Under Article 39(4) of Regulation (EU) 2018/1725, the EDPS shall adopt a list of the kinds of processing operations subject to a data protection impact assessment (DPIA). Under paragraph 5 of the same Article, the EDPS may adopt a list of the kinds of processing operations not subject to a DPIA. For further information on how to use this list, please see the Accountability on the ground toolkit.
Since the data protection implications of some functions common to all EU institutions, bodies and agencies are similar, we publish guidelines on specific subjects, such as recruitment, appraisals, use of IT equipment in the workplace and disciplinary procedures.
These consolidate the guidance from our prior check Opinions and consultations, and also include relevant guidance by the Article 29 Working Party and the case law of the European courts.
Our guidelines may be a useful source of inspiration for other organisations outside the EU institutions or may supplement the guidance offered by national data protection authorities.
Accountability on the ground: Guidance on documenting processing operations for EU institutions, bodies and agencies (EUIs). These documents provide provisional guidance for controllers and DPOs in the EUIs on how to generate records for their processing operations, how to decide whether they need to carry out data protection impact assessments (DPIAs), how to do DPIAs and when to do prior consultations with the EDPS (Articles 31, 39 and 40 of Regulation (EU) 2018/1725).
A provisional version of this text was published in February 2018. The current version 1.3 was published in July 2019.
As the independent advisor to the EU institutions and bodies under Regulation (EU) 2018/1725 on all matters concerning processing of personal data, the European Data Protection Supervisor (hereinafter, ‘the EDPS’) intends to issue Guidelines for assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data (hereinafter, ‘the Guidelines’).
The Guidelines complement the EDPS Necessity Toolkit and specify, having regard to the fundamental right to the protection of personal data enshrined under Article 8 of the Charter, the more wide-ranging guidance by the Commission and the Council to check compatibility of legislative measures with the Charter of Fundamental Rights of the European Union.
Through this exercise, the EDPS aims at assisting EU institutions and bodies in the task of ensuring that any limitation of the fundamental right to the protection of personal data is compliant with the requirements of EU primary law.
Before issuing the Guidelines in their final version, the EDPS is launching a stakeholders’ consultation on the draft version of the Guidelines, which you can find hereunder.
The deadline for receiving your input is 4 April 2019. The replies to the consultation should be sent to the Policy and Consultation Unit of the EDPS: POLICY-CONSULT@edps.europa.eu
EDPS guidelines on personal data breach notification for the European Union Institutions and Bodies.