DECISION No 20-W-3 OF THE ADMINISTRATIVE BOARD OF THE EUROPEAN FISHERIES CONTROL AGENCY
of 22 April 2020
laying down internal rules concerning the restriction of certain rights of data subjects in relation to the processing of personal data in the framework of activities carried out by the European Fisheries Control Agency
THE ADMINISTRATIVE BOARD OF THE EUROPEAN FISHERIES CONTROL AGENCY,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (1), and in particular Article 25 thereof,
Having regard to Regulation (EU) 2019/473 of the European Parliament and of the Council of 19 March 2019 on the European Fisheries Control Agency (2) (‘the Agency’), and in particular Article 32(2)(h) thereof,
Having consulted the European Data Protection Supervisor on this decision, according to Article 41(2) of Regulation (EU) 2018/1725,
Whereas:
(1) Regulation (EU) 2019/473 makes provision for a European Fisheries Control Agency, the objective of which is to organise the operational coordination of fisheries control and inspection activities by the Member States and to assist them to cooperate so as to comply with the rules of the common fisheries policy in order to ensure its effective and uniform application.
(2) In accordance with Article 25(1) of Regulation (EU) 2018/1725 restrictions of the application of Articles 14 to 22, 35 and 36, as well as Article 4 of that Regulation in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 22 should be based on internal rules to be adopted by the Agency, where these are not based on legal acts adopted on the basis of the Treaties.
(3) These internal rules, including its provisions on the assessment of the necessity and proportionality of a restriction, should not apply where a legal act adopted on the basis of the Treaties provides for a restriction of data subject rights.
(4) Where the Agency performs its duties with respect to data subject’s rights under Regulation (EU) 2018/1725, it shall consider whether any of the exceptions laid down in that Regulation apply.
(5) Within the framework of its administrative functioning, the Agency may conduct administrative inquiries, disciplinary proceedings, carry out preliminary activities related to cases of potential irregularities reported to OLAF, process whistleblowing cases, process formal and informal procedures of harassment, process internal and external complaints, conduct internal audits, carry out investigations by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725 and internal (IT) security investigations.
(6) Within the framework of its operational activities, the Agency receives inspection reports from Union inspectors as provided for by Article 123 of Commission Implementing Regulation (EU) No 404/2011 (3), Articles 18, 19 and 20 of Regulation (EU) No 1236/2010 of the European Parliament and of the Council (4) and Articles 30, 33 and 34 of Regulation (EU) 2019/833 of the European Parliament and of the Council (5). The Agency also receives information and data from Member States in the context of analysis provided to the European Commission for the preparation and conduct of on-the-spot missions in third countries under Article 20(4)(c) of Council Regulation (EC) No 1005/2008 (6), as set out in Commission Decision 2009/988/EU (7).
(7) The Agency processes several categories of personal data, including hard data (‘objective’ data such as identification data, contact data, professional data, administrative details, data received from specific sources, electronic communications and traffic data) and/or soft data (‘subjective’ data related to the case such as reasoning, behavioural data, appraisals, performance and conduct data and data related to or brought forward in connection with the subject matter of the procedure or activity).
(8) The Agency, represented by its Executive Director, acts as the data controller irrespective of further delegations of the controller role within the Agency to reflect operational responsibilities for specific personal data processing operations.
(9) The personal data are stored securely in an electronic environment or on paper preventing unlawful access or transfer of data to persons who do not have a need to know. The personal data processed are retained for no longer than necessary and appropriate for the purposes for which the data are processed for the period specified in the data protection notices, privacy statements or records of the Agency.
(10) The internal rules should apply to all processing operations carried out by the Agency in the performance of administrative inquiries, disciplinary proceedings, preliminary activities related to cases of potential irregularities reported to OLAF, whistleblowing procedures, formal and informal procedures for cases of harassment, processing internal and external complaints, internal audits, the investigations carried out by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725, (IT) security investigations handled internally or with external involvement (e.g. CERT-EU) and the operational activities referred to in recital 6 above.
(11) They should apply to processing operations carried out prior to the opening of the procedures referred to above, during these procedures and during the monitoring of the follow-up to the outcome of these procedures and when implementing the operational activities referred to in recital 6 above. It should also include assistance and cooperation provided by the Agency to national authorities and international organisations outside of its administrative investigations.
(12) In the cases where these internal rules apply, the Agency has to give justifications explaining why the restrictions are strictly necessary and proportionate in a democratic society and respect the essence of the fundamental rights and freedoms.
(13) Within this framework the Agency is bound to respect, to the maximum extent possible, the fundamental rights of the data subjects during the above procedures, in particular, those relating to the right of provision of information, access and rectification, right to erasure, restriction of processing, right of communication of a personal data breach to the data subject or confidentiality of communication as enshrined in Regulation (EU) 2018/1725.
(14) However, the Agency may be obliged to restrict the information to data subject and other data subject’s rights to protect, in particular, its own investigations, the investigations and proceedings of other public authorities, as well as the rights of other persons related to its investigations or other procedures.
(15) The Agency may thus restrict the information for the purpose of protecting the investigation and the fundamental rights and freedoms of other data subjects.
(16) The Agency should periodically monitor that the conditions that justify the restriction apply and lift the restriction as far as they do no longer apply.
(17) The Controller should inform the Data Protection Officer at the moment of deferral and during the revisions,
HAS ADOPTED THIS DECISION:
Article 1
Subject matter and scope
1. This Decision lays down rules relating to the conditions under which the Agency in the framework of its procedures set out in paragraph 2 may restrict the application of the rights enshrined in Articles 14 to 21, 35 and 36, as well as Article 4 thereof, following Article 25 of Regulation (EU) 2018/1725.
2. Within the framework of the administrative functioning of the Agency, this Decision applies to the processing operations on personal data for the purposes of conducting administrative inquiries, disciplinary proceedings, preliminary activities related to cases of potential irregularities reported to OLAF, processing whistleblowing cases, formal and informal procedures of harassment, processing internal and external complaints, conducting internal audits, investigations carried out by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725 and (IT) security investigations handled internally or with external involvement (e.g. CERT-EU).
3. Within the framework of the operational activities of the Agency, this Decision applies to the processing operations on personal data for the purposes of fulfilling its mandate, in particular the reception of inspection reports pursuant to Article 123 of Implementing Regulation (EU) No 404/2011, Articles 18, 19 and 20 of Regulation (EU) No 1236/2010 and Articles 30, 33 and 34 of Regulation (EU) 2019/833, as well as of information and data received from Member States in the context of analysis provided to the European Commission for the preparation and conduct of on-the-spot missions in third countries under Article 20(4)(c) of Regulation (EC) No 1005/2008, as set out in Decision 2009/988/EU.
4. The categories of data concerned are hard data (‘objective’ data such as identification data, contact data, professional data, administrative details, data received from specific sources, electronic communications and traffic data) and/or soft data (‘subjective’ data related to the case such as reasoning, behavioural data, appraisals, performance and conduct data and data related to or brought forward in connection with the subject matter of the procedure or activity).
5. Where the Agency performs its duties with respect to data subject’s rights under Regulation (EU) 2018/1725, it shall consider whether any of the exceptions laid down in that Regulation apply.
6. Subject to the conditions set out in this Decision, the restrictions may apply to the following rights: provision of information to data subjects, right of access, rectification, erasure, restriction of processing, communication of a personal data breach to the data subject or confidentiality of communication.
Article 2
Specification of the controller and safeguards
1. The Agency shall put in place the following safeguards to prevent abuse or unlawful access or transfer:
(a) Paper documents shall be kept in secured cupboards and only accessible to authorised staff;
(b) All electronic data shall be stored in a secure IT application according to the Agency’s security standards, as well as in specific electronic folders accessible only to authorised staff. Appropriate levels of access shall be granted individually;
(c) IT systems and their databases shall have mechanisms for verifying user’s identity under a single sign-on system and connected automatically to the user’s ID and password. End user accounts shall be unique, personal and non-transferrable, sharing user accounts is strictly prohibited. E-records shall be held securely to safeguard the confidentiality and privacy of the data therein;
(d) All persons having access to the data are bound by the obligation of confidentiality.
2. The controller of the processing operations is the Agency, represented by its Executive Director, who may delegate the function of the controller. Data subjects shall be informed of the delegated controller by way of the data protection notices, privacy statements or records published on the website and/or the intranet of the Agency.
3. The retention period of the personal data referred to in Article 1(3) shall be no longer than necessary and appropriate for the purposes for which the data are processed. It shall in any event not be longer than the retention period specified in the data protection notices, privacy statements or records referred to in Article 5(1).
4. Where the Agency considers to apply a restriction, the risk to the rights and freedoms of the data subject shall be weighed, in particular, against the risk to the rights and freedoms of other data subjects and the risk of cancelling the effect of the Agency’s investigations or procedures for example by destroying evidence. The risks to the rights and freedoms of the data subject concern primarily, but are not limited to, reputational risks and risks to the right of defence and the right to be heard.
Article 3
Restrictions
1. Any restriction shall only be applied by the Agency on the basis of one or more of the grounds listed in points (a) to (i) of Article 25(1) of Regulation (EU) 2018/1725.
The Agency shall include in the data protection notices, privacy statements or records in the sense of Article 31 of Regulation (EU) 2018/1725, published on its website and/or on the intranet informing data subjects of their rights in the framework of a given procedure, information relating to the potential restriction of these rights. The information shall cover which rights may be restricted, the reasons and the potential duration.
2. As a specific application of the purposes described in paragraph 1 above, the Agency may apply restrictions, in the following circumstances:
(a) where the exercise of those rights and obligations is restricted by entitled Commission services or other Union institutions, bodies, agencies and offices on the basis of other acts provided for in Article 25 of Regulation (EU) 2018/1725 or in accordance with Chapter IX of that Regulation or with the founding acts of other Union institutions, bodies, agencies and offices, if the purpose of such a restriction would be jeopardised were the Agency not to apply an equivalent restriction in respect of the same personal data;
(b) where the exercise of those rights and obligations is restricted by entitled authorities of Member States on the basis of acts referred to in Article 23 of Regulation (EU) 2016/679 of the European Parliament and of the Council (8), or under national measures transposing Articles 13(3), 15(3) or 16(3) of Directive (EU) 2016/680 of the European Parliament and of the Council (9);
(c) where the exercise of those rights and obligations would jeopardise the Agency’s cooperation with third countries or international organisations in the conduct of its tasks, where there is clear evidence that cooperation is likely to be jeopardised.
Before applying restrictions in the circumstances referred to in points (a) and (b) of the first subparagraph, the Agency shall consult the relevant Commission services, Union institutions, bodies, agencies, offices or the competent authorities of Member States unless it is clear to the Agency that the application of a restriction is provided for by one of the acts referred to in those points.
3. Any restriction shall be necessary and proportionate to the risks to the rights and freedoms of data subjects and respect the essence of the fundamental rights and freedoms in a democratic society.
4. If the application of restriction is considered, a necessity and proportionality test shall be carried out based on the present rules. It shall be documented through an internal assessment note for accountability purposes on a case by case basis.
The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request.
The Agency shall apply a six months review cycle on the application of each restriction from its adoption and at the closure of the relevant inquiry, procedure or investigation. In the framework of this periodic review, a necessity and proportionality test shall be carried out to assess whether the factual and legal reasons for a restriction still apply.
5. Restrictions shall be lifted as soon as the circumstances that justify them no longer apply. In particular, where it is considered that the exercise of the restricted right would no longer cancel the effect of the restriction imposed or adversely affect the rights or freedoms of other data subjects.
Article 4
Review by the Data Protection Officer
1. The Agency shall, without undue delay, inform the Data Protection Officer of the Agency whenever the controller restricts the application of data subjects’ rights, or extends the restriction, in accordance with this Decision. The controller shall provide the Data Protection Officer access to the record containing the assessment of the necessity and proportionality of the restriction and document the date of informing the Data Protection Officer in the record.
2. The Data Protection Officer may request the controller in writing to review the application of the restrictions. The controller shall inform the Data Protection Officer in writing about the outcome of the requested review.
3. The Controller shall inform the Data Protection Officer of each restriction applied to the data subject’s rights, when the restriction has been lifted.
Article 5
Provision of information to data subject
1. In duly justified cases and under the conditions stipulated in this decision, the right to information may be restricted by the controller in the context of the following processing operations, where necessary and proportionate:
(a) the performance of administrative inquiries and disciplinary proceedings. Restrictions may be based on Article 25(1)(b), (c), (d), (f), (g) and (h) of Regulation (EU) 2018/1725;
(b) preliminary activities related to cases of potential irregularities reported to OLAF. Restrictions may be based on Article 25(1)(b), (d), (f) and (h) of Regulation (EU) 2018/1725;
(c) whistleblowing procedures. Restrictions may be based on Article 25(1)(b), (d), (f) and (h) of Regulation (EU) 2018/1725;
(d) formal and informal procedures for dealing with harassment. Restrictions may be based on Article 25(1)(b), (d), (f) and (h) of Regulation (EU) 2018/1725;
(e) processing internal and external complaints. Restrictions may be based on Article 25(1)(b), (c), (d), (f), (g) and (h) of Regulation (EU) 2018/1725;
(f) internal audits. Restrictions may be based on Article 25(1)(b), (c), (f), (g) and (h) of Regulation (EU) 2018/1725;
(g) investigations carried out by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725. Restrictions may be based on Article 25(1)(c), (g) and (h) of Regulation (EU) 2018/1725;
(h) (IT) security investigations handled internally or with external involvement (e.g. CERT-EU). Restrictions may be based on Article 25(1)(b), (c), (d), (g) and (h) of Regulation (EU) 2018/1725;
(i) the information exchange in the framework of the operational activities of the Agency to fulfil its mandate, in particular the reception of inspection reports pursuant to Article 123 of Implementing Regulation (EU) No 404/2011, Articles 18, 19 and 20 of Regulation (EU) No 1236/2010 and Articles 30, 33 and 34 of Regulation (EU) 2019/833, as well as of information and data received from Member States in the context of analysis provided to the European Commission for the preparation and conduct of on-the-spot audits in third countries under Article 20(4)(c) of Regulation (EC) No 1005/2008. Restrictions may be based on Article 25(1)(b), (c), (d), (g) and (h) of Regulation (EU) 2018/1725.
2. Without prejudice to the provisions of paragraph 3, the Agency, where proportionate, shall also inform individually all data subjects, which are considered persons concerned in the specific processing operation, of their rights concerning present or future restrictions without undue delay and in a written form.
3. Where the Agency restricts, wholly or partly, the provision of information to the data subjects referred to in paragraph 2, it shall record the reasons for the restriction, the legal ground in accordance with Article 3 of this Decision, including an assessment of the necessity and proportionality of the restriction.
4. The restriction referred to in paragraph 3 shall continue to apply as long as the reasons justifying it remain applicable.
Where the reasons for the restriction no longer apply, the Agency shall provide information to the data subject on the principal reasons on which the application of a restriction is based. At the same time, the Agency shall inform the data subject of the right of lodging a complaint with the European Data Protection Supervisor at any time or of seeking a judicial remedy in the Court of Justice of the European Union.
Article 6
Right of access by data subject
1. In duly justified cases and under the conditions stipulated in this decision, the right to access may be restricted by the controller in the context of the following processing operations, where necessary and proportionate:
(a) the performance of administrative inquiries and disciplinary proceedings. Restrictions may be based on Article 25(1)(b), (c), (d), (f), (g) and (h) of Regulation (EU) 2018/1725;
(b) preliminary activities related to cases of potential irregularities reported to OLAF. Restrictions may be based on Article 25(1)(b), (d), (f) and (h) of Regulation (EU) 2018/1725;
(c) whistleblowing procedures. Restrictions may be based on Article 25(1)(b), (d), (f) and (h) of Regulation (EU) 2018/1725;
(d) formal and informal procedures for dealing with harassment. Restrictions may be based on Article 25(1)(b), (d), (f) and (h) of Regulation (EU) 2018/1725;
(e) processing internal and external complaints. Restrictions may be based on Article 25(1)(b), (c), (d), (f), (g) and (h) of Regulation (EU) 2018/1725;
(f) internal audits. Restrictions may be based on Article 25(1)(b), (c), (f), (g) and (h) of Regulation (EU) 2018/1725;
(g) investigations carried out by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725. Restrictions may be based on Article 25(1)(c), (g) and (h) of Regulation (EU) 2018/1725;
(h) (IT) security investigations handled internally or with external involvement (e.g. CERT-EU). Restrictions may be based on Article 25(1)(b), (c), (d), (g) and (h) of Regulation (EU) 2018/1725;
(i) the information exchange in the framework of the operational activities of the Agency to fulfil its mandate, in particular the reception of inspection reports pursuant to Article 123 of Implementing Regulation (EU) No 404/2011, Articles 18, 19 and 20 of Regulation (EU) No 1236/2010 and Articles 30, 33 and 34 of Regulation (EU) 2019/833, as well as of information and data received from Member States in the context of analysis provided to the European Commission for the preparation and conduct of on-the-spot audits in third countries under Article 20(4)(c) of Regulation (EC) No 1005/2008. Restrictions may be based on Article 25(1)(b), (c), (d), (g) and (h) of Regulation (EU) 2018/1725.
Where data subjects request access to their personal data processed in the context of one or more specific cases or to a particular processing operation, in accordance with Article 17 of Regulation (EU) 2018/1725, the Agency shall limit its assessment of the request to such personal data only.
2. Where the Agency restricts, wholly or partly, the right of access, referred to in Article 17 of Regulation (EU) 2018/1725, it shall take the following steps:
(a) it shall inform the data subject concerned, in its reply to the request, of the restriction applied and of the principal reasons thereof, and of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy in the Court of Justice of the European Union;
(b) it shall document in an internal assessment note the reasons for the restriction, including an assessment of the necessity, proportionality of the restriction and its duration.
The provision of information referred to in point (a) may be deferred, omitted or denied if it would cancel the effect of the restriction in accordance with Article 25(8) of Regulation (EU) 2018/1725.
Article 7
Right of rectification, erasure and restriction of processing
1. In duly justified cases and under the conditions stipulated in this decision, the right to rectification, erasure and restriction may be restricted by the controller in the context of the following processing operations, where necessary and proportionate:
(a) the performance of administrative inquiries and disciplinary proceedings. Restrictions may be based on Article 25(1)(b), (c), (d), (f), (g) and (h) of Regulation (EU) 2018/1725;
(b) preliminary activities related to cases of potential irregularities reported to OLAF. Restrictions may be based on Article 25(1)(b), (d), (f) and (h) of Regulation (EU) 2018/1725;
(c) whistleblowing procedures. Restrictions may be based on Article 25(1)(b), (d), (f) and (h) of Regulation (EU) 2018/1725;
(d) formal and informal procedures for dealing with harassment. Restrictions may be based on Article 25(1)(b), (d), (f) and (h) of Regulation (EU) 2018/1725;
(e) processing internal and external complaints. Restrictions may be based on Article 25(1)(b), (c), (d), (f), (g) and (h) of Regulation (EU) 2018/1725;
(f) internal audits. Restrictions may be based on Article 25(1)(b), (c), (f), (g) and (h) of Regulation (EU) 2018/1725;
(g) investigations carried out by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725. Restrictions may be based on Article 25(1)(c), (g) and (h) of Regulation (EU) 2018/1725;
(h) (IT) security investigations handled internally or with external involvement (e.g. CERT-EU). Restrictions may be based on Article 25(1)(b), (c), (d), (g) and (h) of Regulation (EU) 2018/1725;
(i) the information exchange in the framework of the operational activities of the Agency to fulfil its mandate, in particular the reception of inspection reports pursuant to Article 123 of Implementing Regulation (EU) No 404/2011, Articles 18, 19 and 20 of Regulation (EU) No 1236/2010 and Articles 30, 33 and 34 of Regulation (EU) 2019/833, as well as of information and data received from Member States in the context of analysis provided to the European Commission for the preparation and conduct of on-the-spot audits in third countries under Article 20(4)(c) of Regulation (EC) No 1005/2008. Restrictions may be based on Article 25(1)(b), (c), (d), (g) and (h) of Regulation (EU) 2018/1725.
2. Where the Agency restricts, wholly or partly, the application of the right to rectification, erasure and restriction of processing referred to in Articles 18, 19(1) and 20(1) of Regulation (EU) 2018/1725, it shall take the steps set out in Article 6(2) of this Decision and register the record in accordance with Article 6(3) thereof.
Article 8
Communication of a personal data breach to the data subject and confidentiality of electronic communications
1. In duly justified cases and under the conditions stipulated in this decision, the right to the communication of a personal data breach may be restricted by the controller in the context of the following processing operations, where necessary and proportionate:
(a) the performance of administrative inquiries and disciplinary proceedings. Restrictions may be based on Article 25(1)(b), (c), (d), (f), (g) and (h) of Regulation (EU) 2018/1725;
(b) preliminary activities related to cases of potential irregularities reported to OLAF. Restrictions may be based on Article 25(1)(b), (d), (f) and (h) of Regulation (EU) 2018/1725;
(c) whistleblowing procedures. Restrictions may be based on Article 25(1)(b), (d), (f) and (h) of Regulation (EU) 2018/1725;
(d) formal and informal procedures for dealing with harassment. Restrictions may be based on Article 25(1)(b), (d), (f) and (h) of Regulation (EU) 2018/1725;
(e) processing internal and external complaints. Restrictions may be based on Article 25(1)(b), (c), (d), (f), (g) and (h) of Regulation (EU) 2018/1725;
(f) internal audits. Restrictions may be based on Article 25(1)(b), (c), (f), (g) and (h) of Regulation (EU) 2018/1725;
(g) investigations carried out by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725. Restrictions may be based on Article 25(1)(c), (g) and (h) of Regulation (EU) 2018/1725;
(h) (IT) security investigations handled internally or with external involvement (e.g. CERT-EU). Restrictions may be based on Article 25(1)(b), (c), (d), (g) and (h) of Regulation (EU) 2018/1725;
(i) the information exchange in the framework of the operational activities of the Agency to fulfil its mandate, in particular the reception of inspection reports pursuant to Article 123 of Implementing Regulation (EU) No 404/2011, Articles 18, 19 and 20 of Regulation (EU) No 1236/2010 and Articles 30, 33 and 34 of Regulation (EU) 2019/833, as well as of information and data received from Member States in the context of analysis provided to the European Commission for the preparation and conduct of on-the-spot audits in third countries under Article 20(4)(c) of Regulation (EC) No 1005/2008. Restrictions may be based on Article 25(1)(b), (c), (d), (g) and (h) of Regulation (EU) 2018/1725.
2. In duly justified cases and under the conditions stipulated in this decision, the right to confidentiality of electronic communications may be restricted by the controller in the context of the following processing operations, where necessary and proportionate:
(a) the performance of administrative inquiries and disciplinary proceedings; Restrictions may be based on Article 25(1)(b), (c), (d), (f), (g) and (h) of Regulation (EU) 2018/1725;
(b) preliminary activities related to cases of potential irregularities reported to OLAF; Restrictions may be based on Article 25(1)(b), (d), (f) and (h) of Regulation (EU) 2018/1725;
(c) whistleblowing procedures. Restrictions may be based on Article 25(1)(b), (d), (f) and (h) of Regulation (EU) 2018/1725;
(d) formal and informal procedures for cases of harassment. Restrictions may be based on Article 25(1)(b), (d), (f) and (h) of Regulation (EU) 2018/1725;
(e) processing internal and external complaints. Restrictions may be based on Article 25(1)(b), (c), (d), (f), (g) and (h) of Regulation (EU) 2018/1725;
(f) (IT) security investigations handled internally or with external involvement (e.g. CERT-EU). Restrictions may be based on Article 25(1)(b), (c), (d), (g) and (h) of Regulation (EU) 2018/1725;
(g) the information exchange in the framework of the operational activities of the Agency to fulfil its mandate, in particular the reception of inspection reports pursuant to Article 123 of Implementing Regulation (EU) No 404/2011, as well as of information and data received from Member States in the context of analysis provided to the European Commission for the preparation and conduct of on-the-spot missions in third countries under Article 20(4)(c), (d) of Regulation (EC) No 1005/2008. Restrictions may be based on Article 25(1)(b), (c), (d), (g) and (h) of Regulation (EU) 2018/1725.
3. Where the Agency restricts the communication of a personal data breach to the data subject or the confidentiality of electronic communications referred to in Articles 35 and 36 of Regulation (EU) 2018/1725, it shall record and register the reasons for the restriction in accordance with Article 5(3) of this decision. Article 5(4) of this Decision shall apply.
Article 9
Entry into force
This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Done at Vigo, 22 April 2020.
Chair of the Administrative Board
Reinhard PRIEBE
(1) OJ L 295, 21.11.2018, p. 39.
(2) OJ L 83, 25.3.2019, p. 18.
(3) Commission Implementing Regulation (EU) No 404/2011 of 8 April 2011 laying down detailed rules for the implementation of Council Regulation (EC) No 1224/2009 establishing a Community control system for ensuring compliance with the rules of the Common Fisheries Policy (OJ L 112, 30.4.2011, p. 1).
(4) Regulation (EU) No 1236/2010 of the European Parliament and of the Council of 15 December 2010 laying down a scheme of control and enforcement applicable in the area covered by the Convention on future multilateral cooperation in the North-East Atlantic fisheries and repealing Council Regulation (EC) No 2791/1999 (OJ L 348, 31.12.2010, p. 17).
(5) Regulation (EU) 2019/833 of the European Parliament and of the Council of 20 May 2019 laying down conservation and enforcement measures applicable in the Regulatory Area of the Northwest Atlantic Fisheries Organisation, amending Regulation (EU) 2016/1627 and repealing Council Regulations (EC) No 2115/2005 and (EC) No 1386/2007 (OJ L 141, 28.5.2019, p. 1).
(6) Council Regulation (EC) No 1005/2008 of 29 September 2008 establishing a Community system to prevent, deter and eliminate illegal, unreported and unregulated fishing, amending Regulations (EEC) No 2847/93, (EC) No 1936/2001 and (EC) No 601/2004 and repealing Regulations (EC) No 1093/94 and (EC) No 1447/1999 (OJ L 286, 29.10.2008, p. 1).
(7) Commission Decision 2009/988/EU of 18 December 2009 designating the Community Fisheries Control Agency as the body to carry out certain tasks under Council Regulation (EC) No 1005/2008 (OJ L 338, 19.12.2009, p. 104).
(8) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(9) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).