EDPS Report: EU Institutions’ use of Data Protection Impact Assessments
Today, the European Data Protection Supervisor (EDPS) published a Report on how EU institutions, bodies and agencies (EUIs) carry out Data Protection Impact Assessments (DPIAs) when processing information that presents a high risk to the rights and freedoms of natural persons.
Wojciech Wiewiórowski, EDPS, said: “Data Protection Impact Assessments are one of the new and valuable accountability tools that EUIs use when they process sensitive personal data to measure the impact and risks to individuals. DPIAs also help to better understand how the data processing is changing in practice. Our Report, along with the replies received from our survey, allows the EDPS to provide further guidance on DPIAs in accordance with Article 39 of the Regulation applicable to EU institutions”.
In February 2020, the EDPS conducted a survey to determine how the EUIs have been using DPIAs since the entry into force of Regulation (EU) 2018/1725. The EDPS Report contains the lessons learned and best practices identified by the EUIs.
The nature of processing operations for which DPIAs are carried out varies widely, with the main reasons for conducting a DPIA being the processing of sensitive or highly personal data, personal data processed on a large scale or the innovative use or application of new technology.
The EDPS will carry out targeted surveys such as this one more frequently in the future, as they are a useful way to monitor compliance with the Regulation.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, offices and agencies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content (related to or provided by end-users of communications services), are also considered personal data.
Privacy: the right of an individual to be left alone and in control of information about him or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention on Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Processing of personal data: According to Article 3(3) of Regulation (EU) 2018/1725, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. See the glossary on the EDPS website.
The powers of the EDPS are clearly outlined in Article 58 of Regulation (EU) 2018/1725.