Förderverein Informationstechnik und Gesellschaft

Data protection: Commission proposes Regulation to protect

Data protection: Commission proposes Regulation to protect data within EU institutions and bodies

A proposal for a Regulation to protect personal data within European Union (EU) institutions and bodies has been put forward by the European Commission. The proposed Regulation would lay down rules to ensure a high level of protection for personal data processed by each of the Community institutions and bodies and establish an independent supervisory body to monitor application of these rules. The EU institutions are obliged to introduce such data protection safeguards by the new Article 286 of the EU Treaty (as amended by the Amsterdam Treaty). The proposed Regulation has to be adopted by the Council of Ministers and the European Parliament under the co-decision procedure.

EU institutions and bodies, and the Commission in particular, handle personal data as part of their everyday work. The Commission exchanges personal data with Member States in implementing the common agricultural policy and the Structural Funds, in administering the customs union and in pursuing other EU policies. The data protection Directive (95/46/EC) is addressed to the Member States and does not apply as such to the Commission or the other EU institutions and bodies. When the Directive was adopted in 1995, the Commission and the Council made a public declaration undertaking to comply with it. This undertaking has become binding with the entry into force of the Amsterdam Treaty.

The data protection rules in the proposed Regulation are based on the existing EU rules on data protection which apply to the Member States, in particular the Data Protection Directive 95/46/EC. However, the Directive itself is a framework law and it requires a more detailed Regulation, which is directly applicable, to lay down operational rules for the institutions. Under the proposed Regulation, personal data would have to be:

processed fairly and lawfully collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes adequate, relevant and not excessive in relation to the purposes for which they were collected and/or further processed accurate and, where necessary, kept up to date (every reasonable step would have to be taken to ensure that data which were inaccurate or incomplete in relation to the purposes for which they were collected or for which they were further processed, were erased or rectified) kept in a form which permitted identification of data subjects for no longer than was necessary for the purposes for which the data were collected or for which they were further processed.

Citizens would enjoy legally enforceable rights under the proposed Regulation, such as rights of access, rectification, blocking and deletion of personal data relating to them from the files held by each EU institution and body.

The proposal would establish a European Data Protection Authority, which would be a new independent EU body, responsible for monitoring the correct application of the data protection rules by the EU institutions and bodies. It will be a body comparable to the data protection authorities in the Member States as provided in the Data Protection Directive. Citizens would be able to lodge complaints directly with the European Data Protection Authority if they considered their data protection rights under the Regulation had not been respected.

Date: 15 July 1999 For further details: