DECISION OF THE MANAGEMENT BOARD OF THE EUROPEAN MEDICINES AGENCY
of 12 June 2019
on internal rules concerning restrictions of certain rights of data subjects in relation to processing of personal data in the framework of the functioning of the Agency
THE MANAGEMENT BOARD OF THE EUROPEAN MEDICINES AGENCY,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (1), and in particular Article 25 thereof,
Having regard to Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (EC) No 1073/1999 of the European Parliament and of the Council and Council Regulation (Euratom) No 1074/1999 (2),
Having regard to the Staff Regulations of Officials of the European Union, in particular Article 2(3) and Article 30 of Annex IX thereto, and the Conditions of Employment of Other Servants of the European Union,
Having regard to EMA implementing rules on the conduct of administrative enquiries and disciplinary procedures of 8 June 2012 (3),
Having regard to the EDPS Guidance issued on 18 December 2018 and to the notification to the EDPS for the purposes of Article 41(2) of Regulation (EU) 2018/1725,
After consulting the Staff Committee,
Whereas:
(1) The European Medicines Agency (‘EMA’ or ‘the Agency’) was set up by Regulation (EC) No 726/2004 of the European Parliament and of the Council (4) for coordinating the existing scientific resources put at its disposal by Member States for the evaluation, supervision and pharmacovigilance of medicinal products;
(2) The Agency conducts administrative inquiries and disciplinary proceedings in line with the rules laid down in the Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the European Union; the Agency may also carry out preliminary activities related to cases of potential irregularities reported to OLAF (according to Regulation (EU, Euratom) No 883/2013), process whistleblowing cases, process (formal and informal) procedures of harassment, process internal and external complaints, conduct internal audits, carry out investigations by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725 and (IT) security investigations handled internally or with external involvement (e.g. CERT-EU);
(3) The Agency processes several categories of personal data, such as identification data, contact data and professional data. The European Medicines Agency, represented by its Executive Director, is responsible as data controller. Internally, the Head of Administration and Corporate Management Division has been appointed to act by delegation as data controller for the activities concerned by this Decision (for the purpose hereof, hereinafter referred to as ‘Controller’). If the administrative enquiry or disciplinary proceedings concern the Head of Administration and Corporate Management Division, the Deputy Executive Director shall be the Controller for the relevant enquiry or proceedings. The personal data are stored in an electronic file and in paper form. The paper file is stored in a locked cupboard which is only accessible to staff members authorised by senior management. The electronic files are stored in a secure electronic environment which is designed and maintained to prevent accidental or unlawful destruction, loss, alteration, transfer, unauthorised disclosure of, or access to, personal data by internal and external partners who are not authorised to have access to such data;
(4) The personal data processed are retained in accordance with Article 13 of the EMA implementing rules on the conduct of administrative enquiries and disciplinary procedures of 8 June 2012, as explained in Article 2(3) of this Decision;
(5) This Decision on internal rules should apply to all processing operations carried out by the Agency in the performance of its administrative inquiries and disciplinary proceedings, as well as in the performance of preliminary activities related to cases of potential irregularities reported to OLAF, process whistleblowing cases, process (formal and informal) procedures of harassment, process internal and external complaints, conduct internal audits, carry out investigations by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725 and (IT) security investigations handled internally or with external involvement (e.g. CERT-EU). This Decision should apply to processing operations carried out prior to the opening of the procedures referred to above, during these procedures and during the monitoring of the follow-up to the outcome of these procedures.
(6) This Decision on internal rules should also apply to activities linked to assistance and cooperation provided by the Agency outside of its administrative enquiries to other Union institutions, bodies, offices and agencies, competent authorities of the Member States and international organisations to protect their processing operations; as well as to activities related to cooperation with, and the transmission of information regarding an administrative enquiry or disciplinary proceedings to, EU institutions and bodies. To that effect, the Agency should consult those institutions, bodies, offices, agencies, authorities or organisations on the relevant grounds for imposing restrictions and on the necessity and proportionality of the restrictions;
(7) The Agency has to give justifications explaining why the restrictions are strictly necessary and proportionate in a democratic society and respect the essence of the fundamental rights and freedoms;
(8) Within this framework the Agency is bound to respect, to the maximum extent possible, the fundamental rights of the data subjects during the above procedures, in particular but not limited to those relating to the right of access and rectification, right to erasure, as enshrined in Regulation (EU) 2018/1725;
(9) However, the Agency may be obliged to defer the information to the data subject and other data subject's rights in order to protect, in particular, its own investigations and procedures, the investigations and proceedings of other public authorities, as well as the rights of other persons related to its investigations and procedures;
(10) The Agency may thus defer the information for the purposes of protecting its administrative inquiries and disciplinary proceedings and the investigations and proceedings of other public authorities, as well as protecting the identity of informants and other persons involved in the procedures, including whistle-blowers and witnesses who should not suffer negative repercussions in relation to their cooperation. In particular, Article 5(3) of the EMA implementing rules on the conduct of administrative enquiries and disciplinary procedures of 8 June 2012 provides for an obligation to inform any staff member who may personally be involved in an investigation, provided that such notification does not hinder the inquiry. This constitutes a restriction of the application of data subjects' rights, in particular Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725. Therefore, in accordance with Article 25 of the same Regulation, internal rules shall be laid down to ensure that such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society;
(11) Pursuant to Article 25(8) of Regulation (EU) 2018/1725, the Controller may defer or refrain from providing information on the reasons for the application of a restriction to the data subject, if the notification would in any way compromise the purpose of the restriction. In order to ensure that the data subject's right to be informed in accordance with Articles 16 and 35 of Regulation (EU) 2018/1725 is restricted only as long as the reasons for the deferral last, the Agency should regularly review its position.
(12) Where a restriction of other data subjects' rights is applied, the Controller should assess on a case-by-case basis whether the communication of the restriction would compromise its purpose;
(13) In accordance with the principle of proportionality, the Agency should monitor regularly (about every six months) that the conditions which justify a particular restriction still exist. Accordingly, the Agency should lift the restriction when the conditions that justify the restriction no longer apply;
(14) The Agency should consult the Data Protection Officer (the ‘DPO’) at the moment of deferral of information or when other restriction of data subjects' right is applied, as well as on the occasion of the assessment of the conditions as to whether the restriction is still justified,
HAS ADOPTED THIS DECISION:
Article 1
Subject matter and scope
1. This Decision lays down rules relating to the conditions under which the Agency in the framework of administrative inquiries and disciplinary proceedings, when notifying cases to OLAF according to Regulation (EU, Euratom) No 883/2013, may restrict, pursuant to Article 25 of the Regulation (EU) 2018/1725, the application of the rights enshrined in Articles 14 to 21, 35 and 36, as well as Article 4 in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21.
2. This Decision applies to the processing operations of personal data by the Agency for the purpose of conducting administrative inquiries and disciplinary proceedings, as well as to carry out preliminary activities related to cases of potential irregularities reported to OLAF (according to Regulation (EU, Euratom) No 883/2013), process whistleblowing cases, process (formal and informal) procedures of harassment, process internal and external complaints, conduct internal audits, carry out investigations by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725 and (IT) security investigations handled internally or with external involvement (e.g. CERT-EU).
This Decision should also apply to the Agency's activities of assistance and cooperation provided by the Agency outside of its administrative enquiries to other Union institutions, bodies, offices and agencies, competent authorities of the Member States and international organisations to protect their processing operations.
In addition, this decision applies to activities related to cooperation with, and the transmission of information regarding an administrative enquiry or disciplinary proceedings to, EU institutions and bodies, when such information is necessary for the recipient to evaluate the grounds for opening formal investigation or proceedings.
3. The Agency processes several categories of personal data, such as identification data, contact data and professional data. The categories of data concerned can be hard data (for example, administrative details, telephone, private address, electronic communications, and traffic data) and/or soft data (for example appraisal reports, opening of inquiries, reports on preliminary investigations, records/minutes of witness' statements and investigation hearings, social activities and behaviour of staff members, comments on the abilities and efficiency of the concerned staff member(s) etc.).
4. The categories of data subjects who may be subject to this Decision are staff and former staff of the Agency, i.e. (former) agents, officers/administrators, seconded national experts and trainees, as well as (former) contractors of the Agency.
5. Subject to the conditions set out in this Decision, the restrictions may apply to the following rights: provision of information and communication of a personal data breach to the data subjects in accordance with Articles 16 and 35 of Regulation (EU) 2018/1725; right of access by data subject in accordance with Article 17 of Regulation (EU) 2018/1725; right of rectification, erasure, restriction of processing and notification of rectification or erasure in accordance with Articles 18, 19(1), 20 and 21 of Regulation (EU) 2018/1725.
Article 2
Specification of the controllers and safeguards
1. The European Medicines Agency, represented by its Executive Director, is responsible as data controller. Internally, the Head of Administration and Corporate Management Division has been appointed to act by delegation as Controller for the activities concerned by this Decision. If the administrative enquiry or disciplinary proceedings concern the Head of Administration and Corporate Management Division, the Deputy Executive Director shall be the Controller for the relevant enquiry or proceedings.
2. The personal data are stored in an electronic file and/or in paper form. The safeguards in place to avoid personal data breaches, leakages or unauthorised disclosure are the following:
(a) The paper file is stored in a locked cupboard which is only accessible to authorised staff members on a need-to-know basis. The security system of the premises, internal record management policies, staff training and audits are also in place to ensure proper safeguards.
(b) The electronic files are stored in a secure electronic environment which is designed and maintained to prevent accidental or unlawful destruction, loss, alteration, transfer, unauthorised disclosure of, or access to, personal data by internal and external partners who are not authorised to have access to such data.
(c) The strict rules of confidentiality and professional secrecy applicable to the appointed investigators and/or to anyone who is otherwise involved in the administrative enquiry or disciplinary proceedings as required in the EMA implementing rules on the conduct of administrative enquiries and disciplinary procedures of 8 June 2012, as well as in the Staff Regulations and CEOS, ensure a high level of protection against the risks to the rights and freedoms of data subjects involved by the processing.
(d) In accordance with the principle of data minimisation, the Agency will only collect and process personal data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Additional safeguards apply where special categories of data are processed, as well as where personal data relating to criminal convictions and offences or related security measures are processed.
3. The storage and retention periods applicable are the following:
(a) According to Article 13 of the EMA implementing rules on the conduct of administrative enquiries and disciplinary procedures of 8 June 2012, where no charge is made against the staff member or where a charge is made but no disciplinary action was taken, the paper and electronic file of administrative inquiry proceedings, as well as the copy in the personal file of the initial notification to the staff member according to Article 5 of the same Implementing Rules, are held for 5 years after the date of the decision that no charge or disciplinary action is needed. This provision is not applicable to the decision inserted in the staff member's personal file upon his/her request in accordance with Article 1(3) of Annex IX of the Staff Regulations and Article 5(5) of the EMA implementing rules on the conduct of administrative enquiries and disciplinary procedures of 8 June 2012. Such decision is only removed from the personal file upon the request of the staff member concerned.
(b) Where a charge is made against the staff member, paper and electronic files as well as the copy in the personal file of the initial notification to the staff member are retained for 10 years after the date of the decision of disciplinary action. In exceptional cases, where it is in the interest of the Agency to retain the administrative inquiry file following the expiry of the 10 years, a reasoned decision shall be issued six months before the expiry of the 10-year period, and it shall be communicated to the staff member concerned. The reasoned decision shall state the further period for which the administrative inquiry file shall be retained. In such cases, the notification in the staff member's personal file is also retained.
4. The risk to the rights and freedoms of the data subject may entail risks to the right to respect the confidentiality of his/her private communications, to the right to freedom of expression and information and to the right of defence and to be heard. These risks will be balanced against the grounds and purposes justifying the application of the restrictions provided in this Decision. This balancing operation shall be duly documented and be performed on the basis of a case-by-case analysis to ensure that a restriction is only applied where necessary and in a proportionate way, as well as in accordance with the rules set out in this Decision.
Article 3
Restrictions
1. Pursuant to Article 25(1) of Regulation (EU) 2018/1725 any restriction shall only be applied to safeguard:
(a) the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(b) other important objectives of general public interest of the Union or of a Member State, in particular an important interest of the Union or of a Member State, including public health and social security;
(c) the internal security of Union institutions and bodies, including of their electronic communications networks;
(d) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
(e) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (c);
(f) the protection of the data subject, or the rights and freedoms of others.
2. As a specific application of the purposes described in paragraph 1 above, the Agency may apply restrictions in relation to personal data exchanged with Commission services or other Union institutions, bodies, agencies and offices, competent authorities of Member States or third countries or international organisations, in the following circumstances:
(a) where the exercise of those rights and obligations could be restricted by Commission services or other Union institutions, bodies, agencies and offices on the basis of other acts provided for in Article 25 of Regulation (EU) 2018/1725 or in accordance with Chapter IX of that Regulation or with the founding acts of other Union institutions, bodies, agencies and offices;
(b) where the exercise of those rights and obligations could be restricted by competent authorities of Member States on the basis of acts referred to in Article 23 of Regulation (EU) 2016/679 of the European Parliament and of the Council (5), or under national measures transposing Articles 13(3), 15(3) or 16(3) of Directive (EU) 2016/680 of the European Parliament and of the Council (6);
(c) where the exercise of those rights and obligations could jeopardise the Agency's cooperation with third countries or international organisations in the conduct of its tasks.
Before applying restrictions in the circumstances referred to in points (a) and (b) of the first subparagraph, the Agency shall consult the relevant Commission services, Union institutions, bodies, agencies, offices or the competent authorities of Member States unless it is clear to the Agency that the application of a restriction is provided for by one of the acts referred to in those points.
3. Any restriction shall be necessary and proportionate in a democratic society and respect the essence of the fundamental rights and freedoms.
4. A necessity and proportionality test shall be carried out based on the present rules. It shall be documented through an internal assessment note for accountability purposes on a case-by-case basis.
5. Restrictions shall be duly monitored, and a periodical revision shall be done every six months at the latest to assess that the conditions which justify a particular restriction still exist.
6. Restrictions shall be lifted as soon as the conditions that justify them no longer apply, for example where the exercise of the data subjects' rights (e.g. providing information about the data processing and access to the file) would no longer jeopardise the purpose of the concerned investigation or procedure.
Article 4
Information to the Data Protection Officer and review
1. The Controller (on behalf of the Agency) shall, without undue delay, inform the Agency's DPO whenever it restricts the application of data subjects' rights in accordance with this Decision and shall provide access to the records and the documentation of the assessment of the necessity and proportionality of the restriction (including any documents containing underlying factual and legal elements). This requirement applies to any subsequent reviews of the restriction as well.
2. The DPO may request the Controller, in writing, to review the application of the restrictions. The Agency shall inform the DPO, in writing, about the outcome of the requested review.
3. The exchanges of information with the DPO throughout the procedure shall be recorded and documented in writing.
Article 5
Restriction of the provision of information to the data subjects
1. The Agency shall include in the privacy statement related to administrative enquiries and disciplinary procedure and published on its intranet the information relating to the potential restriction of these rights. The information shall cover which rights may be restricted, the reasons for this restriction and the potential duration.
2. Additionally, the Agency shall inform individually data subjects on their rights concerning present or future restrictions, without undue delay and in a written form, and without prejudice to the following paragraphs.
3. Where the Agency restricts, wholly or partly, the provision of information to the data subjects in accordance with this Decision, it shall record the reasons for the restriction, including an assessment of the necessity and proportionality of the restriction. To that end, the record shall state how the provision of the information would jeopardise the purpose of the concerned investigation or procedure, or would adversely affect the rights and freedoms of others. The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request.
4. The restriction referred to in paragraph 3 shall continue to apply as long as the reasons justifying it remain applicable. When the reasons for the restriction no longer apply, the Agency shall provide the information concerned and the reasons for the restriction to the data subject. The data subjects may submit any queries to the DPO.
5. At the same time, the Agency shall inform the data subject of the possibility of lodging a complaint with the European Data Protection Supervisor at any time or of seeking a judicial remedy before the Court of Justice of the European Union.
6. The Agency shall review the application of the restriction every six months from its adoption and at the end of the procedure.
Article 6
Restriction of right of access by the data subjects
1. Where data subjects request access to their personal data processed in the context of one or more specific cases or to a particular processing operation, in accordance with Article 17 of Regulation (EU) 2018/1725, the Agency shall limit its assessment of the request to such personal data only.
2. Where the Agency restricts, wholly or partly, the right of access, referred to in Article 17 of Regulation (EU) 2018/1725, it shall take the following steps:
(a) it shall inform the data subject concerned, in its reply to the request, of the restriction applied and of the principal reasons thereof to the extent that it would not jeopardise the purpose of the investigation or proceedings concerned, and of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy before the Court of Justice of the European Union;
(b) it shall record the reasons for the restriction, including an assessment of the necessity and proportionality of the restriction; to that end, the record shall state how providing access would jeopardise the purpose of the concerned investigation or procedure, or would adversely affect the rights and freedoms of others.
The provision of information referred to in point (a) may be deferred, omitted or denied in accordance with Article 25(8) of Regulation (EU) 2018/1725.
3. The record referred to in point (b) of paragraph 2 and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request. Article 25(7) of Regulation (EU) 2018/1725 shall apply.
Article 7
Restriction of right of rectification, erasure and restriction of processing
Where the Agency restricts, wholly or partly, the application of the right to rectification, erasure or restriction of processing, referred to in Articles 18, 19(1), 20(1), and 21 of Regulation (EU) 2018/1725, it shall take the steps set out in Article 6(2) of this Decision and register the record in accordance with Article 6(3) thereof.
Article 8
Restriction of communication of a personal data breach to the data subjects and confidentiality of electronic communications
1. Where the Agency restricts the communication of a personal data breach to the data subject, referred to in Article 35 of Regulation (EU) 2018/1725, it shall record and register the reasons for the restriction in accordance with Article 5(3)-(6) of this Decision.
2. Where the Agency restricts the right to the confidentiality of electronic communications of a data subject, referred to in Article 36 of Regulation (EU) 2018/1725, it shall record and register the reasons for the restriction in accordance with Article 5(3)-(6) of this Decision.
Article 9
Entry into force
This Decision shall enter into force on the day following that of its publication in the Official Journal of the European Union.
Done at Amsterdam, 12 June 2019.
Christa WIRTHUMER-HOCHE
Chair of the EMA Management Board
(1) OJ L 295, 21.11.2018, p. 39.
(2) OJ L 248, 18.9.2013, p. 1.
(3) Doc. ref. 7.20/08.
(4) Regulation (EC) No 726/2004 of the European Parliament and of the Council of 31 March 2004 laying down Union procedures for the authorisation and supervision of medicinal products for human and veterinary use and establishing a European Medicines Agency (OJ L 136, 30.4.2004, p. 1).
(5) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(6) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).