On 23 May 2018, representatives of the Council and the Parliament agreed on a new regulation on the handling of personal data by EU institutions and other EU bodies. The new rules are aligned with the general data protection regulation (GDPR) which enters into force on 25 May 2018.
The new provisions will apply to data processing by Union institutions, bodies, offices and agencies. They will increase the protection of personal data and ensure a free flow of that data between the institutions and the different bodies, insofar as it is necessary.
The new rules on data protection for EU institutions further update the Union's data protection regime. It is an important signal for citizens: tighter rules on data protection are for everybody, including the EU institutions themselves. I am pleased that we could agree on these a couple of days before the general data protection regulation enters into force on 25 May.
Tsetska Tsacheva, Bulgarian minister of Justice
As in the GDPR, the new regulation provides for a number of principles to be followed in the processing of data and a number of rights guaranteed to individuals whose data are collected. These include, for example, the right of individuals to access, correct or delete their personal data. In line with the GDPR, institutions and other bodies must also ensure that they provide transparent and easily accessible information on how personal data is used, and foresee clear mechanisms for individuals to exercise their rights.
The new legal instrument also reconfirms, clarifies and enhances the role of data protection officers within each EU institution and of the European data protection supervisor. The objective is also to try to simplify the procedures in this field.
In line with the agreement reached by the co-legislators today, processing of personal data by the Union agencies in the field of law enforcement and judicial cooperation (e.g. Eurojust) is covered by the regulation through a specific chapter. The rules in this chapter are aligned with the Law Enforcement Directive. More specific rules can also be laid down in the founding acts of these agencies to take into account their particular circumstances. Europol and the European Public Prosecutor's Office are, for the time being, excluded from this regulation. A review will be conducted by the Commission in 2022.
“It was a challenge to have these new rules running together with the kick off of the GDPR”,
Ventsislav Karadjov, Chair of DAPIX and Head of the Bulgarian Commission for Personal Data Protection said. He reiterated that
“the new framework will not only enable the data flow, but also will contribute to the consistency of the legislation. Together with the GDPR and the Law Enforcement Directive Europe is becoming a model to follow up, worldwide.”
After confirmation of the political agreement reached today by representatives of the Council and the Parliament, the text will undergo linguistic revision and subsequently be formally adopted by the two institutions. The new rules will then apply as of Autumn 2018.