Protection of individuals with regard to the processing of personal data by EU institutions, bodies, offices and agencies

 

SUMMARY OF:

Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the EU institutions, bodies, offices and agencies and on the free movement of such data

WHAT IS THE AIM OF THE REGULATION?

The regulation:

KEY POINTS

Personal data must be:

The controller* shall be responsible for, and be able to demonstrate compliance with, all the abovementioned data-processing principles (see below).

Personal data:

Requests for an individual’s consent to the use of their data must be in an intelligible and easily accessible form using clear and plain language. The consent must be a clear affirmative action by the individual.

Individuals (known as ‘data subjects’ in the legislation) have the right to:

Controllers:

The legislation creates a European Data Protection Supervisor, appointed for a once renewable 5-year term of office. Based in Brussels, the holder of the post:

Special rules apply to:

The Commission must report to the European Parliament and to the Council no later than 30 April 2022 — and every 5 years thereafter — on how the legislation is being applied.

FROM WHEN DOES THE REGULATION APPLY?

It has applied since 11 December 2018, except with regard to the processing of personal data by Eurojust, where it applies from 12 December 2019.

BACKGROUND

Article 8 of the Charter of Fundamental Rights states that everyone has the right to personal data protection. Article 16 of the Treaty on the Functioning of the EU further develops that right. This article is the legal basis for any EU legislation on data protection.

For more information, see:

KEY TERMS

Personal data: any information on an identified or identifiable individual.
Controller: any EU institution, body, office or agency, or its organisational entity, that determines the means and purposes of processing personal data.
Pseudonymisation: processing personal data so that an individual cannot be identified without the use of additional information kept elsewhere.
Operational personal data: all personal data processed for the purposes of carrying out law enforcement tasks.

MAIN DOCUMENT

Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, pp. 39-98)

RELATED DOCUMENTS

European Data Protection Supervisor Decision of 2 April 2019 on internal rules concerning restrictions of certain rights of data subjects in relation to the processing of personal data in the framework of activities carried out by the European Data Protection Supervisor (OJ L 99I, 10.4.2019, pp. 1-7)

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general data protection regulation) (OJ L 119, 4.5.2016, pp. 1-88)

Successive amendments to Regulation (EU) 2016/679 have been incorporated into the original text. This consolidated version is of documentary value only.

Legislation specifically applying to EU institutions

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, pp. 89-131)

See consolidated version.

Decision No 1247/2002/EC of the European Parliament, of the Council and of the Commission of 1 July 2002 on the regulations and general conditions governing the performance of the European Data-protection Supervisor’s duties (OJ L 183, 12.7.2002, pp. 1-2)

Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, pp. 1-22)

See consolidated version.

last update 12.03.2019