On January 31, 2020 the EDPS published Revised Guidelines on personal data and electronic communications in the EU institutions (eCommunications guidelines).
Recognizing that for “most people, electronic communications (eCommunications) such as email, internet and telephony, occupy a central role in their day-to-day professional and personal activities” and that “eCommunications are essential for organisations to operate efficiently and the EU institutions, bodies, offices and agencies (EU institutions) are no exception”, the EDPS publishes these Guidelines “to provide practical advice and instruction to the EU institutions on the processing of personal information in the use of eCommunications tools, to ensure that they comply with their data protection obligations” with reference to Regulation (EU) 2018/1725 (processing of personal data by the Union institutions, bodies, offices and agencies) (the “Regulation”).
The EDPS notes that, because the Regulation is similar to the GDPR, other organisations might find these guidelines useful even though they are written for EU institutions.
Summary of Recommendations
“Below is a list of the recommendations detailed in the guidelines. The EDPS will use these as a checklist to assess … [the organization’s] compliance with the obligations laid out in the Regulation.”
Recommendations for specific processing operations:
On systems security and traffic management:
state-of-the-art encryption schemes.
On billing and budget management:
On authorised use of eCommunications services:
R7: Adopt a progressive approach towards monitoring the authorised use of eCommunications Services.
On the recording of dedicated phone line:
On access to emails in the absence of the employee:
R10: Take precautionary measures to reduce the need for accessing personal mailboxes for business continuity purposes.
R11: Adopt a policy on accessing the mailboxes of absent staff if there is a business need.
On administrative enquiries and disciplinary proceedings:
R12: Make sure that access to eCommunications data is covered under the rules for administrative inquiries and disciplinary proceedings.
R13: Provide adequate safeguards when planning covert surveillance, including internal rules under Article 25 of the Regulation.
Read the complete Guidelines: 20-01-31_guidelines_on_electronic_communications_en
The 2015 guidelines on eCommunications are available here.
For more information: Francesca Giannoni-Crystal