As part of the action plan laid out in his Strategy 2013-2014 to provide guidance to the EU administration, the European Data Protection Supervisor (EDPS) has published Guidelines on the Rights of Individuals with Regard to the Processing of Personal Data.
Assistant EDPS Giovanni Buttarelli said: “EU institutions and bodies are accountable for compliance with data protection rules and our objective is to promote a data-protection culture amongst them to help implement this obligation. The Guidelines contribute to this strategic objective and will help to build awareness that data protection as a fundamental right is a vital part of good public policy and administration.”
The Guidelines are addressed to all services within the EU administration that process personal data. They also aim to guide data-protection officers, data-protection co-ordinators and staff representatives, as well as anyone whose personal data will be handled by the institutions, such as EU staff or recipients of EU grants and the general public.
The EDPS Factsheet 1: Your personal information and the EU administration: What are your rights? contains a brief summary of these rights and how to exercise them.
While the EDPS Guidelines have been developed for the EU institutions and bodies, they may offer valuable general guidance on fundamental rights for other public sector bodies. For instance, the Guidelines highlight the delicate balance that the EDPS strikes between the rights of individuals whose personal information is processed and the rights and freedoms of others, such as whistle blowers or informants, who also need to be protected.
The content of the Guidelines is based on our positions in the area of data subjects’ rights, as developed in a series of EDPS Opinions on EU data processing operations. The Guidelines describe our positions and recommendations on the relevant principles of Regulation 45/2001 and provide information on current best practice and other pertinent issues. For example, they highlight the broad concept of personal data under the Regulation, according to which personal data refers to much more than just the name of a particular individual.
Articles 41(2) and 46(d) of Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data confer the power on the European Data Protection Supervisor (the ‘EDPS’) to issue Guidelines. Sections 5 (‘Rights of the Data Subject’) and 6 (‘Exemptions and Restrictions’) of Regulation (EC) 45/2001 stipulate various rights of individuals as regards the processing of their personal data by the EU administration – as well as certain exceptions applicable to these rights.
Personal information or data: Any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, e‑mail addresses and telephone numbers. Other details such as health data, data used for evaluation purposes and traffic data on the use of telephone, email or internet are also considered personal data.
Privacy: The right of an individual to be left alone and in control of information about himself or herself.
The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
EU institutions and bodies/EU administration: All institutions, bodies, offices or agencies operating for the European Union (e.g. European Commission, European Parliament, Council of the European Union, European Central Bank, specialised and decentralized EU agencies).
Accountability: Under the accountability principle, EU institutions and bodies should put in place all those internal mechanisms and control systems that are required to ensure compliance with their data protection obligations and should be able to demonstrate such compliance to supervisory authorities such as the EDPS.
Processing of personal data: According to Article 2(b) of Regulation (EC) No 45/2001, processing of personal data refers to “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.”
Personal data may be processed in many activities which relate to the professional life of a data subject. Examples from within the EU institutions and bodies include: the procedures relating to staff appraisals and to the billing of an office phone number, lists of participants at a meeting, the handling of disciplinary and medical files, as well as compiling and making available on-line a list of officials and their respective field of responsibilities.
Personal data relating to natural persons other than staff may also be processed. Such examples may concern visitors, contractors, petitioners, etc.
The EDPS Strategy 2013-2014 can be found on the EDPS website.
The European Data Protection Supervisor (EDPS) is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. He does so by:
- monitoring the EU administration’s processing of personal data;
- advising on policies and legislation that affect privacy; and
- co-operating with similar authorities to ensure consistent data protection.