On 6 July 20201, the European Commission ("Commission") published its decision 2020/969 "laying down implementing rules concerning the Data Protection Officer, restrictions of data subjects' rights and the application of Regulation (EU) 2018/1725 of the European Parliament and of the Council".

This decision is taken in the context of the aforementioned Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.

The Regulation sets out rules and principles governing the processing of personal data within EU institutions while relying on the similar principles as those provided under the (EU) Regulation 2016/679 ("GDPR").

Comparable to certain principles contained in the GDPR, this Regulation (EU) 2018/1725 establishes rules so that each Union institution or body shall be able to designate a data protection officer ("DPO").

Content of the decision

Based on the foregoing, this decision sets out various principles governing the appointment of a DPO for the Commission.

The decision also lays down the rules to be followed by the Commission, in relation to the monitoring, investigative, auditing or consultative tasks of the DPO, to inform data subjects of the processing of their personal data in accordance with informational requirements set out under the aforementioned Regulation (EU) 2018/1725.

While the decision describes all such DPO's powers, it also provides for certain operational explanations regarding how the DPO may be consulted. Indeed, the DPO may be consulted by and provided with reports from "delegated controllers2" and "operational controllers3" as appointed within the Commission.

Furthermore, the Commission's DPO shall ensure that the register of processing operations of the Commission is accessible through the website of the DPO on the Europa website4.


1 See Official Journal of the European Union here

2 'Delegated controller' means the Head of the Directorate-General, Service or Cabinet, which carries out a processing operation on behalf of the Commission in fulfilment of the mission of that Directorate-General, Service or Cabinet.

3 'Operational controller' means the Commission staff member of middle or senior management level, designated by the delegated controller to ensure record keeping for the processing operation and to serve as primary contact point for data subjects in relation to that processing operation.

4 See here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.