Council Regulation 2725/2000 of 11 December 2000 (pdf) establishes a system known as "Eurodac", i.e. a fingerprint database that assists the asylum procedure. It mainly helps to determine which Member State is competent for asylum applications (see Council Regulation 407/2002 (pdf) laying down certain rules to implement Regulation 2725/2000 concerning the establishment of "Eurodac" for the comparison of fingerprints for the effective application of the Dublin Convention).

The system consists of a central unit, a computerised central database for comparing the fingerprint data of asylum applicants, and means of data transmission between the Member States and the central database. The EDPS is responsible for supervision of the system in cooperation with the competent national data protection authorities.

Read more on the supervision of Eurodac

When a participating country sends a set of prints to Eurodac, it knows immediately if they match up with others already on the database. If so, it can choose to send the individual back to the country where he or she first arrived or applied for asylum; the authorities there are responsible for making a decision about the candidate’s right to stay. If not, the country that submitted the prints handles the case.

Read more on the Commission's Freedom, Security and Justice website



The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Economic Area (EEA), and promotes cooperation between the EEA’s data protection authorities. 

The EDPB is composed of representatives of the national data protection authorities, and the European Data Protection Supervisor (EDPS). The supervisory authorities of the EFTA EEA States are also members with regard to the GDPR related matters and without the right to vote and being elected as chair or deputy chairs. The EDPB is established by the General Data Protection Regulation (GDPR), and is based in Brussels. The European Commission and -with regard to the GDPR related matters- the EFTA Surveillance Authority have the right to participate in the activities and meetings of the Board without voting right.

The EDPB has a Secretariat, which is provided by the EDPS. A Memorandum of Understanding determines the terms of cooperation between the EDPB and the EDPS. In addition to providing the Secretariat of the EDPB, the EDPS is also a full member of the EDPB and contribute actively to the discussions and drafting of documents published by the EDPB. The EDPS participates on a regular basis in the plenary and Expert subgroup meetings of the EDPB.


European Conference

The European Conference of data protection authorities of EU Member States and other European countries meets every year in spring. The Conference takes stock of important developments and usually adopts resolutions. The Conference set up the Working Party on Police and Justice, an advisory body on data protection in these areas.

Read more on the European Conference




The European Data Protection Supervisor (EDPS) is an independent supervisory authority established in accordance with Regulation (EU) No 2018/1725, on the basis of Article 16 TFEU.

The EDPS' mission is to ensure that the fundamental rights and freedoms of individuals - in particular their privacy - are respected when the EU institutions and bodies process personal data.

The EDPS is responsible for:

  • monitoring and ensuring the protection of personal data and privacy when EU institutions and bodies process the personal information of individuals;
  • advising EU institutions and bodies on all matters relating to the processing of personal information. We are consulted by the EU legislator on proposals for legislation and new policy developments that may affect privacy;
  • monitoring  new technology that may affect the protection of personal information;
  • intervening  before the Court of Justice of the EU to provide expert advice on interpreting data protection law;
  • cooperating  with national supervisory authorities and other supervisory bodies to improve consistency in protecting personal information.


EDPS Powers

Data protection authorities are empowered to conduct investigations, enquiries and inspections, either on their own initiative or on the basis of a complaint. Those are efficient tools to verify facts and collect more information where needed.

The EDPS, as a supervisory authority, is responsible for monitoring and ensuring the implementation of Regulation (EU) No 2018/1725. In this respect, the European Data Protection Supervisor has a lot of the same tasks and effective powers as the national supervisory authorities, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, powers to bring infringements of this Regulation to the attention of the Court of Justice and powers to engage in legal proceedings in accordance with the primary law. The powers of the EDPS are listed in article 58 of Regulation (EU) No 2018/1725, while his tasks can be found in article 57.


E-privacy Directive 2009/136/EC

Directive 2009/136/EC  which came into force in May 2011, concerns the processing of personal data and the protection of privacy in the electronic communications sector (pdf). It is usually referred to as the "E-privacy Directive" and is an amendment of Directive 2002/58/EC.

The E-privacy Directive covers processing of personal data and the protection of privacy including provisions on:

  • the security of networks and services;
  • the confidentiality of communications;
  • access to stored data;
  • processing of traffic and location data;
  • calling line identification;
  • public subscriber directories; and
  • unsolicited commercial communications ("spam").

The main changes to the 2002 Directive include a rule requiring the notification of data breaches (for instance someone whose personal data are lost, modified or accessed unlawfully while being treated by its electronic communications provider should be notified if this breach is likely to affect him/her negatively) and an extension of the Directive to also cover various electronic tags, strengthened enforcement rules, etc.