Supervisory Opinion on the use of social media monitoring for epidemic intelligence purposes by the European Centre for Disease Prevention and Control (ECDC)
Accountability is a common principle for organisations across many disciplines; the principle embodies the idea that organisations live up to expectations, for instance in the delivery of their products and in their behaviour towards those they interact with. The General Data Protection Regulation (GDPR) integrates accountability as a principle which requires that organisations put in place appropriate technical and organisational measures and be able to demonstrate, when requested, what they did and its effectiveness.
Organisations, and not Data Protection Authorities, must demonstrate that they are compliant with the law. Such measures include: adequate documentation on what personal data are processed, how, for what purpose and for how long; documented processes and procedures aimed at tackling data protection issues at an early stage when building information systems or responding to a data breach; and the presence of a Data Protection Officer who is integrated in the organisation's planning and operations.
In 2015, in anticipation of the GDPR, the EDPS initiated a project to develop a framework for greater accountability in data processing to be applied to our own organisation, as an institution, a manager of financial resources and people - and a controller.
In addition, we have started to promote the accountability principle through visits to small, medium and large EU bodies to explain the new obligations resulting from the revised legal framework and the implications for EU institutions and the EDPS' work as their supervisory authority.
This report provides an overview of the activities carried out by the EDPS from 2015-2019. In particular, it focuses on how the EDPS has worked towards implementing the objectives set out in the EDPS Strategy 2015-2019, which relate to digitisation, global partnerships and the modernisation of data protection. This involved not only contributing to historical pieces of legislation, such as the General Data Protection Regulation and Regulation 2018/1725, but also bringing the concepts of ethics and accountability to the forefront of data protection discourse and application.
Under Article 39(4) of Regulation (EU) 2018/1725, the EDPS shall adopt a list of the kinds of processing operations subject to a data protection impact assessment (DPIA). Under paragraph 5 of the same Article, the EDPS may adopt a list of the kinds of processing operations not subject to a DPIA. For further information on how to use this list, please see the Accountability on the ground toolkit.
Accountability on the ground: Guidance on documenting processing operations for EU institutions, bodies and agencies (EUIs). These documents provide provisional guidance for controllers and DPOs in the EUIs on how to generate records for their processing operations, how to decide whether they need to carry out data protection impact assessments (DPIAs), how to do DPIAs and when to submit prior consultations to the EDPS (Articles 31, 39 and 40 of Regulation (EU) 2018/1725).
A provisional version of this text was published in February 2018. The current version 1.3 was published in July 2019.