The EDPS will launch a pilot campaign on a subset of EU institutions' (EUIs) websites. This website compliance awareness campaign (WCAC) is an initiative for helping acquire awareness of potential compliance issues, promoted by the EDPS in accordance with Article 57(1) (c) Regulation (EU) 2018/1725 (‘EUDPR’). It aims at supporting controllers in fulfilling their accountability obligations under Article 4(2) EUDPR.
The websites of EU institutions provide users with access to information and services. The accelerated digitalisation of EUIs has in turn increased the number, size and complexity (i.e. embedding of third party components such as maps, video or audio) of these websites.
In 2018, the EDPS developed the Website Evidence Collector (WEC) tool for its remote website audits. The EDPS made this tool publicly available so controllers and DPOs could identify potential issues and areas of improvement on their websites. However, despite the WEC’s availability, the knowledge and use of the WEC by EUIs is very limited.
In the initial phase of this campaign, the EDPS will employ the WEC to regularly (every 6 months) check one website of each EUI under its remit (around 70).
The WEC output will be fine-tuned to produce a factual simplified report per website. These reports will help DPOs and controllers to identify and assess elements that could be problematic from a data protection point of view and to take corrective actions if needed. These reports aim to provide EUIs useful information for assessing the websites’ compliance with the legal obligations arising from EUDPR, particularly Article 37, and Directive 2002/58/EC (‘ePrivacy Directive’), particularly Article 5(3).
The pilot phase of this campaign will start with a first wave of website scans in autumn 2024, continue with a second wave in spring 2025 and finalise with a third wave in autumn 2025. After each wave, each EUI will receive a notification including the report with the results of the execution of the WEC, information about next steps of the pilot and a reminder of the possibility to use the WEC tool proactively.
The inclusion of a website in this compliance awareness campaign is without prejudice to the supervisory powers of the EDPS, including the possibility of this website being the subject of an investigation at any given time.
At the end of the WCAC pilot phase (autumn 2025), the information collected by the EDPS during this activity might also be used as a risk indicator to include the controller in charge of a given website in an investigation or an audit.
If the pilot phase is successful and the necessary resources can be allocated, the EDPS will assess the possibility of scaling up this campaign to cover all websites under EUIs’ responsibility (+1.300).