One of our core tasks is to supervise the EU institutions to help them be exemplary; public authorities must be beyond reproach when they process personal information.
Like any employer with over 40,000 members of staff, the EU institutions need to develop the procedures necessary for their effective management and smooth functioning. These might include evaluation and promotion of staff, access control to their buildings, working hours of employees, and policies to prevent sexual and psychological harassment.
In addition to employment matters, EU institutions also process personal information for other purposes. Their core business activities reflect the issues relevant to European society, from food safety to disease prevention and financial stability.
We also supervise Europol, the EU body actively cooperating with law enforcement authorities to combat international crime and terrorism.
In line with the principle of accountability, being compliant with data protection rules is primarily the responsibility of EU institutions.
To support them, we provide guidance on how to be compliant and make sure that the rules are applied as they should be; our approach is to trust and verify.
In practice this includes issuing guidelines, investigating complaints and checking risky processing operations.
The current data protection rules for the EU institutions are laid down in Regulation (EC) 45/2001 (the Regulation). The role and responsibilities for the EDPS’ supervision work are also outlined in the Regulation.
The Regulation is very similar to the data protection rules for the Member States; we carry out our supervision work in a similar way to the national data protection authorities in the EU countries.
This Regulation is about to change. In January 2017, the European Commission published a proposal for a new Regulation, to bring the rules for the EU institutions in line with those that apply to Member States under the General Data Protection Regulation (GDPR).
We are preparing so that the EU institutions, including the EDPS, are ready when the new rules come into force on 25 May 2018.
In anticipation of the likely changes and the approach of the GDPR, we have already begun to take these into account in our supervision work, for example, with a greater focus on accountability.
When EU institutions do not comply with the data protection rules, the EDPS can use the enforcement powers set out in the Regulation, such as:
If you think that your rights have been infringed by an EU institution processing your personal information, you can lodge a complaint with the EDPS to investigate it.
We recommend that you first contact that EU institution to resolve the issue.
Please note that the EDPS has no supervisory powers for handling complaints on the processing of personal information by national authorities or private organisations.
If your complaint concerns one of these, you should contact the data protection authority in that country.