Regulation 2018/1725

The EDPS’ role is to ensure effective protection of people’s fundamental rights and freedoms against the (mis)use of technologies, in particular in relation to the processing of personal data by the EU institutions, bodies, offices and agencies (collectively ‘EUIs’). More specifically, under Article 57 of Regulation (EU) 2018/1725 on data protection for the EUIs, one of our main tasks is to ‘monitor and enforce the application of this Regulation’. This paper explains how we will act in that role, explaining both to individuals whose data EUIs process (the data subjects) and the EUIs themselves what they can expect from us as the supervisory authority for EUI’s processing of personal data and what we expect EUIs to do.

08/05/2020

May

2020

DPO News

47th Virtual Meeting of the Data Protection Officers and the EDPS

47th Meeting of the Data Protection Officers of the EU institutions and the European Data Protection Supervisor, virtual meeting.

Agenda

Public Communication

Use of social media by EU institutions and bodies

Monitoring social media - risks

Use of social media - technical aspects mitigating measures, privacy friendly social networks

Registers - best practices findings when inspecting

Microsoft findings and recommendations

Covid-19 and data protection

06/05/2020

May

2020

Consultations

Consultation on agreement for payroll services for local employees in a third country

EDPS Letter Consultation on agreement for payroll services for local employees in a third country

02/04/2020

Apr

2020

DPO News

Report on remote inspection of publicly accessible registers under Article 31(5) of the Regulation

The EDPS has published guidance to EU institutions and bodies (“EUIs”) regarding the records of processing operations. The EDPS had previously clarified that making the register “publicly available” means publication on the internet. While initially May 2020, i.e. two years after the entry into force of the GDPR, had initially been announced by the EDPS as target date for implementation of this obligation, the EDPS noticed upon entry into force of Regulation 2018/1725, that the new Regulation contained no grace period regarding this obligation.

First Interim Report

Second Interim Report

18/03/2020

Mar

2020

Annual Reports

2019 Annual Report - a year of transition

2019 could be described as a year of transition, across Europe and the world. With new legislation on data protection in the EU now in place, the greatest challenge moving into 2020 and beyond is to ensure that this legislation produces the promised results. Awareness of the issues surrounding data protection and privacy, and the importance of protecting these fundamental rights, is at an all-time high and this momentum cannot be allowed to decline.

This Annual Report provides an insight into all EDPS activities in 2019, which was the last year of a five-year EDPS mandate. EDPS activities therefore focused on consolidating the achievements of previous years, assessing the progress made and starting to define priorities for the future.

HTML version: EN

Summary (HTML): EN - FR - DE

Full text of Annual Report (PDF):

Summary (PDF):

26/02/2020

Feb

2020

Consultations

APPF’s powers and data protection obligations

Consultation by the Authority for European Political Parties and European Political Foundations (APPF) to the EDPS regarding data protection rules.

18/02/2020

Feb

2020

DPO News

Trainings on Regulation (EU) 2018/1725 for EUI's controllers

New thematic trainings in light of Regulation (EU) 2018/1725 for EUI's controllers at the European School of Administration (EUSA), Brussels:

You may enrol on EU learn.

18 February: controllers-processors / joint controllership
26 February: events management
4 March: controllers-processors / joint controllership (EUSA in Luxembourg!)
10 March: controllers-processors / joint controllership
1 July: Data protection in procurement and outsourcing processing of personal data
14 September: Arrangements with processors and how to use in practice SCCs for processors adopted by the EDPS
20 October: Transfers of data, in particular international transfers
18 November: International transfers

03/12/2019

Dec

2019

Strategy

Leading by Example: EDPS 2015-2019

This report provides an overview of the activities carried out by the EDPS from 2015-2019. In particular, it focuses on how the EDPS has worked towards implementing the objectives set out in the EDPS Strategy 2015-2019, which relate to digitisation, global partnerships and the modernisation of data protection. This involved not only contributing historical pieces of legislation, such as the General Data Protection Regulation and Regulation 2018/1725, but also bringing the concepts of ethics and accountability to the forefront of data protection discourse and application.

HTML: DE EN FR

HTML (Summary): DE EN FR

Full text of Leading by Example: EDPS 2015-2019:

Summary (PDF):

14/11/2019

Nov

2019

Consultations

Social media monitoring reports

Letter concerning a consultation on EASO's social media monitoring reports.

07/11/2019

Nov

2019

Guidelines

Concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725

When processing personal data, EU institutions and bodies (EUIs) must comply with specific data protection rules. Depending on their role, their obligations differ. The following guidelines provide explanation and practical advice to EU institutions and bodies on how to comply with Regulation (EU) 2018/1725 (‘the Regulation’).

27/09/2019

Sep

2019

Factsheets

Checklists and flowcharts on data protection

Administrative fines and sanctions under Regulation EU 2018/1725

Checklist 1: What are the duties of the controller?

Checklist 2: What are the duties of the processor?

Checklist 3: What is required in a processing agreement?

Flowchart: data transfers in the context of Brexit

Flowchart: Are you a processor, controller, or joint controller?

Powers of the EDPS under Regulation (EU) 2018/1725

Useful points and questions on data protection

05/09/2019

Sep

2019

Speeches & Articles

Presentation of EDPS Tasks and Activities - Wojciech Wiewiórowski

Presentation of EDPS Tasks and Activities, Speech by Wojciech Wiewiórowski before the Committee on Civil Liberties, Justice and Home Affairs, European Parliament, Brussels

17/07/2019

Jul

2019

Guidelines

Data Protection Impact Assessment List

Under Article 39(4) of Regulation (EU) 2018/1725, the EDPS shall adopt a list of the kinds of processing operations subject to a data protection impact assessment (DPIA). Under paragraph 5 of the same Article, the EDPS may adopt a list of the kinds of processing operations not subject to a DPIA. For further information on how to use this list, please see the Accountability on the ground toolkit.

16/07/2019

Jul

2019

Guidelines

Accountability on the ground: Guidance on documenting processing operations for EU institutions, bodies and agencies

Accountability on the ground: Guidance on documenting processing operations for EU institutions, bodies and agencies (EUIs). These documents provide provisional guidance for controllers and DPO in the EUIs on how to generate records for their processing operations, how to decide whether they need to carry out data protection impact assessments (DPIAs), how to do DPIAs and when to do prior consultations to the EDPS (Articles 31, 39 and 40 of Regulation (EU) 2018/1725).

A provisional version of this text was published in February 2018. The current version 1.3 was published in July 2019.

Summary

Part I: Records and threshold assessment

Part II: DPIAs and prior consultation

03/06/2019

Jun

2019

Press Release

Press Release - EDPS flags data protection issues on EU institutions’ websites

An inspection carried out by the European Data Protection Supervisor (EDPS) on the websites of major EU institutions and bodies revealed data protection and data security issues in seven out of the ten websites inspected. Each of the institutions concerned has received recommendations from the EDPS on how to ensure their websites are fully compliant with data protection rules and the relevant institutions have reacted swiftly to start rectifying the problems identified, the European Data Protection Supervisor said today.

16/05/2019

May

2019

Press Release

Press Statement - Europe votes 2019: Data protection is a prerequisite for fair and democratic elections

The European parliamentary elections are increasingly in the spotlight as the polls of 23-26 May approach. In the face of ongoing political turbulence, it is important that the EU continue to lead the way in promoting a healthy civic society through a robust election process.

10/04/2019

Apr

2019

Data Protection Notice

Data Protection Notice - Ipen Rome Workshop 2019

08/04/2019

Apr

2019

Press Release

EDPS investigates contractual agreements concerning software used by EU institutions

As the supervisory authority for all EU institutions, the European Data Protection Supervisor (EDPS) is responsible for enforcing and monitoring their compliance with data protection rules. In this capacity, the EDPS is undertaking an investigation into the compliance of contractual arrangements concluded between the EU institutions and Microsoft, the European Data Protection Supervisor said today.

Administrative notices
Authorisation Decisions for Transfers
DPO Meetings and Trainings
Podcasts
TechDispatch
Memorandum of Understanding
Resolutions
Reference Library
European Conferences
DPO News
Events
International Conferences
Legislation
Reports
Priorities
Press Releases
Opinions Prior Check
Other Documents
Papers
SCG Documents
Speeches & Articles
Strategy
Opinions Non Prior Check
Opinions
Code of Conducts
Comments
Consultations
Call for Tenders
Brochures
Annual Activity Reports
Annual Reports
Court Cases
Inquiries
Inspections
Newsletters
Guidelines
Forms
Ethical Framework
Factsheets
Administrative Measures

Agency for the Cooperation of Energy Regulators (ACER)
Body of European Regulators for Electronic Communications (BEREC)
Clean Sky Joint Undertaking (CSJU)
Committee of the Regions (CoR)
Community Plant Variety Office (CPVO)
Consumers, Health and Food Executive Agency (CHAFEA)
Council of the European Union
Court of Justice of the European Union (CJEU)
ECSEL Joint Undertaking (ECSEL)
Education, Audiovisual and Culture Executive Agency (EACEA)
eu-LISA
European Agency for Safety and Health at Work (EU-OSHA)
European Agency for the Management of Operational Cooperation at the External Border (FRONTEX)
European Anti-Fraud Office (OLAF)
European Asylum Support Office (EASO)
European Aviation Safety Agency (EASA)
European Banking Authority (EBA)
European Central Bank (ECB)
European Centre for Desease Prevention and Control (ECDC)
European Centre for the Development of Vocational Training (Cedefop)
European Chemicals Agency (ECHA)
European Commission
European Court of Auditors (ECA)
European Data Protection Board (EDPB)
European Data Protection Supervisor (EDPS)
European Defence Agency (EDA)
European Economic and Social Committee (EESC)
European Environment Agency (EEA)
European External Action Service (EEAS)
European Fisheries Control Agency (EFCA)
European Food Safety Authority (EFSA)
European Foundation for the Improvement of Living and Working Conditions (Eurofound)
European GNSS Agency (GSA)
European Institute for Gender Equality (EIGE)
European Institute of Innovation and Technology (EIT)
European Insurance and Occupations Pensions Authority (EIOPA)
European Investment Bank (EIB)
European Investment Fund (EIF)
European Maritime Safety Agency (EMSA)
European Medicines Agency (EMA)
European Monitoring Centre for Drugs and Drug Addiction
European Ombudsman (Ombudsman)
European Parliament
European Personnel Selection Office (EPSO)
European Police College (CEPOL)
European Police Office (EUROPOL)
European Public Prosecutor's Office (EPPO)
European Research Council Executive Agency (ERCEA)
European Securities and Markets Authority (ESMA)
European Systemic Risk Board (ESRB)
European Training Foundation (ETF)
European Union Agency for Fundamental Rights (FRA)
European Union Agency for Network and Information Security (ENISA)
European Union Agency for Railways (ERA)
European Union Institute for Security Studies (EUISS)
European Union Intellectual Property Office (EUIPO)
European Union Satellite Centre (EUSC)
Executive Agency for Small and Medium-sied Enterprises (EASME)
Fuel Cells & Hydrogen Joint Undertaking (FCHJU)
Fusion for Energy (F4E)
Innovation and Networks Executive Agency (INEA)
Innovative Medicines Initiative Joint Undertaking (IMI JU)
Joint Research Centre (JRC)
Office for Harmonisation in the Internal Market (OHIM)
Other
Research Executive Agency (REA)
SESAR Joint Undertaking (SESAR JU)
Single Resolution Board (SRB)
The European Union's Judicial Cooperation Unit (EUROJUST)
Translation Centre for the Bodies of the European Union (CdT)