Some of the procedures that EU institutions put in place pose risks to the data protection rights and freedoms of individuals.
EU institutions are obliged by the Regulation to notify us before putting in place these risky procedures or data processing operations. They are not required to notify us each time the processing takes place.
Article 27(1) of Regulation (EC) No 45/2001 outlines the types of processing that should be notified to us:
Where an EU institution is unsure whether to notify us, its data protection officer can consult us for advice.
Once we have received a notification, we issue recommendations as required, to help the EU institutions make the procedure comply with the data protection rules. Our follow-up work includes verifying that our recommendations have been implemented by the institution.
In general, our prior checking Opinions are public, but where necessary we may delete sensitive elements, for example those relating to security.
On average we receive around 130 such notifications per year.