As part of our supervisory work, we carry out audits in the EU institutions.
Inspections allow us to verify how data protection is applied in practice at an EU institution.
We choose to inspect an EU institution by taking into account a number of factors, including the results of our risk analysis, whether special categories of data are processed, the time elapsed since the last audit and whether there has been an increase in the number of complaints.
We also ensure that we cover institutions, bodies and agencies of all sizes in our annual audit planning.
Audits or other on-site checks (for example, as part of our investigations) may also be triggered by complaints, if they require verification on the spot.
Our supervisory work also requires us to regularly audit several large-scale IT systems: at least every four years for the Visa Information System and the Schengen Information System and at least every three years for EURODAC.
Our audit reports are not made public, but we do periodically summarise them, for instance in our newsletter and annual report.
The EDPS has published guidance to EU institutions and bodies (“EUIs”) regarding the records of processing operations. The EDPS had previously clarified that making the register “publicly available” means publication on the internet. While the EDPS had initially announced May 2020, i.e. two years after the entry into force of the GDPR, as the target date for implementation of this obligation, the EDPS noticed upon entry into force of Regulation 2018/1725 that the new Regulation contained no grace period regarding this obligation.