Annual Report 2021 - Executive Summary

This publication is available in the following format:


During my closing remarks at the Computers, Data Protection and Privacy conference in January 2021, I shared with participants my feelings of hope. Hope that we will come out of the solitude of lockdowns with a shared, common experience of having gone through this for each other; that the solidarity we had been experiencing will make us stronger as a society; and that this shared experience is something that we will build on in the future.

When I write these words, trying to think of this past year, I find it difficult not to think about the present. In the atrocities of the war, like in the tragedy of the pandemic, we see how solidarity brings us closer and helps us defeat the darkest hours.

Not by coincidence, solidarity is one of the main pillars of the EDPS Strategy 2020-2024. I am proud that in 2021 our words were followed by actions. Our supervision of the EU institutions, agencies and bodies (EU institutions) is founded on a deep belief that high standards of legal compliance of EU public authorities is a necessary condition for their effectiveness. An efficient administration is an administration that respects the rule of law and acts on the basis of law, not around it.

The EDPS is committed to supporting the EU institutions in this endeavour. We note with satisfaction, as proven by remote inspections, guidelines and trainings, the overall high level of compliance with data protection principles regarding measures undertaken to combat the pandemic.

The EDPS’ Decision to order Europol to delete datasets with no established links to criminal activity should also be seen in the context of our respect for the rule of law and mature checks and balances system. The EDPS wants strong EU institutions. This strength, however, can only be based on the full compliance with the mandate given to them by the EU legislator. No other foundation can bring results in the long term.

In the field of policy advice, amongst examples which can be found in the Annual Report 2021, our efforts can be seen in the Opinions we delivered on a number of the EU legislators’ initiative that have an impact on the protection of individuals’ personal data, such as the Digital Services Act or the Digital Markets Act. Our Opinions are based on the conviction that data generated in Europe is converted into value for European companies and individuals, and processed according to European values, to shape a safer digital future.

The EDPS has always been an institution that looks beyond the landscape of the EU institutions. We are committed to the success of the EU in the field of the fundamental rights to privacy and to data protection. Looking to the future, believing that the success of the GDPR is also our responsibility, we continued our active participation in the European Data Protection Board’s work, as reflected in the number of initiatives we proposed or took part in.

Above everything else, we see the European Union as a community defined by values, not borders. For the EDPS, this belief is a motivation to further our efforts.

We hope that this belief will be shared more broadly across the European Union.

I dedicate the Annual Report 2021 to the EDPS staff whom I cannot thank enough for their work.

Wojciech Wiewiórowski

European Data Protection Supervisor

This chapter presents the main activities and achievements of the EDPS in 2021.

The EDPS' 2021 Highlights

International transfers of personal data

Following the Court of Justice of the European Union’s Schrems II judgment, the EDPS pursued and launched various activities and initiatives in the framework of the EDPS’ Strategy for EU institutions, bodies, offices and agencies (EUIs) to comply with the “Schrems II” judgment (EDPS’ Schrems II Strategy), published on 29 October 2020.

The strategy aims to ensure and monitor the compliance of EUIs with the judgment concerning transfers of personal data outside the EU and the European Economic Area (EEA), in particular the United States of America. As part of the strategy, we are pursuing three types of actions: investigations; authorisations and advisory work; and general guidance to assist the institutions in discharging their duty of accountability.

Notably, in May 2021, we launched two investigations: one on the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by EUIs, and one on the use of Microsoft Office 365 by the European Commission. With these investigations, the EDPS aims to help EUIs improve their data protection compliance when negotiating contracts with their service provider.

In addition, we issued a number of decisions on transfers of personal data to non-EU/EEA countries. Our decisions are based on assessing whether the tools that the EUI in question envisages to use to transfer personal data outside of the EU/EEA affords an essentially equivalent level of protection for individuals’ personal data as in the EU/EEA.

To find out more about the EDPS’ work on transfers of personal data, read Chapter 3 part 1: Transfers of personal data to non-EU/EEA countries, and Chapter 3 part 6: EDPS investigations of the Annual Report 2021.

COVID-19 and data protection, our efforts continue

Throughout 2021, the EDPS continued to monitor the COVID-19 pandemic and its impact on data protection through its dedicated COVID-19 task force, initially set up in 2020. As the data protection authority of EUIs and as an employer itself, we produced guidelines, and other initiatives to support EUIs in their processing activities during this time.

As EUIs developed strategies for their return to the office, we published guidelines on 9 August 2021 titled, Return to the Workplace and EUIs’ screening of COVID immunity or infection status. Our guidelines include recommendations on a variety of matters, such as EUIs’ possible use of COVID antigen test results, the use of employees’ vaccination status and EU COVID certificates.

The dynamic evolution of the COVID-19 pandemic means that EUIs must continually adapt their processes. As such, we conducted a survey asking all EUIs about how they have changed or developed new processing operations due to COVID-19. The survey included question on EUIs’ new processing operations; IT tools EUIs put in place or enhanced to enable teleworking; and new processing operations put in place by EUIs in charge of tasks related to public health. The results of the survey, shared with the data protection officers of EUIs and later on with the public, will feed into updating existing EDPS guidelines, or contribute to the development of new guidelines, depending on the evolution of the pandemic and the new practices that will continue once it is over.

We also felt it was necessary to provide training on the use of social media, remote working tools and other ICT tools used by EUIs, due to the increase in the use of these tools to connect both internally and with their audience during COVID-19. During our training sessions, we emphasised that the use of social media and videoconference tools should be considered like any other ICT tools when assessing their data protection implications and adopting necessary measures to ensure that individuals’ privacy is protected. Compliance with the EU’s data protection framework in this context was regularly checked by the EDPS.

Supervising the Area of Freedom, Security and Justice

In 2021, the EDPS continued to supervise the bodies and agencies that are part of the Area of Freedom Security and Justice (AFSJ), which covers policy areas that range from the management of the European Union’s external borders to the judicial cooperation in civil and criminal matters. The AFSJ also includes asylum and immigration policies, police cooperation and the fight against crime, such as terrorism; organised crime; trafficking of human beings; drugs.

Supervising Europol

Some of our notable work in the Area of Freedom, Security and Justice, include our supervision activities regarding the processing of personal data by Europol, the EU Agency for Law Enforcement Cooperation.

In particular, we supervised Europol over their use of machine learning tools, which we initially started in 2019. In line with our Strategy, our work focused, and continues to focus, on the use of operational data for the development, including training, testing, validation, and use of machine learning models for data science purposes. Our supervision work consisted of an own-initiative inquiry, followed by a prior consultation that we issued in February 2021, which led us to deliver an opinion of 21 recommendations that Europol should follow in order to avoid possible breaches of the Europol Regulation. Our Opinion suggested, in particular, that Europol establishes an internal governance framework to ensure that, in the course of developing machine learning models, Europol identifies the risks to fundamental rights and freedoms posed by the use of these innovative technologies, even if Europol might not always be in a position to mitigate all of them, on the basis of the current state-of-the-art. The development and use of such models was also one of the topics of Europol’s Annual Inspection in September 2021. The inspection covered Europol’s machine learning tool development process and the related data protection risk assessment process.

Another important part of our work in 2021 concerned our inquiry into Europol’s processing of large datasets, initially launched in 2019. In December 2021, we decided to use our corrective powers by issuing an order - formally communicated to Europol on 3 January 2022 - to delete data concerning individuals with no established link to a criminal activity (Data Subject Categorisation). More specifically, we impose a 6-month retention period for Europol to filter and to extract the personal data and a 12-month period to comply with the EDPS Decision. This Decision comes after the EDPS admonished Europol in September 2020 for the continued storage of large volumes of data with no Data Subject Categorisation, which poses a risk to individuals’ fundamental rights.

Supervising Eurojust

In 2021, the EDPS continued to work closely with the DPO and other operational staff of Eurojust, the European Union Agency for Criminal Justice Cooperation, by providing them with informal advice when needed.

Following the adoption of the EU-UK Trade and Cooperation Agreement, we contributed to the fine-tuning of Eurojust’s relations with competent UK authorities. The EDPS provided advice on practical data protection questions and delivered opinions on the working arrangements between Eurojust and the UK’s Home Office.

Our first data protection audit of Eurojust’s data protection activities, initially scheduled for 2020 and postponed due to the pandemic, took place in October 2021. The EDPS’ audit focused on the processing of operational personal data by Eurojust and looked at data transfers in Eurojust’s external relations; the functioning of the counter terrorism register and data security; and the use and performance of Eurojust’s Case Management System, in particular. Following the onsite visit of the EDPS as part of the audit, we found that, overall; Eurojust’s compliance with the data protection framework was satisfactory, with no critical compliance issues.

Supervising EPPO

The European Public Prosecutor’s Office (EPPO), the independent European body with the power to investigate and prosecute criminal offences against the EU’s financial interests, became operational in June 2021.

To this end, our work and efforts in 2021 focused on supporting EPPO to establish itself before it became operational. For an effective collaboration, the Supervisor of the EDPS met with the European Chief Prosecutor, Ms Laura Kövesi, to discuss their ongoing and future cooperation.

Supervising Frontex

In 2021, we also supported the activities of Frontex, the European Border Coast Guard Agency, which contributes to the effective management of European borders.

We provided guidance on Frontex’s activities in assisting EU Member States when returning migrants - who do not fulfil the conditions to stay in the EU - are sent back to their home country. In particular, we gave our advice on the technical tools Frontex and EU Member States are using in this context, and provided advice on the transfers of personal data about these migrants by Frontex to non-EU countries.

To find out more about the EDPS’ work in the Area of Freedom, Security and Justice, read Chapter 4: The Supervision of the Area of Freedom, Security and Justice of the Annual Report 2021.

Shaping Europe's Digital Future

As set out in our EDPS Strategy 2020-2024, we value initiatives where data generated in Europe is converted into value for European companies and individuals, and processed in accordance with European values, to shape a safer digital future. Amongst other examples, which can be found in the Annual Report 2021, our efforts can be seen in the Opinions we delivered on a number of the EU legislators’ initiative having an impact on the protection of individuals’ personal data.

The Digital Markets Act and Digital Services Act

In February 2021, the EDPS published two Opinions, one on the EU’s Digital Markets Act and one on the EU’s Digital Services Act.

We welcomed the proposal for a Digital Services Act that seeks to promote a transparent and safe online environment. We recommended that additional measures are put in place to better protect individuals when it comes to content moderation, online targeted advertising and recommender systems used by online platforms, such as social media and marketplaces.

Concerning the Digital Markets Act, we highlighted the importance of fostering competitive digital markets, so that individuals have a wider choice of online platforms and services that they can use.

Artificial Intelligence

In June 2021, with the European Data Protection Board (EDPB), we issued a Joint Opinion on the European Commission’s Proposal on the Artificial Intelligence Act. With individuals’ privacy rights and safety in mind, we called for a general ban on any use of AI for automated recognition of human features in publicly accessible spaces.

The EU’s Cybersecurity Strategy

In March 2021, we issued an Opinion on the EU legislator’s Proposal for the NIS 2.0 Directive, which aims to replace the existing Directive on security of network and information systems (NIS) and is part of the EU’s Cybersecurity Strategy. In our Opinion, we underlined that it is essential that privacy and data protection are embedded in the proposed Directive and in all future initiatives stemming from the EU’s Cybersecurity Strategy. This will allow for a holistic approach when managing cybersecurity risks and protecting individuals’ personal data.

The Digital Green Certificate

In April 2021, together with the EDPB, we adopted a Joint Opinion on the Proposals for a Digital Green Certificate. The Digital Green Certificate aims to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic by establishing a common framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, testing and recovery certificates.

With this Joint Opinion, we invited the co-legislators to ensure that the Digital Green Certificate is fully in line with EU personal data protection legislation. Our Joint Opinion underlined that the use of the Digital Green Certificate may not, in any way, result in direct or indirect discrimination of individuals, and must be fully in line with the fundamental principles of necessity, proportionality and effectiveness.

An increase in legislative consultations

Since the entry into application of the data protection regulation for EUIs, Regulation (EU) 2018/1725, the number of legislative consultations has increased significantly.

In 2021, the EDPS responded to 88 Formal Legislative Consultations, compared to 27 in 2020. The 88 legislative consultations include 12 Opinions and 76 Formal Comments, in addition to 5 Joint Opinions issued with the EDPB.

This steep increase can be explained by several factors.

There has been a greater number of legislative initiatives containing provisions that have an impact on the protection of individuals’ rights and freedoms with regard to the processing of personal data. Therefore, more EU institutions and organisations have contacted the EDPS for legislative consultation.

This increase is also due to the strengthening of the EDPS’ consultative role under Article 42 of Regulation (EU) 2018/1725, which establishes a clear positive obligation for the European Commission to consult us on legislative proposals and other proposals with an impact on the protection of individuals’ rights and freedoms with regard to the processing of personal data.

Amongst other factors, there is a growing awareness of data protection issues within the European Commission’s departments. This awareness raising is due to both the outreach undertaken by the EDPS, and clarifications made internally by the European Commission.

In 2021, a series of significant EDPS Opinions have been issued on three themes in particular: digital platforms, financial services and justice and home affairs.

Our Joint Opinions with the EDPB include the topics of Artificial Intelligence, the Digital Green Certificate, Standard Contractual Clauses, to name a few examples.

Our key Formal Comments issued in 2021 concern, amongst others, Justice and Home Affairs and the European Health Union Package.

To find out more about the EDPS' Legislative Consultations of the year 2021, read Chapter 6: Legislative Consultations of the Annual Report 2021.

Pleadings before the Court of Justice of the European Union

Throughout 2021, the EDPS participated in four hearings before the Court of Justice of the European Union (CJEU) concerning different matters. Our interventions in cases that are pending before the CJEU is one of the tangible ways we fulfil our advisory role. In our interventions, we can highlight specific data protection issues to ensure that individuals' fundamental rights to privacy and data protection are respected.

Passenger Name Records

In July 2021, the EDPS replied to written questions by the CJEU and participated in an oral hearing in a case concerning the validity and interpretation of the EU Directive 2016/681 on the use of passenger name record data (PNR) - which includes passengers’ booking details when travelling - for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (Case C-817/19).

The claimant before the Belgian Constitutional Court which referred the case, the Ligue des droits humains, a Belgian non-governmental organisation, claimed that the Belgium PNR Law, which transposed the PNR Directive, unlawfully interfered with individuals’ right to privacy and right to the protection of their personal data. The claimant considered, in particular, that the processing operations of individuals’ data that it entailed was not necessary and proportionate in light of the criteria set out in data protection law.

During the hearing, the EDPS stressed the need for effective safeguards to mitigate the risks stemming from the processing of PNR data, bearing in mind its large-scale, systematic and intrusive nature. The EDPS also expressed doubts about the compatibility of the processing of PNR data from intra-EU flights and from other intra-EU cross-border means of public transport with the Treaties and the EU Charter of Fundamental Rights.

Data retention

In September 2021, the EDPS participated in two CJEU hearings in cases concerning data retention.

The first hearing addressed the compatibility of German and Irish laws on retention of personal data for law enforcement purposes with article 15 of the ePrivacy directive, which governs restrictions of individuals’ rights to privacy and to the protection of personal data in electronic communications (C-793/19, C-794/19 and C-140/20).

During the hearing, the EDPS reiterated that it might be possible to envisage clear and precise legislation providing for a limited but effective regime for the retention and access to traffic and location data of electronic communications, including data of users that at first sight have no objective connection with the objective pursued, in a manner compatible with the EU Charter of Fundamental Rights, and that retention and access to stored data should not be considered in watertight isolation from each other.

The second hearing concerned two French cases related to the use of data retention to investigate insider dealings and market manipulations under the EU’s Market Abuse Directive and Market Abuse Regulation (C-339/20 and C-397/20). One of the issues in question was whether this legislation allows the national legislator to require general retention of personal data to enable competent authorities to access this data when investigating insider dealings and market manipulations.

At the hearing, the EDPS took the view that these provisions did not aim at establishing a data retention legal basis.

Anti-money laundering

In October 2021, the EDPS took part in a CJEU hearing in a case concerning EU Directive 2018/843 on the prevention of money laundering and terrorist financing (C-601/20). Specifically, the hearing focused on how to interpret the relevant provisions of this EU Directive concerning the regime of public access to information on beneficial ownership and whether this interpretation complies with the EU Charter of Fundamental Rights and the General Data Protection Regulation.

In line with our Opinion on anti-money laundering published in September 2021, we argued that access of the general public to information on beneficial ownership, as set out in the Directive is not necessary and proportionate.

A new initiative, TechSonar

One of the EDPS’ achievements of the year 2021 was the launch of a new initiative, TechSonar, in September.

With our TechSonar report, we aim to anticipate emerging technology trends to better understand their future developments, especially their potential implications on data protection and individuals’ privacy.

This new initiative comes after some reflections within the EDPS. The COVID-19 pandemic, amongst other factors, has accelerated technological change, with the appearance of new technologies and tools. Often, we do not know the real main uses that these technologies will have until they are applied in specific contexts. It is only then that we are able to understand the value and risks that these technologies may have on society. To this end, the EDPS firmly believes that it is necessary to act in advance, meaning that, instead of reacting to new emerging technologies when their added value and risks for society are already developed, we should be able to anticipate their developments. This would allow us to ensure that these technologies are developed, from the earliest stages of their conception, according to individuals’ fundamental rights, including the rights to privacy and data protection.

In light of this, TechSonar is a process that aims to empower the EDPS to continuously analyse the technology arena with the aim of selecting tech trends we foresee for the following year.

With Tech Sonar, we are able, and will continue, to determine which technologies are worth monitoring today in order to be prepared for a more sustainable digital future where the protection of personal data is efficiently guaranteed.

In our first 2021 TechSonar report, our team of in-house experts chose to explore the following six foreseen technology trends: Smart vaccination certificates; Synthetic data; Central bank digital currency; Just walk out technology; Biometric continuous authentication; Digital therapeutics.

To find out more about TechSonar and the EDPS’ work in the area of technology and privacy, read Chapter 5: Technology and Privacy of the Annual Report 2021.

Human Resources, Budget and Administration

Throughout 2021, the EDPS’ Human Resources, Budget and Administration Unit (HRBA) has provided support to the Management and Operational teams of the EDPS. The aim is to ensure that they have sufficient financial, human and administrative resources and tools to achieve the goals set out in the EDPS Strategy 2020-2024.

Managing the COVID-19 pandemic

Amongst the work and initiatives pursued in 2021, the HRBA unit put in place an internal strategy for a gradual and safe return to the EDPS’ premises, aligned with the Belgian’s COVID-19 measures and the measures adopted by the other EUIs. As such, HRBA orchestrated the return to the EDPS offices in phases over the course of the pandemic, with specific working arrangements and health and safety rules.

Well-being at work

As an organisation, we focus on creating a positive impact in our society. One of our core values is to treat individuals, including our staff, with respect. To build a positive, respectful and safe working environment, HRBA continued a number of initiatives, already started in 2021, to ensure high levels of well-being at work amongst EDPS staff, by working closely with the EDPS’ Well-being Coordinator.

Recruiting data protection experts

One of the priorities set out in our EDPS Strategy 2020-2024 is to invest in knowledge management to ensure the highest quality of our work and to recruit a diverse, inter-disciplinary and talented workforce. As such, in 2021, we concentrated our efforts to recruit data protection experts to meet the EDPS’ needs.

Adapting our working conditions

The changes in our working environment caused by the pandemic and the full-time teleworking regime called for a deep reflection on the adaptation of our working conditions. We considered factors including working time, hybrid working and telework from abroad. The HRBA unit began this reflection and will propose new rules, which will be discussed and agreed upon by our staff committee. The aim is to adopt these rules by mid - 2022.

Looking forward: creating the European House of Data Protection

The EDPS and the EDPB became the sole occupants of its current premises in Brussels following the departure of the European Ombudsman at the end of October 2021. This paved the way for us to start creating and establishing our premises as “The European House of Data Protection”, with the aim to become the EU’s Brussels-based hub for privacy and data protection. This project started in 2021 and will continue throughout 2022.

To find out more, read Chapter 12: Human Resources, Budget and Administration of the Annual Report 2021.

The EDPS’ Communication Activities

Public interest in and engagement with data protection and the work of data protection authorities (DPAs) continues to grow, more so in light of the increasing digitalisation of individuals’ daily lives. People are more aware of and concerned about their digital footprint and the importance of protecting their personal data. The EDPS Information and Communication Sector (I&C Sector) aims to, therefore, ensure that EDPS activities and messages reach the relevant audiences at the right time.

The role of the I&C Sector, reinforced in the EDPS Strategy 2020-2024, is to explain and promote the work of the EDPS. This commits us to making data protection issues, in particular the impact that processing operations and technologies might have on individuals and their personal data, more accessible to a large audience by providing information on the EDPS’ day-to-day work in clear language and via appropriate communication tools.

To this end, our work in 2021 focused on developing and modernising the EDPS’ visual identity. With our new corporate identity, we aim to reflect the role of the EDPS as a global leader in data protection and privacy not only in the EU, but also beyond, and to mark a new era in the history of the EDPS, which will focus more on shaping a safer digital future.

A large part of I&C’s time and effort is invested in promoting the EDPS’ activities on our three well-established social media channels: Twitter, LinkedIn, and YouTube. This may include developing social media campaigns centred on specific themes, promoting the Supervisor’s participation at important events, and more. We have also continued to produce and publish content on the EDPS Website. This includes the publication of Factsheets, our ever-growing Newsletter, blogposts on an array of subject matters, and EDPS press releases, to name a few examples.

To find out more, read Chapter 11: The EDPS’ Communication Activities of the Annual Report 2021.

Key Performance Indicators

We use a number of key performance indicators (KPIs) to help us monitor our performance in light of the main objectives set out in the EDPS Strategy. This ensures that we are able to adjust our activities, if required, to increase the impact of our work and the effective use of resources.

The KPI scoreboard below contains a brief description of each KPI and the results on 31 December 2021. These results are measured against initial targets, or against the results of the previous year, used as an indicator. This set of KPIs were partly revised at the end of 2020, to ensure that the performance metrics adapt to developments in EDPS activities.

In 2021, we met or surpassed - in some cases significantly - the targets set in eight out of nine KPIs, with one KPI, KPI8 on the occupancy rate of the establishment plan, just falling short of the set target.

These results clearly illustrate the positive outcome we have had in implementing our strategic objectives throughout the year, notwithstanding the challenging circumstances in which the EDPS still had to operate in the context of the COVID-19 Pandemic.

KPI 1 Internal indicator Number of initiatives, including publications, on technology monitoring and on promoting technologies to enhance privacy and data protection organised or co-organised by the EDPS 16 initiatives 10 initiatives
KPI 2 Internal & External Indicator Number of activities focused on cross-disciplinary policy solutions (internal & external) 8 activities 8 activities
KPI 3 Internal Indicator Number of cases dealt with in the context of international cooperation (GPA, CoE, OECD, GPEN, Spring Conference, international organisations) for which the EDPS has provided a substantial written contribution 17 cases 5 cases
KPI 4 External Indicator Number of files for which the EDPS acted as a lead rapporteur, rapporteur, or a member of the drafting team in the context of the EDPB 23 cases 5 cases
KPI 5 External Indicator Number of Article 42 Opinions and Joint EDPS-EDPB Opinions issued in response to the European Commission’s legislative consultation requests 17 Previous year as benchmark
KPI 6 External Indicator Number of audits/visits carried out physically or remotely 4 audits + 1 visit
43 EUIs impacted
3 different audits/visits
30 EUIs impacted
KPI 7 External Indicator Number of followers on the EDPS social media accounts Twitter: 25826
LinkedIn: 49575
Results of previous year + 10%
KPI 8 Internal Indicator Occupancy rate of establishment plan 88% 90%
KPI 9 Internal Indicator Budget implementation 86,12% 80%

Getting in touch with the EU

In person

All over the European Union there are hundreds of Europe Direct information centres. You can find the address of the centre nearest you at:

On the phone or by email

Europe Direct is a service that answers your questions about the European Union. You can contact this service:

Finding information about the EU


Information about the European Union in all the official languages of the EU is available on the Europa website at:

EU publications

You can download or order free and priced EU publications at:

Multiple copies of free publications may be obtained by contacting Europe Direct or your local information centre (see

EU law and related documents

For access to legal information from the EU, including all EU law since 1952 in all the official language versions, go to EUR-Lex at:

Open data from the EU

The EU Open Data Portal ( provides access to datasets from the EU. Data can be downloaded and reused for free, both for commercial and non-commercial purposes.


Further details about the EDPS can be found on our website at

The website also details a subscription feature to our newsletter.


Waterford, Ireland – Brussels, Belgium: Trilateral Research Ltd, Vrije Universiteit Brussel, 2022

© Design and Photos: Trilateral Research Ltd, EDPS & European Union

© European Union, 2022

Reproduction is authorised provided the source is acknowledged.

For any use or reproduction of photos or other material that is not under the European Data Protection Supervisor copyright, permission must be sought directly from the copyright holders.


ISBN 978-92-9242-772-6

ISSN 1977-8333




ISBN 978-92-9242-785-6

ISSN 1977-8333