DECISION OF THE EUROPEAN INVESTMENT FUND
of 4 June 2020
on internal rules concerning restrictions of certain rights of data subjects in relation to the processing of personal data in the framework of activities carried out by the European Investment Fund
THE EUROPEAN INVESTMENT FUND (EIF),
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (1) (hereinafter ‘the Regulation’), and in particular Article 25 thereof,
Having regard to the opinion (2) of the European Data Protection Supervisor (EDPS),
Whereas:
(1) EIF Compliance Department may, in the context of its functioning, conduct administrative inquiries, on the basis of the EIB Group Staff Code of Conduct, which implies processing of information including personal data.
(2) The EIF Data Protection Officer (DPO) may, on his or her own initiative or at the request of the controller or any individual, investigate matters and occurrences directly relating to his or her tasks which come to his or her notice and report back to the person who commissioned the investigation or to the controller, as per Article 45(2) of the Regulation.
(3) EIF Human and Resources Management Department may, in the context of its functioning, conduct disciplinary proceedings, on the basis of Section 6 of the EIF Staff Regulations, Title IV of the Dignity at Work Policy, and the applicable EIF codes of conduct.
(4) The members of EIF Board of Directors, the Chief Executive, the Deputy Chief Executive and staff members as well as operation/transaction related parties have the obligation to report to the EIB’s Fraud Investigations Division (‘IG/IN’) any possible prohibited conduct (e.g. fraud or corruption), detrimental to the interests of the EIF and of the Union, or to report to other competent services any conduct relating to the discharge of professional duties which may constitute a serious failure to comply with any applicable obligations. In addition any member of the public, individual, entity can report allegation of Prohibited Conduct to IG/IN.
(5) Investigations into Prohibited Conduct, as defined in the EIF’s Anti-Fraud Policy, are conducted by IG/IN, as data processor, based on the Framework Agreement between the EIF and the EIB concerning provision of services.
(6) The EIF conducts audits on its activities. This is currently performed through the Internal Audit Directorate of the EIB based on the Framework Agreement between the EIF and the EIB concerning provision of services.
(7) In the context of the tasks described in recitals 1 to 6, the EIF may provide and receive assistance and cooperation to and from other Union institutions, bodies, offices and agencies, as set in relevant service level agreements, memoranda of understanding and cooperation agreements.
(8) The EIF may provide and receive assistance and cooperation to and from EU Member States’ public authorities, upon their request or by its own initiative.
(9) The EIF may provide and receive assistance and cooperation to and from third countries’ national authorities and international organisations, upon their request or by its own initiative.
(10) In the context of the abovementioned activities, the EIF, acting as data controller, or any of the business partners of EIF referred to in recital 4 above, including the EIB’s Fraud Investigations Division, acting as data processor, or any other competent service may collect and process information and personal data, including identification data of a natural person, contact information, professional roles and tasks, information on private and professional conduct and performance, and financial data.
(11) Adequate safeguards are in place to protect personal data and prevent them from accidentally or unlawfully being accessed or transferred, both if they are stored in a physical or in an electronic environment. After processing, the data are retained in accordance with the applicable EIF retention rules, as defined in data protection records based on Article 31 of the Regulation. At the end of the retention period, the case related information, including personal data, is in line with the principles of the European Data Protection Regulations and related regulatory acts or EIF policies, deleted, fully anonymised or transferred to the historical archives.
(12) Within this context, the EIF is committed to fulfil its obligation to provide information to the data subjects in relation to the above processing activities and respect the rights of the data subjects, as laid down in the Regulation.
(13) It may be necessary to reconcile the rights of data subjects pursuant to the Regulation with the needs of the abovementioned activities, while fully respecting fundamental rights and freedoms of other data subjects. To that effect, Article 25 of the Regulation provides, under strict conditions, the possibility to restrict the application of Articles 14 to 20, 35 and 36, as well as Article 4 in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 20. In this case it is necessary to adopt internal rules under which the EIF may restrict the aforementioned rights of data subjects in line with the same Article of the Regulation.
(14) This might in particular be the case when providing information about the processing of personal data to the data subject at the preliminary assessment phase of an administrative inquiry or during the inquiry itself, prior to a possible dismissal of the case or a pre-disciplinary stage. In certain circumstances, providing such information might seriously affect the EIF’s capacity to conduct the inquiry in an effective way, whenever, for example, there is a risk that the person concerned destroys evidence or interferes with potential witnesses before they are interviewed. Furthermore, the EIF might need to protect the rights and freedoms of other persons involved. It might, in particular, be necessary to protect the privacy of a witness or a whistle-blower who has asked not to be identified. In such a case, the EIF may decide to restrict access to the identity, statements and other data relating to the whistle-blower and/or other persons involved, in order to protect their rights and freedoms.
(15) When providing or receiving assistance and cooperation to and from other Union institutions, bodies, offices and agencies, EU Member States’ public authorities, third countries’ national authorities and international organisations in the context of the abovementioned activities, the EIF, in certain circumstances, and subject to the maintenance of the minimum data protection level required by the EDPS, might need to preserve the effectiveness of its inquiries or of those carried out by the entity it cooperates with, and protect, as necessary, persons involved and their rights and freedoms.
(16) The EIF shall apply restrictions only when they respect the essence of the fundamental rights and freedoms, and are strictly necessary and a proportionate measure in a democratic society. The EIF shall give justifications explaining the grounds for those restrictions.
(17) Based on the principle of accountability, the EIF shall keep a record of the application of the restrictions.
(18) When processing personal data exchanged with other organisations in the context of its tasks, the EIF shall consult and shall be consulted by those organisations on the possible relevant grounds for imposing restrictions and the necessity and proportionality of the restrictions, unless this would jeopardise the activities of the EIF.
(19) Article 25(6) of the Regulation obliges the controller to inform data subjects of the principal reasons on which the application of the restriction is based and of their right to lodge a complaint with the EDPS.
(20) Pursuant to Article 25(8) of the Regulation, the EIF may defer, omit or deny the provision of information on the reasons for the application of a restriction to the data subject if this would in any way cancel the effect of the restriction. The EIF shall assess on a case-by-case basis whether the communication of the restriction would cancel its effect.
(21) The DPO may carry out an independent review of the application of the restrictions, with a view to ensuring compliance with the present Decision,
HAS ADOPTED THIS DECISION:
Article 1
Subject matter and scope
The present Decision lays down rules relating to the conditions under which the EIF may restrict the application of Articles 14 to 20, 35 and 36, as well as Article 4 thereof based on Article 25 of the Regulation.
Article 2
Restrictions
1. In accordance with Article 25(1) of the Regulation, the EIF may, on a case by case basis only, restrict the application of Articles 14 to 20, 35 and 36, as well as Article 4 thereof, in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 20, when:
(a) conducting administrative inquiries, on the basis of the EIB Group Staff Code of Conduct and other applicable Codes of Conduct;
(b) conducting investigations related to matters and occurrences directly relating to the DPO tasks, as per Article 45(2) of the Regulation;
(c) conducting disciplinary proceedings, on the basis of Section 6 of the EIF Staff Regulations, Title IV of the Dignity at Work Policy, the EIB Group Staff Code of Conduct and other applicable EIF codes of conduct;
(d) ensuring that EIF staff members may confidentially report facts where they believe there are serious irregularities as regulated by the EIB Group Whistleblowing Policy;
(e) ensuring that EIF staff members may confidentially report facts where they believe there are suspicions of prohibited conduct, including fraud or corruption, detrimental to the interests of the Union, or conduct relating to the discharge of professional duties which may constitute a serious failure to comply with the EIF Staff members’ obligations, as regulated by the EIB Group Whistleblowing Policy, the EIF Anti-Fraud Policy, and the relevant EIF Codes of Conduct;
(f) conducting investigations of Prohibited Conduct, as per the EIF’s Anti-Fraud Policy;
(g) conducting internal audits in relation to all the activities and departments of the EIF;
(h) providing or receiving assistance and cooperation to and from other Union institutions, bodies, offices and agencies, in the context of the abovementioned activities, as set out in relevant service level agreements, memoranda of understanding and cooperation agreements;
(i) providing or receiving assistance and cooperation to and from EU Member States’ public authorities, upon their request or by its own initiative;
(j) providing or receiving assistance and cooperation to and from third countries’ national authorities and international organisations, upon their request or by its own initiative.
2. The categories of data may include the identification data of a natural person, contact information, professional roles and tasks, information on private and professional conduct and performance, case involvement data and financial data.
3. The application of the abovementioned restrictions is without prejudice to the possible application of the provisions of Article 16(5) and 17(4) of the Regulation, relating, respectively, to the right of information when data have not been obtained from the data subject, and to the right of access by the data subject.
4. Any restriction shall respect the essence of the fundamental rights and freedoms and be necessary and proportionate in a democratic society, as addressed in the Regulation, corresponding regulatory acts or internal policies of EIF or EIB Group.
5. Any restriction shall be based on an express authorisation in an effective internal EIF policy or procedure and shall affect the rights of the data subject(s) concerned to the least extent possible, as confirmed by the DPO.
6. A necessity and proportionality test shall be carried out on a case-by-case basis and to the satisfaction of the DPO before restrictions are applied. Restrictions shall be limited to what is strictly necessary to achieve the set objectives. Restrictions shall only be established for the time any relevant ground under paragraph 1, which is referred to as motivation for the restriction, so requires, as is evidenced to the satisfaction of the DPO.
7. Where IG/IN restricts, wholly or partly, the provision of information to the data subjects relevant to an investigation (person concerned, witness or informant), it shall record the reasons for the restriction, including an assessment of the necessity and proportionality of the restriction. To that end, the record shall state how the provision of the information would jeopardise the purpose of IG/IN’s investigative activities, or of restrictions applied pursuant to Article 2(1)(f), (g) and (h) of this Decision, or would adversely affect the rights and freedoms of other data subjects. The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor (EDPS) on request.
8. The EIF, shall file, for accountability purposes, a record describing the reasons for the restrictions applied, which grounds among those listed in paragraph 1 apply and the outcome of the necessity and proportionality test. Those records shall be part of an ad hoc register, which shall be made available on request to the EDPS.
9. When processing personal data exchanged with other organisations in the context of its tasks, the EIF shall consult and shall be consulted by those organisations on the possible relevant grounds for imposing restrictions and the necessity and proportionality of the restrictions, unless this would jeopardise the activities of the EIF.
Article 3
Risks to the rights and freedoms of data subjects
The assessment of the risks to the rights and freedoms of data subjects whose personal data may be subject to restrictions, as well as their retention period, are referenced in the record of the relevant processing activities in accordance with Article 31 of the Regulation and, if applicable, in relevant data protection impact assessments based on Article 39 of the Regulation.
Article 4
Storage periods and safeguards
The EIF shall implement safeguards to prevent abuse or unlawful access or transfer of personal data that may be subject to restrictions. These safeguards shall include technical and organisational measures and be detailed, as necessary, in EIF internal decisions, procedures and implementing rules. The safeguards shall include:
(1) an adequate definition of roles, responsibilities and procedural steps;
(2) if applicable, a secure electronic environment which prevents unlawful or accidental access or transfer of electronic data to unauthorised persons;
(3) if applicable, secure storage and processing of paper-based documents;
(4) due monitoring of restrictions and a periodical revision by the DPO, which shall be done at least every six months. A revision must also be carried out when essential elements of the case at hand change. The restrictions shall be lifted as soon as the circumstances that justify them no longer apply.
Article 5
Information to and review by the Data Protection Officer
1. The DPO shall be informed without undue delay whenever the rights of any data subject are restricted in accordance with the present Decision and shall be provided full and unrestricted access to all records and any documents containing underlying factual and legal elements, which are relevant for the decision on the restriction and the monitoring of the maintenance of the restriction.
2. The DPO may request to review the application of the restriction.
3. Should the DPO, in the course of his or her own investigations, apply restrictions, he or she will inform the controller without undue delay.
4. The involvement of the DPO in the restrictions process, including information exchanges, shall be documented in the appropriate form and included in the relevant records and registers.
5. In the context of Prohibited Conduct Investigations, the EIB’s Fraud Investigations Division will consult the DPO prior to the application of certain grounds for restriction, referred to in Article 25 of the Regulation to data processing operations carried out in the framework of its tasks set out in the EIF’s Anti-Fraud Policy, the Fraud Investigations Division’s Charter and Investigations Procedures.
Article 6
Information to data subjects on restrictions to their rights
1. The EIF shall include in the data protection notices published on its website general information to the data subjects related to the potential restrictions of all data subjects’ rights described in Article 2(1). The information shall cover which rights may be restricted.
2. The EIF shall inform data subjects individually on present or future restrictions of their rights without undue delay and in a written form, as further specified in Articles 7, 8 and 9.
Article 7
Right to information to be provided to data subjects and communication on data breaches
1. Where in the context of the activities mentioned in the present Decision, the EIF, restricts, wholly or partly, their rights of data subjects referred to in Articles 14 to 16 and 35 of the Regulation, data subjects shall be informed of the principal reasons on which the application of the restriction is based, and of their right to lodge a complaint with the EDPS as well as seeking a judicial remedy before the Court of Justice of the European Union. Such restriction shall follow the rules established and the process described in the present Decision.
2. The EIF may defer, omit or deny the provision of information concerning the reasons for the restriction referred to in paragraph 1 to the extent that and for as long as it would jeopardise the purpose of the restriction. This assessment shall take place on a case-by-case basis. Any such deferral or denial must be adequately justified to the satisfaction of the DPO and will be included in the relevant records and registers. For the avoidance of doubt, data subjects concerned shall be informed of their rights to lodge a complaint with the EDPS as well as seeking a judicial remedy before the Court of Justice of the European Union against the decision to defer or deny them the provision of the information referred to under paragraph 1 above.
Article 8
Data subjects’ right of access, rectification, erasure and restriction of processing
1. Where in the context of the activities mentioned in the present Decision, the EIF restricts, wholly or partly, the right of access to personal data, the right to rectification, erasure, and restriction of processing, as referred to in Articles 17 to 20 respectively of the Regulation, it shall inform the data subject concerned, in its reply to the request, of the principal reasons on which the application of the restriction is based, and of the possibility of lodging a complaint with the EDPS or of seeking a judicial remedy before the Court of Justice of the European Union.
2. Where the right of access is wholly or partly restricted, the EIF, when investigating the request, shall only inform the data subject of whether the data have been processed correctly and, if not, whether any necessary corrections have been made, in accordance with Article 25(7) of the Regulation.
3. The EIF may defer, omit or deny the provision of information concerning the reasons for the restriction referred to in paragraph 1 and 2 to the extent that and for as long as it would jeopardise the purpose of the restriction. This assessment shall take place on a case-by-case basis and shall follow the rules established and the process described in the present Decision.
Article 9
Confidentiality of electronic communication
1. The EIF, under exceptional circumstances, and in line with the provisions and the rationale of Directive 2002/58/EC of the European Parliament and of the Council (3), may restrict the right to confidentiality of electronic communications, as referred to in Article 36 of the Regulation. In this case, the EIF shall detail circumstances, grounds, relevant risks and related safeguards in specific internal rules.
2. Where the EIF restricts the right to confidentiality of electronic communications, it shall inform the data subject concerned, in its reply to their request, of the principal reasons on which the application of the restriction is based, and of the possibility of lodging a complaint with the EDPS or of seeking a judicial remedy before the Court of Justice of the European Union.
3. The EIF may defer, omit or deny the provision of information concerning the reasons for the restriction referred to in paragraph 1 and 2 for as long as it would cancel the effect of the restriction. This assessment shall take place on a case-by-case basis.
Article 10
Entry into force
The present Decision and any amendments thereto shall be approved by the EIF Board of Directors and shall enter into force on the twentieth day after its publication in the
Official Journal of the European Union
.
Done at Luxembourg, 4 June 2020.
(1)
OJ L 295, 21.11.2018, p. 39
.
(2) EDPS comments and recommendations dated 20 February 2020 (DH/CCP/ALS/D(2020) 0372 C2019-1114).
(3) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (
OJ L 201, 31.7.2002, p. 37
).
Feedback