EDPB Work Programme 2024-2025

The European Data Protection Board (EDPB) is an independent European body established by the General Data Protection
Regulation (GDPR).
The EDPB has the following main tasks:
1. In line with the Article 29 of the EDPB Rules of Procedure. This Work Programme is valid from 8 October 2024 until 31 December 2025 and supersedes,
for the remaining part of 2024, the previous Work Programme 2023–2024.
2. https://www.edpb.europa.eu/system/files/2024-04/edpb_strategy_2024-2027_en.pdfEDPB
Work Programme
2024–2025
Adopted on 8 October 2024
• To issue opinions, guidelines, recommendations and best practices to promote
a common understanding of the GDPR and the Law Enforcement Directive (LED);
• To advise the European Commission on any issue related to the protection of personal data
in the Union;
• To contribute to the consistent application of the GDPR, in particular in cross-border data
protection cases; and
• To promote cooperation and the effective exchange of information and best practices
between national supervisory authorities.
The EDPB has developed a new work programme for 2024 and 2025 , the first of two which will implement the EDPB
Strategy for 2024–2027 . It is based on the priorities set out in the EDPB Strategy, and the needs identified by the members
as most important for stakeholders. 1
2
EDPB WORK PROGRAMME 2024-2025Developing further guidance on key issues and concepts of EU data protection law,
taking into account the practical experience of stakeholders as gathered through stakeholder
events and consultation. This guidance will cover a number of topics, including:
• Guidelines on anonymisation
• Guidelines on pseudonymisation
• Guidelines on legitimate interest*
• Guidelines on children’s data
• Guidelines on “consent or pay” models
• Guidelines on the processing of data for scientific research purposes
• Guidelines on data subject rights under the LED – right of access
• Follow-up on the implications of Judgment of the Court of Justice of the European Union
(CJEU) on Passenger Names Records (PNR)
• Document on Age verification criteria
Further develop information streams for a wider audience to complement the EDPB’s
technical and legally-focused publications (for non-experts and individuals, including
children). These may include factsheets which communicate a guideline’s core message
in an accessible way, further improvements and promotion of the EDPB Data Protection
Guide for Small Businesses , and other templates and checklists.KEY ACTION 1
KEY ACTION 2The EDPB will continue to provide concise, practical and clear guidance that is accessible to the relevant audience. In
addition, the EDPB will develop and promote tools for a wider audience and produce content that is accessible for non-
experts, SMEs and individuals, including particularly vulnerable data subjects such as children. As a further element
to pursue a consistent application and implementation of data protection law, the EDPB will continue supporting
the development of compliance measures, including through the engagement with stakeholders. The EDPB will also
continue to assess how personal data are being accessed and used by public authorities for law-enforcement purposes. Enhancing harmonisation
and promoting
compliancePILLAR
1
EDPB WORK PROGRAMME 2024-20253. CJEU judgment of 21 June 2022 C-817/19 Ligue des droits humains, regarding the implementation of the Directive (EU) 2016/681 on the
use of PNR in Member States (ECLI:EU:C:2022:491).
4. https://www.edpb.europa.eu/sme-data-protection-guide/home_en
*. These guidelines were already adopted in their version for public consultation at the October plenary meeting. 3
4Support the development and implementation of compliance measures for controllers
and processors, including:
Issuing opinions on:
• accreditation requirements for monitoring bodies of codes of conduct and for
certification bodies
• codes of conduct and on certification criteria , including the European
Data Protection Seal)
Engaging with stakeholders on compliance measures, including:
• collaboration concerning certification mechanisms pursuant to the GDPR
• cooperation on cybersecurity certification schemes
• interaction with key groups of stakeholders to raise awareness and foster their
understanding, for example, of how certification and codes of conduct can be
used
Advise the EU legislature on any important issue related to the protection of personal
data in the UnionKEY ACTION 3
KEY ACTION 46 5
5. Under Article 40(7) GDPR
6. Under Article 45(2) GDPR
EDPB WORK PROGRAMME 2024-2025Encourage and facilitate the use of the full range of cooperation tools enshrined
in Chapter VII of the GDPR and Chapter VII of the LED, continuously evaluating and
improving the efficiency and effectiveness of these tools, and further promoting a common
application of key concepts in the cooperation procedure. This will also include guidance
and work on a number of topics, including:
• Advice to the co-legislators on the Proposal on GDPR procedural rules and preparation of
the groundwork aimed to effectively apply the future regulation
• Guidelines on Article 61 GDPR – Mutual assistance
• Guidelines on Article 66 GDPR – Urgency procedure
• Update of the EDPB endorsed Article 29 Working Party Guidelines on the application and
setting of administrative fines for the purposes of the GDPR
• Development of commonly understood notions to enable a consistent and comparable
reporting of enforcement activities and facilitate statistics
• Assess the need to update the Internal EDPB Document 1/2021 on the application of
Article 62 GDPR – Joint Operations
Support enforcement and the exchanges of information and best practices, including:
• Implementing the Coordinated Enforcement Framework (CEF), including:
– The 2024 CEF on the implementation of the right of access by controllers
– A fourth coordinated action to be launched in 2025, on a topic to be determined once
the third action is completed
• Fostering identification of strategic cases for which cooperation will be prioritised
• Creating task forces, when needed, to provide operational platforms for cases requiring
cooperation on enforcement matters
• Continuing to develop and implement various actions and projects undertaken under the
Support Pool of Experts to provide material support to EDPB Members and to coordinate Reinforcing a common
enforcement culture
and effective
cooperation PILLAR
KEY ACTION 1
KEY ACTION 2The EDPB will further strengthen efforts to ensure effective enforcement of the GDPR and cooperation between the
members of the EDPB, building on its commitments made in the Vienna statement on enforcement cooperation and
on the opportunities arising from the future Regulation on GDPR procedural rules. The EDPB will actively endeavour
to fulfil its role as a forum for the regular exchange of information on ongoing cases, as well as continuing to support
the development of cooperation and enforcement tools, and the sharing of expertise. Efforts will also go to ensure the
smooth functioning of the consistency mechanism. 2
EDPB WORK PROGRAMME 2024-2025 exchanges between EDPB members on enforcement and inspection methodologies
• Continuing to develop EDPB secondment programme for staff exchanges between EDPB
members
• Organising trainings and workshops for EDPB members, such as on Certification, Binding
corporate rules or on enforcement matters
Ensure a robust functioning of the consistency mechanism, including by:
• Continuing to adopt opinions under Article 64(1) and (2) GDPR that are directly addressed
to national supervisory authorities and which aim to ensure consistency of their decisions
• Continuing to act as a dispute resolution body in disputes between EEA supervisory
authorities (Article 65 GDPR binding decisions) and by adopting decisions/opinions in
the context of urgency procedures under Article 66 GDPR
• Taking actions to ensure the application of the future Regulation on GDPR procedural
rules insofar as those rules concern the consistency mechanism
Evaluate and enhance the IT tools and systems used by the EDPB, including by:
• Exchanging and reviewing best practices in the use of the Internal Market Information
system (IMI)
• Developing an application to monitor GDPR procedures in IMI, and to automate statistics
and report generation by connecting to the existing IMI system’s API
• Evaluating and enhancing IT solutions provided by the EDPB SecretariatKEY ACTION 3
KEY ACTION 4
EDPB WORK PROGRAMME 2024-2025Continue to take an active role in relevant forums, including the DMA High Level Group
and the European Data Innovation Board.
Establish common positions and guidance in the cross-regulatory landscape on topics
including:
• Guidelines on the interplays between EU data protection law and other EU laws, including
separate guidelines for each of the AI Act, the Digital Services Act, the Digital Markets Act
• Position paper on the interplay between EU data protection and competition law
• Guidelines on the processing of personal data to target or deliver political advertisements
• Guidelines on transfers of personal data in the context of transfers of crypto assets
• Document concerning anti-money laundering and countering financing of terrorism
(AML/CFT) requirements, in particular on the information service providers used by
obliged entities in the context of the performance of their obligations in such sector.
Cooperate with other regulatory authorities on matters relating to data protection,
including competition authorities, consumer protection authorities and authorities
competent under other legal acts.
Monitor and assess new technologies, with the development of guidance to promote
a human-centric approach to topics including:
• Guidelines on generative AI – data scraping
• Document on the mandatory user accounts on online shopping websites
• Guidelines on telemetry and diagnostic data
• Guidelines on blockchain
• Guidelines on the use of social media by public bodiesPILLAR
KEY ACTION 1
KEY ACTION 2
KEY ACTION 3
KEY ACTION 4The EDPB will promote a consistent application of different regulatory frameworks and cooperation with other
regulatory authorities in the developing cross-regulatory and interdisciplinary landscape. The EDPB will also continue
to promote a human-centric approach to new technologies. 3
Safeguarding data protection
in the developing digital
and cross-regulatory
landscape
EDPB WORK PROGRAMME 2024-2025Engage and cooperate with the EU legislators and with other EU institutions and
bodies, including by reacting, where appropriate, to developments relating to the digital
euro and the financial data access and payments package.KEY ACTION 5Continue to work on the GDPR and LED data transfer mechanisms and provide further
guidance on their practical implementation. This will include:
• Opinions on and review of adequacy decisions
• Opinions on administrative arrangements
• Opinions on Binding Corporate Rules and streamlining the approval process
• Opinions on certification as a tool for transfers
• Opinions on standard contractual clauses and ad-hoc contractual clauses
• Guidelines on Article 48 GDPR
• Update of Referential for BCR Processor
Support the exchange of information and cooperation among EDPB members active
in international forums and continuing to engage with the international community
to promote high data protection standards.
Facilitate and strengthen cooperation between EDPB members and non-EU
authorities, increasing efforts related to the EDPB’s contributions on international
cooperation and supporting enforcement.PILLAR
KEY ACTION 1
KEY ACTION 2
KEY ACTION 3The EDPB will continue to promote a global dialogue on privacy and data protection, including a focus on the
international community supporting cooperation on enforcement between EU and non-EU authorities. The EDPB will
also continue working on GDPR and LED transfer mechanisms.4
Contributing to
the global dialogue
on data protection
EDPB WORK PROGRAMME 2024-2025