Publication document thumbnail

Annual Report 2020 - Executive Summary

This publication is available in the following format: PDF General Report


2020 was a challenging year, a year none of us were expecting.

The pandemic has not only dramatically changed the way we live and work; it has also brought at the centre of public debate the role and nature of our fundamental rights, including the rights to privacy and data protection.

With the pandemic came a new reality. From the perspective of a data protection authority, it was first and foremost a test. It was a challenge to ensure compliance in the ever-growing digitalised world and to provide timely advice to authorities, controllers and citizens on the data protection aspects of measures taken due to the pandemic.

The EDPS answered promptly to this task, having established an internal COVID-19 taskforce, composed of members of all the EDPS’ units and sectors, to coordinate and proactively undertake actions related to the interplay between privacy and the pandemic. Believing in the EDPS’ specific role in the EU institutional landscape, we called for a pan-European approach to combat the virus, in particular in the context of contact tracing apps.

With the teleworking regime, the EDPS had to adjust its approach when it came to carrying out its core activities. We took this as an opportunity to engage in an even closer dialogue with stakeholders, including public authorities, civil society and academia. We continued to be active in the field of investigations. Among others, we concluded the inquiry into the use of large datasets by Europol and we issued our findings and recommendations following an investigation into EUIs’ use of Microsoft products and services, which we presented at the second meeting of the Hague Forum.

The “Schrems II” Judgement, a landmark decision of the Court of Justice of the European Union (CJEU), has contributed to what has already been a particularly eventful year for a data protection authority. The EDPS has actively participated in, and contributed to, the EDPB‘s work resulting from the judgement, particularly regarding the measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. At the same time, we prepared our own strategy aimed at ensuring the compliance of EUIs with the CJEU’s Judgement.

Looking ahead, in June 2020, we presented the EDPS strategy for 2020-2024 ‘Shaping a Safer Digital Future’, based on Foresight, Action and Solidarity. In this spirit, the EDPS proposed, among other initiatives, the Support Pool of Experts which aims to bring together the EDPB members’ efforts to address the need for a stronger enforcement of EU data protection laws.

We continued to act as a trusted advisor to the European Commission, the Council and the European Parliament on the many legislative and nonlegislative proposals or other initiatives affecting the rights to privacy and data protection. This included, for example, our Opinions on the European strategy for data, on Artificial Intelligence or the proposed temporary derogations from the e-privacy framework. We also offered our expertise to the legislator with our own-initiative Opinions on the use of data for scientific research and health-related purposes, to name a few.

We have further developed our monitoring-related activities, analysing and acting as a reference point for clarifying technological issues related to privacy and data protection.

It is with particular satisfaction that I present this document: the summary and overview of everything we have done during these difficult months. The Annual Report 2020 shows the resilience, dedication and hard work of the EDPS staff to whom I would like to offer my heartfelt thanks

Wojciech Wiewiórowski
European Data Protection Supervisor

The EDPS’ 2020 Highlights

The year 2020 was unique for the world and, by extension, for the European Data Protection Supervisor (EDPS). Like many other organisations, the EDPS had to adapt its working methods as an employer, but also its work since the COVID-19 health crisis strengthened the call for the protection of individuals’ privacy, with the appearance of contact tracing apps and other technologies used for the fight against COVID-19. While technology can certainly contribute to limiting the spread of COVID-19, our priority remains to ensure that individuals’ personal data and right to privacy is protected.

2020 also marked new beginnings for the EDPS. On 30 June 2020, we presented our Strategy 2020-2024. The Strategy’s overarching aim is to shape a safer digital future, with three core pillars outlining the guiding actions and objectives for the EDPS to the end of 2024: Foresight, Action and Solidarity.

These three pillars, and our Strategy as a whole, were the driving force for our work in 2020.

Data protection in a global health crisis

The COVID-19 pandemic has taught us that privacy, like any other fundamental right, is nothing without solidarity. With this in mind, we have worked closely within the EDPS and with the European Data Protection Board (EDPB), the data protection officers (DPOs) of EU institutions, bodies, offices and agencies (EUIs), as well as with other European and international privacy and technology experts, to protect individuals and their personal data.

Our first initiative in this context was to immediately establish an internal task force to actively monitor and assess governmental and private sector responses to the COVID-19 pandemic. Throughout 2020, the COVID-19 task force has followed and anticipated future developments with an impact on data protection and privacy, allowing the EDPS to serve as a catalyst for a privacy-driven response and as a point of reference for stakeholders across and beyond Europe.

As the EU data protection authority of EUIs, we supported EUIs in their effort to safeguard their employees’ health in a privacy-compliant way by issuing our Orientations on body temperature checks, manual contact tracing, and reactions of EUIs as employers.

We also took on an active role at regional and international level with our participation and leadership in international fora such as the Global Privacy Assembly (GPA) (formerly the International Conference of Data Protection and Privacy Commissioners) and other conferences. In particular, we engaged with experts from the public health community in the European Union (EU) and other international organisations to better understand the needs for epidemiological surveillance and to accurately measure the efficiency and purpose of the tools being developed with regard to personal data protection, for example, by developing together practical guidance on data protection by design.

EUIs’ compliance with data protection law

Providing the necessary tools for EUIs

As the data protection authority for EUIs, the EDPS provides them with the necessary tools to comply with Regulation (EU) 2018/1725.

We have achieved this during 2020 through various initiatives, ranging from issuing strategic documents and publishing our investigations, to reinforcing our collaboration with the data protection officers of the EUIs by providing training to raise their awareness of data protection issues and their responsibilities.

The EDPS used existing, and developed new, tools and promoted a coherent approach to the application of data protection during 2020 in order to support EUIs to continue to lead by example in safeguarding digital rights and responsible data processing, according to the Action and Foresight pillars of our Strategy 2020-2024.

We have advised and guided EUIs with regard to tools, such as Data Protection Impact Assessments (DPIAs), and provided relevant training in order to share knowledge, expertise and contribute to the smart administration of the EUI environment. We have utilised a range of methods, such as our ‘DPIA in a nutshell’ Factsheet, a Report on how EUIs carry out DPIAs which contains lessons learned and best practices observed by the EUIs, a survey to determine specifically how EUIs have been using DPIAs and a video on the same subject for DPOs. We also continue to regularly update our Wiki, a resource created in November 2019 for data protection officers and data protection coordinators to help them comply with Regulation (EU) 2018/1725. We have also been working on developing version 1.0 of the Website Evidence Collector to help DPAs, data controllers, data protection practitioners and web developers to help them ensure that their websites are compliant with the General Data Protection Regulation (GDPR) and Regulation (EU) 2018/1725.

Supervising the Area of Freedom Security and Justice

We launched our supervision of the EU agency for judicial cooperation, Eurojust (12 December 2019) and are increasing the supervision of the European Public Prosecutor’s Office’s (EPPO) data protection- related activities.

On 5 October 2020, we rendered public our inquiry on the EU Agency for Law Enforcement Cooperation’s (Europol) big data challenge, namely Europol’s processing of large datasets received from EU Member States and other operational partners, or collected in the context of open source intelligence activities. We found that the processing did not comply with the provisions of Regulation 2016/794, in particular with the principle of data minimisation. We admonished Europol to implement all necessary and appropriate measures to mitigate the risks for individuals’ data created by the processing of large datasets.

The Hague Forum

On 2 July 2020, The Hague Forum, co-established by the EDPS, met for the second time, bringing together EUIs and other international organisations to exchange information and strengthen their negotiation power with ICT service providers, including cloud service and communications providers. On this occasion, we issued a Public Paper detailing our findings and recommendations on the use of Microsoft products and services by EUIs, in which we emphasise that, when EUIs enter into contractual relationships with IT service providers, the terms of these contracts should reinforce the EUIs control over how and why personal data is processed.

Compliance with “Schrems II” ruling

The EDPS issued its Strategy for EUIs to comply with the ‘Schrems II’ ruling following the judgment of the Court of Justice of the European Union on 16 July 2020. The judgement reaffirms, among other issues, the importance of maintaining a high level of protection of personal data transferred from the European Union to non-EU countries. The EDPS strategy includes a roadmap of actions for EUIs to ensure that ongoing and future international transfers are carried out in accordance with EU data protection law.

Safeguarding digital rights

The overarching objective of the EDPS is to promote a safer digital future for the EU. Our work on legislative consultations is instrumental to achieving this objective.

The EDPS promotes a positive vision of digitisation that enables us to value and respect all individuals, as per the Solidarity pillar of our Strategy 2020-2024. Therefore, we issue and address Opinions and recommendations to the EU legislators on the impact that their initiatives may have on individuals and their right to data protection to ensure that they promote digital justice and privacy for all within their initiatives.

The EDPS is also interested in policy initiatives to promote ‘digital sovereignty’ to help ensure that data generated in Europe is processed in accordance with European values. At the same time, we are committed to help overcome the detrimental vendor’s lock-in syndrome in the EUIs.

Opinion on a new EU-UK partnership

On 24 February 2020, the EDPS issued an Opinion on the opening of negotiations for a new partnership with the United Kingdom (UK). The EDPS supports a partnership which affirms the EU and UK commitment to and respect for a high level of data protection and the EU data protection rules. In its Opinion, the EDPS makes recommendations regarding commitments to respect fundamental rights (including data protection) equivalent to those for the economy and security, defining priorities for international cooperation other than law enforcement particularly between public authorities (including EUIs) and assessing transfers of personal data in the light of the CJEU Opinion 1/15 for the economic and security partnerships.

Opinion on the European strategy for data

The EDPS adopted an Opinion on 16 June 2020 to emphasise that the European strategy for data should stay true to European values, in particular respect for the fundamental rights of individuals such as the right to data protection.

Opinion on combatting child abuse online

On 10 November 2020, the EDPS issued an Opinion on a proposal for temporary derogations from the ePrivacy directive for the purpose of combatting child sexual abuse online. In its Opinion, the EDPS stresses that measures to detect, remove and report child abuse must be accompanied by a comprehensive legal framework which meets the requirements of Articles 7 and 8 of the Charter of Fundamental Rights of the EU. Moreover, in order to satisfy the requirement of proportionality, the legislation must set clear and precise rules governing the scope and application of the relevant measures and imposing minimum safeguards to provide sufficient guarantees of the protection of personal data against the risk of abuse.

Opinion on the New Pact on Migration and Asylum

On 30 November 2020, the EDPS issued an Opinion on the New Pact on Migration and Asylum to ensure that the proposal for more effective management of asylum and immigration incorporates a DPIA to help identify and address the relevant data protection implications.

Opinion on the European Health Data Space

The EDPS published a Preliminary Opinion on 17 November 2020 on the European Health Data Space (EHDS), to ensure that this platform for exchanging health data and fostering medical and scientific research prioritises the protection of individuals’ personal data within its development.

Monitoring technologies

The EDPS aims to be a recognised and respected centre of expertise that helps understand the impact of the design, deployment and evolution of digital technology upon the fundamental rights to privacy and data protection, and accordingly we have included this in the Foresight pillar of our Strategy 2020-2024. Therefore, we placed strategic importance during 2020 and for the foreseeable future upon integrating the technological dimension of data protection into our work. As a DPA, we also continue to closely examine the potential risks and opportunities offered by technological advances, seek to understand the possible benefits of new technologies and encourage the integration of data protection by design and data protection by default in the innovation process.

Examples include, but are not limited to, our contribution during 2020 to developing strong oversight, audit and assessment capabilities for technologies and tools that are increasingly ‘endemic’ to our digital ecosystem, such as artificial intelligence and facial recognition.


The EDPS also continued to build upon existing initiatives such as our TechDispatch reports, launched in July 2019, for the EDPS to contribute to the ongoing discussion on new technologies and data protection. Focusing on a different emerging technology each issue, we aim to provide information on the technology itself, an assessment of its possible impact on privacy and data protection and links to further reading on the topic.

Internet Privacy Engineering Network

The EDPS has also continued to organise sessions and workshops (albeit virtually) of the Internet Privacy Engineering Network (IPEN), which we founded in 2014, to allow us to bridge the gap between legal experts and engineers when implementing data protection safeguards and monitor the state of the art of privacy enhancing technologies. With this endeavour, we continue to develop core knowledge about how essential and emerging technologies work for privacy and data protection by exchanging views academia and innovators in the private sector, among other relevant actors.

The EDPS as a member of the EDPB

The EDPS believes that a strong expression of genuine European solidarity, burden sharing and common approach is necessary to ensure the enforcement of data protection rules. We strongly believe in this and have included this in our Action pillar of the Strategy 2020-2024.

As an example of how we put this conviction into practice, the EDPS, as a member of the EDPB, works closely with other DPAs for the consistent application of data protection laws across the EU.

In June 2020, the EDPS proposed the establishment of a Support Pool of Experts (SPE) within the EDPB, with the aim to assist DPAs in dealing with complex and resource intensive cases.

The EDPS also assisted the EDPB in other ways, for example in regard to the EDPB’s:

International cooperation in data protection

As per the Foresight pillar of our Strategy 2020-2024, the EDPS aims to be alert to and aware of the new trends in technology and data protection. In 2020, the EDPS has continued to dedicate substantial time in promoting global data protection convergence and cross-border dialogue. Despite the pandemic-related challenges, we have continued to exchange best practices and information with international organisations and interlocutors outside Europe, as well as developing European and international cooperation measures, and promoting joint enforcement actions and active mutual assistance.

In 2020, we have pursued this objective via fora, such as the GPA; the Computers, Privacy and Data Protection Conference (CPDP) and international organisations workshops, addressing the data protection challenges arising – among others – with the use of new technologies, within the fight against COVID-19 and in law enforcement.

Internal administration

The EDPS Human Resources, Budget and Administration Unit (HRBA) has provided support throughout 2020 to ensure that both the EDPS Management and operational teams have the financial, human and administrative resources and tools to achieve the goals set out in our Strategy 2020-2024.

In light of the COVID-19 pandemic, the HRBA has had to adapt its organisation during 2020 to ensure business continuity, by developing an innovative action plan to enhance the functioning of the EDPS and the wellbeing of its staff, in particular preparing the workforce for teleworking.

The EDPS continued to grow in 2020, both in terms of financial and human resources. This required agility, flexibility and creativity on the part of HRBA, particularly given the exceptionally difficult context of the COVID-19 pandemic.

HRBA introduced new initiatives in 2020 to enhance the well-being of EDPS staff – such as internal coaching and other support activities – and will continue to pursue these endeavours in 2021. This ensures that we remain a socially responsible organisation and manifests our belief that staff with higher levels of well-being learn and work more effectively, are more creative, have better relationships, are more social in their behaviour, and ultimately feel more satisfied with their working life.

Communicating data protection

Public interest in, and engagement with, data protection and the work of DPAs only continues to grow. This has and continues to be even more the case in light of the COVID-19 pandemic, which has increased the acceleration of the digitalisation of individuals’ daily lives. People feel more aware of and concerned about their digital footprint and the importance of protecting their personal data.

During the COVID-19 pandemic, it has been of particular importance to adapt and continue to strengthen the EDPS’ online presence in order to fully connect with the relevant audience and stakeholders. The EDPS Information and Communication Team has achieved this objective using a variety of methods, in particular via EDPS blogposts, social media campaigns and monthly newsletters.

The Team’s efforts focused on other objectives as well, in particular promoting the EDPS Strategy 2020-2024 and developing a new visual identity for the EDPS.

Key performance indicators

We use a number of key performance indicators (KPIs) to help us monitor our performance in light of the main objectives set out in the EDPS Strategy.

This ensures that we are able to adjust our activities, if required, to increase the impact of our work and the effective use of resources.

The KPI scoreboard below contains a brief description of each KPI and the results on 31 December 2020. These results are measured against initial targets, or against the results of the previous year, used as an indicator.

The outbreak of the COVID-19 pandemic, and its far-reaching consequences at every level, substantially changed the context and circumstances in which the EDPS had to operate. Therefore, the KPIs monitoring this year’s results should be read with this context in mind.

In 2020, we met or surpassed - in some cases significantly - the targets set in five out of eight KPIs. This includes, KPI 1 on the number of initiatives related to our technology and privacy work; KPI 2 measuring the number of activities on cross-disciplinary actions; KPI 3 concerning the number of cases dealt with at international level; KPI 4 on the number of Opinions and Comments issued in 2020; as well as KPI 6 demonstrating an increase of our followers on our social media platforms.

KPI 5, measuring EUIs level of satisfaction on guidance and training received in 2020 was not assessed; the vast majority of training and meetings were conducted remotely, and satisfaction surveys were not conducted due to the technical limitations that could not allow us to ensure anonymous feedback. The small number of in-person sessions that took place in 2020 are not sufficiently representative to draw meaningful conclusions; as a result, this KPI has not been assessed in 2020.

KPI 7 reflects the outcome of the periodic staff satisfaction survey, which occurs every two years. The survey was launched in June 2020, three months after the beginning of the COVID-19 crisis amid a climate of anxiety and uncertainty. These extraordinary circumstances may, in part, explain why we failed to reach the set target. In addition, the participation rate was rather low (45%) and there were quite a lot of newcomers for whom it may have been difficult to answer some of the questions in the survey.

KPI 8 on budget implementation shows that, in 2020, 72.97% of the EDPS’s allocated budget was implemented, a substantially lower figure compared to 2019’s budget implementation figure of 92% and well below the 90% target. This is mainly due to the COVID-19 pandemic which dramatically affected the activities of the EDPS. When the Belgian government declared the first lockdown in March 2020, severe (ongoing) restrictions were enforced on the movement of staff and other individuals. This directly impacted the missions’ expenses and experts’ reimbursements expenses which constitute a major part of the budget. Other budget items were indirectly affected as well (e.g. the interpretation expenses). There were some other external factors which also impacted budget execution to a lesser extent (delays in the availability of offices in the Montoyer 30 building and postponement of the related works). We expect that the pandemic will also have a substantial impact on the year 2021 as travel restrictions are expected to continue until the vaccination campaign is in its advanced stage.

Results on
Target 2020
KPI 1 Internal indicator Number of initiatives, including publications, on technology monitoring and on promoting technologies to enhance privacy and data protection organised or co-organised by EDPS
9 initiatives
9 initiatives
Internal & External Indicator
Number of activities focused on cross-disciplinary policy solutions (internal & external) 8 activities

8 activities
KPI 3 Internal indicator Number of cases dealt with at international level (EDPB, CoE, OECD, GPEN, International Conferences) for which EDPS has provided a substantial written contribution 42 Cases 10 Cases
KPI 4 External indicator Number of Opinions/Comments issued in response to consultation requests (COM, EP, Council, DPAs...)
6 Opinions
25 Formal
10 Opinions /
KPI 5 External indicator Level of satisfaction of DPO’s/DPC’s/controllers on cooperation with EDPS and guidance, including satisfaction of data subjects as to training
/ 70%
KPI 6 External indicator Number of followers on the EDPS social media accounts
(LI: 38400,
YT: 2077)
Previous year’s
results + 10%
KPI 7 Internal indicator Level of Staff satisfaction
71% 75%
KPI 8 Internal indicator Budget implementation
72,97% 90%

Getting in touch with the EU

In person

All over the European Union there are hundreds of Europe Direct information centres. You can find the address of the centre nearest you at:

On the phone or by email

Europe Direct is a service that answers your questions about the European Union. You can contact this service:

– by freephone: 00 800 6 7 8 9 10 11 (certain operators may charge for these calls),

– at the following standard number: +32 22999696 or

– by email via:

Finding information about the EU


Information about the European Union in all the official languages of the EU is available on the Europa website at:

EU publications

You can download or order free and priced EU publications at:

Multiple copies of free publications may be obtained by contacting Europe Direct or your local information centre (see

EU law and related documents

For access to legal information from the EU, including all EU law since 1952 in all the official language versions, go to EUR-Lex at:

Open data from the EU

The EU Open Data Portal ( provides access to datasets from the EU. Data can be downloaded and reused for free, both for commercial and non-commercial purposes.


Further details about the EDPS can be found on our website at

The website also details a subscription feature to our newsletter.
European Data Protection Supervisor


Waterford, Ireland – Brussels, Belgium: Trilateral Research Ltd, Vrije Universiteit Brussel, 2021

© Design and Photos: Trilateral Research Ltd, EDPS & European Union

© European Union, 2021

Reproduction is authorised provided the source is acknowledged.

For any use or reproduction of photos or other material that is not under the European Data Protection Supervisor copyright, permission must be sought directly from the copyright holders.


ISBN 978-92-9242-647-7

ISSN 1977-8333




ISBN 978-92-9242-671-2

ISSN 1831-0494




ISBN 978-92-9242-628-6

ISSN 1977-8333