European Data Protection Supervisor
European Data Protection Supervisor

EDPS Annual Report 2019: new EU data protection rules must produce promised result

EDPS Annual Report 2019: new EU data protection rules must produce promised result

18/03/2020
18
Mar
2020

EDPS Annual Report 2019: new EU data protection rules must produce promised result

With new legislation on data protection in the EU now in place, our greatest challenge moving into 2020 and beyond is to ensure that this legislation produces the promised results, the European Data Protection Supervisor (EDPS) said today, as he published his 2019 Annual Report.

Wojciech Wiewiórowski, EDPS, said:Awareness of the issues surrounding data protection and privacy, and the importance of protecting these fundamental rights, is at an all-time high and we cannot allow this momentum to decline. With a new European Parliament and Commission now in place, developing an effective response to the challenges of the digital era is a top priority, and must include ensuring that new rules on ePrivacy remain firmly on the agenda. The EDPS intends to contribute fully to these efforts, while also ensuring that the EU institutions themselves maintain the highest standards of data protection practice.

The Annual Report provides an insight into all EDPS activities in 2019, which was the last year of a five-year EDPS mandate. EDPS activities therefore focused on consolidating the achievements of previous years, assessing the progress made and starting to define priorities for the future. Of particular note were EDPS efforts to ensure that new EU rules on data protection are put into practice.

As the data protection supervisory authority for the EU institutions and bodies, the EDPS has dedicated much time and effort to ensuring that the institutions are adequately equipped to implement the new rules, set out in Regulation 2018/1725. Over the course of 2019, this included conducting training sessions, issuing Guidelines and continuing to work closely with the Data Protection Officers (DPOs) of the EU institutions, among other activities. The EDPS also stepped up enforcement activities, launching several investigations into the processing of personal data by EU institutions. As well as holding the respective institutions accountable, these investigations have helped to increase cooperation and understanding between the EU institutions and the EDPS.

The EDPS also continued to work closely with the European Data Protection Board (EDPB) to both provide and support the EDPB secretariat and to contribute, as a member of the EDPB, to initiatives aimed at ensuring the consistent application of the General Data Protection Regulation (GDPR) across the EU. This included working with the EDPB to produce the first joint EDPS and EDPB Opinion and jointly issuing advice to the European Parliament.

In addition to this, a significant focus of EDPS work in 2019 was on developing and sharing technological expertise. Among other initiatives, the EDPS launched TechDispatch, a regular online publication providing information on new technologies and their data protection impact. The institution also developed and shared the Website Evidence Collector  (WEC), a tool that can be used to determine websites’ compliance with data protection rules.

The EDPS was expected to present the Annual Report to the European Parliament this week. However, the hearing was cancelled due to restrictions relating to the COVID-19 outbreak. Given that the situation is still evolving and the calendar of hearings at the European Parliament will be significantly disrupted, the EDPS made the decision to go ahead with the publication of the Annual Report, in order to provide a timely assessment of data protection in the EU institutions, bodies and agencies in 2019.

As we move into 2020, and the first year of a new mandate, the EDPS will continue to work with the EDPB, international organisations and others to ensure the success of EU and other efforts to advance the fundamental rights of individuals and to develop an effective response to the challenges of the digital era. In doing so, the EDPS will continue to honour and advance the work and vision of its late Supervisor, Giovanni Buttarelli, who sadly passed away in August 2019.

 

Background information

The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in the new Regulation (EU) 2018/1725. These rules replaced those set out in Regulation (EC) No 45/2001 in December 2018.

The EDPS is an increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.

Wojciech Wiewiórowski (EDPS), was appointed by a joint decision of the European Parliament and the Council on to serve a five-year term, beginning on 6 December 2019.


Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.

Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).

Processing of personal data: According to Article 4(1) of Regulation (EU) No 679/2016, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." See the glossary on the EDPS website.


The powers of the EDPS are clearly outlined in Article 58 of Regulation (EU) 2018/1725.