Newsletter #86 (86)


Newsletter #86 (86)

In newsletter #86, learn more about data protection and social media, the EDPS and EDPB training on cybersecurity to stay safe online. Read our latest Press Release on the proposed Artificial Intelligence Act, the EDPS-EDPB joint Opinion on the Digital Green Certificate proposals and the EDPS Annual Report 2020.

EDPS audit on newsletter subscriptions: transparency is key

hand holding a magnifying glass over documents to symbolise EDPS audits

On 28 April 2021, the European Data Protection Supervisor (EDPS) published the outcome of his remote audit on how European institutions, bodies and agencies (EUIs) inform individuals about the way their personal data is processed when signing up to newsletters and other similar subscriptions.  

Wojciech Wiewiórowski, EDPS, said: “With the absence of in-person events and other outreach activities due to COVID-19, EUIs have increased their online presence. The sending of newsletters is an effective way of reaching out to individuals and stakeholders. EUIs should lead by example in providing transparent information to individuals on the way their personal data is being handled”.

The EDPS has found that most EUIs comply with the information and transparency requirements set out in the applicable data protection law, Regulation (EU) 2018/1725.

This audit, for which no on-the-spot action was required, is part of a number of audits conducted remotely by the EDPS due to the ongoing COVID-19 crisis. This adapted audit format has allowed the EDPS to continue its supervisory work, by reaching out to a high number of EUIs, their data protection officers, and EUI staff processing individuals’ personal data in their day-to-day work.

Continue to read Press Release

Read the EDPS Audit Report

10 myths about data anonymisation


On 27 April 2021, the European Data Protection Supervisor (EDPS) and the Spanish Data Protection Authority, Agencia Española de Protección de Datos (AEPD), published their Joint Paper on "10 misunderstandings related to anonymisation". With this paper, the EDPS and the AEPD aim to bring clarity on what data anonymisation means and to contribute to clearing up any misconceptions surrounding this topic.

The process of anonymising personal data ensures that the individual to whom this data relates to is not, or no longer, identifiable. This is a possible option that both public and private organisations are considering as a way to share information - for scientific research or public health matters for example - without infringing on individuals’ fundamental rights, such as their right to the protection of personal data.

In light of this, is data anonymisation the way forward; a bulletproof solution to ensure that individuals’ personal data is not compromised? Is this technique reversible and, if so, what impact does this have on individuals in the case of re-identification? What are the possible risks and challenges linked to anonymising data?

To find out more about the myths linked to data anonymisation, read the EDPS-AEPD Joint Paper in English: "10 misunderstandings related to anonymisation" or in Spanish: "10 malentendidos relacionados con la anonimización".


Artificial Intelligence Act: a welcomed initiative, but ban on remote biometric identification in public space is necessary

artificial intelligence

On 23 April 2021, the EDPS published a Press Release as a follow-up to the legislative proposal for an Artificial Intelligence Act issued by the European Commission. This proposal is the first initiative, worldwide, that provides a legal framework for Artificial Intelligence (AI).

The EDPS welcomes and supports the European Union’s (EU) leadership aiming to ensure that AI solutions are shaped according to the EU’s values and legal principles.

Wojciech Wiewiórowski, EDPS, said: “I am proud of this initiative and particularly welcome the horizontal approach in a Regulation, as well as the broad scope of its application which importantly includes the European Union institutions, bodies, offices and agencies (EUIs). The EDPS stands ready to fulfil its new role as the AI regulator for the EU public administration.

I also acknowledge the merits in the risk-based approach underpinning the proposal. Indeed, there are numerous Artificial Intelligence applications that present limited threat for the fundamental rights to data protection and privacy while giving the humanity a potentially powerful tool to fight against today’s problems.”

At the same time, the EDPS regrets to see that our earlier calls for a moratorium on the use of remote biometric identification systems - including facial recognition - in publicly accessible spaces have not been addressed by the Commission.

The EDPS will undertake a meticulous and comprehensive analysis of the Commission’s proposal to support the EU co-legislators in strengthening the protection of individuals and society at large. In this context, the EDPS will focus in particular on setting precise boundaries for those tools and systems which may present risks for the fundamental rights to data protection and privacy.

Continue to read Press Release


EDPS Annual Report 2020: data protection during COVID-19


On 19 April 2021, European Data Protection Supervisor Wojciech Wiewiórowski presented his Annual Report 2020. The Report presents how the EDPS continued to fulfil its role as the data protection authority for EU institutions, agencies and bodies (EUIs) in the context of the pandemic.

Wojciech Wiewiórowski, EDPS, said: "This report is a testimony to the resilience and professionalism of the EDPS staff, who, despite the difficulties we were all facing because of the pandemic, managed to strengthen the role of the EDPS as a supervisory authority and as an advisor to the EU lawmaker. I am very happy that the EDPS was not only able to address new challenges stemming from the pandemic, but also maintained strong oversight of the EUIs."

Continue to read Press Release

Read the EDPS Annual Report and its Executive Summary

Read Speech by Wojciech Wiewiórowski delivered before LIBE Committee

The Executive Summary of the EDPS Annual Report 2020 will be made available in all official languages of the EU in due course.

Outsourcing the processing of personal data and procuring products and services


At the request of their data protection officer, the Supervision & Enforcement (S&E) colleagues of the EDPS held two training sessions for Eurojust’s members of staff on data protection in procurement and outsourcing of personal data.

The first session, on 19 April 2021, was specifically addressed to Eurojust’s management staff, focusing on the responsibilities of the data controller and business units of EUIs to protect individuals’ personal data throughout the duration of the contract with an external organisation.

The second session, which took place on 20 April 2021, was for Eurojust’s members of staff. S&E colleagues delivered a session on the application of data protection requirements during the different stages of the procurement and outsourcing process: from the call for tender to signing the contract with an external organisation. To ensure that Eurojust’s staff is prepared for these procedures, S&E colleagues delivered their training session using several possible scenarios that may occur when managing contracts with external organisations.

Even before commencing the outsourcing of personal data processing or the procurement of products or services, Eurojust’s staff - as well as any other European institution, body, agency (EUI) - should have a clear plan of the processing they intend to carry out and the purpose and use that these tools will have, as well as the possible data protection implications and requirements this may entail. This will allow Eurojust to ensure a tailor-made contract during which they will have full control over how, when, why, where, what type of personal data is processed and by whom. EUIs must only use processors providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the EU data protection law for EUIs, Regulation 2018/1725, and ensure the protection of the rights of individuals. In this sense, Eurojust, or the EUI in question, should ensure clear documentation of the products and services used and the processing done on their behalf, evidence that these tools and processing operations will - and must - incorporate the privacy by design and privacy by default principles.

When contracting products and services from an external organisation that may involve the processing of personal data in a non-EU country, EUIs must ensure that the protection afforded to the transferred personal data in that country is essentially equivalent to that guaranteed in the EU.

The EDPS advises EUIs to periodically re-evaluate their processing operations, their tools, and their data protection safeguards and measures - this also includes data protection safeguards and measures in their contracts with external organisations - and readjusting these if necessary.

For more information, read the EDPS Cloud Computing Guidelines

Data for the public good: Building a healthier digital future


On 9 April 2021, the EDPS published a blogpost reflecting on the impact of the legal and technical measures taken in response to COVID-19, as a follow-up to his webinar organised on 25 January 2021: ‘Data for the public good: Building a healthier digital future’.

During the event, experts from various fields addressed three main themes, namely public health; digital transformation; and the impact on fundamental rights, such as freedom of movement, data protection and non-discrimination.

The first panel of experts discussed the EU’s and EU Member States’ initial approach to the pandemic, the role that data has played in monitoring its evolution in Europe and in the facilitation of risk management, but also the challenges linked to the increased reliance on and use of digital technologies.

The second panel of experts focused on the way data and technology may be used in the future, particularly from a health perspective. Experts highlighted the importance of data to create new opportunities; access to health data for primary use and also secondary use was referred to as being essential, but still complex to achieve in practice. At the same time, special attention must be paid to ensure that this data is only used for the public or the common good and not misused for other gains than societal ones.

The EDPS will continue to engage in productive discussions like these to inform his work and to ensure that the fundamental rights of data protection and privacy are embedded in each solution envisaged to overcome any obstacle to an effective and efficient use of data for the public good.

To find out more, read the EDPS Blogpost

EU data protection authorities adopt joint opinion on the Digital Green Certificate Proposals

pass, travelers, covid

On 6 April 2021, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a joint opinion on the Proposals for a Digital Green Certificate. The Digital Green Certificate aims to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic by establishing a common framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, testing and recovery certificates.

With this Joint Opinion, the EDPB and the EDPS invite the co-legislators to ensure that the Digital Green Certificate is fully in line with EU personal data protection legislation. The data protection commissioners from all EU and European Economic Area countries highlight the need to mitigate the risks to fundamental rights of EU citizens and residents that may result from issuing the Digital Green Certificate, including its possible unintended secondary uses.

The EDPB and the EDPS underline that the use of the Digital Green Certificate may not, in any way, result in direct or indirect discrimination of individuals, and must be fully in line with the fundamental principles of necessity, proportionality and effectiveness. Given the nature of the measures put forward by the Proposal, the EDPB and the EDPS consider that the introduction of the Digital Green Certificate should be accompanied by a comprehensive legal framework.

Andrea Jelinek, Chair of the EDPB, said: “A Digital Green Certificate that is accepted in all Member States can be a major step forward in re-starting travel across the EU. Any measure adopted at national or EU level that involves processing of personal data must respect the general principles of effectiveness, necessity and proportionality. Therefore, the EDPB and the EDPS recommend that any further use of the Digital Green Certificate by the Member States must have an appropriate legal basis in the Member States and all the necessary safeguards must be in place.”

Wojciech Wiewiórowski, EDPS, said: “It must be made clear that the Proposal does not allow for - and must not lead to - the creation of any sort of central database of personal data at EU level. In addition, it must be ensured that personal data is not processed any longer than what is strictly necessary and that access to and use of this data is not permitted once the pandemic has ended. I have always stressed that measures taken in the fight against COVID-19 are temporary and it is our duty to ensure that they are not here to stay after the crisis.”
Continue to read the EDPB-EDPS Press Release
Read the EDPB- EDPS Opinion


The use of fingerprints to attest physical presence at the workplace

fingerprint data

On 29 March 2021, the EDPS published its own-initiative Opinion on a proposed computerised system to register the attendance of Members of the European Parliament’s (MEPs) to Plenary sessions. Registering MEPs attendance is necessary, among other reasons, to document which MEPs are eligible for an allowance under the internal rules governing the status of MEPs.

Under the Proposal, the current paper-based signing system would be replaced with a solution based on an optical fingerprint scanner. For each Plenary session, MEPs would need to place their fingers on a local fingerprint reader which would scan the fingerprints to extract the necessary information and compare it to a previously recorded template of the fingerprints.

This proposed system touches on sensitive data protection topics, such as the use of biometric data - in this case fingerprints - which allows the unique identification of individuals; and automated decision-making - in this case the processing of individuals’ fingerprint data without human intervention.

In its own-initiative Opinion, the EDPS focusses on whether the system would be truly necessary and proportional to the objectives set out in the proposal - in particular to avoid fraudulent sign-ins. At the same time, it should also be considered whether this type of data and its processing can be justified under the EU data protection law for European institutions, bodies and agencies (EUIs), Regulation 2018/1725; and whether the European Parliament (EP) can rely on one of the exceptions under Article 10 of Regulation 2018/1725 which otherwise prohibits the processing of this type of data. Data controllers need to be able to demonstrate that such exception applies.

Before putting in place similar systems, data controllers should conduct a data protection impact assessment (DPIA) examining alternatives to the proposed system that do not require the same amount of sensitive data. When comparing the different alternatives, the controller should evaluate the impact and risks that each option may have on individuals’ personal data. In the case at stake, the EP conducted a DPIA, but the EDPS is of the view that the EP should further explore less intrusive alternatives in terms of data protection

To find out more about the interplay between biometrics and data protection, check out our publication jointly written by the Data Protection Authority of Spain, Agencia Española de Protección de Datos (AEPD), entitled "14 misunderstandings with regard to biometric identification and authentication".

Read the EDPS Opinion

Data protection and online communication

data protection sign

With other EDPS Units, S&E colleagues participated in the Inter-institutional Online Communication Committee on 25 March 2021 during which they discussed data protection and online communication, such as social media, to help European institutions, bodies and agencies (EUIs) navigate this topic.

EUIs, like many other organisations, have increasingly used social media, as well as other online tools, during the COVID-19 pandemic to connect with their audience, such as informing them on their activities or organising webinars.

In particular when using social media platforms, EUIs must consider:

  • whether the purpose for which they want to process individuals’ personal data on social media platforms can be justified under the EU data protection law, Regulation 2018/1725, and in light of the EUIs' tasks;
  • what data they can share or publish;
  • how to seek consent from individuals whose data may be published, and how to ensure that this data is correct;
  • how to delete individuals’ personal data if requested once published.  

In addition, S&E colleagues also emphasised that it is not because an individual’s personal data is public on social media platforms - in the case where the individual has made their pictures or posts on a social media platform public for example - that EUIs can reuse that individual’s public information.

Changing the practices and privacy policies of social media platforms takes a concerted effort. As a member of the European Data Protection Board (EDPB), the EDPS together with the other data protection authorities of the EU issued several guidelines on the application of data protection law and principles when using social media, for example, Guidelines on Social Networking, EDPB Guidelines on the targeting of social media users, as well as many others.

With similarities between the EU data protection law for EU institutions, Regulation 2018/1725, and the data protection law applicable to private and public organisations in the EU, the General Data Protection Regulation, these Guidelines aim to help all those who may process personal data when using social media.

For more information, read the EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects.

EDPS publishes three sets of Formal Comments on the European Health Union package


On 18th March 2021, the EDPS issued its Formal Comments on a package of three legislative proposals for a European Health Union which aims to improve the protection, prevention, preparedness and response to human health hazards at EU level. This includes:

In its three sets of Formal Comments, the EDPS welcomes the proposals’ overarching aim to provide for a European approach to tackle cross-border health threats, building on the lessons learned from the COVID-19 pandemic. In particular, regarding the importance of coordination among European countries to protect people’s health - both during a crisis and during normal times - when tackling underlying health conditions, investing in strong health systems and training the healthcare workforce. Given the role that the EMA and the ECDC played during the COVID-19 pandemic, the EDPS takes note of the positive steps envisaged to broaden their tasks to achieve the objectives set out in the proposal.

To find out more, read the EDPS’ three sets of Formal Comments available on the EDPS website.

Read the EDPS’ Formal Comments on the first Proposal, available in English, French and German
Read the EDPS’ Formal Comments on the second Proposal, available in English, French and German
Read the EDPS’ Formal Comments on the third Proposal, available in English, French and German

The use of ICT tools, remote working tools and social media by EUIs

The EDPS regularly organises training sessions for the staff of European institutions, bodies and agencies (EUIs) who deal with personal data in their day-to-day work. On 17 March 2021, the Supervision & Enforcement Unit (S&E) carried out a two-hour training session at the European School of Administration, focusing on the data protection implications of information and communications technology (ICT) tools, remote working tools and social media used by EUIs.

The first hour of the training session focused on the EUIs’ obligations when selecting ICT tools for their on-premises or remote work. Based on, but not limited to, the EDPS’ Orientations published in July 2020, S&E colleagues reiterated that:

  • EUI staff should follow their EUIs' established protocol(s) and involve their data protection officer(s) and IT department(s) when selecting ICT tools;
  • EUIs should carefully assess the security, confidentiality and privacy features of the proposed tools and evaluate their potential risks for individuals’ personal data, taking into accountant privacy-friendly alternatives that may suit the envisaged purpose of the tool(s). This assessment must also consider whether the tool(s) will be used on corporate and/or private devices; clear policies and user guides for the EUIs’ staff must be prepared accordingly so that they can protect themselves and the individuals’ personal data that they process;
  • the terms of contracts with ICT providers should reinforce EUIs' control over who processes individuals’ personal data and how this data is processed. Appropriate safeguards - such as technical and organisational measures - should be put in place when processing this data to minimise risks for the privacy of individuals;

As S&E colleagues moved to the second hour of the training session, they emphasised that the use of social media and videoconference tools should be considered like any other ICT tools when assessing their data protection implications and adopting the necessary measures to insure that individuals’ privacy is protected.

In addition, when using social media, EUIs should be aware that individuals’ data may be processed at different stages and by different actors, this includes:

  • users themselves publishing their own personal data;
  • users publishing the personal data of others;
  • the social media providers establishing users’ profiles and analysing information for various purposes;
  • third parties receiving information on social media users and combining this with other information that they already have;

These numerous processing operations of personal data increase the risks for individuals and their privacy. Ongoing court cases - both at EU level and in EU Member States - have sparked questions on the responsibilities of social media platforms’ providers and other actors involved in the processing of individuals’ data, whether social media users are sufficiently informed about the way their personal data is processed and, by extension, whether their consent for such processing operations is valid.

The EDPS intends to test privacy-friendly and open-source alternatives to major social media and videoconferencing tools.

EDPS welcomes EU Cybersecurity update

people, a lock, internet pages and a computer to symbolise cybersecurity

In his Opinion published on 11 March 2021, the EDPS welcomes the Proposal for the NIS 2.0 Directive, which aims to replace the existing Directive on security of network and information systems (NIS). The goal of the Proposal is to harmonise and strengthen cybersecurity practices across the European Union (EU). The Proposal is part of the EU’s Cybersecurity Strategy to ensure a global and open internet with strong safeguards to mitigate the risks for individuals’ fundamental rights, including the right to data protection. The EDPS’ Opinion includes remarks and recommendations on both the Strategy and the proposed Directive.

Wojciech Wiewiórowski, EDPS, said: “It is essential that privacy and data protection are embedded in the proposed Directive and in all future initiatives stemming from the EU’s Cybersecurity Strategy. This will allow a holistic approach when managing cybersecurity risks and protecting individuals’ personal data. In addition, to ensure that the Cybersecurity Strategy, and, by extension, the proposed Directive are effective, it is necessary to fully integrate the EU institutions, offices, bodies and agencies in the overall EU-wide cybersecurity framework to achieve a uniformed level of protection”.

Continue to read the EDPS Press Release
Read the EDPS Opinion on the Cybersecurity Strategy and the NIS 2.0 Directive

EDPB & EDPS adopt joint opinion on the Data Governance Act

interconnected icons to illustrate data protection

On 10 March 2021, the EDPB and EDPS adopted a joint opinion on the proposal for a Data Governance Act (DGA). The DGA aims to foster the availability of data by increasing trust in data intermediaries (providers of data sharing services) and by strengthening data-sharing mechanisms across the EU. In particular, the DGA intends to promote the availability of public sector data for reuse, sharing of data among businesses and allowing personal data to be used with the help of a ‘personal data-sharing intermediary’. The DGA also seeks to enable the use of data for altruistic purposes.

The EDPB and the EDPS acknowledge the legitimate objective of the DGA to improve the conditions for data sharing in the internal market. At the same time, the protection of personal data is an essential and integral element for trust in the digital economy. With this joint opinion, the EDPB and the EDPS invite the co-legislators to ensure that the future DGA is fully in line with the EU personal data protection legislation, thus fostering trust in the digital economy and upholding the level of protection provided by EU law under the supervision of the EU Member States’ supervisory authorities.  

Andrea Jelinek, Chair of the EDPB, said: “The EU's data protection legal framework does not stand in the way of developing the data economy. Quite the contrary, it enables it: trust in any kind of data sharing can only be achieved by respecting existing data protection legislation. The GDPR is the foundation on which the European data governance model must be built. That is why we underline the need to ensure consistency with the GDPR with regard to the competence of the supervisory authorities, the roles of the different actors involved, the legal basis for the processing of personal data, the necessary safeguards and the exercise of the rights of the data subjects.”

Wojciech Wiewiórowski, EDPS, said: “We understand the growing importance of data for the economy and society as outlined in the European Data Strategy. However, with “big data comes big responsibility”, therefore appropriate data protection safeguards must be put in place. The overarching framework for European data spaces should ensure that the data protection acquis is not affected.”

Continue reading the EDPB-EDPS Press Release
Read the EDPB-EDPS Opinion

EDPS Opinion on Europol’s mandate review

image symbolising Europol activities

On 8 March 2021, the EDPS published his Opinion on the proposed amendments to the Europol Regulation which aim, in part, to broaden the scope of Europol’s mandate in response to changes in the security landscape and increasingly complex threats.

The EDPS’ Opinion assesses the necessity and proportionality of these proposed amendments, taking into account the importance of aligning the data protection rules for Europol with the data protection rules for other European institutions, bodies and agencies (EUIs), under Regulation (EU) 2018/1725.  

In particular, the proposed exemptions related to the processing of large and complex datasets require further safeguards, so that the exemptions do not become the rule in practice. Effective protection of personal data requires the situations and conditions in which Europol may rely on the proposed exemptions to be clearly defined in the Europol Regulation.

As the supervisory authority of Europol and other EUIs, the EDPS calls for a full alignment of its powers with Regulation (EU) 2018/1725. When it comes to the protection of individuals’ personal data, a stronger mandate of Europol must go hand in hand with oversight powers that are at least as strong and effective as for any other EUIs.

Continue reading the EDPS Press Release
Continue reading the EDPS Opinion

Democratic Societies in the Digital Age: what role for data protection?

group of people working together on a project

On 4 March 2021, the EDPS and EDPB trainees published a blogpost reflecting on the podcast series they launched during their time at their respective institutions.

The podcast series, entitled Democratic Societies in the Digital Age, aims to tackle topics, such as mass surveillance, dark patterns and the impact of emerging technologies on data protection. To achieve this, the EDPS and EDPB trainees invited experts from wide-ranging professional backgrounds and nationalities to share their insights on data protection and to express their views on how citizens can stand up for their privacy rights.

When being confronted with political crises and societal issues, the common false assumption is that technology and personal data collection may solve every problem. However, some technological innovations are designed in a way that fails to accurately embed the principle of privacy by design and by default. Therefore it is often unclear to users how their personal data is used, as well as the extent of the impact of privacy's intrusions on individuals and society. Our distinguished guest speakers shed light on these deficiencies and explained that work should be done on developing a legal framework that provides appropriate rules in which any technological development will fit.

On the podcast, experts stressed that it is every individual’s duty to stand up for data protection. They advised that individuals take part in citizen-led initiatives - for example, the Reclaim your Face campaign - or to send freedom of information requests and data access requests. Spreading the word whenever you spot attempts of data manipulation via the use of dark patterns is also important.

For the future of Europe, it is pivotal that we do not forget that digital transformation needs to be rooted in European values and fundamental rights, not vice versa.

Continue to read the EDPS and EDPB trainees’ blogpost to learn more about the podcast series and how data protection affects our daily lives.

All podcast episodes are available on the EDPS website.

Listen to Episode 1: Mass Surveillance and Facial Recognition

Listen to Episode 2: Dark Patters and Online Manipulation

Listen to Episode 3: Emerging Technologies and Future Challenges


A cybersecurity training session for EDPS and EDPB staff

roundtable discussion

In March 2021, the European Data Protection Supervisor’s (EDPS) and the European Data Protection Board’s (EDPB) Local Information Security Officers organised a remote cybersecurity training session for the EDPS and the EDPB staff in collaboration with CERT-EU, the Computer Emergency Response Team for European institutions, bodies and agencies.  

The purpose of the training session was to raise awareness about possible cybersecurity threats and how the EDPS and the EDPB staff can protect themselves, their institution as well as other individuals, against such threats, especially in times of teleworking. 

With the use of interactive presentations and exercises, the EDPS and the EDPB staff were given an overview of:

  • the different types of hacking methods used, such as phishing, smishing and vishing;
  • the motivations behind hacking attempts, what hackers are looking for, and why members of staff are a target;
  • how to recognise hacking attempts based on the content of an email, links included in an email and the author of an email, for example.

CERT-EU colleagues also gave the EDPS and the EDPB staff some tips on how to better protect their personal data by creating stronger passwords, using multi-authentication methods to secure email accounts, and encrypting their data, to name a few suggestions.

The Local Information Security Officers of the EDPS and the EDPB will continue to collaborate with each other to propose other similar types of training sessions to ensure that staff have the necessary tools to protect their personal data.

EDPS on the ground: Eurodac Inspection Report



In March 2021, the EDPS issued its inspection report on Eurodac, an EU database that identifies asylum seekers applying for international protection by collecting their fingerprint data.

In its inspection report, the EDPS makes several recommendations addressed to the European Union Agency for the Operational Management of Large-Scale IT Systems (eu-LISA), the EU agency in charge of the operational management of Eurodac. The report was also sent to the European Parliament, the Council, the European Commission, and the national supervisory authorities in the Member States.

The EDPS addresses several recommendations to eu-LISA, including on the Eurodac-Central System and also on the retention periods of storing fingerprints in the system according to Articles 12(2) and 16(1) of the Eurodac Regulation (EU) No 603/2013. In its report, the EDPS reiterates several of its recommendations made during its previous inspection in 2016 which have not yet been implemented by eu-LISA.

As the independent data protection authority for European institutions, bodies, offices and agencies, the EDPS will continue to monitor whether eu-LISA follows the recommendations set out in the report within the set deadlines. The main findings of the report will also be presented and discussed during the next meetings of the Eurodac Supervision Coordination Group.


DG EMPL’s audit staff receive data protection training

a computer on a table with a mug and a phone to symbolise teleworking

At the request of the Directorate-General for Employment, Social Affairs and Inclusion (DG EMPL), the EDPS will deliver a tailor-made training of four group sessions to their audit staff.

These training sessions will take place between the end of April and the beginning of May. The goal of the training is to outline the data protection rules and principles that are relevant in the context of auditing, allowing auditors to put these principles into practice when carrying out audits. The training sessions include four case studies based on DG EMPL audits.

The EDPS intends to extend this type of training to a broader EU audit community in the future.

Data Protection Officers

roundtable of data protection officers
  • Luisa LOPEZ ALVARO DPO of Fundamental's Rights Agency
  • Ezio VILLA at European Global Navigation Satellite Systems Agency
  • Yolanda Arevalo Torres at European Health and Digital Executive Agency
  • Olli Kalha at CEPOL, the European Union Agency for Law Enforcement Training

What is a Data Protection Officer (DPOs)? Find out here

See full list of DPOs here


Speeches and Publications


Presentation of the EDPS Annual Report 2020 by Wojciech Wiewiórowski to the Committee on Civil Liberties, Justice and Home Affairs (LIBE). 

Presentation by Wojciech Wiewiórowski of the EDPB- EDPS Joint Opinion on the Digital Green Certificate Proposals to the Committee on Civil Liberties, Justice and Home Affairs (LIBE). 

Speech by Wojciech Wiewiórowski before Committee on Civil Liberties, Justice and Home Affairs (LIBE) in hearing on the Data Governance Act, Brussels, Belgium