The European Data Protection Supervisor (EDPS) published today the outcome of his remote audit on how European institutions, bodies and agencies (EUIs) inform individuals about the way their personal data is processed when signing up to newsletters and other similar subscriptions.
Wojciech Wiewiórowski, EDPS, said: “With the absence of in-person events and other outreach activities due to COVID-19, EUIs have increased their online presence. The sending of newsletters is an effective way of reaching out to individuals and stakeholders. EUIs should lead by example in providing transparent information to individuals on the way their personal data is being handled”.
The EDPS has found that most EUIs comply with the information and transparency requirements set out in the applicable data protection law, Regulation (EU) 2018/1725.
Even before receiving the EDPS’ recommendations following the audit, the majority of EUIs proactively took interim measures. Based on the letter announcing the audit, EUIs revised, for example, their data protection statements or improved the accessibility of information. These measures aim to ensure that individuals have easy access to clear information on the EUIs’ websites about how their personal data is processed when subscribing to newsletters.
This audit, for which no on-the-spot action was required, is part of a number of audits conducted remotely by the EDPS due to the ongoing COVID-19 crisis. This adapted audit format has allowed the EDPS to continue its supervisory work, by reaching out to a high number of EUIs, their data protection officers, and EUI staff processing individuals’ personal data in their day-to-day work.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS), was appointed by a joint decision of the European Parliament and the Council on to serve a five-year term, beginning on 6 December 2019.
About EDPS audits: As part of the EDPS’ supervisory work, we carry out audits in the EU institutions. Inspections allow us to verify how data protection is applied in practice at an EU institution. More information can be found on the EDPS’ website here.
Processing of personal data: According to Article 3(3) of Regulation (EU) 2018/1725, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. See the glossary on the EDPS website.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
The powers of the EDPS are clearly outlined in Article 58 of Regulation (EU) 2018/1725.