Protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and the free movement of such data  
2017/0002(COD) - 10/01/2017  

PURPOSE: to enhance the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.

PROPOSED ACT: Regulation of the European Parliament and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

BACKGROUND: the protection of natural persons in relation to the processing of personal data is a fundamental right. Moreover, in Article 16(2) TFEU, the Lisbon Treaty introduced a specific legal basis for adopting rules on the protection of personal data.

Regulation (EC) No 45/2001 of the European Parliament and of the Council provides natural persons with legally enforceable rights, specifies the data processing obligations of controllers within the Community institutions and bodies, and creates an independent supervisory authority, the European Data Protection Supervisor, responsible for monitoring the processing of personal data by the Union institutions and bodies.

However, it does not apply to the processing of personal data in the course of an activity of Union institutions and bodies which falls outside the scope of Union law.

Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) and Directive (EU) 2016/680 of the European Parliament and of the Council were adopted on 27 April 2016. While the Regulation lays down general rules to protect natural persons in relation to the processing of personal data and to ensure the free movement of personal data within the Union, the Directive lays down the specific rules to protect natural persons in relation to the processing of personal data and to ensure the free movement of personal data within the Union in the fields of judicial cooperation in criminal matters and police cooperation.

Regulation (EU) 2016/679 stresses the need for the necessary adaptations of Regulation (EC) No 45/2001 in order to provide a strong and coherent data protection framework in the Union and to allow application at the same time as Regulation (EU) 2016/679.

It is in the interest of a coherent approach to personal data protection throughout the Union, and of the free movement of personal data within the Union, to align as far as possible the data protection rules for Union institutions and bodies with the data protection rules adopted for the public sector in the Member States.

CONTENT: in order to align the existing rules, which date back to 2001, with the newer and more stringent rules set out by the General Data Protection Regulation of 2016, the Commission has proposed the following:

Objective: this proposed Regulation has a two-fold objective:

  • to protect the fundamental right to data protection and to guarantee the free flow of personal data throughout the Union;
  • to provide for the main tasks of the European Data Protection Supervisor (EDPS).

Scope: the proposal shall apply to the processing of personal data, by automated means or otherwise, by all Union institutions and bodies insofar as such processing is carried out in the exercise of activities all or part of which fall within the scope of Union law. The material scope of this Regulation is technologically neutral. The protection of personal data applies to the processing of personal data by automated means, as well as to manual processing if the personal data are contained or are intended to be contained in a filing system.

Levels of protection: new principles of transparency and of integrity and confidentiality have been incorporated into the new text. Further conditions are laid down for the lawfulness of the processing of personal data of children in relation to information society services offered directly to them. The proposal sets 13 years as the child's minimum age for valid consent. New rules are provided for a specific level of protection on the transmission of personal data to recipients other than Union institutions and bodies. The proposal clarifies that, where it is the controller initiating the transmission, it should demonstrate the necessity and proportionality of the transmission.

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

Data controller’s obligations: the proposal specifies the controller's information obligations towards the data subject where personal data are collected from the data subject, including information on the storage period, on the right to lodge a complaint and in relation to international transfers.

Personal data must remain confidential subject to an obligation of professional secrecy regulated by Union law. This could apply for example in proceedings by services competent for social security or health matters.

Further modalities are provided to facilitate the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object.

Obligations for EU institutions: the proposal provides for an obligation for Union institutions and bodies to inform the EDPS when drawing up administrative measures and internal rules relating to the processing of personal data. It also provides for an obligation for the Commission to consult the EDPS following the adoption of proposals for a legislative act and of recommendations or proposals to the Council and when preparing delegated acts or implementing acts that have an impact on the protection of individuals’ rights and freedoms with regard to the processing of personal data.

Provisions are also laid down concerning the transfer of personal data to third countries or international organisations.

EDPS: specific provisions are laid down as regards the appointment of the EDPS by the European Parliament and the Council, the duration of the term of office (five years), the general conditions governing the performance of duties of the EDPS and his or her staff, and the financial resources.