set out in the GDPR, and did not correctly collect, via the form on its website, the consent of potential customers for direct marketing purposes. In addition to not providing adequate information, this consent was effectively bundled with the potential customer's request for a price quote. In other words, the company treated the act of providing one's telephone number to obtain a personalised quotation as equivalent to consent to receive advertising calls.

Furthermore, the SA considered the period for storing potential customers' data for telesales purposes (12 months) to be excessive; this was the period within which the company believed it could contact the potential customer again if they did not accept the quote offered.

Decision

In addition to the imposition of a 400 000 EUR fine, the Italian SA prohibited Verisure Italia from further processing the personal data acquired unlawfully, ordered the deletion of data collected without valid consent, and required the company to bring its privacy policy into compliance with GDPR. The company must also notify the SA, within sixty days, of all measures taken to comply with the EU regulations on the lawful processing of personal data.
The Italian SA has taken note of the measures already undertaken by the company during the investigation.

For further information: Marketing indesiderato: Garante sanziona Verisure Italia per 400mila euro  

EDPB

Italian SA fines a company for post-sick leave questionnaires

3 weeks ago

Background information

  • Date of final decision: 10 July 2025
  • National case
  • Controller: Magna PT S.p.A.
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 9 (Processing of special categories of personal data), Article 13 (Information to be provided where personal data are collected from the data subject)
  • Decision: Administrative fine, Definitive ban on data processing
  • Key words: Administrative fine, Principles relating to processing of personal data, Transparency, Retention time, Lawfulness of processing, Employment

Summary of the Decision

Origin of the case  

A trade union report highlighted a widespread practice within an automotive company: after an absence due to illness, accident or hospitalisation, workers were interviewed and asked to complete a questionnaire. The document, completed by a direct supervisor, was then sent to the Human Resources Department, which, together with the supervisor and/or the competent doctor, assessed, on the basis of the company's representations, any initiatives to protect the health of workers, such as modifying the workstation or intervening in working relationships.


Key Findings 

During the investigation, the Italian Supervisory Authority (SA) found several infringements of the EU Regulation (GDPR), including the lack of clear and transparent information for employees and the lack of a legal basis for data processing, including health data. The Italian SA also found that workers' data were being stored in an irrelevant (absences from work) and disproportionate (up to ten years) manner, and that the data processing was not relevant for assessing the professional skills of the employees.

Decision

The Italian SA imposed a definitive ban on data processing and ordered the company to delete any data already collected and stored. The Italian SA also issued an administrative fine of 50 000 EUR.

For further information: Lavoro, il Garante privacy sanziona un’azienda per questionari post-malattia 

EDPB

The Italian Supervisory Authority fined a company 120 000 EUR for tracking five employees who drove company cars

3 weeks ago

Background information

  • Date of final decision: 27 November 2025
  • National case
  • Controller: Pioneer Hi-Bred Italia Sementi s.r.l.
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 13 (Information to be provided where personal data are collected from the data subject), Article 28 (Processor), Article 88
  • Decision: Administrative fine, Compliance order, Erasure order
  • Key words: Administrative fine, Principles relating to processing of personal data, Lawfulness of processing, Transparency, Definition of controller, Employment

Summary of the Decision

Origin of the case  

Following a complaint, the Italian Supervisory Authority (SA) became aware that a company had installed a satellite tracking device on company vehicles assigned to its employees, which was able to record their behaviour (times, mileage, fuel consumption, and driving style) during both work and private trips. The data collected were used to assign a rating score and take any corrective action. Given the sensitivity of the matter raised, the Italian SA ordered an on-site inspection.

Key Findings

Inspections and subsequent checks revealed that the satellite device, installed at the request of the Swiss parent company, allowed tracking of workers' activities without the safeguards provided by the Italian Workers' Charter (regulations on the protection of the freedom and dignity of workers). Furthermore, the information provided to workers covered all the group's affiliated companies, including those based outside the EU, without clearly indicating the purposes of the processing, the legal bases, or the entities qualifying as data controllers, processors, and recipients.

The investigations also revealed that access to the information collected via the devices installed in company cars was also granted to staff from other companies in the group, without the appropriate authorization.

Decision

The Italian SA issued a fine of 120 000 EUR to the company as data processor.

In determining the amount of the fine, the Italian SA took into account both the limited number of employees involved and the immediate suspension of the unlawful data processing, implemented by the company as soon as the complaint was filed. The Italian SA also ordered the deletion of data relating to employees' journeys, collected and used to rate driving behaviour.

For further information: Garante privacy: no al controllo dello stile di guida dei lavoratori. Sanzione di 120mila euro a società che monitorava 5 dipendenti con auto aziendale 

EDPB

Imposition of fine on a telecommunications company for violations of data subject’s rights

3 weeks ago

Background information

  • Date of final decision: 11 February 2026
  • National case
  • Controller: Vodafone-Panafon S.A Hellenic Telecommunications Company
  • Legal Reference: Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject, Article 12.2: Facilitation of the exercise of the rights of the data subject, Article 12.3: Time limit for responding to a request, Article 12.4: Information to be provided where no action is taken on the request, Article 15: Right of access by the data subject, Article 18: Right to restriction of processing
  • Decision: Infringement of the GDPR; fine imposed; order to comply
  • Key words: Transparent information, communication and exercise of the rights of the data subject

Summary of the Decision

Origin of the case

A complaint was submitted to the Greek SA against Vodafone-Panafon S.A Hellenic Telecommunications Company for

  1. violation of the right of access to recorded calls,
  2. violation of the right to restriction of processing,
  3. obstacles placed by the respondent during the exercise of the aforementioned right of access, and
  4. contradictory information regarding the procedure for satisfying the exercised right of access.

Key Findings

The Authority found that the respondent company infringed the provisions of Articles 12(1), (2), (3), (4), 15 and 18 of the GDPR pursuant to Articles 58(2)(i) and 83(5)(b) of the GDPR. 

Decision

The Greek SA imposed on the telecommunications company an administrative fine of EUR 30 000 for violating Articles 12(1), (2), (3), (4), 15 and 18 of the GDPR.

It also ordered the respondent company, pursuant to Article 15(4)(b) of national Law 4624/2019, to adopt appropriate technical and organisational measures to ensure the proper and timely examination of data subjects’ rights, including more effective training of its representatives, and to provide the Authority with relevant documentation within six months.


For further information: national decision in Greek Επιβολή προστίμου σε πάροχο υπηρεσιών τηλεπικοινωνίας  

EDPB

The Italian SA fined Poste Vita for data breach

3 weeks ago

Background information

  • Date of final decision: 10 July 2025
  • National case
  • Controller: Poste Vita s.p.a.
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 33 (Notification of a personal data breach to the supervisory authority)
  • Decision: Administrative fine
  • Key words: Administrative fine, Clients, Data security, Insurance, Personal data breach

Summary of the Decision

Origin of the case  

The investigation was initiated following a complaint from an insurance company (Poste Vita) customer who complained about the unlawful disclosure of personal data to an unauthorised third party who had then used it in legal proceedings. The data related to three life insurance policies held by the complainant.

Key Findings 

During the investigation, the Italian Supervisory Authority (SA) verified that the data breach had occurred due to a series of errors committed by the company's operators. They had responded to requests for information regarding the data subject's policies without first verifying that the email address from which the requests were sent matched the contact details provided by the customer. The requests came from two email addresses which, although they contained the name and surname of the data subject (who had never provided any email address to the company), were in fact linked to third parties.

Decision

Noting that in the meantime the insurance company had implemented corporate procedures aimed at rigorously verifying the identity of the person concerned, the Italian SA imposed a fine of 80,000 EUR, without taking further measures.

For further information: Data breach, il Garante sanziona Poste Vita per 80mila euro

EDPB

The Italian SA imposed a 40 000 EUR fine on a company for violating the confidentiality of an employee's email account after the end of his employment

3 weeks ago

Background information

  • Date of final decision: 18 December 2025
  • National case
  • Controller: LTL S.p.A.
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 15 (Right to access by the data subject)
  • Decision: Administrative fine, Compliance order, Erasure order
  • Key words: Administrative fine, Principles relating to processing of personal data, Transparency, Right of access, Employment, Data subject rights

Summary of the Decision

Origin of the case  

In a complaint submitted to the Italian Supervisory Authority (SA), an individual complained that, after receiving a disciplinary letter followed by dismissal, the company had denied him access to his company email account, which remained active. Exercising his rights, the data subject asked the company to disable the email account, forward any messages received in the meantime to his personal email address, and activate an automatic reply informing any senders of his new email address. However, this request remained unfulfilled, even though it was formulated in compliance with the GDPR.


Key Findings 

During the investigation, the Italian SA found that the company not only continued to receive emails addressed to the employee, but also forwarded them to another company email account. This unlawful practice had been going on for about two months, exceeding the 30-day limit set by the company's internal rules.

Decision

The Italian SA fined the company 40 000 EUR.

In determining the amount of the fine, the SA took into account the type and duration of the violations, the failure to respond to the employee's request to exercise his rights, and the absence of previous violations of data protection regulations by the company.

The Authority therefore ordered the company to allow the employee access to his company email account and ordered its subsequent deletion, without prejudice to the retention of what was necessary for the protection of the company's rights in court.

For further information: Garante: l’accesso alla email del lavoratore licenziato vìola la privacy

EDPB

EDPB and EDPS support strengthening EU’s cybersecurity and easing compliance while protecting individuals’ personal data

1 month ago

Brussels, 19 March 2026 – The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the European Commission’s proposal for a Cybersecurity Act 2 (CSA2) and the proposal on amendments to the Network and Information Security 2 (NIS2) Directive.

On 20 January 2026, the Commission published a cybersecurity package proposal to further strengthen cybersecurity in Europe while making compliance with cybersecurity laws easier for organisations. In their joint opinion, issued at the request of the Commission*, the EDPB and the EDPS address the proposed revision of the CSA and the targeted amendments to the NIS2 Directive.

“The relationship between data protection and cybersecurity is reciprocal and deeply interconnected. While cybersecurity supports the protection of personal data by limiting the risks of unwanted access, modification or unavailability of data, it is crucial to ensure that security controls are implemented in a way that does not undermine individuals’ fundamental rights and freedoms.”

EDPB Chair Anu Talus

“While maximizing the effectiveness of cybersecurity measures is vital, we must ensure that the processing of personal data remains limited to what is strictly necessary. We welcome the reinforced role of ENISA to promote digital resilience; our hope is that this new mandate fosters the synergies needed to create a robust ecosystem where security and privacy go hand in hand.”

European Data Protection Supervisor, Wojciech Wiewiórowski

Regarding the Proposal for the CSA2, the EDPB and the EDPS support the general objective to strengthen the role of the European Union Agency for Cybersecurity (ENISA) and to facilitate uptake of cybersecurity certification, as well as the objective to further address the various risks to ICT supply chains, including non-technical ones.

The proposal to provide further clarification on the way ENISA gives support to different stakeholders is well received. The EDPB and the EDPS specifically welcome that ENISA’s advice would be issued upon a prior request from the EDPB, thus ensuring a clear coordination and a clear division of responsibilities. They also suggest adding the EDPS as a possible requestor of advice from ENISA.

In the joint opinion, the EDPB and the EDPS recall that in case the Management Board of ENISA decides to adopt additional measures necessary for the application of the EU Data Protection Regulation, such decisions should be limited to very technical (practical) details related to the processing of personal data. The Proposal should also provide for a prior consultation with the EDPS before adoption of such rules.

The joint opinion welcomes the synergies that might arise from the cooperation between ENISA and other EU institutions and bodies, and also recommends adding an explicit reference to the EDPS as an EU body with which ENISA would cooperate.

While the objective of facilitating uptake of cybersecurity certification is welcome, the scope of the European Cybersecurity Certification Framework and its relationship with GDPR certification should be further clarified. To ensure consistency, ENISA should consult the EDPB before adopting a certification scheme relating to the security of processing of personal data. Furthermore, certification schemes for products, services and processes that are likely to be used in data processing operations should, to the extent possible, take into account security controls that can help demonstrate the fulfilment of GDPR requirements.

The EDPB and the EDPS recommend that the European Cybersecurity Skills Framework should not be limited to cybersecurity professionals, but should also include a general workforce profile.

In line with the recent EDPB-EDPS joint opinion on the Digital Omnibus Regulation Proposal, the EDPB and EDPS express their support for the establishment of a single-entry point for the notification of personal data breaches, as it would reduce the administrative burden for notifying organisations without affecting the level of protection for individuals.

Regarding the proposed amendments to the NIS2 Directive, the EDPB and the EDPS welcome the designation of European Digital Identity Wallets and European Business Wallets providers as 'essential entities'.

 

Note to editors:
* On 21 January 2026, the Commission formally consulted the EDPB and the EDPS and requested a joint opinion on the European Commission’s proposal for a CSA2 and the proposal on amendments to the NIS2 Directive in accordance with Art. 42(2) of Regulation (EU) 2018/1725.

EDPB

Europe Day 2026: let’s celebrate together

1 month 2 weeks ago

Brussels, 5 May – On 9 May each year, Europeans celebrate the anniversary of the Schuman Declaration, the key moment which led to the creation of the EU as we know it today. To mark this special occasion, the European institutions will open their doors to the public on 9 May 2026, and we would be delighted to welcome you.

Come and visit us

We invite you to our interactive booth to discover and enjoy the activities we have prepared together with the European Data Protection Supervisor (EDPS).

•    When:  9 May 2026, from 10:00 to 18:00 (CET)
•    Where: European Parliament (Rue Wiertz 60, Brussels)

You will find us on the ground floor, in the cybersecurity area.


Test your skills and discover more

During your visit, you will get the chance to enjoy fun activities tailored just for you. This includes a:

•    EU Survey Quiz to test your knowledge of EU institutions 
•    Roulette that will test your skills with fun data protection-related challenges

This year, we are also bringing along a new friend: our mascot “Eddy the beaver”. Do not hesitate to come and greet him and make sure to bring along the little ones.

We are looking forward to meeting you! 
 

EDPB

Marking 10 years of the GDPR: the evolution of the European data protection landscape

1 month 4 weeks ago

Brussels, 27 April – Today marks the 10th anniversary of the GDPR’s adoption, the first comprehensive data protection framework spanning an entire continent, establishing clear rights for individuals and obligations for organisations across Europe.

The moment that led to the creation of the EDPB

The GDPR led to the establishment of the European Data Protection Board (EDPB) on 25 May 2018, replacing the Article 29 Working Party that was previously in charge of dealing with issues relating to the protection of personal data.

The GDPR gave the Data Protection Authorities (DPAs) stronger enforcement powers and expanded the scope of their work from focusing mainly on national compliance complaints to routinely dealing with cross-border cases.

In the past 10 years, the 31 European DPAs comprising the EDPB have worked together to ensure the consistent enforcement of the GDPR and a harmonised data protection approach across Europe.  

A key role in an evolving digital landscape

Today, the GDPR is part of a broader and evolving European digital framework, alongside other digital laws such as the Digital Services Act, the Digital Markets Act, and the AI Act. In a world shaped by artificial intelligence, platform economies, and increasing data-driven innovation, the GDPR ensures that technological progress goes hand in hand with the protection of individuals’ fundamental rights.

An inspiration for the rest of the world

The impact of the GDPR has extended far beyond Europe’s borders, inspiring similar frameworks across the globe and contributing to a growing international recognition of privacy as a fundamental right.  

How the GDPR has shaped the data protection landscape: insights from Data Protection Authorities

Have you ever wondered what the data protection landscape looked like before the GDPR and how DPAs prepared for its entry into force? How has life for Europeans changed since its adoption? Watch the video for insights and testimonies from Data Protection Authorities which contributed to the shaping of the data protection landscape in Europe.
 


EDPB

Stakeholder event on competition and data protection

2 months ago

Brussels, 23 April – The EDPB is organising a remote stakeholder event in the context of its joint work with the European Commission on upcoming guidelines on the interplay between competition and data protection.

The event is an opportunity for stakeholders to inform and support the ongoing work on this topic. It also reflects the EDPB’s commitment to stakeholder engagement and cross-regulatory cooperation, as outlined in the Helsinki statement and in the EDPB Strategy 2024-2027.

Join the event to have your say

This is your chance to contribute directly to a fast-evolving and highly relevant policy area. The EDPB will launch a call for expressions of interest to participate in the stakeholder event. Further details on the date and format will be published on the EDPB website.

EDPB

EDPB brings clarity to data processing for scientific research, speeds up the finalisation of the anonymisation guidelines and approves first European data protection seal as a tool for transfers

2 months 1 week ago

Brussels, 16 April – During its latest plenary, the EDPB adopted Guidelines on the processing of personal data for scientific research purposes. In addition, the Board has created a team to speed up the finalisation of the guidelines on anonymisation. The EDPB has also adopted two opinions on the two sets of Europrivacy certification criteria for approval as European Data Protection Seals, one of which is to be used as a tool for transfers.

Many areas of scientific research rely on the processing of individuals’ personal data, and this has driven significant scientific breakthroughs that benefit society. The rise of new technologies, such as artificial intelligence, also contributes to scientific progress by enabling researchers to use and analyse data in innovative ways.

The main objective of the EDPB guidelines on scientific research is to provide more clarity for researchers and make GDPR compliance easier, while ensuring the protection of individuals’ fundamental rights.

“Scientific research can drive societal progress and improve our daily lives. Our guidelines facilitate innovative research by helping researchers to navigate the GDPR.

The EDPB is committed to supporting the scientific community and unlocking the full potential of scientific research in the EU while upholding data protection rights.”

EDPB Chair, Anu Talus

In its guidelines, the Board provides clarifications on the concept of ‘scientific research’. To determine whether processing takes place for scientific research purposes within the meaning of the GDPR, the Board provides six key indicative factors that should be considered, in addition to the nature, scope, context and purposes of the processing. These are: 1) a methodical and systematic approach, 2) adherence to ethical standards, 3) verifiability and transparency, 4) autonomy and independence, 5) the objectives of the research, and 6) the potential to contribute to existing scientific knowledge or to apply existing knowledge in novel ways. If the research activities meet these six factors, they can be presumed to constitute scientific research. Otherwise, the controller should justify, and be able to demonstrate, why the activities should be considered scientific research within the meaning of the GDPR.

Further processing for scientific research purposes is presumed to be compatible with the initial purpose for collecting individuals’ personal data. Therefore, controllers are not obliged to do the purpose compatibility test under the GDPR to determine if the new processing is compatible with the original purpose of collection. However, controllers must still make sure that the legal basis of the initial processing is also suitable for the further processing of personal data for scientific research purposes.

Controllers can rely on “broad consent” where the purposes of research are not fully known at the time of collecting the personal data. In this case, researchers should respect ethical standards for scientific research and put additional safeguards in place to compensate for the lack of purpose specification. Controllers can also ask individuals to consent to different individual research projects separately, as soon as the purposes of those projects become known (dynamic consent). A combination of both broad and dynamic consent is also possible.

In addition, the EDPB clarifies the rights of individuals when their personal data are processed for scientific purposes. This includes the rights to erasure and to object, to which limitations may apply when personal data are processed for scientific research purposes. The Board provides examples to explain when exercising the right to erasure can be considered likely to render impossible or seriously impair the objective of conducting scientific research. The EDPB also explains when controllers may reject an individual’s objection to the processing of their personal data for scientific research purposes. This can be the case when the processing is necessary for the performance of a task carried out for reasons of public interest.

The Board recalls that when several entities are involved in the processing of personal data for scientific research purposes, it is necessary to assess and document how responsibilities are allocated among the entities. In this regard, the Guidelines provide useful examples to clarify in which situations entities can qualify as controller, joint controllers or processor.

Finally, the Board explains how controllers can assess the appropriate technical and organisational measures, such as anonymisation or pseudonymisation, when processing personal data for scientific research purposes. The EDPB provides examples of other safeguards that could be implemented depending on the risks posed by the research activities carried out. These include independent or ethical oversight, secure processing environments, privacy enhancing technologies, protective measures for publication of research results, confidentiality arrangements, and conditions for further use.

The guidelines will be subject to public consultation until 25 June, providing stakeholders with the opportunity to comment and provide feedback.

A “sprint team” to finalise the work on anonymisation

To speed up the finalisation of the upcoming guidelines on anonymisation, the Board created a dedicated "sprint team" that will complete the work by the summer.

Europrivacy opinions

The EDPB adopted an Opinion approving the updated set of Europrivacy certification criteria as a European Data Protection Seal* pursuant to Art. 42(5) GDPR. The Board had first approved the Europrivacy certification criteria on 10 October 2022 as the first European Data Protection Seal through EDPB Opinion 28/2022. The scope of the Europrivacy certification scheme has been extended to include controllers and processors established outside Europe who are subject to Art. 3(2) GDPR, either because they offer goods or services to individuals in Europe or because they monitor their behaviour.

In addition, for the first time, the Board adopted an Opinion recognising the Europrivacy certification criteria as a European Data Protection Seal to be used as a tool for transfers in accordance with Art. 42 and 46 GDPR. Data importers outside Europe who are not subject to the GDPR can now apply to the Europrivacy certification scheme for the transfers of data they receive. This certification will facilitate the fulfilment of the obligation of controllers and processors in Europe to demonstrate that they provide appropriate safeguards for personal data transfers to third countries or international organisations.

These approvals shed further light on the GDPR certification mechanisms, confirming their key role as a GDPR compliance tool.

 

Note to editors

*The European Data Protection Seal is a GDPR-certification mechanism recognised all over Europe. The Seal must satisfy specific criteria approved by the EDPB and must be granted by a certification body accredited under Art. 43 GDPR to prove compliance with GDPR standards. 
 

EDPB

Enhancing compliance and consistency: EDPB adopts DPIA template

2 months 1 week ago

Brussels, 14 April - In line with the EDPB’s Helsinki Statement to make GDPR compliance easier and strengthen consistency across Europe, the EDPB has adopted a template for Data Protection Impact Assessments (DPIA). The template will help organisations structure, harmonise and evidence their DPIA reporting processes. It is complemented by an explainer document providing concise explanations for completing the template effectively, breaking down key concepts in simple language and addressing possible questions and knowledge gaps controllers might have.

A DPIA is a process required in situations where the processing is likely to result in a high risk. It describes how personal data will be processed, assesses whether the processing is necessary and proportionate, and identifies and reduces risks to individuals’ rights and freedoms. The EDPB template has been conceived to support organisations step by step in this process as they fill in the template.

Controllers can conduct their risk analysis and management processes as they prefer, using the DPIA methodology of their choice. While it is not mandatory for organisations to use the EDPB template, it allows them to benefit from predefined fields that prompt complete and structured responses. This will help ensure that all necessary information is captured accurately while minimising the risk of errors and saving time.

The template will be subject to public consultation until 9 June, providing stakeholders with the opportunity to comment and provide feedback. Following the public consultation, all Data Protection Authorities will initiate the necessary steps to adopt this template either as their sole standard or as a ‘meta-template’ to which national-specific templates will align. In the meantime, organisations are encouraged to use this template and to provide feedback in the context of the public consultation.

EDPB

EDPB annual report 2025: supporting stakeholders through guidance and dialogue

2 months 2 weeks ago

Brussels, 09 April - The European Data Protection Board (EDPB) has published its 2025 Annual Report. The report provides an overview of the EDPB work carried out in 2025 and reflects on important milestones, such as the adoption of the Helsinki Statement on Enhanced Clarity, Support, and Engagement.

“In 2025, we saw the data protection landscape change significantly. The rapid expansion of the EU’s digital regulatory framework has added complexity to the data protection ecosystem. To help organisations navigate this complexity and support compliance, the EDPB focused on enhancing legal certainty, making compliance more achievable in practice, and strengthening cooperation, both among Data Protection Authorities and with other regulators. 

We also prioritised meaningful dialogue with stakeholders to ensure our work reflected real-world needs.

Our achievements support economic growth while continuing to protect individuals’ fundamental rights to privacy and data protection.”

EDPB Chair, Anu Talus

 

The Helsinki Statement initiatives leading the way

In 2025, the EDPB worked actively to address the demand for regulatory simplification to support innovation and economic growth, while ensuring the protection of individuals’ personal data. 

With this in mind, the Board adopted the Helsinki Statement on Enhanced Clarity, Support, and Engagement, which outlines new initiatives to make GDPR compliance easier, strengthen consistency, enhance the dialogue and improve transparency with stakeholders and boost cross-regulatory cooperation.  

For example, the Board launched a public consultation to ask organisations which templates would be most useful, organised several stakeholder events to consult organisations on upcoming guidelines and systematically published reports on stakeholder input. 

 

Easing compliance for organisations and providing legal advice

In the context of ongoing discussions on regulatory simplification at EU level, the EDPB actively contributed to legislative initiatives aimed at reducing administrative burden and streamlining requirements. The Board adopted a joint opinion with the European Data Protection Supervisor (EDPS) on the Commission’s Proposal for a Regulation amending certain regulations, including the GDPR. 

In addition, the Board held important discussions on this matter during plenary meetings, which subsequently informed the EDPB/EDPS joint opinions on the Commission’s proposals on the Digital Omnibus and on the Digital Omnibus on AI, adopted at the beginning of 2026.

The Board also delivered five adequacy-related opinions concerning the United Kingdom, Brazil and the European Patent Organisation (EPO).

In addition, the Board adopted Recommendations on the legal basis for requiring the creation of user accounts on e-commerce websites, and Recommendations on the 2027 WADA World Anti-Doping Code upon request from the Commission.

 

Strengthening cross-regulatory cooperation

Cross-regulatory cooperation was a key focus for the EDPB last year. The EDPB worked together with the European Commission to clarify how data protection and digital laws interact and to address legal and practical challenges in cross-sectoral cases.

In 2025, the EDPB adopted its first set of joint guidelines with the Commission on the interplay between the Digital Markets Act (DMA) and the GDPR. The Board also worked with the Commission on joint guidelines on the interplay between the AI Act and EU data protection laws, for adoption in 2026.

In addition, the EDPB adopted guidelines on the interplay between the Digital Services Act (DSA) and the GDPR.

 

Placing stakeholders at the heart of the EDPB work

In 2025, a public consultation was launched on the joint guidelines with the Commission on the DMA and the GDPR. The Board also organised public consultations on the EDPB guidelines on the DSA and the GDPR, on blockchain technologies, on pseudonymisation, and on the recommendations on the legal basis for requiring the creation of user accounts on e-commerce websites.

In addition, in line with the Helsinki statement’s objectives to make GDPR compliance easier, the EDPB organised a public consultation to understand which templates organisations consider would be most useful for them (e.g. privacy notice template, record of processing activities template, etc.).

In December 2025, a stakeholder event on anonymisation and pseudonymisation took place, which was followed by a report on the input collected during the event.

 

Promoting high standards of data protection worldwide

In line with its Strategy 2024-2027, the EDPB continued to engage with the international community to promote a high level of data protection and to ensure effective protection of personal data beyond EU borders. To this end, the Board participated in international fora such as the G7 Data Protection Authorities Roundtable and the Global Privacy Assembly.

In December 2025, the EDPB also held online the second meeting with Commissioners and representatives of Data Protection Authorities (DPAs) from the countries and the organisation covered by an EU adequacy decision.

 

Providing guidance and ensuring consistency 

In 2025, three new sets of guidelines were adopted, focusing on pseudonymisation, blockchain technologies, and the DSA and the GDPR, as well as guidelines on data transfers to third country authorities following public consultation.

Twenty-nine opinions under Art. 64(1) GDPR were adopted, reflecting the Board’s continued commitment to promoting harmonisation.

 

Supporting consistent and effective enforcement 

Strengthening cooperation among DPAs was another key priority in 2025. This took place through multiple instruments aimed at facilitating joint actions and knowledge-sharing, including the Coordinated Enforcement Framework (CEF), the Support Pool of Experts (SPE) and dedicated taskforces. 

The Board contributed to improving cross-border cooperation, supporting DPAs in handling complex cases and ensuring alignment in enforcement practices. In 2025, 414 cross-border cases were created in the EDPB’s case register, and 1299 procedures related to the One-Stop-Shop (Art. 60 GDPR) were triggered, of which 572 led to final decisions.

Finally, at national level, DPAs issued a total of €1.15 bn in fines.

 

EDPB