CLVPartners

CLV-02
Menu

privacy

Current Activities of the European Data Protection Board to Support GDPR Compliance

Data protection, News / / , , , , , ,

Reading time: 7 minutes

The European Data Protection Board has published its Work Programme for 2026–2027 (hereinafter: the “Programme”), adopted on 11 February 2026, The Programme provides not only strategic directions but also concrete tools to support organisations’ day-to-day compliance. This article summarises the consultation results and the key plans set out in the European Data Protection Board’s Programme.

Background

In its 2024–2027 strategy, the European Data Protection Board identified four interlinked priorities. These include strengthening the consistent application of data protection rules and further priority is deepening supporting organisations in complying with the law. A cooperation among data protection authorities, particularly in cross-border cases. The strategy also emphasises ensuring that data protection is effective in a fast-evolving digital environment affecting multiple regulatory areas, including applications of artificial intelligence. Moreover, the European Data Protection Board aims to actively foster and shape international dialogue on privacy and personal data protection. The Programme supports the implementation of the European Data Protection Board’s 2024–2027 strategy, based on the identified priorities and the most important needs of stakeholders.

Main elements of the programme

The Programme builds on the consistent application of Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”) and sets out the European Data Protection Board’s activities for 2026–2027 along four pillars: harmonisation and compliance, a common culture of enforcement, challenges in the digital regulatory environment, and global data protection dialogue.

Harmonisation and legal clarity

The European Data Protection Board will continue to issue detailed yet accessible guidance on topics considered critical by stakeholders during events and consultations, such as anonymisation and pseudonymisation, data processing based on legitimate interests, “consent or pay” models, and targeted updates on guidance for data protection officers.

The European Data Protection Board also intends to facilitate GDPR compliance with new practical tools, particularly for small and medium-sized enterprises (SMEs), including templates and guidance. To this end, a public consultation was conducted between 5 November and 3 December 2025 to identify which practical templates would most effectively support GDPR compliance.

The consultation highlighted the greatest demand for templates on records of processing activities, data protection impact assessments, legitimate interest assessments, privacy notices, transfer impact assessments, data processing agreements, data breach notification forms, and risk assessment templates. The European Data Protection Board has prioritised three templates in the Programme—legitimate interest assessment, records of processing activities, and privacy notices—to provide consistent, practical support, especially for organisations with limited resources.

In addition, the European Data Protection Board supports controllers and processors in developing and implementing compliance measures, for instance, through opinions on certification schemes, codes of conduct, and accreditation.

Stronger enforcement culture and cooperation

The second pillar aims to ensure consistency in the application and enforcement of the GDPR and to enhance cooperation among its members. The European Data Protection Board will continue to support the development of cooperation and enforcement tools and promote the sharing of expertise. Efforts will also focus on giving greater attention to priority issues and creating consistency.

In line with these objectives, the European Data Protection Board will focus on the consistent application of the GDPR and effective cooperation between authorities. To this end, it will update, among other things, its guidelines on handling cross-border cases, its principles on imposing fines, and its rules on mutual assistance and emergency procedures. As part of its action on the Coordinated Enforcement Framework (CEF), in 2026 it will focus on fulfilling the obligations under Articles 12-14 of the GDPR regarding transparent information, communication and measures for the exercise of data subjects’ rights. Where necessary, it will set up working groups to provide operational platforms for cases requiring cooperation on enforcement matters. To ensure the effective functioning of the consistency mechanism, it will adopt opinions addressed to national supervisory authorities with a view to supporting consistent decision-making.

Data protection at the intersection of digital legislation

The European Data Protection Board’s priority is to ensure coherence across EU digital legislation. In the rapidly evolving technological and market environment, data protection interacts closely with multiple other EU laws, such as the AI Regulation. This increases the importance of consistent interpretation, coordinated action by authorities, and clear guidance. The European Data Protection Board collaborates with other regulators, including competition and consumer protection authorities, to support the new cross-regulatory environment. Key technological topics include generative AI, telemetry and diagnostic data, and blockchain-related data protection issues.

Global data protection dialogue and data transfers

The European Data Protection Board continues to promote global dialogue on privacy and data protection, focusing on international cooperation between its members and third-country authorities, especially those with EU adequacy decisions.

Conclusion: more support, greater legal certainty

A key message of the Programme is that GDPR compliance is not merely a matter of regulatory oversight, but a process that can be actively supported and structured. Templates, harmonised guidance, and enhanced authority cooperation aim to make GDPR application more predictable and practical. At the same time, each organisation must tailor its data processing documents and procedures to its own business processes and risks. The European Data Protection Board seeks to strengthen fundamental rights, support organisational compliance, and ensure that European data protection remains coherent and competitive in a fast-changing digital environment.

Photo source: pexels.com, MART PRODUCTION

Current Activities of the European Data Protection Board to Support GDPR Compliance Read More »

Data protection considerations related to the development of AI models

Data protection, News / / , , , , , , , ,

Reading time: 5 minutes

Artificial intelligence (“AI“) is a rapidly evolving family of technologies that contributes to a wide range of economic, environmental, and social benefits across all sectors and social activities. By improving predictive accuracy, optimizing operational processes and the allocation of resources, and enabling the personalization of digital solutions available to individuals and organizations, the use of AI can confer a decisive competitive advantage on businesses while also delivering beneficial social and environmental outcomes.

The use of artificial intelligence, alongside its potential benefits, is also associated with certain risks. In order to mitigate these risks, Regulation (EU) 2024/1689 of the European Parliament and of the Council on artificial intelligence (“AI Act”) has been adopted, several provisions of which have already entered into force. At the same time, the development of many AI models involves the use of personal data, which raises the question of how the AI Act affects data processing activities related to AI systems.

The relationship between the AI Act and the GDPR

The AI Act makes it clear that it does not amend the application of existing EU rules on the processing of personal data, including the requirements set out in the GDPR. Accordingly, organizations falling within the scope of the AI Act must, in the course of their data processing activities, comply fully with the provisions of the GDPR.

Through the enforcement of the right to the protection of personal data, the GDPR also supports the effective exercise of other fundamental rights, including, inter alia, freedom of thought and expression, the right to information and education, and the freedom to conduct a business. On this basis, it can be concluded that the GDPR establishes a legal framework that facilitates responsible innovation, including the responsible development and deployment of AI-related technologies.

Data protection considerations in relation with the development of AI Models

In connection with the development of AI models, the European Data Protection Board (“EDPB”) adopted a standalone opinion on data protection aspects arising in relation to the processing of personal data in the context of artificial intelligence models (“Opinion”).

The Opinion examines how personal data may be used in the development of AI models and highlights the issues requiring particular attention when placing on the market AI systems developed using personal data.

Lifecycle of AI Models

The EDPB divides the lifecycle of AI models into two stages, emphasizing that data processing may occur in either of them. The first stage covers the processes preceding the deployment of the model (including e.g. its creation, development, the training, the fine-tuning). The second stage relates to the deployment phase, encompassing the use of the model following its development.

Existence of a legal basis for data processing by data controllers

One of the cornerstones of data protection regulation is that personal data may only be processed where a specific legal basis exists. The Opinion reiterates the general expectation that data controllers must determine the appropriate legal basis for their processing activities.

However, the EDPB found that, as a general rule, an AI model developer may rely on legitimate interest as a legal basis, provided that the existence of such legitimate interest is duly substantiated. For this purpose, a three-step test – already familiar to those with experience in data protection compliance practice – serves to properly assess whether a legitimate interest genuinely exists.

The EDPB emphasizes that the balancing test must take into account whether the data subjects can reasonably expect their personal data to be used. The Opinion is significant in this regard because it sets out several criteria intended to assist data protection authorities in assessing the “reasonably foreseeable” criteria

The Opinion also recalls that, where it appears that the interests, rights, and freedoms of data subjects override the legitimate interests of the data controller or of a third party, all is not lost. Namely, the data controller may consider the implementation of mitigating measures to limit such adverse effects. These may include, for example, pseudonymization, or measures aimed at masking personal data or replacing them with fictitious personal data within the training dataset. The introduction of appropriate data protection measures can make data processing lawful again.

Anonymity

The GDPR classifies as personal data any information relating to an identified or identifiable natural person, whether directly or indirectly. According to the position of the EU institution, in the context of AI model development, personal data may only be used where they are properly anonymized, such that even in the event of a potential reverse engineering of the model, the identification of data subjects is not possible. With regard to anonymization, the EDPB emphasizes that the competent data protection authorities must assess, on a case-by-case basis, whether the organization developing the AI model has complied with this requirement. The body also sets out several recommended technique that may be suitable for preserving anonymity (e.g. prevent or limit the extraction of personal data used for training purposes).

Summary

The EU body emphasizes in its Opinion that compliance with data protection requirements governing the processing of personal data must be ensured throughout both the development and deployment of AI models. It is evident that the expansion of AI and its potential risks are being treated and monitored as a priority in law enforcement, and therefore numerous regulatory guidelines from authorities can be expected in the near future.

Photo source: pexels.com, Tara Winstead

Data protection considerations related to the development of AI models Read More »

CLVPartners
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.