EDPS welcomes adoption of new data protection rules for EU institutions
The adoption of new data protection rules for the EU institutions and bodies represents another vital step forward in the development of a comprehensive EU framework for data protection in the digital age, the European Data Protection Supervisor (EDPS) said today.
Giovanni Buttarelli, EDPS, said: “The new Regulation, which applies from today, brings the data protection rules for the EU institutions and bodies (EUI) in line with the standards imposed on other organisations and businesses by the General Data Protection Regulation (GDPR). Under the new rules, which we may refer to as the EUI-GDPR, the EDPS remains responsible for ensuring the effective protection of individuals’ fundamental rights and freedoms whenever their personal data is processed by the EU institutions or on their behalf, whether this is to ensure EU markets work better, to evaluate and supervise medicines in the EU or to fight against terrorism and organised crime. This role includes promoting public awareness and understanding of the risks to people’s rights and freedoms in relation to the processing of personal data, as well as increased cooperation with national data protection authorities. The EU institutions are expected to lead by example in applying the new rules and ensure compliance from day one onwards”.
As the supervisory authority for the 66 EU institutions, bodies, offices and agencies, the EDPS has been working hard over the past two years to ensure that the transition to the new Regulation is a resounding success. In addition to regular meetings and workshops with the Data Protection Officers (DPOs) of the EU institutions, the EDPS has carried out an extensive programme of visits, meetings with top management and training sessions covering the full spectrum of EU institutions, bodies and agencies. These sessions have focused not only on those EU employees known as controllers, who are directly involved in the processing of personal data, but also on raising awareness among management and EU staff in general.
The EDPS campaign has put particular emphasis on the importance of accountability, the idea that EU institutions not only comply with the new rules, but that they are able to demonstrate this compliance. The EDPS expects top management to set the tone here, by building data protection into their risk management plans and ensuring that data protection is ingrained into the culture of their organisations. To help them with this, the EDPS has updated and is producing new guidance documents, on topics such as accountability, risk assessment and Data Protection Impact Assessments (DPIAs), data breach notifications and transparency and information obligations.
As an EU institution, the EDPS is also subject to the new rules. An Internal Task Force on the Transition to the New Regulation has been hard at work ensuring that the EDPS is prepared to lead by example and act as an accountable controller, while also providing assistance to other EU institutions as they continue their preparations. Acting as an effective supervisory authority for EUROPOL, and preparing to take on the same role for EUROJUST and the European Public Prosecutor’s Office (EPPO) in the near future, are good examples of some of the challenges we face and are taking steps to tackle effectively.
The EDPS looks forward to working in close cooperation with the EU institutions and bodies in the coming weeks, months and years, in order to ensure that they continue to lead by example in the protection of personal data across the EU and globally. He welcomes the adoption of this new Regulation with great enthusiasm.
Background information
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in the new Regulation (EU) 2018/1725. These rules replace those set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.
Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are the members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five year term, they took office on 4 December 2014.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Processing of personal data: According to Article 4(1) of Regulation (EU) No 679/2016, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." See the glossary on the EDPS website.