Generated by GPT-5-mini

| Regulation (EU) 2018/1725 | |
|---|---|
| Title | Regulation (EU) 2018/1725 |
| Type | Regulation |
| Adopted | 2018 |
| In force | 2018 |
| Repeals | Council Decision 2001/497/EC |
| Scope | European Union institutions and bodies |
| Citation | 2018/1725 |
Regulation (EU) 2018/1725 is a legal instrument of the European Union that governs the protection of personal data processed by the European Parliament, the European Commission, the Council of the European Union, and other European Union Agency for Fundamental Rights-related bodies. It aligns institutional practice with the Charter of Fundamental Rights of the European Union and harmonises rules following developments from the General Data Protection Regulation and jurisprudence of the Court of Justice of the European Union and the European Court of Human Rights. The Regulation updates prior frameworks established under Council of the European Union decisions and interfaces with instruments such as the Treaty on European Union and the Treaty on the Functioning of the European Union.
The Regulation was adopted amid a legislative environment shaped by the General Data Protection Regulation and landmark case law from the Court of Justice of the European Union, notably decisions interpreting data protection rights in contexts litigated by parties like Google LLC and national actors such as the Bundesrepublik Deutschland and République française. Negotiations involved institutional stakeholders including the European Commission, the European Parliament, the Council of the European Union, and advisory bodies such as the European Data Protection Supervisor and the European Economic and Social Committee. The instrument replaces earlier instruments such as Council Decision 2001/497/EC and responds to policy initiatives promoted by the Juncker Commission and successive Commissioners including Věra Jourová and Margrethe Vestager.
The Regulation applies to processing carried out by EU institutions and bodies such as the European Medicines Agency, the European Banking Authority, the European Investment Bank, and the European Central Bank when acting in their institutional capacity. It defines principles of lawful processing, data minimisation, purpose limitation and storage limitation in ways coherent with the General Data Protection Regulation. Key provisions set rules for legal bases for processing, special categories of personal data, profiling, automated decision-making, and records of processing activities—issues central to controversies in cases before the Court of Justice of the European Union and debated within the European Parliament committees such as the Committee on Civil Liberties, Justice and Home Affairs.
Data subjects under the Regulation enjoy rights including access, rectification, erasure, restriction of processing, and data portability similar to rights under the General Data Protection Regulation, and may exercise these rights vis‑à‑vis controllers such as the European Commission, the European External Action Service, and the European Council. Controllers and processors must implement technical and organisational measures, appoint contacts or data protection officers akin to posts at the European Data Protection Supervisor, and conduct data protection impact assessments in contexts involving entities like the European Border and Coast Guard Agency or the European Union Agency for Cybersecurity. The Regulation also prescribes safeguards for transfers to third countries and international organisations, implicating arrangements with states like the United States and organisations such as the North Atlantic Treaty Organization in cross-border operations.
Supervision under the Regulation is exercised by the European Data Protection Supervisor with powers to investigate, issue opinions, and impose corrective measures. The enforcement framework interacts with supervisory authorities of Member States such as the Commission nationale de l'informatique et des libertés and the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit when matters touch on cooperation with national administrations like the French Government or the Federal Republic of Germany. Dispute resolution may invoke remedies before the General Court of the European Union or the Court of Justice of the European Union and interfaces with the European Ombudsman on maladministration allegations.
The Regulation is designed to operate in parallel with the General Data Protection Regulation for private and public-sector actors, and it complements sectoral instruments including directives on electronic privacy debated in the European Parliament and proposals from the European Commission. It aligns with the standards set by the Charter of Fundamental Rights of the European Union and developments in the jurisprudence of the European Court of Human Rights and the Court of Justice of the European Union. The text also interfaces with policies advanced by the European Council on digital single market initiatives and cybersecurity agendas promoted by the European Union Agency for Cybersecurity.
Implementation required institutions such as the European Commission, the European Parliament, the European Central Bank, and decentralised agencies like the European Medicines Agency and the European Banking Authority to revise internal rules, procedures, and IT systems, and to train staff including members of services such as EUROPOL and the European Anti-Fraud Office. The Regulation has affected administrative practices in areas from human resources to research units like those at the European Research Council, influencing interactions with external partners such as the World Health Organization and multinational corporations including Microsoft Corporation and Amazon. Its adoption has fed into broader EU policy debates in forums like the Council of the European Union and the European Parliament on digital rights, transparency, and institutional accountability.