EU institutions and bodies deal with a wide variety of personal data, and often in complex ways. EU law requires that they are able to ensure, verify and demonstrate compliance with data protection rules when handling this data. According to a report published by the European Data Protection Supervisor (EDPS), there has been continuous and steady progress in the way that they deliver on this obligation.

Giovanni Buttarelli, EDPS, said: "Our latest stock-taking exercise confirms a largely positive trend among EU institutions and bodies. As their independent supervisory authority, it is the role of the EDPS to make sure they remain accountable in their compliance with data protection rules. The publication of this report will help us to establish priorities for EDPS activities in 2018, a year which, with the entry into force of the new General Data Protection Regulation (GDPR), as well as a Proposal to amend the current rules governing data protection in the EU institutions, will mark the beginning of a new era in data protection."

All EU institutions process personal information in their administrative duties and for some it even constitutes part of their core business activities. Their compliance with data protection rules therefore concerns anyone whose personal data is processed by the institutions, including EU staff, recipients of EU grants or anyone registered in large-scale EU databases.

As part of our efforts to ensure this compliance, every two years the EDPS conducts a Survey of all EU institutions under its supervision, focusing on selected data protection topics. For this edition, we surveyed 64 EU institutions on the state of their registers and inventories of processing operations and several other compliance aspects, such as the increasing number of data transfers to third countries.

Although the EDPS Survey is technical in nature and focuses on formalities, it provides us with valuable information to assess trends, promotes transparency and feeds into the choices the EDPS makes regarding our supervision and enforcement activities. In line with the EDPS enforcement policy, we publish the report in order to encourage greater accountability on the part of EU institutions in their compliance with data protection rules.


Wojciech Wiewiórowski, Assistant EDPS, said: "This Survey provides a state of play in relation to the compliance of EU institutions with data protection rules, whilst also illustrating the role of the EDPS as their independent supervisory authority. The report is part of our efforts to train and guide EU institutions on how best to respect data protection rules in practice, whilst focusing on processing activities that present a high risk to individuals. We emphasise progress made in comparison to previous Surveys, and underline shortcomings. We also take follow-up action, ranging from targeted assistance, guidance and training to more robust action, where appropriate."