EDPS published revised eCommunications guidelines for EU institutions

On January 31, 2020 the EDPS published Revised Guidelines on personal data and electronic communications in the EU institutions (eCommunications guidelines).

Recognizing that for “most people, electronic communications (eCommunications) such as email, internet and telephony, occupy a central role in their day-to-day professional and personal activities” and that “eCommunications are essential for organisations to operate efficiently and the EU institutions, bodies, offices and agencies (EU institutions) are no exception”, the EDPS publishes these Guidelines “to provide practical advice and instruction to the EU institutions on the processing of personal information in the use of eCommunications tools, to ensure that they comply with their data protection obligations” with reference to Regulation (EU) 2018/1725 (processing of personal data by the Union institutions, bodies, offices and agencies).”Regulation”.

The EDPS notes that since the Regulation is similar to GDPR, Wwhile these guidelines are for EU institutions, other organisations might find them useful.

Summary of Recommendations

“Below is a list of the recommendations detailed in the guidelines. The EDPS will use these as a checklist to assess … [the organizations’s] compliance with the obligations laid out in the Regulation.

Recommendations for specific processing operations:

On systems security and traffic management:

  1. R1:  Define the content of security logs and their conservation periods according to the security needs of your institution
  2. R2:  Data collected for security monitoring purposes must only be used for those purposes
  3. R3:  Ensure that statistics generated are anonymous.
  4. R4:  Make sure that eCommunications are encrypted to the highest standards and update to

state-of-the-art encryption schemes.

On billing and budget management:

  1. R5:  Instruct external providers to minimise the amount of personal data provided to the institutions for billing purposes wherever possible
  2. R6:  Define conservation periods based on the periods for contesting invoices

On authorised use of eCommunications services:

R7: Adopt a progressive approach towards monitoring the authorised use of eCommunications Services.

On the recording of dedicated phone line:

  1. R8:  Adopt an administrative measure detailing how and why phone calls need to be recorded
  2. R9:  Inform both callers and staff about the (possible) recording of phone calls before it


On access to emails in the absence of the employee:

R10: Take precautionary measures to reduce the need for accessing personal mailboxes for business continuity purposes

R11: Adopt a policy on accessing the mailboxes of absent staff if there is a business need.

On administrative enquiries and disciplinary proceedings

R12: Make sure that access to eCommunications data is covered under the rules for administrative inquiries and disciplinary proceedings

R13: Provide adequate safeguards when planning covert surveillance, including internal rules under Article 25 of the Regulation.


Read complete Guidelines 20-01-31_guidelines_on_electronic_communications_en

2015 guidelines on eCommunications are available here.


For more information Francesca Giannoni-Crystal