The European Data Protection Board (EDPB) has published its work program for the next two years. The program lists the guidelines, consistency opinions, and other types of activities the EDPB intends to carry out. The program is based on the needs identified by the EDPB as priority for individuals, stakeholders, as well as the EU legislator planned activities. The Guidelines due to be published over the coming two years include:

  • Guidelines on reliance on Art. 6(1) b in the context of online services (i.e. the contractual necessity legal basis)
  • Guidelines on concepts of controller and processor (Update of the WP29 Opinion)
  • Guidelines on the notion of legitimate interest of the data controller (Update of the WP29 Opinion)
  • Guidelines on the Territorial Scope of the GDPR (finalisation after the public consultation)

  • Guidelines on Codes of Conduct and Monitoring Bodies
  • Guidelines on delisting
  • Guidelines on PSD2 and GDPR
  • Guidelines on international transfers between public bodies for administrative cooperation purposes
  • Guidelines Certification and Codes of Conduct as a tool for transfers
  • Guidelines on Connected vehicles
  • Guidelines on Certification (finalisation after the public consultation)
  • Guidelines on video surveillance
  • Guidelines on Data Protection by Design and by Default
  • Guidelines on Targeting of social media users
  • Guidelines on children’s data
  • Guidelines on the powers of DPAs in accordance with Art. 47 of the Law Enforcement Directive
  • Guidelines on data subjects rights

The EDPB has also indicated that it may publish guidelines on other topics such as on: cross-border requests for e-evidence, and the interpretation of Article 48 GDPR (concerning requests from a court, tribunal or administrative authority in a third country to an EU controller or processor to transfer personal data).  In addition, the EDPB intends to publish an Opinion on the interplay between the GDPR & e-Privacy, an issue which has been causing companies some confusion.