Newsletter (114)
In this issue, read about our trainees’ vision for Europe; our upcoming event on the future of data protection; current affairs on data protection law; our advice and tools for EU institutions, bodies, offices and agencies, and MORE!
Read on.
In this issue
Celebrating Europe Day: young voices speak for Europe!
High-Level Debate on Competition, Innovation and Data Protection
Annual Report 2024: acting for the future of data protection
Delete my data: the right to erasure of personal data
What if global rules for digital trade and e-commerce became a reality?
Behind the scenes of automated-decision making processes
Trading partners for the EU: next stop Singapore
Website Evidence Collector: Enhancing Transparency and Accountability
Privacy in practice: EDPS supervision of the Area of Freedom, Security and Justice
Celebrating Europe Day: young voices speak for Europe!
75 years ago, Robert Schuman laid the foundations of today’s European Union in his visionary appeal for a Europe bound by cooperation and solidarity. The Schuman Declaration was a transformative document that provides a blueprint for the EU’s long-standing commitment to peace, freedom and human rights, including the fundamental rights to privacy and data protection.
Every year at the EDPS, we celebrate Europe Day, the achievements and opportunities it made possible to Europeans. Honouring the legacy of those who advanced the European project is as important as looking ahead and listening to the generations that will shape its future.
To mark the occasion, EDPS trainees have written a blogpost sharing their personal experiences and views about what Europe, and the European Union, mean to them. These are young people who were either born in the EU or witnessed their country joining the EU. Have a read on what they have to say.
Read blogpost written by EDPS trainees; young voices who represent the future of the EU and what it has to offer.
High-Level Debate on Competition, Innovation and Data Protection
The EDPS is partnering with the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the Bavarian Data Protection Commissioner (BayLfD) for a high-level debate on recent developments relating to the EU’s digital rulebook at the Representation of the Free State of Bavaria to the European Union.
The event will bring together key stakeholders to reflect on recent developments relating to the EU Digital Rulebook, such as the Digital Services Act, the Digital Markets Act, the Data Act and the Artificial Intelligence Act.
The event will focus on the need for a consistent and coherent implementation of the GDPR and the EU's Digital Rulebook and cooperation between the different competent digital regulators to ensure the effective protection of citizens, foster innovation, and support the Union's competitiveness.
Annual Report 2024: acting for the future of data protection
On 23 April, the EDPS published its Annual Report 2024, a year marked by actions taken for the future of data protection, preparing for diverse possibilities and risks that the digital landscape presents.
As examples of the EDPS’ impact throughout the year, the following actions were taken, based on the EDPS Strategy pillars of Foresight, Action and Solidarity:
- creating an AI Unit, preparing and executing an AI strategy;
- monitoring and analysing AI-led technologies;
- providing tools to EU institutions, bodies, offices and agencies to comply with EU data protection law;
- advising the EU-co legislators on upcoming EU regulations directly impacting people’s privacy and data protection.
More of our actions of the year 2024 can be found in our EDPS Annual Report and its executive summary, soon to be available in all languages of the EU.
Delete my data: the right to erasure of personal data
The EDPS is participating in the European Data Protection Board’s fourth coordinated enforcement action, alongside the 31 data protection authorities of the EU/EEA. This time on the right to erasure.
The right to erasure - or right to be forgotten - is enshrined in Article 19 of Regulation (EU) 2018/1725 (EUDPR), the EU data protection law for EUIs, and in Article 17 of the General Data Protection Regulation (GDPR) for EU/EEA countries, that have similarities. This right allows individuals to maintain control over their personal data, by requesting its deletion from EUIs or EU/EEA public or private entities that are processing this personal data. It is the most frequent rights that individuals ascertain.
Importantly, the right to erasure (or right to be forgotten) is not an absolute right; exceptions exist under the EUDPR and GDPR, such as in the case of compliance with a legal action, for public interest. Therefore, each request to erasure from individuals needs to be analysed on a case-by-case basis by controllers who decide on the processing of individuals’ personal data based on a justified and legal reasoning. The right to erasure therefore challenges the delicate balance between the right to data protection and the collective memory of society.
To carry out this Coordinated Enforcement Action, the EDPS will conduct a fact-finding exercise, including a questionnaire to EUIs’ controllers, based on the analysis of complaints by individuals regarding the right to erasure, to check how they apply the legal obligations of this right.
Partaking in the Coordinated Enforcement Action is one of the ways the EDPS continuously advocates for a coherent application of EU data protection law, and consistent protection of individuals’ personal data, across the EU/EEA.
What if global rules for digital trade and e-commerce became a reality?
The World Trade Organisation is working towards an Agreement on Electronic Commerce covering a wide range of digital trade disciplines, such as data flows, privacy, cybersecurity, consumer protection, and more.
The European Union is now preparing its position in the World Trade Organisation for the EU to join a possible consensus at the General Council of the World Trade Organisation on the adoption of the envisaged Agreement.
Since the planned Agreement would have an impact on data protection in the EU, the EDPS provided an Opinion on this matter on the 4th April 2025. The Opinion welcomes that the Agreement includes provisions on data protection, and respects the legal frameworks for the protection of the personal data of users of electroni1c commerce of the World Trade Organisation’s members.
Behind the scenes of automated-decision making processes
On 27 February 2025, the European Court of Justice issued a judgment on CK v Dun & Bradstreet Austria (C-203/22), following a complainant’s request to sought detailed information about the logic behind an automated decision-making process concerning their personal data in the context of a mobile phone contract and a credit assessment.
In its judgment, the Court ruled that individuals should be able to request and have access to relevant information, in a concise, transparent, illegible and easily accessible form that would allow them to understand how their personal data is used for a specific decision.
Automated-decision making may involve algorithms and mathematical formulas. These, the court states, do not always need to be disclosed, but, organisations, nevertheless, should explain the impact and consequences of this processing, with concrete examples.
Trading partners for the EU: next stop Singapore
The EDPS issued recommendations on the EU-Singapore Digital Trade Agreement on 21 March 2025. This comes as the next step of a series of initiatives between the EU and Singapore, including their joint Free Trade Agreement and the EU-Singapore Partnership and Cooperation Agreement.
The Digital Trade Agreement concerns a wide range of matters, such as cross-border data flows with trust, data localisation requirements and personal data protection.
Trading with other countries, including countries outside the EU/EEA opens up various opportunities for the EU and its citizens. However, transfers of personal data from the EU to Singapore have to comply with the EU’s data protection rules.
The EDPS recommends that the EU and Singapore consider ways to complement the Digital Trade Agreement by increasing convergence between the EU and Singaporean data protection regimes, for example by intensifying cooperation and dialogue on existing transfer mechanisms. This may lead to further alignment of their respective tools for personal data transfers, while ensuring that the high standards of data protection in the EU remain unaffected.
Website Evidence Collector: Enhancing Transparency and Accountability
The EDPS’ Website Evidence Collector (WEC) version 3.3.0 is now available, featuring major upgrades, new capabilities and important under-the-hood improvements.
Initially launched in 2019, the WEC is an open-source tool designed to help website owners, designers and operators—as well as data protection authorities (DPAs)—automatically detect and record what happens in users’ browsers during a site visit. For example, the WEC can capture evidence of cookies, third-party requests and other processing operations carried out while a user interacts with a website.
Over the last few months, the following enhancements have been introduced in version 3.3.0:
- Graphical user interface (GUI): users can now configure, launch and review evidence collection sessions directly in their browser. The web-based GUI also supports server deployment, so organisations can host the WEC centrally and delegate capture tasks to team members without any programming knowledge.
- Codebase refactoring and bug fixes: the entire application has been rewritten in TypeScript, modularised into discrete components and hardened against a range of edge-case issues. These changes boost performance, reliability and ease of maintenance.
- Foundation for a cloud-hosted SaaS offering: under the hood, services have been containerised and decoupled to pave the way for a forthcoming cloud-based version of the WEC. Once live, users will be able to run evidence-capture sessions via a secure web portal—no local installation or upkeep required.
System administrators can install the WEC on Linux, macOS and Windows using either the official NPM package or the provided Docker container. The new GUI then enables non-technical users to manage evidence captures entirely through their browser.
Download the tool, inspect the source code and submit issues on the EU’s open-source repository
For additional information on the WEC
Privacy in practice: EDPS supervision of the Area of Freedom, Security and Justice
If you are an avid reader or follow data protection affairs and the work that the EDPS does to protect your digital future, you know that we supervise the way EU institutions, bodies, offices, agencies - or EUIs - process personal data or the measures that may impact your privacy. But, did you know that this includes also supervising the EU bodies, offices and agencies of the area of freedom, security and justice.
The area of freedom, security and justice - or AFSJ - regroups a wide range of policy areas, including the management of EU borders, asylum and migration, police cooperation and the fight against crime, and judicial cooperation in civil and criminal matters.
This involves the processing of personal data, sometimes large volumes of it, which may have considerable, and negative, impacts if this information is mishandled, such as damaging an individual’s life, if they are wrongly linked to a crime for example.
It is therefore important that the EDPS supervises the processing of this data done by:
- the European Union Agency for Law Enforcement Cooperation (Europol);
- the European Union Agency for Criminal Justice Cooperation (Eurojust);
- the European Public Prosecutors’ Office (EPPO);
- the European Border and Coast Guard Agency (Frontex);
- the European Union Agency for Asylum (EUAA);
- the European Union Agency for the Operational Management of Large Scale IT Systems in the Area of Freedom, Security and Justice (euLISA).
These EU bodies, offices and agencies have specific powers and mandates, therefore our supervision efforts, year upon year, is tailored to their specific challenges.
Amongst our actions, in 2024, here is an overview of what we focused on.
We continued preparing for the supervision of the interoperability framework that will allow the exchange of information between multiple databases of information on AFSJ- related topics, such as the VISA Information System, Schengen Information System and European Asylum Dactyloscopic Database for fingerprints. In this area, we focused focus on monitoring and providing guidance on the development of ETIAS: the European Travel Information and Authorisation System; and deepening cooperation with national Data Protection Authorities for the supervision of data flows through this new data ecosystem.
Other of our activities included providing advice on the processing of personal data with the help of of Artificial Intelligence tools by AFSJ agencies, bodies and offices, including on machine learning in police and criminal justice matters.
We also reinforced our cooperation with EU data protection authorities to coordinate the supervision of large-scale IT systems and AFSJ agencies, bodies and offices, such as Europol and Eurojust, when investigating complaints or auditing databases.
Scroll smart: make privacy part of your routine
Have you ever wondered if:
- a shoe size is personal data?
- if downloading an app on your phone is really free?
- cyber threats can be detected before they happen?
Elevate your morning, afternoon or bedtime scroll with a few seconds of data protection news and entertaining videos on Instagram @eu_edps to learn - without even knowing -about how data protection and the EDPS’ work seeps into your everyday life.