Data Protection Officer

​​In order to ensure the compliance with both Article 18.2 (a) of eu-LISA's establishing Regulation and Article 43 of the Regulation (EU) 2018/1725 on the processing of personal data by European Union bodies, eu-LISA appointed a Data Protection Officer (DPO).

The main task of the DPO is to ensure, in an independent manner, the internal application of data protection requirements imposed by Regulation (EU) 2018/1725 within the Agency.

The DPO's main functions are to:

  • inform data controllers and individuals regarding their obligations and rights;

  • establish a link between eu-LISA and the EDPS. The EDPS supervises the processing of personal data by the Agency. On this subject, the DPO must notify the EDPS about every high risk processing operation and respond to the EDPS requests;

  • guarantee the transparency of eu-LISA's processing operations. In this regard, the DPO keeps a register of all personal data processing operations performed in eu-LISA. This public document contains detailed information regarding the processing of personal data made by eu-LISA. Extracts of the register can be requested by any person in writing to the DPO. A reply must be provided within 15 working days;

  • advise on how to lawfully process personal data, ensuring that data controllers respect the rights to privacy and data protection in the course of their work. The DPO provides recommendations, develops guidelines to enhance good practice, organises training and awareness session for eu-LISA staff;

  • support the data subject on the exercise of his or her rights;

  • investigate any data protection related breaches;

  • ensure in an independent manner the internal application of the Regulation (EU) 2018/1725.

DPO Annual Work Reports:

Regarding eu-LISA's three large-scale IT systems (Eurodac, SIS and VIS), the Agency can not access the content of the databases without a valid technical reason. eu-LISA is the data processor, meaning that it only manages the database and acts in accordance with the specific legal framework of each large-scale IT system. For more information, please refer to the data subject rights section.


According to Article 31 of Regulation (EU) 2018/1725, eu-LISA has a legal obligation to keep a register of all personal data processing operations under its responsibility and a register of data processing activities carried out on behalf of a controller. Records are notified to the Data Protection Officer (DPO), who maintains the register centrally. The register aims at ensuring transparency to the public and it is accessible to any interested person. Information in the register includes, but is not limited to:

  • eu-LISA Department/Unit/Sector processing personal data;

  • Name and Date of the processing operation;

  • Purpose of the processing operation; 

The list displays documents in reverse chronological order and is monthly updated. In order to have further information regarding processing operations at eu-LISA, contact the DPO (