Stronger data protection rules for EU institutions and agencies 

Press Releases 

MEPs approved new tightened data protection rules for EU institutions, bodies and agencies on Thursday.

The new rules ensure a strong and coherent framework for data processing in EU institutions, bodies, offices and agencies. The aim of the update is to bring the current rules dating from 2001 in to line with the General Data Protection Regulation (GDPR) as well as the proposed e-privacy rules to uphold citizens’ right to personal data protection.

Contrary to the past, the rules will also apply to Eurojust as soon as the reform of the agency will be completed. Furthermore, in 2022 the rules should be extended to Europol and the European Public Prosecutor's Office following to a review by the Commission.

The update strengthens the role of the European Data Protection Supervisor (EDPS), the authority that ensures the application of the rules. The European Data Protection Supervisor will also be able to fine EU institutions or bodies that do not live up to the data protection rules.


Rapporteur Cornelia Ernst (GUE/NGL, DE) said: "Three months after GDPR became fully applicable in the EU it is high time to make sure that the EU's institutions are bound by the same rules. This goes in particular for the EU's law enforcement agencies. I now urge the Council to speed up their work on the ePrivacy Regulation for full protection of privacy in the EU."

Next steps

The new rules were approved by 527 votes to 51, with 27 abstentions. They have already been agreed upon by the Parliament and Council negotiators in May, but still require the formal approval of the Council.

The regulation will enter into force 20 days after its publication and shall be applicable immediately.


The main current general data protection instrument in EU law is GDPR, applicable as of 25 May 2018. However, GDPR leaves room for implementation of its provisions in certain areas by Member States. A specific regulation is needed for the EU institutions to play a role comparable to a national law implementing GDPR