Tired of general newsletters that skim over your real concerns? DastraNews, offers legal and regulatory monitoring specifically designed for DPOs, lawyers, and privacy professionals.
Each month, we go beyond a simple recap: we select about ten decisions, news, or positions that have a concrete impact on your missions and organizations.
🎯 Targeted, useful monitoring grounded in the real-world realities of data protection and AI.
Here is our selection for July 2025:
European Commission releases mandatory AI data training disclosure template
The European Commission has published its long-awaited template for disclosing training data, now a mandatory requirement for providers of general-purpose AI (GPAI) models operating within the EU.
This development represents a significant regulatory milestone with potential global implications.
By making training data disclosures publicly accessible, the EU may inadvertently empower rights holders, including those outside the EU, to initiate copyright infringement claims.
This measure, unlike the voluntary Code of Practice, introduces a binding transparency obligation under the EU AI Act.
It complements the Code of Practice, as well as the Guidelines on the scope of the rules for GPAI models, as explained here.
European Commission publishes draft guidelines for GPAI providers
New draft guidelines of the European Commission to help general-purpose AI providers comply with the AI Act, particularly their obligations taking effect on August 2, 2025.
Key points in the guidelines include:
- Definition of general-purpose AI models: Those trained using over 10²³ FLOPs and capable of generating text, audio, images, or video from text prompts.
- Clarification of terms like “provider” and “placing on the market.”
- Exemptions for open-source models that meet transparency standards.
- Implications of adhering to the Code of Practice, and what compliance looks like in practice.
- Additional obligations for providers of powerful models that pose systemic risks, including risk assessment and mitigation duties.
These guidelines are yet to be validated and formally adopted by the EC & will only be applicable then.
They build on the GPAI Code of Practice, recently released.
The Code of pratice on General-purpose AI is here
A few days after finding out there will be no pause in the AI Act, the long-awaited Code of practice on General-Purpose AI (GPAI) is here!
On July 10, 2025, the European Commission published the long-awaited Code of Practice on AI, setting a new benchmark for how the AI ecosystem (from large model providers to start-ups and SMEs) can prepare for the upcoming GPAI obligations under the AI Act.
It’s a voluntary tool designed to help providers of general-purpose AI models demonstrate compliance with their obligations under Article 53 and 55 AI Act.
These obligations will apply from 2 August 2025, however some exceptions exist.
The Code focuses on three areas that are at the heart of responsible AI deployment:
- Transparency: Clear commitments on sharing information about how general-purpose AI models are trained, evaluated, and how they function.
- Copyright: Ensuring respect for IP rights, particularly how training data aligns with copyright protections.
- Safety & Security: Measures to mitigate systemic risks, prevent misuse, and uphold public trust.
🚀 What’s next?
The Code of Practice will be assessed by the AI Office and AI Board, which may approve it via an adequacy decision.
AEPD clarifies its role ahead of AI Act enforcement
The Spanish Data Protection Authority (AEPD) has released an analysis clarifying its role under the EU Artificial Intelligence Act (AI Act), ahead of key provisions entering into force on 2 August 2025.
While Spain has not yet enacted national legislation to formally designate a market surveillance authority, the AEPD notes that the current draft law foresees it taking on this responsibility in areas requiring functional independence, such as for prohibited AI systems.
In the meantime, the AEPD reaffirms its existing authority to supervise the use of personal data in AI systems, particularly where prohibited systems may infringe on data protection rights.
It advises organizations deploying or providing AI services to begin preparing for full compliance with the AI Act and highlights the need to strengthen its own internal capabilities in anticipation of expanded enforcement duties.
The CNIL finalizes recommendations on GPDR applicability for the development of AI systems
The CNIL has just published a set of recommendations aimed at ensuring that the development of AI technologies remains compatible with the requirements of the GDPR.
These guidelines are intended for a broad range of actors, whether you are working on machine learning models, general-purpose AI systems, or any other type of AI involving the processing of personal data.
The document specifically targets the development phase of AI systems — including the design of the system, the creation and structuring of the dataset, and the training process.
Importantly, the CNIL has also provided a compliance checklist to help developers and organizations identify the key points to verify throughout this stage of development.
The UK Data Use and Access Act (DUAA) received royal assent
The Data (Use and Access) Act of 2025 received royal assent on June 19, 2025 (DUAA & it reforms the UK Data Protection legislation including the UK GDPR, the DPA 2018, as well as the PECR.
The new law will be rolled out in stages, with most provisions set to take effect within two to six months, although certain measures could require up to a year to be fully implemented.
Check out What the DUAA means for your organization right here.
EU Commission publishes draft adequacy decision for the UK
The European Commission has released its draft adequacy decisions for data transfers to the UK, both under the GDPR and the Law Enforcement Directive (LED).
The key takeaway: Recent amendments introduced by the UK’s Data Use and Access Act (DUAA) do not undermine the UK's data protection framework. The UK is still considered to provide an adequate level of protection for personal data coming from the EU.
What’s next? The draft decisions will be reviewed by the European Data Protection Board (EDPB) and require committee approval before formal adoption.
EDPB & EPDS issued a joint opinion on the Proposal for GDPR simplification
The EDPB & EDPS issued a joint opinion on July 8th on the Proposal for a Regulation on simplification measures for SMEs and SMCs concerning the GDPR, of the European Commission.
They welcome the simplifications as long as it is proportionate, balanced and based on necessity, and most importantly, that it won't lower the protection of fundamental rights of individuals - which goes against the core principles of the GDPR.
Particularly, the record-keeping obligation (Art.30 (5) GDPR). The current derogation of the GDPR applies when organisations have under 250 employees (except when certain conditions are met). With the Proposal, the derogation will organizations employing fewer than 750 employees.
However, even with fewer than 750 people, the organisation will have to keep a record when the processing is likely to result in a high risk to the rights and freedoms of individuals.
The EDPB & EPDS also asked the co-legislators for some further clarifications.