EESC Decision No 160/21 A laying down internal rules concerning restrictions ... (32021Q0712(01))

EESC Decision No 160/21 A laying down internal rules concerning restrictions of certain rights of data subjects in relation to the processing of personal data in the framework of activities carried out by the European Economic and Social Committee

THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (1) (hereinafter "the Regulation"), and in particular Article 25 thereof,
Having consulted the European Data Protection Supervisor (hereinafter "the EDPS"),
Whereas:
(1) the European Economic and Social Committee (hereinafter "the EESC") is empowered to conduct administrative investigations, pre-disciplinary, disciplinary and suspension proceedings in accordance with the Staff Regulations of Officials of the European Union (hereinafter "the Staff Regulations") and the Conditions of Employment of Other Servants of the European Union (hereinafter "the CEOS"), laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (2), and pursuant to EESC Decision No 635/05 A of 7 December 2005 laying down general implementing provisions governing disciplinary procedures and administrative investigations;
(2) under Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council (3), the European Anti-Fraud Office (hereinafter "OLAF") conducts internal investigations in all the EU institutions, bodies, offices and agencies. On 13 January 2016, the EESC and OLAF signed joint administrative arrangements aimed at providing a structured framework for cooperation and facilitating the timely exchange of information between them;
(3) in accordance with Articles 22a and 22b of the Staff Regulations and Articles 11 and 81 of the CEOS, EESC staff members are under an obligation to report potentially illegal activities, including fraud and corruption, which are detrimental to the interests of the Union. Staff members are also obliged to report conduct relating to the discharge of professional duties which may constitute a serious failure to comply with the obligations of officials of the Union. This is regulated internally by EESC Decision No 053/16 A of 2 March 2016 laying down rules on whistleblowing;
(4) the EESC has put in place a policy to prevent and deal effectively with actual or potential cases of psychological or sexual harassment in the workplace, as provided for in EESC Decision No 200/14 A of 26 September 2014 concerning the procedures for preventing and dealing with psychological and sexual harassment at work within the Secretariat of the EESC. The Decision establishes an informal procedure and a formal procedure. In the informal procedure, the person who believes they are the victim of harassment can contact the EESC’s confidential counsellors and the Appointing Authority can take measures before opening a formal administrative investigation if needed;
(5) in accordance with Article 24 of the Staff Regulations and Articles 11 and 81 of the CEOS, EESC staff members are entitled to assistance in proceedings against any person perpetrating threats, insulting or defamatory acts or utterances, or any attack to person or property to which they or a member of their family are subjected by reason of their position or duties. EESC staff members are entitled to submit requests to the Appointing Authority pursuant to Article 25 of the Staff Regulations and Articles 11 and 81 of the CEOS, or Article 90(1) of the Staff Regulations and Articles 46 and 124 of the CEOS. In accordance with Article 90(2) of the Staff Regulations and Articles 46 and 124 of the CEOS, EESC staff members are also entitled to lodge complaints against acts affecting them adversely;
(6) the EESC carries out selection procedures for the selection, recruitment, appointment and evaluation of its staff, pursuant to Articles 29 and 43 of the Staff Regulations and Articles 12 and 82 of the CEOS;
(7) EESC staff members have the right to acquaint themselves with their medical files pursuant to Article 26a of the Staff Regulations and Articles 11 and 81 of the CEOS;
(8) the EESC is empowered to carry out internal investigations pursuant to Article 74(8) of Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council (4) (hereinafter "the Financial Regulation") and verifications within the meaning of Article 116(4) of the Financial Regulation;
(9) the EESC is subject to internal audits concerning its activities, carried out by the internal auditor in accordance with Article 118 of the Financial Regulation;
(10) the EESC carries out procurement procedures pursuant to Title VII of the Financial Regulation;
(11) in the context of such administrative investigations, audits and verifications, the EESC cooperates with other Union institutions, bodies, offices and agencies;
(12) the EESC can cooperate with third country national authorities and international organisations, either at their request or on its own initiative;
(13) the EESC can also cooperate with EU Member State public authorities, either at their request or on its own initiative. Such cooperation may also include an exchange of information in the context of criminal or financial investigations;
(14) the EESC is involved in cases that come before the Court of Justice of the European Union when it refers a matter to the Court, defends a decision it has taken and which has been challenged before the Court, or intervenes in cases relevant to its tasks. In this context, the EESC might need to preserve the confidentiality of personal data contained in documents obtained by the parties or the interveners;
(15) the EESC carries out the necessary activities in order to ensure security of persons, assets and information. These activities, for example inquiries to establish whether there has been an infringement of Decision 222/19 A (5), may be handled internally or with external involvement;
(16) in accordance with the second sentence of Article 45(2) of the Regulation, the data protection officer (hereinafter "the DPO"), on their own initiative or at the request of the controller or the processor, the Staff Committee or any individual concerned, may investigate matters and occurrences directly relating to their tasks which come to their notice;
(17) to fulfil its tasks, the EESC collects and processes information and several categories of personal data, including identification data of natural persons, contact information, professional roles and tasks, information on private and professional conduct and performance, and financial data. The EESC, represented by its president, acts as data controller;
(18) under the Regulation, the EESC is therefore obliged to provide information to data subjects on those processing activities and to respect their rights as data subjects;
(19) the EESC might be required to reconcile those rights with the objectives of administrative investigations, audits, verifications and court proceedings. It might also be required to balance a data subject’s rights against the fundamental rights and freedoms of other data subjects. To that end, Article 25 of the Regulation gives the EESC the possibility to restrict, under strict conditions, the application of Articles 4, 14 to 22, 35, as well as, in extraordinary circumstances, Article 36 of the Regulation, in so far as its provisions correspond to the rights and obligations laid down in Articles 14 to 22. Unless restrictions are provided for in a legal act adopted on the basis of the Treaties, it is necessary to adopt internal rules under which the EESC is entitled to restrict those rights;
(20) the EESC might, for instance, need to restrict the information it provides to a data subject about the processing of their personal data in the framework of activities preliminary to the decision to open an administrative investigation or during the investigation itself, prior to the possible dismissal of the case or at the pre-disciplinary stage. In certain circumstances, providing such information might seriously affect the EESC’s capacity to conduct the investigation in an effective way, for example whenever there is a risk that the person concerned might destroy evidence or interfere with potential witnesses before they are interviewed. The EESC might also need to protect the rights and freedoms of witnesses as well as those of other persons involved;
(21) it might be necessary to protect the anonymity of a witness or whistleblower who has asked not to be identified. In such a case, the EESC might decide to restrict access to the identity, statements and other personal data of such persons, in order to protect their rights and freedoms;
(22) it might be necessary to protect confidential information concerning a staff member who has contacted the EESC confidential counsellors under the informal procedure. In such cases, the EESC might need to restrict access to the identity, statements and other personal data of the person who believes they are the victim of harassment, the alleged harasser and other persons involved, in order to protect the rights and freedoms of all persons concerned. The same restriction might be necessary also in the case of the formal procedure;
(23) in relation to staff selection, recruitment, appointment and evaluation procedures, as well as in relation to public procurement procedures, the right to access, rectification, erasure and restriction might be exercised only at certain points in time and under the conditions provided for in the relevant procedures in order to safeguard the rights of other data subjects and to respect the principles of equal treatment and the secrecy of deliberations;
(24) the EESC should apply restrictions only when they respect the essence of fundamental rights and freedoms, are strictly necessary and are a proportionate measure in a democratic society. The EESC’s decision to impose such restrictions should be reasoned;
(25) in keeping with the principle of accountability, the EESC should keep a record of its application of restrictions;
(26) when processing personal data exchanged with other organisations in the context of its tasks, the EESC and those organisations should consult each other on potential grounds for imposing restrictions and on the necessity and proportionality of those restrictions, unless this would jeopardise the activities of the EESC;
(27) Article 25(6) of the Regulation obliges the controller to inform data subjects of the principal reasons on which the application of the restriction is based and of their right to lodge a complaint with the EDPS;
(28) pursuant to Article 25(8) of the Regulation, the EESC is entitled to defer, omit or deny the provision of information to the data subject on the reasons for the application of a restriction if this would in any way cancel out the effect of the restriction. The EESC should assess on a case-by-case basis whether notifying the data subject of the restriction would cancel out its effect;
(29) the EESC should lift the restriction as soon as the conditions justifying it no longer apply, and should assess those conditions on a regular basis;
(30) to guarantee the utmost protection of the rights and freedoms of data subjects and in accordance with Article 44(1) of the Regulation, the DPO should be consulted in good time of any restrictions that may be applied and should verify their compliance with this Decision;
(31) Articles 15(4) and 16(5) of the Regulation provide for exceptions to the right of data subjects to information. Where exceptions apply, the EESC does not need to apply a restriction under this Decision,
HAS ADOPTED THIS DECISION:

Article 1

Subject matter and scope

1.1.   This Decision lays down rules relating to the conditions under which the EESC may restrict the application of Articles 4, 14 to 22, and 35, as well as, in extraordinary circumstances, Article 36 of the Regulation based on Article 25 of the Regulation.
1.2.   The EESC, as the controller, is represented by the EESC president.

Article 2

Restrictions

2.1.   The EESC may restrict the application of the rights enshrined in Articles 4, 14 to 22, and 35, as well as, in extraordinary circumstances, Article 36 of the Regulation, on the following grounds and for the purposes referred to below:
a) pursuant to Article 25(1)(b), (c), (f), (g) and (h) of the Regulation, when conducting administrative investigations, activities preliminary to the decision to open administrative investigations, pre-disciplinary, disciplinary or suspension proceedings under Article 86 and Annex IX of the Staff Regulations and EESC Decision No 635/05 A of 7 December 2005 laying down general implementing provisions governing disciplinary procedures and administrative investigations;
b) pursuant to Article 25(1)(b), (c), (f), (g) and (h) of the Regulation, when cooperating with OLAF, particularly when providing OLAF with information and documents, notifying cases to OLAF or processing information and documents from OLAF;
c) pursuant to Article 25(1)(h) of the Regulation, when ensuring that EESC staff members are able to report facts confidentially where they believe there are serious irregularities, as set out in EESC Decision 053/16 A of 2 March 2016 on the internal rules on whistleblowing;
d) pursuant to Article 25(1)(h) of the Regulation, when ensuring that EESC staff members are able to contact the confidential counsellors under the informal procedure and, subsequently and where appropriate, the Appointing Authority under the formal procedure, as defined in EESC Decision 200/14 A of 26 September 2014 concerning the procedures for preventing and dealing with psychological and sexual harassment at work within the Secretariat of the EESC;
e) pursuant to Article 25(1)(h) of the Regulation, when processing a request for assistance within the meaning of Article 24 of the Staff Regulations, a request within the meaning of Article 25 of the Staff Regulations, a request within the meaning of Article 90(1) of the Staff Regulations or a complaint within the meaning of Article 90(2) of the Staff Regulations;
f) pursuant to Article 25(1)(c) and (h) of the Regulation, when conducting selection, recruitment, appointment and evaluation procedures concerning staff;
g) pursuant to Article 25(1)(c) and (h) of the Regulation, when conducting procurement procedures;
h) pursuant to Article 25(1)(h) of the Regulation, when processing medical data contained in the data subjects’ medical files managed by the EESC Medical and Social Service;
i) pursuant to Article 25(1)(c), (g) and (h) of the Regulation, when conducting verifications within the meaning of Article 116(4) of the Financial Regulation or in the framework of the treatment of financial irregularities within the meaning of Article 93 of the Financial Regulation;
j) pursuant to Article 25(1)(c), (g) and (h) of the Regulation, when conducting internal audits in relation to activities or departments of the EESC in accordance with Article 118 of the Financial Regulation;
k) pursuant to Article 25(1)(c), (d), (g) and (h) of the Regulation, when providing or receiving assistance to or from other Union institutions, bodies, offices and agencies or cooperating with them in the context of activities under points (a) to (j) of this paragraph and pursuant to the relevant service level agreements, memoranda of understanding and cooperation agreements;
l) pursuant to Article 25(1)(c), (g) and (h) of the Regulation, when providing or receiving assistance to or from third country national authorities and international organisations or cooperating with such authorities and organisations, either at their request or on its own initiative;
m) pursuant to Article 25(1)(c), (g) and (h) of the Regulation, when providing or receiving assistance and cooperation to or from EU Member State public authorities, either at their request or on its own initiative;
n) pursuant to Article 25(1)(e) of the Regulation, when processing personal data in documents obtained by the parties or interveners in the context of proceedings before the Court of Justice of the European Union;
o) pursuant to Article 25(1)(c), (d) and (h) of the Regulation, when carrying out activities in order to ensure the security of persons, assets and information in relation to activities or departments of the EESC;
p) pursuant to Article 25(1)(c), (g) and (h) of the Regulation, when carrying out investigations on matters and occurrences relating to data protection issues in accordance with the last sentence of Article 45(2) of the Regulation.
2.2.   Any restriction shall respect the essence of fundamental rights and freedoms and be necessary and proportionate in a democratic society.
2.3.   A necessity and proportionality test shall be carried out on a case-by-case basis before restrictions are applied. Restrictions shall be limited to what is strictly necessary to achieve their objective.
2.4.   For accountability purposes, the EESC shall draw up a record describing the reasons for restrictions that are applied, which grounds among those listed in paragraph 1 apply, and the outcome of the necessity and proportionality test. Those records shall be part of a register, which shall be made available on request to the EDPS.
2.5.   When processing personal data received from other organisations in the context of its tasks, the EESC shall consult those organisations on potential grounds for imposing restrictions and the necessity and proportionality of the restrictions concerned, unless this would jeopardise the activities of the EESC.

Article 3

Risks to the rights and freedoms of data subjects

3.1.   Whenever the EESC assesses the necessity and proportionality of a restriction it shall consider the potential risks to the rights and freedoms of the data subject.
3.2.   Assessments of the risks to the rights and freedoms of data subjects of imposing restrictions and details of the period of application of those restrictions shall be registered in the record of the relevant processing activities maintained by the EESC under Article 31 of the Regulation. They shall also be recorded in any data protection impact assessments regarding those restrictions conducted under Article 39 of the Regulation.

Article 4

Safeguards and storage periods

4.1.   The EESC shall implement safeguards to prevent abuse and unlawful access to or transfer of personal data in respect of which restrictions apply or could be applied. Such safeguards shall include technical and organisational measures and shall be specified as necessary in the EESC’s internal decisions, procedures and implementing rules. The safeguards shall include:
a) a clear definition of roles, responsibilities and procedural steps;
b) if appropriate, a secure electronic environment to prevent unlawful or accidental access to or transfer of electronic data to unauthorised persons;
c) if appropriate, secure storage and processing of paper documents;
d) due monitoring of restrictions and a periodic review of their application.
The reviews referred to in point (d) shall be conducted at least every six months.
4.2.   Restrictions shall be lifted as soon as the circumstances justifying them no longer apply.
4.3.   The personal data shall be retained in accordance with the applicable EESC retention rules, to be defined in the records kept under Article 31 of the Regulation. At the end of the retention period, the personal data shall be deleted, anonymised or transferred to the archives in accordance with Article 13 of the Regulation.

Article 5

Involvement of the Data Protection Officer

5.1.   The EESC DPO shall be informed without undue delay whenever data subject rights are restricted in accordance with this Decision. They shall be given access to the corresponding records and any documents concerning the factual or legal context.
5.2.   The EESC DPO may request a review of the application of a restriction. The EESC shall inform the DPO in writing of the outcome of the review.
5.3.   The EESC shall document the involvement of the DPO in the application of restrictions, including what information is shared with them.

Article 6

Information to data subjects on restrictions of their rights

6.1.   The EESC shall include a section in the data protection notices published on its intranet or internet website providing general information to data subjects on the potential restriction of their rights pursuant to Article 2(1). The information shall cover which rights may be restricted, the grounds on which restrictions may be applied and their potential duration.
6.2.   The EESC shall inform data subjects individually, in writing and without undue delay, of ongoing or future restrictions of their rights. The EESC shall inform the data subject of the principal reasons on which the application of the restriction is based, of their right to consult the DPO with a view to challenging the restriction and of their right to lodge a complaint with the EDPS.
6.3.   The EESC may defer, omit or deny the provision of information concerning the reasons for a restriction and the right to lodge a complaint with the EDPS for as long as necessary to prevent it from cancelling out the effect of the restriction. Assessment of whether this would be justified shall take place on a case-by-case basis. As soon as it would no longer cancel out the effect of the restriction, the EESC shall provide the information to the data subject.

Article 7

Notifying a data subject of a breach of their personal data

7.1.   Where the EESC is under an obligation to notify a data subject of a data breach under Article 35(1) of the Regulation, it may, in exceptional circumstances, restrict such notification wholly or in part. It shall document in a note the reasons for the restriction, the legal grounds for it under Article 2 and an assessment of its necessity and proportionality. The note shall be sent to the EDPS at the time of the notification of the personal data breach.
7.2.   Where the reasons for the restriction no longer apply, the EESC shall notify the data subject of the breach of their personal data and inform them of the principal reasons for the restriction and of their right to lodge a complaint with the EDPS.

Article 8

Confidentiality of electronic communications

8.1.   In extraordinary circumstances, the EESC may restrict the right to confidentiality of electronic communications under Article 36 of the Regulation. Such restrictions shall comply with Directive 2002/58/EC of the European Parliament and of the Council (6).
8.2.   Notwithstanding Article 6(3) of the present Decision, allowing the EESC, in extraordinary circumstances, to restrict the right to confidentiality of electronic communications, it shall inform the data subject concerned, in its reply to any request from the data subject, of the principal reasons on which the application of the restriction is based and of their right to lodge a complaint with the EDPS.

Article 9

Entry into force

This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Done at Brussels, on 21 June 2021.
Christa SCHWENG
The President
(1)  OJ L 295, 21.11.2018, p. 39.
(2)  Regulation (EEC, Euratom, ECSC) No 259/68 of the Council of 29 February 1968 laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission (OJ L 56, 4.3.1968, p. 1).
(3)  Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (EC) No 1073/1999 of the European Parliament and of the Council and Council Regulation (Euratom) No 1074/1999 (OJ L 248, 18.9.2013, p. 1).
(4)  Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (OJ L 193, 30.7.2018, p. 1).
(5)  Decision of the Secretary-General of the EESC (No 229/19 A) and of the Secretary-General of the CoR (No 177/2019) of 4 September 2019 on general rules for use of the IT system.
(6)  Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (OJ L 201, 31.7.2002, p. 37).