New EU Regulation refreshed the legal regime for data processing by European institutions

Reading Time: 2 minutes
Regulation for European institutions resized


Trilateral Research |

Date: 25 February 2019

The European Union recently enacted a new Regulation that refreshes the data protection regime applicable to European Union institutions and organs. Issued as a replacement of the legacy Regulation (EC) 45/2001, the new Regulation (EU) 2018/1725 (EU DPR) adds a new tile to the continental data protection mosaic.

The new Regulation is essentially an adaptation of Regulation 2016/679 (General Data Protection Regulation – GDPR) to the needs and practices of the European Union as an institution. While the GDPR innovated in terms of rules applicable to national organisations in the private and public sectors, the EU DPR targets EU institutions and bodies only. In essence, the two regimes are very similar, and items such as the accountability principle, lawfulness of processing requirement, data breach notification obligation, and the new rights of the data subjects, made their way into this text as well.

Nonetheless, the GDPR and the EU DPR are not identical, and one should not assume that knowledge of one Regulation implies knowledge of the other. Among the various differences in the texts, an important one is the different set of lawful bases for processing available to EU institutions. In fact, the new regulation excludes legitimate interest as a viable lawful basis for processing. Also, national supervisory authorities have no competence over the EU institutions and body, and the European Data Protection Supervisor will continue to serve as the competent supervisory authority.

Another key element of the new EU DPR is its Article 25, which provides that the data controller cannot apply restrictions to the rights of individuals unless they have adopted a legal act in line with the EU Treaties or they have adopted internal rules at the highest management level of their institution. This means that EU institutions will have to make it transparent to data subjects that restrictions on their rights exist in the specific context.

While the Regulation is already in force, there is a grace period in place until 11 December 2019 to allow institutions to complete their audits and get the new processes in place.

The EU DPR applies to the processing of EU institutions including political institutions (European Parliament, European Council, European Commission), to the EU judiciary (the Court of Justice of the European Union), the European Central Bank, the Court of Auditors, the EDPS itself, as well as the myriad of European agencies dealing with specialized matters.

With this new Regulation in place alongside the GDPR and Directive 2016/680 on data protection in the context of law enforcement, the only missing piece seems to be the recast ePrivacy Regulation, which is in draft and should be issued later this year.

For more information visit the Trilateral Data Governance page and contact our team.

Related posts