The EU institutions and bodies are making steady progress implementing data protection rules. This is the conclusion of the report published yesterday by the European Data Protection Supervisor (EDPS) on his latest stocktaking exercise.
Giovanni Buttarelli, EDPS, said: “As the EU’s independent supervisory authority, it is the EDPS’ role to keep EU institutions on track in fulfilling their data protection obligations. The institutions themselves are accountable for applying the rules and integrating data protection principles in their daily work. I am pleased that the results of our Survey confirm that they increasingly do.”
Every two years, the EDPS conducts a Survey on selected areas of data protection at all the EU institutions he supervises. 61 EU institutions were surveyed in the latest exercise on the state of registers and inventories. These contain information on each operation involving the processing of personal data (such as the collection, use, sharing and so on). The Survey also addressed other areas such as transfers to non-EU countries and how data protection officers are involved in the development of new processing operations.
In general terms, the results of the Survey show high levels of compliance with data protection obligations and privacy principles across EU services. The older, more established institutions should now focus on maintaining proper inventories and notifying any new (or changed) processing operations to their data protection officers and the EDPS.
Younger institutions have made up ground with several agencies notifying 100% of their processing activities.
Other institutions are lagging behind and for these, the EDPS will follow up and take action as appropriate. Such action could include targeted guidance activities, assistance and training or more robust action.
Wojciech Wiewiórowski, Assistant Supervisor, said: “Although the Survey is technical in nature and focussed on formal compliance with data protection rules, it is also useful for assessing the state of play and general trends as well. The survey and report indicate to the EU institutions, and anyone else who may be interested, that they are being fairly assessed; as the results feed into the choices that we make about the EDPS supervision and enforcement activities for the year, the procedure promotes transparency. Where progress is slow or has slowed down, for instance in notifications to the EDPS, we will provide support to the institutions to ensure that data protection becomes a reflex.”
All EU institutions process personal information for administrative purposes, such as Human Resource management, and some do so as part of their core business, for instance, database management and fraud investigation. Therefore, the compliance of EU institutions with data protection rules concerns everyone whose personal data is processed by the institutions, be they EU staff, recipients of EU grants, registered in a database or others.
Privacy and data protection are fundamental rights in the EU. Data protection is a fundamental right, protected by European law and enshrined in Article 8 of the Charter of Fundamental Rights of the European Union.
Article 28(1) of Regulation (EC) No 45/2001 obliges EU institutions and bodies to inform the EDPS when drawing up administrative measures that relate to the processing of personal information. Article 46(d) of the Regulation imposes a duty upon the EDPS to advise all institutions and bodies, either on his or her own initiative or in response to a consultation, on all matters concerning the processing of personal information, in particular before they draw up internal rules relating to the protection of fundamental rights and freedoms with regard to the processing of personal information.
Personal information or data: Any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about him or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Accountability: Under the accountability principle, EU institutions and bodies put in place all those internal mechanisms and control systems that are required to ensure compliance with their data protection obligations and should be able to demonstrate this compliance to supervisory authorities such as the EDPS.