Home Über uns Sitemap Login Registrieren
Commission Decision (EU) 2025/628 of 31 March 2025 laying down internal rules con... (32025D0628)
EU - Rechtsakte: 01 General, financial and institutional matters
2025/628
1.4.2025

COMMISSION DECISION (EU) 2025/628

of 31 March 2025

laying down internal rules concerning the provision of information to data subjects and the restrictions of certain data-subjects’ rights in relation to the processing of personal data by the Commission for the purpose of the supervision, investigation, enforcement and monitoring under Regulation (EU) 2022/2065

THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (1), and in particular Article 25 thereof,
Whereas:
(1) The Commission conducts investigations for the purpose of enforcing the rules laid down in Regulation (EU) 2022/2065 (2) with respect to providers of very large online platforms and very large online search engines. To that end, it exercises powers of supervision, investigation, enforcement and monitoring conferred on the Commission by Regulation (EU) 2022/2065.
(2) The tasks of the Commission under Regulation (EU) 2022/2065 are carried out by the Directorate-General responsible for Communications Networks, Content and Technology of the Commission.
(3) In the context of exercising its supervision, investigation, enforcement, and monitoring tasks pursuant to Regulation (EU) 2022/2065, the Commission processes information. That information may include personal data of natural persons, such as individual staff of the undertaking (for example, the head of the compliance function, the single point of contact), suspects, victims, whistleblowers, informants, and witnesses as well as other natural persons whose personal data is contained in documents obtained in connection with the exercise of its supervision, investigation, enforcement and monitoring tasks by the Commission pursuant to Regulation (EU) 2022/2065.
(4) Personal data processing, within the meaning of Article 3(3) of Regulation (EU) 2018/1725, carried out in the course of investigation and enforcement activities under Regulation (EU) 2022/2065, might take place even before the Commission formally initiates proceedings pursuant to Article 66 of Regulation (EU) 2022/2065, might continue throughout the conduct of the investigation, and might continue even after the formal closure of the investigation (for example, for compliance monitoring or screening activities, assessing the need for initiating new investigative activities or legal proceedings).
(5) To fulfil its tasks under Regulation (EU) 2022/2065, the Commission processes several categories of personal data, such as identification data, contact details, case involvement data, case related data and any other information deemed necessary. Although unlikely, the categories of personal data processed might also include special categories of personal data as referred to in Article 10(1) of Regulation (EU) 2018/1725 if any of the reasons listed in Article 10(2) or (3) of that Regulation apply as well as personal data relating to criminal convictions and offences as referred to in Article 11 of Regulation (EU) 2018/1725. While carrying out its tasks under Regulation (EU) 2022/2065, the Commission is bound to respect the rights of natural persons in relation to the processing of personal data recognised by Article 8(1) of the Charter of Fundamental Rights of the European Union and by Article 16(1) of the Treaty on the Functioning of the European Union, as well as the rights provided for in Regulation (EU) 2018/1725. At the same time, the Commission, in the context of its activities under Regulation (EU) 2022/2065, is required to comply with strict rules of confidentiality and professional secrecy referred to in Article 84 of that Regulation.
(6) In certain circumstances, it is necessary to reconcile the rights of data subjects under Regulation (EU) 2018/1725 with the effective exercise of Commission’s tasks of supervision, investigation, enforcement and monitoring under Regulation (EU) 2022/2065, while ensuring full respect for the fundamental rights and freedoms of other data subjects. To that effect, Article 25(1) of Regulation (EU) 2018/1725 provides the Commission with the possibility to restrict, under certain conditions, the application of Articles 14 to 22, 35 and 36 of Regulation (EU) 2018/1725, as well its Article 4, insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 22 of Regulation (EU) 2018/1725.
(7) In certain circumstances, it is necessary to reconcile the rights of data subjects with the need to safeguard the objectives of the supervision, investigation, enforcement, and monitoring conducted under Regulation (EU) 2022/2065 as an important objective of general public interest of the Union pursuant to Article 25(1), point (c), of Regulation (EU) 2018/1725. The Commission might apply restrictions where, for instance, exercising those rights would seriously affect its capacity to conduct the investigation in an effective manner, thus hampering its objective. In such cases, there is a risk of evidence being destroyed or interfering with key actors (for example, witnesses) during an investigation.
(8) In certain circumstances, it is necessary to balance the rights of data subjects against the fundamental rights and freedoms of other persons concerned, such as victims or witnesses. In such a case, the Commission might decide to restrict access to the identity, statements, and other personal data of such persons in order to protect their rights and freedoms pursuant to Article 25(1), point (h), of Regulation (EU) 2018/1725. The Commission might decide to do so, in particular to protect those persons against possible retaliation.
(9) It is necessary to protect confidential information concerning an informant, whistleblower, or any other natural person who has reported information to the Commission in the context of the exercise of its supervision, investigation, enforcement and monitoring tasks pursuant to Regulation (EU) 2022/2065. The Commission should restrict access to the identity, statements and other personal data of such persons in order to protect the rights and freedoms of all concerned pursuant to Article 25(1), point (h), of Regulation (EU) 2018/1725. Only if the reporting person so authorises, the Commission may reveal their identity. If required by law or a judicial authority, the Commission should reveal their identity. In cases where data subjects submit a request to access their personal data, they should be given access to such personal data including that provided by a reporting person. In order to protect their confidentiality, the Commission should not provide the data subject with the name of the reporting person as well as any other information that would allow their direct or indirect identification.
(10) In addition, in order to ensure the effective application of Regulation (EU) 2022/2065, in particular with regard to the cooperation between the Commission and the Member States, the Commission might restrict the application of data subjects’ rights and thus safeguard an important objective of general public interest of the Union or of a Member State, as referred to in Article 25(1), point (c), of Regulation (EU) 2018/1725. The Commission might do so in a situation where the purpose of such a restriction by a Member State authority would be jeopardised were the Commission not to apply an equivalent restriction in respect of the same personal data. Furthermore, in order to ensure an effective application of Regulation (EU) 2022/2065, the Commission might apply restrictions to safeguard the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security in line with Article 25(1), point (b), of Regulation (EU) 2018/1725. In the application of restrictions based on Article 25(1), point (c), of Regulation (EU) 2018/1725, the Commission should consult the Member State of the important objective of the general public interest concerned on the relevant potential grounds for imposing restrictions and the necessity and proportionality of those restrictions, unless this would jeopardise the activities of the Commission. Pursuant to Article 25(1), point (g), of Regulation (EU) 2018/1725, the Commission might decide to restrict the application of data subjects’ rights to safeguard a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases mentioned above, and as referred to in Articles 25(1), points (b) and (c), of Regulation (EU) 2018/1725.
(11) The Commission should apply restrictions only when they respect the fundamental rights and freedoms laid down in the Charter, are strictly necessary and proportionate in a democratic society. The Commission should provide a justification for those restrictions.
(12) Article 25(6) of Regulation (EU) 2018/1725 requires the controller to inform data subjects of the principal reasons on which the application of the restriction is based and of their right to lodge a complaint with the European Data Protection Supervisor.
(13) Pursuant to Article 25(8) of Regulation (EU) 2018/1725, the Commission may defer, omit, or deny the provision of information relating to the principal reasons on which the application of a restriction is based to the data subject if providing that information would in any way cancel the effect of the restriction. The Commission should assess on a case-by-case basis whether the communication of the restriction would cancel its effect.
(14) The Commission should lift the restriction as soon as the conditions that justify the restriction no longer apply and assess those conditions on a regular basis.
(15) In order to comply with Articles 14, 15 and 16 of Regulation (EU) 2018/1725, the Commission should inform all data subjects of its activities involving the processing of their personal data and of their rights, in a transparent and coherent manner, by means of a data protection notice published on the Commission’s website. The Commission should individually inform, by appropriate means, whistleblowers, informants, witnesses and, where relevant for the case, individual staff of the undertaking (for example, the head of the compliance function, the single point of contact), about the processing of their personal data.
(16) Article 16(5) of Regulation (EU) 2018/1725 provides for exceptions to data subjects’ right to information. If those exceptions apply, the Commission does not need to apply a restriction to the right to information under this Decision. Exceptions under Article 16(5), point (b), of Regulation (EU) 2018/1725 are to apply where the provision of information referred to in Article 16(1) to (4) of that Regulation would prove impossible, would involve a disproportionate effort, or would be likely to render impossible or seriously impair the achievement of the objectives of that processing. In cases of data subjects not relevant to the investigation whose personal data is contained in documents collected as part of the supervision, investigation, enforcement, and monitoring pursuant to Regulation (EU) 2022/2065, other than those data subjects individually informed, the provision of such information could prove impossible or could involve a disproportionate effort. This might be the case where the Commission obtains personal data in the context of a whistleblower report or during its monitoring actions to ensure the effective implementation of and compliance with Regulation (EU) 2022/2065. Exceptions under Article 16(5), point (b), of Regulation (EU) 2018/1725 may also be applied when providing such information to suspects and victims related to a case could likely render impossible or seriously impair the achievement of the objectives of that processing.
(17) In application of the principles of transparency, fairness and accountability, the Commission should handle all exceptions and restrictions in a transparent manner and keep a record of its application of those exceptions and restrictions.
(18) To guarantee the protection of the rights and freedoms of data subjects and in accordance with Article 44(1) of Regulation (EU) 2018/1725, the Commission should involve the Data Protection Coordinator of the Directorate-General for Communications Networks, Content and Technology and the Data Protection Officer of the Commission throughout the process of applying restrictions and document that consultation. In particular, the Data Protection Coordinator should be consulted in due time on any restrictions that may be applied and verify their compliance with this Decision.
(19) The Data Protection Officer of the Commission should carry out an independent review of the application of restrictions, with a view to ensuring compliance with this Decision.
(20) The European Data Protection Supervisor has been consulted and delivered his opinion on 22 October 2024,
HAS ADOPTED THIS DECISION:

Article 1

Subject-matter

1.   This Decision lays down the rules to be followed by the Commission to inform data subjects of the processing of their personal data in accordance with Articles 14, 15 and 16 of Regulation (EU) 2018/1725 when carrying out its supervision, investigation, enforcement and monitoring tasks under Regulation (EU) 2022/2065.
2.   This Decision also lays down the conditions under which the Commission may restrict the application of Articles 4, 14 to 20 and 35 of Regulation (EU) 2018/1725, in accordance with Article 25(1), points (b), (c), (g) and (h) thereof.

Article 2

Scope

1.   This Decision applies to the processing of personal data by the Commission of the following categories of data subjects:
(a) suspects
(b) victims;
(c) whistleblowers;
(d) informants;
(e) witnesses
(f) staff of an undertaking;
(g) natural persons whose personal data is contained in the documents or other media collected as part of supervision, investigation, enforcement and monitoring pursuant to Regulation (EU) 2022/2065.
2.   This Decision applies to the processing of personal data of the following categories of personal data:
(a) identification data;
(b) contact details;
(c) case involvement data,
(d) case-related data;
(e) any other information deemed necessary to fulfil the requirements under Regulation (EU) 2022/2065, including the personal data referred to in Article 10(1) and Article 11 of Regulation (EU) 2018/1725.

Article 3

Restrictions

1.   Subject to Articles 3 to 8 of this Decision, the Commission may restrict the application of Articles 14 to 20 and 35 of Regulation (EU) 2018/1725, as well as the principle of transparency laid down in Article 4(1), point (a), of that Regulation, insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 20 of Regulation (EU) 2018/1725 where:
(a) the exercise of those rights would jeopardise the purpose of the Commission’s supervisory, investigative, enforcement, and monitoring activities under Regulation (EU) 2022/2065, in line with Article 25(1), points (c) and (g) of Regulation (EU) 2018/1725;
(b) the exercise of those rights and obligations would adversely affect the protection of the data subject or the rights and freedoms of others in line with Article 25(1), point (h), of Regulation (EU) 2018/1725;
(c) the exercise of those rights and obligations could jeopardise the Commission’s cooperation with Member States with the purpose of ensuring the effective application of Regulation (EU) 2022/2065, in line with Article 25(1), points (b), and (g), of Regulation (EU) 2018/1725.
2.   Before applying restrictions in the circumstances referred to in paragraph 1, point (c), the Commission shall consult the relevant Member States on potential grounds for imposing restrictions and the necessity and proportionality of those restrictions, unless this would jeopardise the activities of the Commission.
3.   Paragraphs 1, and 2 of this Article are without prejudice to the application of other Commission decisions laying down internal rules concerning the provision of information to data subjects and the restriction of certain rights under Article 25 of Regulation (EU) 2018/1725.
4.   Before restrictions referred to in paragraph 1 are applied, the Commission shall carry out and document a case-by-case assessment of their necessity and proportionality. Those restrictions shall be limited to what is strictly necessary to achieve their objective.

Article 4

Provision of information to data subjects

1.   The Commission shall publish, on its website, a data protection notice that informs all data subjects of its activities involving the processing of their personal data for the purpose of its supervision, investigation, enforcement and monitoring tasks under Regulation (EU) 2022/2065. The data protection notice shall provide information on the potential restriction to data subjects’ rights pursuant to Article 3. The information shall cover which rights may be restricted, the grounds on which restrictions may be applied and their potential duration.
2.   The Commission shall individually inform, by appropriate means, whistleblowers, informants, witnesses and, where relevant for the case, individual staff of the undertaking, about the processing of their personal data.
3.   Where the Commission restricts in accordance with Article 3, wholly or partly, the provision of information referred to in paragraph 1, it shall record and register the reasons for the restriction in accordance with Article 7 of this Decision. Additionally, the Commission shall inform data subjects of their right to lodge a complaint with the European Data Protection Supervisor.

Article 5

Right of access by data subject, right to rectification, right of erasure and right to restriction of processing

1.   Where the Commission restricts, wholly or partly, the right of access to data by data subjects, the right to rectification, the right of erasure, or the right to restriction of processing as referred to in Articles 17 to 20, respectively, of Regulation (EU) 2018/1725, it shall inform the data subject concerned, in its reply to the request for access, rectification, erasure or restriction of processing of the following aspects:
(a) the restriction applied and of the principal reasons thereof;
(b) the possibility of lodging a complaint with the European Data Protection Supervisor.
2.   The Commission may defer, omit or deny the provision of information concerning the reasons for a restriction and the right to lodge a complaint with the European Data Protection Supervisor for as long as it would cancel the effect of the restriction. The Commission shall assess whether this is justified on a case-by-case basis. As soon as it no longer cancels the effect of the restriction, the Commission shall provide the information to the data subject.

Article 6

Communication of personal data breaches to data subjects

1.   Where the Commission is under an obligation to communicate a personal data breach pursuant to Article 35(1) of Regulation (EU) 2018/1725, it may, in exceptional circumstances, restrict such communication wholly or partly. It shall record and register the reasons for the restriction, the legal ground for it under Article 3, and an assessment of its necessity and proportionality. The record shall be communicated to the European Data Protection Supervisor at the time of the notification of the personal data breach.
2.   Where the reasons for the restriction no longer apply, the Commission shall communicate the personal data breach to the data subject concerned and inform him or her of the principal reasons for the restriction and of his or her right to lodge a complaint with the European Data Protection Supervisor.
3.   Where the Commission notifies the personal data breach to the European Data Protection Supervisor pursuant to Article 34(1) of Regulation (EU) 2018/1725, it shall include the record it made pursuant to Article 7 of this Decision.

Article 7

Recording and registering of restrictions

1.   The Commission shall record the reasons for any restriction applied pursuant to this Decision, the legal ground for it, an assessment of the risks to the rights and freedoms of data subjects of imposing a restriction, and an assessment of the necessity and proportionality of the restriction taking into account the relevant elements in Article 25(2) of Regulation (EU) 2018/1725.
2.   The record shall state how the exercise of the right by the relevant data subject undermines one or more of the applicable grounds set out in Article 25(1), points (b), (c), (g) and (h), of Regulation (EU) 2018/1725.
3.   The record and, where applicable, the documents containing the underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request.
4.   The Commission shall prepare periodic reports on the application of restrictions in line with Article 25 of the Regulation (EU) 2018/1725 under this Decision.

Article 8

Duration of restrictions

1.   The restrictions referred to in Articles 4, 5 and 6 shall continue to apply for as long as the reasons justifying them remain applicable and lifted as soon as those reasons no longer apply.
2.   Where the reasons for a restriction no longer apply, the Commission shall lift the restriction.
3.   It shall also provide the reasons for applying that restriction to the data subject and inform them of the possibility of lodging a complaint with the European Data Protection Supervisor at any time or of seeking a judicial remedy in the Court of Justice of the European Union.
4.   The Commission shall review the application of the restrictions referred to in Articles 4, 5 and 6 every six months and at the closure of the file. The review shall include an assessment of the necessity and proportionality of the restriction taking into account the relevant elements listed in Article 25(2) of Regulation (EU) 2018/1725.

Article 9

Safeguards and retention

1.   The Commission shall implement safeguards to prevent abuse and unlawful access to or transfer of personal data in respect of which restrictions or exceptions apply or could be applied. Such safeguards shall include technical and organisational measures such as:
(a) a clear definition of roles, responsibilities, procedural steps and access rights;
(b) a secure electronic environment which prevents unlawful or accidental access to or transfer of electronic data to unauthorised persons;
(c) a secure storage and processing of paper documents limited to what is strictly necessary to achieve the purpose of processing;
(d) due monitoring of restrictions and a periodic review of their application. The reviews shall be conducted at least every six months and at the closure of the file.
2.   The personal data shall be retained in accordance with the applicable Commission retention rules to be defined in the records of processing kept under Article 31 of Regulation (EU) 2018/1725. At the end of the retention period, the personal data shall be deleted, anonymised or transferred to the archives in accordance with Article 13 of Regulation (EU) 2018/1725.

Article 10

Involvement of the Data Protection Coordinator and the Data Protection Officer of the Commission

1.   The Data Protection Coordinator of the Directorate-General for Communications Networks, Content and Technology shall be consulted before any restrictions are applied and shall verify their compliance with this Decision.
2.   The Data Protection Officer of the Commission shall be informed, without undue delay, whenever a data subject’s rights are restricted in accordance with this Decision. Upon request, the Data Protection Officer of the Commission shall be given access to the record and any documents containing the underlying factual and legal elements.
3.   The Data Protection Officer may request a review of the application of a restriction and shall be informed in writing of the outcome of such review.
4.   The Commission shall document the involvement of the Data Protection Officer of the Commission and the Data Protection Coordinator, including what information is shared with them, in each case where the rights and obligations referred to in Article 3(1) are restricted.

Article 11

Entry into force

This Decision shall enter into force on the twentieth day following that of its publication in the
Official Journal of the European Union
.
Done at Brussels, 31 March 2025.
For the Commission
The President
Ursula VON DER LEYEN
(1)  
OJ L 295, 21.11.2018, p. 39
, ELI:
http://data.europa.eu/eli/reg/2018/1725/oj
.
(2)  Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (
OJ L 277, 27.10.2022, p. 1
, ELI:
http://data.europa.eu/eli/reg/2022/2065/oj
).
ELI: http://data.europa.eu/eli/dec/2025/628/oj
ISSN 1977-0677 (electronic edition)
Markierungen
Leseansicht