The European Data Protection Supervisor (EDPS) is the data protection authority for the European Union institutions, bodies and agencies (EU institutions).
One of our core tasks is to supervise the EU institutions to help them be exemplary; public authorities must be beyond reproach when they process personal information.
We do this by monitoring those activities that use (process) personal data or information. The personal data could be yours or that of anyone else who works for or with the EU, including visitors, contractors or beneficiaries of grants, but not only.
The EU institutions process personal information for many purposes. Their core business activities reflect the issues relevant to European society: from food safety to disease prevention and financial stability. We also supervise EU institutions active in the police and justice area, namely Europol, the EU body actively cooperating with law enforcement authorities to combat international crime and terrorism, and Eurojust, the EU body supporting and improving the coordination and cooperation between the competent judicial authorities of Member States on matters of serious organised crime, and the European Public Prosecutor Office (EPPO), the EU body responsible for investigating, prosecuting and bringing to judgment the perpetrators of criminal offences affecting the financial interests of the EU.
Additionally, as an employer of over 40,000 members of staff, the EU institutions need to develop procedures necessary for their effective management and smooth functioning. These include evaluation and promotion of staff, access control to their buildings, working hours of employees, policies to prevent sexual and psychological harassment.
In line with the principle of accountability, being compliant with data protection rules is primarily the responsibility of EU institutions.
To support them, we provide guidance on how to be compliant and make sure that the rules are applied as they should be; our approach is to trust and verify.
In practice this includes issuing guidelines, investigating complaints, responding to consultations from the EU institutions and conducting data protection audits.
The data protection rules for the EU institutions are laid down in Regulation (EU) 2018/1725 (the Regulation). It is largely identical to the GDPR applying to private companies and most public administrations in the Member States. Specific rules are set out in the founding Regulations of EU bodies active in the police and justice area (Europol, Eurojust, the European Public Prosecutor Office).
The role and responsibilities for the EDPS’ supervision work are also outlined in the respective Regulations. We carry out our supervision work in a similar way to the national data protection authorities in the EU countries.
Data protection rules are nothing new for the EU institutions. Before the current Regulation, there was Regulation (EC) 45/2001, modelled on Directive 95/46/EC, the predecessor to GDPR. The EDPS has been supervising the EU institutions’ data protection compliance since it started operations in 2004.
How we carry out our supervision work
- EU institutions consult us for advice via their Data Protection Officers (DPOs). In some cases these consultations are mandatory (e.g. prior consultation when EU institutions are not sure about the safeguards identified in a data protection impact assessment or when drawing up internal rules restricting data subjects’ rights), while in others, they are voluntary;
- We give written or verbal advice to them either on request or on our own initiative:
o We provide general advice on topics that are relevant for all EU institutions in guidelines;
o Our verbal advice is offered via our DPO telephone hotline (reserved for the EU institutions);
- We raise awareness about data protection in the EU institutions and provide training;
- We conduct data protection audits to verify compliance in practice;
- We deal with complaints from individuals relating to the processing of their personal data by the EU institutions;
- We carry out investigations, either following information received from third parties or on our own initiative.
- We receive data breach notifications and follow up on them.
- We carry out periodic surveys to gather statistics to benchmark and compare EU institutions;
- Where our general or targeted stocktaking exercises highlight shortcomings, we may visit those institutions to encourage better compliance;
The EDPS has a wide range of powers for the performance of his tasks.
If you think that your rights have been infringed by an EU institution processing your personal information, you can lodge a complaint with the EDPS to investigate it. We recommend that you first contact that EU institution to resolve the issue. In many cases, you will be able to solve your issue at that level. Please note that the EDPS has no supervisory powers for handling complaints on the processing of personal information by national authorities or private organisations. If your complaint concerns one of these, you should contact the data protection authority in that country.
Personal data breach notification
From 12 December 2018, under Regulation (EU) 1725/2018 all European institutions and bodies have a duty to report certain types of personal data breaches to the EDPS. Every EU institution must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to pose a high risk of adversely affecting individuals’ rights and freedoms, the EU Institution must also inform the individuals concerned without unnecessary delay.