EDPS and DPOs meet in Brussels to tackle data protection priorities
The 58th meeting of the EDPS-DPO network took place on 18 June 2026 in Brussels. Hosted by the Executive Agencies of the European Commission (many thanks for that!), the meeting brought together Data Protection Officers (DPOs) from across the EU institutions, bodies, offices and agencies (EUIs) at a time of significant regulatory and technological change. I believe that this gave us a great opportunity to reflect together on current priorities, share experience and strengthen cooperation across the network.
I would like to share with you the main take-aways so you can also take the pulse of current discussions on data protection inside the EU institutions.
Opening remarks: DPO independence, AI and the year ahead
In his opening remarks, Wojciech Wiewiórowski, European Data Protection Supervisor, stressed that DPO independence must be protected in practice, pointing to recent action taken by the EDPS and to new guidance and procedures designed to safeguard the role. He also looked back at key developments in 2025, including the closure of the investigation into the European Commission’s use of Microsoft 365, the rise in complaints and the growing impact of AI-generated submissions.
Looking ahead to ongoing legislative developments, he welcomed simplification where it genuinely reduces burdens, while warning against reforms that could weaken fundamental rights. Throughout, he underlined the central role of DPOs in ensuring that data protection is built into decisions from the outset and reaffirmed the EDPS’s commitment to supporting the network through guidance, dialogue and the defence of its independence.
Supervision and Enforcement: follow-up tracker and key developments
Thomas Zerdick, Head of the Supervision and Enforcement (S&E) Unit, introduced the follow-up tracker, a new feature aimed at strengthening continuity and ensuring that important issues raised at the previous EDPS-DPOs meeting remain on the agenda over time. On this occasion, the tracker focused on the EDPS Supervisory Guidance on the role of DPOs in EUIs and the EDPS Decision on prior consent to DPO dismissal.
Building on that first item, Zerdick then presented other key developments from the S&E Unit, giving participants a broader overview of recent work across the unit. The update covered complaint-handling and compliance issues affecting several EUIs, as well as progress on practical tools and guidance, including on international transfers (notably the adoption of a Model Administrative Arrangement for transfers from EUIs to public authorities in third countries) and data protection impact assessments (DPIAs).
Zerdick also reported on developments in the Area of Freedom, Security and Justice, including audits, opinions and preparations linked to upcoming systems.
Technology and Privacy: AI governance, automated systems and cybersecurity
Luis Velasco, Head of the Technology and Privacy (T&P) Unit, then outlined two initiatives intended to help EUIs meet compliance requirements for automated systems and AI. Firstly, he announced that an updated version of the Guidance for Risk Management of Artificial Intelligence Systems would be published this summer.
Secondly, he referred to the recent publication of a practical checklist on human intervention, designed to help organisations put in place effective safeguards for automated systems.
Finally, he warned of the growing threat of cyberattacks targeting EUIs and the serious risks these incidents posed to individuals’ personal data. He stressed the importance of prevention as well as swift action in the event of a personal data breach. In particular, he emphasised the need to inform affected individuals without undue delay where a breach was likely to present a high risk, rather than allowing lengthy assessments to render the communication ineffective. Several DPOs took the floor to explain the numerous challenges that growing cybersecurity attacks and data breaches represent for EU institutions and DPOs.
Workshop: developing a common DPIA template
The first practical session of the day, led by the S&E unit, focused on the development of a common DPIA template under the EU Data Protection Regulation (EUDPR), based on an adaptation of the template recently published by the European Data Protection Board.
Using a case study to test the draft EUDPR template in practice, participants worked in smaller groups on questions linked to necessity, proportionality and risk assessment. The aim was to have a first exchange and identify possible improvements to the tool. The format was particularly well received, with participants clearly appreciating the opportunity to exchange views in more detail before sharing the main outcomes of their discussions in plenary.
Afternoon sessions: data breaches, case law and website compliance
The afternoon part of the meeting opened with a session on the 2024 European Agency for Law Enforcement Training (CEPOL) data breach, during which the DPO of CEPOL and the EDPS Data Breach Notification Team shared their experiences with the DPO community. The discussion showed that a major data breach was not only a compliance issue, but also a human and organisational challenge affecting staff at every level. At the same time, it offered valuable lessons and highlighted areas for improvement.
The session on privacy and data protection in the courts offered more than a summary of recent judgments. Presented by Thomas Zerdick, it focused on the EDPS’s reading of the case law and, in particular, on what the rulings meant in practice for supervisory work and for controllers. By looking not only at what had changed, but also at what had not, the session aimed at providing DPOs with clear and operational takeaways that they could use in their own institutions.
The meeting also included an update on the EDPS Website Compliance Awareness Campaign (WCAC). Following the pilot phase carried out in 2024-2025, staff from the T&P Unit presented preliminary findings from the first wave of the campaign’s second phase, which involved automated scans of public-facing EUI websites. They also introduced new dashboards to help EUIs manage the increased volume of data and make better use of the results.
Concluding remarks
The Brussels meeting showed me once again the value of bringing the DPO community together in a dynamic network around concrete challenges and shared priorities. At a time when both the technological and regulatory environments are evolving quickly, practical and face-to-face exchanges of this kind remain essential to supporting compliance and strengthening data protection across the EU administration.