DECISION OF THE MANAGEMENT BOARD OF THE EUROPEAN CENTRE FOR THE DEVELOPMENT OF VOCATIONAL TRAINING (CEDEFOP)
of 6 May 2020
adopting internal rules concerning restrictions of certain rights of data subjects in relation to the processing of personal data in the framework of the functioning of Cedefop
THE MANAGEMENT BOARD,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (1), and in particular Article 25 thereof,
Having regard to Regulation (EU) 2019/128 of the European Parliament and of the Council of 16 January 2019 establishing the European Centre for the Development of Vocational Training (‘Cedefop’), and repealing Council Regulation (EEC) No 337/75 (2), and in particular Article 23(4) thereof,
Having regard to the opinion of the European Data Protection Supervisor (EDPS) of 12 December 2019 and to the EDPS Guidance on Article 25 of the new Regulation and internal rules (3),
Whereas:
(1) Cedefop carries out its activities in accordance with Regulation (EU) 2019/128.
(2) In accordance with Article 25(1) of Regulation (EU) 2018/1725, restrictions of the application of Articles 14 to 22, 35 and 36, as well as Article 4 of that Regulation in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 22, should be based on internal rules to be adopted by Cedefop, where these are not based on legal acts adopted on the basis of the Treaties.
(3) These internal rules, including provisions on the assessment of the necessity and proportionality of a restriction, should not apply where a legal act adopted on the basis of the Treaties provides for a restriction of the data subject’s rights.
(4) Where Cedefop performs its duties with respect to the data subject’s rights under Regulation (EU) 2018/1725, it shall consider whether any of the exemptions laid down in that Regulation apply.
(5) Within the framework of its administrative functioning, Cedefop may conduct administrative inquiries, disciplinary proceedings, carry out preliminary activities related to cases of potential irregularities reported to OLAF, process whistleblowing cases, implement (formal and informal) procedures of harassment, process internal and external complaints, conduct internal audits, carry out investigations by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725 and internal (IT) security investigations and handle requests of staff members for access to their medical files.
Cedefop processes several categories of personal data, including hard data (‘objective’ data such as identification data, contact data, professional data, administrative details, data received from specific sources, electronic communications and traffic data) and/or soft data (‘subjective’ data related to the case such as reasoning, behavioural data, appraisals, performance and conduct data and data related to or brought forward in connection with the subject matter of the procedure or activity).
(6) Cedefop, represented by its Executive Director, acts as the (data) controller irrespective of further delegations of the controller role within Cedefop to reflect operational responsibilities for specific personal data processing operations.
(7) The personal data are stored securely in an electronic environment or on paper preventing abuse or unlawful access by or transfer of data to persons who do not have a need to know. The medical files are stored by the external service provider used by Cedefop. The personal data processed are retained for no longer than necessary and appropriate for the purposes for which the data are processed for the period specified in the data protection notices or records of Cedefop.
(8) These internal rules should apply to all processing operations carried out by Cedefop in the performance of administrative inquiries, disciplinary proceedings, preliminary activities related to cases of potential irregularities reported to OLAF, whistleblowing procedures, (formal and informal) procedures for cases of harassment, processing of internal and external complaints, internal audits, investigations carried out by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725, (IT) security investigations handled internally or with external involvement (e.g. CERT-EU) and the handling of requests for access by staff members to their medical files.
(9) These internal rules should apply to processing operations carried out prior to the opening of the procedures referred to above, during these procedures and during the monitoring of the follow-up to the outcome of these procedures. They should also include assistance and cooperation provided by Cedefop to national authorities and international organisations outside of its administrative investigations.
(10) In the cases where these internal rules apply, Cedefop should provide justifications explaining why the restrictions are strictly necessary and proportionate in a democratic society and respect the essence of the fundamental rights and freedoms.
(11) Within this framework, Cedefop is bound to respect, to the maximum extent possible, the fundamental rights of the data subjects during the above procedures, in particular those relating to the right of information to be provided to the data subject, right of access by the data subject, rights of the data subject to rectification, erasure and restriction of processing and rights to communication of a personal data breach to the data subject and confidentiality of electronic communications as enshrined in Regulation (EU) 2018/1725.
(12) However, Cedefop may be obliged to restrict the right of information to be provided to the data subject and other data subject’s rights to protect, in particular, its own investigations, the investigations and proceedings of other public authorities, as well as the rights of other persons involved in its investigations or other procedures.
(13) Cedefop should periodically monitor whether the conditions which justify the restriction continue to apply and lift the restriction as soon as they no longer apply.
(14) The controller should inform the Data Protection Officer at the moment when there is an intention to apply a restriction and during subsequent reviews and involve him or her throughout the entire procedure until the restriction has been lifted.
HAS ADOPTED THIS DECISION:
Article 1
Subject matter and scope
1. This Decision lays down rules relating to the conditions under which Cedefop may restrict the application of the rights enshrined in Articles 14 to 21, 35 and 36, as well as Article 4 of Regulation (EU) 2018/1725 in the context of the procedures set out in paragraph 2 in accordance with Article 25 of that Regulation.
2. Within the framework of the administrative functioning of Cedefop, this Decision applies to the processing operations on personal data carried out by Cedefop for the purposes of conducting administrative inquiries and disciplinary proceedings, preliminary activities related to cases of potential irregularities reported to OLAF, processing whistleblowing cases, implementing (formal and informal) procedures for cases of harassment, processing internal and external complaints, conducting internal audits, investigations carried out by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725 and (IT) security investigations handled internally or with external involvement (e.g. CERT-EU) and the handling of requests for access by staff members to their medical files.
3. The categories of data concerned are hard data (‘objective’ data such as identification data, contact data, professional data, administrative details, data received from specific sources, electronic communications and traffic data) and/or soft data (‘subjective’ data related to the case such as reasoning, behavioural data, appraisals, data related to performance and conduct and data related to or brought forward in connection with the subject matter of the procedure or activity).
4. Where Cedefop performs its duties with respect to the data subject’s rights under Regulation (EU) 2018/1725, it shall consider whether any of the exemptions laid down in that Regulation apply.
5. Subject to the conditions set out in this Decision, the restrictions may apply to the following rights: right of information to be provided to the data subject, right of access by the data subject, rights of the data subject to rectification, erasure and restriction of processing and rights to communication of a personal data breach to the data subject and confidentiality of electronic communications.
Article 2
Specification of the controller and safeguards
1. Cedefop shall put in place the following safeguards to prevent abuse or unlawful access or transfer:
(a) paper documents shall be kept in secured cupboards and only accessible to authorised staff;
(b) all electronic data shall be stored in a secure IT application according to Cedefop’s security standards, as well as in specific electronic folders accessible only to authorised staff. Appropriate levels of access shall be granted individually;
(c) the IT environment of Cedefop shall be accessible via a single sign-on system and connected automatically to the user’s ID and password. E-records shall be held securely to safeguard the confidentiality and privacy of the data therein;
(d) all persons having access to the data shall be bound by the obligation of confidentiality;
(e) the external service provider storing the medical files shall be bound by contractual clauses regarding confidentiality and processing of personal data.
2. The controller of the processing operations is Cedefop, represented by its Executive Director, who may delegate the function of the controller. Data subjects shall be informed of the delegated controller by means of data protection notices or records published on the website and intranet of Cedefop.
3. The retention period of the personal data referred to in Article 1(3) of this Decision shall be no longer than necessary and appropriate for the purposes for which the data are processed. It shall in any event not be longer than the retention period specified in the data protection notices or records referred to in Article 3(3) of this Decision.
4. Where Cedefop considers applying a restriction, the risk to the rights and freedoms of the data subject shall be weighed, in particular against the risk to the rights and freedoms of other data subjects and the risk of undermining the effectiveness of Cedefop’s investigations or procedures, in particular by destroying evidence. The risks to the rights and freedoms of the data subject concern primarily, but are not limited to, reputational risks and risks to the right of defence and the right to be heard.
Article 3
Restrictions
1. Any restriction shall only be applied by Cedefop on the basis of one or more of the grounds listed in points (a) to (i) of Article 25(1) of Regulation (EU) 2018/1725. In particular, in the context of the purposes of processing personal data indicated in Article 1(2) of this Decision, restrictions may be based on the following grounds:
(a) for the performance of administrative inquiries and disciplinary proceedings, restrictions may be based on Article 25(1) points (b), (c), (g) and (h) of Regulation (EU) 2018/1725;
(b) for preliminary activities related to cases of potential irregularities reported to OLAF, restrictions may be based on Article 25(1) points (b), (c), (f), (g) and (h) of Regulation (EU) 2018/1725;
(c) for whistleblowing procedures, restrictions may be based on Article 25(1) points (b), (c), (f), (g) and (h) of Regulation (EU) 2018/1725;
(d) for (formal and informal) procedures for cases of harassment, restrictions may be based on Article 25(1) points (b), (f), (h) and (i) of Regulation (EU) 2018/1725;
(e) for the processing of internal and external complaints, restrictions may be based on Article 25(1) points (c), (g) and (h) of Regulation (EU) 2018/1725;
(f) for internal audits, restrictions may be based on Article 25(1) points (c), (g) and (h) of Regulation (EU) 2018/1725;
(g) for investigations carried out by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725, restrictions may be based on Article 25(1) points (c), (g) and (h) of that Regulation;
(h) for (IT) security investigations handled internally or with external involvement (e.g. CERT-EU), restrictions may be based on Article 25(1) points (c), (d), (g) and (h) of Regulation (EU) 2018/1725;
(i) for the handling of requests for access by staff members to their medical files, restrictions may be based on Article 25(1) point (h) of Regulation (EU) 2018/1725.
2. As a specific application of the purposes described in paragraph 1 above, Cedefop may apply restrictions on the rights referred to in Article 1(5) of this Decision in the following circumstances:
(a) where another Union institution, body, office or agency is entitled to restrict the exercise of these rights on the basis of other acts provided for in Article 25 of Regulation (EU) 2018/1725 or in accordance with Chapter IX of that Regulation or with their founding acts and the purpose of such a restriction by that other Union institution, body, office or agency would be jeopardised were Cedefop not to apply an equivalent restriction in respect of the same personal data;
(b) where the competent authority of a Member State is entitled to restrict the exercise of these rights on the basis of acts referred to in Article 23 of Regulation (EU) 2016/679 of the European Parliament and of the Council (4), or under national measures transposing Articles 13(3), 15(3) or 16(3) of Directive (EU) 2016/680 of the European Parliament and of the Council (5) and the purpose of such a restriction by that competent authority of a Member State would be jeopardised were Cedefop not to apply an equivalent restriction in respect of the same personal data;
(c) where the exercise of these rights would jeopardise Cedefop’s cooperation with third countries or international organisations in the performance of its tasks.
Before applying restrictions in the circumstances referred to in points (a) and (b) of the first subparagraph, Cedefop shall consult the relevant Union institution, body, office or agency or the competent authority of a Member State unless it is clear to Cedefop that the application of a restriction is provided for by one of the acts referred to in those points.
3. Cedefop shall include in the data protection notices or records in the sense of Article 31 of Regulation (EU) 2018/1725, published on its website and intranet, informing data subjects of their rights in the framework of a given procedure, information relating to the potential restriction of these rights. The information shall indicate which rights may be restricted, the reasons and the potential duration.
Without prejudice to the provisions of Article 5(2), Cedefop, where proportionate, shall also inform individually all data subjects, which are considered persons concerned in the specific processing operation, of their rights concerning present or future restrictions without undue delay and in a written form.
4. Any restriction shall be necessary and proportionate taking into account the risks to the rights and freedoms of data subjects and respect the essence of the fundamental rights and freedoms in a democratic society.
5. If the application of restriction is considered, a necessity and proportionality test shall be carried out on the basis of the present rules. It shall be documented through an internal assessment note for accountability purposes on a case-by-case basis.
6. Restrictions shall be lifted as soon as the circumstances that justify them no longer apply.
Article 4
Review by the Data Protection Officer
1. The Data Protection Officer of Cedefop (‘the DPO’) shall be informed without undue delay whenever the controller intends to restrict the application of data subjects’ rights, or extends the restriction, in accordance with this Decision. The controller shall provide the DPO access to the record containing the assessment of the necessity and proportionality of the restriction and document the date of informing the DPO in the record. The DPO shall be involved throughout the entire procedure until the restriction has been lifted.
2. The DPO may request the controller in writing to review the application of the restrictions. The controller shall inform the DPO in writing about the outcome of the requested review.
3. The controller shall inform the DPO when the restriction has been lifted.
Article 5
Restriction of the right of information to be provided to the data subject
1. In duly justified cases and under the conditions stipulated in this Decision, the right of information to be provided to the data subject may be restricted by the controller in the context of the following processing operations:
(a) the performance of administrative inquiries and disciplinary proceedings;
(b) preliminary activities related to cases of potential irregularities reported to OLAF;
(c) whistleblowing procedures;
(d) (formal and informal) procedures for cases of harassment;
(e) processing of internal and external complaints;
(f) internal audits;
(g) investigations carried out by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725;
(h) (IT) security investigations handled internally or with external involvement (e.g. CERT-EU).
2. Where Cedefop restricts, wholly or partly, the right of information to be provided to the data subjects referred to in Articles 14 to 16 of Regulation (EU) 2018/1725, it shall record the reasons for the restriction, the legal ground(s) in accordance with Article 3 of this Decision, including an assessment of the necessity and proportionality of the restriction.
The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request.
3. The restriction referred to in paragraph 2 shall continue to apply as long as the reasons justifying it remain applicable.
Where the reasons for the restriction no longer apply, Cedefop shall provide information to the data subject on the principal reasons on which the application of a restriction is based. At the same time, Cedefop shall inform the data subject of the right of lodging a complaint with the European Data Protection Supervisor at any time or of seeking a judicial remedy before the Court of Justice of the European Union (the ‘Court of Justice’).
Cedefop shall review the application of the restriction every six months from its adoption and at the closure of the relevant inquiry, procedure or investigation. Thereafter, the controller shall monitor the need to maintain any restriction every six months. The necessity and proportionality test referred to in Article 3(5) shall also be conducted in the context of each periodic review, following an assessment of whether the factual and legal reasons for a restriction still apply.
Article 6
Restriction of the right of access by the data subject
1. In duly justified cases and under the conditions stipulated in this Decision, the right of access by the data subject may be restricted by the controller in the context of the following processing operations, where necessary and proportionate:
(a) the performance of administrative inquiries and disciplinary proceedings;
(b) preliminary activities related to cases of potential irregularities reported to OLAF;
(c) whistleblowing procedures;
(d) (formal and informal) procedures for cases of harassment;
(e) processing of internal and external complaints;
(f) internal audits;
(g) investigations carried out by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725;
(h) (IT) security investigations handled internally or with external involvement (e.g. CERT-EU);
(i) handling of requests for access by staff members to their medical files.
Where data subjects request access to their personal data processed in the context of one or more specific cases or to a particular processing operation, in accordance with Article 17 of Regulation (EU) 2018/1725, Cedefop shall limit its assessment of the request to such personal data only.
2. Where Cedefop restricts, wholly or partly, the right of access, referred to in Article 17 of Regulation (EU) 2018/1725, it shall take the following steps:
(a) it shall inform the data subject concerned, in its reply to the request, of the restriction applied and of the principal reasons thereof, and of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy before the Court of Justice;
(b) it shall document in an internal assessment note the reasons for the restriction, including an assessment of the necessity and proportionality of the restriction and its duration.
Restrictions imposed on the right of access of staff members to their medical files shall only concern requests for direct access by staff members to medical data of psychological or psychiatric nature where an assessment made on a case-by-case basis reveals that indirect access is necessary for the protection of the data subject. Access to such data shall be given through the intermediary of a doctor appointed by the data subject concerned. The doctor of the data subject’s choice shall be given access to all the information and discretionary power to decide how and what access to provide to the data subject.
The provision of information referred to in point (a) may be deferred, omitted or denied if it would cancel the effect of the restriction in accordance with Article 25(8) of Regulation (EU) 2018/1725.
Cedefop shall review the application of the restriction every six months from its adoption and at the closure of the relevant inquiry, procedure or investigation. Thereafter, the controller shall monitor the need to maintain any restriction every six months. The necessity and proportionality test referred to in Article 3(5) shall also be conducted in the context of each periodic review, following an assessment of whether the factual and legal reasons for a restriction still apply.
3. The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor upon request.
Article 7
Restriction of the rights of the data subject to rectification, erasure and restriction of processing
1. In duly justified cases and under the conditions stipulated in this Decision, the rights of the data subject to rectification, erasure and restriction of processing may be restricted by the controller in the context of the following processing operations, where necessary and appropriate:
(a) the performance of administrative inquiries and disciplinary proceedings;
(b) preliminary activities related to cases of potential irregularities reported to OLAF;
(c) whistleblowing procedures;
(d) (formal and informal) procedures for cases of harassment;
(e) processing of internal and external complaints;
(f) internal audits;
(g) investigations carried out by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725;
(h) (IT) security investigations handled internally or with external involvement (e.g. CERT-EU).
2. Where Cedefop restricts, wholly or partly, the application of the rights of the data subject to rectification, erasure and restriction of processing referred to in Articles 18, 19(1) and 20(1) of Regulation (EU) 2018/1725 respectively, it shall take the steps set out in Article 6(2) of this Decision and register the record in accordance with Article 6(3) thereof.
Article 8
Restriction of the rights to communication of a personal data breach to the data subject and confidentiality of electronic communications
1. In duly justified cases and under the conditions stipulated in this Decision, the right to communication of a personal data breach to the data subject may be restricted by the controller in the context of the following processing operations, where necessary and appropriate:
(a) the performance of administrative inquiries and disciplinary proceedings;
(b) preliminary activities related to cases of potential irregularities reported to OLAF;
(c) whistleblowing procedures;
(d) internal audits;
(e) investigations carried out by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725;
(f) (IT) security investigations handled internally or with external involvement (e.g. CERT-EU).
2. In duly justified cases and under the conditions stipulated in this Decision, the right to confidentiality of electronic communications may be restricted by the controller in the context of the following processing operations, where necessary and appropriate:
(a) the performance of administrative inquiries and disciplinary proceedings;
(b) preliminary activities related to cases of potential irregularities reported to OLAF;
(c) whistleblowing procedures;
(d) formal procedures for cases of harassment;
(e) processing of internal and external complaints;
(f) (IT) security investigations handled internally or with external involvement (e.g. CERT-EU).
3. Where Cedefop restricts the rights to communication of a personal data breach to the data subject or confidentiality of electronic communications referred to in Articles 35 and 36 of Regulation (EU) 2018/1725 respectively, it shall record and register the reasons for the restriction in accordance with Article 5(2) of this Decision. Article 5(3) of this Decision shall also apply.
Article 9
Entry into force
This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Done on 6 May 2020.
For the Management Board
Barbara DORN
Chairperson of the Management Board
(1) OJ L 295, 21.11.2018, p. 39.
(2) OJ L 30, 31.1.2019, p. 90.
(3) https://edps.europa.eu/sites/edp/files/publication/18-12-20_guidance_on_article_25_en.pdf
(4) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(5) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).