European Data Protection Supervisor

Incumbent: Wojciech Wiewiórowski, since 6 December 2019
Nominator: European Commission
Appointer: European Parliament and Council
Constituting instrument: Regulation (EU) 2018/1725
Formation: 17 January 2004
First holder: Peter Hustinx
Website: edps.europa.eu

The European Data Protection Supervisor (EDPS) is an independent supervisory authority whose primary objective is to monitor and ensure that European institutions and bodies respect the right to privacy and data protection when they process personal data and develop new policies. [1]

Wojciech Wiewiórowski has been appointed European Data Protection Supervisor (EDPS) by a joint decision of the European Parliament and the Council. [2] Appointed for a five-year term, he took office on 6 December 2019.

Regulation (EU) 2018/1725 [3] describes the duties and powers of the European Data Protection Supervisor (Chapter VI) as well as the institutional independence of the EDPS as a supervisory authority. It also lays down the rules for data protection in the EU institutions.

Activities

The duties and powers of the EDPS, as well as the institutional independence of the supervisory authority, are set out in the "Data Protection Regulation". [4] In practice the EDPS' activities can be divided into three main roles: supervision, consultation, and cooperation.

Supervision

In the "supervisory" role the EDPS' core task is to monitor the processing of personal data in European institutions and bodies. [5] The EDPS does so in cooperation with the data protection officers (DPO) [6] present in each European institution and body. The DPO has to notify the EDPS about any processing operations involving sensitive personal data or likely to pose other specific risks. The EDPS then analyses this processing in relation to the Data Protection Regulation and issues a "prior check" opinion. [6] In most cases, this exercise leads to a set of recommendations that the institution or body needs to implement so as to ensure compliance with data protection rules.

In 2009, for instance, the EDPS adopted more than a hundred prior check opinions, mainly covering issues such as health data, staff evaluation, recruitment, time management, telephone recording, performance tools, and security investigations. These opinions are published on the EDPS website and their implementation is followed up systematically.

The implementation of the Data Protection Regulation in the EU administration is also closely monitored by regular stock-taking of performance indicators, involving all EU institutions and bodies. In addition to this general monitoring exercise, the EDPS also carries out on-site inspections to measure compliance in practice.

The supervisory role of the EDPS also involves investigating complaints [7] lodged by EU staff members or any other individual who feels that their personal data have been mishandled by a European institution or body. Examples of complaints include alleged violations of confidentiality, access to data, the right of rectification, erasure of data, and excessive collection or illegal use of data by the controller.

The EDPS has also developed other forms of supervision, such as advice on administrative measures and the drafting of thematic guidelines. [8]

Consultation

In the "consultative" role the EDPS advises the European Commission, the European Parliament, and the Council of the European Union on data protection issues in a range of policy areas. [9] This consultative role relates to proposals for new legislation as well as other initiatives that may affect personal data protection in the EU. It usually results in a formal opinion, but the EDPS may also provide guidance in the form of comments or policy papers. Technological developments having an impact on data protection are also monitored as part of this activity.

Some recent significant issues to which the EDPS has given special attention include international data transfers, [10] internet governance, rebuilding trust between the EU and the US, [11] eCommunications, cybersecurity, and the future of the area of freedom, security, and justice (Stockholm Programme).

The EDPS is also closely following the ongoing review of the legal framework for data protection aimed at modernising the Data Protection Directive in response to new globalisation and technological challenges. [12] Realising this critical objective will be the dominant item on the EDPS' agenda over the coming years.

As part of his consultative role, the EDPS also intervenes in cases before the European Court of Justice that are relevant to his tasks. In June 2009 for instance, he intervened in a case concerning the relationship between transparency and data protection – the so-called "Bavarian Lager" case. [13]

Cooperation

The EDPS cooperates with other data protection authorities in order to promote a consistent approach to data protection throughout Europe.

The main platform for cooperation between data protection authorities in Europe is the Article 29 Data Protection Working Party. The EDPS takes part in the activities of the Working Party, which plays an important role in the uniform application of the Data Protection Directive and the superseding General Data Protection Regulation (GDPR). The EDPS and the Working Party have cooperated effectively on a range of subjects, but particularly on the implementation of the Data Protection Directive and on the challenges raised by new technologies. The EDPS also strongly supported initiatives taken to ensure that international data flows respect European data protection principles.

One of the most important cooperative tasks of the EDPS involves Eurodac, where the responsibilities for supervision are shared with national data protection authorities.

The EDPS cooperates with data protection authorities in the former "third pillar" – the area of police and judicial cooperation – and with the Working Party on Police and Justice.

Cooperation also takes place through participation in two major annual data protection conferences: a European Conference that gathers data protection authorities from the EU Member States and the Council of Europe, and an International conference attended by a wide range of data protection experts, both from the public and private sectors.

List of European Data Protection Supervisors

Term | European Data Protection Supervisor | Assistant Supervisor
2004–2009 [14] | Peter Hustinx | Joaquín Bayo Delgado
2009–2014 [15] | Peter Hustinx | Giovanni Buttarelli
2014–2019 [2] | Giovanni Buttarelli | Wojciech Wiewiórowski
2019– [16] | Wojciech Wiewiórowski | Post discontinued

Related Research Articles

The Office of the Data Protection Commissioner (DPC), also known as Data Protection Commission, is the independent national authority responsible for upholding the EU fundamental right of individuals to data privacy through the enforcement and monitoring of compliance with data protection legislation in Ireland. It was established in 1989.

Data Protection Directive: EU directive on the processing of personal data

The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, was a European Union directive which regulated the processing of personal data within the European Union (EU) and the free movement of such data. The Data Protection Directive was an important component of EU privacy and human rights law.

The International Safe Harbor Privacy Principles or Safe Harbour Privacy Principles were principles developed between 1998 and 2000 in order to prevent private organizations within the European Union or United States which store customer data from accidentally disclosing or losing personal information. They were overturned on October 6, 2015, by the European Court of Justice (ECJ), which enabled some US companies to comply with privacy laws protecting European Union and Swiss citizens. US companies storing customer data could self-certify that they adhered to 7 principles, to comply with the EU Data Protection Directive and with Swiss requirements. The US Department of Commerce developed privacy frameworks in conjunction with both the European Union and the Federal Data Protection and Information Commissioner of Switzerland.

A framework decision was a kind of legislative act of the European Union used exclusively within the EU's competences in police and judicial co-operation in criminal justice matters. Framework decisions were similar to directives in that they required member states to achieve particular results without dictating the means of achieving that result. However unlike directives, framework decisions were not capable of direct effect, they were only subject to the optional jurisdiction of the European Court of Justice and enforcement proceedings could not be taken by the European Commission for any failure to transpose a framework decision into domestic law.

The Revised Payment Services Directive (PSD2, Directive (EU) 2015/2366, which replaced the Payment Services Directive (PSD), Directive 2007/64/EC) is an EU Directive, administered by the European Commission (Directorate General Internal Market) to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA). The PSD's purpose was to increase pan-European competition and participation in the payments industry also from non-banks, and to provide for a level playing field by harmonizing consumer protection and the rights and obligations for payment providers and users. The key objectives of the PSD2 directive are creating a more integrated European payments market, making payments more secure and protecting consumers.

European Insurance and Occupational Pensions Authority

The European Insurance and Occupational Pensions Authority (EIOPA) is a European Union financial regulatory agency. It was established in 2011 under EU Regulation 1094/2010.

The Committee of European Banking Supervisors (CEBS) was an independent advisory group on banking supervision in the European Union (EU), active from its establishment in 2004 to its replacement on 1 January 2011 by the European Banking Authority (EBA) which took over all its tasks and responsibilities following Regulation (EC) No. 1093/2010 of the European Parliament and of the Council of 24 November 2010.

Body of European Regulators for Electronic Communications

The Body of European Regulators for Electronic Communications (BEREC) is the body in which the regulators of the telecommunications markets in the European Union work together. Other participants are the representatives of the European Commission, as well as telecommunication regulators from the member states of the EEA and of states that are in the process of joining the EU.

Area of freedom, security and justice: EU's home affairs and justice policies

The area of freedom, security and justice (AFSJ) of the European Union (EU) is a policy domain concerning home affairs and migration, justice as well as fundamental rights, developed to address the challenges posed to internal security by collateral effects of the free movement of people and goods in the absence of border controls or customs inspection throughout the Schengen Area, as well as to safeguard adherence to the common European values through ensuring that the fundamental rights of people are respected across the EU.

The Internal Market Information System (IMI) is an IT-based network that links public bodies in the European Economic Area. It was developed by the European Commission together with the Member States of the European Union to speed up cross-border administrative cooperation. IMI allows public administrations at national, regional and local level to identify their counterparts in other countries and to exchange information with them. Pre-translated questions and answers as well as machine translation make it possible for them to use their own language to communicate.

The Article 29 Working Party, in full the Working Party on the Protection of Individuals with regard to the Processing of Personal Data, was an independent European Union advisory body on data protection and privacy. It was made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission.

The German Bundesdatenschutzgesetz (BDSG) is a federal data protection act, that together with the data protection acts of the German federated states and other area-specific regulations, governs the exposure of personal data, which are manually processed or stored in IT systems.

European Banking Supervision: Supranational banking supervisory framework

European Banking Supervision, also known as the Single Supervisory Mechanism (SSM), is the policy framework for the prudential supervision of banks in the euro area. It is centered on the European Central Bank (ECB), whose supervisory arm is referred to as ECB Banking Supervision. EU member states outside of the euro area can also participate on a voluntary basis, as was the case of Bulgaria as of late 2023. European Banking Supervision was established by Regulation 1024/2013 of the Council, also known as the SSM Regulation, which also created its central decision-making body, the ECB Supervisory Board.

General Data Protection Regulation: EU regulation on the processing of personal data

The General Data Protection Regulation is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

The banking union refers to the transfer of responsibility for banking policy from the national to the European Union (EU) level in several EU member states, initiated in 2012 as a response to the Eurozone crisis. The motivation for banking union was the fragility of numerous banks in the Eurozone, and the identification of a vicious circle between credit conditions for these banks and the sovereign credit of their respective home countries. In several countries, private debts arising from a property bubble were transferred to the respective sovereign as a result of banking system bailouts and government responses to slowing economies post-bubble. Conversely, weakness in sovereign credit resulted in deterioration of the balance sheet position of the banking sector, not least because of high domestic sovereign exposures of the banks.

Giovanni Buttarelli

Giovanni Buttarelli was an Italian civil servant, who served as the European Data Protection Supervisor (EDPS). On 4 December 2014, he was appointed by a joint decision of the European Parliament and the Council. He was due to serve a five-year term in this position. Previously, he served as Assistant EDPS, from January 2009 until December 2014. He was also a member of the Italian judiciary with the rank of judge of the Court of Cassation.

European Data Protection Board: EU body for implementing the GDPR

The European Data Protection Board (EDPB) is a European Union independent body with juridical personality whose purpose is to ensure consistent application of the General Data Protection Regulation (GDPR) and to promote cooperation among the EU’s data protection authorities. On 25 May 2018, the EDPB replaced the Article 29 Working Party.

Regulation of pesticides in the European Union

A pesticide, also called Plant Protection Product (PPP), which is a term used in regulatory documents, consists of several different components. The active ingredient in a pesticide is called “active substance” and these active substances either consist of chemicals or micro-organisms. The aims of these active substances are to specifically take action against organisms that are harmful to plants. In other words, active substances are the active components against pests and plant diseases.

The Dutch Data Protection Authority is the data protection authority for the Netherlands and an independent administrative body that has been appointed by law as the supervisory authority for the processing of personal data. The organization is therefore concerned with privacy. The duties of the AP derive from the Data Protection Directive that applies to all countries of the EU. This directive has been replaced by the General Data Protection Regulation. The Implementation Act General Data Protection Regulation has replaced the Personal Data Protection Act and appointed the AP as supervisor. All EU Member States have their own body, similar to the AP.

References

  1. "About | European Data Protection Supervisor". edps.europa.eu. Retrieved 8 November 2021.
  2. Decision 2014/886/EU, OJ L 351, 9.12.2014, p. 9
  3. Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (Text with EEA relevance.), 21 November 2018, retrieved 9 October 2019
  4. Regulation (EC) No 45/2001, OJ L 8, 12.1.2001, p. 1–22
  5. "EDPS Homepage | European Data Protection Supervisor".
  6. "Glossary | European Data Protection Supervisor". edps.europa.eu. Retrieved 2 November 2022.
  7. "Complaints | European Data Protection Supervisor".
  8. "Guidelines | European Data Protection Supervisor".
  9. "Our role as an advisor | European Data Protection Supervisor". edps.europa.eu. Retrieved 2 November 2022.
  10. "Data protection".
  11. "Archived copy" (PDF). Archived from the original (PDF) on 4 January 2017. Retrieved 6 January 2015.
  12. Data Protection Directive, Directive 95/46/EC, OJ L 281, 23.11.1995, p. 31–50
  13. "Archived copy" (PDF). Archived from the original (PDF) on 9 March 2012. Retrieved 12 October 2010.
  14. Decision 2004/55/EC, OJ L 12, 17.1.2004, p. 47
  15. Decision 2009/30/EC, OJ L 11, 16.1.2009, p. 83
  16. "Wojciech Wiewiórowski replacing EDPS". European Data Protection Supervisor. 26 August 2019. Retrieved 1 September 2019.