European Data Protection Supervisor
European Data Protection Supervisor




CCTV stands for "closed circuit television". It is a television system comprised of a camera or a set of cameras monitoring a specific protected area, with additional equipment used for viewing and/or storing the CCTV footage. The term itself originates from the fact that, as opposed to broadcast television, CCTV is usually a "closed" rather than "open" system with a limited number of viewers.

CCTV has been traditionally used for surveillance in specific locations with increased security needs such as banks, airports, military installations. In addition, in industrial plants, CCTV equipment has been used to remotely observe processes, for example, in hazardous environments. Increasing use of CCTV in public places has caused debate over public surveillance versus privacy.

See also: Video-surveillance



Cloud computing

Cloud computing is Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand. It is a "paradigm shift" following the shift from mainframe to client–server in the early 1980s. Cloud computing describes a new consumption and delivery model for IT services based on the Internet, and it typically involves the provision of dynamically scalable and often virtualised resources as a service over the Internet. It is a by-product and consequence of the ease-of-access to remote computing sites provided by the Internet.




According to Article 32.2 of Regulation (EC) No 45/2001, "Every data subject may lodge a complaint with the European Data Protection Supervisor if he or she considers that his or her rights under Article 286 of the Treaty have been infringed as a result of the processing of his or her personal data by a Community institution or body."

Article 33 of the Regulation also provides that "Any person employed with a Community institution or body may lodge a complaint with the European Data Protection Supervisor regarding an alleged breach of the provisions of this Regulation governing the processing of personal data, without acting through official channels".

Anyone who believes that an EU institution or body violates his/her rights with regard to the processing of personal data may file a complaint with the European Data Protection Supervisor (EDPS). A staff member of an EU institution or body may also lodge a complaint with the EDPS even if he or she is not directly concerned by the violation.

In general, complainants are recommended to turn to the EDPS only after having contacted the controller and/or the Data protection officer of the institution or body concerned. However, complaints can also be lodged directly with the EDPS if this is deemed necessary.

Complaints to the EDPS must be in writing, either on paper or electronically, in principle using the complaint submission form available on the EDPS website. This form can be completed and sent electronically. Alternatively, it can be sent by fax or post including all relevant information as well as any supporting evidence.

If a complaint is found admissible, the EDPS will conduct an inquiry if he finds this appropriate. If the case is not resolved satisfactorily during the course of his inquiry, the EDPS will try to find a friendly solution which satisfies the complainant. If the attempt at conciliation fails, the EDPS may order the rectification, blocking, erasure or destruction of data or even impose a ban on a particular data processing.

The EDPS is not competent to deal with issues involving national authorities or private entities in the EU countries, and has no power to compensate the person concerned by the violation of data protection rules.

In order to ensure the consistent treatment of complaints concerning data protection and to avoid unnecessary duplication, the European Ombudsman and the EDPS have signed a Memorandum of Understanding (pdf). It stipulates, among other things, that a complaint that has already been brought forward should not be reopened by the other institution unless significant new evidence is submitted.




Confidentiality in a general sense refers to the duty not to share information with persons who are not qualified to receive that information. In a more specific sense, it refers to the confidentiality of communications provided for in Article 5 of the E-privacy Directive 2009/136/EC and in Article 36 of Regulation (EC) No 45/2001.

Confidentiality of processing also refers to the obligation of any person acting under the authority of the controller or the processor, who has access to personal data, not to process them except on instructions from the controller, unless he is required to do so by law (see Article 16 of Directive 95/46/EC and Article 21 of Regulation (EC) No 45/2001).




In data protection terminology, consent refers to any freely given, specific and informed indication of the wishes of a data subject, by which he/she agrees to personal data relating to him/her being processed (see Article 2 sub (h) of Data Protection Directive 95/46/EC and Article 2 sub (h) of Regulation (EC) No 45/2001.

Consent is an important element in data protection legislation, as it is one of the conditions that can legitimise processing of personal data. If it is relied upon, the data subject must unambiguously have given his/ her consent to a specific processing operation, of which he/she shall have been properly informed. The obtained consent can only be used for the specific processing operation for which it was collected, and may in principle be withdrawn without retroactive effect.

See also: Q&A on Consent




See Data controller



Convention 108 (Council of Europe) 

Convention 108 refers to the Convention for the Protection of Individuals with regard to automatic processing of personal data which was adopted by the Council of Europe in 1981.

This Convention is the first legally binding international instrument adopted in the field of data protection.

It sets out minimum standards aimed at protecting the individuals against abuses which may accompany the collection and processing of personal data. It also seeks to regulate the transborder flow of personal data.

A total of 40 European states have ratified the Convention so far.




Short text files stored on the user’s device by a web site.  Cookies are normally used to provide a more personalised experience and to remember user profile without the need of a specific login. Also it can be placed by third parties (such as an advertising network) in end users´ devices and maybe be used to track users when surfing across different websites associated to that third party.

See also E-privacy Directive 2009/136/EC.


Council Working Party on Data Protection 

The Council Working Party on Data Protection was originally set up to deal with the foundations of the EC policy on data protection, such as Directive 95/46/EC, Directive 97/66/EC and Regulation EC (No) 45/2001. It allows for a more horizontal approach in first pillar matters.

Organisation of meetings and their frequency depend on the Presidency of the Council. More recent meetings have included discussions on Commission's initiatives in the field of PETs or RFID, and other subjects like Member States' experience with Directive 95/46/EC. The EDPS priorities for consultation on new legislation as well as his Annual Report have also been on the agenda of the meetings.