DECISION OF THE COURT OF JUSTICE OF THE EUROPEAN UNION
of 1 October 2019
on internal rules concerning restrictions of certain rights of data subjects in relation to the processing of personal data in the exercise of non-judicial functions of the Court of Justice of the European Union
THE COURT OF JUSTICE OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (1) (‘the Regulation’), and in particular Article 25 thereof,
Having regard to the opinion of the European Data Protection Supervisor (‘the EDPS’) of 26 July 2019, consulted in accordance with Article 41(2) of the Regulation,
Having regard to the opinion of the Administrative Committee of 16 September 2019,
Whereas the Regulation applies, in the same way as to any Union institution, to the Court of Justice of the European Union so far as concerns the processing of personal data in the exercise of its non-judicial functions;
Whereas it is appropriate, therefore, to implement in respect of such processing Article 25 of the Regulation by adopting the internal rules referred to in that Article,
HAS ADOPTED THIS DECISION:
Article 1
Subject matter and scope
This Decision lays down rules relating to the conditions under which the Court of Justice of the European Union, in the exercise of its non-judicial functions, may restrict the application of Articles 14 to 21, 35 and 36 of the Regulation, as well as Article 4 of the Regulation, pursuant to Article 25 thereof.
Article 2
Restrictions
1. In accordance with Article 25(1) of the Regulation, the application of Articles 14 to 21, 35 and 36 of the Regulation, as well as Article 4 of the Regulation in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21, may be restricted in the case of:
(a) administrative investigations conducted in accordance with the relevant internal rules; pre-disciplinary, disciplinary and suspension proceedings conducted pursuant to Article 86 of the Staff Regulations of the European Union (‘the Staff Regulations’) and the provisions of Annex IX thereto; the handling of whistleblowing in accordance with the relevant internal rules; security inquiries conducted in accordance with the relevant internal rules; investigations carried out by the data protection officer in accordance with the last sentence of Article 45(2) of the Regulation and the relevant internal rules; notification of a case to the European Anti-Fraud Office (OLAF). Relevant restrictions may be based on Article 25(1)(b), (c), (d), (g) and (h) of the Regulation;
(b) contact, by a member of the staff of the Court of Justice of the European Union, with the counsellor in the context of the informal procedure for cases of harassment. Relevant restrictions may be based on Article 25(1)(h) of the Regulation;
(c) the processing of a request or of a complaint within the meaning of article 90 of the Staff Regulations. Relevant restrictions may be based on Article 25(1)(h) of the Regulation;
(d) the conduct of an internal audit. Relevant restrictions may be based on Article 25(1)(c), (g) and (h) of the Regulation;
(e) cooperation with the other institutions, bodies, offices and agencies of the European Union. Relevant restrictions may be based on Article 25(1)(b), (c), (d), (g) and (h) of the Regulation;
(f) cooperation with the authorities of the Member States and of third countries as well as with international organisations. Relevant restrictions may be based on Article 25(1)(b), (c), (g) and (h) of the Regulation;
(g) the processing of personal data contained in documents produced or obtained in the context of judicial cases to which the Court of Justice of the European Union is a party. Relevant restrictions may be based on Article 25(1)(e) and (h) of the Regulation.
2. The categories of data include identification data of a natural person, contact information, professional roles and tasks, information on private and professional conduct and performance, and financial data.
3. Any restriction shall respect the essence of the fundamental rights and freedoms and be necessary and proportionate in a democratic society.
4. A necessity and proportionality test in relation, in particular, to the risk of infringement of the rights and freedoms of data subjects shall be carried out on a case-by-case basis before restrictions are applied. Restrictions shall be limited to what is strictly necessary to achieve the set objectives.
5. The restrictions applied and the outcome of the necessity and proportionality analysis in relation, in particular, to the risk of infringement of the rights and freedoms of data subjects shall be recorded in a memorandum drawn up by the data controller. Those memoranda shall be part of an ad hoc register which is maintained by the data protection officer and which shall be made available on request to the EDPS. The data protection officer shall have access to any document underlying those memoranda.
6. When personal data are exchanged with other organisations, there shall be a consultation on the possible relevant grounds for imposing restrictions and the necessity and proportionality of the restrictions. This consultation shall not prevent the application of restrictions in accordance with this Decision.
Article 3
Assessment of risks, retention period and safeguards
1. The assessment of the risks to the rights and freedoms of data subjects whose rights to the protection of personal data may be subject to restrictions within the meaning of Article 25 of the Regulation, as well as the retention period in respect of those data, shall be referenced in the record of the relevant processing activities, in accordance with Article 31 of the Regulation and, if applicable, in the data protection impact assessments, in accordance with Article 39 of the Regulation.
2. Safeguards shall be implemented to prevent abuse or unlawful access or transfer of personal data that may be subject to restrictions within the meaning of Article 25 of the Regulation. The safeguards shall include:
(a) the technical and organisational measures described, in respect of each processing concerned, in the record of processing activities;
(b) due monitoring of restrictions and a periodical revision, which shall be done at least every six months. A revision must also be carried out when essential elements of the case at hand change. The restrictions shall be lifted as soon as the circumstances that justify them no longer apply.
Article 4
Confidentiality of electronic communications
Other than in the cases referred to in Article 2(1) and, in particular, in point (a) thereof, the right to confidentiality of electronic communications, within the meaning of Article 36 of the Regulation, may be restricted, in exceptional cases, on the basis of specific internal rules which shall detail the grounds, the procedure to be followed and the safeguards to be observed.
Article 5
Information for data subjects on restrictions of their rights
1. General information shall be published on the website of the Court of Justice of the European Union for data subjects concerning the rights that may be restricted and the reasons for, and duration of, such restrictions, in accordance with this Decision.
2. Where the rights referred to in Articles 14 to 21, 35 and 36 of the Regulation, as well as Article 4 of the Regulation in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21, are restricted, wholly or partly, the data subject shall be informed of the principal reasons on which the application of the restriction is based and of his or her right to lodge a complaint with the EDPS.
3. The communication of information concerning the reasons for the restriction, referred to in paragraph 2, shall be deferred, omitted or denied if it renders that restriction ineffective. The assessment relating thereto shall take place on a case-by-case basis.
Article 6
Entry into force
This Decision shall enter into force on the day of its publication in the
Official Journal of the European Union
.
Done at Luxembourg, 8 October 2019.
Registrar
A.CALOT ESCOBAR
President
KLENAERTS
(1)
OJ L 295, 21.11.2018, p. 39
.
Feedback