European Data Protection Supervisor

Our role as a Supervisor
The European Data Protection Supervisor (EDPS) is the data protection authority for the European Union institutions, bodies and agencies (EU institutions).

One of our core tasks is to supervise the EU institutions to help them be exemplary; public authorities must be beyond reproach when they process personal information.

We do this by monitoring those activities that use (process) personal data or information. The personal data could be yours or that of anyone else who works for or with the EU, including visitors, contractors or beneficiaries of grants.

The EU institutions process personal information for many purposes. Their core business activities reflect the issues relevant to European society: from food safety to disease prevention and financial stability. We also supervise Europol, the EU body actively cooperating with law enforcement authorities to combat international crime and terrorism.

Additionally, as an employer of over 40,000 members of staff, the EU institutions need to develop the procedures necessary for their effective management and smooth functioning. These include the evaluation and promotion of staff, access control to their buildings, the working hours of employees, and policies to prevent sexual and psychological harassment.

In addition to employment matters, EU institutions also process personal information for other purposes, notably the core business activities described above.

In line with the principle of accountability, being compliant with data protection rules is primarily the responsibility of EU institutions.

To support them, we provide guidance on how to be compliant and make sure that the rules are applied as they should be; our approach is to trust and verify.

In practice this includes issuing guidelines, investigating complaints, responding to consultations from the EU institutions and conducting data protection audits.

The data protection rules for the EU institutions are laid down in Regulation (EU) 2018/1725 (the Regulation). It is largely identical to the GDPR applying to private companies and most public administrations in the Member States. The role and responsibilities for the EDPS’ supervision work are also outlined in the Regulation. We carry out our supervision work in a similar way to the national data protection authorities in the EU countries.

Data protection rules are nothing new for the EU institutions. Before the current Regulation, there was Regulation (EC) 45/2001, modeled on Directive 95/46/EC, the predecessor to GDPR. The EDPS has been supervising the EU institutions’ data protection compliance since it started operations in 2004.

How we carry out our supervision work

  • EU institutions consult us for advice via their Data Protection Officers (DPOs). In some cases these consultations are mandatory (e.g. prior consultation when EU institutions are not sure about the safeguards identified in a data protection impact assessment, or when drawing up internal rules restricting data subjects’ rights), while in others they are voluntary;
  • We give written or verbal advice to them either on request or on our own initiative:
      o Our written advice is contained in Opinions, comments, Decisions, letters or papers;
      o We provide general advice on topics that are relevant for all EU institutions in guidelines;
      o Our verbal advice is offered via our DPO telephone hotline (reserved for the EU institutions);
      o We also offer useful resources and documents to assist DPOs in general, for instance case-law and guidance, in a dedicated section on this website called DPO Corner;
  • We raise awareness about data protection in the EU institutions and provide training;
  • We conduct data protection audits to verify compliance in practice;
  • We deal with complaints from individuals relating to the processing of their personal data by the EU institutions;
  • We carry out inquiries, either following information received from third parties or on our own initiative;
  • We receive data breach notifications and follow up on them;
  • We carry out periodic surveys to gather statistics to benchmark and compare EU institutions;
  • Where our general or targeted stocktaking exercises highlight shortcomings, we may visit those institutions to encourage better compliance.

Enforcement

When EU institutions do not comply with the data protection rules, the EDPS can use the enforcement powers set out in the Regulation, such as:

  • Warn or admonish the EU institution which is unlawfully or unfairly processing your personal information;
  • Order the European institution to comply with requests to exercise your rights (e.g. access to your own data);
  • Impose a temporary or definitive ban on a particular data processing operation;
  • Impose an administrative fine on EU institutions;
  • Refer a case to the Court of Justice of the European Union.

Complaints

If you think that your rights have been infringed by an EU institution processing your personal information, you can lodge a complaint with the EDPS to investigate it. We recommend that you first contact that EU institution to resolve the issue. In many cases, you will be able to solve your issue at that level. Please note that the EDPS has no supervisory powers for handling complaints on the processing of personal information by national authorities or private organisations. If your complaint concerns one of these, you should contact the data protection authority in that country.

Personal data breach notification

From 12 December 2018, under Regulation (EU) 2018/1725, all European institutions and bodies have a duty to report certain types of personal data breaches to the EDPS. Every EU institution must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to pose a high risk of adversely affecting individuals’ rights and freedoms, the EU institution must also inform the individuals concerned without unnecessary delay.
