Today, the General Data Protection Regulation (GDPR) becomes fully applicable to all companies and organisations operating within the EU. The European Data Protection Supervisor welcomes the news that the EU legislator has now reached a political agreement on equivalent rules on data protection in the EU institutions and bodies, and will continue to support the EU institutions to ensure that they are ready to implement these rules from day one, the European Data Protection Supervisor (EDPS) said today.
Giovanni Buttarelli, EDPS, said: “We are now only two days away from what will be an historic day for data protection in the European Union. The GDPR will become fully applicable on 25 May 2018, bringing with it a big shift towards the principle of accountability and stronger powers of enforcement. We welcome today’s announcement of a political agreement on equivalent rules for the EU institutions and bodies and call for their swift adoption and publication, to ensure that they become applicable without further delay. As the supervisory authority responsible for monitoring and ensuring the protection of personal data in the EU institutions and bodies, the EDPS has undertaken to ensure that the EU institutions will be adequately prepared.”
Who has to apply GDPR?
The GDPR applies to all companies and organisations that process personal data within the EU. It does not, however, apply to the EU institutions and bodies, which must adhere to separate rules, currently set out in Regulation 45/2001. The revised rules on data protection in the EU institutions, agreed upon by EU lawmakers today, bring Regulation 45/2001 in line with the high standards of data protection provided for in the GDPR. They reflect the new emphasis on accountability, requiring the EU institutions to actively demonstrate their compliance with data protection rules, and prioritise practical safeguards for individuals rather than bureaucratic procedures.
In anticipation of the revised rules, the EDPS has been working closely with Data Protection Officers (DPOs) and other representatives from all EU institutions, bodies and agencies to prepare them for the changes to come. These activities not only include interactive workshops organised as part of our twice-yearly DPO meetings, but also targeted visits, training sessions and conferences aimed at ensuring that all EU staff involved in the processing of personal data, no matter their place in the EU hierarchy, are aware of the new rules and what they entail. With the revised rules now finalised, the EDPS will continue to intensify these efforts as part of an awareness-raising campaign, aimed at ensuring that the EU institutions have the necessary knowledge and tools to apply the new rules in an exemplary fashion.
EU citizens must be able to enjoy the same strengthened rights when dealing with the EU institutions as they will enjoy under the GDPR. The revised rules on data protection in the EU institutions and bodies agreed upon today will ensure that they are able to do so.