As part of our supervisory work, we carry out audits in the EU institutions.

Inspections allow us to verify how data protection is applied in practice at an EU institution.

We choose to inspect an EU institution by taking into account a number of factors, including the results of our risk analysis, whether special categories of data are processed, the time elapsed since the last audit and whether there has been an increase in the numbers of complaints.

We also ensure that we cover institutions, bodies and agencies of all sizes in our annual audit planning.

Audits or other on-site checks (for example, as part of our investigations) may also be triggered by complaints, if they require verification on the spot.

Our supervisory work also requires us to regularly audit several large-scale IT systems : at least every four years for the Visa Information System and the Schengen Information System and at least every three years for EURODAC.

The reports of our audit are not made public, but we do periodically summarise these, for instance in our newsletter and annual report.

You may also want to check our Factsheet on the topic and the remote audit on Article 25.