Annexes to COM(2024)357 -

dossier COM(2024)357 - .
document COM(2024)357
date July 25, 2024
agreement has been achieved provide for enhanced portability rights in specific fields, such as the Platform Work Directive (105), the European Health Data Space (106) and the Framework for Financial Data Access (107).


3. The right to lodge a complaint

As evidenced by the large number of complaints, there is broad awareness of the right to lodge a complaint with a data protection authority. Civil society organisations highlight unjustified differences in national practices for handling complaints, an issue which is tackled by the Commission’s proposal on procedural rules. Few Member States have exercised the option under the GDPR to provide a non-profit body with the right to take actions independently of the mandate of a data subject (Article 80(2)). However, the Representative Actions Directive (108), adopted in 2020, will lead to more harmonisation in this respect by facilitating collective actions by individuals for breach of the GDPR. National measures implementing the Directive became applicable in June 2023.


4. The protection of children’s personal data

Children require specific protection when their personal data are processed (109). The GDPR is part of a comprehensive legal framework that ensures that children are protected offline as well as online (110). Given the increased presence of children online, a number of actions at EU and national level have been taken in recent years to support the protection of children online. Data protection authorities have imposed significant fines on social media companies for violation of the GDPR when processing children’s data. They also cooperate with other authorities to call for more protection of children in the area of advertising. In the 2020 report, the Commission invited the Board to adopt guidelines on the processing of children’s data and this work is currently under way (111). The Digital Services Act includes specific provisions to ensure a high level of privacy, safety and security of children using online platforms.

Some stakeholders report challenges with the exercise of data subject rights when the data subjects are children. In particular, they report that children do not fully understand their rights, lack digital literacy skills and may be subject to undue influence (112). The Commission has funded several initiatives at national level on the protection of children’s data and on promoting data protection awareness among children (113). Under the Better Internet for Kids (BIK+) strategy, the Commission is providing awareness-raising resources and trainings to children on their digital rights, including data protection (e.g. digital consent) (114). There is increasing focus on the need for effective and privacy-friendly age verification tools. In early 2024, the Commission set up a taskforce on age verification with Member States, the Board and the European Regulators Group for Audiovisual Media Services, with the aim of discussing and supporting the development of an EU-wide approach to age verification. This work will now continue under the Digital Services Act Board, in the Protection of Minors Working Group. In the context of the EU Digital Identity Regulation (115), which entered into force in May 2024, the Commission is working to ensure that the European Digital Identity Wallet is offered to all EU citizens and residents in 2026, including for age verification. Meanwhile, before the Wallet ecosystem is fully operational, a short-term solution for age verification will be developed and become available across the EU.

5. Opportunities and challenges for organisations, in particular SMEs

The GDPR has created a level playing field for businesses operating in the internal market, and its technology-neutral, innovation-friendly approach allows businesses to reduce red tape and to benefit from greater consumer trust (116). Many businesses have developed an internal culture of data protection and view privacy and data protection as key parameters of competition. Businesses value the risk-based approach of the GDPR as a guiding principle allowing for flexibility and scalability of their obligations (117).


1. Toolbox for businesses

The GDPR provides a toolbox of instruments to enable organisations to flexibly manage and demonstrate their compliance, including codes of conduct, certification mechanisms and standard contractual clauses. As announced in the 2020 report, the Commission adopted standard contractual clauses on the controller-processor relationship in 2021 (118). These standard contractual clauses provide a ready-made and easy-to-implement voluntary compliance tool, which is particularly useful for SMEs or organisations that may not have the resources to negotiate individual contracts with their commercial partners. Businesses report mixed feedback on the use of the standard contractual clauses, in the sense that some companies (mainly SMEs) use them entirely or partially, while others (mostly larger companies) tend not to use them because they prefer to use their own clauses.

Businesses emphasise that codes of conduct have major potential as a sector-specific and cost-effective compliance tool (119). However, the development of codes of conduct has been limited (120). According to the information available to date, only two EU-wide codes have been approved (both in the cloud sector), while six codes have been approved at national level (121). Stakeholders report burdensome requirements (including the need to set up an accredited monitoring body), lack of engagement from data protection authorities, and a lengthy approval process as the main factors limiting the uptake of codes of conduct (122).

There is a need for increased transparency in the process and for clear approval timelines. Data protection authorities and, in the case of EU-wide codes, the Board, should more actively encourage the drawing up of the codes of conduct by collaborating with the associations developing the codes. This will help to resolve differences in interpretation and to speed up the approval process. Stakeholders regret the long delays in the adoption of codes of conduct, brought about by issues being discussed in parallel as part of the work on guidelines. Businesses similarly report that certification is not widely used because the process for development is slow and complex. As with codes of conduct, data protection authorities should provide clearer timelines for the review and approval of certifications.

The Board has committed in its 2024-2027 strategy to continue to support compliance measures such as certification and codes of conduct, including by engaging with key groups of stakeholders to explain how the tools can be used (123).


2. Specific challenges for SMEs and small operators

In the 2020 report, the Commission called for efforts to support SMEs’ compliance with the GDPR to be intensified. In recent years, data protection authorities and the Board have continued to develop compliance tools for SMEs, supported in part by funding from the Commission (124). In April 2023, the Board launched a data protection guide for small business (125), which provides practical information for SMEs in an accessible and easily understandable format.

SMEs in many Member States underline the benefits of tailored support from their local data protection authorities. However, varying approaches to awareness raising and guidance by data protection authorities mean that SMEs in certain Member States perceive compliance as complex and fear enforcement (126). Data protection authorities should redouble their efforts to address these challenges, including by proactively engaging with SMEs to allay any unfounded compliance concerns. Data protection authorities should focus on providing tailor-made support and practical tools, such as templates (e.g. for conducting data protection impact assessments), helplines, illustrative examples, checklists, and guidance on specific processing operations (e.g. billing or newsletters) and technical and organisational measures. Since most SMEs do not have in-house data protection expertise, any guidance directed at SMEs should be easily understood by those without legal training (127).

In line with the GDPR’s risk-based approach, SMEs carrying out low-risk processing activities do not bear a substantial compliance burden. While the derogation to maintain records of processing activities (128) applies in limited circumstances (129), SMEs carrying out low-risk processing may comply by maintaining simplified records based on templates provided by data protection authorities. Furthermore, such records should be seen as a useful tool for SMEs to take stock of their processing activities.


3. Data protection officers

Data protection officers play an important role in ensuring GDPR compliance in the organisations in which they work. In general, data protection officers operating in the EU have the necessary knowledge and skills to perform their tasks under the GDPR, and their independence is respected (130). However, several challenges remain, including: (i) difficulties in appointing data protection officers with the required expertise; (ii) the lack of EU-wide standards for education and training; (iii) failure to adequately integrate data protection officers in organisational processes; (iv) lack of resources; (v) additional tasks outside of data protection; and (vi) insufficient seniority (131). The Board noted that there is a need for data protection authorities to step up awareness-raising activities, as well as their information and enforcement actions to ensure that data protection officers can fulfil their role under the GDPR (132).

6. The GDPR as a cornerstone for EU policy in the digital sphere

1. Digital policy building on the GDPR

In the 2020 report, the Commission committed to support the consistent application of the data protection framework in relation to new technologies, in order to support innovation and technological developments. The EU has since adopted a range of initiatives, some of which complement the GDPR or specify how it should be applied in specific areas, in order to pursue particular objectives, as presented below.

- The Digital Services Act (133), which aims to provide a safe online environment for individuals and business, prohibits online platforms from showing advertisements based on profiling using ‘special categories of personal data’, as defined in the GDPR.

- To make digital markets fairer and more contestable, the Digital Markets Act (134) prohibits operators designated as ‘gatekeepers’ from ‘combining’ and ‘cross-using’ personal data between their core platform services and other services unless the user has provided their consent, as defined in the GDPR.

- The AI Act (135) specifies the EU data protection rules in specific areas where AI is used, for example in remote biometric identification systems, the processing of special categories of data to detect bias and the further processing of personal data in regulatory sandboxes.

- The Directive on Platform Work (136) complements the GDPR in the area of employment by laying down rules on automated monitoring and decision-making systems used by digital labour platforms, and in particular limitations on processing of personal data, transparency, human oversight and review, and portability.

- The Political Advertising Regulation (137) prohibits the use of special categories of personal data in political advertising and requires greater transparency on the targeting and amplification techniques used.

- The European Digital Identity Regulation enables the creation of a universal, trustworthy and secure European digital identity wallet. This will allow individuals to prove personal attributes like age, driving licences, diplomas and bank accounts, with full control over their personal data and without unnecessary data sharing.

The proposal for an e-Privacy Regulation (138) to replace the current e-Privacy Directive (139) and complement the privacy and data protection legislative framework has been under negotiation for several years. Reflection is needed on the next steps for this initiative, including its relation with the GDPR.

The Interoperable Europe Act (140) aims at making digital public services interoperable across the EU. It supports the cooperation between data protection authorities in particular through interoperability regulatory sandboxes.

Several EU initiatives provide a legal basis for the processing of personal data by private entities for the prevention, investigation, detection or prosecution of criminal offences. Any such legislation must be carefully targeted to minimise interference with the right to protection of personal data and must be proportionate to the aim pursued (141). The Charter, the GDPR and the case law of the Court of Justice provide a framework against which these initiatives should be measured. The proposed anti-money laundering package (142) contains substantial safeguards for the protection of personal data, without compromising the objective of mitigating money laundering and terrorist financing risks and effectively detecting criminal attempts to misuse the EU financial system.

In this context, the Council has stressed that any new EU legislation containing provisions on the processing of personal data should be consistent with the GDPR and the case law of the Court of Justice.


2. A legal framework to enhance data sharing

The data strategy aims to create a single market for data, where data flows freely within the EU and across sectors for the benefit of businesses, researchers and public administrations. A key goal of the data strategy is the creation of common European data spaces which facilitate data pooling, access and sharing. Regarding personal data, the GDPR provides the framework for all initiatives that seek to enhance the free flow of data in the EU – which is itself an objective of the GDPR. As far as personal data is concerned, the protections of the GDPR are not touched upon.

The Data Governance Act (143) and Data Act (144) are pillars of the data strategy. The Data Governance Act stipulates concrete rules in the context of the re-use of public sector data containing personal data, and lays down a legislative framework for data intermediation services, including personal information management services (PIMS) or personal data clouds offered in order to empower data subjects when exercising their rights under the GDPR. It also frames the conditions for use of data for altruistic purposes. The Data Act strengthens data subjects’ control over the data they generate through the use of smart objects they own, rent or lease by mandating technical requirements for data access and portability.

The European Health Data Space (EHDS) (145) reflects the specific needs identified in the health data sector while also building upon the GDPR. It allows individuals to easily access their health data in an electronic format and share them with health professionals, including in other Member States, thereby improving healthcare delivery and increasing patients’ control over their data. It also puts in place a common legal framework for the re-use of health data for purposes such as research, innovation and public health, based on a permit issued by a health data access body. To ensure the protection of personal data, the EHDS will provide a trustworthy setting for secure access to and processing of health data. The Commission continues to support work on the development of common European data spaces across 14 sectors by implementing the new legislative framework and funding sector-specific initiatives.


3. Governance of new digital rules

The development of digital regulations raises the need for close cooperation across regulatory fields (146). Such cooperation is all the more necessary since data protection issues increasingly intersect with questions of, for example, competition law, consumer law, digital markets rules, electronic communications regulation and cybersecurity. This is for instance the case when assessing the compatibility of ‘pay or OK’ models with EU law.

In some cases, data protection authorities are tasked with enforcing specific provisions of new EU digital legislation (147). New digital regulations also create bespoke structures which bring together competent regulators to ensure coherent enforcement, such as the Digital Markets Act high-level group, the European Data Innovation Board (set up under the Data Governance Act) and the European Board for Digital Services (set up under the Digital Services Act). The NIS2 Directive (148) sets out more detailed rules on cooperation between regulatory authorities and data protection authorities on handling security incidents which constitute personal data breaches.

Outside of these formal structures, data protection authorities are taking steps to ensure their actions are complementary and coherent with other regulatory fields. In July 2020, consumer and data protection authorities set up a ‘group of volunteers’ to determine best practices and share enforcement experiences. Data protection authorities continue to participate in joint workshops with the Consumer Protection Cooperation Network. In 2023, the Board set up a taskforce on the interplay between data protection, competition and consumer protection.

While these developments are positive, there is a need for more structured and efficient means of cooperation, in particular to address situations that affect a large number of individuals in the EU and involve several regulators (149). Any such structures should ensure that authorities remain at all times responsible for all questions concerning compliance with rules within their areas of competence. Member States should also work to ensure that appropriate cooperation takes place at national level (150).

7. International transfers and global cooperation

1. The GDPR transfer toolbox

Data flows have become integral to the digital transformation of society and to the globalisation of the economy. More than ever before, respecting privacy is a condition for stable, secure and competitive commercial flows, as well as an enabler for many forms of international cooperation. The GDPR transfer toolbox provided by its Chapter V offers a variety of instruments to address different transfer scenarios, while ensuring that data continues to benefit from a high level of protection when leaving the EU. 

Since the 2020 report, requirements for data transfers set out in EU data protection legislation have been further clarified and the transfer toolbox has continued to evolve. An important clarification concerns the notion of ‘international transfer’, which has been defined by the Board (151) as encompassing any disclosure of personal data by a controller or processor whose processing is subject to the GDPR to another controller or processor in a third country, regardless of whether or not the processing by the latter is subject to the GDPR (152). This guidance of the Board was particularly important to provide legal certainty to European controllers and processors on the scenarios in which a transfer tool under Chapter V GDPR is needed.

Further clarifications have also been provided by the Court of Justice in its Schrems II judgment (153) on the protection that has to be provided by different transfer instruments to ensure that the level of protection guaranteed by the GDPR is not undermined (154). In particular, these instruments must ensure that individuals whose data are transferred outside the EU are afforded a level of protection essentially equivalent to that guaranteed within the EU (155). It is the responsibility of the EU data exporter to assess whether this is the case, taking into account the specific circumstances of its transfers (156).

To assess the level of protection, data exporters must consider both the data protection safeguards set out in the transfer instrument concluded with a non-EU data importer (e.g. a contract), as well as relevant aspects of the legal system of the country where the data importer is located, in particular as regards possible access to the data by public authorities in that country (157). The latter must be assessed in light of the criteria for adequacy assessments set out in Article 45 GDPR. The Court also further elaborated on these criteria, in particular with respect to the rules on access to personal data by public authorities for law enforcement and national security purposes.

This interpretation has also been reflected in the guidance of the Board, which updated its ‘adequacy referential’ (158) (that provided guidance on the elements the Commission must take into account when carrying out an adequacy assessment). The Board also adopted new guidance providing further clarifications on: (i) the elements to be taken into account by individual data exporters when assessing the level of protection; (ii) an overview of potential sources that can be used; and (iii) examples of possible supplementary measures (e.g. contractual and technical safeguards) (159). The guidance specifically highlights that each assessment carried out by data exporters is unique, and that they therefore need to take into account the specific features of each transfer which can differ depending on the purpose of the data transfer, the types of entities involved, the sector in which the transfer occurs, the categories of personal data transferred, etc. (160).

Taking into account these different clarifications on the requirements for international data transfers, significant steps have been taken in the past years to further develop and operationalise the GDPR transfer toolbox.



1. Adequacy decisions

As also reflected in the feedback received from stakeholders, adequacy decisions continue to play a key role in the GDPR transfer toolbox (161), by providing a straightforward and comprehensive solution for data transfers without the need for the data exporter to provide further safeguards or obtain any authorisation. By enabling the free flow of personal data, these decisions have opened up commercial channels for EU operators, including by complementing and amplifying the benefits of trade agreements, and eased collaboration with foreign partners in a broad range of fields, from regulatory cooperation to research.

Since the 2020 report, the number of countries that have put in place modern data protection laws - providing among others for key data protection principles, individual rights, and effective enforcement by independent regulators - has continued to grow. This trend (162) has also allowed the Commission to intensify its adequacy work. This includes the adoption of an adequacy decision for the United Kingdom (163), which is central to ensuring the proper functioning of the various agreements concluded with the UK following Brexit. To ensure that it remains future proof, the adequacy decision includes a ‘sunset clause’ that is set to expire in 2025, after which it may be renewed if the level of protection continues to be adequate. The Commission also adopted an adequacy decision for the Republic of Korea (164), which complements the EU-Korea Free Trade Agreement on personal data flows and facilitates regulatory cooperation. A first review of the adequacy decision is planned towards the end of 2024.

In addition, following the invalidation of the adequacy decision for the EU-US Privacy Shield, the Commission entered into talks with the United States (US) Government to develop a successor arrangement in compliance with the requirements as clarified by the Court (165). The US President adopted a new Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’, which introduced new binding and enforceable safeguards to ensure that data can be accessed for national security purposes only to the extent necessary and proportionate, and that effective redress is available to Europeans. On that basis, the Commission adopted its adequacy decision on the EU-US Data Privacy Framework (DPF) (166), allowing personal data to flow freely from the EU to US companies joining the DPF. Since the safeguards put in place by the US Government in the area of national security apply to all data transfers to companies in the US, regardless of the GDPR transfer mechanism used, the use of other tools, such as standard contractual clauses and binding corporate rules, has been significantly facilitated. A first review of the functioning of the DPF will take place in the summer of 2024 in order to verify that all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice.

Adequacy negotiations are currently under way with Brazil and Kenya, as well as, for the first time, with several international organisations (adequacy talks are for instance at an advanced stage with the European Patent Organisation) (167). In line also with the calls of various stakeholders (168), the Commission has actively engaged in exploratory talks with countries in different regions of the world.

The Commission also continuously monitors developments in the countries that already benefit from adequacy findings and periodically reviews existing decisions, in accordance with its corresponding obligations under the GDPR (169). In April 2023, the Commission adopted its report on the first periodic review of the adequacy decision for Japan (170), which concluded that Japan continues to ensure an adequate level of protection (171). The review demonstrated that the EU and Japanese data protection frameworks further converged since the adoption of the mutual adequacy decisions.

In addition, in accordance with Article 97 of the GDPR, the first review of the 11 adequacy decisions (172) adopted under the former EU data protection framework (the Data Protection Directive) was initiated as part of the 2020 evaluation of the application and functioning of the GDPR. The conclusion of this aspect of the review was postponed, notably to take into account the judgment of the Court of Justice in the Schrems II case and subsequent interpretation by the Board. The above-mentioned clarifications of the Court on key elements of the adequacy standard led to detailed exchanges with the countries and territories concerned on relevant aspects of their legal framework, as well as oversight and enforcement mechanisms.

On 15 January 2024, the Commission published its report on these 11 decisions, together with detailed country reports describing developments in each of the countries and territories since the adoption of the adequacy decisions, as well as the rules that apply to access to data by public authorities, in particular for law enforcement and national security purposes (173). The report concludes that all 11 countries and territories continue to provide an adequate level of protection for personal data transferred from the EU. It reflects that all the countries and territories concerned have in different ways modernised and strengthened their privacy legal framework. Moreover, in order to address relevant differences in the level of protection, additional safeguards for personal data transferred from Europe have been - when needed to ensure the continuity of the adequacy decision - negotiated and agreed with some of them.

These reviews also show that adequacy decisions have, rather than being an ‘end point’, laid the foundation for closer cooperation and further regulatory convergence between the EU and these likeminded partners. For example, the report on the first review of the adequacy decision for Japan recognises that the further strengthening of the Japanese data protection framework can pave the way to extend the adequacy decision beyond commercial exchanges, to cover transfers currently excluded from its scope, such as in the area of regulatory cooperation and research. Talks to explore such a possible extension are ongoing. In general, adequacy decisions have become a strategic component of the overall relationship of the EU with these foreign partners and are recognised as a major enabler for deepening cooperation in a broad range of areas.

Beyond providing a strong basis for increased bilateral cooperation, the growing network of countries and territories for which the EU has adopted an adequacy decision presents new opportunities to maximise the benefits of safe and free data flows and to cooperate more closely among likeminded partners on the enforcement of data protection rules. In March 2024, the Commission therefore hosted the first ever high-level meeting on safe data flows, gathering responsible Ministers and heads of the data protection authorities of 15 countries and territories for which the EU has adopted an adequacy decision, as well as the Chair of the European Data Protection Board (174). Several concrete action points were identified at the meeting on which follow-up work is ongoing within this group.

More generally, through their ‘network effect’, adequacy decisions adopted by the European Commission are increasingly relevant also beyond the EU, as they not only allow for the free flow of data with the 30 economies of the EEA, but also with many more jurisdictions around the globe that recognise countries for which there is an EU adequacy decision as ‘safe destinations’ under their own data protection rules (175).



2. Instruments providing for appropriate safeguards

Since the 2020 report, additional tools providing for appropriate safeguards have been developed and practical guidance has been issued to facilitate their use.

As announced in the 2020 report, the Commission has adopted modernised standard contractual clauses (SCCs) (176), developed relying extensively on feedback from various stakeholders (177). The new SCCs have replaced the three sets of SCCs that were adopted under the Data Protection Directive. The main innovations include: (i) updated safeguards in line with the GDPR; (ii) a modular approach offering a single entry-point covering a broad range of transfer scenarios; (iii) increased flexibility for the use of SCCs by multiple parties; and (iv) a practical toolbox to comply with the Schrems II judgment.

The modernised SCCs have been welcomed by stakeholders, and the feedback received confirms that SCCs remain by far the most used tool for transfers by EU data exporters (178). To assist data exporters with their compliance efforts, the Commission has developed a Q&A that provides further guidance on the use of the clauses (179), which will be further updated if new questions arise, including in light of the further feedback received as part of this evaluation.

Many data exporters report experiencing difficulties with carrying out ‘transfer impact assessments’ required by the Schrems II judgment, referring in particular to their complexity, as well as to the costs and time needed to perform them (180). While welcoming the guidance of the Board and the SCCs, they call for additional guidance (e.g. on the responsibilities of involved parties and the level of detail required in transfer impact assessments) and additional tools to assist with performing such assessments (e.g. templates, general country-assessments, risk catalogues). Although stakeholders mainly provided such feedback on the SCCs, the same assessments are also required for other transfer instruments (such as binding corporate rules). It is therefore important that the Board - building on the experience with applying the Schrems II requirements in the past years, including as part of the enforcement activities of national data protection authorities - considers exploring ways/tools to further assist data exporters in their compliance efforts in this context.

To complement the existing SCCs, the Commission is developing additional sets of clauses to provide EU data exporters with a comprehensive and coherent package. This will include SCCs under Regulation (EU) 2018/1725 for data transfers by EU institutions and bodies to commercial operators in third countries (181) and SCCs for data transfers to third country data importers whose processing operations are directly subject to the GDPR. The latter respond to the call from stakeholders to specifically cover scenarios where the data importer falls within the territorial scope of application of the GDPR (for instance because the processing in question targets the EU market in accordance with Article 3(2) GDPR) (182). As clarified by the Board, a transfer tool under Chapter V GDPR is required also in this case, because of the increased risks for personal data processed outside the EU, for example due to possibly conflicting national laws or disproportionate government access in the third country (183). The new SCCs being developed by the Commission will specifically address this scenario and will fully take into account the requirements that already apply directly to those controllers and processors under the GDPR (184).

As also recognised by different types of stakeholder (185), model clauses play an increasingly central role in facilitating data flows around the world. Several jurisdictions have endorsed the EU SCCs as a transfer mechanism under their own data protection laws, with limited formal adaptations to their domestic legal order (186). A number of other countries have adopted their own model clauses that share important common features with the EU SCCs (187). A particularly relevant example is the creation of model clauses by other international/regional organisations or networks, such as the Council of Europe Consultative Committee of Convention 108, the Ibero-American Data Protection Network and the Association of Southeast Asian Nations (ASEAN) (188). This opens up new opportunities to facilitate data flows between different regions of the world on the basis of model clauses. A concrete example is the EU-ASEAN Guide on the EU SCCs and ASEAN model clauses which, building on input from companies, assists them in their compliance efforts under both sets of clauses (189).

In addition to SCCs, binding corporate rules (BCRs) continue to be widely used for data flows between members of corporate groups or among enterprises engaged in a joint economic activity. Since the GDPR became applicable, the Board has adopted 80 positive opinions on national decisions approving BCRs (190). The Board also issued guidance on the elements to be included in BCRs for controllers (and the information to be provided as part of a BCR application), which has been updated to reflect GDPR requirements and the Schrems II judgment (191). Updated guidance on BCRs for processors is also being developed (192). Because BCRs aim at putting binding data protection policies/programmes in place in companies, many stakeholders consider them to be a particularly useful compliance tool and a trustworthy transfer instrument (193). At the same time, stakeholders continue to report that the length and complexity of the approval process by national data protection authorities is preventing a broader uptake of BCRs. It is therefore important that the authorities continue to work on streamlining and shortening the approval process.

Since the 2020 report, steps have also been taken to facilitate the use of certification and codes of conduct as tools for transfers, e.g. through the adoption of dedicated guidelines on both tools by the Board (194). At the same time, stakeholders report the same issues concerning the timeline and complexity of the approval process as the ones mentioned above with respect to certification and codes of conduct as accountability tools.

Finally, the GDPR also provides for specific instruments - international agreements and administrative arrangements approved by data protection authorities - to be used by public authorities to transfer personal data to their counterparts in third countries, or to international organisations. The Board adopted guidelines on the safeguards that should be included in such instruments (195), which can support the negotiation of such agreements and arrangements.



3. Ensuring complementarity with other policies

As data flows have become essential for so many activities, ensuring that data protection policies and other policies complement one another is key. The inclusion of data protection safeguards in international instruments is not only often a precondition for data flows, but also an important enabler for stable and trustworthy cooperation.

For instance, international agreements providing for the necessary data protection safeguards, including by ensuring continuity of protection on the side of a requesting authority, are essential to ensure comity and facilitate cross-border access by law enforcement to electronic evidence held by companies and, in this way, a more effective fight against crime. This approach is reflected in the Second Additional Protocol to the Cybercrime Convention (196), which enhances existing rules to obtain cross-border access to electronic evidence in criminal investigations while ensuring appropriate data protection safeguards. The Protocol has in the meantime been signed by several EU Member States. Similarly, bilateral negotiations are progressing between the EU and the US on an agreement on cross-border access to electronic evidence for cooperation in criminal matters (197).

The exchange of passenger name record (PNR) data is another area of the EU security policy that has benefited from the development of strong data protection safeguards. In 2023, the EU and Canada concluded their negotiations on a new PNR Agreement in line with the requirements set out by the Court of Justice in its Opinion 1/15 (198). Similar safeguards have been introduced in the PNR chapter of the EU-UK Trade and Cooperation Agreement. The inclusion of enhanced privacy protections in these agreements, which can serve as a template for future agreements with other partners, brings legal certainty to air carriers while ensuring the stability of important exchanges of information for combating terrorism and other serious transnational crimes.

The Commission is also a proponent of strong provisions to protect privacy and boost digital trade at the World Trade Organisation in the ongoing negotiations on the Joint Statement Initiative on electronic commerce. Similar provisions on fighting unjustified obstacles to digital trade, while protecting the Parties’ necessary policy space in the area of data protection, have been consistently included in the free trade agreements concluded by the EU following the entry into application of the GDPR, notably in the EU-UK TCA and in the agreements with Chile, Japan and New Zealand. Provisions for privacy and data flows are also being discussed in the ongoing digital trade negotiations with Singapore and South Korea.


2. International cooperation on data protection

1. The bilateral dimension

The Commission has continued to engage in dialogue with countries and international organisations on the development, reform and implementation of privacy rules, including by making submissions to public consultations on draft legislation or regulatory measures in the area of privacy (199), testifying before competent parliamentary bodies (200) and participating in dedicated meetings with government representatives, parliamentary delegations and regulators from many regions of the world (201). A number of these activities have been carried out through the EU-funded ‘Enhanced Data Protection and Data Flows’ project, which supports countries intending to develop modern data protection frameworks or to strengthen the capacity of their regulatory authorities, through training, knowledge sharing, capacity building and exchange of best practices. The Commission also contributed to other initiatives, such as the EU-CELAC Digital Alliance.

Data protection will also continue to play a key role in the Commission’s enlargement-related work. EU data protection legislation is an important component of the overall effort of enlargement countries to align their legal frameworks with those of the EU (especially since the processing and exchanging of personal data are at the core of so many policies). Moreover, the independence and proper functioning of a data protection authority is a key element of overall checks and balances and rule of law, and will become increasingly important as the EU gradually integrates enlargement countries into the single market (as envisaged by initiatives such as the Western Balkans Growth Plan).

An increasingly important aspect of the EU’s dialogue with third countries focuses on the exchanges between regulators. As announced in the 2020 report, the Commission has created a ‘Data Protection Academy’, to foster exchanges between EU and third country data protection authorities and, in this way, contribute to capacity building and improve cooperation ‘on the ground’. The Academy offers tailor-made trainings at the request of third country authorities and brings together the expertise of representatives of the enforcement community, academia, the private sector and European institutions. The added value of the trainings lies in the tailoring of the different components to the interests and needs of the requesting authority. Moreover, these trainings allow EU and third country data protection authorities to establish contacts, share knowledge, exchange experience and best practices, and identify potential areas for cooperation. The Academy has so far provided training to the data protection authorities of Indonesia, Brazil, Kenya, Nigeria and Rwanda, and is currently in the process of preparing trainings for several other countries.

Beyond the importance of maintaining a dialogue between regulators, there is an increasing need, as also recognised in the feedback received from the Council and the Board (202), to develop appropriate legal instruments for closer forms of cooperation and mutual assistance, including by allowing the necessary exchange of information in the context of investigations. Indeed, as privacy violations increasingly produce effects across borders, they can often only be effectively investigated and addressed through cooperation between EU and non-EU regulators. The Commission will therefore seek authorisation to open negotiations to conclude enforcement cooperation agreements with relevant third countries (as also provided for in Article 50 of the GDPR). In this respect, the Commission notes the Board’s request to specifically consider countries with the most operators directly subject to the GDPR as potential counterparts, in particular G7 countries and/or countries that benefit from adequacy decisions (203).

Putting in place such enforcement cooperation and mutual assistance agreements would also help to ensure compliance by, and effective enforcement against, foreign operators subject to the GDPR, for instance because they specifically target the EU market by offering goods or services. The Council notes the importance of enforcing compliance with the GDPR in such cases, and raises concerns about the level playing field with entities in the EU, as well as the effective protection of the rights of individuals (204). The Commission agrees with the call of the Council to explore different ways to facilitate enforcement in this scenario. While more formal forms of cooperation with third country regulators could certainly play an important role, the use of other - already existing - avenues should also be pursued more vigorously. This includes making full use of the enforcement toolbox of Article 58 of the GDPR, and involving representatives of foreign companies in the EU (appointed in accordance with Article 27 of the GDPR).



2. The multilateral dimension

The Commission also continues to actively participate in a number of international fora to promote shared values and build convergence at regional and global level.

This for instance includes actively contributing to the work of the Consultative Committee on the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), the only legally binding multilateral instrument in the area of personal data protection. So far, 31 states have ratified the Amending Protocol to modernise Convention 108 (205), including many EU Member States, as well as some non-members of the Council of Europe (Argentina, Mauritius and Uruguay). Among EU Member States, only the signature of one Member State (206) is still outstanding, while eight Member States (207) have so far signed, but not ratified the modernised Convention. The Commission urges the one remaining Member State to sign the modernised Convention and others to swiftly proceed to ratification, to allow for its entry into force in the near future. Beyond that, it continues to proactively encourage accession by third countries.

At the level of the G20 and G7, discussions on privacy and data flows have focused on operationalising the concept of ‘data free flow with trust’ (DFFT), originally proposed by Japan, which acknowledges that data protection and security can contribute to trust in the digital economy and facilitate data flows (208). The OECD plays a particularly important role in this context, by providing a forum for a DFFT Expert Community, bringing together a wide range of stakeholders (governments, regulators, industry, civil society, academia) to provide input on specific projects and questions related to DFFT. In addition, a significant result of the DFFT initiative, to which the Commission significantly contributed, is the adoption by the OECD of a Declaration on Government Access to Personal Data Held by Private Sector Entities, the first international instrument in this area. It contains a series of shared requirements to safeguard privacy when accessing personal data for national security and law enforcement purposes. Against the background of increasing worldwide recognition that confidence in data transfers is negatively affected by disproportionate government access, this Declaration is an important contribution to facilitating trusted data flows. The Commission will continue to encourage countries to join the Declaration, which is also open to non-OECD members.

The Commission is also engaging with different regional organisations and networks that shape common data protection safeguards. This concerns for instance ASEAN, the African Union, the Asia Pacific Privacy Authorities forum, the Ibero-American Data Protection Network and the Network of African Data Protection Authorities (NADPA – RADPD). The development of the above-mentioned EU-ASEAN Guide on model clauses is a concrete example of such fruitful cooperation.

Finally, the Commission maintains a dialogue with different international organisations, including to explore ways to further facilitate data flows between the EU and such organisations. As many organisations have modernised their data protection frameworks in recent years, or are in the process of doing so, new opportunities are also arising to exchange experience and best practices. In this respect, the annual workshops with international organisations and a dedicated taskforce on international data transfers organised by the European Data Protection Supervisor have proven to be particularly useful fora to exchange and explore concrete instruments for cooperation, including the exchange of personal data (209).

8. Conclusion

In the 6 years since the GDPR became applicable, it has empowered people by allowing them to have control over their data. It has also helped create a level playing field for businesses, and provided a cornerstone for the panoply of initiatives that are driving the digital transition in the EU.

To fully achieve the twin aims of the GDPR, namely strong protection for individuals while ensuring the free flow of personal data within the EU and safe data flows outside the EU, there needs to be a focus on:

- a robust enforcement of the GDPR, starting with the swift adoption of the Commission’s proposal on procedural rules to deliver quick remedies and legal certainty in cases affecting individuals across the EU;

- proactive support by data protection authorities to stakeholders in their compliance efforts, especially SMEs and small operators;

- a consistent interpretation and application of the GDPR across the EU;

- effective cooperation between regulators at both national and EU level to guarantee the consistent and coherent application of the growing body of EU digital rules;

- further advancing the Commission’s international strategy on data protection.

To support the effective application of the GDPR and inform further reflections on data protection, several actions identified here are needed. The Commission will support and monitor their implementation also in view of the next report in 2028.

Developing effective cooperation structures

The European Parliament and the Council are invited to swiftly adopt the proposal on GDPR procedural rules.

The Board and data protection authorities are invited to:

- establish regular cooperation with other sectoral regulators on issues with an impact on data protection, in particular those established under new EU digital legislation, and actively participate in EU-level structures designed to facilitate cross-regulatory cooperation;

- make fuller use of the tools for cooperation provided by the GDPR, so that dispute resolution is used only as a last resort;

- implement more efficient and targeted working arrangements for guidelines, opinions and decisions and prioritise key issues in order to reduce the burden on data protection authorities and to respond more quickly to market developments.

Member States need to:

- ensure the effective and full independence of national data protection authorities;

- allocate sufficient resources to data protection authorities to enable them to fulfil their tasks, in particular by providing them with technical resources and expertise necessary to deal with emerging technologies and to fulfil new responsibilities under digital legislation;

- equip data protection authorities with the investigatory tools required for them to effectively use the enforcement powers provided by the GDPR;

- support the dialogue between data protection authorities and other national regulators, in particular those established under the new digital legislation.

The Commission will:

- actively support the swift adoption of the proposal on GDPR procedural rules by the co-legislators;

- continue to closely monitor the effective and full independence of national data protection authorities;

- build synergies and consistency between the GDPR and all legislation touching upon the processing of personal data based on experience and, if necessary, take appropriate actions to provide legal certainty;

- reflect on how to better address the need for structured and efficient cross-regulatory cooperation to guarantee the effective, consistent and coherent application of EU digital rules, while respecting the competence of data protection authorities for all questions concerning the processing of personal data.

Implementing and complementing the legal framework

Member States need to:

- ensure data protection authorities are consulted in a timely manner prior to the adoption of legislation on the processing of personal data.

The Commission will:

- continue to make use of all the tools at its disposal, including infringement procedures, to ensure that Member States comply with the GDPR;

- continue to support exchanges of views and national practices between Member States, including through the GDPR Member States Expert Group;

- pursue actions to ensure that children are protected, empowered and respected online;

- reflect on the possible next steps concerning the e-privacy Regulation proposal, including its relationship with the GDPR.

Supporting stakeholders

The Board and data protection authorities are invited to:

- engage in constructive dialogue with controllers and processors on compliance with the GDPR;

- further increase efforts to support the compliance of SMEs, by providing tailor-made guidance and tools, allaying any unfounded compliance concerns of SMEs that do not have processing of personal data as their core business, and accompanying them in their compliance efforts;

- support the implementation of effective compliance measures by businesses, such as certification and codes of conduct (including as tools for transfers), by engaging with stakeholders during the approval process, providing clear timelines for approvals, and, as pledged in the Board’s 2024-2027 strategy, explaining to key groups of stakeholders how these tools can be used;

- ensure that national guidelines and the application of the GDPR at national level are consistent with the guidelines of the Board and the case law of the Court of Justice;

- resolve diverging interpretations of the GDPR between data protection authorities, including between authorities within the same Member State;

- provide guidelines that are concise, practical and accessible to the relevant audience, as pledged in the Board’s 2024-2027 strategy;

- ensure earlier and more meaningful consultation on guidelines and opinions in order to better understand market dynamics and business practices, give adequate consideration to the feedback received, and factor in the concrete application of the interpretations adopted;

- complete the ongoing work on guidelines on children’s data, scientific research, anonymisation, pseudonymisation and legitimate interest as a priority;

- step up awareness-raising activities, information and enforcement actions to ensure that data protection officers can fulfil their role under the GDPR.

The Commission will:

- continue to provide financial support for activities of data protection authorities that facilitate implementation of GDPR obligations by SMEs;

- use all available means to deliver expedient clarifications on matters of importance to stakeholders, including SMEs, in particular by requesting opinions of the Board.

Further developing the toolkit for data transfers and international cooperation

The Board and data protection authorities are invited to:

- complete the work on streamlining and shortening the approval process for binding corporate rules, as well as on updating the guidance on elements to be found in processor binding corporate rules;

- explore ways/tools to further assist data exporters in their compliance efforts in relation to the Schrems II requirements;

- explore further ways to ensure effective enforcement against operators established in third countries falling within the GDPR’s territorial scope of application.

Member States need to:

- ensure the remaining signature and ratifications of the modernised Convention 108+ of the Council of Europe as soon as possible, with a view to allowing its entry into force.

The Commission will:

- make further progress in ongoing adequacy talks, explore the further development of existing adequacy findings and pursue new adequacy dialogues with interested partners;

- support increased cooperation among the network of countries benefiting from adequacy decisions;

- finalise the work on additional standard contractual clauses, in particular for data transfers to data importers whose processing is directly subject to the GDPR and transfers under Regulation (EU) 2018/1725 for data transfers by EU institutions and bodies;

- cooperate with international partners on facilitating data flows on the basis of model contractual clauses;

- support ongoing reform processes in third countries on new or modernised data protection rules by sharing experience and best practices;

- engage with international and regional organisations such as the OECD and G7 to promote trusted data flows based on high data protection standards, including in the context of the Data Flow with Trust initiative;

- facilitate and support exchanges between European and international regulators, including through its Data Protection Academy;

- contribute to facilitating international enforcement cooperation between supervisory authorities, including through the negotiation of cooperation and mutual assistance agreements.

1() Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation, 24.6.2020 COM(2020) 264 final.

2() https://data.consilium.europa.eu/doc/document/ST-15507-2023-INIT/en/pdf

3() A summary of the input of the GDPR Multi-stakeholder expert group is available here: Report from Multistakeholder Expert group on GDPR application - June 2024.pdf. The input received in response to the public call for evidence and through bilateral meetings with stakeholders largely echoes the views expressed by members of the GDPR Multi-stakeholder expert group.

4() https://ec.europa.eu/info/law/better-regulation/

5() Contribution of the EDPB to the evaluation of the GDPR under Article 97 | European Data Protection Board (europa.eu).

6() GDPR in practice – Experiences of data protection authorities | European Union Agency for Fundamental Rights (europa.eu)

7() Proposal for a Regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679 (COM/2023/348 final).

8()https://edpb.europa.eu/our-work-tools/our-documents/letters/edpb-letter-eu-commission-procedural-aspects-could-be_en.

9()Through the GDPR Multi-stakeholder expert group and a call for evidence launched in February 2023.

10()Notably through the GDPR Member States expert group: https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&do=groupDetail.groupDetail&groupID=3461

11()Article 61 GDPR.

12()internal_edpb_document_1_2021_on_art_62_joint_operations_en.pdf (europa.eu)

13()Article 62 GDPR.

14()Article 65 GDPR.

15() As of 3 November 2023 (contribution of the Board).

16() Under Article 60(3) GDPR.

17() As of 3 November 2023.

18() The Irish authority made the most formal requests (246) while the German authorities received the most requests (516).

19() The Irish authority made the most informal requests (4 245) followed by German authorities (2 036).

20() Of 289 relevant and reasoned objections reported by authorities, 101 (35%) were raised by German authorities. The rate of success in reaching consensus on relevant and reasoned objections ranges from 15% (of objections raised by German authorities) to 100% (of objections raised by the Polish authority).

21() Respectively Articles 64, 65 and 66 GDPR.

22()Opinions under Article 64(2) GDPR.

23() Under Article 65(1)(a) GDPR.

24() Pursuant to Article 66(2) GDPR.

25()See 5.3.4 contribution of the Board.

26()FRA report, page 36.

27()Procedural rules proposal, Article 5.

28() In Romania all 26 decisions finding an infringement were challenged in court, while in the Netherlands the rate of challenge was 23%. The rate of success for challenges was highest in Belgium (39%).

29() Data protection authorities in Germany launched the highest number of own-initiative investigations (7 647), followed by Hungary (3 332), Austria (1 681), and France (1 571).

30() In 2022, nine data protection authorities received over 2000 complaints. The highest number of complaints were registered by Germany (32 300), Italy (30 880), Spain (15 128), the Netherlands (13 133), and France (12 193), while the lowest number were registered by Liechtenstein (40), Iceland (140), and Croatia (271).

31() All authorities imposed administrative fines, except Denmark, which does not provide for administrative fines. The highest number of fines were imposed in Germany (2 106) and Spain (1 596). The fewest fines were imposed in Liechtenstein (3), Iceland (15) and Finland (20).

32() FRA report, page 38.

33() FRA report pages 20 and 23. See also Council position and findings, paragraph 17.

34() Article 70(1) GDPR.

35() FRA report, page 64.

36() FRA report, page 67. In 2023, German data protection authorities dedicated the most resources to activities of the Board (26 full-time equivalents (FTEs)), followed by Ireland (16) and France (12) (contribution of the Board).

37() FRA report, page 67.

38() FRA report, page 67; summary of the feedback of the GDPR Multi-stakeholder expert group.

39() Summary of the feedback of the GDPR Multi-stakeholder expert group.

40() See also Council position and findings, paragraph 45.

41() See also Council position and findings, paragraph 34.

42()https://www.edpb.europa.eu/system/files/2024-04/edpb_strategy_2024-2027_en.pdf

43() See also Council position and findings, paragraph 31(d).

44() They require clarity in particular on the meaning of the term ‘scientific research’, the role of consent to processing of personal data for research, the relevant legal basis, and the roles and responsibility of the actors involved.

45() See also Council position and findings, paragraph 31(b).

46() Council position and findings, paragraphs 27-28.

47() Article 52 GDPR.

48() FRA report, page 31.

49()See section 4.4.1 contribution of the Board, also for the absolute figures.

50() Just five data protection authorities consider they have adequate human resources (contribution of the Board, page 33).

51() FRA report, page 20. Some data protection authorities outsource certain tasks to external contractors, such as complaint handling, legal analysis and forensic analysis.

52() FRA report, page 24.

53() FRA report, page 22.

54() See section 4.4.5 contribution of the Board.

55() Contribution of the Board, page 32.

56()FRA Report, page 48.

57() FRA report, page 45. Data protection authorities consider ex officio investigations particularly important, since complainants may not be aware of many breaches of the GDPR.

58() FRA report, page 8.

59() FRA report, page 39.

60() FRA report, page 41.

61() Recital 9 GDPR.

62()Summary of the feedback of the GDPR Multi-stakeholder expert group.

63() Summary of the feedback of the GDPR Multi-stakeholder expert group.

64() Summary of the feedback of the GDPR Multi-stakeholder expert group.

65()Respectively Articles 6(1)(f) and 6(1)(a) GDPR.

66() Article 22(2) GDPR.

67()Recital 4.

68() Summary of the feedback of the GDPR Multi-stakeholder expert group.

69()e.g. the minimum age for child’s consent in relation to information society services (Article 8(1) GDPR).

70()Article 8(1)GDPR.

71()A possibility provided for by Article 9(4) GDPR.

72()Article 10 GDPR.

73()Council position and findings, paragraph 30.

74()Article 36 GDPR.

75() FRA report, page 11.

76()Belgium (2021/4045) and Belgium (2022/2160).

77()Finland (2022/4010) and Sweden (2022/2022).

(78) With information on the case reference, the investigation type (own initiative or complaint based), a summary of the investigation scope, the concerned data protection authorities, the key procedural steps taken and dates, the investigatory or any other measures taken and dates.

(79) https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&do=groupDetail.groupDetail&groupID=3461

(80) https://ec.europa.eu/transparency/expert-groups-register/screen/meetings/consult?lang=en&meetingId=31754&fromExpertGroups=3461

(81) Case C‑319/22, ECLI:EU:C:2023:837.

(82) Cases C-184/20, ECLI:EU:C:2022:601; C-252/21, ECLI:EU:C:2023:537.

(83) Cases C-683/21, ECLI:EU:C:2023:949; C-604/22, ECLI:EU:C:2024:214; C-231/22, ECLI:EU:C:2024:7.

(84) Case C-61/19, ECLI:EU:C:2020:901.

(85) Cases C-597/19, ECLI:EU:C:2021:492; C-252/21, ECLI:EU:C:2023:537.

(86) Cases C-307/22, ECLI:EU:C:2023:811; C-154/21, ECLI:EU:C:2023:3.

(87) Case C-460/20, ECLI:EU:C:2022:962.

(88) Case C-300/21, ECLI:EU:C:2023:370; Case C-687/21, ECLI:EU:C:2024:72; Case C-667/21, ECLI:EU:C:2023:1022.

(89) Joined Cases C‑26/22 and C‑64/22, ECLI:EU:C:2023:958.

(90) Cases C-807/21, ECLI:EU:C:2023:950; Case C-683/21, ECLI:EU:C:2023:949.

(91) Case C‑453/21, ECLI:EU:C:2023:79.

(92) Cases C-439/19, ECLI:EU:C:2021:504; C-184/20, ECLI:EU:C:2022:601.

(93) Cases C-33/22, ECLI:EU:C:2024:46; C‑272/19, ECLI:EU:C:2020:535.

(94) Council position and findings, paragraph 13.

(95) Contribution of the Board, section 6.

(96) https://commission.europa.eu/law/law-topic/data-protection/eu-funding-supporting-implementation-general-data-protection-regulation-gdpr_en

(97) FRA report, pages 9 and 48.

(98) Summary of the feedback of the GDPR Multi-stakeholder expert group.

(99) Article 10, Regulation (EU) 2022/868 (Data Governance Act), OJ L 152, 3.6.2022, p. 1–44.

(100) Article 12(5) GDPR.

(101) However, the Court of Justice has clarified that the data subject is not required to state the reasons for requesting access to personal data: Case C-307/22, ECLI:EU:C:2023:811, paragraph 38.

(102) Summary of the feedback of the GDPR Multi-stakeholder expert group.

(103) Council position and findings, paragraphs 27-28.

(104) https://www.edpb.europa.eu/news/news/2024/cef-2024-launch-coordinated-enforcement-right-access_en.

(105) Platform workers: Council confirms agreement on new rules to improve their working conditions - Consilium (europa.eu).

(106) Proposal for a Regulation on the European Health Data Space (COM/2022/197 final).

(107) Proposal for a Regulation on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554 (COM/2023/360 final).

(108) Directive (EU) 2020/1828 of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC - OJ L 409, 4.12.2020, p. 1–27.

(109) Recital 38 GDPR.

(110) Recommendation on developing and strengthening integrated child protection systems in the best interests of the child: https://commission.europa.eu/strategy-and-policy/policies/justice-and-fundamental-rights/rights-child/combating-violence-against-children-and-ensuring-child-protection_en.

(111) See also Council position and findings, paragraph 31(a).

(112) Summary of the feedback of the GDPR Multi-stakeholder expert group.

(113) https://commission.europa.eu/law/law-topic/data-protection/eu-funding-supporting-implementation-general-data-protection-regulation-gdpr_en.

(114) https://digital-strategy.ec.europa.eu/en/policies/strategy-better-internet-kids.

(115) Regulation (EU) 2024/1183 amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework OJ L, 2024/1183, 30.4.2024.

(116) As recognised by the report of the ‘Fit for future’ platform, a high-level expert group set up to help the Commission in its efforts to simplify EU laws and to reduce related unnecessary costs: https://commission.europa.eu/law/law-making-process/evaluating-and-improving-existing-laws/refit-making-eu-law-simpler-less-costly-and-future-proof/fit-future-platform-f4f_en. See also the summary of the feedback of the GDPR Multi-stakeholder expert group and Council position and findings, paragraph 12.

(117) Summary of the feedback of the GDPR Multi-stakeholder expert group.

(118) Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) GDPR and Article 29(7) GDPR (C/2021/3701) - OJ L 199, 7.6.2021, p. 18–30.

(119) Summary of the feedback of the GDPR Multi-stakeholder expert group.

(120) Council position and findings, paragraph 25.

(121) https://www.edpb.europa.eu/our-work-tools/accountability-tools/register-codes-conduct-amendments-and-extensions-art-4011_en?f%5B0%5D=coc_scope%3Anational

(122) Summary of the feedback of the GDPR Multi-stakeholder expert group.

(123) https://www.edpb.europa.eu/system/files/2024-04/edpb_strategy_2024-2027_en.pdf

(124) https://commission.europa.eu/law/law-topic/data-protection/eu-funding-supporting-implementation-general-data-protection-regulation-gdpr_en

(125) https://edpb.europa.eu/sme-data-protection-guide/home_en

(126) Summary of the feedback of the GDPR Multi-stakeholder expert group.

(127) See Council position and findings, paragraph 24; summary of the feedback of the GDPR Multi-stakeholder expert group.

(128) Article 30(5) GDPR.

(129) Where the organisation employs fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) GDPR or personal data relating to criminal convictions and offences referred to in Article 10 GDPR.

(130) Council position and findings, paragraph 26; EDPB 2023 Coordinated Enforcement Action Designation and Position of Data Protection Officers: https://www.edpb.europa.eu/system/files/2024-01/edpb_report_20240116_cef_dpo_en.pdf

(131) Summary of the feedback of the GDPR Multi-stakeholder expert group.

(132) See recommendations in EDPB Coordinated Enforcement Action.

(133) Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) OJ L 277, 27.10.2022, p. 1–102.

(134) Regulation (EU) 2022/1925 (Digital Markets Act) OJ L 265, 12.10.2022, p. 1–66.

(135) Regulation (EU) 2024/1689 (Artificial Intelligence Act) OJ L, 2024/1689, 12.07.2024.

(136) Platform workers: Council confirms agreement on new rules to improve their working conditions - Consilium (europa.eu).

(137) Regulation (EU) 2024/900 on the transparency and targeting of political advertising OJ L, 2024/900, 20.3.2024.

(138) Proposal for a Regulation on Privacy and Electronic Communications - COM/2017/010 final.

(139) Directive 2002/58/EC (ePrivacy Directive) - OJ L 201, 31/07/2002 P. 0037 - 0047

(140) Regulation (EU) 2024/903 (Interoperable Europe Act) OJ L, 2024/903, 22.3.2024.

(141) See Council position and findings, paragraph 31(f).

(142) https://finance.ec.europa.eu/publications/anti-money-laundering-and-countering-financing-terrorism-legislative-package_en.

(143) Regulation (EU) 2022/868 (Data Governance Act) OJ L 152, 3.6.2022, p. 1–44.

(144) Regulation (EU) 2023/2854 (Data Act) OJ L, 2023/2854, 22.12.2023.

(145) https://www.europarl.europa.eu/doceo/document/TA-9-2024-0331_EN.html.

(146) See Council position and findings, paragraphs 40-41; Summary of the feedback of the GDPR Multi-stakeholder expert group.

(147) See for example Article 37(3) of the Data Act.

(148) Directive (EU) 2022/2555 (NIS 2 Directive) OJ L 333, 27.12.2022, p. 80-152.

(149) See Council position and findings, paragraphs 18, 40-41 and the summary of the feedback of the GDPR Multi-stakeholder expert group.

(150) Germany has established a ‘digital cluster’, which includes regulators from various fields, with the aim of expanding their cooperation on all aspects of digitalisation and sharing knowledge and best practices: https://www.dataguidance.com/news/germany-bsi-announces-formation-digital-cluster-bonn

(151) EDPB Guidelines 05/2021.

(152) Section 2 of EDPB Guidelines 05/2021.

(153) Case C-311/18, ECLI:EU:C:2020:559 (Schrems II).

(154) Schrems II, point 93.

(155) Schrems II, points 96 and 105.

(156) Schrems II, point 131.

(157) Schrems II, point 105.

(158) EDPB Recommendations 02/2020 and Adequacy Referential, WP 254 rev. 01.

(159) EDPB Recommendations 01/2020, complemented by Recommendations 02/2020.

(160) See e.g. paras. 8-13, 32-33 of EDPB Recommendations 01/2020.

(161) See e.g. contribution of the Board, pages 7-8; Council position and findings paragraph 36; Summary of the feedback of the GDPR Multi-stakeholder expert group.

(162) Implementing Commission Communication ‘Exchanging and Protecting Personal Data in a Globalised World’, 10.1.2017 (COM(2017) 7 final).

(163) Commission Implementing Decision (EU) 2021/1772, OJ L 360, 11.10.2021, p. 1–68.

(164) Commission Implementing Decision (EU) 2022/254, OJ L 44, 24.2.2022, p. 1–90.

(165) https://commission.europa.eu/news/joint-press-statement-european-commissioner-justice-didier-reynders-and-us-secretary-commerce-wilbur-2020-08-10_en

(166) Commission Implementing Decision (EU) 2023/1795, OJ L 231, 20.9.2023, p. 118–229.

(167) The European Patent Organisation is an intergovernmental organisation set up on the basis of the European Patent Convention. Its main task is the granting of European patents. In that context, it cooperates closely with companies and public authorities in EU Member States, as well as with different EU institutions and bodies.

(168) Contribution of the Board, pages 7-8.

(169) Article 45(4) and (5) GDPR. See also Schrems I, point 76.

(170) Commission Implementing Decision (EU) 2019/419, OJ L 76, 19.3.2019, p. 1–58. See also https://ec.europa.eu/commission/presscorner/detail/en/IP_19_421. This decision constituted the first adequacy decision adopted under the GDPR and the first reciprocal adequacy arrangement.

(171) Commission report on the first review of the functioning of the adequacy decision for Japan, 3.4.2023, COM(2023) 275 final (and SWD(2023) 75 final).

(172) Andorra, Argentina, Canada (for commercial operators), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.

(173) Commission report on the first review of the functioning of the adequacy decisions adopted pursuant to Article 25(6) of Directive 95/46/EC, 15.1.2024, COM(2024) 7 final (and SWD(2024) 3 final).

(174) https://ec.europa.eu/commission/presscorner/detail/en/mex_24_1307#11

(175) Such as Argentina, Colombia, Israel, Morocco, Switzerland and Uruguay.

(176) Commission Implementing Decision (EU) 2021/914, OJ L 199, 7.6.2021, p. 31–61.

(177) This included for instance EDPB-EDPS Joint Opinion 2/2021 as part of the adoption procedure for the SCCs.

(178) Council position and findings para. 37, Contribution of the Board page 9, Summary of the feedback of the GDPR Multi-stakeholder expert group.

(179) https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en.

(180) See e.g. summary of the feedback of the GDPR Multi-stakeholder expert group.

(181) In accordance with Article 48(2)(b) of Regulation (EU) 2018/1725.

(182) Council position and findings paragraph 37, Contribution of the Board, page 9, Summary of the feedback of the GDPR Multi-stakeholder expert group.

(183) EDPB Guidelines 05/2021, p. 3.

(184) As also set out in the EDPB Guidelines 05/2021, Section 4.

(185) Contribution of the Board, page 9, Summary of the feedback of the GDPR Multi-stakeholder expert group.

(186) E.g. the UK (https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) and Switzerland (https://www.edoeb.admin.ch/edoeb/en/home/datenschutz/arbeit_wirtschaft/datenuebermittlung_ausland.html).

(187) E.g. New Zealand (https://privacy.org.nz/responsibilities/your-obligations/disclosing-personal-information-outside-new-zealand/) and Argentina (https://servicios.infoleg.gob.ar/infolegInternet/anexos/265000-269999/267922/norma.htm).

(188) See https://rm.coe.int/t-pd-2022-1rev10-en-final/1680abc6b4; https://www.redipd.org/sites/default/files/2023-02/anexo-modelos-clausulas-contractuales-en.pdf and https://asean.org/wp-content/uploads/3-ASEAN-Model-Contractual-Clauses-for-Cross-Border-Data-Flows_Final.pdf.

(189) https://commission.europa.eu/document/download/df5cd5a0-7387-4a2a-8058-8d2ccfec3062_en?filename=%28Final%29%20Joint_Guide_to_ASEAN_MCC_and_EU_SCC.pdf.

(190) Contribution of the Board, page 9.

(191) EDPB Recommendations 1/2022.

(192) Contribution of the Board, page 9.

(193) Summary of the feedback of the GDPR Multi-stakeholder expert group.

(194) EDPB Guidelines 07/2022 and Guidelines 04/2021.

(195) EDPB Guidelines 2/2020.

(196) Second Additional Protocol to the Cybercrime Convention on enhanced co-operation and disclosure of electronic evidence (CETS No. 224).

(197) https://commission.europa.eu/news/eu-us-announcement-resumption-negotiations-eu-us-agreement-facilitate-access-electronic-evidence-2023-03-02_en.

(198) Commission proposal for a Council Decision on the signing, on behalf of the European Union, of an agreement between Canada and the European Union on the transfer and processing of Passenger Name Record (PNR) data, COM/2024/94 final.

(199) This concerned consultations organised by, for example, Australia, China, Rwanda, Argentina, Brazil, Ethiopia, Indonesia, Peru, Malaysia and Thailand.

(200) For example, before the parliamentary bodies of Chile, Ecuador and Paraguay.

(201) This also included the organisation of seminars and study visits, for example with Kenya, Indonesia, and Singapore.

(202) Contribution of the Board, page 8; Council position and findings, para. 38.

(203) Contribution of the Board, page 8.

(204) Council position and findings, paragraph 39.

(205) Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 223).

(206) Denmark.

(207) Belgium, Czechia, Greece, Ireland, Latvia, Luxembourg, the Netherlands and Sweden.

(208) See e.g. https://www.g7germany.de/resource/blob/974430/2062292/fbdb2c7e996205aee402386aae057c5e/2022-07-14-leaders-communique-data.pdf?download=1

(209) https://www.edps.europa.eu/data-protection/our-work/edps-worldwide/data-protection-and-international-organisations_en
