GDPR News » CEPDO 2025 – Brussels

On 13 and 14 October, our team attended the annual CEDPO – Confederation of European Data Protection Organisations Conference in Brussels, where data protection officers, regulators, and policymakers from across Europe gathered to discuss the future of privacy and digital governance.

Here are some of the key takeaways from two days of rich discussions and forward-looking insights:

🔹 AI Governance & the DPO’s New Role

– The AI Act will redefine DPO responsibilities, introducing Fundamental Rights Impact Assessments alongside DPIAs.

– Calls emerged for a “right to reasonable inference”, ensuring individuals can challenge how AI draws conclusions about them.

– DPOs will need to integrate legal, ethical, and technical expertise as AI becomes part of every workflow.

🔹 Regulatory Coherence Across the Digital Rulebook

– The European Commission highlighted efforts to align the GDPR, AI Act, DMA, DSA, and the upcoming Data Act.

– Simplification for SMEs is on the table, but experts warned that reducing documentation must not weaken accountability.

🔹 Certification as a Trust Driver

– GDPR certification schemes for companies are gaining momentum.

– Certification now represents not just compliance, but a signal of accountability and reliability for partners and clients.

🔹 Digital Markets, Fairness & Design

– The EDPB-EU Commission joint guidance on the GDPR and DMA marks a milestone for coordinated digital regulation.

– The forthcoming Digital Fairness Act will address dark patterns and manipulative interfaces, putting ethical design at the heart of compliance.

🔹 Data Protection in the Age of AI

– The EU’s ambition to become an “AI continent” depends on embedding data protection in innovation.

– Agentic and generative AI challenge traditional safeguards, making explainability and transparency essential.

🔹 The Data Act & Data Governance

– The Data Act focuses on data sharing and re-use to promote innovation while preserving data protection.

– It introduces new concepts such as data holders, data users and data recipients, requiring organisations to clearly identify their roles.

– The regulation does not create a new legal basis for processing personal data, DPOs must continue to assess each sharing activity under the GDPR.

– Speakers underlined the importance of knowing your data: distinguishing between raw, inferred and derived data is essential for compliance.

🔹 Commissioner Michael McGrath’s Address

– Commissioner McGrath underlined that Europe’s strength lies in combining innovation with trust.

– He encouraged privacy professionals to lead the dialogue between AI, data, and ethics, keeping the human at the centre of Europe’s digital transformation.

We were happy to attend the CEDPO conference, see you all next year !