Home Über uns Sitemap Login Registrieren
Decision of the Management Board of the Agency for Support for BEREC (BEREC O... (32020Q0424(01))
EU - Rechtsakte: 01 General, financial and institutional matters

DECISION OF THE MANAGEMENT BOARD OF THE AGENCY FOR SUPPORT FOR BEREC (BEREC OFFICE)

of 10 September 2019

laying down internal rules concerning restrictions of certain rights of data subjects in relation to the processing of personal data in the framework of activities carried out by the BEREC Office

THE MANAGEMENT BOARD,
Having regard to Regulation (EU) 2018/1971 of the European Parliament and of the Council of 11 December 2018 establishing the Body of European Regulators for Electronic Communications (BEREC) and the Agency for Support for BEREC (BEREC Office), amending Regulation (EU) 2015/2120 and repealing Regulation (EC) No 1211/2009 (1), and in particular Article 36(4) thereof,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (2) (‘the Regulation’), and in particular Article 25 thereof,
Whereas:
(1) The BEREC Office may, in the context of its functioning, conduct administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings, on the basis of Annex IX to the Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the European Union (3) and in compliance with Decision MC/2012/3 by the Management Committee of the Office of the Body of European Regulators for Electronic Communications (BEREC Office) laying down general implementing provisions on the conduct of administrative inquiries and disciplinary procedures, which implies processing of information including personal data.
(2) The BEREC Office staff members have the obligation to report possible illegal activities, including fraud or corruption, detrimental to the interests of the Union, or of conduct relating to the discharge of professional duties, which may constitute a serious failure to comply with the obligations of staff members of the Union. This is regulated by Decision No MC/2018/11 of the Management Committee of the Office of the Body of European Regulators for Electronic Communications (BEREC Office) laying down guidelines on whistleblowing of the BEREC Office.
(3) The BEREC Office has set out a policy to prevent and deal effectively and efficiently with actual or potential cases of psychological or sexual harassment at the workplace, as provided for by Decision No MC/2016/15 of the Management Committee of the Office of the Body of European Regulators for Electronic Communications (BEREC Office) on the policy on protecting the dignity of the person and preventing psychological harassment and sexual harassment.
(4) In the context of the above-mentioned activities, the BEREC Office collects and processes relevant information and several categories of personal data, including identification data of a natural person, contact information, professional roles and tasks, information on private and professional conduct and performance, and financial data. The BEREC Office acts as data controller.
(5) Adequate safeguards are in place to protect personal data and prevent them from accidental or unlawful access or transfer, both if they are stored in a physical or in an electronic environment. After processing, the data are retained in accordance with the applicable BEREC Office’s retention rules, as defined in data protection records based on Article 31 of the Regulation. At the end of the retention period, the case related information, including personal data, is deleted, anonymised or transferred to the historical archives.
(6) Within this context, the BEREC Office is bound to fulfil its obligation to provide information to the data subjects in relation to the above processing activities and respect the rights of the data subjects, as laid down in the Regulation.
(7) It may be necessary to reconcile the rights of data subjects pursuant to the Regulation with the needs of the above-mentioned activities, while fully respecting fundamental rights and freedoms of other data subjects. To that effect, Article 25 of the Regulation provides, under strict conditions, the possibility to restrict the application of Articles 14 to 20, 35 and 36, as well as Article 4 insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 20. In this case, it is necessary to adopt internal rules under which the BEREC Office may restrict those rights in line with the same Article of the Regulation.
(8) This might in particular be the case when providing information about the processing of personal data to the data subject at the preliminary assessment phase of an administrative enquiry or during the enquiry itself, prior to a possible dismissal of the case or a pre-disciplinary stage. In certain circumstances, providing such information might seriously affect the BEREC Office’s capacity to conduct the enquiry in an effective way, whenever, for example, there is a risk that the person concerned destroys evidence or interferes with potential witnesses before they are interviewed. Furthermore, the BEREC Office might need to protect their rights and freedoms as well as the rights and freedoms of other persons involved.
(9) It might be necessary to protect the confidentiality of a witness or a whistle-blower who has asked not to be identified. In such a case, the BEREC Office may decide to restrict access to the identity, statements and other personal data of the whistle-blower and other persons involved, in order to protect their rights and freedoms.
(10) It might be necessary to protect the confidentiality of a staff member who has contacted BEREC Office’s confidential counsellors in the context of a harassment procedure. In such a case, the BEREC Office may decide to restrict access to the identity, statements and other personal data of the alleged victim, the alleged harasser and other persons involved, in order to protect their rights and freedoms.
(11) The BEREC Office should apply restrictions only when they respect the essence of the fundamental rights and freedoms, and are strictly necessary and a proportionate measure in a democratic society. The BEREC Office should give justifications explaining the grounds for those restrictions.
(12) Based on the principle of accountability, the BEREC Office should keep a record of the application of the restrictions.
(13) Article 25(6) of the Regulation obliges the controller to inform data subjects of the principal reasons on which the application of the restriction is based and of their right to lodge a complaint with the EDPS.
(14) Pursuant to Article 25(8) of the Regulation, the BEREC Office may defer, omit or deny the provision of information on the reasons for the application of a restriction to the data subject if this would in any way cancel the effect of the restriction. The BEREC Office should assess on a case-by-case basis whether the communication of the restriction would cancel its effect.
(15) The BEREC Office should lift the restriction as soon as the conditions that justify the restriction no longer apply, and assess those conditions on a regular basis.
(16) To guarantee the utmost protection of the rights and freedoms of data subjects and in accordance with Article 44(1) of the Regulation, the DPO should be informed in due time of any restrictions being applied and verify compliance with this Decision.
(17) The application of the above-mentioned restrictions is without prejudice to the possible application of the provisions of Article 16(5) and 17(4) of the Regulation, relating, respectively, to the right of information when data have not been obtained from the data subject, and to the right of access by the data subject.
(18) The European Data Protection Supervisor (‘EDPS’) has been consulted on 27 May 2019,
HAS ADOPTED THIS DECISION:

Article 1

Subject matter and scope

This Decision lays down rules relating to the conditions under which the BEREC Office may restrict the application of Articles 14 to 20, 35 and 36, as well as Article 4 thereof based on Article 25 of the Regulation.

Article 2

Restrictions

1.   In accordance with Article 25(1) of the Regulation, the BEREC Office may restrict the application of Articles 14 to 20, 35 and 36, as well as Article 4 thereof, in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 20, when:
(a) conducting administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings, on the basis of Annex IX to the Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the European Union and in compliance with Decision MC/2012/3 by the Management Committee of the Office of the Body of European Regulators for Electronic Communications (BEREC Office) laying down general implementing provisions on the conduct of administrative inquiries and disciplinary procedures, which implies processing of information including personal data. Relevant restrictions may be based on Article 25(1)(c), (g), (h) of the Regulation;
(b) ensuring that BEREC Office’s staff members may confidentially report facts where they believe there are serious irregularities in compliance with Decision No MC/2018/11 of the Management Committee of the Office of the Body of European Regulators for Electronic Communications (BEREC Office) laying down guidelines on whistleblowing of the BEREC Office. Relevant restrictions may be based on Article 25(1)(h) of the Regulation;
(c) ensuring that BEREC Office’s staff members may confidentially report to confidential counsellors in the context of a harassment procedure in compliance with Decision No MC/2016/15 of the Management Committee of the Office of the Body of European Regulators for Electronic Communications (BEREC Office) on the policy on protecting the dignity of the person and preventing psychological harassment and sexual harassment. Relevant restrictions may be based on Article 25(1)(h) of the Regulation.
2.   The categories of data include identification data of a natural person, contact information, professional roles and tasks, information on private and professional conduct and performance, and financial data.
3.   Any restriction shall respect the essence of the fundamental rights and freedoms and be necessary and proportionate in a democratic society.
4.   A necessity and proportionality test shall be carried out on a case-by-case basis before restrictions are applied. Restrictions shall be limited to what is strictly necessary to achieve the set objectives taking into account the risks to the rights and freedoms of the data subjects.
5.   The BEREC Office shall file, for accountability purposes, a record describing the reasons for the restrictions applied, which grounds among those listed in paragraph 1 apply and the outcome of the necessity and proportionality test. Those records shall be part of an ad hoc register, which shall made available on request to the EDPS. A report on the application of Article 25 of the Regulation shall be made available periodically.

Article 3

Risks to the rights and freedoms of data subjects

The assessment of the risks to the rights and freedoms of data subjects whose personal data may be subject to restrictions, as well as their retention period, are referenced in the record of the relevant processing activities in accordance with Article 31 of the Regulation and, if applicable, in relevant data protection impact assessments based on Article 39 of the Regulation.

Article 4

Storage periods and safeguards

The BEREC Office shall implement safeguards to prevent abuse or unlawful access or transfer of personal data that may be subject to restrictions. These safeguards shall include technical and organisational measures and be detailed, as necessary, in BEREC Office’s internal decisions, procedures and implementing rules. The safeguards shall include:
(a) an adequate definition of roles, responsibilities and procedural steps;
(b) if applicable, a secure electronic environment which prevents unlawful or accidental access or transfer of electronic data to unauthorised persons;
(c) if applicable, secure storage and processing of paper-based documents.
(d) due monitoring of restrictions and a periodical revision, which shall be done at least every six months. A revision must also be carried out when essential elements of the case at hand change. The restrictions shall be lifted as soon as the circumstances that justify them no longer apply.

Article 5

Information to and review by the Data Protection Officer

1.   The DPO of the BEREC Office shall be informed without undue delay whenever the data subject rights are restricted in accordance with this Decision and shall be provided access to the record and any documents underlying factual and legal elements.
2.   The DPO of the BEREC Office may request to review the application of the restriction. The BEREC Office shall inform its DPO in writing about the outcome of the requested review.
3.   The involvement of the DPO of the BEREC Office in the restrictions procedure, including information exchanges, shall be documented in the appropriate form.

Article 6

Information to data subjects on restrictions to their rights

1.   The BEREC Office shall include in the data protection notices published on its website general information to the data subjects related to the potential restrictions of all data subjects’ rights described in Article 2(1) of this Decision. The information shall cover which rights may be restricted, the reasons and the potential duration of the restriction.
2.   Additionally, the BEREC Office shall inform data subjects individually on present or future restrictions of their rights without undue delay and in a written form, as further specified in Articles 7, 8 and 9 of this Decision.

Article 7

Right to information to be provided to data subjects and communication on data breaches

1.   Where in the context of the activities mentioned in this Decision, the BEREC Office restricts, wholly or partly, their rights mentioned in Articles 14 to 16 and 35 of the Regulation, data subjects shall be informed of the principal reasons on which the application of the restriction is based, and of their right to lodge a complaint with the EDPS as well as seeking a judicial remedy before the Court of Justice of the European Union.
2.   The BEREC Office may defer, omit or deny the provision of information concerning the reasons for the restriction referred to in paragraph 1 for as long as it would cancel the effect of the restriction. This assessment shall take place on a case-by-case basis.

Article 8

Data subjects’ right of access, rectification, erasure and restriction of processing

1.   Where in the context of the activities mentioned in this Decision, the BEREC Office restricts, wholly or partly, the right of access to personal data, the right to rectification, erasure, and restriction of processing, as referred to in Articles 17 to 20 respectively of the Regulation, it shall inform the data subject concerned, in its reply to their request, of the principal reasons on which the application of the restriction is based, and of the possibility of lodging a complaint with the EDPS or of seeking a judicial remedy before the Court of Justice of the European Union.
2.   The BEREC Office may defer, omit or deny the provision of information concerning the reasons for the restriction referred to in paragraph 1 if it would cancel the effect of the restriction. This assessment shall take place on a case-by-case basis.

Article 9

Confidentiality of electronic communication

1.   The BEREC Office, under exceptional circumstances, and in line with the provisions and the rationale of Directive 2002/58/EC of the European Parliament and of the Council (4), may restrict the right to confidentiality of electronic communications, as referred to in Article 36 of the Regulation. In this case, the BEREC Office shall detail circumstances, grounds, relevant risks and related safeguards in specific internal rules.
2.   Where the BEREC Office restricts the right to confidentiality of electronic communications, it shall inform the data subject concerned, in its reply to their request, of the principal reasons on which the application of the restriction is based, and of the possibility of lodging a complaint with the EDPS or of seeking a judicial remedy before the Court of Justice of the European Union.
3.   The BEREC Office may defer, omit or deny the provision of information concerning the reasons for the restriction referred to in paragraph 1 and 2 for as long as it would cancel the effect of the restriction. This assessment shall take place on a case-by-case basis.

Article 10

Entry into force

This Decision shall enter into force on the day of its publication in the
Official Journal of the European Union
.
Done at Riga, 10 September 2019.
For the Agency for Support for BEREC
Jeremy GODFREY
Chairperson of the Management Board
(1)  
OJ L 321, 17.12.2018, p. 1
.
(2)  
OJ L 295, 21.11.2018, p. 39
.
(3)  Regulation (EEC, Euratom, ECSC) No 259/68 of the Council of 29 February 1968 laying down the Staff Regulations and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission (
OJ L 56, 4.3.1968, p. 1
).
(4)  Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (
OJ L 201, 31.7.2002, p. 37
).
Markierungen
Leseansicht