The European Data Protection Supervisor (EDPS) is the data protection authority for the European Union institutions, bodies and agencies (EU institutions).
The General Data Protection Regulation (GDPR) recognises and strengthens the powers of all data protection supervisory authorities to advise national parliaments, governments and other institutions and bodies on legislative and administrative measures relating to the protection of personal data. Similarly, Regulation (EU) 2018/1725 lays down the tasks and responsibilities of the EDPS in terms of legislative consultation.
Our advisory mandate
In addition to our supervision of the EU institutions, the EDPS also has a role as advisor on all matters relating to the processing of personal data.
The new Regulation 2018/1725 strengthens the consultative role of the EDPS, in line with the GDPR on the one hand, and consolidating the practices developed over the past 10+ years on the basis of Article 28(2) of Regulation 45/2001 on the other hand.
In particular, Article 42(1) explicitly requires the Commission to consult the EDPS following the adoption of proposals for a legislative act, of recommendations and of proposals to the Council pursuant to Article 218 TFEU (i.e. international agreements) or when preparing delegated acts or implementing acts with “an impact on the protection of individuals’ rights and freedoms with regard to the processing of personal data”. Such advice has to be provided within eight weeks. Article 42(2) provides for the possibility to issue joint opinions with the European Data Protection Board (EDPB).
Our approach
We constructively engage with the Commission and with the EDPB to ensure appropriate procedures are put in place to facilitate the application of this consultation obligation in practice.
We also continue our mission to provide advice to the EU legislator on other initiatives (e.g. soft law, communications and other policy instruments, positions of the EU and its institutions and bodies in international fora) that affect fundamental rights to personal data protection and privacy. We remain at the disposal of the European Parliament, the Council and the Commission in order to provide advice at any stage of the decision-making process.
Some guiding principles
- Similar to our approach in our supervision work, we aim to develop a culture of accountability whereby the institutions recognise their own responsibility to ensure the protection of personal data when developing new EU policies and legislation;
- We provide support to the EU institutions to be accountable: to help the legislators carry out their own assessment of proposed measures implying the processing of personal data, we have developed a toolkit on the concept of necessity;
- We aim to provide pragmatic advice by analysing the complexity of a proposal and take advantage of the experience gained in our supervision cases with the EU institutions; we look for constructive and workable solutions;
- As an advisor on all data protection matters at EU level, in addition to providing advice on a consultation by the Commission (or other institution), we also issue advice on our own initiative, when there is a matter of particular significance.
- We are not for or against any measure involving the processing of personal data and base our assessment and advice on the evidence justifying its need.
How do we carry out our advisory task?
- Pursuant to recital 60 to the new Regulation 2018/1725, the Commission should endeavour to consult the EDPS “when preparing proposals or recommendations”. We therefore remain at the disposal of the Commission services, as it was the case in the past, to be consulted informally at an early stage of internal decision-making procedures, so as to be able to address any data protection issues in the most efficient manner. We do not publish our informal comments.
- Our Opinions and EDPS-EDPB Joint Opinions relate to proposals for legislation and are addressed to all three EU institutions involved in the legislative process, with the aim of flagging our main data protection concerns together with our recommendations. These Opinions are made public and are available to read on this website. Summaries of the EDPS Opinions are also published in the Official Journal of the EU. We actively follow the developments in the European Parliament and the Council after providing advice, and we are available to them for further consultation during all stages of the legislative process (e.g. during meetings of shadow rapporteurs of the Parliament or of working groups of the Council).
- Our formal comments also address the data protection implications of proposals and soft law instruments in a different format to our Opinions. Our formal comments are available to read on this website.
- We may also intervene before the EU courts either at the invitation of the Court of justice of the EU or on behalf of one of the parties in a case to offer our data protection expertise. At the Court of Justice or the General Court, we can highlight specific data protection issues to ensure that individuals' fundamental rights to privacy and data protection are respected.
- The EDPS also monitors new technologies or other societal changes that may have an impact on data protection. Where appropriate we issue an Opinion on our own initiative. However useful and attractive these technologies or changes may be, our aim is to highlight if the fundamental rights to protection of privacy and personal data in the EU are at risk and recommend ways to safeguard these rights.