COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation

1. This Communication from the European Commission evaluates the application and functioning of the General Data Protection Regulation (GDPR) in the EU Member States. The report was produced in accordance with Article 97 of the GDPR, which obliges the European Commission to report to the European Parliament and European Council two years after the date the GDPR was implemented (i.e. 25 May 2020) and every four years thereafter. As required by Article 97, the review must concentrate, in particular, on international transfers of personal data and the cooperation mechanism between national data protection authorities.
Summary of the Commission’s evaluation
2. The Commission notes that two years after it came into force, the GDPR has successfully met its objectives of strengthening the protection of the individuals’ rights to data protection and guaranteeing the free flow of personal data within the EU. The Commission says that the implementation of GDPR has begun a global trend and that some countries outside the EU are modelling their own laws on the EU’s high data protection standards. It also acknowledges that there have been some barriers to implementation across Member States and there is room for improvement in certain areas. Some of the key areas the Commission identifies for further development, and other areas it cites as examples of good practice, are summarised below.

Topic  Data 
Department  DCMS 
Council Reference   
COM Reference  COM(20)264 
SEC Reference   
PE Cons   
JOIN   
SWD  SWD(20)115 
C Reference   

Associated file(s)


  1. COM(20)264 - 459 KB - PDF
  2. EM COM(20)264 - 67 KB - pdf

Search by reference numbers or topic