On 30 April, in his sixth year of activity, the European Data Protection Supervisor (EDPS) received the 500th prior-check notification concerning the processing of personal data in the EU administration. For reasons of transparency, a register of all notifications for prior checking received by the EDPS is now publicly available on the EDPS website.
Peter Hustinx (EDPS) says: "This 500th notification represents an important milestone in our supervisory activities. It not only shows that much work has been accomplished during our first five years, but also demonstrates the continued efforts and investments on the part of Community institutions and bodies in complying with data protection requirements. The public register of notifications on our website represents a key element in ensuring transparency of our supervision activities".
The EDPS takes this occasion to highlight a crucial part of his supervisory work on the basis of Regulation (EC) No 45/2001 ("Data Protection Regulation") and to look back on his activities in this area.
Data processing operations in the EU administration likely to present specific risks to the rights and freedoms of individuals must be notified to the EDPS for prior checking. The purpose is to determine whether the administration intends to process personal data in full respect of the Data Protection Regulation and to advise on any improvements that may be necessary from a data protection point of view. As a rule, notifications should be submitted prior to the processing. However, prior checks have initially also been performed ("ex post") to ensure compliance of existing systems.
Processing operations are notified to the EDPS by the data protection officer (DPO) appointed in the relevant institution or body. Sensitive processing operations include, for example, the processing of data relating to health or suspected offences, processing operations intended to evaluate someone's ability or conduct, and processing operations aimed at excluding individuals from a right, benefit or contract.
Upon the notification of a processing operation, the EDPS examines whether the processing fulfils the provisions of the Data Protection Regulation. In most cases, this exercise leads to a set of recommendations that the institution or body needs to implement, so as to ensure compliance with data protection rules. Once the EDPS has delivered his opinion, it is made public on his website with a summary of the case.
All processing operations notified to the EDPS are listed in a public register, which enables the information on a given processing operation to be kept up to date. The notification contains information about the controller, the purpose of the processing, the data subjects, the personal data processed, the legal basis, the recipients, the data retention period, and the rights of the data subjects to access, rectification and information.
The setting up of a public register of notifications therefore serves two objectives: the information on a given processing operation is kept up to date and this information is made available for public consultation. The register is now available on the EDPS website in the Supervision section.
Graphic 1: Notifications received by institution/body
The European Commission, including OLAF and EPSO, and the European agencies represent nearly 60% of the total number of notifications received by the EDPS. This is a logical outcome if we consider the institutions' size and number of processing operations.
The EDPS also welcomes the progress made following the "Spring 2007 exercise" - an operation launched by the EDPS to take stock of the implementation of the Data Protection Regulation in all Community institutions and agencies.
Graphic 2: Notifications received by category
The figures clearly show the predominance of "Evaluation", which mainly includes procedures on recruitment, evaluation, promotions, certification and attestation of EU staff, as well as flexitime and training.
"Health data" relates not only to medical data, but also to health-related data whose processing may be triggered during invalidity or allowances procedures, for example in the context of medical certificates and sickness insurance.
The category "suspected offences" relates to administrative inquiries, disciplinary procedures, harassment, OLAF cases, criminal offences and suspicions.
"Other areas" covers operations related to financial processing, such as early warning systems, public procurements and calls for tender. It also covers video surveillance, security and linkage of databases.
The "non prior checks" category covers processing operations that, after careful analysis, the EDPS does not consider to present a "specific risk" in the sense of Article 27 of the Data Protection Regulation.
The number of processing operations notified by the DPOs as well as their variety shows the importance of the supervisory role of the EDPS and the expertise developed in this field during recent years.