Brussels, Tuesday 18 December 2012
EDPS: Status of DPOs is key to safeguarding data protection rights
Yesterday, the European Data Protection Supervisor (EDPS) published his Report on the Status of Data Protection Officers (DPOs) as part of his ongoing task to monitor the compliance of EU institutions and bodies with Article 24 of the European Data Protection Regulation, which obliges the appointment of DPOs.
The DPO plays a key role in ensuring the effective compliance with data protection principles for activities in organisations where personal information is collected and used, for example, staff recruitment and evaluation, contract tenders, requests for information, video surveillance and so on. In the EU administration, the DPO can also be the contact person for complaints from staff and citizens whose data protection rights have been infringed.
Giovanni Buttarelli, Assistant EDPS, says: "Ensuring the fundamental right to data protection of staff and citizens requires the commitment of the hierarchy within EU institutions and bodies. This can be clearly demonstrated by the appointment and support of their DPOs and also by the status that DPOs hold within the organisation. While we are delighted to report that the DPO function is well established within the EU administration, there are several areas of concern. As institutions are fully accountable for compliance with data protection rules, it is imperative that these concerns are addressed properly by the institutions and we intend to closely monitor and make recommendations as necessary."
The EDPS report outlines a number of issues. Under Article 24 of the Data Protection Regulation, individuals fulfilling the DPO position must be appointed for a minimum two-year period. But the EDPS report highlights a high turnover of DPO staff and, in some cases, shorter mandate terms, both possibly linked to the contract status of the staff appointed to this position.
In addition, the conflicts of interest for those combining DPO tasks with other responsibilities and the lack of adequate resources in some cases for DPOs to perform their functions have serious implications for the effective application of the Regulation.
Discussions on the reform of the data protection rules applicable in Member States are underway at the European Parliament and the Council. It is likely that the appointment of DPOs will be made mandatory in the public sector and in certain private companies. The concerns highlighted in the EDPS report, which is based on the experience within the EU administration, should be taken into consideration by the EU legislator as well as those organisations that store and use personal information.
Article 24 of the Data Protection Regulation (EC) No 45/2001 provides that each EU institution/body has to appoint at least one Data Protection Officer (DPO) to ensure in an independent manner its internal application. Article 24 sets out the conditions of appointment of the DPOs, their status and the general conditions governing the performance of their duties.
Personal data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, e-mail addresses and telephone numbers. Other details such as health data, data used for evaluation purposes and traffic data on the use of telephone, email or internet are also considered personal data.
DPO: Each institution or body has a data protection officer. It is the DPO's duty to ensure in an independent manner the internal application of the Regulation. This also involves other tasks such as ensuring that controllers and data subjects are informed of their rights and obligations, and cooperating with the EDPS at his request or at their own initiative. A list of data protection officers can be found on the EDPS website.
EU institutions and bodies/EU administration: all institutions, bodies, offices or agencies operating for the European Union (e.g. European Commission, European Parliament, Council of the European Union, European Central Bank, specialised and decentralised EU agencies).
EDPS position paper on the role of Data Protection Officers in ensuring effective compliance with Regulation (EC) 45/2001
Professional Standards for Data Protection Officers of the EU Institutions and bodies working under Regulation (EC) No 45/2001 (paper endorsed by the EDPS)
The European Data Protection Supervisor (EDPS) is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. He does so by:
EDPS - The European guardian of data protection