Council Decision (EU) 2021/1093 of 28 June 2021 laying down implementing rules co... (32021D1093)

COUNCIL DECISION (EU) 2021/1093

of 28 June 2021

laying down implementing rules concerning the Data Protection Officer of the Council, the application of Regulation (EU) 2018/1725 of the European Parliament and of the Council, and restrictions of data subjects’ rights in the context of the exercise of the tasks of the Data Protection Officer of the Council, and repealing Council Decision 2004/644/EC

THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 240(3) thereof,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (1), and in particular Article 45(3) thereof,
Whereas:
(1) Regulation (EU) 2018/1725 sets out principles and rules applicable to all Union institutions and bodies and provides for the appointment by each Union institution or body of a data protection officer.
(2) Article 45(3) of Regulation (EU) 2018/1725 requires the adoption of implementing rules concerning the data protection officer by each Union institution or body (the ‘implementing rules’). The implementing rules should in particular concern the tasks, duties and powers of the Data Protection Officer of the Council and of the General Secretariat of the Council (‘DPO’).
(3) The implementing rules should lay down the procedures for the exercise of the rights of the data subjects and for the fulfilment of the obligations of all relevant actors within the Council and the General Secretariat of the Council (‘GSC’) relating to the processing of personal data.
(4) Regulation (EU) 2018/1725 provides for clear responsibilities of data controllers, in particular with regard to the rights of data subjects. The implementing rules should ensure that the Council and the GSC fulfil their responsibilities as a controller in a uniform and transparent manner. Rules should be set out in order to identify who is responsible for a processing operation which is carried out on behalf of the Council or the GSC. In this respect, it is appropriate to introduce the concept of a ‘delegated controller’ in order to indicate precisely the responsibilities of the entities of the GSC, in particular as regards individual decisions concerning data subjects’ rights. In addition, it is appropriate to introduce the concept of an ‘operational controller’ who, under the responsibility of the delegated controller, is designated to ensure compliance in practice, and to process requests from data subjects with regard to a processing operation. In order to indicate precisely the responsibilities in the GSC for each processing activity, the operational controller should be indicated precisely in the record kept in the register. The appointment of an operational controller does not prevent the use in practice of a contact point, for example in the form of a functional mailbox to be made available for data subjects’ requests.
(5) In certain cases, several GSC directorates-general or services jointly carry out a processing operation in order to fulfil their mission. In such cases, they should ensure that internal arrangements are in place in order to determine in a transparent manner their respective responsibilities under Regulation (EU) 2018/1725, in particular with regard to the rights of the data subjects, notification to the European Data Protection Supervisor (‘EDPS’) and record keeping.
(6) In order to facilitate the exercise of the responsibilities of the delegated controllers, each GSC directorate-general or other service should appoint a data protection coordinator. The data protection coordinators should assist the GSC directorate-general or other service in all aspects of the protection of personal data and participate in the network of data protection coordinators in the GSC in order to ensure coherent implementation and interpretation of Regulation (EU) 2018/1725.
(7) Pursuant to point (b) of Article 45(1) of Regulation (EU) 2018/1725, the DPO could issue additional guidance on the function of the data protection coordinator.
(8) Article 25(1) of Regulation (EU) 2018/1725 provides each Union institution or body with the possibility to restrict the application of Articles 14 to 17, 19, 20 and 35 of that Regulation, as well as the principle of transparency laid down in Article 4(1), point (a), thereof, insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 17, 19 and 20 of that Regulation.
(9) In certain cases, the DPO may need to restrict data subjects’ rights in order to perform the monitoring, investigative, auditing or consultative tasks set out in Article 45 of Regulation (EU) 2018/1725 while respecting the standards of protection of personal data under that Regulation. It is necessary to adopt internal rules under which the DPO may restrict data subjects’ rights in accordance with Article 25 thereof (the ‘internal rules’).
(10) The internal rules should apply to all data processing operations carried out by the Council and the GSC in the performance of the monitoring, investigative, auditing or consultative tasks of the DPO. The internal rules should also apply to processing operations which form part of the tasks linked to the investigative or auditing function of the DPO, such as complaint processes conducted by the DPO. The internal rules should also apply to the monitoring of the DPO and the consultations of the DPO where the DPO provides assistance and cooperation to GSC directorates-general and services outside of its administrative investigations and audits.
(11) The Council and the GSC may need to apply restrictions based on the grounds referred to in Article 25(1), points (c), (g) and (h), of Regulation (EU) 2018/1725 to data processing operations carried out in the framework of the monitoring, investigative, auditing or consultative tasks of the DPO when it is necessary to protect the tasks of the DPO, related investigations and proceedings, the tools and methods of DPO investigations and audits, as well as the rights of other persons related to the tasks of the DPO.
(12) In order to maintain effective cooperation, the Council and the GSC may need to apply restrictions to data subjects’ rights to protect information containing personal data originating from other GSC directorates-general and services, or other Union institutions or bodies. To that effect, the DPO should consult those directorates-general and services or other institutions or bodies on the relevant grounds for, and on the necessity and proportionality of, such restrictions.
(13) The DPO and, where relevant, GSC directorates-general and services should handle all restrictions in a transparent manner and register each application of restrictions in the corresponding record system.
(14) Pursuant to Article 25(8) of Regulation (EU) 2018/1725, the controllers may defer or refrain from providing information on the reasons for the application of a restriction to the data subject if this would in any way compromise the purpose of the restriction. In particular, where a restriction of the rights provided for in Articles 16 and 35 of that Regulation is applied, the notification of such a restriction would compromise the purpose of the restriction. In order to ensure that the data subject’s right to be informed in accordance with those Articles is restricted only as long as the reasons for the deferral last, the DPO or the GSC directorate-general or service applying the restriction should regularly review its position.
(15) Where a restriction of other data subjects’ rights is applied, the DPO should assess, on a case-by-case basis, whether the communication of the restriction would compromise its purpose.
(16) The DPO should carry out an independent review of the application of restrictions based on this Decision by other GSC directorates-general or services, with a view to ensuring compliance with this Decision.
(17) Any restriction applied on the basis of this Decision should be necessary and proportionate in a democratic society.
(18) The EDPS was informed and consulted in accordance with Article 41(1) and (2) of Regulation (EU) 2018/1725 and delivered an opinion (2).
(19) The implementing rules of Regulation (EU) 2018/1725 are without prejudice to Regulation (EC) No 1049/2001 of the European Parliament and of the Council (3), to Council Decision 2004/338/EC, Euratom (4), and in particular Annex II thereto, to Council Decision 2013/488/EU (5), and in particular Section VI of Part II of the Annex thereto, as well as to the Decision of the Secretary-General of the Council/High Representative for Common Foreign and Security Policy of 25 June 2001 (6).
(20) Council Decision 2004/644/EC (7) lays down implementing rules concerning Regulation (EC) No 45/2001 of the European Parliament and of the Council. Regulation (EU) 2018/1725 repealed Regulation (EC) No 45/2001 with effect from 11 December 2019. In order to ensure that only one set of implementing rules is applicable, Decision 2004/644/EC should be repealed,
HAS ADOPTED THIS DECISION:

SECTION 1

GENERAL PROVISIONS

Article 1

Subject matter and scope

1.   This Decision lays down rules and procedures for the application of Regulation (EU) 2018/1725 by the Council and the General Secretariat of the Council (GSC) and sets out further implementing rules concerning the Data Protection Officer of the Council (DPO).
2.   This Decision lays down the rules to be followed by the Council and the GSC, in relation to the monitoring, investigative, auditing or consultative tasks of the DPO, when informing data subjects of the processing of their personal data in accordance with Articles 14, 15 and 16 of Regulation (EU) 2018/1725.
3.   This Decision lays down the conditions under which the Council and the GSC, in relation to the monitoring, investigative, auditing or consultative activities of the DPO, may restrict the application of Articles 4, 14 to 17, 19, 20 and 35 of Regulation (EU) 2018/1725, in accordance with Article 25(1), points (c), (g) and (h), of that Regulation.
4.   This Decision applies to the processing of personal data by the Council and the GSC for the purpose of or in relation to the tasks of the DPO referred to in Article 45 of Regulation (EU) 2018/1725.

Article 2

Controllership

For the purposes of this Decision, the Council and the GSC shall be considered to be the controller within the meaning of Article 3, point (8), of Regulation (EU) 2018/1725.

Article 3

Definitions

For the purposes of this Decision, the following definitions apply:
(1) ‘Data Protection Officer’ (DPO) means the person designated by the Secretary-General of the Council pursuant to Article 43 of Regulation (EU) 2018/1725;
(2) ‘DPO tasks’ means the tasks referred to in Article 45 of Regulation (EU) 2018/1725;
(3) ‘GSC staff’ means all GSC officials and any other person covered by the Staff Regulations of officials of the European Union and the Conditions of Employment of other servants of the Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (8) (the ‘Staff Regulations’), or working for the GSC on a contractual basis (namely trainees, consultants, contractors, officials seconded by Member States);
(4) ‘delegated controller’ means the head of the GSC directorate-general or service which, alone or jointly with others, determines the purposes and means of the processing of personal data on behalf of the Council or the GSC in fulfilment of the mission of that directorate-general or service;
(5) ‘operational controller’ means the GSC staff member at middle or senior management level who is designated by the delegated controller to assist him or her in ensuring compliance with Regulation (EU) 2018/1725 for the processing operations for which he or she is responsible, and to serve as the primary contact point for data subjects;
(6) ‘data protection coordinator’ means the GSC staff member designated in each GSC directorate-general or other service in consultation with the DPO to assist that directorate-general or service in all aspects of the protection of personal data and to deal as its representative with data protection issues in close cooperation with the DPO.

SECTION 2

THE DATA PROTECTION OFFICER

Article 4

Designation and status of the DPO

1.   The Secretary-General of the Council shall designate the DPO from the staff of the GSC and register him or her with the European Data Protection Supervisor (‘EDPS’), in accordance with Article 43 of Regulation (EU) 2018/1725.
2.   The DPO shall be selected on the basis of his or her professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 45 of Regulation (EU) 2018/1725. The DPO shall also have a sound knowledge of the GSC, its structure and its administrative rules and procedures. For the purposes of performing his or her tasks, the DPO shall be relieved of any other task within the GSC.
3.   The DPO is designated for a term of five years and shall be eligible for reappointment.
4.   The DPO and his or her staff are directly attached to the Secretary-General of the Council and report directly to him or her.
5.   In performing his or her tasks, the DPO shall act in an independent manner and shall not receive any instruction from the Secretary-General of the Council, from the delegated controllers or the operational controllers or from anyone else regarding the internal application of the provisions of Regulation (EU) 2018/1725 or his or her cooperation with the EDPS.
6.   The Council and the GSC shall support the DPO in performing the tasks referred to in Article 45 of Regulation (EU) 2018/1725 by providing the resources necessary to carry out those tasks and provide access to personal data and processing operations, and to maintain his or her expert knowledge.
7.   The DPO shall not be dismissed or penalised for performing his or her tasks. The DPO may only be dismissed in accordance with Article 44(8) of Regulation (EU) 2018/1725. For the purpose of obtaining the consent of the EDPS to such a dismissal pursuant to that Article, the EDPS shall be consulted in writing. A copy of that consent shall be sent to the DPO.
8.   The GSC, in particular the delegated controllers and the operational controllers, shall ensure that the DPO is involved properly and in a timely manner in all issues which relate to the protection of personal data.

Article 5

Tasks and duties

1.   The DPO shall exercise all the tasks foreseen in Article 45 of Regulation (EU) 2018/1725. In particular, the DPO shall:
(a) ensure the application and implementation of Regulation (EU) 2018/1725 by the Council and the GSC, and monitor compliance with that Regulation and the applicable legal framework on the protection of personal data;
(b) advise the Secretary-General of the Council, the delegated controllers and the operational controllers on matters concerning the application of data protection provisions;
(c) advise and assist the delegated controllers and the operational controllers when carrying out a data protection impact assessment in accordance with Articles 39 and 40 of Regulation (EU) 2018/1725;
(d) ensure that the rights and freedoms of data subjects are not adversely affected by processing operations;
(e) raise awareness on the applicable legal framework on the protection of personal data and contribute to creating a culture of protection of personal data within the GSC.
The DPO may be consulted by the Secretary-General of the Council, the controllers concerned, the Staff Committee and by any individual, without going through the official channels, on any matter concerning the application or implementation of Regulation (EU) 2018/1725.
2.   The DPO shall keep a register of records of processing activities and shall make it publicly available, in accordance with Article 12.
3.   The DPO shall keep an internal register of personal data breaches within the meaning of Article 3, point (16), of Regulation (EU) 2018/1725.
4.   The DPO shall advise the delegated controller, where requested, on the application of a restriction of the application of Articles 14 to 22, 35 and 36, as well as Article 4 of Regulation (EU) 2018/1725.
5.   The DPO shall organise and chair regular meetings of data protection coordinators.
6.   The DPO shall submit an annual report on his or her activities to the Secretary-General of the Council and make it available to GSC staff.
7.   The DPO shall cooperate with the data protection officers designated by the other Union institutions and bodies and shall regularly attend meetings convened by the EDPS or the data protection officers of the other Union institutions and bodies with a view to facilitating good cooperation, in particular by exchanging experience and best practices.
8.   The DPO shall be considered the delegated controller for the processing operations carried out in the exercise of his or her tasks.

Article 6

Powers

In performing his or her tasks and duties, the DPO:
(a) shall have access at all times to the data forming the subject-matter of processing operations and to all offices, data-processing installations and data carriers;
(b) may request legal opinions from the Council Legal Service;
(c) may request other support from the relevant GSC directorates-general and services;
(d) may assign files to the GSC directorates-general and services concerned for appropriate follow-up;
(e) may perform investigations on request, or on his or her own initiative, into matters and occurrences directly relating to the DPO tasks in accordance with the procedure set out in Article 14;
(f) may propose administrative measures to the Secretary-General of the Council and issue general recommendations on the appropriate application of Regulation (EU) 2018/1725;
(g) may make recommendations for the practical improvement of the application of Regulation (EU) 2018/1725 to the GSC, the delegated controllers and operational controllers, including:
(i) calling upon the delegated controller or the processor to comply with a data subject’s request for the exercise of his or her rights pursuant to Regulation (EU) 2018/1725;
(ii) issuing warnings to the delegated controller or the processor where a processing operation infringes provisions of Regulation (EU) 2018/1725, and calling upon them to bring processing operations into compliance, where appropriate, in a specified manner and within a specified period;
(iii) calling upon the delegated controller or the processor to suspend data flows to a recipient in a Member State, to a third country or to an international organisation;
(iv) requesting the delegated controller or the processor to report within a set deadline to the DPO on the follow-up given to the DPO’s recommendation or advice;
(h) may request the services of external information and communication technologies experts upon prior agreement of the authorising officer in compliance with Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council (9);
(i) shall be invited to the relevant management boards and committees of the GSC whenever issues relating to the processing of personal data are discussed and may propose relevant points on the agenda of those boards and committees;
(j) may bring to the attention of the Appointing Authority of the GSC any failure of a GSC staff member to comply with the obligations under Regulation (EU) 2018/1725 and suggest that an administrative investigation be launched with a view to the possible application of the sanctions provided for in Article 69 of that Regulation;
(k) shall be responsible for initial decisions on requests for access to documents held by his or her office under Regulation (EC) No 1049/2001, in consultation with the relevant services of the GSC.

SECTION 3

RIGHTS AND OBLIGATIONS OF ACTORS IN THE FIELD OF DATA PROTECTION

Article 7

Consultation of and provision of information to the DPO

1.   Controllers shall involve the DPO when planning and discussing an activity that involves the processing of personal data. The DPO shall be informed of any processing operation as well as of any substantial change in an existing processing operation.
2.   The DPO shall be informed about draft internal notes and decisions of the GSC directly relating to the internal application of Regulation (EU) 2018/1725.
3.   The DPO shall be informed of all contacts with external parties relating to the internal application of Regulation (EU) 2018/1725 and of any interaction with the EDPS, in particular where the EDPS is consulted or informed pursuant to Articles 40 and 41 of that Regulation.
4.   The DPO shall be consulted on draft arrangements between joint controllers and on draft data protection contractual clauses or other legal acts where personal data is processed by a processor.

Article 8

Delegated controllers

1.   Delegated controllers shall be responsible for ensuring that all processing operations under their control comply with Regulation (EU) 2018/1725.
2.   In particular, delegated controllers shall:
(a) designate an operational controller to assist the delegated controller in ensuring compliance with Regulation (EU) 2018/1725, in particular vis-à-vis data subjects;
(b) maintain the records of processing activities under their responsibility and ensure that the records and the related privacy statement are submitted by the operational controller to the DPO to be entered into the register referred to in Article 12;
(c) be responsible for the activities of processors and sub-processors who process personal data on their behalf and ensure that the processing is governed by a contract or other legal act in accordance with Article 29(3) of Regulation (EU) 2018/1725.
3.   Delegated controllers shall ensure that the DPO is involved in a timely manner in all issues relating to personal data and put appropriate arrangements in place in order to ensure that the data protection coordinator is involved properly in all issues which relate to data protection in their GSC directorate-general or other service.
4.   Delegated controllers shall ensure that appropriate technical and organisational measures are in place to demonstrate that the processing activities comply with Regulation (EU) 2018/1725 and give adequate instructions to GSC staff to ensure both the confidentiality of the processing and a level of security appropriate to the risks represented by the processing. They may consult the DPO in selecting these measures.
5.   Delegated controllers shall report to the DPO on the handling of any request received from a data subject for the exercise of his or her rights and assist the DPO and the EDPS in performing their respective duties, in particular by giving information in reply to their requests within 30 days.
6.   Delegated controllers shall be responsible for the application of a restriction of the application of Articles 14 to 22, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 of that Regulation in accordance with the relevant internal rules. Delegated controllers shall involve the DPO throughout the entire procedure when applying such a restriction.
7.   Delegated controllers shall ensure that internal arrangements with other GSC directorates-general or services are in place where the delegated controller carries out processing operations jointly with those GSC directorates-general or services or where they carry out a part of the delegated controller’s processing operation.
The arrangements referred to in the first subparagraph shall determine the respective responsibilities of the delegated controllers and the other GSC directorates-general or services for compliance with their data protection obligations. In particular, those arrangements shall include identification of the delegated controller determining the means and purposes of the processing operation as well as the operational controller for the processing operation, and, where appropriate, which persons or entities are to assist the operational controller, inter alia, with information in the event of data breaches or in accommodating data subjects’ rights.

Article 9

Operational controllers

1.   Operational controllers shall assist the delegated controller in ensuring compliance with Regulation (EU) 2018/1725 for the processing operations for which he or she is responsible, and serve as the primary contact point for data subjects.
2.   In particular, operational controllers shall:
(a) receive and process all requests from data subjects;
(b) prepare the records of processing activities under their responsibility and the related privacy statement in consultation with the data protection coordinator;
(c) ensure that contracts or other legal acts governing processing of personal data by a processor are compliant with Regulation (EU) 2018/1725 and consult the DPO on draft data protection contract clauses;
(d) ensure that documentation is available to demonstrate compliance with Regulation (EU) 2018/1725.
3.   Operational controllers shall inform the DPO without undue delay in the event of personal data breaches and provide him or her with all the information necessary to enable him or her to ensure that the Council complies with the obligations regarding personal data breaches under Articles 34 and 35 of Regulation (EU) 2018/1725.
4.   In coordination with the delegated controller and the DPO, operational controllers shall notify the EDPS in the event of personal data breaches, where applicable. They shall also inform data subjects, where applicable.
5.   Operational controllers shall ensure that the data protection coordinator is kept aware of all matters relating to data protection.
6.   Operational controllers shall assess the risk for the rights and freedoms of the data subject related to the processing operations for which they are responsible and, where appropriate, carry out a data protection impact assessment. Operational controllers shall seek the advice of the DPO when carrying out those impact assessments and on the need for prior consultation in accordance with Articles 39 and 40 of Regulation (EU) 2018/1725.
7.   Operational controllers shall carry out any other task within the scope of this Decision at the request of the delegated controller.

Article 10

Data protection coordinators

1.   Each GSC directorate-general or other service shall, in consultation with the DPO, appoint one or more data protection coordinators to assist the delegated controller and operational controllers in his or her GSC directorate-general or other service in all aspects of the protection of personal data.
2.   Data protection coordinators shall be chosen on the basis of their knowledge and experience of the functioning of the respective GSC directorate-general or other service, suitability for the function, competences relating to data protection, knowledge of the principles of information systems, and communication skills. Newly appointed data protection coordinators shall complete training to acquire the necessary competences for their role within six months of their appointment. A data protection coordinator who has previously worked as a contact person in another GSC directorate-general or other service in the two years prior to his or her appointment shall be exempt from that training requirement.
3.   The data protection coordinators’ function shall be part of the job description of each GSC staff member appointed as a contact person. Reference to their responsibilities and achievements shall be made in the annual appraisal report.
4.   Data protection coordinators shall be involved properly and in a timely manner in all issues relating to data protection in their GSC directorate-general or other service and perform their duties in close cooperation with the DPO.
5.   Data protection coordinators shall have the right to obtain from the controllers and from staff adequate and necessary information required for the accomplishment of their tasks within their GSC directorate-general or other service. This shall not include access to personal data processed under the responsibility of the delegated controller. The data protection coordinators shall access personal data only if it is necessary for the performance of their tasks.
6.   The data protection coordinators shall raise awareness on data protection matters and assist the delegated controllers within their GSC directorate-general or other service in complying with their obligations, especially as regards:
(a) the implementation of Regulation (EU) 2018/1725;
(b) the identification of the operational controllers, and the preparation of records of processing operations and privacy statements before they are submitted to the DPO;
(c) the compilation of a list of all existing processing operations of the GSC directorate-general or other service.
7.   The data protection coordinators shall assist the operational controllers within their GSC directorate-general or other service in complying with their obligations, especially as regards:
(a) the preparation of records of processing operations and privacy statements before they are submitted to the DPO;
(b) documentation of the processing;
(c) the processing of the requests of the data subjects;
(d) the handling of data breaches.

Article 11

GSC staff

GSC staff shall contribute to ensuring the application and implementation of Regulation (EU) 2018/1725. GSC staff shall not have access to personal data or process such data other than under the instructions of the delegated controller or the operational controller, unless required to do so by Union or Member State law.

SECTION 4

OTHER OBLIGATIONS AND PROCEDURES

Article 12

Register

1.   The DPO shall keep a register of processing operations and shall ensure that the register is accessible through the website of the DPO on the GSC intranet and through the website of the Council.
2.   The operational controller shall notify the DPO of any processing operation and submit the records of processing activities and the related privacy statement on the basis of a form made accessible on the GSC’s intranet site (under ‘Data Protection’). The notification shall be transmitted to the DPO electronically. After consultation with the DPO, the delegated controller shall confirm the record and the related privacy statement and the DPO shall publish them in the register.
3.   The record shall include all information specified in Article 31 of Regulation (EU) 2018/1725. However, the information entered in the register by the DPO may exceptionally be limited to what is necessary in order to safeguard the security of a specific processing operation. Any change affecting such information shall be notified promptly by the operational controller to the DPO.

Article 13

Data breaches

1.   Where a personal data breach occurs, the delegated controller or operational controller shall seek the assistance of the data protection coordinator and inform the DPO about the incident without undue delay and provide him or her with all the necessary information enabling him or her to ensure that the Council complies with the obligation on personal data breach notifications and communications pursuant to Articles 34 and 35 of Regulation (EU) 2018/1725.
2.   The DPO shall set up and maintain an internal register of personal data breaches. Delegated controllers and operational controllers shall provide the necessary information to be introduced in the register.
3.   The delegated controllers and operational controllers shall prepare the notification to the EDPS in consultation with the DPO, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Article 14

Investigations

1.   The DPO may on his or her own initiative, or at the request of the delegated controller, the operational controller, the processor, the Staff Committee or any individual, investigate matters and occurrences relating to his or her tasks and report back to the person who commissioned the investigation or to the delegated controller, the operational controller or the processor.
2.   Requests for an investigation shall be addressed to the DPO in writing. In the case of obvious misuse of the right to request an investigation, for example where the same individual has made an identical request recently, the DPO is not obliged to report back to the requester.
3.   Within 15 days of receipt of a request for investigation, the DPO shall send an acknowledgement of receipt to the person who made the request and verify whether the request is to be treated as confidential.
4.   The DPO shall request from the delegated controller who is responsible for the data processing operation that is the subject of the request for investigation to provide a report on the issue. The delegated controller shall provide the response to the DPO within 15 days. The DPO may request complementary information from the delegated controller, the operational controller, the processor or other relevant services of the GSC. If appropriate, he or she may request an opinion on the issue from the Council Legal Service. The DPO shall be provided with the requested information or opinion within 30 days.
5.   The DPO shall report back to the person who made the request for investigation no later than three months following its receipt. This period may be suspended until the DPO has obtained all the necessary information that he or she may have requested.
6.   No one shall suffer prejudice on account of a matter brought to the attention of the DPO alleging a breach of Regulation (EU) 2018/1725.

Article 15

General rules for the exercise of rights by data subjects

1.   The data subjects’ rights as laid down in Articles 14 to 24 of Regulation (EU) 2018/1725 may be exercised only by the data subject or by his or her duly authorised representative.
2.   The data subject shall address requests in writing to the operational controller with a copy to the DPO. If necessary, the DPO shall assist the data subject in identifying the operational controller concerned. The request may be addressed in electronic form and shall contain:
(a) the surname, first name and contact details of the data subject and the date of the request;
(b) an indication of the right being exercised and, where appropriate, supporting documents related to the request;
(c) the category or categories of the personal data concerned.
3.   The operational controller shall send to the data subject an acknowledgement of receipt within five working days of the registration of the request. The operational controller shall ask for any clarifications necessary if the request is unclear or incomplete. The applicable deadlines under Article 14(3) and (4) of Regulation (EU) 2018/1725 shall not start to run until all the necessary clarifications have been provided.
4.   The operational controller shall verify the data subject’s identity in accordance with Article 14(6) of Regulation (EU) 2018/1725. While the identity is being verified, the applicable deadlines under Article 14(3) and (4) of that Regulation shall not start to run.
5.   The operational controller shall either give satisfaction to the data subject or state in writing the reasons for the total or partial refusal, within the deadlines provided for under Article 14(3) and (4) of Regulation (EU) 2018/1725.
6.   In the case of a highly complex request, irregularities or obvious misuse by the data subject in exercising his or her rights, where the processing of a request is likely to result in a risk to the rights and freedoms of other data subjects or where the processing is alleged to be unlawful by the data subject, the operational controller shall consult the DPO.

Article 16

Article 90 complaints

In the case of a complaint within the meaning of Article 90 of the Staff Regulations (‘Article 90 complaint’) with regard to a matter relating to the processing of personal data, the Appointing Authority shall consult the DPO. Without affecting the admissibility of the Article 90 complaint, the GSC staff member shall indicate in the Article 90 complaint whether a complaint to the EDPS has been lodged in parallel. The DPO shall deliver his or her opinion in writing no later than 15 working days after receipt of the request from the Appointing Authority. If, after the end of this period, the DPO has not provided his or her opinion, it is no longer required. The Appointing Authority shall not be bound by the DPO’s opinion.

SECTION 5

RESTRICTIONS OF DATA SUBJECTS’ RIGHTS IN THE CONTEXT OF THE EXERCISE OF THE TASKS OF THE DPO

Article 17

Exceptions and restrictions

1.   Where the Council or the GSC exercises its duties with regard to data subjects’ rights pursuant to Regulation (EU) 2018/1725, it shall consider whether any of the exceptions laid down in that Regulation apply.
2.   Subject to Articles 18 to 22 of this Decision, the Council or the GSC may restrict, in accordance with Article 25(1), points (c), (g) and (h), of Regulation (EU) 2018/1725, the application of Articles 14 to 17, 19, 20 and 35 of that Regulation, as well as the principle of transparency laid down in Article 4(1), point (a), of that Regulation insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 17, 19 and 20 of that Regulation, where the exercise of those rights and obligations would jeopardise the exercise of the DPO tasks, inter alia, by revealing its investigative or auditing tools and methods, or would adversely affect the rights and freedoms of other data subjects.
3.   Subject to Articles 18 to 22 of this Decision, the Council or the GSC may restrict the rights and obligations referred to in paragraph 2 of this Article, in relation to personal data obtained by the DPO from GSC directorates-general or services or other Union institutions or bodies. The Council or the GSC may do so where the exercise of those rights and obligations could be restricted by those GSC directorates-general or services or other institutions or bodies on the basis of other acts provided for in Article 25 of Regulation (EU) 2018/1725 or in accordance with Chapter IX of that Regulation or in accordance with Regulation (EU) 2016/794 of the European Parliament and of the Council (10) or Council Regulation (EU) 2017/1939 (11).
Before applying restrictions in the circumstances referred to in the first subparagraph, the Council or the GSC shall consult the relevant Union institution or body, unless it is clear that the application of a restriction is provided for by one of the acts referred to in that subparagraph.
4.   Any restriction of the rights and obligations referred to in paragraph 2 shall be necessary and proportionate, taking into account the risks to the rights and freedoms of data subjects.

Article 18

Provision of information to data subjects

1.   The GSC shall publish on the Council’s website data protection notices that inform data subjects of the DPO tasks involving the processing of their personal data.
2.   The GSC shall individually inform, in an appropriate format, any natural person whom it considers a person concerned by the DPO tasks.
3.   Where the GSC restricts, wholly or partly, the provision of information to data subjects referred to in paragraph 2 of this Article, the GSC shall record and register the reasons for the restriction, in accordance with Article 21.

Article 19

Right of access by data subjects, right to erasure and right to restriction of processing

1.   Where the Council or the GSC restricts, wholly or partly, the right of access to personal data by data subjects, the right to erasure or the right to restriction of processing as referred to in Articles 17, 19 and 20, respectively, of Regulation (EU) 2018/1725, it shall inform the data subject concerned, in its reply to a request for access, erasure or restriction of processing of the restriction applied and of the principal reasons therefor, and of the possibility of lodging a complaint with the EDPS or of seeking a judicial remedy before the Court of Justice of the European Union.
2.   The provision of information concerning the reasons for the restriction referred to in paragraph 1 may be deferred, omitted or denied for as long as it would undermine the purpose of the restriction. The Council shall provide the information to the data subject as soon as such information would not undermine that purpose.
3.   The GSC shall record and register the reasons for the restriction in accordance with Article 21.

Article 20

Communication of a personal data breach to the data subject

Where the Council or the GSC restricts the communication of a personal data breach to the data subject as referred to in Article 35 of Regulation (EU) 2018/1725, the GSC shall record and register the reasons for the restriction in accordance with Article 21 of this Decision.

Article 21

Recording and registering of restrictions

1.   The GSC shall record the reasons for any restriction applied pursuant to this Decision, including a case-by-case assessment of the necessity and proportionality of the restriction, taking into account the relevant elements of Article 25(2) of Regulation (EU) 2018/1725.
To that end, the record shall state how the exercise of any of the rights referred to in Articles 14 to 17, 19, 20 and 35 of that Regulation, or of the principle of transparency laid down in Article 4(1), point (a), thereof, would jeopardise the DPO activities under this Decision, or the restrictions applied pursuant to Article 17(2) or (3) of this Decision, or would adversely affect the rights and freedoms of other data subjects.
2.   The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the EDPS on request.

Article 22

Duration of restrictions

1.   Restrictions referred to in Articles 18, 19 and 20 shall continue to apply as long as the reasons justifying them remain applicable.
2.   Where the reasons for a restriction referred to in Articles 18 and 20 no longer apply, the GSC shall lift the restriction and provide the reasons for the restriction to the data subject. At the same time, the GSC shall inform the data subject of the possibility of lodging a complaint with the EDPS at any time or of seeking judicial remedy before the Court of Justice of the European Union.
3.   The GSC shall review the application of the restrictions referred to in Articles 18 and 20 every six months after their adoption and in any case at the completion of the relevant DPO task. After the completion, the GSC shall monitor the need to maintain any restriction or deferral on an annual basis.

Article 23

Review by the DPO

1.   Where other GSC directorates-general or services conclude that a data subject’s rights should be restricted pursuant to this Decision, they shall inform the DPO. They shall also provide the DPO with access to the record and any documents containing underlying factual and legal elements. The involvement of the DPO in the application of restrictions shall be documented in detail.
2.   The DPO may request that the delegated controller concerned review the application of the restrictions. The delegated controller concerned shall inform the DPO in writing about the outcome of the requested review.

SECTION 6

FINAL PROVISIONS

Article 24

Repeal

Decision 2004/644/EC is repealed.

Article 25

Entry into force

This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Done at Luxembourg, 28 June 2021.
For the Council
The President
M. do C. ANTUNES
(1) OJ L 295, 21.11.2018, p. 39.
(2) Opinion of 6 April 2021 (not yet published in the Official Journal).
(3) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).
(4) Council Decision 2004/338/EC, Euratom of 22 March 2004 adopting the Council’s Rules of Procedure (OJ L 106, 15.4.2004, p. 22).
(5) Council Decision 2013/488/EU of 23 September 2013 on the security rules for protecting EU classified information (OJ L 274, 15.10.2013, p. 1).
(6) Decision of the Secretary-General of the Council/High Representative for Common Foreign and Security Policy of 25 June 2001 on a code of good administrative behaviour for the General Secretariat of the Council of the European Union and its staff in their professional relations with the public (OJ C 189, 5.7.2001, p. 1).
(7) Council Decision 2004/644/EC of 13 September 2004 adopting implementing rules concerning Regulation (EC) No 45/2001 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 296, 21.9.2004, p. 16).
(8) OJ L 56, 4.3.1968, p. 1.
(9) Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (OJ L 193, 30.7.2018, p. 1).
(10) Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53).
(11) Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’) (OJ L 283, 31.10.2017, p. 1).