EU institutions and bodies deal with a wide variety of personal data, and often in complex ways. EU law requires that they are able to ensure, verify and demonstrate compliance with data protection rules when handling this data. According to a report published today by the European Data Protection Supervisor (EDPS), there has been continuous and steady progress in the way that they deliver on this obligation.
Giovanni Buttarelli, EDPS, said: "Our latest stock-taking exercise confirms a largely positive trend among EU institutions and bodies. As their independent supervisory authority, it is the role of the EDPS to make sure they remain accountable in their compliance with data protection rules. The publication of this report will help us to establish priorities for EDPS activities in 2018, a year which, with the entry into force of the new General Data Protection Regulation (GDPR), as well as a Proposal to amend the current rules governing data protection in the EU institutions, will mark the beginning of a new era in data protection."
All EU institutions process personal information in their administrative duties and for some it even constitutes part of their core business activities. Their compliance with data protection rules therefore concerns anyone whose personal data is processed by the institutions, including EU staff, recipients of EU grants or anyone registered in large-scale EU databases.
As part of our efforts to ensure this compliance, every two years the EDPS conducts a Survey of all EU institutions under its supervision, focusing on selected data protection topics. For this edition, we surveyed 64 EU institutions on the state of their registers and inventories of processing operations and several other compliance aspects, such as the increasing number of data transfers to third countries.
Although the EDPS Survey is technical in nature and focuses on formalities, it provides us with valuable information to assess trends, promotes transparency and feeds into the choices the EDPS makes regarding our supervision and enforcement activities. In line with the EDPS enforcement policy, we publish the report in order to encourage greater accountability on the part of EU institutions in their compliance with data protection rules.
Wojciech Wiewiórowski, Assistant EDPS, said: "This Survey provides a state of play in relation to the compliance of EU institutions with data protection rules, whilst also illustrating the role of the EDPS as their independent supervisory authority. The report is part of our efforts to train and guide EU institutions on how best to respect data protection rules in practice, whilst focusing on processing activities that present a high risk to individuals. We emphasise progress made in comparison to previous Surveys, and underline shortcomings. We also take follow-up action, ranging from targeted assistance, guidance and training to more robust action, where appropriate."
Privacy and data protection are fundamental rights in the EU. Data protection in particular is protected by European law and enshrined in Article 8 of the Charter of Fundamental Rights of the European Union.
Article 28(1) of Regulation (EC) No 45/2001 obliges EU institutions and bodies to inform the EDPS when drawing up administrative measures that relate to the processing of personal information. Article 46(d) of the Regulation imposes a duty upon the EDPS to advise all institutions and bodies, either on his or her own initiative or in response to a consultation, on all matters concerning the processing of personal information, in particular before they draw up internal rules relating to the protection of fundamental rights and freedoms with regard to the processing of personal information.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content related to or provided by end-users of communications services, are also considered personal data.
Privacy: the right of an individual to be left alone and in control of information about him or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Accountability: under the accountability principle, EU institutions and bodies put in place all the internal mechanisms and control systems required to ensure compliance with their data protection obligations, and should be able to demonstrate this compliance to supervisory authorities such as the EDPS.
The EDPS Survey 2017 is available on the EDPS website.