European Data Protection Board


Generic picture derogation guidelines
30 May 2018

During its first plenary meeting, the EDPB adopted the final version of the Guidelines on derogations applicable to international transfers (art 49). The Article 29 Working Party conducted a public consultation on a draft of these guidelines. The EDPB took into consideration the replies received and integrated the appropriate changes into the adopted version. 

Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679

Generic picture certification guidelines
30 May 2018

During its first plenary meeting, the EDPB adopted a draft version of the Guidelines on certification. A public consultation is available for 6 weeks. If you are interested to contribute, please go to the “Public Consultations” section of our website or click the link bellow:

Public consultation: Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679

Generic picture
28 May 2018

During its first plenary meeting of 25 May, the EDPB adopted a statement on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications.

This statement includes a call for a swift adoption of the new ePrivacy Regulation and some suggestions on some specific issues relating to proposed amendments by the co-legislators.

EDPB Statement on ePrivacy

Generic picture Icann
27 May 2018

The European Data Protection Board endorsed the statement of the WP29 on ICANN/WHOIS during its first plenary meeting on 25 May.


WP29 statement regarding WHOIS


“WP29 recognizes the important functions fulfilled by the WHOIS service. 
WP29 has been offering guidance to ICANN on how to bring WHOIS in compliance with European data protection law since 2003 (see WP29 opinion of 2003 available here). ICANN’s GDPR compliance process appears to have been formally initiated in the course of 2017, which may be part of the reason why stakeholders are concerned over the entry into application of the GDPR on 25 May 2018.
The GDPR does not allow national supervisory authorities nor the European Data Protection Board (the WP29 will become the EDPB on 25 May 2018) to create an “enforcement moratorium” for individual data controllers. Data protection is a fundamental right of individuals, who may submit complaints to their national data protection authority whenever they consider that their rights under the GDPR have been violated. 
Data protection authorities may, however, take into consideration the measures which have already been taken or which are underway when determining the appropriate regulatory response upon receiving such complaints.

As expressed also in earlier correspondence with ICANN (including this letter of December 2017 and this letter of April 2018),  WP29 expects ICANN to develop and implement a WHOIS model which will enable legitimate uses by relevant stakeholders, such as law enforcement, of personal data concerning registrants in compliance with the GDPR, without leading to an unlimited publication of those data.


The WP29 recognizes the recent efforts undertaken by ICANN to ensure the compliance of the WHOIS system. The WP29 will continue to monitor ICANN’s progress closely and its members may engage further with ICANN to ensure that the legal requirements under EU data protection law are properly addressed.

Generic picture Press release
25 May 2018

Brussels, 25 May - Today the European Data Protection Board (EDPB) held its first plenary meeting. This new, independent EU decision-making-body with legal personality is created by the General Data Protection Regulation (GDPR), which enters into application as of today. The EDPB, which succeeds the Article 29 Working Party, brings together the EDPS (European Data Protection Supervisor) and the Member State supervisory authorities to ensure a consistent application of the GDPR throughout the European Union, as well as consistent protection of individuals.  In addition, the EDPB oversees the implementation of the Data Protection Law Enforcement Directive.

Andrea Jelinek, Chair of the EDPB: “This much awaited legislation gives individuals greater control over their personal data and provides a single set of rules applicable to everyone processing the personal data of individuals in the EU. In a world where data is treated as a currency, the rights of individuals were often overlooked or even flouted. We should not lose sight of the fact that personal data are inherent to human beings. I am convinced that the GDPR gives individuals and supervisory authorities the means to effectively protect and enforce this fundamental right.

“The new data protection requirements have often been narrowed down to focus on the risk of incurring high fines, but the GDPR is much more than that. It is about putting the rights of individuals first and upgrading the EU data protection rules so that they are efficient and ready for the future. At the same time, companies doing business in Europe will benefit from the GDPR as it provides legal certainty and makes it easier to operate across the internal market. In addition, being compliant with the GDPR will contribute to the good reputation of companies. In our data-driven economy a reputation can be destroyed within a few days if people loose trust in whether a company handles their data carefully.”

Andrea Jelinek concluded by underlining the importance of cooperation to make the GDPR a success: “It is crucial that as the EDPB we unite our forces to ensure a high and consistent level of data protection for individuals, wherever in the EU they are based. We will also promote awareness of data protection rights to the public. The EDPB is a newly created body of the EU that is equipped with a new governance and coordination model and the power to adopt binding decisions. This will allow us to play our role efficiently in giving guidance on key concepts of the GDPR.”

The GDPR is a new European law that tightens control over how people and organisations use and share individuals’ personal data. It also applies to organisations outside Europe targeting EU individuals or monitoring their behaviour. The GDPR replaces the EU Data Protection Directive which dates back to 1995, when the internet was still in its early stages. It replaces a patchwork of national laws with a single EU Regulation designed to make organisations more accountable, give individuals more control over their data and aims to improve legal certainty for businesses, so as to boost innovation and the future development of the digital single market.

Generic picture MoU
25 May 2018

A Memorandum of Understanding was signed between the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) during the first plenary meeting of the EDPB. This MoU outlines the way in which the EDPB and EDPS will cooperate.

Memorandum of Understanding

generic picture guidelines
25 May 2018

During its first plenary meeting the European Data Protection Board endorsed the GDPR related WP29 Guidelines(Corrigendum: In document nr 8 reference to the WP 259 has been replaced by the correct WP 244).

Generic picture Plenary
25 May 2018

On 25 May 2018, the greatly anticipated General Data Protection Regulation (GDPR) entered into application and its pre-decessor Directive 95/46/EC was repealed. On that date, the Article 29 Working Party, the body bringing together the independent data protection authorities, ceased to exist and was replaced by a new body: the European Data Protection Board or EDPB.

The Board is composed of the heads of national supervisory authorities and the European Data Protection Supervisor (EDPS). The Board also includes a representative of the European Commission who, however, does not have a right to vote.

The Board’s primary role is to safeguard the consistent application of the GDPR, but it has additional competences. It advises the European Commission on, for example, the level of data protection offered by third countries. In addition, the Board promotes cooperation between the national supervisory authorities and plays a role in conciliation procedures for disputes between national supervisory authorities. In exercising its powers, the Board issues guidelines, recommendations and statements of best practice on myriad topics.

During its first plenary meeting on 25 May the Board elected its Chair and two Vice-Chairs. The EDPB Chair will lead the Board for the coming five years and will exert an important influence on data protection in Europe and beyond. The Chair’s role will be crucial for the success and effectiveness of the GDPR.

Generic picture Press release
25 May 2018

Transparency and awareness are two core principles of the Board. Therefore, following the first plenary meeting of the Board, the newly elected EDPB Chair will hold a press conference on 25 May at 12.30 in the Brussels Press Club (Rue Froissart 95, Brussels). The press conference will be broadcast in EbS: 

Generic picture Secretariat
25 May 2018

The European Data Protection Board needs to rely on an effective Secretariat to be able to effectively accomplish all the tasks it is required to carry out under the GDPR. The EDPB Secretariat is composed of legal experts, communication and IT officers and administrative staff.

This brand-new team has worked hard to make the launch of the EDPB possible.  They will, without a doubt, have busy months ahead to organise the meetings of the Board and answer questions on the Board’s tasks and responsibilities.   


Generic picture Cocktail
24 May 2018

A new regulation and a new EU Body need to be celebrated! To do so, a cocktail reception took place on the 24th of May. Within the beautiful venue of the Bibliotheque Solvay in Brussels, Commissioner Vera Jourova, Jan Philipp Albrecht MEP, European Data Protection Supervisor Giovanni Buttarelli and WP29 Chair Andrea Jelinek held speeches looking back at the coming into application of the GDPR and the challenges ahead. Many of those who played an active role in the negotiations of the GDPR were present and proud to see the achievement of such a long process.