In order to encourage data protection compliance, it is important for EU institutions to be held responsible for respecting obligations on the matter and for demonstrating proof of this. This is one of the main elements of the strategic document, adopted on 13 December by the European Data Protection Supervisor (EDPS), Peter Hustinx, which sets out the framework within which he monitors, measures and ensures data protection compliance in EU administration.

The EDPS seeks to encourage voluntary compliance and best practice and create sufficient incentives in this direction.

Hustinx notes that, by placing a strong emphasis on ‘accountability’, this new policy marks a significant change of approach. Accountability requires the EU institutions and bodies to put in place appropriate and effective measures to ensure compliance with data protection obligations and to demonstrate this to the EDPS. However, he says, “this must be backed up by a framework for dealing with those institutions and bodies that continue to fail to meet the required standards and demonstrate poor compliance records”.

The EDPS has to date adopted an approach that prefers to make recommendations and encourage compliance rather than warn or admonish or make legally binding orders. Following five years of such activity, Hustinx believes that the time has come to take a more robust approach to enforcement, particularly in cases of serious, deliberate or repeated non-compliance with data protection principles. This policy therefore introduces a set of criteria that will ensure a proactive approach.

The EDPS also emphasises that transparency and publicity are important tools both for stakeholders and in terms of good governance.

The document is available at www.edps.europa.eu