Prior-checking Opinion regarding the use of thermal imaging cameras and the auto-track functionality of pan-tilt cameras at the European Central Bank (case 2015-0938)
This case marks the first prior-checking Opinion involving the assessment of a data protection impact assessment (DPIA).
The Opinion regards the use of thermal imaging cameras and the auto-track functionality of pan-tilt cameras at the European Central Bank (ECB). Under the EDPS Video-surveillance Guidelines such "high-tech video-surveillance tools" are subject to prior checking and permissible only subject to a DPIA. The DPIA conducted by the ECB allowed the EDPS to assess the permissibility of the technique used by the ECB.
The EDPS concluded that, because of the comprehensiveness of the information provided in the notification, of the outcome of the assessment and of the circumstances driving the ECB to apply these measures, operations may start before certain additionally recommended data protection safeguards have been implemented.
Accountability on the ground: Guidance on documenting processing operations for EU institutions, bodies and agencies (EUIs). These documents provide provisional guidance for controllers and DPO in the EUIs on how to generate records for their processing operations, how to decide whether they need to carry out data protection impact assessments (DPIAs), how to do DPIAs and when to do prior consultations to the EDPS (Articles 31, 39 and 40 of Regulation (EU) 2018/1725).
A provisional version of this text was published in February 2018. The current version 1.3 was published in July 2019.
When EU institutions and bodies process personal data, they must comply with the principle of accountability and the obligations set out in the EU Data Protection Regulation 45/2001. EDPS Factsheet 3 provides information on how the EDPS works with the EU insitutions to ensure they achieve compliance.
Data protection can support the European economy, said the European Data Protection Supervisor (EDPS) today, following the publication of his Guidelines on data protection in EU financial services regulation.
Under Article 39(4) of Regulation (EU) 2018/1725, the EDPS shall adopt a list of the kinds of processing operations subject to a data protection impact assessment (DPIA). Under paragraph 5 of the same Article, the EDPS may adopt a list of the kinds of processing operations not subject to a DPIA. For further information on how to use this list, please see the Accountability on the ground toolkit.
2018 was a busy year for the EDPS and a pivotal year for data protection in general. Under new data protection rules, the rights of every individual living in the EU are now better protected than ever, the European Data Protection Supervisor (EDPS) said today, as he presented his 2018 Annual Report to the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE).
2018 will be a landmark year for data protection. As co-host of the 2018 International Conference of Data Protection and Privacy Commissioners (ICDPPC) and a key player in the reform and implementation of the new EU data protection framework, the EDPS will remain at the forefront of the global dialogue on data protection and privacy in the digital age, the European Data Protection Supervisor (EDPS) said today, as he presented his 2017 Annual Report to the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE).
The new EU data protection framework consists of much more than just the GDPR. New rules for the EU institutions and ePrivacy are yet to be finalised, and remain a key focal point for EDPS work. As well as providing advice to the legislator on these new rules, the EDPS has started working with the EU institutions and bodies to prepare them for the changes to come. A particular focus of his efforts in 2016 was on promoting accountability, a central pillar of the GDPR which it is safe to assume will also be integrated into the new rules for EU institutions and bodies.
In 2016, the EDPS also made a considerable effort to help move the global debate on data protection and privacy forward and mainstream data protection into international policies. He advised the EU legislator on the Umbrella agreement and the Privacy Shield and engaged with data protection and privacy commissioners from every continent. He also continued to pursue new initiatives, such as the Ethics Advisory Group, through which he intends to stimulate global debate on the ethical dimension of data protection in the digital era.
The EDPS aims to make data protection as simple and effective as possible for all involved. This requires ensuring that EU policy both reflects the realities of data protection in the digital era and encourages compliance through accountability.
This report provides an overview of the activities carried out by the EDPS from 2015-2019. In particular, it focuses on how the EDPS has worked towards implementing the objectives set out in the EDPS Strategy 2015-2019, which relate to digitisation, global partnerships and the modernisation of data protection. This involved not only contributing historical pieces of legislation, such as the General Data Protection Regulation and Regulation 2018/1725, but also bringing the concepts of ethics and accountability to the forefront of data protection discourse and application.
Opinion on the Proposal for a Regulation of the European Parliament and of the Council on energy market integrity and transparency, OJ C 279/03, 23.09.2011, p.20
The main aim of the Proposal is to prevent market manipulation and insider trading on wholesale energy (gas and electricity) markets. The Proposal contains several provisions relevant to the protection of personal data, including those on market monitoring and reporting and investigation and enforcement. The EDPS recommendations included the following:
The Proposal should clarify whether any personal data may be processed in the context of market monitoring and reporting and which safeguards will apply. If, in contrast, no processing of personal data is expected (or such processing would only be exceptional and would be restricted to rare cases, where a wholesale energy trader might be an individual rather than a legal entity), this should be clearly set forth in the Proposal, at least in a recital.
Provisions on data protection, data security and accountability should be clarified and further strengthened, especially if the processing of personal data would play a more structural role. The Commission should ensure that adequate controls are in place to ensure data protection compliance and provide evidence thereof ("accountability").
The Proposal should clarify whether on-site inspections would be limited to a business property (premises and vehicles) of a market participant or also apply to private properties (premises or vehicles) of individuals. In the latter case, the necessity and proportionality of this power should be clearly justified and a judicial warrant and additional safeguards should be required. This should be clearly foreseen in the proposed Regulation.
The scope of the powers to require "existing telephone and existing data traffic records" should be clarified. The Proposal should unambiguously specify what records can be required and from whom. The fact that no data can be required from providers of publicly available electronic communications services should be explicitly mentioned in the text of the proposed Regulation, at least in a recital. The Proposal should also clarify whether the authorities may also require private records of individuals, such as employees or executives of the market participant under investigation (e.g. text messages sent from personal mobile devices or browsing history of home internet use). If this would be the case, the necessity and proportionality of this power should be clearly justified and the Proposal should also require a warrant from a judicial authority.
With regard to reporting of suspected market abuse, the Proposal should explicitly provide that any personal data contained in these reports should only be used for purposes of investigating the suspected market abuse reported. Unless a suspected market abuse has led to a specific investigation and the investigation is still on-going (or a suspicion has proved to be well-founded and has led to a successful investigation), all personal data related to the reported suspected market abuse should be deleted from the records of all recipients after the lapse of a specified period (unless otherwise justified, at the latest two years following the date of report). In addition, parties to an information exchange should also send each other an update in case a suspicion proves to be unfounded and/or an investigation has been closed without taking further action.
Opinion on the Communication from the Commission on "A comprehensive approach on personal data protection in the European Union", OJ C 181/01, 22.06.2011, p.1
See also the text of the Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions - "A comprehensive approach on personal data protection in the European Union".