Remote audit on Article 25

Regarding the remote audit on Article 25 (case 2021-0165) launched on 13 April 2021, WORD version of Annex 4 and Annex 5 of the Announcement Letter are available below.

Fundamental rights, enshrined in the Charter of Fundamental Rights of the European Union (‘Charter’), constitute the core values of the European Union. The conditions for possible limitations on the exercise of fundamental rights are of utmost importance, because they determine the extent to which the rights can effectively be enjoyed. Article 52(1) of the Charter states that any limitation on the exercise of the right to personal data protection (Article 8 of the Charter) must be necessary for an objective of general interest or to protect the rights and freedoms of others. In matters relating to the operation of the Union institutions and bodies (`EUIs´), Article 25 of Regulation (EU) 1725/2018 (`Regulation´) states that Internal Rules may restrict the application of data subjects´ rights, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard a certain number of legally protected interests. 

This remote audit aims at understanding how EUIs have taken into account the recommendations issued by the EDPS when drafting their Internal Rules. It further looks into the application of these Internal Rules in practice by examining actual cases of EUIs restricting data subjects´ rights. In assessing compliance, the EDPS takes into account in particular the EDPS Guidance on Article 25 of the Regulation of June 2020 (‘EDPS Guidance’).

The decision to carry out a remote audit on these topics was determined by taking into account the following points:

• The fact that decisions under Article 25 of the Regulation restrict fundamental rights, i.e. represent a high impact on data subjects;
• The high number EUIs concerned gives a horizontal view on a topic that has proven to be contentious, in particular in complaints relating to access requests under Article 17 of the Regulation.

Like any audit, this audit has been a learning exercise for the EDPS, which may in turn lead the EDPS to update existing guidance in due time. Against this background, this general report is published with a view to reporting on the overall results of the audit and providing guidance to all EUIs on best practices identified during the exercise.