    European Data Protection Supervisor Decision of 2 April 2019 on internal rule... (32019Q0410(01))
    EU legal acts: 13 Industrial policy and internal market
    2.   The categories of data include identification data of a natural person, contact information, professional roles and tasks, information on private and professional conduct and performance, and financial data.
    3.   Any restriction shall respect the essence of the fundamental rights and freedoms and be necessary and proportionate in a democratic society.
    4.   A necessity and proportionality test shall be carried out on a case-by-case basis before restrictions are applied. Restrictions shall be limited to what is strictly necessary to achieve the set objectives.
    5.   The EDPS shall file, for accountability purposes, a record describing the reasons for the restrictions applied, which grounds among those listed in paragraph 1 apply and the outcome of the necessity and proportionality test. Those records shall be part of an ad hoc register, which shall be made available on request to the EDPS. A report on the application of Article 25 of the Regulation shall be made available periodically.
    6.   When processing personal data exchanged with other organisations in the context of its tasks, the EDPS shall consult and shall be consulted by those organisations on the possible relevant grounds for imposing restrictions and the necessity and proportionality of the restrictions, unless this would jeopardise the activities of the EDPS.

    Article 3

    Risks to the rights and freedoms of data subjects

    The assessment of the risks to the rights and freedoms of data subjects whose personal data may be subject to restrictions, as well as their retention period, are referenced in the record of the relevant processing activities in accordance with Article 31 of the Regulation and, if applicable, in relevant data protection impact assessments based on Article 39 of the Regulation.

    Article 4

    Storage periods and safeguards

    The EDPS shall implement safeguards to prevent abuse or unlawful access or transfer of personal data that may be subject to restrictions. These safeguards shall include technical and organisational measures and be detailed, as necessary, in EDPS internal decisions, procedures and implementing rules. The safeguards shall include:
    (a) an adequate definition of roles, responsibilities and procedural steps;
    (b) if applicable, a secure electronic environment which prevents unlawful or accidental access or transfer of electronic data to unauthorised persons;
    (c) if applicable, secure storage and processing of paper-based documents;
    (d) due monitoring of restrictions and a periodical revision, which shall be done at least every six months. A revision must also be carried out when essential elements of the case at hand change. The restrictions shall be lifted as soon as the circumstances that justify them no longer apply.

    Article 5

    Information to and review by the Data Protection Officer

    1.   The EDPS DPO shall be informed without undue delay whenever the data subject rights are restricted in accordance with this Decision and shall be provided access to the record and any documents underlying factual and legal elements.
    2.   The EDPS DPO may request to review the application of the restriction. The EDPS shall inform its DPO in writing about the outcome of the requested review.
    3.   The involvement of the EDPS DPO in the restrictions procedure, including information exchanges, shall be documented in the appropriate form.