[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article_59454":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":8,"wordCount":9,"readTime":10,"title":7,"nbDownloads":11,"excerpt":12,"lang":13,"url":14,"intro":8,"featured":15,"state":16,"author":17,"authorId":18,"datePublication":22,"dateCreation":23,"dateUpdate":24,"mainCategory":25,"categories":41,"metaDatas":47,"imageUrl":48,"imageThumbUrls":49,"id":57},true,"Tired of general newsletters that skim over your real concerns? **DastraNews,** offers legal and regulatory monitoring **specifically designed for DPOs, lawyers, and privacy professionals**.\r\n\r\nEach month, we go beyond a simple recap: we select about ten decisions, news, or positions **that have a concrete impact on your missions and organizations**.\r\n\r\n🎯 **Targeted, useful monitoring grounded in the real-world realities of data protection and AI.**\r\n\r\nHere is our selection for **July 2025**:\r\n\r\n## **European Commission releases mandatory AI data training disclosure template** \r\n\r\nThe European Commission has published its long-awaited [**template for disclosing training data**, ](https://digital-strategy.ec.europa.eu/en/library/explanatory-notice-and-template-public-summary-training-content-general-purpose-ai-models)now a **mandatory requirement** for providers of general-purpose AI (GPAI) models operating within the EU. \r\n\r\nThis development represents a **significant regulatory milestone** with potential **global implications**. By making training data disclosures publicly accessible, the EU may inadvertently empower rights holders, including those outside the EU, to **initiate copyright infringement claims**. \r\n\r\nThis measure, unlike the voluntary Code of Practice, introduces a **binding transparency obligation** under the EU AI Act.\r\n\r\nIt complements the Code of Practice, as well as the Guidelines on the scope of the rules for GPAI models,[ as explained here. ](https://www.dastra.eu/en/article/ai-act-phase-two-what-changes-on-august/59455)\r\n\r\n## European Commission publishes draft guidelines for GPAI providers\r\n\r\nNew draft [guidelines of the European Commission to help general-purpose AI providers](https://digital-strategy.ec.europa.eu/en/library/guidelines-scope-obligations-providers-general-purpose-ai-models-under-ai-act) comply with the AI Act, particularly their obligations taking effect on August 2, 2025.Key points in the guidelines include:\r\n\r\n- Definition of general-purpose AI models: Those trained using over 10²³ FLOPs and capable of generating text, audio, images, or video from text prompts.\r\n- Clarification of terms like “provider” and “placing on the market.”\r\n- Exemptions for open-source models that meet transparency standards.\r\n- Implications of adhering to the Code of Practice, and what compliance looks like in practice.\r\n- Additional obligations for providers of powerful models that pose systemic risks, including risk assessment and mitigation duties.\r\n\r\nThese guidelines are yet to be validated and formally adopted by the EC & will only be applicable then. They build on the GPAI Code of Practice, recently released.\r\n\r\n## The Code of pratice on General-purpose AI is here\r\n\r\nA few days after finding out there will be no pause in the AI Act, the long-awaited [Code of practice on General-Purpose AI (GPAI)](https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai) is here!On July 10, 2025, the European Commission published the long-awaited Code of Practice on AI, setting a new benchmark for how the AI ecosystem (from large model providers to start-ups and SMEs) can prepare for the upcoming GPAI obligations under the AI Act.It’s a voluntary tool designed to help providers of general-purpose AI models demonstrate compliance with their obligations under Article 53 and 55 AI Act. These obligations will apply from 2 August 2025, however some exceptions exist.The Code focuses on three areas that are at the heart of responsible AI deployment:\r\n\r\n1. Transparency: Clear commitments on sharing information about how general-purpose AI models are trained, evaluated, and how they function.\r\n2. Copyright: Ensuring respect for IP rights, particularly how training data aligns with copyright protections.\r\n3. Safety & Security: Measures to mitigate systemic risks, prevent misuse, and uphold public trust.\r\n\r\n🚀 What’s next?The Code of Practice will be assessed by the AI Office and AI Board, which may approve it via an adequacy decision. \r\n\r\n## AEPD clarifies its role ahead of AI Act enforcement\r\n\r\nThe[ Spanish Data Protection Authority (AEPD) has released](https://www.aepd.es/prensa-y-comunicacion/notas-de-prensa/la-aepd-recuerda-que-ya-puede-actuar-ante-sistemas-de-ia?mkt_tok=MTM4LUVaTS0wNDIAAAGbs7_dasuaJGa9KK98JvZuVADVU0cUr_-S8RU0lwYndcjQHEYdfRPz0wXKdlFqpBnMhqClLflFkrX3ZKyn5OqKdTyB_E-dCleMB10XVM7mAJd5wQ) an analysis clarifying its role under the EU Artificial Intelligence Act (AI Act), ahead of key provisions entering into force on **2 August 2025**.\r\n\r\nWhile Spain has not yet enacted national legislation to formally designate a **market surveillance authority**, the AEPD notes that the current draft law foresees it taking on this responsibility in areas requiring **functional independence**, such as for **prohibited AI systems**.\r\n\r\nIn the meantime, the AEPD reaffirms its existing authority to **supervise the use of personal data in AI systems**, particularly where prohibited systems may infringe on data protection rights.\r\n\r\nIt advises organizations deploying or providing AI services to begin preparing for full compliance with the AI Act and highlights the need to strengthen its own internal capabilities in anticipation of expanded enforcement duties.\r\n\r\n## The CNIL finalizes recommendations on GPDR applicability for the development of AI systems\r\n\r\nThe CNIL has just published [a set of recommendations](https://www.cnil.fr/en/ai-cnil-finalises-its-recommendations-development-artificial-intelligence-systems) aimed at ensuring that the development of AI technologies remains compatible with the requirements of the GDPR.\r\n\r\nThese guidelines are intended for a broad range of actors, whether you are working on machine learning models, general-purpose AI systems, or any other type of AI involving the processing of personal data.\r\n\r\nThe document specifically targets the **development phase** of AI systems — including the design of the system, the creation and structuring of the dataset, and the training process.\r\n\r\nImportantly, the CNIL has also provided a **compliance checklist** to help developers and organizations identify the key points to verify throughout this stage of development.\r\n\r\n## The UK Data Use and Access Act (DUAA) received royal assent\r\n\r\nThe Data (Use and Access) Act of 2025 received royal assent on June 19, 2025 (DUAA & it reforms the UK Data Protection legislation including the UK GDPR, the DPA 2018, as well as the PECR.The new law will be rolled out in stages, with most provisions set to take effect within two to six months, although certain measures could require up to a year to be fully implemented. Check out [What the DUAA means for your organization right here.](https://www.dastra.eu/en/article/what-the-duaa-means-for-your-organization/59414)\r\n\r\n## EU Commission publishes draft adequacy decision for the UK\r\n\r\nThe European Commission has released its draft adequacy decisions for data transfers to the UK, both [under the GDPR ](https://commission.europa.eu/document/download/6f636fa0-30d4-4c05-a713-64484ad913fa_en?filename=Draft%20Renewal%20of%20EU%20adequacy%20decision%20for%20the%20UK%20under%20the%20GDPR.pdf)and [the Law Enforcement Directive (LED).](https://commission.europa.eu/document/download/0c943f80-7616-436c-b44f-afad98e97022_en?filename=Draft%20Renewal%20of%20EU%20adequacy%20decision%20for%20the%20UK%20under%20the%20LED.pdf)The key takeaway: Recent amendments introduced by the UK’s Data Use and Access Act (DUAA) do not undermine the UK's data protection framework. The UK is still considered to provide an adequate level of protection for personal data coming from the EU.What’s next? The draft decisions will be reviewed by the European Data Protection Board (EDPB) and require committee approval before formal adoption.\r\n\r\n## EDPB & EPDS issued a joint opinion on the Proposal for GDPR simplification\r\n\r\nThe EDPB & EDPS issued a [joint opinion on July 8th on the Proposal for a Regulation](https://www.edpb.europa.eu/system/files/2025-07/edpb_edps_jointopinion_202501_proposalsimplification_en.pdf) on simplification measures for SMEs and SMCs concerning the GDPR, of the European Commission. They welcome the simplifications as long as it is proportionate, balanced and based on necessity, and most importantly, that it won't lower the protection of fundamental rights of individuals - which goes against the core principles of the GDPR. Particularly, the record-keeping obligation (Art.30 (5) GDPR). The current derogation of the GDPR applies when organisations have under 250 employees (except when certain conditions are met). With the Proposal, the derogation will organizations employing fewer than 750 employees.However, even with fewer than 750 people, the organisation will have to keep a record when the processing is likely to result in a high risk to the rights and freedoms of individuals. The EDPB & EPDS also asked the co-legislators for some further clarifications.","\u003Cp>Tired of general newsletters that skim over your real concerns? \u003Cstrong>DastraNews,\u003C/strong> offers legal and regulatory monitoring \u003Cstrong>specifically designed for DPOs, lawyers, and privacy professionals\u003C/strong>.\u003C/p>\r\n\u003Cp>Each month, we go beyond a simple recap: we select about ten decisions, news, or positions \u003Cstrong>that have a concrete impact on your missions and organizations\u003C/strong>.\u003C/p>\r\n\u003Cp>🎯 \u003Cstrong>Targeted, useful monitoring grounded in the real-world realities of data protection and AI.\u003C/strong>\u003C/p>\r\n\u003Cp>Here is our selection for \u003Cstrong>July 2025\u003C/strong>:\u003C/p>\r\n\u003Ch2 id=\"european-commission-releases-mandatory-ai-data-training-disclosure-template\">\u003Cstrong>European Commission releases mandatory AI data training disclosure template\u003C/strong>\u003C/h2>\r\n\u003Cp>The European Commission has published its long-awaited \u003Ca href=\"https://digital-strategy.ec.europa.eu/en/library/explanatory-notice-and-template-public-summary-training-content-general-purpose-ai-models\" rel=\"nofollow\">\u003Cstrong>template for disclosing training data\u003C/strong>, \u003C/a>now a \u003Cstrong>mandatory requirement\u003C/strong> for providers of general-purpose AI (GPAI) models operating within the EU.\u003C/p>\r\n\u003Cp>This development represents a \u003Cstrong>significant regulatory milestone\u003C/strong> with potential \u003Cstrong>global implications\u003C/strong>. \u003Cbr />\r\n\u003Cbr />\r\nBy making training data disclosures publicly accessible, the EU may inadvertently empower rights holders, including those outside the EU, to \u003Cstrong>initiate copyright infringement claims\u003C/strong>.\u003C/p>\r\n\u003Cp>This measure, unlike the voluntary Code of Practice, introduces a \u003Cstrong>binding transparency obligation\u003C/strong> under the EU AI Act.\u003C/p>\r\n\u003Cp>It complements the Code of Practice, as well as the Guidelines on the scope of the rules for GPAI models,\u003Ca href=\"https://www.dastra.eu/en/article/ai-act-phase-two-what-changes-on-august/59455\"> as explained here. \u003C/a>\u003C/p>\r\n\u003Ch2 id=\"european-commission-publishes-draft-guidelines-for-gpai-providers\">European Commission publishes draft guidelines for GPAI providers\u003C/h2>\r\n\u003Cp>New draft \u003Ca href=\"https://digital-strategy.ec.europa.eu/en/library/guidelines-scope-obligations-providers-general-purpose-ai-models-under-ai-act\" rel=\"nofollow\">guidelines of the European Commission to help general-purpose AI providers\u003C/a> comply with the AI Act, particularly their obligations taking effect on August 2, 2025.\u003Cbr />\r\n\u003Cbr />\r\nKey points in the guidelines include:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>Definition of general-purpose AI models: Those trained using over 10²³ FLOPs and capable of generating text, audio, images, or video from text prompts.\u003C/li>\r\n\u003Cli>Clarification of terms like “provider” and “placing on the market.”\u003C/li>\r\n\u003Cli>Exemptions for open-source models that meet transparency standards.\u003C/li>\r\n\u003Cli>Implications of adhering to the Code of Practice, and what compliance looks like in practice.\u003C/li>\r\n\u003Cli>Additional obligations for providers of powerful models that pose systemic risks, including risk assessment and mitigation duties.\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>These guidelines are yet to be validated and formally adopted by the EC & will only be applicable then. \u003Cbr />\r\n\u003Cbr />\r\nThey build on the GPAI Code of Practice, recently released.\u003C/p>\r\n\u003Ch2 id=\"the-code-of-pratice-on-general-purpose-ai-is-here\">The Code of pratice on General-purpose AI is here\u003C/h2>\r\n\u003Cp>A few days after finding out there will be no pause in the AI Act, the long-awaited \u003Ca href=\"https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai\" rel=\"nofollow\">Code of practice on General-Purpose AI (GPAI)\u003C/a> is here!\u003Cbr />\r\n\u003Cbr />\r\nOn July 10, 2025, the European Commission published the long-awaited Code of Practice on AI, setting a new benchmark for how the AI ecosystem (from large model providers to start-ups and SMEs) can prepare for the upcoming GPAI obligations under the AI Act.\u003Cbr />\r\n\u003Cbr />\r\nIt’s a voluntary tool designed to help providers of general-purpose AI models demonstrate compliance with their obligations under Article 53 and 55 AI Act. \u003Cbr />\r\n\u003Cbr />\r\nThese obligations will apply from 2 August 2025, however some exceptions exist.\u003Cbr />\r\n\u003Cbr />\r\nThe Code focuses on three areas that are at the heart of responsible AI deployment:\u003C/p>\r\n\u003Col>\r\n\u003Cli>Transparency: Clear commitments on sharing information about how general-purpose AI models are trained, evaluated, and how they function.\u003C/li>\r\n\u003Cli>Copyright: Ensuring respect for IP rights, particularly how training data aligns with copyright protections.\u003C/li>\r\n\u003Cli>Safety & Security: Measures to mitigate systemic risks, prevent misuse, and uphold public trust.\u003C/li>\r\n\u003C/ol>\r\n\u003Cp>🚀 What’s next?\u003Cbr />\r\nThe Code of Practice will be assessed by the AI Office and AI Board, which may approve it via an adequacy decision.\u003C/p>\r\n\u003Ch2 id=\"aepd-clarifies-its-role-ahead-of-ai-act-enforcement\">AEPD clarifies its role ahead of AI Act enforcement\u003C/h2>\r\n\u003Cp>The\u003Ca href=\"https://www.aepd.es/prensa-y-comunicacion/notas-de-prensa/la-aepd-recuerda-que-ya-puede-actuar-ante-sistemas-de-ia?mkt_tok=MTM4LUVaTS0wNDIAAAGbs7_dasuaJGa9KK98JvZuVADVU0cUr_-S8RU0lwYndcjQHEYdfRPz0wXKdlFqpBnMhqClLflFkrX3ZKyn5OqKdTyB_E-dCleMB10XVM7mAJd5wQ\" rel=\"nofollow\"> Spanish Data Protection Authority (AEPD) has released\u003C/a> an analysis clarifying its role under the EU Artificial Intelligence Act (AI Act), ahead of key provisions entering into force on \u003Cstrong>2 August 2025\u003C/strong>.\u003C/p>\r\n\u003Cp>While Spain has not yet enacted national legislation to formally designate a \u003Cstrong>market surveillance authority\u003C/strong>, the AEPD notes that the current draft law foresees it taking on this responsibility in areas requiring \u003Cstrong>functional independence\u003C/strong>, such as for \u003Cstrong>prohibited AI systems\u003C/strong>.\u003C/p>\r\n\u003Cp>In the meantime, the AEPD reaffirms its existing authority to \u003Cstrong>supervise the use of personal data in AI systems\u003C/strong>, particularly where prohibited systems may infringe on data protection rights.\u003C/p>\r\n\u003Cp>It advises organizations deploying or providing AI services to begin preparing for full compliance with the AI Act and highlights the need to strengthen its own internal capabilities in anticipation of expanded enforcement duties.\u003C/p>\r\n\u003Ch2 id=\"the-cnil-finalizes-recommendations-on-gpdr-applicability-for-the-development-of-ai-systems\">The CNIL finalizes recommendations on GPDR applicability for the development of AI systems\u003C/h2>\r\n\u003Cp>The CNIL has just published \u003Ca href=\"https://www.cnil.fr/en/ai-cnil-finalises-its-recommendations-development-artificial-intelligence-systems\" rel=\"nofollow\">a set of recommendations\u003C/a> aimed at ensuring that the development of AI technologies remains compatible with the requirements of the GDPR.\u003C/p>\r\n\u003Cp>These guidelines are intended for a broad range of actors, whether you are working on machine learning models, general-purpose AI systems, or any other type of AI involving the processing of personal data.\u003C/p>\r\n\u003Cp>The document specifically targets the \u003Cstrong>development phase\u003C/strong> of AI systems — including the design of the system, the creation and structuring of the dataset, and the training process.\u003C/p>\r\n\u003Cp>Importantly, the CNIL has also provided a \u003Cstrong>compliance checklist\u003C/strong> to help developers and organizations identify the key points to verify throughout this stage of development.\u003C/p>\r\n\u003Ch2 id=\"the-uk-data-use-and-access-act-duaa-received-royal-assent\">The UK Data Use and Access Act (DUAA) received royal assent\u003C/h2>\r\n\u003Cp>The Data (Use and Access) Act of 2025 received royal assent on June 19, 2025 (DUAA & it reforms the UK Data Protection legislation including the UK GDPR, the DPA 2018, as well as the PECR.\u003Cbr />\r\n\u003Cbr />\r\nThe new law will be rolled out in stages, with most provisions set to take effect within two to six months, although certain measures could require up to a year to be fully implemented. \u003Cbr />\r\n\u003Cbr />\r\nCheck out \u003Ca href=\"https://www.dastra.eu/en/article/what-the-duaa-means-for-your-organization/59414\">What the DUAA means for your organization right here.\u003C/a>\u003C/p>\r\n\u003Ch2 id=\"eu-commission-publishes-draft-adequacy-decision-for-the-uk\">EU Commission publishes draft adequacy decision for the UK\u003C/h2>\r\n\u003Cp>The European Commission has released its draft adequacy decisions for data transfers to the UK, both \u003Ca href=\"https://commission.europa.eu/document/download/6f636fa0-30d4-4c05-a713-64484ad913fa_en?filename=Draft%20Renewal%20of%20EU%20adequacy%20decision%20for%20the%20UK%20under%20the%20GDPR.pdf\" rel=\"nofollow\">under the GDPR \u003C/a>and \u003Ca href=\"https://commission.europa.eu/document/download/0c943f80-7616-436c-b44f-afad98e97022_en?filename=Draft%20Renewal%20of%20EU%20adequacy%20decision%20for%20the%20UK%20under%20the%20LED.pdf\" rel=\"nofollow\">the Law Enforcement Directive (LED).\u003C/a>\u003Cbr />\r\n\u003Cbr />\r\nThe key takeaway: Recent amendments introduced by the UK’s Data Use and Access Act (DUAA) do not undermine the UK's data protection framework. The UK is still considered to provide an adequate level of protection for personal data coming from the EU.\u003Cbr />\r\n\u003Cbr />\r\nWhat’s next? The draft decisions will be reviewed by the European Data Protection Board (EDPB) and require committee approval before formal adoption.\u003C/p>\r\n\u003Ch2 id=\"edpb-epds-issued-a-joint-opinion-on-the-proposal-for-gdpr-simplification\">EDPB & EPDS issued a joint opinion on the Proposal for GDPR simplification\u003C/h2>\r\n\u003Cp>The EDPB & EDPS issued a \u003Ca href=\"https://www.edpb.europa.eu/system/files/2025-07/edpb_edps_jointopinion_202501_proposalsimplification_en.pdf\" rel=\"nofollow\">joint opinion on July 8th on the Proposal for a Regulation\u003C/a> on simplification measures for SMEs and SMCs concerning the GDPR, of the European Commission. \u003Cbr />\r\n\u003Cbr />\r\nThey welcome the simplifications as long as it is proportionate, balanced and based on necessity, and most importantly, that it won't lower the protection of fundamental rights of individuals - which goes against the core principles of the GDPR. \u003Cbr />\r\n\u003Cbr />\r\nParticularly, the record-keeping obligation (Art.30 (5) GDPR). The current derogation of the GDPR applies when organisations have under 250 employees (except when certain conditions are met). With the Proposal, the derogation will organizations employing fewer than 750 employees.\u003Cbr />\r\n\u003Cbr />\r\nHowever, even with fewer than 750 people, the organisation will have to keep a record when the processing is likely to result in a high risk to the rights and freedoms of individuals. \u003Cbr />\r\n\u003Cbr />\r\nThe EDPB & EPDS also asked the co-legislators for some further clarifications.\u003C/p>\r\n","DastraNews: what happened in Privacy & AI in July? ","Privacy & AI insights from the Dastra hub: actionable updates for pros who work daily in the field.",1263,7,0,null,"en","dastranews-what-happened-in-privacy-ai-in-july",false,"Published",{"id":18,"displayName":19,"avatarUrl":20,"bio":12,"blogUrl":12,"color":12,"userId":18,"creationDate":21},20352,"Leïla Sayssa","https://static.dastra.eu/tenant-3/avatar/20352/TDYeY3C8Rz1lLE/dpo-avatar-h01-150.png","2025-03-03T11:08:22","2025-07-28T08:56:00","2025-07-23T08:56:07.2907239","2025-07-25T13:39:32.7310367",{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":31},2,"Blog","A list of curated articles provided by the community","article","#28449a",[32,35,38],{"lang":33,"name":27,"description":34},"fr","Une liste d'articles rédigés par la communauté",{"lang":36,"name":27,"description":37},"es","Una lista de artículos escritos por la comunidad",{"lang":39,"name":27,"description":40},"de","Eine Liste von Artikeln, die von der Community verfasst wurden",[42],{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":43},[44,45,46],{"lang":33,"name":27,"description":34},{"lang":36,"name":27,"description":37},{"lang":39,"name":27,"description":40},[],"https://static.dastra.eu/content/5c8c8807-8c2f-47ab-b983-fa784fbc0a39/20-original.jpg",[50,51,52,53,54,55,56],"https://static.dastra.eu/content/5c8c8807-8c2f-47ab-b983-fa784fbc0a39/20-1000.webp","https://static.dastra.eu/content/5c8c8807-8c2f-47ab-b983-fa784fbc0a39/20.webp","https://static.dastra.eu/content/5c8c8807-8c2f-47ab-b983-fa784fbc0a39/20-1500.webp","https://static.dastra.eu/content/5c8c8807-8c2f-47ab-b983-fa784fbc0a39/20-800.webp","https://static.dastra.eu/content/5c8c8807-8c2f-47ab-b983-fa784fbc0a39/20-600.webp","https://static.dastra.eu/content/5c8c8807-8c2f-47ab-b983-fa784fbc0a39/20-300.webp","https://static.dastra.eu/content/5c8c8807-8c2f-47ab-b983-fa784fbc0a39/20-100.webp",59454]