European Data Protection Supervisor Decision of 2 April 2019 on internal rule... (32019Q0410(01))

EUROPEAN DATA PROTECTION SUPERVISOR DECISION

of 2 April 2019

on internal rules concerning restrictions of certain rights of data subjects in relation to the processing of personal data in the framework of activities carried out by the European Data Protection Supervisor

THE EUROPEAN DATA PROTECTION SUPERVISOR (EDPS),
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (hereinafter ‘the Regulation’), repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (1), and in particular Article 25 and Chapter VI thereof,
Having consulted the Secretariat of the European Data Protection Supervisor on this decision, according to Article 41(2) of the Regulation,
Whereas:
(1) The EDPS may, in the context of its functioning, conduct administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings, on the basis of Article 86 of the Staff Regulations of Officials of the European Union (2) and in accordance with Annex IX thereto as well as EDPS Decision of 23 April 2015 adopting implementing provisions regarding the conduct of administrative inquiries and disciplinary proceedings, as well as the Service Level Agreement concerning the collaboration between DG HR of the European Commission and the EDPS signed on 29/1/2016, and may notify cases to IDOC or OLAF, which implies processing of information including personal data.
(2) EDPS staff members have the obligation to report possible illegal activities, including fraud or corruption, detrimental to the interests of the Union, or conduct relating to the discharge of professional duties which may constitute a serious failure to comply with the obligations of an official of the Union. This is regulated by the EDPS Decision on internal rules concerning whistleblowing of 14 June 2016.
(3) The EDPS has set out a policy to prevent and deal effectively and efficiently with actual or potential cases of psychological or sexual harassment at the workplace, as provided for in its Decision of 10 December 2014 adopting implementing measures regarding Articles 12a and 24 of Staff Regulations about the procedure relating to anti-harassment. The Decision establishes an informal procedure where the alleged victim of the harassment may contact EDPS confidential counsellors.
(4) The EDPS, pursuant to Article 57(1)(e) of the Regulation, handles complaints on processing activities carried out by the European institutions, bodies, offices and agencies. In this context, the EDPS may conduct investigations concerning the subject matter of the complaint.
(5) The EDPS, pursuant to Article 57(1)(f) of the Regulation, conducts investigations on the application of the Regulation to verify compliance of EU institutions, bodies, offices and agencies.
(6) The EDPS may conduct investigations on possible breaches of EUCI information, based on EDPS Decision of 18 February 2014 amending its rules on security for EUCI.
(7) The EDPS may conduct audits on its activities. This is currently performed through the Internal Audit Service of the European Commission (IAS hereinafter), based on the Service Level Agreement signed on 1 June 2012, as renewed. It may also be conducted by the Internal Control Coordinator in its full capacity.
(8) In the context of the tasks described in Recitals 1 to 7 the EDPS may provide and receive assistance and cooperation to and from other Union institutions, bodies, offices and agencies, as set out in relevant service level agreements, memoranda of understanding and cooperation agreements.
(9) The EDPS may provide and receive assistance and cooperation to and from third countries' national authorities and international organisations, upon their request or on its own initiative, as provided for in Article 51 of the Regulation.
(10) The EDPS may provide and receive assistance and cooperation to and from EU Member States public authorities, upon their request or by its own initiative.
(11) Based on Article 58(4) of the Regulation, the EDPS can be involved in cases before the Court of Justice of the European Union either to refer a matter to the Court, or to defend EDPS challenged decisions or to intervene in cases relevant to its tasks.
(12) In the context of the above-mentioned activities, the EDPS collects and processes relevant information and several categories of personal data, including identification data of a natural person, contact information, professional roles and tasks, information on private and professional conduct and performance, and financial data. The EDPS acts as data controller.
(13) Adequate safeguards are in place to protect personal data and prevent them from accidental or unlawful access or transfer, both if they are stored in a physical or in an electronic environment. After processing, the data are retained in accordance with the applicable EDPS retention rules, as defined in data protection records based on Article 31 of the Regulation. At the end of the retention period, the case related information, including personal data, is deleted, anonymised or transferred to the historical archives.
(14) Within this context, the EDPS is bound to fulfil its obligation to provide information to the data subjects in relation to the above processing activities and respect the rights of the data subjects, as laid down in the Regulation.
(15) It may be necessary to reconcile the rights of data subjects pursuant to the Regulation with the needs of the above-mentioned activities, while fully respecting fundamental rights and freedoms of other data subjects. To that effect, Article 25 of the Regulation provides, under strict conditions, the possibility to restrict the application of Articles 14 to 20, 35 and 36, as well as Article 4 in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 20. In this case it is necessary to adopt internal rules under which the EDPS may restrict those rights in line with the same Article of the Regulation.
(16) This might in particular be the case when providing information about the processing of personal data to the data subject at the preliminary assessment phase of an administrative inquiry or during the inquiry itself, prior to a possible dismissal of the case or a pre-disciplinary stage. In certain circumstances, providing such information might seriously affect the EDPS' capacity to conduct the inquiry in an effective way, whenever, for example, there is a risk that the person concerned destroys evidence or interferes with potential witnesses before they are interviewed. Furthermore, the EDPS might need to protect the rights and freedoms of the person concerned as well as the rights and freedoms of other persons involved.
(17) It might be necessary to protect the confidentiality of a witness or a whistle-blower who has asked not to be identified. In such a case, the EDPS may decide to restrict access to the identity, statements and other personal data of the whistle-blower and other persons involved, in order to protect their rights and freedoms.
(18) It might be necessary to protect the confidentiality of a staff member who has contacted EDPS confidential counsellors in the context of a harassment procedure. In such a case, the EDPS may decide to restrict access to the identity, statements and other personal data of the alleged victim, the alleged harasser and other persons involved, in order to protect their rights and freedoms.
(19) When handling complaints on processing activities carried out by the European institutions, bodies, offices and agencies, the EDPS might, in certain circumstances, need to preserve the effectiveness of its inquiries and to protect, as necessary, persons involved and their rights and freedoms.
(20) When conducting investigations on the application of the Regulation to verify compliance of EU institutions, bodies, offices and agencies with the Regulation, the EDPS, in certain circumstances, might need to preserve the effectiveness of its inquiries and to protect, as necessary, persons involved and their rights and freedoms.
(21) When conducting investigations on possible breaches of EUCI information, the EDPS, in certain circumstances, might need to preserve the effectiveness of its inquiries and protect, as necessary, the internal security of Union institutions, bodies, offices and agencies, including of their electronic communication networks, as well as rights and freedoms of data subjects involved.
(22) When providing or receiving assistance and cooperation to other Union institutions, bodies, offices and agencies, EU Member States' public authorities, third countries' national authorities and international organisations in the context of the above-mentioned activities, the EDPS, in certain circumstances, might need to preserve the effectiveness of its inquiries or of those carried out by the entity it cooperates with, and protect, as necessary, persons involved and their rights and freedoms.
(23) When referring matters to or intervening before the Court of Justice of the European Union, the EDPS may need to preserve the confidentiality of personal data contained in documents obtained by the parties or the interveners in the context of the case at stake.
(24) The EDPS should apply restrictions only when they respect the essence of the fundamental rights and freedoms, and are strictly necessary and a proportionate measure in a democratic society. The EDPS should give justifications explaining the grounds for those restrictions.
(25) Based on the principle of accountability, the EDPS should keep a record of the application of the restrictions.
(26) When processing personal data exchanged with other organisations in the context of its tasks, the EDPS should consult and should be consulted by those organisations on the possible relevant grounds for imposing restrictions and the necessity and proportionality of the restrictions, unless this would jeopardise the activities of the EDPS.
(27) Article 25(6) of the Regulation obliges the controller to inform data subjects of the principal reasons on which the application of the restriction is based and of their right to lodge a complaint with the EDPS.
(28) Pursuant to Article 25(8) of the Regulation, the EDPS may defer, omit or deny the provision of information on the reasons for the application of a restriction to the data subject if this would in any way cancel the effect of the restriction. The EDPS should assess on a case-by-case basis whether the communication of the restriction would cancel its effect.
(29) The EDPS should lift the restriction as soon as the conditions that justify the restriction no longer apply, and assess those conditions on a regular basis.
(30) To guarantee the utmost protection of the rights and freedoms of data subjects and in accordance with Article 44(1) of the Regulation, the DPO should be informed in due time of any restrictions being applied and verify compliance with this Decision.
(31) The application of the above-mentioned restrictions is without prejudice to the possible application of the provisions of Articles 16(5) and 17(4) of the Regulation, relating, respectively, to the right of information when data have not been obtained from the data subject, and to the right of access by the data subject.
HAS ADOPTED THIS DECISION:

Article 1

Subject matter and scope

This Decision lays down rules relating to the conditions under which the EDPS may restrict, on the basis of Article 25 of the Regulation, the application of Articles 14 to 20, 35 and 36 of the Regulation, as well as Article 4 thereof.

Article 2

Restrictions

1.   In accordance with Article 25(1) of the Regulation, the EDPS may restrict the application of Articles 14 to 20, 35 and 36, as well as Article 4 thereof, in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 20, when:
(a) conducting administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings, on the basis of Article 86 of the Staff Regulations of Officials of the European Union (3) and in accordance with Annex IX thereto as well as EDPS Decision of 23 April 2015, and, where appropriate, notifying cases to IDOC or OLAF. Relevant restrictions may be based on Article 25(1)(c), (g) and (h) of the Regulation;
(b) ensuring that EDPS staff members may confidentially report facts where they believe there are serious irregularities, as regulated by the EDPS Decision on internal rules concerning whistleblowing of 14 June 2016. Relevant restrictions may be based on Article 25(1)(h) of the Regulation;
(c) ensuring that EDPS staff members may confidentially report to confidential counsellors in the context of a harassment procedure as defined by the EDPS Decision of 10 December 2014. Relevant restrictions may be based on Article 25(1)(h) of the Regulation;
(d) conducting investigations on the subject matter of complaints on processing activities carried out by the European institutions, bodies, offices and agencies, pursuant to Article 57(1)(e) of the Regulation. Relevant restrictions may be based on Article 25(1)(c), (g) and (h) of the Regulation;
(e) conducting investigations on the application of the Regulation to verify compliance of EU institutions, bodies, offices and agencies, pursuant to Article 57(1)(f) of the Regulation. Relevant restrictions may be based on Article 25(1)(c), (g) and (h) of the Regulation;
(f) conducting investigations on possible breaches of EUCI information, based on EDPS Decision of 18 February 2014 amending its rules on security for EUCI. Relevant restrictions may be based on Article 25(1)(c), (d), (g) and (h) of the Regulation;
(g) conducting internal audits in relation to all the activities and departments of the EDPS. Relevant restrictions may be based on Article 25(1)(c), (g) and (h) of the Regulation;
(h) providing or receiving assistance and cooperation to and from other Union institutions, bodies, offices and agencies, in the context of the above-mentioned activities, as set out in relevant service level agreements, memoranda of understanding and cooperation agreements. Relevant restrictions may be based on Article 25(1)(c), (d), (g) and (h) of the Regulation;
(i) providing or receiving assistance and cooperation to and from third countries' national authorities and international organisations, upon their request or on its own initiative, as provided for in Article 51 of the Regulation. Relevant restrictions may be based on Article 25(1)(c), (g) and (h) of the Regulation;
(j) providing or receiving assistance and cooperation to and from EU Member States' public authorities, upon their request or on its own initiative. Relevant restrictions may be based on Article 25(1)(c), (g) and (h) of the Regulation;
(k) processing personal data in documents obtained by the parties or the interveners in the context of the case at stake when referring matters to or intervening before the Court of Justice of the European Union, based on Article 58(4) of the Regulation. Relevant restrictions may be based on Article 25(1)(e) of the Regulation.
2.   The categories of data include identification data of a natural person, contact information, professional roles and tasks, information on private and professional conduct and performance, and financial data.
3.   Any restriction shall respect the essence of the fundamental rights and freedoms and be necessary and proportionate in a democratic society.
4.   A necessity and proportionality test shall be carried out on a case-by-case basis before restrictions are applied. Restrictions shall be limited to what is strictly necessary to achieve the set objectives.
5.   The EDPS shall file, for accountability purposes, a record describing the reasons for the restrictions applied, which grounds among those listed in paragraph 1 apply and the outcome of the necessity and proportionality test. Those records shall be part of an ad hoc register, which shall be made available on request to the EDPS. A report on the application of Article 25 of the Regulation shall be made available periodically.
6.   When processing personal data exchanged with other organisations in the context of its tasks, the EDPS shall consult and shall be consulted by those organisations on the possible relevant grounds for imposing restrictions and the necessity and proportionality of the restrictions, unless this would jeopardise the activities of the EDPS.

Article 3

Risks to the rights and freedoms of data subjects

The assessment of the risks to the rights and freedoms of data subjects whose personal data may be subject to restrictions, as well as the retention period of those data, is referenced in the record of the relevant processing activities in accordance with Article 31 of the Regulation and, if applicable, in relevant data protection impact assessments based on Article 39 of the Regulation.

Article 4

Storage periods and safeguards

The EDPS shall implement safeguards to prevent abuse or unlawful access or transfer of personal data that may be subject to restrictions. These safeguards shall include technical and organisational measures and be detailed, as necessary, in EDPS internal decisions, procedures and implementing rules. The safeguards shall include:
(a) an adequate definition of roles, responsibilities and procedural steps;
(b) if applicable, a secure electronic environment which prevents unlawful or accidental access or transfer of electronic data to unauthorised persons;
(c) if applicable, secure storage and processing of paper-based documents;
(d) due monitoring of restrictions and a periodical revision, which shall be done at least every six months. A revision must also be carried out when essential elements of the case at hand change. The restrictions shall be lifted as soon as the circumstances that justify them no longer apply.

Article 5

Information to and review by the Data Protection Officer

1.   The EDPS DPO shall be informed without undue delay whenever data subject rights are restricted in accordance with this Decision and shall be provided access to the record and to any documents containing the underlying factual and legal elements.
2.   The EDPS DPO may request to review the application of the restriction. The EDPS shall inform its DPO in writing about the outcome of the requested review.
3.   The involvement of the EDPS DPO in the restrictions procedure, including information exchanges, shall be documented in the appropriate form.

Article 6

Information to data subjects on restrictions to their rights

1.   The EDPS shall include in the data protection notices published on its website general information to data subjects on the potential restrictions of data subjects' rights in the context of the activities described in Article 2(1). The information shall cover which rights may be restricted, the reasons and the potential duration of the restriction.
2.   Additionally, the EDPS shall inform data subjects individually on present or future restrictions of their rights without undue delay and in a written form, as further specified in Articles 7, 8 and 9.

Article 7

Right to information to be provided to data subjects and communication on data breaches

1.   Where, in the context of the activities mentioned in this Decision, the EDPS restricts, wholly or partly, the rights of data subjects referred to in Articles 14 to 16 and 35 of the Regulation, the data subjects shall be informed of the principal reasons on which the application of the restriction is based, and of their right to lodge a complaint with the EDPS as well as to seek a judicial remedy before the Court of Justice of the European Union.
2.   The EDPS may defer, omit or deny the provision of information concerning the reasons for the restriction referred to in paragraph 1 for as long as it would cancel the effect of the restriction. This assessment shall take place on a case-by-case basis.

Article 8

Data subjects' right of access, rectification, erasure and restriction of processing

1.   Where in the context of the activities mentioned in this Decision, the EDPS restricts, wholly or partly, the right of access to personal data, the right to rectification, erasure, and restriction of processing, as referred to in Articles 17 to 20 respectively of the Regulation, it shall inform the data subject concerned, in its reply to their request, of the principal reasons on which the application of the restriction is based, and of the possibility of lodging a complaint with the EDPS or of seeking a judicial remedy before the Court of Justice of the European Union.
2.   Where the right of access is wholly or partly restricted, the EDPS, when investigating the complaint, shall only inform the data subject of whether the data have been processed correctly and, if not, whether any necessary corrections have been made, in accordance with Article 25(7) of the Regulation.
3.   The EDPS may defer, omit or deny the provision of information concerning the reasons for the restriction referred to in paragraphs 1 and 2 if it would cancel the effect of the restriction. This assessment shall take place on a case-by-case basis.

Article 9

Confidentiality of electronic communication

1.   The EDPS, under exceptional circumstances, and in line with the provisions and the rationale of Directive 2002/58/EC, may restrict the right to confidentiality of electronic communications, as referred to in Article 36 of the Regulation. In this case, the EDPS shall detail circumstances, grounds, relevant risks and related safeguards in specific internal rules.
2.   Where the EDPS restricts the right to confidentiality of electronic communications, it shall inform the data subject concerned, in its reply to their request, of the principal reasons on which the application of the restriction is based, and of the possibility of lodging a complaint with the EDPS or of seeking a judicial remedy before the Court of Justice of the European Union.
3.   The EDPS may defer, omit or deny the provision of information concerning the reasons for the restriction referred to in paragraphs 1 and 2 for as long as it would cancel the effect of the restriction. This assessment shall take place on a case-by-case basis.

Article 10

Entry into force

This Decision shall enter into force on the day of its publication in the Official Journal of the European Union.
Done at Brussels, 2 April 2019
For the European Data Protection Supervisor
Giovanni BUTTARELLI
(1)  OJ L 295, 21.11.2018, p. 39.
(2)  Regulation (EEC, Euratom, ECSC) No 259/68 of the Council of 29 February 1968 laying down the Staff Regulations and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission (OJ L 56, 4.3.1968, p. 1).
(3)  Regulation (EEC, Euratom, ECSC) No 259/68 of the Council of 29 February 1968 laying down the Staff Regulations and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission (OJ L 56, 4.3.1968, p. 1).