EU institutions are better at complying with data protection rules and privacy principles than ever before. This is the overall message of the EDPS report on his latest general stocktaking exercise, published today.
Peter Hustinx, EDPS, says: "I’m delighted with the progress that the EU institutions have made. 10 years of our active supervision have resulted in significantly higher levels of compliance with data protection obligations across EU services. This is a powerful indication that institutions are recognising that they are accountable for applying data protection rules."
62 EU institutions supervised by the EDPS were surveyed on how they process personal information. The survey included questions on, among other things, staff training, transfers to third countries and how data protection officers are involved in the design of new processing operations.
In general, the EU institutions have made considerable progress since the last EDPS survey in 2011. The European Training Foundation (ETF) and the European Centre for Disease Control (ECDC) are among those institutions that have shown the most improvement.
Giovanni Buttarelli, Assistant EDPS, says: "Most institutions are on the right track now, although some are still lagging behind on their compliance with data protection rules. We will follow those up as appropriate - some may require assistance and training, while others will benefit from more robust action."
Based on the results of the survey, the EDPS will keep a close eye on the European Investment Fund (EIF), the European Institute for Security Studies (EUISS), the European Union Satellite Centre (EUSC), the ENIAC Joint Undertaking and the European GNSS Agency (GSA). The EDPS will also use the results of this survey in planning further supervision and enforcement activities. This programme includes developing guidance for the institutions, for example on transfers of personal data to third countries.
Every two years, the EDPS conducts a general stocktaking exercise, in the form of surveys, of all EU institutions. EU institutions process personal data both in their core business activities and in their administrative duties. This concerns everyone whose personal information is processed by the institutions - whether they are EU staff, recipients of EU grants or persons registered in large-scale EU IT systems such as EURODAC.
The EDPS surveys take stock of the state of the registers and inventories of processing operations established by EU institutions and several other compliance aspects. These surveys allow the EDPS to chart progress over time and to plan his activities.
Privacy and data protection are fundamental rights in the EU. Data protection is protected by European law and enshrined in Article 8 of the Charter of Fundamental Rights of the European Union.
Article 28(1) of Regulation (EC) No 45/2001 obliges EU institutions and bodies to inform the EDPS when drawing up administrative measures that relate to the processing of personal information. Article 46(d) of the Regulation imposes a duty upon the EDPS to advise all institutions and bodies, either on his or her own initiative or in response to a consultation, on all matters concerning the processing of personal information, in particular before they draw up internal rules relating to the protection of fundamental rights and freedoms with regard to the processing of personal information.
Personal information or data: Any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about him or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention on Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Accountability: Under the accountability principle, EU institutions and bodies put in place all those internal mechanisms and control systems that are required to ensure compliance with their data protection obligations and should be able to demonstrate this compliance to supervisory authorities such as the EDPS.