Decision of the Authority for European political parties and European political foundations

of 18 May 2021

adopting rules concerning the implementation of Regulation (EU) 2018/1725 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by the Union Institutions, Bodies, Offices and Agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, in relation to the restriction of certain rights of data subjects in accordance with Article 25 of that Regulation

(2021/C 257 I/01)

THE AUTHORITY FOR EUROPEAN POLITICAL PARTIES AND EUROPEAN POLITICAL FOUNDATIONS,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council (1), and in particular Articles 25 and 45(3) thereof,

Having regard to the Opinion of the European Data Protection Supervisor of 28 April 2021, which was consulted pursuant to Article 41(2) of Regulation (EU) 2018/1725 on this Decision,

Whereas:

(1) The purpose of the implementing rules relating to Regulation (EU) 2018/1725 (the ‘implementing rules’) is to specify the conditions under which the Authority is permitted to restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, in accordance with Article 25 thereof.

(2) Within this framework, the Authority, when applying restrictions pursuant to Chapter II of this Decision, is bound to respect the fundamental rights of the data subjects concerned, as enshrined in Article 8(1) of the Charter of Fundamental Rights of the European Union, in Article 16(1) of the Treaty on the Functioning of the European Union and in Regulation (EU) 2018/1725.

(3) To that end, the Authority, before applying any particular restrictions, must carry out, on a case-by-case basis, an assessment of the necessity and proportionality of the respective restrictions, taking into account the risks to the rights and freedoms of data subjects.

(4) Article 25(5) of Regulation (EU) 2018/1725 lays downs that internal rules concerning restrictions under Article 25 of that Regulation shall be adopted at the highest level of management of the Union institutions and be published in the

Official Journal of the European Union

HAS ADOPTED THIS DECISION:

CHAPTER I

GENERAL PROVISIONS

Article 1

Purpose

This Decision lays down internal rules pursuant to which the Authority for European political parties and European political foundations (the ‘Authority’) may apply exceptions, derogations or restrictions with regard to the rights of data subjects according to Article 25 of Regulation (EU) 2018/1725.

Article 2

Controller

1. The Authority determines the purposes and means of the processing of personal data and therefore acts as controller in respect to those data within the meaning of Article 3(8) of Regulation (EU) 2018/1725, and as referred to in Article 25(2)(e) of that Regulation.

2. Where the Authority and at least one other entity, including Union Institutions and bodies, determine the purposes and means of a given processing operation, the competent actors shall be considered to be joint controllers within the meaning of Article 28(1) of Regulation (EU) 2018/1725.

3. The controller shall be responsible for ensuring that processing operations are carried out in compliance with Regulation (EU) 2018/1725 and must be able to demonstrate compliance with that Regulation.

In particular, the controller shall be responsible for:

(a) implementing appropriate technical and organisational measures in view of the application of the data protection by design and by default principles,

(b) giving the staff under its authority suitable instructions for ensuring that processing is lawful, fair, transparent and confidential and providing an appropriate level of security in view of the risks which processing entails,

(c) cooperating with the Data Protection Officer and the European Data Protection Supervisor in the performance of its respective duties, in particular by sending information to them in reply to their requests,

(d) informing and involving in a timely manner the Data Protection Officer notably in projects regarding new data processing operations or significant modifications to existing operations.

CHAPTER II

EXCEPTIONS, DEROGATIONS AND RESTRICTIONS TO DATA SUBJECT RIGHTS

SECTION 1

Exceptions and derogations

Article 3

Exceptions

1. Before applying a restriction pursuant to Section 2 of this Chapter, the controller shall consider whether any of the exceptions laid down in Regulation (EU) 2018/1725 apply, notably those pursuant to Articles 15(4), 16(5), 19(3) and 35(3) of that Regulation.

2. For processing for archiving purposes in the public interest as well as for processing for scientific or historical research purposes or statistical purposes, the controller shall consider whether the exceptions pursuant to Articles 16(5), point (b), and 19(3), point (d), of Regulation (EU) 2018/1725 apply.

Article 4

Derogations

1. For processing for archiving purposes in the public interest, the controller may apply derogations in accordance with Article 25(4) of Regulation (EU) 2018/1725. To that end, the controller may derogate from the rights referred to in Articles 17, 18, 20, 21, 22 and 23 of Regulation (EU) 2018/1725 in accordance with the conditions provided for in Article 25(4) of that Regulation.

2. For processing for scientific or historical research purposes or statistical purposes, the controller may apply derogations in accordance with Article 25(3) of Regulation (EU) 2018/1725. To that end, the controller may derogate from the rights referred to in Articles 17, 18, 20 and 23 of Regulation (EU) 2018/1725 in accordance with the conditions provided for in Article 25(3) of that Regulation.

3. Such derogations shall be subject to appropriate safeguards in accordance with Article 13 of Regulation (EU) 2018/1725 and Article 6(1) and (2) of this Decision. Technical and organisational measures shall be in place to ensure the respect of data minimisation and, where applicable, pseudonymisation.

SECTION 2

Restrictions

Article 5

Subject-matter and scope

1. This Section lays down the general conditions under which the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, in accordance with Article 25 thereof.

The general conditions referred to in subparagraph one are complemented by the provisions of the Annexes to this Decision, which specify the conditions under which the Authority may restrict rights of the data subjects in each of its activities and procedures where personal data is being processed and restrictions might become necessary.

2. This Section applies to the processing of personal data for the purposes of the activities and procedures carried out by the Authority, as specified in the Annexes to this Decision.

Article 6

Safeguards

1. Personal data subject to a restriction shall be stored in a secure physical or electronic environment which prevents unlawful access or transfer of data to persons who do not have a need to know.

2. Before applying any restriction, an assessment of whether the restriction is necessary and proportional, as well as of the risks to data subjects, shall be carried out in accordance with Article 12 of this Decision.

Article 7

Applicable restrictions

1. Subject to Articles 8 to 13 and to the specifications laid down in the applicable Annexes to this Decision, the controller may apply restrictions with regard to those rights of the data subject explicitly referred to in the applicable Annexes, where the exercise of those rights would jeopardise the purpose of one of the activities or procedures laid down in those Annexes.

2. Where it applies a restriction, and in particular where it defers, omits or denies, wholly or partly, the exercise of a data subject right, the controller shall proceed in accordance with Article 12 of this Decision.

Article 8

Right of the data subject to be informed about reasons for restrictions

1. Where the controller restricts the right of information, as referred to in Articles 15 and 16 of Regulation (EU) 2018/1725, data subjects shall be informed, in accordance with Article 25(6) of that Regulation, of the principal reasons on which the application of the restriction is based and of their right to lodge a complaint with the European Data Protection Supervisor.

2. However, such provision of information may, following a case-by-case assessment, be deferred, omitted or denied, in accordance with Article 25(8) of Regulation (EU) 2018/1725, for as long as it would cancel the effect of the restriction. As soon as the provision of this information would no longer cancel the effect of the restriction, the information shall be provided to the data subject.

Article 9

Right of access by data subjects, right to rectification, right to erasure, right to restriction of processing and notification obligation

1. Where the controller restricts, wholly or partly, the right of access to personal data by data subjects, the right to rectification, the right to erasure or the right to restriction of processing as referred to in Articles 17, 18, 19 and 20 respectively of Regulation (EU) 2018/1725 as well as the notification obligation pursuant to Article 21 of that Regulation, it shall inform the data subject concerned, in its reply to the request for access, rectification, erasure or restriction of processing, of the restriction that has been applied and of the principal reasons for the restriction and of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy before the Court of Justice of the European Union (‘the Court of Justice’).

2. The provision of information concerning the reasons for the restriction referred to in paragraph 1 may, following a case-by-case assessment, be deferred, omitted or denied for as long as it would cancel the effect of the restriction. As soon as the provision of this information would no longer cancel the effect of the restriction, the information shall be provided to the data subject.

3. Where the right of access is wholly or partly restricted and the data subject has exercised his or her right to lodge a complaint with the European Data Protection Supervisor, the data subject, and only he or she, shall be informed by the European Data Protection Supervisor of whether the data have been processed correctly and, if not, whether any corrections have been made in accordance with Article 25(7) of Regulation (EU) 2018/1725.

Article 10

Communication of a personal data breach to the data subject

Where it restricts the application of Article 35 of Regulation (EU) 2018/1725, the controller shall proceed in accordance with Article 12 of this Decision. If the communication of a data breach to the data subject is restricted on this basis, this shall be documented in a note and the note shall be communicated to the European Data Protection Supervisor at the time of the notification of the personal data breach.

Article 11

Confidentiality of electronic communications

Where it restricts the obligation to ensure confidentiality of electronic communications referred to in Article 36 of Regulation (EU) 2018/1725, the controller shall proceed in accordance with Article 12 of this Decision.

Article 12

Assessment of necessity and proportionality, recording and registering of restrictions

1. Before applying any particular restrictions, the controller shall assess on case-by-case basis whether the restrictions are necessary and proportionate, taking into account Article 25(2) and (8) of Regulation (EU) 2018/1725.

2. That assessment shall state in writing the reasons for any restriction applied pursuant to this Decision and include an examination of the risks to the rights and freedoms of the data subjects concerned, notably the risk that their personal data might be further processed without their knowledge and that they might be prevented from exercising their rights in accordance with Regulation (EU) 2018/1725, and of how the exercise of the data subjects' rights would jeopardise the purpose of one of the activities or procedures carried out by the Authority, as defined in the Annexes to this Decision.

3. The assessments shall be stored in a central register and be made available to the European Data Protection Supervisor on request.

4. Where the controller restricts the right to confidentiality of electronic communications referred to in Article 36 of Regulation (EU) 2018/1725 under this Article, the controller shall inform the data subject concerned, in reply to any request from the data subject, of the principal reasons on which the application of the restriction is based and the right to lodge a complaint with the European Data Protection Supervisor.

5. The provision of information referred to in paragraph 4 may, following a case-by-case assessment, be deferred, omitted or denied for as long as it would cancel the effect of the restriction. As soon as the provision of this information would no longer cancel the effect of the restriction, the information shall be provided to the data subject.

Article 13

Duration of restrictions

1. Restrictions referred to in this Decision, read in conjunction with the applicable Annexes to this Decision, shall apply as long as the reasons justifying them remain applicable.

2. Where the reasons for a restriction referred to in this Decision, read in conjunction with the applicable Annexes to this Decision, no longer exist, the controller shall lift the restriction. At the same time, the controller shall provide the data subject with the principal reasons for the restriction and inform the data subject of the possibility of lodging a complaint with the European Data Protection Supervisor at any time or of seeking a judicial remedy before the Court of Justice.

3. The controller shall review the application of restrictions referred to in this Decision, read in conjunction with the applicable Annexes to this Decision, every six months from its adoption and at the closure of the relevant procedure. Thereafter, for the purposes of the activities and procedures laid down in Annexes I, II, III, IV, V, VI, VII and VIII to this Decision, the controller shall monitor the need to maintain any restriction on an annual basis.

Article 14

Review by the Data Protection Officer

1. The Data Protection Officer shall be informed, without undue delay, whenever data subjects' rights are restricted in accordance with this Section. The Data Protection Officer shall, to the extent possible, be consulted before and throughout the restriction procedure and be involved in the assessment. The involvement of the Data Protection Officer shall be documented in a note to be produced by the controller. The note shall document the information that was shared with the Data Protection Officer.

Upon request, the Data Protection Officer shall be provided with access to any documents containing underlying factual and legal elements.

2. The Data Protection Officer may request from the controller a review of the restrictions. The Data Protection Officer shall be informed in writing of the outcome of the requested review.

CHAPTER III

FINAL PROVISIONS

Article 15

Annexes

The Annexes to this Decision form an integral part of this Decision.

Article 16

Entry into force

This Decision shall enter into force on the day following that of its publication in the Official Journal of the European Union.

Done at Brussels, 18 May 2021.

For the Authority for European political parties and European political foundations

The Director

M. ADAM

(1) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (

OJ L 295, 21.11.2018, p. 39

ANNEX I

Disciplinary procedures, administrative inquiries and investigations relating to staff matters

(1)

Subject-matter and scope

This Annex applies to the processing of personal data by the controller for the purpose of the procedures laid down in paragraph 2.

This Annex lays down the specific conditions under which, when conducting disciplinary procedures, administrative inquiries and investigations relating to staff matters pursuant to Article 86 and Annex IX of the Staff Regulations, and investigations in the context of requests for assistance submitted under Article 24 of the Staff Regulations and with regard to alleged cases of harassment, the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, in order to safeguard:

(a) other important objectives of general public interest of the Union such as the ability of the Authority to comply with its obligations under the Staff Regulations and to conduct its internal staffing policy, in accordance with Article 25(1), point (c), of Regulation (EU) 2018/1725,

(b) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions, in accordance with Article 25(1), point (f), of Regulation (EU) 2018/1725,

(c) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in Article 25(1), point (c), of Regulation (EU) 2018/1725, in accordance with Article 25(1), point (g), thereof, and

(d) the protection of the rights and freedoms of other data subjects, in accordance with Article 25(1), point (h), of Regulation (EU) 2018/1725.

This Annex applies to the following categories of personal data:

(a) identification data;

(b) contact data;

(d) data on the presence of persons;

(e) data on external activities of persons;

(f) data revealing racial or ethnic origin, religious or philosophical beliefs or data concerning health;

(g) all other data related to the subject matter of the relevant disciplinary procedures, administrative inquiries and investigations relating to staff matters conducted by the Authority.

(2)

Applicable restrictions

Subject to Articles 8 to 13 of this Decision, the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, where the exercise of those rights would jeopardise the purpose and effectiveness of the disciplinary procedures, administrative inquiries or investigations in staff matters, including investigations on alleged cases of harassment, or would adversely affect the rights and freedoms of other data subjects.

ANNEX II

Selection procedures

(1)

Subject-matter and scope

This Annex applies to the processing of personal data by the controller for the purpose of conducting selection procedures.

This Annex lays down the specific conditions under which, when conducting selection procedures (1), the controller may restrict the application of Article 17 of Regulation (EU) 2018/1725, in order to safeguard:

(a) other important objectives of general public interest of the Union, such as the ability of the Authority to comply with its obligations under the Staff Regulations and to conduct its internal staffing policy, in accordance with Article 25(1), point (c), of Regulation (EU) 2018/1725, and

(b) the protection of the rights and freedoms of other data subjects, in accordance with Article 25(1), point (h), of Regulation (EU) 2018/1725.

This Annex applies to the following categories of personal data:

(a) identification data;

(b) contact data;

(d) recorded speeches or tests of candidates;

(e) evaluation sheets;

(f) all other data related to the relevant selection procedures conducted by the Authority.

(2)

Applicable restrictions

Subject to Articles 8 to 13 of this Decision, the controller may restrict the application of the right of data subjects to access their personal data pursuant to Article 17 of Regulation (EU) 2018/1725 where the exercise of this right would jeopardise the purpose and effectiveness of such selection procedures, notably by revealing assessments made by selection committees, or would adversely affect the rights and freedoms of other data subjects, notably by revealing personal data of other candidates. The restriction for protecting rights and freedoms of other data subjects shall be applied only in very exceptional circumstances.

(3)

Duration of restrictions

By way of derogation from Article 13 of this Decision, the following rules shall apply as regards the duration of restrictions:

— Restrictions applied pursuant to this Annex shall continue to apply as long as the reasons justifying them remain applicable.

— The controller shall lift the restriction where the reasons for a restriction no longer exist and the data subject has asked again for access to the personal data concerned. At the same time, the controller shall provide the data subject with the principal reasons for the restriction and inform the data subject of the possibility of lodging a complaint with the European Data Protection Supervisor at any time or of seeking a judicial remedy before the Court of Justice.

(1) This includes selection procedures for temporary and contract staff as well as internal competitions.

ANNEX III

Examination of complaints by staff

(1)

Subject-matter and scope

This Annex applies to the processing of personal data by the controller for the purpose of processing complaints under the Staff Regulations.

This Annex lays down the specific conditions under which, when examining complaints by staff pursuant to Article 90 of the Staff Regulations (1), the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, in order to safeguard:

(a) other important objectives of general public interest of the Union such as the ability of the Authority to comply with its obligations under the Staff Regulations, in accordance with Article 25(1), point (c), of Regulation (EU) 2018/1725, and

(b) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions, in accordance with Article 25(1), point (f), of Regulation (EU) 2018/1725.

This Annex applies to the following categories of personal data:

(a) identification data;

(b) contact data;

(d) all other data related to the relevant complaints made by staff.

(2)

Applicable restrictions

(1) Within the examination of complaints by members of staff pursuant to Article 90 of the Staff Regulations, the Authority may process personal data of members of staff other than the complainant for the purposes of verification of compliance with the principle of equal treatment.

ANNEX IV

Internal audits

(1)

Subject-matter and scope

This Annex applies to the processing of personal data by the controller for the purpose of conducting internal audits.

This Annex lays down the specific conditions under which, when conducting internal audits for the purpose of Regulation (EU, Euratom) 2018/1046 (1), the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, in order to safeguard:

(a) other important objectives of general public interest of the Union or of a Member State in particular the financial interest of the Union or of a Member State, in accordance with Article 25(1), point (c), of Regulation (EU) 2018/1725, and

(b) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in Article 25(1), point (c), of Regulation (EU) 2018/1725, in accordance with Article 25(1), point (g), thereof.

This Annex applies to the following categories of personal data:

(a) identification data;

(b) contact data;

(d) financial data;

(e) traffic data;

(f) data on presence of persons;

(g) data on external activities of persons;

(h) political affiliation data;

(i) all other data related to the subject matter of the relevant audit activity.

(2)

Applicable restrictions

(1) Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (

OJ L 193, 30.7.2018, p. 1

ANNEX V

Judicial proceedings

(1)

Subject-matter and scope

This Annex applies to the processing of personal data by the controller for the purpose of judicial proceedings.

This Annex lays down the specific conditions under which the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, in order to safeguard the protection of judicial proceedings, in accordance with Article 25(1), point (e), thereof.

This Annex applies to the following categories of personal data:

(a) identification data;

(b) contact data;

(d) financial data;

(e) traffic data;

(f) data on the presence of persons;

(g) data on external activities of persons;

(h) all other data related to the subject matter of the relevant judicial proceedings.

(2)

Applicable restrictions

ANNEX VI

Verification, monitoring and investigation activities

(1)

Subject-matter and scope

This Annex applies to the processing of personal data by the controller for the purpose of conducting verification, monitoring and investigation activities within the meaning of paragraph 2.

This Annex lays down the specific conditions under which, when conducting verification, monitoring and investigation activities regarding European political parties, European political foundations and applicants for registration, the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, in order to safeguard:

(a) other important objectives of general public interest of the Union or of a Member State, in particular the registration and supervision of European political parties and European political foundations in accordance with the mission conferred on the Authority under Regulation (EU, Euratom) No 1141/2014 (1),

(b) other important objectives of general public interests of the Union or of a Member State, in particular the financial interest of the Union or of a Member State, in accordance with Article 25(1), point (c), of Regulation (EU) 2018/1725,

(c) monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in Article 25(1), points (b) and (c), of Regulation (EU) 2018/1725, in accordance with Article 25(1), point (g), thereof, and

(d) the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, in accordance with Article 25(1), point (b), of Regulation (EU) 2018/1725,

This Annex applies to the following categories of personal data:

(a) identification data;

(b) contact data;

(d) financial data;

(e) traffic data;

(f) data on presence of persons;

(g) data on external activities of persons;

(h) political affiliation data;

(i) all other data related to the subject matter of the relevant monitoring and investigations conducted by the Authority.

(2)

Applicable restrictions

Subject to Articles 8 to 13 of this Decision, the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, where the exercise of those rights would jeopardise the purpose and effectiveness of verification, monitoring and investigation activities conducted by the Authority, including by revealing their investigative tools and methods.

(1) Regulation (EU, Euratom) No 1141/2014 of the European Parliament and of the Council of 22 October 2014 on the statute and funding of European political parties and European political foundations (

OJ L 317, 4.11.2014, p. 1

ANNEX VII

Cooperation with the European Anti-Fraud Office (‘OLAF’)

(1)

Subject-matter and scope

This Annex applies to the processing of personal data, particularly the transfer of personal data, by the controller for the purpose of providing OLAF with information and documents, notifying cases to OLAF or processing information and documents coming from OLAF.

This Annex lays down the specific conditions under which, when providing information and documents to OLAF at the request of OLAF or on its own initiative, when notifying cases to OLAF or when processing information and documents coming from OLAF the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, in order to safeguard:

(a) the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, in accordance with of Article 25(1), point (b), of Regulation (EU) 2018/1725, and

(b) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions, in accordance with Article 25(1), point (f), of Regulation (EU) 2018/1725.

Before applying a restriction under paragraph 2, the controller shall consult OLAF on the necessity of such a restriction unless it is certain to the controller that a restriction is indispensable for the reasons set out in subparagraphs (a) and (b) of paragraph 2, or if such a consultation would jeopardise OLAF’s activities.

This Annex shall not apply to the processing of personal data where OLAF acts as controller, notably where OLAF processes personal data held in the Authority’s premises pursuant to Articles 4(2) and 6 of Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council (1).

This Annex applies to the following categories of personal data:

(a) identification data;

(b) contact data;

(d) financial data;

(e) traffic data;

(f) data on the presence of persons;

(g) data on external activities of persons;

(h) political affiliation data;

(i) all other data related to the subject matter of the relevant investigation conducted by OLAF or by the Authority in cooperation with OLAF.

(2)

Applicable restrictions

Subject to Articles 8 to 13 of this Decision, the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, where the exercise of those rights would jeopardise the purpose and effectiveness of OLAF’s investigative activities or the Authority’s investigative activities in cooperation with OLAF, including by revealing their investigative tools and methods.

Subject to Articles 8 to 13 of this Decision, the Authority may restrict the rights and obligations referred to in paragraph 1 in relation to personal data obtained from OLAF, where the exercise of those rights and obligations could be restricted by OLAF on the basis of Article 2(3) of Commission Decision (EU) 2018/1962 (2).

(1) Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (EC) No 1073/1999 of the European Parliament and of the Council and Council Regulation (Euratom) No 1074/1999 (

OJ L 248, 18.9.2013, p. 1

(2) Commission Decision (EU) 2018/1962 of 11 December 2018 laying down internal rules concerning the processing of personal data by the European Anti-Fraud Office (OLAF) in relation to the provision of information to data subjects and the restriction of certain of their rights in accordance with Article 25 of Regulation (EU) 2018/1725 of the European Parliament and of the Council (

OJ L 315, 12.12.2018, p. 41

ANNEX VIII

Cooperation with the Member States in the context of criminal or financial investigations

(1)

Subject-matter and scope

This Annex applies to the processing of personal data, particularly the transfer of personal data, by the controller for the purpose of providing national authorities with information and documents that they request in the framework of criminal or financial investigations.

This Annex lays down the specific conditions under which, when providing national authorities with information and documents that they request in the framework of criminal or financial investigations (1), the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, in order to safeguard:

(a) the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, in accordance with Article 25(1), point (b), of Regulation (EU) 2018/1725,

(b) the protection of judicial independence and judicial proceedings, in accordance with Article 25(1), point (e), of Regulation (EU) 2018/1725, and

(c) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions, in accordance with Article 25(1), point (f), of Regulation (EU) 2018/1725.

This Annex applies to the following categories of personal data:

(a) identification data;

(b) contact data;

(d) financial data;

(e) electronic communications;

(f) traffic data;

(g) data on the presence of persons

(h) all other data related to the subject matter of the relevant investigation conducted by national authorities.

(2)

Applicable restrictions

(1) The Authority is required to provide national authorities with the information and documents requested according to the principle of sincere cooperation enshrined in Article 4(3) of the Treaty on the European Union.