The very nature of the EU project involves the processing of personal data in many fields. Notably, EU institutions process data in their role as employers, in the same way as any number of other public bodies in the EU, and face the same challenges that this task poses.
As data controllers, public institutions are responsible for many data processing operations relating to the staff they employ. This can cover a wide range of areas, such as recruitment, payroll and the management of human resources. As it involves personal information, this processing is subject to a number of rules.
Under the new GDPR for EU institutions (EUI), EU employees now have more rights than ever before when it comes to the processing of their personal data by their employer.
First, there is the right to information, since employees can only exercise their rights if they are informed about them. All EU staff members need to be told who is responsible for keeping their personal data, why their data is being processed and all other information needed to ensure fair and transparent processing. All of this has to be clear, easily accessible and understandable by the employee. In all contacts relating to their personal data, EU staff members have the right to communication in a clear, concise and transparent way.
Employees also have the right of access; they can ask if their institution is processing their personal data. If this is the case, employees can request access to their personal data and additional information, like the purpose, the categories of data involved and any recipients of that data.
If their personal data is inaccurate, employees have the right to rectification; they can ask their institution to correct any incorrect information about them. This includes if their personal details have changed over time. For example, if the employee changes their home address, they can ask their institution to update that information.
Employees also have the right to the erasure of their personal data, under some circumstances. For example, if the data is no longer needed for the purpose it was collected, and there is no legal obligation for the institution to keep it, EU staff members can ask their institution to erase it from their personal file.
All of the rights above add up to an extensive set of data protection rights specific to EU employees. It is the role of the EDPS to make sure that these rights are clearly understood and work for everyone, so that the EU institutions lead by example, processing employee personal data fairly and lawfully.