Protection of individuals with regard to the processing of personal data by EU institutions, bodies, offices and agencies
Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the EU institutions, bodies, offices and agencies and on the free movement of such data
lays down rules on how EU institutions, bodies, offices and agencies should treat the personal data* they hold on individuals;
upholds an individual’s fundamental rights and freedoms, especially the right to protection of personal data and the right to privacy;
aligns the rules for EU institutions, bodies, offices and agencies with those of the general data protection regulation (GDPR) and of Directive (EU) 2016/680, known as the data protection law enforcement directive (LED), which have applied since May 2018;
repeals Regulation (EC) No 45/2001, which previously contained the rules on personal data processing by EU institutions, bodies, offices and agencies, and ensures that they comply with the same strict standards as those set out in the GDPR;
repeals Decision No 1247/2002/EC regarding the European Data Protection Supervisor (EDPS).
Personal data must be:
processed in a lawful, fair and transparent way;
collected for specific, explicit and legitimate purposes;
adequate, relevant and limited to what is necessary;
accurate and, where necessary, kept up to date;
kept in a form that permits identification of the individuals concerned for no longer than necessary;
processed with appropriate confidentiality.
The controller is responsible for, and must be able to demonstrate compliance with, all the abovementioned data-processing principles.
In addition, personal data:
may be transmitted to a recipient in the EU that is not an EU institution, body, office or agency only subject to additional safeguards;
may be transferred outside of the EU only under strict conditions;
revealing a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health and data concerning a natural person’s sex life or sexual orientation, must not be processed except under special circumstances;
need appropriate safeguards if archived in the public interest or for scientific, historical or statistical purposes.
Requests for an individual’s consent to the use of their data must be in an intelligible and easily accessible form using clear and plain language. The consent must be a clear affirmative action by the individual.
Individuals (known as ‘data subjects’ in the legislation) have the right to:
withdraw their consent at any time, which should be as easy as giving it;
know whether or not their personal data is being processed and to have access to it;
obtain the correction of any inaccurate personal data;
have their personal data erased, or its processing restricted, provided that certain conditions are met;
receive their personal data provided to the controller in a structured, commonly used and machine-readable format and transmit it to another controller;
object to the use of their personal data for public-interest purposes, because of their particular situation;
not be subject to a decision based solely on automated processing that has legal consequences for them;
complain to the EDPS if they feel their personal data is being processed in a way that violates the regulation;
be compensated for any material or non-material damage they suffer because of the actions of an EU institution, body, office or agency;
mandate a not-for-profit organisation to lodge a complaint with the EDPS.
Controllers*:
have to inform data subjects, in plain language and with factual information, such as the contact details of the data controller and the purpose of the personal data processing, when such data is collected;
must reply to any requests from data subjects, such as requests to access or correct their personal data, as soon as possible and no later than 1 month;
apply appropriate technical and organisational measures, including pseudonymisation*, to ensure that processing of personal data complies with the regulation;
must only use data processors that meet EU requirements;
keep a detailed record of data processing under their responsibility;
cooperate with the EDPS;
notify the EDPS and, in some cases, also the individual concerned, as soon as possible of any personal data breach;
carry out a data protection impact assessment for certain high-risk processing of personal data;
ensure the confidentiality and security of their electronic communication networks;
inform the EDPS when drawing up administrative measures or internal rules on the processing of personal data.
The legislation establishes the post of the EDPS, appointed for a once-renewable 5-year term of office. Based in Brussels, the holder of the post:
acts with complete independence;
treats all confidential information with professional secrecy;
monitors how EU institutions, bodies, offices and agencies apply the legislation;
promotes public understanding and awareness of the processing of personal data;
handles complaints and conducts investigations;
warns and sanctions data controllers;
refers issues to the Court of Justice, which handles any disputes over the legislation;
submits an annual report to the European Parliament, the Council and the European Commission;
cooperates with national data protection supervisory authorities.
EDPS rules of procedure
A decision of 15 May 2020 adopts the rules of procedure of the EDPS. It lays down in detail:
the EDPS’s mission, guiding principles and organisation;
how it will monitor and ensure the application of the regulation;
procedures for its legislative consultation, technology monitoring, research projects and court proceedings; and
procedures for cooperation with national supervisory authorities and international cooperation.
Special rules for EU bodies, offices and agencies
Special rules apply to EU bodies, offices and agencies that process operational personal data* for the purposes of law enforcement (e.g. Eurojust). They are covered by a specific chapter in the regulation. The rules in this chapter are aligned with the LED. Moreover, in the founding acts of these bodies, offices and agencies, more specific rules can be laid down to take into account their particular characteristics.
The processing of operational personal data by Europol and the European Public Prosecutor’s Office is excluded from the scope of the regulation and is instead governed by specific provisions in the legal acts establishing them. However, their administrative processing of personal data (e.g. for staff management) is subject to the regulation.
Data protection officers
Controllers also appoint a data protection officer for a 3- to 5-year term to:
give independent advice on personal data processing;
monitor compliance with the data protection rules.
The European Commission must submit its first report on the application of the regulation by 30 April 2022.
The regulation has applied since 11 December 2018, except with regard to the processing of personal data by Eurojust, where it has applied since 12 December 2019.
Article 8 of the Charter of Fundamental Rights states that everyone has the right to personal data protection. Article 16 of the Treaty on the Functioning of the EU further develops that right. This article is the legal basis for any EU legislation on data protection.
For further information, see:
Data protection in the EU (European Commission).
Personal data. Any information on an identified or identifiable individual.
Controller. Any EU institution, body, office or agency, or its organisational entity, that determines the means and purposes of processing personal data.
Pseudonymisation. Processing personal data so that an individual cannot be identified without the use of additional information kept elsewhere.
Operational personal data. All personal data processed for the purposes of carrying out law-enforcement tasks.
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, pp. 39–98).
Commission Decision (EU) 2020/969 of 3 July 2020 laying down implementing rules concerning the Data Protection Officer, restrictions of data subjects’ rights and the application of Regulation (EU) 2018/1725 of the European Parliament and of the Council, and repealing Commission Decision 2008/597/EC (OJ L 213, 6.7.2020, pp. 12–22).
Decision of the European Data Protection Supervisor of 15 May 2020 adopting the Rules of Procedure of the EDPS (OJ L 204, 26.6.2020, pp. 49–59).
European Data Protection Supervisor Decision of 2 April 2019 on internal rules concerning restrictions of certain rights of data subjects in relation to the processing of personal data in the framework of activities carried out by the European Data Protection Supervisor (OJ L 99I, 10.4.2019, pp. 1–7).
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1–88).
Successive amendments to Regulation (EU) 2016/679 have been incorporated into the original text. This consolidated version is of documentary value only.
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, pp. 89–131).