New EU Regulation 2018/1725 on the processing of personal data for European Institutions

Regulation (EU) 2018/1725 (the Regulation) is the new Data Protection Regulation applicable to the EU Institutions (EUIs). The Regulation entered into force on 11 December 2018 and replaced the Regulation (EC) 45/2001. By adopting this Regulation, the EU legislator brings the data handling rules and practices of the EUIs in line with the General Data Protection Regulation (GDPR), which is applicable to data controllers and processors other than EUIs.

The key novelties brought by the Regulation include:

• New obligations and responsibilities for the controllers (EUIs);
• Emphasis on the accountability principle:
  • Document the processing activities by generating records;
  • Keep track of, and maintain, the records of processing activities; 
  • Demonstrate compliance with the general principles;
  • Implement data protection by design and by default principles;
  • Perform Data Protection Impact Assessments (DPIAs);
• New obligation to notify personal data breaches to the EDPS;
• New investigative and corrective powers of the EDPS.

Data Protection Impact Assessment (DPIA)

The Regulation introduces a new obligation for the EUIs, to perform DPIAs. A DPIA is an analysis of the risks that the processing operations may introduce to the data subjects. Accordingly, the EUIs shall not conduct the DPIA for all processing operations, but only for those that:

• Are on the list of highly risky processing operations to be issued by the EDPS under Art. 39 (4);
• Are likely to pose a high risk to the rights and freedoms of the data subjects according to the threshold assessment done by the EUIs.

If the processing operation that is planned by a EUI is not on the list mentioned above, and the person responsible behalf of the controller considers that there could be a high risk, the EUIs should conduct and document a threshold assessment.

Sanctions

In accordance with the Art. 66 of the Regulation, the EDPS is empowered to impose administrative fines on the EUIs as a sanction of a last resort, and only when the EUIs fail to comply with the Regulation (e.g. non-compliance with the EDPS order to communicate data breach to the data subject). Fines under Art. 66 are lower than those provided under Art. 83(4) to (6) of the GDPR. This can be explained by the fact that unlike the GDPR, the Regulation does not target operators pursuing lucrative activities.

How to get ready

Next steps for the person responsible on behalf of the controller:

• Introduce privacy by design and by default;
• Use the privacy notifications based on Art. 25 under the Regulation 45/2001 as a basis for generating new records for all processing activities that involve personal data;
• Upload information items in the new records such as names and contact details of the controller, the purpose of the processing, a description of the categories of data subjects, etc.;
• Perform a compliance check with respect to Art. 4 and Art.5 of the Regulation;
• Ensure that an information security risk management process is in place;
• Assess which processing operations are likely to result into a “high risk to the rights and freedom of data subjects”;
• Check if the privacy statements are up to date and are written in a clear and plain language.

Next steps for the DPO:

• Monitor compliance with applicable Regulation (EU) 2018/1725 and any other applicable EU Law in respect to data protection;
• Provide feedback on the draft records and any other draft documentation;
• Keep the central register of the new records similar to the “inventory” of all processing operations that was kept according to the Art. 25 under the Regulation (EC) 45/2001;
• Ensure that some parts of the records are publicly accessible;
• Guide and assist the person responsible on behalf of the controller in preparing the DPIA.