A new Regulation is born!

Wojciech Wiewiórowski

In my blogpost on the May 2018 EDPS - DPO meeting, I expressed my strong belief that by the time our next meeting took place, the new Regulation for EU institutions and bodies would already be in force. How satisfying it is to see that this is indeed the case!

The EDPS welcomed 100 Data Protection Officers (DPOs) and assistant DPOs to Brussels today for the second EDPS-DPO meeting of the year, just one day after the long awaited Regulation (EU) 2018/1725 became fully applicable. The new Regulation brings the data protection rules applicable to the EU institutions in line with the rules for all companies and organisations operating in the EU, set out in the General Data Protection Regulation (GDPR).

With many things set to change under the new rules, the meeting was a chance to reflect on the new challenges we face. We kicked-off with some ice-breaking activities and then I took the floor, emphasising once again the importance the new rules place on the principle of accountability. Simple compliance is no longer sufficient. EU institutions must now also ensure that they are able to demonstrate their compliance.

I also highlighted the role of the DPO as the guardian of the data protection rules within their institution. The processing of personal data, even when done lawfully, can put the rights and freedoms of individuals at risk. Data protection rules minimise these risks and it is our role, as the EDPS and as DPOs, to identify, understand and explain these risks to those responsible for handling personal data in our institutions, known as controllers.

We strongly believe that case studies are the best way of ensuring that what the DPOs are taught in theory can later be applied in practice. The day’s activities were therefore planned around a selection of case studies, aimed at ensuring that the DPOs could gain hands-on experience of how to deal with some of the new challenges they will face.

In addition to accountability, another notable change in the rules which generated significant debate among the DPOs was Article 25 of the new data protection framework. This specifies that the controller cannot apply restrictions to the rights of individuals unless they have adopted a legal act in line with the EU Treaties or they have adopted internal rules at the highest management level of their institution.

The EDPS has published Guidelines on Article 25 and internal rules. DPOs also discussed how to draft internal rules as part of their own meeting on 11 December 2018. We therefore invited them to consider a specific case study and put theory into practice.

The obligation of controllers to notify the EDPS in case of a personal data breach is another one of the changes introduced by the new rules. After working through the advice outlined in our Guidelines on breach notifications, we invited DPOs to tackle another case study. This gave them the chance to practice the procedure they would use in the case of a breach at their own institution.

In a third case study, inspired by a recent ruling by the EU Court of Justice (CJEU) on the role of the controller, DPOs were tasked with addressing the issue of joint controllership. The ruling shows that joint responsibility does not necessarily imply equal responsibility. The ultimate meaning of joint controllership is to ensure complete and effective protection of the rights of the individual. It is important that the EU institutions are familiar with the concept, as there are many cases in which they share data processing responsibilities with national or other authorities.

To end the meeting, DPOs were asked to reflect on the recurrent problems, themes and issues that they face in their daily work. This could be related to their position as DPO in their organisation or to questions they face from controllers in their respective institutions. The DPOs of the ten EU agencies dealing with justice and home affairs issues were also invited to share any specific problems they face working in their unique environment. Our final session was dedicated to working through these problems together to try and find solutions to what proved to be a wide range of challenging issues.  

This first meeting in Brussels was a chance to touch on some of the new challenges we all face and make them feel more manageable. We wanted to encourage all DPOs to see our new data protection Bible not as a burden, but as a reference tool on how to ensure respect for the rights of those individuals whose data the EU institutions use every day to carry out their tasks and responsibilities. We plan to continue the good work together over the coming months and years to make sure that, with specific guidance and support, all EU institutions are able to implement accountability in practice.