EDPB Annual Report for 2025

Back to News & Insights

Philipa Jane Farley, Head of Legal and Operations

This article accompanies Hour 1: Global Privacy Law Updates in our full-day CPD programme on XpertAcademy. Completion of the full one-hour session, including the related learning materials, contributes to the one-hour CPD certificate issued for that session. You can access the course here: CPD Event A: Full-Day Regulatory Privacy Training.

What the EDPB’s 2025 Annual Report Means for Organisations

The European Data Protection Board’s 2025 Annual Report is one of the clearest indications available of where European data protection regulation is moving in practice. Read alongside the Helsinki Statement on enhanced clarity, support and engagement, it shows an EDPB focused not only on consistency and enforcement, but also on making GDPR compliance more workable in an increasingly complex digital regulatory environment.

That matters because 2025 was not simply another year of GDPR guidance. It was a year in which the EDPB responded to a substantially more crowded regulatory landscape, with data protection increasingly intersecting with the Digital Services Act, the Digital Markets Act, the AI Act, competition law, adequacy decisions, procedural reform and proposals for simplification of regulatory obligations.

For organisations, the practical significance is straightforward. GDPR compliance can no longer be approached as a standalone legal exercise. Nor is it sufficient to rely on policies, privacy notices and internal guidance alone. The EDPB’s 2025 work points towards a model of compliance that is more integrated, more operational and more explicitly concerned with clarity, dialogue, consistency and practical implementation.

That is particularly relevant for in-house DPOs, compliance leads, legal teams and senior management. The deeper value of the report lies not only in what the EDPB did, but in what those activities suggest about how organisations are increasingly expected to govern privacy in practice.

The Helsinki Statement is more important than it first appears

The single most important framing point in the 2025 report is the Helsinki Statement, adopted on 2 July 2025. The Statement commits the EDPB to new initiatives to facilitate easier GDPR compliance, strengthen consistency, deepen stakeholder dialogue and develop stronger cross-regulatory cooperation in the evolving digital landscape. It also makes clear that these initiatives are intended in particular to support micro, small and medium organisations, enable responsible innovation and reinforce competitiveness in Europe.

This is not a retreat from strong privacy standards. The Statement expressly frames its approach as “a fundamental rights approach to innovation and competitiveness”. That formulation matters. The EDPB is not saying that privacy needs to give way to innovation. It is saying that innovation and competitiveness should be supported through a clearer and more usable regulatory environment, while fundamental rights remain central.

The Annual Report shows that this was not just aspirational language. The Board sought practical feedback from stakeholders on which templates organisations would find most useful, committed to publicly reporting the outcomes of consultations, and pushed forward work on more practical and more accessible guidance formats. The report is also explicit that the EDPB wants its guidance to be clearer, more practical and easier to understand, and that it has updated internal working methods accordingly.

The most useful illustration is the “Six months of progress since the Helsinki Statement” section on page 13. That timeline shows progress in four broad areas: making GDPR easier, improving consistency and enforcement, strengthening stakeholder dialogue and enhancing cross-regulatory cooperation. By December 2025 the EDPB had already produced internal guidance to improve the clarity and usability of its own outputs, held a stakeholder event on anonymisation and pseudonymisation, and endorsed joint DMA/GDPR guidance with the European Commission. It also set out a pipeline for 2026 that included a DPIA template, a common data breach notification template, a form to signal inconsistencies between national and EDPB guidance, and further joint AI/GDPR guidance.

This is worth taking seriously. Annual reports often describe activity after the event. Here, the EDPB is also signalling how it intends to work differently going forward.

In practice, many organisations do not primarily struggle because GDPR obligations are unclear in theory. They struggle because those obligations must be applied across real systems, suppliers, digital products, service environments, business timelines and governance structures. That is particularly evident where:

  • the privacy function is small
  • operational teams are moving quickly
  • procurement or product choices are made before privacy analysis is complete
  • several legal frameworks now apply to the same activity
  • the organisation needs something more practical than a long legal memo

One of the more useful aspects of the Helsinki Statement is that it reflects a growing regulatory recognition of this operational reality. Easier compliance, in this context, does not mean lower standards. It means guidance that can be translated into actual organisational behaviour more effectively.

One practical point worth adding is that simplification is only valuable if it improves judgement. Templates, summaries and checklists can be extremely useful, but only if they help organisations ask the right questions earlier and more consistently. Used badly, they can become a substitute for thinking. Used well, they are often what allows smaller or overstretched teams to make better decisions in time.

Regulatory direction: The EDPB is actively shifting towards more practical, usable and implementation-focused compliance support, while maintaining a fundamental rights-based approach. This suggests that privacy governance should increasingly be built around operational clarity and usable controls rather than documentation alone.

GDPR now needs to be understood within a broader digital regulatory landscape

A major theme in the report is the EDPB’s growing role in clarifying how GDPR interacts with other EU digital laws. The foreword states that the rapid expansion of the EU’s digital regulatory framework has added complexity to the data protection ecosystem and that regulators now have a responsibility to clarify the interplay between data protection rules and other digital laws, and to ensure legal certainty and consistency.

This is an important shift in emphasis. GDPR is not being displaced, but it is increasingly being interpreted as part of a wider digital rulebook. The report gives several concrete examples. In 2025, the EDPB:

  • adopted Guidelines 3/2025 on the interplay between the DSA and the GDPR
  • endorsed its first joint guidelines with the European Commission on the interplay between the DMA and the GDPR
  • continued work with the Commission and the AI Office on guidance addressing the interplay between the AI Act and EU data protection laws
  • adopted a position paper on the interplay between data protection and competition law

These are not merely institutional exercises. They indicate the kinds of legal and governance issues that organisations increasingly need to handle in joined-up ways.

The DSA/GDPR guidelines, for example, are said to address how GDPR principles and safeguards apply to notice-and-action mechanisms, recommender systems, transparency of advertising, deceptive design patterns, and privacy and safety protections for minors, including prohibitions on certain forms of profiling-based advertising. The DMA/GDPR guidance addresses specific choice, consent, data combination, portability and other obligations affecting gatekeepers, business users and individuals.

That is highly relevant even for organisations that are not gatekeepers or major platforms. The broader point is that privacy can no longer be assumed to sit on a separate compliance track. Product design, interface choices, ad-tech, platform functionality, AI deployments and user account models increasingly need to be understood across multiple legal frameworks.

In practice, the challenge is often not doctrinal but organisational. Different teams tend to own different parts of the problem:

  • privacy or legal may own GDPR
  • product or engineering may own user journeys and platform functionality
  • digital teams may own DSA or consumer-facing processes
  • AI or innovation teams may own model adoption
  • commercial teams may shape onboarding, consent journeys or personalisation features

Where these functions do not meet early enough, organisations can find themselves technically progressing in one area while creating avoidable exposure in another.

This can happen in very ordinary ways. An interface change designed to improve conversion may create a consent issue. A safety or moderation feature may affect rights or profiling analysis. A DMA-style data portability design may have implications for lawful basis, minimisation or transparency. A recommender system or advertising tool may need to be assessed through both DSA and GDPR lenses.

A distinctive point from practice is that many governance problems are no longer “privacy-only” problems. They are governance coordination problems. The relevant question is often less “what does GDPR say?” and more “who in the organisation is joining up privacy with the rest of the digital legal environment?”

That is particularly important in organisations dealing with higher-risk user groups, digital service delivery, education, health-related environments, children’s data, or AI-enabled decision support.

Cross-regulatory risk: GDPR compliance increasingly overlaps with other digital regulation, including the DSA, DMA and AI Act. Organisations should expect privacy, product and regulatory governance to become more integrated rather than more separate.

The guidance priorities are practical and implementation-focused

The EDPB’s 2025 guidance agenda is strikingly practical. In addition to the interplay guidance, the Board adopted:

The choice of topics is revealing. These are not primarily abstract questions about doctrine. They are questions about how organisations build systems, choose safeguards, structure services and minimise unnecessary friction or over-collection.

The pseudonymisation guidelines explain the role of pseudonymisation as a safeguard that may be appropriate and effective for meeting obligations under the GDPR, particularly in relation to data protection principles, privacy by design and default, and security. They also analyse the technical and organisational safeguards needed to preserve confidentiality and avoid unauthorised identification.

The blockchain guidance is similarly practical. It addresses architecture choices, role allocation, data minimisation, storage approaches and the handling of transparency, rectification and erasure in blockchain environments. The report states clearly that, as a general rule, storing personal data on a blockchain should be avoided where it conflicts with GDPR principles.

The recommendations on account creation for e-commerce websites are perhaps the most visibly user-oriented. The EDPB states that, as a general rule, users should be able to make purchases without being required to create an account, and that guest checkout or voluntary account creation should be offered wherever possible, with mandatory account creation only justifiable in limited cases such as subscription-based services or access to exclusive offers.

This matters because it illustrates a wider regulatory tendency. The EDPB is increasingly engaging with the practical design choices that shape data processing, not only the downstream legal justifications for them.

In practice, these are exactly the kinds of issues that tend to surface late:

  • is this safeguard actually effective?
  • is this architecture compatible with rights?
  • do we genuinely need persistent accounts?
  • are we collecting data because it is necessary, or because it makes the business model simpler?

We see privacy teams brought in after these choices have substantially hardened. At that point, the conversation becomes one of damage limitation rather than design improvement.

A useful perspective from practice is that privacy risk often becomes materially easier to manage where the organisation treats privacy analysis as part of design and procurement, rather than as a review stage after implementation decisions are already largely fixed. This is particularly relevant in outsourced digital services, AI-enabled workflows, health and care settings, education environments, public service delivery and products aimed at or accessible by children.

Operational design lesson: Recent EDPB guidance priorities suggest that privacy risk is increasingly being assessed through design choices, architecture, account models, safeguards and minimisation decisions. Early-stage design governance is therefore becoming more important.

AI moved from policy discussion to supervision and methodology

The EDPB’s 2025 report confirms that AI is no longer a peripheral policy topic. It is now part of mainstream supervisory and methodological work.

The report places AI at the centre of several activities:

  • ongoing joint work with the Commission and the AI Office on GDPR/AI Act interplay guidance
  • Support Pool of Experts projects on AI supervision and LLM privacy risks and mitigations
  • training curricula on AI security, AI compliance and secure AI systems handling personal data
  • an EDPB bootcamp on AI and AI auditing involving 50 participants from 24 countries
  • extension of the ChatGPT taskforce into a broader Taskforce on Generative AI Enforcement

The LLM risk project is especially significant. The report describes it as offering a comprehensive risk management methodology and practical mitigation measures for common privacy risks in LLM systems, illustrated through use cases such as customer service chatbots, student progress support tools and AI assistants for travel and schedule management.

This indicates a maturing supervisory posture. The EDPB is moving beyond general debate about AI and toward more structured evaluation of how AI systems are built, trained, deployed and audited.

In practice, AI adoption continues to outpace governance in many organisations. AI tools are already in use across customer support, analytics, drafting, workflow automation, education, compliance, HR, healthcare-adjacent settings and digital service delivery. But the visibility of those uses, and the consistency of governance around them, is often uneven.

Common issues include:

  • incomplete mapping of AI use
  • weak understanding of what personal data is involved
  • insufficient lawful basis analysis
  • underdeveloped vendor due diligence
  • unclear treatment of downstream or model-training implications
  • low visibility of AI risks at board or executive level
  • inconsistent decisions about when a DPIA, LIA or broader governance review is required

A distinctive point from practice is that AI risk often becomes most acute not where AI is technically most advanced, but where it is adopted most casually. Embedded AI features, low-friction productivity tools, trial deployments and vendor-enabled features can all create governance blind spots precisely because they do not always look like major AI projects.

From a practical DPO perspective, that means ordinary governance disciplines matter a great deal:

  • identifying where AI is already in use
  • understanding what personal data is involved
  • checking what vendors are doing with that data
  • escalating material use cases to proper review
  • updating records, notices and risk assessments where appropriate

AI governance: The EDPB’s 2025 work confirms that AI is now part of mainstream supervisory activity. Organisations should assume that AI-enabled processing requires structured privacy governance, clear accountability and proportionate escalation to senior management where risk or impact is significant.

Enforcement is becoming more thematic, better supported, and more methodical

Although the 2025 report gives more prominence to clarity and stakeholder dialogue, enforcement remains central. The “Supporting Enforcement” chapter shows that the EDPB continues to invest in the practical infrastructure of consistency and enforcement.

The Coordinated Enforcement Framework remains one of the clearest examples. In January 2025, the EDPB adopted a report on implementation of the right of access, based on coordinated national actions carried out in 2024. For 2025, the Board selected the implementation of the right to erasure as the focus of its coordinated action, with 32 DPAs participating and 764 controllers responding across Europe.

The Support Pool of Experts also remains significant. In 2025, the EDPB published the deliverables of seven projects launched in 2024 and launched nine new projects, including work on AI supervision, LLM privacy risk, training curricula, the digital euro, website auditing tools and AI auditing bootcamps.

The report also records that in 2025:

  • 414 cross-border cases were created in the EDPB case register
  • 1,299 One-Stop-Shop procedures were triggered
  • 572 of those led to final decisions

At national level, DPAs issued a total of €1.145 billion in fines, with France and Ireland accounting for the largest totals at €486.854 million and €530.773 million respectively.

In practice, organisations often pay close attention to large fines but less attention to how supervisory capability is evolving. That can be a mistake. Coordinated actions, expert tools, audit methodologies and cross-border procedures often signal where regulators are becoming more consistent and more prepared. If the EDPB is investing in areas such as access rights, erasure, AI supervision, website auditing and methodological support, that is often a better indicator of where scrutiny is deepening than any single headline decision.

A useful perspective from practice is that mature organisations tend to respond better to thematic regulatory signals than to isolated enforcement headlines. If a regulator is building tools and methodologies around a topic, it usually means expectations are becoming more structured. That is a strong reason to review those areas proactively rather than waiting for a specific complaint or incident.

Enforcement maturity: Enforcement is becoming more thematic and methodical, supported by coordinated actions, expert methodologies and cross-border processes. This suggests that organisations should pay attention not only to major fines, but also to the areas where supervisory capability is clearly deepening.

The EDPB is trying to make guidance easier to consume and use

A major theme running through both the Secretariat section and the core activities section is accessibility of guidance. The EDPB explains that in 2025 it intensified efforts to make GDPR information more accessible to a wider, non-technical audience, using clearer and more straightforward language, in line with the Helsinki Statement and the 2024 – 2027 Strategy.

The Board also published additional summaries of guidelines in 2025, covering pseudonymisation, personal data breaches, blockchain technologies, right of access and the DSA/GDPR interplay. It separately consulted on which ready-to-use templates organisations would find most useful, including privacy notices and RoPA templates.

This should not be dismissed as mere communications work. It reflects a deeper point: if guidance is to improve compliance in practice, it needs to be understandable, adaptable and capable of being used by people who are not specialist privacy lawyers.

One of the recurring barriers to operational privacy maturity is not resistance. It is translation. Many organisations have committed and capable teams, but they need guidance that can be turned into workflow, process design, internal controls and practical instructions. Where guidance remains too abstract, organisations tend either to over-engineer or under-implement. More usable formats can materially improve the ability of internal DPOs and compliance teams to engage productively with operations, procurement, HR, IT, education, care or service teams that do not work in privacy full-time.

A useful lesson here is that internal privacy support should often mirror the direction the EDPB itself is taking: shorter supporting materials, targeted guidance, templates, checklists and summaries can strengthen compliance when used to support sound judgement rather than replace it.

Guidance usability: The EDPB is increasingly prioritising guidance that is concise, practical and usable by non-experts. Internally, this suggests value in translating privacy requirements into clearer operational tools rather than relying solely on long-form legal documentation.

Stakeholder dialogue is becoming a more formal part of the regulatory model

The EDPB’s 2025 report gives unusual prominence to consultation and stakeholder dialogue. The Board launched five public consultations in 2025, including on pseudonymisation, blockchain, DSA/GDPR interplay, DMA/GDPR interplay and e-commerce account creation, and separately sought views on which templates organisations would find most useful.

The report also describes a stakeholder event on anonymisation and pseudonymisation involving over 100 participants from sector associations, organisations, companies, law firms and academia. In line with the Helsinki Statement, the EDPB says it will systematically publish reports on input received during such stakeholder events.

This matters because it suggests that stakeholder engagement is becoming part of how the EDPB builds legitimacy, improves practicality and strengthens consistency.

Organisations often assume that guidance is something regulators issue to them, rather than something they can shape through consultation, response and engagement. The EDPB’s 2025 approach suggests a more participative model, particularly where implementation questions matter. That may be especially relevant for sectors where data protection issues arise in distinctive operational settings, such as healthcare, education, charities, financial services, public bodies, AI-enabled services, and work involving children or vulnerable individuals.

Organisations with recurring compliance challenges should pay more attention to consultation opportunities. There is often value in engaging early where draft guidance touches lived operational issues. This is one of the clearest ways to help ensure that final guidance reflects practical realities.

Regulatory engagement: The EDPB is increasingly building consultation and stakeholder dialogue into how guidance is developed. Organisations in more regulated or higher-risk sectors may benefit from monitoring these processes more actively as part of horizon scanning and policy input.

International adequacy and global engagement remain active governance issues

The report also shows continuing EDPB attention to adequacy, international engagement and cross-border consistency. In 2025, the Board provided five adequacy-related opinions concerning the UK, Brazil and the European Patent Organisation. It also continued international engagement through fora such as the G7 DPA Roundtable and the Global Privacy Assembly, and held a second meeting with DPAs from countries and organisations with EU adequacy decisions.

This is useful context because it reinforces that international data governance remains a live topic, not a settled one. The opinion on Brazil, for example, positively noted substantial alignment in many respects, while still inviting the Commission to assess further issues such as onward transfers, secrecy-related limits and the treatment of public authority access in criminal law contexts.

Many organisations still treat international transfer compliance as a one-time legal implementation task. The EDPB’s ongoing adequacy work suggests a more dynamic reality. International data governance continues to evolve, particularly where cloud services, AI providers, outsourced support, global vendor chains or disclosure scenarios are involved. We also see that international governance issues often surface indirectly through procurement, system configuration, support models, managed services, AI tooling or incident response rather than through a discrete “international transfer” project.

International data governance problems often do not emerge as abstract transfer-law questions. They emerge as operational questions: who can access the data, from where, for what purpose, under what contractual structure, and with what onward-use implications.

International data governance: Adequacy, cross-border data use and onward transfer conditions remain active supervisory issues. Organisations should periodically review whether international data governance is still aligned with their actual service, supplier and technology footprint.

What this means for organisations now

Taken together, the EDPB’s 2025 report shows a regulator trying to do several things at once:

  • preserve strong protection of fundamental rights
  • make compliance easier in practice
  • reduce fragmentation across Europe
  • help organisations navigate overlapping digital laws
  • build better tools for supervision and enforcement
  • respond more concretely to AI and emerging technologies

That is a significant development. It means the European privacy framework is not simply becoming more demanding. It is also becoming more operational. For organisations, the practical implications are clear.

First, GDPR governance can no longer be isolated from broader digital compliance. The interplay with the DSA, DMA, AI Act and competition law is now part of the practical compliance picture.

Secondly, privacy maturity increasingly depends on usable implementation, not just formal documentation. The EDPB’s emphasis on templates, summaries, consultations and practical guidance reflects that reality.

Thirdly, AI governance should now be treated as part of mainstream privacy governance and not as a specialist or experimental side-stream.

Fourthly, organisations should pay closer attention to the EDPB’s enforcement-support work. Coordinated actions, expert methodologies and practical supervisory tools often indicate where scrutiny is becoming more structured.

Finally, organisations should expect privacy governance to be judged increasingly through its operational reality: how systems are designed, how rights are handled, how controls are evidenced, how risks are escalated and how legal obligations are translated into day-to-day practice.

What to take back to your organisation

A focused internal review after reading the 2025 report could reasonably include the following questions:

  • Do we understand where GDPR overlaps with other digital regulation that affects us?
  • Are our privacy controls being applied early enough in design, procurement and AI adoption?
  • Is our internal privacy guidance practical enough for non-specialist teams to use?
  • Are there areas where we are relying on policy statements without enough operational evidence?
  • Are board and executive visibility strong enough for digital and privacy risk areas that are changing quickly?

Conclusion

The EDPB’s 2025 Annual Report is not simply a record of activity. It is a statement of regulatory direction. Its core message is that data protection now operates in a more complex and interconnected regulatory environment, and that this complexity should be met with more practical guidance, stronger consistency, deeper stakeholder dialogue and more usable compliance tools, not weaker standards. For organisations, the challenge is no longer simply understanding GDPR in principle. It is integrating privacy governance into the wider reality of digital regulation, AI deployment, product design, supplier management, operational accountability and senior decision-making.

For many organisations, that requires a shift:

  • from privacy as documentation to privacy as governance
  • from siloed compliance to cross-functional coordination
  • from abstract policy to practical implementation
  • from reactive advice to earlier design-stage involvement

That is the deeper significance of the EDPB’s 2025 report. It is not only about what the Board did in 2025. It is about the kind of privacy governance environment European organisations are now being expected to build.

This article is intended to support the learning covered in Hour 1 of our XpertAcademy CPD programme. The relevant CPD certificate is issued for completion of the full one-hour session on XpertAcademy, rather than for reading this article on its own. You can return to the course here: CPD Event A: Full-Day Regulatory Privacy Training.

Related Articles

AI Governance and Data Protection Impact Assessments (DPIAs)
GDPR DPO

AI Governance and Data Protection Impact Assessments (DPIAs)

A practical guide for DPOs and compliance teams on using DPIAs to structure AI governance, manage risk, and build defensible, scalable processes...
bx-arrow
DPC and EDPB Annual Reports for 2024
Privacy CPD

DPC and EDPB Annual Reports for 2024

A practical reading of the DPC and EDPB Annual Reports for 2024, highlighting the compliance themes, operational risks and governance issues organisations...
bx-arrow
Transfer Impact Assessments in Practice
Privacy CPD

Transfer Impact Assessments in Practice

A strong TIA is not about completing a template. It tests whether an organisation understands the transfer, the foreign jurisdiction, and whether...
bx-arrow

Ready to start your Data Protect journey with us?

Get in Touch
Data Protection Officer Services