Decision of the High Representative of the Union for Foreign Affairs and Secu... (32019D1031(02))

Decision of the High Representative of the Union for Foreign Affairs and Security Policy

of 1 October 2019

on implementing rules relating to the protection of personal data by the European External Action Service and the application of Regulation (EU) 2018/1725 of the European Parliament and of the Council

(2019/C 370/05)
THE HIGH REPRESENTATIVE OF THE UNION FOR FOREIGN AFFAIRS AND SECURITY POLICY,
Having regard to the Council Decision 2010/427/EU of 26 July 2010 establishing the organisation and functioning of the European External Action Service (1) (‘the EEAS Council Decision’), and in particular Article 11(3) thereof,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (2) (‘the Regulation’), and in particular Articles 43, 44 and 45 thereof,
Whereas:
(1) The enhanced accountability of the data controllers established in the Regulation requires the adoption of a new implementing decision replacing the Decision PROC HR(2011) 016 of the High Representative of the Union for Foreign Affairs and Security Policy of 8 December 2011 on the rules regarding data protection in the EEAS.
(2) The role of the data protection officer and the responsibilities of the data controller within the European External Action Service need to be clearly established and adapted to the requirements of the Regulation,
HAS DECIDED AS FOLLOWS:

SECTION 1

GENERAL PROVISIONS

Article 1

Subject matter and scope

1.   In accordance with Article 45(3) of the Regulation, this Decision sets out the tasks, duties and powers of the data protection officer (hereinafter referred to as the ‘DPO’) within the EEAS.
2.   This Decision also further specifies internal procedures and the responsibilities of data controllers and processors as well as the role, tasks and duties of data protection coordinators and correspondents, in particular pursuant to Articles 26 and 29 of the Regulation.

Article 2

Definitions

For the purpose of this Decision and without prejudice to the definitions provided by the Regulation:
(a) ‘data controller’ shall mean the EEAS or its organisational entities, including EU Delegations that, alone or jointly with others, determine the purposes and means of processing personal data;
(b) ‘representative of the data controller’ shall mean members of the EEAS management or heads of organisational entities who supervise the data controller entities referred to in point (a) above and who are responsible and accountable for the processing of personal data;
(c) ‘delegated controller’ shall mean a service or staff within the data controller organisational entity which is entrusted with managing the personal data processing activity;
(d) ‘joint controllers’ shall mean two or more organisational entities who determine together the purposes and means of the processing of personal data, and the roles and responsibilities of the controllers, including their duties in relation to exercising the rights of the data subject, in particular when the EEAS jointly controls the processing with other EU institutions, bodies, agencies, offices, or any other entities;
(e) ‘data protection officer (“DPO”)’ shall mean the EEAS staff member designated by the EEAS, in accordance with Article 43 of the Regulation, to support, inform and advise the data controllers;
(f) ‘data protection coordinator and correspondent (“DPC”)’ shall respectively mean EEAS staff members in Headquarters and in EU Delegations, designated to assist their data controllers in data protection matters;
(g) ‘processor’ shall mean an entity, inside or outside the EEAS, which processes personal data on behalf of the data controller;
(h) ‘data protection notices’ shall mean notices, such as privacy statements, by which the data controller provides information to data subjects under Articles 15 and 16 of the Regulation;
(i) ‘EEAS staff’ shall mean, in accordance with Article 6 of the EEAS Council Decision, officials and other servants of the EU working for the EEAS, including personnel from the diplomatic services of EU Member States, seconded national experts and trainees.

SECTION 2

THE DATA PROTECTION OFFICER

Article 3

Designation of the data protection officer

1.   The Secretary-General of the EEAS shall designate the DPO from the EEAS staff, in accordance with Article 43 of the Regulation, and register him or her with the European Data Protection Supervisor (hereinafter referred to as the ‘EDPS’).
2.   In addition to the requirements of Article 43(3) of the Regulation, the DPO shall have a sound knowledge of the EEAS services, their structure, information systems, administrative rules and procedures. The DPO shall have expertise in data protection, sound judgement and the ability to maintain an impartial and objective stance in accordance with the Staff Regulations.
3.   The DPO shall be designated for a term of five years and shall be eligible for reappointment.
4.   The DPO may be dismissed from the post only with the consent of the EDPS if he or she no longer fulfils the conditions required for the performance of his or her duties.
5.   The DPO shall be administratively attached to the Secretary-General.
6.   The DPO contact details shall be published on the EEAS intranet and on the EEAS external website and communicated to the EDPS.

Article 4

Position of the data protection officer

1.   The DPO shall act independently and in cooperation with the EDPS. The EEAS shall not issue any instructions to the DPO with regard to the exercise of his or her tasks.
2.   The DPO shall not be dismissed or penalised for performing his or her tasks.
3.   The DPO shall be informed of all contacts with external parties concerning the application of the Regulation and this Decision, in particular, of any interaction with the EDPS and the members of the DPO network in EU institutions, bodies, offices and agencies.
4.   Data subjects may contact the DPO on any issue related to processing of their personal data or the exercise of their rights under the Regulation.
5.   The DPO may be consulted by the data controller or by his or her representative, by the Staff Committee and by any staff member on any matter concerning the interpretation or application of the Regulation, without the need for them to go through official channels. No one shall suffer prejudice as a result of bringing a matter to the attention of the DPO.

Article 5

Tasks of the data protection officer

The DPO shall:
(a) be consulted on all issues which relate to the protection of personal data;
(b) provide guidance and pro-actively advise EEAS entities and their contractors who carry out personal data processing activities, on how to implement the Regulation and this Decision, including consultation on data breach notifications, impact assessments and the necessity of prior consultation with the EDPS;
(c) keep regular contact with the data controllers to monitor data protection compliance, and support them in their tasks, in particular to contribute to preparing and publishing data protection notices and replying to the requests from data subjects;
(d) maintain regular contact with the DPCs of the EEAS Headquarters and EU Delegations and manage the DPC Network within the EEAS;
(e) raise general data protection awareness, organise trainings and information sessions;
(f) cooperate with DPOs of other EU institutions, bodies, offices and agencies, in particular by exchanging experience and best practices;
(g) keep a central register of processing activities carried out by the EEAS based on the records prepared by the data controllers in accordance with Article 31 of the Regulation and make the register publicly available;
(h) assist in ensuring the representation of the High Representative or the EEAS at international level on all data protection related issues.

Article 6

Powers

In performing his or her tasks the DPO:
(a) shall have access at all times to the data processed by EEAS entities and their contractors and to all offices, data processing centres and data carriers;
(b) shall provide his or her opinion to the Appointing Authority before any decision is taken on matters relating to the application of data protection provisions;
(c) may propose administrative measures and issue general recommendations on the appropriate application of the Regulation and of this Decision;
(d) may make recommendations for the practical improvement of data protection to the EEAS management, staff and any relevant external party;
(e) may investigate data protection matters and, in addition to the person who requested the investigation or lodged the complaint, may report the result of the investigation to the data controller, and to any relevant member of the EEAS management;
(f) may develop templates and internal procedures, instructions or policies to provide guidance to data controllers and processors;
(g) may use the services of external experts, including IT specialists;
(h) may bring to the attention of the EEAS Appointing Authority any failure by a staff member to comply with the obligations under the Regulation and this Decision and suggest the launch of an administrative investigation;
(i) may issue internal guidelines on data protection (DPO Guidance Notes) that shall be taken into account when processing personal data.

Article 7

Resources

1.   The DPO shall be provided with adequate staff and resources necessary to carry out the tasks referred to in Article 5 of this Decision.
2.   All EEAS staff shall support the DPO in carrying out the tasks referred to in Article 5 of this Decision. In particular, the data controllers and processors shall provide the requested information about data processing activities and access to personal data, and shall prepare draft replies to requests received by the DPO from data subjects exercising their right of access, modification and deletion where those requests relate to processing activities for which the data controller is responsible.
3.   The DPO may have a deputy or an assistant DPO as well as administrative staff and secretarial support, as required. The DPO may also use other EEAS or contracted entities and external experts.
4.   When designated, the deputy or assistant DPO shall support the DPO in carrying out his or her tasks and may represent the DPO in the event of his or her absence. Articles 4, 5 and 6 of this Decision shall also apply to the deputy or assistant DPO.
5.   The DPO shall have appropriate premises where the security and confidentiality of information, including personal data, can be guaranteed and where adequate storage and archiving of data and documents can be ensured.
6.   The DPO shall have at their disposal an electronic tool which can (i) manage the records of personal data processing activities in accordance with Article 31 of the Regulation and (ii) store data protection notices, data breach notifications, data protection impact assessments, data subject requests and records of data transfers.
7.   The EEAS shall support the DPO in maintaining and expanding their expert knowledge, among others, by facilitating participation in inter-institutional or external training courses, conferences or events related to data protection and in meetings and trainings organised by the EDPS and the DPO Network of EU institutions, bodies, offices and agencies.

SECTION 3

ACTORS INVOLVED IN PROCEDURES IN RELATION TO DATA PROTECTION

Article 8

Data controllers and processors

1.   The delegated controllers, the representatives of the controllers and of the processors are responsible, on behalf of the data controller, for ensuring that all processing activities under their control comply with the Regulation, in particular Article 26 thereof, and with the provisions of this Decision. They may, as required, entrust data processing tasks to EEAS staff working under their responsibility or to contracted entities, in accordance with Article 29 of the Regulation.
2.   In particular, data controllers shall:
(a) be accountable, ensure and demonstrate that processing is carried out in compliance with the Regulation and this Decision;
(b) record any processing activity and any substantial changes to an existing processing activity;
(c) ensure that the data subjects are informed about the processing of their data in accordance with Articles 15 and 16 of the Regulation by making the data protection notices available;
(d) cooperate with the DPO and the EDPS, in particular by providing information in reply to their requests within 14 calendar days of the date of the request;
(e) inform the DPO when a contractor is used to process personal data on behalf of the data controller;
(f) appoint a DPC, support them in fulfilling their duties and inform the DPO about any change of the person or function of the DPC;
(g) consult the DPO on whether processing activities comply with the Regulation and this Decision. They may consult the DPO or other experts on issues relating to the confidentiality, availability and integrity of the processing activities and on the security measures taken pursuant to Article 33 of the Regulation.
3.   Data controllers may use other entities in the EEAS or contracted entities as processors in compliance with the provisions of the Regulation, as long as they document in their records who the processor is, specify the tasks entrusted to them and the security measures taken.
4.   The data controller shall ensure that the DPO is informed without delay:
(a) of all issues that have, or might have, data protection implications;
(b) of all EEAS management communication and decisions in relation to the application of the Regulation, in particular any interaction with the EDPS.

Article 9

Data protection coordinator and correspondent

1.   Depending on their size and on the type of personal data processed, EEAS organisational entities shall have a DPC who acts as a focal point for data protection. Each managing directorate or directorate in the EEAS Headquarters and each EU Delegation shall designate a data protection coordinator or a data protection correspondent. All divisions that regularly process a large quantity of personal data, special categories of data or sensitive personal data, the processing of which presents high risk, shall also designate their own DPC. The DPC function shall be assigned to a position that has an overview of the activities of the entity.
2.   The DPC shall have the necessary skills and acquire knowledge about data protection. They shall receive a data protection induction training and may attend information sessions and DPC Network meetings.
3.   The DPC shall:
(a) without prejudice to the responsibilities of the DPO, assist the data controllers in complying with their obligations;
(b) facilitate communication between the DPO and the data controllers;
(c) be a focal point for data protection matters in their service and liaise with the DPO;
(d) inform and support their colleagues on matters related to the processing of personal data;
(e) forward information to staff on awareness-raising events and training sessions;
(f) work with the DPO to create and update an inventory of existing and new processing activities of personal data;
(g) contact and notify the DPO regarding any personal data processed within the service;
(h) assist in identifying the relevant delegated data controllers and processors;
(i) develop records in their area of expertise;
(j) support data controllers in establishing and reviewing records and creating data protection notices;
(k) contribute to compliance verifications and impact assessments;
(l) ensure that the relevant data protection notices are published and correctly used by their service;
(m) notify the DPO of any data breaches;
(n) prepare, in cooperation with the DPO, the reply to requests from data subjects exercising their rights, handle complaints and questions relating to the data processing activities in their service.
4.   The DPC has the right to obtain the information required to identify personal data processing activities and to consult the DPO on behalf of their service. This does not include the right to access personal data processed under the responsibility of the data controller.

Article 10

Appointing Authority

The Appointing Authority shall consult the DPO on any request or complaint pursuant to Article 90 of the Staff Regulations in relation to the application of the Regulation.

Article 11

EEAS staff

1.   All EEAS staff shall apply the confidentiality and security rules for the processing of personal data as set out in Articles 33, 34 and 35 of the Regulation. No EEAS staff member with access to personal data shall process the data other than on instructions from the data controllers.
2.   All EEAS staff members shall indicate to their line manager when they need to process personal data in order for data controllers to document the processing in their data protection records and to prepare the necessary data protection notices.
3.   Any EEAS staff member may submit a request or raise a concern, including an alleged data breach, to the DPO, or may lodge a complaint with the EDPS regarding an alleged breach of the Regulation or of this Decision, without the necessity to inform their hierarchical superiors.
4.   If any staff member considers that a third country, a territory or one or more specified sectors within a third country, or an international organisation does not ensure an adequate level of protection within the meaning of Article 45(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council (3) or of Article 36(3) of Directive (EU) 2016/680 of the European Parliament and of the Council (4), they shall notify the DPO.

SECTION 4

MEASURES AND PROCEDURES

Article 12

Security measures and data protection by design and by default

1.   The safeguards, technical and organisational measures to avoid data breaches, leakages or unauthorised disclosure shall include:
(a) an adequate definition of roles, responsibilities and procedural steps;
(b) a secure electronic environment which prevents unlawful or accidental access or transfer of electronic data to unauthorised persons, with safety measures built into the various IT applications used;
(c) secure processing and storage of paper-based documents;
(d) electronic and physical access only for authorised staff, with access rights granted individually.
2.   Before designing data processing activities, data controllers shall implement data protection by design and by default as referred to in Article 27 of the Regulation. In order to implement data protection by design and default, the data controller may consult the DPO and other relevant services, including IT and IT security.

Article 13

Data breach notifications

After becoming aware of any incident, in particular a breach of security, leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data transferred, stored, or otherwise processed (‘personal data breach’), the data controller or processor shall immediately notify the DPO and within 72 hours the EDPS and shall appropriately document the incident.

Article 14

Investigations and handling requests and complaints by the DPO

1.   The DPO may open an investigation concerning an alleged breach of the obligations under the Regulation on his or her own initiative or upon request. Requests shall be addressed to the DPO in writing.
2.   The DPO may request a written statement on the matter from the data controller responsible for the relevant data processing activity. The data controller shall provide the response to the DPO within 14 calendar days of receiving this request. The DPO may request access to complementary information, documents, data carriers, data centres, premises and systems from other EEAS services, in particular the IT division, the security directorate, and the directorate-general dealing with administrative inquiries and disciplinary procedures. The DPO shall be provided with the information or opinion within 14 calendar days.
3.   In the case of manifestly unfounded, abusive and excessive requests, in particular where requests of repetitive character have been made by the same data subject, the DPO may refuse to act on the request pursuant to Article 14 of the Regulation. The requestor shall be informed accordingly.

SECTION 5

PROCEDURE FOR DATA SUBJECTS TO EXERCISE THEIR RIGHTS

Article 15

General provisions

1.   Data subjects may contact the data controller or the DPO to exercise their rights in accordance with Articles 14 to 24 of the Regulation.
2.   Requests to exercise data subjects’ rights shall be made in writing. If necessary, the DPO shall assist the data subject in identifying the relevant data controller. The DPO shall forward any requests received to the relevant data controller who may consult the DPO.
3.   The data controllers shall process the request and reply directly to the data subject.

Article 16

Processing requests for exercising data subject rights

1.   Data controllers shall act on the request only after the requestor’s identity has been verified or, in the case of a request by a representative of the data subject, after the authorisation from the data subject has been provided.
2.   The data controller responsible for the data processing activity shall send to the requestor an acknowledgement of receipt within 14 calendar days of the receipt of the request by the EEAS. Unless otherwise provided, the data controller shall reply to the request within 1 month of the registration of the request. The data controller shall either give a positive reply to the request or state in writing the reasons for a complete or partial refusal. The period for reply may be extended by up to 2 further months, taking into account the complexity of the matter and the number of requests made, in accordance with Article 14(3) of the Regulation.
3.   The data subject’s request may be refused if
(a) the request is not justified;
(b) an exception established in the Regulation applies;
(c) a restriction applies in accordance with the internal rules (5) adopted on the basis of Article 25 of the Regulation.
4.   In the case of manifestly unfounded, abusive and excessive requests, in particular where requests of repetitive character have been made by the same data subject, the data controller, after having consulted the DPO, may refuse to act on the request pursuant to Article 14 of the Regulation. The requestor shall be informed accordingly.

Article 17

Exceptions and restrictions

Restrictions in accordance with the internal rules adopted on the basis of Article 25 of the Regulation and exceptions established in Articles 15-19 and 21-24 of the Regulation shall be applied only after having consulted the DPO.

SECTION 6

FINAL PROVISIONS

Article 18

Communication about this Decision

1.   In accordance with Article 41 of the Regulation, the EDPS shall be informed about this Decision.
2.   This Decision shall be made available to the EEAS staff through appropriate means, in particular by publishing it on the internal website of the EEAS.

Article 19

Repeal

Decision PROC HR(2011) 016 of the High Representative of the Union for Foreign Affairs and Security Policy of 8 December 2011 on the rules regarding data protection is hereby repealed.

Article 20

Effect

This Decision shall take effect on the day following its adoption.
Done at Brussels, 1 October 2019.
Federica MOGHERINI
The High Representative
(1) OJ L 201, 3.8.2010, p. 30.
(2) OJ L 295, 21.11.2018, p. 39.
(3) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(4) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).
(5)  Decision of the High Representative of the Union for Foreign Affairs and Security Policy on internal rules concerning restrictions of certain rights of data subjects in relation to processing of personal data in the framework of the functioning of the European External Action Service (ADMIN(2019) 10).