Decision of the High Representative of the Union for Foreign Affairs and Security Policy
of 1 October 2019
on internal rules concerning restrictions of certain rights of data subjects in relation to processing of personal data in the framework of the functioning of the European External Action Service
(2019/C 370/06)
THE HIGH REPRESENTATIVE OF THE UNION FOR FOREIGN AFFAIRS AND SECURITY POLICY,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to the Council Decision 2010/427/EU of 26 July 2010 establishing the organisation and functioning of the European External Action Service (1),
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (2) ('Regulation (EU) 2018/1725'), and in particular Article 25 thereof,
Having regard to the opinion of the European Data Protection Supervisor in accordance with Article 41(2) of the Regulation (EU) 2018/1725, delivered on 28 June 2019,
Whereas:
(1) The European External Action Service (EEAS) carries out its activities in accordance with Decision 2010/427/EU.
(2) In accordance with Article 25(1) of Regulation (EU) 2018/1725, restrictions of the application of Articles 14 to 21, 35 and 36, as well as Article 4 of Regulation (EU) 2018/1725 insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 21, shall be laid down by the EEAS in internal rules, where they are not based on legal acts adopted on the basis of the Treaties.
(3) These internal rules, including their provisions on the assessment of the necessity and proportionality of a restriction, should not apply where a legal act adopted on the basis of the Treaties provides for a restriction of data subject rights.
(4) Where the EEAS performs its duties with respect to data subjects' rights under Regulation (EU) 2018/1725, it shall consider whether any of the exemptions laid down in that Regulation apply.
(5) Such restrictions may apply to different data subject rights, including the provision of information to data subjects, right of access, rectification, erasure, restriction of processing, communication of a personal data breach to the data subject or confidentiality of communication.
(6) Within the framework of its organisation and functioning the EEAS carries out activities involving personal data wherein it may be necessary and proportionate in a democratic society to impose a restriction in accordance with Article 25(1) of Regulation (EU) 2018/1725 in order to safeguard a legitimate interest, while respecting the essence of the fundamental rights and freedoms of data subjects.
(7) Such restrictions may apply to several categories of personal data, including factual data and assessment data.
(8) Assessments, observations and opinions are considered personal data in the meaning of Article 3(1) of Regulation (EU) 2018/1725. Limitations, in particular to the access, rectification and erasure of such assessments, observations or opinions in the context of staff selection and evaluation procedures, and in the context of activities of the Medical Service, the Mediation Service and the internal audit and inspection services for Union Delegations and Offices, are foreseen in these specific administrative procedures.
(9) In relation to selection and recruitment procedures, staff evaluation and public procurement procedures the right to access, rectification, erasure and restriction can be exercised only at certain points in time as foreseen in the relevant procedure in order to safeguard the rights of other data subjects and to respect the principles of equal treatment and the secrecy of deliberations.
(10) The data subject may exercise the right to rectification of assessments or opinions of EEAS medical officers and advisers by providing their comments or a report of a medical practitioner of their choice.
(11) In relation to the selection and recruitment procedures, it is not possible to modify the opinion or the assessment of the selection board. This right may be exercised through an appeal of the decision of the selection board. The assessments made by individual members of the selection board and the internal discussions of the selection board are covered by the secrecy of deliberations.
(12) In relation to the staff evaluations, including appraisal procedures, it is not possible to modify the opinion or the assessment of the different actors intervening in the appraisal procedure. Data subjects may exercise the right to rectification by providing their comments or by making an appeal as foreseen by the staff appraisal procedure.
(13) Restrictions to personal data rights and obligations shall be applied on a case-by-case basis and maintained for no longer than necessary for the fulfilment of the purpose of the restriction.
(14) The EEAS is committed to respecting, to the maximum extent possible, the fundamental rights of the data subjects, including the right of provision of information, access and rectification, right to erasure, restriction of processing, right of communication of a personal data breach to the data subject or confidentiality of communication, as enshrined in Regulation (EU) 2018/1725. However, the EEAS may also be required to restrict the rights and obligations for the purpose of protecting its activities and the fundamental rights and freedoms of others,
HAS DECIDED AS FOLLOWS:
Article 1
Subject-matter and scope
1. In accordance with Article 25 of Regulation (EU) 2018/1725 (the 'Regulation'), this Decision lays down rules relating to the conditions under which the EEAS, in the framework of its activities referred to in paragraph 2, may restrict the application of the rights and obligations under the Regulation Articles 14 to 21, 35 and 36, as well as Article 4 of the Regulation insofar as its provisions correspond to the rights and obligations provided for in the same Articles 14 to 21.
2. This Decision applies to the processing of personal data by the EEAS for the purposes of the following activities:
(i) internal investigations, including security investigations, administrative enquiries including on harassment or reported irregularities, disciplinary and suspension proceedings;
(ii) notifying and referring cases to the Investigation and Disciplinary Office of the Commission (IDOC) and the European Anti-Fraud Office (OLAF);
(iii) security analyses related to cyber security incidents or IT system abuse, including external involvement of CERT-EU, ensuring internal security by means of video surveillance, access control and investigation purposes, securing communication and information systems and carrying out technical security counter-measures;
(iv) investigating matters directly relating to the tasks of the Data Protection Officer of the EEAS (hereinafter 'DPO');
(v) internal audits;
(vi) inspections of EU Delegations and offices;
(vii) activities of the Medical Service and of medical advisers engaged by the EEAS;
(viii) activities of the Mediation Service;
(ix) public procurement procedures;
(x) staff selection procedures and staff evaluations;
(xi) collecting data for intelligence purposes, including situational awareness, counter-intelligence, early warning and intelligence analysis supporting the various EU decision-making bodies in the fields of the Common Foreign and Security Policy (CFSP), the Common Security and Defence Policy (CSDP), Counter-terrorism and Hybrid threats;
(xii) procedures on restrictive measures (sanctions) in pursuit of specific foreign and security policy objectives of the Union;
(xiii) activities to protect other important objectives of general public interest of the Union or of a Member State, in particular the objectives of the CFSP.
For the purposes of this Decision, the above activities shall include preparatory and follow-up actions directly related to the same activities.
3. The categories of personal data processed related to the above activities may contain factual data and assessment data. Factual data include data related to personal identification and other administrative details, metadata related to electronic communications and traffic data. Assessment data include the description and assessment of situations and circumstances, opinions, observations related to data subjects, evaluation of the conduct or performance of data subjects and reasoning underpinning individual decisions in connection with the administrative functioning of the EEAS.
Article 2
Specification of the controller and safeguards
1. The EEAS shall put in place specific safeguards to avoid data breaches, leakages or unauthorised disclosure of data under a restriction, such as
(a) enhanced security measures for storing physical supports with personal data;
(b) specific security measures for electronic databases and tools;
(c) restrictions on access and log files.
2. The data controller for the data processing activities is the EEAS. The organisational entities that may restrict rights and obligations referred to in Article 1(1) are the services that are in charge of the activities described under Article 1(2).
3. Restrictions to personal data rights and obligations should be maintained for no longer than necessary for the fulfilment of the purpose of the restriction. The retention period for personal data under a restriction shall be defined taking into account the purpose of the processing and shall include the timeframe necessary for administrative and judicial review.
Article 3
Restrictions
1. A restriction under this Decision may be applied by the EEAS on a case-by-case basis to safeguard:
(a) national security, public security or defence of Member States, including, but not limited to surveillance and processing of data for intelligence purposes or for the protection of human life, especially in response to natural or manmade disasters and terrorist attacks;
(b) the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including, but not limited to preventing threats to public security; such investigations may include administrative inquiries, disciplinary proceedings or OLAF investigations to the extent that there is a connection with the prevention or investigation of criminal offences;
(c) important objectives of general public interest of the Union or of a Member State, in particular CFSP objectives or important economic or financial interests of the Union or of a Member State, including, but not limited to monetary, budgetary and taxation matters, public health and social security, and procurement procedures and investigations serving important objectives of public interest of the Union;
(d) the internal security of Union institutions and bodies, including, but not limited to the electronic communications and information networks;
(e) the protection of judicial independence and judicial proceedings, including legal advice;
(f) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions or violations of obligations in the Staff Regulations (3) and the Financial Regulation (4), including cases with no connection to criminal offences;
(g) monitoring, inspection or regulatory functions connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (c), including, but not limited to the case of a targeted audit, an inspection or an investigation;
(h) the protection of the data subject or the rights and freedoms of others, including, but not limited to the protection of witnesses, interviewed persons in the context of security investigations, administrative inquiries, inspections and audits, whistleblowers and alleged victims of harassment;
(i) the enforcement of civil law claims.
2. Subject to Articles 4 to 8, the EEAS may restrict the rights and obligations referred to in Article 1(1) in relation to personal data obtained from another Union institution, body, agency or office, competent authorities of a Member State or third country or from an international organisation, in the following cases:
(a) where the exercise of those rights and obligations could be restricted by the other Union institution, body, agency or office on the basis of their relevant legal acts adopted in accordance with Article 25 or Chapter IX of the Regulation or their founding acts;
(b) where exercise of those rights and obligations could be restricted by the competent authorities of a Member State on the basis of legal acts adopted in accordance with Article 23 of Regulation (EU) 2016/679 (5) of the European Parliament and of the Council or under national measures transposing Articles 13(3), 15(3) or 16(3) of Directive (EU) 2016/680 (6) of the European Parliament and of the Council;
(c) where the exercise of those rights and obligations could jeopardise the EEAS cooperation with third countries or international organisations in the conduct of its activities, unless this need to cooperate is overridden by the interests or fundamental rights and freedoms of the data subjects.
Before applying a restriction under this paragraph, the EEAS shall consult the relevant Union institution, body, agency, office, international organisation or the competent authorities of a Member State unless it is patently clear that the restriction is provided for by a legal act referred to under this paragraph or such a consultation would jeopardise the EEAS activities.
3. Before applying a restriction, the EEAS shall consider if it is necessary and proportionate in a democratic society and that it respects the essence of the fundamental rights and freedoms of data subjects.
In making the necessity and proportionality assessment for each case, the EEAS shall:
i. weigh the risk to the rights and freedoms of the data subject against the risk to the rights and freedoms of others. The risks to the rights and freedoms of the data subject concern primarily their privacy, their reputation and the moment in time when they can start to exercise their rights of defence; and
ii. consider the need to safeguard the objective of the EEAS activities under Article 1(2), in particular the risk of destroying or hiding evidence.
This necessity and proportionality assessment, as well as the reasons for a restriction, shall be documented. To that end, every restriction shall be specifically recorded in the inventory managed by the data controller and shall state how the exercise of the restricted rights and obligations referred to in Article 1(1) would jeopardise the purpose of the activities referred to in Article 1(2), or would adversely affect the rights and freedoms of others. The documents containing the underlying factual and legal elements of the restriction shall be also registered. The records shall be made available to the European Data Protection Supervisor on request.
Access to the records in the inventory, including the assessment note, shall be restricted for as long as the restriction it justifies remains valid in accordance with paragraphs 4 and 5.
4. A restriction shall be lifted as soon as the reasons that justify it no longer exist.
5. The need to maintain a restriction shall be reviewed at appropriate intervals, at least every six months from its adoption, and in any case at the closure of the relevant procedure in relation to the activities referred to in Article 1(2).
Article 4
Review by the Data Protection Officer
1. Each organisational entity shall, without undue delay, inform the DPO in writing when it restricts the exercise of the rights and obligations referred to in Article 1(1), when it performs the review of the restriction and when it extends or lifts the restriction. The DPO shall have access to the records established in accordance with Article 3(3).
2. The DPO may request the data controller in writing to review the application of the restriction. The data controller shall inform the DPO in writing about the outcome of the requested review.
3. Documents under this article shall be made available to the EDPS on request.
Article 5
Provision of information to data subjects and information on restrictions
1. The EEAS shall publish on its website or intranet its privacy statements and data protection notices that inform data subjects of its activities involving processing of personal data, of their rights and their potential restrictions.
2. The right to information may be restricted by the data controller with regards to activities under Article 1(2) (i), (ii), (iii), (iv), (v), (vi), (viii), (xi), (xii) and (xiii). Without prejudice to paragraph 4, the EEAS, where proportionate, shall inform individually the concerned data subjects of the application of the restriction without undue delay and in a written form. If a request from a data subject is rejected due to a restriction, data subjects shall be informed of the principal reasons on which a restriction is based and of their right to lodge a complaint with the European Data Protection Supervisor.
3. A restriction under this article shall be applied in accordance with Articles 3 and 4.
4. The provision of information about a restriction under this Decision may be deferred, omitted or denied if it would cancel the effect of the restriction. This deferral, omission or denial shall be applied in accordance with the provisions of Articles 3 and 4.
Article 6
Right of access
1. The right of access under Article 17 of the Regulation may be restricted with regards to activities under Article 1(2) (i), (ii), (iii), (iv), (v), (vi), (vii), (viii), (x), (xi), (xii) and (xiii).
2. Where data subjects request access to their personal data processed in the context of a specific activity referred to in Article 1(2), the EEAS shall limit its response to the personal data processed for that activity.
3. Where the EEAS restricts, wholly or partly, the right of access to personal data by data subjects, as referred to in Article 17 of Regulation (EU) 2018/1725, it shall inform the data subject concerned, in writing, in its reply to the request for access without undue delay of the restriction applied and of the principal reasons thereof. The provision of information concerning the reasons for the restriction may be deferred, omitted or denied for as long as it would undermine the purpose of the restriction.
4. The EEAS may restrict, on a case-by-case basis, data subjects' right to access directly medical data of a psychological or psychiatric nature, where access to such data is likely to represent a risk for the data subject's health. This restriction shall be proportionate to what is strictly necessary to protect the data subject. In such cases, access to the information shall be given to a medical practitioner of the data subject's choice.
5. A restriction under this article shall be applied in accordance with Articles 3, 4 and 5.
Article 7
Right of rectification, erasure and restriction of processing
1. The right to rectification, erasure and restriction of processing under Articles 18, 19(1) and 20(1) of the Regulation may be restricted with regards to activities under Article 1(2) (i), (ii), (iii), (iv), (v), (vi), (vii), (viii), (ix), (x), (xi), (xii) and (xiii).
2. In relation to medical data, data subjects may exercise the right to rectification of the assessments or opinions of EEAS medical officers or advisors by providing their comments or a report of a medical practitioner of their choice.
3. A restriction under this article shall be applied in accordance with Articles 3, 4 and 5.
Article 8
Communication of a personal data breach to data subjects
1. The right to the communication of a personal data breach to the data subject under Article 35 of the Regulation may be restricted with regards to activities under Article 1(2) (i), (ii), (iii), (iv), (v), (vi), (viii), (xi), (xii) and (xiii).
2. A restriction under this article shall be applied in accordance with Articles 3, 4 and 5.
Article 9
Confidentiality of electronic communications
1. The obligation of ensuring the confidentiality of electronic communications may only be restricted with regards to activities under Article 1(2) (i), (ii), (iii), (iv), (xi), (xii) and (xiii) in the following exceptional cases:
(a) if the restriction to the obligation of ensuring the confidentiality of the calling line identification is necessary to trace nuisance calls;
(b) if the restriction to the obligation of ensuring the confidentiality of the calling line identification and location data is necessary to allow emergency services to carry out their tasks effectively;
(c) if the restriction to the obligation of ensuring the confidentiality of the communications, traffic data and location data is necessary to safeguard national security, public security or defence of the Member States, internal security of Union institutions and bodies, the prevention, investigation, detection and prosecution of criminal offences, violations of the Staff Regulations and the Financial Regulation or of unauthorised use of the electronic communication system, as referred to in Article 25 of the Regulation.
2. A restriction under this article shall be applied in accordance with Articles 3, 4 and 5.
Article 10
Entry into force
This Decision shall enter into force on the day following its publication in the Official Journal of the European Union.
Done at Brussels, 1 October 2019.
Federica MOGHERINI
The High Representative
(1) OJ L 201, 3.8.2010, p. 30.
(2) OJ L 295, 21.11.2018, p. 39.
(3) Regulation (EEC, Euratom, ECSC) No 259/68 of the Council of 29 February 1968 laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Union (OJ 45, 14.6.1962, p. 1385, in its consolidated version).
(4) Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (OJ L 193, 30.7.2018, p. 1).
(5) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(6) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).