European Data Protection Board

Where can I find documents that were adopted during a recent/the latest EDPB plenary?

All documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

Once published, recently adopted documents will be listed under “latest publications” on the main page of this website.

You can also find overviews of the documents adopted per plenary on the EDPB news page.

Does the GDPR apply to my organisation?

Every organisation, regardless of the their size or sector, established in the European Economic Area (EEA) or offering products or services to individuals in the EEA, processing personal data whether or not by automated means needs to comply with the GDPR. The GDPR applies to the automated processing of personal data and to processing operations carried out manually from the moment the paper files are organised in a systematic manner, e.g. ordered alphabetically in a filing cabinet.

Examples of processing operations include collecting, recording, organising, using, modifying, storing, disclosing, altering and erasing individuals’ personal data.

Nevertheless, the application of the GDPR is modulated according to the nature, context, purposes and risks of the processing operations carried out. For SMEs whose core business is not the processing of personal data, the obligations can be less strict than for a large company.

What does the EDPB do?

The EDPB aims to ensure the consistent application of the General Data Protection Regulation and of the Law Enforcement Directive in the European Economic Area (EEA). The EDPB also looks into the application of certain aspects of the ePrivacy Directive.

Our main tasks and duties are:

providing general guidance (including guidelines, recommendations and best practices) to clarify the law and to promote a common understanding of EU data protection laws;
adopting opinions addressed to the European Commission or to the national Data Protection Authorities (DPAs):
- to advise the European Commission on any issue related to the protection of personal data and newly proposed legislation in the European Union (Art. 70 GDPR). In some instances, we issue Joint Opinions together with the EDPS (Art.42 of Regulation 2018/1725);
- to ensure consistency of the activities of national data protection authorities (DPAs) on cross-border matters (Art. 64 GDPR). If authorities fail to respect an opinion issued by the EDPB, we may adopt a binding decision;
adopting binding decisions addressed to the national DPAs and aiming to settle disputes between them when they cooperate in cross-border cases, with the purpose of ensuring the correct and consistent application of the GDPR in individual cases;
promoting and supporting the cooperation among national DPAs.

Who are the members of the Board?

The EDPB brings together the EU DPAs and the European Data Protection Supervisor (EDPS). The EEA EFTA countries (Iceland, Liechtenstein and Norway) are also members with regard to GDPR-related matters and without the rights to vote and to be elected as chair or deputy chair. The European Commission and - with regard to GDPR-related matters - the EFTA Surveillance Authority have the right to participate in the activities and meetings of the Board without voting rights.

You can find an overview of the EEA DPAs here.

What is the EDPB?

The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities (DPAs), as well as the DPAs of Iceland, Liechtenstein and Norway (the European Economic Area or EEA).