Today, the European Data Protection Supervisor (EDPS) adopted a Policy on Consultations in the field of Supervision & Enforcement which provides guidance to EU institutions and bodies and Data Protection Officers (DPOs) on consulting the EDPS when drawing up measures or internal rules which involve the processing of personal information – also known as personal data – in compliance with the Data Protection Regulation (EC) No. 45/2001.
Every day, personal information is processed within the EU administration in accordance with measures or internal rules developed by each EU institution or body that should ensure data protection in any processing that each of them carries out. Staff recruitment and evaluation activities, contract tenders, complaints or requests for information, video surveillance and maintenance of databases are a few examples of activities where the processing of personal information can affect staff and citizens.
Giovanni Buttarelli, Assistant EDPS, says “In order to effectively respect the fundamental right to data protection of staff and citizens, EU institutions and bodies must ensure accountability when developing and implementing internal measures and from the outset, seek the expert advice of their Data Protection Officer. If the DPO needs guidance, for example in cases of complexity or when related to appreciable risks to the rights and freedoms of data subjects, the DPO or the institution may refer a consultation to the EDPS.”
Thus, with this policy, the EDPS emphasises that EU institutions and bodies should be fully accountable for their data protection responsibilities. This principle ensures that when an EU institution or body draws up measures that affect data protection rights, it must first ensure that proper attention is paid to respecting its obligations under the Regulation before adopting the measure.
One of the most effective means of ensuring this is to involve the DPO right at the outset for his or her advice. The DPO ensures, in an independent manner, the internal application of the Regulation and that the rights and freedoms of individuals are unlikely to be adversely affected by the processing operations. Here to read more.