Newsletter (119)

In a recent blogpost, Supervisor Wojciech Wiewiórowski explains the value of prior consultation. This is the mechanism by which EU institutions, bodies, offices and agencies responsible for data processing consult the EDPS before proceeding with operations likely present a high risk to individuals’ rights and freedoms.

Prior consultations are particularly significant in the field of law enforcement and judicial cooperation in criminal matters, where data processing can have far-reaching consequences for individuals.

In the blogpost, the Supervisor explains what makes prior consultations meaningful instruments that help shape lawful and proportionate data processing in areas of significant public interest. You’ll also find links to 10 examples of prior consultations carried out by the EDPS in 2025 within the Area of Freedom, Security and Justice.

Read the blogpost

The European Data Protection Board (EDPB) and EDPS have adopted a joint opinion on the European Commission's cybersecurity package, which includes a revised Cybersecurity Act (CSA2) and targeted amendments to the Network and Information Security 2 (NIS2) Directive.

The package aims to further strengthen cybersecurity across Europe while easing compliance for organisations. The two bodies broadly welcome the proposal's objectives, including the strengthened role of the EU Agency for Cybersecurity (ENISA) in supporting digital resilience and facilitating uptake of cybersecurity certification.

At the same time, they recall that security controls should be implemented in a way that does not undermine individuals’ fundamental rights and freedoms. Against this background, they welcome the opportunities for synergies and cooperation with ENISA to create a robust ecosystem where security and privacy go hand in hand.

The EDPB and EDPS also offer specific recommendations in relation to cybersecurity, such as:

• greater clarity on the relationship between the European Cybersecurity Certification Framework and GDPR certification;
• take into account that certification schemes for products and services likely to be used in data processing may also help to demonstrate GDPR compliance;
• ENISA to consult the EDPB before adopting any certification scheme relating to the security of personal data processing.

Consistent with the earlier EDPB-EDPS position on the Digital Omnibus, the joint opinion also reiterates support for a single-entry point for notifying personal data breaches. This measure would reduce the administrative burden on organisations without weakening protection for individuals.

On the proposed NIS2 amendments, the two bodies welcome the designation of European Digital Identity Wallet and European Business Wallet providers as ‘essential entities’, bringing with it more rigorous risk management requirements and supervisory oversight.

Read the joint opinion here

Read the press release here

In a joint opinion, the EDPB and EDPS welcomed the European Commission’s proposal for a European Biotech Act, which aims to strengthen Europe’s biotechnology and biomanufacturing sectors by streamlining the regulatory framework and updating the rules for clinical trials.

The two bodies welcome the proposal’s steps towards reducing fragmentation in the application of the Clinical Trials Regulation (CTR) and establishing a single legal basis for the processing of personal data by sponsors and investigators.

At the same time, they underlined the sensitivity of health and genetic data. Processing such data in the context of clinical trials requires a high standard of protection.

Key recommendations include:

• clarifying the data protection roles of actors involved in funding and conducting trials;
• limiting data retention;
• clearly defining when further processing of trial data for scientific research is allowed;
• requiring pseudonymisation of data whenever directly identifiable personal data isn’t necessary.

The joint opinion also addresses coherence with the AI Act.

Read the joint opinion

Read the press release