On 31 March 2025, the European Commission adopted Commission Decision (EU) 2025/628, which established internal regulations concerning the provision of information to data subjects and the limitation of certain data subjects' rights in relation to personal data processing undertaken under the Digital Services Act (Regulation (EU) 2022/2065). The Decision applies to personal data processed during the Commission's supervisory, investigative, enforcement, and monitoring activities under the Digital Services Act. It encompasses the personal data of suspects, victims, whistleblowers, informants, witnesses, and staff of undertakings. The Decision enables the Commission to impose restrictions on data subjects' rights as outlined in Regulation (EU) 2018/1725, including the rights to information, access, rectification, erasure, and notification of breaches. These restrictions are permissible where the exercise of such rights would jeopardise the Commission's investigative activities, affect the rights of others, or impair cooperation with Member States. Such restrictions must be necessary and proportionate, and are subject to periodic review. The Commission is obliged to publish a data protection notice and to inform affected individuals where appropriate. Safeguards must be implemented, including secure data handling, the involvement of the Commission's data protection coordinator and officer, and documentation requirements. Restrictions must be lifted when no longer justified. The Decision will enter into force 20 days after its publication in the Official Journal of the European Union.