The final EDPS-DPO meeting of 2025 brought together Data Protection Officers from across the EU institutions, bodies, offices and agencies at the European Food Safety Authority (EFSA) in Parma, Italy. Held in a hybrid format, the 57th meeting took place at a moment of significant regulatory and technological change for the EU administration. It offered DPOs and the EDPS an opportunity to reflect collectively on recent developments, share experience, and prepare for the challenges ahead.
Setting the scene: legislative change and digital transformation
In his opening remarks, the European Data Protection Supervisor, Wojciech Wiewiórowski, highlighted ongoing discussions around the Digital Omnibus proposal and the proposed amendments to Regulation 2018/1725. These reforms, he noted, will shape the future supervisory landscape and underline the need for continued coordination across the EU’s administrative framework.
The meeting then turned to an overview of recent EDPS work. Heads of Unit from Supervision & Enforcement (S&E) and Technology & Privacy (T&P) presented key activities from 2025 and priorities for the months ahead.
Supervisory priorities: investigations, guidance and case law
Thomas Zerdick, Head of the S&E Unit, provided an update on several major files. This included the closure of the EDPS investigation into the European Commission’s use of MS365, the update of the EDPS guidance on generative AI, and a series of recent cases concerning the dismissal of DPOs.
A dedicated agenda item focused on the forthcoming revised EDPS Supervisory Guidance on the role of DPOs in the EU institutions. The updated guidance will clarify expectations, strengthen good practice, and support both DPOs and the institutions that appoint them.
T&P Head of Unit Luís Velasco presented highlights from their recent activities. and introduced the presentations scheduled later in the day.
Returning to the floor later in the programme, Thomas Zerdick provided an overview of recent case law in the field of privacy and data protection, explaining how new rulings are likely to affect DPOs’ day-to-day responsibilities.
Technology, breaches and AI risk: insights from T&P
Two T&P presentations explored key technical developments. The first summarised notable trends in personal data breaches throughout 2025, identifying recurring weaknesses and the main factors shaping breach notifications. The second presented the results of the EDPS website awareness compliance campaign and introduced the EDPS methodology on AI risk, outlining how DPOs can integrate these considerations into their own institutional practices.
A networking session at the end of the first day allowed participants to continue the discussions in an informal setting.
From case law to practice: applying the CJEU ruling in Case C-413/23 P
The second day opened with an S&E-led workshop dedicated to the recent Court of Justice ruling in Case C-413/23 P (EDPS v SRB). Prepared in close cooperation with the DPO Support Group, the session examined the first practical lessons arising from the judgment and invited participants to consider how these findings can be implemented in their own institutions. The discussions were substantive and highlighted areas where further clarification or operational adjustments may be needed.
Open exchange: challenges and good practice from the network
As tradition, DPOs then participated in an open exchange of views, facilitated by Acting Secretary-General and Head of the S&E Unit, Thomas Zerdick. This interactive session allowed participants to raise current challenges, share practical solutions, and flag issues where further EDPS guidance or coordination would be valuable.
Looking ahead
In his concluding remarks, the Supervisor summarised the main points emerging from the two days and underscored the importance of continued collaboration between the EDPS and the DPO community.
The meeting confirmed once again the value of the EDPS–DPO network as a platform for dialogue, learning and joint problem-solving. As institutions navigate technological change, legislative updates and new supervisory expectations, this cooperation remains essential to ensuring a consistent and effective application of EU data protection rules across the Union’s administration.
We look forward to continuing this work together at the next meeting in 2026!