Privacy in the EU Institutions

The EDPS will consider hereinafter the main data protection issues concerning the processing of personal data at stake, having regard to the measures envisaged by the European Public Prosecutor's Office (EPPO) to address data protection risks.

Disclaimer: Please note that parts of this document were redacted to protect public security and the internal decision making process of the EPPO.

The present comments from the EDPS refer to the draft revised rules on processing of personal data by the European Public Prosecutor's Office (EPPO).

Disclaimer: Please note that parts of this document were redacted to protect the internal decision making process of the EPPO. The full text of the final document referred to in this opinion, as adopted by the EPPO College, can be found at: https://ec.europa.eu/info/law/cross-border-cases/judicial-cooperation/networks-and-bodies-supporting-judicial-cooperation/european-public-prosecutors-office_en#decisions-of-the-college-of-the-eppo.

These comments from the EDPS refer to the draft internal rules of procedure of the European Public Prosecutor's Office (EPPO).

Disclaimer: Please note that parts of this document were redacted to protect the internal decision making process of the EPPO. The full text of the final document referred to in this opinion, as adopted by the EPPO College, can be found at: https://ec.europa.eu/info/law/cross-border-cases/judicial-cooperation/networks-and-bodies-supporting-judicial-cooperation/european-public-prosecutors-office_en#decisions-of-the-college-of-the-eppo.

A number of European institutions, agencies and bodies (EUIs) have implemented body temperature checks as part of the health and safety measures adopted in the context of their “return to the office” strategy as an appropriate complementary measure, among other necessary health and safety measures, to help prevent the spread of COVID-19 contamination.

At the same time, systematic body temperature checks of staff and other visitors to filter access to EUIs premises may constitute an interference into individuals’ rights to private life and/or personal data protection. The EDPS observes that body temperature checks can be implemented through a variety of devices and processes that should be subject to careful assessment. The EDPS has decided to issue the present orientations to help EUIs and Data Protection Officers (DPOs) meet the requirements of Regulation (EU) 2018/1725 (the Regulation), where applicable.

Informal consultation from an EU Agency on whether a particular number of data subjects concerned by a processing should be considered as “large scale” in the sense of Article 39(3)(b) of the Regulation.

The EDPS notes that the Regulation itself does not define what constitutes “large-scale”, analyses existing guidance on the matter and concludes that in the case of the processing underlying the informal consultation, the proportion of the relevant population as well as the nature of the personal data processed and possible resulting risks cumulatively advocate for conducting a DPIA in the case at hand.