[buzer]

I would like to see that thread if possible just out of curiosity.

I looked a bit into EUDPR and the earlier 45/2001 regulation (EUDPR came in effect in December 2018 so a bit later than GDPR). EUDPR explicitly imports Article 5(3) of ePD (via Article 37) and thus whatever case law there is around it. The earlier regulation seems to do this more indirectly (references in recitals), but EDPS view from 2016 is that it effectively does import Article 5(3) as well.

Personally I haven't dealt with EU institutions so far. On general public sector side I did recently seek some clarifications from Finland's Ministry of Justice regarding one of their websites and their responses weren't exactly reassuring.

I asked for the GDPR Article 15(1) information regarding single visit (i.e. information about processing, not actual copies of data) and it took them almost 3 months to give official response. Even after that time they, for example, failed to identify if they are actually the controller or not for some of the processing (Cloudflare challenge). And their stance is that analytics (Matomo) does not need Article 6 legal basis at all, i.e. they seem to think that anonymization step itself is not processing.