The European Data Protection Supervisor (EDPS) is the data protection authority for the European Union institutions, bodies and agencies (EU institutions).
The General Data Protection Regulation (GDPR) recognises and strengthens the powers of all data protection supervisory authorities to advise national parliaments, governments and other institutions and bodies on legislative and administrative measures relating to the protection of personal data.
Currently being revised to be brought in line with the GDPR, Regulation (EC) 45/2001 lays down the roles and responsibilities for the EDPS.
Our advisory mandate
In addition to our supervision of the EU institutions, the EDPS also has a role as advisor on data protection issues in a wide range of policy areas and all matters concerning the processing of personal data.
This broad mandate was confirmed by the Court of Justice of the European Union who said that the advisory role of the EDPS did not only extend to the processing of personal data by EU institutions (Orders of 17 March 2005 in the so-called PNR-cases).
A legislative proposal does not have to directly impact EU data protection rules in order to trigger scrutiny by the EDPS; it is enough that the proposal has implications for the fundamental right to data protection (as laid down in the EU Charter of Fundamental Rights).
Our objective is to ensure that data protection is integrated into proposals for legislation that affect privacy and personal data protection in the EU. We also advise on EU initiatives that are not legally binding (so-called EU soft law instruments).
To this end, we provide guidance on proposed legislation to both the European Commission, as the most frequent initiator and the European Parliament and the Council, as co-legislators.
Such proposals and initiatives may be necessary and supported politically. Nevertheless if there are data protection implications, our role is to ensure that these implications are addressed by policy makers before adoption to avoid a legal challenge of the legislation before the Court of Justice of the European Union and possibly being struck down.
Some guiding principles
- Similar to our approach in our supervision work, we aim to develop a culture of accountability whereby the institutions recognise their own responsibility to ensure the protection of personal data when developing new EU policies and legislation;
- We provide support to the EU institutions to be accountable: to help the legislators carry out their own assessment of proposed measures implying the processing of personal data, we have developed a toolkit on the concept of necessity;
- We aim to provide pragmatic advice by analysing the complexity of a proposal and take advantage of the experience gained in our supervision cases with the EU institutions; we look for constructive and workable solutions;
- As an advisor on all data protection matters at EU level, in addition to providing advice on a consultation by the Commission (or other institution), we also issue advice on our own initiative, when there is a matter of particular significance.
- We are not for or against any measure involving the processing of personal data and base our assessment and advice on the evidence justifying its need.
Read the EDPS Policy Paper of 2014 for more detail on our advisory role and proposed new legislation.
How do we carry out our advisory task?
- Each year, we publish a list of priorities for our policy and consultation work for the coming year. Our annual plan is based on the work programme of the European Commission; given the significant number of proposals adopted by the Commission each year, we are selective in our approach. In addition, the work programme of the Article 29 Working Party is an important point of reference.
- To be most effective, we provide input at an early stage of the legislative process. In accordance with a well-established practice, the EDPS is consulted by the European Commission before it adopts a proposal for new legislation that is likely to have an impact on individuals’ right to the protection of their personal data.
We reply to this prior consultation with informal comments. These contain our initial data protection recommendations before the proposal is formally adopted. We do not publish our informal comments.
- Our formal Opinions relate to proposals for legislation and are addressed to all three EU institutions involved in the legislative process, with the aim of flagging our main data protection concerns together with our recommendations. These Opinions are made public and are available to read on this website as well as the Official Journal of the EU.
We actively follow the developments in the European Parliament and the Council after providing advice, and we are available to them for further consultation during all stages of the legislative process (e.g. during meetings of shadow rapporteurs of the Parliament or of working groups of the Council).
- Our formal comments also address the data protection implications of proposals and soft law instruments in a different format to our Opinions. Our formal comments are available to read on this website.
- We may also intervene before the EU courts either at the Court’s invitation or on behalf of one of the parties in a case to offer our data protection expertise. At the Court of Justice of the European Union or the General Court, we can highlight specific data protection issues to ensure that individuals' fundamental rights to privacy and data protection are respected.
- The EDPS also monitors new technologies or other societal changes that may have an impact on data protection. Where appropriate we will issue an Opinion on our own initiative. However useful and attractive these technologies or changes may be, our aim is to highlight if the fundamental rights to protection of privacy and personal data in the EU are at risk and recommend ways to safeguard these rights.