The European Data Protection Supervisor (EDPS) is the European Union’s (EU) independent data protection authority.
The Supervisor, Wojciech Wiewiórowski, was appointed by a joint decision of the European Parliament and the Council on 6 December 2019 for a five-year term.
Data protection is a fundamental right, protected by European law and enshrined in Article 8 of the Charter of Fundamental Rights of the European Union. We defend and promote the privacy of individuals and data protection in our day-to-day work.
The EDPS’ mission, power and aims are established in accordance with Regulation (EU) 2018/1725, on the basis of Article 16 of the Treaty on the Functioning of the European Union.
To this end, the EDPS has powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in the case of complaints from individuals, as well as the power to bring infringements of this Regulation to the attention of the Court of Justice and the power to engage in legal proceedings in accordance with primary law.
You can find more detailed explanations on the EDPS’ powers in our dedicated factsheet here.
Our work is guided by the following values and principles.
The EDPS is responsible for monitoring the processing of personal data by the EU institutions, bodies, offices and agencies (EUIs) as well as providing advice on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.
More specifically, the EDPS has four main fields of work:
Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
EUIs consult us for advice via their Data Protection Officers (DPOs). Some of these consultations are mandatory, while others are voluntary.
You can find out more about the EDPS’ Supervisory role here.
If EUIs do not comply with data protection rules, the EDPS can use the enforcement powers set out in the Regulation, such as:
More information on the factors the EDPS takes into account when imposing administrative fines or sanctions can be found here.
The European Data Protection Board (EDPB) is established by the General Data Protection Regulation (GDPR). It is an independent European body that contributes to the consistent application of data protection rules throughout the European Union (EU Member States) and promotes cooperation between the EU’s Data Protection Authorities (DPAs).
The EDPS provides an independent secretariat to the EDPB. The Secretariat offers administrative and logistic support to the EDPB, performs analytical work and contributes to the EDPB’s tasks.
A Memorandum of Understanding determines the terms of cooperation between the EDPB and the EDPS.
At the beginning of each mandate, the EDPS adopts a strategy outlining the priorities for the next five years. On 30 June 2020, Supervisor Wojciech Wiewiórowski unveiled his strategy: Shaping a Safer Digital Future: a new Strategy for a new decade. The EDPS Strategy sets out the guiding actions and objectives until the end of 2024 under three core pillars: Foresight, Action, and Solidarity.
To ensure that the EDPS’ actions are aligned with its objectives and goals, the strategy is kept under regular review as a reference point for our staff and stakeholders.
Each year, around April, the EDPS presents and makes public its Annual Report highlighting the main actions and achievements of the past year. Our latest Annual Report 2019 can be found here.
On 3 December 2019, the EDPS also published a mandate review detailing and explaining the work achieved during its 2015-2019 mandate. This mandate review is called Leading by Example: EDPS 2015-2019.
Personal data is any information that relates to an identified or identifiable natural person.
In practice this can mean your name, email address and contact details, should you participate in an event within the institutions, such as a study visit, for example.
If you are a member of EU staff or trainee, this can also include your salary, medical records, performance evaluation, telecommunications data, for example.
When an individual gives consent for their personal data to be processed, this consent must be freely given, specific and informed, and indicated by a clear and unambiguous statement of agreement.
Processing personal data means any operation or set of operations performed on personal data, by manual or automated means, such as collecting, recording, organising, structuring, storing, adapting or altering, or transmitting it, for example.
In practice this might mean an EUI collecting your contact details.
EUIs may process your data in the context of various administrative procedures such as recruitment and employment, tenders and open calls for expressions of interests, study visits.
Your data can only be processed if it serves a legitimate purpose; a necessity and proportionality test must always be carried out beforehand.
As an individual, you have the right of access, the right to rectification, the right to erasure of your personal data, the right to restriction of processing and the right to object to the processing of your personal data.
Alongside our monitoring, supervising and enforcement powers, we regularly produce factsheets and flowcharts on various aspects of data protection to guide Data Protection Officers (DPOs) and Data Protection Authorities (DPAs). You can find them here.
A Data Protection Officer, as defined in Chapter IV Section 6 of Regulation 2018/1725, is usually a member of staff of the EU institution, office, body or agency, designated for a term of three to five years. They must be independent and impartial, respect confidentiality and provide advice to the controller, especially in the context of carrying out a Data Protection Impact Assessment (DPIA), for example. A complete list of the EU institutions, bodies, offices and agencies’ DPOs can be found here.
A controller is responsible for determining the purposes and means of the processing of personal data. The controller must check whether the processing of data complies with a number of principles, such as lawfulness, fairness, transparency and purpose limitation. Joint controllership means that there is more than one controller in the EU institution, body or agency, as outlined in Article 28 of Regulation 2018/1725. You can find more information on the duties of a controller here.
A processor processes personal data under the documented instructions of the controller, governed by a binding contract or legal act. They must maintain records of the processing and only process data with prior authorisation and for legitimate purposes. You can find more information on the duties of a processor here.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The scope of the competences of the EDPS covers the processing of personal information of the EU institutions, bodies, offices and agencies only.
If an individual believes his or her data is inaccurate or has been wrongfully processed by a company or organisation whose activities are carried out in the EU, he or she should first contact the national Data Protection Authority of their home country.
The EDPS recommends that you first notify the EUI responsible for processing your data and ask them to take action.
If you do not obtain a response or are unsatisfied with it, you should contact the Data Protection Officer (DPO) of the EUI concerned.
You can also lodge a complaint with the EDPS, who will examine your request and adopt the necessary measures.
You can also bring an action before the Court of Justice of the European Union.
The EDPS complaint form and relevant information can be found here.
In their daily activities, EU institutions and bodies may need to transfer personal data to recipients outside the European Union. These activities can include dealings with foreign public entities (for anti-fraud or competition investigations, for example), the outsourcing of services to external providers located outside the EU and/or processing the data outside the EU (e.g. cloud computing, web-services), or when arranging staff work trips to non-EU countries. More information on international data transfers.
The EDPS regularly publishes various Press Releases, Publications, Factsheets and other content to keep the data protection community up-to-date with our work on our website and social channels Twitter, LinkedIn and YouTube.
You can also subscribe to our monthly newsletter, which gives you a recap of all the EDPS’ activities in a short, concise and informative way.
We try to make our work in the field of data protection as accessible as possible, but, if you are still unsure about certain legal terms we use, you can find more information in our Glossary.
If you have any further questions, please Contact Us.