EDPB and EDPS support streamlining AI Act implementation but call for stronger safeguards to protect fundamental rights.
1 Read the Joint Press releaseBrussels, 21 January - The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the European Commission’s Proposal for the ‘Digital Omnibus on AI’. The Proposal seeks to simplify the implementation of certain harmonised rules under the AI Act to ensure their effective application.
The EDPB and the EDPS support the objective of addressing practical challenges relating to the implementation of the AI Act. Administrative simplification must not, however, lower the protection of fundamental rights. The Joint Opinion acknowledges the complexity of the AI landscape and welcomes efforts to ease burdens for organisations. However, certain proposed changes could undermine the protection of individuals in the context of AI.
“Innovation and efficiency are crucial and can coexist with maintaining accountability of AI providers. We welcome EU-level regulatory sandboxes and simplified procedures to promote innovation and support SMEs in Europe. However, Data Protection Authorities must maintain a central role when it comes to the processing of individuals’ personal data. Cooperation between Data Protection Authorities, the AI Office and Market Surveillance Authorities is essential to ensure legal certainty for organisations and foster innovation while upholding individuals’ fundamental rights.”
EDPB Chair, Anu Talus
“Simplification is welcome when it clarifies obligations, empowers individuals, and strengthens trust. A careful balance needs to be kept by reducing administrative burden where possible, without undermining the protection of fundamental rights. Furthermore, we must ensure that the role of the AI Office is clearly defined and does not affect the independent supervision of European Union Institutions’ own use of AI systems.”
European Data Protection Supervisor, Wojciech Wiewiórowski
The Proposal would extend the possibility to process special categories of personal data (such as ethnicity or health data) for bias detection and correction to providers and deployers of any AI systems and models, subject to appropriate safeguards. The EDPB and the EDPS recommend specifying that these data may be used for bias detection and correction only in circumscribed situations where the risk of adverse effects from such bias is considered sufficiently serious.
The EDPB and the EDPS advise against the proposed deletion of the obligation to register AI systems, when they fall under the categories listed as high-risk, even if the providers deem their systems to be ‘non-high risk’. The EDPB and the EDPS consider that this change would significantly undermine accountability and create an undesirable incentive for providers to unduly claim exemptions to avoid public scrutiny.
The EDPB and the EDPS welcome the creation of EU-level AI regulatory sandboxes to promote innovation. To ensure legal certainty, the Joint Opinion recommends the direct involvement of competent Data Protection Authorities (DPAs) in the supervision of data processing within sandboxes. In addition, the EDPB should be afforded an advisory role and the status of observer at the European Artificial Intelligence Board to ensure consistency in relation to EU-level sandboxes. Furthermore, the supervisory role of the AI Office with regard to AI systems based on a general-purpose AI model should be clearly delineated in the operative part and should not overlap with the independent supervision by the EDPS of AI systems developed or used by Union institutions, bodies, offices or agencies.
The EDPB and the EDPS support the goal of streamlining cooperation between fundamental rights authorities or bodies and Market Surveillance Authorities, and the reliance on a central point of contact to increase efficiency. However, they recommend clarifying the role of the MSAs as administrative points of contact for the execution and transmission of requests to providers and deployers, and ensuring that the independence and powers of DPAs are unaffected.
The EDPB and the EDPS also recommend maintaining a duty for AI providers and deployers to ensure AI literacy among their staff. Any new obligation to foster AI literacy placed on the Commission or Member States should complement, not replace, the responsibilities of the organisations actually developing and using these systems.
Finally, the EDPB and the EDPS express concerns regarding the proposed postponement of core provisions for high-risk AI systems. Given the rapid evolution of the AI landscape, they invite the co-legislators to consider whether the original timeline can be maintained for certain obligations, such as transparency requirements, and to minimise delays to the extent possible.
Brussels, 19 January - During its latest plenary, the EDPB adopted a report to support the European Commission’s evaluation of the Law Enforcement Directive (LED).
The Commission has to submit its public report* on the evaluation and review of this Directive to the European Parliament and to the Council by 6 May 2026. Ahead of this, the Commission gathered the views of the European Data Protection Authorities (DPAs) on the application and functioning of the LED over the period from January 2022 to 31 August 2025.**
“We welcome the European Commission’s regular evaluations of the application of the LED, and we are committed to providing our expertise for these evaluations to ensure that the LED continues to uphold high data protection standards in the law enforcement context.”
EDPB Chair, Anu Talus
The EDPB facilitates cooperation and coordination between DPAs when supervising law-enforcement processing. The EDPB Secretariat also provides the Secretariat of the Coordinated Supervision Committee (CSC) which ensures coordinated supervision of large-scale IT systems and EU bodies and agencies in the areas of law enforcement and criminal justice.
In its report, the EDPB highlights the key role of the LED in protecting personal data in the law enforcement context. DPAs have increasingly advised competent national authorities on mitigating data breaches, while many DPAs have also carried out awareness-raising activities and issued guidance.
The EDPB takes note of the request from DPAs to get more clarity on the scope of the LED, notably its boundary with the GDPR, and to address more thoroughly the challenges posed by the growing use of new technologies, such as AI, in the law enforcement context. The EDPB highlights the need for law enforcement authorities to use these tools in strict compliance with the LED, ensuring that their use is necessary, proportionate, and subject to adequate safeguards.
According to the EDPB, in the context of the case law that developed since the last evaluation of the directive, it is essential to further strengthen the national implementation of the LED across the European Union. In addition, the role of Data Protection Officers (DPOs) should be reinforced to ensure the effective and consistent application of data protection rules in law enforcement activities.
The report also points to the need for improved cooperation, both among competent authorities responsible for the LED and among law enforcement authorities more broadly.
Finally, the EDPB underlines that both DPAs and the EDPB need additional financial and human resources, to carry out new tasks arising from recent legal acts, including responsibilities linked to the CSC, whose activities now also include the supervision of systems such as the Visa Information System (VIS), Prüm II, and the Entry Exist System (EES).
Next, the EDPB adopted recommendations on the application for approval and on the elements and principles to be found in Processor Binding Corporate Rules (BCR-P).
These recommendations form an update of the existing BCR-P referential, which contains the criteria for BCR-P approval, and merge it with the standard application form for BCR-P.
BCR-Ps are a transfer tool that can be used by a group of undertakings or enterprises to transfer personal data outside the European Economic Area to processors within the same group. BCRs create enforceable rights and set out commitments to establish a level of data protection essentially equivalent to the one provided by the GDPR.
The new recommendations build upon the agreements reached and the experience gained by DPAs in the course of approval procedures on concrete BCR-P applications since the entry into application of the GDPR, as well as upon the work carried out in the context of the updated Recommendations on Controller Binding Corporate Rules (BCR-C).
The recommendations provide clear criteria and explanations to ensure that BCR-P developed by groups of undertakings or enterprises are compliant with the GDPR. The recommendations clarify when BCR-P can be used, namely only for intra-group transfers between processors, when the controller is not part of the group.
In addition, the recommendations clarify that the BCR-P are designed to meet the requirements of Article 28(4) GDPR. This means that any processor within the Group using BCR-P does not need to sign a separate sub-processing agreement with each sub-processor in the Group.
The recommendations will be open to public consultation until 2 March 2026.
The EDPB members also held an exchange of views on the upcoming joint opinion on the Digital Omnibus, which is scheduled for adoption at the February plenary meeting.
Note to editors
*The legal basis for the Commission’s action is Art. 62 of Directive (EU) 2016/680 (Law Enforcement Directive), which requires the Commission to evaluate and report on the application of the Directive.
**See also the European Commission Report on the application of the Law Enforcement Directive, COM(2022) 364 final, to which the EDPB contributed.
In this podcast series we are observing 6 AI trends from the TechSonar 2025-2026: covering agentic AI, AI companions, automated proctoring, AI-driven personalised learning, coding assistants, and confidential computing.
1 Better tune in.Read the Press Release on the EDPS' support of the targeted VAT data access to fight fraud at EU level, while warning against blurring administrative and criminal boundaries.
1 Read the Press ReleaseWith Christmas and a new year just around the corner, there is still time for one more catch-up on all things European data protection. In this issue, we have: horizon-scanning releases looking at emerging tech, a look at recent international meetings between data protection authorities, and privacy-focused events to kick off your 2026.
0Read the blogpost on audits in practice: a predictable and proportionate tool supporting compliance, risk management and trust across EU institutions.
1 Read blogpostNew TechDispatch publication on Digital Identity Wallet: The path towards a data protection by design and by default approach
1 Read hereOn 12 February 2026, the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) Trainees organise the conference Data takes flight: Navigating privacy at the airport. The conference will raise awareness about what happens to personal data when traveling by air and encourage a critical and informed discussion about data protection, security, and the usage of personal data in this context.
Register here.
Brussels, 4 December - During its latest plenary, the EDPB adopted recommendations on the legal basis for requiring the creation of user accounts on e-commerce websites. In addition, the Board had a preliminary discussion on the Digital Omnibus proposal and appointed the new EDPB Deputy Chair.
Internet users visit e-commerce websites for a variety of reasons, including making online purchases, taking advantage of promotions, or simply browsing products. When interacting with these websites, they may be asked to create an account, which can result in the collection and processing of personal data, as well as increased privacy and security risks.
The EDPB adopted recommendations to clarify when e-commerce websites can require their users to create an account.
As a general rule, users should have the option to engage with e-commerce websites, including the ability to make purchases, without creating an account. In such cases, the EDPB recommends that e-commerce websites offer a choice: either a 'guest' mode, allowing users make purchases without creating an account, or the option to voluntarily create an account. This approach minimises the collection and processing of personal data, and therefore aligns with the GDPR's principle of data protection by design and by default.
However, mandatory account creation can be justified in a limited number of cases, including for example, offering a subscription service or providing access to exclusive offers.
The recommendations highlight the EDPB's efforts to promote pragmatic, user-friendly and privacy-protective practices in the e-commerce sector.
The recommendations are subject to public consultation, providing stakeholders with the opportunity to comment and provide feedback.
The EDPB had a preliminary discussion on the proposal for a Digital Omnibus, on which the EDPB and EDPS will issue a Joint Opinion.
In its Helsinki Statement, the EDPB made proposals in order to achieve enhanced clarity, support and engagement. The EDPB and the EDPS welcome the discussion on effective digital regulation and remain committed to finding solutions to make GDPR compliance easier, especially for small organisations.
The EDPB and the EDPS will focus on how the European Commission’s proposal will impact the fundamental rights of individuals and whether it will lead to simplification for organisations and more legal certainty.
While numerous points need to be analysed, at this stage, the EDPB and the EDPS can already underline that the proposed modification of the definition of personal data seems to go further than the recent CJEU case law, and beyond a targeted modification of the GDPR, which may risk to adversely affect the fundamental right to data protection.
The EDPB recalls its upcoming public stakeholder event on this topic on 12 December 2025 and underlines that the implementation of the CJEU case law through guidelines taking into account stakeholders' input ensures greater certainty.
At this week’s plenary, the members of the EDPB appointed Jelena Virant Burnik, Information Commissioner of the Republic of Slovenia, as new Deputy Chair of the Board.
“I am honoured to have been elected as Deputy Chair of the EDPB. I am pleased to have the opportunity to help strengthen the role of the EDPB as a central authority in EU data protection. I am committed to fostering cooperation among national Data Protection Authorities and providing a forum for their open discussions that help align the understanding and enforcement of the GDPR provisions.
In the ever-developing landscape of digital regulation, the EDPB must remain a regulator that understands the complex interplay of legislation and contributes productively to the discussions at European level. “
EDPB Deputy Chair, Jelena Virant Burnik
“Over the past years, the landscape in which we operate has fundamentally shifted, reshaping the EDPB’s role in Europe’s digital future. In this dynamic environment, the new EDPB Deputy Chair faces exciting challenges ahead. I am confident that the EDPB will greatly benefit from her expertise and dedication.
I look forward to collaborating with Jelena Virant Burnik to advance the EDPB’s shared mission: fostering innovation while safeguarding individuals’ fundamental rights."
EDPB Chair, Anu Talus
Over the coming years, Jelena Virant Burnik, will work closely with EDPB Chair Anu Talus and fellow Deputy Chair Zdravko Vukić to ensure the consistent application of EU data protection rules and promote effective cooperation among Data Protection Authorities across Europe.
The EDPS publishes the High-Risk AI Systems Mapping Report in European Institutions, Agencies and Bodies.
0EDPS hosts data protection authorities from Western Balkans and Eastern Partnership regions for a day of operational exchanges.
1 Read blogpostBrussels, 3 December - As part of its December’s plenary meeting, the European Data Protection Board (EDPB) held yesterday an online meeting with Commissioners and representatives of Data Protection Authorities (DPAs) from the countries and the organisation with an EU adequacy decision. This meeting marked the second of its kind, following the first gathering in October 2024.
An adequacy decision is a key-mechanism in EU data protection legislation which allows free flow of personal data from Europe to third countries or an international organisation offering an adequate level of data protection.* To date, the following countries and organisation benefit from this: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, Uruguay, United States, and the European Patent Organisation. Data Protection Authorities from those countries and the European Patent Organisation are key partners for the EDPB, playing a key role in our joint efforts to strengthen data protection worldwide.
The Board organised a first meeting in October 2024 with Data Protection Authorities from the fifteen countries with an EU adequacy decision.
Following that meeting, the EDPB and the Data Protection Authorities from the countries and the organisation with an EU adequacy decision strengthened their cooperation by sharing information on some advisory works and gathering experiences on international data protection enforcement cooperation.
“Our first joint meeting in October 2024 paved the way for a stronger cooperation and valuable knowledge and experience sharing on data protection.
The high level of engagement shown in this second meeting by the EDPB and the Data Protection Authorities from the countries and the international organisation for which the EU adopted an adequacy decision is a clear sign of our commitment to continue working together in this shared direction.”
EDPB Chair, Anu Talus
Yesterday’s meeting was an opportunity for all participants to share views on past activities and updates on the next enforcement and advisory priorities.
Note to editors
The European Commission has the power to determine, on the basis of Art. 45 of Regulation (EU) 2016/679 whether a country outside the EU offers an adequate level of data protection.
The adoption of an adequacy decision involves: 1) a proposal from the European Commission; 2) an opinion of the European Data Protection Board; 3) approval from representatives of EU countries; 4) adoption of the decision by the European Commission.
Brussels, 28 November - The EDPB launched a call for expression of interest to establish a new reserve list for the Support Pool of Experts (SPE) programme. The objective is set up a reserve list of legal and technical experts.
The legal expertise sought includes a wide range of fields, such as data protection, policy monitoring, technology, cybersecurity, competition, healthcare, online intermediary services and content moderation.
As for the technical expertise, the relevant areas include IT auditing, website security, mobile OS and apps, Internet of Things, cloud-computing, behavioural advertising, anonymisation techniques, cryptology, artificial intelligence, User experience (UX) design, fintech, data science, social science (incl. economics, sociology, psychology), and development of applications and software.
Don’t miss this opportunity to participate in this EDPB’s key strategic initiative. Your work will help Data Protection Authorities (DPAs) across Europe increase their capacity to supervise and enforce data protection rules and strengthen the protection of individuals’ fundamental rights.
In 2022, the EDPB issued a call for expression of interest, which led to the establishment of a first SPE reserve list. As this list is set to expire in February 2026, the EDPB is inviting experts who were included in this first SPE reserve list to submit their application in response to the new call for expression of interest.
The call will be open until August 2030.
Learn how to submit your application.
The SPE was developed as part of the EDPB Strategy 2021-2023 to help DPAs increase their enforcement capacity by developing common tools and giving them access to a wide pool of experts.
The EDPB aims to carry out approximately ten projects per year with pre-eminent external experts in a given field. Projects are coordinated either by individual DPAs or by the EDPB.
More information on the SPE and on completed project is available here.
Blogpost on the 57th EDPS-DPO Meeting by Thomas Zerdick, Acting Secretary-General and Head of Supervision and Enforcement Unit.
1 Read blogpostWe are back and there is a lot to catch up on! Read on for events to register for; new EDPS publications and Opinions on AI and transatlantic data sharing; reflections on events on cross-border data protection, privacy tech and the AI Act; news on EDPS oversight of EU border systems; an update on a key court judgement; and more.
1 Read NewsletterThe TechSonar report 2025-2026 explores six trends: agentic AI, AI companions, automated proctoring, AI-driven personalised learning, coding assistants and confidential computing.
1 Read moreData Protection Day (28 January) celebrates the signing of Convention 108, the first legally binding treaty protecting privacy in the digital age. To mark the occasion, the Council of Europe (CoE) and the European Data Protection Supervisor (EDPS) are co-organising a one-day event focused on new frontiers in data protection.
Brussels, 17 November - The EDPB organises a remote event to collect stakeholders’ input on anonymisation and pseudonymisation on implications of the judgement of the Court of Justice of the European Union (CJEU) in EDPS v Single Resolution Board (SRB). The event will take place on 12 December 2025 (time to be confirmed).
This will be an opportunity to inform and support the EDPB’s ongoing work on these topics as per its work programme 2024-2025 and it reflects the EDPB’s commitment to stakeholder engagement, as outlined in the recent Helsinki statement.
Individuals representing sector associations, organisations or NGOs and individual companies, law firms or academics are invited to express their interest to participate in this event (one participant per organisation). The EDPB encourages all organisations interested in this matter to delegate a representative with technical knowledge of these topics.
As a general rule, participants will be registered on a first-come first-served basis. Nonetheless, the EDPB reserves the right to give precedence to specific stakeholders among those who expressed their interest, based on their relevance to the topics of the event, and to ensure diversity of views and a balanced representation of areas of interest, as well as geographical balance.
You can find further information and the instructions on how to register (link not available).
The call will be closed as soon as a sufficiently high number of applicants is reached with a view to ensuring the participation of a maximum number of stakeholders.
If you have technical problems submitting the application, we invite you to refresh the page or open the form in a different browser.
Update on 17/11/2025, 12:57 pm: The call is now closed.
Thank you to all those who expressed their interest in taking part in the EDPB stakeholder event on ‘anonymisation and pseudonymisation’. We will carefully review all applications and communicate the results of the process to those who applied in the coming weeks.
The European Data Protection Supervisor (EDPS) is pleased to announce the publication of a new guidance document designed to support controllers in conducting data protection risk assessments when developing, procuring, and deploying Artificial Intelligence (AI) systems under Regulation 2018/1725 (EUDPR). This guide aims at providing valuable insights and practical recommendations to help identify and mitigate common technical risks associated with AI systems, helping in the protection of personal data.
While primarily intended for European Union Institutions, Bodies, Offices, and Agencies (EUIs), this guidance is also relevant and useful for private companies, industry stakeholders, and public organizations seeking to ensure compliance with data protection regulations.
The document begins by revisiting the risk management approach of the widely recognized ISO 31000:2018 standard. It then continues into the AI system lifecycle, to later explore the concepts of interpretability and explainability, which are essential for ensuring data protection. The core of the guidance presents a detailed analysis of risks and corresponding mitigation measures, organized around four fundamental data protection principles: fairness, accuracy, data minimisation, and security.
1 Read more