COMMISSION DECISION (EU) 2019/236
of 7 February 2019
laying down internal rules concerning the provision of information to data subjects and the restriction of certain of their rights in the context of the processing of personal data by the European Commission for the purposes of internal security of the Union institutions
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 249(1) thereof,
Whereas:
(1) The Commission needs to operate in a safe and secure environment. To accomplish that it needs a coherent, integrated approach as regards its security, providing appropriate levels of protection for persons, assets and information commensurate with identified risks, and ensuring efficient and timely delivery of security. The Commission faces major threats and challenges in the field of security, in particular as regards terrorism, cyber-attacks and political and commercial espionage.
(2) In order to ensure security of persons, assets and information, the Commission, notably through its Security Directorate of the Directorate General for Human Resources and Security takes measures as provided for in Commission Decision (EU, Euratom) 2015/443 (1) which involve the processing of several categories of personal data. Those measures include the conduct of security background checks pursuant to Article 7(5), threat assessments pursuant to Article 12 and security inquiries pursuant to Article 13 of Decision (EU, Euratom) 2015/443. In the framework of its investigative mandate, the Commission collects information of investigative interest, including personal data, from various sources — public authorities and natural persons — and exchanges it with other Union institutions, bodies, offices and agencies, with competent authorities of Member States and third countries, and with international organisations before, during and after the inquiry or coordination activities.
(3) The categories of personal data processed by the Commission are, for example, identification data, contact data, professional data and data related to or brought in connection with the subject matter of a security background check, threat assessment or a security inquiry. The personal data are stored in a secured electronic environment, to prevent unlawful access or transfer of data to persons outside the Commission. The personal data are retained in the services of the Commission in charge of the inquiry until the end of the inquiry. Different retention periods apply to different processing activities, depending on the category of the inquiry, namely whether in the field of suspected criminal offences, counter-intelligence or counter-terrorism. At the end of the retention period, the case-related information including personal data is eliminated (2).
(4) While carrying out its tasks, the Commission, as a controller, is bound to respect the rights of natural persons in relation to the processing of personal data recognised by Article 8(1) of the Charter of Fundamental Rights of the European Union and by Article 16(1) of the Treaty on the Functioning of the European Union, as well as the rights provided for in Regulation (EU) 2018/1725 of the European Parliament and of the Council (3). At the same time, the Commission is required to comply with strict rules of confidentiality as laid down in Article 9 of Decision (EU, Euratom) 2015/443.
(5) In certain circumstances, it is necessary to reconcile the rights of data subjects pursuant to Regulation (EU) 2018/1725 with the need that the Commission effectively carries out its tasks of ensuring the security of persons, assets and information in the Commission pursuant to Decision (EU, Euratom) 2015/443, in particular security inquiries, as well as with full respect for fundamental rights and freedoms of other data subjects. To that effect, Article 25(1) (c), (d) and (h) of Regulation (EU) 2018/1725 provides the Commission with the possibility to restrict the application of Articles 14 to 17, 19, 20, and 35, as well as the principle of transparency laid down in Article 4(1)(a), insofar its provisions correspond to the rights and obligations provided for in Articles 14 to 17, 19 and 20 of that Regulation.
(6) In order to ensure that the Commission effectively carries out its tasks of ensuring the security of persons, assets and information in the Commission pursuant to Decision (EU, Euratom) 2015/443, in particular its security inquiries, while respecting the standards of protection of personal data under Regulation (EU) 2018/1725, it is necessary to adopt internal rules under which the Commission may restrict data subjects' rights in accordance with Article 25(1)(c), (d) and (h) of Regulation (EU) 2018/1725.
(7) Those internal rules should cover all processing operations carried out by the Commission in the performance of its tasks to ensure security of persons, assets and information in the Commission pursuant to Decision (EU, Euratom) 2015/443, in particular its investigative function in the area of security. They should apply to processing operations carried out prior to the opening of an investigation, during investigations and during the monitoring of the follow-up to the outcome of investigations.
(8) In order to comply with Articles 14, 15 and 16 of Regulation (EU) 2018/1725, the Commission should inform all individuals of its activities involving processing of their personal data and of their rights in a transparent and coherent manner by means of a data protection notice published on the Commission's website.
(9) In addition, the Commission should individually inform, in an appropriate format, the data subjects involved in a security inquiry that is to say, the persons concerned and witnesses. The Commission should furthermore individually inform persons whose data are processed in the context of security measures taken under Article 7(5) and 12(1)(d) and (e) of Decision (EU, Euratom) 2015/443, namely in searches of Commission premises and communication and information systems and equipment.
(10) On the basis of Article 25 of Regulation (EU) 2018/1725, it may be necessary for the Commission to restrict the provision of information to data subjects and the exercise of other rights of data subjects in order to protect, in particular, a security inquiry, its investigation tools and methods, the security inquiries and proceedings of other public authorities, as well as the rights of other persons related to that security inquiry, investigations and/or proceedings.
(11) In some cases, providing particular information to the data subjects or revealing the existence of an inquiry or of security measures taken under Article 12(1)(d) and (e) of Decision (EU, Euratom) 2015/443, namely searches of Commission premises and communication and information systems and equipment, could render impossible or seriously impair the purpose of the inquiry and the capability of the Commission to ensure its security and in particular to conduct security inquiries effectively in the future.
(12) In addition, in order to maintain effective cooperation, as referred to in Article 17(2) and (3) of Decision (EU, Euratom) 2015/443, it may be necessary for the Commission to restrict the application of data subjects' rights in order to protect processing operations of other Union institutions, bodies, offices and agencies, or of competent authorities of the Member States. To that effect, the Commission should consult those institutions, bodies, offices, agencies, authorities on the relevant grounds for imposing restrictions and on the necessity and proportionality of the restrictions.
(13) The Commission may also have to restrict the provision of information to data subjects and the application of other rights of data subjects in relation to personal data received from third countries or international organisations, in order to fulfil its duty of cooperation with those countries or organisation and thus safeguard an important objective of general public interest of the Union. However, in some circumstances the interest or fundamental rights of the data subject may override the interest of international cooperation.
(14) The Commission should handle all restrictions in a transparent manner and register each application of restrictions in the corresponding record system.
(15) Pursuant to Article 25(8) of Regulation (EU) 2018/1725, controllers may defer, omit or deny the provision of information on the reasons for the application of a restriction to the data subject if providing that information would in any way compromise the purpose of the restriction. This is, in particular, the case of restrictions to the rights provided for in Articles 16 and 35 of Regulation (EU) 2018/1725.
(16) The Commission should regularly review the restrictions imposed in order to ensure that the data subject's rights to be informed in accordance with Articles 16 and 35 of Regulation (EU) 2018/1725 are restricted only as long as such restrictions are necessary to allow the Commission to ensure its security and in particular to conduct its security inquiries.
(17) Where other rights of data subjects are restricted, the controller should assess on a case-by-case basis whether the communication of the restriction would compromise its purpose.
(18) The Data Protection Officer of the Commission should carry out an independent review of the application of restrictions, with a view to ensuring compliance with this Decision.
(19) The European Data Protection Supervisor delivered an opinion on 10 December 2018,
HAS ADOPTED THIS DECISION:
Article 1
Subject matter and scope
1. This Decision lays down the rules to be followed by the Commission to inform data subjects of the processing of their data in accordance with Articles 14, 15 and 16 of Regulation (EU) 2018/1725 when carrying out all of its tasks pursuant to Decision (EU, Euratom) 2015/443.
It also lays down the conditions under which the Commission may restrict the application of Articles 4, 14 to 17, 19, 20 and 35 of Regulation (EU) 2018/1725, in accordance with Article 25(1) (c), (d) and (h) of that Regulation.
2. This Decision applies to the processing of personal data by the Commission for the purpose of or in relation to the activities carried out in order to ensure security of persons, assets and information in the Commission pursuant to Decision (EU, Euratom) 2015/443.
Article 2
Applicable exceptions and restrictions
1. Where the Commission exercises its duties with respect to data subjects' rights under Regulation (EU) 2018/1725, it shall consider whether any of the exceptions laid down in that Regulation apply.
2. Subject to Articles 3 to 7 of this Decision, the Commission may restrict the application of Articles 14 to 17, 19, 20 and 35 of Regulation (EU) 2018/1725 as well as the principle of transparency laid down in Article 4(1)(a) of that Regulation in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 17, 19 and 20 of Regulation (EU) 2018/1725, where the exercise of those rights and obligations would jeopardise the internal security of Union institutions, bodies, offices or agencies including of their electronic communications networks, inter alia by revealing its investigative tools and methods in the context of security inquiries, or would adversely affect the rights and freedoms of other data subjects.
3. Subject to Articles 3 to 7, the Commission may restrict the rights and obligations referred to in paragraph 2 of this Article in relation to personal data obtained from other Union institutions, bodies, agencies and offices, competent authorities of Member States or third countries or from international organisations, in the following circumstances:
(a) where the exercise of those rights and obligations could be restricted by other Union institutions, bodies, agencies and offices on the basis of other acts provided for in Article 25 of Regulation (EU) 2018/1725 or in accordance with Chapter IX of that Regulation or in accordance with Regulation (EU) 2016/794 of the European Parliament and of the Council (4) or Council Regulation (EU) 2017/1939 (5);
(b) where the exercise of those rights and obligations could be restricted by competent authorities of Member States on the basis of acts referred to in Article 23 of Regulation (EU) 2016/679 of the European Parliament and of the Council (6), or under national measures transposing Articles 13(3), 15(3) or 16(3) of Directive (EU) 2016/680 of the European Parliament and of the Council (7);
(c) where the exercise of those rights and obligations could jeopardise the Commission's cooperation with third countries or international organisations regarding information exchanges on potential counter-intelligence and counter-terrorist threats and in the conduct of its security inquiries.
Before applying restrictions in the circumstances referred to in points (a) and (b) of the first subparagraph, the Commission shall consult the relevant Union institutions, bodies, agencies, offices or competent authorities of the Member States, unless it is clear to the Commission that the application of a restriction is provided for by one of the acts referred to in those points or such consultation would jeopardise the purpose of its activities under Decision (EU, Euratom) 2015/443.
Point (c) of the first subparagraph of this paragraph shall not apply where the interest of the Commission to cooperate with third countries or international organisations is overridden by the interests or fundamental rights and freedoms of the data subjects.
4. Paragraphs 1, 2 and 3 are without prejudice to the application of other Commission decisions laying down internal rules concerning the provision of information to data subjects and the restriction of certain rights under Article 25 of Regulation (EU) 2018/1725 and to Article 23 of the Rules of Procedure of the Commission.
Article 3
Provision of information to data subjects
1. The Commission shall publish on its website data protection notices that inform all data subjects of its activities involving processing of their personal data which it carries out in order to fulfil its tasks pursuant to Decision (EU, Euratom) 2015/443.
2. The Commission shall individually inform witnesses and the persons concerned by a security inquiry of the processing of their personal data in an appropriate format. It shall also individually inform persons whose data are processed in the context of security measures taken under Article 7(5) and Article 12(1) (d) and (e) of Decision (EU, Euratom) 2015/443, namely in searches of Commission premises and communication and information systems and equipment.
3. Where the Commission restricts, wholly or partly, the provision of the information to data subjects referred to in paragraph 2 of this Article, it shall record and register the reasons for the restriction in accordance with Article 6 of this decision.
Article 4
Right to access by data subjects, right of erasure and right to restriction of processing
1. Where the Commission restricts, wholly or partly, the right of access to data by data subjects, the right of erasure or the right to restriction of processing as referred to in Articles 17, 19 and 20 respectively of Regulation (EU) 2018/1725, it shall inform the data subject concerned, in its reply to the request for access, erasure or restriction of processing, of the restriction applied and of the principal reasons thereof, and of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy in the Court of Justice of the European Union.
2. The provision of information concerning the reasons for the restriction referred to in paragraph 1 of this Article may be deferred, omitted or denied for as long as it would undermine the purpose of the restriction.
3. The Commission shall record and register the reasons for the restriction in accordance with Article 6 of this decision.
4. Where the right of access is wholly or partly restricted, the data subject may exercise his or her right of access through the intermediary of the European Data Protection Supervisor, in accordance with Article 25(6), (7) and (8) of Regulation (EU) 2018/1725.
Article 5
Communication of a personal data breach to data subjects
Where the Commission restricts the communication of a personal data breach to the data subject, as referred to in Article 35 of Regulation (EU) 2018/1725, it shall record and register the reasons for the restriction in accordance with Article 6 of this Decision.
Article 6
Recording and registering of restrictions
1. The Commission shall record the reasons for any restriction applied pursuant to this Decision, including an assessment of the necessity and proportionality of the restriction taking into account the relevant elements in Article 25(2) of Regulation (EU) 2018/1725.
To that end, the record shall state how the exercise of the right would jeopardise the purpose of the Commission's tasks under Decision (EU, Euratom) 2015/443, or of restrictions applied pursuant to Article 2(2) or (3), or would adversely affect the rights and freedoms of other data subjects.
2. The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request.
Article 7
Duration of restrictions
1. Restrictions referred to in Articles 3, 4 and 5 of this decision shall continue to apply as long as the reasons justifying them remain applicable.
2. Where the reasons for a restriction referred to in Article 3 or 5 of this decision no longer apply, the Commission shall lift the restriction and provide the reasons for the restriction to the data subject. At the same time, the Commission shall inform the data subject of the possibility of lodging a complaint with the European Data Protection Supervisor at any time or of seeking a judicial remedy in the Court of Justice of the European Union.
3. The Commission shall review the application of the restrictions referred to in Articles 4 and 6 every six months from their application and at the closure of the relevant investigation. Thereafter, the Commission shall monitor the need to maintain any restriction/deferral on an annual basis.
Article 8
Review by the Data Protection Officer
1. The Data Protection Officer of the Commission shall be informed, without undue delay, whenever data subjects' rights are restricted in accordance with this Decision. Upon request, the Data Protection Officer shall be provided with access to the record and any documents containing underlying factual and legal elements.
2. The Data Protection Officer of the Commission may request a review of the restrictions. The Data Protection Officer shall be informed about the outcome of the requested review.
3. The information exchanges with the Data Protection Officer throughout the procedure shall be recorded in the appropriate form.
Article 9
This Decision shall enter into force on the third day following that of its publication in the Official Journal of the European Union.
Done at Brussels, 7 February 2019.
For the Commission
The President
Jean-Claude JUNCKER
(1) Commission Decision (EU, Euratom) 2015/443 of 13 March 2015 on Security in the Commission (OJ L 72, 17.3.2015, p. 41).
(2) Retention of files in the Commission is regulated by the Common retention list, a regulatory document (the last version is SEC(2012) 713) in the form of a retention schedule that establishes the retention periods for the different types of Commission files.
(3) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
(4) Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53).
(5) Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor's Office (‘the EPPO’, OJ L 283, 31.10.2017, p. 1).
(6) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(7) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).