Skip to main content
European Commission logo
European Commission

Public administrations and data protection

Main aspects of the GDPR that a public administration should be aware of, including rules on data processing, handling requests from individuals, and compliance.

Main aspects of the GDPR that a public administration should be aware of

What are the main aspects of the General Data Protection Regulation (GDPR) that a public administration should be aware of?

A public administration is subject to the rules of the GDPR when processing personal data relating to an individual. It is the responsibility of the national administrations to support regional and local administration in preparing for the application of the GDPR.

Most of the personal data held by public administrations is usually processed on the basis of a legal obligation or insofar as it is necessary to perform tasks carried out in the public interest or in the exercise of official authority vested in it.

When processing personal data a public administration must respect key principles, such as:

  • fair and lawful processing;
  • purpose limitation;
  • data minimisation and data retention.

In the case of processing on the basis of the law, this law should already ensure that these principles are observed (e.g. the types of data, storage period and appropriate safeguards).

Prior to processing personal data, individuals must be informed about the processing, such as its purposes, the types of data collected, the recipients, and their data protection rights.

A public administration is required to appoint a Data Protection Officer (DPO), however a single data protection officer may be assigned to several public bodies and therefore be shared amongst them or outsource this work to an external DPO. It must also ensure that appropriate technical and organisational measures have been implemented to secure personal data. If parts of the processing are outsourced to an external organisation (so-called ‘processor’) there must be a contract or another legal act guaranteeing that the processor provides sufficient guarantees to implement appropriate technical and organisational measures that meet the standards of the GDPR.

In cases where personal data held is disclosed accidentally or unlawfully to unauthorised recipients or is temporarily unavailable or altered, the breach must be notified to the Data Protection Authority (DPA) without undue delay and at the latest within 72 hours after having become aware of the breach. The public administration may also need to inform individuals about the breach.

You can find more information about the obligations of public administrations under the GDPR in the section Business and organisations.

References

Responding to individual requests

How should requests from individuals be dealt with?

Individuals may contact a public administration to exercise their rights under the GDPR (rights of access, rectification, erasure, restriction, objection, right not to be subject to automated decision-making).

Note that individuals have a right to object to the processing of personal data by the public administration on grounds of public interest. They must provide the public administration with reasons relating to their particular situation. The public administration may continue processing the data, and thus deny their request, if it demonstrates compelling legitimate grounds for the processing that override the interests and rights of the individual, or if the data is required for the establishment, exercise or defence of legal claims.

If a company is processing your personal data by automated means on the basis of your consent or a contract, you have the right that the company transmits to you your personal data which you provided them. You can also ask for your personal data to be transmitted directly to another company whose services you would like to use, when it’s technically feasible. However, this right does not apply, where the data which you provided are needed for the task carried out by a public authority or another organisation for the performance of their public tasks, laid down by law. For example, when you provide a public authority with your personal data for getting social benefits or a building licence, you have no right that the public authority transmit those data to you or to another organisation.

A public administration must reply to requests from individuals without undue delay, and in principle within 1 month of receipt of the request. It may ask for additional information in order to confirm the identity of the person making the request. If the request is rejected, the individuals must be provided with the reasons for rejection and informed of their right to file a complaint with the DPA and to seek a judicial remedy.

More information about your obligations under the GDPR is available in the section Business and organisations.

Reference

Failure of a public administration to comply with Data Protection rules

What if a public administration fails to comply with the data protection rules?

The Data Protection Authorities have different tools at their disposal in cases of non-compliance. In the case of a likely infringement, a warning may be issued. In the case of an infringement, the possibilities include: a reprimand or a temporary or definitive ban on the processing. In some countries, public bodies may also be subject to administrative fines. A public administration should check the national data protection law in its country.

Individuals can claim compensation where a public body is in breach of the GDPR and they have suffered material damages, for example financial loss, or non-material damages, for example reputational loss or psychological distress. The GDPR ensures that they will be provided with compensation, regardless of the number of organisations involved in the processing of their data. Compensation can be claimed directly from the public body or before the competent national courts of the EU Member State concerned.

References