The European Data Protection Board (EDPB) recently held its plenary session in Brussels on June 5th. During this session, the EDPB adopted the final version of its guidelines concerning Article 48 of the GDPR, which addresses data transfers to authorities in third countries. This adoption followed a period of public consultation. Additionally, the Board unveiled two new Support Pool of Experts (SPE) projects designed to provide training material on artificial intelligence and data protection. Finally, the EDPB discussed a request from the European Commission for a joint opinion, together with the European Data Protection Supervisor (EDPS), regarding a draft proposal aimed at simplifying GDPR record-keeping obligations.
Regarding data transfers to third country authorities, the EDPB's adopted guidelines clarify how organizations can lawfully respond to requests for personal data transfers from non-European countries, specifically under Article 48 GDPR. The EDPB emphasizes that judgments or decisions from third-country authorities cannot be automatically recognized or enforced within Europe. While an international agreement can provide both a legal basis and a ground for transfer, in its absence or if the agreement is insufficient, other legal bases or grounds may be considered in exceptional, case-by-case scenarios. The updated guidelines, while maintaining their core orientation, introduce clarifications on various aspects raised during consultation, such as situations involving a processor as the recipient of a request or a parent company in a third country requesting data from its European subsidiary.
In the area of AI and data protection, the EDPB presented two new SPE projects, launched at the request of the Hellenic Data Protection Authority (HDPA). These projects include "Law & Compliance in AI Security & Data Protection" and "Fundamentals of Secure AI Systems with Personal Data," both offering valuable training material. The first report targets legal professionals like data protection officers (DPOs) and privacy professionals, while the second is aimed at technical professionals such as cybersecurity experts, developers, or deployers of high-risk AI systems. The primary goal of these initiatives is to address the critical skills gap in AI and data protection, fostering a more favorable environment for enforcing data protection legislation. To facilitate wider access and collaboration, the EDPB decided to publish both documents as PDF files and, recognizing the rapid evolution of AI, will launch a one-year pilot project for a modifiable community version. This innovative initiative will involve importing the reports into the EDPB's Git repository, allowing external contributors to propose changes or add comments under a Creative Commons Attribution-ShareAlike license.
Finally, the Board addressed the European Commission's proposal to simplify record-keeping obligations under GDPR Article 30(5) for small and medium-sized enterprises (SMEs), small mid-caps (SMCs), and organizations with fewer than 750 employees. The EDPB and EDPS are set to issue their joint opinion on this matter within eight weeks.
Note to editors: The Support Pool of Experts (SPE) is a key initiative within the EDPB's 2024-2027 strategy. It aims to bolster Data Protection Authorities' (DPAs) enforcement capacity by developing common tools and providing access to a broad network of experts. Under the SPE program, the EDPB may commission experts to produce reports and tools on specific topics. It's important to note that the views expressed in these deliverables are solely those of their authors and do not necessarily reflect the official position of the EDPB. The reports will be made available on the repository page in the coming months. On May 8, 2025, the EDPB and EDPS had already sent a letter to the European Commission, sharing preliminary views on the simplification of record-keeping obligations.