DECISION No 20/2022 OF THE ELA MANAGEMENT BOARD

of 24 November 2022

on internal rules concerning restrictions of certain data subject rights in relation to the processing of personal data in the framework of activities carried out by the European Labour Authority

(2023/C 113/10)

THE MANAGEMENT BOARD OF THE EUROPEAN LABOUR AUTHORITY,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (1) (“Regulation (EU) 2018/1725” or “Regulation”), and in particular Article 25 thereof,

Having regard to Regulation (EU) 2019/1149 of the European Parliament and of the Council of 20 June 2019 establishing a European Labour Authority, amending Regulations (EC) No 883/2004, (EU) No 492/2011, and (EU) 2016/589 and repealing Decision (EU) 2016/344 (2) (“the founding Regulation”), and in particular Article 36 thereof,

Having consulted the European Data Protection Supervisor,

Whereas:

(1) The European Labour Authority (hereinafter referred to as “ELA”) is empowered to conduct administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings, in accordance with the Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the European Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (3) (“Staff Regulations”) and with Decision No 22/2021 of 10 November 2021 of the ELA Management Board concerning the terms and conditions for internal investigations at the European Labour Authority in relation to the prevention of fraud, corruption and any illegal activity detrimental to the interests of the Union adopting implementing provisions regarding the conduct of administrative inquiries and disciplinary proceedings. If required, it also notifies cases to OLAF.

(2) The ELA is empowered to coordinate and support concerted and joint inspections in the areas within the Authority’s competence in accordance with Articles 8 and 9 of the founding Regulation.

The Authority may also, on its own initiative, suggest to the authorities of the Member States concerned that they carry out a concerted or joint inspection.

(3) ELA staff members are under an obligation to report potentially illegal activities, including fraud and corruption, which are detrimental to the interests of the Union. Staff members are also obliged to report conduct relating to the discharge of professional duties which may constitute a serious failure to comply with the obligations of officials of the Union. This is regulated by Decision No 11/2021 of 25 May 2021of the ELA Management Board.

(4) The ELA has put in place a policy to prevent and deal effectively with actual or potential cases of psychological or sexual harassment in the workplace, as provided for in its Decision No 6/2022 of 15 March 2022 of the ELA Management Board adopting implementing measures pursuant to the Staff Regulations.

The Decision establishes an informal procedure whereby the alleged victim of the harassment can contact ELA’s “confidential counsellors”.

(5) The ELA can also conduct investigations into potential breaches of security rules for European Union sensitive non-classified information, based on Article 38 of the founding Regulation.

(6) The ELA is subject to both internal and external audits concerning its activities.

(7) In the context of such administrative inquiries, audits and investigations, the ELA cooperates with other Union institutions, bodies, offices and agencies.

(8) The ELA can cooperate with third countries’ national authorities and international organisations, either at their request or on its own initiative. In the particular case of concerted and/or joint inspections, at the request of one or more Member States or on its own initiative, the Authority shall coordinate and support concerted or joint inspection in the areas within the Authority’s competence in order to achieve the objectives set out in the founding Regulation and without prejudice to the competence of the Member States and of the Union institutions.

(9) The ELA can also cooperate with EU Member States’ public authorities, either at their request or on its own initiative. In the particular case of concerted and/or joint inspections, at the request of one or more Member States or on its own initiative, the Authority shall coordinate and support concerted or joint inspection in the areas within the Authority’s competence in order to achieve the objectives set out in the founding Regulation and without prejudice to the competence of the Member States and of the Union institutions.

(10) The ELA is involved in cases before the Court of Justice of the European Union when it either refers a matter to the Court, defends a decision it has taken and which has been challenged before the Court, or intervenes in cases relevant to its tasks. In this context, the ELA might need to preserve the confidentiality of personal data contained in documents obtained by the parties or the interveners.

(11) To fulfil its tasks, the ELA collects and processes information and several categories of personal data, including identification data of natural persons, contact information, professional roles and tasks, information on private and professional conduct and performance, and financial data. The ELA, as the data controller, is represented by its Executive Director, irrespective of further delegations of the controller role within the ELA to reflect operational responsibilities for specific personal data processing operations.

(12) Under Regulation (EU) 2018/1725, the ELA is therefore obliged to provide information to data subjects on those processing activities and to respect their rights as data subjects.

(13) The ELA might be required to reconcile those rights with the objectives of administrative inquiries, audits, investigations, concerted and joint inspections and court proceedings. It might also be required to balance a data subject’s rights against the fundamental rights and freedoms of other data subjects. To that end, Article 25 of the Regulation (EU) 2018/1725 gives the ELA the possibility to restrict, under strict conditions, the application of Articles 14 to 22, 35 and 36 of the Regulation, as well as its Article 4 in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 20. Unless restrictions are provided for in a legal act adopted on the basis of the Treaties, it is necessary to adopt internal rules under which the ELA is entitled to restrict those rights.

(14) The ELA might, for instance, need to restrict the information it provides to a data subject about the processing of his or her personal data during the preliminary assessment phase of an administrative inquiry or during the inquiry itself, prior to a possible dismissal of case or at the pre-disciplinary stage. In certain circumstances, providing such information might seriously affect the ELA's capacity to conduct the inquiry in an effective way, whenever, for example, there is a risk that the person concerned might destroy evidence or interfere with potential witnesses before they are interviewed. The ELA might also need to protect the rights and freedoms of witnesses as well as those of other persons involved.

(15) It might be necessary to protect the anonymity of a witness or whistleblower who has asked not to be identified. In such a case, the ELA might decide to restrict access to the identity, statements and other personal data of such persons, in order to protect their rights and freedoms.

(16) It might be necessary to protect confidential information concerning a staff member who has contacted ELA’s “confidential counsellors” in the context of a harassment procedure. In such cases, the ELA might need to restrict access to the identity, statements and other personal data of the alleged victim, the alleged harasser and other persons involved, in order to protect the rights and freedoms of all concerned.

(17) The ELA should apply restrictions only when they respect the essence of fundamental rights and freedoms, are strictly necessary and are a proportionate measure in a democratic society. The ELA should give reasons explaining the justification for those restrictions.

(18) In application of the principle of accountability, the ELA should keep a record of its application of restrictions.

(19) When processing personal data exchanged with other organisations in the context of its tasks, the ELA and those organisations should consult each other on potential grounds for imposing restrictions and the necessity and proportionality of those restrictions, unless this would jeopardise the activities of the ELA.

(20) Article 25(6) of the Regulation obliges the controller to inform data subjects of the principal reasons on which the application of the restriction is based and of their right to lodge a complaint with the EDPS.

(21) Pursuant to Article 25(8) of the Regulation, the ELA is entitled to defer, omit or deny the provision of information on the reasons for the application of a restriction to the data subject if this would in any way cancel the effect of the restriction. The ELA should assess on a case-by-case basis whether the communication of the restriction would cancel its effect.

(22) The ELA should lift the restriction as soon as the conditions that justify the restriction no longer apply, and assess those conditions on a regular basis.

(23) To guarantee utmost protection of the rights and freedoms of data subjects and in accordance with Article 44(1) of the Regulation, the ELA DPO should be consulted in due time of any restrictions that may be applied and verify their compliance with this Decision.

(24) Articles 16(5) and 17(4) of the Regulation provide for exceptions to data subjects’ right to information and right of access. If these exceptions apply, the ELA does not need to apply a restriction under this Decision,

HAS DECIDED AS FOLLOWS:

Article 1

Subject matter and scope

1. This Decision lays down rules relating to the conditions under which the ELA may restrict the application of Articles 4, 14 to 22, 35 and 36, pursuant to Article 25 of the Regulation.

2. The ELA, as the controller, is represented by its Executive Director.

Article 2

Restrictions

1. The ELA may restrict the application of Articles 14 to 22, 35 and 36, and Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 20:

(a) pursuant to Article 25(1) (b), (c), (f), (g) and (h) of the Regulation, when conducting administrative inquiries, pre-disciplinary, disciplinary or suspension proceedings under Article 86 and Annex IX of the Staff Regulations and the Decision No 22/2021of 10 November 2021 of the ELA Management Board concerning the terms and conditions for internal investigations at the European Labour Authority in relation to the prevention of fraud, corruption and any illegal activity detrimental to the interests of the Union, and when notifying cases to OLAF;

(b) pursuant to Article 25(1)(h) of the Regulation, when ensuring that ELA staff members may report facts confidentially where they believe there are serious irregularities, as set out in Decision No 11/2021 of 25 May 2021of the ELA Management Board;

(c) pursuant to Article 25(1)(h) of the Regulation, when ensuring that ELA staff members are able to report to “confidential counsellors” in the context of a harassment procedure, as defined by Decision No 6/2022 of 15 March 2022 of the ELA Management Board adopting implementing measures pursuant to the Staff Regulations;

(d) pursuant to Article 25(1)(c), (g) and (h) of the Regulation, when conducting internal audits in relation to activities or departments of the ELA, investigations carried out by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725 and (IT) security investigations handled internally or with external involvement (e.g. CERT-EU);

(e) pursuant to Article 25(1)(b),(c), (d), (g) and (h) of the Regulation, when providing or receiving assistance to or from other Union institutions, bodies, offices and agencies or cooperating with them in the context of activities under points (a) to (d) of this paragraph, in particular concerted and joint inspections and pursuant to relevant service level agreements, memoranda of understanding, arrangements for concerted and joint inspections and cooperation agreements;

(f) pursuant to Article 25(1)(c), (g) and (h) of the Regulation, when providing or receiving assistance to or from third countries national authorities and international organisations or cooperating with such authorities and organisations, either at their request or on its own initiative;

(g) pursuant to Article 25(1)(b), (c), (g) and (h) of the Regulation, when providing or receiving assistance and cooperation to and from EU Member States’ public authorities, either at their request or on its own initiative, in particular for concerted and joint inspection activities;

(h) pursuant to Article 25(1)(e) of the Regulation, when processing personal data in documents obtained by the parties or interveners in the context of proceedings before the Court of Justice of the European Union;

2. Any restriction shall respect the essence of fundamental rights and freedoms and be necessary and proportionate in a democratic society.

3. A necessity and proportionality test shall be carried out on a case-by-case basis before restrictions are applied. Restrictions shall be limited to what is strictly necessary to achieve their objective.

4. For accountability purposes, the ELA shall draw up a record describing the reasons for restrictions that are applied, which grounds among those listed in paragraph 1 apply and the outcome of the necessity and proportionality test. Those records shall be part of a register, which shall be made available on request to the EDPS. The ELA shall prepare periodic reports on the application of Article 25 of the Regulation.

5. When processing personal data received from other organisations in the context of its tasks, the ELA shall consult those organisations on potential grounds for imposing restrictions and the necessity and proportionality of the restrictions concerned, unless this would jeopardise the activities of the ELA.

Article 3

Risks to the rights and freedoms of data subjects

1. Assessments of the risks to the rights and freedoms of data subjects of imposing restrictions and details of the period of application of those restrictions shall be registered in the record of processing activities maintained by the ELA under Article 31 of the Regulation. They shall also be recorded in any data protection impact assessments regarding those restrictions conducted under Article 39 of the Regulation.

2. Whenever the ELA assesses the necessity and proportionality of a restriction it shall consider the potential risks to the rights and freedoms of the data subject.

Article 4

Safeguards and storage periods

1. The ELA shall implement safeguards to prevent abuse and unlawful access or transfer of the personal data in respect of which restrictions apply or could be applied. Such safeguards shall include technical and organisational measures and be detailed as necessary in ELA internal decisions, procedures and implementing rules. The safeguards shall include:

(a) a clear definition of roles, responsibilities and procedural steps;

(b) if appropriate, a secure electronic environment which prevents unlawful and accidental access or transfer of electronic data to unauthorised persons;

(d) due monitoring of restrictions and a periodic review of their application.

The reviews referred to in point (d) shall be conducted at least every six months.

2. Restrictions shall be lifted as soon as the circumstances that justify them no longer apply.

3. The personal data shall be retained in accordance with the applicable retention rules, to be defined in the data protection records maintained under Article 31 of the Regulation.

At the end of the retention period, the personal data shall be deleted, anonymised or transferred to archives in accordance with Article 13 of the Regulation.

Article 5

Involvement of the Data Protection Officer

1. The ELA DPO shall be informed without undue delay before any decision to restrict data subjects’ rights is taken in accordance with this Decision. The ELA DPO shall be given access to the associated records and any documents concerning the factual or legal context.

2. The ELA DPO may request a review of the application of a restriction. The controller shall inform its DPO in writing of the outcome of the review.

3. The controller ELA shall document the involvement of the DPO in the application of restrictions, including what information is shared with him or her.

4. The controller shall inform the DPO when the restriction has been lifted.

Article 6

Right to information

1. In duly justified cases and under the conditions stipulated in this decision, the right to information may be restricted by the controller in the context of the following processing operations:

(a) the performance of administrative inquiries, pre-disciplinary and disciplinary proceedings;

(b) activities related to cases of potential irregularities reported to OLAF;

(d) (formal and informal) procedures for cases of harassment;

(e) processing internal and external complaints;

(f) internal and external audits;

(g) concerted and joint inspections, when providing or receiving assistance and cooperation to and from EU Member States’ public authorities, either at their request or on ELA own initiative;

(h) the investigations carried out by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725;

(i) (IT) security investigations handled internally or with external involvement (e.g. CERT-EU);

(j) processing personal data in documents obtained by the parties or interveners in the context of proceedings before the Court of Justice of the European Union.

The ELA shall include in the data protection notices, privacy statements or records in the sense of Article 31 of Regulation (EU) 2018/1725, published on its website and/or on the intranet informing data subjects of their rights in the framework of a given procedure, information relating to the potential restriction of these rights. The information shall cover which rights may be restricted, the reasons and the potential duration.

2. Without prejudice to the provisions of paragraph 1, the ELA, where proportionate, shall also inform individually all data subjects, which are considered persons concerned in the specific processing operation, of their rights concerning present or future restrictions without undue delay and in a written form.

3. Where the ELA restricts, wholly or partly, the provision of information to the data subjects referred to in paragraph 2, it shall record the reasons for the restriction, the legal ground in accordance with Article 2 of this Decision, including an assessment of the necessity and proportionality of the restriction.

The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request.

4. The restriction referred to in paragraph 1 shall continue to apply as long as the reasons justifying it remain applicable.

Where the reasons for the restriction no longer apply, the ELA shall provide information to the data subject on the principal reasons on which the application of a restriction is based. At the same time, the ELA shall inform the data subject of the right of lodging a complaint with the European Data Protection Supervisor at any time or of seeking a judicial remedy in the Court of Justice of the European Union.

Article 7

Right of access by data subject

1. In duly justified cases and under the conditions stipulated in this decision, the right to access may be restricted by the controller in the context of the following processing operations, where necessary and proportionate:

(a) the performance of administrative inquiries and disciplinary proceedings;

(b) activities related to cases of potential irregularities reported to OLAF;

(d) (formal and informal) procedures for cases of harassment;

(e) processing internal and external complaints;

(f) internal and external audits;

(g) concerted and joint inspections, when providing or receiving assistance and cooperation to and from EU Member States’ public authorities, either at their request or on ELA own initiative;

(h) the investigations carried out by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725;

(i) (IT) security investigations handled internally or with external involvement (e.g. CERT-EU);

(j) processing personal data in documents obtained by the parties or interveners in the context of proceedings before the Court of Justice of the European Union;

Where data subjects request access to their personal data processed in the context of one or more specific cases or to a particular processing operation, in accordance with Article 17 of Regulation (EU) 2018/1725, the ELA shall limit its assessment of the request to such personal data only.

2. Where the ELA restricts, wholly or partly, the right of access, referred to in Article 17 of Regulation (EU) 2018/1725, it shall take the following steps:

(a) it shall inform the data subject concerned, in its reply to the request, of the restriction applied and of the principal reasons thereof, and of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy in the Court of Justice of the European Union;

(b) it shall document in an internal assessment note the reasons for the restriction, including an assessment of the necessity, proportionality of the restriction and its duration.

The provision of information referred to in point (a) may be deferred, omitted or denied if it would cancel the effect of the restriction in accordance with Article 25(8) of Regulation (EU) 2018/1725.

The ELA shall review the application of the restriction every six months from its adoption and at the closure of the relevant investigation. Thereafter, the controller shall monitor the need to maintain any restriction on an annual basis.

3. The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request.

Article 8

Right of rectification, erasure and restriction of processing

1. In duly justified cases and under the conditions stipulated in this decision, the right to rectification, erasure and restriction may be restricted by the controller in the context of the following processing operations, where necessary and appropriate:

(a) the performance of administrative inquiries and disciplinary proceedings;

(b) activities related to cases of potential irregularities reported to OLAF;

(d) (formal and informal) procedures for cases of harassment;

(e) processing internal and external complaints;

(f) internal and external audits;

(g) concerted and joint inspections, when providing or receiving assistance and cooperation to and from EU Member States’ public authorities, either at their request or on ELA own initiative;

(h) the investigations carried out by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725;

(i) (IT) security investigations handled internally or with external involvement (e.g. CERT-EU);

(j) processing personal data in documents obtained by the parties or interveners in the context of proceedings before the Court of Justice of the European Union;

2. Where the ELA restricts, wholly or partly, the application of the right to rectification, erasure and restriction of processing referred to in Articles 18, 19(1) and 20(1) of Regulation (EU) 2018/1725, it shall take the steps set out in Article 6(2) of this Decision and register the record in accordance with Article 6(3) thereof.

Article 9

Provision of information to data subjects about restrictions of their rights

The ELA may defer, omit or deny the provision of information concerning the reasons for a restriction and the right to lodge a complaint with the EDPS for as long as it would cancel the effect of the restriction. Assessment of whether this would be justified shall take place on a case-by-case basis. As soon as it would no longer cancel the effect of the restriction, the ELA shall provide the information to the data subject.

Article 10

Communication of a personal data breach to the data subject

1. Where the ELA is under an obligation to communicate a data breach under Article 35(1) of the Regulation, it may, in exceptional circumstances, restrict such communication wholly or partly. It shall document in a note the reasons for the restriction, the legal ground for it under Article 2 and an assessment of its necessity and proportionality. The note shall be communicated to the EDPS at the time of the notification of the personal data breach.

2. Where the reasons for the restriction no longer apply, the ELA shall communicate the personal data breach to the data subject concerned and inform him or her of the principal reasons for the restriction and of his or her right to lodge a complaint with the EDPS.

Article 11

Confidentiality of electronic communications

1. In exceptional circumstances, the ELA may restrict the right to confidentiality of electronic communications under Article 36 of the Regulation. Such restrictions shall comply with Directive 2002/58/EC of the European Parliament and of the Council (4).

2. Where the ELA restricts the right to confidentiality of electronic communications, it shall inform the data subject concerned, in its reply to any request from the data subject, of the principal reasons on which the application of the restriction is based and of his or her right to lodge a complaint with the EDPS.

3. The ELA may defer, omit or deny the provision of information concerning the reasons for a restriction and the right to lodge a complaint with the EDPS for as long as it would cancel the effect of the restriction. Assessment of whether this would be justified shall take place on a case-by-case basis.

Article 12

Entry into force

This Decision shall enter into force on the twentieth day following that of its publication in the

Official Journal of the European Union

Done at Bratislava, 24 November 2022.

For the Management Board

Tom BEVERS

Chair of the Management Board

(1)

OJ L 295, 21.11.2018, p. 39

(2)

OJ L 186, 11.7.2019, p. 21

(3) Regulation (EEC, Euratom, ECSC) No 259/68 of the Council of 29 February 1968 laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission (

OJ L 56, 4.3.1968, p. 1

(4) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (

OJ L 201, 31.7.2002, p. 37