Article 27(1) of Regulation (EC) No 45/2001 lays down that all "processing operations likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes" are to be prior checked by the EDPS. Prior checks serve to determine whether the EU administration is planning to process personal data in compliance with the Regulation, or whether the system needs to be improved from a data protection point of view.
In principle, the opinion of the EDPS is to be delivered prior to the start of the processing operation. However, since some processing operations existed before the EDPS was appointed, the EDPS also carries out prior checking afterwards ("ex post prior check").
The Regulation lists the following areas as likely to present specific risks for the data subjects:
- Processing of data relating to health and to suspected offences, offences, criminal convictions or security measures;
- Processing intended to evaluate personal aspects relating to the data subject, including his or her ability, efficiency and conduct;
- Processing allowing links, not provided for pursuant to national or Community legislation, between data processed for different purposes;
- Processing for the purpose of excluding individuals from a right, benefit or contract.
The EDPS also considers that in certain cases, processing of biometric data and monitoring of electronic communications can pose specific risks and should therefore be prior checked.
Should the DPO have any doubts as to the need for prior checking, he or she may
consult the EDPS on the case. These consultations have proved to be a fundamental tool in developing criteria for determining which systems need to be prior checked.
Prior checks are carried out by the EDPS on the basis of a notification received from the DPO. The EDPS keeps a public
of these notifications. This register also includes the follow up measures undertaken by the institution or body to comply with the opinion of the EDPS.
The findings of the EDPS take the form of a
prior check opinion
which is presented to the controller and to the DPO of the institution or body concerned. The opinions usually imply that the institution or body needs to adopt a set of recommendations. The EDPS makes sure that these recommendations are complied with.
The main areas where the EDPS has issued prior checking opinions include staff evaluation, administrative and disciplinary investigations, processing of health data, monitoring of electronic communications and social services.