The EDPS and the Data Protection Officers (DPO) network of the EU institutions, bodies, offices and agencies (EUIs) met for the second time this year on 27 November 2024, at the Court of Justice of the European Union, in Luxembourg.
This is the 55th meeting held since its creation. The network serves as a collaborative platform to foster dialogue, cooperation and knowledge sharing between the EDPS and the DPOs to ensure consistent compliance with the applicable data protection law, Regulation (EU) 2018/1725, within the EUIs. As such, the network plays a pivotal role in strengthening compliance with data protection laws and promoting a unified approach to safeguarding personal data across the EU’s administrative framework.
The meeting opened with the EDPS’ Heads of Units from Supervision & Enforcement (S&E) and Technology & Privacy giving an update on their ongoing work. The head of the S&E Unit, Thomas Zerdick, gave a detailed update on current data protection case law followed by T&P’s presentation of their technology-monitoring efforts. This included a presentation of the latest TechSonar Report 2025 dedicated to Artificial Intelligence technologies such as Retrieval-augmented generation (RAG), On-device AI, Machine unlearning, Multimodal AI, Scalable oversight and Neuro-symbolic AI. I strongly recommend its reading.
The EDPS-DPO Network meetings are also an opportunity to take time to look at the concrete and practical application of data protection measures to day-to-day cases and problems EUIs may or have commonly encountered. This is done through the organisations of targeted workshops with the DPO Support Group, which is made up of volunteering DPOs who have hands-on experience. For this meeting, several workshops were organised, one on storage limitation, during which the EDPS reminded DPOs of the importance of limiting the amount of data kept and processed to what is strictly necessary. The other workshop was on the use of DPIAs, or data protection impact assessments, as an effective tool for accountability, following a survey completed by DPOs. The latter examined the reasons and circumstances in which a DPIA must be carried out, looking at the possible high-risk processing operations.
The following session of the meeting focused on artificial intelligence, in particular the application of the AI Act in synergy with Regulation (EU) 2018/1725. We took this window to detail the initiatives and plans we have started putting in place as the designated AI supervisor for the use, development and deployment of AI tools by EUIs. This includes our strategic plan based on governance, risks management and supervision. Part of our strategy involves the establishment of a network of AI correspondents, represented in each EUI. Composed of diverse people, not just legal experts or data protection experts, but also experts in human rights, ethics and intellectual property, AI correspondents would contribute to steering the development and use of AI in a human-centric way that benefits the EU and minimises risks, reflecting society’s diversity to limit biases. On this note, the EDPS encourages Data Protection Officers that are not the designated AI Correspondent to collaborate with the AI Correspondent in their organisation to ensure that AI tools embed privacy when used for the processing of personal data.
The last session of the EDPS - DPO network meeting was on data breaches. We reiterated EUIs’ obligation to report personal data breaches to the EDPS within 72 hours of becoming aware of the breach. We also reviewed the possible mechanisms that can be put in place to prevent and detect personal data breaches.
As the digital landscape continues to rapidly evolve, with its diverse twists and turns, the EDPS and DPOs’ collaboration remains a top priority so privacy and data protection stays at the centre and ahead of technology.