These EDPS Guidelines explore in greater depth, and provide relevant examples of, issues relating to the impact on the fundamental rights to privacy and the protection of personal data, focusing on and complementing in particular Tool#28 of the Commission Better Regulation Toolbox and the Operational Guidance on taking account of Fundamental Rights in Commission Impact Assessments. The Guidelines also complement the EDPS Necessity Toolkit.
Since the data protection implications of some functions common to all EU institutions, bodies and agencies are similar, we publish guidelines on specific subjects, such as recruitment, appraisals, use of IT equipment in the workplace and disciplinary procedures.
These consolidate our guidance from our prior check Opinions, consultations and also include relevant guidance by the Article 29 Working Party and the case law of the European courts.
Our guidelines may be a useful source of inspiration for other organisations outside the EU institutions or may supplement the guidance offered by national data protection authorities.
When processing personal data, EU institutions and bodies (EUIs) must comply with specific data protection rules. Depending on their role, their obligations differ. The following guidelines provide explanation and practical advice to EU institutions and bodies on how to comply with Regulation (EU) 2018/1725 (‘the Regulation’).
Information note on international data transfers after Brexit.
Under Article 39(4) of Regulation (EU) 2018/1725, the EDPS shall adopt a list of the kinds of processing operations subject to a data protection impact assessment (DPIA). Under paragraph 5 of the same Article, the EDPS may adopt a list of the kinds of processing operations not subject to a DPIA. For further information on how to use this list, please see the Accountability on the ground toolkit.