CLVPartners

The EDPS 2025 Annual Report: A New Era in Corporate Data Protection and Technological Compliance


The European Data Protection Supervisor (EDPS) has published its 2025 Annual Report (hereinafter: the “Report”), providing a detailed account of its activities to protect personal data in a rapidly changing digital world. The Report clearly signals that the European data protection and digital regulatory environment has entered a new phase: the focus is no longer merely on formal GDPR policies, but on the actual operational controls of AI systems, cloud services, and international data transfers. The investigations typically center on tools and processes that most organizations use on a daily basis: Microsoft 365, cloud infrastructure, generative AI solutions, mobile applications, and HR systems. In this article, we present the main findings of the Report and outline the key aspects and recommendations necessary for compliance.

AI Governance: A new dimension of compliance

One of the most important messages of the Report is that corporate control over artificial intelligence (AI governance) will shortly develop into a standalone, high-priority compliance area. Artificial intelligence is no longer an experimental technology; it has become an integral part of daily operations within EU institutions and an increasing number of organizations. In preparation, the EDPS has already taken the first major steps:

Established a dedicated AI unit: It has strengthened this newly created unit to prepare for its supervisory duties under the EU Artificial Intelligence Act.

Mapped generative AI usage: It assessed the current AI ecosystem regarding prohibited practices and high-risk systems, and published a report highlighting the dominant areas of AI use and enforcement priorities.

Launched an AI regulatory sandbox program: Within the framework of a pilot project, it created a safe regulatory testing environment for developing and testing innovative AI systems under supervisory oversight.

Issued a new AI risk management guide: It published guidance for identifying and mitigating the technical risks associated with the development and deployment of AI systems.

Regulatory focus is intensifying particularly in the following specific areas:

the corporate use of generative AI tools;

the compliance of off-the-shelf AI solutions;

the strict control of high-risk AI systems;

the legal relationship between AI and personal data;

the technical risk management of AI systems.

In a corporate environment, this means that the use of AI is no longer exclusively an IT or innovation issue, but a key legal, compliance, and data protection risk area. Therefore, organizations must prepare now to introduce, document, supervise, and use AI solutions in their daily operations in accordance with the requirements of the GDPR and the EU Artificial Intelligence Act.

Microsoft 365 and enterprise IT systems

In 2025, the EDPS further strengthened its oversight of large IT systems, including cloud services such as Microsoft 365. The lesson from previous investigations is that compliance is not solely a contractual matter but requires an assessment covering the entire lifecycle of data processing.

The investigations focused on issues that are also critical for large enterprises:

international data transfers to third countries;

the transparency of complex sub-processing chains;

the control of access to data;

the existence of appropriate technical and organizational guarantees.

A key message of the Report is that a service agreement or a “GDPR-compliant” label alone is no longer sufficient. Supervisory practice increasingly examines actual operational controls, technical measures, and documented risk assessments. For this reason, we strongly recommend conducting a limited review of supplier contracts from a data protection perspective. In our experience, it is sufficient to do this once and then build a control into the process that triggers a re-assessment whenever a contract or service changes, or that provides for periodic reviews and follow-up checks.

International data transfers

Data transfers to third countries remain a high-priority enforcement area. The EDPS emphasizes that appropriate contractual clauses are not sufficient on their own. In assessing compliance, an increasingly important role is played by the actual content of the Transfer Impact Assessment (TIA), the evaluation of the legal and practical environment of the third country, and the real-world operation of the technical and organizational measures applied. In modern cloud-based systems, remote access also constitutes a data transfer under data protection law: if a third-country IT engineer (e.g., from India or the United States) logs into a database stored in Europe for support or system maintenance purposes, the data legally leaves the EEA. These risks can only be meaningfully assessed by a TIA. This is particularly relevant in environments where global cloud infrastructures or centralized IT support operate. In practice, this means that companies should assess whether data transfers outside the EU occur because of the nature of the supplier’s operations or because of processes required within the corporate group, and classify them accordingly.

The future of data protection will be technologically focused

Based on the EDPS Report, European data protection practice has definitively shifted in a technological direction. At the center of the supervisory focus stands the understandable and accountable operation of artificial intelligence, the continuous monitoring of cloud services, and the complete fusion of cybersecurity and data protection. Data protection compliance is thus no longer an isolated legal task, but a shared, daily responsibility of corporate management, procurement, digital transformation, and IT security.

Based on the EDPS Report, it is clear that in the coming years, organizations that recognize this paradigm shift and build a real, auditable technological governance system, rather than merely formal, paper-based GDPR compliance, will hold a clear competitive advantage.

Photo source: pexels.com, Photo: Jcmotive
