Pasar al contenido principal



IPEN event on “Human oversight of automated decision-making”

3 días 2 horas ago
IPEN event on “Human oversight of automated decision-making” matthijs Thu, 06/13/2024 - 10:36 Tue, 09/03/2024 - 12:00

The EDPS and the University of Karlstad are hosting an Internet Privacy Engineering Network (IPEN) event on "Human supervision of automated decisions" on 3 September 2024.

Read more

When: 3 September 2024, 14:00-18:00 CEST

  • Physical Attendance: Eva Eriksson lecture hall, Universitetsgatan 2, 651 88 Karlstad, Sweden (registration required, link available soon)
  • Online Participation: Connection link will be provided before the event

Topic: Human oversight of automated decision-making


EU regulations such as the General Data Protection Regulation (GDPR) and the Artificial Intelligence Act (AIA) mandate human oversight in automated decision-making processes to ensure fairness and accountability.

  • GDPR Article 22: Grants individuals the right to avoid decisions based solely on automated processing that significantly affects them.
  • AIA Article 14(2): Requires human oversight of high-risk AI systems to protect health, safety, and fundamental rights.
  • AIA Recital 73: Stresses the importance of identifying appropriate human oversight measures before AI systems are marketed or put into service.

Additionally, the 2019 Ethics guidelines for trustworthy AI advocate for "Human agency and oversight" as one of the seven ethical principles to ensure AI is trustworthy and ethically sound.






1 Read more
European Data Protection Supervisor

New episode of the Newsletter Digest is out!

1 semana 1 día ago
New episode of the Newsletter Digest is out! miriam Fri, 06/07/2024 - 14:47 Sat, 06/08/2024 - 12:00

Let’s explore topics such as: AI in the EU institutions; upcoming European Data Protection Summit: Rethinking Data in a Democratic Society; EU-Canada agreement on transfers of Passenger Name Record and latest talks. 

1 Have a listen
European Data Protection Supervisor

The final 5 of the 20 initiatives to mark our Anniversary!

1 semana 6 días ago
The final 5 of the 20 initiatives to mark our Anniversary! matthijs Mon, 06/03/2024 - 10:27 Mon, 06/03/2024 - 12:00

1- First EDPS Orientations for EUIs using Generative AI  
2- The Essence of the Fundamental Rights to Privacy and to the Protection of Personal Data: a Concept Paper
3- Improving privacy of European Institutions’ Websites
4- Meet #teamEDPS
5- Calling All Talent: EDPS elevates to leading employer 

Discover our 20 Initiatives 

European Data Protection Supervisor

Newsletter #109 is out!

2 semanas 2 días ago
Newsletter #109 is out! miriam Fri, 05/31/2024 - 12:08 Sat, 06/01/2024 - 12:00

30 days of data protection at the EDPS: what’s happened in our privacy world in May? This month we’ve worked on our plan for AI in the EU institutions and continued to plan for our EDPS Summit: Rethinking data in a democratic society. Sign up to this event and read about our work in this newsletter.  

1 Read it now
European Data Protection Supervisor

5 more of the 20 initiatives to mark our Anniversary!

1 mes 1 semana ago
5 more of the 20 initiatives to mark our Anniversary! alfredo Tue, 05/07/2024 - 10:20 Mon, 05/06/2024 - 12:00

1- Data Protection exPLAINed
2- The EDPS before the CJEU
3- Towards a Digital ClearingHouse 2.0
4- Launching a Data Protection Officer Certification Course for EUIs
5- Use of AI in the field of Criminal Justice and Law Enforcement

Discover our 20 Initiatives 

European Data Protection Supervisor

Newsletter #108

1 mes 2 semanas ago
Newsletter #108 julia Tue, 04/30/2024 - 15:16 Tue, 04/30/2024 - 12:00

In this issue: find out how to sign up to our EDPS Summit: Rethinking Data in a Democractic Society; watch our 20 talks video or podcast series with influential people discussing how privacy is shaping their respective fields of expertise; what does applying data minimisation mean in practice, and more.

European Data Protection Supervisor

Register now for the European Data Protection Summit

2 meses 1 semana ago
Register now for the European Data Protection Summit alfredo Mon, 04/08/2024 - 10:56 Mon, 04/08/2024 - 12:00

Registration is open for our European Data Protection Summit: “Rethinking Data in a Democratic Society”, taking place on 20 June 2024 in Brussels and online.


European Data Protection Supervisor

20 Talks - Towela Nyirenda Jere: Head of Infrastructure, Digitalisation and Energy Division at the African Union Development Agency

2 meses 3 semanas ago
20 Talks - Towela Nyirenda Jere: Head of Infrastructure, Digitalisation and Energy Division at the African Union Development Agency matthijs Fri, 03/22/2024 - 15:44 Tue, 04/02/2024 - 12:00

Our guest is Towela Nyirenda Jere, Head of Infrastructure, Digitalisation and Energy Division at the African Union Development Agency.

Watch the interview

Listen to this episode

European Data Protection Supervisor

20 Talks - Daniel J. Solove: Professor at the George Washington University Law School

3 meses ago
20 Talks - Daniel J. Solove: Professor at the George Washington University Law School matthijs Thu, 03/14/2024 - 16:11 Fri, 03/15/2024 - 12:00

In this Talk, our guest is Daniel J. Solove, Professor of Intellectual Property and Technology Law, George Washington University Law School and President & CEO of TeachPrivacy. 

Listen to this episode 

1 Watch the interview
European Data Protection Supervisor
46 minutos ago
Suscribirse a Fuente de noticias EDPS



Facial recognition at airports: individuals should have maximum control over biometric data

3 semanas 1 día ago

Brussels, 24 May - During its latest plenary, the EDPB adopted an Opinion on the use of facial recognition technologies by airport operators and airline companies to streamline the passenger flow at airports*. This Article 64(2) Opinion, following a request from the French Data Protection Authority, addresses a matter of general application and produces effects in more than one Member State.

EDPB Chair Anu Talus said: “More and more airport operators and airline companies around the world are piloting facial recognition systems allowing passengers to go more easily through the various checkpoints. It is important to be aware that biometric data are particularly sensitive and that their processing can create significant risks for individuals. Facial recognition technology can lead to false negatives, bias and discrimination. Misuse of biometric data can also have grave consequences, such as identity fraud or impersonation. Therefore, we urge airline companies and airport operators to opt for less intrusive ways to streamline passenger flows, when possible. In the view of the EDPB, individuals should have maximum control over their own biometric data.”

The Opinion analyses the compatibility of the processing with the storage limitation principle (Article 5(1)(e) GDPR), the integrity and confidentiality principle (Article 5(1)((f)) GDPR, data protection by design and default (Article 25 GDPR) and security of processing (Article 32 GPDR). Compliance with other GDPR provisions including regarding the lawfulness of the processing are not in scope of this Opinion.**

There is no uniform legal requirement in the EU for airport operators and airline companies to verify that the name on the passenger’s boarding pass matches the name on their identity document, and this may be subject to national laws. Therefore, where no verification of the passengers’ identity with an official identity document is required, no such verification with the use of biometrics should be performed, as this would result in an excessive processing of data.
In its Opinion, the EDPB considered the compliance of processing of passengers’ biometric data with four different types of storage solutions, ranging from ones that store the biometric data only in the hands of the individual to those which rely on centralised a storage architecture with different modalities. In all cases, only the biometric data of passengers who actively enrol and consent to participate should be processed.

The EDPB found that the only storage solutions which could be compatible with the integrity and confidentiality principle, data protection by design and default and security of processing, are the solutions whereby the biometric data is stored in the hands of the individual or in a central database but with the encryption key solely in their hands. These storage solutions, if implemented with a list of recommended minimum safeguards, are the only modalities which adequately counterbalance the intrusiveness of the processing by offering individuals the greatest control.

The EDPB found that the solutions based on the storage in a centralised database either within the airport or in the cloud, without the encryption keys in the hands of the individual, cannot be compatible with the requirements of data protection by design and default and, if the controller limits themselves to the measures described in the scenarios analysed, would not comply with the requirements of security of processing.

Regarding the principle of storage limitation, controllers need to ensure they have a sufficient justification for the envisaged retention period and limit it to what is necessary for the proposed purpose.

Next, a report was adopted by the DPAs on the work of the ChatGPT taskforce. This taskforce was created by the EDPB to promote cooperation between DPAs investigating the chatbot developed by OpenAI.

The report provides preliminary views on certain aspects discussed between DPAs and does not prejudge the analysis that will be made by each DPA in their respective, ongoing investigation***.

It analyses several aspects concerning common interpretation of the applicable GDPR provisions relevant for the various ongoing investigations, such as:

  • lawfulness of collecting training data (“web scraping”), as well as processing of data for input, output and training of ChatGPT.
  • fairness: ensuring compliance with the GDPR is a responsibility of OpenAI and not of the data subjects, even when individuals input personal data.
  • transparency and  data accuracy: the controller should provide proper information on the probabilistic nature of ChatGPT’s output and refer explicitly to  the fact that the generated text may be biased or made up.
  • The report points out that it is imperative that data subjects can exercise their rights effectively.

Taskforce members also developed a common questionnaire as a possible basis for their exchanges with Open AI, which is published as an annex to the report.

Furthermore, the EDPB decided to develop guidelines on Generative AI, focusing as a first step on data scraping in the context of AI training.

Finally, the EDPB adopted a statement on the Commission's "Financial data access and payments package" (which includes the proposals for the Regulation on the framework for Financial Data Access (FIDA), on the Payments Service Regulation (PSR) and on the Payment Services Directive 3 (PSD3)).
The EDPB takes note of the European Parliament’s reports on the FIDA and PSR proposals, but considers that, with regard to the prevention and detection of fraudulent transactions, additional data protection safeguards should be included in the transaction monitoring mechanism of the PSR Proposal. It is important to ensure that the level of interference with the fundamental right to the protection of personal data of persons concerned is necessary and proportionate to the objective of preventing payment fraud.


EDPB launches French and German versions of its Data Protection Guide for small business

4 semanas 1 día ago

The EDPB Data Protection Guide for small business is now available in French and German

The Guide provides practical information to SMEs about GDPR compliance and benefits in an accessible and easily understandable language.

The development of tools providing practical, easily understandable and accessible data protection guidance is key to reaching a non-expert audience and a strategic objective for the EDPB.

The EDPB Data Protection Guide for small business covers various aspects of the GDPR, from data protection basics, to data subject rights and measures to secure personal data. It contains videos, infographics, interactive flowcharts, and other practical materials to help SMEs on their way to become GDPR compliant

In the near future, the Guide will become available in 15 more European languages.


Europe Day 2024

1 mes 2 semanas ago

Europe Day commemorates the signing of the Schuman Declaration, to celebrate peace and solidarity in Europe. Every year, the EDPB takes part in Europe Day, with an interactive stand manned by volunteers from the EDPB Secretariat and national DPAs, to raise awareness of data protection and to provide information about the EDPB’s activities

This year, the EU institutions open their doors to the public in Brussels, Luxembourg and Strasbourg on Saturday 4 May. In Brussels, Europe Day will take place at the European Commission’s headquarters - the Berlaymont building - from 10:00 to 18:00.

EDPB and EDPS will welcome you in the village “Our strong digital Europe”, showcasing a variety of fun activities to help you learn more about privacy and data protection.

Further information about Europe Day 2024


EDPB Annual Report 2023: Safeguarding individuals’ digital rights

1 mes 3 semanas ago

The EDPB has launched its 2023 Annual Report. The report provides an overview of the work carried out by the EDPB in the previous year and reflects on important milestones, such as the election of Anu Talus as EDPB Chair; the adoption of two binding decisions and one urgent binding decision providing important common interpretations of data protection law and key legal principles that will shape the digital landscape; and the launch of the EDPB’s first outreach project for a general audience: the EDPB Data Protection Guide for small business. In addition, it includes examples of enforcement by data protection authorities (DPAs) at national level. 

EDPB Chair, Anu Talus said: “Looking back at the work carried out in the last year, I am proud to present this annual report. 2023 was another transformative year at the EDPB, full of notable achievements. We have built an impressive compendium of guidelines, created new cooperation methods for the DPAs, and adopted significant binding decisions which will help shape digital services. We also worked hard to raise awareness of the GDPR at the European and international level, so that individuals know their rights and exercise them, and that companies, even small ones, can understand how to comply with their legal duties.”


EDPB sets out priorities for 2024-2027 and clarifies implementation DPF redress mechanisms

1 mes 3 semanas ago

Brussels, 18 April - During its latest plenary, the EDPB adopted its strategy for 2024-2027. The strategy sets out the EDPB’s priorities, grouped around four pillars, as well as key actions per pillar to help achieve these objectives. These four pillars are:

  • Pillar 1 – Enhancing harmonisation and promoting compliance  
  • Pillar 2 – Reinforcing a common enforcement culture and effective cooperation      
  • Pillar 3 – Safeguarding data protection in the developing digital and cross-regulatory landscape      
  • Pillar 4 – Contributing to the global dialogue on data protection

EDPB Chair Anu Talus said: “The new strategy takes the existing vision in a new direction in order to respond to the data protection needs of today, and the ever evolving digital landscape. The strategy is the result of a collaborative effort, involving all EU data protection authorities (DPAs) and sets out common priorities for the years to come. ”

In the next four years, the EDPB will continue to promote compliance with data protection law by developing clear, concise and practical guidance on important topics, and by developing materials for a wider audience. In addition, enforcement cooperation will remain an important priority for the EDPB. The Board will continue building on the vision set out in its so-called Vienna Statement, and further develop EDPB initiatives in this area, such as the coordinated enforcement actions.

A new aspect of the strategy is the focus on the interplay with the new regulatory digital framework. New digital laws, such as the DMA or the DSA, have an impact on data protection and privacy. The EDPB will work to enhance cooperation with other regulatory authorities, with a view to embedding the right to data protection in the overall regulatory architecture. Furthermore, the EDPB will continue to pay special attention to challenges raised by new technologies, such as AI.

The strategy will be complemented by two work programmes, which will contain details about its implementation.

In addition, regarding the EU-US Data Privacy Framework (DPF), the EDPB adopted Rules of Procedure, a public information note and template complaint forms to facilitate the implementation of the redress mechanisms under the DPF.

The EDPB documents relate to two DPF redress mechanisms created to handle complaints by EU individuals. The redress mechanisms deal only with complaints concerning their respective competence - national security or commercial purposes - and only for data transmitted after 10 July 2023.


EDPB: ‘Consent or Pay’ models should offer real choice

1 mes 4 semanas ago

Brussels, 17 April - During its latest plenary, the EDPB adopted an Opinion following an Art. 64(2) GDPR request by the Dutch, Norwegian & Hamburg Data Protection Authorities (DPA). The Opinion addresses the validity of consent to process personal data for the purposes of behavioural advertising in the context of ‘consent or pay’ models deployed by large online platforms

EDPB Chair Anu Talus said: “Online platforms should give users a real choice when employing ‘consent or pay’ models. The models we have today usually require individuals to either give away all their data or to pay. As a result most users consent to the processing in order to use a service, and they do not understand the full implications of their choices.”

As regards ‘consent or pay’ models implemented by large online platforms, the EDPB considers that, in most cases, it will not be possible for them to comply with the requirements for valid consent, if they confront users only with a choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee.

The EDPB considers that offering only a paid alternative to services which involve the processing of personal data for behavioural advertising purposes should not be the default way forward for controllers. When developing alternatives, large online platforms should consider providing individuals with an ‘equivalent alternative’ that does not entail the payment of a fee. If controllers do opt to charge a fee for access to the ‘equivalent alternative’, they should give significant consideration to offering an additional alternative. This free alternative should be without behavioural advertising, e.g. with a form of advertising involving the processing of less or no personal data. This is a particularly important factor in the assessment of valid consent under the GDPR.

The EDPB stresses that obtaining consent does not absolve the controller from adhering to all the principles outlined in Art. 5 GDPR, such as purpose limitation, data minimisation and fairness. In addition, large online platforms should also consider compliance with the principles of necessity and proportionality, and they are responsible for demonstrating that their processing is generally in line with the GDPR. 

As regards the need for consent to be free, the following criteria should be taken into account: conditionality, detriment, imbalance of power and granularity. For instance, the EDPB points out that any fee charged cannot make individuals feel compelled to consent. Controllers should assess, on a case-by-case basis, both whether a fee is appropriate at all and what amount is appropriate in the given circumstances. Large online platforms should also consider whether the decision not to consent may lead the individual to suffer negative consequences, such as exclusion from a prominent service, lack of access to professional networks, or risk of losing content or connections.  The EDPB notes that negative consequences are likely to occur when large online platforms use a ‘consent or pay’ model to obtain consent for the processing.

Controllers also need to evaluate, on a case-by-case basis, whether there is an imbalance of power between the individual and the controller. The factors to be assessed include the position of the large online platforms in the market, the extent to which the individual relies on the service and the main audience of the service. 

Furthermore, the EDPB provides elements to assess the criteria of informed, specific and unambiguous consent that large online platforms should take into account when implementing ‘consent or pay’ models.

EDPB Chair, Anu Talus added: “Controllers should take care at all times to avoid transforming the fundamental right to data protection into a feature that individuals have to pay to enjoy. Individuals should be made fully aware of the value and the consequences of their choices.” 

In addition to this Art. 64(2) Opinion, the EDPB will also develop guidelines on ‘consent or pay’ models with a broader scope and will engage with stakeholders on these upcoming guidelines.


CSC elects 2nd Deputy Coordinator

2 meses ago

The Coordinated Supervision Committee (CSC) has elected Matej Sironic from the Slovenian Data Protection Authority (DPA) as its Deputy Coordinator for a term of two years. Sironic will be the second Deputy Coordinator, and will work along with Sebastian Hümmeler from the Federal German DPA. A second Deputy was elected in order to keep up with the CSC’s expanding mandate. Together with CSC Coordinator, Clara Guerra, they will lead the work of the Committee.

The CSC ensures the coordinated supervision of the large EU Information Systems and of EU bodies, offices and agencies in accordance with Article 62 of Regulation 2018/1725 or with the EU legal act establishing the large scale IT system or EU body, office or agency. It was created within the framework of the European Data Protection Board (EDPB) and brings together the EU data protection authorities (DPAs) and the European Data Protection Supervisor (EDPS), as well as the data protection authorities of the Non-EU Schengen Member States, when foreseen under EU law.

The CSC currently covers the Internal Market Information system (IMI), Eurojust, the European Public Prosecutor’s Office (EPPO), Europol and the Schengen Information System (SIS). Gradually, the Committee will also cover other IT systems, bodies, offices and agencies in the fields of Border, Asylum and Migration (EES, Eurodac, ETIAS, VIS, and their interoperability), Police and Justice Cooperation (ECRIS-TCN) and the next generation Prüm. You can find more information on the Committee here 

During its March meeting, the CSC also adopted recommendations for IMI actors on their data protection transparency obligations towards individuals. The recommendations aim to assist the IMI competent authorities in Member States, as data controllers, to better comply with their legal obligations. The recommendations will be disseminated to the national IMI coordinators by the relevant national DPAs. 


CEF 2024: Launch of coordinated enforcement on the right of access

3 meses 2 semanas ago

Brussels, 28 February - The European Data Protection Board has kicked off its Coordinated Enforcement Framework (CEF) action for 2024. Throughout the year, 31 Data Protection Authorities (DPAs), including 7 German State-level DPAs, across the EEA will take part in this initiative on the implementation of the right of access.

During its October 2023 plenary, the EDPB selected the right of access for its third coordinated enforcement action, as it is at the heart of data protection and one of the most frequently exercised data protection rights, and one which DPAs receive many complaints about. In particular, it enables individuals to check whether their personal data is processed in a compliant manner by organisations. In addition, it often enables the exercise of the other data protection rights, such as the right to rectification and erasure.

In 2023, the EDPB adopted Guidelines on data subject rights - Right of access to help organisations respond to data access requests from individuals in line with the requirements set out in the GDPR. To gauge how organisations are complying with the right of access in practice, participating DPAs will implement the CEF in a number of ways:

  • organisations will be sent questionnaires to aid fact-finding exercises or to identify if a formal investigation is warranted;
  • commencement of a formal investigation; and/or
  • follow-up of ongoing formal investigations.

The results of the joint initiative will be analysed in a coordinated manner and the DPAs will decide on possible further supervision and enforcement actions. In addition, all results will be aggregated, generating deeper insight into the topic and allowing targeted follow-up at EU level. The EDPB will publish a report on the outcome of this analysis once the actions are concluded.

This series of actions is the third initiative under the Coordinated Enforcement Framework (CEF), which aims to streamline enforcement and cooperation among DPAs.

Previous coordinated actions looked into the use of cloud services by the public sector, in 2022, and the designation and position of Data Protection Officers, in 2023.


For further information:



January plenary - adopted documents

3 meses 2 semanas ago
46 minutos ago
Suscribirse a Fuente de noticias EDPB