COMMISSION DECISION (EU) 2019/165
of 1 February 2019
laying down internal rules concerning the provision of information to data subjects and the restriction of certain of their data protection rights by the Commission in the context of administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 249(1), thereof,
Whereas:
(1) The Commission conducts administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings, on the basis of Article 86 of the Staff Regulations of Officials of the European Union (1) and in accordance with Annex IX thereto as well as Commission Decision C(2004) 1588 (2). Those tasks are mainly the responsibility of the Investigation and Disciplinary Office of the Commission (‘IDOC’), which is a directorate attached to the Directorate-General for Human Resources and Security. Disciplinary proceedings may include investigations conducted by the Disciplinary Board of the Commission pursuant to Article 17 of Annex IX to the Staff Regulations.
(2) In the context of these activities, the relevant Commission services collect and process relevant information. That information includes personal data, in particular identification, contact and behavioural data. The relevant Commission services transmit personal data to other Commission services on a need to know basis.
(3) The personal data are stored in a secured physical and electronic environment, to prevent unlawful access or transfer of data to persons who do not have a need to know. After the end of the processing, the data are retained in accordance with the applicable Commission rules (3).
(4) While carrying out its tasks, the Commission is bound to respect the rights of natural persons in relation to the processing of personal data recognised by Article 8(1) of the Charter of Fundamental Rights of the European Union and by Article 16(1) of the Treaty, as well as the rights provided for in Regulation (EU) 2018/1725 of the European Parliament and of the Council (4), which replaced Regulation (EC) No 45/2001 of the European Parliament and of the Council (5). At the same time, the Commission is required to comply with strict rules of confidentiality and professional secrecy and to ensure respect for the procedural rights of persons concerned and witnesses, in particular the presumption of innocence of the person concerned.
(5) In certain circumstances it is necessary to reconcile the rights of data subjects pursuant to Regulation (EU) 2018/1725 with the need for effectiveness of administrative inquiries and pre-disciplinary, disciplinary and suspension proceedings, as well as with full respect for fundamental rights and freedoms of other data subjects. To that effect, Article 25(1)(c), (g) and (h) of Regulation (EU) 2018/1725 provides the Commission with the possibility to restrict the application of Articles 14 to 17, 19, 20 and 35, as well as the principle of transparency laid down in Article 4(1)(a), insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 17, 19, 20 and 35 of that Regulation.
(6) This might, in particular, be the case as regards the provision of information about the processing of personal data to the person concerned at the start of an administrative inquiry. The provision of such information might affect the Commission's capacity to conduct the administrative inquiry, for example because the person concerned could destroy evidence before it is examined by the Commission or interfere with potential witnesses before they are themselves heard. Similarly, providing access to personal data during phases of the procedure in which the person concerned does not have access to the file, such as during the preliminary assessment or the administrative inquiry, might reveal information that could adversely affect the conduct of the administrative inquiry. In both cases, restricting the rights of the person concerned might be necessary to safeguard a monitoring, inspection or regulatory function connected to the exercise of official authority in a case where an important objective of general public interest of the Union is at stake, namely ensuring that the staff of the Commission abide by their statutory obligations and behave in an ethical manner.
(7) It might also be necessary to restrict the right of access to personal data by the person concerned when such access would reveal information about a witness or a whistle-blower who has asked not to have their identity disclosed. In such a case, the Commission may decide to restrict access to the statement relating to the person concerned in order to protect the rights and freedoms of this witness or whistle-blower.
(8) In order to ensure the confidentiality and effectiveness of administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings, while respecting the standards of protection of personal data under Regulation (EU) 2018/1725, it is necessary to adopt internal rules under which the Commission may restrict data subjects' rights in line with Article 25(1)(c),(g) and (h) of Regulation (EU) 2018/1725.
(9) The internal rules should apply to all processing operations carried out by the Commission in the performance of its tasks, including processing operations carried out prior to the opening of an administrative inquiry and during assistance and cooperation provided by the Commission to national authorities and international organisations outside of its activities.
(10) In order to comply with Articles 14, 15 and 16 of Regulation (EU) 2018/1725, the Commission should inform all individuals of its activities involving processing of their personal data and of their rights, in a transparent and coherent manner, by means of data protection notices published on the Commission's website. In addition, the Commission should individually inform, in an appropriate format, the data subjects involved in an administrative inquiry or in pre-disciplinary, disciplinary or suspension proceedings.
(11) In addition, in order to maintain effective cooperation it may be necessary for the Commission to restrict the application of data subjects' rights in order to protect processing operations of other Union institutions, bodies, offices and agencies or of Member States' and third countries' authorities and international organisations. To that effect, the Commission should consult those institutions, bodies, offices, agencies, authorities and international organisations on the relevant grounds for imposing restrictions and on the necessity and proportionality of the restrictions, unless this would jeopardise the Commission's activities.
(12) The Commission may also have to restrict the provision of information to data subjects and the application of other rights of data subjects in relation to personal data received from third countries or international organisations, in order to fulfil its duty of cooperation with those countries or organisations and thus safeguard an important objective of general public interest of the Union. However, in some circumstances the interest or fundamental rights of the data subject may override the interest of international cooperation.
(13) The Commission should handle all restrictions in a transparent manner and register each application of restrictions in the corresponding record system.
(14) Pursuant to Article 25(8) of Regulation (EU) 2018/1725, controllers may defer, omit or deny the provision of information on the reasons for the application of a restriction to the data subject if providing that information would in any way compromise the purpose of the restriction. This is, in particular, the case of restrictions to the rights provided for in Articles 16 and 35 of Regulation (EU) 2018/1725.
(15) The Commission should regularly review the restrictions imposed in order to ensure that the data subject's rights to be informed in accordance with Articles 16 and 35 of Regulation (EU) 2018/1725 are restricted only as long as such restrictions are necessary to allow the Commission to conduct its administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings.
(16) Where other rights of data subjects are restricted, the controller should assess on a case-by-case basis whether the communication of the restriction would compromise its purpose.
(17) The Data Protection Officer of the European Commission should carry out an independent review of the application of restrictions, with a view to ensuring compliance with this Decision.
(18) The European Data Protection Supervisor delivered an opinion on 5 December 2018,
HAS ADOPTED THIS DECISION:
Article 1
Subject matter and scope
1. This Decision lays down the rules to be followed by the Commission to inform data subjects of the processing of their data in accordance with Articles 14, 15 and 16 of Regulation (EU) 2018/1725 when conducting administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings.
2. It also lays down the conditions under which the Commission may restrict the application of Articles 4(1)(a), 14 to 17, 19, 20 and 35 of Regulation (EU) 2018/1725, in accordance with Article 25 (1) (c), (g) and (h) thereof.
3. This Decision applies to the processing of personal data by the Commission pursuant to Article 86 of the Staff Regulations and Annex IX thereof, as well as Decision C (2004) 1588.
4. This Decision applies to the processing of personal data by the Commission insofar as it processes personal data for purposes related to administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings.
5. The categories of personal data covered by this Decision include identification, contact and behavioural data.
Article 2
Applicable exceptions and restrictions
1. Where the Commission exercises its duties with respect to data subjects' rights under Regulation (EU) 2018/1725, it shall consider whether any of the exceptions laid down in that Regulation apply.
2. Subject to Articles 3 to 7 of this Decision, the Commission may restrict the application of Articles 14 to 17, 19, 20 and 35 of Regulation (EU) 2018/1725, as well as the principle of transparency laid down in Article 4(1)(a) of that Regulation insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 17, 19, 20 and 35 of that Regulation, where the exercise of those rights and obligations would jeopardise the purpose of administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings or would adversely affect the rights and freedoms of other data subjects.
3. Subject to Articles 3 to 7, the Commission may restrict the rights and obligations referred to in paragraph 2 of this Article in relation to personal data obtained from other Union institutions, bodies, agencies and offices, competent authorities of Member States or third countries or from international organisations, in the following circumstances:
(a) where the exercise of those rights and obligations could be restricted by other Union institutions, bodies, agencies and offices on the basis of other acts provided for in Article 25 of Regulation (EU) 2018/1725 or in accordance with Chapter IX of that Regulation or in accordance with Regulation (EU) 2016/794 of the European Parliament and of the Council (6) or Council Regulation (EU) 2017/1939 (7);
(b) where the exercise of those rights and obligations could be restricted by competent authorities of Member States on the basis of acts referred to in Article 23 of Regulation (EU) 2016/679 of the European Parliament and of the Council (8), or under national measures transposing Articles 13(3), 15(3) or 16(3) of Directive (EU) 2016/680 of the European Parliament and of the Council (9);
(c) where the exercise of those rights and obligations could jeopardise the Commission's cooperation with third countries or international organisations in the conduct of administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings.
Before applying restrictions in the circumstances referred to in points (a) and (b) of the first subparagraph, the Commission shall consult the relevant Union institutions, bodies, agencies, offices or competent authorities of the Member States, unless it is clear to the Commission that the application of a restriction is provided for by one of the acts referred to in those points or such consultation would jeopardise the Commission's activities.
Point (c) of the first subparagraph shall not apply where the interest of the Commission to cooperate with third countries or international organisations is overridden by the interests or fundamental rights and freedom of the data subjects.
Article 3
Provision of information to data subjects
1. The Commission shall publish on its website data protection notices that inform all data subjects of its activities involving processing of their personal data.
2. The Commission shall individually inform, in an appropriate format, the person concerned by an administrative inquiry, pre-disciplinary, disciplinary or suspension proceedings, as well as witnesses requested to provide information in relation to those proceedings, about the processing of their personal data.
3. Where the Commission restricts in accordance with Article 2 of this Decision, wholly or partly, the provision of the information referred to in paragraph 2, it shall record and register the reasons for the restriction in accordance with Article 6.
Article 4
Right of access by data subjects, right of erasure and right to restriction of processing
1. Where the Commission restricts, wholly or partly, the right of access to personal data by data subjects, the right of erasure, or the right to restriction of processing as referred to in Articles 17, 19 and 20 respectively of Regulation (EU) 2018/1725, it shall inform the data subject concerned, in its reply to the request for access, erasure or restriction of processing, of the restriction applied and of the principal reasons therefor, and of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy in the Court of Justice of the European Union.
2. The provision of information concerning the reasons for the restriction referred to in paragraph 1 may be deferred, omitted or denied for as long as it would undermine the purpose of the restriction.
3. The Commission shall record the reasons for the restriction in accordance with Article 6 of this Decision.
4. Where the right of access is wholly or partly restricted, the data subject may exercise his or her right of access through the intermediary of the European Data Protection Supervisor, in accordance with Article 25 (6), (7) and (8) of Regulation (EU) 2018/1725.
Article 5
Communication of personal data breaches to data subjects
Where the Commission restricts the communication of a personal data breach to the data subject, as referred to in Article 35 of Regulation (EU) 2018/1725, it shall record and register the reasons for the restriction in accordance with Article 6 of this Decision.
Article 6
Recording and registering of restrictions
1. The Commission shall record the reasons for any restriction applied pursuant to this Decision, including a case-by-case assessment of the necessity and proportionality of the restriction.
To that end, the record shall state how the exercise of the right would jeopardise the purpose of the administrative inquiry, pre-disciplinary, disciplinary or suspension proceedings, or of restrictions applied pursuant to Article 2(2) or (3), or would adversely affect the rights and freedoms of other data subjects.
2. The record and, where applicable, the documents containing the underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request.
Article 7
Duration of restrictions
1. Restrictions referred to in Articles 3, 4 and 5 shall continue to apply as long as the reasons justifying them remain applicable.
2. Where the reasons for a restriction referred to in Articles 3 and 5 no longer apply, the Commission shall lift the restriction and provide the principal reasons for the restriction to the data subject. At the same time, the Commission shall inform the data subject of the possibility of lodging a complaint with the European Data Protection Supervisor at any time or of seeking a judicial remedy in the Court of Justice of the European Union.
3. The Commission shall review the application of the restrictions referred to in Articles 3 and 5 every six months from their adoption and in any case at the end of the administrative inquiry, pre-disciplinary, disciplinary or suspension proceedings. Thereafter, the Commission shall monitor the need to maintain any deferral on an annual basis.
Article 8
Review by the Data Protection Officer of the European Commission
1. The Data Protection Officer of the European Commission shall be informed, without undue delay, whenever data subjects' rights are restricted in accordance with this Decision. Upon request, the Data Protection Officer shall be provided with access to the record and any documents containing underlying factual and legal elements.
2. The Data Protection Officer may request a review of the restriction. The Data Protection Officer shall be informed in writing of the outcome of the requested review.
Article 9
Entry into force
This Decision shall enter into force on the third day following that of its publication in the
Official Journal of the European Union
.
Done at Brussels, 1 February 2019.
For the Commission
The President
Jean-Claude JUNCKER
(1) Regulation (EEC, Euratom, ECSC) No 259/68 of the Council of 29 February 1968 laying down the Staff Regulations and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission (
OJ L 56, 4.3.1968, p. 1
).
(2) Commission Decision C(2004) 1588 laying down general implementing provisions on the conduct of administrative inquiries and disciplinary procedures.
(3) Common Commission-level retention list for European Commission files — SEC(2012)713
(4) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (
OJ L 295, 21.11.2018, p. 39
).
(5) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (
OJ L 8, 12.1.2001, p. 1
).
(6) Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (
OJ L 135, 24.5.2016, p. 53
).
(7) Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor's Office (‘the EPPO’) (
OJ L 283, 31.10.2017, p. 1
).
(8) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (
OJ L 119, 4.5.2016, p. 1
).
(9) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (
OJ L 119, 4.5.2016, p. 89
).
Feedback