This quarter brings concrete steps toward operational clarity on AI and data flows. At EU level, the EDPB moved on blockchain, DSA–GDPR interplay, and third-country requests, and flagged how record-keeping relief should work without weakening rights. National authorities increased inspections, guidance, and fines – Poland, the Netherlands, and Spain are active across public and private sectors – while Mexico and India progressed new frameworks and tooling. In Brazil, cooperation and sector regulation gained pace. The sections below distill what changed and what to check in your programs.
- Data protection in the EU
- Data protection in Poland
- Data protection in The Netherlands
- Data protection in Spain
- Data protection in Mexico
- Data protection in India
- Data protection in Brazil

Data protection in the EU

- EDPB adopts guidelines on processing personal data through blockchains and is ready to cooperate with AI office on guidelines on AI Act and EU data protection law
During its April 2025 plenary, the European Data Protection Board (EDPB) adopted guidelines on processing of personal data through blockchain technologies. A blockchain is a distributed digital ledger system that can confirm transactions and establish who owned a digital asset (such as cryptocurrency) at a given time. Blockchains can also support the secure handling and transfer of data, ensuring its integrity and traceability.
As the use of blockchain technologies is expanding, the Board considers it important to help organisations using these technologies to comply with the GDPR.
In its guidelines, the EDPB explains how blockchains work, assessing the different possible architectures and their implications for the processing of personal data.
The guidelines highlight the importance of implementing technical and organisational measures at the earliest stages of the design of the processing. The EDPB also clarifies that the roles and responsibilities of the different actors in a blockchain-related processing of personal data should be assessed during the design of the processing.
In addition, organisations should carry out a Data Protection Impact Assessment (DPIA) before processing personal data through blockchain technologies, where the processing is likely to result in a high risk to the rights and freedoms of individuals.
According to the Board, organisations should also ensure the highest protection of individuals’ personal data during the processing so that they are not made accessible to an indefinite number of persons by default.
The guidelines provide examples of different techniques for data minimisation, as well as for handling and storing personal data. As a general rule, storing personal data in a blockchain should be avoided if this conflicts with data protection principles.
Finally, the Board highlights the importance of the rights of individuals especially regarding transparency, rectification and erasure of personal data.
The guidelines will be subject to public consultation until 9 June 2025, providing stakeholders with the opportunity to comment.
During its latest plenary, the EDPB also decided to closely cooperate with the AI Office in relation to the drafting of the guidelines on the interplay between the AI Act and EU data protection legislation.
- EDPB publishes final version of guidelines on data transfers to third country authorities and SPE training material on AI and data protection
During its latest plenary, the European Data Protection Board (EDPB) adopted the final version of its guidelines on Art. 48 GDPR about data transfers to third country authorities, after public consultation. In addition, the Board presented two new Support Pool of Experts (SPE) projects providing training material on artificial intelligence and data protection. Finally, the Board discussed the European Commission’s request for a joint EDPB-EDPS opinion on the draft proposal on the simplification of record-keeping obligation under the GDPR.
- Data transfers to third country authorities
Following public consultation, the EDPB has adopted the final version of the guidelines on data transfers to third country authorities. In its guidelines, the EDPB zooms in on Art. 48 GDPR and clarifies how organisations can best assess under which conditions they can lawfully respond to requests for a transfer of personal data from third country authorities (i.e. authorities from non-European countries).
The EDPB explains that judgements or decisions from third country authorities cannot automatically be recognised or enforced in Europe. As a general rule, an international agreement may provide for both a legal basis and a ground for transfer. In case there is no international agreement, or if the agreement does not provide for an appropriate legal basis or safeguards, other legal bases or other grounds for transfer could be considered, in exceptional circumstances and on a case by case basis.
The modifications introduced in the updated guidelines do not change their orientation, but they aim to provide further clarifications on different aspects that were brought up in the consultation. For example, the updated guidelines address the situation where the recipient of a request is a processor. In addition, they provide additional details regarding the situation where a parent company in a third country receives a request from that third country authority and then requests the personal data from its subsidiary in Europe.
- Upskilling and reskilling on AI and data protection
During its June plenary, the EDPB also presented two new Support Pool of Experts (SPE) projects: Law & Compliance in AI Security and Data Protection and Fundamentals of Secure AI Systems with Personal Data. The two projects, which have been launched at the request of the Hellenic Data Protection Authority (HDPA), provide training material on AI and data protection.
The report “Law & Compliance in AI Security & Data Protection” is addressed to professionals with a legal focus like data protection officers (DPO) or privacy professionals.
The second report, “Fundamentals of Secure AI Systems with Personal Data”, is oriented toward professionals with a technical focus like cybersecurity professionals, developers or deployers of high-risk AI systems.
The main aim of these projects is to address the critical shortage of skills on AI and data protection, which is seen as a key obstacle to the use of privacy-friendly AI. The training material will help equip professionals with essential competences in AI and data protection to create a more favourable environment for the enforcement of data protection legislation.
The Board decided to publish both documents as PDF files. Taking into account the very fast evolution of AI, the EDPB also decided to launch a new innovative initiative as a one-year pilot project consisting of a modifiable community version of the reports. The EDPB will start working with the authors of both reports to import them into its Git repository to allow, in the near future, any external contributor with an account on this platform, and under the conditions of the Creative Commons Attribution-ShareAlike license, to propose changes or add comments to the documents.
- Simplification of record-keeping obligation under the GDPR
Finally, the Board discussed the European Commission's request for a joint opinion by the EDPB and the European Data Protection Supervisor (EDPS) on its proposal to simplify the record-keeping obligations of small and medium-sized enterprises (SMEs), small mid-caps (SMCs) and organisations with fewer than 750 employees, amounting to a targeted amendment of Art. 30(5) GDPR. The EDPB and EDPS will issue their joint opinion on this matter within eight weeks.
- Targeted modifications of the GDPR: EDPB & EDPS welcome simplification of record keeping obligations and request further clarifications
The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) issued today a Joint Opinion on the European Commission’s Proposal for a Regulation amending certain regulations, including the GDPR.
The Proposal, part of the fourth simplification Omnibus, aims to simplify EU rules and reduce administrative burden, extending certain mitigating measures available for small and medium sized enterprises (SMEs) to small mid-cap enterprises (SMCs), and includes further simplification measures.
The Proposal aims to modify Art. 30(5) GDPR, providing a derogation to the obligation to keep a record of data processing operations. Currently, this derogation only applies to enterprises and organisations with fewer than 250 employees, except in certain cases. Under the Proposal, the derogation would apply to an enterprise or organisation employing fewer than 750 people, unless the processing operation carried out is likely to result in a high risk to individuals’ rights and freedoms, within the meaning of Art. 35 GDPR.
In addition, the Proposal introduces a definition of SME and SMC in Art. 4 GDPR and extends to SMCs the scope of Art. 40(1) and 42(1) GDPR, which refer to codes of conduct and certification. These tools are currently designed to help enterprises and organisations demonstrate compliance with the GDPR, focusing on the specific needs of SMEs.
As regards the organisations subject to the derogation, considering that the Proposal impacts legislation in other policy areas, the EDPB and the EDPS expect further clarifications on why the new threshold of enterprises or organisations employing fewer than 750 persons would be more appropriate under the GDPR, rather than the threshold of 500 employees initially considered. In addition, the new exemption in Art. 30(5) refers to ‘enterprises employing fewer than 750 employees’ without referring to the newly introduced definitions of SME and SMC, which also include financial criteria. In order to ensure that the exemption will benefit SMEs and SMCs, the EDPB and the EDPS’s Joint Opinion recommends referring to the newly introduced definitions of SME and SMC.
The EDPB and EDPS also ask the co-legislators to clarify in the Proposal that the term ‘organisation’, falling within the scope of the proposed derogation under Art. 30(5) GDPR, does not include public authorities and bodies.
- Interplay between the DSA and the GDPR: EDPB adopts guidelines
During its September plenary meeting, the European Data Protection Board (EDPB) adopted guidelines on the interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR). These are the first set of EDPB guidelines on the interplay between the GDPR and the EU’s recently adopted digital laws.
The DSA aims to complement the rules of the GDPR to ensure the highest level of protection of fundamental rights in the digital space. Its main goal is to create a safer online environment in which the fundamental rights of all users, including the right to freedom of expression, are protected. It applies to online intermediary services, such as search engines and platforms.
Several provisions included in the DSA entail the processing of personal data by intermediary service providers. The EDPB guidelines contribute to the consistent application of the DSA and of the GDPR, insofar as some provisions of the DSA concern the processing of personal data by intermediary service providers and include references to GDPR concepts and definitions.
While it is up to the competent authorities under the DSA - with the support of the European Board for Digital Services and EU courts - to interpret the DSA, there are a number of provisions which relate to the GDPR.
The EDPB guidelines help to understand how the GDPR should be applied in the context of DSA obligations.
The EDPB also provides practical guidance on cross-regulatory cooperation between authorities to coordinate enforcement, which will provide more legal certainty for intermediary service providers and ultimately protect the rights and freedoms of individuals.
Data protection in Poland

- A resolution of the Supreme Administrative Court is necessary regarding the Act on the Institute of National Remembrance
There has been a discrepancy in administrative court rulings regarding whether GDPR provisions apply to data collected in the databases of the Institute of National Remembrance (IPN). Mirosław Wróblewski, President of the Personal Data Protection Office, has referred the matter to the Commissioner for Human Rights.
In accordance with the existing case law of administrative courts, Article 71 of the Act on the Institute of National Remembrance does not exclude the supervisory powers of the President of the Personal Data Protection Office established in the GDPR regarding the processing of personal data by the Institute of National Remembrance, but extends them to include data of deceased persons.
- Public broadcasters must ensure that data is processed in accordance with the law
In connection with the case of Polish Radio Szczecin, which was fined for the lack of standards in data processing, the President of the Personal Data Protection Office reminds Polish Radio of the principles of personal data protection and asks it to deal with this issue comprehensively.
The President of the Personal Data Protection Office (UODO) recalls that after the disclosure of the data of a child who later committed suicide, he conducted an inspection of Polish Radio Szczecin. It was found that the station had failed to comply with personal data protection standards. As a result, the Office imposed an administrative fine on the station.
- Personal data protection in education – activities of the Personal Data Protection Office and the Ministry of Education
As a result of efforts to raise awareness of personal data protection, content on this topic will be expanded into the core school curriculum. Recognizing the importance of privacy protection and secure data processing, the Ministry of Education has introduced new regulations that will better prepare young people to function consciously in the digital world.
According to information provided by the Ministry of Education, starting September 1, 2025, students will learn about personal data protection not only in computer science and ethics, but also in civic education and health education. This is a significant step that will allow young people to better understand issues related to privacy protection, responsible processing of personal data, and the safe use of digital technologies.
- The election campaign does not exempt from the protection of personal data
The President of the Personal Data Protection Office, Mirosław Wróblewski, appeals to politicians – candidates and their election committees – not to forget about the need to ensure personal data protection rules and not to disclose citizens' data when competing for the highest office in the country.
Being a public figure, especially a politician campaigning for the office of President of the Republic of Poland, does not exempt you from the need to comply with personal data protection rules. Quite the opposite. Politicians should be expected to uphold the highest standards and set good examples in the area of personal data protection.
- Registration for research must take into account data protection principles
Simplifying and accelerating registration for healthcare services and facilitating access to information about available appointments – these are the main objectives of the draft amendment to the Act on Healthcare Services Financed from Public Funds and Other Acts, which envisages the creation of a central medical registration system for tests and medical appointments. This system will utilize new technologies, so according to Mirosław Wróblewski, President of the Personal Data Protection Office (UODO), solutions in this area must take into account the personal data protection provisions of the GDPR.
The new regulations proposed by the Ministry of Health assume the use of new technologies to process health information, as well as voice processing for callers. The adoption of such solutions should be subject to a regulatory impact assessment for data protection reasons.
The President of the Personal Data Protection Office (UODO) presented his comments on these solutions to the Minister of Health.
The project assumes the maintenance of a central electronic registration system in which the following will be entered via an IT system:
• personal data of natural persons,
• including potentially biometric data, i.e. resulting from special technical processing, using a voice assistant.
- How to protect a data protection officer from dismissal. A case before the EFTA Court
The Republic of Poland's participation in the proceedings before the EFTA Court in Case E-5/25 Silbernagl (personal data protection – grounds for dismissal of the data protection officer) is justified. This position was conveyed by the President of the Personal Data Protection Office, Mirosław Wróblewski, to the Chancellery of the Prime Minister. The dispute concerns the dismissal of the data protection officer (DPO).
The plaintiff (Rainer Silbernagl) was appointed to the position of DPO and employed by the University of Liechtenstein. Subsequently, pursuant to an amendment, he was additionally employed as a postdoctoral fellow and chair professor.
Later, regulations came into effect that stipulated that the postdoctoral position could not be combined with other university employment. For this reason, Rainer Silbernagl's employment was terminated.
The plaintiff claims that the termination was without just cause and was invalid. The defendant argues that the GDPR and national regulations do not provide any protection against dismissal under labor law. The courts of first and second instance dismissed the plaintiff's claims. However, the case was brought before the Princely Supreme Court and the Constitutional Tribunal.
- The protection of personal data of natural persons should be the basis for risk analysis
The President of the Personal Data Protection Office, Mirosław Wróblewski, imposed a fine of PLN 66,500 on the L. Zamenhof University Children's Clinical Hospital in Białystok for failure to implement appropriate technical and organizational measures.
Description of the circumstances of the case
The decision was issued in response to a security incident involving a breach of the hospital's IT infrastructure and its infection with ransomware. As a result, access to IT systems was blocked, resulting in a breach of the confidentiality and availability of the personal data of approximately 2,000 employees, including the possibility of unauthorized access. However, the systems responsible for processing patient personal data were not compromised.
Lack of a thoroughly conducted risk analysis
The definition of controller obligations under Regulation 2016/679 (GDPR) is based on risk criteria. Designing processing mechanisms should be a two-stage process. First, the controller must analyze the risk to the rights and freedoms of natural persons resulting from the processing of their personal data. The next step is to determine the appropriate technical and organizational measures to ensure compliance with Regulation 2016/679, including a level of security appropriate to this risk.
However, in the circumstances of this case, the risk analysis was not carried out correctly.
Firstly, the analysis was carried out on the basis of a flawed procedure, according to which the risk assessment of possible threats was carried out from the perspective of the Hospital as an organisation, and not from the perspective of protecting data subjects.
Secondly, the hospital did not specify which processing operations it analyzed, nor did it link these operations to identified threats, vulnerabilities, or the final risk assessment. To ensure an adequate level of protection, a very general indication of potential threats and their likelihood of occurrence is not sufficient; it is necessary to link them to the nature, scope, context, and purpose of personal data processing within a given organization.
Third, the hospital's description of the proposed risk management actions also demonstrates that the hospital conducted a risk analysis in an inaccurate manner. The supervisory authority found that the documents adopted by the hospital, intended to demonstrate the risk analysis, were inconsistent, full of ambiguities, and did not include specific organizational and technical solutions correlated, as indicated above, with appropriately identified threats.
Cybersecurity is not the same as personal data protection
When explaining the technical measures it used to secure its IT systems, the controller cited an audit conducted to assess compliance with the National Cybersecurity System Act. However, this act focuses primarily on ensuring a secure and uninterrupted service delivery system, and not—as is the case with Regulation 2016/679—on protecting the rights and freedoms of natural persons.
It is also significant that the hospital did not implement an appropriate procedure for performing and documenting recovery tests, and did not apply appropriate security measures for the backup copies created, which could have contributed to the fact that after the incident, the hospital was unable to fully restore the data lost as a result of the event.
Regular testing and documentation
The hospital's failure to regularly test, measure, and evaluate the effectiveness of its technical and organizational data security measures is another non-compliance with data protection regulations identified by the supervisory authority. In any case, the controller was unable to demonstrate any documentation of such security reviews, which not only contradicts the principle of accountability referred to in Article 5(2) of Regulation 2016/679 but also excludes the transparency of the remedial actions taken.
- AI policy should take privacy protection into greater consideration
Mirosław Wróblewski, President of the Personal Data Protection Office (UODO), presented his comments on the draft "Artificial Intelligence Development Policy in Poland until 2030," which was submitted for public consultation. These comments were developed following an internal debate between UODO experts and members of the Artificial Intelligence Working Group of the UODO President's Social Expert Team, as well as the UODO President's Social Expert Team. The resulting conclusions were forwarded to the Ministry of Digital Affairs.
The planned goals and actions in the development of artificial intelligence in Poland should respond to the challenges in the area of security in all its aspects, also from the perspective of guaranteeing the right to personal data protection and the right to privacy.
According to the President of the Personal Data Protection Office (UODO), the general, horizontal approach to assessing personal data security presented in the "Artificial Intelligence Development Policy" is insufficient, and the proper setting of personal data protection standards requires consideration of the sectoral context for individual areas of state operation. The "Artificial Intelligence Development Policy" should include specific solutions regarding the plan to create a legal framework for the development of artificial intelligence in Poland, taking into account the EU regulatory system, both horizontally and sectorally.
The implementation of artificial intelligence in specific areas of state functioning and public administration departments requires, first of all, a review of the applicable regulations and the creation of a legal basis for actions undertaken by public bodies or entities performing public tasks using artificial intelligence tools, consistent with the constitutional principle of the rule of law and with respect for individual rights in the law-making process.
Data protection in The Netherlands

- European data protection regulators to investigate right to data erasure
This year, the Dutch Data Protection Authority (DPA), together with other European data protection authorities, will investigate the extent to which organizations comply with the rules regarding the right to erasure. In the coming period, the DPA will monitor companies and government bodies in the Netherlands. The investigation is a joint project of the European data protection authorities, united in the European Data Protection Board (EDPB).
Right to delete data
People have the right to have organizations erase the personal data that those organizations process about them. This right is intended to give people more control over their personal data. As soon as there is no longer a good reason to process someone's personal data, an organization must delete it.
Other privacy rights
Besides the right to erasure, people also have other privacy rights. These include the right to access their personal data, which the EDPB investigated in 2024. The EDPB concluded that many organizations do not handle access requests properly. Another important privacy right is the right to rectification. This allows people to ask organizations to rectify (change) their personal data if it is inaccurate.
Deleting data in practice
In practice, things often go wrong when people want their data erased. The Dutch Data Protection Authority (AP) frequently receives complaints about this. For example, about organizations that fail to respond or respond too late to a request for data erasure.
In the coming period, the Dutch Data Protection Authority (AP) will be contacting various organizations with a questionnaire. The aim is to explore how organizations implement the right to data erasure in practice. If the responses reveal potential violations, the AP can investigate further and take enforcement action where necessary.
The EDPB will aggregate and report on the results from all participating countries.
- AP to inspect municipalities
The Dutch Data Protection Authority (AP) will be conducting random inspections of various municipalities in the coming months. The purpose of these inspections is to monitor how municipalities handle citizens' personal data and privacy, and to guide municipalities in the right direction where necessary.
"Everyone has to deal with the municipality. It's the one-stop shop for many personal matters in your life," says AP vice-chair Monique Verdier. "Think of registering the birth of your child, the death of a family member, applying for a passport, or renewing your driver's license."
In short, municipalities use a great deal of data from their residents. Verdier: "You must be able to trust that the municipality will handle your data with the utmost care. The Dutch Data Protection Authority (AP) sometimes still sees municipalities struggling with this. With the random sample survey, the AP will draw attention to this issue in the coming period and help municipalities get on the right track. Perhaps things aren't clear enough yet, or municipalities are unsure about exactly what they should do. The AP can provide clarity in that regard. Many people know the AP from the fines we issue; less well-known is that we dedicate a great deal of our resources to helping. Hopefully, this will now become more visible."
- AP: Police cannot retain data longer than legally permitted
The Dutch Data Protection Authority (AP) has informed the House of Representatives that retaining police data longer than legally permitted is unacceptable. The police are currently exceeding the statutory retention periods for data on millions of innocent people, posing significant risks to the individuals concerned. If the House wants this data to be retained longer, this will only be possible if the law is amended.
The Council of State previously advised the Ministry of Justice and Security (JenV) to ensure that the police comply with the law in this regard. Several members of the House of Representatives urged the Minister not to destroy the data. In a letter to Parliament, the AP emphasized the crucial importance of the government—and especially the police—complying with the law. It also emphasized that this data is not necessary for investigating cold cases, but poses significant risks for millions of Dutch citizens if the police fail to comply with the retention periods.
- AP: Data theft by cybercriminals doubled
The number of data thefts by cybercriminals almost doubled in 2024, according to the Dutch Data Protection Authority (AP) in its annual overview of data breaches in the Netherlands. Cybercriminals steal personal information and threaten to sell it or post it online.
"Be extremely vigilant about your data, where you store it, and who you share it with," warns AP director Katja Mur. "The worst things can happen if criminals get their hands on your data. Using your phone number or email address, they can send you fake messages that are barely distinguishable from the real thing, trying to scam you and steal your money. With a copy of your passport, someone can impersonate you online, for example, by signing up for a phone plan and running illegal businesses in your name. So be extremely vigilant."
- AP supports European efforts to reduce regulatory burden, but not at the expense of citizens
The European Commission wants to simplify regulations to reduce the regulatory burden on smaller businesses. Therefore, the Commission is amending several laws, including the General Data Protection Regulation (GDPR). This is a good goal, and it should certainly be implemented where possible, according to the Dutch Data Protection Authority (DPA) and other European privacy regulators. But only if this does not compromise the protection of people's fundamental rights.
This is stated in a joint opinion from the European data protection authorities, including the Dutch Data Protection Authority (AP). They are responding to a proposal from the European Commission to amend the GDPR to reduce the regulatory burden on companies with up to 750 employees.
No mandatory processing register
The rules regarding processing registers are being clarified, making it easier for companies to determine whether they are required to maintain a processing register. The Commission proposes that these companies will no longer have to maintain a processing register, as long as there is no high-risk processing. A processing register is an overview of all processing of personal data within an organization.
In addition, a new group of companies will fall under the exemption. Currently, this exemption only applies to organizations with fewer than 250 employees (unless there are certain situations that pose a risk to citizens). The Commission therefore wants to raise that threshold to 750, and the exemption will not apply only in cases of high risk, such as in the case of blacklists, credit scores, or systematic profiling.
Improvement proposals
The European privacy watchdogs consider this a good initiative. However, they do have areas for improvement, the most important of which are:
• Make it clear that the exception does not apply to government organizations. Government organizations have a particularly significant responsibility towards citizens and must set an example. It is currently unclear from the text whether the new exception also applies to government organizations.
• Make it clear that smaller companies should only register so-called high-risk processing operations in their processing register. A small company with one high-risk processing operation then doesn't have to register all other, less risky processing operations. This way, the regulatory burden for these companies remains limited as well.
The European Parliament and the European Council will now consider the proposal. This proposal to simplify the GDPR is part of a series of measures the European Commission intends to take to reduce the regulatory burden on small businesses. More proposals to amend the GDPR may follow. The data protection authorities will also review these proposals and issue recommendations where necessary.
- AP: Tax authorities must stop systems with privacy risks
The Dutch Data Protection Authority (AP) has ordered the Dutch Tax and Customs Administration to replace two systems as quickly as possible and to adapt four others as quickly as possible. The AP has determined that several of the Dutch Tax and Customs Administration's systems do not comply with privacy legislation. The AP reached this conclusion after examining five Dutch Tax and Customs Administration systems and one system.
This investigation was prompted by KPMG's February 7, 2025, report on the Risk Analysis Model (RAM). The Dutch Tax and Customs Administration used this system in widespread violation of privacy legislation until May 25, 2018. KPMG deemed the systems investigated by the AP to be "comparable to RAM" and therefore brought them to the AP's attention.
- Algorithm registration in the Netherlands must be improved
Governments and organizations are making too little progress in registering the algorithms and AI systems they use. As a result, it's often unclear to citizens and customers what and how governments and organizations use AI and algorithms. A comprehensive algorithm register is the foundation for transparency, protection of fundamental rights, and explainability and verifiability in the use of algorithms and AI.
The Dutch Data Protection Authority (AP), as the coordinating supervisory authority for algorithms and AI, is therefore calling for mandatory algorithm registration for government organizations. The AP encourages other industries and sectors to work more intensively on establishing algorithm registers. To help government bodies and businesses get started, the AP is publishing eight guidelines in the document "Getting started with algorithm registration."
Since the beginning of 2023, 1,000 algorithms have been included in the Dutch government's Algorithm Register. The City of Amsterdam and Customs are leading the way and, along with a group of other public organizations, are setting a good example.
However, the AP observes that most government organizations are missing. More than half of municipalities have not yet registered any algorithms. Of the independent administrative bodies, more than three-quarters have not registered anything at all. A fundamental rights assessment is missing for almost all registered algorithms. This has only been done in 5 percent of cases.
With 1,000 registered algorithms, the pioneering phase is over. To take the next step, the Dutch Data Protection Authority (AP) is therefore advocating for a registration requirement for government organizations.
- AP concerned about LinkedIn's AI training and calls on users to adjust settings
Users who do not want LinkedIn to use their data to train AI models must disable this before November 3rd. The Dutch Data Protection Authority (AP) is urging people to do so.
The Dutch Data Protection Authority (AP) is deeply concerned about LinkedIn's plans to use user data in Europe to train its own artificial intelligence (AI) starting November 3, 2025. This data includes profile information and public content shared in the past. Once this data is in LinkedIn's AI systems, it will be impossible to retrieve, and users will lose control over their data.
What data will LinkedIn use?
According to LinkedIn, this includes profile information such as name, photo, current job title, work experience, education, location, and skills. Public content, such as posts, articles, comments, and polls, is also included. Private messages are not used, according to LinkedIn. Exceptions apply for minors and educational accounts.
This is how you turn it off
The "Data for Generative AI Improvement" setting is enabled by default. This means that all LinkedIn users' data will automatically be used for AI training unless the setting is actively disabled. Anyone who does not want personal data used for LinkedIn AI training must opt out before November 3rd via this link or in the app under "Settings & Privacy → Data Privacy → Data for Generative AI Improvement" and disable the switch.
Concerns of the AP
Monique Verdier, vice-chair of the AP: "We see significant risks in the announced plans. LinkedIn wants to use data dating back to 2003, while people shared that information at the time without foreseeing it would be used for AI training. Once that data is in an AI model, you lose control: it's impossible to extract, and the consequences are difficult to predict. Caution is especially important with sensitive personal data—such as data on health, ethnicity, religion, or political affiliation. Therefore, we urge everyone to adjust their settings before November 3rd if you do not want data to be used for AI training."
Role of the AP
It's not yet a foregone conclusion whether LinkedIn will be allowed to do what it plans to do. LinkedIn's GDPR oversight falls under the jurisdiction of the Irish Data Protection Authority (DPC), as that's where its European headquarters are located. The Dutch Data Protection Authority (AP) is working closely with the DPC and other European data protection authorities regarding LinkedIn's announcement. The AP has already received complaints that are being addressed in collaboration with the DPC.
Data protection in Spain

- The Agency and the European Supervisor discuss the advantages and challenges of federated learning for training AI models
The Spanish Data Protection Agency (AEPD) and the European Data Protection Supervisor (EDPS) have published a joint report analyzing the key role of Federated Learning as a tool to advance artificial intelligence models that are more respectful of the protection of personal data.
The growing need to process large volumes of data has led to the development of technologies such as federated learning, which allows AI models to be trained using decentralized data. This technology is strategic at a time when organizations are seeking to balance technological innovation with data protection compliance.
Federated learning involves training models locally on each device or entity, and only the results are shared, without the need to send the original data to a central server. This feature helps mitigate privacy risks, especially in key scenarios. Among the most notable use cases highlighted in the report are the development of AI models in the healthcare sector—with particularly sensitive data—as well as in voice assistants and autonomous vehicles.
Federated learning aligns with data protection principles such as minimization and purpose limitation, ensuring that information remains under the control of the data controller and is not exposed to third parties. It also improves compliance with proactive accountability and the auditability of processing operations.
On the other hand, federated learning is considered a dual-use technology, both for protecting privacy and boosting the digital economy. Thus, it contributes to effective data governance, allowing various entities to collaborate on training AI models, even with data that, due to its strategic, sensitive, or confidential nature, would never be shared otherwise. The report also highlights the challenges facing Federated Learning.
The report underscores the need to implement comprehensive security across the entire federated learning ecosystem and to ensure data quality, avoiding bias. In this regard, the report emphasizes that it is essential not to assume that the exchanged parameters or the resulting models are anonymous without a thorough technical and legal analysis.
To fully realize the potential of federated learning, the report emphasizes the importance of adopting an approach that prioritizes data protection by design. This involves implementing data processing solutions that reduce risk to individuals, enable access to data, and increase trust for diverse actors entering the digital economy.
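The report's caution that exchanged parameters should not be assumed anonymous can be made concrete. The following is an added example, not taken from the AEPD/EDPS report: it runs federated averaging on a toy linear model and checks that the update sent by a client holding a single record points exactly along that record's feature vector. The model, the constructed data and all function names are assumptions made for illustration.

```python
"""Federated averaging (FedAvg) on a toy linear model, standard library only.
All records are constructed sample data; names are illustrative assumptions."""
import math
import random

TRUE_W = [2.0, -1.0, 0.5]  # constructed ground truth used to label the data


def predict(w, x):
    return sum(wi * xi for wi, xi in zip(w, x))


def local_update(global_w, records, lr=0.2):
    """Client side: one gradient step on local records; only the delta leaves."""
    grad = [0.0] * len(global_w)
    for x, y in records:
        err = predict(global_w, x) - y
        for i, xi in enumerate(x):
            grad[i] += 2.0 * err * xi / len(records)
    return [-lr * g for g in grad]


def aggregate(global_w, updates):
    """Server side: sample-weighted mean of client deltas. The server only
    ever receives (delta, record_count) pairs, never the records."""
    total = sum(n for _, n in updates)
    return [
        gw + sum(delta[i] * n for delta, n in updates) / total
        for i, gw in enumerate(global_w)
    ]


def train(clients, dim, rounds=500):
    """Run FedAvg rounds over a list of clients (each a list of records)."""
    w = [0.0] * dim
    for _ in range(rounds):
        updates = [(local_update(w, recs), len(recs)) for recs in clients]
        w = aggregate(w, updates)
    return w


def make_clients(sizes, seed=7):
    """Build constructed, noise-free records for each client."""
    rng = random.Random(seed)
    clients = []
    for n in sizes:
        recs = []
        for _ in range(n):
            x = [rng.uniform(-1.0, 1.0) for _ in TRUE_W]
            recs.append((x, predict(TRUE_W, x)))
        clients.append(recs)
    return clients


def cosine(a, b):
    na = math.sqrt(sum(v * v for v in a))
    nb = math.sqrt(sum(v * v for v in b))
    if na == 0.0 or nb == 0.0:
        return 0.0
    return sum(p * q for p, q in zip(a, b)) / (na * nb)


def single_record_exposure(record, dim):
    """Alignment between a one-record client's update and its record.
    A value of 1.0 means the shared parameters reveal the direction of the
    individual's feature vector, so the update is not anonymous data."""
    x, _ = record
    update = local_update([0.0] * dim, [record])
    return abs(cosine(update, x))


if __name__ == "__main__":
    clients = make_clients([40, 59, 1])
    print("learned weights:", [round(v, 3) for v in train(clients, 3)])
    rec = ([0.8, -0.3, 0.5], predict(TRUE_W, [0.8, -0.3, 0.5]))
    print("single-record exposure:", single_record_exposure(rec, 3))
```

Clients with very few records are where this matters most, which is one reason a per-deployment analysis of update granularity, minimum cohort size and any added protections belongs in the design phase.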
- The AEPD informs that it is not permitted to request a copy of the DNI or passport in accommodations
The Spanish Data Protection Agency (AEPD) has published an information note that addresses various aspects related to the identification of people who are going to reserve or hire accommodation. The objective of the document, which was prepared by the Agency and previously submitted to both the Ministry of the Interior and the confederation that represents companies that provide accommodation services, is to avoid risks to people's privacy.
Royal Decree 933/2021 establishes the obligation of the owner of the accommodation activity to collect certain data from the people who use their services. The Agency establishes in the note that this collection of information does not authorize requesting a copy of the client's ID, as this would violate the principle of data minimization and constitute excessive processing.
Documents such as the DNI include additional information beyond that required by law (such as a photograph, expiration date, National Identity Document (CAN), or parents' names), the handling of which increases the risk of identity theft. Furthermore, the DNI does not include all the information requested in Royal Decree 933/2021, so it is not a valid means of complying with the law. Furthermore, sending a copy of the document does not allow for the reliable verification of the identity of the person submitting it.
To comply with the legal obligation, the Agency believes that guests must provide the information detailed in the relevant sections of the Royal Decree, which can be collected using an in-person or online form.
To authenticate the data provided, in the case of in-person verification, a visual verification of the document would suffice. If this is done online, we recommend using mechanisms such as digital certificates, verification with the data associated with the payment method, or authentication via codes sent to the customer's phone or email.
In any case, any other procedure used must be evaluated by the data controller, always ensuring its compatibility with data protection regulations.
- The AEPD reminds that it can now act against prohibited AI systems that process personal data, regardless of the entry into force of the AI Regulation
The Spanish Data Protection Agency (AEPD) has conducted an analysis of the scope and powers of this authority in accordance with Article 5 of Regulation 2024/1689 on Artificial Intelligence (RIA). As provided for in Article 113 of this regulation, a series of sections will come into force as of August 2, 2025, including the supervisory and sanctioning regime applicable to Article 5, relating to prohibited artificial intelligence systems. These systems include remote biometric identification in real time in public spaces.
In this regard, it should be noted that the Spanish draft AI law has not yet been approved. The current version of the law provides for the AEPD to assume market surveillance authority functions in areas where the Regulation requires functional independence, as is the case with certain categories of prohibited systems. In the absence of a national legal basis, the AEPD has not yet been formally assigned the status of market surveillance authority for the purposes of the RIA.
However, it is important to highlight that the AEPD's status as the competent authority for personal data protection remains unchanged. This includes, under its supervisory and control duties, processing carried out using artificial intelligence. Therefore, although this is not a direct application of the AI Regulation, the AEPD may supervise and act against processing of personal data carried out using prohibited systems, to the extent that it affects the right to data protection.
The Agency recommends that entities implementing or providing applications and services based on AI systems, as soon as they become obligated by the future full implementation of the RIA, be prepared to meet their obligations by taking appropriate measures to ensure full compliance.
Internally, in anticipation of the future functions assigned by the RIA, the AEPD also highlights the need to strengthen its technical, human, and budgetary capacities that the assumption of these new functions entails, so that it can progressively assume the new responsibilities arising from this regulatory development.
- The Agency and the Brazilian Data Protection Authority expand their institutional collaboration
The President of the Spanish Data Protection Agency (AEPD), Lorenzo Cotino, and the Director-President of the Brazilian National Data Protection Authority (ANPD), Waldemar Gonçalves, have signed the renewal of the existing Memorandum of Understanding (MOU), thus strengthening the foundations of institutional collaboration between both authorities. The renewal of the MOU took place within the framework of the Global Privacy Assembly (GPA), which is being held in Seoul, Korea, and in which more than 140 authorities from 90 countries are participating.
The MOU focuses on developing joint actions to promote the dissemination and practical application of data protection issues, and also aims to provide a framework for the exchange of technical knowledge and practices to strengthen their capacities.
Regarding commitments, the authorities have undertaken to promote specific technical cooperation mechanisms to exchange knowledge and experiences; encourage research, studies, analyses, and reports; collaborate on guides, tools, and other materials aimed at facilitating compliance with data protection legislation; and develop joint initiatives, primarily within the framework of international programs and projects.
Ibero-American Data Protection Network
One of the most outstanding achievements in the field of cooperation promoted within the framework of the Ibero-American Data Protection Network, a forum currently chaired by the ANPD and in which the Agency holds the permanent secretariat, was the approval of the "Ibero-American Data Protection Standards." These Standards establish that "Ibero-American states may adopt mechanisms aimed at promoting knowledge and sharing of best practices and experiences in the area of personal data protection."
Data protection in Mexico

- New Federal Law for the Protection of Personal Data in Possession of Private Parties
On March 20, 2025, the new Federal Law for the Protection of Personal Data in Possession of Private Parties (NFLPPDPPP) was published in the Official Gazette of the Federation. It entered into force on March 21st, 2025, abrogating the previous Federal Law for the Protection of Personal Data in Possession of Private Parties (FLPPDPPP).
The main purpose of the NFLPPDPPP is to standardize rules, principles, bases and procedures in the exercise of the right to the protection of personal data held by private parties; to establish that the Anti-Corruption and Good Governance Ministry (the “Ministry”) will be the protective authority of personal data in possession of private parties, replacing the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI); and to specify that the amparo trial will proceed against the resolutions issued by the Ministry and will be heard by judges and courts specialized in the matter.
- Mexico: Ministry launches new institutions for transparency and personal data protection
On May 12, 2025, Mexico's Ministry of Anticorruption and Good Governance announced the creation of two new bodies, the Transparency for the People and the Personal Data Protection Unit, to assume 80% of INAI's functions. A Specialized Court will be established under the judiciary to enhance democracy in transparency and access to public information. The Ministry will oversee personal data violations, while the National Transparency Platform will remain operational and be improved. Efforts to address unresolved issues from the dissolved INAI will commence on June 4, 2025.
Data protection in India

- The Impact of India’s New Digital Personal Data Protection Rules
The Ministry of Electronics and Information Technology (MeitY) has recently released the much-awaited draft of the Digital Personal Data Protection Rules, 2025 (Rules) for public consultation. These proposed Rules provide important insights into the upcoming implementation of India’s new data protection law, which has been under development for some time.
The enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act) marks a significant shift in India’s data privacy landscape, laying the foundation for a comprehensive framework governing the collection, use and management of personal data.
Key aspects of the draft Rules:
Phased Implementation
The draft Rules outline a gradual implementation strategy. Initially, provisions relating to the establishment of the enforcement body – the Data Protection Board (DP Board) – will come into effect immediately upon publication of the final version of the Rules in the Official Gazette. These include appointing the DP Board’s chairperson and members, as well as establishing regulations on compensation, meeting protocols and employment terms. More substantive provisions, including Rules 3 to 15, 21 and 22, will come into effect at a later date, as specified within the Rules.
Consent Is a Must
The Sensitive Personal Data or Information (SPDI) Rules require explicit written consent before collecting sensitive data. The DPDP Act builds upon this by mandating that data fiduciaries provide a clear and comprehensive notice to data principals before collecting personal data. This notice must include specific details about the data being processed, its purpose and the entities involved. Additionally, it must inform the data principal of the rights available to them under the DPDP Act. The draft Rules further stipulate that the notice should be in clear and plain language, which is easy to understand, itemized and include specific information about the goods or services resulting from the data processing.
The consent provided by the Data Principal must be free, specific, informed, unconditional and unambiguous. It should involve clear affirmative action, indicating agreement to the processing of their personal data solely for the specified purpose and limited to such personal data as is necessary for such specified purpose.
Reasonable Security Safeguards
The SPDI Rules already require businesses to implement security measures that protect sensitive personal data in line with global standards like ISO/IEC 27001. Similarly, the draft Rules require Data Fiduciaries to adopt baseline security measures, such as encryption, obfuscation, masking and access control, to protect personal data from breaches. Data fiduciaries must also ensure that contracts with data processors include provisions to maintain these safeguards.
Data Breach Notification
Under the IT Act and SPDI Rules, there has been no obligation to notify data owners or processors in the event of a data breach. However, the DPDP Act mandates breach notifications to both the DP Board and affected data principals. The draft Rules specify that these notifications must be clear, concise and timely, outlining the nature, scope, timing and impact of the breach, along with mitigation steps. Data fiduciaries are required to notify the DP Board within 72 hours of discovering a breach. Although not a part of the DPDP, we note there are also obligations to notify the computer emergency response team in India within six hours of discovering a breach.
Data Retention
While the SPDI Rules limit the retention of sensitive data to the period necessary for its intended purpose, the DPDP Act introduces similar provisions, stating that personal data should be erased when consent is withdrawn or when it is no longer needed for the specified purpose. The draft Rules set a three-year retention period for certain types of data fiduciaries, such as e-commerce platforms, online gaming services and social media intermediaries, provided they meet user thresholds outlined in the Rules.
Data Protection Officers
The SPDI Rules mandated the appointment of a grievance officer. The DPDP Act goes further, requiring significant data fiduciaries to appoint a data protection officer (DPO) based in India. Smaller data fiduciaries can either appoint a DPO, or designate an individual to handle data processing queries. The draft Rules also mandate that businesses display the DPO’s contact information on their website and in communications with data principals.
Children and Their Personal Data
While the IT Act and SPDI Rules did not specifically address children’s personal data, the DPDP Act introduces more stringent provisions. Data fiduciaries must obtain verifiable parental consent before processing children’s data and are prohibited from using such data for specific purposes, like targeted advertising. The draft Rules clarify how consent should be obtained, including requirements for verified identity and age verification.
Cross-border Data Transfer
The SPDI Rules allowed the transfer of sensitive data outside India, provided that the receiving party adhered to adequate data protection standards. The DPDP Act imposes stricter restrictions on cross-border data transfers, requiring the government to issue guidelines outlining when such transfers are permissible. The draft Rules specify that data fiduciaries in India may transfer personal data abroad only in compliance with conditions set by the government.
Consent Managers
The DPDP Act introduces the concept of consent managers—entities that facilitate the management of consent between data principals and data fiduciaries. These managers must be registered with the DP Board and provide user-friendly platforms for individuals to manage their consent. The draft Rules provide detailed requirements for these consent managers, including financial and operational thresholds, security measures and record-keeping. The DP Board will also have the authority to audit their operations.
Conclusion
The DPDP Act represents a significant advancement in strengthening data privacy and security in India. The draft Rules provide further clarity on the law’s implementation, particularly around consent, data retention, security, breach notifications, children’s data and cross-border data transfers. While there are still areas that remain unclear, such as the practical implementation of consent managers and the impact of cross-border restrictions, the draft Rules pave the way for more robust data protection. Businesses must stay informed about the evolving regulatory framework to ensure compliance and protect the rights of data principals in this increasingly digital world.
- India publishes consent management rules under Digital Personal Data Protection Act
India’s Ministry of Electronics and Information Technology (MeitY) released in June 2025 a Business Requirement Document for Consent Management Under the DPDP Act, 2023 (BRD).
The BRD, while not legally binding, provides technical and functional guidance on implementing a consent management system (CMS) under India’s Digital Personal Data Protection (DPDP) Act.
The BRD offers a detailed breakdown of core components of a CMS, including consent lifecycle management, a user dashboard, notifications, and grievance redress mechanisms. It also outlines administrative capabilities, including user role management and data retention policy configuration to ensure operational efficiency and compliance.
While the DPDP Act has not yet come into force, the BRD provides a clear preview of the technical and procedural expectations that data fiduciaries and consent managers (as those terms are defined in the DPDP Act) have to meet once the law takes effect, making it a critical resource for early compliance planning and system design.
Data protection in Brazil

- Data Officer: after inspection, companies comply with LGPD obligation
The process is successfully completed and results in the regularization of obligations related to the function. Lack of response to the Authority's communications and to data subjects' requests helped to identify failures.
After the action of the National Data Protection Authority (ANPD), which began last November, twenty companies had implemented the necessary measures to comply with the General Law for the Protection of Personal Data (LGPD). On Thursday (24), the process was completed successfully, since all the companies complied with the determinations of the ANPD.
The inspection covered legal entities frequently mentioned in data subjects' requests, due to deficiency in the indication of the person in charge or his contact channel, in addition to those that did not respond to demands sent by the ANPD. Priority was given to larger companies, considering the volume of personal data processed and the scope of their operations, with a view to ensuring greater impact and scope in the inspection.
"The absence of a Person in Charge or an effective communication channel prevents data subjects from exercising their rights and compromises transparency in the processing of personal information. This scenario harms both the data subjects and the performance of the ANPD, which depends on this dialogue to ensure compliance with the LGPD", explains Fabrício Lopes, General Coordinator of Inspection at the ANPD.
The initiative is part of the ANPD's regular monitoring actions and aims to promote legal compliance by processing agents and the consolidation of good practices in the processing of personal data.
- Portuguese-speaking countries structure reciprocal cooperation, define priorities and seek to harmonize legislation
In a meeting held in parallel to the 16th Seminar on Privacy Protection and Data Protection, members of the Lusophone Network create Working Groups to delve into issues related to digital privacy. The initiative now has a logo and will soon have a web page.
Representatives of the data protection authorities of the Portuguese-speaking countries, which formally make up the Lusophone Data Protection Network (RLPD), met this Tuesday (26), in parallel to the 16th Seminar on Privacy and Personal Data Protection, held in São Paulo, to outline the next steps of reciprocal collaboration. The agenda focused on structuring the network and defining priority topics, marking a significant advance for cooperation between Portuguese-speaking data protection authorities.
During the event, the representatives approved the creation and operation of Working Groups (WGs) that will deepen discussions on critical issues of digital privacy. Among the topics defined as priorities, biometrics, neurodata, artificial intelligence, surveillance and international data transfer stood out. The meeting also initiated the proposal for a comparative study of national data protection regulations, aiming at the harmonization of legislation.
In addition to the technical discussions, the meeting addressed organizational issues, such as the creation of a logo and an official website for the RLPD. The chosen brand was created by the ANPD's Communication Office employee, André Scofano, and seeks to represent the group's linguistic identity, through a contemporary rereading of the traditional layout of the letters "R", for Rede; and "L", for Lusophone, from the way they were written in the fifteenth century, with personal data as the center of interest.
The meeting was attended by the CEO of the National Data Protection Authority (ANPD), Waldemar Gonçalves; Faustino Varela Monteiro, from the National Data Protection Commission of Cape Verde; José Manuel Macumbo Costa Alegre, from the National Agency for the Protection of Personal Data of São Tomé and Príncipe; Maria das Dores Jesus Correa Pila, from the Angolan Data Protection Agency; Lourino Chemani, from the National Institute of Information and Communication Technologies of Mozambique; Paula Meira Lourenço, from the National Data Protection Commission of Portugal; and Joana Io, from Macau, China.
- ANPD defends transparent legislation for good AI governance
At a congress of the Brazil Governance Network, the Authority's CEO, Waldemar Gonçalves, details the Authority's initiatives and challenges towards regulation.
The CEO of the National Data Protection Authority (ANPD), Waldemar Gonçalves, participated, on the morning of Thursday (28), in the 1st Information Security and Data Privacy Governance Conference, held in São Paulo by the Brazil Governance Network (RGB).
In his lecture on "Regulation of AI in Brazil from the perspective of governance", he highlighted the strategic role of the ANPD in the protection of rights and in the coordination of initiatives for a safer digital scenario.
The CEO detailed the contributions of the authority to Bill 2,338/2023, emphasizing alignment with the LGPD to ensure that anyone affected by artificial intelligence systems has the right to contest and request the review of automated decisions.
He also stressed that the ANPD is ready to assume the central role of coordinating the National System for Regulation and Governance of Artificial Intelligence (SIA), according to Article 45, paragraph 1, item I, of PL3.
The presentation also addressed the principles and objectives of AI regulation, which include the safety, transparency and explainability of systems, as well as the protection of fundamental rights and algorithmic non-discrimination.
The speaker also mentioned the ANPD's ongoing initiatives to regulate AI. Among them are the "regulatory sandbox" and the "Technological Radar", a periodic publication that analyzes emerging technologies, whose November 2024 edition focused on Generative AI. In addition, the CEO cited the cooperation with the Ibero-American Data Protection Network (RIPD), which approved a regulatory reference methodology in AI in May 2025, recommending that personal data used in automated processes be transparent, verifiable, and auditable.
According to Waldemar Gonçalves, the ANPD's vision for AI governance is based on a collaborative and preventive approach, with active risk monitoring, transparency, and social participation.
He concluded by highlighting that, despite regulatory challenges, such as the technical complexity of algorithms and the speed of innovation, the ANPD is prepared to support the process in Brazil, with dialogue, transparency and cooperation.
The event, aimed at professionals and those interested in Information Security Governance, LGPD and data privacy, addressed topics such as LGPD and International Regulations, Risk Management and Business Continuity, Strategic Cybersecurity, among others.
- ANPD and ANM sign Technical Cooperation Agreement to promote data protection in mining
The agreement provides for educational actions, multilateral meetings and the production of technical documents on topics of common interest.
The National Data Protection Authority (ANPD) and the National Mining Agency (ANM) signed on Wednesday (10) a Technical Cooperation Agreement with the objective of strengthening the protection of personal data in the mining sector. The partnership, signed in Brasilia, will be valid for three years and will be conducted by the ANPD's General Coordination of Technology and Research (CGTP).
The agreement provides for educational actions, multilateral meetings and the production of technical documents, such as studies and reports, on topics of common interest. The activities may take place in a virtual environment or in the units of the institutions involved.
Among the expected results are:
• Mutual collaboration to develop regulatory initiatives aimed at solving challenges related to data processing in mining, such as international transfer, interoperability, conservation, anonymization, sharing and deletion of data;
• The preparation of technical studies and reports on strategic issues for both institutions;
• The promotion of educational and guidance actions that contribute to the construction of knowledge and dissemination of best practices in personal data protection and information security.
This is the second Technical Cooperation Agreement signed by the ANPD in 2025 (the first was with NIC.br) and marks the Authority's second partnership with a regulatory agency, the first being with the National Supplementary Health Agency (ANS).
The initiative reinforces the ANPD's commitment to expanding interinstitutional dialogue and fostering a culture of data protection in different sectors of public administration.
- ANPD participates in a panel at the Legal Committee of the American Chamber of Commerce for Brazil
Event brought together experts to discuss the challenges and advances in personal data governance.
The director of the National Data Protection Authority (ANPD) Iagê Miola was present at the Strategic Legal Committee of the American Chamber of Commerce for Brazil - Amcham Brasil, participating in a panel dedicated to data protection in the context of Brazil-United States relations. The event brought together experts to discuss the challenges and advances in the protection of personal data in an increasingly interconnected global scenario.
During his presentation, the director gave an overview of the National Data Protection Authority (ANPD), its structure and its regulatory approach. He highlighted the ANPD's risk-based performance, focusing on the balance between the protection of fundamental rights, the promotion of innovation and the strengthening of trust in the international data flow.
Miola also addressed the advances in inspection, emphasizing the ANPD's action and the importance of interinstitutional coordination to ensure greater regulatory and inspection effectiveness.
Another relevant point of the speech was the ANPD's experience with artificial intelligence. The director highlighted the challenges related to AI governance, the protection of children and adolescents, and the lessons learned through the regulatory sandbox, an initiative that allows controlled testing of innovative solutions under the authority's supervision.
In the field of international data transfers, Iagê presented the progress achieved, such as the regulation on the subject, which brought the model of standard contractual clauses and the advancement of the adaptation process between Brazil and the European Union. According to him, this initiative has the potential to create the largest global area of free flow of data, underpinned by mutual trust and robust safeguards.
Closing his participation, the director reinforced the importance of international and interinstitutional dialogue as a key element to consolidate the General Data Protection Law (LGPD) as an instrument of trust, competitiveness and sustainable economic development.
- ANPD and UAE authority sign agreement to improve regulatory practices
Initiative expands the international operations of the Brazilian Authority and aims to strengthen technical cooperation for the protection of personal data, privacy and legal certainty between the two organizations in the midst of a globalized economy.
The Chief Executive Officer of the National Data Protection Authority (ANPD), Waldemar Gonçalves, signed a Memorandum of Understanding with the Dubai International Financial Centre Authority (DIFC), in the United Arab Emirates, which was represented by its Vice President, Lori Baker. The partnership, formalized during the 47th Global Privacy Assembly (GPA) in Seoul, South Korea, reinforces the ANPD's performance on the international scene and strengthens cooperation on privacy and personal data protection.
The agreement establishes a mutual collaboration to promote the protection of personal data, the exchange of good regulatory practices and the strengthening of ties between Brazil and the United Arab Emirates on the digital agenda. According to the document, the partnership's main objective is mutual assistance and technical, regulatory and supervisory cooperation in data protection and privacy.
The memorandum does not create legal obligations, and its implementation depends on the discretion of both parties. However, it lays the groundwork for joint actions, such as exchanging information on investigations, conducting joint inspections, and providing mutual technical support. In addition, the document provides for the development of education, training and awareness programs, as well as joint research projects.
"International cooperation is seen by the ANPD as a strategic tool to face the challenges of the digital economy, ensure the effectiveness of privacy rules and strengthen Brazil's digital sovereignty," said the ANPD CEO about the agreement between the two countries. According to him, the signing of the agreement with DIFC contributes to consolidating the credibility of the General Data Protection Law (LGPD) and the ANPD's position as a regulatory authority committed to global privacy standards.
If you have any questions, please send us an email to datasecurity@catts.eu