EDPS issues Guidelines on the use of eCommunications and Mobile Devices
On 17 December 2015, the European Data Protection Supervisor (EDPS) published two sets of Guidelines for the EU institutions and bodies: one on personal data and electronic communications (eCommunications) and the other on personal data and mobile devices. These guidelines offer practical advice to organisations to integrate data protection principles in their management of email, internet and telephony for work purposes.
Wojciech Wiewiórowski, Assistant EDPS, said: “eCommunications is a complex and dynamic field of technology that plays a central role for most of us in our day-to-day professional and personal lives. The use of mobile devices adds to the complexity. Our guidelines aim to help EU institutions to comply with their data protection obligations. However, anyone or any organisation interested in data protection in these two fields might find these guidelines useful since the Data Protection Regulation applicable to the EU institutions, is similar in many respects to the data protection Directive which is implemented into the national laws of EU Member States."
Organisations using eCommunications process the personal information of their employees, for instance, in the management of the eCommunication services, billing and verifying authorised use. In most cases, the private use of work equipment is permitted so interference by an employer on the use of eCommunications by employees is likely to touch upon aspects directly relating to their private lives.
The convenience of mobile devices, such as phones, tablets, laptops and netbooks, is that they allow staff to work remotely. These devices present common risks due to their portability and small size; the measures to mitigate these risks - such as security access to office networks - need to be specifically tailored.
Mobile devices and eCommunications are complex subjects and require guidance. The domains are two of the most dynamic fields of technology and are subject to rapid change. These guidelines put a clear emphasis on the general principles of data protection that will help EU institutions comply with the data protection Regulation.
These guidelines build on the years of practical experience through the EDPS' supervision work, on previous EDPS decisions and Opinions (on administrative consultations, prior checks and complaints), as well as on the work done by the Article 29 Working Party.
Though they are based on the current data protection legal framework they will remain relevant when the new framework comes into force, particularly because of the focus on the accountability of organisations including, EU institutions, to demonstrate that they are complying with their data protection obligations.
Background information
Privacy and data protection are fundamental rights in the EU. Data protection is a fundamental right, protected by European law and enshrined in Article 8 of the Charter of Fundamental Rights of the European Union.
More specifically, the rules for data protection in the EU institutions - as well as the duties of the European Data Protection Supervisor (EDPS) - are set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.
Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five year term, they took office on 4 December 2014.
EDPS Strategy 2015-2019: Unveiled on 2 March 2015, the 2015-2019 plan summarises the major data protection and privacy challenges over the coming years and the EDPS' three strategic objectives and 10 accompanying actions for meeting them. The objectives are (1) Data protection goes Digital (2) Forging Global Partnerships and (3) Opening a New Chapter for EU Data Protection.
Personal information or data: Any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Processing of personal data: According to Article 2(b) of Regulation (EC) No 45/2001, processing of personal data refers to "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction." See the glossary on the EDPS website.
Electronic Communication/eCommunication tools include email, internet and telephony.
Mobile Device: is any portable computing device such as a smartphone or tablet computer.