MANAGEMENT BOARD DECISION 28/2022

of 4 April 2022

on internal rules concerning restrictions of certain data subject rights in relation to the processing of personal data in the framework of activities carried out by the European Border and Coast Guard Agency

THE MANAGEMENT BOARD,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (1) (hereinafter the ‘Regulation’), and in particular Article 25 thereof,

Having regard to the Regulation (EU) 2019/1896 of the European Parliament and of the Council of 13 November 2019 on the European Border and Coast Guard and repealing Regulations (EU) No 1052/2013 and (EU) 2016/1624 (2) (hereinafter the ‘EBCG Regulation’), in particular Article 86(2) thereof,

Having consulted the European Data Protection Supervisor on 16 November 2021,

Whereas:

(1) The European Border and Coast Guard Agency (‘Agency’) is empowered to conduct administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings, in accordance with the Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the European Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (3) (‘Staff Regulations’), and with Management Board Decision 26/2018 of 25 October 2018 adopting implementing provisions regarding the conduct of administrative inquiries and disciplinary proceedings. If required, it also notifies cases to OLAF.

(2) The Agency’s staff members are under an obligation to report potentially illegal activities, including fraud and corruption, which are detrimental to the interests of the Union. Staff members are also obliged to report conduct relating to the discharge of professional duties which may constitute a serious failure to comply with the obligations of officials of the Union. This is regulated by Management Board Decision 17/2019 of 18 July 2019 adopting the Frontex Guidelines on Whistleblowing.

(3) The Agency has put in place a policy to prevent and deal effectively with actual or potential cases of psychological or sexual harassment in the workplace, as provided for in its Management Board Decision 16/2019 of 18 July 2019 adopting implementing measures pursuant to the Staff Regulations. The Decision establishes an informal procedure whereby the alleged victim of the harassment can contact the Agency’s ‘confidential’ counsellors.

(4) The Agency can also conduct investigations into potential breaches of security rules for European Union classified information (‘EUCI’), based on its security rules for protecting EUCI.

(5) The Agency is subject to both internal and external audits concerning its activities including by the European Court of Auditors. The internal audits are conducted by the Internal Audit Capability of the Agency set up by Management Board Decision 43/2020 of 9 December 2020 adopting the Agency’s amended organisational structure and relevant Decision of the Executive Director in accordance with Article 80 of the Management Board Decision 19/2019 of 23 July 2019 adopting Frontex Financial Regulation.

(6) The Agency handles external complaints in particular those received in the context of the complaints mechanism set up in accordance with Article 111 of the EBCG Regulation to monitor and ensure respect for fundamental rights in all the activities of the Agency.

(7) Participants in Frontex activities are under the obligation to report serious incidents in accordance with Article 38(3)(h) of the EBCG Regulation and Decision of the Executive Director of 19 April 2021 on Standard Operating Procedure (SOP) – Serious Incident Reporting (4). The Agency has also established a supervisory mechanism to monitor the application of the provisions of the EBCG Regulation on use of force by statutory staff, including rules on reporting and specific measures, such as those of a disciplinary nature, with regard to the use of force during deployments. This is regulated by Management Board Decision 7/2021 of 20 January 2021 establishing a supervisory mechanism to monitor the application of the provisions on the use of force by statutory staff of the European Border and Coast Guard Standing Corps. The Agency also monitors use of force by staff seconded to the Agency by the Member States for a long term, staff provided by Member States for short-term deployments and staff forming part of the reserve for rapid reaction for rapid border interventions while applying force in Frontex operational activities in accordance with the relevant Decision of the Executive Director.

(8) In the context of such administrative inquiries, audits, examination of complaints and investigations, reporting of serious incidents and monitoring activities the Agency cooperates with Member States’ (5) competent authorities, other Union institutions, bodies, offices and agencies.

(9) The Agency can cooperate with third countries’ competent authorities and international organisations, either at their request or on its own initiative.

(10) The Agency is involved in cases before the Court of Justice of the European Union and national courts when it either refers a matter to the Court, defends a decision it has taken and which has been challenged before the Court, or intervenes in cases relevant to its tasks. In this context, the Agency might need to preserve the confidentiality of personal data contained in documents obtained by the parties or the interveners.

(11) To fulfil its tasks, the Agency collects and processes information and several categories of personal data, including identification data of natural persons, contact information, professional roles and tasks, information on private and professional conduct and performance, and financial data. Hence, the Agency acts as data controller.

(12) Under the Regulation, the Agency is therefore obliged to provide information to data subjects on those processing activities and to respect their rights as data subjects.

(13) The Agency might be required to reconcile those rights with the objectives of administrative inquiries, audits, investigations, reporting of serious incidents and monitoring of the application of the provisions of the EBCG Regulation on the use of force, and court proceedings. It might also be required to balance a data subject’s rights against the fundamental rights and freedoms of other data subjects. To that end, Article 25 of the Regulation and Article 86(2) of the EBCG Regulation give the Agency the possibility to restrict, under strict conditions, the application of Articles 14 to 22, 35 and 36 of the Regulation, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 20. Unless restrictions are provided for in a legal act adopted on the basis of the Treaties, it is necessary to adopt internal rules under which the Agency is entitled to restrict those rights.

(14) The Agency might, for instance, need to restrict the information it provides to a data subject about the processing of his or her personal data during the preliminary assessment phase of an administrative inquiry or during the inquiry itself, prior to a possible dismissal of case or at the pre-disciplinary stage or where the data subject may potentially be subject to specific measures, such as those of a disciplinary nature, with regard to the use of force during deployments. In certain circumstances, providing such information might seriously affect the Agency’s capacity to conduct the inquiry or exercise its monitoring of the use of force function in an effective way, whenever, for example, there is a risk that the person concerned might destroy evidence or interfere with potential witnesses before they are interviewed.

(15) The Agency might also need to protect the rights and freedoms of witnesses as well as those of other persons involved. Similarly, the Agency might need to restrict the information it provides to a data subject about the processing of his or her personal data where providing this information might seriously affect the assessment and validation steps of reporting serious incidents process in accordance with Article 38(3)(h) of the EBCG Regulation.

(16) It might be necessary to protect the anonymity of a witness or whistle-blower who has asked not to be identified. In such a case, the Agency might decide to restrict access to the identity, statements and other personal data of such persons, in order to protect their rights and freedoms. In particular, the Agency might need to protect the anonymity of witnesses or other persons reporting incidents involving the use of force in accordance with supervisory mechanism to monitor the application of the provisions of the EBCG Regulation on the use of force. Similarly, in the context of reporting of serious incidents in accordance with Article 38(3)(h) of the EBCG Regulation, the Agency might need to protect the anonymity of participants in a Frontex activity who reported such an incident.

(17) It might be necessary to protect confidential information concerning a staff member who has contacted the Agency’s confidential counsellors. In such cases, the Agency might need to restrict access to the identity, statements and other personal data of the alleged victim, the alleged harasser and other persons involved, in order to protect the rights and freedoms of all concerned.

(18) The Agency processes personal data of its statutory staff on medical and psychological fitness, including where necessary for the authorisation to carry and use weapons in accordance with Article 82(7) of the EBCG Regulation and Management Board Decision 3/2021 of 15 January 2021 (6). Considering the sensitive nature of the medical data and in order to protect the data subject from direct access to files that could be harmful to the health and mental status of the concerned data subject, the Agency shall provide indirect access to the relevant medical information through the Agency’s medical advisor or an external medical provider for the relevant medical information and advice.

(19) The Agency should apply restrictions only when they respect the essence of fundamental rights and freedoms, are strictly necessary and are a proportionate measure in a democratic society. The Agency should give reasons explaining the justification for those restrictions.

(20) In application of the principle of accountability, the Agency should keep a record of its application of restrictions.

(21) When processing personal data exchanged with other organisations in the context of its tasks, the Agency and those organisations should consult each other on potential grounds for imposing restrictions and the necessity and proportionality of those restrictions, unless this would jeopardise the activities of the Agency.

(22) Article 25(6) of the Regulation obliges the controller to inform data subjects of the principal reasons on which the application of the restriction is based and of their right to lodge a complaint with the EDPS.

(23) Pursuant to Article 25(8) of the Regulation, the Agency is entitled to defer, omit or deny the provision of information on the reasons for the application of a restriction to the data subject if this would in any way cancel the effect of the restriction. The Agency should assess on a case-by-case basis whether the communication of the restriction would cancel its effect.

(24) The Agency should lift the restriction as soon as the conditions that justify the restriction no longer apply and assess those conditions on a regular basis.

(25) To guarantee utmost protection of the rights and freedoms of data subjects and in accordance with Article 44(1) of the Regulation, the Agency’s Data Protection Officer (‘DPO’) should be consulted in due time of any restrictions that may be applied and verify their compliance with this Decision.

(26) The Agency has laid down separate rules regarding the processing of operational personal data, in accordance with Article 90 of the EBCG Regulation, including specific internal rules on data retention of operational personal data and rules on restrictions applied to the relevant data subject rights (7),

HAS DECIDED AS FOLLOWS:

Article 1

Subject matter, scope and controllership

1. This Decision lays down rules relating to the conditions under which the Agency may restrict the application of Article 4, 14 to 22, 35 and 36 of the Regulation, pursuant to Article 25 of the Regulation and Article 86(2) of the EBCG Regulation.

This Decision applies to the processing of personal data by the Agency for the purpose of administrative tasks in accordance with Article 87(1)(h) of the EBCG Regulation.

2. In accordance with paragraph 1 and subject to the conditions set out in this Decision, the restrictions may be applied to the following rights: right of information to be provided to the data subject, right of access by the data subject, right of the data subject to rectification, erasure and restriction of processing and rights to communication of a personal data breach to the data subject and confidentiality of electronic communications.

3. The categories of personal data concerned by this Decision are both objective/hard data (e.g. identification data, contact data, professional data, administrative data, data received from specific sources, electronic communications and traffic data) and subjective/soft data (e.g. reasoning, behavioural data, appraisals, data related to performance and conduct and data related to, or brought forward in connection with, the subject matter of the procedure or activity in question).

4. The Agency, as the controller, is represented by the Executive Director. The Agency’s rules implementing the Regulation in respect of data controllership shall apply (8).

5. Data subjects shall be informed of the designated controllers through information or records published on the website and/or the intranet of the Agency.

Article 2

Restrictions

1. The Agency may restrict the application of Articles 14 to 22, 35 and 36 of the Regulation, and Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 22 in the context of the purpose of processing personal data indicated in Article 1(1) of the Decision:

(a) pursuant to Article 25(1)(b), (c), (f), (g) and (h) of the Regulation, when conducting administrative inquiries, pre-disciplinary, disciplinary or suspension proceedings under Article 86 and Annex IX of the Staff Regulations and Management Board Decision 26/2018 of 25 October 2018 adopting general implementing provisions on the conduct of administrative inquiries and disciplinary procedures, when notifying cases to OLAF and pursuant to Article 25(1)(c), (g) and (h) of the Regulation, when the DPO investigates matters directly related to his/her tasks in particular when conducting inquiries on processing activities carried out at the Agency pursuant to Article 5(11) of Management Board Decision 56/2021 of 15 October 2021. (9) The Agency may restrict some of the rights referred to in Article 1(2) of the Decision of a staff member, a person concerned or a third party in relation to any information capable of seriously affecting future or ongoing inquiries, pre-disciplinary, disciplinary or suspension proceedings including statements of witnesses and other documents;

(b) pursuant to Article 25(1)(h) of the Regulation, when ensuring that Agency staff members may report facts confidentially where they believe there are serious irregularities, as set out in Management Board Decision 17/2019 of 18 July 2019 adopting the Frontex Guidelines on Whistleblowing The Agency may restrict some of the rights referred to in Article 1(2) of the Decision of data subjects potentially implicated in the alleged wrongdoings in relation to any information which could compromise the anonymity of person reporting a serious irregularity;

(c) pursuant to Article 25(1)(h) of the Regulation, when ensuring that Agency staff members may use the support of the confidential counsellors, as defined by Management Board Decision 16/2019 of 18 July 2019 on the Frontex policy on protecting the dignity of the person and preventing psychological harassment and sexual harassment. The Agency may restrict some of the rights referred to in Article 1(2) of the Decision of alleged harassers, where necessary, to protect the anonymity of the potential victim of harassment and the anonymity of witnesses;

(d) pursuant to Article 25(1)(c), (g) and (h) of the Regulation, when conducting internal and external audits in relation to activities or departments of the Agency in particular when internal audits are conducted by the Internal Audit Capability of the Agency. The Agency may restrict some of the rights referred to in Article 1(2) of data subjects in relation to information capable of compromising the confidentiality of information gathered from the audit or interfering with the conduct of an ongoing audit;

(e) pursuant to Article 25(1)(b), (e), (g) and (h) of the Regulation, in the context of investigations from the European Public Prosecutor’s Office (EPPO). The Agency may restrict some of the rights referred to in Article 1(2) of this Decision of data subjects in relation to information necessary for ensuring proper conduct and confidentiality of investigations by the EPPO;

(f) pursuant to Article 25(1)(c), (e), (g) and (h) of the Regulation, when handling complaints including those received by the Agency in the context of the complaints mechanism set up in accordance with Article 111 of the EBCG Regulation to monitor and ensure respect for fundamental rights in all the activities of the Agency and the relevant Decision of the Executive Director. The Agency may restrict some of the rights referred to in Article 1(2) of this Decision of a staff member involved in an Agency activity (10), who is subject to a complaint, in relation to any information capable of seriously affecting the review and handling of the complaint;

(g) pursuant to Article 25(1)(c), (e), (g) and (h) of the Regulation, when handling incident reports under Article 38(3)(h) of the EBCG Regulation and Decision of the Executive Director of 19 April 2021 on Standard Operating Procedure (SOP) – Serious Incident Reporting. The Agency may restrict some of the rights referred to in Article 1(2) of this Decision of data subjects contained in the Serious Incident Report in relation to information capable of seriously affecting the validation and assessment of the Serious Incident Report as well as follow up actions and the anonymity of witnesses or other persons reporting incidents including migrants and returnees;

(h) pursuant to Article 25(1)(b), (c), (f), (g) and (h) of the Regulation, when monitoring the application of the provisions on the use of force by statutory staff of the European Border and Coast Guard Standing Corps under Article 55(5)(a) of the EBCG Regulation and Management Board Decision 7/2021 of 20 January 2021 and when monitoring the use of force by staff seconded to the Agency by the Member States for a long term, staff provided by Member States for short-term deployments and staff forming part of the reserve for rapid reaction for rapid border interventions while applying force in Frontex operational activities in accordance with the relevant Decision of the Executive Director. The Agency may restrict some of the rights referred to in Article 1(2) of this Decision of data subjects contained in a report on the use of force in relation to information (including statements of witnesses and other documents) capable of seriously affecting the verification of the report and any future or ongoing follow-up actions including inquiries, pre-disciplinary, disciplinary or suspension proceedings;

(i) pursuant to Article 25(1)(b), (c), (d), (g) and (h) of the Regulation, when providing or receiving assistance to or from other Union institutions, bodies, offices and agencies or cooperating with them in the context of activities under points (a) to (h) of this paragraph and pursuant to relevant service level agreements, memoranda of understanding and working arrangements;

(j) pursuant to Article 25(1)(b), (c), (g) and (h) of the Regulation, when providing or receiving assistance and cooperation to and from Member States’ competent national authorities, either at their request or on its own initiative in particular in the context of activities under points (f) to (h) of this paragraph and pursuant to provisions of the EBCG Regulation and Decisions of the Management Board;

(k) pursuant to Article 25(1)(b), (c), (g) and (h) of the Regulation, when providing or receiving assistance to or from competent national authorities of the third countries and international organisations or cooperating with such authorities and organisations in particular pursuant to relevant, memoranda of understanding and working arrangements;

(l) pursuant to Article 25(1)(e) of the Regulation, when processing personal data in the context of proceedings before the Court of Justice of the European Union or national courts and tribunals;

(m) pursuant to Article 25(1)(h) of the Regulation, when the handling of requests for access by staff members to their medical files related to their medical and psychological fitness, if a direct access to these files could be harmful to the data subject concerned considering the health or mental status of the data subject. In such cases the Agency shall provide indirect access to the relevant medical information through the Agency’s medical advisor or an external medical provider;

(n) pursuant to Article 25(1)(c), (d), (g) and (h) of the Regulation, when conducting security analyses which may lead to internal investigations related to cyber security incidents or IT system abuse, including external involvement of CERT-EU, ensuring internal security by means of video surveillance, access control and investigation purposes, securing communication and information systems and carrying out technical security counter-measures. The Agency may restrict some of the rights referred to in Article 1(2) of this Decision of data subjects in relation to information capable of seriously affecting those security analyses, means of ensuring internal security including access control, security investigations and technical security counter-measures.

2. Any restriction shall respect the essence of fundamental rights and freedoms and be necessary and proportionate in a democratic society.

3. A necessity and proportionality test shall be carried out on a case-by-case basis before restrictions are applied. Restrictions shall be limited to what is strictly necessary to achieve their objective.

4. For accountability purposes, the Agency shall draw up a record describing the reasons for restrictions that are applied, which grounds among those listed in paragraph 1 apply and the outcome of the necessity and proportionality test. Those records shall be part of a register, which shall be made available on request to the EDPS. The Agency shall prepare and make public periodic reports on the application of Article 25 of the Regulation.

5. When processing personal data received from other organisations in the context of its tasks, the Agency shall consult those organisations on potential grounds for imposing restrictions and the necessity and proportionality of the restrictions concerned, unless this would jeopardise the activities of the Agency.

Article 3

Risks to the rights and freedoms of data subjects

1. Assessments of the risks to the rights and freedoms of data subjects of imposing restrictions and details of the period of application of those restrictions shall be registered in the record of processing activities maintained by the Agency under Article 31 of the Regulation. They shall also be recorded in any data protection impact assessments regarding those restrictions conducted under Article 39 of the Regulation.

2. Whenever the Agency assesses the necessity and proportionality of a restriction it shall consider the potential risks to the rights and freedoms of the data subject.

3. Restrictions shall not apply where the exercise of the restricted right would deprive the restriction of its purpose or adversely affect the rights or freedoms of other data subjects.

Article 4

Safeguards and storage periods

1. The Agency shall implement safeguards to prevent abuse and unlawful access or transfer of the personal data for which restrictions apply or could be applied. Such safeguards shall include technical and organisational measures and be detailed as necessary in Decisions of the Agency’s Management Board, Decisions of the Executive Director, operational plans drawn up in accordance with Article 38 of the EBCG Regulation, internal decisions, procedures and Administrative Notices. The safeguards shall include:

(a) a clear definition of roles, responsibilities and procedural steps;

(b) if appropriate, a secure electronic environment which prevents unlawful and accidental access or transfer of electronic data to unauthorised persons;

(d) due monitoring of restrictions and a periodic review of their application.

The reviews referred to in point (d) shall be conducted at least every six months and may result in lifting restrictions in accordance with paragraph 2. The reviews shall be documented by the designated controller for accountability purposes.

2. Restrictions shall be lifted as soon as the circumstances that justify them no longer apply.

3. The personal data shall be retained in accordance with the applicable Agency retention rules, to be defined in the data protection records maintained under Article 31 of the Regulation. At the end of the retention period, the personal data shall be deleted, anonymised or transferred to archives in accordance with Article 13 of the Regulation.

Article 5

Involvement of the Data Protection Officer

1. The DPO shall be informed without undue delay whenever data subject rights are restricted in accordance with this Decision. He or she shall be given access to the associated records and any documents concerning the factual or legal context.

2. The DPO may request a review of the application of a restriction. The Agency shall inform the DPO in writing of the outcome of the review.

3. The Agency shall document the involvement of the DPO in the application of restrictions, including what information is shared with him or her.

4. The designated controllers shall inform the DPO when a restriction has been lifted.

Article 6

Information to data subjects on restrictions of their rights

1. The Agency shall include a section in the data protection notices published on its website and intranet providing general information to data subjects on potential restrictions of data subjects’ rights pursuant to Article 2(1). The information shall cover which rights may be restricted, the grounds on which restrictions may be applied and their potential duration.

2. The Agency shall inform data subjects individually, in writing and without undue delay of ongoing or future restrictions of their rights. The Agency shall inform the data subject of the principal reasons on which the application of the restriction is based, of their right to consult the DPO with a view to challenging the restriction and of their rights to lodge a complaint with the EDPS.

3. The Agency may defer, omit or deny the provision of information concerning the reasons for a restriction and the right to lodge a complaint with the EDPS for as long as it would cancel the effect of the restriction. Assessment of whether this would be justified shall take place on a case-by-case basis. As soon as it would no longer cancel the effect of the restriction, the Agency shall provide the information to the data subject.

Article 7

Communication of a personal data breach to the data subject

1. Where the Agency is under an obligation to communicate a data breach under Article 35(1) of the Regulation, it may, in exceptional circumstances, restrict such communication wholly or partly. It shall document in a note the reasons for the restriction, the legal ground for it under Article 2 and an assessment of its necessity and proportionality. The note shall be communicated to the EDPS at the time of the notification of the personal data breach.

2. Where the reasons for the restriction no longer apply, the Agency shall communicate the personal data breach to the data subject concerned and inform him or her of the principal reasons for the restriction and of his or her right to lodge a complaint with the EDPS.

Article 8

Confidentiality of electronic communications

1. In exceptional circumstances, the Agency may restrict the right to confidentiality of electronic communications under Article 36 of the Regulation. Such restrictions shall comply with Directive 2002/58/EC of the European Parliament and of the Council (11).

2. Where the Agency restricts the right to confidentiality of electronic communications, it shall inform the data subject concerned, in its reply to any request from the data subject, of the principal reasons on which the application of the restriction is based and of his or her right to lodge a complaint with the EDPS.

Article 9

Entry into force

This Decision shall enter into force on the twentieth day following that of its publication in the

Official Journal of the European Union

Done by written procedure on 4 April 2022.

For the Management Board

Marko GAŠPERLIN

Chairperson

(1)

OJ L 295, 21.11.2018, p. 39

(2)

OJ L 295, 14.11.2019, p. 1

(3) Regulation (EEC, Euratom, ECSC) No 259/68 of the Council of 29 February 1968 laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission (

OJ L 56, 4.3.1968, p. 1

(4) Executive Director Decision No R-ED-2021-51 of 19.4.2021 on Standard Operating Procedure (SOP) – Serious Incident Reporting.

(5) For the purpose of this Decision, the term ‘Member States’ includes also the States participating in the relevant development of the Schengen acquis within the meaning of the Treaty on the Functioning of the European Union and its Protocol (No 19) on the Schengen acquis integrated into the framework of the European Union.

(6) Management Board Decision 3/2021 of 15 January 2021 adopting rules for the Executive Director to authorise statutory staff to carry and use weapons, including on mandatory cooperation with the competent national authorities, and ensuring that the conditions for issuing such authorisations continue to be met by statutory staff.

(7) Management Board Decision 69/2021 of 21 December 2021 adopting rules on processing operational personal data by the Agency.

(8) Management Board Decision 56/2021 of 15 October 2021 adopting implementing rules on the application of Regulation (EU) 2018/1725 concerning the tasks, duties and powers of the Data Protection Officer as well as rules concerning Designated Controllers in Frontex.

(9) Management Board Decision 56/2021 of 15 October 2021 adopting implementing rules on the application of Regulation (EU) 2018/1725 concerning the tasks, duties and powers of the Data Protection Officer as well as rules concerning Designated Controllers in Frontex.

(10) ‘Staff involved in an Agency activity’ includes members of the teams such as Agency’s own staff or members of categories 2, 3 and 4 of the Standing Corps.

(11) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (

OJ L 201, 31.7.2002, p. 37