Use of EDPS Powers

Article 58 of Regulation (EU) 2018/1725 confers on the EDPS a wide range of powers for the performance of his tasks. The Europol Regulation, the EPPO Regulation and the Eurojust Regulation confer specific powers on the EDPS.

When deciding on the use of our powers, we follow the approach that we consider to be the most likely to produce positive results for the data subjects, on a case-by-case basis. We choose from a scale ranging from providing informal advice to using our enforcement powers, including our investigative powers. 

Our investigative powers include audits to verify compliance; we choose the targets of our audits from a risk-based annual plan. We also carry out investigations into topics of interest. The triggers for such investigations can be either information received from third parties (complaints, press reports, etc.) or our own initiative. 

When EU institutions do not comply with the data protection rules, the EDPS can use corrective powers, such as:

  • Warn or admonish the EU institution which is unlawfully or unfairly processing your personal information;
  • Order the European institution to comply with requests to exercise your rights (e.g. access to your own data);
  • Impose a temporary or definitive ban on a particular data processing operation;
  • Impose an administrative fine on EU institutions;
  • Refer a case to the Court of Justice of the European Union.

Learn more with our infographic.

Other Documents

Referral to the European Parliament of the EDPS request to Europol to repeal four Management Board Decisions on Articles 18(2), 18(6), 18(6a) and 18a of the amended Europol Regulation

On 15 July 2022 the EDPS referred to Europol a breach of the amended Europol Regulation following Europol's failure to consult the EDPS before adopting four Management Board decisions implementing Articles 18(2), 18(6), 18(6a) and 18a of the amended Europol Regulation. On 19 July 2022, the EDPS also referred this matter to the European Parliament, as well as the Council and the Commission, in accordance with Article 43(3)(g) of the amended Europol Regulation.

Letter of 19 July
Available languages: English
Letter of 12 September
Available languages: English



Investigation on the personal data processing activities of the European Parliament’s Wi-Fi network services

EDPS Decision on the own initiative investigation on the personal data processing activities of the European Parliament’s Wi-Fi network services (case 2019-0971)

"Redacted version for public release"

Available languages: English




Outcome of own-initiative investigation into EU institutions’ use of Microsoft products and services

This paper presents the issues raised by the EDPS’ own-initiative investigation into European institutions’, bodies’, offices’ and agencies’ (‘EU institutions’) use of Microsoft products and services. The findings and recommendations from the investigation are likely to be of interest beyond the EU institutions: they may be of particular interest to all public authorities in EU/EEA Member States.

Available languages: English



EDPS closes investigation into European Parliament’s 2019 election activities

The European Data Protection Supervisor (EDPS) has closed its investigation into the European Parliament’s use of a US-based political campaigning company to process personal data as part of its activities relating to the 2019 EU parliamentary elections. The contract between the European Parliament and NationBuilder came to a natural end in July 2019 and all data collected has been transferred to the European Parliament’s servers, the EDPS announced today.

Available languages: English