Review of the European Data Protection Supervisor’s 2024 Budget and Activities

The European Parliament's Decision on the EDPS

The European Parliament has approved the European Data Protection Supervisor’s (EDPS) work and spending for the 2024 financial year. This approval, known as a “discharge,” means Parliament trusts that the EDPS used its funds legally, regularly, and efficiently. The decision also includes specific comments and observations for the EDPS to consider in the future.

What is the EDPS?

The EDPS is an independent authority responsible for ensuring that EU institutions—such as the Commission, Parliament, and Council—respect data protection rules. Its role includes:

• Giving advice on new EU laws that affect data protection.
• Helping individuals who believe their data rights have been violated.

Financial Overview

The EDPS received approval for a total budget of €24.3 million for 2024, representing a 7% increase from the previous year.

In terms of spending:

• The EDPS planned to spend 96% of its budget, and 91.9% of the money was overall executed.
• IT spending increased by 10% to cover cybersecurity and new tools.

Performance Highlights

The EDPS reported several key activities during 2024:

• Complaints: 663 complaints were received, though most were found to be inadmissible.
• Decisions: The EDPS finalized 77 decisions on complaints, a 33% increase from the previous year.
• Investigations: The office conducted multiple investigations, including a major one into Microsoft 365, where violations were found and a data flow stop was ordered.
• Audits: Audits were conducted focusing on sensitive areas like health data, data retention, and research involving minors.

Operational Areas

The EDPS reported on several internal and external functions:

• Staffing: The total staff increased by 6% to 137 people. However, the text noted that there is a need for more permanent staff and better retention strategies.
• Technology: The EDPS is upgrading to new IT systems and working on a cloud solution. IT spending rose to support cybersecurity efforts.
• Governance: The EDPS passed a full internal-control audit, confirming that all standards were met.
• Sustainability: The office uses a smart building with solar panels and promotes sustainable travel, with most travel occurring within the EU by train or video conference.
• Outreach: The EDPS increased spending on communication and organized major events, including Data Protection Day and a civil-society summit.

Key Areas for Improvement

The Parliament highlighted several areas where the EDPS should focus its efforts:

• Resources: The EDPS needs more resources to handle its growing duties related to Artificial Intelligence (AI).
• Complaints: The number of complaints is rising, requiring the EDPS to improve its handling time and transparency.
• Staffing: There is a need for more permanent staff and better strategies to keep employees.
• Digital Tools: The EDPS must secure enough IT staff to manage its own systems and keep pace with new technologies.
• Accountability: The EDPS should publish a list of all meetings held with interest groups to strengthen accountability.
• Environment: The office should aim for EMAS certification and continue reducing its carbon footprint.

Broader context

The discharge procedure is an annual ritual in the EU where the European Parliament reviews how every EU institution spent its budget the previous year. It is one of Parliament's main tools to hold EU bodies accountable. A refusal to grant discharge would be a serious political signal — it has happened before (most famously with the European Commission in 1999, which led to the entire Commission resigning).

The EDPS was created by a 2001 EU regulation and became fully operational in 2004. Its role grew significantly after the General Data Protection Regulation (GDPR) came into force in 2018, which set strict rules on how organisations handle personal data. The EDPS enforces these rules specifically for EU institutions — national data protection authorities handle companies and public bodies within each member state.

The mention of the Microsoft 365 investigation fits into a broader pattern: the EU has repeatedly clashed with US tech companies over data transfers to the United States, because US surveillance laws may allow American authorities to access that data, potentially violating EU privacy rights.

Impact on people living in the EU

If you are an EU resident and believe that an EU institution (not a company or your national government) has misused your personal data — for example, the European Commission shared your information without consent — you can file a complaint with the EDPS. In 2024, 663 people did exactly that.

The EDPS's investigation into Microsoft 365 is directly relevant to everyday life: many EU institutions use this software for emails, documents, and meetings. The finding that its use violated data-protection rules means EU institutions are being pushed to change how they use such tools, which could eventually affect staff and citizens who interact with those institutions.

The EDPS is also preparing guidelines on generative AI (tools like chatbots) for EU institutions. These guidelines will shape how EU bodies are permitted to use AI when processing citizens' data — an area with growing practical importance as AI tools become common in public administration.

Finally, the EDPS participates in overseeing large EU border and visa databases (Visa Information System, ETIAS). These systems store biometric and travel data on millions of people entering the EU, so independent oversight of them directly affects travellers' privacy rights.