European Data Protection Supervisor
European Data Protection Supervisor

The Data Protection Officer at the EDPS

The Data Protection Officer at the EDPS

The EDPS, like other EU institutions, bodies, agencies and offices (EU institutions), may process your personal data (also known as personal information) for a number of reasons, from dealing with public requests for information, staff matters, visitor information to the handling of complaints to name but a few.

All EU institutions, including the EDPS, are obliged to comply with the data protection law specifically applicable to them.

In addition to specifying the legal principles for processing personal data, the law provides that each EU institution must appoint at least one Data Protection Officer (DPO).

The task of the DPO is to ensure, in an independent manner, that the data protection law is applied in the institution.

The DPO is also required to keep a register of all the operations that involve the processing (collection, use and/or storage) of your personal data carried out by the institution.

The register has to be publicly accessible and must contain information explaining the purpose and conditions of the processing operations.

The role of the DPO at the EDPS presents many challenges: being independent within an independent institution, meeting the high expectations of colleagues who are particularly aware and sensitive about data protection issues, and delivering solutions that can serve as benchmarks for other institutions.

The EDPS’ own rules on the role of the DPO and how to implement the law reflect these specificities and take into account both the EDPS Position paper and the DPO Network Paper on Professional Standards for Data Protection Officers.

The existing data protection rules applicable to the EU institutions are being reformed to be brought in line with the General Data Protection Regulation. The new rules aim to make the EU institutions more accountable in the way they process personal data. In preparation for this, we have launched our own accountability project.

Massimo Attoresi

Data Protection Officer


Your rights when we process your personal data

When your personal information is processed by the EDPS (or any EU institution), you have the right to know about it.

You have the right to access the information and have it rectified without delay if it is inaccurate or incomplete.

You can ask to have it blocked under certain circumstances.

You can also object to it being processed if you think the processing is unfair and unlawful and ask for it to be deleted.

You can request that any of the above changes be communicated to other parties to whom your data have been disclosed.

You have also the right not to be subject to automated decisions (made solely by machines) affecting you, as defined by law.

These rights are outlined in Articles 13 to 19 of the current data protection Regulation 45/2001.

You can also read our factsheet for more information.

For more information about how the EDPS uses your personal data, for example when you visit our website or engage with us on social media, please go to our data protection notice page.


How to exercise your data protection rights at the EDPS

  • If the EDPS is processing your personal data and you would like to exercise your data protection rights, please send us a written request;
  • In principle, we cannot accept verbal requests (telephone or face-to-face) as we may not be able to deal with your request immediately without first analysing it and reliably identifying you;
  • You can send your request to the EDPS by post in a sealed envelope or use our contact form;
  • Your request should contain a detailed, accurate description of the data you want access to;
  • You must provide a copy of an identification document to confirm your identity, for example, an ID card or passport. The document should contain an identification number, country of issue, period of validity, your name, address and date of birth;
  • Any other data contained in the copy of the identification document such as a photo or any personal characteristics, may be blacked out;
  • Our use of the information on your identification document is strictly limited: the data will only be used to verify your identity and will not be stored for longer than needed for this purpose;
  • In principle, we will not accept other means of assuring your identity. Should you wish to propose alternatives, we will assess their adequacy on a case-by-case basis;
  • You can read our data protection notice for more information on how we deal with your personal data when handling a written request from you.