Entries submitted
B1 – Entry by: Autoridade Nacional de Proteção de Dados – ANPD
Description of the initiative:
The initiative involved the creation and public availability of interactive dashboards on the ANPD website, developed by the Security Incident Treatment Coordination of the General Coordination for Oversight (TIS/CGF/ANPD).
The primary objective is to provide information on security incidents reported to the Authority, while also fostering active transparency by enabling the public to monitor and understand the Coordination’s work in analyzing and handling such incidents.
These dashboards are updated in real time and offer stakeholders a clear and categorized view of key information, such as:
- Location where the security incident occurred (federative unity) – Estado.
- Public or private sector involved – Setor.
- Market segment – Segmento.
- Type of incident – Tipo de incidente.
- Type of communication (preliminary, supplementary or complete) – Tipo de comunicação.
In addition, there is a dashboard that specifically addresses the Incident Investigation Procedures (PAI) investigations initiated ex officio, triggered by complaints, or media reports — in which ANPD investigates whether a security incident occurred. The data covers the period from 2021 to the current year, providing both a historical and up-to-date overview.
The page hosting the dashboards was completely redesigned to enhance user experience, adopting a more user-friendly and functional interface for the public.
With this initiative, the Security Incident Treatment Coordination (TIS) strengthens communication with society, expands access to information and prioritizes best practices in transparency and accountability in public administration.
Most importantly, it advances the continuous pursuit of improvement and innovation in public services, always aiming at the effective implementation of public policies within the institution.
The central idea behind the development of the interactive dashboards emerged as a response to the high volume of information requests regarding security incidents received by ANPD — whether through the Ombudsman via Fala.br, or via emails sent directly to the Coordination.
Why the initiative deserves to be recognised by an award?
This initiative represents a significant advancement in the sharing of information related to security incidents, strengthening active transparency and accountability to society, especially considering the sensitive nature and public interest surrounding the topic. By providing up-to-date data directly to interested parties, ANPD demonstrates public confidence in its work, offering valuable insights for citizens, researchers, the press, and organizations concerned with the subject.
Interactive dashboards enhance data navigation and understanding, making information accessible to all audiences. They empower citizens to verify whether personal data breaches have occurred in their respective Federative Units (UF/Estado), enabling them to assess potential risks involving organizations with which they have relationships.
Such efforts also reflect institutional maturity by documenting and publicly communicating ANPD’s ongoing work in the investigation and handling of incidents.
In addition, the user-centered redesign of the webpage, combined with the continuous maintenance of up-to-date information, positions the initiative as a potential model of best practices – one that can be replicated by other data protection enforcers in Brazil and internationally.
B2 – Entry by: Autoridade Nacional de Proteção de Dados – ANPD
Description of the initiative:
Between June 2023 and March 2024, ANPD and the Executive Consulting Unit “Simplifica” of the Ministry of Management and Innovation in Public Services worked on mapping and redesigning the “Request Handling” process, under the responsibility of the Monitoring Division within the General Coordination for Supervision.
This initiative took place within the scope of another program that offered mentoring for process simplification projects across the Federal Government.
To that end, the following methodology was applied:
(1) Process prioritization;
(2) Schedule (WBS);
(3) Diagnosis;
(4) Process modeling;
(5) Problem and Solution Matrix;
(6) Process redesign;
(7) Standardization;
(8) Creation of artifacts;
(9) Automation;
(10) Final report.
The pilot project was implemented in February 2024.
The “Request Handling” process deals with submissions by data subjects reporting violations of their rights or breaches of the LGPD.
One of the main challenges faced by data subjects was the need to register in ANPD’s electronic system in order to file a request. This process was slow and involved:
(1) filling out an online form,
(2) emailing a signed statement and copies of identification documents,
(3) verification of the information by the protocol team, and
(4) creation of a password.
If everything went smoothly, it could take up to three days—time the individual had to wait before being able to officially submit a request. In short, it was a procedure that discouraged people from submitting their claims. At that time, ANPD received an average of 120 requests per month.
The old system used for receiving requests was not integrated with other platforms and was not intuitive or widely understood by citizens.
The new service, along with the solutions implemented during the process redesign, has positively contributed to the efficiency and transparency of internal workflows, enabling clearer communication, operational execution, and decision-making.
Following the implementation of the service, ANPD began receiving an average of 750 requests per month—a 525% increase.
The most significant changes involved simplifying the registration process and improving the request form.
The service now accepts the federal government’s unified login system (with over 150 million registered users) for accessing digital public services.
Why the initiative deserves to be recognised by an award?
In the words of Minister Hélio Beltrão (Decentralization and Freedom, 2002), “Landing in the real Brazil involves […] simple and inexpensive solutions, tailored to our realities […] and, above all, to the low standard of living of the majority of our people.”
The collaborative network-based approach has enabled the rational use of public resources, preventing rework and waste.
The service not only improved the institution’s internal processes but also added value to the Public Administration and, most importantly, to society—resulting in a more efficient, transparent, and responsive service. It reflects the commitment of the Brazilian public sector to building a fairer and more inclusive society.
By integrating with the federal government’s unified login system (with over 150 million registered users), the new service has made it easier for data subjects to exercise their rights and communicate with the ANPD. This progress is evident in the number of requests received. Following the implementation of the service, ANPD went from an average of 120 requests per month to 750—an increase of 525%.
Alongside the new service, ANPD also redesigned its webpage, providing step-by-step instructions in plain language on how to submit complaints or petitions (see link 1 in item e).
B3 – Entry by: Autorité de Protection des Données Personnelles (APDP – Monaco)
Description of the initiative:
Named Céos, “he who thinks”, in reference to the Titan of intelligence in Greek mythology, the APDP’s virtual assistant can answer the users’ questions in many different languages about personal data protection and security in the Principality of Monaco.
Developed in a dedicated, secure, isolated environment hosted in France, Céos does not collect any personal data. The users’ IP address is not collected. Conversations are encrypted and anonymized. They are kept for a maximum of 7 days to improve the operation of Céos. Only administrators have access.
The Céos operating database is made up mainly of information available on the APDP website.
Deployment is to take place in 2 stages.
In the 1st phase (current phase), it provides users with quick detailed answers on Law no. 1.565, which was recently passed (December 3, 2024) and data protection in the Principality. In particular, it informs data controllers of their obligations and individuals of their rights. It also tells them where to find the various documents available on the brand new APDP website (practical information sheets, model letters for lodging complaints, model registers of activities and processing, etc.).
In a second phase (end 2025), it will support data controllers in achieving compliance. By means of simple questions to answer and direct links to relevant information documents (definitions, examples, practical information sheets, etc.), it will guide them in filling in the register of processing activities and the register of data breaches, as well as in carrying out their impact analysis.
Why the initiative deserves to be recognised by an award?
Law no. 1.565 of December 3, 2024 governing data protection in the Principality of Monaco is very recent, and people – data controllers and individuals alike – have a lot of questions. In early 2025, the APDP launched a new website, which it regularly updates with documents (fact sheets, guides, etc.) and tools (forms, register templates, etc.).
To make this information more accessible and easier to use, the APDP decided to equip itself with an AI virtual assistant that enables users to quickly find available information and all the help they need to fill in the various documents, all in strict respect of their privacy since not personal data is collected. Its operating database is made up mainly of information available on the APDP website.
The aim is not to replace the legal or technical advice provided by APDP agents, but to use AI technology to help users navigate the site and make the most of the tools at their disposal.
B4 – Entry by: Croatian Personal Data Protection Agency
Description of the initiative:
Although the General Data Protection Regulation (GDPR) has been in force since May 2018, achieving full compliance remains a significant challenge, particularly for small and medium-sized enterprises (SMEs). To address these challenges, the Croatian Personal Data Protection Agency, in cooperation with its partners, developed Olivia: an innovative, open source, user-friendly, and interoperable digital tool specifically designed to support SMEs throughout their GDPR compliance journey.
Olivia offers a comprehensive package of educational and practical resources. It includes fifteen data protection courses that address all key obligations of data controllers and processors as defined by the GDPR. Each course consists of both theoretical and practical components. In the theoretical part, users can explore lessons explaining specific GDPR obligations, view educational videos, and take quizzes to assess their knowledge. The practical modules provide data controllers with templates and tools to generate internal documentation that demonstrates compliance and accountability. Additionally, the Olivia platform hosts twenty webinars covering a range of data protection topics. These webinars are permanently accessible and free of charge to all interested stakeholders.
Olivia is a virtual teacher and assistant at the same time. Olivia contains a small online academy that offers to SMEs, but also to all data controllers, a series of learning modules to improve their knowledge in the field of personal data protection, and also serves as a practical tool to help organisations create internal documents to prove their compliance and accountability. It was successfully launched in 2024 and will be regularly updated to ensure its continued relevance and effectiveness. The Croatian DPA is now working on the development of modules on the interplay between GDPR and Artificial Intelligence.
To further support users, a detailed user manual, handbook, and an instructional video have been developed and uploaded to the Olivia platform to serve as a lasting educational resource. The “Olivia” digital tool has empowered SMEs, but also data protection officers across the EU, to improve GDPR compliance through user-friendly support, educational resources, and international collaboration. It enhances SMEs’ expertise, encourages a culture of privacy, and promotes EU-wide engagement through its open-source, multilingual design. Olivia is adaptable and scalable, enabling the seamless integration of new modules and language versions to support GDPR compliance across diverse national contexts.
Why the initiative deserves to be recognised by an award?
Olivia deserves recognition because it represents a pioneering, practical, and sustainable response to a genuine need among SMEs for GDPR compliance support. Despite being in force since 2018, the GDPR remains challenging, especially for smaller businesses with limited resources. Olivia bridges this gap through an open-source, interoperable, user friendly digital tool that combines high-quality educational resources with practical compliance support, empowering SMEs to meet their legal obligations confidently and effectively.
The initiative goes beyond traditional training by offering fifteen structured data protection courses, practical templates to generate internal compliance documents, twenty permanently accessible webinars, and educational videos, all freely available in English. This innovative approach fosters a culture of privacy, strengthens the data protection ecosystem, and supports the consistent application of GDPR principles across various national contexts.
Moreover, Olivia promotes international cooperation and future-proofs its impact by enabling seamless integration of new modules. By combining education, practical tools, and international collaboration, Olivia sets a unique and replicable standard for raising awareness and improving compliance across the EU and wider. This makes Olivia truly worthy of recognition as an outstanding and innovative data protection initiative.
B5 – Entry by: European Data Protection Supervisor
Description of the initiative:
In response to the rapid pace of development of artificial intelligence, and increasing risks to fundamental rights on large online platforms, countries around the world are passing laws that intersect with privacy and data protection frameworks. Some of these laws provide the various competent authorities with new tools to promote a sustainable and rights-oriented digital economy. However, they also lead to parallel investigations by various authorities into the same practices of the same entities, with a potential for regulatory conflicts and inconsistencies in relation to data-related practices. Therefore, the EDPS observes a need for greater cross-regulatory cooperation to avoid an inconsistent application of legal requirements in this complex landscape.
To this end, the EDPS has identified key areas to work on, based on current initiatives rolled out in the EU and beyond and the feedback received from various stakeholders. This encompasses the need for a coherent and consistent application of EU law in the digital economy, in particular of the so-called ‘EU Digital Rulebook’ (including the Digital Services Act, the Digital Markets Act, the Data Act and the Artificial Intelligence Act); the need for cross-regulatory cooperation between competent regulators; and the need to uphold data protection as the backbone of this digital regulatory framework.
Building on an earlier experience that ran from 2017 to 2021, the EDPS proposes the establishment of a Digital Clearinghouse ‘2.0’ that would provide authorities and bodies with a forum to exchange and coordinate on issues of common interest. This forum should facilitate proactive, collaborative efforts among participating authorities to address potential issues before they become practical problems, ensuring that different authorities are aligned on goals, methods, and responsibilities to avoid duplication of efforts or inconsistencies in their actions.
A Digital Clearinghouse 2.0 should promote cooperation in ‘variable geometry’, providing relevant authorities, bodies and networks the flexibility to join only discussions and working groups on issues where they have or need relevant expertise. This Clearinghouse should have a permanent Secretariat to assist in the timely delivery of concrete outcomes, such as joint statements and guidelines that garner each participant’s expertise. The Digital Clearinghouse 2.0 should also become a forum where participating authorities lawfully share information about their ongoing enforcement actions.
Why the initiative deserves to be recognised by an award?
The EDPS’s initiative acknowledges the proliferation of legal requirements that companies operating in the digital economy need to comply with – data protection being key among them – and proposes a pragmatic solution for the various competent regulators to align and increase legal certainty.
The Digital Clearinghouse 2.0 would be a forum to promote cross-regulatory cooperation at EU level, building upon initiatives for cross-regulatory cooperation that are operating in different regions (Australia, Canada, the UK, Ireland, the Netherlands, France, and Germany). This initiative is aligned with the strategic objectives of the GPA to:
- Map cases of intersection between personal data protection, competition, consumer protection, and other intersecting regulatory spheres;
- Identify barriers to cross-regulatory cooperation and develop or advocate for solutions where they do not exist;
- Encourage and facilitate greater bilateral or multilateral cross-regulatory cooperation between DPAs and other regulatory authorities.
This proposal of the EDPS feeds the current discussion between the European Commission, the European Parliament and EU Member States on how to ensure simplification and competitiveness for businesses. One of the ways to pursue such goals is through enhanced dialogue, cooperation, and coordination among regulatory bodies to ensure a predictable and effective legal environment that places fundamental rights at the core.
B6 – Entry by: Garante per la Protezione dei dati personali (GPDP)
Description of the initiative:
In 2020, the GPDP launched a pilot program to prevent the dissemination of intimate content on social media platforms. This initiative marked the first institutional attempt to use technology in support of victims of non-consensual pornography, focusing on the early identification and blocking of sexually explicit content before it could be shared online.
To this end, the GPDP also established a dedicated internal taskforce to handle cases involving the non-consensual disclosure of intimate images and developed a fast-track emergency procedure to prevent their dissemination.
With the adoption of Law No. 205/2021 on “revenge porn,” this procedure was formally recognized and incorporated into national legislation, giving the GPDP an explicit legal mandate to act in this area. The law amended the Italian Privacy Code (Legislative Decree No. 196/2003) by introducing Article 144-bis, thus consolidating the Authority’s role in protecting individuals from the unlawful sharing of sexually explicit images and videos without their consent.
The initiative adopts a preventive and victim centered approach. Individuals can submit a report via a simplified online form, accessible without legal assistance. The GPDP promptly assesses each case and, where appropriate, issues urgent measures within 48 hours to prevent the dissemination of the content. To ensure maximum confidentiality, materials are processed and shared with platforms in hash format only.
This tool is available to both adults and minors, with particular attention to the heightened vulnerability of younger users. Accessibility, confidentiality, and timeliness are its defining features, enabling intervention before harm occurs.
The GPDP has also established direct, structured channels with major online platforms and digital service providers, ensuring prompt compliance with removal or blocking orders. In parallel, it has promoted awareness campaigns and educational activities – especially in schools – aimed at fostering a culture of respect, consent, and digital dignity.
Since June 2024, reports submitted through the dedicated channel have increased by 70%, reflecting growing public trust and awareness. The initiative has enabled hundreds of timely interventions and has become a key reference point for those seeking immediate protection from digital abuse.
Why the initiative deserves to be recognised by an award?
This initiative is a clear and effective response to a serious and growing problem: the non-consensual sharing of intimate images online. It is a harmful form of digital violence, often targeting women and minors, with serious emotional and personal consequences.
The GPDP created a simple, fast, and accessible tool that allows people—even very young users—to act quickly and stop the spread of such content before damage is done. It’s a practical system that works and has already helped many individuals.
Since June 2024, reports have increased by 70%, showing how urgent the issue is and how valuable and trusted this initiative has become.
This project shows that a data protection authority can play a key role not only in enforcing rules, but also in protecting people’s rights and preventing real-world harm.
The approach is innovative and, with the ongoing development of technology, is expected to deliver increasingly concrete results. It can serve as a model for other countries. This initiative combines efficiency, speed, and a strong focus on individuals, contributing to the creation of a safer and more respectful digital environment.
B7 – Entry by: Hellenic Data Protection Authority
Description of the initiative:
Τhe Hellenic Data Protection Authority developed a comprehensive privacy education initiative specifically tailored for children, focusing on the safe and informed use of online services, as part of the project ‘byDefault‘, funded by the European Union’s CERV program.
In its initial phase, the project developed educational resources that featured clear learning objectives and age-appropriate messaging. These materials were then evaluated and refined to ensure pedagogical effectiveness, incorporating a variety of learning methods to engage diverse student needs and learning styles.
An educational tool was developed to train primary and secondary school students, with the goal of strengthening their understanding of privacy and data protection. This tool is a hybrid physical-digital augmented reality (AR) game called Tzimanious (meaning “smart cookie”). Through gameplay, students learn to navigate the Internet wisely and cleverly, gradually developing a form of digital expertise.
The AR game combines both physical and digital (“phygital”) features: it consists of physical components, such as a board, pawns and cards, as well as digital elements (an app must be installed on the mobile or tablet to be used during the game process) and aims to make students aware of how to protect their personal data. It is played by 2 to 6 players or groups. The goal of each player/group is to move their pawn through the eight stations of the game, answering questions about personal data and collecting as many diamonds as possible.
Ultimately, the AR game and the accompanying educational material are expected to be incorporated into the school curriculum at both primary and secondary levels. This development stems from a proposal submitted by the Hellenic Data Protection Authority to the Minister of Education, who proved to be an enthusiastic supporter of the initiative.
Furthermore, as part of the project, a training and support program for teacher development has been created in order to establish a culture of responsibility and respect for personal data within the educational community. This is achieved by enhancing teachers’ knowledge and skills, thereby increasing their ability to promote these issues among their students.
Why the initiative deserves to be recognised by an award?
The interactive AR game combines a traditional board game format with modern technology to keep children engaged and encourage organic peer-to-peer sharing, thereby enhancing learning outcomes.
It addresses key topics such as Internet and social media use, the concept of personal data, and risks related to sharing children’s data online. It also offers practical guidance on navigating social networks, recognizing suspicious behavior, understanding cookies, and identifying manipulation tactics online.
The game was pilot-tested in real classroom settings after a 4-hour webinar that trained participating teachers. Over 500 students from more than 20 classrooms across public and private schools in Greece took part in the pilot phase. Results showed a positive impact on both learning and classroom dynamics.
Combining Augmented Reality (AR) with Game-Based Learning (GBL) proved pedagogically effective: AR enables interaction with real-world learning objects like maps and books, while GBL introduces a playful element. Together, they create an immersive and engaging educational experience.
The game is ready for use in schools, and the HDPA plans to make it accessible to any other interested stakeholders.
B8 – Entry by: Information and Privacy Commissioner of Ontario (IPC)
Description of the initiative:
The Office of the Information and Privacy Commissioner of Ontario launched the Transparency Challenge to encourage government openness and provide a unique and creative forum for institutions to showcase their innovative projects that advance open data and government transparency in ways that improve Ontarians’ lives.
This year’s showcase focuses on model ways that government institutions are building trust with their citizens by balancing privacy and transparency in the way they collect, use, and disclose personal information.
The exhibits are each represented by a unique piece of artwork. This collection has been specially curated to shine a light on best-in-class efforts in transparency and access to government information for the benefit of Ontarians.
The IPC’s Transparency Showcase illustrates the importance of access rights, transparency and open government. The virtual gallery offers visitors a chance to browse the projects through captivating audio and video, graphics, and descriptions that bring the initiatives to life.
The breadth and quality of exhibits from across Ontario’s public institutions, including, provincial ministries, municipalities, schools, universities, and police services, provide inspiring models for other institutions to follow.
Featured exhibits include:
- City of Toronto’s Public Walking Tour educates the community on sensor technology and privacy implications through an interactive walk in the Entertainment District.
- Town of Innisfil’s Technology in Public Spaces provides interactive signage to inform residents about technology embedded in public spaces, such as sensors in park waste bins.
- McMaster University’s “AI Dialogues” podcast series explores the ethical and practical questions of generative artificial intelligence (AI) in higher education, complementing consultations that are shaping new guidance
data-contrast=”auto”>Today, more than 30 projects are featured in two virtual galleries, providing a remarkable range of initiatives aimed at increasing understanding and appreciation for open data and access to government information. The goal is to inspire others towards greater transparency as well.
Why the initiative deserves to be recognised by an award?
Transparency is about empowerment and helps build public trust. It equips people with the information they need to participate meaningfully in the democratic process, engage in constructive discourse, and hold their governments accountable. It’s the bedrock that democracy is built on, inspiring public trust and providing trustworthy, evidence-based information to shape public policies, programs, and services that improve peoples’ lives.
As data protection regulators, our role is not only to sanction bad behaviour, but to encourage good behaviour too. The IPC’s Transparency Showcase celebrates the beauty and benefits of government transparency and open data for the day-to-day lives of Ontarians, inspiring other institutions towards greater transparency too. Ultimately, we believe this unique initiative builds a culture of compliance and underscores just how important transparency is to a healthy democracy.
B9 – Entry by: Information Commissioners Office
Description of the initiative:
We recognised that social media and video streaming is a rapidly evolving market. We first identified apps of interest. We selected 34 social media and video streaming platforms with Terms of Services which allow under 18s to use them. We focused on creating accounts for a 13-17 year old and attempted sign-up as an under 13 year old so that we could have better understanding of the real-life experiences of children.
Over 4 weeks of testing we created new user accounts using proxies for children of different ages to replicate the sign-up processes that children would follow. We recorded the steps a child would need to take to set up an account, the default settings platforms offered, any privacy information provided to users and basic app functionality (including making a post).
Prior to the research started we created a walkthrough methodology, template log to record actions and series of proxy users details and email addresses. We did not interact with other users. We used proxy information to create each account with a different persona and individual contact details. We trained a small multidisciplinary team to undertake testing on real devices.
We used a mix of Android and iOS devices to test real-world experience. We logged each action we took to create a written time-stamped record, in addition to making screen recordings and screenshots. This methodical approach created a baseline of understanding from which we could also assess any future changes made.
Once data was recorded it was assessed and RAG rated over 4 different areas:
- Targeted advertising,
- Accounts being private by default,
- Geolocation settings, and
- Age assurance measures.
In our first tranche of testing we undertook 92 separate tests. We used this work to focus engagement and regulatory action. We also created a comparison table which we’ve published providing information to the public on each platform.
We’ve subsequently developed this work in certain cases setting up multiple proxy accounts to understand what data is processed and shared when users interact with each other. We’ve also developed a framework to assess harmful material that we’ve observed through testing.
Why the initiative deserves to be recognised by an award?
This work has added to the current understanding of what children are doing online and directly links that to where we can improve the landscape. This has provided us with real world experience which framed our understanding alongside other academic, regulatory, governmental and civil society sources.
Transparency has been a key driver of this work. Not only has it informed strategy and engagement, it’s also been used to inform the public and push publicly for change. Through this work we’ve published high level findings and a comparison table.
We created a methodology for testing that is robust, replicable with a fast turnaround. We were able to manage this process with existing internal resources – something that
other DPAs could do.
We have a much better understanding of what we hear from stakeholders as we’ve directly experienced it. This has allowed us to move at pace and be targeted in our work, focussing on areas of highest impact and allowed us to secure tangible changes across a range of areas (including targeted advertising, geolocation processing and default privacy settings). This also provides us with a better understanding of the impact of our work on real life experiences.
B10 – Entry by: UK Information Commissioner’s Office
Description of the initiative:
Generative AI poses novel challenges to people’s information rights and to the application of data protection law. These challenges include:
- the vast scale of web-scraping that occurs to build some of the most widely used datasets for training generative AI models – often without people knowing their data has been used in this way;
- the purpose(s) that people’s data is used for and how these are determined and justified;
- the accuracy of the data used to train these models, and the accuracy of outputs produced by them;
- how people can exercise their information rights, particularly if they don’t know their data has been processed in the first place; and
- who is responsible for complying with data protection law when models are accessed by deployers in different ways (such as through an application programming interface or by downloading an openly available model).
To understand these challenges better and test our thinking on how data protection law applies in these circumstances, we wanted to engage widely and put our initial approaches to each challenge into the public domain. In 2024 we ran a consultation
series, gathering views from the public, tech companies, legal firms, the creative industries and trade bodies. We sought input on the following:
(1) the lawful basis for web-scraping to train a generative AI model
(2) purpose limitation in the generative AI lifecycle
(3) accuracy of training data and model outputs
(4) engineering individual rights in generative AI models, and
(5) allocating controllership across the generative AI supply chain.
We published the results of the consultation in December 2024. We retained our positions on (2), (3) and (5), and refined our positions on (1) and (4). A key finding of the consultation was a serious lack of transparency, especially in relation to training data within the industry, which the consultation responses show is negatively impacting the public’s trust in AI. Without transparency, it is hard for people to exercise their information rights and hard for developers to use legitimate interests as their lawful basis to use web-scraped data to train their models.
Why the initiative deserves to be recognised by an award?
This consultation and final report represented the first detailed guidance from any data protection authority on generative AI. Our open, engaging consultation process meant that this was well-received by stakeholders including AI developers, the creative industries and civil society. Our positions have been mirrored in subsequent EDPB guidance, and the Spanish data protection authority has translated the section on ‘Tackling Misconceptions’ into Spanish (see here).
The iterative nature of the consultation provided a wide range of stakeholders with space to consider each issue in depth. It also allowed the ICO to understand each issue from a variety of viewpoints, and enabled us to consider the impact of generative AI and data protection law on different sectors.
As generative AI scales across the economy, our final report enables actors across the generative AI chain to understand how data protection law applies to this novel technology, allowing them to innovate in a compliant way.
B11 – Entry by: Information Commissioner’s Office
Description of the initiative:
Our helpline and website data showed that privacy notices were one of the most asked about topics. We had a privacy notice guide and template on our website, but it didn’t seem to be meeting our customers’ needs.
SMEs told us they weren’t always sure what to put in their privacy notice, and others didn’t feel confident that their existing one was robust.
A key ICO mission is to make it easier for all organisations to comply with data protection law, so we knew we could, and should, do more to help. We wanted to create a solution that meant SMEs could spend less time worrying about their privacy notice, and more time doing what they do best – serving their customers.
SMEs and sole traders don’t have the same in house legal and compliance expertise as larger organisations, so our solution needed to give them confidence that their privacy notice was robust, and save them time and money.
We conducted customer focus groups, which revolutionised our initial concept and took us back to the drawing board! SMEs loved the idea but wanted more speed and simplicity.
This feedback guided our agile working group of colleagues from across the ICO’s legal, policy, business services, economic, digital and communications teams.
Through much collaboration, the beta version of the privacy notice generator launched in April 2024 to a great reception from users, and further user feedback helped us evolve the tool for full launch in August 2024.
Since April 2024, the privacy notice generator is the most popular page on the advice for small organisations section of the ICO website, with 43,601 visits to the tool landing page. So far, 10,009 organisations have used it to create their own privacy notice – and counting!
Feedback is overwhelmingly positive. Organisations from a range of sectors are using it, including retail, manufacturing, charity, voluntary, health, social care, education and childcare.
In less than a year, the tool has not only helped save SMEs time and money, it’s made iteasier for them to respect the public’s right to be informed.
Why the initiative deserves to be recognised by an award?
The privacy notice generator demonstrates how regulators can ease the burden of legislation requirements on SMEs, leading to fewer constraints on industry growth and better consumer protection.
The initiative was user led, we identified a problem from user feedback, re-designed the tool to address it, and evolved it using user feedback.
We’ve had strong results to date:
- 89% increase in average monthly visits compared to the privacy notice template (3,114 v’s 1,646)
- 69% who visit their sector start page generate a privacy notice, exceeding our 20% target
- All target sectors have used the tool. The breakdown of generated notices by sector is:
- 30% professional services
- 39% general business / retail / manufacture (option to be chosen if other categories are unsuitable)
- 14% charity and voluntary
- % health and social care
- 6% education and childcare
We’ve had great feedback. This is one example from a small business:
“The privacy notice generator is incredibly user-friendly, with a handful of questions it created a privacy document for my website. Legal jargon can be tricky to navigate, but it covers all the necessary elements. The fact it’s free [of charge] is mind-blowing.”
B12 – Entry by: Information Commissioner’s Office, UK
Description of the initiative:
UK BCRs are an ‘appropriate safeguard’ under Article 47 UK GDPR. When approved by the ICO, they allow multinational organisations to freely transfer personal data internationally within their corporate group.
Post Brexit, many BCR holders who had BCRs approved in the EU could no longer use their BCRs for restricted transfers from the UK if the ICO was not involved in the original approval decision. They had to submit a new standalone UK BCR application even though this was duplicative and costly. At the time, the application and approval process was lengthy; it could take years to obtain an approval.
To solve this problem, the ICO drafted and introduced the Addendum and supporting guidance.
The Addendum is the legally binding instrument which underpins the UK BCRs. It simply adapts an approved EU BCR to form a new standalone UK BCR. The terms of the Addendum ensure that UK BCRs comply with all requirements of Article 47 UK GDPR. The Addendum can be used as a template, which applicants can adapt (in parts) to suit their business needs, or it can be used as a standard form. Using the Addendum as a standard form speeds up the approval process considerably.
The application process using the Addendum is simple. Applicants fill out the template Addendum (using the guidance for support) and produce a short UK BCR Summary (which explains to UK data subjects the impact of the UK BCRs on them). Applicants submit the Addendum to the ICO for approval. The approval process is significantly quicker than the traditional UK BCRs approval process and has reduced approval times considerably.
Many BCR holders are represented by legal teams. Feedback since introduction of the Addendum amongst the legal community has been extremely positive.
Why the initiative deserves to be recognised by an award?
UK BCRs are regarded as the gold standard of international transfer mechanisms. They ensure that UK data subjects can easily seek redress (for breach by a third country group member) within the UK courts, and the UK lead group member will take on full liability as if they committed the breach themselves. The ability to speed up and extend the use of UK BCRs is an extremely positive step.
There are many barriers to the free flow of data with trust, not least because of the diverse array of privacy systems and jurisdictions around the world. Simplifying the process for UK BCRs helps to bridge this gap in a small but meaningful way.
It is hopeful that the Addendum could be used as a model and example for other jurisdictions to follow to help facilitate international transfers.
Ultimately, the introduction of the Addendum promotes growth and innovation for businesses and supports the safe flow of personal data internationally whilst providing data subjects with considerable protection and redress.
B13 – Entry by: Instituto de Transparencia, Acceso a la Información Pública, Protección de Datos Personales y Rendición de Cuentas de la Ciudad de México
Description of the initiative:
SIVER (Personal Data Verification System) is an innovative, open-source digital platform developed by INFO CDMX to monitor compliance with personal data protection obligations by public institutions in Mexico City. Created in response to the COVID-19 pandemic, SIVER emerged as a strategic technological solution to ensure the continuity and strengthening of verification procedures in a digital, secure, and efficient way.
SIVER is structured around five core stages—initiation, review, accompaniment, follow-up, and compliance—aligned with regulatory deadlines. It enables:
- Virtual planning and execution of personal data verifications and audits
- Role-based access for six distinct user types, including IT administrators, data protection directors, verifiers, advisors, and regulated entities
- Centralized archiving and storage of verification files and outcomes
- Automated notifications to ensure compliance with legal timeframes
- Direct communication channels between the supervisory authority and regulated entities
- Real-time dashboards and statistics for better monitoring and institutional diagnostics
- Generation of qualitative and quantitative reports, supporting the development of risk-based work plans
Since its implementation in 2022, SIVER has delivered tangible benefits in the field of personal data protection oversight:
- Efficiency: Verification time has been reduced by 60%, increasing the annual number of verified institutions and processing operations
- Sustainability: Eliminated the need for physical files and reduced institutional travel by 95%, significantly lowering environmental impact
- Cost-effectiveness: Lower operational costs thanks to digitalization of procedures
- Accountability and transparency: Objective, traceable, and standardized results strengthen regulatory certainty and institutional trust
- Strategic insight: Comparative metrics and evaluations allow authorities to identify compliance gaps and areas for improvement. Verification data serves as the foundation for diagnostics, targeted action plans, and evidence-based policymaking to strengthen personal data protection.
Moreover, SIVER’s open-source development has enabled INFO CDMX to share it freely with other data protection authorities in Mexico. Through the 2023 initiative “SIVER in your local authority”, 10 local data protection authorities signed cooperation agreements to adopt the platform. This reinforces a model of cooperative federalism, leveraging technology as a public good to strengthen the right to personal data protection across jurisdictions.
Why the initiative deserves to be recognised by an award?
SIVER exemplifies how innovation and public interest can converge to transform regulatory practices. Beyond improving oversight, it strengthens compliance with the principles, duties, and obligations established in the legal framework, ensuring the privacy and protection of individuals’ personal data.
What began as a response to the COVID-19 pandemic has evolved into a scalable and sustainable platform with proven benefits. Its open-source and modular design allows authorities to adopt and adapt it according to local needs, without financial or technical barriers, and opens the door to continuous improvement through emerging technologies such as artificial intelligence.
The success of the “SIVER in your local data protection authority” initiative—through which 10 subnational authorities have already implemented the platform—demonstrates its flexibility, scalability, and national relevance. This experience also reinforces cooperative federalism by promoting shared tools and standards.
Given its positive outcomes, SIVER is now well positioned to be shared at the international level, offering a replicable model for enhancing transparency, accountability, and regulatory efficiency in personal data protection.
Recognizing SIVER means acknowledging a broader vision of collaborative digital innovation that makes data governance more inclusive, effective, and resilient in a global context.
B14 – Entry by: Irish Data Protection Commission (DPC)
Description of the initiative:
The DPC took an innovative approach to AI through placing a focus on establishing consensus among data protection authorities on matters central to the training and operation of AI models at an early stage of AI deployment in Europe, and following up with companies deploying AI to ensure that they knew the requirements for such processing under the GDPR.
First, the DPC engaged the European Data Protection Board (EDPB) to provide a formal GDPR Opinion, to achieve Europe-wide regulatory harmonisation and clarity on a number of key AI model training and deployment related questions. The AI Opinion, which was issued in December 2024, provided general criteria that the DPC and all other EU DPAs would take into account when assessing compliance of the processing of personal data for the development and the deployment of AI models.
Secondly, the EU wide harmonised approach achieved through the AI Opinion allowed the DPC to provide clear, consistent advice to companies deploying AI models in Ireland and across Europe, which enabled innovation. The DPC’s goal at pre-processing stage was to ensure that companies innovate responsibly, mitigate identified harms and risk to individuals and appropriately consider individuals’ rights by balancing their interests against the companies’ interests. DPC engagement resulted in numerous companies implementing improvements and additional safeguards e.g. DPC provided 97 recommendations for pre-processing improvements to multiple controllers including Pinterest, Google, Apple, OpenAI, Microsoft, Meta, LinkedIn, Airbnb, TikTok, and Riot.
The engagement approach meant that DPC could encourage responsible innovation in AI. Notably, the DPC used its full range of regulatory functions as part of this engagement, ranging from a recommendation to pause roll out to obtaining court orders to cease processing relating to AI. The fact that the DPC had obtained the AI Opinion as a first step meant that companies, knew that the advice provided was an agreed and harmonised approach across Europe.
Why the initiative deserves to be recognised by an award?
Through positive engagement with peer regulators and companies, the DPC considers we have demonstrated how innovation and privacy can work hand in hand. We consider this approach should be recognised by the GPA in a context where data protection and privacy are often incorrectly charaterised by some as being responsible for stifling innovation.
The DPC approach seeks to ensure a new product or service (at high level) meets data protection requirements before it goes live to avoid difficulties after product launch. As previously mentioned the DPC has engaged intensively with many of the leading technology companies at the forefront of AI developments in particular concerning the use of personal data to train Large Language Models in the EU/EEA for the past few years.
Whilst acknowledging that aspects of the application of GDPR to this fast changing technology remain complex, through engagement with peer supervisory authorities and companies, the DPC has ensured that companies understand that innovation and technological developments can work simultaneously with reducing the risk of harm to individuals. We consider this is a very positive example and a blueprint for how data protection authorities can work to deliver their mandate while faced with new technologies.
B15 – Entry by: The Office of the Data Protection Commissioner
Description of the initiative:
As Artificial Intelligence (AI) continues to be a key technological enabler offering a wide range of new opportunities to break down existing barriers to human development and social inclusion in data protection, The Office in partnership with GIZ leveraged the Opportunity to address the gap and achieve the Sustainable Development Goals (SDGs) through a sustainable, affordable and easily accessible AI solution.
The Objective of the was to:
i. Address awareness gaps around data protection and privacy, especially enquiries of data subjects, processors and controllers; and
ii. Improve the overall state of compliance with the Data Protection Act (DPA) 2019.
The Solution was launched on 28th February 2024 during commemoration of annual data privacy day making the Office the first data protection authority and government institution to leverage AI.
The Office has been able to realize the following benefits through the innovation:
i. Instant Response and 24/7 Availability: The chatbot is available round the clock, providing instant access to important data protection information at any time, irrespective of geographical locations or time zones.
ii. Personalized Engagement: ODPC chatbot has been programmed to understand user preferences and tailored to their responses, accordingly, delivering targeted information, making awareness campaigns more relevant and effective for individual users.
iii. Scalability: The chatbot can handle a large volume of data protection queries simultaneously, making it scalable for widespread awareness campaigns.
iv. Sustainability and Cost-Effectiveness: Use of the chatbot for awareness creation is sustainable and cost-effective compared to traditional methods. It can operate autonomously, reducing the need for human intervention and associated costs.
v. Multilingual Support: The chatbot has been programmed to support multiple languages (English, Swahili among others), breaking down language barriers and reaching diverse audiences.
vi. Integration with Multiple Platforms: AI chatbot has been integrated into various digital platforms, including websites, social media, and messaging apps. This versatility ensures that awareness campaigns can leverage multiple channels to reach a wider audience.
vii. Feedback Mechanism: ODPC chatbot can collect feedback from users, allowing the commission to gauge the effectiveness of their awareness campaigns.
Why the initiative deserves to be recognised by an award?
The AI Chatbot created by the Office of the Data Protection Commissioner (ODPC) deserves recognition for its significant impact on data protection services in Kenya. As a 24/7 virtual assistant, the chatbot greatly improves public access to information. This allows citizens, no matter where they are, to understand and exercise their data privacy rights. It also streamlines operations by managing routine inquiries, which lets ODPC staff focus on more complex regulatory tasks. As a result, this has improved efficiency and response times.
The initiative shows innovation in public service by ethically using artificial intelligence in regulatory work. It sets a strong example for digital governance. The chatbot also helps raise awareness and compliance, especially for small organizations and data controllers who may not be familiar with the law. Built with user-friendliness and accessibility in mind, it supports multiple languages and serves diverse communities.
Furthermore, its scalable and cost-effective nature makes it a sustainable model for other government agencies. Ultimately, the chatbot highlights how new technologies can support transparency, accountability, and citizens’ rights. This makes it an outstanding initiative in digital public service and deserving of recognition through an innovation or public service excellence award.
B16 – Entry by: Personal Data Protection of Mali (APDP-MALI)
Description of the initiative:
The symposium on “Personal Data Protection: Achievements, Challenges, and Opportunities for Africa” is both ambitious and highly relevant. It resonates deeply in our time, as digital technologies continue to reshape our lifestyles, social interactions, economies, and systems of governance.
Today, personal data has become the raw material of the digital economy. Its collection and use raise immense challenges—especially regarding privacy, security, and digital sovereignty. Protecting personal data is not about hindering technological progress, but about ensuring its ethical, controlled, and rights-respecting use. It is a democratic imperative, a matter of public trust, and a key condition for building a sovereign and responsible digital future for our continent.
Through the Authority for the Protection of Personal Data (APDP), Mali is committed to fostering a culture of data protection. This political will has led to major progress in recent years, including the constitutional recognition of the right to personal data protection in the Constitution of July 23, 2023, and the criminalization of data breaches under Law No. 2024-027 of December 13, 2024, with strong deterrent penalties.
However, despite these advances, many challenges remain. They mirror the exponential growth of digital usage in our societies. We must continuously adapt our legal frameworks, strengthen technical and human capacities, guide young people in their digital practices, regulate organizational behaviors, and ensure that personal data protection is not a privilege for a few, but a real and accessible right for all.
In this context, the symposium takes on its full meaning. Over two days, scientific discussions, shared experiences, and cross-sector reflections have helped provide a realistic assessment of achievements across our countries. More importantly, they have clarified the challenges ahead and revealed the opportunities we can collectively seize to shape an African digital future that is ethical, inclusive, and grounded in respect for human rights.
Why the initiative deserves to be recognised by an award?
The symposium on “Personal Data Protection: Achievements, Challenges, and Opportunities for Africa” is a strategic initiative that fully deserves recognition through an award, both for the relevance of its theme and its pan-African scope.
As the continent undergoes rapid digital transformation, this high-level forum provided a vital platform to assess progress in data protection while identifying common challenges faced by African countries, such as weak legal frameworks, limited technical resources, and insufficient public awareness.
The symposium also highlighted the opportunities offered by tailored data governance in connection with digital sovereignty, the digital economy, and regional cooperation. It facilitated meaningful dialogue among data protection authorities, academics, public policymakers, and private sector actors, encouraging the sharing of best practices and the harmonization of legal frameworks across the continent.
By initiating such a collective and inclusive reflection, the symposium has played a key role in strengthening African capacities for ethical data management. Through its intellectual, institutional, and strategic impact, it stands as a model of continental integration and forward-thinking. For these reasons, it is fully deserving of an excellence award.
B17 – Entry by: Personal Data Protection Authority of Mali (APDP-MALI)
Description of the initiative:
This Master’s program, developed through a partnership between the Authority for the Protection of Personal Data (APDP) and the Kurukanfuga University of Bamako (UKB), aims to equip students with three key competencies:
- Supporting technological development while ensuring the ethical and responsible use of new technologies. These skills will be developed through a combination of theoretical coursework, practical exercises, and internships in companies or institutions specialized in digital affairs.
- Training specialized legal professionals capable of regulating the digital sector and protecting citizens’ rights in an increasingly connected world.
- Positioning Mali as a key regional player in the governance and regulation of digital activities.
With modules designed to anticipate both global and local transformations driven by digital technologies, this program offers updated content delivered by national and international experts. Its pragmatic approach blends academic rigor with real-world application, ensuring that graduates are not only well-informed but also ready to act.
The curriculum reflects the evolving challenges of the digital era, including data protection, cybersecurity, digital identity, artificial intelligence, and the legal frameworks needed to govern these domains. It responds to the urgent need for professionals who can navigate the complex intersection of law, technology, and public policy.
By combining legal expertise with a deep understanding of digital innovation, this Master’s program prepares students to address regulatory challenges, support digital entrepreneurs, and contribute to inclusive and sustainable digital transformation in Mali and beyond.
In doing so, it contributes to building a future where technology serves development, human rights, and the public interest.
Why the initiative deserves to be recognised by an award?
The Master’s in Digital Law in Mali deserves an award for its pioneering role and strategic impact. As the first of its kind in Mali and only the second in West Africa, it addresses urgent challenges linked to the rise of digital technologies, including cybersecurity, data protection, and digital regulation.
The program exemplifies effective collaboration between academia and public institutions. This model is essential for training legal professionals capable of navigating the complex digital landscape.
By equipping a new generation of experts, the program reinforces the rule of law in digital spaces, supports national digital sovereignty, and promotes ethical, inclusive development. Its curriculum combines theoretical and practical approaches, guided by national and international experts, to prepare students for real-world challenges.
Innovative, relevant, and impactful, the Master’s in Digital Law contributes to Mali’s leadership in digital governance and offers a blueprint for other countries in the region. For its originality and transformative potential, it is a strong candidate for recognition through an excellence award.
B18 – Entry by: Spanish Data Protection Authority (Agencia Española de Protección de Datos – AEPD)
Description of the initiative:
The AEPD’s initiative addresses a core challenge: ensuring data subjects’ rights, particularly the right to erasure, in immutable blockchain infrastructures processing personal data. While blockchain technologies pose unique challenges for data protection, the AEPD has demonstrated that compliance is feasible without undermining operational integrity.
This initiative develops and implements a Proof of Concept (PoC) using the official Ethereum blockchain, it means, a cutting-edge and widely used Blockchain. It is configured with a Proof of Authority (clique) consensus protocol. The PoC shows how a blockchain node’s database can be updated through a Hard Fork agreed upon by validator nodes. A simplified version of Bitcoin’s BIP-0009 signalling protocol was implemented to orchestrate this consensus. The solution has been developed using open-source tools, custom modifications of the official Ethereum client, and detailed technical documentation to ensure full reproducibility.
The procedure enables a node to overwrite all references to a user’s account (an identifier and thus personal data) in transactions, smart contract storage, and transaction logs, ensuring full erasure. These changes are reflected in the node’s local database and verified during the resynchronization of new or recovering nodes.
The technical strategy is complemented by a governance framework defining roles, procedures, and traceability measures for executing the right to erasure. This includes organizational procedures for validating requests, generating new software versions, and monitoring implementation.
This approach not only addresses personal data in transactions, like previous theorical proposals, but also in smart contract storage and logs, an aspect often overlooked, and in a practical way. It demonstrates the feasibility of GDPR compliance in blockchain infrastructures through documented, transparent, and reproducible technical and organizational mechanisms.
This initiative stands out not just for its technical implementation, but also for its regulatory foresight and commitment to privacy by design in blockchain infrastructures. It sets a benchmark for supervisory authorities and developers globally and serves as a functional demonstrator that encourages them to integrate data protection by design and by default. It debunks prejudices and misconceptions that pretend to limit the technologies and allows to give legal certainty to personal data processing based on Blockchain.
Why the initiative deserves to be recognised by an award?
This initiative is the first of its kind by a data protection authority to demonstrate, with transparency and reproducibility, that the right to erasure can be implemented in blockchain infrastructures processing personal data. It offers a new perspective by showing that privacy by design is feasible, encouraging innovation aligned with legal obligations.
By using an Ethereum-based infrastructure and adapting widely known blockchain mechanisms, the AEPD provides a solution that is realistic and understandable to developers and regulators. The project offers a valuable reference for any organization building or auditing blockchain infrastructures, fostering dialogue between technology and regulation.
This initiative is referenced throughout the EDPB’s Guidelines 02/2025 on blockchain and personal data in relation to GDPR principles and data subject rights. It is also highlighted in the second EU Blockchain Sandbox Best Practices Report as a concrete example of GDPR compliance in blockchain, particularly the right to erasure.
The initiative has inspired interest beyond regulators, for example, the ALASTRIA blockchain consortium expressed intent to build on the AEPD’s work and explore its integration into real-world infrastructures.
It contributes to regulatory innovation and shows that blockchain can be fully compliant with GDPR, proving that data protection is not a barrier for innovation.