2014/333/EU: Commission Decision of 5 June 2014 on the protection of personal dat... (32014D0333)
EU - Rechtsakte: 19 Area of freedom, security and justice

COMMISSION DECISION

of 5 June 2014

on the protection of personal data in the European e-Justice Portal

(2014/333/EU)

THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
After consulting the European Data Protection Supervisor,
Whereas:
(1) In its communication of May 2008(1), the Commission stated that it would design and set up the European e-Justice Portal (hereinafter ‘the Portal’), to be managed in close cooperation with the Member States.
(2) The Multi-annual European e-Justice Action Plan 2009–2013(2) of 8 November 2008 entrusted the European Commission with the implementation of the Portal. The Portal was launched on 16 July 2010. The adoption of this Decision has become necessary only now since the Portal is only now ready for the first interconnection of national registers involving the processing of personal data.
(3) The Portal's objective is to contribute to the achievement of the European judicial area by facilitating and enhancing access to justice and leveraging information and communication technologies to facilitate cross-border electronic judicial proceedings and judicial cooperation.
(4) The institutions, bodies, offices and agencies of the European Union as well as the Member States when they are implementing Union law must respect fundamental rights and observe the principles recognised by the Charter of Fundamental Rights of the European Union, in particular the right to the protection of personal data stipulated in Article 8 of that Charter.
(5) Since the various Portal-related tasks and functions of the Commission and the Member States will entail different responsibilities and obligations as regards data protection, it is essential to delimit them clearly.
(6) In accordance with the specific nature of activities linked to the e-Justice Portal, developed in cooperation between the Commission and the Member States, the role of the Commission in processing personal data through the Portal is limited. It should be clarified that the Commission has no responsibility for the content of interconnected national databases made available through the Portal.
(7) Regulation (EC) No 45/2001 of the European Parliament and of the Council(3) applies to the processing of personal data by the Commission in the Portal. In this context, the Commission is in particular responsible for providing the IT infrastructure for the Portal functionalities, including the interconnection of national databases.
(8) In accordance with Regulation (EC) No 45/2001 the purposes of processing of personal data should be explicitly specified. Therefore, the processing of personal data by the Commission in the portal should only take place if it is done to provide access to interconnected national databases holding personal data, to provide interactive services allowing users to communicate directly with the appropriate authorities in another Member State, to provide access to public information targeted towards registered users, or to provide contact information.
(9) The Commission should embed in the system technologies that reflect the concept of ‘data protection by design’. In implementing that concept, a privacy and data protection impact assessment should be carried out during the design phase of the functionality associated with the processing of personal data through the Portal, as well as of other Portal functionalities. That assessment will identify the potential data protection risks involved. It will also define the appropriate measures and safeguards to be incorporated in the system to protect personal data.
(10) The Commission should perform continuous and appropriate security assessments insofar as work related to the interconnection of national databases is carried out.
(11) Only publicly available information in the interconnected national databases can be accessed through the Portal. It should not be possible to combine information from different interconnected national databases for different purposes through the Portal,
HAS ADOPTED THIS DECISION:

Article 1

Subject matter

This Decision lays down the functions and responsibilities of the European Commission in relation to data protection requirements whilst processing personal data in the European e-Justice Portal (hereinafter ‘the Portal’).

Article 2

Definitions

For the purpose of this Decision, the definitions laid down in Regulation (EC) No 45/2001 shall apply. In addition, the following definitions shall also apply:
(a) ‘European e-Justice actor’ means any representative of a Member State or a European e-Justice partner organisation who has been granted authorisation to modify (parts of) the content of the Portal;
(b) ‘Interconnected national databases’ means databases containing publicly accessible information, operated by the Member States and other bodies such as professional associations and non-profit organisations, which are interconnected through the Portal in such a way that the information available at national level can be accessed via the Portal;
(c) ‘Publicly accessible information’ means information which is accessible to the public via the internet;
(d) ‘Registered user’ means a Portal user who has registered to the Portal via the European Commission Authentication Service (ECAS), such as a ‘European e-Justice actor’.

Article 3

Data processing

The Commission shall process personal data in the Portal only in so far as this is necessary for the purpose of:
(a) providing access to interconnected national databases holding personal data;
(b) providing interactive services allowing registered users to communicate directly with the appropriate authorities in another Member State;
(c) providing access to public information targeted towards registered users;
(d) providing contact information.

Article 4

Responsibilities of Data controller

1.   The Commission shall exercise the responsibilities of data controller pursuant to Article 2(d) of Regulation (EC) No 45/2001 in accordance with its respective responsibilities within the Portal as referred to in this Article.
2.   The Commission shall ensure the availability, maintenance and security of the IT infrastructure of the Portal.
3.   The Commission shall be responsible for the following processing operations:
(a) organisation;
(b) disclosure by transmission;
(c) dissemination or otherwise making available;
(d) alignment or combination of personal data derived from the interconnected national databases or of personal data on registered users.
4.   The Commission shall define the necessary policies and apply the appropriate technical solutions to fulfil its responsibilities within the scope of the function of data controller.
5.   The Commission shall implement the technical measures required to ensure the security of personal data while in transit and during their display on the Portal, in particular the confidentiality and integrity for any transmission to and from the Portal.
6.   The Commission shall not be responsible for any data protection aspects concerning
(a) the initial collection and storage of any data derived from the interconnected national databases;
(b) any decision taken by the Member States to make such data available via the Portal;
(c) the content of any data derived from the interconnected national databases made available through the Portal.
7.   The obligations of the Commission shall not affect the responsibilities of the Member States and other bodies for the content and operation of the interconnected national databases run by them.

Article 5

Information obligations

1.   The Commission shall provide the data subjects with the information specified in Articles 11 and 12 of Regulation (EC) No 45/2001, as regards information for which the Commission is responsible under this Decision.
2.   Notwithstanding the obligations towards data subjects of the Member States and other bodies operating the interconnected national databases, the Commission shall also provide data subjects with information on whom to contact for the effective exercise of their rights to information, to access, to rectify and to object according to the applicable data protection legislation. The Commission shall refer to specific privacy statements of the Member States and other bodies.
3.   The Commission shall also make available on the Portal:
(a) translations into the languages of the Portal of Member States' privacy notices referred to in paragraph 2;
(b) a comprehensive privacy notice concerning the Portal in accordance with Articles 11 and 12 of Regulation (EC) No 45/2001, in a clear and understandable form.

Article 6

Storage of personal data

1.   As regards information exchanges from interconnected national databases, no personal data relating to the data subjects shall be stored in the Portal. All such data shall be stored in the national databases operated by the Member States or other bodies.
2.   Personal data relating to or provided by Portal users shall not be stored in the Portal, other than in cases where they have signed up as registered users. Personal data of registered users shall be stored until they request the deletion of their registration. In accordance with Article 3, personal data on European e-Justice actors or contact points will only be stored for as long as these persons fulfil their function.

Article 7

Date of effect

This Decision shall enter into force on the 20th day after its publication in the
Official Journal of the European Union
.
Done at Brussels, 5 June 2014.
For the Commission
The President
José Manuel BARROSO
(1)  COM(2008)329 final, 30.5.2008.
(2)  
OJ C 75, 31.3.2009, p. 1
.
(3)  Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (
OJ L 8, 12.1.2001, p. 1
).
Markierungen
Leseansicht