Newsletter (120)
Welcome to this edition of the EDPS Newsletter. What makes AI at the border a privacy flashpoint? Wha did our Annual Report 2025 reveal about the year’s supervisory work? And what does the Digital Omnibus promise for data protection?
This issue covers all that, plus Europe Day, global AI leadership, upcoming events and more. Read on!
In this issue
Trainees’ conference to examine data protection and AI in hiring practices
From Omnibus to Opportunity: EDPS joins high-level debate on the future of EU
The EDPS at CPDP 2026: Driving the global privacy debate
EDPS comments on MyHealth@EU to safeguard cross-border health data
A look back at this year’s EU Open Day
Global leadership for safe and trustworthy AI: new blog post
EDPS authorises new data transfer framework for medicine safety
AI at the border: EDPS weighs in on EU visa platform chatbot
Trainees’ conference to examine data protection and AI in hiring practices
The upcoming trainees’ conference on 9 July will examine HR practices in the age of AI, and the implications for data protection.
‘Hired by an Algorithm: Data protection and AI regulation in modern HR practices’ is the work of Blue Book trainees of the EDPS and the European Data Protection Board (EDPB). It will mainly focus on automated tools such as CV screening, video interview analysis and performance prediction systems, and discuss what kind of personal data is involved, how it is used, and whether people are properly informed and able to exercise their rights.
- When: Thursday, 9 July 2026, 14:00-17:00
- Where: European Parliament, Brussels
From Omnibus to Opportunity: EDPS joins high-level debate on the future of EU digital regulation
The European Commission's Digital Omnibus proposals dominated a high-level debate on Monday 8 June, as regulators, legislators and industry voices gathered to examine what is at stake for the GDPR, the AI Act and the broader EU digital rulebook.
The event was co-organised by the EDPS, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI), and the Bavarian Data Protection Commissioner (BayLfD), and hosted by the Representation of the Free State of Bavaria to the European Union. The expert panel addressed two central questions: whether the Omnibus proposals will genuinely simplify compliance without weakening fundamental rights protection, and what strategic priorities should guide the EU's digital legislative agenda in the years ahead.
Supervisor Wojciech Wiewiórowski participated as a panellist across both rounds of debate. On the first question – whether the proposals meet their stated objectives – the Supervisor set out the EDPS’s assessment of the Omnibus package from a data protection perspective, examining where simplification is genuinely achievable and where proposed changes risk undermining the coherence and protective force of the GDPR.
On the question of strategic priorities, he identified where further legislative action is needed to clarify the interplay between the GDPR and other elements of the EU digital acquis, including the AI Act and the EU Data Act.
The panel also heard from Marina Kaljurand and Michael McNamara, the European Parliament’s Rapporteurs on the Digital Omnibus for data protection and AI respectively, from Machi Tsokou of the Cypriot Presidency of the Council of the EU, Renate Nikolay of the European Commission’s DG CONNECT, Andreas Hartl of the BfDI, and Victoria de Posson of the European Tech Alliance.
See the event page (recordings from the event available soon)
The EDPS at CPDP 2026: Driving the global privacy debate
The annual Computers, Privacy and Data Protection (CPDP) conference in Brussels has wrapped up after another dynamic gathering of privacy experts, policymakers, and tech pioneers. As every year, the EDPS maintained a strong expert presence throughout the three-day conference.
Our subject matter specialists shaped discussions on some of the most pressing cutting-edge privacy issues currently facing the digital landscape. At this year’s event, the EDPS moderated three panels and provided regulatory and technical insight through nine speaking interventions on evolving data protection developments. Supervisor Wojciech Wiewiórowski delivered closing remarks, reflecting on the key takeaways from the conference.
Thank you to everyone who visited the EDPS booth in the main exhibition area to meet our team, share ideas and pick up our latest giveaways.
EDPS comments on MyHealth@EU to safeguard cross-border health data
MyHealth@EU is intended to become the central platform facilitating the exchange of electronic health data between EU Member States. The handling of sensitive health data demands strict accountability and clear governance structures.
As such, the EDPS issued formal comments on the draft Commission implementing regulation for MyHealth@EU reinforce the platform's data protection architecture:
- Define joint controller obligations: Clarify how National Contact Points for digital health will manage data protection principles and impact assessments.
- Tighten sub-processor oversight: Ensure joint controllers retain full visibility and veto power over any sub-processors engaged by the European Commission.
- Correct breach notification paths: Ensure the Commission, acting as data processor, directly notifies joint controllers – rather than the EDPS – of any detected personal data breaches.
- Support patient rights: Embed explicit procedures for how the Commission will assist joint controllers in handling data subject rights requests.
A look back at this year’s EU Open Day
On 9 May, the EDPS joined the European institutions in marking Europe Day by welcoming the public to our dedicated exhibition stands. This year, the European Parliament in Brussels welcomed over 13,000 visitors, and our team connected with hundreds of citizens throughout the day. A major highlight was the live demonstration of our face detection tool, which allowed citizens to interact directly with facial recognition technology and understand its privacy implications firsthand.
The celebrations extended to Strasbourg as well, where data protection enthusiasts put their knowledge to the test, with 150 participants joining our dedicated data protection quiz. Public outreach events like Europe Day remain vital to the EDPS mission to raise awareness about fundamental rights in the digital age.
Global leadership for safe and trustworthy AI: new blog post
To coincide with Europe Day, EDPS Secretary General Leonardo Cervera Navas published a new blog post focusing on European-led global efforts to develop safe, human-centric, and trustworthy Artificial Intelligence.
Reflecting on historical milestones like the Schuman Declaration, the piece draws a parallel between early European integration and today’s urgent need for shared rules in the digital age.
The EDPS is playing an active role in leading by example, both internally through initiatives like the AI Act Correspondents Network and a new regulatory sandbox pilot project, and externally through international cooperation with global networks such as UNESCO, the OECD, and the Council of Europe.
Annual Report 2025 is out!
The EDPS Annual Report 2025 landed on 7 May 2026, documenting a year defined by a record level of activity and the full operational launch of the EDPS’s expanded mandate under the EU’s updated Digital Rulebook.
Supervisor Wojciech Wiewiórowski presented the key findings directly to the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), before facing questions at a public press conference later that day. As he put it, “2025 was about moving forward, turning strategic into active governance, particularly in the realm of artificial intelligence.”
The EDPS responded to 145 legislative consultations in 2025 – the highest in a single year to date. It activated a dedicated AI Unit, launched a landmark AI regulatory sandbox pilot project, and conducted high-profile supervisory work including the landmark investigation into the European Commission's use of Microsoft 365 and audits of large-scale IT systems operated by Europol, Frontex and Eurojust. The EDPS also became a permanent member of the new Inter-Institutional Cybersecurity Board.
The full report, together with executive summaries in English, French and German, is available now on the EDPS website. Summaries in all other official EU languages will follow shortly.
Read the Annual Report 2025 and executive summaries
EDPS authorises new data transfer framework for medicine safety
The EDPS issued a decision authorising a new administrative arrangement for personal data transfers between the European Medicines Agency (EMA) and the Council of Europe’s European Directorate for the Quality of Medicines & HealthCare (CoE-EDQM).
The new framework enables the secure data flows necessary for the EMA and CoE to execute their joint cooperation agreement on the sampling and testing programme for medicines. This programme plays a critical role in verifying that medicinal products across Europe meet the proper specifications. Data exchange between the two organisations helps them coordinate these efforts and avoid duplicate testing.
The newly authorised framework establishes robust data protection standards utilising the EDPS Model Administrative Arrangement tailored for international organisations.
Key dimensions of the decision include:
- Essentially equivalent protection: The combined safeguards within the administrative arrangement and the CoE’s Data Protection Regulations provide a level of data privacy fundamentally equivalent to EU law.
- Enforceable rights and remedies: The arrangement offers viable routes for independent oversight and effective legal remedies for the professionals involved.
- Co-controllership governance: There is explicit allocation of data protection responsibilities between the EMA and CoE.
AI at the border: EDPS weighs in on EU visa platform chatbot
The EDPS has issued formal comments on a draft Commission implementing decision regarding the chatbot being introduced for the upcoming EU visa application platform (EU VAP).
As a system designed to communicate with users and generate text-based answers, the chatbot officially qualifies as a system under the AI Act. But because it will limit its responses to publicly available information and will not assist in examining applications or identifying individuals, it is not classified as a ‘high-risk’ AI system.
However, the EDPS emphasises that because the system will be used by public authorities and affects individuals potentially in a vulnerable position, it must maintain the highest standards of transparency, trustworthiness and accountability.
To ensure a privacy-compliant rollout, the EDPS recommends the following:
- Clarify roles: Explicitly define the data protection and AI Act roles for eu-LISA and all other actors involved in developing and deploying the chatbot.
- Strict knowledge boundaries: Implement technical safeguards to prevent the chatbot from pulling information outside its specified knowledge base or providing original interpretation of the information on which it is based.
- Pre-launch and ongoing testing: Mandate rigorous pre-launch testing to verify accuracy and security, followed by regular audits of automated responses.
- User-centric transparency: Clearly notify users they are interacting with an AI system, with prominent disclaimers and signposting to human-led alternatives.
EDPS issues opinion on EU budget tracking and privacy
The EDPS published an opinion on the European Commission’s proposal to establish a budget expenditure tracking and performance framework. While welcoming the goal to streamline and harmonise financial reporting on expenditure of EU funds across EU programmes, the tracking of public funds must be provided while ensuring robust data protection.
To protect privacy and provide legal certainty to beneficiaries of public funds when providing accountability for the use of such funds, the EDPS recommended several key adjustments:
- Clear legal criteria: these should govern public disclosure of beneficiaries’ personal data, differentiated by the nature, frequency and amount of aid received.
- Data minimisation: Explicitly clarify what personal data needs to be processed, and in what form, for each specific purpose.
- Sensitive data safeguards: Specify precisely which special categories of personal data under Article 9 GDPR would be processed.
- Clear controller roles: Explicitly map the data protection roles of the Commission and Member State authorities for the processing of personal data to ensure transparency and reporting on EU funds.