The European Data Protection Supervisor (EDPS) is the EU's independent Data Protection Authority (DPA), with a broad mission that includes monitoring and ensuring the protection of personal data at the level of the EU institutions and cooperating with national supervisory authorities.
The legal framework of the EDPS aims to protect both individuals and the organisations that process data in the internet era. Its bedrock is Regulation (EC) 45/2001, supported by other, more recent provisions.
Designed to grapple with the realities of global, ubiquitous data in the internet era, the EU’s new data protection legislation should provide increased legal certainty for both individuals and organisations processing data and greater protection for the individual in general.
In this section you will find links to key pieces of current and new data protection legislation.
In particular, the reform of the EU’s data protection rules, which began in January 2012, has resulted in two key pieces of legislation:
- a general Regulation on data protection (679/2016) which was adopted on 24 May 2016, applicable as of 25 May 2018; and
- a specific Directive (680/2016) on data protection in the area of police and justice, adopted on 5 May 2016, applicable as of 6 May 2018.
The official texts of the Regulation and the Directive are now recognised as law across the EU. Member States have two years to ensure that they are fully implementable in their countries by May 2018.
In the meantime, the existing legislation, Directive 95/46/EC for the private and most of the public sector and Council Framework Decision 2008/977/JHA for the law-enforcement sector, remain applicable across the EU.
Take a look at the history of the General Data Protection Regulation on our GDPR timeline page for more information about its evolution. You can also download EU Data Protection, a free app for mobile devices from the EDPS, to consult the new texts of these two pieces of legislation.
Below you will also find a link to the ePrivacy Directive 2002/58/EC which provides additional data protection rules for telecommunications networks and internet services. This Directive is due to be repealed. The European Commission adopted a proposal for a Regulation on 10 January 2017; it is currently under discussion in the European Parliament and the Council of the European Union.
You will also find a link to Regulation (EC) 45/2001 which lays down the rules for data protection in the EU institutions - as well as the duties of the European Data Protection Supervisor. The European Commission adopted a proposal on 10 January 2017 which repeals Regulation (EC) 45/2001 and brings it into line with the GDPR. The proposal is currently under discussion in the European Parliament and the Council of the European Union.
Both the ePrivacy and Regulation 45/2001 replacement texts should be adopted in time to become applicable at the same time as the GDPR. With this comprehensive reform, the EU will have a modern framework for protecting privacy and data protection.
Regulation (EC) No 45/2001
Regulation on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ L 8, p. 1, 12.01.2001
Decision No 1247/2002/EC
Decision No 1247/2002/EC on the regulations and general conditions governing the performance of the European Data Protection Supervisor's duties, OJ L 183, p. 1, 12.07.2002
Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, p. 31, 23.11.1995
Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, p. 37, 31.07.2002
Directive 2009/136/EC amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws, OJ L 337, p. 11, 18.12.2009
Council Framework Decision 2008/977/JHA
Council Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, OJ L 350, p. 60, 30.12.2008
Council of Europe Convention No. 108 on data protection
Convention for the protection of individuals with regard to automatic processing of personal data (ETS No. 108, 28.01.1981)
Other international instruments
OECD Guidelines governing the protection of privacy and transborder flows of personal data (July 2013): https://edps.europa.eu/sites/edp/files/publication/2013-09-09_oecd-privacy-guidelines_en.pdf
OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy (2007)
The core task of the EDPS is to supervise the EU institutions so that they set an exemplary standard for every public authority. At the same time, the EDPS can coordinate and share supervision activities with the national DPAs regarding the ways in which personal data is processed. Additionally, the Supervisor has an advisory role on a wide range of data protection topics.
As a Supervisor:
The European Data Protection Supervisor (EDPS) is the data protection authority for the European Union institutions, bodies and agencies (EU institutions).
One of our core tasks is to supervise the EU institutions to help them be exemplary; public authorities must be beyond reproach when they process personal information.
We do this by monitoring those activities that use (process) personal data or information. The personal data could be yours or that of anyone else who works for or with the EU, including visitors, contractors or beneficiaries of grants.
Like any employer with over 40,000 members of staff, the EU institutions need to develop the procedures necessary for their effective management and smooth functioning. These might include the evaluation and promotion of staff, access control to their buildings, the working hours of employees, and policies to prevent sexual and psychological harassment.
In addition to employment matters, EU institutions also process personal information for other purposes. Their core business activities reflect the issues relevant to European society, from food safety to disease prevention and financial stability.
We also supervise Europol, the EU body actively cooperating with law enforcement authorities to combat international crime and terrorism.
In line with the principle of accountability, being compliant with data protection rules is primarily the responsibility of EU institutions.
To support them, we provide guidance on how to be compliant and make sure that the rules are applied as they should be; our approach is to trust and verify.
In practice this includes issuing guidelines, investigating complaints and checking risky processing operations.
The current data protection rules for the EU institutions are laid down in Regulation (EC) 45/2001 (the Regulation). The role and responsibilities for the EDPS’ supervision work are also outlined in the Regulation.
The Regulation is very similar to the data protection rules for the Member States; we carry out our supervision work in a similar way to the national data protection authorities in the EU countries.
This Regulation is about to change. In January 2017, the European Commission published a proposal for a new Regulation, to bring the rules for the EU institutions in line with those that apply to Member States under the General Data Protection Regulation (GDPR).
We are preparing so that the EU institutions, including the EDPS, are ready when the new rules come into force on 25 May 2018.
In anticipation of the likely changes and the approach of the GDPR, we have already begun to take these into account in our supervision work, for example, with a greater focus on accountability.
How we carry out our supervision work
- EU institutions consult us via their Data Protection Officers (DPOs) for advice when drawing up measures or internal rules that involve the processing of personal data;
- We give written or verbal advice to them either on request or on our own initiative;
- Our written advice is contained in Opinions, comments, Decisions, letters, papers or guidelines;
- Our verbal advice is offered via our DPO telephone hotline (reserved for the EU institutions);
- We also offer useful resources and documents to assist DPOs in general, for instance case-law & guidance, in a dedicated section on this website called DPO Corner;
- We raise awareness about data protection in the EU institutions and provide training;
- We conduct on-site inspections to verify compliance in practice;
- We deal with complaints from individuals relating to the processing of their personal data by the EU institutions;
- Before introducing a risky processing operation, EU institutions have to notify it to us, so that we can prior-check it and give advice to improve or stop it where necessary;
- We carry out periodic surveys to gather statistics to benchmark and compare EU institutions;
- Where our general or targeted stocktaking exercises highlight shortcomings, we may visit those institutions to encourage better compliance;
- We carry out inquiries, either following information received from third parties or on our own initiative.
When EU institutions do not comply with the data protection rules, the EDPS can use the enforcement powers set out in the Regulation, such as:
- Warn or admonish the European institution which is unlawfully or unfairly processing your personal information;
- Order the European institution to comply with requests to exercise your rights (e.g. access to your own data);
- Impose a temporary or definitive ban on a particular data processing operation;
- Refer a case to the Court of Justice of the European Union.
If you think that your rights have been infringed by an EU institution processing your personal information, you can lodge a complaint with the EDPS to investigate it.
We recommend that you first contact that EU institution to resolve the issue.
Please note that the EDPS has no supervisory powers for handling complaints on the processing of personal information by national authorities or private organisations.
If your complaint concerns one of these, you should contact the data protection authority in that country.
As an Advisor:
The General Data Protection Regulation (GDPR) recognises and strengthens the powers of all data protection supervisory authorities to advise national parliaments, governments and other institutions and bodies on legislative and administrative measures relating to the protection of personal data.
Currently being revised to be brought in line with the GDPR, Regulation (EC) 45/2001 lays down the roles and responsibilities for the EDPS.
Our advisory mandate:
In addition to our supervision of the EU institutions, the EDPS also has a role as advisor on data protection issues in a wide range of policy areas and all matters concerning the processing of personal data.
This broad mandate was confirmed by the Court of Justice of the European Union, which held that the advisory role of the EDPS is not limited to the processing of personal data by EU institutions (Orders of 17 March 2005 in the so-called PNR cases).
A legislative proposal does not have to directly impact EU data protection rules in order to trigger scrutiny by the EDPS; it is enough that the proposal has implications for the fundamental right to data protection (as laid down in the EU Charter of Fundamental Rights).
Our objective is to ensure that data protection is integrated into proposals for legislation that affect privacy and personal data protection in the EU. We also advise on EU initiatives that are not legally binding (so-called EU soft law instruments).
To this end, we provide guidance on proposed legislation both to the European Commission, as the most frequent initiator of proposals, and to the European Parliament and the Council, as co-legislators.
Such proposals and initiatives may be necessary and politically supported. Nevertheless, if there are data protection implications, our role is to ensure that policy makers address them before adoption, so as to avoid the legislation being challenged before the Court of Justice of the European Union and possibly struck down.
Some guiding principles:
- Similar to our approach in our supervision work, we aim to develop a culture of accountability whereby the institutions recognise their own responsibility to ensure the protection of personal data when developing new EU policies and legislation;
- We provide support to the EU institutions to be accountable: to help the legislators carry out their own assessment of proposed measures implying the processing of personal data, we have developed a toolkit on the concept of necessity;
- We aim to provide pragmatic advice by analysing the complexity of a proposal and taking advantage of the experience gained in our supervision cases with the EU institutions; we look for constructive and workable solutions;
- As an advisor on all data protection matters at EU level, in addition to providing advice on a consultation by the Commission (or another institution), we also issue advice on our own initiative when there is a matter of particular significance;
- We are not for or against any measure involving the processing of personal data and base our assessment and advice on the evidence justifying its need.
Read the EDPS Policy Paper of 2014 for more detail on our advisory role and proposed new legislation: https://edps.europa.eu/sites/edp/files/publication/14-06-04_pp_edpsadvisor_en.pdf
How do we carry out our advisory task?
- Each year, we publish a list of priorities for our policy and consultation work for the coming year. Our annual plan is based on the work programme of the European Commission; given the significant number of proposals adopted by the Commission each year, we are selective in our approach. In addition, the work programme of the Article 29 Working Party is an important point of reference.
- To be most effective, we provide input at an early stage of the legislative process. In accordance with a well-established practice, the EDPS is consulted by the European Commission before it adopts a proposal for new legislation that is likely to have an impact on individuals’ right to the protection of their personal data.
- We reply to this prior consultation with informal comments. These contain our initial data protection recommendations before the proposal is formally adopted. We do not publish our informal comments.
- Our formal Opinions relate to proposals for legislation and are addressed to all three EU institutions involved in the legislative process, with the aim of flagging our main data protection concerns together with our recommendations. These Opinions are made public and are available to read on this website as well as the Official Journal of the EU.
- We actively follow the developments in the European Parliament and the Council after providing advice, and we are available to them for further consultation during all stages of the legislative process (e.g. during meetings of shadow rapporteurs of the Parliament or of working groups of the Council).
- Our formal comments also address the data protection implications of proposals and soft law instruments in a different format to our Opinions. Our formal comments are available to read on this website.
- We may also intervene before the EU courts either at the Court’s invitation or on behalf of one of the parties in a case to offer our data protection expertise. At the Court of Justice of the European Union or the General Court, we can highlight specific data protection issues to ensure that individuals' fundamental rights to privacy and data protection are respected.
- The EDPS also monitors new technologies or other societal changes that may have an impact on data protection. Where appropriate we will issue an Opinion on our own initiative. However useful and attractive these technologies or changes may be, our aim is to highlight if the fundamental rights to protection of privacy and personal data in the EU are at risk and recommend ways to safeguard these rights.
Supervision and coordination:
The European Union has set up a number of European large-scale IT systems whose supervision is shared between the national Data Protection Authorities ('DPAs') and the EDPS. In order to ensure a high and consistent level of protection, national DPAs and the EDPS work together in supervision coordination.
Currently, the following IT systems are subject to this supervision model:
• Visa Information System (VIS)
• Schengen Information System (SIS)
• Customs Information System (CIS)
• Internal Market Information System (IMI)
Some of these systems include vast amounts of data - for example, Eurodac contains fingerprints of more than two million persons and the VIS tracks millions of visa applications per year.
While there are slight differences between the legal bases for these systems, in general they establish that national DPAs and the EDPS shall cooperate to ensure coordinated supervision. To this end, representatives of the national DPAs and of the EDPS meet regularly - usually twice a year - to discuss common issues regarding supervision. Activities include inter alia joint inspections and inquiries and work on a shared methodology.
The Secretariat of those groups is provided by the EDPS.
A part of the EDPS website is dedicated to everything related to the Authority, such as its publications, networks and reports.
The EDPS works to preserve the public interest in the field of information circulation. To do so, it cooperates closely with every Data Protection Authority and respects the ethical dimension necessary in that field.
Established under Regulation (EC) No. 45/2001, the EDPS is the European Union’s independent data protection authority, tasked with ensuring that the institutions and bodies of the EU respect data protection law.
The EU as a policy making, legislating and judicial entity looks to the EDPS as an independent supervisor for impartial advice on policies and proposed laws which might affect the rights to privacy and data protection. The EDPS performs this function through developing itself as a centre of excellence in the law, but also in technology insofar as it affects or is affected by the processing of personal information.
We carry out our functions in close cooperation with fellow data protection authorities and aim to be as transparent as possible in our work serving the EU public interest.
In this section of our website, we have highlighted a number of areas of our work including Big Data & Digital Clearing House, EDPS Worldwide, Technology Monitoring, IPEN and Ethics.
By using our search function, you can search our work by document type (Opinions, comments, press releases etc.) or by subject.
In this section, you will find background and other practical documents, containing essential information for you to carry out your Data Protection Officer (DPO) tasks and mission.
The Position papers on Professional Standards for Data Protection Officers and on the role of a Data Protection Officer are complemented by a brief presentation on “The DPO at work” which gives tips and best practices for a professional Data Protection Officer.
Firstly, however, you may want to recap on what the decision appointing a DPO should contain. Thereafter, you can review the implementing rules concerning the tasks, duties and powers of the DPO adopted by your body. The guidelines contained here, illustrated with an example, are helpful in drafting these rules.
Article 26 of Regulation 45/2001 states that “A register of processing operations notified in accordance with Article 25 shall be kept by each Data Protection Officer”. To help you keep such a register, the EDPS advises that you first identify all the processing operations in an inventory.
It is then easier to identify processing operations that should be notified to you in accordance with Article 25. A template of an Article 27 notification together with instructions will also allow you to properly notify your risky processing operations to the EDPS.
Please include an editable version of the notification form (not only a PDF version). In areas for which the EDPS has issued Guidelines, controllers and DPOs are invited to use the EDPS Guidelines as a practical reference. Notifications submitted for prior checking in these fields should include a cover letter highlighting specific aspects vis-à-vis the position of the EDPS as expressed in the relevant thematic Guidelines. In accordance with the procedure followed for a thematic approach, the EDPS will issue a "mini prior check opinion" which analyses and highlights only those practices that do not appear to conform with the principles of the Regulation and with the thematic Guidelines. Please note that until such a cover letter is received, the EDPS will suspend the processing of the notification concerned.
We also thought it would be useful to include some tips and presentations on how to raise awareness within your institution, as well as templates of privacy statements.
Lastly, there is also an e-learning module available on data protection. This module offers learners a practical introduction to Personal Data Protection and the Regulation (EC) N° 45/2001 (Course code: CTO_EL00DATAPROX). Those who are interested should address their request to their training manager in order to enrol in Syslog.
All information on this page comes from an official source, the European Data Protection Supervisor website: https://edps.europa.eu/data-protection/data-protection/legislation_en
Reports, Opinions, and other Policy Documents
EDPS, Opinion on the Proposals for two Regulations establishing a framework for interoperability between EU large-scale information systems, Opinion 4/2018, 16 April 2018
EDPS, Guidelines on the protection of personal data in IT governance and IT management of EU institutions, 23 March 2018
EDPS, 2017 Annual Report - Data Protection and Privacy in 2018: going beyond the GDPR, 19 March 2018
EDPS, Opinion on online manipulation and personal data, Opinion 3/2018, 19 March 2018
EDPS, Guidelines on the use of cloud computing services by the European institutions and bodies, 16 March 2018
EDPS, Accountability on the ground: Provisional guidance on documenting processing operations for EU institutions, bodies and agencies (EUIs), 6 February 2018
EDPS, Opinion on eight negotiating mandates to conclude international agreements allowing the exchange of data between Europol and third countries, Opinion 2/2018, 14 March 2018
EDPS, Opinion on the proposal for a recast of Brussels IIa Regulation, Opinion 1/2018, 15 February 2018
EDPS, Opinion on the proposal for a Regulation on ECRIS-TCN, Opinion 11/2017, 12 December 2017
EDPS, Opinion on safeguards and derogations under Article 89 GDPR in the context of a proposal for a Regulation on integrated farm statistics, Opinion 10/2017, 20 November 2017
EDPS, Opinion on the proposal for a Regulation on the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA), Opinion 9/2017, 9 October 2017
EDPS, Recommendations on specific aspects of the proposed ePrivacy Regulation, 5 October 2017
EDPS, Opinion on the proposal for a Regulation establishing a single digital gateway and the ‘once-only’ principle, Opinion 8/2017, 1 August 2017
EDPS, Opinion on the new legal basis of the Schengen Information System, Opinion 7/2017, 2 May 2017
EDPS, Opinion on the Proposal for a Regulation on Privacy and Online Electronic Communications (ePrivacy Regulation), Opinion 6/2017, 24 April 2017
EDPS, Opinion on the Proposal for a Directive on certain aspects concerning contracts for the supply of digital content, Opinion 4/2017, 14 March 2017
EDPS, Opinion on coherent enforcement of fundamental rights in the age of Big Data, Opinion 8/2016, 23 September 2016
EDPS, Case Law Overview 1 December 2014-31 December 2015, Relevant case-law of CJEU, ECHR and national courts of EU Member States on the right to the protection of personal data, the right to the protection of private life, access to documents and the right to freedom of expression. Includes reference to pending cases, Working document, 15 March 2016
EDPS, The EDPS Strategy 2015-2019: Leading by example, 2 March 2015
EDPS, Europe’s big opportunity: EDPS recommendations on the EU’s options for data protection reform, Opinion 3/2015 with addendum, 9 October 2015
EDPS, Position paper on the transfer of personal data to third countries and international organisations by EU institutions and bodies, Brussels, 14 July 2014
EDPS, Opinion on the Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions — ‘A comprehensive approach on personal data protection in the European Union’, OJ C 181/01, Brussels, 22.6.2011