European Data Protection Supervisor

Guidelines

Since the data protection implications of some functions common to all EU institutions, bodies and agencies are similar, we publish guidelines on specific subjects, such as recruitment, appraisals, use of IT equipment in the workplace and disciplinary procedures.  

These consolidate the guidance given in our prior-check Opinions and consultations, and also include relevant guidance by the Article 29 Working Party and the case law of the European courts.

Our guidelines may be a useful source of inspiration for other organisations outside the EU institutions or may supplement the guidance offered by national data protection authorities.


01/09/2020

Orientations from the EDPS: Body temperature checks by EU institutions in the context of the COVID-19 crisis

A number of European institutions, agencies and bodies (EUIs) have implemented body temperature checks as part of the health and safety measures adopted in the context of their “return to the office” strategy as an appropriate complementary measure, among other necessary health and safety measures, to help prevent the spread of COVID-19 contamination.

At the same time, systematic body temperature checks of staff and other visitors to filter access to EUIs’ premises may constitute an interference with individuals’ rights to private life and/or personal data protection. The EDPS observes that body temperature checks can be implemented through a variety of devices and processes, which should be subject to careful assessment. The EDPS has decided to issue the present orientations to help EUIs and Data Protection Officers (DPOs) meet the requirements of Regulation (EU) 2018/1725 (the Regulation), where applicable.

15/07/2020

Orientations from the EDPS: Reactions of EU institutions as employers to the COVID-19 crisis

The European institutions, bodies and agencies have had to react to the COVID-19 crisis not only in their policy roles, but also in their roles as employers. Changes in operations, such as moving the vast majority of staff to remote working, have raised numerous questions on which EUIs consulted the EDPS.

This document compiles the advice given on questions such as teleworking tools, staff management, health data aspects and replying to data subject access requests. 

This document builds on the experience of the past months and addresses the issues raised to us or encountered by us; it remains relevant because telework will most likely be a big part of the ‘new normal’ for EUIs’ work.

24/06/2020

Guidance on Art. 25 of the Regulation 2018/1725

EDPS Guidance on Article 25 of the Regulation 2018/1725 and internal rules updated on 24 June 2020.

31/01/2020

Guidelines on personal data and electronic communications in the EU institutions (eCommunications guidelines)

Revised guidelines on personal data and electronic communications in the EU institutions (eCommunications guidelines).

2015 guidelines on eCommunications are available here.

19/12/2019

Assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data.

These EDPS Guidelines explore in greater depth, and provide relevant examples of, issues relating to the impact on the fundamental rights to privacy and the protection of personal data, focusing on and complementing in particular Tool#28 of the Commission Better Regulation Toolbox and the Operational Guidance on taking account of Fundamental Rights in Commission Impact Assessments. The Guidelines also complement the EDPS Necessity Toolkit.

17/12/2019

Guidelines on processing personal information within a whistleblowing procedure

The following guidelines are an update of the guidance on whistleblowing published in July 2016.

07/11/2019

Concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725

When processing personal data, EU institutions and bodies (EUIs) must comply with specific data protection rules. Depending on their role, their obligations differ. The following guidelines provide explanation and practical advice to EU institutions and bodies on how to comply with Regulation (EU) 2018/1725 (‘the Regulation’).

18/07/2019

International data transfers after Brexit

Information note on international data transfers after Brexit.

17/07/2019

Data Protection Impact Assessment List

Under Article 39(4) of Regulation (EU) 2018/1725, the EDPS shall adopt a list of the kinds of processing operations subject to a data protection impact assessment (DPIA). Under paragraph 5 of the same Article, the EDPS may adopt a list of the kinds of processing operations not subject to a DPIA. For further information on how to use this list, please see the Accountability on the ground toolkit.

16/07/2019

Accountability on the ground: Guidance on documenting processing operations for EU institutions, bodies and agencies

Accountability on the ground: Guidance on documenting processing operations for EU institutions, bodies and agencies (EUIs). These documents provide provisional guidance for controllers and DPOs in the EUIs on how to generate records for their processing operations, how to decide whether they need to carry out data protection impact assessments (DPIAs), how to do DPIAs, and when to do prior consultations with the EDPS (Articles 31, 39 and 40 of Regulation (EU) 2018/1725).

A provisional version of this text was published in February 2018. The current version 1.3 was published in July 2019.

Summary (PDF)
Part I: Records and threshold assessment (PDF)
Part II: DPIAs and prior consultation (PDF)

25/02/2019

EDPS Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data

As the independent advisor to the EU institutions and bodies under Regulation (EU) 1725/2018 on all matters concerning processing of personal data, the European Data Protection Supervisor (hereinafter, ‘the EDPS’) intends to issue Guidelines for assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data (hereinafter, ‘the Guidelines’).

The Guidelines complement the EDPS Necessity Toolkit and specify, having regard to the fundamental right to the protection of personal data enshrined under Article 8 of the Charter, the more wide-ranging guidance by the Commission and the Council to check compatibility of legislative measures with the Charter of Fundamental Rights of the European Union.

Through this exercise, the EDPS aims at assisting EU institutions and bodies in the task of ensuring that any limitation of the fundamental right to the protection of personal data is compliant with the requirements of EU primary law.

Before issuing the Guidelines in their final version, the EDPS is launching a stakeholders’ consultation on the draft version of the Guidelines, which you can find hereunder.

The deadline for receiving your input is 4 April 2019. The replies to the consultation should be sent to the Policy and Consultation Unit of the EDPS: POLICY-CONSULT@edps.europa.eu

07/12/2018

Guidelines on Personal Data Breach Notification

EDPS guidelines on personal data breach notification for the European Union Institutions and Bodies.

23/03/2018

IT governance and IT management

Guidelines on the protection of personal data in IT governance and IT management of EU institutions.

16/03/2018

Guidelines on the use of cloud computing services by the European institutions and bodies

The EU institutions, bodies and agencies (“the EU institutions”) have been considering the use of cloud computing services because of advantages such as cost savings and flexibility gains. They are nevertheless faced with the specific risks that the cloud computing paradigm involves and remain fully responsible for their data protection obligations. For cloud services, the EU institutions should ensure a level of protection of personal data equivalent to that for any other type of IT infrastructure model.

15/01/2018

Articles 14-16 of the new Regulation 45/2001: Transparency rights and obligations

EDPS Guidance on Articles 14 - 16 of the proposal for a Regulation on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

18/11/2016

Administrative Inquiries and Disciplinary Procedures

Guidelines on processing personal information in administrative inquiries and disciplinary proceedings

07/11/2016

Mobile Applications

Guidelines on the protection of personal data processed by mobile applications provided by European Union institutions

07/11/2016

Web Services

Guidelines on the protection of personal data processed through web services provided by EU institutions

18/07/2016

Whistleblowing Procedure

Guidelines on processing personal information within a whistleblowing procedure

21/03/2016

Security Measures for Personal Data Processing

Guidance on Security Measures for Personal Data Processing - Article 22 of Regulation 45/2001