Author: Stephanie Schiedermair
1. The Board shall draw up an annual report regarding the protection of natural persons with regard to processing in the Union and, where relevant, in third countries and international organisations. The report shall be made public and be transmitted to the European Parliament, to the Council and to the Commission.
2. The annual report shall include a review of the practical application of the guidelines, recommendations and best practices referred to in point (l) of Art. 70 para. 1 as well as of the binding decisions referred to in Art. 65.
I. Background
Report-related duties were imposed by the DPD (Art. 30 para. 6), under which the Art. 29 WP was required to prepare an annual report including two key items of information: the matters tackled by the Art. 29 WP (during a given year); and relevant developments in Member States (referring to law, including case law, and the activities of SAs). Moreover, Art. 33 DPD imposed on the Comm an obligation to report on the implementation of the DPD. Furthermore, the CJEU has dealt with the duty to report in Comm v Federal Republic of Germany: SAs may be compelled by the legislator to report to the parliament.
The report required by the GDPR Art. 71 para. 1 is, in essence, the same as that of the DPD. Yet, the GDPR, aimed at enhancing transparency and accountability, added: a specific reference to ‘international organisations’ (in Art. 71 para. 1); and the obligation under Art. 71 para. 2 of reviewing the ‘practical application of the guidelines, recommendations and best practices referred to in point (l) of Art. 70 para. 1 as well as of the binding decisions referred to in Art. 65’.
II. Analysis
The mandatory duties of the EDPB include drawing up an annual report on the protection of natural persons with regard to processing in the Union and in third countries and international organisations. The report must be made public by the Board and transmitted to the EP, the Council and the Comm. The annual report is one of the mandatory duties of the Board, whose function as a communication platform also implies a duty to perform public relations work. The Board is in principle free to determine the structure of its annual report. The annual report must, however, include a review of the practical application of the guidelines, recommendations and best practices referred to in lit. l of Art. 70 para. 1, as well as of the binding decisions referred to in Art. 65. This means that the report is based on the Board’s key duty to make a considerable contribution to the uniform application of the GDPR. At the same time, the report serves to further develop data protection, not only with regard to such protection in the EU, but also in terms of international protection. As a result, same as the report of the Art. 29 WP, the annual report is a status report on data protection within the Union.