General information

The European Data Protection Board (EDPB) is the EU body responsible for the application of the General Data Protection Regulation (GDPR) as from May 25th 2018. The Board replaced the Article 29 Data Protection Working Party, established under Directive 95/46/EC. Established in Art. 68 of the GDPR as a body of the European Union with legal personality. The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives. The European Commission shall have the right to participate in the activities and meetings of the Board without voting right. The Board’s Secretariat is provided by the EDPS.

According to Article 70 of the GDPR the Board shall in particular:

  1. monitor and ensure the correct application of the GDPR;
  2. advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of the GDPR;
  3. advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules
  4. issue guidelines, recommendations, and best practices on procedures on the relevant issues of the GDPR;
  5. encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks;
  6. provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international organisation, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international organisation no longer ensures an adequate level of protection;
  7. issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism;
  8. promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities;
  9. promote common training programmes and facilitate personnel exchanges between the supervisory authorities;

It should also be pointed out that the GDPR grants the European Data Protection Board full independence for the purposes of fulfilling the obligations imposed by the Regulation. Article 69 of the GDPR informs that the Board shall act independently when performing its tasks or exercising its powers and it shall, in the performance of its tasks or the exercise of its powers, neither seek nor take instructions from anybody.

More information is available at the Board’s website at