EDPS documents on CSAM proposal (‘Chat Control’) – compatibility with CFR and GDPR
Dear European Data Protection Supervisor,
Pursuant to Regulation (EC) No 1049/2001, Article 15 TFEU, and Article 42 of the Charter of Fundamental Rights, I hereby request access to:
– Any opinions, correspondence, internal notes, preparatory documents, or meeting records held by the EDPS concerning the compatibility of the proposed Regulation laying down rules to prevent and combat child sexual abuse (the ‘Chat Control’/CSAM proposal) with the Charter of Fundamental Rights and the General Data Protection Regulation (GDPR).
Specifically, I seek documents addressing:
– The impact of the proposal on Articles 7 and 8 CFR (private life and data protection),
– Its consistency with GDPR principles (necessity, proportionality, purpose limitation, data minimisation),
– Safeguards under Article 47 CFR (effective remedies and judicial protection).
Timeframe: 2020 to present.
If Article 4(2) or 4(3) exceptions are invoked, I submit there is an overriding public interest in disclosure: namely, enabling democratic scrutiny of surveillance measures with significant impact on EU fundamental rights. Where needed, I request partial access under Article 4(6).
Please acknowledge receipt and process this request within 15 working days in line with Article 7 of Regulation 1049/2001. I prefer electronic access.
Yours faithfully,
Andrej Magyar
Dear requester,
We acknowledge the receipt of your request, registered on 12.09.2025. In
accordance with Article 7(1) of Regulation (EU) No 1049/2001 regarding
public access to European Parliament, Council and Commission documents,
you will receive a reply within 15 working days (by 06.10.2025).
Your case number is 2025-0831.
Please note that your personal data will only be processed for the
purposes of replying to your request and in accordance with the privacy
statement set out below. More information on how the EDPS process personal
information can be found on our [1]website.
Yours sincerely,
EDPS Access to Documents
[2]cid:image001.png@01D4D8CD.D37C9700
[3]| Tel. (+32) 228 31900 |
Fax (+32) 228 31950 | › Email:
[4][email address]
European Data Protection Supervisor
Postal address: Rue Wiertz 60, B-1047
Brussels
Office address: Rue Montoyer 30,
B-1000 Brussels
[5]Twitter [6]@EU_EDPS
[7]Website [8]www.edps.europa.eu
This email
(and any
attachment)
may contain
information
that is
internal or
confidential.
Unauthorised
access, use or
other
processing is
not permitted.
If you are not
the intended
recipient
please inform
the sender by
reply and then
delete all
copies. Emails
are not secure
as they can be
intercepted,
amended, and
infected with
viruses. The
EDPS therefore
cannot
guarantee the
security of
correspondence
by email.
Data Protection Notice
According to Articles 15 and 16 of Regulation (EU) 2018/1725 (the
Regulation), we are processing your personal data in order to reply to
your request. The controller is the European Data Protection Supervisor
(EDPS). The legal basis for this processing operation is Article 5(1)(b)
of the Regulation, since processing is necessary for compliance with a
legal obligation to which the EDPS is subject. The data processed include
your contact details, your request, as well as personal data that might be
collected during the investigation of your request. For the EDPS, case
handlers, administrative staff and hierarchy involved in the request
handling will have access to the case file containing your personal data
on a need-to-know basis. All access to case files is logged. Your data
will only be transferred to other EU institutions and bodies or to third
parties when it is necessary to ensure the appropriate investigation or
follow up of your request. Your data will be stored by the EDPS in
electronic files until the end of the reporting period of the current year
(as a rule, until mid-next year), unless legal proceedings require us to
keep them for a longer period. Afterwards, only a brief anonymous note
will be included in a file in order to keep record of the request.
You have the right of access to your personal data and to relevant
information concerning how we use it. You have the right to rectify your
personal data. Under certain conditions, you have the right to ask that we
delete your personal data or restrict its use. We will consider your
request, take a decision and communicate it to you. For more information,
please see Articles 14 to 21, 23 and 24 of the Regulation. Please note
that in some cases restrictions under Article 25 of the Regulation may
apply. Any request to exercise your rights should be addressed to the EDPS
at [9][EDPS request email]. You may also contact the data protection
officer of the EDPS ([10][email address]), if you have any remarks
or complaints regarding the way we process your personal data. You have
the right to lodge a complaint with the EDPS, as supervisory authority.
Any such request should be addressed to the EDPS at
[11][EDPS request email]. You can reach the EDPS in the following ways:
e-mail: [12][EDPS request email]; EDPS postal address: European Data
Protection Supervisor, Rue Wiertz 60, B-1047 Brussels, Belgium.
References
Visible links
1. https://edps.europa.eu/about-edps/data-p...
3. file:///tmp/tel:+3222831900
4. mailto:[email address]
6. http://@eu_edps/
8. http://www.edps.europa.eu/
http://www.edps.europa.eu/
9. mailto:[EDPS request email]
10. mailto:[email address]
11. mailto:[EDPS request email]
12. mailto:[EDPS request email]
Dear requester,
We are writing to you concerning your access to documents request case
number 2025-0831.
In accordance with Article 7 (1) of Regulation (EU) No 1049/2001 regarding
public access to European Parliament, Council and Commission documents,
you are entitled to receive a reply within 15 working days.
However, the EDPS will not be in a position to respond within the original
time limit of 15 working days. We have therefore decided to extend the
time limit by 15 working days in accordance with Article 7(3) of
Regulation (EU) 1049/2001.
You should expect to receive a reply from the EDPS by 27.10.2025 at the
latest.
Your sincerely,
EDPS Access to Documents
[1]cid:image001.png@01D4D8CD.D37C9700
[2]| Tel. (+32) 228 31900 |
Fax (+32) 228 31950 | › Email:
[3][email address]
European Data Protection Supervisor
Postal address: Rue Wiertz 60, B-1047
Brussels
Office address: Rue Montoyer 30,
B-1000 Brussels
[4]Twitter [5]@EU_EDPS
[6]Website [7]www.edps.europa.eu
This email
(and any
attachment)
may contain
information
that is
internal or
confidential.
Unauthorised
access, use or
other
processing is
not permitted.
If you are not
the intended
recipient
please inform
the sender by
reply and then
delete all
copies. Emails
are not secure
as they can be
intercepted,
amended, and
infected with
viruses. The
EDPS therefore
cannot
guarantee the
security of
correspondence
by email.
From: EDPS Access to Documents <[email address]>
Sent: 12 September 2025 18:56
To: Andrej Magyar <[FOI #16303 email]>
Subject: Acknowledgement of receipt access to documents, EDPS ref:
2025-0831 - D (2025) 3406
Dear requester,
We acknowledge the receipt of your request, registered on 12.09.2025. In
accordance with Article 7(1) of Regulation (EU) No 1049/2001 regarding
public access to European Parliament, Council and Commission documents,
you will receive a reply within 15 working days (by 06.10.2025).
Your case number is 2025-0831.
Please note that your personal data will only be processed for the
purposes of replying to your request and in accordance with the privacy
statement set out below. More information on how the EDPS process personal
information can be found on our [8]website.
Yours sincerely,
EDPS Access to Documents
[9]cid:image001.png@01D4D8CD.D37C9700
[10]| Tel. (+32) 228 31900 |
Fax (+32) 228 31950 | › Email:
[11][email address]
European Data Protection Supervisor
Postal address: Rue Wiertz 60, B-1047
Brussels
Office address: Rue Montoyer 30,
B-1000 Brussels
[12]Twitter [13]@EU_EDPS
[14]Website [15]www.edps.europa.eu
This email
(and any
attachment)
may contain
information
that is
internal or
confidential.
Unauthorised
access, use or
other
processing is
not permitted.
If you are not
the intended
recipient
please inform
the sender by
reply and then
delete all
copies. Emails
are not secure
as they can be
intercepted,
amended, and
infected with
viruses. The
EDPS therefore
cannot
guarantee the
security of
correspondence
by email.
Data Protection Notice
According to Articles 15 and 16 of Regulation (EU) 2018/1725 (the
Regulation), we are processing your personal data in order to reply to
your request. The controller is the European Data Protection Supervisor
(EDPS). The legal basis for this processing operation is Article 5(1)(b)
of the Regulation, since processing is necessary for compliance with a
legal obligation to which the EDPS is subject. The data processed include
your contact details, your request, as well as personal data that might be
collected during the investigation of your request. For the EDPS, case
handlers, administrative staff and hierarchy involved in the request
handling will have access to the case file containing your personal data
on a need-to-know basis. All access to case files is logged. Your data
will only be transferred to other EU institutions and bodies or to third
parties when it is necessary to ensure the appropriate investigation or
follow up of your request. Your data will be stored by the EDPS in
electronic files until the end of the reporting period of the current year
(as a rule, until mid-next year), unless legal proceedings require us to
keep them for a longer period. Afterwards, only a brief anonymous note
will be included in a file in order to keep record of the request.
You have the right of access to your personal data and to relevant
information concerning how we use it. You have the right to rectify your
personal data. Under certain conditions, you have the right to ask that we
delete your personal data or restrict its use. We will consider your
request, take a decision and communicate it to you. For more information,
please see Articles 14 to 21, 23 and 24 of the Regulation. Please note
that in some cases restrictions under Article 25 of the Regulation may
apply. Any request to exercise your rights should be addressed to the EDPS
at [16][EDPS request email]. You may also contact the data protection
officer of the EDPS ([17][email address]), if you have any remarks
or complaints regarding the way we process your personal data. You have
the right to lodge a complaint with the EDPS, as supervisory authority.
Any such request should be addressed to the EDPS at
[18][EDPS request email]. You can reach the EDPS in the following ways:
e-mail: [19][EDPS request email]; EDPS postal address: European Data
Protection Supervisor, Rue Wiertz 60, B-1047 Brussels, Belgium.
References
Visible links
2. file:///tmp/tel:+3222831900
3. mailto:[email address]
5. http://@eu_edps/
7. http://www.edps.europa.eu/
http://www.edps.europa.eu/
8. https://edps.europa.eu/about-edps/data-p...
10. file:///tmp/tel:+3222831900
11. mailto:[email address]
13. http://@eu_edps/
15. http://www.edps.europa.eu/
http://www.edps.europa.eu/
16. mailto:[EDPS request email]
17. mailto:[email address]
18. mailto:[EDPS request email]
19. mailto:[EDPS request email]
Dear requester,
Attached you will find the letter and the 4 annexes, on the
above-mentioned subject, for your attention.
It was signed electronically by Ms Luisa Palla.
Best regards,
EDPS Access to Documents
[1]| Tel. (+32) 228 31900 | Fax (+32) 228 31950 | › Email:
[2][email address]
European Data Protection Supervisor
Postal address: Rue Wiertz 60, B-1047 Brussels
Office address: Rue Montoyer 30, B-1000 Brussels
[3]Twitter [4]@EU_EDPS [5]Website [6]www.edps.europa.eu
This email (and any attachment) may contain information that is internal
or confidential. Unauthorised access, use or other processing is not
permitted. If you are not the intended recipient please inform the
sender by reply and then delete all copies. Emails are not secure as
they can be intercepted, amended, and infected with viruses. The EDPS
therefore cannot guarantee the security of correspondence by email.
Data Protection Notice
According to Articles 15 and 16 of Regulation (EU) 2018/1725 (the
Regulation), we are processing your personal data in order to reply to
your request. The controller is the European Data Protection Supervisor
(EDPS). The legal basis for this processing operation is Article 5(1)(b)
of the Regulation, since processing is necessary for compliance with a
legal obligation to which the EDPS is subject. The data processed include
your contact details, your request, as well as personal data that might be
collected during the investigation of your request. For the EDPS, case
handlers, administrative staff and hierarchy involved in the request
handling will have access to the case file containing your personal data
on a need-to-know basis. All access to case files is logged. Your data
will only be transferred to other EU institutions and bodies or to third
parties when it is necessary to ensure the appropriate investigation or
follow up of your request. Your data will be stored by the EDPS in
electronic files until the end of the reporting period of the current year
(as a rule, until mid-next year), unless legal proceedings require us to
keep them for a longer period. Afterwards, only a brief anonymous note
will be included in a file in order to keep record of the request.
You have the right of access to your personal data and to relevant
information concerning how we use it. You have the right to rectify your
personal data. Under certain conditions, you have the right to ask that we
delete your personal data or restrict its use. We will consider your
request, take a decision and communicate it to you. For more information,
please see Articles 14 to 21, 23 and 24 of the Regulation. Please note
that in some cases restrictions under Article 25 of the Regulation may
apply. Any request to exercise your rights should be addressed to the EDPS
at [7][EDPS request email]. You may also contact the data protection
officer of the EDPS ([8][email address]), if you have any remarks
or complaints regarding the way we process your personal data. You have
the right to lodge a complaint with the EDPS, as supervisory authority.
Any such request should be addressed to the EDPS at
[9][EDPS request email]. You can reach the EDPS in the following ways:
e-mail: [10][EDPS request email]; EDPS postal address: European Data
Protection Supervisor, Rue Wiertz 60, B-1047 Brussels, Belgium.
References
Visible links
1. file:///tmp/tel:+3222831900
2. mailto:[email address]
4. http://@eu_edps/
6. http://www.edps.europa.eu/
http://www.edps.europa.eu/
7. mailto:[EDPS request email]
8. mailto:[email address]
9. mailto:[EDPS request email]
10. mailto:[EDPS request email]
Dear EDPS Access to Documents,
I wish to express my sincere appreciation for the disclosure of the four documents identified in your reply of 27 October 2025 and for the references to additional relevant materials.
In reference to my original application of 8 September 2025, which requested access to:
“Any opinions, correspondence, internal notes, preparatory documents, or meeting records held by the EDPS concerning the compatibility of the proposed Regulation laying down rules to prevent and combat child sexual abuse (‘Chat Control’ / CSAM proposal) with the Charter of Fundamental Rights and the General Data Protection Regulation (GDPR).
Specifically, I sought documents addressing:
– the impact of the proposal on Articles 7 and 8 CFR (private life and data protection);
– its consistency with GDPR principles (necessity, proportionality, purpose limitation, data minimisation); and
– safeguards under Article 47 CFR (effective remedies and judicial protection).”
I have reviewed the following four disclosed documents:
- Document 1: Correspondence follow-up related to the Second CSA Shadow Meeting (14 December 2022) and its contents.
- Document 2: Joint EDPB/EDPS Opinion 04/2022 of 19 January 2023.
- Document 3: Briefing of the EDPS meeting with the Delegation of the Committee on Human Rights, Gender Equality, Religious Affairs and Minorities of the Romanian Senate (30 March 2023).
- Document 4: Briefing on the intervention by the EDPS in the meeting of the Law Enforcement Working Party (19 January 2023, Brussels), which cross-references Document 2.
After detailed analysis, I consider that these four documents fully satisfy the scope of my request as delivered, and that the public interest in understanding the EDPS’s assessment of the CSAM proposal’s compatibility with the Charter and GDPR has been fully met.
I would also like to note, with deep appreciation, the broader constitutional importance of the EDPS and EDPB’s contributions. The position expressed in the disclosed materials—particularly the 14 December 2022 statement before the LIBE Committee—played a vital role in ensuring that fundamental-rights safeguards remained central to the legislative process.
It is worth observing that, as of mid-October 2025, the proposed Regulation was not placed on the Council of the EU agenda, likely following the German Government’s opposition earlier that month. This development appears to confirm the enduring relevance of the EDPS and EDPB’s efforts in maintaining the European Union’s checks and balances and its commitment to the Charter of Fundamental Rights.
Please accept my thanks once again for the professional handling of this request and for the transparency shown by your institution.
Yours sincerely,
Andrej Magyar