EDPB 2025 Annual Report: Guidance and Dialogue for Stakeholder Support

Brussels, 09 April - The European Data Protection Board (EDPB) has published its 2025 Annual Report. The report provides an overview of the EDPB work carried out in 2025 and reflects on important milestones, such as the adoption of the Helsinki Statement on Enhanced Clarity, Support, and Engagement. In 2025, the data protection landscape changed significantly. The EU’s digital regulatory framework expanded rapidly, adding complexity to the ecosystem. To help organizations navigate this and support compliance, the EDPB focused on enhancing legal certainty. This made compliance more achievable in practice. The EDPB also worked on strengthening cooperation among Data Protection Authorities and with other regulators. This approach aimed to simplify the complex regulatory environment for all stakeholders involved. We also prioritised meaningful dialogue with stakeholders to ensure our work reflected real-world needs. Our achievements support economic growth while continuing to protect individuals’ fundamental rights to privacy and data protection.” EDPB Chair, Anu Talus The Helsinki’s statement initiatives leading the way. In 2025, the EDPB worked actively to address the demand for regulatory simplification to support innovation and economic growth, while ensuring the protection of individuals’ personal data. With this in mind, the Board adopted the Helsinki Statement on Enhanced Clarity, Support, and Engagement, which outlines new initiatives to make GDPR compliance easier, strengthen consistency, enhance the dialogue and improve transparency with stakeholders and boost cross-regulatory cooperation. For example, the Board launched a public consultation to ask organisations which templates would be most useful, organised several stakeholder events to consult organisations on upcoming guidelines and systematically published reports on stakeholder input. Easing compliance for organizations and providing legal advice was a key focus. Amid EU-level discussions on regulatory simplification, the EDPB actively contributed to legislative initiatives. These aimed at reducing administrative burden and streamlining requirements for businesses. The Board adopted a joint opinion with the European Data Protection Supervisor (EDPS). This opinion concerned the Commission’s Proposal for a Regulation amending certain regulations, specifically including the GDPR. In addition, the Board held important discussions on this matter during plenary meetings, which subsequently informed the EPDB/EDPS joint opinions on the Commission’s proposals on the Digital Omnibus and on the Digital Omnibus on AI adopted at the beginning of 2026. The Board also delivered five adequacy-related opinions concerning United Kingdom, Brazil and the European Patent Organisation (EPO). In addition, the Board adopted Recommendations on the legal basis for requiring the creation of user accounts on e-commerce websites, and Recommendations on the 2027 WADA World Anti-Doping Code upon request from the Commission. Strengthening cross-regulatory cooperation was a key focus for the EDPB last year. The EDPB worked together with the European Commission to clarify how data protection and digital laws interact and to address legal and practical challenges in cross-sectoral cases. In 2025, the EDPB adopted its first set of joint guidelines with the Commission on the interplay between the Digital Markets Act (DMA) and the GDPR. The Board also worked with the Commission on joint guidelines on the interplay between the AI act and EU data protection laws for adoption in 2026. In addition, the EDPB adopted guidelines on the interplay between the Digital Services Act (DSA) and the GDPR. Placing stakeholders at the heart of EDPB work was crucial. In 2025, a public consultation launched on joint guidelines with the Commission regarding the DMA and GDPR. The Board also organized public consultations on EDPB guidelines for DSA and GDPR. Further consultations covered blockchain technologies, pseudonymisation, and recommendations on the legal basis for requiring user accounts on e-commerce websites. These initiatives aimed to gather diverse input. In addition, in line with the Helsinki statement’s objectives to make GDPR compliance easier, the EDPB organised a public consultation to understand which templates organisations consider would be most useful for them (e.g. privacy notice template, record of processing activities template, etc.). In December 2025, a stakeholder event on anonymisation and pseudonymisation took place, which was followed by a report on the input collected during the event. Promoting high standards of data protection worldwide is a core mission. In line with its Strategy 2024-2027, the EDPB engaged with the international community. This promoted a high level of data protection and ensured effective personal data protection beyond EU borders. The Board participated in international fora, including the G7 Data Protection Authorities Roundtable and the Global Privacy Assembly. These engagements reinforced global data protection efforts. In December 2025, the EDPB also held online the second meeting with Commissioners and representatives of Data Protection Authorities (DPAs) from the countries and the organisation with an EU adequacy decision. Providing guidance and ensuring consistency. In 2025, three new set of guidelines focusing on pseudonymisation, blockchains technologies and on the DSA and the GDPR, and guidelines following public consultation on data transfers to third country authorities were adopted. 29 Art. 64(1) GDPR opinions were adopted, reflecting the Board’s continued commitment to promoting harmonisation. Supporting consistent and effective enforcement. Strengthening cooperation among DPAs was another key priority in 2025. This took place through multiple instruments aimed at facilitating joint actions and knowledge-sharing, including the Coordinated Enforcement Framework (CEF), the Support Pool of Experts (SPE) and dedicated taskforces. The Board improved cross-border cooperation, supporting DPAs in complex cases. It ensured alignment in enforcement practices. In 2025, 414 cross-border cases were created in the EDPB’s register. Additionally, 1299 One-Stop-Shop procedures were triggered. Out of these, 572 led to final decisions. This demonstrates a significant effort in streamlining and resolving cross-border data protection issues effectively. Finally, at national level DPAs issued a total of €1,15 bn worth in fines.