In line with the principle of accountability, EU institutions with the support of their DPOs are primarily responsible for complying with their data protection obligations.
To support them, the EDPS provides guidance on how to be compliant and we make sure that the rules are applied as they should be; our approach is to trust and verify.
When complex or novel issues arise, we will offer advice as necessary to guide them through the complexities and ensure compliance.
Article 57(1)(g) of Regulation (EU) 2018/1725 outlines that EU institutions and DPOs can consult the EDPS for advice when drawing up measures or internal (administrative) rules that involve the processing of personal information, if they are complex or may pose risks to the rights and freedoms of individuals.
In any case, the EU institutions are obliged to inform or consult the EDPS when they adopt administrative rules that involve the processing of personal data (Article 41 of Regulation (EU) 2018/1725), regardless of the level of risk.
We have issued a policy paper to guide EU institutions and bodies as to when they must consult us.
Our Opinions on administrative consultations have covered a diverse range of subjects, such as the publication of personal data on the internet, the use of email in the workplace, transfers of personal data to non-EU countries and the billing of individual users for non-work-related phone calls.
Not all of our replies to consultations are made public; those that we believe are useful for other institutions and the persons affected are published on this website.
In addition, some of the measures we are consulted on are sensitive and must therefore be treated confidentially.