EDPS comments on the application of the proposed General Data Protection Regulation GDPR to EU institutions and bodies
PETER HUSTINX, Application of the proposed General Data Protection Regulation GDPR to EU institutions and bodies (to Viviane Reding), Brussels, 9 December 2013.
As you are well aware, the issue of the application of the proposed General Data Protection Regulation (“GDPR”) to EU institutions and bodies has been raised in the context of the discussions on the reform package, both in the European Parliament and in the Council.
By letter of 25 July 2013 (your ref. Ares(2013) 3038864s), your services announced the intention of the Commission to start the process of aligning with the proposed general EU data protection framework. Our services have meanwhile responded (our ref. D(2013)2176 C 2013-0713) to a request for information by DG JUST anticipating the possible revision of Regulation (EC) No 45/2001 (“Regulation 45/2001”) by outlining the various activities of the EDPS, and identifying areas in which specific provisions of Regulation 45/2001 proved to be helpful in the exercise of our tasks, as well as difficulties encountered in the application of the Regulation.
(...) Of course, and independently of the architecture chosen, the specific legal and institutional setting of the EU institutions and bodies also requires certain additional rules which should complement the generally applicable provisions of the GDPR. Such additional rules should ideally be set out in a separate chapter of the GDPR and should include at least the following elements.
1. The advisory role of the EDPS and consultations on legislative proposals
2. Role of the EDPS vis-à-vis the Court of Justice of the EU
3. International cooperation
4. Coordinated supervision of large-scale IT systems and EU bodies
5. Data Protection Officer (DPO) and Data Protection Coordinator (DPC)
6. Inventory
7. Transfers to recipients subject to Directive 95/46
8. Establishment and independence