2023/2189
16.10.2023
GOVERNING BOARD OF THE GLOBAL HEALTH EDCTP3 JOINT UNDERTAKING DECISION N° GB/18/2023
laying down internal rules concerning restrictions of certain rights of data subjects in relation to processing of personal data in the framework of the functioning of the Global Health EDCTP3 Joint Undertaking [2023/2189]
THE GOVERNING BOARD OF THE GLOBAL HEALTH EDCTP3 JOINT UNDERTAKING,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC1 (‘Regulation (EU) 2018/1725’) (1), and in particular Article 25 thereof,
Having regard to the Council Regulation (EU) 2021/2085 of 19 November 2021 establishing the Joint Undertakings under Horizon Europe and repealing Regulations (EC) No 219/2007, (EU) No 557/2014, (EU) No 558/2014, (EU) No 559/2014, (EU) No 560/2014, (EU) No 561/2014 and (EU) No 642/2014 (2) (‘Single Basic Act’),
Having regard to the European Data Protection Supervisor (‘EDPS’) Guidance on Article 25 of Regulation (EU) 2018/1725 and internal rules of 24 June 2020 (3),
After having consulted the EDPS on 12 June 2023, in accordance with Article 41(2) of Regulation (EU) 2018/1725,
Having regard to the recommendations of the EDPS of 19 June 2023,
After having informed the staff of Global Health EDCTP3 JU,
Whereas:
1) Only legal acts adopted on the basis of the Treaties may provide for restrictions of data subjects’ rights. Where these restrictions cannot be founded on legal acts adopted based on the Treaties, Regulation (EU) 2018/1725 provides that, in matters relating to the operations of Global Health EDCTP3 JU, restrictions may be provided for by internal rules, following the assessment of the necessity and proportionality of such restrictions.
2) In accordance with Article 25(1) of the Regulation (EU) 2018/1725 restrictions to the application of Articles 14 to 22, 35 and 36 of the Regulation, as well as Article 4 of that Regulation in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 20, should be based on internal rules to be adopted by the Global Health EDCTP3 JU.
3) Within the framework of its administrative functioning, the Global Health EDCTP3 JU may conduct administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings, carry out preliminary activities related to cases of potential irregularities reported to OLAF, process whistleblowing cases, process (formal and informal) procedures of harassment, process internal and external complaints, conduct internal and external audits, carry out investigations by the Data Protection Officer (‘the DPO’) in line with Article 45(2) of Regulation (EU) 2018/1725 and (IT) security investigations handled internally or with external involvement (e.g. CERT-EU).
4) The Global Health EDCTP3 JU can also conduct investigations into potential breaches of security rules for European Union classified information (‘EUCI’), based on the Decision it intends to adopt on its security rules for protecting EUCI.
5) In the context of such administrative inquiries, audits and investigations, the Global Health EDCTP3 JU cooperates with other Union institutions, bodies, offices and agencies.
6) The Global Health EDCTP3 JU can cooperate with third countries’ national authorities and international organisations, either at their request or on its own initiative.
7) The Global Health EDCTP3 JU can also cooperate with EU Member States’ public authorities, either at their request or on its own initiative.
8) The Global Health EDCTP3 JU is involved in cases before the Court of Justice of the European Union when it either refers a matter to the Court, defends a decision it has taken and which has been challenged before the Court, or intervenes in cases relevant to its tasks. In this context, the Global Health EDCTP3 JU might need to preserve the confidentiality of personal data contained in documents obtained by the parties or the interveners.
9) To fulfil its tasks, the Global Health EDCTP3 JU collects and processes several categories of personal data, such as identification data, contact data, professional data, administrative details, data received from specific sources, electronic communications and traffic data and data related to the case such as reasoning, behavioural data, appraisals, performance and conduct data and data related to or brought forward in connection with the subject matter of the procedure or activity (4).
10) The Global Health EDCTP3 JU, represented by its Executive Director, acts as the data controller.
11) The personal data are stored securely in an electronic environment or on paper preventing unlawful access or transfer of data to persons who do not have any lawful right to access such personal data. The personal data processed are retained for no longer than necessary and appropriate for the purposes for which the data are processed for the period specified in the data protection notices, privacy statements or records of the Global Health EDCTP3 JU.
12) Under the Regulation (EU) 2018/1725, the Global Health EDCTP3 JU is therefore obliged to provide information to data subjects on those processing activities and to respect their rights as data subjects.
13) The Global Health EDCTP3 JU might be required to reconcile those rights with the objectives of administrative inquiries, audits, investigations and court proceedings. It might also be required to balance a data subject’s rights against the fundamental rights and freedoms of other data subjects. To that end, Article 25 of the Regulation (EU) 2018/1725 gives the Global Health EDCTP3 JU the possibility to restrict, under strict conditions, the application of Articles 14 to 22, 35 and 36 of the Regulation (EU) 2018/1725, as well as its Article 4 in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 20.
14) The internal rules should apply to such relevant processing operations carried out prior to the opening of the procedures referred to above, during these procedures, during the monitoring of the follow-up to the outcome of these procedures and throughout the period during which the restriction continues to apply. They should also be applicable to any assistance and cooperation provided by the Global Health EDCTP3 JU to national authorities and international organisations outside of its own administrative investigations.
15) In cases where these internal rules apply, the Global Health EDCTP3 JU must provide justifications explaining why the restrictions are strictly necessary and proportionate in a democratic society and respect the essence of the fundamental rights and freedoms.
16) Within this framework the Global Health EDCTP3 JU is bound to respect in full compliance with the relevant legislation and guidance, the fundamental rights of the data subjects during the above procedures, in particular, those relating to the right of provision of information, access and rectification, right to erasure, restriction of processing, right of communication of a personal data breach to the data subject or confidentiality of communication as enshrined in Regulation (EU) 2018/1725.
17) However, the Global Health EDCTP3 JU may be obliged to restrict the information to data subjects and other data subjects’ rights to protect, in particular, its own investigations, the investigations and proceedings of other public authorities, as well as the rights of other persons connected to its investigations or other procedures.
18) When considering whether to apply a restriction, the Global Health EDCTP3 JU shall weigh the risk to the rights and freedoms of the data subject in particular, against the risk to the rights and freedoms of other data subjects and the risk of cancelling the effect of the Global Health EDCTP3 JU’s investigations or procedures for example by destroying evidence. The risks to the rights and freedoms of the data subject concern primarily, but are not limited to, reputational risks and risks to the right of defence and the right to be heard.
19) The Global Health EDCTP3 JU may thus restrict the information for the purposes of protecting the investigation, and the fundamental rights and freedoms of other data subjects.
20) To guarantee utmost protection of the rights and freedoms of data subjects and in accordance with Article 44(1) of the Regulation (EU) 2018/1725, the DPO should be consulted in due time of any restrictions that may be applied and verify their compliance with this Decision.
21) The Global Health EDCTP3 JU should periodically monitor that the conditions justifying the restriction apply, and lift the restriction as far as they no longer apply.
22) The Controller should inform the DPO at the moment of deferral and during the revisions.
23) This Decision shall be adopted by written procedure in accordance with Article 10 of the Global Health EDCTP3 Governing Board Rules of Procedure.
HAS DECIDED AS FOLLOWS:
Article 1
Subject-matter and scope
1. This Decision lays down rules relating to the conditions under which the Global Health EDCTP3 JU in the framework of its procedures set out in Article 3 of this Decision may restrict the application of Articles 14 to 22, 35 and 36 of the Regulation (EU) 2018/1725, as well as Article 4 thereof, following Article 25 of the Regulation (EU) 2018/1725.
2. The categories of data relevant to these procedures include identification data, contact data, professional data, administrative details, data received from specific sources, electronic communications and traffic data and data related to the case, such as reasoning, behavioural data, appraisals, performance and conduct data and data related to or brought forward in connection with the subject matter of the procedure or activity.
3. Where the Global Health EDCTP3 JU performs its duties with respect to data subject’s rights under Regulation (EU) 2018/1725, it shall consider whether any of the exemptions laid down in that Regulation apply.
Article 2
Specification of the controller
The controller of the processing operations is the Global Health EDCTP3 JU, represented by its Executive Director.
Article 3
Restrictions
1. The Global Health EDCTP3 JU may restrict the application of Articles 14 to 22, 35 and 36 of the Regulation (EU) 2018/1725 and Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 20:
(a) pursuant to Article 25(1)(b), (c), (f), (g) and (h) of the Regulation (EU) 2018/1725, when conducting administrative inquiries, pre-disciplinary, disciplinary or suspension proceedings under Article 86 and Annex IX of the Staff Regulations and the Global Health EDCTP3 JU GB Decision No 17/2023, and when notifying cases to OLAF;
(b) pursuant to Article 25(1)(h) of the Regulation (EU) 2018/1725, when ensuring that Global Health EDCTP3 JU staff members may report facts confidentially where they believe there are serious irregularities, as set out in the Global Health EDCTP3 JU GB Decision No 12/2023 on internal rules concerning whistleblowing;
(c) pursuant to Article 25(1)(h) of the Regulation (EU) 2018/1725, when ensuring that Global Health EDCTP3 JU staff members are able to report to confidential counsellors in the context of a harassment procedure, as defined by the Global Health EDCTP3 JU GB Decision No 13/2023;
(d) pursuant to Article 25(1)(c), (g) and (h) of the Regulation (EU) 2018/1725, when conducting internal and external audits in relation to activities or departments of the Global Health EDCTP3 JU;
(e) pursuant to Article 25(1)(c), (d), (g) and (h) of the Regulation (EU) 2018/1725, when providing or receiving assistance to or from other Union institutions, bodies, offices and agencies or cooperating with them in the context of activities under points (a) to (d) of this paragraph and pursuant to relevant service level agreements, memoranda of understanding and cooperation agreements;
(f) pursuant to Article 25(1)(c), (g) and (h) of the Regulation (EU) 2018/1725, when providing or receiving assistance to or from third countries’ national authorities and international organisations or cooperating with such authorities and organisations, either at their request or on its own initiative;
(g) pursuant to Article 25(1)(c), (g) and (h) of the Regulation (EU) 2018/1725, when providing or receiving assistance and cooperation to and from EU Member States’ public authorities, either at their request or on its own initiative;
(h) pursuant to Article 25(1)(e) of the Regulation (EU) 2018/1725, when processing personal data in documents obtained by the parties or interveners in the context of proceedings before the Court of Justice of the European Union;
(i) pursuant to Article 25(1)(c) and (h) of the Regulation (EU) 2018/1725, when processing personal data during the investigations carried out by the DPO in line with Article 45(2) of Regulation 2018/1725;
(j) pursuant to Article 25(1)(c), (d), (g) and (h) of the Regulation (EU) 2018/1725, when processing personal data during IT security investigations handled internally or with external involvement (e.g. CERT-EU);
(k) pursuant to Article 25(1)(c), (g) and (h) of the Regulation (EU) 2018/1725, when processing personal data within the framework of the grant management or procurement procedure, after the closing date of the submission of the calls for proposals or the application of tenders.
2. As a specific application of the restrictions described in paragraph 1 above, the Global Health EDCTP3 JU may apply restrictions in the following circumstances:
(a) in relation to personal data exchanged with Commission services or other Union institutions, bodies, agencies and offices;
i. where such Commission service, Union institution, body or agency, is entitled to restrict the exercise of the listed rights on the basis of other acts provided for in Article 25 of Regulation (EU) 2018/1725 or in accordance with Chapter IX of that Regulation or with the founding acts of other Union institutions, bodies, agencies and offices;
ii. where the purpose of such a restriction by that Commission service, Union institution, body or agency would be jeopardised were the Global Health EDCTP3 JU not to apply an equivalent restriction in respect of the same personal data;
(b) in relation to personal data exchanged with competent authorities of Member States;
i. where such competent authorities of Member States are entitled to restrict the exercise of the listed rights on the basis of acts referred to in Article 23 of Regulation (EU) 2016/679 of the European Parliament and of the Council (5), or under national measures transposing Articles 13(3), 15(3) or 16(3) of Directive (EU) 2016/680 of the European Parliament and of the Council (6);
ii. where the purpose of such a restriction by that competent authority would be jeopardised were the Global Health EDCTP3 JU not to apply an equivalent restriction in respect of the same personal data.
(c) in relation to personal data exchanged with third countries or international organisations, where there is clear evidence that the exercise of those rights and obligations is likely to jeopardise the Global Health EDCTP3 JU’s cooperation with third countries or international organisations in the conduct of its tasks.
Before applying restrictions in the circumstances referred to in points (a) and (b) of the first subparagraph, the Global Health EDCTP3 JU shall consult the relevant Commission services, Union institutions, bodies, agencies, offices or the competent authorities of Member States unless it is clear to the Global Health EDCTP3 JU that the application of a restriction is provided for by one of the acts referred to in those points.
3. Where the Global Health EDCTP3 JU restricts, wholly or partly, the application of the rights referred to in paragraphs 1 and 2 above, it shall take the steps set out in Articles 5 and 6 of this Decision.
4. Where data subjects request access to their personal data processed in the context of one or more specific cases or to a particular processing operation, in accordance with Article 17 of Regulation (EU) 2018/1725, the Global Health EDCTP3 JU shall limit its assessment of the request to such personal data only.
Article 4
Specification of safeguards
1. The Global Health EDCTP3 JU shall implement safeguards to prevent abuse and unlawful access or transfer of the personal data in respect of which restrictions apply or could be applied. Such safeguards shall include technical and organisational measures and be detailed as necessary in Global Health EDCTP3 JU internal decisions, procedures and implementing rules. The safeguards shall include:
(a) clear definition of roles, responsibilities and procedural steps;
(b) paper documents shall be kept in secured cupboards and only accessible to authorised staff;
(c) all electronic data shall be stored in a secure IT application according to the Global Health EDCTP3 JU’s security standards, as well as in specific electronic folders accessible only to authorised staff. Appropriate levels of access shall be granted individually;
(d) all persons having access to the data are bound by the obligation of confidentiality;
(e) due monitoring of restrictions and a periodic review of their application.
2. In accordance with Article 5(3) of this Decision, the safeguards referred to in paragraph 1 should be subject to a periodic review.
3. The personal data shall be retained in accordance with the applicable Global Health EDCTP3 JU retention rules, to be defined in the data protection records maintained under Article 31 of the Regulation (EU) 2018/1725. The retention period shall in any event not be longer than necessary and appropriate for the purposes for which the data are processed.
Article 5
Necessity and proportionality of restrictions
1. Any restriction based on Article 3 of this Decision shall be necessary and proportionate taking into account the risks to the rights and freedoms of data subjects and respect the essence of the fundamental rights and freedoms in a democratic society.
2. If the application of restriction is considered, a necessity and proportionality test shall be carried out based on the present rules. The test shall also be conducted within the framework of the periodic review, following assessment of whether the factual and legal reasons for a restriction still apply. It shall be documented through an internal assessment note for accountability purposes on a case-by-case basis.
The Global Health EDCTP3 JU shall prepare periodic reports on the application of Article 25 of the Regulation (EU) 2018/1725.
3. Restrictions shall be temporary. They shall continue to apply as long as the reasons justifying them remain applicable, in particular, where it is considered that the exercise of the restricted right would no longer cancel the effect of the restriction imposed or adversely affect the rights or freedoms of other data subjects.
The Global Health EDCTP3 JU shall review the application of the restriction every six months from its adoption and at the closure of the relevant inquiry, procedure or investigation. Thereafter, the controller shall monitor the need to maintain any restriction every six months.
4. Where the Global Health EDCTP3 JU applies, wholly or partly, the restrictions based on Article 3 of this Decision, it shall record the reasons for the restriction, the legal ground(s) in accordance with Article 3 of this Decision, including an assessment of the necessity and proportionality of the restriction.
The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the EDPS on request.
Article 6
Obligation to Inform
1. The Global Health EDCTP3 JU shall include in the data protection notices, privacy statements or records in the sense of Article 31 of Regulation (EU) 2018/1725, published on its website and/or on the intranet informing data subjects of their rights in the framework of a given procedure, information relating to the potential restriction of these rights. The information shall cover which rights may be restricted, the reasons and the potential duration.
Without prejudice to the provisions of Article 5(4) of this Decision, the Global Health EDCTP3 JU, where proportionate, shall also inform individually all data subjects, which are considered persons concerned in the specific processing operation, of their rights concerning present or future restrictions without undue delay and in a written form.
2. Where the Global Health EDCTP3 JU restricts, wholly or partly, the rights laid out in Article 3 of this Decision, it shall inform the data subject concerned of the restriction applied and of the principal reasons thereof, and of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy in the Court of Justice of the European Union.
The provision of information referred to in paragraph 2 above may be deferred, omitted or denied if it would cancel the effect of the restriction in accordance with Article 25(8) of Regulation (EU) 2018/1725.
Article 7
Involvement of the Data Protection Officer
1. The Global Health EDCTP3 JU shall, without undue delay, consult the DPO of the Global Health EDCTP3 JU (‘the DPO’) before and during the time the controller restricts the application of data subjects’ rights, or extends the restriction, in accordance with this Decision. The controller shall provide the DPO access to the record containing the assessment of the necessity and proportionality of the restriction and to any document concerning the factual or legal context.
2. The DPO may request the controller in writing to review the application of the restrictions. The controller shall inform the DPO in writing about the outcome of the requested review.
3. The DPO shall be involved throughout the procedure. The controller shall inform the DPO when the restriction has been lifted.
4. The Global Health EDCTP3 JU shall document in writing the involvement of the DPO in the application of restrictions, including what information is shared with him or her.
Article 8
Communication of a personal data breach to the data subject
1. Where the Global Health EDCTP3 JU is under an obligation to communicate a data breach under Article 35(1) of the Regulation (EU) 2018/1725, it may, in exceptional circumstances, restrict such communication wholly or partly. It shall document in a note the reasons for the restriction, the legal ground for it under Article 3 of this Decision and an assessment of its necessity and proportionality. The note shall be communicated to the EDPS at the time of the notification of the personal data breach.
2. Where the reasons for the restriction no longer apply, the Global Health EDCTP3 JU shall communicate the personal data breach to the data subject concerned and inform him or her of the principal reasons for the restriction and of his or her right to lodge a complaint with the EDPS.
Article 9
Confidentiality of electronic communications
1. In exceptional circumstances, the Global Health EDCTP3 JU may restrict the right to confidentiality of electronic communications under Article 36 of the Regulation (EU) 2018/1725. Such restrictions shall comply with Directive 2002/58/EC of the European Parliament and of the Council.
2. Where the Global Health EDCTP3 JU restricts the right to confidentiality of electronic communications, it shall inform the data subject concerned, in its reply to any request from the data subject, of the principal reasons on which the application of the restriction is based and of his or her right to lodge a complaint with the EDPS.
3. The Global Health EDCTP3 JU may defer, omit or deny the provision of information concerning the reasons for a restriction and the right to lodge a complaint with the EDPS for as long as it would cancel the effect of the restriction. Assessment of whether this would be justified shall take place on a case-by-case basis.
Article 10
Entry into force
This Decision shall enter into force on the twentieth day following its publication in the Official Journal of the European Union.
Done at Brussels, 3 August 2023.
For the Global Health EDCTP3 Joint Undertaking Governing Board
Dr Henning GÄDEKE
Chairperson of the Governing Board
(1) OJ L 295, 21.11.2018, p. 39.
(2) OJ L 427, 30.11.2021, p. 17.
(3) Available at Guidance on Art. 25 of the Regulation 2018/1725 | European Data Protection Supervisor (europa.eu)
(4) In cases of joint controllership data shall be processed in line with the means and purposes established in the relevant agreement among the joint controllers as defined in Article 28 of Regulation (EU) 2018/1725.
(5) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ L 119, 4.5.2016, p. 1).
(6) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).
ELI: http://data.europa.eu/eli/dec/2023/2189/oj
ISSN 1977-0677 (electronic edition)