The European Data Protection Board today published its 2025 Annual Report, documenting a year of dense regulatory output, record enforcement totals, and the first joint guidelines ever drafted with the European Commission. The report, announced on 9 April 2026, covers activities carried out throughout 2025 and reflects the organisation's response to an expanding digital rulebook that now encompasses the GDPR, the Digital Markets Act, the Digital Services Act, and a nascent AI Act framework.

According to the annual report, national data protection authorities across Europe issued a combined total of 1,145,760,374 euros in fines during 2025. Ireland alone accounted for 530,773,000 euros of that sum - almost entirely driven by the April 2025 decision against TikTok Technology Limited for unlawful transfers of European user data to China, a case covered extensively by PPC Land. France contributed 486,854,500 euros across 84 fines, while Germany's combined DPA actions produced 499 fines totalling 48,117,083 euros. Spain issued 324 fines for a combined 45,203,465 euros. Slovakia stands out statistically: 542 fines, yet totalling only 468,953 euros, indicating a high volume of smaller cases rather than major corporate penalties.

The annual fine total represents a material increase over prior years and arrives as the GDPR has accumulated, since 2018, over 6,680 fines worth roughly 4.2 billion euros across its history - as tracked on PPC Land.

edpb-annual-report-2025_en
edpb-annual-report-2025_en.pdf
3 MB
download-circle

The Helsinki Statement and what it actually changed

The most consequential structural development of 2025 was a two-day high-level meeting held in Helsinki on 1 and 2 July. According to the annual report, the EDPB there agreed on new initiatives to make GDPR compliance easier, strengthen consistency, enhance stakeholder dialogue, and reinforce cross-regulatory cooperation. The resulting document - the Helsinki Statement on Enhanced Clarity, Support, and Engagement - is not legislation, but it has already produced concrete outputs.

Among the commitments made in Helsinki and delivered by year-end: in December 2025, the Board created internal guidance and best practices to ensure its documents are timely, concise, and practical; a stakeholder event on anonymisation and pseudonymisation took place that same month, drawing over 100 participants from sector associations, NGOs, and law firms. In October 2025, the joint DMA-GDPR guidelines were endorsed with the European Commission - the first co-authored guidance document in EDPB history.

Further work is already in the pipeline. According to the report, a Data Protection Impact Assessment (DPIA) template was due in early 2026, followed by a data breach notification template, a form for flagging inconsistencies between national and EDPB guidance, and a summer 2026 template for cross-regulatory cooperation agreements. Joint guidelines on the interplay between the AI Act and GDPR are to be published throughout 2026.

EDPB Chair Anu Talus, in the report's foreword, framed the year in these terms: according to her foreword, the rapid expansion of the EU's digital regulatory framework added complexity to the data protection ecosystem, and the EDPB took steps to reduce unnecessary administrative burden while ensuring that simplification does not lower the protection of individuals' fundamental rights.

DMA-GDPR joint guidelines: a technical first

The October 2025 joint guidelines on the interplay between the Digital Markets Act and the GDPR represent the most technically significant output of the year, not only for data protection but for digital advertising. These are the first guidelines ever jointly prepared by the EDPB and the European Commission, and they address precisely the overlap that has driven enforcement actions against Meta, Apple, and others.

According to the annual report, the guidelines clarify how GDPR principles apply in the context of DMA obligations that entail the processing of personal data by gatekeepers - a category that includes Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft. In particular, the guidelines explain how gatekeepers can implement DMA provisions that explicitly reference GDPR concepts, such as requirements for specific choice and valid consent under Article 5(2) DMA, when lawfully combining or cross-using personal data across core platform services. The guidelines also address data portability, access to data, third-party app distribution, and the interoperability of messaging services.

The public consultation on these guidelines opened on 9 October 2025 and closed on 4 December 2025. PPC Land reported that more than 100 responses were published in March 2026 following the consultation's closure. The final version of the guidelines will be prepared jointly by the EDPB and the Commission.

For the marketing community, the DMA-GDPR interplay guidance is directly relevant to consent architecture, behavioural advertising infrastructure, and data combination practices. The prohibition on relying on legitimate interests or contractual necessity as lawful grounds for combining user data across platform services forces changes to the default targeting logic on major platforms.

DSA-GDPR guidelines: advertising transparency in scope

On 11 September 2025, the EDPB adopted Guidelines 3/2025 on the interplay between the Digital Services Act and the GDPR. PPC Land covered the guidelines at the time of adoption, noting that the 38-page document outlined specific scenarios where advertising obligations under DSA Article 26 and GDPR processing requirements come into conflict.

According to the annual report, these are the first guidelines adopted by the EDPB specifically addressing the interaction between the GDPR and the EU's digital legislation. They address notice-and-action mechanisms for reporting illegal content, recommender systems, transparency of advertising, deceptive design patterns, and measures to protect minors. Notably, they address the prohibition on profile-based advertising directed at minors, as well as the prohibition on profiling using special categories of personal data.

The guidelines were submitted to public consultation. The Board also published a factsheet summarising the guidelines.

Pseudonymisation and blockchain: new technical guidance

Two additional sets of guidelines adopted in 2025 have direct implications for data infrastructure across the ad tech and martech ecosystems.

On 16 January 2025, the EDPB adopted Guidelines 1/2025 on pseudonymisationPPC Land reported on these guidelines in January 2025, noting that pseudonymised data remains personal data under GDPR Article 4(5) even when the additional information enabling re-identification is held by different entities. According to the annual report, the guidelines explain how pseudonymisation can help organisations meet obligations relating to data protection by design and default, and security. Technical measures and safeguards are analysed to ensure confidentiality and prevent unauthorised identification.

On 8 April 2025, the EDPB adopted Guidelines 02/2025 on processing of personal data through blockchain technologies, covered by PPC Land. According to the annual report, the guidelines address all major blockchain architectures and their implications for personal data processing. As a general rule, storing personal data in a blockchain should be avoided if this conflicts with data protection principles. The guidelines clarify roles and responsibilities of different actors, provide examples of data minimisation techniques, and highlight the importance of implementing technical and organisational measures at the earliest stages of design.

Cross-border enforcement: 414 cases, 572 final decisions

Quantitatively, the enforcement picture is substantial. According to the annual report, in 2025, 414 cross-border cases were created in the EDPB's case register. Of 1,299 procedures related to the One-Stop-Shop mechanism under Article 60 GDPR, 572 led to final decisions. There were 376 mutual assistance procedures and 4,200 voluntary assistance exchanges. No binding decisions were adopted by the EDPB during the year - a development the Board attributed to progress in building consensus among national authorities.

The EDPB Secretariat organised over 500 meetings throughout the year and processed over 10,000 inquiries across EDPB IT systems, up from 4,200 in 2024. More than 800 of those concerned the Internal Market Information (IMI) system. The EDPB was a party in 15 cases before the Court of Justice of the European Union (CJEU) during 2025.

The EDPB's annual 2025 Coordinated Enforcement Framework (CEF) action focused on the right to erasure under GDPR - one of the most frequently exercised rights and one that DPAs receive the most complaints about. According to the annual report, 32 DPAs participated and 764 controllers across Europe responded, ranging from SMEs to large corporations and public entities. The resulting EDPB report, published in February 2026, analyses recurring issues and provides non-binding recommendations. The 2024 CEF action had focused on the right of access; its report was published in January 2025.

AI oversight: LLM risks, auditing tools, and a new taskforce

The growing presence of artificial intelligence systems in data-intensive environments prompted several dedicated EDPB initiatives in 2025. The Support Pool of Experts (SPE) published a report on privacy risks and mitigations specific to Large Language Models, completed by external expert Isabel Barbera in April 2025. According to the report, LLMs are deep learning models trained on extensive datasets, with applications ranging from text generation to sentiment analysis. The report puts forward a risk management methodology and practical mitigation measures, illustrated through three use cases: a virtual assistant for customer queries, an LLM system for monitoring student progress, and an AI assistant for travel and schedule management.

In October 2025, the EDPB organised its third Bootcamp on AI and AI Auditing, bringing together 50 participants from 24 countries. The event included hands-on sessions on SDK analysis and algorithm creation.

The mandate of the ChatGPT Taskforce was extended during 2025 to cover Generative AI more broadly. According to the annual report, the scope of the Taskforce on Generative AI Enforcement is to serve as a platform for exchanging information on investigations related to generative AI cases, with a focus on entities without an establishment in Europe.

The EDPB's work on AI intersects directly with the digital advertising sector, where the use of legitimate interest as a legal basis for processing has come under sustained scrutiny. As the EDPB and European Commission advance joint guidelines on the AI Act-GDPR interplay - due throughout 2026 - questions around AI-driven targeting, profiling, and automated decision-making will move to the centre of regulatory debate.

Adequacy decisions: UK extended, Brazil assessed, EPO first

The EDPB delivered five adequacy-related opinions during 2025. The most notable operationally was Opinion 06/2025, which addressed a proposed six-month extension of the UK adequacy decisions under the GDPR and the Law Enforcement Directive - decisions that were set to expire on 27 June 2025. According to the annual report, the EDPB recognised the need for a technical and time-limited extension to 27 December 2025, to allow the European Commission to evaluate the updated UK legal framework. The EDPB characterised the extension as exceptional.

Opinion 26/2025, adopted in October 2025, addressed the UK adequacy decision under the GDPR with a proposed validity through December 2031. The Board positively noted continuing alignment between the UK and EU frameworks, but flagged concerns including the rules on transfers from the UK to third countries, the restructuring of the Information Commissioner's Office, and the use of technical capability notices requiring companies to circumvent encryption.

Opinion 07/2025 concerned the European Patent Organisation - the first adequacy decision ever addressed to an international organisation rather than a country. Opinion 28/2025, adopted in November 2025, covered Brazil's data protection framework. According to the annual report, the EDPB positively noted that the Brazilian framework is closely aligned with the GDPR and CJEU case law, though it flagged limitations on transparency related to commercial secrecy and questions about the applicability of Brazil's LGPD to criminal law enforcement processing.

Digital Omnibus and GDPR procedural regulation

The European Commission launched the Digital Omnibus proposal in November 2025, seeking to simplify aspects of the digital rulebook. The EDPB held plenary discussions on the proposal, and a joint EDPB-EDPS opinion was adopted in early 2026. PPC Land reported on the joint opinion's publication, noting that the EDPB and EDPS strongly urged co-legislators not to adopt proposed changes to the definition of personal data, characterising them as going far beyond a technical amendment and potentially narrowing GDPR protections significantly. The opinion also supported several elements of the proposal, including higher thresholds for data breach notification obligations and proposed common templates.

Separately, Regulation 2025/2518 - laying down additional procedural rules on the enforcement of GDPR - was adopted on 26 November 2025. According to the annual report, the regulation harmonises aspects of the enforcement procedure and introduces new legal definitions, steps, and deadlines. The EDPB adopted a practical implementation plan on 4 November 2025 to ensure DPAs are ready when the regulation becomes applicable on 2 April 2027.

E-commerce accounts and WADA: sector-specific recommendations

Two recommendations published in 2025 carry direct relevance for digital commerce and global organisations.

On 4 December 2025, the EDPB adopted Recommendations 2/2025 on the legal basis for requiring the creation of user accounts on e-commerce websites. According to the annual report, as a general rule, users should be able to make purchases without being required to create an account. The Board recommended that e-commerce websites offer alternatives such as a "guest" mode or voluntary account creation, in line with data protection by design and default. Mandatory account creation may be justified in limited circumstances, such as subscription-based services.

The EDPB also adopted Recommendations 1/2025 on the 2027 WADA World Anti-Doping Code on 11 February 2025. According to the annual report, the EDPB welcomed certain positive changes since its 2019 letter to WADA, but raised concerns about consent, purpose limitation, and attribution of roles.

Why this matters for the marketing community

The EDPB's 2025 annual report is not primarily a document about marketing, but its implications for anyone operating digital advertising infrastructure in Europe are substantial. The DMA-GDPR joint guidelines - once finalised - will set binding expectations for how large platforms structure consent for personalised advertising. The DSA-GDPR guidelines directly address advertising transparency, recommender systems, and profiling restrictions for minors. The pseudonymisation and blockchain guidelines affect how data publishers and ad tech companies design privacy-preserving architectures.

The record fine total reflects continued enforcement intensity. Ireland's 530 million euro TikTok fine - nearly half the European total for the year - illustrates the scale of penalties attached to international data transfer violations. The DMA-GDPR consultation process drew submissions from advertising watchdogs, civil society groups, and industry bodies, all seeking to shape rules that will govern how the largest platforms monetise European user data.

The EDPB's budget for 2025 was 8.823 million euros. The Secretariat comprised 47 staff members and organised over 500 meetings. The EDPB website attracted 317,187 visits and 1,516,687 page views during the year.

Timeline

  • 16 January 2025 - EDPB adopts Guidelines 1/2025 on pseudonymisation; position paper on interplay between data protection and competition law also adopted. PPC Land coverage
  • 11 February 2025 - EDPB adopts Statement 1/2025 on age assurance and Recommendations 1/2025 on the 2027 WADA World Anti-Doping Code. PPC Land on age verification
  • 29 January 2025 - General Court issues judgments in Joined Cases T-70/23, T-84/23 and T-111/23 (Data Protection Commission v EDPB)
  • 8 April 2025 - EDPB adopts Guidelines 02/2025 on blockchain technologies. PPC Land coverage
  • 30 April 2025 - Irish Data Protection Commission issues 530 million euro fine against TikTok for unlawful data transfers to China. PPC Land coverage
  • 5 May 2025 - EDPB adopts Opinion 06/2025 on UK adequacy extension and Opinion 07/2025 on the EPO adequacy decision
  • 4 June 2025 - EDPB adopts final version of Guidelines 02/2024 on Article 48 GDPR (data transfers to third-country authorities)
  • 8 July 2025 - EDPB and EDPS adopt Joint Opinion 01/2025 on the SME simplification regulation; EDPB adopts consistency opinions including on Nokia, Statkraft, and TUV certification criteria. PPC Land on TUV opinion
  • 1-2 July 2025 - High-level meeting in Helsinki; EDPB adopts Helsinki Statement on Enhanced Clarity, Support, and Engagement
  • 11 September 2025 - EDPB adopts Guidelines 3/2025 on DSA-GDPR interplay. PPC Land coverage
  • 9 October 2025 - EDPB and European Commission endorse joint guidelines on DMA-GDPR interplay; public consultation opens
  • 16 October 2025 - EDPB adopts Opinions 26/2025 and 27/2025 on UK adequacy decisions (GDPR and LED)
  • 4 November 2025 - EDPB adopts practical implementation plan for Procedural Regulation 2025/2518
  • 4 November 2025 - EDPB adopts Opinion 28/2025 on Brazil adequacy decision
  • 5 November 2025 - Public consultation opens on GDPR templates; closes 3 December 2025
  • 19 November 2025 - European Commission adopts Digital Omnibus proposal
  • 26 November 2025 - Regulation 2025/2518 on GDPR procedural rules adopted
  • 4 December 2025 - EDPB adopts Recommendations 2/2025 on user accounts on e-commerce websites; DMA-GDPR consultation closes with over 100 submissions. PPC Land on DMA-GDPR responses
  • December 2025 - Stakeholder event on anonymisation and pseudonymisation; second meeting of EDPB initiative with countries holding EU adequacy decisions
  • 9 April 2026 - EDPB publishes 2025 Annual Report

Summary

Who: The European Data Protection Board (EDPB), an independent EU body chaired by Anu Talus, composed of representatives from national data protection authorities across the European Economic Area and supported by a Secretariat of 47 staff.

What: The EDPB published its 2025 Annual Report, documenting over 1.14 billion euros in GDPR fines issued by national DPAs, the adoption of four new sets of guidelines (pseudonymisation, blockchain, DSA-GDPR, and joint DMA-GDPR), five adequacy opinions, 29 consistency opinions under Article 64(1) GDPR, 414 cross-border cases, and 572 One-Stop-Shop final decisions.

When: The report was published on 9 April 2026 and covers activities carried out throughout the 2025 calendar year.

Where: The EDPB is based in Brussels. Its work applies across all 27 EU member states and the European Economic Area, with global implications for companies processing data of EU residents.

Why: The report reflects the EDPB's response to an expanding digital regulatory framework - encompassing the GDPR, DSA, DMA, and AI Act - and the corresponding demand for clarification on how those frameworks interact. The Helsinki Statement, DMA-GDPR joint guidelines, and procedural regulation all represent efforts to reduce legal uncertainty for organisations while maintaining fundamental rights protections for individuals.

Share this article
The link has been copied!