DECISION No 42-2021 OF THE COURT OF AUDITORS
of 20 May 2021
adopting internal rules concerning restrictions of certain rights of data subjects in relation to the processing of personal data in the framework of activities carried out by the European Court of Auditors
THE EUROPEAN COURT OF AUDITORS,
Having regard to the Treaty on the Functioning of the European Union (‘TFEU’);
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (the ‘Regulation’), and in particular Article 25 and Chapter VI thereof;
Having regard to the discussions held by the Court of Auditors at its meeting of 20 May 2021;
Having consulted the European Data Protection Supervisor on this Decision, according to Article 41(2) of the Regulation, who delivered his opinion on 23 September 2019;
Whereas in the framework of its activities, the European Court of Auditors (the ‘Court’) processes several categories of personal data and is bound to respect the rights of natural persons in relation to the processing of personal data recognised by Article 8(1) of the Charter of Fundamental Rights of the European Union and by Article 16(1) TFEU;
Whereas in certain circumstances, it is necessary to reconcile the rights of data subjects pursuant to the Regulation with the needs of the tasks and activities of the Court. To that effect, Article 25 of the Regulation provides, under strict conditions, the possibility to restrict the application of Articles 14 to 20, 35 and 36, as well as Article 4;
Whereas the Court should apply restrictions only when they respect the essence of the fundamental rights and freedoms, and are a necessary and proportionate measure in a democratic society. The Court should handle all restrictions in a transparent manner and provide information on the reasons for the application of a restriction to the data subject;
Whereas the Court should lift the restriction as soon as the conditions justifying it no longer apply, and assess those conditions on a regular basis;
Whereas the Data Protection Officer of the Court (the ‘DPO’) should be informed in due time of any restrictions being applied and carry out an independent review of the application of restrictions, with a view to ensuring compliance with this Decision,
HAS DECIDED:
Article 1
Subject matter and scope
This Decision lays down rules relating to the conditions under which the Court, based on Article 25 of the Regulation, may restrict the application of Articles 14 to 20, 35 and 36, as well as Article 4 thereof.
Article 2
Restrictions
1. In accordance with Article 25(1) of the Regulation, the Court may restrict, on a case-by-case basis, the application of Articles 14 to 20, 35 and 36, as well as Article 4 thereof, in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 20, when:
(a) carrying out audits, on the basis of Article 287 TFEU. Relevant restrictions may be based on Article 25(1)(c),(g),(h) of the Regulation;
(b) conducting administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings, on the basis of Article 86 of the Staff Regulations of Officials of the European Union (1) (the ‘Staff Regulations’) and in accordance with Annex IX thereto. Relevant restrictions may be based on Article 25(1)(b),(c),(d),(f),(g),(h) of the Regulation;
(c) processing internal and external complaints against a staff member or Member of the ECA. Relevant restrictions may be based on Article 25(1)(h) of the Regulation;
(d) conducting preliminary activities related to cases of potential irregularities reported to OLAF. Relevant restrictions may be based on Article 25(1)(b),(c),(h) of the Regulation;
(e) ensuring that the Court’s staff members may confidentially provide information on serious irregularities of which they become aware in the course of their duties, in conformity with the Court’s Rules of Procedure for providing information in the event of serious irregularities (whistleblowing). Relevant restrictions may be based on Article 25(1)(f),(h) of the Regulation;
(f) ensuring that the Court’s staff members who consider themselves to have been subjected to harassment may confidentially seek counselling and support from a manager, a contact person, the medical officer or a mediator, in conformity with the Court’s Decision No 26-2017 on the policy for maintaining a satisfactory working environment and combating psychological and sexual harassment. Relevant restrictions may be based on Article 25(1)(f),(h) of the Regulation;
(g) conducting internal audits, in accordance with the Court’s Decision No 38-2016 laying down the rules for implementing the Rules of Procedure of the Court of Auditors. Relevant restrictions may be based on Article 25(1)(c),(g),(h) of the Regulation;
(h) ensuring access, pursuant to Article 26a of the Staff Regulations and Articles 16 and 91 of the Conditions of Employment of Other Servants, of data subjects to medical data of a psychological or psychiatric nature concerning them, where direct access to such data is likely to represent a risk for the data subject’s health or to medical data where the exercise of that right would adversely affect the rights and freedoms of the data subject or other subjects. Relevant restrictions may be based on Article 25(1)(h) of the Regulation;
(i) ensuring internal security at the Court, i.e. security of persons, assets and information, including conducting internal security enquiries, eventually with external involvement (CERT-EU, national police authorities, etc.). Relevant restrictions may be based on Article 25(1)(a),(b),(c),(d),(g),(h) of the Regulation;
(j) ensuring that the DPO may carry out investigations in accordance with Article 45(2) of the Regulation. Relevant restrictions may be based on Article 25(1)(d),(g),(h) of the Regulation;
(k) providing assistance and cooperation to or receiving them from other Union institutions, bodies, offices and agencies. Relevant restrictions may be based on Article 25(1)(c),(d),(g),(h) of the Regulation;
(l) providing assistance and cooperation to or receiving them from EU Member States’ public authorities, third countries and international organisations, upon their request or on its own initiative. Relevant restrictions may be based on Article 25(1)(c),(g),(h) of the Regulation;
(m) processing personal data in documents obtained by the parties or the interveners in the context of judicial proceedings before the Court of Justice of the European Union. Relevant restrictions may be based on Article 25(1)(e) of the Regulation.
2. The categories of data include the identification data of a natural person, contact information, professional roles and tasks, information on private and professional conduct and performance, and financial data.
3. Any restriction shall respect the essence of the fundamental rights and freedoms in a democratic society and be necessary and proportionate.
4. A necessity and proportionality test shall be carried out by the controller and the DPO on a case-by-case basis before restrictions are applied. Restrictions shall be limited to what is strictly necessary to achieve the set objectives.
5. The Court shall record the reasons for the restrictions applied, the legal basis, the assessment of the risks to the rights and freedoms of data subjects whose personal data may be subject to restrictions, and the assessment of the necessity and proportionality of the restriction. The record and, where applicable, the documents containing underlying factual and legal elements shall be part of an ad hoc register, which shall be made available to the European Data Protection Supervisor (‘EDPS’) on request. The documentation concerning restrictions for the medical file shall only be registered in the relevant medical file.
6. When processing personal data exchanged with other organisations in the context of its tasks, the Court shall consult and shall be consulted by those organisations on the possible relevant grounds for imposing restrictions and the necessity and proportionality of the restrictions, unless this would jeopardise the activities of the Court.
Article 3
Monitoring of restrictions and review
1. The restrictions referred to in Article 2 shall continue to apply as long as the circumstances justifying them remain applicable.
2. The Court shall review the application of a restriction every six months from its adoption. A review must also be carried out when the essential elements of a case change.
Article 4
Safeguards
1. The Court shall implement safeguards to prevent abuse or unlawful access or transfer of personal data that may be subject to restrictions. These safeguards shall include technical and organisational measures and be detailed, as necessary, in the Court’s internal decisions, procedures and implementing rules. The safeguards shall include:
(a) an adequate definition of roles, responsibilities and procedural steps;
(b) if applicable, a secure electronic environment which prevents unlawful or accidental access or transfer of electronic data to unauthorised persons;
(c) if applicable, secure storage and processing of paper-based documents.
Article 5
Information to be communicated to the DPO and review by the DPO
1. The DPO shall be informed without undue delay whenever data subject rights are restricted in accordance with this Decision and shall be provided access to the record and any documents containing underlying factual and legal elements.
2. The DPO may submit a request to review the application of a restriction. The Court shall inform the DPO in writing about the outcome of the request.
3. The involvement of the DPO in the restrictions procedure, including information exchanges, shall be documented in an appropriate form.
Article 6
Information provided to data subjects on restrictions to their rights
1. The Court shall publish on its website general information on the restrictions of data subjects’ rights described in Article 2. The scope of the restriction, the underlying reasons and the potential duration shall be explained.
2. Where the Court applies Article 2 of this Decision, it shall inform the data subjects, without undue delay and in a written form, of the principal reasons on which the application of the restriction is based, and of the data subjects’ right to lodge a complaint with the EDPS and seek judicial remedy before the Court of Justice of the European Union.
3. The Court may defer, omit or deny the provision of information concerning the reasons for the restriction referred to in paragraph 2 for as long as this would cancel the effect of the restriction. This assessment shall take place on a case-by-case basis.
Article 7
Communication of personal data breaches to data subjects
Where the Court restricts the communication of a personal data breach to the data subject, as referred to in Article 35 of the Regulation, it shall record and register the reasons for restriction in accordance with Article 2(5) of this Decision.
Article 8
Confidentiality of electronic communication
1. The Court, under exceptional circumstances, and in line with the provisions of Directive 2002/58/EC on privacy and electronic communications, may restrict the right to confidentiality of electronic communications, as referred to in Article 36 of the Regulation. In this case, the Court shall detail circumstances, grounds, relevant risks and related safeguards in specific internal rules.
2. Where the Court restricts the right to confidentiality of electronic communications, it shall inform the data subject concerned, in its reply to their request, of the principal reasons on which the application of the restriction is based, and of the possibility of lodging a complaint with the EDPS or of seeking judicial remedy before the Court of Justice of the European Union.
3. The Court may defer, omit or deny the provision of information concerning the reasons for the restriction referred to in paragraphs 1 and 2 for as long as it would cancel the effect of the restriction. This assessment shall take place on a case-by-case basis.
Article 9
Entry into force
This Decision shall enter into force on the day of its publication in the Official Journal of the European Union.
Done at Luxembourg, 20 May 2021.
For the Court of Auditors
Klaus-Heiner LEHNE
President
(1) Regulation (EEC, Euratom, ECSC) No 259/68 of the Council of 29 February 1968 laying down the Staff Regulations and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission (OJ L 56, 4.3.1968, p. 1).