According to the European General Data Protection Regulation (GDPR), a Data Protection Impact Assessment (DPIA) is mandatory for all ongoing and planned processing of personal data if said processing is likely to affect the privacy and data protection rights and freedoms of the data subjects. However, upon examining the real-world implementation of this requirement, various approaches emerged, resulting in a heterogeneous landscape of DPIA processes. In this paper, we present the results of a survey that investigated the state of adoption of DPIA process methodologies in real-world organisations. Our survey reveals that handwritten DPIA reports and ad-hoc methods continue to dominate the DPIA landscape in Europe. Moreover, according to our data, processes involving multiple stakeholders are often not adequately assessed in terms of DPIA-related risks. 

When personal data is processed in a distributed manner by cooperating service providers, privacy risks may emerge solely from the choice of data processors included in the composition. For instance, different data processors may unknowingly rely on the same cloud provider, allowing for unintended linkability of personal data at that very provider. As such compositional risks to privacy are beyond the scope of each individual risk assessment, they are likely to be overseen when performing a data protection impact assessment. In this paper, we propose a novel protocol to detect and manage such compositional risks to privacy. Following an initial problem definition and requirements elicitation, we elaborate how our protocol identifies candidates for compositional risks and how this information may be used to improve the results of a data protection impact assessment over service compositions including multiple data processors. 

This open access book constitutes the refereed proceedings of the 13th Annual Privacy Forum on Privacy Technologies and Policy, APF 2025, held in Frankfurt am Main, Germany, during October 22-23, 2025.

The 9 full papers were carefully reviewed and selected from 27 submissions.They were organized into following topical sections: Supporting Laypeople and Users: Design Approaches, User Perceptions, and Problems; Emerging Risks from Upcoming Technologies, Misunderstandings, and Regulatory Derogation; Professional Methods & Tools for Analysis and Decision Making.

Ransomware is continuously evolving and has recently seen record-breaking payouts. This paper describes developments in corporate ransomware which have contributed to this continued rise. It provides an interdisciplinary case study of a ransomware campaign conducted in northern Europe during 2023 and 2024. We argue that underlying factors, including the broad rollout of personal cloud backups, have caused modern ransomware groups to shift towards expending more effort per attack in order to attack bigger targets. We perform an analysis of such an attack using a combination of internal and open sources, as well as using forensic techniques. The analysis shows how the attackers approach high-value targets, use both traditional crypto-ransomware tools and hacking, and utilize multiple avenues of extortion to negotiate the highest possible ransom. 

The current European data strategy foresees a novel ecosystem of data sharing and data trading among public and private sector organizations in the EU member states. The focus is on enabling and fostering data sharing among the stakeholders while maintaining compliance with existing EU and national data protection legislation, such as the European General Data Protection Regulation (GDPR). However, managing data sharing in such a compliant manner requires additional metadata to be exchanged amongst the actors in this ecosystem. Therefore, this paper proposes a novel data model for managing data sharing activities. This model takes current and planned regulations (e.g., the Data Governance Act) and the resulting data ecosystem architectures (e.g. data intermediaries) into account and is applicable to different actions that are necessary for compliant data exchange, like data subject rights requests or intellectual property enforcement. © The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.

The recent EU legislative initiatives promoting data sharing are sectoral and cross-sectoralinstruments that aim to make data available by regulating the reuse of publicly and privatelyheld data, including personal data. They also facilitate data sharing by creating of novelintermediaries and sharing environments where the parties involved can pool data and facilitiesin a trusted and secure way.Common European data spaces (EU data spaces) are a novel concept introduced in theEuropean strategy for data and elaborated further within the Data Governance Act (DGA). It isenvisioned that they will facilitate innovation, economic growth and digital transformation andrevolve around creating a framework for data sharing that respects privacy, security and otherapplicable regulatory considerations while promoting cross-sector collaboration andinteroperability.This report attempts to contextualise the main design principles regarding protection of personaldata and demonstrate how to engineer personal data protection through two use cases of anenvisioned EU data space in the pharmaceutical domain.Despite the potential of the EU data spaces, there are still considerations regarding appropriatetechnical and organisational measures and how to engineer them into practice, both from a dataprotection and from a cybersecurity point of view. Even if there are already a good number ofprivacy enhancing technologies that can support us in meeting specific data protection goals,we should not neglect the fact that we are called to address new processing operations, wherethe roles and responsibilities are not always clearly defined. 

When it comes to network forensics in modern cloud-edge-systems, network forensics has become an urgent yet challenging field of work. Especially forensics of software-defined networks (SDN) poses some unique challenges that need to be addressed. This article hence addresses the methodological and strategic challenges of network forensics in modern complex software-defined networks using the ZeroTier Network as a practical example. In this context, detailed strategies and methods for clarification and preservation of evidence in SDN after common IT security incidents are derived from existing best practices in digital forensics. In addition, typical technical and legal issues and obstacles for forensic work in SDN are addressed in connection with IT security measures, and possible solution approaches are presented. Using an advanced SDN example, characteristic workflows of network forensics in SDN are discussed. The result of the work is ultimately a presentation of adapted and individually adaptable strategies and methods for applying targeted digital forensics in advanced SDN.