European Data Protection Supervisor
European Data Protection Supervisor

Our role as a supervisor

Our role as a supervisor


Our role as a Supervisor
The European Data Protection Supervisor (EDPS) is the data protection authority for the European Union institutions, bodies and agencies (EU institutions).

One of our core tasks is to supervise the EU institutions to help them be exemplary; public authorities must be beyond reproach when they process personal information.

We do this by monitoring those activities that use (process) personal data or information. The personal data could be yours or that of anyone else who works for or with the EU, including visitors, contractors or beneficiaries of grants.

As any employer of over 40,000 members of staff, the EU insti­tutions need to develop proce­dures necessary for their effective management and smooth functioning. These might include eval­uation and promotion of staff, access control to their buildings, working hours of employees, poli­cies to prevent sexual and psychological harass­ment.  

In addition to employment matters, EU institutions also process personal information for other purposes. Their core business activities reflect the issues relevant to Euro­pean society; from food safety to disease preven­tion and financial stability.

We also supervise Europol, the EU body actively cooperating with law enforcement authorities to combat international crime and terrorism.

In line with the principle of accountability, being compliant with data protection rules is primarily the responsibility of EU institutions.

To support them, we provide guidance on how to be compliant and make sure that the rules are applied as they should be; our approach is to trust and verify.

In practice this includes issuing guidelines, investigating complaints and checking risky processing operations.

The current data protection rules for the EU institutions are laid down in Regulation (EC) 45/2001 (the Regulation). The role and responsibilities for the EDPS’ supervision work are also outlined in the Regulation.

The Regulation is very similar to the data protection rules for the Member States; we carry out our supervision work in a similar way to the national data protection authorities in the EU countries.

This Regulation is about to change. In January 2017, the European Commission published a proposal for a new Regulation, to bring the rules for the EU institutions in line with those that apply to Member States under the General Data Protection Regulation (GDPR).

We are preparing so that the EU institutions, including the EDPS, are ready when the new rules come into force on 25 May 2018.

In anticipation of the likely changes and the approach of the GDPR, we have already begun to take these into account in our supervision work, for example, with a greater focus on accountability.


How we carry out our supervision work

  • EU institutions consult us via their Data Protection Officers (DPOs) for advice when drawing up measures or internal rules that involve the processing of personal data;
  • We give written or verbal advice to them either on request or on our own initiative
  • We raise awareness about data protection in the EU institutions and provide training;
  • We conduct on-site inspections to verify compliance in practice;
  • We deal with complaints from individuals relating to the processing of their personal data by the EU institutions;
  • Before introducing a risky processing operation, EU institutions have to notify it to us, so that we can prior-check it and give advice to improve or stop it where necessary;
  • We carry out periodic surveys to gather statistics to benchmark and compare EU institutions;
  • Where our general or targeted stocktaking exercises highlight shortcomings, we may visit those institutions to encourage better compliance;
  • We carry out inquiries, either following information received from third parties or on our own initiative.



When EU institutions do not comply with the data protection rules, the EDPS can use the enforcement powers set out in the Regulation, such as:

  • Warn or admonish the European institution which is unlawfully or unfairly processing your personal information;
  • Order the European institution to comply with requests to exercise your rights (e.g. access to your own data);
  • Impose a temporary or definitive ban on a particular data processing operation;
  • Refer a case to the Court of Justice of the European Union.



If you think that your rights have been infringed by an EU institution processing your personal information, you can lodge a complaint with the EDPS to investigate it.

We recommend that you first contact that EU institution to resolve the issue.

Please note that the EDPS has no supervisory powers for handling complaints on the processing of personal information by national authorities or private organisations.

If your complaint concerns one of these, you should contact the data protection authority in that country.