EDPS-DPO meeting: protecting individuals’ data during COVID-19


Today, on what should have been the 50th EDPS-DPO meeting with the 69 data protection officers (DPO) of the EU institutions, bodies and agencies (EUIs), we decided to hold a second 49th EDPS-DPO meeting online, which focused on data protection and COVID-19 in the EUIs.

While we were very much looking forward to mark the 50th anniversary of this strong cooperation between our institution and the network of DPOs in person, the current circumstances do not allow us to do so. Nevertheless, we hope that such celebrations can be organised in 2022.

Despite these constraints, this second 49th EDPS-DPO meeting led to fruitful discussions on how to protect individuals’ personal data in times of COVID-19. A brief summary of our meeting follows with some forward thinking at the end.

Our Supervisor started the meeting with an overview of the most recent and important developments and achievements of the EDPS and the EDPB. The Supervisor also touched on his plans for his upcoming Conference on 16-17 June 2022; he invited all DPOs to attend this event to contribute to the discussions on the future of data protection.

Delving straight into the meeting, we kicked off with a brief presentation on the results of our survey on the EUIs’ data processing operations in connection with COVID-19, launched in 2020. The purpose of the survey was to ensure that current and future data processing operations related to or carried out because of COVID-19 are compliant with Regulation (EU) 2018/1725, and therefore respect individuals’ right to data protection.

The meeting continued with two workshops, one on manual contact tracing and another on access control, both organised with the precious help of the DPO support group; in both cases, we reviewed the EDPS’ guidance on COVID-19 matters and EUI’s current practices.

On manual contact tracing, we considered, for example, the challenges resulting from enforcing data retention periods; the interplay between contact tracing within an EUI and national health authorities; whether individuals who have contracted COVID-19 should be obliged to declare this. DPOs asked questions on the contact tracing process, more specifically who should be informed in the event that an individual tests positive for COVID-19, should this tracing be limited to members of staff only, or should it also include families of staff and visitors to the EUI in question.

During the second workshop, we dealt with other complex issues, for example whether EUIs should carry out a manual or a digital verification of individuals’ COVID-19 certificates. The data protection risks of verifying COVID-19 certificates digitally, using QR-scanning applications for example, were examined during the workshop. We also discussed the issue of whether EUIs are obliged to follow national law when the latter mandates employers to impose COVID-19 certificate checks.

As the meeting drew to a close, both the EDPS and DPOs recognised the importance of DPO networks and the need for data protection professionals and data protection authorities to cooperate very closely. Ensuring compliance with data protection law is a joint endeavour in which the participation of data controllers and their DPOs is paramount. Our experience in the EU institutions’ network speaks volumes; our meetings have become increasingly interactive and therefore more meaningful.

This productive and successful meeting would not have been possible without the active participation of the EDPS’ Supervision & Enforcement Unit, the EDPS’ Technology & Privacy Unit, the DPO support group, and of course all of the EUIs’ DPOs.

As we prepare for the real 50th anniversary meeting of the EDPS and the network of DPOs, we ought to reflect together on the future of this network, which has brought so much value and pleasure to our work. We should build on these years of experiences and bring forward bold ideas that would make the network even more valuable in the years to come.

I am looking forward to continue building a strong network of DPOs and to celebrating our 17 years of close cooperation since the EDPS’ existence, in Alicante, in 2022. But until that moment comes, I take this opportunity, also on behalf of our Supervisor, Wojciech Wiewiorowski, to wish colleagues and friends of the data protection community in the EUIs and beyond a Merry Christmas and a Happy New Year.

Feliz Navidad y Próspero Año Nuevo.