EDPS: greater accountability of EU institutions and bodies and involvement of DPOs for better data protection
Today, the European Data Protection Supervisor (EDPS) adopted a Policy on Consultations in the field of Supervision & Enforcement which provides guidance to EU institutions and bodies and Data Protection Officers (DPOs) on consulting the EDPS when drawing up measures or internal rules which involve the processing of personal information - also known as personal data - in compliance with the Data Protection Regulation (EC) No. 45/2001.
Every day, personal information is processed within the EU administration in accordance with measures or internal rules developed by each EU institution or body that should ensure data protection in any processing that each of them carries out. Staff recruitment and evaluation activities, contract tenders, complaints or requests for information, video surveillance and maintenance of databases are a few examples of activities where the processing of personal information can affect staff and citizens.
Giovanni Buttarelli, Assistant EDPS, says "In order to effectively respect the fundamental right to data protection of staff and citizens, EU institutions and bodies must ensure accountability when developing and implementing internal measures and from the outset, seek the expert advice of their Data Protection Officer. If the DPO needs guidance, for example in cases of complexity or when related to appreciable risks to the rights and freedoms of data subjects, the DPO or the institution may refer a consultation to the EDPS."
Thus, with this policy, the EDPS emphasises that EU institutions and bodies should be fully accountable for their data protection responsibilities. This principle ensures that when an EU institution or body draws up measures that affect data protection rights, it must first ensure that proper attention is paid to respecting its obligations under the Regulation before adopting the measure.
One of the most effective means of ensuring this is to involve the DPO right at the outset for his or her advice. The DPO ensures, in an independent manner, the internal application of the Regulation and that the rights and freedoms of individuals are unlikely to be adversely affected by the processing operations.
Background information
Article 28(1) of the Data Protection Regulation obliges EU institutions and bodies to inform the EDPS when drawing up administrative measures which relate to the processing of personal information. Article 46(d) of the Regulation imposes a duty upon the EDPS to advise all institutions and bodies, either on his or her own initiative or in response to a consultation, on all matters concerning the processing of personal information, in particular before they draw up internal rules relating to the protection of fundamental rights and freedoms with regard to the processing of personal information.
Personal data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, e-mail addresses and telephone numbers. Other details such as health data, data used for evaluation purposes and traffic data on the use of telephone, email or internet are also considered personal data.
A data controller is the EU institution or body that determines the purposes and means of the processing of personal information on behalf of an institution or body. The data controller is also responsible for the security measures protecting the information.
Each institution or body has a data protection officer (DPO). A list of data protection officers can be found on the EDPS website.
The accountability principle has been enshrined in Article 22 of the Proposal for a Regulation of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11 final, 25.1.2012, available at:
http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf