2023/2717
5.12.2023
EUROPEAN INVESTMENT BANK DECISION
of 9 October 2023
laying down internal rules concerning the processing of personal data by the Human Resources Directorate of the European Investment Bank in relation to the provision of information to data subjects and the restriction of certain of their rights [2023/2717]
THE EUROPEAN INVESTMENT BANK (EIB),
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 309,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (1),
Whereas:
(1) Under Article 38 of the EIB Staff Regulations I and II, disciplinary measures may be adopted against members of staff who fail to fulfil their obligations towards the EIB pursuant to the procedure set out in Article 40 of these regulations. Under Article 41 of the EIB Staff Regulations I and II, staff members may submit a request for review of an act adversely affecting them. In the context of this request, the EIB may, in some cases, offer to seek an amicable settlement with the member of staff before a Conciliation Board. The Implementing Rules on the Administrative Review further define the scope of the administrative review mechanism as well as the procedure to be followed. Pursuant to the EIB’s Policy on Dignity at Work, the EIB must deal with harassment complaints.
(2) The organisation and management of the procedures set out in Articles 40 and 41 of the EIB Staff Regulations I and II as well as in the EIB’s Policy on Dignity at Work and in the Implementing Rules on the Administrative Review is the primary responsibility of the Human Resources Directorate of the EIB.
(3) While carrying out its tasks, the Human Resources Directorate is bound to respect the rights of natural persons in relation to the processing of personal data recognised by Article 8(1) of the Charter of Fundamental Rights of the European Union and by Article 16(1) of the Treaty on the Functioning of the European Union, as well as by legal acts based on those provisions. At the same time, the Human Resources Directorate is required to comply with strict rules of confidentiality and professional secrecy referred to in the EIB Staff Regulations and in the EIB Staff Code of Conduct and to ensure the respect of procedural rights of persons concerned and witnesses, in particular the right of persons concerned to due process, the rights of defence and the presumption of innocence.
(4) In certain circumstances, it is necessary to reconcile the rights of data subjects pursuant to Regulation (EU) 2018/1725 with the purposes and needs of the Human Resources Directorate’s tasks, as well as with full respect for fundamental rights and freedoms of other data subjects. To that effect, Article 25 of this regulation provides the Human Resources Directorate with the possibility to restrict the application of Articles 14 to 21 and 35 as well as Article 4 thereof insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 21.
(5) In order to ensure the effectiveness of the procedures carried out by the Disciplinary Committee set up pursuant to Article 40 of the Staff Regulations I and II, by the service in charge of the administrative review pursuant to Article 41 of the Staff Regulations I and II and, if applicable, by the Conciliation Board set up to seek an amicable arrangement, as well as by the Dignity at Work Panel set up pursuant to the EIB’s Dignity at Work Policy while respecting the standards of protection of personal data under Regulation (EU) 2018/1725, it is necessary to adopt internal rules under which the Human Resources Directorate may restrict data subjects’ rights in accordance with Article 25(1)(c)(g) and (h) of Regulation (EU) 2018/1725.
(6) The internal rules should apply to all processing operations carried out by the Human Resources Directorate in the performance of its mandate pursuant to Articles 40 and 41 of the EIB Staff Regulations I and II and pursuant to the EIB’s Policy on Dignity at Work. Those rules should apply to processing operations carried out prior to the initiation of the procedures carried out by the Disciplinary Committee, by the service in charge of the administrative review and/or the Conciliation Board and the Dignity at Work Panel, while these procedures are ongoing and in the course of the follow-up to the outcome of these procedures.
(7) In order to comply with Articles 14, 15 and 16 of Regulation (EU) 2018/1725, the data controller should inform all individuals of its activities involving processing of their personal data and of their rights in a transparent and coherent manner in the form of the data protection notices published on the EIB intranet, as well as individually inform data subjects concerned by its activities, namely persons concerned, parties and witnesses.
(8) In addition, in order to maintain effective cooperation, the Human Resources Directorate may need to apply restrictions to data subjects’ rights to protect information containing personal data originating from other European Union institutions, bodies, offices and agencies, competent authorities of Member States and third countries, as well as from international organisations. To that effect, the Human Resources Directorate should consult those other European Union institutions, bodies, offices, agencies, authorities and international organisations on the relevant grounds for and the necessity and proportionality of the restrictions.
(9) The Human Resources Directorate should handle all restrictions in a transparent manner and register each application of restrictions in the corresponding record system.
(10) Pursuant to Article 25(8) of Regulation (EU) 2018/1725, controllers may defer, omit or deny providing information on the reasons for the application of a restriction to the data subject if this would in any way compromise the purpose of the restriction. This is, in particular, the case of restrictions to the rights provided for in Articles 16 and 35 of Regulation (EU) 2018/1725. In order to ensure that the data subject’s right to be informed in accordance with Article 16 and 35 of Regulation (EU) 2018/1725 is restricted only as long as the reasons for the deferral last, the Human Resources Directorate should regularly review its position.
(11) Where a restriction of other data subjects’ rights is applied, the Human Resources Directorate should assess on a case-by-case basis whether the communication of the restriction would compromise its purpose.
(12) The Data Protection Officer (DPO) of the EIB may carry out an independent review of the application of the restrictions, with a view to ensuring compliance with this Decision,
HAS ADOPTED THIS DECISION:
Article 1
Subject matter and scope
1. This Decision lays down the rules to be followed by the data controller, as defined in Article 2(1), to inform data subjects of the processing of their data in accordance with Articles 14, 15 and 16 of Regulation (EU) 2018/1725.
It also lays down the conditions under which the relevant data controller may restrict the application of Articles 14 to 21 and 35 as well as Article 4, of the Regulation, in accordance with Article 25(1)(c), (g) and (h) of that Regulation.
2. This Decision applies to the processing of personal data by the Human Resources Directorate for the purpose of or in relation to the activities carried out in order to fulfil its tasks referred to in Articles 40 and 41 of the EIB Staff Regulations I and II, as well as in the EIB’s Policy on Dignity at Work and subsequent amendments thereof.
3. In the framework of its mandate, the Human Resources Directorate processes several categories of personal data, particularly identification data, contact data, professional data and case involvement data.
Article 2
Specification of the controller and safeguards
1. The controller of the processing operations is the Director General of Human Resources.
2. The personal data are stored in a secured electronic and physical environment, which prevents unlawful access or transfer of data to persons who do not have a need to know.
3. The personal data processed are retained for at least six months from the starting point defined in the retention schedule. Further details on the exact length of the retention periods per procedure can be found in the Retention Schedule of the Human Resources Directorate.
Article 3
Applicable exceptions and restrictions
1. Where the Human Resources Directorate exercises its duties with respect to the data subjects’ rights pursuant to Regulation (EU) 2018/1725, it shall consider whether any of the exceptions laid down in that regulation apply.
2. Subject to Articles 4 to 7 of this Decision, the Human Resources Directorate may restrict the application of Articles 14 to 21 and 35 of Regulation (EU) 2018/1725, as well as Article 4 in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 22 of this regulation where the exercise of those rights and obligations would jeopardise the purpose of the procedures set out in Articles 40 and 41 of the EIB Staff Regulations I and II as well as in the EIB’s Policy on Dignity at Work or would adversely affect the rights and freedoms of other data subjects.
3. Subject to Articles 4 to 7 of this Decision, the Human Resources Directorate may restrict the rights and obligations referred to in paragraph 2 of this Article in relation to personal data obtained from other European Union institutions, bodies, agencies and offices, competent authorities of Member States or from international organisations, in the following circumstances:
(a) where the exercise of those rights and obligations could be restricted by other European Union institutions, bodies, agencies and offices on the basis of other acts provided for in Article 25 of the Regulation or in accordance with Chapter IX of that Regulation;
(b) where the exercise of those rights and obligations could be restricted by competent authorities of Member States on the basis of acts referred to in Article 23 of Regulation (EU) 2016/679 of the European Parliament and of the Council (2), or under national measures transposing Articles 13(3), 15(3) or 16(3) of Directive (EU) 2016/680 of the European Parliament and of the Council (3);
(c) where the exercise of those rights and obligations could jeopardise the Human Resources Directorate’s cooperation with third countries and international organisations in the conduct of its tasks.
Before applying restrictions in the circumstances referred to in points (a) and (b) of the first subparagraph, the Human Resources Directorate shall consult the relevant European Union institutions, bodies, agencies, offices or the competent authorities of Member States unless it is clear to the Human Resources Directorate that the application of a restriction is provided for by one of the acts referred to in those points.
Point (c) of the first subparagraph shall not apply where the interest of the European Union to cooperate with third countries or international organisations is overridden by the interests or fundamental rights and freedoms of the data subjects.
4. Paragraphs 1, 2 and 3 are without prejudice to the application of other EIB decisions (4) laying down internal rules concerning the provision of information to data subjects and the restriction of certain rights under Article 25 of Regulation (EU) 2018/1725.
Article 4
Provision of information to data subjects
1. The Human Resources Directorate shall publish on the EIB intranet data protection notices that inform all data subjects of its activities involving processing of their personal data, including a general data protection notice on the potential restrictions of their rights. The information shall cover the rights that may be restricted, the grounds on which restrictions may be applied and their potential duration.
2. The Human Resources Directorate shall individually inform data subjects who are parties to a procedure, persons concerned by a procedure or witnesses, by a specific data protection notice, which shall include information relating to the rights that may be restricted, the reasons for such restriction(s) and the potential duration of the restriction(s).
3. Where the Human Resources Directorate restricts, wholly or partly, the provision of information to the data subjects referred to in paragraph 2, it shall record the reasons for the restriction, including an assessment of the necessity and proportionality of the restriction. This assessment shall also document the risks for the respective procedure and for the rights and the freedoms of the data subjects.
In particular, the record shall state how the provision of the information would cancel the effect of the restriction(s) applied pursuant to Articles 3(2) and 3(3), or would adversely affect the rights and freedoms of other data subjects.
The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor (EDPS) upon request.
4. The restriction referred to in paragraph 3 shall continue to apply as long as the reasons justifying it remain applicable.
Where the reasons for the restriction no longer apply, the Human Resources Directorate shall provide the information concerned and the reasons for the restriction to the data subject. At the same time, the Human Resources Directorate shall inform the data subject of the possibility of lodging a complaint with the EDPS at any time or of seeking a judicial remedy in the Court of Justice of the European Union.
The Human Resources Directorate shall review the application of the restriction at least every six months from its adoption and at the closure of the relevant procedure. Thereafter, the controller shall monitor the need to maintain any restriction every six months.
Article 5
Right of access by data subject
1. Where the Human Resources Directorate restricts, wholly or partly, the right of access, referred to in Article 17 of this regulation, it shall take the following steps:
(a) it shall inform the data subject concerned, in its reply to the request for access, of the restriction applied, of the principal reasons thereof, of the duration of the restriction and of the possibility of lodging a complaint with the EDPS or of seeking a judicial remedy in the Court of Justice of the European Union;
(b) it shall record the reasons for the restriction, including an assessment of the necessity and proportionality of the restriction; to that end, the record shall state how the provision of the information and exercise of the right would jeopardise the purpose of the respective procedure or cancel the effect of the restrictions applied pursuant to Articles 3(2) and 3(3), or would adversely affect the rights and freedoms of other data subjects.
The provision of information referred to in point (a) may be deferred, omitted or denied in accordance with Article 25(8) of Regulation (EU) 2018/1725.
2. The record referred to in point (b) of the first subparagraph of paragraph 2 and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the EDPS on request. Article 25(7) of Regulation (EU) 2018/1725 shall apply.
3. The restriction referred to in paragraph 1 shall continue to apply as long as the reasons justifying it remain applicable.
Where the reasons for the restriction no longer apply, the Human Resources Directorate shall provide the information concerned and the reasons for the restriction to the data subject. At the same time, the Human Resources Directorate shall inform the data subject of the possibility of lodging a complaint with the EDPS at any time or of seeking a judicial remedy before the Court of Justice of the European Union.
The Human Resources Directorate shall review the application of the restriction at least every six months from its adoption and at the closure of the relevant procedure. Thereafter, the controller shall monitor the need to maintain any restriction every six months.
Article 6
Right of rectification, erasure and of restriction of processing
Where the Human Resources Directorate restricts, wholly or partly, the application of the right to rectification, erasure or the right to restriction of processing, referred to in Articles 18, 19(1) and 20(1) of Regulation (EU) 2018/1725, it shall take the steps set out in Article 5(2) and 5(3) of this Decision.
Article 7
Communication of personal data breaches to the data subject
Where the Human Resources Directorate restricts the communication of a personal data breach to the data subject, referred to in Article 35 of Regulation (EU) 2018/1725, it shall record and register the reasons for the restriction in accordance with Article 4(3) of this Decision. Article 4(4) of this Decision shall apply.
Article 8
Review by the Data Protection Officer
The Human Resources Directorate shall inform, without undue delay, the DPO before it restricts the application of data subjects’ rights in accordance with this Decision. The record and the assessment of the necessity and proportionality of the restriction shall be reviewed by the DPO. The review of the DPO will be documented.
The DPO may request the Human Resources Directorate in writing to review the application of the restrictions. The Human Resources Directorate shall inform the DPO in writing about the outcome of the requested review.
Article 9
Entry into force
This Decision, approved by the EIB’s Board of Directors on 9 October 2023, replaces the EIB’s decision laying down internal rules concerning the processing of personal data by the Human Resources Directorate of the European Investment Bank in relation to the provision of information to data subjects and the restriction of certain of their rights that was approved by EIB’s Board of Directors on 26 February 2019. The decision shall enter into force on the twentieth day after its publication in the Official Journal of the European Union.
Done at Luxembourg, 9 October 2023.
(1) OJ L 295, 21.11.2018, p. 39.
(2) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(3) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).
(4) Such as similar decisions adopted by other Directorates within the EIB.
ELI: http://data.europa.eu/eli/proc_rules/2023/2717/oj
ISSN 1977-0677 (electronic edition)