According to Article 3(13) of Regulation (EU) 2018/1725, “‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;”

Notifications of processing operations have to comprise information on the recipients of the personal data. A recipient can be a third party (with the exception of authorities which in the framework of a particular inquiry receive data - in such cases, they shall only be regarded as a third party).

An illustrative example is the salary payments of officials of the EU institutions and bodies. The salary slip goes not only to the employee but also to the institution or body where he or she works, and Eurostat receives the data (compiled).

See also: Q&A on Transfer of personal data



In order to demonstrate compliance with Regulation (EU) No 2018/1725, controllers should maintain records of processing activities under their responsibility and processors should maintain records of categories of processing activities under their responsibility.

Unless it is not appropriate taking into account the size of the Union institution or body, Union institutions and bodies shall keep their records of processing activities in a central register. They shall make the register publicly accessible (Article 31 Regulation (EU) No 2018/1725).


Regulation (EC) No 45/2001


Regulation (EC) No 45/2001 regulated the protection of individuals with regard to the processing of personal data by Community institutions and bodies.

The Regulation implemented Article 286 of the Treaty establishing the European Communities which requires the application of data protection rules to Community institutions and bodies, as well as the establishment of an independent supervisory authority.

The data protection rules in the Regulation were based on the existing Community rules on data protection which applied to the Member States, in particular the Data Protection Directive 95/46/EC and the E-privacy Directive 2002/58/EC. The Regulation regrouped the rights of the data subjects and the obligations of those responsible for the processing into one legal instrument.

It also established the European Data Protection Supervisor as an independent supervisory authority with the responsibility of monitoring the processing of personal data by the Community institutions and bodies.

Regulation (EC) 45/2001 was repealed by Regulation (EU) 2018/1725, which entered into force on 11 December 2018.


Regulation (EU) 2018/1725

Regulation (EU) 2018/1725 lays down the data protection obligations for the EU institutions and bodies when they process personal data and develop new policies.

The Regulation repeals Regulation (EC) 45/2001, and, in line with GDPR, adopts a principle-based approach.

The new legal instrument ensures that EU institutions and bodies provide transparent and easily accessible information on how personal data is used, and that they foresee clear mechanisms for individuals to exercise their rights; it also reconfirms, clarifies and enhances the role of data protection officers within each EU institution and of the EDPS.


Retention periods

Data retention refers to all obligations on the part of controllers to retain personal data for certain purposes.

To limit how long you keep personal data is part of data minimisation. The rule of thumb is "as long as necessary, as short as possible", although sometimes legal rules may impose fixed periods. Data that are no longer retained cannot fall into the wrong hands, nor be abused, meaning that defining and enforcing limited conservation periods helps to protect the people whose data are processed.




RFID stands for Radio Frequency IDentification. It is an automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags or transponders.

An RFID tag is an object that can be applied to or incorporated into a product, an animal or a person for the purpose of identification or remote tracking through the use of radio waves.

The EDPS released an opinion on the issue in December 2007, in which he underlines that RFID systems could play a key role in the development of the European information society, but also that the wide acceptance of RFID technologies should be facilitated by the benefits of consistent data protection safeguards.



Right of access

The right of access is the right for any data subject to obtain from the controller of a processing operation the confirmation that data related to him/her are being processed, the purpose(s) for which they are processed, as well as the logic involved in any automated decision process concerning him or her.

This right also allows the data subject to receive communication in an intelligible form of the data undergoing processing and of information regarding the processing.

This right can be exercised without unnecessary constraints, at any time, and is free of charge. The data controller must respond to a data subject's request for access to their personal data without undue delay and in any event within 1 month from the receipt of the request (which may be extended by 2 further months where necessary). See Articles 17 and 14 of Regulation (EU) 2018/1725.



Right of information

Everyone has the right to know that their personal data are processed and for which purpose. The right to be informed is essential because it determines the exercise of other rights.

The right of information refers to the information which shall be provided to a data subject whether or not the data have been obtained from the data subject.

The information which must be provided relates to the identity of the controller, the purpose(s) of the processing, the recipients, as well as the existence of the right of access to data and the right to rectify the data.

The right of information for the person concerned is limited in some cases, such as for public safety considerations or for the prevention, investigation, identification and prosecution of criminal offences, including the fight against money laundering.

In the context of processing operations within the EU institutions (see Articles 15 and 16 of Regulation (EU) 2018/1725), this right is often fulfilled by a privacy statement.



Right of rectification

The right of rectification is the right to obtain from the controller the rectification without delay of inaccurate or incomplete personal data (Article 18 of Regulation (EU) 2018/1725).

The right of rectification is an essential complement to the right of access and is important to maintain a high level of data quality.

To exercise the right of rectification, the data subject usually has to write to the controller of the processing operation. By way of illustration, if you need to change your personal address or if you find that information about you is inaccurate, you should exercise your right of rectification by contacting the controller who holds these data.



Right to object

According to Regulation (EU) 2018/1725 "The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (a) of Article 5(1), including profiling based on that provision. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims."

This right has to be brought to the attention of the data subject at the time of the first communication at the latest and shall be presented in a clear way separately from any other information (see Article 23 sub (2) of Regulation (EU) 2018/1725).

In the context of the use of information society services, the data subject may exercise their right to object by automated means using technical specifications, without prejudice to Articles 36 and 37 (see Article 23 sub (3) of Regulation (EU) 2018/1725).

According to Article 23 sub (4) of Regulation (EU) 2018/1725 "Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest."


Right to restriction of processing

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

As provided by Article 20 of Regulation (EU) 2018/1725, the data subject shall have the right to obtain from the controller the restriction of processing where:

  • the accuracy of the personal data is contested by the data subject, though enabling the controller to verify the accuracy, including the completeness, of the data;
  • or the processing is unlawful and the data subject opposes their erasure and demands their restriction of processing instead;
  • or the controller no longer needs them for the accomplishment of its tasks but they have to be maintained for purposes of proof;
  • or the data subject has objected to processing pursuant to Article 23(1), pending the verification whether the legitimate grounds of the controller override those of the data subject.

Restricted personal data can only be processed with the data subject's consent, for purposes of proof, or for the protection of the rights of a third party, or for reasons of important public interest of the Union or of a Member State.