Protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and the free movement of such data

2017/0002(COD)

PURPOSE: to enhance the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies.

LEGISLATIVE ACT: Regulation (EU) 2018/1725 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

CONTENT: the Regulation lays down rules on the protection of individuals with regard to the processing of personal data by the Union's institutions and bodies and rules on the free movement of personal data between those institutions and bodies or to other recipients established in the Union. It aims to:

- protect the fundamental right to data protection and ensure the free movement of personal data throughout the Union;

- allow the European Data Protection Supervisor (EDPS) to monitor the application of the provisions of the Regulation to all processing operations carried out by a Union institution or body.

General principles

Personal data shall be:

- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’). In the case of children under 13 years of age, the processing shall only be lawful if the consent is given or authorised by the holder of parental responsibility for the child;

- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 13, not be considered to be incompatible with the initial purposes;

- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;

- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The Regulation prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religion or beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person.

Transmission of personal data between Union institutions and bodies

Personal data shall be processed on the basis of the necessity for the performance of a task carried out in the public interest. The controller shall determine whether there are grounds to believe that such transmission could harm the legitimate interests of the data subject. In such cases, the controller shall demonstrably weigh the various competing interests in order to assess the proportionality of the requested transmission of personal data.

Rights of the data subject

Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing.

The Regulation provides that the legal acts adopted on the basis of the Treaties or, in matters relating to the operation of the Union institutions and bodies, internal rules laid down by the latter may restrict the exercise of the rights of the person concerned.

The internal rules shall be clear and precise acts of general application, adopted at the highest level of management of the Union institutions and bodies and published in the Official Journal of the European Union. These rules shall be foreseeable to persons subject to them, in particular when adopted by Union institutions.

In particular, any legal act or internal rule shall contain specific provisions, where relevant, as to: (i) the purposes of the processing or categories of processing; (ii) the categories of personal data; (iii) the scope of the restrictions introduced; (iv) the safeguards to prevent abuse or unlawful access or transfer; (v) the specification of the controller or categories of controllers; (vi) the storage periods and the applicable safeguards; (vii) the risks to the rights and freedoms of data subjects.

Obligations of the controller

The Regulation specifies the information the controller must provide to the data subject when personal data are obtained from that person, including the period of data storage, the right to lodge a complaint and any international transfers of the data.

Personal data must remain confidential and be subject to an obligation of professional secrecy regulated by Union law. This may apply, for example, in social security or health procedures.

Obligations of the EU institutions

The Regulation provides for an obligation for the Union institutions and bodies to inform the European Data Protection Supervisor when drawing up administrative measures and internal rules relating to the processing of personal data. It also provides for the Commission to consult the EDPS following the adoption of proposals for legislative acts and recommendations or proposals to the Council and when preparing delegated or implementing acts having an impact on the protection of rights and freedoms with regard to the processing of personal data.

ENTRY INTO FORCE: 11.12.2018. The Regulation shall apply to the processing of personal data by Eurojust from 12.12.2019.