Privacy regulator to step up spot checks on EU bodies

The privacy regulator for European Union bodies will increase the number of on-the-spot checks of EU bodies and agencies to ensure that they are complying with data protection law, it has said.

The European Data Protection Supervisor (EDPS), which monitors EU bodies for data protection compliance and advises them on policy, said that it will increase its use of spot checks, but that it was happy with the progress of EU bodies in complying with the law.

The EDPS has produced a report on how well EU bodies and agencies are complying with data protection law. The report found that there had been a marked improvement since the first such report last year.

"Community institutions have overall made good progress in meeting their data protection requirements," said an EDPS statement. "A lower level of compliance is observed in Community agencies, but the EDPS will be monitoring this closely and will encourage further compliance."

The organisation said that despite the improvements it would step up its use of inspections. "The EDPS will increasingly proceed with on the spot inspections in institutions or agencies in view of checking the reality and encouraging compliance," it said.

The Data Protection Regulations which govern EU bodies' use of personal data recommend that each organisation should have a list of processes which use personal data. Almost all do, said the EDPS, though EU agencies fare less well.

"The EDPS is satisfied that all but one institution now have an inventory of processing operations involving personal data, which allows a more systematic approach to implementation," said the EDPS. Of the 22 EU agencies which responded to the report, 18 have such inventories, the EDPS said.

Some of the EU agencies whose data protection officers (DPOs) had not been notified about all personal data processing said that they did not have the resources to comply with the law. The EDPS said that those who run the agencies must make sure they are aware of their legal obligations.

"The EDPS takes note of the issue of lack of resources afforded to data protection within the agencies and will remind Directors of agencies not only of the legal obligation to respect the provisions laid down in [the Regulations]…but also of the obligation to provide the DPO with the necessary resources to carry out his/her functions," it said.

"I am pleased to see that compliance with data protection rules is developing in Community institutions and agencies," said Data Protection Supervisor Peter Hustinx. "Further progress is however needed to fully translate those legal obligations in concrete technical and organisational arrangements that enable privacy safeguards to be ensured."

"In my role as supervisor, I will continue to encourage compliance in the EU administration by measuring progress, including more systematic verifications on the spot, and setting targets where needed," he said.