Press Releases EDPS Annual Report 2020: data protection during COVID-19

EDPS Annual Report 2020: data protection during COVID-19

Today, European Data Protection Supervisor Wojciech Wiewiórowski presented his Annual Report 2020. The Report presents how the EDPS continued to fulfil its role as the data protection authority for EU institutions, agencies and bodies (EUIs) in the context of the pandemic.

Wojciech Wiewiórowski, EDPS, said: This report is a testimony to the resilience and professionalism of the EDPS staff, who, despite the difficulties we were all facing because of the pandemic, managed to strengthen the role of the EDPS as a supervisory authority and as an advisor to the EU lawmaker. I am very happy that the EDPS was not only able to address new challenges stemming from the pandemic, but also maintained strong oversight of the EUIs.”

Acknowledging the particular challenge and responsibility posed by the pandemic to data protection authorities, the EDPS established an internal COVID-19 taskforce, composed of members of all the EDPS’ units and sectors, to coordinate and proactively undertake actions related to the interplay between privacy and the pandemic. Believing in the need for a unified response at EU level, the EDPS called for a pan-European approach to combat the virus, especially in the context of contact tracing apps.

While almost all core activities were performed remotely, the EDPS, nevertheless, maintained strong oversight of the EUIs concerning the processing of individuals’ personal data. Examples demonstrating this include, the conclusion of the investigation into the use of cloud products and services by EUIs and the investigation into the processing of large data sets by Europol, followed by the use of corrective powers. Remote audits further contributed to the strong supervision of EUIs and, through the use of online tools, the EDPS was able to carry out more audits than ever before.

In 2020, the EDPS also demonstrated its commitment to ensuring that EUIs comply with the “Schrems II” Judgement of the Court of Justice by publishing its own strategic document. Protecting the data of EU citizens when processed in non-EU countries will remain a top priority for the EDPS in 2021.

Despite the pandemic, the EDPS issued a record number of legislative Opinions and Comments as a trusted advisor to the European Commission, the Council and the European Parliament. Examples of these include, the Opinions on the European strategy for data, on Artificial Intelligence, or on the proposed temporary derogations from the e-privacy framework. The EDPS also issued Opinions on its own initiative on the use of data for scientific research and health-related purposes to name a few.

The EDPS further increased its monitoring of technologies, acting as a reference point when it comes to analysing technological developments and their impact on privacy and data protection. In the past year, the EDPS also developed open source software tools for the automation of privacy and personal data protection inspections of websites.

The EDPS also continued to contribute to the activities of the European Data Protection Board (EDPB). Answering the calls for a closer cooperation between data protection authorities, the EDPS proposed the establishment of the Support Pool of Experts which aims to bring together the EDPB members’ efforts to address the need for a stronger enforcement of EU data protection laws.

2020 also marked the beginning of a new EDPS mandate and the unveiling of the EDPS Strategy 2020-2024. As such, the EDPS started to work towards meeting its objectives according to three strategic pillars: Foresight, Action, Solidarity. The overarching priority of the EDPS, as set out in its Strategy, is to shape a safer digital future.

Within its specific role in the EU institutional landscape, and equipped with the unique expertise and knowledge of his staff, the EDPS is even more committed to acting as a centre of gravity and as a global leading institution for the promotion and protection of the fundamental rights to privacy and data protection in Europe and beyond.

Background information

The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.

The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.

Wojciech Wiewiórowski (EDPS), was appointed by a joint decision of the European Parliament and the Council on to serve a five-year term, beginning on 6 December 2019.

About the Annual Report: According to Article 60 of Regulation (EU) 2018/1725, “the European Data Protection Supervisor shall submit an annual report on his or her activities to the European Parliament, to the Council and to the Commission and at the same time make it public.” “The European Data Protection Supervisor shall forward the report to other institutions and bodies, which may submit comments with a view to possible examination of the report by the European Parliament”.

Processing of personal data: According to Article 3(3) of Regulation (EU) 2018/1725, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. See the glossary on the EDPS website.

Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content – related to or provided by end-users of communications services – are also considered as personal data.

Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).


The powers of the EDPS are clearly outlined in Article 58 of Regulation (EU) 2018/1725.

The Annual Report 2020 and its Executive Summary are available on the EDPS website.

Questions can be directed to:

EDPS – Shaping a safer digital future

Follow us on Twitter: @EU_EDPS

Leave a Reply

Your email address will not be published. Required fields are marked *