Databescherming EU instellingen verbeterd, maar nog niet optimaal (en)

EDPS/08/5

EDPS reports on EU institutions and bodies' compliance with their data protection obligations

On 14 May, the European Data Protection Supervisor (EDPS) presented his general report measuring the implementation of Regulation (EC) 45/2001 on the protection of individuals with regard to the processing of personal data by the institutions and bodies of the Community.

This reporting operation, also known as the "Spring 2007" exercise, was launched in March 2007 as part of an effort to monitor and ensure the implementation of the Regulation in the various EU institutions and agencies, and to take stock of the progress made so far.

Main results

The report shows that the "Spring 2007" exercise has helped to boost compliance with the Regulation, if only because it has encouraged the appointment of a Data Protection Officer (DPO) in every EU institution and operational agency. In addition, it has prompted most institutions and agencies to draft an inventory of processing operations involving personal data, which allowed a more systematic approach to implementation. From a more general perspective, EU institutions and bodies have also devoted more efforts in raising awareness among EU staff on data protection issues.

The reporting exercise has also highlighted the following results:

• - 

  notification of processing operations from data controllers to the DPO: progress made in this area by the EU institutions is generally satisfactory, although the EDPS considers that full compliance should have been achieved at this point. However, a fairly low level of notifications has been observed in most of the agencies;
• - 

  notification of processing operations to the EDPS for prior checking: only four institutions have managed to notify all existing processing operations to the EDPS for prior checking. With regard to the other institutions, an average of 50% of processing operations subject to prior checking has been submitted to the EDPS. The level of notifications received from agencies is however generally rather low.

Further steps

The EDPS will therefore encourage and closely monitor further progress in those fields with a view to reaching full compliance as early as possible. In some cases where the level of compliance is inadequate, specific targets have already been set. In addition, the need for support for DPOs in order to obtain notifications from data controllers will be pointed out to the management of the institutions and bodies.

The EDPS also intends to proceed with on-the-spot inspections in several institutions or bodies. Further activities to measure compliance with the Regulation will be undertaken at a later stage in order to assess and where necessary ensure adequate progress.

The general report is available on our website.

For more information, please contact the EDPS Press Service at: +32 2 283 19 00

EDPS - The European guardian of personal data protection

www.edps.europa.eu