Protection of individuals with regard to the processing of personal data by EU institutions, bodies, offices and agencies

SUMMARY OF:

Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the EU institutions, bodies, offices and agencies and on the free movement of such data

WHAT IS THE AIM OF THE REGULATION?

The regulation:

KEY POINTS

Personal data must be:

The controller² is responsible for, and must be able to demonstrate compliance with, all the abovementioned data-processing principles.

In addition, personal data:

Requests for an individual’s consent to the use of their data must be in an intelligible and easily accessible form using clear and plain language. The consent must be a clear affirmative action by the individual.

Individuals (known as ‘data subjects’ in the legislation) have the right to:

Controllers:

The legislation creates the post of the European Data Protection Supervisor (EDPS), appointed for a once-renewable 5-year term of office. Based in Brussels, the holder of the post:

EDPS rules of procedure

A decision of adopts the rules of procedure of the EDPS. It lays down in detail:

Special rules for EU bodies, offices and agencies

Special rules apply to EU bodies, offices and agencies that process operational personal data⁴ for the purposes of law enforcement (e.g. Eurojust). They are covered by a specific chapter in the regulation. The rules in this chapter are aligned with the law enforcement directive (LED). Moreover, in the founding acts of these bodies, offices and agencies, more specific rules can be laid down to take into account their particular characteristics.

The processing of operational personal data by Europol and the European Public Prosecutor’s Office is excluded from the scope of the regulation and is instead governed by specific provisions in the legal acts establishing them. However, their administrative processing of personal data (e.g. for staff management) is subject to the regulation.

Data protection officers

Controllers also appoint a data protection officer for a 3- to 5-year term to:

Reports

The European Commission must submit its first report on the application of the regulation by .

FROM WHEN DOES THE REGULATION APPLY?

It has applied since , except with regard to the processing of personal data by Eurojust, where it has applied since .

BACKGROUND

Article 8 of the Charter of Fundamental Rights states that everyone has the right to personal data protection. Article 16 of the Treaty on the Functioning of the EU further develops that right. This article is the legal basis for any EU legislation on data protection.

For further information, see:

KEY TERMS

  1. Personal data. Any information on an identified or identifiable individual.
  2. Controller. Any EU institution, body, office or agency, or its organisational entity, that determines the means and purposes of processing personal data.
  3. Pseudonymisation. Processing personal data so that an individual cannot be identified without the use of additional information kept elsewhere.
  4. Operational personal data. All personal data processed for the purposes of carrying out law-enforcement tasks.

MAIN DOCUMENT

Regulation (EU) 2018/1725 of the European Parliament and of the Council of on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, , pp. 39–98).
