EU institutions, employing more than 60,000 people, approved and use their "own" GDPR. Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by Union institutions, bodies, offices and agencies and on the free movement of such data (Regulation2018/1725) is basically the "GDPR for the public sector".

What differences does Regulation 2018/1725 bring?

For instance, it establishes the European Data Protection Supervisor as an independent supervisory authority to which EU institutions are obliged to immediately notify personal data protection violations. It also introduced an obligation for EU institutions to appropriately document the processing of personal data. Such documents must be publicly available in a central register. Other rules and policies mostly follow the principles of the "private" GDPR.  

To sum up, will the "private" GDPR also apply to EU institutions?

Yes, but only as a supplementary legal regulation where the "public" Regulation 2018/1725 lacks legal rules for a specific situation.  

Author: Vladěna Svobodová

‍