This document is an excerpt from the EUR-Lex website
Document 32025Q02608
Decision of the European Data Protection Supervisor of 25 November 2025 on records and archives management [2025/2608]
Decision of the European Data Protection Supervisor of 25 November 2025 on records and archives management [2025/2608]
Decision of the European Data Protection Supervisor of 25 November 2025 on records and archives management [2025/2608]
OJ L, 2025/2608, 23.12.2025, ELI: http://data.europa.eu/eli/proc_rules/2025/2608/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)
In force
|
Official Journal |
EN L series |
|
2025/2608 |
23.12.2025 |
DECISION OF THE EUROPEAN DATA PROTECTION SUPERVISOR
of 25 November 2025
on records and archives management [2025/2608]
THE EUROPEAN DATA PROTECTION SUPERVISOR,
Having regard to Council Regulation (EEC, Euratom) No 354/83 of 1 February 1983 concerning the opening to the public of the historical archives of the European Economic Community and the European Atomic Energy Community (1), as amended by Council Regulation (EC, Euratom) No 1700/2003 (2) and Council Regulation (EU) 2015/496 (3), in particular Articles 1, 2, 8 and 9(1) thereof,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (4), and in particular Articles 13 and 25(4) thereof,
Whereas:
|
(1) |
Pursuant to Regulation (EEC, Euratom) No 354/83, as amended by Regulation (EC, Euratom) No 1700/2003 and by Regulation (EU) 2015/496, Union institutions are required to establish their historical archives, open them to the public after thirty years, and adopt internal rules for the application of the Regulation. These internal rules shall include rules for the preservation and opening to the public of historical archives and on the protection of personal data contained therein. |
|
(2) |
In its opinion of 10 October 2012 on the Commission Proposal for a Council Regulation amending Regulation (EEC, Euratom) No 354/83, the European Data Protection Supervisor (‘EDPS’) underlined the need to adopt adequate implementing rules to ensure that data protection concerns are effectively addressed in the context of legitimate record keeping for legal, financial, administrative, and archiving purposes, in accordance with data protection rules applicable to Union Institutions and bodies. |
|
(3) |
The records held by the EDPS are the basis of its operations and daily work. They are part of the EDPS organisational assets, and are important sources of administrative, evidential and historical information. They are essential for the organisation in its current and future operations, for the purposes of accountability and transparency, and for an awareness and understanding of its history and procedures. They must therefore be managed in accordance with effective rules applicable to all services and staff. |
|
(4) |
Internal rules on records management and archives should take into account relevant information security obligations, as laid down in particular in the EDPS Decision of 9 March 2020 (adapted on 11.11.2022) on the security rules for protecting EU classified information, as well as the EDPS digital transformation actions. They should leverage existing digital document management solutions and incorporate the latest advancements in electronic integrity and archiving as well as international standards and best practices. |
|
(5) |
Union institutions, bodies, offices and agencies are encouraged to recognise electronic identification and trust services covered by Regulation (EU) No 910/2014 of the European Parliament and of the Council (5) for the purpose of administrative cooperation capitalising, in particular, on existing good practice and the results of ongoing projects in the areas covered by this Regulation. |
|
(6) |
EDPS records should be electronic by default, although exceptions are possible. The EDPS keeps records that are created, received and managed in the course of its activities. All records, regardless of the format and technological environment in which they are collected, created or received, are captured and maintained in an official electronic repository of records. |
|
(7) |
Internal rules on records and archives management should cover the lifecycle of records and ensure the authenticity, reliability, integrity and usability of records and their metadata over time. |
|
(8) |
Effective and proper records and archives management enables the EDPS to ensure informed and efficient decision-making; to implement the principle of accountability of public actions; to meet transparency obligations and comply with legal obligations; to manage business risks; to protect rights and obligations of the EDPS, to provide evidentiary support in litigation; and to preserve the institutional memory. |
|
(9) |
Internal rules on records management and archives should be aligned with the obligation to provide access to documents held by the EDPS in accordance with the principles, arrangements and limits laid down in Regulation (EC) No 1049/2001 of the European Parliament and the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (6). |
|
(10) |
Internal rules on records management and archives should also comply with the data protection obligations set out in Regulation (EU) 2018/1725. Pursuant to this Regulation, the EDPS is required to provide information to data subjects on the processing of their personal data and it shall facilitate the exercise of data subject rights under Articles 17 to 24 thereof. These rights should be balanced with the objectives of archiving purposes in the public interest. |
|
(11) |
All members of staff should be accountable for the creation and correct management of records relating to policies, processes, procedures, and actions for which they are responsible according to applicable rules and procedures. |
|
(12) |
Data and information within the EDPS shall be made available and shared as broadly as possible to facilitate collaborative work among its staff, enhance retrieval and reuse of data and information, and promote the synergy of resources to improve overall efficiency. |
|
(13) |
Data and information access may be restricted where sensitive information or legal obligations require access to be limited. In particular, protection measures related to the level of confidentiality of information, personal data, or other clearly defined reasons may require more limited and targeted access based on the need-to-know principle. |
|
(14) |
The EDPS’ independent functions of the Data Protection Officer and Legal Service were consulted on the measures taken in the present Decision. |
|
(15) |
The European Data Protection Supervisor, as the supervisory authority for EU institutions, bodies and agencies, was consulted in accordance with Article 41(2) of Regulation (EU) 2018/1725 and delivered an opinion on 3 October 2025 (7). |
|
(16) |
For reasons of clarity and legal certainty, prior EDPS policies on records management and archives should be repealed and replaced by this Decision, |
HAS ADOPTED THIS DECISION:
CHAPTER I
General provisions
Article 1
Subject matter and scope
1. This Decision lays down rules concerning the management of the EDPS records and archives in paper or electronic format, and the preservation and opening to the public of the EDPS archives.
2. This Decision applies to records held by the EDPS and to its archives, regardless of their format, medium, age, or location.
3. This Decision is applicable to all staff members of the EDPS covered by the Staff Regulations and the Conditions of Employment of other servants of the European Union, i.e. officials, temporary agents and contract agents. It shall also apply to seconded national experts and trainees.
4. This Decision does not apply to staff members of the European Data Protection Board’s (‘EDPB’) Secretariat. As specified under section IV, paragraph 2, point (iv), of the Memorandum of Understanding between the European Data Protection Board and the European Data Protection Supervisor (8), records management is included in the list of tasks to be carried out by the EDPB Secretariat in accordance with Article 75(6) of Regulation (EU) 2016/679 of the European Parliament and of the Council (9).
Article 2
Definitions
For the purposes of this Decision, the following definitions shall apply:
|
(a) |
‘archives’ means records to be permanently preserved for their administrative, fiscal, legal, historical or informational value; |
|
(b) |
‘authenticity’ means the fact that a record can be proved to be what it purports to be, to have been created or sent by the person purported to have created or sent it and to have been created or sent when purported; |
|
(c) |
‘document’ means any content whatever its medium (written on paper or stored in electronic form or as a sound, visual or audio-visual recording) concerning a matter relating to the policies, activities and decisions falling within the EDPS’ sphere of responsibility; |
|
(d) |
‘EDPS’ means the European Data Protection Supervisor as a body of the Union; |
|
(e) |
‘electronic signature’ means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign; |
|
(f) |
‘electronic time stamp’ means data in electronic form which binds other data in electronic form to a particular time establishing evidence that the latter data existed at that time; |
|
(g) |
‘European Data Protection Supervisor’ or ‘the Supervisor’ means the person appointed as European Data Protection Supervisor by the European Parliament and the Council in accordance with Article 53 of Regulation (EU) 2018/1725; |
|
(h) |
‘file’ means a set of records and other related documents about a specific activity, organised for the purpose of evidentiary value, accountability or information and corporate institutional memory to support the efficiency of that activity; |
|
(i) |
‘filing plan’ or ‘classification scheme’ means the tool for linking records to the context of their creation. It is presented as a hierarchical structure of classification levels and is based on the business activities that generate records in a specific organisational business setting; |
|
(j) |
‘integrity’ means the fact that a record is complete and unaltered; |
|
(k) |
‘metadata’ means structured or semi-structured information, which enables the creation, management, and use of records through time and within and across domains; |
|
(l) |
‘official electronic repository of records’ means the records system(s) in which the records held by the EDPS are collected and organized to enable retrieval, distribution, use, disposal or preservation; |
|
(m) |
‘preservation’ means the technical processes and operations that make it possible to keep records over time, to maintain their integrity and authenticity and to guarantee access to their content; |
|
(n) |
‘qualified electronic seal’ means advanced electronic seal, which is created by a qualified electronic seal creation device, and that is based on a qualified certificate for electronic seal; |
|
(o) |
‘qualified electronic signature’ means advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures; |
|
(p) |
‘record(s)’ means information, regardless of form or medium, created, received and maintained as evidence and as an asset by the EDPS, in pursuit of legal obligations or in the course of conducting business; |
|
(q) |
‘records system’ or ‘records management system’ means information system which captures, manages and provide access to records over time. A records system can consist of technical elements, such as software, and non-technical elements, including policy, procedures, people and other agents, and assigned responsibilities; |
|
(r) |
‘registration’ means the act of capturing a record together with the relevant metadata into a records system; establishing that it is complete and properly constituted from an administrative and/or legal point of view; certifying that it has been sent by an author to an addressee on a given date and/or has been incorporated to one of the EDPS official repositories; |
|
(s) |
‘reliability’ means the fact that the content of a record can be trusted as a full and accurate representation of the transactions, activities and facts to which they attest and that the record can be depended upon in the course of subsequent transactions or activities; |
|
(t) |
‘retention schedule’ means a comprehensive instruction covering the disposition of records to ensure that they are retained for as long as necessary based on their administrative, fiscal, legal, historical or informational value; |
|
(u) |
‘usability’ means the fact that a record can be located, retrieved, presented and interpreted within a time period deemed reasonable by stakeholders. |
CHAPTER II
Records management
Article 3
Creation of records
1. The EDPS’ records shall be created as electronic records and shall be kept in its official electronic repositories. However, in exceptional circumstances, - such as for example because of legal or protocol obligations; when it is not possible to digitise a document due to format/size; or for the specific and unique value of the analogue version - records may be created in a different medium or kept in a different format.
2. Records in analogue format created or received by the EDPS shall be systematically digitised and captured in an official electronic repository. The resulting electronic digitised version replaces the validity of the analogue format from that moment onwards.
3. EDPS services shall ensure that e-mail records providing evidence of and information about their activities and transactions are identified, managed and preserved in accordance with the requirements for record-keeping set forth in the present Decision.
4. All records created or received by a staff member in connection with, or as a result of the official work of the EDPS, are the property of the EDPS.
Article 4
Capturing records
1. EDPS services shall regularly review the types of information created or received in the course of their respective activities, to identify which ones are to be captured in an official electronic repository and, taking account of the context in which they were produced, to organise their management throughout their life cycle.
2. The captured records shall not be altered. They may be removed or replaced by subsequent versions until the file they belong to is closed.
Article 5
Registration of documents
1. Documents drawn up or received by the EDPS must be registered in one of the records management systems if they contain important information, which is not short-lived, or if they may involve action or follow-up by the EDPS services.
2. Any document or content from collaborative working platforms that meets the criteria set out in paragraph 1 must be recorded in one of the official records management systems of the EDPS.
3. Records systems should generate unique identifiers for the registered records.
4. Classified documents shall only be registered in approved record-keeping systems designed for handling documents of the relevant classification level.
Article 6
Filing plan
1. The EDPS shall use and maintain a filing plan reflecting its activities.
2. Registered records are organised in files and these files are linked to the part of the filing plan that describe the activities in the context of their creation.
3. A single official file must be established for each matter falling within the remit of a given EDPS service. Each official file must be completed with records created or received in connection with the related matter.
Article 7
Electronic systems and processes
The EDPS services shall keep and manage their records by means of electronic processes and electronic systems and structures with interfaces to ensure storage of, access to, and recovery of records, unless required otherwise by the EDPS applicable rules.
Article 8
Validity of documents and procedures
1. A document created or received by the EDPS shall be considered valid or admissible for registration purposes when the following conditions are met:
|
(a) |
the person from whom it originates is identified; |
|
(b) |
the context in which the document was produced is reliable and the document meets the conditions that guarantee its integrity; |
|
(c) |
the document complies with the formal requirements set out in the applicable Union or national law; |
|
(d) |
in the case of an electronic document, the document is created in a way that guarantees the integrity, reliability and usability of its content and the accompanying metadata. |
2. An electronic rendition created by digitising an analogue document created or received by the EDPS shall be considered valid or admissible for registration purposes when the following conditions are fulfilled:
|
(a) |
no signature is required by a provision of Union law or the law of a Member State or third country concerned; |
|
(b) |
its format offers guarantees of integrity, reliability, durability, readability over time and ease of access to the information it contains. |
Where a signed analogue document is not required, such an electronic rendition may be used for any exchange of information and for any procedure within the EDPS.
3. Where a provision of Union or national law requires a signed original of a document, a document drawn up or received by the EDPS shall satisfy that requirement if the document contains any of the following:
|
(a) |
one or more handwritten or qualified electronic signatures; |
|
(b) |
one or more electronic signatures, other than qualified, providing sufficient guarantees about the identification of the signatory and the expression of their will in the signed document. |
4. Where a procedure specific to the EDPS requires the signature of an authorised person, or the approval of a person at one or more stages of the procedure, the procedure may be managed by computer systems, provided that each person is clearly and unambiguously identified and that the system in question provides guarantees that the content is not altered during the procedure.
Article 9
Electronic signatures, seals, timestamps
1. Where a procedure involves the EDPS and other entities, and requires the signature of an authorised person or the approval of a person at one or more stages of the procedure, the procedure may be managed by IT systems where use conditions and technical warranties are determined by agreement of the parties involved.
2. Electronic signatures, simple, advanced or qualified, shall replace handwritten signatures wherever possible.
3. The EDPS shall determine, in addition to existing legal requirement, the categories of documents that may require advanced or qualified signature.
4. A qualified electronic signature shall have the equivalent legal effect of a handwritten signature.
5. A qualified electronic seal shall enjoy the presumption of integrity of the data and of correctness of the origin of the data to which it is linked.
6. A qualified electronic time stamp shall enjoy the presumption of the accuracy of the date and the time it indicates and the integrity of the data to which the date and time are bound.
7. In the implementation of this article and other articles related to the electronic signature, the EDPS shall apply Regulation (EU) No 910/2014 as amended by Regulation (EU) 2024/1183.
Article 10
Information security and protection
1. Records, files, information systems and archives shall be managed in accordance with the EDPS information security policy and associated applicable policies.
2. Classified information should be processed according to the EDPS applicable rules.
CHAPTER III
Preservation of records and historical archives
Article 11
Retention and storage criteria
1. The retention period for the various categories of files shall be set for the EDPS by way of administrative decisions, such as retention schedules drawn up on the basis of the organisational context, the existing legislation and the EDPS legal obligations.
2. Storage and preservation of records, for the duration required, shall take place under the following conditions:
|
(a) |
records shall be stored in the form in which they were created, sent or received or in a form which preserves the authenticity, reliability and integrity of their content and of the accompanying metadata; |
|
(b) |
the content of records and their relevant metadata must be readable throughout their period of storage by any person authorised to have access to them; |
|
(c) |
where records are sent or received electronically, the information required to determine the origin or destination of the record and the date and time of the capture or registration, shall be part of the minimum metadata to be stored; |
|
(d) |
as regards electronic procedures managed by IT systems, information about the formal stages of the procedure and its approval workflows shall be stored under such conditions as to ensure that those stages and the authors and participants can be identified for as long as required by applicable financial, legal, administrative requirement. |
Article 12
Digital preservation strategy
The EDPS shall establish and implement a digital preservation strategy to ensure long-term access to electronic records on the basis of the retention schedules referred in Article 11(1). The EDPS shall ensure that processes, tools, and resources are in place to guarantee the authenticity, reliability and integrity of records and their accessibility for the time necessary.
Article 13
Appraisal
1. The appraisal of EDPS records and files shall be conducted on a regular basis, to assess whether they shall be transferred to the archives or eliminated.
2. A set of metadata on appraised records and files shall be retained in the official electronic repository as evidence of such records and files and their transfer to the archives or elimination, and to be able to respond to internal or external search requests.
3. Records and files deemed of historical value shall be prepared for permanent preservation and transfer to the historical archives.
4. The responsibility of a service for the intellectual content of any record or file continues after the transfer to the EDPS Archives.
Article 14
Processing of personal data contained in the EDPS archives
1. When processing personal data for archiving purposes in the public interest, the EDPS shall implement appropriate safeguards to ensure compliance with Article 13 of Regulation (EU) 2018/1725. Such safeguards shall include technical and organisational measures, in particular, in order to ensure respect for the principle of data minimisation. The safeguards shall include:
|
(a) |
the selection of records and files for transfer to the historical archives shall be conducted based on the EDPS retention schedules. Prior to the closure and transfer of any record or file, the responsible department should assess, as part of the administrative closing procedure, that solely personal data necessary and proportionate for the purposes of historical archiving are retained. This assessment shall be conducted on a case-by-case basis, in accordance with the principle of data minimisation. The modalities and criteria of this assessment shall be further specified in the implementing rules of this Decision. All the other files, including structured personal data files, such as personal and medical records, or those referred to in Article 26 of the Staff Regulations of EU officials and the Conditions of Employment of Other Servants (10), shall not be transferred to the historical archives, but shall be eliminated at the end of their administrative retention period, as determined in the relevant applicable rules and according to the implementing rules of this Decision; |
|
(b) |
the EDPS retention schedules shall authorise the administrative elimination of specific types of records, identified therein, prior to the expiration of the administrative retention period applicable to the corresponding files. Consequently, these types of records shall be excluded from processing for archiving purposes in the public interest; |
|
(c) |
prior to appraising the files considered to be transferred to the EDPS archives, the EDPS services shall assess the potential presence of records containing special categories of personal data (as defined in Article 10(1) of the Regulation (EU) 2018/1725), Furthermore, they shall evaluate the necessity and proportionality of the processing for archiving purposes in the public interest, and consult with the EDPS archives service to determine the appropriate specific measures to be implemented in accordance with Article 10(2)(j). |
2. In accordance with Article 25(4) of the Regulation (EU) 2018/1725, the EDPS may apply derogations from the rights of data subjects referred to in Articles 17 (Right of access by the data subject), 18 (Right to rectification), 20 (Right to restriction of processing), 21 (Notification obligation regarding rectification or erasure of personal data or restriction of processing and 23 (Right to object) of Regulation (EU) 2018/1725, subject to appropriate conditions and safeguards as provided for in Article 13 of Regulation (EU) 2018/1725, insofar as applying a derogation is necessary to fulfil archiving purposes in the public interest and to preserve the integrity of the EDPS historical archives. Derogations from the following rights of data subjects may be applied in accordance with the provisions of Article 25(4) of Regulation (EU) 2018/1725:
|
(a) |
the right of access, as provided for in Article 17 of Regulation (EU) 2018/1725, insofar as the exercise of that right is likely to render impossible or seriously impair the achievement of the specific purposes for which the personal data are processed for archiving purposes in the public interest, and such derogation is necessary for the fulfilment of those purposes. In assessing and documenting the action to be taken regarding the data subject’s request, particular account shall be given to the information provided by the data subject, as well as the nature, scope and size of the records potentially affected; |
|
(b) |
the right to rectification, as provided for in Article 18 of Regulation (EU) 2018/1725, insofar as rectification renders it impossible to preserve the integrity and authenticity of records selected for permanent preservation in the historical archives. This is without prejudice to the possibility of a supplementary statement or annotation to the record concerned, unless this proves impossible or involves a disproportionate administrative effort; |
|
(c) |
the right to restriction of processing, as provided for in Article 20 of Regulation (EU) 2018/1725, insofar as the personal data are contained in records selected for permanent preservation in the EDPS historical archives as an integral and indispensable part of these records; |
|
(d) |
the obligation to notify the rectification or erasure of personal data or restriction of processing, as provided for in Article 21 of Regulation (EU) 2018/1725, insofar as this notification is likely to render impossible or seriously impair the achievement of the specific purposes for archiving in the public interest, and such derogation is necessary for fulfilling those purposes. In assessing and documenting the action to be taken on the notification requirement, special consideration shall be given to the available information and the specific nature and scope of the records potentially concerned; |
|
(e) |
the right to object to the processing, as provided for in Article 23 of Regulation (EU) 2018/1725, insofar as the personal data are contained in records selected for permanent preservation in the EDPS historical archives as an integral and indispensable part of these records. |
3. The EDPS shall file, for accountability purposes, a record describing the reasons for derogations applied, the data subject right from which it has been derogated from, and the outcome of the assessment made. Those records and, where applicable, the documents concerning the factual or legal context shall be part of an ad hoc register, which shall be made available, upon request, to the European Data Protection Supervisor, as data protection supervisory authority.
4. The EDPS shall consult the Data Protection Officer (DPO) when considering the application of derogations from data subject rights in accordance with this Decision in a particular case and, in any case, prior to taking a decision to apply such a derogation pursuant to this Decision. The DPO shall be granted access to the record and any documents underlying factual and legal elements. The involvement of the DPO in this process shall be duly documented.
Article 15
Deposit of the EDPS historical archives at the European University Institute (HAEUI)
1. In accordance with article 8(1) of Regulation (EEC, Euratom) No 354/83, as amended by Regulation (EU) 2015/496, the EDPS shall deposit the documents which are part of its historical archives and which it has opened to the public at the HAEUI.
2. The deposit may be physical for original paper files, or electronic for digitally born and preserved records. In the latter case, specific arrangements shall be made to ensure that the HAEUI in Florence has access to the electronic archives of the EDPS, in accordance with Article 1 of the Annex of Regulation (EEC, Euratom) No 354/83 as amended by Regulation (EU) 2015/496.
3. The EDPS shall provide the HAEUI, where possible, with access to digitised copies of records held in an analogue medium in order to promote the online consultation and transparency of the EDPS historical archives.
4. Due account shall be taken of records containing classified documents, or records covered by exceptions relating to the privacy and integrity of individuals, or the commercial interests of a natural or legal person, including intellectual property as referred to in Article 2 of Regulation (EEC, Euratom) No 354/83, as amended by Regulation (EC, Euratom) No 1700/2003.
5. The HAEUI shall be the main access point to the EDPS historical archives that are open to the public.
6. The EDPS Records and Archives Manager shall send to the HAEUI descriptions of the archives that are subject of the deposit at the HAEUI. In order to facilitate the exchange of metadata with the HAEUI, interoperability shall be used in accordance with international standards.
7. The HAEUI acts as a processor, in accordance with Article 8(11) of Regulation (EEC, Euratom) No 354/83, as amended by Regulation (EU) 2015/496, under instructions from the EDPS, which acts as the controller of personal data contained in its historical archives deposited at the HAEUI.
8. The EDPS provides the necessary instructions for the processing of personal data contained in the deposited archives at the HAEUI and monitors its performance.
CHAPTER IV
Governance and Implementation
Article 16
EDPS Internal structures
1. The EDPS shall ensure that the necessary organisational, administrative and physical structures are put in place for the implementation of this Decision, its implementing rules and any associated procedure.
2. A Records and Archives Manager (‘RAM’), with relevant competencies and skills in the field, shall be designated to promote and keep efficient records management processes and systems and to ensure coordination with all services.
3. A Deputy Records and Archives Manager (‘DRAM’) shall be designated to support the RAM in all his/her duties and to ensure the continuity of the function in his/her absence.
4. Each service shall have a Records and Archives Management Correspondent (‘RAMC’) in charge of coordinating the implementation of this Decision and its implementing rules.
The RAMCs from the different services will form an internal network chaired by the RAM and Deputy RAM.
The network will meet on a regular basis to address common issues and share best practices.
5. The RAM will collaborate with the Local Security Officer (‘LSO’), the Local Cybersecurity Officer, the Local Information Security Officer (‘LISO’), the Data Protection Officer (‘DPO’), or any other function in relation to records management matters and responsibilities to ensure a coherent and consistent approach and efficient information flow.
Article 17
Roles and responsibilities
1. The Head of the EDPS Secretariat shall be responsible for ensuring that this Decision and its implementing rules and associated procedures are implemented.
2. All the EDPS services and individual staff members have a duty of care to manage the documents and records they create or use in a responsible and adequate manner, in accordance with this Decision, other procedures in place and their respective tasks.
3. The RAM shall:
|
(a) |
coordinate and monitor the implementation of this Decision and associated rules and ensure that they are applied consistently throughout the EDPS; |
|
(b) |
be responsible for establishing and maintaining the EDPS filing plan and retention schedules in collaboration with the network of RAMC; |
|
(c) |
provide guidance and support the EDPS services on records and archive management matters; |
|
(d) |
chair the network of RAMCs; |
|
(e) |
be responsible for the management of the EDPS IT records/case management systems; |
|
(f) |
represent the EDPS (as an EU body) in other external fora; |
|
(g) |
ensure that records and files are transferred to the EDPS historical archives, and made available on request to the departments of the EDPS; |
|
(h) |
undertake, where necessary and in cooperation with the originating service or equivalent service or its successor, a second review of transferred records, files and archives; |
|
(i) |
ensure the deposit of the EDPS historical archives at the HAEUI, in order to make records more than 30 years old available to the public. |
The Deputy RAM shall support the RAM in the above-mentioned tasks and replace him/her in case of absence.
4. The RAMCs shall ensure information sharing and coordination on records management and archive matters within their respective services, and coordinate the implementation of this Decision and its implementing rules.
Article 18
Information, training and support
The RAM shall coordinate with the DPO, the LSO and all relevant functions, to ensure that the information, training and support measures necessary for the application of this Decision and related implementing rules are in place within the EDPS services.
CHAPTER V
Final provisions
Article 19
Implementing rules
This decision shall be accompanied by implementing rules.
The Secretary-General shall be responsible for adopting the implementing rules in coordination with the services and shall ensure their implementation.
Article 20
Review and update
This Decision and its implementing rules shall be regularly reviewed and updated taking account in particular of:
|
(a) |
developments regarding records and archives management, including the emergence of relevant standards; |
|
(b) |
the EDPS obligations as regards transparency, public access to documents and the opening to the public of archives; |
|
(c) |
developments in information and communication technologies; |
|
(d) |
the applicable rules on the probatory value of electronic records; |
|
(e) |
any new obligations by which the EDPS may be bound. |
Article 21
Repeal of prior EDPS policies on records management and archives
The EDPS Records Management Policy and the EDPS Archives Policy are repealed and replaced by this Decision.
Article 22
Entry into force
This Decision shall enter into force on the twentieth day following that of the publication in the Official Journal of the European Union.
Done at Brussels, 25 November 2025.
For the EDPS
Wojciech Rafał WIEWIÓROWSKI
European Data Protection Supervisor
(1) OJ L 43, 15.2.1983, p. 1, ELI: http://data.europa.eu/eli/reg/1983/354/oj.
(2) Council Regulation (EC, Euratom) No 1700/2003 of 22 September 2003 amending Regulation (EEC, Euratom) No 354/83 concerning the opening to the public of the historical archives of the European Economic Community and the European Atomic Energy Community (OJ L 243, 27.9.2003, p. 1, ELI: http://data.europa.eu/eli/reg/2003/1700/oj).
(3) Council Regulation (EU) 2015/496 of 17 March 2015 amending Regulation (EEC, Euratom) No 354/83 as regards the deposit of the historical archives of the institutions at the European University Institute in Florence OJ L 79, 25.3.2015, p. 1, ELI: http://data.europa.eu/eli/reg/2015/496/oj.
(4) OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj.
(5) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73, ELI: http://data.europa.eu/eli/reg/2014/910/oj), as amended by Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework (OJ L, 2024/1183, 30.4.2024, ELI: http://data.europa.eu/eli/reg/2024/1183/oj).
(6) OJ L 145, 31.5.2001, p. 43, ELI: http://data.europa.eu/eli/reg/2001/1049/oj.
(7) Supervisory Opinion 14/2025 of 3 October 2025 on the draft decision of the European Data Protection Supervisor (‘EDPS’) on records and archives management
(8) Memorandum of Understanding between the European Data Protection Board and the European Data Protection Supervisor of 25 May 2018.
(9) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj).
(10) Regulation No 31 (EEC), 11 (EAEC), laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Economic Community and the European Atomic Energy Community (OJ 45, 14.6.1962, p. 1385, ELI: http://data.europa.eu/eli/reg/1962/31(1)/oj).
ELI: http://data.europa.eu/eli/proc_rules/2025/2608/oj
ISSN 1977-0677 (electronic edition)