The European Data Protection Board (“EDPB”) recently published its Annual Report for 2025 (the “Report”). The Report includes an overview of the EDPB’s activities throughout 2025, as well as its objectives for the year to come. As usual, the Report reveals some interesting trends and statistics, and highlights key enforcement activities taken by Data Protection Authorities (“DPAs”) across the EU last year.
In this article, we consider some of the key highlights of the Report.
Data protection trends in 2025 and beyond
Evolving digital landscape
The Report highlights how the data protection landscape has changed significantly over the past year, with the rapid expansion of the EU’s digital regulatory framework and technological developments, particularly in artificial intelligence (“AI”), adding an additional layer of complexity to the data protection ecosystem.
In this regard, the EDPB acknowledges its responsibility to clarify the interplay between data protection rules and other digital laws, and to ensure legal certainty and consistency. This highlights the importance for companies to consider their data protection compliance obligations in the context of the broader EU regulatory landscape.
As the regulatory landscape has grown more complex, there has been a corresponding demand for the EU legislature to simplify regulation, in order to allow for greater innovation and economic growth.
EDPB simplification efforts – Helsinki Statement
With these simplification demands in mind, the EDPB adopted the “Helsinki Statement” in July 2025. The Helsinki Statement outlines new initiatives to make GDPR compliance easier, strengthen consistency, enhance dialogue and improve transparency with stakeholders, and boost cross-regulatory cooperation. The EDPB has committed to provide clearer, more practical and accessible guidance, and update its working methods accordingly. New tools will include harmonised templates, practical resources, such as checklists and FAQs, and a common data breach notification template.
In addition, the EDPB has improved stakeholder consultation processes by organising stakeholder events such as a December 2025 event on anonymisation and pseudonymisation, and by systematically publishing reports on stakeholder input. Separately, the EDPB has also been working on interplay guidelines to help businesses understand their obligations under the GDPR and other digital legislation and how the rules fit together (further discussed below).
EU simplification efforts – EU Digital Omnibus Proposal
In parallel with the EDPB’s efforts to simplify and support GDPR compliance, the European Commission published the draft Digital Omnibus Regulations in November 2025, with the aim of simplifying the EU’s digital laws (previously discussed here). The Report highlights how the Digital Omnibus Regulations have launched an important debate on how to best foster innovation through trimming unnecessary regulatory requirements. The EDPB and the EDPS, in a joint opinion, have highlighted their general support for these proposals, whilst also raising concerns regarding certain aspects of the proposals (previously discussed here and here).
Protecting children online
The Report notes that there has been increasing public awareness and debate around the need to protect children online. As digital services and AI-driven systems become omnipresent, ensuring that children’s rights and well-being are appropriately safeguarded has become a priority worldwide. In 2025, Australia became the first country in the world to introduce a ban on social media access for users under 16 years of age (previously discussed here). The EU legislature has not yet confirmed any similar legally enforceable measures at an EU level. Rather, the Report notes that the current aim is to “protect children effectively while avoiding generalised identification or surveillance”.
EDPB guidelines and recommendations
Last year, the EDPB adopted a number of new guidelines, including on the following areas:
- Pseudonymisation of Personal Data (Guidelines 01/2025) – These guidelines explain the definition and role of pseudonymisation, as a safeguard that may be appropriate to meet data protection obligations.
- Processing Personal Data through Blockchain Technologies (Guidelines 02/2025) – As the use of blockchain technologies is expanding, these guidelines are addressed to organisations who plan to make use of blockchain technologies. They outline the key elements to consider to ensure compliance with several provisions of the GDPR.
- Interplay between the EU Digital Services Act (“DSA”) and the GDPR (Guidelines 03/2025) – These guidelines are the first adopted by the EDPB addressing the interaction between the GDPR and the EU’s digital legislation. They aim to ensure a consistent and coherent interpretation and application of the DSA and the GDPR where DSA obligations involve the processing of personal data by online intermediary service providers, including online platforms and search engines.
- Interplay between the EU Digital Markets Act (“DMA”) and the GDPR (Joint Guidelines by the EU Commission & EDPB) – These are the first guidelines jointly prepared by the EDPB and the Commission and are intended to facilitate a coherent and consistent application of the DMA and the GDPR. The guidelines aim to increase legal certainty for gatekeepers, business users, beneficiaries and individuals, while simplifying compliance with EU digital and data protection rules.
- Data transfers to third country authorities under Article 48 GDPR (Guidelines 02/2024) – The EDPB also adopted the final version of these guidelines following a public consultation, which clarify how organisations can lawfully respond to requests for a transfer of personal data from third country authorities (ie authorities from non-EU countries). The guidelines highlight that judgments or decisions from third country authorities cannot automatically be recognised or enforced in the EU. As a general rule, an international agreement may provide for both a legal basis and a ground for transfer. In exceptional circumstances, other legal bases or other grounds for transfer could be considered on a case-by-case basis.
The EDPB also published two sets of recommendations last year, including on:
- Recommendations on the 2027 WADA World Anti-Doping Code (01/2025), and
- Recommendations on the legal basis for requiring the creation of user accounts on e-commerce websites (02/2025).
In addition, the EDPB issued a range of consistency opinions in 2025. The Report notes that consistency opinions are a driving force of the EDPB’s mission to ensure the uniform interpretation and application of the GDPR across the EU. Established under Article 64 GDPR, these opinions provide authoritative, non-binding recommendations that align DPAs’ decisions with a common EU framework.
Once issued, these opinions serve as guiding documents, enabling DPAs to finalise their decisions while ensuring alignment with the GDPR standards. In 2025, the EDPB adopted 29 opinions under Article 64(1) GDPR, reflecting its continued commitment to promoting harmonisation.
What’s coming down the track in 2026?
Interplay between EU Artificial Intelligence (“AI”) Act and the GDPR
The EDPB has confirmed that new joint guidelines with the EU Commission (including the newly established AI Office) on the interplay between the AI Act and the GDPR will be published in 2026. AI appears to be a major focus of the EDPB. In 2025, the mandate of the EDPB’s ChatGPT taskforce was expanded in order to cover Generative AI.
The scope of the Taskforce on Generative AI Enforcement is to serve as a platform for the exchange of information on investigations related to Generative AI cases in order to enhance cooperation between DPAs and ensure compliance with the GDPR. The substantive content of these exchanges relates to investigations involving entities without an establishment in Europe. In this context, the Taskforce also aims at facilitating coordination of external communication by DPAs on enforcement activities concerning Artificial Intelligence.
Other projects
The Report also highlights a range of other projects which the EDPB expects to progress in 2026, including:
- New Data Protection Impact Assessment (“DPIA”) template (already published and subject to public consultation – see here) and Data Breach Notification template;
- Report on the public consultation on the EDPB’s Blockchain Technologies guidelines;
- Report on the stakeholder event on Anonymisation and Pseudonymisation (this event was aimed at collecting input from stakeholders on implications of the CJEU’s ruling of 4 September 2025 in Case C-413/23 P – EDPS v. Single Resolution Board);
- New form on the EDPB website to signal inconsistencies between national and EDPB GDPR guidance;
- Workshop on complaint-handling among DPAs;
- Template for cross-regulatory cooperation agreements; and
- New practical resources such as checklists and FAQs.
GDPR enforcement
EU DPA enforcement activities
In 2025, DPAs issued total fines of €1.1 billion. The Irish Data Protection Commission (“DPC”) issued four fines. Despite the small number of fines issued by the Irish DPC, these fines represented almost half of the total value of fines imposed by DPAs in 2025, amounting to a total of €530.8 million. The bulk of this figure comes from the €530 million fine imposed on TikTok in April 2025 for unlawful transfers of personal data to China.
The French DPA, namely the CNIL, imposed the second highest total value of fines, amounting to a total of €486.8 million. Together, Ireland and France represent close to 90% of the data protection fines in the EU by monetary value. By contrast, certain Member States such as Germany and Spain have a much higher total number of fines (499 and 324 respectively), but the average monetary value of fines imposed was much smaller. This aligns with trends in past years and may reflect a greater willingness to impose fines for more minor breaches of data protection law in certain jurisdictions.
The Report contains a non-exhaustive list of national enforcement actions in different Member States. The cases listed illustrate the diverse regulatory responses to GDPR infringements, ranging from investigations and compliance orders to significant sanctions and fines. Enforcement action was taken for a range of infringements, including, for example, unlawful sharing of personal data about website visitors to third parties without a legal basis, inadequate security for personal data being processed, failure to respond to data access requests, and improper handling of personal data breaches.
EDPB activity
The Report highlights how the EDPB plays a critical role in resolving disputes between DPAs and ensuring the consistent application of the GDPR through its binding decision-making powers under Articles 65 and 66 GDPR. These powers help resolve disagreements in cross-border cases under the one-stop-shop mechanism. The Report sets out two infographics explaining how the one-stop-shop procedure and urgency procedures, under Articles 65 and 66 respectively, work in practice. There were no binding decisions adopted by the EDPB in 2025, marking the second year in a row in which no binding decisions were adopted. The Report notes that this shows “progress in building consensus and cooperation among DPAs”. Looking ahead, however, the EDPB warns that it remains prepared to exercise its binding decision-making powers as necessary to uphold the uniform application of the GDPR and address any unresolved disputes that may arise in the future.
In 2020, the EDPB set up a Coordinated Enforcement Framework (“CEF”), with the aim of streamlining enforcement and cooperation among DPAs. In January 2025, the EDPB adopted a report on the implementation of the right of access by controllers under Article 15 GDPR. This report summarises the outcome of a series of coordinated national actions carried out in 2024 under the CEF. For its 2025 CEF action, the EDPB selected the right to erasure as the focus, as it is one of the most frequently exercised GDPR rights and one about which DPAs frequently receive complaints from individuals. The EDPB report (published in February 2026) analyses some of the most recurring issues observed by DPAs during the year in respect of compliance with the right to erasure, and includes non-binding recommendations for controllers (previously discussed here). The CEF action for 2026 will focus on compliance with transparency and information obligations under Articles 12-14 GDPR.
Litigation
In 2025, the EDPB’s role in litigation before the Court of Justice of the European Union continued to expand, with the EDPB acting as a party in 15 cases. Most of the cases concerned applications for annulment against binding decisions adopted by the EDPB.
The two cases submitted in 2025 were appeals: one in relation to an application for annulment against an urgent binding decision, another in relation to a complainant’s right to access the file under Article 41(2)(b) of the EU Charter. The Report includes an overview of the litigation involving the EDPB as a main party which was still ongoing or closed in 2025.
Contact us
For more information, please contact any member of our Technology and Innovation Group or your usual Matheson contact.
