European Data Protection Supervisor
Le Contrôleur Européen de la Protection des Données

Regulation (EU) 2018/1725

Regulation (EU) 2018/1725 lays down data protection obligations for the EU institutions and bodies when they process personal data and develop new policies.

This Regulation repeals Regulation (EC) 45/2001 and, in line with the GDPR, takes a principle-based approach.

The new legal instrument ensures that EU institutions and bodies provide transparent and easily accessible information on how personal data is used and that they have clear mechanisms in place for individuals to exercise their rights; it also reaffirms, clarifies and strengthens the role of data protection officers within each EU institution, as well as the role of the EDPS.




Orientations from the EDPS: Body temperature checks by EU institutions in the context of the COVID-19 crisis

A number of European institutions, agencies and bodies (EUIs) have implemented body temperature checks as part of the health and safety measures adopted in the context of their “return to the office” strategy as an appropriate complementary measure, among other necessary health and safety measures, to help prevent the spread of COVID-19 contamination.

At the same time, systematic body temperature checks of staff and other visitors to filter access to EUIs' premises may constitute an interference with individuals’ rights to private life and/or personal data protection. The EDPS observes that body temperature checks can be implemented through a variety of devices and processes that should be subject to careful assessment. The EDPS has decided to issue the present orientations to help EUIs and Data Protection Officers (DPOs) meet the requirements of Regulation (EU) 2018/1725 (the Regulation), where applicable.


Body temperature checks by EU institutions: Careful assessment and data protection safeguards are necessary

The European Data Protection Supervisor today issued orientations on the use of body temperature checks by Union institutions, bodies, offices and agencies (EUIs) in the context of the COVID-19 crisis, highlighting that a careful assessment and appropriate data protection safeguards are necessary.


Informal Consultation on the application of Article 39(3)(b) of Regulation (EU) 2018/1725

Informal consultation from an EU Agency on whether a particular number of data subjects concerned by a processing should be considered as “large scale” in the sense of Article 39(3)(b) of the Regulation.

The EDPS notes that the Regulation itself does not define what constitutes “large-scale”, analyses existing guidance on the matter and concludes that in the case of the processing underlying the informal consultation, the proportion of the relevant population as well as the nature of the personal data processed and possible resulting risks cumulatively advocate for conducting a DPIA in the case at hand.


Guidance on Art. 25 of the Regulation 2018/1725

EDPS Guidance on Article 25 of the Regulation 2018/1725 and internal rules updated on 24 June 2020.


Monitoring and enforcing compliance with Regulation (EU) 2018/1725

The EDPS’ role is to ensure effective protection of people’s fundamental rights and freedoms against the (mis)use of technologies, in particular in relation to the processing of personal data by the EU institutions, bodies, offices and agencies (collectively ‘EUIs’). More specifically, under Article 57 of Regulation (EU) 2018/1725 on data protection for the EUIs, one of our main tasks is to ‘monitor and enforce the application of this Regulation’. This paper explains how we will act in that role, telling both the individuals whose data EUIs process (the data subjects) and the EUIs themselves what they can expect from us as the supervisory authority for EUIs’ processing of personal data and what we expect EUIs to do.


47th Virtual Meeting of the Data Protection Officers and the EDPS

47th Meeting of the Data Protection Officers of the EU institutions and the European Data Protection Supervisor, virtual meeting.

Agenda
Public Communication
Use of social media by EU institutions and bodies
Monitoring social media - risks
Use of social media - technical aspects mitigating measures, privacy friendly social networks
Registers - best practices findings when inspecting
Microsoft findings and recommendations
Covid-19 and data protection

Consultation on agreement for payroll services for local employees in a third country

EDPS Letter Consultation on agreement for payroll services for local employees in a third country


Report on remote inspection of publicly accessible registers under Article 31(5) of the Regulation

The EDPS has published guidance to EU institutions and bodies (“EUIs”) regarding the records of processing operations. The EDPS had previously clarified that making the register “publicly available” means publication on the internet. While the EDPS had initially announced May 2020, i.e. two years after the entry into force of the GDPR, as the target date for implementing this obligation, it noticed upon the entry into force of Regulation 2018/1725 that the new Regulation contained no grace period regarding this obligation.

First Interim Report
Second Interim Report

2019 Annual Report - a year of transition

2019 could be described as a year of transition, across Europe and the world.  With new legislation on data protection in the EU now in place, the greatest challenge moving into 2020 and beyond is to ensure that this legislation produces the promised results. Awareness of the issues surrounding data protection and privacy, and the importance of protecting these fundamental rights, is at an all-time high and this momentum cannot be allowed to decline.

This Annual Report provides an insight into all EDPS activities in 2019, which was the last year of a five-year EDPS mandate. EDPS activities therefore focused on consolidating the achievements of previous years, assessing the progress made and starting to define priorities for the future.

HTML version: EN

Summary (HTML): EN - FR - DE

Full text of Annual Report (PDF)

APPF’s powers and data protection obligations

Consultation by the Authority for European Political Parties and European Political Foundations (APPF) to the EDPS regarding data protection rules.


Trainings on Regulation (EU) 2018/1725 for EUIs' controllers

New thematic trainings in light of Regulation (EU) 2018/1725 for EUIs' controllers at the European School of Administration (EUSA), Brussels:

You may enrol on EU learn.

  • 18 February: controllers-processors / joint controllership
  • 26 February: events management
  • 4 March: controllers-processors / joint controllership (EUSA in Luxembourg!)
  • 10 March: controllers-processors / joint controllership
  • 1 July: Data protection in procurement and outsourcing processing of personal data
  • 14 September: Arrangements with processors and how to use in practice SCCs for processors adopted by the EDPS
  • 20 October: Transfers of data, in particular international transfers
  • 18 November: International transfers


Leading by Example: EDPS 2015-2019

This report provides an overview of the activities carried out by the EDPS from 2015 to 2019. In particular, it focuses on how the EDPS has worked to implement the objectives set out in its 2015-2019 Strategy, which concern digitisation, global partnerships and the modernisation of data protection. This involved not only contributing to landmark legislation, such as the General Data Protection Regulation (GDPR) and Regulation 2018/1725, but also bringing the concepts of ethics and accountability to the forefront of data protection discourse and enforcement.



HTML: DE EN FR

HTML (Summary): DE EN FR

Full text of Leading by Example: EDPS 2015-2019 (PDF)
Summary (PDF)

Social media monitoring reports

Letter concerning a consultation on EASO's social media monitoring reports.


Concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725

When processing personal data, EU institutions and bodies (EUIs) must comply with specific data protection rules. Depending on their role, their obligations differ. The following guidelines provide explanation and practical advice to EU institutions and bodies on how to comply with Regulation (EU) 2018/1725 (‘the Regulation’).

Friday, 4 October 2019

Newsletter (N°

In this edition of the EDPS Newsletter we cover Data Protection Impact Assessments (DPIAs), the first EDPS-EDPB Joint Opinion and the new EDPS website inspection software, among many other topics.

Checklists and flowcharts on data protection

Administrative fines and sanctions under Regulation EU 2018/1725
Checklist 1: What are the duties of the controller?
Checklist 2: What are the duties of the processor?
Checklist 3: What is required in a processing agreement?
Flowchart: data transfers in the context of Brexit
Flowchart: Are you a processor, controller, or joint controller?
Powers of the EDPS under Regulation (EU) 2018/1725
Useful points and questions on data protection

Presentation of EDPS Tasks and Activities - Wojciech Wiewiórowski

Presentation of EDPS Tasks and Activities, Speech by Wojciech Wiewiórowski before the Committee on Civil Liberties, Justice and Home Affairs, European Parliament, Brussels


Data Protection Impact Assessment List

Under Article 39(4) of Regulation (EU) 2018/1725, the EDPS shall adopt a list of the kinds of processing operations subject to a data protection impact assessment (DPIA). Under paragraph 5 of the same Article, the EDPS may adopt a list of the kinds of processing operations not subject to a DPIA. For further information on how to use this list, please see the Accountability on the ground toolkit.


Accountability on the ground: Guidance on documenting processing operations for EU institutions, bodies and agencies

Accountability on the ground: Guidance on documenting processing operations for EU institutions, bodies and agencies (EUIs). These documents provide provisional guidance for controllers and DPOs in the EUIs on how to generate records for their processing operations, how to decide whether they need to carry out data protection impact assessments (DPIAs), how to do DPIAs and when to carry out prior consultations with the EDPS (Articles 31, 39 and 40 of Regulation (EU) 2018/1725).

A provisional version of this text was published in February 2018. The current version 1.3 was published in July 2019.

Summary
Part I: Records and threshold assessment
Part II: DPIAs and prior consultation

Press Release - EDPS flags data protection issues on EU institutions’ websites

An inspection carried out by the European Data Protection Supervisor (EDPS) on the websites of major EU institutions and bodies revealed data protection and data security issues in seven out of the ten websites inspected. Each of the institutions concerned has received recommendations from the EDPS on how to ensure their websites are fully compliant with data protection rules and the relevant institutions have reacted swiftly to start rectifying the problems identified, the European Data Protection Supervisor said today.