Commission Decision (EU) 2018/1962 of 11 December 2018 laying down internal rules... (32018D1962)

COMMISSION DECISION (EU) 2018/1962

of 11 December 2018

laying down internal rules concerning the processing of personal data by the European Anti-Fraud Office (OLAF) in relation to the provision of information to data subjects and the restriction of certain of their rights in accordance with Article 25 of Regulation (EU) 2018/1725 of the European Parliament and of the Council

THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 249(1) thereof,
Whereas:
(1) The European Anti-Fraud Office (‘the Office’) was established by Commission Decision 1999/352/EC, ECSC, Euratom (1) as a service of the Commission. The Office conducts investigations in complete independence.
(2) The Office conducts administrative investigations for the purpose of fighting fraud, corruption and any other illegal activity affecting the financial interests of the Union in accordance with Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council (2). To that end, it exercises the powers of investigation conferred on the Commission by the relevant Union acts in the Member States, as well as in accordance with cooperation and mutual assistance agreements and any other legal instrument in force, in third countries and on the premises of international organisations.
(3) The Office also conducts administrative investigations within the institutions, bodies, offices and agencies established by, or on the basis of, the Treaties. In the framework of its investigative mandate, the Office collects information of investigative interest, including personal data, from various sources – public authorities, private entities and natural persons – and exchanges it with Union institutions, bodies, offices and agencies, with competent authorities of Member States and third countries, as well as with international organisations before, during and after the investigation or coordination activities.
(4) In the framework of its activities, the Office processes several categories of personal data, particularly identification data, contact data, professional data and case involvement data. The Office, represented by its Director-General, acts as the data controller. The personal data are stored in a secured electronic environment which prevents unlawful access or transfer of data to persons who do not have a need to know. The personal data processed are retained for fifteen years after the case is dismissed or the investigation or the coordination case is closed by a decision of the Director-General. At the end of the retention period, the case related information including personal data is transferred to the historical archives.
(5) While carrying out its tasks, the Office is bound to respect the rights of natural persons in relation to the processing of personal data recognised by Article 8(1) of the Charter of Fundamental Rights of the European Union and by Article 16(1) of the Treaty, as well as by legal acts based on those provisions. At the same time, the Office is required to comply with strict rules of confidentiality and professional secrecy referred to in Article 10 of Regulation (EU, Euratom) No 883/2013 and ensure the respect of procedural rights of persons concerned and witnesses, referred to in Article 9 of that Regulation, in particular the right of persons concerned to the presumption of innocence.
(6) The secured electronic environment in which personal data are stored as well as the procedural guarantees and strict rules of confidentiality and professional secrecy referred to respectively in Articles 9 and 10 of Regulation (EU, Euratom) No 883/2013 ensure a high level of protection against the risks to the rights and freedoms of data subjects involved by the processing.
(7) In certain circumstances, it is necessary to reconcile the rights of data subjects pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council (3) with the needs of investigations and confidentiality of exchanges of information with other competent public authorities, as well as with full respect for fundamental rights and freedoms of other data subjects. To that effect, Article 25 of that Regulation provides the Office with the possibility to restrict the application of Articles 14 to 22, 35 and 36, as well as Article 4 thereof, insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 22.
(8) The Office designated, pursuant to Article 10(4) of Regulation (EU, Euratom) No 883/2013 a Data Protection Officer in accordance with Article 24 of Regulation (EC) No 45/2001 of the European Parliament and of the Council (4).
(9) In order to ensure the confidentiality and effectiveness of investigations and other operational activities carried out by the Office while respecting the standards of protection of personal data under Regulation (EU) 2018/1725, it is necessary to adopt internal rules under which the Office may restrict data subjects' rights in line with Article 25 of that Regulation.
(10) The scope of this legal act should cover all processing operations carried out by the Office in the performance of its independent investigative function. They should apply to processing operations carried out prior to the opening of an investigation, both during internal and external investigations, as referred to in Articles 3 and 4 of Regulation (EU, Euratom) No 883/2013, and during the monitoring of the follow-up to the outcome of the investigations. The rules should apply to processing operations which form part of the activities linked to the investigative function such as the system to report fraud, operational analyses, international cooperation data bases, as well as operations which can contain investigative data such as in the handling of DPO investigations or in other complaint processes conducted by the Office. It should also include assistance and cooperation provided by the Office to national authorities and international organisations outside of its administrative investigations.
(11) In order to comply with Articles 14, 15 and 16 of Regulation (EU) 2018/1725, the Office should inform all individuals of its activities involving processing of their personal data and of their rights in a transparent and coherent manner in the form of the data protection notices published on the Office's website, as well as to individually inform data subjects relevant to the investigation – persons concerned, witnesses and informants – in the appropriate format.
(12) Without prejudice to the application of the exceptions laid down in Regulation (EU) 2018/1725, the Office may have to restrict the provision of information to data subjects and the application of other rights of data subjects in order to protect its own investigations, investigations and proceedings of public authorities of the Member States, the investigation tools and methods, as well as the rights of other persons related to its investigations.
(13) In some cases, providing particular information to the data subjects or revealing the existence of an investigation could render impossible or seriously impair the purpose of the processing operation and the capability of the Office or competent national authorities and Union institutions, bodies, offices and agencies to conduct an investigation effectively in the future.
(14) Furthermore, the Office is required to protect the identity of informants, including whistle-blowers, and witnesses, who should not suffer negative repercussions in relation to their cooperation with the Office.
(15) For those reasons, the Office may need to apply certain grounds for restrictions referred to in Article 25 of Regulation (EU) 2018/1725 to data processing operations carried out in the framework of the Office's tasks set out in Article 2 of Decision 1999/352/EC, ECSC, Euratom.
(16) In addition, in order to maintain effective cooperation, the Office may need to apply restrictions to data subjects' rights to protect information containing personal data originating from Commission services or other Union institutions, bodies, offices and agencies, competent authorities of Member States and third countries, as well as from international organisations. To that effect, the Office should consult those services, institutions, bodies, offices, agencies, authorities and international organisations on the relevant grounds for and the necessity and proportionality of the restrictions.
(17) In the framework of its investigative function, the Office often exchanges information, including personal data, with, inter alia, Commission services and executive agencies assisting the Commission services in the implementation of their programmes. In line with Article 25(5) of Regulation (EU) 2018/1725 – which requires the internal rules to be adopted at the highest level of management of the Union institutions, bodies, agencies and offices concerned – this Decision shall encompass the processing of personal data contained in information which they are required to transmit to the Office. Therefore all Commission services and executing agencies processing personal data subject to their duty to inform the Office under Article 8(1) of Regulation (EU, Euratom) No 883/2013 or where such personal data are processed by the Office in the performance of its tasks should apply the rules set out in this Decision with a view to protecting the processing operations carried out by the Office. In such circumstances, the Commission services and executive agencies concerned should therefore consult the Office on the relevant grounds for the restrictions and their necessity and proportionality in order to ensure their coherent application.
(18) The Office – and, where relevant, Commission services and executive agencies – should handle all restrictions in a transparent manner and register each application of restrictions in the corresponding record system.
(19) Pursuant to Article 25(8) of Regulation (EU) 2018/1725, the controllers may defer or refrain from providing information on the reasons for the application of a restriction to the data subject if this would in any way compromise the purpose of the restriction. In particular, where a restriction to the rights provided for in Articles 16 and 35 is applied, the notification of such a restriction would compromise the purpose of the restriction. In order to ensure that the data subject's right to be informed in accordance with Articles 16 and 38 of Regulation (EU) 2018/1725 is restricted only as long as the reasons for the deferral last, the Office should regularly review its position.
(20) Where a restriction of other data subjects' rights is applied the controller should assess on a case-by-case basis whether the communication of the restriction would compromise its purpose.
(21) The Data Protection Officer of the Office – and, where relevant, the Data Protection Officer of the Commission or of the executive agency concerned – should also carry out an independent review of the application of restrictions, with a view to ensuring compliance with this Decision.
(22) Regulation (EU) 2018/1725 replaces Regulation (EC) No 45/2001, without any transitional period, from the date on which it enters into force. The possibility to apply restrictions to certain rights was provided for in Regulation (EC) No 45/2001. In order to avoid jeopardising the purpose of investigations in the Office's remit and adversely affecting the rights and freedoms of others, this Decision should apply from the date of entry into force of Regulation (EU) 2018/1725.
(23) The European Data Protection Supervisor was consulted on 23 November 2018,
HAS ADOPTED THIS DECISION:

Article 1

Subject matter and scope

1.   This Decision lays down the rules to be followed by the European Anti-Fraud Office (‘the Office’) to inform data subjects of the processing of their data in accordance with Articles 14, 15 and 16 of Regulation (EU) 2018/1725.
It also lays down the conditions under which the Office may restrict the application of Articles 4, 14 to 20 and 35 of Regulation (EU) 2018/1725, in accordance with Article 25 of that Regulation.
2.   This Decision applies to the processing of personal data by the Office for the purpose of or in relation to the activities carried out in order to fulfil the Office's tasks referred to in Article 2 of Decision 1999/352/EC, ECSC, Euratom and Regulation (EU, Euratom) No 883/2013.
3.   This Decision applies to the processing of personal data by Commission services and executive agencies in so far as they process personal data contained in information which they are required to transmit to the Office pursuant to Article 8(1) of Regulation (EU, Euratom) No 883/2013 or personal data already processed by the Office for the purpose of or in relation to the activities referred to in paragraph 2 of this Article.

Article 2

Applicable exceptions and restrictions

1.   Where the Office exercises its duties with respect to the data subjects' rights pursuant to Regulation (EU) 2018/1725, it shall consider whether any of the exceptions laid down in that Regulation apply.
2.   Subject to Articles 3 to 6 of this Decision, the Office may restrict the application of Articles 14 to 20 and 35 of Regulation (EU) 2018/1725, as well as its Article 4 in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 20 and 35 of Regulation (EU) 2018/1725 where the exercise of those rights and obligations would jeopardise the purpose of the Office's investigative activities, including by revealing its investigative tools and methods, or would adversely affect the rights and freedoms of others.
3.   Subject to Articles 3 to 6 of this Decision, the Office may restrict the rights and obligations referred to in paragraph 2 of this Article in relation to personal data obtained from Commission services or other Union institutions, bodies, agencies and offices, competent authorities of Member States or third countries or from international organisations, in the following circumstances:
(a) where the exercise of those rights and obligations could be restricted by Commission services or other Union institutions, bodies, agencies and offices on the basis of other acts provided for in Article 25 of Regulation (EU) 2018/1725 or in accordance with Chapter IX of that Regulation or with the founding acts of other Union institutions, bodies, agencies and offices;
(b) where the exercise of those rights and obligations could be restricted by competent authorities of Member States on the basis of acts referred to in Article 23 of Regulation (EU) 2016/679 of the European Parliament and of the Council (5), or under national measures transposing Articles 13(3), 15(3) or 16(3) of Directive (EU) 2016/680 of the European Parliament and of the Council (6);
(c) where the exercise of those rights and obligations could jeopardise the Office's cooperation with third countries or international organisations in the conduct of its tasks.
Before applying restrictions in the circumstances referred to in points (a) and (b) of the first subparagraph, the Office shall consult the relevant Commission services, Union institutions, bodies, agencies, offices or the competent authorities of Member States unless it is clear to the Office that the application of a restriction is provided for by one of the acts referred to in those points.
Point (c) of the first subparagraph shall not apply where the interest of the Union to cooperate with third countries or international organisations is overridden by the interests or fundamental rights and freedoms of the data subjects.
4.   Where Commission services and executive agencies process personal data in instances referred to in Article 1(3), they may, where necessary, apply restrictions in accordance with this Decision. To that end, they shall consult the Office, unless it is clear to the Commission service or executive agency concerned that the application of a restriction is justified under this Decision.

Article 3

Provision of information to data subjects

1.   The Office shall publish on its website data protection notices that inform all data subjects of its activities involving processing of their personal data.
2.   The Office shall individually inform all data subjects whom it considers to be persons concerned, witnesses or informants within the meaning of Regulation (EU, Euratom) No 883/2013.
3.   Where the Office restricts, wholly or partly, the provision of information to the data subjects referred to in paragraph 2, it shall record the reasons for the restriction, including an assessment of the necessity and proportionality of the restriction.
To that end, the record shall state how the provision of the information would jeopardise the purpose of the Office's investigative activities, or of restrictions applied pursuant to Article 2(3), or would adversely affect the rights and freedoms of others.
The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request.
4.   The restriction referred to in paragraph 3 shall continue to apply as long as the reasons justifying it remain applicable.
Where the reasons for the restriction no longer apply, the Office shall provide the information concerned and the reasons for the restriction to the data subject. At the same time, the Office shall inform the data subject of the possibility of lodging a complaint with the European Data Protection Supervisor at any time or of seeking a judicial remedy in the Court of Justice of the European Union.
The Office shall review the application of the restriction every six months from its adoption and at the closure of the relevant investigation. Thereafter, the controller shall monitor the need to maintain any restriction on an annual basis.

Article 4

Right of access by data subject

1.   Where data subjects request access to their personal data processed in the context of one or more specific cases or to a particular processing operation, in accordance with Article 17 of Regulation (EU) 2018/1725, the Office shall limit its assessment of the request to such personal data only.
2.   Where the Office restricts, wholly or partly, the right of access, referred to in Article 17 of Regulation (EU) 2018/1725, it shall take the following steps:
(a) it shall inform the data subject concerned, in its reply to the request, of the restriction applied and of the principal reasons thereof, and of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy in the Court of Justice of the European Union;
(b) it shall record the reasons for the restriction, including an assessment of the necessity and proportionality of the restriction; to that end, the record shall state how providing access would jeopardise the purpose of the Office's investigative activities or of restrictions applied pursuant to Article 2(3), or would adversely affect the rights and freedoms of other data subjects.
The provision of information referred to in point (a) may be deferred, omitted or denied in accordance with Article 25(8) of Regulation (EU) 2018/1725.
3.   The record referred to in point (b) of paragraph 2 and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request. Article 25(7) of Regulation (EU) 2018/1725 shall apply.

Article 5

Right of rectification, erasure and restriction of processing

Where the Office restricts, wholly or partly, the application of the right to rectification, erasure or restriction of processing, referred to in Articles 18, 19(1) and 20(1) of Regulation (EU) 2018/1725, it shall take the steps set out in Article 4(2) of this Decision and register the record in accordance with Article 4(3) thereof.

Article 6

Communication of a personal data breach to the data subject

Where the Office restricts the communication of a personal data breach to the data subject, referred to in Article 35 of Regulation (EU) 2018/1725, it shall record and register the reasons for the restriction in accordance with Article 3(3) of this Decision. Article 3(4) of this Decision shall apply.

Article 7

Review by the Data Protection Officer

1.   The Data Protection Officer of the Office (‘the Office DPO’), shall be informed, without undue delay, whenever data subjects' rights are restricted in accordance with this Decision. The Office DPO shall be provided with access to the record and any documents containing underlying factual and legal elements.
The Office DPO may request a review of the restrictions. The Office DPO shall be informed in writing of the outcome of the requested review.
2.   Where Commission services and executive agencies process personal data in instances referred to in Article 1(3), the Data Protection Officer of the Commission (‘the Commission DPO’) or, where applicable, the Data Protection Officer of the executive agency concerned (‘the Agency DPO’), shall be informed, without undue delay, whenever data subjects' rights are restricted in accordance with this Decision. Upon request, the Commission DPO or, where applicable, the Agency DPO shall be provided with access to the record and any documents containing underlying factual and legal elements.
The Commission DPO or, where applicable, the Agency DPO, may request a review of the restrictions. The Commission DPO or the Agency DPO shall be informed in writing about the outcome of the requested review.
3.   All information exchanges with the DPO throughout the procedure shall be recorded in the appropriate form.

Article 8

Entry into force

This Decision shall enter into force on the day of its publication in the Official Journal of the European Union.
It shall apply from 11 December 2018.
Done at Brussels, 11 December 2018.
For the Commission
The President
Jean-Claude JUNCKER
(1)  Commission Decision 1999/352/EC, ECSC, Euratom of 28 April 1999 establishing the European Anti-fraud Office (OLAF) (OJ L 136, 31.5.1999, p. 20).
(2)  Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (EC) No 1073/1999 of the European Parliament and of the Council and Council Regulation (Euratom) No 1074/1999 (OJ L 248, 18.9.2013, p. 1).
(3)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
(4)  Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).
(5)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(6)  Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).