Start OneTrust-to-PrivacyEngine migration today 🔁 Effortless switch now available Learn More!

CEDPO DPO Conference 2025: ‘Europe: On the Verge of Digital Transformation?’

Privacy Engine
Nov 17, 2025
Dr Maria Moloney by PrivacyAssist

    Need world class privacy tools?

    Schedule a Call >

    Overview of the Conference

    Day 1

    The CEDPO Conference took place over a two-day period, on the 13th and 14th of October 2025. The conference was kicked off by the managing director of CEDPO, Paul Jordan welcoming everyone to the conference and giving an insight into what we could all expect to enjoy over the forthcoming two days.

    Paul’s introduction was followed by a very engaging keynote speech by a member of the executive committee of CEDPO, Jared Browne. His keynote discussion examined several challenges that we are currently facing in an age where artificial intelligence is becoming increasingly pervasive and easy to develop and use. He looked at the tension between the need to use personal data within AI systems and the potential unethical and unforeseen consequences this can result in for individuals, often bringing with it serious harm. An interesting anecdote about cocaine made the talk even more engaging! This, along with a sprinkling of irony and humour, made for a truly evocative and thought-provoking half-hour.

    The keynote speech was followed by the first panel discussion of the conference, moderated by Paul Jordan. The panel members included Karolina Mojzesowitcz, the Deputy Head of Unit for Data Protection at the European Commission; Dr. Stefan Brink, the Executive Director & Former State Data Protection Officer; Isabelle Stroot, a Lawyer and policy officer for data protection at Bitkom e.V. in Germany.

    The central topic of the panel was the changes to the GDPR under the proposed Digital Omnibus initiative launched by the EU Commission in September 2025. The panel not only engaged among themselves in a lively debate, with views about the changes conflicting substantially, but the audience had a lot to contribute also. The central issue was the elimination of the obligations under the GDPR to maintain a Registry of Processing Activities (RoPA) for companies of 750 employees or less. It was enlightening to hear from the commission the motivation for this decision, i.e. to lighten the burden of the GDPR for SMEs and the reaction of the audience to this loosening of the GDPR reigns.

    The second panel was moderated by Peter Craddock, a partner at Keller and Heckman LLP. The panel predominantly looked at recent rulings from the European Court of Justice (ECJ). Peter was accompanied by Yann Padova, partner at Wilson Sonsini Goodrich & Rosati, and Professor Herke Kranenborg, member of the European Commission Legal Service. The discussion looked particularly at the recent ECJ ruling where the court clarified the relative nature of personal data in the context of a transfer of pseudonymised data to third parties (EDPS v Single Resolution Board (Case C-413/23 P, on 4 Sept 2025). The complexity of when transferred data is and is not personal data was teased out perfectly among these three giants of European law. It was evident from the discussion these three legal experts were very comfortable with the subject matter and with each other. It made for a relaxed and engaging hour. To be honest, this was the most engaging panel of the conference in my opinion.

    The third panel of the day looked at the legal effects and overall benefits of certification under the GDPR. Sébastien Ziegler of the European Centre for Certification and Privacy; along with Giovanni Francescutti who is Global Technical Manager at DNV; Petra Ziegler, a Senior Privacy Expert at Allianz SE; and finally, Alain Herrmann, from Luxembourg’s Data Protection Authority, CNPD gave insights from various European projects that are currently shaping the next generation of compliance tools through certification. The panel discussed where certification adds value and how to prepare an organisation for assessment, and what lies ahead for harmonised EU-wide trust mechanisms.

    The first day of the conference was wrapped up with a fireside chat between Paul Jordan, the managing director of CEDPO and Ernst Wilhelm who is the Data Protection Officer (DPO) at GFT Technologies SE. The chat covered issues of whether data protection officers need to adapt their role in the age of Artificial Intelligence (AI) and take on the responsibility of AI compliance or do they need to engage more with a collective of experts across their organisation to make the most appropriate decisions for their organisation in any given scenario. One thing that came from this discussion was that the role of the DPO is definitely changing, but into what we are still unsure.

    This rounded off the day with a DPO centred discussion that offered valuable clarity and guidance to the audience on the key challenges currently confronting data DPOs and led nicely into the cocktail hour that we all enjoyed afterwards.

    Day 2

    The Second day of the conference was opened with a talk given by Matteo Colombo, he looked at Europe’s digital transformation. This segued nicely into the first panel of the second day.

    Moderated by Jared Browne, this panel discussed how DPOs should interpret AI in their job roles. More specifically, it looked at the overlap of the GDPR with the EU AI Act. Jared and Joanna Juzak, Legal and Policy Officer at the AI Regulation and Compliance Unit of the AI Office; along with Anne-Gabrielle Haie, partner at Steptoe LLP; Cristina Dos Santos from the Labor Project srl; Ana Regidor, Head of Privacy Regulatory Affairs at Amadeus discussed the recent Helsinki Statement on Enhanced Clarity, Support and Engagement, which was adopted by the European Data Protection Board (EDPB) during a high-level meeting in Helsinki on 1–2 July 2025. The statement’s goal is to improve how GDPR compliance is presented and supported, especially for smaller organisations, and to enhance consistency in enforcement and cooperation among regulators across sectors. The panel also discussed the AI Continent Action Plan and the proposed guidelines on how the GDPR and the EU AI Act interact. These guidelines should be available before the August 2nd 2026, deadline for when the EU AI Act comes into full effect. The discussion also explored the contradictory messages many European companies feel that they are receiving from the EU Commission lately. The alphabet soup of regulation seems to be causing confusion. This made for a very frank and honest panel discussion that kept everyone engaged up until the end.

    The second panel of the day was equally engaging and relevant as it examined and dissected the interplay between the GDPR and the Digital Markets Act (DMA). This was moderated by Natascha Gerlach, Director of Privacy Policy at CIPL Brussels and featured a distinguished panel comprising Peter Craddock, a partner at Keller and Heckman LLP; Gwendal Le Grand, Deputy Head of the EDPB Secretariat and Borja Martínez Corral, Partner and Head of Competition and EU Law at Fieldfisher Spain. The panel kicked off with a discussion of the forthcoming joint guidelines from the EU Commission on the GDPR and the Digital Markets Act. This is the first time joint guidelines have been provided to explain two pieces of legislation and how they interact. This was done to maximise legal certainty around these two pieces of legislation. The guidelines aim to clarify how gatekeepers can implement the DMA provisions in accordance with EU data protection law. It focuses a lot on the lawful basis of consent and the notion of nudging from organisations to obtain consent from customers. This nudging, however, very often renders the consent invalid.

    After lunch, the highlight of the conference was a talk given by our very own Commissioner Michael McGrath. He spoke about the Digital Fairness Act and the need to fill certain gaps in legislation around consumers safety, especially child safety. He discussed Dark Patterns employed by a large percentage of companies across the EU and the idea of unfair personalisation. He distinguished between acceptable personalisation which is often needed and desired by consumers to make their lives easier and unfair personalisation that exploits the vulnerabilities of consumers. For instance, offering gambling content to known gambling addicts causes harm to that individual. This is not enhancing the lives of consumers but rather damaging them. The commissioner’s talk was considered and thought provoking and set the stage for the final afternoon discussions of the conference.

    The following panel was very closely linked to Commissioner McGrath’s talk on the Digital Fairness Act. CEDPO’s very own Florence Gauiller, co-founder of the Vercken & Gaullier Law Firm moderated this very interesting and relevant discussion that outlined the existing gaps in current EU law and more specifically consumer protection law around Dark Patterns and Unfair Personalisation. The panel discussed the best approaches to fill these gaps and to deal with these challenges. The DFA is still in its early stages, it is not clear what shape it will take, i.e. whether it will be a soft or hard law. The European Commission launched a public consultation or a “call for evidence” on the DFA that began on the 17th of July 2025 and was due to end on the 24th of October 2025. This discussion was a topic very close to my heart as it touched on ethics, security and the protection of the most vulnerable in our society.

    The final panel of the conference proved to be one of the most thought-provoking and analytically rich panels of the day. CEDPO’S exco member, Dr. Sachiko Scheuing, DPO at Acxiom and co-chair of FEDMA (Federation of European data & marketing) led this panel in a discussion of the Data Act and the GDPR. Her two panellists, Stefano Leucci who leads Data Governance at Mobilisights (Stellantis) and Dr. Frank Schemmel from DataGuard had extensive knowledge on the Data Act and their insights were invaluable in helping the audience grasp the nuances of this complex piece of legislation and understand how it complements the GDPR.

    Dr Schemmel explained how, thanks to the Data Act, we now have a very clear understanding of who actually owns personal and non-personal data at any given point of the data lifecycle. What was also clarified in the discussion that the obligations to share data under the Data Act cannot be used as a legal basis for sharing personal data. Data Controllers still need to find a lawful basis under the GDPR to share personal data. This has proven confusing for companies seeking to comply with both sets of rules. Stefano explained the difference between inferred data and derived data. Inferred data is data that is gathered from the raw data of a machine. The derived data is the information gathered from the inferred data that can be used to make decisions about the data. Derived data is more processed than inferred data.

    This final panel got quite technical in its discussion but proved to be a truly informative and detailed review of the Data Act and perfectly completed the close of the conferences.

    Overall Reflections

    Overall, the 2025 CEDPO Conference, through its topics and speakers, underscored how Europe is transitioning into a new digital era. This transition, however, is not without its challenges. The feeling from the conference was that Europe has over regulated, something that was once its strength in the world has now become somewhat of a burden that needs to be lessened, especially for the majority of EU businesses that are small to medium-sized enterprises. This environment of legislation-dense governance is one that challenges regulators, DPOs, and policymakers alike. The future now consists of refocussing on innovation while also ensuring accountability.

    Finally, what stood out most for me during these two event-filled days was the continued spirit of collaboration and transparency among our European counterparts that are shaping this transformation. The energy and enthusiasm has not waned, so onwards we march.

    Dr. Maria Moloney Senior Researcher and Consultant of PrivacyEngine

    About Dr. Maria Moloney

    Maria is the Chief Privacy Officer (CPO) for the European COST Action entitled “Fintech and Artificial Intelligence in Finance”. She also serves as Senior Privacy Researcher and Consultant at PrivacyEngine.

    She is a Fulbright scholar, and her interests now lie at the intersection of data protection and AI. She is vice-chair of the CEDPO (Confederation of European Data Protection Organisations) Working Group on AI, where she co-authored a series of policy papers on the potential impact of the EU’s proposed AI Act on the role of the data protection officer.

    She has published on privacy at the EU policy level and in multiple academic journals.

    Share this

    YOU MIGHT ALSO BE INTERESTED IN

    Check out these PrivacyEngine posts that are related to AI

    A Comprehensive Overview of the EU CSRD ESG Regulation for Businesses
    8 Minute Read

    A Comprehensive Overview of the EU CSRD ESG Regulation for Businesses
    Data Breach Management Simplified with PrivacyEngine Solution
    8 Minute Read

    Data Breach Management Simplified with PrivacyEngine Solution
    Mandatory AI Literacy: Compliance in the Age of Regulation
    8 Minute Read

    Mandatory AI Literacy: Compliance in the Age of Regulation

    Try PrivacyEngine
    For Free

    Learn the platform in less than an hour
    Become a power user in less than a day

    Get Started For Free
    Schedule Demo
    PrivacyEngine Onboarding Screen