European Data Protection Supervisor
Le Contrôleur Européen de la Protection des Données

A digital Europe needs data protection

A digital Europe needs data protection


A digital Europe needs data protection

The successful implementation of an EU-wide once-only principle to enable the lawful exchange of data across EU borders depends on ensuring that the relevant data protection principles are respected, the European Data Protection Supervisor (EDPS) said today, as he published his Opinion on the Commission’s proposal for a Regulation establishing a single digital gateway and the once-only principle.

Giovanni Buttarelli, EDPS, said:This proposal is one of the first EU instruments that explicitly refers to the once-only principle, which aims to ensure that citizens and businesses do not need to submit the same information to a public administration more than once. I welcome this initiative, but also recommend that the Commission take into account some key issues related to data protection in their continued development of the once-only principle. Additional clarity on important data protection principles, such as the legal basis of the processing, purpose limitation and data minimisation will reinforce the protection of the rights of individuals.”

The Commission’s proposal aims to modernise administrative services by facilitating the availability, quality and accessibility of information across the EU. It foresees the exchange of evidence for specified cross-border procedures, such as a request for recognition of a diploma, through a technical system, which will allow authorities to exchange data directly, at the explicit request of the individuals concerned and without these individuals having to re-submit documents that are already available in another Member State.

The EDPS supports the efforts made to ensure that individuals remain in control of their personal data. He also welcomes the amendments to the Internal Market Information System (IMI) Regulation, which the proposal introduces. These clarify the coordinated supervision mechanism foreseen for IMI and would enable the new European Data Protection Board to benefit from the technical possibilities offered by IMI for information exchange under the General Data Protection Regulation (GDPR).

However, the EDPS also asks for additional clarity on some subjects. In particular, the proposal should not provide a legal basis for the exchange of information for purposes other than those it specifies, and it should not provide a restriction on the principle of purpose limitation as set out under the GDPR. He also requests clarification on a range of issues relating to the practical implementation of user control.

The Commission’s proposal is a necessary and welcome development in the modernisation of administrative services throughout the EU, which also respects relevant data protection principles. As such, it represents a promising step towards achieving the digital Europe, based on the free movement of data, envisioned by the Estonian Presidency of the Council, whilst also demonstrating the compatibility of data protection with this vision.

The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.

Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are the members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five year term, they took office on 4 December 2014.

Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.

Processing of personal data: According to Article 2(b) of Regulation (EC) No 45/2001, processing of personal data refers to "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction." See the glossary on the EDPS website.

EU Data Protection Reform package:
On 25 January 2012, the European Commission adopted its reform package, comprising two legislative proposals:
•    a general Regulation on data protection which was adopted on 24 May 2016, applicable as of 25 May 2018; and
•    a specific Directive on data protection in the area of police and justice, adopted on 5 May 2016, applicable as of 6 May 2018.

The official texts of the Regulation and the Directive are now recognised as law across the European Union (EU). Member States have two years to ensure that they are fully implementable in their countries by May 2018.