Insights European Data Protection Board publishes Annual Report 2020: Ensuring data protection rights in a changing world


The Report provides a detailed overview of the work carried out by the EDPB in a year marked by the worldwide pandemic. During the COVID-19 pandemic, EEA Member States began taking measures to monitor, contain and mitigate the spread of the virus. The EDPB issued guidance on, amongst others: location and contact-tracing apps; processing health data for scientific research; restrictions on data subject rights in a state of emergency; and data processing in the context of reopening borders.

The Court of Justice of the European Union’s ruling in Schrems II had significant implications for EEA-based entities that transfer data to the US and other third countries. The EDPB issued an FAQ document, followed later by Recommendations for Supplementary Measures when using International transfer tools, to ensure compliance with the level of protection required under EU law, as well as Recommendations on European Essential Guarantees on the assessment of surveillance measures allowing access to personal data by public authorities in third countries. The Recommendations for Supplementary Measures were subject to a public consultation. The EDPB received over 200 contributions from various stakeholders, which it is currently analysing.

During 2020, the EDPB set out its Strategy for 2021-2023, which covers four main pillars:

  1. advancing harmonisation and facilitating compliance;
  2. supporting effective enforcement and efficient cooperation between national supervisory authorities;
  3. a fundamental rights approach to new technologies; and
  4. the global dimension.

In early 2021, the EDPB adopted its two-year work programme for 2021-2022, which follows the priorities set out in the 2021-2023 Strategy and will put the EDPB’s strategic objectives into practice.

In 2020, the EDPB adopted ten sets of Guidelines on various topics, including the concepts of controller and processor, and targeting of social media users. It also published three sets of Guidelines in their final, post-consultation versions (on video devices, the right to be forgotten and data protection by design and default).

In addition, in 2020 the EDPB issued 32 Opinions under Article 64 GDPR. Most of these Opinions concern draft accreditation requirements for a code of conduct monitoring body or a certification body, as well as Controller Binding Corporate Rules for various companies.

On 9 November 2020, the EDPB adopted its first dispute resolution decision on the basis of Article 65 GDPR. The binding decision addressed the dispute that arose after the Irish Supervisory Authority, acting as Lead Supervisor Authority, issued a draft decision regarding Twitter and the subsequent relevant and reasoned objections expressed by a few Concerned Supervisory Authorities.

The GDPR requires the EEA Supervisory Authorities to cooperate closely to ensure consistent application of the GDPR and the protection of individuals’ data protection rights across the EEA. The Annual Report sets out the number of cross-border cases, “One-Stop-Shop” collaborations and mutual assistance procedures undertaken by Supervisory Authorities during 2020. To read the EDPB’s press release in full and for a link to the Annual Report, click here.