EDPS: Difference between revisions

European Data Protection Supervisor
Name:	European Data Protection Supervisor
Abbreviation:	EDPS
Jurisdiction:	European Union
Head:	Wojciech Wiewiórowski
Deputy:	n/a
Adress:	Rue Wiertz 60, 1047 Bruxelles, Belgium
Webpage:	www.edps.europa.eu
Email:	edps@edps.europa.eu
Phone:	+32 2 283 19 00
Twitter:	n/a
Procedural Law:	n/a
Decision Database:	n/a
Translated Decisions:	Category:EDPS
Head Count:	n/a
Budget:	n/a

The European Data Protection Supervisor (EDPS) is the Data Protection Authority for European Union Institutions. The EDPS is in charge of enforcing Regulation (EU) 2018/1725. In 2024, the EDPS also became the market surveillance authority notifying body and notifying authority for EU Institutions under the AI Act Regulation (EU) 2024/1689.

Structure

History

A data protection regulation for EUIs (European Institutions) came into force in 2001 under Regulation (EC) 45/2001. Under this regulation the EDPS was created and designated as the independent data protection authority in charge of supervising how European Union Institutions (EUIs) process personal data. The regulation additionally laid down the tasks and powers of the EDPS.

The EDPS started its work under the leadership of Peter Hustinx as the first European Data Protection Supervisor and Joaquín Bayo Delgado as the Assistant Supervisor. 2004 marked the first of many EDPS initiatives: first Prior Check Opinions, first complaints addressed, first investigations, and first legislative Opinions. The EDPS counted 15 members of staff working in three sectors: the Administration, Personnel, Budget sector, the Policy and information sector and the Supervision sector. It's offices were located at 63 Rue Montoyer in Brussels.

In 2005, the EDPS had its first intervention before the Court of Justice. Specifically on a case concerning international transfers of Passenger Name Record data of airline passengers to the United States.

In 2009, The Treaty on the Functioning of the EU, or the Lisbon Treaty., entered into force on 1 December, ensuring a strong legal basis for comprehensive data protection in all EU policy areas. Data protection became a directly enforceable right for everyone.

In 2012, a new sector, Information and Technology Policy (IT Policy Unit), was created in the organisation, to focus on the impact of technologies on data protection. Similarly, other organisational changes were made within the previously existing units: Supervision & Enforcement, Policy & Consultation and Human Resources, Budget & Administration. Head of activities (now heads of sector) were also created. The EDPS counted more than 52 privacy professionals and other experts working to protect individuals and their personal data. The EDPS also moved into its headquarters to 30 Rue Montoyer in Brussels, Belgium, these are still the EDPS' headquarters.

In 2013, the EDPS made oral submissions at the hearing before the Grand Chamber of the Court of Justice in joint preliminary references C-293/12 and C-594/12 Digital Rights Ireland and Others. Both cases concern the validity of the Data Retention Directive 2006/24/EC. It is the first time that the Court decides, on the basis of Article 24 of its Statute, to invite the EDPS to attend a hearing in a preliminary reference procedure and to provide answers to specific questions.

In 2017, with the new Europol Regulation, the EDPS began to supervises Europol (the European Union Agency for Law Enforcement Cooperation) whose remit is to help make Europe safer by assisting law enforcement authorities in EU Member States. The new Regulation also provided for the establishment of the Europol Cooperation Board, for which the EDPS provided the secretariat. The Board facilitates cooperation between the EDPS and EU Member States' data protection authorities on its supervisory activities.

In 2018, Regulation (EU) 2018/1725, or EUDPR, repealing Regulation (EC) 45/2001 was adopted. This Regulation provides the new data protection rules for EUls and must be read in parallel alongside the GDPR. By the end of 2018, the EDPS reached 100 employees.

In 2019, the EDPS started to supervise Eurojust (an EU agency in charge of combating serious forms of crime) in its processing of operational personal data.

In 2021, the EDPS became responsible for supervising the European Public Prosecutor's Office (EPPO) in its operational capacity, the independent European body in charge of investigating and prosecuting criminal offences against the European Union's financial interests.

In 2023, the EDPS opened a new office in the European Parliament in Strasbourg, France. With this new office, the EDPS provided additional support to the European Parliament in their legislative process. The year also marked organisational changes within the EDPS. Specialised sectors were created to tackle ongoing and future data protection challenges, including a sector to monitor the EU's Area of Freedom, Security, and Justice; one to address individuals' complaints; another to ensure that technologies embed privacy principles throughout their development, as well as a Legal Service.

In 2024, the EDPS celebrated 24 years since its creation. With the implementation of the AI Act it also became the market surveillance authority, notifying body and notifying authority of EUIs that fall within the scope of the AI Act. To carry out its tasks under the AI Act without prejudice to the competences, tasks, powers and independence under Regulation (EU) 2018/1725, a new AI Unit was created.

Organisational Structure

The EDPS is composed of seven main groups:

The Supervisor

The Secretary General

Policy and Consultation Unit

Supervision and Enforcement Unit

Technology and Privacy Unit

AI Unit

Human Resources, Budget and Administration

Procedural Information

Applicable Procedural Law

The EDPS updated its procedural rules in 2024.^[1] Previously, the EDPS would issue a decision which could be reviewed upon request (a type of de-facto appeal). This was replaced in 2024 with the concept of a preliminary assessment.

The EDPS will investigate a case to the extent appropriate and then draft a preliminary assessment. This assesment is very similar to the final decision. It contains the relevant established facts, references to supporting evidence, initial legal assessment, whether the controller has complied or not with Regulation 2018/1725 and any envisaged use of powers. This is be communicated to any party who is adversely affected by the assessment to allow for their right to be heard. In practice, this usually means communication of the assessment to the controller. However, it will also be communicated to the complainant where the EDPS has preliminarily found that it will dismiss either the whole or parts of the complaint. The EDPS will request views in writing from the adversely affected party/parties and set a time limit for reply (Recital 9 and Article 18(6) of the 2024 Rules of Procedure). No new evidence can be presented unless the affected party can clearly demonstrate that it could not have provided such evidence at an earlier stage of the investigation. The EDPS will then proceed to issue a final decision. Given that there is no round of review after the decision has been issues, any appeals will be directly to the General Court of the European Union.

If the preliminary assessment has not been communicated to the complainant it is because the EDPS has determined that they have not been adversely affected (e.g. the EDPS has agreed with the complaint). Should the complainant still want access to the assessment, they can submit a parallel access to the file request. An access to the file request can be limited by the EDPS under Article 18(5) of the 2024 Rules of Procedure. However, even if the complainant receives the assessment, they will not be able to submit comments. This is unless the complainant can prove that they are also adversely affected (e.g. that the EDPS has dismissed their complaint).

The final decision is communicated to all parties.

Note that the above described procedure will differ for complaints submitted under Chapter 9 of Regulation 2018/1725, which deal with operational personal data.

Appeals

A data subject has a right to a judicial remedy against a decision taken by the EDPS (Recital 79 and Article 64 2018/1725). In practice, this means that the General Court becomes the first instance court against a decision taken by the EDPS. The decision of the General Court can be appealed further to the Court of Justice (CJEU) for a final decision.

Article 64 states:

1.   The Court of Justice shall have jurisdiction to hear all disputes relating to the provisions of this Regulation, including claims for damages.

2.   Actions against decisions of the European Data Protection Supervisor, including decisions under Article 63(3), shall be brought before the Court of Justice.

3.   The Court of Justice shall have unlimited jurisdiction to review administrative fines referred to in Article 66. It may cancel, reduce or increase those fines within the limits of Article 66.

The EDPS, as an independent institution, must fund its own legal defence. As it is enforcing the law against other European Union institutions, bodies, offices and agencies, it cannot rely on, for example, the Commission's legal service. It therefore, also has its own legal service who goes to Court in the institutions's behalf. The Supervision and Enforcement Unit (often the unit responsible for the appealed decision) cooperates closely with the legal service.

Under Article 58 Regulation 2018/1725 the EDPS has the power to refer matters directly to the CJEU and to intervene in actions brought before the CJEU (Article 58(4) Regulation 2018/1725).

In practice, the EDPS rarely intervenes in cases that, while relevant to data protection, do not directly involve the EDPS. In these cases, the CJEU can invite the EDPS as a specialist party to give an opinion, but this does not happen often.

Practical Information

You can help us filling this section!

Statistics

You can help us filling this section!