Over one hundred data protection officers from across Catalonia take part in the 2nd ‘DPD en xarxa’ Meeting

Coinciding with the second anniversary of the network of data protection officers of Catalonia, ‘DPD en xarxa’, the Catalan Data Protection Authority (APDCAT), promoter of this community, has organized its 2nd in-person Meeting, with the aim of fostering the exchange of criteria, experiences, and knowledge among professionals who ensure the protection of personal data in organizations across Catalonia.

This year, over one hundred data protection officers from across the territory gathered at Espai Bital, in L’Hospitalet de Llobregat, to take part in the conferences and working groups scheduled throughout the day. In her address, the director of the APDCAT, Meritxell Borràs i Solé, expressed her gratitude for the work carried out under the 2023–2028 Strategic Plan of the APDCAT, which has made possible the creation of Catalonia’s first DPD community, now comprising over 300 members.

Borràs highlighted the participation and commitment of the network’s members in the working groups that promote the exchange of expertise and knowledge. One example is the working group on impact assessments on fundamental rights, led by expert Alessandro Mantelero, which made possible the Catalan FRIA Model — a pioneering methodology that has already received wide international recognition. Borràs also emphasized the ongoing effort to ensure continuous training for professionals responsible for compliance with data protection regulations within organizations, with dozens of online sessions organized throughout the year.

The impact of AI on privacy

Meanwhile, Josep Domingo Ferrer, Professor of Computer Engineering at the Universitat Rovira i Virgili and Chair of the Data Protection Advisory Council, argued that the main challenge lies in correctly assessing the impact of AI on data protection, avoiding overly cautious regulation or control that could unnecessarily reduce the competitiveness of Catalonia and Europe. His remarks were part of the lecture “AI and Data Protection: A New Challenge for DPOs.”

Domingo analyzed the effectiveness of privacy attacks against machine learning under real-world conditions and concluded that such attacks are, in general, less dangerous than suggested in scientific literature. This, he added, is good news for jurisdictions such as the European Union, which are committed to reconciling AI regulation with the competitiveness of their artificial intelligence industry.

Prototype of a new application of the FRIA model

In the framework of the APDCAT’s presentation, the Coordinator of Technology and Information Security, Albert Serra Pagès, introduced the prototype of the APDCAT’s application of the Catalan FRIA model for conducting impact assessments on fundamental rights in the use of AI. The application is being developed with the aim of transferring the model, originally presented last January in paper format, to a parameterized digital environment that guides users step by step through the process. He also recalled that last October, the Authority launched a renewed version of its application designed to help organizations carry out impact assessments for high-risk data processing.

For his part, the Head of the Legal Advisory Service, Xavier Urios Aparisi, spoke about video surveillance and security, as well as the proper use of AI in the public sector regarding personal data protection. In addition, the Head of the Inspection and Technical Area, Fina Valls Vila, focused her presentation on procedures for the protection of rights, legitimate use, and potential cases of misuse.

Six working groups

Finally, there was also space for debate. In this context, DPOs shared their views on topics such as ethical and responsible artificial intelligence, FRIA–PIA impact assessments, the European Health Data Space, international data transfers (IDT), future challenges for ‘DPD en xarxa’, and algorithmic governance, through six dedicated working groups.

The aim is to provide space for exchange among data protection officers to help build consensus, tools, and resources that facilitate the proper application of data protection regulations. One example is the FRIA–PIA group, which is developing a new model to integrate the impact assessment on fundamental rights in the use of AI (FRIA) — mandatory from August 2026 for high-risk AI systems — with the data protection impact assessment (DPIA), required since the General Data Protection Regulation (GDPR) came into force in 2018 for high-risk data processing activities.

Second anniversary of a pioneering network

The first learning and collaboration community of DPOs in Catalonia was created in July 2023, promoted by the APDCAT with the aim of providing a pioneering exchange space for DPOs across the region. In its second year, ‘DPD en xarxa’ already has more than 300 registered members who have access to training, debates, and working groups to foster collaboration and synergies.

Throughout 2025, five online seminars have been held on topics such as the Artificial Intelligence Regulation (main concepts and practical applications, in two sessions), mechanisms to ensure control by data controllers over processors and sub-processors, the European Health Data Space, and another on AI applied to mental health: ethical and legal challenges of the STOP project.

Currently, five working groups are also active: on the European Health Data Space, on international transfers of personal data, on how to integrate the FRIA model with data protection impact assessments (DPIA), on ethical and responsible AI, and on the future challenges of ‘DPD en xarxa’.