DECISION OF THE MANAGEMENT BOARD OF EUROPOL
of 9 June 2020
on internal rules concerning restrictions of certain rights of data subjects in relation to processing of administrative personal data by Europol
THE MANAGEMENT BOARD OF EUROPOL,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (1) (hereinafter ‘Europol Regulation’), and in particular Article 46 thereof,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (2), and in particular Article 25 thereof,
Having regard to the Guidance on Article 25 of that Regulation and internal rules of the European Data Protection Supervisor (‘EDPS’) of December 2018,
Having regard to the EDPS comments on the draft decision of the Management Board of Europol on internal rules concerning restrictions of certain rights of data subjects in relation to processing of administrative personal data by Europol from 14 January 2020,
Whereas:
(1) Europol processes operational data and non-operational (administrative) data unrelated to criminal investigations, such as personal data concerning staff of Europol, service providers or visitors. The processing of operational data falls under the provisions of the Europol Regulation whereas non-operational (administrative) data is subject to Regulation (EU) 2018/1725.
(2) In accordance with Article 25(1) of Regulation (EU) 2018/1725 restrictions of the application of Articles 14 to 22, 35 and 36, as well as Article 4 of that Regulation in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 22 should be based on internal rules to be adopted by Europol, where these are not based on legal acts adopted on the basis of the Treaties.
(3) These internal rules, including its provisions on the assessment of the necessity and proportionality of a restriction, should not apply where a legal act adopted on the basis of the Treaties provides for a restriction on data subject rights.
(4) Europol may, in the context of its functioning, conduct administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings. Administrative inquiries should be carried out by the Internal Investigations Service (IIS) which shall also represent the authority authorised to conclude contracts of employment referred to in Article 6 of the Conditions of employment before the Disciplinary Board on the basis of Article 86 of the Staff Regulations of Officials of the European Union (3) and in accordance with Decision of the Europol Management Board laying down General implementing provisions on the conduct of administrative inquiries and disciplinary procedures (EDOC #417349).
(5) Europol staff members have the obligation to report possible illegal activities, including fraud or corruption, detrimental to the interests of the Union, or of conduct relating to the discharge of professional duties which may constitute a serious failure to comply with the obligations of official of the Union. This is further explained in the Guidance to Europol staff on whistle-blowing arrangements (EDOC# 903736).
(6) Europol has set out a policy to prevent and deal effectively and efficiently with actual or potential cases of psychological or sexual harassment at the workplace, as provided for in its Decision of the Management Board of Europol on the policy on protecting the dignity of the person and preventing psychological harassment and sexual harassment (EDOC # 958626). The Decision establishes an informal procedure where the alleged victim of the harassment may contact Europol confidential counsellors.
(7) The Data Protection Officer, pursuant to Article 13 of the Decision of the Management Board of Europol laying down Implementing Rules concerning the Data Protection Officer (EDOC# 845687) can carry out inquiries concerning the subject matter of a request.
(8) Europol may conduct audits on its activities which are performed via the Europol’s Internal Audit Capability (IAC) which was established by the Management Board at its 1 May 2017 meeting, pursuant to Article 11(1) of the Europol Regulation, and is solely accountable to this organ.
(9) In the context of the abovementioned tasks Europol may provide and receive assistance and cooperation to and from other Union institutions, bodies, offices and agencies, as set in relevant service level agreements, memorandum of understanding and cooperation agreements.
(10) It may be necessary to reconcile the rights of data subjects pursuant to Regulation (EU) 2018/1725 with the needs of the abovementioned activities, while fully respecting fundamental rights and freedoms of other data subjects. To that effect, Article 25 of Regulation (EU) 2018/1725 provides, under strict conditions, the possibility to restrict the application of Articles 14 to 20, 35 and 36, as well as Article 4 in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 20. In this case it is necessary to adopt internal rules under which Europol may restrict those rights in line with the same Article of Regulation (EU) 2018/1725.
(11) This might in particular be the case when providing information about the processing of personal data to the data subject at the preliminary assessment phase of an administrative inquiry or during the inquiry itself, prior to a possible dismissal of the case or a pre-disciplinary stage. In certain circumstances, providing such information might seriously affect the IIS’ capacity to conduct the enquiry in an effective way, whenever, for example, there is a risk that the person concerned destroys evidence or interferes with potential witnesses before they are interviewed. Furthermore, Europol might need to protect their rights and freedoms as well as the rights and freedoms of other persons involved.
(12) It might be necessary to protect the confidentiality of a witness or a whistle-blower who has asked not to be identified. In such a case, Europol may decide to restrict access to the identity, statements and other personal data of the whistle-blower and other persons involved, in order to protect their rights and freedoms.
(13) It might be necessary to protect the confidentiality of a staff member who has contacted Europol confidential counsellors in the context of a harassment procedure. In such a case, Europol may decide to restrict access to the identity, statements and other personal data of the alleged victim, the alleged harasser and other persons involved, in order to protect their rights and freedoms.
(14) When handling inquiries on processing activities carried out at Europol, the Data Protection Officer might, in certain circumstances, need to preserve the effectiveness of its inquiries and to protect, as necessary, persons involved and their rights and freedoms.
(15) Europol should apply restrictions only when they respect the essence of the fundamental rights and freedoms, and are strictly necessary and a proportionate measure in a democratic society. Europol should give justifications explaining the grounds for those restrictions.
(16) Based on the principle of accountability, Europol should keep a record of the application of the restrictions.
(17) When processing administrative personal data exchanged with other organisations in the context of its tasks, Europol should consult and should be consulted by those organisations on the possible relevant grounds for imposing restrictions and the necessity and proportionality of the restrictions, unless this would jeopardise the activities of Europol.
(18) Article 25(6) of Regulation (EU) 2018/1725 obliges the controller to inform data subjects of the principal reasons on which the application of the restriction is based and of their right to lodge a complaint with the EDPS.
(19) Pursuant to Article 25(8) of Regulation (EU) 2018/1725, Europol may defer, omit or deny the provision of information on the reasons for the application of a restriction to the data subject if this would in any way cancel the effect of the restriction.
(20) Europol should assess on a case-by-case basis and in cooperation with the Data Protection Officer whether the communication of the restriction would cancel its effect.
(21) To guarantee the utmost protection of the rights and freedoms of data subjects and in accordance with Article 44(1) of Regulation (EU) 2018/1725, the Data Protection Officer should be informed in due time of any restrictions being applied and verify compliance with this Decision.
(22) The application of the abovementioned restrictions is without prejudice to the possible application of the provisions of Article 16(5) and 17(4) of Regulation (EU) 2018/1725, relating, respectively, to the right of information when data have not been obtained from the data subject, and to the right of access by the data subject,
HAS ADOPTED THIS DECISION:
Article 1
Subject matter and scope
This Decision lays down rules relating to the conditions under which Europol may restrict the application of Articles 14 to 20, 35 and 36, as well as Article 4 thereof based on Article 25 of Regulation (EU) 2018/1725.
Article 2
Specification of the controller
1. The controller of the processing operations is Europol, represented by its Executive Director, who may delegate the function of the controller.
2. Data subjects shall be informed of the delegated controller by way of the data protection notices or records published on the website and/or the intranet of Europol.
Article 3
Restrictions
1. Where Europol exercises its duties with respect to data subjects’ rights under Regulation (EU) 2018/1725, it shall consider whether any of the exemptions laid down in Regulation (EU) 2018/1725 applies.
2. In accordance with Article 25(1) of Regulation (EU) 2018/1725, Europol may restrict the application of Articles 14 to 20, 35 and 36, as well as Article 4 thereof, in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 20 of Regulation (EU) 2018/1725, when:
(a) IIS is conducting pre-inquiries and administrative inquiries and the Disciplinary Board is carrying out disciplinary procedures on the basis of the Staff Regulations of Officials of the European Union as well as the Decision of the Europol Management Board laying down General implementing provisions on the conduct of administrative inquiries and disciplinary procedures. Relevant restrictions may be based on Article 25(1)(c), (g) and (h) of Regulation (EU) 2018/1725;
(b) in the course of whistleblowing procedures in order to ensure that Europol staff members may confidentially report facts where they believe there are serious irregularities as indicated in the Guidelines on whistle-blowing arrangements. Relevant restrictions may be based on Article 25(1)(h) of Regulation (EU) 2018/1725;
(c) in formal and informal procedures for cases of harassment ensuring that Europol staff members may confidentially report to confidential counsellors in the context of a harassment procedure as defined by the Decision of the Management Board of Europol on the policy on protecting the dignity of the person and preventing psychological harassment and sexual harassment. Relevant restrictions may be based on Article 25(1)(h) of Regulation (EU) 2018/1725;
(d) Data Protection Officer is conducting inquiries on processing activities carried out at Europol pursuant to Article 13 of the Decision of the Management Board of Europol laying down Implementing Rules concerning the Data Protection Officer. Relevant restrictions may be based on Article 25(1)(c), (g) and (h) of Regulation (EU) 2018/1725;
(e) Internal Audit Capability is conducting internal audits in relation to all the activities and departments at Europol. Relevant restrictions may be based on Article 25(1)(c), (g) and (h) of Regulation (EU) 2018/1725;
(f) Europol is providing or receiving assistance and cooperation to and from other Union institutions, bodies, offices and agencies, in the context of the abovementioned activities, as set out in relevant service level agreements, memorandum of understanding and cooperation agreements. Relevant restrictions may be based on Article 25(1)(c), (d), (g) and (h) of Regulation (EU) 2018/1725.
3. The categories of data include identification data of a natural person, contact information, professional roles and tasks, information on private and professional conduct and performance, and financial data.
4. Any restriction shall respect the essence of the fundamental rights and freedoms and be necessary and proportionate in a democratic society.
5. A necessity and proportionality test shall be carried out on a case-by-case basis before restrictions are applied. Restrictions shall be limited to what is strictly necessary to achieve the set objectives.
6. Restrictions should be duly monitored by the data controller and a periodical revision with a necessity and proportionality test shall be done every six months following their adoption in consultation with the Data Protection Officer.
7. Restrictions shall be lifted as soon as the circumstances that justify them no longer apply. The data controller in consultation with the Data Protection Officer shall provide the information concerned to the data subject together with the information on the possibility to lodge a complaint with the EDPS at any time or to seek a judicial remedy in the Court of Justice of the European Union.
8. Europol shall file, for accountability purposes, a record describing the reasons for the restrictions applied, which grounds among those listed in paragraph 1 apply and the outcome of the necessity and proportionality test. Those records shall be part of an ad hoc register kept by the Data Protection Officer, which shall be made available on request to the EDPS. A report on the application of Article 25 of Regulation (EU) 2018/1725 shall be made available periodically.
9. When processing administrative personal data exchanged with other organisations in the context of its tasks, Europol shall consult those organisations on the possible relevant grounds for imposing restrictions and the necessity and proportionality of the restrictions, unless this would jeopardise the activities of Europol.
Article 4
Risks to the rights and freedoms of data subjects
The assessment of the risks to the rights and freedoms of data subjects whose personal data may be subject to restrictions, as well as their retention period, are referenced in the record of the relevant processing activities in accordance with Article 31 of Regulation (EU) 2018/1725 and, if applicable, in relevant data protection impact assessments based on Article 39 of the said Regulation.
Article 5
Storage periods and safeguards
1. Europol shall implement safeguards to prevent abuse or unlawful access or transfer of personal data that may be subject to restrictions. These safeguards shall include technical and organisational measures to protect the personal data against accidental or unlawful destruction, accidental loss or unauthorised disclosure, alteration and access or any other unauthorised form of processing. The safeguards shall include:
(a) a clear definition of roles, responsibilities and procedural steps;
(b) if appropriate, a secure electronic environment which prevents unlawful or accidental access or transfer of electronic data to unauthorised persons;
(c) if appropriate, secure storage and processing of paper-based documents;
(d) due monitoring of restrictions and a periodic review of their application.
2. The retention period of the personal data that may be subject to restrictions shall be no longer than necessary and appropriate for the purposes for which the data are processed. It shall in any event not be longer than the retention period specified in the data protection notices, privacy statements or records referred above.
Article 6
Information to and review by the Data Protection Officer
1. The Data Protection Officer shall be consulted without undue delay whenever the data controller intends to apply restrictions to the data subject rights in accordance with this Decision and shall be provided access to the record containing the assessment of the necessity and proportionality and any documents underlying factual and legal elements.
2. The involvement of the Data Protection Officer in the restrictions procedure, including information exchanges, shall be documented in an appropriate form.
Article 7
Information to data subjects on restrictions to their rights
1. Europol shall publish on Europol intranet data protection notices that inform all data subjects of processing activities involving processing of their personal data which could be subject to restrictions in accordance with these rules.
2. Data controllers shall individually inform data subjects who are parties to a procedure, parties concerned by a procedures or witnesses concerning their rights and possible restrictions.
Article 8
Right to information to be provided to data subjects and communication on data breaches
1. Where in the context of the activities mentioned in this Decision, Europol restricts, wholly or partly, their rights mentioned in Articles 14 to 16 and 35 of Regulation (EU) 2018/1725, data subjects shall be informed of the principal reasons on which the application of the restriction is based, and of their right to lodge a complaint with the EDPS as well to seek a judicial remedy before the Court of Justice of the European Union.
2. Europol may defer, omit or deny the provision of information concerning the reasons for the restriction referred to in paragraph 1 for as long as it would cancel the effect of the restriction. This assessment shall take place on a case-by-case basis in cooperation with the Data Protection Officer.
Article 9
Data subjects’ right of access, rectification, erasure and restriction of processing
1. Where in the context of the activities mentioned in this Decision, Europol restricts, wholly or partly, the right of access to personal data, the right to rectification, erasure, and restriction of processing, as referred to in Articles 17 to 20 respectively of Regulation (EU) 2018/1725, it shall inform the data subject concerned, in its reply to their request, of the principal reasons on which the application of the restriction is based, and of the possibility of lodging a complaint with the EDPS or of seeking a judicial remedy before the Court of Justice of the European Union.
2. Europol may defer, omit or deny the provision of information concerning the reasons for the restriction referred to in paragraph 1 if it would cancel the effect of the restriction. This assessment shall take place on a case-by-case basis in cooperation with the Data Protection Officer.
Article 10
Confidentiality of electronic communication
1. Europol, under exceptional circumstances, and in line with the provisions and the rationale of Directive 2002/58/EC of the European Parliament and of the Council (4), may restrict the right to confidentiality of electronic communications, as referred to in Article 36 of Regulation (EU) 2018/1725.
2. Where Europol restricts the right to confidentiality of electronic communications, it shall inform the data subject concerned, in its reply to their request, of the principal reasons on which the application of the restriction is based, and of the possibility of lodging a complaint with the EDPS or of seeking a judicial remedy before the Court of Justice of the European Union.
3. Europol may defer, omit or deny the provision of information concerning the reasons for the restriction referred to in paragraph 1 and 2 for as long as it would cancel the effect of the restriction. This assessment shall take place on a case-by-case basis in cooperation with the Data Protection Officer.
Article 11
Entry in to force
This Decision shall enter into force on the day twentieth day following that of its publication in the
Official Journal of the European Union
.
Done at The Hague, 9 June 2020.
For the Management Board
Andrei LINTA
Chairperson
(1)
OJ L 135, 24.5.2016, p. 53
.
(2)
OJ L 295, 21.11.2018, p. 39
.
(3) Staff Regulations of Officials of the European Union, laid down in Regulation (EEC, Euratom, ECSC) No 259/68 of the Council (
OJ L 56, 4.3.1968, p. 1
).
(4) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (
OJ L 201, 31.7.2002, p. 37
).
Feedback