This document is an excerpt from the EUR-Lex website
Document 02020Q0626(01)-20240818
Decision of the European Data Protection Supervisor of 15 May 2020 adopting the Rules of Procedure of the EDPS
Consolidated text: Decision of the European Data Protection Supervisor of 15 May 2020 adopting the Rules of Procedure of the EDPS
ELI: http://data.europa.eu/eli/proc_rules/2020/626/2024-08-18
02020Q0626(01) — EN — 18.08.2024 — 002.001
This text is meant purely as a documentation tool and has no legal effect. The Union's institutions do not assume any liability for its contents. The authentic versions of the relevant acts, including their preambles, are those published in the Official Journal of the European Union and available in EUR-Lex. Those official texts are directly accessible through the links embedded in this document.
DECISION OF THE EUROPEAN DATA PROTECTION SUPERVISOR of 15 May 2020 adopting the Rules of Procedure of the EDPS (OJ L 204 26.6.2020, p. 49)
Amended by:
| | Official Journal No | page | date |
|---|---|---|---|
| DECISION OF THE EUROPEAN DATA PROTECTION SUPERVISOR (EDPS) of 14 October 2022 | L 274 | 78 | 24.10.2022 |
| DECISION OF THE EUROPEAN DATA PROTECTION SUPERVISOR of 18 July 2024 | L 2022 | 1 | 29.7.2024 |
DECISION OF THE EUROPEAN DATA PROTECTION SUPERVISOR
of 15 May 2020
adopting the Rules of Procedure of the EDPS
TITLE I
MISSION, DEFINITIONS, GUIDING PRINCIPLES AND ORGANISATION
CHAPTER I
Mission and definitions
Article 1
The EDPS
The EDPS shall act in accordance with the provisions of Regulation (EU) 2018/1725, any other relevant Union legal act and this Decision, and follow the strategic priorities which the European Data Protection Supervisor may set out.
Article 2
Definitions
For the purposes of this Decision, the following definitions apply:
‘the Regulation’ means Regulation (EU) 2018/1725;
‘GDPR’ means Regulation (EU) 2016/679;
‘institution’ means a Union institution, body, office or agency subject to the Regulation or to any other Union legal act providing for tasks and powers for the European Data Protection Supervisor;
‘EDPS’ means the European Data Protection Supervisor as a body of the Union;
‘European Data Protection Supervisor’ means the European Data Protection Supervisor appointed by the European Parliament and the Council in accordance with Article 53 of the Regulation;
‘EDPB’ means the European Data Protection Board as a body of the Union established by Article 68(1) of the GDPR;
‘EDPB secretariat’ means the secretariat of the EDPB established by Article 75 of the GDPR.
CHAPTER II
Guiding principles
Article 3
Good governance, integrity and good administrative behaviour
Article 4
Accountability and transparency
Article 5
Efficiency and effectiveness
Article 6
Cooperation
The EDPS shall promote cooperation among data protection supervisory authorities as well as with any other public authority whose activities may have an impact on privacy and personal data protection.
CHAPTER III
Organisation
Article 7
Role of the European Data Protection Supervisor
The European Data Protection Supervisor shall decide the strategic priorities of the EDPS and adopt the policy documents corresponding to the tasks and powers of the EDPS.
Article 8
EDPS secretariat
The European Data Protection Supervisor shall determine the organisational structure of the EDPS secretariat. Without prejudice to the Memorandum of Understanding between the EDPS and the EDPB of 25 May 2018, in particular relating to the EDPB secretariat, the structure shall reflect the strategic priorities set by the European Data Protection Supervisor.
▼M1 —————
Article 10
Management Meeting
Article 11
Delegation of tasks and deputising
▼M1 —————
TITLE II
MONITORING AND ENSURING THE APPLICATION OF THE REGULATION
Article 13
Monitoring and ensuring the application of the Regulation
The EDPS shall guarantee effective protection of rights and freedoms of individuals through monitoring and enforcement of the Regulation and of any other Union legal act providing for tasks and powers for the European Data Protection Supervisor. To that end, in the exercise of the investigative, corrective, authorisation and advisory powers, the EDPS may conduct compliance visits, surveys, bi-monthly visits, informal consultations or facilitate amicable settlements of complaints.
Article 14
Transparency of replies to consultations by institutions on their processing of personal data and to requests for authorisations
The EDPS may publish the replies to consultation by institutions on their processing of personal data in full or in part, taking applicable confidentiality and information security requirements into account. Authorisation decisions shall be published, taking applicable confidentiality and information security requirements into account.
Article 15
Data Protection Officers notified by the institutions
Article 16
Handling of complaints
The EDPS shall decide how to handle a complaint taking into account:
the nature and gravity of the alleged violations of data protection rules;
the importance of the damage that one or more data subjects have or may have suffered as a result of the violation;
the potential overall importance of the case, also in relation to other public and private interests involved;
the likelihood of establishing that the violation has occurred;
the exact date on which the underlying events occurred, the conduct in question stopped generating effects, the effects were removed or an appropriate guarantee of such a removal was provided.
The EDPS shall declare inadmissible and not handle complaints lodged more than two years after the complainant became aware of the alleged breach, except in duly justified and exceptional circumstances.
Article 17
Outcome of complaints
Article 18
Preliminary assessment and right to be heard
Before adopting a decision:
containing a finding of an infringement of the Regulation or of any other Union act relating to the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data by a Union institution or body; or
exercising corrective powers pursuant to Article 58(2) of the Regulation; or
imposing an administrative fine pursuant to Articles 58(2)(i) and 66 of the Regulation, or pursuant to point (l) of Article 43(3) of Regulation (EU) 2016/794 of the European Parliament and of the Council ( 1 ); or
exercising powers against the European Union Agency for Law Enforcement Cooperation (Europol) pursuant to points (b), (c), (d), (e), (f), (g), (j), and (k) of Article 43(3) of Regulation (EU) 2016/794; or
exercising powers against the European Public Prosecutor’s Office (EPPO) pursuant to points (b), (d) and (e) of Article 85(3)(b) of Council Regulation (EU) 2017/1939 ( 2 ); or
exercising powers against the European Union Agency for Criminal Justice Cooperation (Eurojust) pursuant to points (b), (d) and (e) of Article 40(3) of Regulation (EU) 2018/1727 of the European Parliament and of the Council ( 3 );
the EDPS shall draft a preliminary assessment and communicate it to the controller or processor which is the subject of the proceedings conducted by the EDPS (“the controller or processor”).
Before adopting a decision in cases where the EDPS intends to partially or wholly dismiss a complaint lodged pursuant to:
Articles 63 and 68 of the Regulation; or
Article 47 of Regulation (EU) 2016/794; or
Article 88 of Regulation (EU) 2017/1939; or
Article 43 of Regulation (EU) 2018/1727;
the EDPS shall draft a preliminary assessment and communicate it to the complainant.
The preliminary assessment shall contain:
the relevant established facts and references to supporting evidence on which the EDPS intends to rely to reach its decision;
the EDPS’ initial legal assessment of the facts, and any alleged infringement of the applicable data protection rules; and
any corrective powers envisaged by the EDPS, having considered aggravating or mitigating factors.
The EDPS may restrict the information provided to the complainant in the preliminary assessment referred to in paragraphs 2 and 3, to protect any of the interests referred to in:
Article 25(1) of the Regulation; or
Articles 79(3), 81(1) or 84(2) of the Regulation; or
Articles 58(3), 60(1) and 61(5) of Regulation (EU) 2017/1939; or
any other legitimate interests of confidentiality or of professional and business secrecy.
In such cases, the EDPS shall inform the complainant at least about the part(s) of the complaint that it intends to dismiss, and of the justification for applying any of the restrictions referred to in the first subparagraph. In cases of restriction of information for interests referred to in points (b) and (c) of the first subparagraph, the EDPS may omit information regarding the justification for applying any of the restrictions where the provision thereof would undermine these interests. In such cases, the EDPS shall inform the complainant in accordance with Article 84(3) of the Regulation and Article 62(3) of Regulation (EU) 2017/1939.
Article 19
Notification of a personal data breach to the EDPS by institutions
TITLE III
LEGISLATIVE CONSULTATION, TECHNOLOGY MONITORING, RESEARCH PROJECTS, COURT PROCEEDINGS
Article 20
Legislative consultation
Article 21
Technology monitoring
The EDPS, in monitoring the development of information and communication technologies insofar as they have an impact on the protection of personal data, shall promote awareness and advise in particular on the principles of data protection by design and data protection by default.
Article 22
Research projects
The EDPS may decide to contribute to the Union’s Framework Programmes and to serve on the advisory committees of research projects.
Article 23
Action against institutions for breach of the Regulation
The EDPS may refer the matter to the Court of Justice of the European Union, in case of non-compliance by an institution with the Regulation, in particular where the EDPS has not been consulted in cases provided for by Article 42(1) of the Regulation and in case of failure to effectively respond to enforcement action taken by the EDPS under Article 58 of the Regulation.
Article 24
EDPS intervention in actions brought before the Court of Justice of the European Union
When deciding whether to request leave to intervene or whether to accept an invitation from the Court of Justice of the European Union to do so, the EDPS shall take into account in particular:
whether the EDPS has been directly involved in the facts of the case in performing its supervisory tasks;
whether the case raises data protection issues that are either substantial in themselves or decisive to its outcome; and
whether intervention by the EDPS is likely to affect the outcome of the proceedings.
TITLE IV
COOPERATION WITH NATIONAL SUPERVISORY AUTHORITIES AND INTERNATIONAL COOPERATION
Article 25
EDPS as a member of the European Data Protection Board
The EDPS as a member of the EDPB shall aim to promote the Union perspective, and in particular the shared values referred to in Article 2 of the Treaty of the European Union.
Article 26
Cooperation with national supervisory authorities under Article 61 of the Regulation
The EDPS shall cooperate with national supervisory authorities and with the joint supervisory authority established under Article 25 of Council Decision 2009/917/JHA ( 4 ) with a view to, in particular:
exchanging all relevant information, including best practices, as well as information in relation to requests to exercise monitoring, investigative and enforcement powers by competent national supervisory authorities;
developing and maintaining contact with relevant members and staff of the national supervisory authorities.
Article 27
International cooperation
TITLE V
GENERAL PROVISIONS
Article 28
Consultation with the Staff Committee
▼M1 —————
Article 29
Data Protection Officer
Article 30
Public access to documents and Transparency Officer of the EDPS
The EDPS shall designate a Transparency Officer to ensure compliance with Regulation (EC) No 1049/2001 of the European Parliament and of the Council ( 5 ), without prejudice to the handling of public access to documents requests by the EDPB secretariat in accordance with point IV(2)(iii) of the Memorandum of Understanding between the EDPS and the EDPB.
Article 31
Languages
Article 32
Support services
The EDPS may enter into cooperation agreements or service level agreements with other institutions, and may participate in inter-institutional calls for tenders resulting in framework contracts with third parties for the provision of support services to the EDPS and the EDPB. The EDPS may also sign contracts with external service providers in accordance with the procurement rules applicable to the institutions.
Article 33
Authentication of decisions
Article 34
Remote working at EDPS and electronic documents
Article 35
Rules for the calculation of periods, dates and time limits
The EDPS shall apply the rules for calculation of periods, dates and time limits established under Regulation (EEC, Euratom) No 1182/71 of the Council ( 6 ).
TITLE VI
FINAL PROVISIONS
Article 36
Supplementary measures
The European Data Protection Supervisor may further specify the provisions of this Decision by adopting implementing rules and supplementary measures relating to the functioning of the EDPS.
Article 37
Repeal of Decision 2013/504/EU of the European Data Protection Supervisor
Decision 2013/504/EU of the European Data Protection Supervisor ( 7 ) is repealed and replaced by this Decision.
Article 38
Entry into force
This Decision shall enter into force on the day following its publication in the Official Journal of the European Union.
( 1 ) Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53).
( 2 ) Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (“the EPPO”) (OJ L 283, 31.10.2017, p. 1).
( 3 ) Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust), and replacing and repealing Council Decision 2002/187/JHA (OJ L 295, 21.11.2018, p. 138).
( 4 ) Council Decision 2009/917/JHA of 30 November 2009 on the use of information technology for customs purposes (OJ L 323, 10.12.2009, p. 20).
( 5 ) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).
( 6 ) Regulation (EEC, Euratom) No 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits (OJ L 124, 8.6.1971, p. 1).
( 7 ) Decision 2013/504/EU of the European Data Protection Supervisor of 17 December 2012 on the adoption of Rules of Procedure (OJ L 273, 15.10.2013, p. 41).