The European Data Protection Board (the "EDPB") recently published its 2025 Annual Report (the "Report").
The Report is framed around the theme of "Clarity in action: Supporting stakeholders through guidance and dialogue" and reflects a year defined by four central themes: (1) cross-regulatory cooperation, (2) simplification and accessibility of GDPR compliance, (3) cross-border cooperation, and (4) variation in enforcement activity.
Some key figures relating to the EDPB activity outlined in the Report are as follows:
- 5 sets of Guidelines: pseudonymisation, blockchain technologies, the DSA-GDPR interplay, Article 48 GDPR, and joint DMA-GDPR Guidelines;
- 2 sets of Recommendations;
- 29 Art. 64(1) (non-binding) consistency opinions;
- 1 stakeholder event;
- 6 legislative consultation opinions;
- 15 cases before the CJEU to which the EDPB was a party, and 2 appeals submitted;
- 1 Coordinated Enforcement Framework on the right of erasure under Article 17 GDPR;
- 414 cross-border cases; and
- 1,299 procedures initiated under the One-Stop-Shop mechanism.
Cross-Regulatory Cooperation
A central focus of 2025 was clarifying the interplay between data protection and other EU digital legislation. The EDPB adopted Guidelines on the DSA-GDPR interplay and, in a first for the EDPB, the EDPB and the European Commission endorsed joint DMA-GDPR Guidelines in October 2025, setting out how GDPR principles apply in the context of DMA obligations. Work is ongoing with the European Commission and the AI Office on joint guidelines addressing the interplay between the AI Act and EU data protection laws, expected in 2026. The EDPB also published a position paper on the intersection of data protection and competition law. Furthermore, the EDPB Support Pool of Experts published deliverables from 7 projects (including on AI and LLMs) and launched 9 new projects; the ChatGPT Taskforce mandate was broadened to cover generative AI more generally, serving as a platform for the exchange of information on investigations related to generative AI cases and facilitating coordination of external communication by national supervisory authorities on AI enforcement activities.
The growing body of cross-regulatory guidance underscores the fact that data protection responsibilities cannot be considered in a silo. Clients should adopt a holistic approach to digital regulatory compliance, ensuring that their data protection, platform, AI, and competition law strategies are coherent and mutually reinforcing.
Simplification and Accessibility of GDPR Compliance
The EDPB engaged actively with the Commission's Digital Omnibus proposal. In its joint opinion with the EDPS (adopted in February 2026), the EDPB strongly opposed the proposed changes to the definition of personal data, warning that these would significantly narrow the concept. It did, however, support other elements of the proposal, including the increased threshold for data breach notification and the introduction of common templates.
Alongside this engagement with the legislative agenda, in July 2025 the EDPB adopted the Helsinki Statement on Enhanced Clarity, Support, and Engagement. The Helsinki Statement represents a formal commitment to make GDPR compliance more practicable through the provision of standardised templates (e.g. DPIA templates and data breach notification forms), stakeholder engagement events, and clearer drafting of guidance documents. The trajectory of these initiatives reflects a clear trend towards reducing the administrative burden associated with compliance. At the same time, the EDPB Chair stated in the Report that it is the EDPB's task as regulator to ensure that "simplification does not amount to deregulation and that core data protection rights are safeguarded".
While controllers should take advantage of emerging templates and tools, they would be well advised not to interpret the simplification agenda as signalling any relaxation of substantive obligations.
Cross-Border Cooperation
As mentioned above, the Report records 414 cross-border cases and 1,299 One-Stop-Shop procedures in 2025, of which 572 led to final decisions. This is a notable increase from 2024 (350 cross-border cases and 982 One-Stop-Shop procedures). There were also no binding decisions adopted under Arts. 65 or 66 GDPR in 2025, marking the second consecutive year without such decisions. The EDPB interprets this as evidence of progress in consensus-building among national supervisory authorities, suggesting that they are increasingly aligned in their approaches and able to resolve areas of disagreement without recourse to the formal dispute resolution mechanism under the GDPR.
Variation in Enforcement Activity
The Report includes a table setting out the total number and value of fines issued by supervisory authorities in the EU Member States (some of which are subject to appeal and may therefore change if they are overturned). According to the table, supervisory authorities collectively issued approximately €1.15 billion in fines in 2025, suggesting that fine levels have stabilised following the first year-on-year reduction since the GDPR's entry into force, which was observed in 2024.
- Fine concentration in Ireland and France: Ireland (~€531 million, driven primarily by the €530 million TikTok transfer decision) and France (~€487 million) together accounted for approximately 89% of all fines issued across Europe. The TikTok fine alone comprises just under half (46%) of the total fines issued for 2025.
- Divergence between low-volume/high-impact and high-volume/lower-impact enforcement: Ireland issued just 4 fines, averaging ~€133 million each, whereas Germany issued 499 fines averaging ~€96,000 and Spain 324 fines averaging ~€139,000.
- Widespread but modest enforcement elsewhere: Fines were issued across virtually every EEA jurisdiction, yet total values remain very low in many Member States (e.g. Denmark €13,300; Sweden €23,350; Norway €22,000).
- Key themes: From the selection of national cases within the Report, key themes include data security, international data transfers, biometric data and facial recognition, surveillance, and automated decision making.
The enforcement data reveals a market in which regulatory risk is unevenly distributed but remains substantial. The concentration of high-value fines in Ireland and France, particularly the TikTok fine, underscores the particular exposure of large-scale technology and data-driven businesses.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.