Tasks and Competences

The tasks of the European Data Protection Supervisor comprise:

  • monitoring and enforcing the application of the Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (hereinafter referred to as the “Regulation”) by Union institutions and bodies, with the exception of the processing of personal data by the Court of Justice acting in its judicial capacity;

  • promoting public awareness and understanding of the risks, rules, safeguards and rights in relation to processing;

  • promoting the awareness of controllers and processors of their obligations under the Regulation;

  • upon request, providing information to any data subject concerning the exercise of their rights under the Regulation and, if appropriate, cooperating with the national supervisory authorities to that end;

  • handling complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 67 of the Regulation, and investigating, to the extent appropriate, the subject matter of the complaint and informing the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;

  • conducting investigations on the application of the Regulation, including on the basis of information received from another supervisory authority or other public authority;

  • advising, on his or her own initiative or on request, all Union institutions and bodies on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to the processing of personal data;

  • monitoring relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies;

  • adopting standard contractual clauses referred to in Article 29(8) and in point (c) of Article 48(2) of the Regulation;

  • establishing and maintaining a list in relation to the requirement for data protection impact assessment pursuant to Article 39(4) of the Regulation;

  • participating in the activities of the European Data Protection Board;

  • providing the secretariat for the European Data Protection Board, in accordance with Article 75 of Regulation (EU) 2016/679;

  • giving advice on the processing referred to in Article 40(2) of the Regulation;

  • authorising contractual clauses and provisions referred to in Article 48(3) of the Regulation;

  • keeping internal records of infringements of the Regulation and of measures taken in accordance with Article 58(2) of the Regulation;

  • fulfilling any other tasks related to the protection of personal data; and

  • establishing his or her Rules of Procedure.