Article 58 of Regulation (EU) 2018/1725 confers the EDPS a wide range of powers for the performance of his tasks. The Europol Regulation, the EPPO Regulation and the Eurojust Regulation confer the EDPS specific powers.
When deciding on the use of our powers, we follow the approach that we consider to be the most likely to produce positive results for the data subjects, on a case-by-case basis. We choose from a scale ranging from providing informal advice to using our enforcement powers, including our investigative powers.
Our investigative powers include audits to verify compliance; we choose the targets of our audits from a risk-based annual plan. We also carry out investigations into topics of interest. The triggers for such investigations can be either information received from third parties (complaints, press reports, etc.) or our own initiative.
When EU institutions do not comply with the data protection rules, the EDPS can use corrective powers, such as:
- Warn or admonish the EU institution which is unlawfully or unfairly processing your personal information;
- Order the European institution to comply with requests to exercise your rights (e.g. access to your own data);
- Impose a temporary or definitive ban on a particular data processing operation;
- Impose an administrative fine on EU institutions;
- Refer a case to the Court of Justice of the European Union.