On 26 February 2019, the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, published his first annual report since the General Data Protection Regulation (GDPR) came into force last year.

This is a short overview of some of the key themes in the EDPS’s annual report:

1. Overview of 2018:
  • GDPR: This is the first annual report of the EDPS since the GDPR ((EU) 2016/679) came into force on 25 May 2018, bringing in new data protection legislation for a new era.
  • Establishing the European Data Protection Board: The GDPR established the European Data Protection Board (EDPB), replacing the Article 29 Working Party. The EDPB took over the Article 29 Working Party’s responsibilities in issuing guidelines, recommendations and statements of best practice. The EDPB is also tasked with ensuring the consistent application of the GDPR in each EU member state.
  • Publishing opinions: The EDPS publishes opinions to inform how EU institutions make decisions about personal data, on topics ranging from big data and fundamental rights to consumer and data protection law. The EDPS identified the latter opinion as a highlight of last year.
  • The ePrivacy Directive (ePR): The proposed ePR will align the EU’s ePrivacy regime more closely with the GDPR. The EDPS continues to support the efforts of EU legislators in reaching agreement on the final text of the ePR. Progress was made last year with the Council of the European Union publishing amendments to the draft ePR. It is hoped that the ePR will come into force in 2019.

2. Objectives for 2019:

  • Regulation 2018/1725: This regulation sets out data protection obligations for EU institutions when they process personal data and develop new policies. It came into force on 11 December 2018. The EDPS continues to ensure that EU institutions comply with it.
  • Continuing guidance: In 2018, the EDPS issued guidelines on the protection of personal data in several key areas. The EDPS will continue to harmonise guidance provided by other EU bodies. In-scope areas include data protection and financial services regulation, data breach notifications, and cloud computing.
  • Interoperability of large-scale IT systems in the EU: The EDPS published an opinion on this topic in 2018. In 2019, the EDPS will continue to facilitate debate on the future of these systems and coordinated supervision by EU institutions.


Any business that processes personal data in the European Union or interacts with EU institutions should keep an eye on the EDPS’s guidance. These are just a few of the pertinent themes we have selected from the EDPS’s annual report.

Keep an eye on Technology Law Dispatch throughout 2019. We will continue to cover the EDPS’s guidance and the topics that he has mentioned in this annual report.