The European Court of Auditors is subject to specific legal obligations concerning the protection of personal data and its processing. These obligations are set by
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.
Apart from specifying the legal principles governing the processing of personal data by the European Institutions, Regulation (EU) 2018/1725 requires each institution or body to appoint at least one person as Data Protection Officer (DPO).
The main task of the DPO is to work independently to ensure that the Regulation is applied in their institution.
The DPO shall have the following tasks:
inform and advise the responsible person for the processing of personal data, the staff and/or subcontractors that process the personal data regarding their obligations and rights concerning data protection;
monitor compliance with the data protection regulation and with other EU legislation containing data protection provisions;
monitor compliance with the policies of the responsible person or processor of the personal data in relation to the protection of personal data, including the assignment of responsibilities;
raise staff awareness and provide training for staff involved in processing personal data;
carry out or organise audits to verify compliance with data protection obligations;
ensure that persons whose personal data is processed are informed of their rights and obligations under the data protection regulation;
provide advice if a notification or communication is necessary in case of a personal data breach concerning confidentiality, integrity and/or availability;
provide advice when a data protection impact assessment is carried out, monitor its performance and consult the European Data Protection Supervisor (EDPS) in case of doubts as to the need for a data protection impact assessment;
provide advice as regards the need for prior consultation of the EDPS where the processing of personal data would result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in view of the available technologies and implementation costs;
respond to requests from the EDPS;
ensure that the rights and freedoms of persons whose personal data is processed are not adversely affected by the processing operations.
The Data Protection Officer will also keep a
register of all personal data processing by the European Court of Auditors. The register, which must contain information explaining the purpose and conditions of processing operations, is accessible to all interested parties.
The DPO may make practical recommendations to improve data protection at the ECA, and advise the Court and its data controllers and processors on data protection.
The staff committee, data controllers and processors, or any other individual, may consult the DPO on any matter concerning the interpretation or application of the Regulation, without going through the official channels.
The DPO may investigate matters and occurrences on his or her own initiative or at the request of the responsible of the treatment or the person that treats the personal data, the staff committee concerned or any individual, directly relating to his or her tasks which come to his or her notice, and report back to the person who commissioned the investigation or to the controller or the processor. .
Nobody shall suffer prejudice for contacting the DPO regarding an alleged breach of the Regulation.
Johan Van Damme
Data Protection Officer
Office K1 2/33
Tel.: +352 4398-47777