Published date | 21 November 2018 |
Official Gazette Publication | Gazzetta ufficiale dell’Unione europea, L 295, 21 novembre 2018,Diario Oficial de la Unión Europea, L 295, 21 de noviembre de 2018,Journal officiel de l'Union européenne, L 295, 21 novembre 2018 |
21.11.2018 | EN | Official Journal of the European Union | L 295/39 |
REGULATION (EU) 2018/1725 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 23 October 2018
on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC
(Text with EEA relevance)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2) thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Economic and Social Committee (1),
Acting in accordance with the ordinary legislative procedure (2),
Whereas:
(2) | Regulation (EC) No 45/2001 of the European Parliament and of the Council (3) provides natural persons with legally enforceable rights, specifies the data processing obligations of controllers within the Community institutions and bodies, and creates an independent supervisory authority, the European Data Protection Supervisor, responsible for monitoring the processing of personal data by the Union institutions and bodies. However, it does not apply to the processing of personal data in the course of an activity of Union institutions and bodies which fall outside the scope of Union law. |
(3) | Regulation (EU) 2016/679 of the European Parliament and of the Council (4) and Directive (EU) 2016/680 of the European Parliament and of the Council (5) were adopted on 27 April 2016. While the Regulation lays down general rules to protect natural persons with regard to the processing of personal data and to ensure the free movement of personal data within the Union, the Directive lays down the specific rules to protect natural persons with regard to the processing of personal data and to ensure the free movement of personal data within the Union in the fields of judicial cooperation in criminal matters and police cooperation. |
(5) | It is in the interest of a coherent approach to personal data protection throughout the Union, and of the free movement of personal data within the Union, to align as far as possible the data protection rules for Union institutions, bodies, offices and agencies with the data protection rules adopted for the public sector in the Member States. Whenever the provisions of this Regulation follow the same principles as the provisions of Regulation (EU) 2016/679, those two sets of provisions should, under the case law of the Court of Justice of the European Union (the ‘Court of Justice’), be interpreted homogeneously, in particular because the scheme of this Regulation should be understood as equivalent to the scheme of Regulation (EU) 2016/679. |
(6) | Persons whose personal data are processed by Union institutions and bodies in any context whatsoever, for example, because they are employed by those institutions and bodies, should be protected. This Regulation should not apply to the processing of personal data of deceased persons. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person. |
(7) | In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. |
(8) | This Regulation should apply to the processing of personal data by all Union institutions, bodies, offices and agencies. It should apply to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation. |
(9) | In Declaration No 21 on the protection of personal data in the fields of judicial cooperation in criminal matters and police cooperation, annexed to the final act of the intergovernmental conference which adopted the Treaty of Lisbon, the conference acknowledged that specific rules on the protection of personal data and on the free movement of personal data in the fields of judicial cooperation in criminal matters and police cooperation based on Article 16 TFEU could prove necessary because of the specific nature of those fields. A distinct Chapter of this Regulation containing general rules should therefore apply to the processing of operational personal data, such as personal data processed for the purposes of a criminal investigation by Union bodies, offices or agencies when carrying out activities in the fields of judicial cooperation in criminal matters and police cooperation. |
(10) | Directive (EU) 2016/680 sets out harmonised rules for the protection and the free movement of personal data processed for the purposes of the prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. In order to ensure the same level of protection for natural persons through legally enforceable rights throughout the Union and to prevent divergences hampering the exchange of personal data between Union bodies, offices or agencies when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three TFEU and competent authorities, the rules for the protection and the free movement of operational personal data processed by such Union bodies, offices or agencies should be consistent with Directive (EU) 2016/680. |
(11) | The general rules of the Chapter of this Regulation on the processing of operational personal data should apply without prejudice to the specific rules applicable to the processing of operational personal data by Union bodies, offices and agencies when carrying out activities falling within the scope of Chapter 4 or Chapter 5 of Title V of Part Three TFEU. Such specific rules should be regarded as lex specialis to the provisions in the Chapter of this Regulation on the processing of operational personal data (lex specialis derogat legi generali). In order to reduce legal fragmentation, specific data protection rules applicable to the processing of operational personal data by Union bodies, offices or agencies when carrying out activities falling within the scope of Chapter 4 or Chapter 5 of Title V of Part Three TFEU should be consistent with the principles underpinning the Chapter of this Regulation on the processing of operational personal data, as well as with the provisions of this Regulation relating to independent supervision, remedies, liability and penalties. |
(12) | The Chapter of this Regulation on the processing of operational personal data should apply to Union bodies, offices and agencies when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three TFEU, whether they exercise such activities as their main or ancillary tasks, for the purposes of the prevention, detection, investigation or prosecution of criminal offences. However, it should not apply to Europol or to the European Public Prosecutor’s Office until the legal acts establishing Europol and the European Public Prosecutor’s Office are amended with a view to rendering the Chapter of this Regulation on the processing of operational personal data, as adapted, applicable to them. |
(13) | The Commission should conduct a review of this Regulation, in particular the Chapter of this Regulation on the processing of operational personal data. The Commission should also conduct a review of other legal acts adopted on the basis of the Treaties which regulate the processing of operational personal data by Union bodies, offices or agencies when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three TFEU. After such a review, in order to ensure uniform and consistent protection of natural persons with regard to the processing of personal data, the Commission should be able to make any appropriate legislative proposals, including any necessary adaptations of the Chapter of this Regulation on the processing of operational personal data, with a view to applying it to Europol and to the European Public Prosecutor’s Office. The adaptations should take into account provisions relating to independent supervision, remedies, liability and penalties. |
(14) | The processing of administrative personal data, such as staff data, by Union bodies, offices or agencies carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part |
...
Get this document and AI-powered insights with a free trial of vLex and Vincent AI