On February 12, 2019, the European Data Protection Board (the “EDPB”) released its work program for 2019 and 2020 (the “Work Program”). Following the EDPB’s endorsement of the Article 29 Working Party guidelines and continued guidance relating to new EU General Data Protection Regulation (“GDPR”) concepts, the EDPB plans to shift its focus to more specialized areas and technologies.

The Work Program, which was designed based on priority areas for stakeholders, outlines a list of planned guidelines, consistency opinions and EDPB activities, as well as additional possible topics that the EDPB may tackle over the course of the next two years. The ambitious and very full Work Program seeks to deal with a range of topics, including:

International Transfers

  • Planned guidance on certifications and Codes of Conduct as a tool for transfers as well as on international transfers between public bodies for administrative cooperation purposes.
  • Finalizing the draft guidelines on the territorial scope of the GDPR.
  • The EDPB will also continue to provide opinions on relevant draft decisions from competent supervisory authorities on standard contractual clauses for international transfers under Article 46(2) GDPR, standard contractual clauses for processors under Article 28(8) GDPR and ad hoc contractual clauses for international transfers under Article 46(3) GDPR.
  • Other possible activities include guidance on the interaction between the Regulation on the free flow of non-personal data in the EU and the GDPR, an opinion on cross-border requests for e-evidence and further work on interoperability.

ePrivacy and Online Services

  • The EDPB plans to release a consistency opinion on the interplay between the GDPR and ePrivacy.
  • Guidance is planned on targeting social media users, video surveillance and connected vehicles.
  • The EDPB will also work on guidance relating to the use of contractual necessity as a legal basis for processing in the context of online services.
  • Other possible activity in this area includes work around blockchain and the use of new technologies, such as AI and connected assistants.

Individual Rights

  • Planned guidance on individual rights with an initial focus on rights of access, erasure, objection and restriction and limitations to these rights.
  • The EDPB will also work on guidelines relating to children’s data as well as guidance on delisting.


  • The EDPB plans to release its enforcement strategy and will also work on a reflection paper on international mutual assistance and other cooperation tools to enforce the GDPR outside the EU.
  • Guidance on the powers of supervisory authorities in accordance with Article 47 of the Law Enforcement Directive.
  • Other possible activity includes work regarding enforcement against controllers in third countries.

Financial Data and Regulation

  • Guidance is planned on the Revised Directive of Payment Services (PSD2) and its interaction with the GDPR.
  • Other possible activity surrounding financial data and regulation includes work around the use of credit cards for distant payments and post-transaction retention of card numbers, as well as e-invoices and the creation of centralized databases by the Ministry of Finance.

In addition to working on guidelines for previously unaddressed topics, the EDPB is planning to update the existing Article 29 Working Party Guidelines, including the concepts of controller and processor as well as the guidelines on the notion of legitimate interest of the controller.

To read about these planned activities along with all other topics the EDPB is planning to work on in 2019 and 2020, view the Work Program.