Newsletter (108)


Newsletter (108)

In this issue: find out how to sign up to our EDPS Summit: Rethinking Data in a Democractic Society; watch our 20 talks video or podcast series with influential people discussing how privacy is shaping their respective fields of expertise; what does applying data minimisation mean in practice, and more? This issue is also part of our podcast series, the Newsletter Digest.

Have a listen now!

Europe day: one day to get to know the EDPS and EDPB

europe day logo

For just one day, get to know the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB). 

On 4 May 2024, come and see us at our stand in “Our Strong Digital Europe Village” to ask questions about our work and more. You will also have the opportunity to try out some of our Artificial Intelligence tools to understand the privacy challenges they may pose, and how the EDPS is tackling them. There will also be a chance to challenge yourself with our data protection quiz with prizes to win. 

We look forward to meeting you! 

All details can be found here.

Data minimisation for a maximum of privacy

data minimisation

On 12 April 2024, the EDPS issued a Decision concerning an EU institution, body, office or agency (EUI) and the application of the principle of data minimisation

Data minimisation means that the collection of an individual’s personal data should be limited to what is adequate, relevant and necessary to accomplish a specific processing operation.  Data minimisation is a legal obligation under the applicable data protection law for EUIs, Regulation (EU) 2018/1725. 

The EDPS’ Decision concerned a complaint by a staff member of an EUI, alleging that their EUI had transmitted their personal number, grade and step to another EUI without a legal basis. The purpose of transmission of this data was to calculate the payment of child allowances for the complainant’s ex-partner, employed by the EUI to which the data was transmitted.

It is important to note that in accordance with Recital 21 of Regulation (EU) 2018/1725, before every transmission of personal data within and between EUIs, the EUI in question is accountable for carrying out a necessity test, to ensure that it is truly necessary, relevant and proportionate to transmit this data for a given purpose.

Concerning this specific case, the EDPS found that the EUI transmitting this data had not carried out the necessity test as required under the data protection regulation for EUIs. A simple transmission of the decision on the payment of child allowances would have been sufficient. 

Following the EDPS’ Decision, the EUI adapted its procedures so that, in the future, only the minimum information that is necessary is transmitted in light of a specific purpose, to ensure data minimisation. 

EDPS Annual Report: adaptability in a changing world

people working

Presenting his Annual Report 2023 on 9 April 2024, European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski emphasised his institution’s adaptability in the face of an evolving digital and regulatory landscape. 

Wojciech Wiewiórowski, EDPS, said: “The year 2023 has been one of adaptability in light of digital and regulatory advancements. More than ever, multilateral and cross-border collaboration have proved crucial to achieve and elevate data protection standards in the EU and beyond. As we move to 2024, coinciding with the EDPS’ 20th Anniversary, my institution’s role is to anticipate and prepare for the data protection challenges of the next two decades”

Amongst its activities in the areas of Supervision & Enforcement, Policy & Consultation and Technology & Privacy, the EDPS focused on: 

  • steering the regulation of Artificial Intelligence 

  • advocating for the safety of communications 

  • addressing societal matters, in the Area of Freedom, Security and Justice 

  • investing resources in technology monitory and innovation.

Continue to read Press Release.

Read the EDPS Annual Report and its Executive Summary.

Read the EDPS Supervisor’s speech before the European Parliament’s Committee Civil Liberties, Justice and Home Affairs.

Sign up to our European Data Protection Summit!

european data protection summit

We invite you to our European Data Protection Summit: “Rethinking Data in a Democratic Society” on 20th June 2024, at Square Bruxelles, Mont des Arts in Brussels, and online. 

The Summit is part of our celebrations of the EDPS’ two decades of protecting personal data. To mark this occasion, the event will focus on debating on the role of a state in times of ever-growing collection of information about citizens, be it by private or public entities, and the part that data protection should play in modern democracies. 

In particular, the Summit will tackle the following 5 questions: 

  • What is ‘data protection’ protecting?

  • Is data protection law suitable for public authorities? 

  • Zooming out onto democracy and the rule of law. How to build a functioning democratic oversight? 

  • In the trap of reactiveness. Can data protection be in the driving seat? 

  • Fit for ’44. How to turn wishes into proposals? 

Take part in the debate. Join us now. Register here

20 Talks with leading voices: how does privacy impact different industries and spheres?

blue background

We have launched a series called “20 Talks”, in which we invite influential personalities and leading voices from all around the world, with diverse backgrounds - from technology, academia, international organisations, activists - to discuss how privacy is shaping their respective fields of expertise. 

More 20 Talks episodes are coming to you in 2024; in the meantime you can catch up on: 

  • our talk on fake identities in the digital world, fraud and online scams with Ayleen Charlotte, Scam Fighter Person of the year 2023 and Leading Voice in the Netflix Show, the Tinder Swindler. 

  • our discussion on the evolution of African digital societies, and the current environment of national data protection laws in African jurisdictions with Towela Nyirenda Jere, Head of Infrastructure, Digitalisation and Energy Division at the African Union Development Agency.

  • our conversation on international cooperation, Artificial Intelligence and digital humanism with Amandeep Singh Gill, UN Secretary General's Envoy on Technology. 

With our “20 Talks” diverse series, there is something for everyone. Find these talks and more episodes of our 20 Talks series on our EDPS 20th Anniversary Website

20 initiatives: on the path to strengthening individuals’ privacy rights

blue background with logo

As the data protection landscape continues to evolve, the EDPS strives to continuously adapt itself by modernising its approach and actions to anticipate and tackle future challenges. 

Building on our expertise of the last two decades, we are carving out 20 diverse initiatives - composed of actions and resolutions - that we commit to work on. 

These include: 

  • the creation of a support system for independent research projects on privacy and data protection; 

  • a guide for the EU’s co-legislators, the European Commission and the Council, on the main elements to consider when drafting legislative proposals with an impact on data protection and personal data;

  • setting up and building the supervision of the interoperability framework connecting the EU databases operating in the fields of borders, visa, police, judicial cooperation, asylum and migration.

We have worked on 10 initiatives so far, you can find them on our EDPS 20th Anniversary website. Keep your eyes peeled for more. 

European Commission’s use of Microsoft 365 infringes data protection law for EU institutions and bodies

computer with people sitting on it. Vectorial image.

Following its investigation, the EDPS has found that the European Commission (Commission) has infringed several key data protection rules when using Microsoft 365. In its decision, the EDPS imposes corrective measures on the Commission.

The EDPS has found that the Commission has infringed several provisions of Regulation (EU) 2018/1725, the EU’s data protection law for EU institutions, bodies, offices and agencies (EUIs), including those on transfers of personal data outside the EU/European Economic Area (EEA). In particular, the Commission has failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded an essentially equivalent level of protection as guaranteed in the EU/EEA. Furthermore, in its contract with Microsoft, the Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365. The Commission’s infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf.

The EDPS has therefore decided to order the Commission, effective on 9 December 2024, to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors located in countries outside the EU/EEA not covered by an adequacy decision. The EDPS has also decided to order the Commission to bring the processing operations resulting from its use of Microsoft 365 into compliance with Regulation (EU) 2018/1725. The Commission must demonstrate compliance with both orders by 9 December 2024.

Continue to read Press Release.

Read Decision available here.

Coordinated Enforcement Action: the right of access to personal data

phone, lock, password to symbolise the right of access

The EDPS is participating in the European Data Protection Board’s (EDPB) Coordinated Enforcement Action on how individuals’ right of access is addressed specifically in the EU institutions, bodies, offices and agencies (EUIs), alongside the other 27 Data Protection Authorities (DPAs) across the European Economic Area (EEA).

The right of access lies at the heart of data protection, allowing individuals to check whether their personal data is processed in a compliant manner by organisations or EUIs, often enabling the exercise of their other rights, such as the right to rectification or erasure of data. Thus, it is one of the most frequently exercised data protection rights, and for which DPAs receive many complaints each year.

In this Coordinated Enforcement Action, the EDPS will focus on EUIs’ compliance with the right of access under the applicable data protection law, Regulation (EU) 2018/1725. 

Read Press Release.

One EDPS, multiple channels to follow


How do you want to follow the EDPS’ actions aimed at protecting your privacy and personal data? You decide! 

Want to grasp all the finer details of our work, our website includes our Opinions, Decisions, Investigations and other official documents with our legal analysis on the specific cases we encounter in our day-to-day work. 

Interested in receiving a monthly overview of our work, why not subscribe to our Newsletter? Each issue promises to give you a summary of our most relevant work in the areas of Supervision & Enforcement, Policy & Consultation, Technology & Privacy. From our inbox to yours, we condense our data protection and privacy news, so that you don’t miss the important information.

Looking for some interactive and behind-the-scenes content, you can follow us on our social media channels: X: @EU_EDPS, LinkedIn: EDPS, Youtube: European Data Protection Supervisor, Mastodon: EU Voice, Peertube: EU Video, Instagram: eu_edps.

On the move? Check out our podcast channel on Spotify at EDPS on Air, to grab your dose of the EDPS’ data protection news whilst on the go. 

Coming soon: Computers, Privacy and Data Protection Conference 2024

cpdp logo

The Computers, Privacy and Data Protection annual Conference is happening in Brussels between the 22 and 24 May. The event will gather academics, lawyers, practitioners, policy-makers, industry, civil society to converse about the following topic: "To govern or to be governed, that is the question".

Like every year, the EDPS will take active part in this conference. In particular, some of the EDPS' in-house experts in privacy and data protection are organising and taking part in two panels on Artificial Intelligence, one panel delving into the challenges and opportunities of open-source AI, and the other on personal data in the time of AI. 

For more information on these panel and the CPDP Conference, check out the dedicated website and official programme