This is an HTML version of an attachment to the Freedom of Information request 'FP6 & FP7 calls for proposals and negotiations, personal data processing, DG RTD DPO-978 & DPO-2382'.



 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

The EDPS and EU Research and Technological Development  
  
Policy paper 
 
 
 
 
 
 
 
 
 
 
 

Brussels, 28 April 2008
Postal address: rue Wiertz 60 - B-1047 Brussels 
Offices: rue Montoyer 63 
E-mail : xxxx@xxxx.xxxxxx.xx - Website: www.edps.europa.eu  
Tel.: 02-283 19 00 - Fax : 02-283 19 50 

link to page 2  
The EDPS and EU Research and Technological Development 
 
 

 
1. Introduction 
 
Regulation (EC) No. 45/20011 of the European Parliament and of the Council provides a 
general framework for the tasks of the European Data Protection Supervisor (EDPS), also 
with regard to EU research and technological development (RTD) projects.  
 
According to Article 41 of Regulation 45/2001, the EDPS shall be responsible for ensuring 
that the fundamental rights and freedoms of natural persons, and in particular their right to 
privacy, are respected by the Community institutions and bodies, with respect to the 
processing of personal data. Article 41 specifies that the EDPS shall be responsible for 
monitoring and ensuring compliance as to the processing of personal data by Community 
institutions and bodies, and for advising Community institutions and bodies and data subjects, 
on all matters concerning the processing of personal data. This means that the EDPS has a 
general mission of promoting a data protection culture and respect for data protection 
principles in all Community policies. 
 
Article 46 sub (e) also mentions specifically that the EDPS shall monitor relevant 
developments, insofar as they have an impact on the protection of personal data, in particular 
the development of information and communication technologies. Following new 
technological developments that may impact on data protection, is therefore part of the EDPS’ 
mission, as stated in the Annual Report 2006.   
 
Privacy and data protection requirements need to be highlighted and applied as soon as 
possible in the life cycle of new technological developments in order to contribute to a better 
implementation of the data protection legal framework. The European RTD efforts constitute 
a very good opportunity to accomplish these goals and the EDPS considers that the principle 
of ‘privacy by design’ should represent an inherent part of these RTD initiatives. 
 
At the end of 2006, the Commission announced and launched the Seventh Framework 
Programme for research and technological development (FP7), which is the European Union'

chief instrument for funding research over the period 2007-2013. A major part of FP7 is 
devoted to stimulating the development and uptake of Information and Communication 
Technologies (ICT) for the advancement of a free, open and inclusive European Information 
Society.   
 
In order to follow the Seventh Framework Programme closely, the EDPS decided to take an 
active part in the FP7 launching event, the Information Society Technologies (IST) 2006 
Conference held in Helsinki, by having a stand. The aims of that action were the following: 
•  identify at an early stage, the emerging trends which will drive these ambitious RTD 
efforts;  
•  establish fruitful contacts with forthcoming research projects;  
•  raise awareness among the main stakeholders for the possible data protection aspects 
of their future research project; 
                                                 
1 Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the 
protection of individuals with regard to the processing of personal data by the Community institutions and bodies 
and on the free movement of such data,  OJ L 8, 12.1.2001, p. 1 (hereinafter Regulation 45/2001).  
 
 
2

 
•  provide advice on the way to include data protection concerns in future proposals and 
research activities. 
 
On the basis of this experience, the EDPS decided to develop several possible models of 
contribution to targeted research projects of the ongoing FP7 as well as future Framework 
Programmes for research and technological development. The aim of these contribution 
models is to advise the Commission and/or project developers in their efforts to use privacy 
and data protection friendly RTD methodologies and of course to develop technologies and 
processes that will promote and reinforce the effectiveness of the EU data protection legal 
framework. This paper sets out the main elements of the EDPS policy in this area.  
 
 
2. Role of the EDPS 
 
It has to be borne in mind that the EDPS is an independent authority, established by 
Regulation 45/2001, and its role in research projects will therefore have to preserve this very 
characteristic. In this respect, the participation of the EDPS as partner of a consortium can not 
be envisaged.  
 
Any RTD project of specific interest to the EDPS must directly or indirectly involve a subject 
within the material scope of application of Regulation 45/2001 – or more generally: Directive 
95/46/EC and other related Community legislation – that is the "processing of personal data".  
 
 
3. EDPS's contributions to EU research and technological development  
 
The EDPS provides focused contributions at various steps of a research Framework 
Programme, from the definition and design of its main lines of research, during the life cycle 
of targeted projects, and to the final deliverables of these RTD efforts.  
 
3.1 Framework Programme and call for proposals 
 
The EDPS may participate in workshops and conferences aiming at identifying future 
challenges which can be relevant for the EU RTD policy.  The EDPS includes as well in his 
annual report a part identifying emerging technological trends expected to have a determinant 
impact on the EU data protection framework.  
 
The EDPS may, furthermore, contribute to research advisory boards launched by the 
Commission in connection with the Framework programme. Participating as an observer, he 
currently provides opinions on data protection matters to the Advisory Board on Research and 
Innovation for Security, Privacy and Trustworthiness in the Information Society (RISEPTIS), 
a high-level reflection group created by DG INFSO of the Commission.  This group provides 
recommendations on the policy environment and the research agenda in the field of security 
and trust in the Information Society.  
 
The EDPS is also available to assist the Commission in the evaluation process of proposals. 
This support may consist in reading proposals which have already reached all thresholds and 
in providing targeted advice about possible data protection issues these proposals might 
trigger.  
 
 
 

 
3

 
3.2 RTD projects 
 
The EDPS may also give an opinion - or might consider any other involvement - in relation to 
individual RTD projects. This may happen in two ways: 
 
(a) A consortium of a project can request an opinion from the EDPS. Although the EDPS will 
not contribute to a proposal for a project, the proposal can envisage to ask for an EDPS 
opinion during the life cycle of the project in the case it is awarded. In this case, the EDPS has 
to be informed and has to give his agreement for introducing a reference to a future EDPS 
opinion before the submission of the answer to the call for proposals. The consortium will 
have to clarify in the submitted documents relating to its proposal that the EDPS opinion will 
be given in his role as an independent authority. The moment for issuing the opinion 
(according to the schedule of the project) will be decided by the EDPS in consultation with 
the consortium of the project. 
 
(b) The EDPS can also decide at his own initiative to look into an RTD project, but only in 
special cases raising important data protection issues not yet addressed in other ways. 
 
The criteria for the EDPS contribution will be based mainly on:  
 
(a) The relevance of the project to ‘data protection issues’. This relevance can be due to the 
development of new capabilities or technologies which might have a critical impact - either 
positive or negative - on the protection of personal data. The project can also be relevant from 
the EDPS' point of view because sensitive processing of personal data might take place within 
the research activities themselves. 
 
(b) The EDPS priorities: each year, the EDPS establishes a list of priorities which are 
published in his Annual Report. 
 
In any case, the EDPS will decide, at his own discretion, which projects to accept for 
consideration according to available resources and priorities.  
 
Although most of the RTD projects dealing with or raising data protection issues will belong 
to the ICT Theme of a Framework Programme, the EDPS does not exclude the possibility to 
select projects from other Themes, such as Security Research, Health, Transport or others.  
 
The contributions of the EDPS could take different forms, for instance: 
 
(a) Opinions on the methodologies implemented or on the results obtained. This kind of 
opinions could be triggered at different stages of the project: 
•  at the beginning of the project, but in any case after it has been awarded 
•  at important milestones of the project   
•  at the end of the project and therefore mainly focused on its results and its possible 
follow-up.  
 
Any such opinion will normally be published on the EDPS website and mentioned in the 
relevant annual report. A draft of the opinion will in any case be submitted to the consortium 
for comments before its final adoption. The final text of the opinion will be sent to the 
corresponding programme management unit of the Commission for their information.  
 
(b) Since research projects of an EU Framework Programme usually have the obligation to 
involve partners from several Member States, the EDPS could also, in this case, contribute to 
 
4

 
and facilitate the cooperation between the corresponding Member States or third country data 
protection authorities which might be involved.  
 
The overall objective of these contributions is for the EDPS to promote and reinforce the 
application of the principle of ‘privacy by design’ to European RTD projects and to facilitate 
therefore the implementation of the EU data protection regulatory framework.  
 
 
 
 
5