Who are we?
The European Data Protection Supervisor (EDPS) is the European Union’s (EU) independent data protection authority.
The Supervisor, Wojciech Wiewiórowski, was appointed by a joint decision of the European Parliament and the Council on 6 December 2019 for a five-year term.
What are our powers?
Data protection is a fundamental right, protected by European law and enshrined in Article 8 of the Charter of Fundamental Rights of the European Union. We defend and promote the privacy of individuals and data protection in our day-to-day work.
The EDPS’ mission, power and aims are established in accordance with Regulation (EU) 2018/1725, on the basis of Article 16 of the Treaty on the Functioning of the European Union.
The tasks of the EDPS are listed under Article 57 of Regulation (EU) 2018/1725, while its powers are listed under Article 58 of Regulation (EU) 2018/1725.
To this end, the EDPS has the powers of investigation, corrective powers and sanctions, and authorisation and advisory powers. In particular in case of complaints from individuals, as well as powers to bring infringements of this Regulation to the attention of the Court of Justice and powers to engage in legal proceedings in accordance to the primary law.
You can find more detailed explanations on the EDPS’ powers in our dedicated factsheet here.
What are our core values?
Our work is guided by the following values and principles.
- Impartiality - working within the legislative and policy framework given to us, being independent and objective, finding the right balance between the interests at stake.
- Integrity - upholding the highest standards of behaviour and to always do what is right.
- Transparency - explaining what we are doing and why, in clear language that is accessible to all.
- Pragmatism - understanding our stakeholders’ needs and seeking solutions that work in a practical way.
What is our role?
The EDPS is responsible for monitoring the processing of personal data by the EU institutions, bodies, offices and agencies (EUIs) as well as providing advice on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.
More specifically, the EDPS has four main fields of work:
- Supervision: we monitor the processing of personal data by the EU administration and ensure that they comply with data protection rules. Our tasks range from conducting investigations to handling complaints and prior consultations on processing operations.
- Consultation: we advise the European Commission, the European Parliament, and the Council on proposals for new legislation and other initiatives related to data protection.
- Technology monitoring: we monitor and assess technological developments, where they have an impact on the protection of personal data, from an early stage, with a particular focus on the development of information and communication technologies.
- Cooperation: among other partners, we work with national data protection authorities (DPAs) to promote consistent data protection across the EU. Our main platform for cooperation with DPAs is the European Data Protection Board (EDPB) for which we provide the secretariat.
Other examples of European bodies and agencies that we supervise are Europol under Regulation 2016/794 and Eurojust under Regulation 2018/1727.
Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
What is our supervisory role?
EUIs consult us for advice via their Data Protection Officers (DPOs). Some of these consultations are mandatory, while others are voluntary.
Advice is given in our Opinions, comments, Decisions, letters or papers and guidelines.
You can find out more about the EDPS’ Supervisory role here.
What is our enforcement role?
If EUIs do not comply with data protection rules, the EDPS can use the enforcement powers set out in the Regulation, such as:
- warn or admonish the EUI;
- order the EUI to comply with the individuals’ right;
- impose a temporary or definitive ban on a particular data processing operation;
- impose administrative fines on EUIs.
More information on the factors the EDPS takes into account when imposing administrative fines or sanctions can be found here.
What is the EDPB?
The European Data Protection Board (EDPB) is established by the General Data Protection Regulation (GDPR). It is an independent European body, contributing to the consistent application of data protection rules throughout the European Union (EU Member States), and promotes cooperation between the EU’s Data Protection Authorities (DPA).
The EDPS provides an independent secretariat to the EDPB. The Secretariat offers administrative and logistic support for the EDPB as well as performing analytical work and contribute to the EDPB’s tasks.
A Memorandum of Understanding determines the terms of cooperation between the EDPB and the EDPS.
How do we work?
At the beginning of each mandate, the EDPS adopts a strategy outlining the priorities for the next five years. On 30 June 2020, Supervisor Wojciech Wiewiórowski unveiled its strategy: Shaping a Safer Digital Future: a new Strategy for a new decade. The EDPS Strategy sets out the guiding actions and objectives till the end of 2024 under three core pillars: Foresight, Action, and Solidarity.
How are we held accountable?
To ensure that the EDPS’ actions are aligned with its objectives and goals, the strategy is kept under regular review as a reference point for our staff and stakeholders.
Each year, around April, the EDPS presents and makes public its Annual Report highlighting the main actions and achievements of the past year. Our latest Annual Report 2019 can be found here.
The EDPS also published on 3 December 2019 a mandate review detailing and explaining the work achieved during its mandate 2015-2019. This mandate review is called Leading by Example: EDPS 2015-2019.
We also regularly publish Opinions, Guidelines, Papers informing and updating the data protection community and the general public of our work.
What is considered as personal data?
Personal data is any information that relates to an identified or identifiable natural person.
In practice this can mean your name, email address, contact details, should you participate to an event, such as a study visit for example, within the institutions.
If you are a member of EU staff or trainee, this can also include your salary, medical records, performance evaluation, telecommunications data, for example.
What does consent mean?
When an individual gives consent for their personal data to be processed, this consent must be freely given, specific, informed by a clear and unambiguous statement that indicates such an agreement.
What does processing personal data mean?
Processing personal data, means any operation or set of operations, which is performed on personal data, either by manual or automated means, such as collecting, recording, organisation, structuring, storage, adaptation or alteration, transmission, for example.
In practice this might mean when a EUI collects your contact details.
When do EU institutions, bodies, agencies (EUIs) process your data?
EUIs may process your data in the context of various administrative procedures such as recruitment and employment, tenders and open calls for expressions of interests, study visits.
Your data can only be processed if it serves a legitimate purpose, a necessity and proportionality test must always be carried out beforehand.
What are your rights when EUIs process your personal data?
As an individual, you have the right of access, right to rectification, right to erasure of your personal data, the right to restriction of processing, right to object to the processing of personal data.
How does the EDPS help the EUIs make responsible and informed choices when they process personal data?
Alongside our monitoring, supervising and enforcement powers, we regularly produce factsheets and flowcharts on various aspects of data protection to guide Data Protection Officers (DPOs) and Data Protection Authorities (DPAs). You can find them here.
What is a Data Protection Officer, a controller, a joint controller and a processor?
A Data Protection Officer, as defined in Chapter IV Section 6 of Regulation 2018/1725, is usually a member of staff of the EU institution, office, body or agency designated for a term of three to five years. They must be independent, impartial, respect confidentiality and provide advice to the controller especially in the context of carrying a Data Protection Impact Assessment (DPIAS), for example. A complete list of the EU institutions, bodies, offices and agencies’ DPOs can be found here.
A controller is responsible for determining the purposes and means for the processing of personal data. The controller must check whether the processing of data complies with a certain number of principles, such as lawfulness, fairness, transparency, purpose limitation etc. Joint-controllers means there is more than one controller in the EU institution, body or agency as outlined in Article 28 of Regulation 2018/1725. You can find more information on the duties of a controller here.
A processor processes personal data under documented instructions of the controller, governed by a binding contract or legal act. They must maintain records of the processing and only process data with prior authorisation and legitimate purposes. You can find more information on the duties of a processor here.
What is confidentiality?
Confidentiality means the duty to not share information with people who are not qualified to receive this information, as indicated in Article 4 of Regulation 2018/1725.
What is a data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
How can the EDPS help you?
The scope of the competences of the EDPS covers the processing of personal information of the EU institutions, bodies, offices and agencies only.
If an individual believes his or her data is inaccurate or has been wrongfully processed by a company or organisation whose activities are carried out in the EU, he or she should first contact the national Data Protection Authority of their home country.
How to make a complaint to the EDPS if a European institution, body, office or agency (EUIs) wrongfully processes your personal data?
The EDPS recommends that you first notify the EUI responsible for processing your data and ask them to take action.
If you do not obtain a response or are unsatisfied with it, you should contact the Data Protection Officer (DPO) of the EUI concerned.
You can also lodge a complaint with the EDPS, who will examine your request and adopt the necessary measures.
You can also bring an action before the Court of Justice of the European Union.
The EDPS complaint form and relevant information can be found here.
Can my personal data be transferred outside the European Union?
In their daily activities, EU institutions and bodies may need to transfer personal data to recipients outside the European Union. These activities can include dealings with foreign public entities (for anti-fraud or competition investigations, for example), the outsourcing of services to external providers located outside the EU and/or processing the data outside the EU (e.g. cloud computing, web-services), or when arranging staff work trips to non-EU countries. More information on international data transfers.
How can I keep up with the EDPS’ work?
The EDPS regularly publishes various Press Releases, Publications, Factsheets and other content to keep the data protection community up-to-date with our work on our website and social channels Twitter, LinkedIn and YouTube.
You can also subscribe to our monthly newsletter, which gives you a recap of all the EDPS’ activities in a short, concise and informative way.
We try and make our work in the field of data protection as accessible as possible, but, if you are still unsure about certain legal terms we use, you can find more information in our Glossary.
If you have any further questions, please Contact Us.