
EDPB gets a new look: discover the new website and brand identity

1 day 1 hour ago

Brussels, 22 June - Since its establishment in 2018, the core mission of the EDPB has been to uphold and safeguard the right to data protection. Over the years, the EDPB has played a key role in ensuring the consistent application of the GDPR across Europe, by providing guidance on key GDPR concepts and the interaction of the GDPR with other digital laws, as well as through the adoption of consistency opinions and binding decisions. The EDPB is also committed to making GDPR compliance easier for organisations and enhancing its dialogue with stakeholders.

The EDPB is glad to announce today the launch of its newly redesigned website and updated brand identity.

The EDPB’s new website: enhanced accessibility and user experience

The new website offers stakeholders an improved user experience, more intuitive navigation, tailored to different user groups, better access to key information, and clearer routes for interaction. The site has been developed in line with accessibility standards to ensure a more inclusive experience for all users, while continuing to provide multilingual support for the EDPB’s diverse audiences. Both general users and specialists can now benefit from well-organised and thematic navigation, complemented by advanced search functions.

Document accessibility has been significantly improved. While maintaining downloadable formats, new documents will now also be available in an enhanced web format with interactive navigation sidebars, allowing users to browse lengthy texts more efficiently. This approach will help ensure optimal readability, clarity and usability across all devices.

The streamlined contact system provides targeted support for all visitors. Users can quickly find FAQs, identify how to submit complaints or data breach reports to the relevant authorities, or contact the EDPB for media inquiries. In addition, the site offers contact options for access to documents requests, DPO-related matters, and other specialised assistance.

The EDPB website now serves as a fully integrated digital resource, which also incorporates the “Data Protection Guide for Small Business” and the redesigned Coordinated Supervision Committee (CSC) website, and will bring together upcoming projects such as the “Privacy for Kids” hub.

A stronger EDPB brand identity

The new brand identity will help reinforce the EDPB’s role in protecting fundamental rights.

The tagline “protecting European individuals in our digital world” embodies the EDPB’s commitment to maintaining transparent and universally accessible data protection standards.

The new colour palette represents EDPB unity and cooperation, drawing inspiration from the eight colours referring to the flags of the countries of all European Data Protection Authorities.

Explore the new EDPB’s look and feel

Curious to discover the new EDPB website and updated brand identity? Take some time to explore. We hope you will enjoy the experience.

EDPB

Latest EDPS Newsletter out now

6 days 19 hours ago
Tue, 06/16/2026 - 17:08 Wed, 06/17/2026 - 12:00

Welcome to the latest edition of the EDPS Newsletter, featuring active AI governance and major supervisory milestones. Catch up on our Annual Report 2025, recommendations for the EU visa platform chatbot, insights from the Digital Omnibus high-level debate, and a preview of our upcoming trainees' conference on AI in hiring practices!

Read more here
European Data Protection Supervisor

Hired by an algorithm: Data protection and AI regulation in modern HR practices

1 week 3 days ago
Fri, 06/12/2026 - 16:39 Tue, 06/16/2026 - 12:00

On 9 July, together with the EDPB trainees, we invite you to the conference on AI in recruitment. It will look at how artificial intelligence is increasingly used in HR and recruitment processes, along with the data protection questions this raises.

Find out more
European Data Protection Supervisor

Coordinated Supervision Committee extends scope to include Eurodac

1 week 3 days ago

Brussels, 12 June – As of today, coordinated supervision of the European Union’s asylum and migration database (Eurodac) will be carried out by the Coordinated Supervision Committee (CSC). Eurodac is an information system initially designed to compare the fingerprints of asylum applicants and irregular migrants, which has evolved into a full asylum and migration management system. It plays a key role in implementing the Dublin III Regulation, which aims at determining the Member State responsible for examining an asylum application.

Operational since 15 January 2003, this system is currently used by all EU Member States as well as Iceland, Liechtenstein, Norway and Switzerland. National DPAs supervise the processing of personal data by national authorities and its transmission to the Eurodac database (central unit), whereas the European Data Protection Supervisor (EDPS) is responsible for the supervision of the processing of personal data at the central unit and its transmission to the Member States. Coordinated supervision will now be ensured by the CSC, comprising representatives from the national DPAs and the EDPS.

Background

The CSC is a group of DPAs, which together ensure coordinated supervision of large-scale IT systems, and of EU bodies, offices and agencies falling under its scope.

The CSC enjoys an autonomous functioning and positioning, and it adopts its own rules of procedure and working methods. The Committee is established within the framework of the EDPB and the EDPB Secretariat provides the Secretariat of the CSC.

You can find more information about the CSC here.

EDPB

EDPB meets with EU Commissioner McGrath and adopts common data breach notification template

1 week 5 days ago

Brussels, 10 June – During its latest plenary, the EDPB met with Michael McGrath, Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection. In addition, the Board has adopted a common data breach notification template.

The Board held a meeting with Commissioner McGrath, engaging in a fruitful discussion about common priorities and ongoing work on areas of mutual interest.

The Digital Omnibus was among the key topics that shaped the discussion. The Board reiterated that, while several proposed changes have been welcomed by the Board, it is crucial not to adopt the proposed amendments to the definition of personal data, as they risk significantly weakening individual data protection.

“The digital ecosystems we regulate are dynamic, multilayered, and evolving at unprecedented pace. In an increasingly digital and competitive world, the EDPB supports simplification, but never at the expense of fundamental rights.

Promoting a human-centric approach to digital regulation—one that balances innovation with dignity, growth with rights, and efficiency with trust, remains central to our mission.”

EDPB Chair, Anu Talus


The importance of cross-regulatory cooperation was another central theme of the discussion. Commissioner McGrath and the Board explored ways to further strengthen this cooperation and enhance their ability to collaborate effectively within the evolving digital landscape.

The meeting was also an opportunity to exchange on other critically important areas of common interest, including the protection of children. The EDPB is currently working on guidelines on processing children’s data. This week, EDPB representatives also took part in a meeting with the Co-Chairs of the Special Panel on Child Safety Online organised by the European Commission.

Discussions furthermore covered progress in the field of political advertisement, with a focus on the EDPB guidelines on the processing of personal data to target or deliver political advertisements under the regulation on the transparency and targeting of political advertising. In the context of this ongoing work, at its latest plenary, the EDPB has adopted the report on the dedicated stakeholder event held on 27 March 2026.

The discussions also addressed international data transfers and emphasised the importance of cooperation with third countries, which is particularly crucial in reinforcing worldwide data protection standards.

During the discussions, the Board emphasised that adequate funding and staffing of DPAs is essential to fulfil their tasks properly.

Making GDPR compliance easier while enhancing consistency

In line with the EDPB’s Helsinki Statement to make GDPR compliance easier and strengthen consistency across Europe, the EDPB has adopted a common template for data breach notifications, which will be subject to an implementation process.

The EDPB common template for data breach notifications has been conceived to help organisations and Data Protection Authorities (DPAs) to structure, harmonise, and unify their data breach notification processes*.

The template will help ensure that notifications contain the information required by Art. 33 GDPR (on the notification of a personal data breach to the DPA), making it easier for organisations to submit a timely notification and facilitating the assessment of the case by the responsible DPAs.

The template provides predefined options to choose from, and further guidance on how to fill in the fields. This will help save time and costs, particularly for smaller organisations lacking dedicated Data Protection Officers (DPOs) or legal resources.

The template will be subject to public consultation until 5 August 2026, providing stakeholders with the opportunity to share their comments and feedback on the content of the template. Following the public consultation, the EDPB will decide on the timeline for the practical implementation of the template by all DPAs.

 

Note to editors:
You can find more information on when a data breach should be notified here.

EDPB

The Italian Supervisory Authority has fined Verisure Italia for unlawful processing of personal data for direct marketing purposes

2 weeks 4 days ago

Background information

  • Date of final decision: 27 November 2025
  • National case
  • Controller: Verisure Italia srl
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 7 (Conditions for consent), Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 13 (Information to be provided where personal data are collected from the data subject), Article 21 (Right to object)
  • Decision: Administrative fine, Compliance order, Erasure order
  • Key words: Administrative fine, Principles relating to processing of personal data, Consent, Transparency, Right to object, Data retention, Direct marketing, Exercise of data subject rights

Summary of the Decision

Origin of the case  

The Italian Supervisory Authority (SA) received a complaint from a former customer who had continued to receive unsolicited promotional text messages even after objecting to the processing of his data, and a report from a potential customer who, after requesting a quotation, had started receiving advertising calls, emails, and text messages. In both cases, the communications had persisted despite the exercise of the right to object provided for by the GDPR.

Key Findings

The company handled objection requests late, beyond the deadlines set out in the GDPR, and did not correctly collect, via the form on its website, the consent of potential customers for direct marketing purposes. In fact, in addition to not providing adequate information, this consent was effectively combined with the potential customer's request for a price quote. In other words, the fact of providing one's telephone number to obtain a personalized quotation was considered by the company as equivalent to consent to receive advertising calls.
Furthermore, the SA considered the period for storing potential customers' data for telesales purposes (12 months) to be excessive, as this was the period within which the company believed it could contact the potential customer again if they did not accept the quote offered.

Decision

In addition to the imposition of a 400 000 EUR fine, the Italian SA prohibited Verisure Italia from further processing the personal data acquired unlawfully, ordered the deletion of data collected without valid consent, and required the company to bring its privacy policy into compliance with the GDPR. The company must also notify the SA, within sixty days, of all measures taken to comply with the EU regulations on the lawful processing of personal data.
The Italian SA has taken note of the measures already undertaken by the company during the investigation.

For further information: Marketing indesiderato: Garante sanziona Verisure Italia per 400mila euro  

EDPB

Italian SA fines a company for post-sick leave questionnaires

2 weeks 4 days ago

Background information

  • Date of final decision: 10 July 2025
  • National case
  • Controller: Magna PT S.p.A.
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 9 (Processing of special categories of personal data), Article 13 (Information to be provided where personal data are collected from the data subject)
  • Decision: Administrative fine, Definitive ban on data processing
  • Key words: Administrative fine, Principles relating to processing of personal data, Transparency, Retention time, Lawfulness of processing, Employment

Summary of the Decision

Origin of the case  

A trade union report highlighted a widespread practice within an automotive company: after an absence due to illness, accident or hospitalisation, workers were interviewed and asked to complete a questionnaire. The document, completed by a direct supervisor, was then sent to the Human Resources Department, which, together with the supervisor and/or the competent doctor, assessed, on the basis of the company's representations, any initiatives to protect the health of workers, such as modifying the workstation or intervening in working relationships.


Key Findings 

During the investigation, the Italian Supervisory Authority (SA) found several infringements of the EU Regulation (GDPR), including the lack of clear and transparent information for employees and the lack of a legal basis for data processing, including health data. The Italian SA also found that workers' data were being stored in an irrelevant (absences from work) and disproportionate (up to ten years) manner, and that the data processing was not relevant for assessing the professional skills of the employees.

Decision

The Italian SA imposed a definitive ban on data processing and ordered the company to delete any data already collected and stored. The Italian SA also issued an administrative fine of 50 000 Euro.

For further information: Lavoro, il Garante privacy sanziona un’azienda per questionari post-malattia 
 

EDPB

The Italian Supervisory Authority fined a company 120 000 EUR for tracking five employees who drove company cars

2 weeks 4 days ago

Background information

  • Date of final decision: 27 November 2025
  • National case
  • Controller: Pioneer Hi-Bred Italia Sementi s.r.l.
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 13 (Information to be provided where personal data are collected from the data subject), Article 28 (Processor), Article 88
  • Decision: Administrative fine, Compliance order, Erasure order
  • Key words: Administrative fine, Principles relating to processing of personal data, Lawfulness of processing, Transparency, Definition of controller, Employment

Summary of the Decision

Origin of the case  

Following a complaint, the Italian Supervisory Authority (SA) became aware that a company had installed a satellite tracking device on company vehicles assigned to its employees, which was able to detect their behavior (times, mileage, fuel consumption, and driving style), both during work and private trips. The data collected were used to assign a rating score and take any corrective action. Given the sensitivity of the matter raised, the Italian SA ordered an on-site inspection.

Key Findings

Inspections and subsequent checks revealed that the satellite device, installed at the request of the Swiss parent company, allowed for tracking of workers' activities without the safeguards provided by the Italian workers Charter (Regulations on the protection of the freedom and dignity of workers). Furthermore, the information provided to workers covered all the group's affiliated companies, including those based outside the EU, without clearly indicating the purposes of the processing, legal bases, or entities qualifying as data controllers, processors, and recipients.

The investigations also revealed that access to the information collected via the devices installed in company cars was also granted to staff from other companies in the group, without the appropriate authorization.

Decision

The Italian SA issued a fine of 120 000 EUR to the company as data processor. 
In determining the amount of the fine, the Italian SA took into account both the limited number of employees involved and the immediate suspension of the unlawful data processing, implemented by the company immediately after the complaint was filed. The Italian SA also ordered the deletion of data relating to employees' journeys, collected and used to assign driving behavior.

For further information: Garante privacy: no al controllo dello stile di guida dei lavoratori. Sanzione di 120mila euro a società che monitorava 5 dipendenti con auto aziendale 
 

EDPB

Imposition of fine on a telecommunications company for violations of data subject’s rights

2 weeks 4 days ago

Background information

  • Date of final decision: 11 February 2026
  • National case
  • Controller: Vodafone-Panafon S.A Hellenic Telecommunications Company
  • Legal Reference: Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject, Article 12.2: Facilitation of the exercise of the rights of the data subject, Article 12.3: Time limit for responding to a request, Article 12.4: Information to be provided where no action is taken on the request, Article 15: Right of access by the data subject, Article 18: Right to restriction of processing
  • Decision: Infringement of the GDPR; fine imposed; order to comply
  • Key words: Transparent information, communication and exercise of the rights of the data subject

Summary of the Decision

Origin of the case

A complaint was submitted to the Greek SA against Vodafone-Panafon S.A Hellenic Telecommunications Company for

  1. violation of the right of access to recorded calls,
  2. violation of the right to restriction of processing,
  3. obstacles placed by the respondent during the exercise of the aforementioned right of access, and
  4. contradictory information regarding the procedure for satisfying the exercised right of access.

Key Findings

The Authority found that the respondent company infringed the provisions of Articles 12(1), (2), (3), (4), 15 and 18 of the GDPR pursuant to Articles 58(2)(i) and 83(5)(b) of the GDPR. 

Decision

The Greek SA imposed on the telecommunications company an administrative fine of EUR 30.000 for violating Articles 12(1), (2), (3), (4), 15 and 18 of the GDPR.
It also ordered, pursuant to Article 15(4)(b) of national Law 4624/2019, the respondent company to adopt appropriate technical and organisational measures to ensure the proper and timely examination of data subjects’ rights, including more effective training of its representatives, and to provide the Authority with relevant documentation within six months.


For further information: national decision in Greek Επιβολή προστίμου σε πάροχο υπηρεσιών τηλεπικοινωνίας  

EDPB

The Italian SA fined Poste Vita for data breach

2 weeks 4 days ago

Background information

  • Date of final decision: 10 July 2025
  • National case
  • Controller: Poste Vita s.p.a.
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 33 (Notification of a personal data breach to the supervisory authority)
  • Decision: Administrative fine
  • Key words: Administrative fine, Clients, Data security, Insurance, Personal data breach

Summary of the Decision

Origin of the case  

The investigation was initiated following a complaint from an insurance company (Poste Vita) customer who complained about the unlawful disclosure of personal data to an unauthorised third party who had then used it in legal proceedings. The data related to three life insurance policies held by the complainant.

Key Findings 

During the investigation, the Italian Supervisory Authority (SA) verified that the data breach had occurred due to a series of errors committed by the company's operators. They had responded to requests for information regarding the data subject's policies without first verifying that the email address from which the requests were sent matched the contact details provided by the customer. The requests came from two email addresses which, although they had the name and surname of the data subject, who had never provided any email address to the company, were in fact linked to third parties.

Decision

Noting that in the meantime the insurance company had implemented corporate procedures aimed at rigorously verifying the identity of the person concerned, the Italian SA imposed a fine of 80,000 EUR, without taking further measures.

For further information: Data breach, il Garante sanziona Poste Vita per 80mila euro

EDPB

The Italian SA imposed a 40 000 EUR fine on a company for violating the confidentiality of an employee's email account after the end of his employment

2 weeks 4 days ago

Background information

  • Date of final decision: 18 December 2025
  • National case
  • Controller: LTL S.p.A.
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 15 (Right of access by the data subject)
  • Decision: Administrative fine, Compliance order, Erasure order
  • Key words: Administrative fine, Principles relating to processing of personal data, Transparency, Right of access, Employment, Data subject rights

Summary of the Decision

Origin of the case  

In a complaint submitted to the Italian Supervisory Authority (SA), an individual complained that, after receiving a disciplinary letter followed by dismissal, the company had denied him access to his company email account, which remained active. Exercising his rights, the data subject asked the company to disable the email account, forward any messages received in the meantime to his personal email address, and activate an automatic reply informing any senders of his new email address. However, this request remained unfulfilled, even though it was formulated in compliance with the GDPR.


Key Findings 

During the investigation, the Italian SA found that the company not only continued to receive emails addressed to the employee, but also forwarded them to another company email account. This unlawful practice had been going on for about two months, exceeding the 30-day limit set by the company's internal rules.

Decision

The Italian SA fined the company 40 000 EUR.
In determining the amount of the fine, the SA took into account the type and duration of the violations, the failure to respond to the employee's request to exercise his rights, and the absence of previous violations of data protection regulations by the company.
The Authority therefore ordered the company to allow the employee access to his company email account and ordered its subsequent deletion, without prejudice to the retention of what was necessary for the protection of the company's rights in court.

For further information: Garante: l’accesso alla email del lavoratore licenziato vìola la privacy
 

EDPB

EDPB and EDPS support strengthening EU’s cybersecurity and easing compliance while protecting individuals’ personal data

1 month ago

Brussels, 19 March 2026 – The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the European Commission’s proposal for a Cybersecurity Act 2 (CSA2) and the proposal on amendments to the Network and Information Security 2 (NIS2) Directive.

On 20 January 2026, the Commission published a cybersecurity package proposal to further strengthen cybersecurity in Europe while making compliance with cybersecurity laws easier for organisations. In their joint opinion, issued at the request of the Commission*, the EDPB and the EDPS address the proposed revision of the CSA and the targeted amendments to the NIS2 Directive.

“The relationship between data protection and cybersecurity is reciprocal and deeply interconnected. While cybersecurity supports the protection of personal data by limiting the risks of unwanted access, modification or unavailability of data, it is crucial to ensure that security controls are implemented in a way that does not undermine individuals’ fundamental rights and freedoms.”

EDPB Chair Anu Talus

“While maximizing the effectiveness of cybersecurity measures is vital, we must ensure that the processing of personal data remains limited to what is strictly necessary. We welcome the reinforced role of ENISA to promote digital resilience; our hope is that this new mandate fosters the synergies needed to create a robust ecosystem where security and privacy go hand in hand.”

European Data Protection Supervisor, Wojciech Wiewiórowski

Regarding the Proposal for the CSA2, the EDPB and the EDPS support the general objective to strengthen the role of the European Union Agency for Cybersecurity (ENISA) and to facilitate uptake of cybersecurity certification, as well as the objective to further address the various risks to ICT supply chains, including non-technical ones.

The proposal to provide further clarification on the way ENISA gives support to different stakeholders is well received. The EDPB and the EDPS specifically welcome that ENISA’s advice would be issued upon a prior request from the EDPB, thus ensuring a clear coordination and a clear division of responsibilities. They also suggest adding the EDPS as a possible requestor of advice from ENISA.

In the joint opinion, the EDPB and the EDPS recall that in case the Management Board of ENISA decides to adopt additional measures necessary for the application of the EU Data Protection Regulation, such decisions should be limited to very technical (practical) details related to the processing of personal data. The Proposal should also provide for a prior consultation with the EDPS before adoption of such rules.

The joint opinion welcomes the synergies that might arise from the cooperation between ENISA and other EU institutions and bodies, and also recommends adding an explicit reference to the EDPS as an EU body with which ENISA would cooperate.

While the objective of facilitating uptake of cybersecurity certification is welcome, the scope of the European Cybersecurity Certification Framework and its relationship with GDPR certification should be further clarified. To ensure consistency, ENISA should consult with the EDPB before adopting a certification scheme relating to the security of processing of personal data. Furthermore, certification schemes for products, services and processes that are likely to be used in data processing operations should, to the extent possible, take into account security controls that can help to demonstrate the fulfilment of GDPR requirements.

The EDPB and the EDPS recommend that the European Cybersecurity Skills Framework not be limited to cybersecurity professionals, but also include a general workforce profile.

In line with the recent EDPB-EDPS joint opinion on the Digital Omnibus Regulation Proposal, the EDPB and EDPS express their support for the establishment of a single-entry point for the notification of personal data breaches, as it would reduce the administrative burden for notifying organisations without affecting the level of protection for individuals.

Regarding the proposed amendments to the NIS2 Directive, the EDPB and the EDPS welcome the designation of European Digital Identity Wallets and European Business Wallets providers as 'essential entities'.

Note to editors:
* On 21 January 2026, the Commission formally consulted the EDPB and the EDPS and requested a joint opinion on the European Commission’s proposal for a CSA2 and the proposal on amendments to the NIS2 Directive in accordance with Art. 42(2) of Regulation (EU) 2018/1725.

EDPB

Safe and Ethical AI: a big European idea for the world

1 month 2 weeks ago
miriam Thu, 05/07/2026 - 16:04 Fri, 05/08/2026 - 12:00

On 9 May, Europeans celebrate Europe Day. Europe has continued to shape big ideas that unite people around shared values & fundamental rights. Our commitment to human-centric, transparent technology remains more important than ever.

Read the blog post
European Data Protection Supervisor

Europe Day 2026: let’s celebrate together

1 month 2 weeks ago

Brussels, 5 May – On 9 May each year, Europeans celebrate the anniversary of the Schuman Declaration, the key moment which led to the creation of the EU as we know it today. To mark this special occasion, the European institutions will open their doors to the public on 9 May 2026, and we would be delighted to welcome you.

Come and visit us

We invite you to our interactive booth to discover and enjoy the activities we have prepared together with the European Data Protection Supervisor (EDPS).

•    When: 9 May 2026, from 10:00 to 18:00 (CET)
•    Where: European Parliament (Rue Wiertz 60, Brussels)

You will find us on the ground floor, in the cybersecurity area.


Test your skills and discover more

During your visit, you will get the chance to enjoy fun activities tailored just for you. These include:

•    An EU Survey Quiz to test your knowledge of EU institutions
•    A roulette that will test your skills with fun data protection-related challenges

This year, we are also bringing along a new friend: our mascot “Eddy the beaver”. Do not hesitate to come and greet him and make sure to bring along the little ones.

We are looking forward to meeting you!

EDPB

New episode of the Newsletter Digest is out

1 month 3 weeks ago
miriam Thu, 04/30/2026 - 16:32 Fri, 05/01/2026 - 12:00

Curious about how the EU is tackling AI supervision, cybersecurity rules, and data protection in the health industry? Our newest episode breaks it all down.

Have a listen
European Data Protection Supervisor