This document is an excerpt from the EUR-Lex website

Protection of individuals with regard to the processing of personal data by EU institutions, bodies, offices and agencies


SUMMARY OF:

Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the EU institutions, bodies, offices and agencies and on the free movement of such data

WHAT IS THE AIM OF THE REGULATION?

The regulation:

  • lays down rules on how EU institutions, bodies, offices and agencies should treat the personal data* they hold on individuals;
  • upholds an individual’s fundamental rights and freedoms, especially the right to protection of personal data and the right to privacy;
  • aligns the rules for EU institutions, bodies, offices and agencies with those of the general data protection regulation (GDPR) and of Directive (EU) 2016/680, known as the law enforcement directive (LED), which have been applicable since May 2018;
  • repeals Regulation (EC) No 45/2001, which previously contained the rules on personal data processing by EU institutions, bodies, offices and agencies, and ensures that these comply with the same strict standards as set out in the GDPR;
  • repeals Decision No 1247/2002/EC regarding the European Data Protection Supervisor (EDPS).

KEY POINTS

Personal data must be:

  • processed in a lawful, fair and transparent way;
  • collected for specific, explicit and legitimate purposes;
  • adequate, relevant and limited to what is necessary;
  • accurate and, where necessary, kept up to date;
  • stored in a way that identification of the individuals concerned is possible for no longer than necessary;
  • processed with appropriate confidentiality.

The controller* is responsible for, and must be able to demonstrate compliance with, all the data-processing principles listed above (the controller's obligations are set out below).

Personal data:

  • may be transmitted to a recipient in the EU that is not an EU institution, body, office or agency only subject to additional safeguards;
  • may be transferred outside of the EU only under strict conditions;
  • must not be processed — except under special circumstances — if they reveal a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation;
  • need appropriate safeguards if archived in the public interest or for scientific, historical or statistical purposes.

Requests for an individual’s consent to the use of their data must be in an intelligible and easily accessible form using clear and plain language. The consent must be a clear affirmative action by the individual.

Individuals (known as ‘data subjects’ in the legislation) have the right to:

  • withdraw their consent at any time, which should be as easy as giving it;
  • know whether or not their personal data are being processed and to have access to them;
  • ensure the correction of any inaccurate personal data;
  • remove or restrict any personal data from processing provided certain conditions are met;
  • receive their personal data in a structured, commonly used and machine-readable format;
  • object, because of their particular situation, to the use of their personal data for public interest purposes;
  • not be subject to a decision based solely on automated processing that has legal consequences for them;
  • complain to the EDPS if they feel their personal data are being processed in a way that violates the regulation;
  • be compensated for any material or non-material damage they suffer because of the actions of an EU institution, body, office or agency;
  • mandate a not-for-profit organisation to lodge a complaint with the EDPS.

Controllers:

  • have to inform individuals, in plain language and with factual information such as contact details and the aim of the exercise, when personal data are collected;
  • must reply to any request from a data subject, such as a request for access to their personal data or for rectification of its contents, as soon as possible and no later than 1 month;
  • apply appropriate technical and organisational measures, including pseudonymisation*, to ensure that processing of personal data complies with the regulation;
  • must only use data processors that meet the EU requirements;
  • keep a detailed record of data processing under their responsibility;
  • cooperate with the EDPS;
  • notify the EDPS and the individual concerned as soon as possible of any personal data breach;
  • assess the impact of new processing technologies on the protection of personal data;
  • ensure the confidentiality and security of their electronic communication networks;
  • inform the EDPS when drawing up administrative measures or internal rules on the processing of personal data;
  • appoint a data protection officer for a 3- to 5-year term to:
    • give independent advice on personal data processing;
    • monitor compliance with the data protection rules.

The legislation creates a European Data Protection Supervisor, appointed for a once-renewable 5-year term of office. Based in Brussels, the holder of the post:

  • acts with complete independence;
  • treats all confidential information with professional secrecy;
  • monitors how EU institutions, bodies, offices and agencies apply the legislation;
  • promotes public understanding and awareness of the processing of personal data;
  • handles complaints and conducts investigations;
  • warns and sanctions data controllers;
  • refers issues to the Court of Justice, which handles any disputes over the legislation;
  • submits an annual report to the European Parliament, the Commission and the Council;
  • cooperates with national data protection supervisory authorities.

Special rules apply to EU bodies, offices and agencies that process operational personal data* for the purposes of law enforcement (e.g. Eurojust); these are covered by a specific chapter of the regulation, whose rules are aligned with the LED. Moreover, the founding acts of these bodies, offices and agencies may lay down more specific rules to take account of their particular features. Europol and the European Public Prosecutor's Office are excluded from the regulation. The Commission will review the legislative framework for EU bodies, offices and agencies that process operational data for the purposes of law enforcement by April 2022.

The Commission must report to the European Parliament and to the Council no later than 30 April 2022 — and every 5 years thereafter — on how the legislation is being applied.

FROM WHEN DOES THE REGULATION APPLY?

It has applied since 11 December 2018, except with regard to the processing of personal data by Eurojust, where it applies from 12 December 2019.

BACKGROUND

Article 8 of the Charter of Fundamental Rights states that everyone has the right to personal data protection. Article 16 of the Treaty on the Functioning of the EU further develops that right. This article is the legal basis for any EU legislation on data protection.

KEY TERMS

Personal data: any information on an identified or identifiable individual.
Controller: any EU institution, body, office or agency, or its organisational entity, that determines the means and purposes of processing personal data.
Pseudonymisation: processing personal data so that an individual cannot be identified without the use of additional information kept elsewhere.
Operational personal data: all personal data processed for the purposes of carrying out law enforcement tasks.

MAIN DOCUMENT

Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, pp. 39-98)

RELATED DOCUMENTS

European Data Protection Supervisor Decision of 2 April 2019 on internal rules concerning restrictions of certain rights of data subjects in relation to the processing of personal data in the framework of activities carried out by the European Data Protection Supervisor (OJ L 99I, 10.4.2019, pp. 1-7)

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general data protection regulation) (OJ L 119, 4.5.2016, pp. 1-88)

Successive amendments to Regulation (EU) 2016/679 have been incorporated into the original text. This consolidated version is of documentary value only.

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, pp. 89-131)

See consolidated version.

Decision No 1247/2002/EC of the European Parliament, of the Council and of the Commission of 1 July 2002 on the regulations and general conditions governing the performance of the European Data-protection Supervisor’s duties (OJ L 183, 12.7.2002, pp. 1-2)

Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, pp. 1-22)

See consolidated version.

last update 12.03.2019