1.   

Notes with satisfaction that the Court of Auditors (the ‘Court’), in its report on the European Data Protection Supervisor’s (EDPS) annual accounts for the financial year 2018, observed that no serious weaknesses had been identified with respect to the audited topics related to human resources and procurement;

2.   

Takes note of the fact that, according to the annual activity report of the EDPS, the Court examined one transaction from the financial year 2018 and this examination did not give rise to any observations;

3.   

Welcomes the conclusion of the Court that the payments as a whole for the year ended 31 December 2018 in relation to administrative expenditure of the EDPS were free from material error and that the supervisory and control systems examined were effective; notes the Court’s request to re-implement the ex post control, which is now again in place;

4.   

Regrets, as a general observation, that chapter 10 ‘Administration’ of the Court’s Annual Report has a rather limited scope and conclusions, notwithstanding the fact that Heading 5 ‘Administration’ of the Multiannual Financial Framework is considered to be low risk;

5.   

Notes that the Court selected a sample of 45 transactions for the Multiannual Financial Framework Heading 5 ‘Administration’ for all Union institutions and bodies; notes that the sample was designed to be representative of the range of spending under Heading 5, which represents 6,3 % of the Union budget; notes that the Court’s work indicates administrative expenditure as low risk; considers, however, that the number of transactions selected in relation to the ‘other institutions’ is not sufficient and asks the Court to increase the number of transactions to be examined by at least 10 %;

6.   

Recalls that the EDPS is not a decentralised Union agency and takes the view that despite the fact that its budget represents a very small percentage of the Union budget, the legality and regularity of EDPS transactions should, nevertheless, be properly examined by the Court, as transparency is vital for the appropriate functioning of all Union bodies; notes that the EDPS is neither covered by the report of the Court on the implementation of the Union budget for 2018 nor by the 2018 report on Union agencies and other bodies; stresses, however, that information regarding the results of external independent audits by the Court should be publicly available for all Union bodies; calls, therefore, on the Court to reconsider its position and start publishing audit reports covering the EDPS from the coming year onward; requests, therefore, that the Court issue separate annual activity reports on the annual accounts of this important Union body which aims to ensure that Union institutions and bodies fully respect the right to privacy and data protection;

7.   

Welcomes the overall prudent and sound financial management of the EDPS; notes that the EDPS made a clear distinction between so-called ‘current or new activities’; notes an increase of 1,54 % for current activities in line with its policy of austerity, with most budget lines frozen at 0 % increase; notes, however, the increase for new activities, mainly due to the setting up of a new Union entity called the European Data Protection Board (EDPB) and its related operations (which became operational asof 25 May 2018);

8.   

Notes that in 2018, the EDPS had a total allocated budget of EUR 14 449 068 (compared to EUR 11 324 735 in 2017), which represents an increase of 27,59 % compared to the 2017 budget (a 21,93 % budget increase from 2016 to 2017); welcomes the fact that 93,7 % of all appropriations were committed by the end of 2018 compared to 89 % in 2017; notes with concern that the budget implementation in terms of payment appropriations corresponds to 75,2 % (compared to 77 % in 2017) of all appropriations;

9.   

Recalls the necessity for budget estimates in order to ensure an efficient budgetary performance in the coming years; recognises the existence of matters which have a crucial impact, such as the EDPS salary budget with a share of more than 53 % whereby even a moderate staff turnover has a significant impact on the overall budget implementation rate; recognises that the budget estimates in respect of the recently created EDPB will achieve accuracy only after a few years of operation;

10.   

Notes with interest that the EDPS launched a new open competition to create a pool of highly qualified data protection experts to satisfy its future recruitment needs; acknowledges, in relation to staff recruitment planning, that the EDPS requested a moderate increase of six members of staff in the context of preparations for the setting up of the EDPB;

11.   

Recognises that 2018 was crucial for the EDPS due to the adoption of Regulation (EU) 2016/679 of the European Parliament and of the Council (1) and Directive (EU) 2016/680 of the European Parliament and of the Council (2) in 2016 in the context of the modernisation of data protection rules; notes that the new tasks and responsibilities arising from Regulation (EU) 2016/679 will require additional resources in future; notes that the EDPS had 97 members of staff in 2018 (compared to 55 in 2013); asks the EDPS, however, to analyse the situation in relation to potential efficiency gains arising solely from reorganisation and reallocation of tasks;

12.   

Notes that, as a result of this new legislation, the EDPB, made up of 28 Member State data protection authorities and the EDPS, was established to ensure the consistent implementation of Regulation (EU) 2016/679 across the Union; notes that a significant amount of the EDPS’s time and effort in early 2018 went into the support of the EDPB secretariat, as well as participating fully itself as a member of the board;

13.   

Notes that, following the new rules on the processing of personal data, the Union institutions and bodies also ensure their compliance with said rules, including the management and governance of their IT infrastructure and systems; acknowledges that the EDPS expanded its catalogue of specific guidelines and started a programme to verify compliance with rules among Union bodies;

14.   

Notes that there is a need for greater transparency and cooperation between European data protection authorities; underlines the importance of cooperation between the EDPS and the national data protection authorities in the Member States to ensure effective supervision and collaboration in the preparation for the new legal framework; calls on the EDPS to inform Parliament’s Committee on Budgetary Control in relation to all the results achieved;

15.   

Acknowledges the fact that the EDPS annually publishes data on their interinstitutional cooperation through service level agreements in respect of medical, translation/interpretation, catering and training services and in respect of administrative agreements for building, logistics, security services and IT, etc.; welcomes the agreement of a memorandum of understanding between the EDPS and the EDPB (mainly in relation to IT), which allows the new Union body to benefit from the work done by the EDPS over the recent years;

16.   

Welcomes the EDPS’s intention (in the context of the modernisation of its procurement processes) to install an electronic workflow in order to set up a paperless mode of functioning; reiterates the importance of the interinstitutional cooperation between the EDPS and the Commission in terms of procurement, financial management and human resources; welcomes the service level agreement with the Commission’s Directorate-General for Budget and Directorate-General for Informatics in relation to the IT tools ‘ABAC’ and ‘Sysper II’ as requested in the last discharge report; encourages the EDPS to make progress on a coherent policy for the digitalisation of its services;

17.   

Notes that the first action plan of the ethics officer was fully achieved and that the second report foresees several measures such as the revision of the codes of conduct for supervisors and staff, a revised decision on external activities and the possible adhesion to the new transparency register for Union institutions, etc.; invites the EDPS to implement such requested measures as soon as possible; welcomes the awareness raising sessions in line with the ethics framework; asks for detailed information on the achievements arising from the ethics framework to be presented in the next annual activity report;

18.   

Welcomes the fact that the internal rules concerning whistleblowing adopted in 2016 will be updated in order to strengthen the protection of whistleblowers and alleged wrongdoers; notes the existence of some protection measures such as a risk assessment and an access limitation of a strict ‘need to know basis’ to the related files; encourages the EDPS to ask its ethics officer to give special attention to this issue in the next awareness raising session organised for all staff; notes with satisfaction that the EDPS has had no case of whistleblowing so far;

19.   

Reiterates the importance of data protection in relation to cybersecurity; welcomes the efforts of the EDPS in providing guidance to the Union institutions on how to protect personal data when implementing cybersecurity measures, on how comprehensive information security management systems serve as the basis for fulfilling both data protection and cybersecurity obligations and on how to carry out data protection notification and information obligations in relation to personal data breaches; notes that the scandal over the misuse of Facebook data by Cambridge Analytica and the growing evidence of illegal interference in elections require responses from the EDPS; underlines that the EDPS must fight against the potential misuse of digital data;

20.   

Recognises the added value that free and open source software can bring to the EDPS; underlines in particular their role in increasing transparency and avoiding vendor lock-in effects; recognises also their potential in the improvement of security as they allow the identification and fixing of weaknesses; strongly recommends that any software developed for the institution be made publicly available under free and open-source software licences;

21.   

Welcomes the fact that the decision on anti-harassment has been made available to the entire staff via the EDPS intranet; notes with satisfaction the fact that the EDPS is currently working on revising the anti-harassment decision, as well as on a mandate to appoint additional confidential counsellors; notes that 69 % of colleagues acknowledged in the 2018 staff survey that they were aware of the existing policy on psychological and sexual harassment; welcomes the fact that in 2018 one confidential counsellor was trained;

22.   

Welcomes the fact that the CVs and declarations of interests of the supervisors are available on the EDPS website; notes that those declarations are necessarily of a self-declaratory nature and neither the EDPS nor its ethical officer have any investigating powers to ensure the veracity and the exhaustiveness of the declared data; calls on the EDPS to evaluate how to improve the system together with other Union institutions and bodies;

23.   

Calls on the EDPS to guarantee publication and regular updating on its website of all its guidelines and procedures related to the ethical framework; calls on the EDPS to continue its efforts to improve the information available online, in terms of transparency and public scrutiny;

24.   

Regrets the fact that more detailed information on concrete measures on how to improve well-being at work was not included in the annual activity report; welcomes, however, the fact that decisions and policies have been adopted and/or implemented in 2018, such as a staff survey report, a revised decision on teleworking and a revised decision on mentorship; asks the EPDS to provide more detailed information in the next annual activity report;

25.   

Welcomes the initiative of the EDPS in 2018 to in future offer paid traineeships only through the Blue Book trainee program; notes that this change in the EDPS recruitment process of trainees was made following a recommendation from the Ombudsman to adapt eligibility criteria in relation to paid traineeships; reiterates the need to guarantee that an appropriate allowance is paid to all Union institutions’ trainees in order to avoid the reinforcement of discrimination on economic grounds;

26.   

Notes with interest the representation of 20 Union nationalities among the staff of the EDPS (compared to 16 different Union nationalities in 2017); notes in relation to gender balance that there was a 40 % male (compared to 32 % in 2017) and 60 % female population at the EDPS; acknowledges the continuous efforts of the EDPS to achieve balance, taking into account the EDPS’s small size and specific core business activities;

27.   

Notes with interest that the EDPS was allocated four extra offices in the MTS building currently shared with the European Ombudsman; notes that the EDPS staff, including the EDPB secretariat, is expected to grow further in 2020 and therefore a greater expansion to the entire building is necessary; supports the EDPS in relation to this request and asks it to inform Parliament’s Committee on Budgetary Control in relation to all related steps and achievements;

28.   

Welcomes the targeted initiatives by the EDPS to reduce the environmental footprint of the institution; encourages the EDPS to put in place a concrete action plan to reduce its environmental footprint;

29.   

Welcomes the fact that the importance of the communication activities of the EDPS has increased considerably over the recent years; recognises the efforts to improve the impact of its online presence; notes the organisation of two important communication campaigns, namely the 2018 International Conference focusing on Debating Ethics (thereby reaching the widest possible audience for the debate on digital ethics), and, in December 2018, its communication campaign on the new data protection regulation for Union institutions;

30.   

Recalls that the EDPS uses a number of key performance indicators to help to monitor its work and the use of its resources; notes with satisfaction that in 2018 the EDPS met or exceeded the targets set in the majority of its key performance indicators (e.g. in relation to key performance indicator 4 ‘level of interest of stakeholders’ with a target of 10 consultations, a figure of 13 consultations was reached); notes that the implementation of the relevant strategic objectives is well on track and no corrective measures are needed; encourages the EDPS to continue working in this direction;

31.   

Welcomes the fact that the EDPS follows nearly all 16 internal control standards, which are regularly monitored to ensure the economic, efficient and effective achievement of the objectives; notes that the internal audit service carried out a follow-up audit on the recommendations outstanding of a review on the internal control standards and concluded that the level of internal control is satisfactory and effective;

32.   

Notes that the internal audit service carried out a survey concentrating on three main areas (the EDPS’s governance in connection with the EDPB, the framework for providing human resources, budget and financial administration, and the logistical support for the EDPB and EDPS support teams) which were the subject of close scrutiny; notes that the internal audit service issued a final report, in which all recommendations were deemed ‘issues for consideration’ only, and which will not be subject to any follow-up by the internal audit service;

33.   

Notes that the expenditure on translation amounts to EUR 337 057,35 for the EDPS and EUR 516 461,90 for EDPB activities; notes that the EDPB benefits from a quota of free translations performed by the Commission’s Directorate-General for Translation; takes note that the need for frequent translations in all official languages of the Union allied to the very small size of the institution makes the internalisation of translation impossible from a cost-benefit perspective;

34.   

Takes note that missions by staff are encoded in the missions integrated processing system and a mission report is uploaded as a supporting document in the statement of expenses; welcomes the data provided in the annual activity report as requested in the previous discharge report, which shows no significant differences in terms of the number and costs of missions in the past four years;

35.   

Welcomes the fact that the EDPS respects the best practice of setting a deadline for the submission of the annual activity report on 31 March of the year following the accounting year; welcomes, therefore, the fact that the EDPS adopted its annual activity report by 26 March 2019 in order to provide the discharge authority with more time to go into the report in depth and to better conduct the discharge procedure;

36.   

Highlights all the work achieved in the past few years in areas such as performance-based budgeting, the ethical framework with all its related rules and procedures, enhanced communication activities and the increasing number of measures to improve transparency; welcomes the significant number of interinstitutional service and cooperation agreements; underlines the importance of collaboration and sharing of experience among Union institutions and bodies; suggests that the possibility of formalized networking activities in different domains be analysed in order to share best practice and to develop common solutions.

37.   

Underlines that the withdrawal of the United Kingdom from the European Union will have a significant impact on the planned work of the EDPS; highlights the importance of a swift negotiation of a data deal with the United Kingdom.