COMMISSION DECISION (EU) 2022/121
of 27 January 2022
laying down internal rules concerning the provision of information to data subjects and the restriction of certain of their rights in the context of processing of personal data for the purposes of handling requests and complaints under the Staff Regulations
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 249(1) thereof,
Whereas:
(1) The Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (1) (‘the Staff Regulations’), require the Commission to respond to certain requests and complaints. Those tasks are mainly carried out by Unit ‘Appeals and Case Monitoring’ of the Directorate-General responsible for Human Resources and Security (‘DG HR’), which establishes the relevant facts and assesses them from a legal point of view in order to assist the Appointing Authority or the Authority responsible for Concluding Contracts of Employment (‘the Authority’) in taking a decision.
(2) Article 22c of the Staff Regulations requires the Commission, in accordance with Articles 24 and 90 of the Staff Regulations, to put in place a procedure for the handling of complaints made by officials concerning the way in which they are treated after or as a consequence of having reported a serious irregularity pursuant to Articles 22a and 22b of the Staff Regulations (2).
(3) Article 24 of the Staff Regulations requires the Commission to assist officials in proceedings against persons perpetrating threats, insulting or defamatory acts or utterances, or attacks to person or property to which he or a member of their family is subjected by reason of his position or duties.
(4) Article 90(1) and (2) of the Staff Regulations allow any person to whom the Staff Regulations apply to request the Authority to take a decision relating to him, or to submit a complaint against a decision affecting him adversely.
(5) In the context of those activities, the Commission collects and processes relevant information. That information includes personal data, in particular identification, contact and behavioural data. The competent Commission services transmit personal data to other Commission services on ‘a need to know’ basis.
(6) The personal data are stored in a secured physical and electronic environment, to prevent unlawful access or transfer of data to persons who do not have a need to know. After the end of the processing, the data are retained in accordance with the applicable Commission rules (3).
(7) While carrying out its tasks under the Staff Regulations, the Commission is bound to respect the rights of natural persons in relation to the processing of personal data recognised by Article 8(1) of the Charter of Fundamental Rights of the European Union and by Article 16(1) of the Treaty, as well as the rights provided for in Regulation (EU) 2018/1725 of the European Parliament and of the Council (4). At the same time, the Commission is required to comply with strict rules of confidentiality and professional secrecy.
(8) In certain circumstances, it is necessary to reconcile the rights of data subjects pursuant to Regulation (EU) 2018/1725 with the need to safeguard the prevention, investigation, detection and prosecution of criminal offences and to ensure the effectiveness of the Commission’s response to allegations of harassment and other inappropriate behaviour or attacks, as well as with full respect for the fundamental rights and freedoms of other data subjects. To that effect, Article 25(1), points (b), (c), (g) and (h), of Regulation (EU) 2018/1725 provide the Commission with the possibility to restrict the application of Articles 14 to 17, 19, 20 and 35, as well as the principle of transparency laid down in Article 4(1), point (a), insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 17, 19 and 20 of that Regulation.
(9) This might, in particular, be the case as regards the provision of information about the processing of personal data to the person in respect of whom a request or complaint is submitted (‘the person concerned’), in particular where the procedure originates from a request for assistance under Article 24 of the Staff Regulations alleging harassment. The Commission may decide to restrict the provision of such information to the person concerned in order to protect the rights and freedoms of the requestor, complainant or witness pursuant to Article 25(1), point (h), of Regulation (EU) 2018/1725. The Commission may decide to do so, in particular to protect those persons against possible retaliation by the persons concerned against whom allegations in good faith were made, which however have not led to measures by the administration. In some situations it might be necessary to restrict the provision of such information to prevent harassment or other inappropriate behaviour or attacks from occurring in the Commission (in particular in the organisational entity where the person concerned works together with the requestor, complainant and or witness).
(10) It might also be necessary to restrict other rights of the person concerned when the exercise of these rights would reveal information about the requestor, complainant or a witness who has asked not to have their identity disclosed. In such a case, the Commission may decide to restrict the right of access to the statement relating to the person concerned or his or her other rights in order to protect the rights and freedoms of the requestor, complainant or witness for the reasons set out in recital 9. The Commission may decide to do so pursuant to Article 25(1), point (h), of Regulation (EU) 2018/1725.
(11) It might also be necessary to restrict the rights of the person concerned in order to safeguard a monitoring, inspection or regulatory function connected to the exercise of official authority in a case where an important objective of general public interest of the Union, namely ensuring the effectiveness of the Commission’s response to allegations of harassment and of any other inappropriate behaviour or attacks, is at stake. The combat of harassment and of any other inappropriate behaviour or attacks constitutes an important objective of general public interest of the Union, including of the Commission. In addition, the Commission has a duty to assist its staff pursuant to Article 24 of the Staff Regulations. In order not to discourage staff members from reporting perceived instances of harassment and other inappropriate behaviour or attacks and from requesting assistance in this context, which is in the public interest of the Union, it must be ensured that persons concerned do not gain knowledge of the request for assistance which concerns them. This might be particularly pertinent in cases where the Authority finds that no harassment within the meaning of the Staff Regulations occurred. In such a situation, the public interest of the Union would require that the person concerned does not gain knowledge of the request for assistance in order to preserve the recourse by staff members to the procedure under Article 24 of the Staff Regulations and to prevent new conflicts. In this respect, the Commission may decide to restrict the rights of the person concerned pursuant to Article 25(1), points (c) and (g) of Regulation (EU) 2018/1725.
(12) It might also be necessary to restrict the rights of the person concerned in order to safeguard the prevention, investigation, detection and prosecution of criminal offences, which requestors, complainants or witnesses report to the Commission in relation to the person concerned. For example, requestors, complainants and witnesses may report inappropriate behaviour and psychological and sexual harassment. In such cases, the Commission may decide to restrict the rights of the person concerned pursuant to Article 25(1), point (b) of Regulation (EU) 2018/1725.
(13) The Staff Regulations require the Commission to ensure that requests and complaints under those Regulations are handled confidentially. In order to ensure that confidentiality, while respecting the standards of protection of personal data under Regulation (EU) 2018/1725, it is necessary to adopt internal rules under which the Commission may restrict data subjects’ rights in line with Article 25(1), points (b), (c), (g) and (h) of Regulation (EU) 2018/1725.
(14) The internal rules should apply to all processing operations carried out by the Commission in the performance of its tasks regarding the handling of requests and complaints under the Staff Regulations.
(15) In order to comply with Articles 14, 15 and 16 of Regulation (EU) 2018/1725, the Commission should inform all individuals of its activities involving the processing of their personal data and of their rights, in a transparent and coherent manner, by means of a data protection notice published on the Commission’s website. Where relevant, the Commission should individually inform, by appropriate means, the data subjects involved in a request or complaint, that is to say, the requestors and complainants, persons concerned and witnesses.
(16) The Commission should handle all restrictions in a transparent manner and register each application of restrictions in the corresponding record system.
(17) As regards restrictions to the application of Article 16 of Regulation (EU) 2018/1725, which provides that where personal data have not been obtained from the data subject, the data subject has to be informed within one month at the latest, the Commission should, within one month, draw up a record describing the reasons for any restriction applied. That record should include a case-by-case assessment of the necessity and proportionality of the restriction.
(18) Pursuant to Article 25(8) of Regulation (EU) 2018/1725, controllers may defer, omit or deny the provision of information relating to the principal reasons for the application of a restriction to the data subject if providing that information would cancel the effect of the restriction. This is particularly the case with respect to restrictions to the application of Articles 16 and 35 of that Regulation.
(19) The Commission should regularly review the restrictions imposed in order to ensure that the data subject’s rights to be informed in accordance with Articles 16 and 35 of Regulation (EU) 2018/1725 are restricted only as long as such restrictions are necessary for the reasons listed in recital 8.
(20) The application of restrictions should be reviewed when replying to requests submitted under Articles 22c and 24 and Article 90(1) of the Staff Regulations and to complaints submitted under Article 22c and Article 90(2) of the Staff Regulations, or when closing such requests and complaints, whichever is earlier. Thereafter, the Commission should monitor the need to maintain any restrictions on an annual basis.
(21) In certain cases, it may prove necessary to maintain the application of a restriction, in particular a restriction of the application of Article 16 of Regulation (EU) 2018/1725, until the personal data at issue is no longer retained by the Commission. In such a case, the data subject should not be informed of the processing of his or her personal data. Such a situation could, in particular, occur where there is a high risk that providing information on the processing of personal data to the person concerned would undermine the rights and freedoms of others. This may be the case where the Authority rejects a request for assistance made in good faith for alleged inappropriate behaviour by the person concerned, and where the person concerned and the requestor work together in the same organisational entity. In such a situation, the requestor risks being subject to retaliation and the working atmosphere of the organisational entity risks being affected. In such a case, the personal data of the person concerned should only be retained for as long as the data are relevant for the handling of the request and/or complaint and for as long as the latter may be the subject of litigation.
(22) The Data Protection Officer of the European Commission should carry out an independent review of the application of restrictions, with a view to ensuring compliance with this Decision.
(23) The European Data Protection Supervisor has been consulted and delivered his opinion on 23 September 2021.
HAS ADOPTED THIS DECISION:
Article 1
Subject matter and scope
1. This Decision lays down the rules to be followed by the Commission to inform data subjects of the processing of their personal data in accordance with Articles 14, 15 and 16 of Regulation (EU) 2018/1725 when handling requests and complaints under the Staff Regulations.
It also lays down the conditions under which the Commission may restrict the application of Articles 4, 14 to 17, 19, 20 and 35 of Regulation (EU) 2018/1725, in accordance with Article 25(1), points (b), (c), (g) and (h) thereof.
2. This Decision applies to the processing of personal data by the Commission for the purposes of the handling of requests and complaints pursuant to Articles 22c and 24 and Article 90(1) and (2) of the Staff Regulations.
3. The categories of personal data covered by this Decision include identification, contact and behavioural data as well as special categories of personal data within the meaning of Article 10(1) of Regulation (EU) 2018/1725.
Article 2
Applicable exceptions and restrictions
1. Where the Commission exercises its duties with respect to data subjects’ rights under Regulation (EU) 2018/1725, it shall consider whether any of the exceptions laid down in that Regulation apply.
2. Subject to Articles 3 to 7, where the exercise of the rights and obligations provided for in Articles 14 to 17, 19, 20 and 35 of Regulation (EU) 2018/1725 in relation to personal data processed by the Commission would undermine the grounds listed in Article 25(1), points (b), (c), (g) or (h) of that Regulation, the Commission may restrict the application of:
(a) Articles 14 to 17, 19, 20 and 35 of Regulation (EU) 2018/1725; and
(b) The principle of transparency laid down in Article 4(1), point (a), of Regulation (EU) 2018/1725 insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 17, 19 and 20 of that Regulation, in order to safeguard the prevention, investigation, detection and prosecution of criminal offences, which requestors, complainants or witnesses report to the competent services of the Commission, in relation to the person concerned by allegations of harassment or other inappropriate behaviour or attacks.
3. Paragraphs 1 and 2 shall be without prejudice to the application of other Commission decisions laying down internal rules concerning the provision of information to data subjects and the restriction of certain rights under Article 25 of Regulation (EU) 2018/1725.
4. Any restriction of the rights and obligations referred to in paragraph 2 shall be necessary and proportionate taking into account the risks to the rights and freedoms of data subjects.
5. Before restrictions are applied, the Commission should carry out a ‘case-by-case’ assessment of their necessity and proportionality. Restrictions shall be limited to what is strictly necessary to achieve their objective.
Article 3
Provision of information to data subjects
1. The Commission shall publish on its website a data protection notice that informs all data subjects of its activities involving processing of their personal data for the purpose of handling requests and complaints under the Staff Regulations.
2. The Commission shall individually inform, by appropriate means, requestors and complainants, the persons concerned, as well as witnesses requested to provide information in relation to such requests or complaints, about the processing of their personal data.
3. Where the Commission restricts in accordance with Article 2, wholly or partly, the provision of information referred to in paragraph 2 to the persons concerned, whose personal data are processed for the purpose of handling requests and complaints under the Staff Regulations, it shall record and register the reasons for the restriction in accordance with Article 6.
Article 4
Right of access by data subjects, right of erasure and right to restriction of processing
1. Where the Commission restricts, wholly or partly, the right of access to personal data by data subjects, the right of erasure, or the right to restriction of processing as referred to in Articles 17, 19 and 20, respectively, of Regulation (EU) 2018/1725, it shall inform the data subject concerned, in its reply to the request for access, erasure or restriction of processing:
(a) of the restriction applied and of the principal reasons therefor;
(b) of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy in the Court of Justice of the European Union.
2. The provision of information concerning the reasons for the restriction referred to in paragraph 1 may be deferred, omitted or denied for as long as it would cancel the effect of the restriction.
3. The Commission shall record the reasons for the restriction in accordance with Article 6.
4. Where the right of access is wholly or partly restricted, the data subject may exercise his or her right of access through the intermediary of the European Data Protection Supervisor, in accordance with Article 25(6), (7) and (8) of Regulation (EU) 2018/1725.
Article 5
Communication of personal data breaches to data subjects
Where the Commission restricts the communication of a personal data breach to the data subject, as referred to in Article 35 of Regulation (EU) 2018/1725, it shall record and register the reasons for the restriction in accordance with Article 6. The Commission shall communicate the record to the European Data Protection Supervisor at the time of the notification of the personal data breach.
Article 6
Recording and registering of restrictions
1. The Commission shall record the reasons for any restriction applied pursuant to this Decision, including an assessment of the necessity and proportionality of the restriction, taking into account the relevant elements set out in Article 25(2) of Regulation (EU) 2018/1725.
2. The record shall state how the exercise of the right by the relevant data subject would undermine one or more of the applicable grounds listed in Article 25(1), points (b), (c), (g) and (h) of Regulation (EU) 2018/1725.
3. The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request.
Article 7
Duration of restrictions
1. Restrictions referred to in Articles 3, 4 and 5 shall continue to apply as long as the reasons justifying them remain applicable.
2. Where the reasons for a restriction referred to in Article 3, 4 or 5 no longer apply, the Commission shall lift the restriction.
3. It shall also provide the principal reasons for applying that restriction to the data subject and inform him or her of the possibility of lodging a complaint with the European Data Protection Supervisor at any time or of seeking a judicial remedy in the Court of Justice of the European Union.
4. The Commission shall review the application of the restrictions referred to in Articles 3, 4 and 5 when it replies to requests submitted under Articles 22c and 24 and Article 90(1) of the Staff Regulations, and to complaints, submitted under Article 22c and Article 90(2) of the Staff Regulations, or, when such requests or complaints are closed, whichever is the earlier. Thereafter, the Commission shall monitor the need to maintain any restriction on an annual basis. The review shall include an assessment of the necessity and proportionality of the restriction, taking into account the relevant elements set out in Article 25(2) of Regulation (EU) 2018/1725.
Article 8
Safeguards and storage periods
1. The Commission, respectively the Appeals and Case Monitoring Unit of DG HR shall implement safeguards to prevent abuse and unlawful access to or transfer of personal data in respect of which restrictions apply or could be applied. Such safeguards shall include technical and organisational measures such as:
(a) a clear definition of roles, responsibilities, access rights and procedural steps;
(b) a secure electronic environment to prevent unlawful or accidental access to or transfer of electronic data to unauthorised persons;
(c) a secure storage and processing of paper documents limited to what is strictly necessary to achieve the purpose of processing;
(d) due monitoring of restrictions and a periodic review of their application. The reviews referred to in point (d) shall be conducted at least every six months.
2. Restrictions shall be lifted as soon as the circumstances justifying them no longer apply.
3. The personal data shall be retained in accordance with the applicable Commission retention rules, to be defined in the records kept under Article 31 of Regulation (EU) 2018/1725. At the end of the retention period, the personal data shall be deleted, anonymised or transferred to the archives in accordance with Article 13 of Regulation (EU) 2018/1725.
Article 9
Review by the Data Protection Officer of the Commission
1. The Data Protection Officer of the Commission shall be informed, without undue delay, whenever data subjects’ rights are restricted in accordance with this Decision. Upon request, the Data Protection Officer shall be provided with access to the record and any documents containing underlying factual and legal elements.
2. The Data Protection Officer may request a review of the restriction. The Data Protection Officer shall be informed in writing of the outcome of the requested review.
3. The Commission shall document the involvement of the Data Protection Officer in each case where the rights and obligations referred to in Article 2(2) are restricted.
Article 10
Entry into force
This Decision shall enter into force on the twentieth day following that of its publication in the
Official Journal of the European Union
.
Done at Brussels, 27 January 2022.
For the Commission
The President
Ursula VON DER LEYEN
(1)
OJ L 56, 4.3.1968, p. 1
.
(2) Administrative Notice No 79-2013 of 19 December 2013‘
Update of the arrangements for submitting requests and complaints (Article 90(1) and (2) of the Staff Regulations) and requests for assistance (Article 24 of the Staff Regulations)
’.
(3) Retention of files in the Commission is regulated by the Common Commission-Level Retention List, a regulatory document in the form of a retention schedule that establishes the retention periods for the different types of Commission files (SEC(2019)900). The retention periods for personal data are indicated in the privacy notice concerning the handling of requests and complaints under the Staff Regulations.
(4) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (
OJ L 295, 21.11.2018, p. 39
).
Feedback