EUROPEAN COMMISSION
Brussels, 14.10.2022
COM(2022) 530 final
COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL
First report on the application of the Data Protection Regulation for European Union institutions, bodies, offices and agencies (Regulation 2018/1725)
Contents
1 Introduction
2 Separate data protection rules for EU institutions, bodies, offices and agencies aligned with EU data protection legislation
3 Implementation of the EUDPR in EUIBs
3.1 EUIBs’ role as controllers
3.2 Exercise of data subjects’ rights
3.3 Restricting data subject rights through internal rules
3.4 Data protection officers
3.5 Data protection impact assessments
3.6 International data transfers
4 EDPS activities
4.1 The EDPS as the data protection supervisory authority for EUIBs
4.2 The EDPS as adviser to the EU legislator
4.3 Cooperation between the EDPS and national data protection authorities
4.4 EDPS resources
5 Commission’s use of empowerments to adopt delegated and implementing acts
6 Data protection rules for bodies and agencies dealing with police cooperation and judicial cooperation in criminal matters
6.1 Extending the application of the EUDPR’s law enforcement chapter
6.2 Clarifying the applicability of certain EUDPR provisions to the processing of operational data
6.3 The EDPS’s powers in supervising EU bodies and agencies
7 Way forward
ANNEX
1 Introduction
The Data Protection Regulation for the European Union institutions, bodies, offices and agencies (‘EUDPR’) is the main data protection framework for the EU institutions, bodies, offices and agencies (‘EUIBs’) when they process personal data as controllers or processors. The Regulation forms a pillar of good governance and good administrative conduct at EU level. It has applied since 11 December 2018, when it repealed and replaced its predecessor, Regulation (EC) 45/2001.
This communication presents the first report on the application of the EUDPR, in line with Article 97 of the Regulation. It also reviews the legal acts adopted on the basis of the Treaties that regulate the processing of operational personal data by EU bodies, offices or agencies when carrying out activities within the scope of police cooperation and judicial cooperation in criminal matters, in line with Article 98 of the EUDPR.
The Commission has collected information on the application of the EUDPR through a survey launched in October 2021, where the EUIBs were invited to share their experience in applying the EUDPR. Altogether 56 EUIBs replied, and the statistics on EUIBs presented in the report are based on these replies. A separate request for contribution was sent to the European Data Protection Supervisor (EDPS) in its role as a supervisory authority. Lastly, the Commission also published a call for evidence, which allowed the public to comment as well. The issues raised in the very few submissions received in reply to the call for evidence are addressed in this report.
This report situates the EUDPR in the framework of EU data protection law, presents its application by the EUIBs and the EDPS’s activities, and analyses the application of the chapter applicable to EU bodies and agencies carrying out activities within the scope of police cooperation and judicial cooperation in criminal matters. The report concludes by outlining the way forward.
2 Separate data protection rules for EU institutions, bodies, offices and agencies aligned with EU data protection legislation
The main data protection instruments in the EU are the General Data Protection Regulation (‘GDPR’), the Law Enforcement Directive (‘LED’) and the ePrivacy Directive. However, they do not apply to the processing of personal data by EUIBs. Therefore, separate, yet aligned data protection rules for the EUIBs are necessary. The EUDPR provides these rules.
To ensure a consistent approach to protecting personal data and their free movement in the EU, the EUDPR is aligned as far as possible with the data protection rules adopted for the public sector, laid down in the GDPR and the LED. Whenever the EUDPR follows the same principles as the GDPR, it should be interpreted in the same way, as it should be understood as equivalent to the GDPR. The same can be assumed with the rules aligned with the LED.
The EUDPR is adapted to the specific context of the EUIBs as described in the points below.
·As its scope of application is exclusively the EUIBs as public bodies, several provisions from the GDPR that are only relevant for the private sector have been omitted. For example, the possibility to process relying on the legal basis of ‘legitimate interests’ of the controller does not exist in the EUDPR.
·Several empowerments for the Commission to adopt implementing or delegated acts are not repeated as such, but instead the EUDPR refers to the GDPR or the LED. For example, the EUDPR does not contain a mechanism to adopt adequacy decisions for international transfers, but adequacy decisions adopted under the GDPR or the LED can also be relied upon by the EUIBs.
·The EUDPR also directly establishes the EDPS, setting out its tasks, powers and appointment procedures. Under the GDPR and the LED, the respective supervisory authorities are established under national law, in line with the requirements of these two acts.
·The EUDPR’s chapter applicable to EU bodies and agencies in the criminal law enforcement area is functionally equivalent to the LED for those bodies and agencies. However, as a directly applicable Regulation, it is formulated differently. It provides general rules to be supplemented, where necessary, by specific provisions in the establishing acts of bodies and agencies acting in this area. It provides a tailored regime for processing operational personal data that takes into account the specific nature of this sector, for instance the rules on informing data subjects, which ensure that investigations are protected.
3 Implementation of the EUDPR in EUIBs
3.1 EUIBs’ role as controllers
The general feedback from EUIBs shows that the first years of applying the EUDPR have successfully contributed to strengthening their general data protection culture. In this regard, 94% of EUIBs stated that the entry into force of the EUDPR increased their organisation’s awareness of data protection rules to some extent or a large extent. Generally, EUIBs indicated that the EUDPR has had a positive impact on their data protection policies, and the staff of EUIBs are more aware of their organisation’s accountability as data controllers and of the requirements to process personal data.
EUIBs mentioned carrying out data protection impact assessments, identifying and managing data breaches, and considering data protection by design and by default as the main impacts of the EUDPR compared to the repealed Regulation 45/2001. The EUDPR makes the possibility of joint controllership – multiple organisations together defining the purposes of and means for processing personal data – more visible, in the same way as the GDPR. The EDPS has provided guidelines on this topic and the Commission has developed internal templates for joint controllership arrangements.
While the additional accountability requirements necessary for demonstrating compliance with the EUDPR were generally welcomed by EUIBs, some EUIBs noted that the EUDPR rules have led to an increased workload. They also pointed out that the EUDPR sets out relatively complex rules, which means that more expertise is required in the EUIBs, including among their data protection officers (DPOs), as well as in the networks of data protection coordinators (DPCs) in those EUIBs that have such networks.
All EUIBs, except two of them, keep their records of processing operations in a central register. While this is not a specific requirement under the EUDPR, it is a good practice also recommended by the EDPS. Furthermore, 72% of EUIBs have converted into records all their notifications to the DPO under the previous Regulation. Those that have not yet completed this task should review and update their processing operations documentation to ensure that it is complete and up to date.
3.2 Exercise of data subjects’ rights
The EUDPR provides data subjects with a broad set of rights on the processing of their personal data, consistent with the GDPR. The EUIBs as controllers have a specific obligation to make it easy to exercise these rights. As a result, 96% of EUIBs indicated they have conducted awareness-raising activities, such as updating publicly available information on their processing operations, information messages, or guides for data subjects.
A number of EUIBs, such as the Commission, the European Central Bank and the European External Action Service, reported a clear increase in requests received from individuals between 2018 and 2021. However, for others, such as the Court of Justice of the European Union, the European Economic and Social Committee and the European Union Agency for Asylum, the numbers were stable or fluctuated without a clear trend. Given that the way different types of requests are recorded varies from one EUIB to another, it is not yet possible to discern a clear trend in the number of requests from data subjects following the entry into force of the EUDPR.
3.3 Restricting data subject rights through internal rules
Similar to the GDPR, the EUDPR provides for the possibility of restricting certain data subjects’ rights. This can be done by legislative acts and through internal rules. Strict criteria apply to such internal rules. They have to be clear and precise and their application has to be foreseeable to persons subject to them. The rules must be published in the Official Journal and meet the requirements set out in the Charter of Fundamental Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms.
The restrictions based on internal rules can only relate to the operation of the EUIBs. They must respect fundamental rights, constitute necessary and proportionate measures in a democratic society and aim to safeguard one of the objectives specifically listed under the EUDPR. Any data subject whose rights have been restricted has the right to lodge a complaint with the EDPS.
A large majority (84%) of EUIBs have adopted internal rules. For example, such rules have been introduced to allow deferring the provision of information to a person concerned by an internal administrative investigation. In other cases, the objective of such rules has been to ensure continuing effective cooperation with the Member States in those areas where EUIBs’ activities rely on information received from Member States’ competent authorities. For example, internal rules adopted by the Commission for processing personal data in its competition, anti-fraud, and internal audit activities include the possibility of introducing restrictions on data subjects’ rights when personal data are obtained from the competent authorities of the Member States. Those rules set out the possibility of imposing similar restrictions when national authorities have imposed restrictions based on a legislative measure permitted under the GDPR or the LED.
Where EUIBs have adopted internal rules allowing data subjects’ rights to be restricted, the restrictions are usually applied on a case-by-case basis, as required by the respective internal rules. However, 69% of EUIBs with Article 25 rules in place report that they have not used them yet. Those that have used them have reported fewer than 10 cases of restrictions, except for the European Parliament and the Commission. The need for restrictions has arisen more often in OLAF’s activities, notably for deferring information to data subjects about the processing of their personal data when an investigation is still at an early stage, so as not to prejudice the gathering of evidence. OLAF also applied several restrictions on data subjects’ requests for access to their own personal data; these requests were rejected only in order to protect the rights and freedoms of others, e.g. when disclosing the data would put an informant at risk of retaliation.
EUIBs’ internal rules usually require them to inform their DPOs of any restrictions applied and to provide DPOs with access to the record and any documents about those restrictions.
3.4 Data protection officers
The obligation to have a DPO in every EUIB was already laid down in the previous Regulation 45/2001. The EUDPR has given more visibility to this role by introducing the accountability principle. This means that the controller is responsible for and must be able to demonstrate compliance with data protection rules.
In 46% of EUIBs, their DPOs are supported by networks of DPCs or similar structures. Larger EUIBs are more likely to have such networks (e.g. the European Parliament, the General Secretariat of the Council, the Commission, and the European External Action Service [EEAS]). The EEAS also organises and maintains a network of data protection correspondents in EU Delegations.
A number of EUIBs noted the increase in their DPO’s (and by extension DPCs’) responsibilities and workload. They acknowledged the need to provide DPOs (and DPCs) with more resources to ensure they can effectively implement their EUIBs’ data protection policies. The need to ensure the independence of DPOs was mentioned as well.
There are two trends at play in this context. On the one hand, the EUDPR puts greater emphasis on the controller’s accountability, e.g. by removing the prior checking procedure that existed under the previous Regulation 45/2001, thus reducing administrative burden. On the other hand, controllers solicit more guidance from DPOs/DPCs on how best to comply with the EUDPR. In this regard, it was noted that the network of EUIB DPOs has provided an important forum for discussing and clarifying certain legal and technical aspects specific to data processing by EUIBs. This network provides a platform for exchanges between the DPOs and the EDPS and among the DPOs themselves. It cooperates on an ongoing basis and usually meets twice a year.
More than half (54%) of EUIBs have given more resources to their DPOs and data protection functions more generally. Most (84%) of EUIBs have adapted their internal processes to ensure that their staff inform and consult DPOs about new personal data processing operations. This is usually done by including DPOs for instance in change management processes or in project steering boards.
3.5 Data protection impact assessments
The highest number of data protection impact assessments (DPIAs) was carried out by the European Central Bank, the European Investment Bank and the Commission. Compared to the previous system of ‘prior checking’ under Regulation 45/2001, the number of cases sent to the EDPS has decreased significantly. This was the expected consequence of this change, and reduced consultations of the EDPS on administrative processing operations such as staff appraisal.
Table 1 in the Annex provides an overview of the DPIAs carried out by EUIBs between 2019 and 2021.
Almost all (94%) EUIBs agreed that the EUDPR’s criteria for when they have to carry out DPIAs adequately cover high-risk processing operations. Those who disagreed stressed the need for the EDPS to take technological development into account when interpreting these criteria. For example, cloud computing is no longer a ‘new’ technology, and this should be considered when assessing whether DPIAs have to be conducted. The EUIBs that raised this point usually consider that the legal text itself is sufficiently clear, and that this is a matter of interpretation by the EDPS.
The EUDPR contains no specific obligation to publish the results of DPIAs. A large majority (84%) of EUIBs do not publish the DPIAs they have carried out, while 14% publish them in part or as a summary, removing information that could compromise the security safeguards adopted. Only one EUIB indicated that it publishes its DPIAs in full. Publication of DPIAs, where necessary removing information that would put the security of the processing operations at risk, improves transparency regarding EUIBs’ compliance with EUDPR rules and is a good practice recommended by the EDPS.
3.6 International data transfers
Almost all (91%) EUIBs reported that their activities involve international transfers of personal data. This includes data transfers to non-EU/EEA countries as well as to international organisations. However, several EUIBs mentioned that these transfers are rare or only concern a limited amount of personal data. As regards the transfer tools used, the EUIBs mostly referred to adequacy decisions (adopted under the GDPR or the LED) and contractual instruments, for instance for data transfers to private companies. For data transfers to public bodies, other tools are also used, such as legally binding agreements and administrative arrangements. In addition, 51% of EUIBs mentioned that they carry out limited, occasional transfers, for instance to organise training, based on the statutory grounds for data transfers (the ‘derogations’).
In practice, data transfers are usually not performed directly by EUIBs, but by their processors (which are not EUIBs) acting on their behalf. The Commission has therefore specifically addressed this scenario in the standard contractual clauses adopted under the GDPR in June 2021 to help controllers and processors to comply with the requirements of both the GDPR and the EUDPR. In particular, processors in the European Economic Area (EEA) have the possibility to include these standard contractual clauses for international data transfers in the contracts with their sub-processors in third countries. This ensures compliance with the EUDPR rules concerning the engagement of sub-processors on behalf of EUIBs, as long as the data protection obligations are aligned in the contracts between: (i) the EUIB and the processor; and (ii) the processor and its sub-processor. In particular, EUIBs can ensure such an alignment by using the standard contractual clauses that have been adopted by the Commission for the relationship between controllers and processors.
To provide additional tools ensuring appropriate safeguards for direct data transfers from EUIBs to third countries (i.e. without the involvement of an EU/EEA processor), the Commission is currently developing standard contractual clauses under Article 48(2)(b) of the EUDPR. These clauses will, to the largest extent possible, be aligned with the existing clauses adopted under the GDPR.
Lastly, given the specific questions that arise when personal data are transferred to international organisations (for instance because of the status of international organisations and applicable privileges and immunities), the Commission is working together with EUIB DPOs to develop specific tools (e.g. administrative arrangements) that are adapted to such transfers.
4 EDPS activities
4.1 The EDPS as the data protection supervisory authority for EUIBs
The EDPS is the independent data protection supervisory authority for the EUIBs, mirroring the role of the national data protection supervisory authorities established in the Member States under the GDPR and the LED.
Table 2 in the Annex provides an overview of the EDPS supervisory activities from 2018 to 2021. Since the EUDPR entered into force on 11 December 2018, the figures for 2018 provide a baseline for comparison with the situation under the previous Regulation 45/2001.
The EDPS noted a shift towards EUIBs’ core business in the subjects of the consultations received from them since the EUDPR became applicable. This means a shift towards questions on processing personal data for the delivery of tasks assigned to EUIBs in the public interest and away from ‘administrative’ topics, such as staff management.
The number of inadmissible complaints received by the EDPS has increased between 2019 and 2021. Most of the complaints that were found inadmissible were directed against controllers in Member States, which are not supervised by the EDPS but by their national data protection authorities. The numbers for 2018 were higher most likely because the GDPR became applicable. This led to an increased awareness of data protection rules among the population but also to an increase in inadmissible complaints. The EDPS can also close admissible complaints where an amicable solution has been found.
On inspections and audits, 2019 showed an increase compared to the 2018 baseline, followed by a decrease in 2020 and 2021. This can be explained by the COVID-19 pandemic, which made on-site checks difficult and led to their replacement by remote audits. The EDPS assesses risks to decide which EUIBs to inspect. This takes into account, for instance, the number of consultations submitted, especially when special categories of data are processed as part of an EUIB’s core business. The EDPS may also decide to carry out investigations on its own initiative, e.g. on EUIBs’ use of cloud service providers.
For data breaches, the EDPS reported that, in the majority of cases, human error was the underlying cause, followed by technical errors and external attacks.
The EDPS has used most of its powers under the EUDPR, including for example imposing temporary bans on processing operations. It has not used its new power to issue administrative fines so far, which is a measure of last resort under the EUDPR.
The EDPS also pointed out in its contribution to this report that it has invested in awareness-raising activities, such as training, with a peak of more than 4 600 estimated participants in 2019, following the entry into force of the EUDPR. While the numbers of participants in 2020 and 2021 have decreased from that peak, it is still significantly higher than the baseline of the estimated 1 000 participants in 2018.
The EUIBs gave largely positive feedback on the interactions with and guidance received from the EDPS, with 86% indicating that replies were always or mostly easy to understand. The EUIBs also appreciated the EDPS’s increased contacts with the DPO network.
However, some EUIBs noted that the EDPS’s advice sometimes arrived too late. They underlined the importance of continued support and advice from the EDPS and called for timely and practical guidance on certain data protection issues. These issues include implementing the risk-based approach for the controllers, international transfers, and the relationship between controllers (including joint controllers) and their processors.
4.2 The EDPS as adviser to the EU legislator
The Commission formally consults the EDPS, in particular on legislative proposals with an impact on processing personal data, following their adoption by the College. The EDPS replies to these consultations with opinions or comments. The EDPS also issues own-initiative opinions, such as its preliminary opinion on the European Health Data Space. Where a proposal is of particular importance for data protection, the Commission may also consult the European Data Protection Board (EDPB). In that case, the EDPS and the EDPB should issue a joint opinion to ensure that the EU legislator gets consistent advice.
The Commission also consults the EDPS informally before acts subject to consultation requirements are adopted by the College. In reply to such consultations, the EDPS provides informal comments to the Commission. This possibility helps to ensure that Commission acts are fully in line with data protection rules before their adoption. Informal consultations are used particularly for acts which are sensitive or which have more significant impact on data protection.
The activity of the EDPS as an adviser to the EU legislator depends on the number of new proposals prepared by the Commission. Following lower numbers in the last year of the outgoing Commission, the marked increase in formal comments in 2021 is due to the increased number of legislative proposals and the Commission’s efforts to ensure a consistent implementation of the obligation to consult the EDPS. This includes implementing and delegated acts that involve processing of personal data. Following the EUDPR’s entry into force, the Commission’s Secretariat-General produced procedures and raised services’ awareness of the requirement to consult the EDPS. This has resulted in more systematic consultation, including for implementing and delegated acts. For planning purposes, the EDPS and the Commission services hold annual meetings on the upcoming work programme and proposals that will require consultation.
4.3 Cooperation between the EDPS and national data protection authorities
The EDPS is a member of the EDPB and provides it with a secretariat. It also cooperates with national supervisory authorities in exercising their respective tasks in other ways. Examples include referring complaints to the competent data protection supervisory authority or cases involving external service providers that are used both by EUIBs and by controllers subject to the GDPR. The EDPS also actively contributes to the work of the EDPB by taking roles for instance as lead rapporteur or co-rapporteur for guidelines, or otherwise contributing to its work.
Several large-scale IT systems and agencies set up under EU law require that the EDPS and national supervisory authorities, each acting within the scope of their respective responsibilities, actively cooperate to ensure a coordinated supervision. In the past, the establishing acts of each system or agency included specific provisions to that end. The EUDPR creates a harmonised system for this supervision coordination that can be referred to in other acts. This is done for the Internal Market Information System, ECRIS-TCN, Eurojust and most recently, for Europol. Other systems still have supervision coordination groups with detailed rules in their establishing acts, or detailed references to meetings as part of the EDPB.
The EDPS also contributes to the Schengen evaluation mechanism set up under Council Regulation 1053/2013. Under that Regulation, the Commission may invite the EDPS to designate an observer to take part in an on-site visit concerning an area covered by its mandate, i.e. data protection evaluations. This corresponds to the possibility for Frontex and Europol to designate observers for evaluations of border management and police cooperation respectively. In the Commission’s view, the expertise of EDPS observers is a valuable asset to data protection evaluations.
4.4 EDPS resources
The number of EDPS staff (including the EDPB secretariat) has steadily grown over the reporting period, reflecting the overall trend in national data protection supervisory authorities. The EDPB secretariat’s activities have increased over time with a growing output of EDPB guidelines, recommendations, opinions, and other documents to which the secretariat contributes. Providing sufficient resources for the EDPB secretariat is essential given the stronger role it is expected to have in effectively enforcing the GDPR. This concerns in particular the EDPB’s objective to develop closer cooperation on strategic work and to use new tools supporting cooperation between data protection authorities. In particular, having a strong and well-resourced secretariat to support the work of the EDPB is critical for ensuring that the EDPB can deliver its work as required, notably in the context of the consistency mechanism, the use of which is expected to continue growing.
In its contribution to this report, the EDPS considered, in particular, that should it be entrusted with additional tasks, e.g. as a market surveillance authority under the artificial intelligence legislative proposal, it should be provided with corresponding additional resources.
5 Commission’s use of empowerments to adopt delegated and implementing acts
The EUDPR contains several empowerments for the Commission to adopt implementing acts and lay down standard clauses, as well as cross-references to empowerments under the GDPR.
The EUDPR contains provisions empowering the Commission to lay down standard data protection contractual clauses for controller-processor contracts, corresponding to the empowerment in the GDPR. The Commission used this empowerment and in June 2021 adopted standard contractual clauses covering controller-processor relationships under both the GDPR and the EUDPR. These clauses provide easy-to-use tools for controllers to effectively manage relationships with their processors.
The EUDPR also empowers the Commission to adopt standard data protection contractual clauses for providing appropriate safeguards for the transfer of personal data outside the EU/EEA. The Commission is currently preparing such clauses.
6 Data protection rules for bodies and agencies dealing with police cooperation and judicial cooperation in criminal matters
Chapter IX of the EUDPR contains rules for EUIBs processing operational personal data when carrying out activities within the scope of police cooperation and judicial cooperation in criminal matters (‘law enforcement chapter’). It aims to reduce fragmentation:
·between data protection regimes applicable to processing operational data by EU agencies in this field;
·with the data protection regime applicable to national criminal law enforcement activities under the LED.
To this end, the EUDPR law enforcement chapter provides a set of horizontal rules based on the LED. These rules can be supplemented, where necessary, by specific rules in the agencies’ founding acts, depending on their respective mandates and on the specific nature of their tasks and data processing operations.
The EUDPR states the need to ensure a uniform and consistent protection of natural persons when processing their personal data. To that end, it points explicitly to the objective of extending the application of the EUDPR law enforcement chapter to agencies that had separate data protection frameworks in their establishing acts when the EUDPR was adopted, namely Europol and the European Public Prosecutor's Office (EPPO). It also refers to the possible amendment of the law enforcement chapter, if required.
6.1 Extending the application of the EUDPR’s law enforcement chapter
At the time of writing, the EUDPR law enforcement chapter applies to processing operational personal data by:
·Eurojust, complemented by specific rules included in the Eurojust Regulation;
·Europol, complemented by specific rules included in the Europol Regulation, which has been amended since the EUDPR’s entry into force;
·Frontex for the small part of its activities that are part of criminal law enforcement.
However, the EUDPR law enforcement chapter does not yet apply to the EPPO, whose establishing Regulation was adopted before the EUDPR. The EPPO Regulation provides for a standalone regime for processing operational data. This has two consequences. First, some provisions in the EPPO Regulation differ in substance from the EUDPR law enforcement chapter, such as those on the processing of ‘restricted’ personal data. Second, some provisions of the EPPO Regulation, although similar in substance, are worded differently from the EUDPR law enforcement chapter, which could lead to different interpretations.
In the interest of consistency and in line with the general objective of minimising the fragmentation of data protection rules, an approach similar to the one adopted for Eurojust and Europol should be followed for the EPPO. The objective is to ensure the direct applicability of the EUDPR law enforcement chapter to the EPPO, keeping only the necessary specifications in the EPPO Regulation. At the same time, given that the EPPO has been operational for only one year, in the short term it is still necessary to gather more insight into the practical application of the EPPO data protection regime. This will make it possible to identify precisely those specifications, taking into account the nature of the EPPO as the EU’s independent public prosecution office.
6.2 Clarifying the applicability of certain EUDPR provisions to the processing of operational data
The EUDPR states that ‘only Article 3 [definitions] and Chapter IX [law enforcement chapter] of this Regulation shall apply to the processing of operational personal data’.
The law enforcement chapter contains substantive provisions corresponding to most provisions of Chapters II to V of the EUDPR (general principles, rights of data subjects, certain obligations of controllers and processors, international data transfers), with some differences to take the specific nature of law enforcement into account (e.g. rules on informing data subjects and on their right of access to their data).
It is important to clarify, by amending the EUDPR, that the law enforcement chapter lays down specific rules only in relation to those provisions of the other chapters of the EUDPR that have a direct equivalent in the law enforcement chapter. This way, if the legislator does not include specific rules in an agency’s establishing act, the provisions in the other chapters that have no direct equivalent in the law enforcement chapter apply to the processing of operational data.
This amendment would improve legal certainty and would provide a complete framework (e.g. on the position of DPOs, cooperation with national data protection supervisory authorities), including for any future agencies in this field. Having such a complete framework would also reduce the risks of fragmentation.
6.3 The EDPS’s powers in supervising EU bodies and agencies
Currently, the regulations establishing the EPPO, Eurojust, and Europol contain specific provisions on the powers of the EDPS.
The updated Europol Regulation gives powers to the EDPS that are aligned with those under Article 58 of the EUDPR. This is notably the case for the power to issue administrative fines and the power to order the controller or processor to bring processing operations into compliance, where appropriate, in a specified manner and within a specified period.
However, in the case of the EPPO, the EDPS’s powers are formulated differently from those in the EUDPR, and the EDPS does not have the two powers mentioned above.
The Frontex Regulation, for the small part of Frontex’s activities subject to the law enforcement chapter, does not include any specific provisions on the EDPS’s powers, leading to uncertainty about those powers.
Providing the EDPS with the full range of powers set out under Article 58 of the EUDPR could be achieved by following the two steps below.
1. Clarifying that the EUDPR, as a default option, entrusts the EDPS with the supervision of the law enforcement chapter and with the powers granted to it under Article 58 of the EUDPR. This requires amending the EUDPR as proposed in the previous section.
This would also address the gap in the Frontex Regulation.
2. By removing the provisions on the EDPS’s powers from the founding acts of the agencies and bodies, the full range of the EDPS’s powers under the amended EUDPR would apply directly to Eurojust and the EPPO. The objective is to align them as much as possible to reduce fragmentation of data protection rules.
7 Way forward
Overall, the EUDPR is working well and is fit for purpose. At this stage the Commission will not propose amendments to those parts that are equivalent to the corresponding rules in the GDPR, thus maintaining the closest possible alignment between the EUDPR and the GDPR. The possible amendments considered in this report concern other parts, notably the relation of the EUDPR’s law enforcement chapter to the other provisions of this Regulation.
In spring 2022, the Commission proposed rules to strengthen information security in the EUIBs, which will have a positive impact on information security, including on the protection of personal data. That proposal aims to further improve EUIBs’ resilience and ability to respond to incidents when faced with cybersecurity threats.
The Commission will also take the steps outlined in the points below:
-when updating the establishing acts for large-scale IT systems that still include detailed rules on a supervision coordination model, ensure that the EUDPR’s supervision coordination model will apply in order to streamline procedures;
-consider amendments to the EUDPR in order to:
o improve legal certainty and complete the framework for the processing of operational data by clarifying in Article 2(2) that the general provisions of the EUDPR also apply to the processing of operational personal data, unless the law enforcement chapter contains specific provisions (such as on the right of access). This would also provide a ready-made framework for any future agencies in the fields of judicial cooperation in criminal matters and police cooperation;
o ensure the participation of the EDPS as observer in all data protection evaluations under the Schengen evaluation mechanism;
-subsequently, consider amending the EPPO and Eurojust Regulations in a future revision to ensure the full application of the rules on processing operational personal data in the amended EUDPR, taking the specific nature of those bodies into account. This will also lead to harmonising the EDPS’s powers over these bodies and agencies with those it has over the other EUIBs;
-propose standard contractual clauses for international transfers of personal data for the EUIBs;
-continue the close cooperation with the EDPS (and, where relevant, the EDPB) to ensure a timely and targeted consultation on new proposals and also continue to consult the EDPS informally on important texts before they are adopted.
The EDPS is invited to:
-provide additional and timely practical guidance to the EUIBs, including on international data transfers;
-continue raising awareness among controllers and processors of their obligations under the EUDPR, as well as advising DPOs;
-intensify efforts to effectively enforce the EUDPR to ensure the full protection of data subjects.
EU institutions, bodies, offices and agencies are invited to:
-continue and, when necessary, step up awareness-raising efforts to ensure a sufficient level of in-house expertise on EUDPR rules;
-consider publishing DPIAs, excluding information that could compromise the security safeguards adopted where necessary;
-ensure that DPOs (as well as DPCs) have sufficient resources and a position within the EUIBs that enables them to carry out their tasks efficiently and independently;
-finish converting their remaining notifications under the previous data protection regulation into data protection records.
ANNEX
Table 1 – Data protection impact assessments and prior consultations carried out by EUIBs

| Outcome of DPIA | 2019 | 2020 | 2021 |
|---|---|---|---|
| Residual risk accepted | 30 | 50 | 77 |
| EDPS prior consultation | 3 | 3 | 5 |
| Project abandoned | 2 | 2 | 0 |
Table 2 – EDPS supervisory activities

| Activity | 2018 | 2019 | 2020 | 2021 |
|---|---|---|---|---|
| Consultations | 50 | 75 | 59 | 52 |
| Prior consultations | 0 | 0 | 1 | 4 |
| Transfer authorisations | 0 | 1 | 0 | 4 |
| Admissible complaints received | 58 | 59 | 43 | 44 |
| Decisions on admissible complaints | 23 | 48 | 35 | 22 |
| Inadmissible complaints received | 240 | 151 | 203 | 269 |
| Inspections/audits carried out | 5 | 9 | 4 | 4 |
| Formal investigations carried out | 0 | 4 | 1 | 2 |
| Data breach notifications received | 7 | 95 | 121 | 82 |
Table 3 – EDPS advisory activities

| Activity | 2018 | 2019 | 2020 | 2021 |
|---|---|---|---|---|
| Comments | 13 | 3 | 19 | 72 |
| Opinions | 7 | 6 | 8 | 12 |
| Own-initiative opinions | 1 | 1 | 2 | 0 |
| Joint opinions with EDPB | 0 | 1 | 0 | 5 |
| Informal comments | 33 | 16 | 13 | 25 |
Table 4 – EDPS resources

| Resource | 2018 | 2019 | 2020 | 2021 | 2022 (estimated) |
|---|---|---|---|---|---|
| Total number of EDPS staff (including the EDPB secretariat) | 98 | 100 | 118 | 126 | 139 |
| EDPS staff in EDPB secretariat | 19 | 22 | 27 | 34 | 38 |
| Budget | EUR 13 539 302 (executed) | EUR 15 301 687 (executed) | EUR 14 211 719 (executed) | EUR 16 761 285 (executed) | EUR 20 202 000 (draft) |