Leading by Example - EDPS 2015-2019 - Executive Summary


INTRODUCTION

Giovanni Buttarelli and I issued a Strategy for our mandate within 100 days of taking up our posts.

The content of this short document reflected our vision for privacy in the digital age. It was a vision of an EU with world-class data protection standards, leading by example. It saw the EDPS, in our role as a supervisory authority and policy advisor, as a centre of excellence for data protection.

Over the past five years, people and policymakers have become increasingly aware of the reality and potential of digital technology.

Edward Snowden’s revelations in 2013 exposed the depth and breadth of state intrusion into our private lives. The Facebook/Cambridge Analytica scandal in 2018 revealed the fragility of our democracy, where the public sphere has shifted onto a complex, unaccountable matrix of tracking, profiling and targeting. The most highly valued companies in the world are now those who have been most successful in collecting and monetising personal information, while acquiring thousands of start-ups that might have posed competition and diversified the business models available.

We now know that the hidden price of the much-vaunted convenience of digitisation is unsustainable and often unscrupulous data practices and a growing divide between winners and losers. The side effect of connecting the world has been opaque revenue-maximising algorithms, which serve as agents of social division and tools of oppression.

Many regions of the world, not only the EU, are now examining how they can give people more control over their data and digital lives, and introduce discipline into markets which, for almost 20 years, had been allowed to develop and disrupt with minimal oversight. At the beginning of our mandate, South Africa had just become the 101st country to adopt a comprehensive data privacy law. This year Nigeria became the 134th.

Our watchword over the past five years has been accountability. Accountability of controllers for what they do with the personal data of others, and accountability of supervisory authorities in exercising, with integrity and consistency, the enhanced powers entrusted to us by the General Data Protection Regulation (GDPR).

Our Strategy was also an exercise in accountability for the objectives we said we would pursue and the priority actions we said we would carry out – focusing on digitisation, global partnerships and modernising data protection. On many levels, I believe that we delivered.

We have investigated EU bodies’ contractual relationships with service providers, established a forum for agencies to exchange views on the regulation of digital markets and ensured that the new European Data Protection Board (EDPB) had the necessary resources to carry out its work. Above all, we have propelled the question of ethics and new technologies, particularly Artificial Intelligence, to the centre of public policy debate.

I would like to pay tribute to our excellent and dedicated staff who were instrumental in our efforts to turn our vision into a reality on the ground.

However, we must remember that this is only the start of what will be a very long process. Over the coming years, we face the challenge of ensuring that individuals are able to exercise more control over their digital lives and of making personal data work for society in general, not just for a handful of powerful private interests.

Wojciech Wiewiórowski
Assistant European Data Protection Supervisor

ABOUT THE EDPS

The European Data Protection Supervisor (EDPS) ensures that the European Union’s institutions, offices, bodies and agencies respect the fundamental rights to privacy and data protection, whether they process personal data or are involved in developing new policies that may involve the processing of personal data. The EDPS has four main fields of work:

  • Supervision: We monitor the processing of personal data by the EU administration and ensure that they comply with data protection rules. Our tasks range from conducting investigations to handling complaints and prior consultations on processing operations.
  • Consultation: We advise the European Commission, the European Parliament and the Council on proposals for new legislation and other initiatives related to data protection.
  • Technology monitoring: We monitor and assess technological developments, where they have an impact on the protection of personal data, from an early stage, with a particular focus on the development of information and communication technologies.
  • Cooperation: Among other partners, we work with national data protection authorities (DPAs) to promote consistent data protection across the EU. Our main platform for cooperation with DPAs is the European Data Protection Board (EDPB), for which we also provide the secretariat.

Up until 11 December 2018, the EU institutions had to comply with the data protection rules set out in Regulation 45/2001. On 11 December 2018, Regulation 45/2001 was replaced by Regulation (EU) 2018/1725. It is the job of the EDPS to enforce these rules.

Regulation 2018/1725 is the EU institutions’ equivalent to the General Data Protection Regulation (GDPR). The GDPR became fully applicable across the EU on 25 May 2018 and sets out the data protection rules with which all private and the majority of public organisations operating in the EU must comply. It also tasks the EDPS with providing the secretariat for the EDPB.

For Member State law-enforcement bodies, the applicable law is Directive 2016/680, on data protection in the police and criminal justice sectors. Article 3 and Chapter IX of Regulation 2018/1725 apply to the processing of operational personal data by EU bodies, offices and agencies involved in police and judicial cooperation, and these provisions are closely modelled on the rules set out in Directive 2016/680.

In addition to this, separate rules exist concerning the processing of personal data for operational activities carried out by the EU’s law enforcement agency, Europol. These activities include the fight against serious crime and terrorism affecting more than one Member State. The relevant legislation in this case is Regulation 2016/794, which also provides for EDPS supervision of these data processing activities. As for the other EU institutions and bodies, the EDPS is also responsible for supervising the processing of personal data relating to Europol’s administrative activities, including personal data relating to Europol staff, under Regulation 2018/1725. A similar, specific, data protection regime is in place for the European Public Prosecutor’s Office and Eurojust.

EDPS STRATEGY 2015-2019

The EDPS Strategy 2015-2019 defined our priorities for the mandate and provided a framework through which to promote a new culture of data protection in the EU institutions and bodies. It summarised:

  • the major data protection and privacy challenges expected over the course of the mandate;
  • three strategic objectives and ten accompanying actions for meeting those challenges;
  • how to deliver the strategy, through effective resource management, clear communication and evaluation of our performance.

In order to achieve our vision of an EU that leads by example in the global dialogue on data protection and privacy in the digital age, we set out three strategic objectives and ten action points:

1 Data protection goes digital

  1. promoting technologies to enhance privacy and data protection;
  2. identifying cross-disciplinary policy solutions;
  3. increasing transparency, user control and accountability in big data processing.

2 Forging global partnerships

  1. developing an ethical dimension to data protection;
  2. speaking with a single EU voice in the international arena;
  3. mainstreaming data protection into international policies.

3 Opening a new chapter for EU data protection

  1. adopting and implementing up-to-date data protection rules;
  2. increasing the accountability of EU bodies collecting, using and storing personal information;
  3. facilitating responsible and informed policymaking;
  4. promoting a mature conversation on security and privacy.

  @EU_EDPS

#EDPS strategy envisions #EU as a whole not any single institution, becoming a beacon and leader in debates that are inspiring at global level

2015-2019 ACHIEVING OUR VISION

Data protection affects almost every EU policy area. It also plays a key role in legitimising and increasing trust in EU policies. Europe is the world’s leading proponent for the protection of fundamental rights and human dignity. It is therefore vital that the EU plays a leading role in shaping a global standard for privacy and data protection, centred on these values.

Giovanni Buttarelli was appointed European Data Protection Supervisor by joint decision of the European Parliament and the Council on 4 December 2014. Assistant Supervisor Wojciech Wiewiórowski was appointed on the same date. Set to serve for a five-year term, they faced the challenging task of facilitating the EU’s transition to a new era in data protection practice.

With this in mind, their first action as EDPS and Assistant Supervisor was to develop a strategy for the five-year mandate. On 2 March 2015, we published the EDPS Strategy 2015-2019, presenting it at an event attended by EU Commissioners and other influential stakeholders. The hard work of putting the Strategy into practice then began.

Seeing in a new era for EU data protection policy…

At the beginning of the mandate, talks on a new framework for EU data protection had stalled. One of our first priorities was therefore to assist the European Commission, the Parliament and the Council in resolving their differences and coming to an agreement.

Acting in our role as an advisor to the EU legislator, we not only published article-by-article recommendations on the proposed texts for the General Data Protection Regulation (GDPR), we also provided these recommendations in the form of a mobile app. Used by negotiators as a reference guide, the app also helped in promoting greater legislative transparency.

Agreement on the text of the GDPR and the Directive for data protection in the police and justice sectors came in December 2015 and the final texts were published in May 2016. Preparations therefore began in 2016 to ensure that the EU would be ready to implement the new rules when they became fully applicable in May 2018. This involved both drafting guidance on the new rules and setting up the new European Data Protection Board (EDPB), for which the EDPS would provide the secretariat.

Working in close cooperation with our colleagues in the Article 29 Working Party (WP29), we were able to ensure that the EDPB was up and running in time for the GDPR’s launch day on 25 May 2018. In addition to taking on several new tasks aimed at ensuring the consistent application of the GDPR across the EU, the EDPB replaced the WP29 as the main forum for cooperation between the EU’s national data protection authorities (DPAs) and the EDPS.

  @EU_EDPS

.@Buttarelli_G: #EDPS is proud to provide a modern and highly responsive secretariat to the new Data Protection Board #EDPB #data2016

The GDPR applies to organisations and businesses operating within the EU Member States. It does not, however, apply to the EU institutions themselves, who are subject to a different set of rules. In 2017, with preparations for the GDPR well underway, we stepped up our efforts to support the EU legislator in revising the rules applicable to the EU institutions, in order to bring them in line with the GDPR.

However, the legislators were not able to agree on what would become Regulation 2018/1725 until May 2018. The new rules for the EU institutions did not, therefore, come into force until 11 December 2018, just over six months after the GDPR became fully applicable.

The GDPR, the Directive for data protection in the police and criminal justice sectors and Regulation 2018/1725 follow the same principles. The EDPS, as the data protection supervisor for the EU institutions, was therefore able to make an educated guess at what the revised rules for the EU institutions would entail and to start preparing the EU institutions for their new responsibilities at an early stage.

Preparations included providing training sessions, visits and guidance on the new rules. Our main focus was on the principle of accountability, which involved ensuring that the EU institutions not only complied with the new rules, but that they could also demonstrate this compliance. We wanted to ensure that the EU institutions were ready to lead by example in applying data protection rules, setting the standard for others in the EU to follow.

Efforts to reach an agreement on a Regulation for electronic privacy (ePrivacy), were less successful, however. Though the EDPS went to great lengths to encourage the co-legislators to move forward with this file, coming to a final agreement on the text before the European Parliament elections in May 2019 ultimately proved impossible.

One area that Regulation 2018/1725 does not cover is the processing of operational personal data at the EU’s law enforcement body, Europol. Under the Europol Regulation, the EDPS took on responsibility for supervising this type of personal data processing on 1 May 2017. Over the past two-and-a-half years, the EDPS has built up a constructive relationship with Europol, helping them to fulfil their statutory tasks, without compromising the fundamental rights to data protection and privacy.

A guide to current EU data protection rules

EU data protection law is set out in a number of EU Regulations and Directives. Though the rules for private and public organisations operating in the Member States are similar to those governing data protection in the EU institutions, they are not the same. Here we list the rules currently in place in the EU and to which types of organisations they apply.

The General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679: Applicable to the majority of public and all private organisations operating in the EU’s Member States. These rules are enforced by the relevant Member State’s independent national data protection authority (DPA).

Regulation (EU) 2018/1725: Applicable to all EU institutions, bodies, offices and agencies. These rules are enforced by the European Data Protection Supervisor (EDPS).

Directive (EU) 2016/680 on data protection in the areas of police and criminal justice: Applicable to law enforcement activities carried out by the competent bodies in the EU Member States. Enforced by the relevant Member State’s independent national DPA.

Article 3 and Chapter IX of Regulation (EU) 2018/1725: Applicable to the processing of personal data for law enforcement purposes by an EU institution, body, office or agency. These rules are enforced by the EDPS.

Regulation (EU) 2016/794 on Europol: Sets out the rules for the processing of operational personal data at the EU’s law enforcement agency, Europol. These rules are enforced by the EDPS.

Regulation (EU) 2017/1939 on EPPO: Sets out the rules for the processing of operational personal data at the European Public Prosecutor’s Office. These rules will be enforced by the EDPS.

Regulation (EU) 2018/1727 on Eurojust: Sets out some specific rules that Eurojust will apply in certain specific cases, from 12 December 2019. In all other cases, Chapter IX of Regulation (EU) 2018/1725 will apply to its operational activities. These rules will be enforced by the EDPS.

Directive 2002/58/EC on data protection and privacy in electronic communications (ePrivacy): Sets out the rules for data protection and privacy in the electronic communications sector. Certain rules, such as those on the processing of traffic and location data, apply only to telecom operators and internet service providers. Other rules, such as those on confidentiality, online tracking and spam, are applicable to all public and private organisations operating in the Member States. Article 5(3) applies directly to EU institutions.

An international approach to data protection…

In the digital world, however, legislation alone is no longer sufficient. Traditional frameworks used to ensure respect for fundamental rights may not be robust enough to withstand the challenges posed by the digital revolution. In the EDPS Strategy, we therefore committed to launching a global debate on how we can ensure the protection of fundamental rights and values in the digital age, through developing an ethical dimension to data protection.

To address this, we launched the EDPS Ethics Initiative. In an Opinion published on 11 September 2015, we called for the development of a new digital ethics, putting human dignity at the heart of personal data-driven technological development. The Opinion also announced our intention to set up an Ethics Advisory Group (EAG), a group of experts from different backgrounds tasked with exploring the relationships between human rights, technology and markets, and identifying threats to the rights to data protection and privacy in the digital era.

The EAG was formed in early 2016, and in early 2018 they published their final report, reflecting on the issues at stake. We followed this up with a public consultation on digital ethics, designed to open up the debate to all sections of society, across the world.

As co-hosts of the 2018 International Conference of Data Protection and Privacy Commissioners, we decided to dedicate the public session of the conference to the topic of Digital Ethics. Our aim was to build on the work produced through the Ethics Initiative to instigate a global debate on the challenges of the digital age.

  @EU_EDPS

.@Buttarelli_G #GDPR represents an important inspiration worldwide. However, laws are not enough. “Debating #Digital #Ethics” Intl Conference aims at facilitating discussion on how technology is affecting us as individuals and our societies @icdppc2018

To capitalise on the success of the conference, in 2019 we launched a podcast. Each #DebatingEthics Conversation explored a specific area of concern identified at the conference and led to the publication of a second Opinion on Digital Ethics in late 2019. With the topic now firmly established on the international data protection agenda, we look forward to further developments in this area in the near future.

However, it is not only in the area of digital ethics that our efforts to engage with international partners have intensified. Better relationships with the European Commission, the European Parliament and the Council mean that we are now consulted much more frequently on proposed EU policy, including international policies, and that we do not hesitate to make our voice heard in cases where we have valid concerns that are not being taken into account.

With the EDPB now in place, the EU is also better able to coordinate its efforts and synchronise its messages on data protection, giving us a stronger voice on the international stage.

A collaborative response to the digital challenge…

Our technological capabilities are developing at an increasingly rapid pace. The progress made in the five years since the start of the EDPS mandate is astounding in itself. Yet, while new technologies have profoundly changed the way we live, determining how best to regulate the development of these technologies is not an easy task.

Through the Internet Privacy Engineering Network (IPEN), which brings together experts from a range of different areas, the EDPS has endeavoured to promote technologies that enhance privacy and data protection. By facilitating the implementation of the principles of data protection by design and by default, obligatory under the GDPR, the data protection Directive for the police and justice sectors and Regulation 2018/1725, the Network aims to ensure that data protection is built into the design and development of all new technologies.

The EDPS also aims to develop and share technological expertise in the area of data protection, whether through Opinions, Comments, briefing papers or our TechDispatch Newsletter.

The Digital Clearinghouse is another of our collaborative initiatives. Set up by the EDPS in 2016, and officially launched the year after, the Clearinghouse meets twice a year and acts as a forum for cooperation between competition, consumer and data protection authorities. Through working together, it is hoped that regulators in these fields will be better able to address the challenges posed by the digital economy and coherently enforce EU rules relating to fundamental rights in the digital world.

Leading by example, however, starts with the EU institutions. As their supervisory authority, it is up to us to ensure that they set the standard for others to follow, by helping them to increase the accountability and transparency of their work. Through providing training and guidance and working in close cooperation with the data protection officers (DPOs) of the EU institutions, we aim to provide them with the tools to do this. We also monitor the activities of EU institutions and bodies closely and in 2019, we launched two high-profile investigations. These were aimed at ensuring that the EU institutions uphold the highest levels of data protection compliance, thus ensuring the highest levels of protection for all individuals living in the EU.

Through our work with the EU institutions, we hope not only to improve the data protection practices of the EU institutions, but to contribute to efforts to improve data protection across the EU and globally, by increasing awareness of data protection principles, as well as possible issues and concerns.

  @EU_EDPS

Time for #eudatap to go digital. Technology is not neutral and must not be allowed to dictate ethics #CPDP2015

Delivering the Strategy…

Careful resource management and effective communication were integral to achieving the objectives set out in the EDPS Strategy. In this way, we were able to ensure that we had adequate resources to carry out the work involved and that our messages reached the intended audiences.

At the very beginning of the mandate, we engaged in a re-branding project. We wanted to develop a new visual identity for the institution that would reflect our status as a leading global voice on data protection and privacy. The first stage of the project was completed in 2015, with the development of a new logo. We launched a new website, incorporating a new, user-friendly layout, in March 2017, and followed this with a new approach to our Newsletter in June 2017. New initiatives such as a blog and the EDPS app also contributed to providing greater transparency about the work of the EDPS and EU policy in general.

  @EU_EDPS

EDPS’ new logo - new era in the history of our organisation

In order to take on new responsibilities and perform them to a high standard, the EDPS needed to hire more data protection experts. Through the organisation of two competitions for data protection experts through the European Personnel Selection Office (EPSO), we were able to ensure that we had a list of competent data protection experts to draw from to fill any vacancies. This was particularly helpful in setting up the EDPB secretariat. In addition, we have invested time and effort in developing the skills and knowledge of our existing staff members to ensure that we are able to lead the way in data protection accountability.

As an EU institution itself, the EDPS is also bound by the new data protection rules for the EU institutions. Our credibility and authority as the EU data protection authority depends on us implementing these rules to the highest of standards. Institution-wide collaboration was therefore required in order to ensure we were prepared to lead the way in accountable data protection compliance.

Key Performance Indicators…

After the adoption of our Strategy 2015-2019 in March 2015, we re-evaluated our existing key performance indicators (KPIs) and established a new set of KPIs, reflecting our new strategic objectives and priorities. They were designed to help us to monitor and adjust, where needed, the impact of our work and the efficiency of our use of resources.

Throughout the mandate, we reported on our KPIs on a yearly basis, in our Annual Report. Some KPIs were adapted to reflect changes or relevant developments affecting the performance of some activities.

The KPIs referring to the first strategic objective (Data protection goes digital) focused on initiatives promoting technologies to enhance privacy and data protection and on cross-disciplinary policy solutions. They did not change throughout the mandate, and regularly met their set targets.

For KPIs referring to the second strategic objective (Forging global partnerships), we decided to streamline the monitoring of our work at international level and, in 2017, we changed from two KPIs to one. This meant that contributions on international agreements were monitored together with other contributions at international level. In all cases, we registered results above, or well above, the set target.

The KPIs referring to the third strategic objective (Opening a new chapter for EU Data Protection) covered both supervisory and consultative tasks.

For supervisory tasks, we maintained the same KPI over the whole mandate, measuring the satisfaction of DPOs, data protection coordinators (DPCs) and controllers with their cooperation with the EDPS and with our guidance. The results consistently exceeded the set targets, clearly demonstrating the satisfaction of our stakeholders.

For consultative tasks, the relevant KPIs saw a number of changes throughout the mandate. Firstly, the original KPI, on the impact of EDPS Opinions, depended on developments in the legislative process, which made it difficult to stay within the timeframe set for the monitoring of our KPIs. Secondly, the KPI referring to the EDPS inventory of relevant legislative proposals (based on the European Commission’s public Work Programme) was affected by changes, both external and internal, in the way in which we performed and monitored our policy advice activities, which also affected our ability to monitor this KPI. However, where measured, the results met or exceeded their targets.

Some changes also took place with regard to the KPIs relating to the Strategic Enablers (Communication and management of resources).

As regards communication activities, between 2017 and 2018 we launched a new website and then implemented changes in the cookie and tracking policy to increase user awareness and be more data-protection friendly. This had an impact on the way we monitored the KPI relating to visits to our website. After analysing our communications activities, we identified results relating to our social media activities as a more meaningful KPI, and will measure this in our KPI results for 2019.

For our KPIs relating to resource management, one - on staff satisfaction - has been monitored on a biennial basis, based on the results of our staff survey. The second KPI, on budget implementation rate, was introduced in 2018 in recognition of the importance of this activity. In both cases, results have matched or surpassed the set targets.

Getting in touch with the EU

In person
All over the European Union there are hundreds of Europe Direct information centres. You can find the address of the centre nearest you at: https://europa.eu/european-union/contact_en

On the phone or by email
Europe Direct is a service that answers your questions about the European Union. You can contact this service:

Finding information about the EU

Online
Information about the European Union in all the official languages of the EU is available on the Europa website at: https://europa.eu/european-union/index_en

EU publications
You can download or order free and priced EU publications at: https://publications.europa.eu/en/publications. Multiple copies of free publications may be obtained by contacting Europe Direct or your local information centre (see https://europa.eu/european-union/contact_en).

EU law and related documents
For access to legal information from the EU, including all EU law since 1952 in all the official language versions, go to EUR-Lex at: http://eur-lex.europa.eu

Open data from the EU
The EU Open Data Portal (http://data.europa.eu/euodp/en) provides access to datasets from the EU. Data can be downloaded and reused for free, both for commercial and non-commercial purposes.

Contact

Further details about the EDPS can be found on our website at www.edps.europa.eu

Details on how to subscribe to the EDPS Newsletter can also be found on the website.


Luxembourg: Publications Office of the European Union, 2019

© Photos: iStockphoto/EDPS & European Union

© European Union, 2019

Reproduction is authorised provided the source is acknowledged.

For any use or reproduction of photos or other material that is not under the copyright of the European Union, permission must be sought directly from the copyright holders.

Print ISBN 978-92-9242-452-7 doi:10.2804/877202 QT-02-19-813-EN-C
PDF ISBN 978-92-9242-459-6 doi:10.2804/130756 QT-02-19-813-EN-N
HTML ISBN 978-92-9242-453-4 doi:10.2804/777633 QT-02-19-813-EN-Q