Second of July 2025, time for the first EDPS - DPO Network meeting of the year.
The 56th meeting since its creation back in 2004, over twenty years ago.
For those of you who do not know, the EDPS - Data Protection Network meeting meets twice a year to discuss data protection priorities and practices in the digital world. A platform for the EDPS to meet with the data protection officers (DPOs) of the EU institutions, bodies, offices and agencies (EUIs).
Over the years, it has become an essential forum to foster consistent application of EU data protection law, protect the privacy of people whose data is processed by EUIs, and a support system for DPOs to share their best practices, but also challenges of prioritising data protection in a rapidly evolving digital landscape.
For this edition, the meeting was hosted by the Council of the European Union. The DPO network takes on a collaborative approach to its activities: each meeting is organised, in turn, by one of the EUI’s DPO. Additionally, the programme of the day, which includes workshops, presentations, and other sessions, is structured with a rotating DPO Support Group, that makes suggestions to the EDPS on the most pressing issues that DPOs face in their line of work. That way, the EDPS ensures that its DPO network meeting is useful for EUIs, having therefore a direct impact on how they protect the privacy of individuals when their EUIs process personal data.
Here are some of the top takeaways of this meeting.
Settling into the day’s activities, the EDPS’ Technology and Privacy Unit (T&P) provided an update on its efforts to monitor emerging technologies, highlighting both their opportunities and privacy risks. They presented the latest TechDispatch on Federated Learning, a decentralised AI training technique that supports privacy enhanced data processing. Two new TechDispatches are expected this autumn, one focusing on Human Monitoring of Automated Decisions and one on Digital Identity Wallets.
T&P also shared progress made concerning their handling of personal data breaches. It is worth noting that the EDPS has cleared the backlog of personal data breach cases. Whilst some cases are ongoing, pending additional information or action from the affected institutions, significant catch up has been made.
As part of the EDPS’ efforts to enhance EUIs’ preparedness to prevent, mitigate and handle personal data breaches, T&P reported on the successful completion of its second edition of the PATRICIA exercise (Personal Data Breach Awareness In Cybersecurity Incident Handling). This initiative strengthens EUIs’ capacity to respond effectively to data breaches through practical workshops and realistic scenarios that they may encounter in their work. Both editions of the exercise have been highly successful, receiving excellent feedback from participants.
T&P is now working on developing a version of the exercise tailored to larger institutions, with a specific focus on engaging Data Protection Coordinators (DPCs).
It was then time for the EDPS’ S&E Unit to provide an update on ongoing files, emphasising on recent issues concerning the independence of DPOs, and other topics for which the EDPS has been consulted or received complaints about. Further to this task, the EDPS is updating its Position Paper on the role of the DPOs in EUIs to reflect recent case law concerning the independence of DPOs, and EDPS practice on the matter. The EDPS is also using the information gathered from its surveyon the role of DPOs to complement its review of the Position Paper.
After this brief session taking stock of the EDPS’ work in specific areas impacting DPOs, the rest of the morning session was dedicated to the DPO role, with case studies on selected topics discussed in subgroups, followed by a discussion in plenary. The case studies encouraged DPOs and the EDPS to reflect on the challenges and complexities of situations where conflicts of interests may arise for DPOs and their liability be raised. This activity, and its outcome, will also feed into the EDPS’ revised guidance on the role of DPOs in EUIs.
This session was followed by a presentation on the aggregated results of the second edition of the EDPS Website Awareness Compliance Campaign. Because an EUIs’ website is often the most visible and most prominent tool for their digital presence and a key indicator of compliance with data protection rules. The results of this second edition of the campaign demonstrated that EUIs had made progress on making their website compliant with data protection law, but room for improvement remains necessary overall.
To support these efforts, the EDPS developed the Website Evidence Collector (WEC) Online tool, created in 2018. This tool aims to help developers, controllers, and DPOs identify potential compliance issues by automatically browsing websites, detect the use of cookies or similar technologies, websites’ enforcement of secure connections and third-party content. WEC Online has a web interface and does not require installation. By making such evidence easily accessible, WEC Online facilitates more effective and targeted improvements to website compliance.
Next, it was time for the customary presentation of recent case law on privacy and data protection, a session that is always much appreciated by the DPO network members, because it provides possible answers to problems, situations or issues they may encounter.
Ending the network meeting on a practical note, DPOs were invited to share their views on issues they encounter in their day-to-day work when upholding EU data protection standards and principles. Now a permanent, and non-negotiable item on the EDPS-DPO Network meeting agenda, this activity is highly constructive and enriching to ensure that we, the EDPS, support DPOs according to their needs, for better personal data protection.
Much of the meeting was dedicated to the role of the DPO. It is therefore with great enthusiasm that I welcome another important initiative of the DPO network: the setup of a Working Group to reflect on the DPO’s fundamental role within their organisation, but also the challenges this unique position brings.
Strong and continuous collaboration coupled with consistent and impactful efforts: two true cornerstones of data protection culture in the EUIs that will help us tackle the challenges that we face now and in the future.
I sincerely thank all DPOs for their hard work.