
Newsletter (116)

26 Nov 2025

We are back and there is a lot to catch up on! Read on for events to register for; new EDPS publications and Opinions on AI and transatlantic data sharing; reflections on events on cross-border data protection, privacy tech and the AI Act; news on EDPS oversight of EU border systems; an update on a key court judgement; and more.

Cross-regulatory coordination: Save the date for our Digital Clearinghouse 2.0 event


You are invited to join the discussion on the future of cross-regulatory cooperation. At this event, you will have the chance to learn from existing cross-regulatory forums in different countries and identify the main challenges that make cooperation across regulatory silos difficult. With the digital regulatory landscape extending beyond data protection, consumer protection and competition law - and with technology and regulation developing rapidly - it is important to discuss effective cooperation and ensure consistent application of recent laws across regulatory regimes.

When: 27 January 2026

Where: European Commission, Charlemagne Building, Brussels

Regulators and other stakeholders will join the event to set out what they need for an EU-level forum like the Digital Clearinghouse 2.0 to work to its full potential.

Sound interesting? Register today!

EDPS publishes Guidance on Risk Management of AI Systems


The newly issued Guidance for Risk Management of Artificial Intelligence Systems (11 November 2025) is designed to support controllers in conducting data protection risk assessments when developing, procuring and deploying AI systems under Regulation (EU) 2018/1725 (EUDPR). The guide provides practical recommendations to help identify and mitigate common technical risks to personal data. While primarily intended for EU institutions (EUIs), this guidance is also relevant to private companies, industry stakeholders and public organisations seeking to comply with data protection rules.

Read the Guidance for Risk Management of AI systems

Ensuring access to judicial remedies relating to Europe’s border systems


The European Travel Information and Authorisation System (ETIAS) is set to launch in autumn 2026. This new EU border management system will pre-screen travellers from visa-exempt countries, assessing risks related to irregular immigration, security or health, using their personal details, including travel plans, family information and passport data.

The ETIAS Fundamental Rights Guidance Board (EFRGB), of which the EDPS is a member, was created to address concerns about privacy and fundamental rights, particularly around automated cross-checking against sensitive databases, algorithmic profiling, and the creation of watchlists. EDPS Wojciech Wiewiórowski has penned a blog post on how the EFRGB is helping to ensure individuals’ access to judicial remedies in this context.

Read the blog post

EDPS oversight: EU Entry-Exit System enters into force


The EU Entry/Exit System (EES) entered into operation on 12 October 2025. The EES is a large-scale, automated system developed to prevent irregular migration and enhance security in the Schengen area. Travellers from third countries, with or without a visa, are required to provide personal data from travel documents, dates of entry and exit, and biometric data. The Coordinated Supervision Committee, a group of national supervisory authorities and the EDPS, is tasked with oversight of personal data protection relating to the EES. The EDPS is also responsible for auditing actions and measures taken to maintain the EES security architecture, as well as the communication network that connects the Member States to the central system.

Read the press release

Read Opinion

Secure multi-party computation: EDPS hosts an event on a key emerging privacy technology


On 21 October, it was once again time for an Internet Privacy Engineering Network (IPEN) event. Organised by the EDPS and Goethe University Frankfurt, this edition was devoted to secure multi-party computation (SMPC). Experts from industry, academia and non-profit organisations came together to discuss the growing role of SMPC in solving some of the most pressing challenges in data privacy, digital sovereignty and cross-border data collaboration.

In today’s data-centric world, collaboration across varied stakeholders is essential, while privacy concerns remain critical. SMPC lets several parties jointly compute an agreed function over their private inputs and learn only the result, never each other’s underlying data. This makes it particularly valuable for secure data handling, especially in high-stakes areas like finance, healthcare, national security and AI development.
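As an added illustration (not code from the IPEN event, the EDPS or Goethe University), the following Python simulates the simplest SMPC building block, additive secret sharing over a prime field: each party splits its input into random shares, hands one share to every other party, and the parties publish only their partial sums. The total is recovered, but no party ever sees another party’s input. The field modulus, the three-party setting and the sample case counts are constructed for this example.

```python
"""Additive secret sharing: an n-party secure sum (constructed example)."""
import secrets

# Field modulus: a 61-bit Mersenne prime (an assumption for this illustration).
# Every private input, and the final total, must lie in [0, P); larger totals
# wrap around mod P, which is the main caveat when picking the field size.
P = (1 << 61) - 1


def share(value: int, n: int) -> list[int]:
    """Split `value` into n additive shares that sum to `value` mod P.

    The first n-1 shares are drawn uniformly at random from the field, so any
    n-1 of the shares are statistically independent of `value`; only the full
    set of n shares reconstructs it.
    """
    if n < 2:
        raise ValueError("need at least two parties")
    if not 0 <= value < P:
        raise ValueError("input outside the field [0, P)")
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def reconstruct(shares: list[int]) -> int:
    """Recombine additive shares into the shared value."""
    return sum(shares) % P


def secure_sum(inputs: list[int]) -> int:
    """Simulate n parties computing the sum of their private inputs.

    Round 1: party i shares its input and sends share j to party j.
    Round 2: party j adds the n shares it holds and publishes that partial sum.
    The published partials add up to the total, because summation commutes
    with sharing; each party saw only one uniformly random share of every
    other party's input, which reveals nothing about it.
    """
    n = len(inputs)
    # dealt[i][j] is the share of party i's input that party j receives.
    dealt = [share(x, n) for x in inputs]
    # Party j's view of the round-1 traffic is the column dealt[*][j].
    partials = [sum(dealt[i][j] for i in range(n)) % P for j in range(n)]
    return reconstruct(partials)


if __name__ == "__main__":
    # Constructed sample: three hospitals' monthly case counts, which none of
    # them is willing to disclose to the others.
    counts = [120, 45, 310]
    print("joint total:", secure_sum(counts))            # 475
    # Two of three shares of a single input tell the holder nothing:
    s = share(42, 3)
    print("from all shares:", reconstruct(s))            # 42
    print("from two shares:", reconstruct(s[:2]))        # a random field element
```

This is the honest-but-curious, all-parties-online setting; real deployments add authenticated channels, handle dropouts, and use threshold schemes (Shamir) or garbled circuits for computations beyond addition.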

If you missed this event, you can see the recording here

Read the blog post

EDPS unveils Guidance on Generative AI


The EDPS issued a set of guidelines relating to Artificial Intelligence for use by EU institutions, bodies, offices and agencies (EUIs). The revised and updated guidelines on the use of Generative AI (28 October) include practical advice for the responsible use of generative AI, featuring: a clearer definition of generative AI; a compliance checklist to ensure lawful data processing; guidance on roles and responsibilities, clarifying whether EUIs act as controllers, joint controllers, or processors; and detailed advice on lawful bases, purpose limitation and handling individuals’ rights in AI contexts.

Read the Generative AI Guidance blog post

Supporting AI compliance within the EUIs


On 7 October 2025, the second AI Act Correspondents Network meeting convened over a hundred representatives online and in Brussels at the European Parliament’s premises. The event underscored a unified approach among EU institutions (EUIs) to implement the AI Act, promoting responsible AI use while protecting fundamental rights.

We introduced the EDPS’s efforts, including the AI Unit’s preparation for enforcement powers by August 2026, focusing on safeguarding rights and enhancing efficiency within EUIs. Our guests, such as Professor Alessandro Mantelero, highlighted the importance of assessing AI’s societal impacts to prevent rights violations. Killian Gross from the European Commission shared updates on the AI Act’s practical implementation, emphasising guidelines for high-risk AI systems.

The meeting reinforced the network’s role as a collaborative space for sharing expertise, shaping a trustworthy, human-centric AI ecosystem across the EU.

Save the date: The third AI Act Correspondents Network meeting is scheduled for 10 February 2026!

Read the blog post

Human oversight in an age of automated decisions


Propelled by advances in AI, automation has expanded across many sectors and now includes systems that not only carry out tasks but also make decisions. From credit approvals to medical diagnoses, automated decision-making (ADM) systems are increasingly relied upon to make consequential decisions that affect people’s lives and rights. While these systems can improve efficiency and bring innovation, they also carry risks of bias, opacity and discrimination.

The EDPS has released a new TechDispatch building on the insights from the IPEN event in September 2024, which focused on the topic of human oversight of ADM. The report examines questions related to the complex dynamics between humans and automated systems, including:

  • Why does human supervision of ADM systems often fail?
  • Why shouldn’t you expect the ‘best of both worlds’ when humans and systems work together?
  • What conditions are necessary to have meaningful oversight?

If you’re curious, you can read or listen to the full discussion on this topic.

Listen to the new TechDispatch Talks Podcast episode 

Read it here

EDPS honoured at the GPA Awards


Time to celebrate! The EDPS has been awarded at the Global Privacy Assembly (GPA) Awards in the Accountability category for two strategic initiatives designed to enhance personal data breach management across EU institutions: the Data Breach Awareness Campaign and the PATRICIA Exercise (Personal dATa bReach awareness In Cybersecurity Incident hAndling)!

The Data Breach Awareness Campaign was structured to assess existing breach management practices, identify critical areas, evaluate process implementation, and provide tailored recommendations. 

In addition, together with the European Union Agency for Cybersecurity (ENISA), we jointly organised two table-top exercises in Brussels. The initiative was designed to raise awareness among staff from EU institutions (EUIs) on how to effectively manage personal data breaches.

This recognition by the GPA highlights the value of joint initiatives where supervisory authorities build capacity, foster collaboration, and promote continuous improvement in data protection.

Read more about the award

Sharing of personal data with the USA must be accompanied by comprehensive and effective safeguards


On 17 September 2025, the EDPS issued an Opinion on the negotiating mandate for a framework agreement between the European Union and the United States of America on the exchange of information for security screenings and identity verifications.

The proposed framework agreement would set an important precedent, as it would be the first agreement concluded by the EU to entail large-scale sharing of personal data, including biometric data (fingerprints), for the purpose of border and immigration control by a third country. Therefore, among other important recommendations, the EDPS recommends that the envisaged data sharing be defined as narrowly as possible in both its personal and its material scope.

Read the press release

Read Opinion

International cooperation to fight crime should respect EU fundamental rights guarantees


On 4 September 2025, the EDPS released an Opinion on two Proposals related to the United Nations Convention against Cybercrime. This Convention aims to establish universal standards to strengthen international cooperation in combating cybercrime and gathering electronic evidence for legal investigations. While global cooperation is vital, it should not compromise the data protection and privacy rights enshrined in EU law. EU Member States are urged to ensure compliance with the Law Enforcement Directive before any data transfer, maintaining consistency with international human rights obligations.

The EDPS recommended continuous evaluation of the Convention’s effects, involving data protection experts in its reviews, and firmly opposing any future proposals that conflict with EU laws or values. This proactive approach aims to safeguard fundamental rights while fostering effective international collaboration against cybercrime.

Read the press release

Read Opinion

Landmark CJEU judgment in EDPS v SRB case


On 4 September 2025, the Court of Justice of the European Union (CJEU) delivered a landmark judgment in the EDPS v Single Resolution Board (SRB) case, overturning a General Court decision and ruling in favour of the EDPS. The case originated from the SRB transferring pseudonymised comments from individuals to Deloitte without informing them. The CJEU’s ruling confirmed several key points:

  • Personal opinions are inherently related to individuals.
  • Pseudonymised data, when transferred, may not constitute personal data from the recipient’s perspective.
  • A controller’s obligation to inform data subjects applies at the moment the data is collected.

This judgment is a significant win for the EDPS, reaffirming our position on the right to information. Both the EDPS and the other DPAs in the EDPB are now assessing the possible consequences of the ruling for their supervisory and advisory work.

EDPS and UNESCO host workshop on cross-border data protection


Twenty years ago, the EDPS held its first International Organisations Workshop (IOW). Now, in 2025, the workshop remains as relevant as ever, with personal data flowing faster and farther across borders than ever before, whether handled by humanitarian organisations, global health agencies or digital platforms. 

During 25-26 September 2025, the workshop, co-organised by the EDPS and UNESCO, was attended by 180 representatives from 86 organisations. We explored urgent privacy challenges in today's geopolitical context, including AI’s impact. Discussions emphasised balancing efficiency with ethics, independence with interoperability, and security with rights. The workshop also offered critical reflection on best practices, gaps, and building trust with the public. In our interconnected world, protecting privacy is essential for legitimacy and trust in public institutions.

Read the blog post

Read more about the IOW

EDPS' Tips & Tricks: Not every treat is sweet!


Cybersecurity month has come to an end, but stay alert: cybercriminals might still try to trick you. Cybersecurity plays a crucial role in safeguarding personal data, especially as cyber threats continue to grow in scale and sophistication.

Under the EUDPR, all EU institutions, bodies and agencies have a duty to notify a personal data breach to the EDPS without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the rights and freedoms of the affected individuals. Since the beginning of this year, the EDPS has received 79 notifications of personal data breaches. While human error remains the leading cause of such incidents, external cyberattacks are now the second most common source of breaches.

We work closely with EU institutions (EUIs) through awareness-raising initiatives, training and practical exercises. Thanks to this close cooperation, EUIs continue to strengthen their resilience by:

  • Regularly reviewing and updating their personal data breach procedures and cybersecurity awareness plans
  • Providing targeted training to colleagues on how to prevent and respond to personal data breaches and cyberattacks
  • Enhancing cooperation between data protection teams, IT departments, incident response teams, and CERT-EU

What can you do to protect yourself as an individual?

Each of us has a role to play in keeping data secure. You can help by:

  • Using strong, unique passwords for each account (a password manager helps) and changing a password promptly if you suspect it has been exposed
  • Keeping your anti-malware tools and software up to date
  • Double-checking emails or messages that seem suspicious or ‘too good to be true’
  • Reporting potential security issues promptly and collaborating with your IT department, incident response team, and CERT-EU

Don’t get tricked: read our factsheet on how to tackle personal data breaches.

Read our infographics on phishing, ransomware and pretexting.

News from the investigation into EC’s use of Microsoft 365


Following enforcement proceedings by the EDPS, the European Commission has shown compliance with Regulation (EU) 2018/1725 concerning its use of Microsoft 365. This comes after the EDPS Decision of 8 March 2024, which identified several infringements and imposed corrective measures on the Commission.

After receiving a compliance report in December 2024, the EDPS engaged with the Commission for clarifications. On 11 July 2025, the EDPS concluded that the Commission had remedied the infringements through additional measures implemented alongside Microsoft. The EDPS therefore closed its enforcement proceedings against the Commission.

Through thorough investigation and collaboration, significant improvements in data protection compliance have been achieved in the Commission's use of Microsoft 365. Microsoft’s alignment with the Commission’s requirements represents a shared success.

Key improvements include:

  • Purpose limitation: The Commission specified the types of personal data processed and the purposes of that processing. The Commission also ensured Microsoft processes data only under the Commission's documented instructions and for specific purposes in the public interest.
  • Transfers to third countries: The Commission limited data transfers outside the EU/EEA to specific recipient countries listed in the amended contract (generally countries with adequacy decisions, and only exceptionally certain non-adequate countries).
  • Disclosures and notifications: Contractual provisions, in addition to other measures, ensure that data processed within the EU/EEA will only be disclosed in line with EU or Member State law. Data processed outside the EU/EEA will only be disclosed in line with third-country laws that offer equivalent protection for personal data.

The Commission’s improvements to its agreement with Microsoft are available to other EU institutions. The Supervisor urged them to adopt similar measures to ensure compliance with Regulation (EU) 2018/1725.

Read the press release

Read the EDPS' closure letter