EU Privacy Supervisor Unveils Inspection Secrets



European Union institutions are getting some heads-up from the European Data Protection Supervisor (EDPS) on what to expect if and when their data processing practices are inspected.

The EDPS—which acts as the internal data protection regulator for the EU—released a handy factsheet on the ground rules it employs when choosing which EU institution to inspect and how institutions can prepare for inspections.

With allegations of Russian hacking into the U.S. and other western governments, the data protection practices of EU institutions and bodies may be under particularly harsh scrutiny.

To decide which EU institutions to inspect, EDPS publishes an Annual Inspection Plan based a risk analysis and inspection resources it has available, and inspects in accordance with the Plan and a number of factors: categories of data an institution possesses; number of complaints received; whether an institution transfers data and to whom; an institutions compliance with EDPS decisions; and its history of cooperation.

EDPS inspections generally begin with a notification at least four weeks in advance, at which point the institution’s data protection officer may need to provide the EDPS with requested information. The inspection itself involves a meeting with the institution’s staff members that are responsible for data processing, and requests for information or demonstrations. EDPS will then follow-up with an inspection report and possibly recommendations.

The EDPS office is an independent institution that monitors the personal data processing practices of EU bodies and institutions, and advises EU bodies and institutions on privacy policies. It ensures that EU institutions fulfill their obligations to comply with the data protection rules of Regulation (EC) No. 45/2001 and to demonstrate their compliance.

Its oversight mandate includes visiting and inspecting EU institutions under its jurisdiction—which includes the European Commission, European Parliament and Court of Justice of the European Union—for the purpose of enforcing data protection rules and raising aware of data protection issues.

To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update.