The European Data Protection Supervisor (EDPS) has issued his second general report measuring progress made in the implementation of data protection rules and principles by Community institutions and bodies, as laid down in the Data Protection Regulation (Regulation (EC) No 45/2001).
The report shows that Community institutions have overall made good progress in meeting their data protection requirements. A lower level of compliance is observed in Community agencies, but the EDPS will be monitoring this closely and will encourage further compliance.
Peter Hustinx, EDPS, says: "I am pleased to see that compliance with data protection rules is developing in Community institutions and agencies. Further progress is however needed to fully translate those legal obligations into concrete technical and organisational arrangements that enable privacy safeguards to be ensured. In my role as supervisor, I will continue to encourage compliance in the EU administration by measuring progress, including more systematic verifications on the spot, and setting targets where needed".
As regards implementation of data protection rules in Community institutions, the report highlights the following main results:
The EDPS observes that positive progress has been made in the identification of processing operations and in the adoption of implementing rules concerning the tasks and duties of the DPO. However, the level of notifications of processing operations to the DPO and further notifications to the EDPS for prior checking is generally very low. Only one agency can claim that all identified operations have been notified to the EDPS.
The EDPS also notes that although there have been no or very few requests by concerned persons for access to data under the Regulation, the agencies are considering setting up monitoring tools to keep track of these requests. This gives a positive signal that the agencies are developing internal tools to monitor compliance with the Regulation.
The EDPS will encourage and closely monitor further progress, in particular in those institutions and agencies where compliance in the field of notification to the DPO and prior checking by the EDPS needs to be improved. The EDPS will put special emphasis on ensuring better compliance in agencies, notably by underlining the importance of complying with the Regulation at the level of agency management.
The EDPS will increasingly carry out on-the-spot inspections in institutions or agencies in order to verify actual practice and encourage compliance. Finally, further requests to measure compliance with the Regulation will follow at a later stage in order to assess further progress made.
(*) Data controller: person or administrative entity (for example a general director or a head of unit) that determines the purposes and means of the processing of personal data on behalf of an institution or body.
(**) Data protection officer: as provided by the Data Protection Regulation, every Community institution or body must appoint a data protection officer (DPO). The main task of the DPO is to ensure, in an independent manner, the internal application of the provisions of the Regulation in the institution concerned.
(***) Prior check: as provided by the Data Protection Regulation, processing operations likely to present specific risks for the rights and freedoms of data subjects by virtue of their nature, their scope or their purpose are subject to prior checking by the EDPS. This applies for example to processing of data relating to health or suspected offences, and to processing operations intended to evaluate personal aspects relating to the data subject, including his or her ability, efficiency or conduct.
The EDPS is responsible for monitoring and ensuring the application of the Data Protection Regulation in Community institutions and bodies (Article 41 of the Regulation). Following a similar exercise launched in 2007, this reporting operation is part of an ongoing exercise by the EDPS to ensure compliance with the Data Protection Regulation and to assess further progress made in this field.