The EDPB report provides an overview of the work carried out by the EDPB in the last year.

International transfers of personal data received a great deal of attention from the EDPB over the past year. In 2021, the EDPB adopted its final version of the Recommendations on supplementary measures following the Schrems II ruling by the CJEU, taking on board the input received from stakeholders during public consultation. In addition, the EDPB adopted opinions on the UK draft adequacy decisions, under both the GDPR and the Law Enforcement Directive (LED), and an opinion on the draft adequacy decision for the Republic of Korea. The EDPB also adopted guidance documents on other international transfer tools, such as Codes of Conduct, and adopted joint opinions with the EDPS on the new sets of Standard Contractual Clauses (SCCs) issued by the European Commission for the transfer of personal data to controllers and processors established outside the EEA.

Important work was also carried out on digital policy. The EDPB and EDPS adopted joint opinions on the proposal for a Data Governance Act (DGA) and the draft Artificial Intelligence Act. It also adopted a statement on the Digital Service Package and Data Strategy.

Law Enforcement was another priority area for the EDPB in 2021. The EDPB adopt its first opinion on an adequacy decision under the LED, as well as recommendations on adequacy under the LED, aiming to standardise the procedure. In addition, the EDPB carried out an evaluation of the LED itself.

In 2021, the EDPB adopted eight sets of guidelines and recommendations, including on personal data breach notifications, connected vehicles and virtual voice assistants, as well as six sets of final version guidelines and recommendations.

On ensuring consistency in enforcement and cooperation between national authorities, the EDPB adopted 35 Article 64 GDPR consistency opinions, most of which concerned binding corporate rules and accreditation requirements for certification bodies and code of conduct monitoring bodies.

In July 2021, the EDPB adopted its first Article 66 GDPR Urgent Binding Decision following a request from the Hamburg supervisory authority (SA), which had adopted provisional measures against Facebook Ireland.

In the same month, the EDPB adopted its second Article 65 GDPR binding decision which sought to address the lack of consensus on certain aspects of a draft decision issued by the Irish SA, acting as lead SA, regarding WhatsApp Ireland and the subsequent objections expressed by several concerned supervisory authorities. To read EDPB’s press release in full and for a link to the Annual Report, click here.