Data protection for EU institutions/bodies

Status: In force · Data & Privacy Regulation · Adopted: 23 October 2018 · Applies from: 11 December 2018

AI-assisted content notice: this page includes AI-assisted summaries, FAQs, and glossary entries prepared for navigation purposes. Verify the underlying legal text before relying on this content.

Summary

Regulation (EU) 2018/1725 lays down rules for the protection of natural persons with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and on the free movement of such data within the Union administration. It aligns the EU institutions’ data protection framework with the GDPR and sets out governance, accountability and enforcement mechanisms under the supervision of the European Data Protection Supervisor (EDPS). It also includes specific rules for processing in the context of operational cooperation in the area of police and judicial cooperation in criminal matters by Union bodies, offices and agencies.

Who is affected?

Union institutions, bodies, offices and agencies (including their staff and contractors) that process personal data in the course of their activities. Individuals whose personal data are processed by EU institutions benefit from the rights and safeguards set out in the Regulation.

Scope

Applies to the processing of personal data by all Union institutions, bodies, offices and agencies, including processing related to administrative activities and, with specific provisions, certain law-enforcement-related processing by Union bodies.

Key Points

  • Establishes GDPR-aligned principles, lawful bases, transparency duties and accountability obligations for EU institutions’ processing of personal data.
  • Sets out data subject rights (e.g., access, rectification, erasure, restriction, objection) and rules on automated decision-making.
  • Requires appropriate technical and organisational measures, including data protection by design and by default, security of processing, and breach notification obligations.
  • Provides for Data Protection Officers (DPOs) within EU institutions and cooperation/consistency mechanisms involving the EDPS.
  • Regulates international transfers and disclosures, including conditions and safeguards for transfers to third countries and international organisations.
  • Gives the EDPS supervisory and enforcement powers, including investigations, orders and administrative fines for EU institutions, bodies, offices and agencies.

Frequently Asked Questions

Who must comply with Regulation (EU) 2018/1725?

All Union institutions, bodies, offices, and agencies, including their staff and contractors, must comply with this Regulation when processing personal data in the course of their activities.

What types of data processing does the Regulation cover?

The Regulation covers any processing of personal data by EU institutions, bodies, offices, and agencies, including both administrative and certain law-enforcement-related processing.

What rights do individuals have under this Regulation?

Individuals have rights such as access to their data, rectification, erasure, restriction of processing, objection to processing, and protection against automated decision-making.

What are the main obligations for EU institutions under this Regulation?

Key obligations include ensuring lawful and transparent processing, implementing data protection by design and by default, maintaining data security, notifying data breaches, and appointing a Data Protection Officer.

What is the role of the European Data Protection Supervisor (EDPS)?

The EDPS acts as the independent supervisory authority, overseeing compliance, handling complaints, conducting investigations, and enforcing the Regulation, including issuing orders and administrative fines.

How does this Regulation interact with the GDPR?

Regulation (EU) 2018/1725 aligns the data protection framework for EU institutions with the GDPR, ensuring consistency in principles, rights, and obligations, but applies specifically to Union bodies rather than private or national public entities.

What are the penalties for non-compliance?

The EDPS can impose administrative fines and other corrective measures on EU institutions, bodies, offices, and agencies that fail to comply with the Regulation.

Are there specific rules for law enforcement processing?

Yes, the Regulation contains tailored provisions for processing personal data in the context of operational cooperation in police and judicial matters by Union bodies.

What steps should EU institutions take to ensure compliance?

Institutions should appoint a Data Protection Officer, conduct data protection impact assessments where necessary, implement technical and organisational security measures, provide staff training, and establish procedures for handling data subject requests and breach notifications.

Does the Regulation address international data transfers?

Yes, it sets out conditions and safeguards for transferring personal data to third countries or international organisations, ensuring adequate protection of individuals' rights.

Key Terms

Personal Data
Any information relating to an identified or identifiable natural person processed by EU institutions, bodies, offices, or agencies.
Data Subject
An individual whose personal data is processed by an EU institution, body, office, or agency.
Data Protection Officer (DPO)
A designated individual within each EU institution responsible for monitoring compliance, advising on obligations, and acting as a contact point for the EDPS and data subjects.
European Data Protection Supervisor (EDPS)
The independent authority supervising the application of data protection rules by EU institutions, bodies, offices, and agencies.
Data Protection by Design and by Default
A requirement to integrate data protection measures into processing activities and systems from the outset and to ensure that, by default, only necessary personal data are processed.
Lawful Basis for Processing
The legal grounds under which personal data may be processed, such as consent, contractual necessity, legal obligation, or legitimate interests.
Data Breach Notification
An obligation to promptly inform the EDPS and, in some cases, affected individuals when a personal data breach occurs.
Data Subject Rights
The set of rights granted to individuals, including access, rectification, erasure, restriction, objection, and protection against automated decision-making.
International Data Transfers
The movement of personal data from EU institutions to third countries or international organisations, subject to specific safeguards and conditions.
Operational Cooperation in Criminal Matters
Processing of personal data by Union bodies in the context of police and judicial cooperation, governed by specific rules within the Regulation.