Data protection compliance in the EU administration: EDPS reports overall good progress and will step up verification in practice

23 Jun 2009

The European Data Protection Supervisor (EDPS) has issued his second general report measuring progress made in the implementation of data protection rules and principles by Community institutions and bodies, as laid down in the Data Protection Regulation (Regulation (EC) No 45/2001).

The report shows that Community institutions have overall made good progress in meeting their data protection requirements. A lower level of compliance is observed in Community agencies, but the EDPS will be monitoring this closely and will encourage further compliance.

Peter Hustinx, EDPS, says: "I am pleased to see that compliance with data protection rules is developing in Community institutions and agencies. Further progress is however needed to fully translate those legal obligations into concrete technical and organisational arrangements that enable privacy safeguards to be ensured. In my role as supervisor, I will continue to encourage compliance in the EU administration by measuring progress, including more systematic verifications on the spot, and setting targets where needed."

Main results in institutions

As regards implementation of data protection rules in Community institutions, the report highlights the following main results:

  • inventory of processing operations: the EDPS is satisfied that all but one institution now have an inventory of processing operations involving personal data, which allows a more systematic approach to implementation;
  • notification of processing operations from data controllers(*) to the data protection officer(**) (DPO): the EDPS notes an increase in the number of institutions which have completed the process. By the end of 2008, at least six institutions could claim that all processing operations had been notified to the DPO, compared to only two institutions at the beginning of 2008;
  • notification of processing operations to the EDPS for prior checking(***): only two institutions have so far managed to notify all existing processing operations that present specific risks to the EDPS for prior checking. There is however a positive indication that in most institutions all identified processing operations will have been notified to the EDPS by the end of 2009.

Main results in agencies

The EDPS observes that positive progress has been made in the identification of processing operations and in the adoption of implementing rules concerning the tasks and duties of the DPO. However, the level of notifications of processing operations to the DPO and further notifications to the EDPS for prior checking is generally very low. Only one agency can claim that all identified operations have been notified to the EDPS.

The EDPS also notes that although there have been no or very few requests by concerned persons for access to data under the Regulation, the agencies are considering setting up monitoring tools to keep track of these requests. This gives a positive signal that the agencies are developing internal tools to monitor compliance with the Regulation.

Further steps

The EDPS will encourage and closely monitor further progress, in particular in those institutions and agencies where compliance in the field of notification to the DPO and prior checking by the EDPS needs to be improved. The EDPS will put special emphasis on ensuring better compliance in agencies, notably by underlining the importance of complying with the Regulation at the level of agency management.

The EDPS will increasingly carry out on-the-spot inspections in institutions and agencies in order to verify compliance in practice and to encourage it. Finally, further requests to measure compliance with the Regulation will follow at a later stage in order to assess further progress made.


(*) Data controller: person or administrative entity (for example a general director or a head of unit) that determines the purposes and means of the processing of personal data on behalf of an institution or body.

(**) Data protection officer: as provided by the Data Protection Regulation, every Community institution or body must appoint a data protection officer (DPO). The main task of the DPO is to ensure, in an independent manner, the internal application of the provisions of the Regulation in the institution concerned.

(***) Prior check: as provided by the Data Protection Regulation, processing operations likely to present specific risks for the rights and freedoms of data subjects by virtue of their nature, their scope or their purpose are subject to prior checking by the EDPS. This applies, for example, to processing of data relating to health or suspected offences, and to processing operations intended to evaluate personal aspects relating to the data subject, including his or her ability, efficiency or conduct.

Background

The EDPS is responsible for monitoring and ensuring the application of the Data Protection Regulation in Community institutions and bodies (Article 41 of the Regulation). Following a similar exercise launched in 2007, this reporting operation is part of an ongoing exercise by the EDPS to ensure compliance with the Data Protection Regulation and to assess further progress made in this field.

Available languages: English, French