European Data Protection Supervisor

Prior checking


Article 27(1) of Regulation (EC) No 45/2001 lays down that all "processing operations likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes" are to be prior checked by the EDPS. Prior checks serve to determine whether the EU administration is planning to process personal data in compliance with the Regulation, or whether the system needs to be improved from a data protection point of view.

In principle, the opinion of the EDPS is to be delivered prior to the start of the processing operation. However, since some processing operations existed before the EDPS was appointed, the EDPS also carries out prior checking afterwards ("ex post prior check").

The Regulation lists the following areas as likely to present specific risks for the data subjects:

  • Processing of data relating to health and to suspected offences, offences, criminal convictions or security measures;
  • Processing intended to evaluate personal aspects relating to the data subject, including his or her ability, efficiency and conduct;
  • Processing allowing links, not provided for pursuant to national or Community legislation, between data processed for different purposes;
  • Processing for the purpose of excluding individuals from a right, benefit or contract.

The EDPS also considers that in certain cases, processing of biometric data and monitoring of electronic communications can pose specific risks and should therefore be prior checked.

Should the DPO have any doubts as to the need for prior checking, he or she may consult the EDPS on the case. These consultations have proved to be a fundamental tool in developing criteria for determining which systems need to be prior checked.

Prior checks are carried out by the EDPS on the basis of a notification received from the DPO. The EDPS keeps a public register of these notifications. This register also includes the follow-up measures undertaken by the institution or body to comply with the opinion of the EDPS.

The findings of the EDPS take the form of a prior check opinion which is presented to the controller and to the DPO of the institution or body concerned. The opinions usually imply that the institution or body needs to adopt a set of recommendations. The EDPS makes sure that these recommendations are complied with.

The main areas where the EDPS has issued prior checking opinions include staff evaluation, administrative and disciplinary investigations, processing of health data, monitoring of electronic communications and social services.