Eleven months have passed since the Commission issued its proposal for the new Regulation governing data protection in the EU institutions and bodies. The proposal aims to align the provisions of the current Regulation (EC) 45/2001 with the rules of the General Data Protection Regulation (GDPR) to achieve a stronger and more coherent data protection framework in the Union. The EDPS issued an Opinion on the proposed Regulation, based on our experience of 12 years of independent supervision, international cooperation and policy advice. Since then, the European Parliament and the Council have reached their respective positions. Earlier this month, the negotiations entered a crucial trilogue phase.
Giovanni Buttarelli, EDPS, said: “We are 184 days from a historic day for data protection in the European Union: the GDPR will become fully applicable on 25 May 2018. EU institutions and bodies must embrace the big shift towards accountability and stronger enforcement that the GDPR represents. We call on the European Parliament, the Council and the Commission to find agreement on the new Regulation swiftly, so that EU institutions themselves can lead by example in the rules that they apply to themselves as controllers and processors.”
Wojciech Wiewiórowski, Assistant Supervisor, said: “Over the past two years the EDPS has met with senior managers at the EU institutions to raise awareness about the new challenges for data protection compliance, emphasising the new principle of accountability for how data is processed. We are working in tandem with DPOs and other stakeholders and we are confident that EU institutions will be ready by May 2018.”
Regulation 45/2001 must be aligned with the high levels of data protection provided for in the GDPR but also with the new approach that focuses on accountability and practical safeguards for individuals, rather than bureaucratic procedures.
As agreed by the co-legislator at the time of the adoption of the GDPR (see Article 98 and recital 17 GDPR), the new data protection rules for EU institutions and bodies should become applicable at the same time as the GDPR in May 2018. The EDPS is ready to provide any support considered necessary in this process.