Protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and the free movement of such data  
2017/0002(COD) - 15/03/2017  

EDPS Opinion on the proposal for a regulation on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

Overall, the EDPS considered the proposal successful in aligning the rules for EU institutions with the General Data Protection Regulation (GDPR), while taking the specificities of the EU public sector into account. The high level of protection regarding data processing by EU institutions is generally preserved in the proposal.

The EDPS considered that the proposal should be further improved, notably regarding:

The modalities for restrictions of the rights of the person concerned: the proposal would need to be amended to the effect that only legal acts adopted on the basis of the Treaties should be able to restrict fundamental rights.

The EU legislator is called upon to ensure that any restrictions of the fundamental right to privacy of communications imposed by EU institutions in their own operations follow the same standards as laid down in Union law, as interpreted by the Court of Justice in this domain.

The possibility for the EU institutions to use, in certain contexts, certification mechanisms: the EDPS considered that certification mechanisms may be a very useful instrument for EU institutions and they are already being used in certain contexts, e.g. certifying compliance with generally accepted standards.

Therefore, references to the use of certification should be added to the provisions on the ‘Responsibility of the controller’ and ‘Data protection by design and by default’, as well as to ‘Security’.

Further recommendations: the EDPS welcomed the fact that the proposal includes a separate article dedicated to the role of the EDPS as an advisor to EU institutions. He suggested however the addition of a recital in which the Commission should reaffirm its long-standing commitment to consult the EDPS on draft proposals in an informal manner.

The EDPS also considered that the possibility to outsource the function of a Data Protection Officer is not suitable for EU institutions exercising public authority.

It is essential that the revised rules become fully applicable at the same time as the GDPR, i.e. on 25 May 2018. The EDPS encouraged the EU legislator to reach agreement on the proposal as swiftly as possible, so as to allow EU institutions a reasonable transition period before the new Regulation becomes applicable alongside the GDPR.