Home » Comunicat_Presa_27.06.2024
 Română | English | Francais

27.06.2024

FRA Report – RGDP in practice - Experiences of data protection authorities

 

On 11 June 2024, the European Union Agency for Fundamental Rights (FRA) has published the report “RGDP in practice - Experiences of data protection authorities”, 6 years (25 May 2018) after the implementation of the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).

Following the request of the European Commission, the FRA has collected information on the experiences, challenges and practices of data protection authorities, following the adoption of the GDPR.

This report is based on 70 interviews with representatives of data protection authorities in all 27 EU Member Staes, which were carried out between June 2022-June 2023.

In this context, according to the report, some of the challenges that most data protection authorities face when implementing the GDPR include the high number of requests, the lack of human and financial resources and a rising work volume.

Thus, FRA calls on the EU Member States to ensure that national data protection authorities have the necessary resources to guarantee the protection of personal data of natural persons.

The FRA report, “RGDP in practice - Experiences of data protection authorities”, highlights key-issues, provides best practice examples and suggests solutions.

According to the report, the lack of resources and underfunding hinder nation al data protection authorities (DPA) to fully fulfil their mandates. The new regulations of the European Union, such as the Artificial Intelligence Act or the EU systems for managing borders, will bring additional tasks for DPAs. Their implementation will be difficult without proper resources. EU Member States should secure the necessary financial, human and technical resources to allow DPAs to perform their role.

At the same time, it was noted the national DPAs need more tools to strengthen their monitoring capacity. The European Commission and the European Data Protection Board (EDPB) should evaluate which tools are necessary, and strengthen the legal framework, if needed.

The same report mentions that due to the lack of human and financial resources, national DPAs should often prioritise managing complaints rather than other tasks. In order to improve the support for authorities who receive more complaints, the EDPB should provide more guidelines and facilitate the exchange of best practices. This may also require additional EDPB resources.

At the same time, it was noted that national DPAs are not consulted on new legislation or they receive very tight deadlines for analyses. To ensure that data protection principles are taken into account in draft laws, the EU Member States should consult data protection authorities and ask for their opinion in advance. Moreover, Member States should encourage public institutions to consult national DPAs more systematically.

Simultaneously, EU institutions and EU Member States should promote awareness on rules and obligations pertaining to personal data protection. EDPB should draft specific guidelines on the processing of personal data involving new technologies.

Therefore, the report “RGDP in practice - Experiences of data protection authorities” provides Member States, data protection authorities, national institutions and EU institutions with a detailed overview of the practical challenges faced by staff working in national data protection authorities when implementing the tasks assigned to them by the GDPR.

The Report of the European Union Agency for Fundamental Rights, RGDP in practice - Experiences of data protection authorities, can be consulted at https://fra.europa.eu/en/publication/2024/gdpr-experiences-data-protection-authorities.

Legal and Communication Department

A.N.S.P.D.C.P.