
Prior checking


Article 27(1) of Regulation (EC) No 45/2001 lays down that all "processing operations likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes" are to be prior checked by the EDPS. Prior checks serve to determine whether the EU administration is planning to process personal data in compliance with the Regulation, or whether the system needs to be improved from a data protection point of view.

In principle, the opinion of the EDPS is to be delivered prior to the start of the processing operation. However, since some processing operations existed before the EDPS was appointed, the EDPS also carries out prior checking afterwards ("ex post prior check").

The Regulation lists the following areas as likely to present specific risks for the data subjects:

  • Processing of data relating to health and to suspected offences, offences, criminal convictions or security measures;
  • Processing intended to evaluate personal aspects relating to the data subject, including his or her ability, efficiency and conduct;
  • Processing allowing links, not provided for pursuant to national or Community legislation, between data processed for different purposes;
  • Processing for the purpose of excluding individuals from a right, benefit or contract.

The EDPS also considers that in certain cases, processing of biometric data and monitoring of electronic communications can pose specific risks and should therefore be prior checked.

Should the DPO have any doubts as to the need for prior checking, he or she may consult the EDPS on the case. These consultations have proved to be a fundamental tool in developing criteria for determining which systems need to be prior checked.

Prior checks are carried out by the EDPS on the basis of a notification received from the DPO. The EDPS keeps a public register of these notifications. This register also includes the follow-up measures undertaken by the institution or body to comply with the opinion of the EDPS.

The findings of the EDPS take the form of a prior check opinion which is presented to the controller and to the DPO of the institution or body concerned. The opinions usually imply that the institution or body needs to adopt a set of recommendations. The EDPS makes sure that these recommendations are complied with.

The main areas where the EDPS has issued prior checking opinions include staff evaluation, administrative and disciplinary investigations, processing of health data, monitoring of electronic communications and social services.