Data protection developments this quarter highlight a clear shift toward interoperability, large-scale system oversight, and the regulation of emerging technologies. In Global Data Protection Compliance FY25/04, we examine how regulators across the EU, Poland, the Netherlands, Spain, Mexico, India, and Brazil are addressing the growing use of biometric data, AI-driven systems, cross-border data flows, and public-sector data initiatives. From joint EU guidance on the interplay between the GDPR and the Digital Markets Act to new national frameworks for identity systems, political advertising, and AI governance, the updates reflect a continued effort to strengthen legal certainty, transparency, and accountability in an increasingly data-driven environment.

• Data protection in the EU
• Data protection in Poland
• Data protection in The Netherlands
• Data protection in Spain
• Data protection in Mexico
• Data protection in India
• Data protection in Brazil

• DMA and GDPR: EDPB and European Commission endorse joint guidelines to clarify common touchpoints

The European Data Protection Board (EDPB) and the European Commission endorsed joint guidelines on the interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). These are the first joint guidelines by the Board and the European Commission.

In line with its 2024-2027 Strategy and the recent Helsinki Statement’s objectives to make GDPR compliance easier and strengthen consistency, the EDPB has cooperated with the European Commission, each within their respective mandates, to facilitate the coherent application of the DMA*and GDPR and to increase legal certainty for gatekeepers, business users, beneficiaries and individuals.

How the DMA and the GDPR interact

The DMA and the GDPR both protect individuals in the digital landscape, but their goals are complementary as they address interconnected challenges: individual rights and privacy in case of the GDPR and fairness and contestability of digital markets under the DMA.   

Several activities regulated by the DMA entail the processing of personal data by gatekeepers and, in several provisions, the DMA explicitly refers to definitions and concepts included in the GDPR. The joint guidelines clarify how gatekeepers can implement these DMA provisions in accordance with EU data protection law. For example, the EDPB and the Commission specify which elements gatekeepers should consider in order to comply with the requirements of specific choice and valid consent under Art. 5(2) DMA and the GDPR, and thus to lawfully combine or cross-use personal data in core platform services.

The EDPB and the Commission also address other provisions including those related to the distribution of third party apps and stores, data portability, data access requests and interoperability of messaging services.

• Strengthening Schengen security and preventing irregular migration: EU Entry Exit System enters into operation

On the occasion of the upcoming entry into operation of the EU Entry Exit System (EES) on 12 October 2025, the Coordinated Supervision Committee (CSC) will include the EES system under its scope. This system registers non-Schengen nationals travelling with a short stay visa or travellers who are visa exempt. The EES is a large scale IT systems developed by the EU to prevent irregular migration and enhance security in the Schengen area.

How it works 

The EES gradually replaces passport stamping at the external borders of the Schengen area, with the aim of making the border process more efficient. The system records which travellers from third countries, with or without a visa, enter and exit the Schengen area.

The implementation of the EES will happen gradually.  European countries will have the option to progressively start using this system over a period of six months, starting with the registration of third country nationals at 10% of border crossings. By the end of the six months period, European countries should reach full registration of all individuals.

Processing of individuals’ personal data by the EES

The EES records personal data from travel documents such as name, date of birth, and place of birth. It also registers the dates of entry and exit of travellers, as well as biometric data such as a facial images and fingerprints. Given the sensitivity of the personal data processed by this system, it is crucial to ensure individuals can effectively exercise their rights and the processing of personal data is supervised.

• Draft UK adequacy decisions: EDPB adopts opinions

During its latest plenary, the EDPB adopted two opinions on the European Commission’s draft decisions on the extension of the validity of the UK adequacy decisions under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) until December 2031.

The EDPB opinions, requested by the Commission as per Art. 70(1) (s) GDPR and Art. 51(1) (g) LED, address the proposed six-year extension of the two UK adequacy decisions which are set to expire in December 2025.

The extension of the validity of the UK adequacy decisions will allow organisations and competent authorities based in Europe to continue transferring data to UK-based organisations and authorities without implementing additional guarantees.

• Draft adequacy decision for Brazil: EDPB adopts opinion

During its latest plenary, the EDPB adopted an opinion on the European Commission’s draft decision on the adequate level of protection of personal data in Brazil.* Once adopted, the decision will ensure that personal data can flow freely from Europe to Brazil and that individuals can retain control over their data.

In its opinion, requested by the Commission, the EDPB assesses whether the Brazilian data protection framework and the rules on government access to personal data transferred from Europe provide safeguards essentially equivalent to the ones in EU legislation. The Board positively notes the close alignment with EU legislation and the case law of the Court of Justice of the EU. The EDPB also examines whether the safeguards provided under the legal framework in Brazil are in place and effective.

• Strengthening data protection worldwide: EDPB meets with the countries and organisation with an adequacy decision

As part of its December’s plenary meeting, the European Data Protection Board (EDPB) held yesterday an online meeting with Commissioners and representatives of Data Protection Authorities (DPAs) from the countries and the organisation with an EU adequacy decision. This meeting marked the second of its kind, following the first gathering in October 2024.

An adequacy decision is a key-mechanism in EU data protection legislation which allows free flow of personal data from Europe to third countries or an international organisation offering an adequate level of data protection.* To date, the following countries and organisation benefit from this:  Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, Uruguay, United States, and the European Patent Organisation. Data Protection Authorities from those countries and the European Patent Organisation are key partners for the EDPB, playing a key role in our joint efforts to strengthen data protection worldwide.

• The government took into account the comments of the President of the Personal Data Protection Office in the e-registration project

The government has taken into account the comments of the President of the Personal Data Protection Office in the draft amendment to the Act on Healthcare Services Financed from Public Funds, which assumes the operation of a new IT system, the so-called central electronic registration.

Mirosław Wróblewski, President of the Personal Data Protection Office (UODO), noted that the proposed system will process personal data, including health data and biometric data, using a voice assistant. Therefore, in the opinion of the President of the UODO, GDPR requirements should be taken into account when designing regulations dedicated to e-registration.

With regard to the provision concerning the use of a voice assistant to conduct central electronic registration – which raised concerns of the President of the Personal Data Protection Office – it is worth noting that, in line with the comments of the President of the Personal Data Protection Office, the Ministry of Health has clarified this provision, specifying the purpose of data processing, the scope of data, and also indicating that the processing of personal data with biometric features in connection with the recording of patients’ conversations with a voice assistant cannot be used for the purposes of identifying and verifying natural persons.

• The President of the Personal Data Protection Office notified the prosecutor's office about the publication of photos of people without their knowledge and consent

The President of the Personal Data Protection Office, Mirosław Wróblewski, notified the prosecutor's office of the possibility of committing a crime consisting in the impermissible processing of personal data by posting images of people on an online service available to logged-in users without their knowledge or consent.

The notification concerns the website located at Zbiornik.com and Zbiornik.tv., and is the result of an article published on Wirtualna Polska's website ("I'll show my wife, who will judge?": Thousands of photos of naked Polish women online without their consent) . It describes situations in which users of the website, which contains sexually explicit material, share photos or videos of women, suggesting that they were taken without their knowledge. In some cases, the materials reveal not only faces but also other characteristic features of the individuals, such as tattoos.

The website's terms and conditions stipulate that the user also undertakes not to infringe the rights of third parties by using the website. In particular, the user declares that they hold the copyright to all content presented on the website, including text, images, and videos. By accepting the terms and conditions, the user also declares that they have the right to freely dispose of their image or the image of third parties depicted in the photos, and that they will retain these rights for as long as they continue to present such content on the website. The President of the Personal Data Protection Office (UODO) notes that the individuals visible in the recordings or photos may have been unaware not only that their image would be used, but also that they were photographed at all or recorded in an intimate situation.

• New rules on transparency and targeting of political advertising

From 10 October 2025, the provisions of Regulation (EU) 2024/900 of the European Parliament and of the Council on transparency and targeting of political advertising shall apply directly .

Regulation (EU) 2024/900 aims to ensure full respect for the fundamental rights and freedoms enshrined in the EU Charter of Fundamental Rights when disseminating political advertising in the digital sphere. It aims to help citizens make informed choices by making it easier to recognize political advertising, understand who is behind it, and whether it is targeted advertising.

Its scope of application includes:

•  Political advertising service providers – entities engaged in the provision of political advertising services, with the exception of purely ancillary services;

•  Political advertising publishers – political advertising service providers who publish, deliver or distribute political advertising through any medium;

•  Sponsors – entities at whose request or on their behalf political advertising material is prepared, posted, promoted, published, delivered or distributed;

Regulation (EU) 2024/900 introduces, among others:

•  The obligation to disclose the financing of political advertising, indicating who is behind it and who finances it;

•  The obligation to mark them in such a way that the recipient has no doubts about what type of message he or she is dealing with;

•  Targeting restrictions, which mainly boil down to a ban on profiling users based on specific categories of data;

•  Mechanisms to counteract disinformation and its spread in the digital space;

•  The obligation to maintain registers and a European repository of political advertising materials;

•  Prohibition of third-country interference in elections.

The Regulation supplements the GDPR with respect to targeting and advertising delivery techniques in the context of online political advertising that are based on the processing of personal data. This is regulated by Articles 18 and 19 of Regulation (EU) 2024/900.

• Strengthening Schengen security and preventing irregular migration

The Entry/Exit System (EES), a large-scale information system established to prevent irregular migration and enhance security in the Schengen Area, will come into effect on Sunday, October 12th. The system will record data on third-country nationals traveling with short-stay visas or who are visa-exempt.

How will the Entry/Exit System work?

The Entry/Exit System will replace the current practice of stamping passports at the external borders of the Schengen Area. By recording traveler data upon entry and exit, the system will enable more efficient border management and faster check-in.

The system will be implemented gradually. Schengen countries will be able to begin registering traveler data at 10% of border crossings. Within six months of the registration system's launch, all Schengen countries should have fully implemented it.

What data will be processed?

The system will record personal data from travel documents, including:

•  Name and surname, date and place of birth,

•  Entry and departure dates,

•  Biometric data – facial image and fingerprints.

Due to the particularly sensitive nature of this data, it is extremely important to ensure that individuals can effectively exercise their rights, as well as to constantly supervise the processing of personal data.

• Retransmission of the scientific conference "DGA – Innovative Data Management"

We invite you to watch the recording of the scientific conference "DGA – Innovative Data Management," which took place on October 24, 2025, at the Personal Data Protection Office (UODO). We encourage you to view the conference recording and the presentations provided by the speakers. During the conference, key topics related to the Data Management Act (DGA) were discussed, such as the reuse of protected data, data brokerage services, and data altruism.

Lectures delivered by representatives of science and practice will provide you with extensive knowledge of the DGA regulations.

The conference was organised by the Personal Data Protection Office, the Faculty of Law and Administration of the University of Lodz, the Faculty of Law and Administration of the Cardinal Stefan Wyszyński University and the Social Team of Experts at the President of the Personal Data Protection Office.

• The President of the Personal Data Protection Office (UODO) files another complaint against the prosecutor's office's decision regarding the entry on the X website

The President of the Personal Data Protection Office, Mirosław Wróblewski, filed another complaint against the decision of the District Prosecutor’s Office of Warsaw-Śródmieście to refuse to initiate an investigation into a case concerning a suspicion of committing a crime consisting in the posting on the X website by a Member of the Sejm of the Republic of Poland of a photo of a private person with a skin color indicating non-European origin.

The case began in March 2025, when Mirosław Wróblewski, President of the Personal Data Protection Office (UODO), notified the Warsaw-Śródmieście District Prosecutor's Office of a suspected offense involving the processing of personal data, even though their processing was not permitted. The offense concerned the posting on the X website by Mr. Artur Szałabawka, a Member of the Polish Parliament and a user of the website, without legal basis, of a photo of an individual with skin color indicating non-European origin. Was this a prohibited act under Article 107 of the 2018 Personal Data Protection Act?

The photograph was given to the MP by an unidentified person, and their message – regarding the route of the bus in Szczecin used by the man in the photograph and the detail about the scar on his cheek – was also published in the post.

After the photo was published, the person in the photo was identified by internet users. As a result, further information about her began appearing in the media, including her country of origin and profession.

• AP and ACM: chatbot may not completely replace humans in customer service

Organizations that use chatbots in their services must always offer people the option to speak with a representative. Organizations must also clearly indicate when a chatbot is being used and ensure that the chatbot does not provide incorrect, evasive, or misleading information.

The Dutch Data Protection Authority (AP) and the Netherlands Authority for Consumers and Markets (ACM) are urging organizations to take responsibility if they choose to use chatbots. The regulators will be paying extra attention to this in the coming period.

Privacy risks

Increased oversight of chatbot use is also necessary due to information security and privacy risks. Chatbots are a form of generative AI, trained using large amounts of information and data. This can include confidential information and documents. This can allow—for example, malicious actors—to force the chatbot to provide more information than necessary to answer "regular" customer queries, and to extract this confidential information. This jeopardizes data security and can even lead to data leaks to lead.

• Further building AI literacy

To help organizations get started, the Dutch Data Protection Authority (AP) is publishing the 'Continuing to build on AI literacy' guideline. 

This is an addition to the first guidance document, " Getting started with AI literacy ." The new guidance document elaborates on the legal obligation, and practical examples clarify the multi-year action plan that organizations can use to address AI literacy strategically and sustainably.

AI literacy is a requirement under the AI Regulation . Everyone working with AI systems within or on behalf of an organization must have skills, knowledge, and understanding of the technical operation of AI systems, as well as their social, ethical, and practical aspects.

AI literacy is a key requirement for the responsible development and deployment of AI and algorithms. With sufficient knowledge, skills, and understanding, organizations can optimally utilize opportunities, mitigate risks, and better assess the impact of systems. The Dutch Data Protection Authority emphasizes that the increasing use of AI also requires increased commitment to AI literacy.

• Three recommendations for a strong data processing agreement in the event of a cyber attack

Strong data processing agreements between organizations help adequately handle cyberattacks, and sometimes even prevent them. They thus strengthen the digital resilience of data breach victims. However, the Dutch Data Protection Authority (DPA) observes that good agreements are often lacking. Based on research, the DPA therefore offers organizations three recommendations for strong data processing agreements.

Organizations that collaborate with service providers must enter into a data processing agreement regarding the sharing and use of personal data. This agreement outlines agreements, for example, regarding security and the roles and responsibilities in the event of incidents such as data breaches.

Service providers are an attractive target

Service providers are an attractive target for cyberattacks. A service provider often works for multiple organizations. Consider, for example, an IT company that supplies software to hundreds of companies. A data breach at a service provider therefore affects multiple organizations, and thus large amounts of personal data. The damage from these attacks is therefore enormous. Organizations must assume that they or their service providers will eventually be affected by a major data breach. Therefore, proper preparation is crucial.

• AP will monitor data security in healthcare

In the coming months, the Dutch Data Protection Authority (DPA) will be conducting random visits to healthcare providers, such as hospitals and GP practices. The DPA wants to monitor how they handle information about patients and clients, including sensitive health data. The DPA will also provide information about the regulations and how healthcare providers must comply with them.

Healthcare uses and stores medical data about individuals, among other things. This data is sensitive, and healthcare providers have a significant responsibility to protect it. For example, only the treating physician and authorized staff may view a patient's medical record. Healthcare organizations must verify this. Healthcare organizations must also properly protect data against hackers and data leaks. This is stipulated in the General Data Protection Regulation (GDPR)The Dutch Data Protection Authority (AP) observes that not all healthcare providers have their security in order. Furthermore, things regularly go wrong when healthcare providers exchange patient data with each other.

• AP warns users: TikTok continues to send personal data to China

TikTok will continue to send user data to countries including China for the time being. The company is thus violating a joint decision by European data protection authorities, which determined that transferring the data is unlawful. Since yesterday, TikTok has been displaying a warning to users about what the company does with the data. The Dutch Data Protection Authority (DPA) believes it's important for people to understand what this means for their privacy.

The Dutch Data Protection Authority (AP) urges users and organizations to carefully consider whether they wish to continue using TikTok and other services that transfer personal data to countries outside the EU. The AP recognizes that this international transfer is a broader societal problem and is also investigating the risks associated with other online services.

• The Agency publishes a guide to help freelancers and SMEs handle personal information more securely

The Spanish Data Protection Agency (AEPD) has published a Encryption guide for freelancers and SMEs. This is a practical document that provides the tools and knowledge necessary for these sectors to implement this technique simply and effectively in different areas of their activity, such as sending emails, cloud storage, or information stored on devices.

Encryption involves transforming information into a format that makes it difficult for anyone without the decryption key to access it. This minimizes the risk of personal data breaches.

The guide analyzes real cases drawn from personal data breaches that have been reported to the Agency, and reflects situations in which the lack of measures has had serious consequences for people: lost or stolen devices, unintentional publication of personal data, erroneous sending of an email with confidential information or unauthorized access to personal data due to an abuse of access privileges, among others.

The document also provides concrete solutions that would have prevented or at least mitigated subsequent damage if they had been applied earlier, protecting the confidentiality, integrity, and availability of the information.

The guide also emphasizes the importance of adopting measures such as the minimization principle , so that only the personal information strictly necessary is processed at each stage of the processing and for its specific purpose, something that would reduce the impact on people in the event of a failure of security measures.

The General Data Protection Regulation states in Recital 83 that encryption of information is a tool to protect personal data and the security of communications, specifying that "the controller or the processor should assess the risks inherent in the processing and implement measures to mitigate them, such as encryption."

The launch of this guide is part of the Strategic Plan 2025-2030of the Agency, which includes in its third axis " promoting and supporting regulatory compliance ", especially among the self-employed, micro-enterprises and SMEs.

• The Agency publishes its internal policy on the use of Artificial Intelligence, the first of its kind in the public sector

The Spanish Data Protection Agency (AEPD) has published its General internal policy for the use of generative AI, a document that sets out the general guidelines for implementation, governance and responsible use of these systems within the internal environment.

This Policy, the first of its kind in the public sector, positions the Agency as a pioneering institution in the responsible, legal, and transparent use of artificial intelligence and automation in Public Administration. It has been approved in the exercise of the Spanish Data Protection Agency's (AEPD) powers as an Independent Administrative Authority and forms part of its Information Policy, promoting transparency, security, and trust in the guaranteed implementation of these systems . Its objective is to strengthen the Agency's technological and organizational capacity , ensuring a secure and ethical digital transformation that complies with the current regulatory framework.

The publication of this Policy is integrated into Axis 1 of Strategic Plan 2025-2030The Agency, which advocates for an AI first policy, promotes the safe and responsible use of artificial intelligence based on the conviction that these systems should be integrated as a normal process in the functioning of public administrations, as in other sectors.

The document provides a roadmap for addressing technological transformation in a controlled manner and in alignment with the public interest. The phased implementation of these systems under robust governance and human oversight aims to help the Agency continue improving its efficiency and technical capacity, while maintaining its functions and powers.

• Mexico’s proposed data-collection laws raise questions about privacy and oversight

Mexico has introduced a package of bills that would expand state access to personal data and allow authorities – including the military – to gather, combine, and analyse sensitive information about the entire population. According to ARTICLE 19, the international freedom-of-expression organisation, these measures pose serious risks to privacy and civil liberties and could set a troubling precedent across the region. (This article reports on the position of ARTICLE 19)

What the new laws would do

The legislative package would give government agencies broad powers to collect and interlink multiple categories of data, including:

•    biometric identifiers such as fingerprints and facial data

•    financial and tax records

•    health information

•    telecommunications and internet-use data

•    real-time geolocation

This information would be stored in centralised systems accessible to both civilian bodies and security forces.

A key element is the mandatory biometric Unique Population Registry Code (CURP). This identifier would sit in a government-run platform connected to public and private databases, effectively creating a unified national data profile for each resident.

Another measure would establish a Central Intelligence Platform. It would allow Mexico’s National Intelligence Center and National Guard to access personal data held by public agencies and private companies in real time — without requiring a court order.

Authorities would also retain powers to track individuals’ locations without judicial oversight, including through military institutions.

• Mexico drafts law to regulate AI

The Mexican government is preparing a law to regulate the use of AI in dubbing, animation, and voiceovers to prevent unauthorised voice cloning and safeguard creative rights.

Working with the National Copyright Institute and more than 128 associations, it aims to reform copyright legislation before the end of the year.

The plan would strengthen protections for actors, voiceover artists, and creative workers, while addressing contract conditions and establishing a ‘Made in Mexico’ seal for cultural industries.

A bill  is expected to prohibit synthetic dubbing without consent, impose penalties for misuse, and recognise voice and image as biometric data.

• New privacy challenges - The Unique Identity Platform and the future of data protection

On 27 November 2025, the Official Gazette of the Federation published the Guidelines for the Development and Operation of the Unique Identity Platform (PUI), in compliance with recent amendments to the General Population Law and the General Law on Forced Disappearance of Persons. These guidelines establish the regulatory, technical, and administrative framework for the management, interconnection, and security of the PUI, which will become the primary source for identity verification in Mexico, integrating biometric data and administrative records of both nationals and foreigners.

The Guidelines impose new obligations on all companies processing personal data, including enhanced requirements for data protection, cybersecurity, and cooperation with authorities. This includes mandatory notifications to regulators, stricter information security measures, and up-to-date documentation regarding personal data protection.

• India finalises first digital privacy law

On 13 November 2025, India officially notified the Digital Personal Data Protection Rules 2025 (the “Rules”) to operationalise the Digital Personal Data Protection Act 2023 (the “Act”).

The Act is India’s first comprehensive statute governing the processing of digital personal data. The Act is principles-based and sets out practical compliance requirements for organisations handling digital personal data in India. The Act will be implemented in phases over the next 12 to 18 months through a series of notifications to give businesses a transition period for compliance.  

The Rules establish the Data Protection Board (“DPB”) (the adjudicatory body established under the Act) and its operational procedures, which take effect immediately. Obligations of “Consent Managers” (regulated intermediaries tasked with managing consent for personal data processing) begin in 12 months. Core compliance requirements including provisions on consent notices, security safeguards, data retention, children’s data requirements, and data processing restrictions will take effect in 18 months, from 13 May 2027.

The Act applies to data processed within Indian territory or, if processed outside, in connection with any activity relating to the offering of goods and services to individuals within India. Those caught by the Act should begin mapping data flows, updating policies, and preparing for compliance, as enforcement and further government guidance are expected in the coming months.

• ANPD publishes the 5th Edition of the Technological Radar

This publication, focused on age verification in the digital environment, highlights the challenges of determining whether a user is a child, adolescent, or adult. The difficulty lies in processing the data while simultaneously maintaining privacy. 

The National Data Protection Agency (ANPD) launched, this Tuesday (14), the fifth volume of the Technological Radar series . This time, the study, prepared by the General Coordination of Technology and Research (CGTP), focuses on Age Verification in Digital Environments, a crucial topic for the protection of children and adolescents online . 

This document aims to deepen the understanding of different age verification techniques, their applications, and potential uses in the context of protecting the personal data of children and adolescents . With the increasing use of the internet by this population , and the recent enactment of the "Digital ECA" (Law No. 15.211 /2025), which assigns to the ANPD (National Data Protection Authority) the oversight of digital protection for these vulnerable groups, the discussion on how to verify age effectively and securely becomes even more relevant. 

The Technology Radar highlights the challenges posed by age verification technologies. When processing personal data to determine a user's age range, especially in a context of protecting children and adolescents, complex issues arise related to data protection and information security.

• ANPD opens public consultation for review of the regulatory agenda

The agency is preparing to include new topics due to the competencies assigned to it by the Digital ECA Law. This initiative also provides greater predictability, publicity, transparency, and efficiency to the agency's regulatory process for the 2025-26 biennium.

The National Data Protection Agency (ANPD) launched, last Friday (17), a Public Consultation with the objective of reviewing the Regulatory Agenda for the biennium 2025-2026. The initiative aims to  provide greater predictability, publicity, transparency and efficiency to the Authority's regulatory process. 

The review became necessary in a context of new competencies for the Agency, with the designation of the ANPD as the competent administrative authority to ensure compliance with Law No. 15.211/2025, known as the Digital ECA. Consulting with society assists the agency in aspects involving the legitimacy and prioritization of regulatory problems arising from this new law.

• ANPD and the European Commission are moving forward in the process towards a mutual adequacy decision

Another important step has been completed  in the negotiations for the mutual recognition of the Adequacy Decision  on personal data protection between Brazil and the European Union: the European Data Protection Board (  EDPB  )  issued ,  at the beginning of November ,  its opinion on  the  preliminary proposal for the  adequacy  decision presented by the European Commission on September 5.      

The EDPB's opinion represents a significant milestone   in the regulatory  process,  as  it assesses the degree of equivalence between the Brazilian legal framework – especially the General Data Protection Law (LGPD) and the actions of the  National Data Protection Agency (ANPD)  – and  the  General Data Protection Regulation (GDPR)  of the European Union. This technical analysis is a fundamental step for the European Commission to adopt the formal adequacy decision, recognizing Brazil as a country that ensures a level of personal data protection equivalent to that of Europe.

• ANPD launches Inspection Panel

A new tool, still under development, facilitates consultation on oversight actions, brings society closer to the Authority, and increases the transparency of the Agency's activities. The National Data Protection Agency (ANPD) launched , this Monday (10 ) , the Inspection Panel, a  new interactive tool developed to facilitate access to information about the Agency 's inspection activities.  

With this dashboard, the public can easily and dynamically view aggregated data on inspection procedures, preparatory procedures, and administrative sanctioning processes conducted by the ANPD (National Data Protection Authority). The goal is to increase transparency and bring society closer to the work carried out by the Agency in promoting compliance with the General Data Protection Law (LGPD). 

The Inspection Panel is part of a pilot project under development, which means that the data may still undergo adjustments and improvements.

If you have any questions, please send us an email to datasecurity@catts.eu