Rules of Procedure on the Processing and Protection of Personal Data at Eurojust (32020Q0224(02))

RULES OF PROCEDURE ON THE PROCESSING AND PROTECTION OF PERSONAL DATA AT EUROJUST

THE COLLEGE OF EUROJUST,
Having regard to Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust) and replacing and repealing Council Decision 2002/187/JHA, hereinafter referred to as ‘the Eurojust Regulation’,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, hereinafter referred to as ‘Regulation (EC) No 2018/1725’,
Having regard to the Rules of Procedure of Eurojust approved by the Council by Implementing Decision (EU) 2019/2250 of 19 December 2019 and adopted by the College on 20 December 2019, and in particular Article 17 thereof,
Having regard to Opinions of the Joint Supervisory Body issued on 28 October 2019 and 11 December 2019,
Having regard to the Opinion of the European Data Protection Supervisor issued on 13 December 2019,
Considering the approval of these Rules of Procedure by the Council by means of Implementing Decision (EU) 2019/2250 of 19 December 2019,
HAS ADOPTED THESE RULES OF PROCEDURE ON THE PROCESSING AND PROTECTION OF PERSONAL DATA AT EUROJUST ON 20 DECEMBER 2019:

TITLE I

SCOPE, STRUCTURE AND DEFINITIONS

Article 1

Scope and definitions

1.   The rules of procedure on the processing and protection of personal data at Eurojust (hereinafter ‘rules of procedure’) implement the data protection provisions of the Eurojust Regulation and Regulation (EC) No 2018/1725.
2.   They shall apply to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
3.   The rules of procedure shall apply to all personal data processed by Eurojust, including those personal data contained in information drawn up or received by it and in its possession, concerning matters relating to the policies, activities and decisions falling within the framework of its competence.

Article 2

Structure

1.   These rules of procedure apply to both operational and administrative personal data processed by Eurojust.
2.   Operational data shall be processed in accordance with Title II.
3.   Administrative data shall be processed in accordance with Title III.

TITLE II

RULES FOR OPERATIONAL PERSONAL DATA PROCESSING OPERATIONS

CHAPTER I

General principles of processing of operational personal data

Article 3

Controllership of processing of operational personal data at Eurojust

With regard to the processing of operational personal data, Eurojust as data controller shall act through the National members who shall, in accordance with Article 24(1) of the Eurojust Regulation, be responsible for the management of the cases opened by them in the exercise of their tasks as defined by the Eurojust Regulation, or initiated by them in case Eurojust will act as a College in accordance with Article 5(2)(a) of the Eurojust Regulation.

Article 4

Specific processing conditions

National members receiving operational personal data from competent national authorities shall comply with specific processing conditions imposed by those in accordance with Article 9(3) and (4) of Directive (EU) 2016/680 and shall also inform those national authorities of any specific conditions imposed by EU applicable law to them which apply to any operational personal data the National members provide to the national authorities where appropriate.

Article 5

Data quality

If Eurojust detects any inaccuracy affecting the data received from a Member State in the context of an investigation or prosecution or from a Union institution, body, office or agency, the National Member shall instruct, after consultation with the national authorities, to correct the information without delay and inform the respective Member State or a Union institution, body, office or agency from whom the information was received.

Article 6

Data security

All Eurojust postholders shall be adequately informed about the Eurojust security policy and shall be required to use the technical and organisational measures put at their disposal, including following the required training, in line with the applicable data protection and security requirements.

CHAPTER II

Rights of the data subjects

Article 7

Procedure for the exercise of the rights of the data subjects in case of operational personal data processing

1.   Requests for the exercise of data subject rights shall be dealt with by the National Member(s) concerned with the request, who shall provide a copy of the request to the Data Protection Officer for its registration.
2.   The National Member(s) concerned shall consult the competent authorities of the Member States on the decision to be taken in response to a request.
3.   The Data Protection Officer shall, should the case so require, carry out additional checks in the Case Management System and inform the National Member(s) concerned if any additional relevant information has been found through these checks. The National Member(s) concerned shall take into account the information provided by the Data Protection Officer and, when appropriate, reconsider the initial decision.
4.   The legal and factual reasons on which the decision is taken by the National Member(s) shall be documented in the Temporary Work File concerning the request in the Case Management System and shall be made available to the EDPS on request.
5.   The Data Protection Officer shall communicate the decision taken by the National Member(s) concerned on behalf of Eurojust to the data subject, and shall inform the data subject of the possibility to lodge a complaint with the EDPS if he or she is not satisfied with the decision or to seek a judicial remedy before the Court of Justice.
6.   In the cases where the request has been received through a national supervisory authority, Eurojust shall inform this authority of a decision communicated by the Data Protection Officer to the data subject.

Article 8

Information to third parties following rectification, restriction or erasure of operational personal data

Eurojust shall put in place appropriate technical measures to ensure that, in the cases where Eurojust rectifies, restricts or erases personal data following a request, a list of the suppliers and recipients of these data is automatically produced.

CHAPTER III

The Case Management System

Article 9

Temporary work files and index in the Case Management System

1.   The case management system shall automatically allocate a unique reference number (identifier) to each new temporary work file opened.
2.   When a National Member responsible for the management of a temporary work file as defined in Article 24(1) of the Eurojust Regulation gives access to a temporary work file or a part of it to one or more involved National Member(s), the case management system shall ensure that the authorised users under the profile of that national desk under the responsibility of the National Member have access to the relevant parts of the file but that they cannot modify the data introduced by the original author. The authorised users can, however, add any relevant information to the new parts of the temporary work files. Likewise, information contained in the index can be read by all authorised users of the system but can only be modified by its original author.
3.   The Data Protection Officer shall be automatically informed by the case management system of the creation of each new work file that contains personal data.
4.   The case management system shall ensure that only operational personal data referred to in paragraph 1(a) to (i), (k) and (m) and (2) of Annex II of the Eurojust Regulation can be recorded by the National Member concerned, who has opened a temporary work file, in the index in accordance with Articles 23(4) and 24(3) of the Eurojust Regulation.
5.   When, in accordance with Article 23(6) of the Eurojust Regulation, National Members wish to temporarily store and analyse personal data for the purpose of determining whether such data are relevant to Eurojust’s tasks, they shall create a draft temporary work file which shall remain only accessible to them and those authorised by them within their desk’s profile. After three months the draft temporary work file should either be converted into a temporary work file in the case management system or shall be automatically deleted by the system. The system shall provide an alert to the National Member concerned before such time has elapsed to remind him/her of the need to take a decision regarding the draft file.
6.   The National Member(s) concerned shall ensure that the information contained in the index is sufficient to comply with the tasks of Eurojust as defined in Article 2 of the Eurojust Regulation.

Article 10

Special categories of data

1.   Eurojust shall take appropriate technical measures to ensure that the Data Protection Officer is automatically informed of the exceptional cases in which recourse is made to Article 27(4) of the Eurojust Regulation. The case management system shall ensure that such data cannot be included in the index referred to in Article 23(1) and 23(4) of the Eurojust Regulation.
2.   When such data refer to witnesses or victims within the meaning of Article 27(2) of the Eurojust Regulation the case management system shall not record this information unless the national members concerned decide otherwise. The decision to process such data shall be documented.

Article 11

Processing of the categories of operational personal data referred to in Article 27(2) and 27(3) of the Eurojust Regulation

1.   Eurojust shall take appropriate technical measures to ensure that the Data Protection Officer is automatically informed of the exceptional cases in which, for a limited period of time, recourse is made to Article 27(3) of the Eurojust Regulation. The case management system shall mark such data in a way that will remind the person who has introduced the data in the system of the obligation to keep these data for a limited period of time.
2.   When such data refer to witnesses or victims within the meaning of Article 27(2) of the Eurojust Regulation, the case management system shall not record this information unless the national members concerned decide otherwise. The decision to process such data shall be documented.

Article 12

Authorised access to operational personal data

1.   Each National Member of Eurojust shall document and inform the Data Protection Officer regarding the access policy he or she has authorised in line with Article 34 of the Eurojust Regulation within his or her national desk regarding operational personal data.
2.   National Members may, on a case-by-case basis, decide to give a specific authorisation to access a temporary work file or parts of it to a person who is not a Eurojust staff member but who is working on behalf of Eurojust and belongs to a specific category of postholders who has beforehand been authorised by the Administrative Director of Eurojust in line with Article 24(2) of the Eurojust Regulation to be granted access to the Case Management System.
3.   National Members shall ensure that appropriate organisational arrangements are made and complied with within their desks and that proper use is made of the technical and organisational measures, including following the required training, put at their disposal by Eurojust.
4.   In accordance with Article 34 of the Eurojust Regulation, the College may authorise other Eurojust staff to have access to operational personal data where necessary for the performance of the tasks of Eurojust.

Article 13

Records of processing activities

1.   The Eurojust Case Management System as defined in Article 23 of the Eurojust Regulation shall serve as the record of all processing activities mentioned in Article 35 of the Eurojust Regulation in as far as operational personal data is concerned.
2.   The Eurojust Case Management System shall contain a full record of transmission and receipt of operational personal data making it possible to establish any transmission of operational personal data and the identification of the national authority, organisation or third country or international organisation which transmitted or received such information to/from Eurojust.

CHAPTER IV

Data transfers to third countries or international organisations

Article 14

Data transfers to third countries or international organisations subject to appropriate safeguards

1.   A decision on the transfer of personal data to third countries or international organisations in accordance with Article 58(1) of the Eurojust Regulation shall be taken by the College of Eurojust at the request of the National Member(s) concerned, following an assessment carried out by the Data Protection Officer.
2.   The assessment referred to in paragraph 1 shall be provided by the Data Protection Officer within ten working days. When necessary for reasons of urgency, indicated by the National Member(s) concerned, the assessment shall be provided as soon as possible. In particularly complex cases, the Data Protection Officer may agree a longer timeframe for completing the assessment with the National Member(s) concerned.
3.   The assessment by the Data Protection Officer shall in particular address the issues referred to in Recitals 51 and 52 of the Eurojust Regulation. Where, in the course of carrying out the assessment of the appropriateness of the safeguards in the specific case, the Data Protection Officer has reservations, he/she may consult the EDPS before issuing an assessment on a specific transfer.

Article 15

Recording of international transfers to third countries or international organisations in the Case Management System

The Case Management System shall document any transfers of personal data to third countries or international organisations in line with Article 58(3) of the Eurojust Regulation and Article 94(4) of Regulation (EC) No 2018/1725.

CHAPTER V

Time limits

Article 16

Time limits for the storage of operational personal data

1.   Eurojust shall put in place appropriate technical measures to ensure that the time limits for the storage of operational personal data defined in Article 29 of the Eurojust Regulation are observed and that, when no justified decision is taken on the continued storage of operational personal data at the time of the review, those data shall be automatically deleted.
2.   The case management system shall in particular ensure that a review of the need to store data in a temporary work file is carried out every three years after they were entered. Such a review must be properly documented in the system, including the motivation for a decision taken on the continued storage of operational personal data, and it shall be automatically communicated to the Data Protection Officer. The results of such a decision, or lack of it, shall apply to the case as a whole, as defined in Article 29(2) of the Eurojust Regulation.
3.   The case management system shall particularly mark the data recorded for a limited period of time in accordance with Article 27(3) as well as the data mentioned in Article 27(4) of the Eurojust Regulation. If any operational personal data referred to in Article 27(4) are stored for a period exceeding five years the Case Management System will generate an alert to ensure that such information is automatically provided to the EDPS.
4.   In exceptional cases, where a National Member considers that operational personal data are further needed for archiving purposes in the public interest or statistical purposes as referred to in Article 29(7)(e) of the Eurojust Regulation, the College shall decide, after having heard the opinion of the Data Protection Officer, about the necessity to retain the data, in this particular case, for that specific purpose. The EDPS shall be informed when recourse is made to this procedure.

TITLE III

RULES FOR ADMINISTRATIVE PERSONAL DATA PROCESSING OPERATIONS

Article 17

Procedure for the exercise of the rights of the data subjects regarding administrative personal data processing operations

1.   Requests for the exercise of rights shall be addressed directly to the Administrative Director of Eurojust or to the Data Protection Officer. The Data Protection Officer shall be provided in any case with a copy of the request for its registration.
2.   If necessary, the Data Protection Officer shall assist the data subject and shall make available specific forms that can be used by the individuals to make their requests.
3.   The Administrative Director shall, on the basis of the information provided by the administrative entity directly involved in the processing of the personal data and of the advice of the Data Protection Officer, take a decision regarding the specific case.
4.   The Data Protection Officer shall communicate the decision taken by the Administrative Director to the data subject and shall inform the data subject of the possibility to lodge a complaint with the EDPS if he or she is not satisfied with the decision rendered by Eurojust.
5.   The request shall be dealt with in full within a month from the date of receipt. That period may be extended by another two months where necessary taking into account the number and complexity of the request. The Administrative Director shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. The data subject may lodge a complaint with the EDPS if Eurojust has not rendered a decision on the basis of his or her request within this time limit.

Article 18

Time limits for administrative personal data

1.   Each individual processing operation of administrative personal data taking place at Eurojust shall, in the light of its defined purpose and in full compliance with Article 4(1)(d) and Article 31(1)(f) of Regulation (EC) No 2018/1725, have a clear and defined time limit for storage in order to ensure that the data are kept for no longer than is necessary for the purposes for which the administrative personal data are processed. Such time limit shall be established for each category of data processed and documented in the record of processing activities.
2.   Eurojust shall keep administrative personal data in accordance with paragraph 1, for as long as necessary and in any case no longer than the periods indicated for each category of processing activities in the table appended as an annex to these rules.
3.   The Executive Board, acting on a proposal from the Administrative Director, may determine shorter retention periods than the ones included in the annex to these rules.

TITLE IV

FINAL PROVISIONS

Article 19

Review of the present Rules of Procedure

1.   These rules shall be reviewed regularly to assess if any amendment is necessary. Any amendment to the rules of procedure shall follow the same procedure established for their approval in the Eurojust Regulation.
2.   The EDPS shall bring to the attention of the College any suggestions or recommendations regarding amendments to the rules of procedure.

Article 20

Entry into force and publication

The rules of procedure shall be published in the Official Journal of the European Union and shall enter into force the day following their publication.

ANNEX

Maximum time limits for the retention of administrative personal data

1 year

Data processing activities related to the organisation and management of Eurojust events, business continuity management, management of Eurojust library and any other related processing activities.

1 year

Data processing activities related to the relations with external partners of Eurojust and the EJN, organisation of the annual Consultative Forum meeting,

1 year

Data processing activities related to the functioning of the Eurojust Staff Committee and any other related processing activities.

1 year

Data processing activities related to the functioning of the Eurojust Social Committee and any other related processing activities.

3 years

Data processing activities related to the monitoring of compliance with Eurojust data protection legislation, including dealing with the requests from data subjects, cooperation with the European Data Protection Supervisor and any other related processing activities.

3 years

Data processing activities related to the management of public relations, marketing, press and media and any other related processing activities.

7 years

Data processing activities related to the implementation of the budget of Eurojust according to legal obligations: College Decisions (e.g. on the Financial Regulation applicable to Eurojust), Administrative Director Decisions, Eurojust Decisions and Policies, etc., management of missions and claims, any other related processing activities.

7 years

Data processing activities related to the functioning of the Genocide Network Secretariat, JITs network Secretariat, EJN and any other related processing activities.

10 years

Data processing activities related to the day-to-day management of administration, staff management, functioning of the Presidency and Executive Board, College teams, implementation of multi-annual programming documents, annual plans and work programmes, implementation of budget and accounts, marketing and public relations, procurement procedures and contract administration, management of business contacts, implementation of Eurojust rules on access to documents, participation in various projects relating to Eurojust legal framework and strategic objectives and any other related processing activities.

10 years

Data processing activities related to the security and safety services carried out to ensure security and access control for the protection of Eurojust building and key assets (physical assets, persons working and visiting Eurojust and information) and any other related processing activities.

10 years

Data processing activities related to the implementation of the Staff Regulations and Conditions of Employment (CEOS), Commission Decisions, Administrative Director Decisions, Eurojust Decisions and Policies regarding the human resources management and any other related processing activities.

10 years

Data processing activities related to the IT governance and IT management of Eurojust and any other related processing activities.

120 years

Data processing activities related to subsisting rights and obligations of staff members.
