In order to ensure the compliance with both Article 11.2.a of eu-LISA's establishing Regulation and Article 24 of the Regulation (EC) 45/2001 on the processing of personal data by European Union bodies, eu-LISA appointed a Data Protection Officer (DPO).
The main task of the DPO is to ensure, in an independent manner, the internal application of data protection requirements imposed by Regulation (EC) 45/2001 within the Agency.
The DPO's main functions are to:
inform data controllers and individuals regarding their obligations and rights;
establish a link between eu-LISA and the EDPS. The EDPS supervises the processing of personal data by the Agency. On this subject, the DPO must notify the EDPS about every high risk processing operation and respond to the EDPS requests;
guarantee the transparency of eu-LISA's processing operations. In this regard, the DPO keeps a register of all personal data processing operations performed in eu-LISA. This public document contains detailed information regarding the processing of personal data made by eu-LISA. Extracts of the register can be requested by any person in writing to the DPO. A reply must be provided within 15 working days;
advise on how to lawfully process personal data, ensuring that data controllers respect the rights to privacy and data protection in the course of their work. The DPO provides recommendations, develops guidelines to enhance good practice, organises training and awareness session for eu-LISA staff;
support the data subject on the exercise of his or her rights;
investigate any data protection related breaches.
The current DPO is Fernando POÇAS DA SILVA, appointed in 2014.
DPO Annual Work Reports: 2014 and 2015.
Regarding eu-LISA's three large-scale IT systems (Eurodac, SIS II and VIS), the Agency can not access the content of the databases without a valid technical reason. eu-LISA is the data processor, meaning that it only manages the database and acts in accordance with the specific legal framework of each large-scale IT system. For more information, please refer to the data subject rights section.