A public administration is subject to the rules of the GDPR when processing personal data relating to an individual. It is the responsibility of the national administrations to support regional and local administration in preparing for the application of the GDPR.
Most of the personal data held by public administrations is usually processed on the basis of a legal obligation or insofar as it is necessary to perform tasks carried out in the public interest or in the exercise of official authority vested in it.
When processing personal data a public administration must respect key principles, such as:
- fair and lawful processing;
- purpose limitation;
- data minimisation and data retention.
In the case of processing on the basis of the law, this law should already ensure that these principles are observed (e.g. the types of data, storage period and appropriate safeguards).
Prior to processing personal data, individuals must be informed about the processing, such as its purposes, the types of data collected, the recipients, and their data protection rights.
A public administration is required to appoint a Data Protection Officer (DPO), however a single data protection officer may be designated for several public bodies and therefore be shared amongst them or outsource this work to an external DPO. It must also ensure that appropriate technical and organisational measures have been implemented to secure personal data. If parts of the processing are outsourced to an external organisation (so-called ‘processor’) there must be a contract or another legal act guaranteeing that the processor provides sufficient guarantees to implement appropriate technical and organisational measures that meet the standards of the GDPR.
In cases where personal data held is disclosed accidentally or unlawfully to unauthorised recipients or is temporarily unavailable or altered, the breach must be notified to the Data Protection Authority (DPA) without undue delay and at the latest within 72 hours after having become aware of the breach. The public administration may also need to inform individuals about the breach.
You can find more information about the obligations of public administrations under the GDPR in the section ‘Business and organisations’.