Privacy in the EU Institutions

The new EU data protection framework consists of much more than just the GDPR. New rules for the EU institutions and ePrivacy are yet to be finalised, and remain a key focal point for EDPS work. As well as providing advice to the legislator on these new rules, the EDPS has started working with the EU institutions and bodies to prepare them for the changes to come. A particular focus of his efforts in 2016 was on promoting accountability, a central pillar of the GDPR which it is safe to assume will also be integrated into the new rules for EU institutions and bodies.

In 2016, the EDPS also made a considerable effort to help move the global debate on data protection and privacy forward and mainstream data protection into international policies. He advised the EU legislator on the Umbrella agreement and the Privacy Shield and engaged with data protection and privacy commissioners from every continent. He also continued to pursue new initiatives, such as the Ethics Advisory Group, through which he intends to stimulate global debate on the ethical dimension of data protection in the digital era.

The EDPS aims to make data protection as simple and effective as possible for all involved. This requires ensuring that EU policy both reflects the realities of data protection in the digital era and encourages compliance through accountability.

Prior checking notification concerning promotion and reclassification at the European Maritime Safety Agency (Case 2016-0396)

Prior-checking opinion regarding internal mobility at the European Investment Fund (Case 2015-1102)

Prior check opinion on the notification of the OIB’s "360° tool - feedback and leadership competencies” (Case 2016-1130 / DPO-3868.1)

The Office for Infrastructure and Logistics in Brussels (OIB) has a development programme for managers using a 360° feedback tool. Managers participate on a voluntary basis in the exercise, in which their staff members, peers and superiors who agree to give feedback get to rate the manager. This allows managers to obtain anonymous feedback on their management and leadership style and to improve their management and leadership skills.

Two external providers cooperate with OIB in this exercise: a subcontractor collects individual evaluation responses per line manager through an online questionnaire and automatically generates reports; the contractor provides for individual coaching sessions to the managers. The specific roles and tasks of these two processors should be are clearly mentioned in the data protection statement. The subcontractor’s data centre is located in the United Kingdom. Forwardlooking, the EDPS highlights that future transfers might come under Article 9 of the Regulation requiring an adequate level of protection within the recipient's legal framework for transfers to third countries. In this issue, see pp.12-13 of EDPS Position paper on transfers to third countries and international organisations by EU institutions and bodies.

Prior-check Opinion on ENISA’s Whistleblowing Policy (Case 2017-0109)