On 6 July 2020, the European Data Protection Supervisor (EDPS) published a report on how EU institutions, bodies, and agencies (EUIs) carry out Data Protection Impact Assessments (DPIAs) when processing information that presents a high risk to the rights and freedoms of natural persons. DPIAs are an important new accountability tool set out in Regulation (EU) 2018/1725 – the basic data protection legal framework for EUIs (for the Regulation, see eucrim 4/2018, pp. 200-201).

The report is based on the replies to a questionnaire that the EDPS addressed to the EUIs’ data protection officers in February 2020. It mainly contains the lessons learned after approximately one year of application of Regulation 2018/1725 and the best practices recommended. The report provides further guidance on DPIAs in accordance with Art. 39 of the Regulation.

The EDPS will carry out targeted surveys such as this one more frequently in the future, as they are a useful way to monitor compliance with the Regulation. This is also particularly true in view of the limited ability of the EDPS to check the situation on-the-spot in the immediate aftermath of the COVID-19 crisis.