DECISION OF THE BUREAU OF THE EUROPEAN PARLIAMENT

of 17 June 2019

on the implementing rules relating to Regulation (EU) 2018/1725 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by the Union Institutions, Bodies, Offices and Agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC

(2019/C 259/02)

THE BUREAU OF THE EUROPEAN PARLIAMENT,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council (1), and in particular Articles 25 and 45(3) thereof,

Having regard to Rule 25(2) of the Rules of Procedure of the European Parliament,

Having regard to the Opinion of the European Data Protection Supervisor of 2 May 2019, which was consulted pursuant to Article 41(2) of Regulation (EU) 2018/1725 on Chapter V of this Decision,

Whereas:

(1) Regulation (EU) 2018/1725 lays down the principles and the rules applicable to the processing of personal data by all Union institutions and bodies and provides for a data protection officer to be appointed by each Union institution and body.

(2) The purpose of the European Parliament's implementing rules relating to Regulation (EU) 2018/1725 (‘the implementing rules’) is to specify the tasks, duties and powers of the Data Protection Officer of the European Parliament (‘the Data Protection Officer’).

(3) The purpose of the implementing rules is also to lay down procedures which will enable data subjects to exercise their rights and all persons within the European Parliament who are involved in the processing of personal data to fulfil their obligations.

(4) The implementing rules should ensure that the European Parliament duly respects its obligations under Regulation (EU) 2018/1725 without impeding it from duly carrying out its legislative, budgetary, political, analytical, scrutiny and communication activities.

(5) Regulation (EU) 2018/1725, and in particular the exceptions to data subject rights that it provides, should therefore be interpreted in a way that ensures the ability of the European Parliament to fully exercise its powers, in particular its legislative and budgetary functions as well as its functions of political control and consultation as laid down in the Treaties.

(6) To that end the exercise of the right to erasure under Article 19 of Regulation (EU) 2018/1725 should be interpreted in such a way that its application avoids any undue interference with the European Parliament's obligation to duly document and make its parliamentary activities visible to, and traceable by, the public, notably at the level of plenary and parliamentary bodies' proceedings, in accordance with the principle of transparency and openness and the applicable rules on archiving.

(7) Furthermore, the right to data portability under Article 22 of Regulation (EU) 2018/1725 only applies where the processing is based either on consent or on the need to fulfil a contract and is carried out by automated means. The exercise of that right is limited by an exception laid down in Article 22(3), second sentence, of that Regulation which should be understood to mean that, unless the administrative activities of the European Parliament are concerned, the European Parliament is exempt from the obligation to provide personal data in accordance with Article 22(1) and (2) of that Regulation.

(8) Moreover, as regards the application of the implementing rules regarding joint controllership of Directorates-General of the European Parliament with other bodies or institutions, or between the Directorates-General of the European Parliament, such joint controllerships should exist only if and to the extent that they are jointly responsible for the same single processing operations, and not where they merely intervene sequentially with thematically proximate but distinct processing operations.

(9) Article 13 of this Decision is to be understood as providing to political groups and Members of the European Parliament the possibility to request, on a strictly voluntary basis, advice from the Data Protection Officer on matters relating to the application of Regulation (EU) 2018/1725, taking into account in particular the interplay between the requirements of data protection and the exercise of the free mandate. Such advice is not binding.

(10) It is moreover necessary to adopt internal rules laying down the conditions under which the European Parliament is permitted to restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation in accordance with Article 25 thereof, in order to ensure that the European Parliament can continue to pursue its activities and procedures.

(11) Within this framework, the European Parliament, when applying restrictions pursuant to Chapter V of this Decision, is bound to respect the fundamental rights of the data subjects concerned, as enshrined in Article 8(1) of the Charter of Fundamental Rights of the European Union, in Article 16(1) of the Treaty on the Functioning of the European Union and in Regulation (EU) 2018/1725.

(12) To that end, the European Parliament, before applying any particular restrictions, must carry out, on a case-by-case basis, an assessment of the necessity and proportionality of the respective restrictions, taking into account the risks to the rights and freedoms of data subjects.

(13) The European Parliament must justify why the restrictions are strictly necessary and proportionate in a democratic society and respect the essence of the fundamental rights and freedoms,

HAS ADOPTED THIS DECISION:

CHAPTER I

GENERAL PROVISIONS

Article 1

Purpose

This Decision lays down the general rules governing the implementation of Regulation (EU) 2018/1725 in the European Parliament, and in particular:

(a) implements the provisions set out in Regulation (EU) 2018/1725 which relate to the tasks, duties and powers of the Data Protection Officer;

(b) lays down detailed rules pursuant to which a data subject may exercise his or her rights;

(c) lays down internal rules pursuant to which the European Parliament may apply exceptions, derogations or restrictions with regard to the rights of data subjects according, notably, to Article 25 of Regulation (EU) 2018/1725.

Article 2

Controller

1. The Unit or service of the European Parliament which determines the purposes and means of the processing of personal data acts as controller in respect to those data within the meaning of Article 3(8) of Regulation (EU) 2018/1725.

2. When the processing operation exceeds the competences of a Unit or service of the European Parliament, the competent Directorate shall be controller within the meaning of Article 3(8) of Regulation (EU) 2018/1725 unless joint controllership is agreed in accordance with Article 28 of that Regulation.

3. When the processing operation exceeds the competences of a Directorate of the European Parliament, the competent Directorate-General of the European Parliament shall be controller within the meaning of Article 3(8) of Regulation (EU) 2018/1725 unless joint controllership is agreed in accordance with Article 28 of that Regulation.

4. Where more than one Directorate-General of the European Parliament determines the purposes and means of a given processing operation or where one of the organisational entities under paragraphs 1 to 3 and at least one entity other than Union Institutions and bodies determine the purposes and means of a given processing operation, the competent actors shall be considered to be joint controllers within the meaning of Article 28(1) of Regulation (EU) 2018/1725.

5. The European Parliament shall be considered to be the controller for the purpose of Article 44(3) and (6) of Regulation (EU) 2018/1725.

6. The controller shall be responsible for ensuring that processing operations are carried out in compliance with Regulation (EU) 2018/1725 and must be able to demonstrate compliance with that Regulation.

In particular, the controller shall be responsible for:

(a) implementing appropriate technical and organisational measures in view of the application of the data protection by design and by default principles;

(b) giving the staff under their authority suitable instructions for ensuring that processing is lawful, fair, transparent and confidential and providing an appropriate level of security in view of the risks which processing entails;

(c) cooperating with the Data Protection Officer and the European Data Protection Supervisor in the performance of their respective duties, in particular by sending information to them in reply to their requests;

(d) informing and involving in a timely manner the Data Protection Officer notably in projects regarding new data processing operations or significant modifications to existing operations.

CHAPTER II

THE DATA PROTECTION OFFICER

Article 3

Appointment, statute and independence

1. The Secretary-General shall appoint the Data Protection Officer from amongst the staff of the European Parliament in accordance with Article 43 and Article 44(8) and (9) of Regulation (EU) 2018/1725. The Data Protection Officer shall be appointed in accordance with the applicable procedure under the Staff Regulations (‘the Staff Regulations’) or, under the Conditions of Employment applicable to Other Servants of the European Union (‘the Conditions of Employment’) laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68) (2), as applicable. The Data Protection Officer shall be appointed for a five-year period, which may be renewed.

2. For the purposes of performing his or her tasks under this Decision, the Data Protection Officer shall be relieved of any other task within the European Parliament. The Secretary-General may nevertheless decide to assign specific additional tasks to the Data Protection Officer, provided that they do not result in a conflict of interests with the role of the Data Protection Officer, particularly in relation to the application of the provisions laid down in Regulation (EU) 2018/1725.

3. The Data Protection Officer shall refrain from any act which is incompatible with the nature of his or her duties.

4. The Data Protection Officer is subject to professional secrecy in accordance with Article 44(5) of Regulation (EU) 2018/1725, including after his or her duties have ceased.

5. The Data Protection Officer may only be dismissed in accordance with Article 44(3) and (8) of Regulation (EU) 2018/1725. For the purposes of obtaining the consent of the European Data Protection Supervisor to such a dismissal pursuant to Article 44(8) of Regulation (EU) 2018/1725, the European Data Protection Supervisor shall be consulted in writing. A copy of that consent shall be sent to the Data Protection Officer.

6. The European Parliament shall ensure that the Data Protection Officer does not receive any instructions regarding the exercise of his or her tasks, as defined in Articles 44 and 45 of Regulation (EU) 2018/1725. In that regard, he or she shall, in particular, not receive any instructions from the Secretary-General, including as regards his or her cooperation with the European Data Protection Supervisor required in accordance with Regulation (EU) 2018/1725.

7. The Data Protection Officer shall directly report to the Secretary-General.

Article 4

Tasks, duties and powers

1. The Data Protection Officer shall ensure the application of Regulation (EU) 2018/1725 by the General Secretariat of the European Parliament and shall monitor compliance with the applicable legal framework on the protection of personal data. Without prejudice to Article 13 of this Decision, the Data Protection Officer shall, in principle, not be competent to monitor the application of Regulation (EU) 2018/1725 by individual Members of the European Parliament or by the political groups of the European Parliament.

2. The Data Protection Officer may be consulted or shall provide advice in accordance with Article 44(4) and (7) and with Article 45(1), points (d), (e) and (f), of Regulation (EU) 2018/1725 and shall exercise all further tasks laid down in Article 45 of that Regulation.

3. The Data Protection Officer shall report any breach or any serious risk of breach of the provisions laid down in Regulation (EU) 2018/1725 to the Secretary-General.

4. The Data Protection Officer shall, upon request, issue an opinion to the relevant controller on actual or proposed processing operations and on the proportionality and adequacy of the processing of certain data or on security measures. The opinion may in particular relate to any issue concerning the analysis of risks for rights and freedoms of data subjects.

5. The competent service of the European Parliament shall consult the Data Protection Officer before the approval of internal rules laying down the framework for the processing of personal data.

6. The Data Protection Officer shall carry out his or her tasks in cooperation with the European Data Protection Supervisor. He or she shall be the contact point between the European Parliament and the European Data Protection Supervisor and shall be informed of all communication between the two institutions regarding matters of his or her competence.

7. The Data Protection Officer shall regularly attend meetings convened by the European Data Protection Supervisor or the Data Protection Officers of the other institutions and bodies with a view to facilitating good cooperation.

8. The Data Protection Officer shall at all times be subject to the rules and provisions laid down in the Staff Regulations or in the Conditions of Employment, as applicable.

Article 5

Personal data breaches and data security

1. When a personal data breach occurs, the controller shall inform the Data Protection Officer about the incident without delay.

2. The Data Protection Officer shall set up and maintain a central register for the purpose of documenting those reported personal data breaches, in accordance with Article 34(6) of Regulation (EU) 2018/1725. The controller facing the breach shall complete the register with the information requested by that Article.

3. The Data Protection Officer shall organise regular meetings with the Chief Information Security Officer and the risk manager of the European Parliament in order to ensure compliance with Articles 33 to 36 of Regulation (EU) 2018/1725. The Data Protection Officer may invite further attendees, where appropriate.

4. The Data Protection Officer shall, drawing on the results of the meetings referred to in paragraph 3:

(a) present to the Secretary-General on an annual basis a data protection risk analysis, which shall be updated in the light of evolving risk factors;

(b) propose to the Secretary-General data protection policies, addressing in particular risks of data theft, leaks or unauthorised manipulation by electronic means;

(c) propose to the Secretary-General appropriate technical and organisational measures to ensure a level of personal data security appropriate to the data protection risks.

Article 6

Records of processing activities and central register

The Data Protection Officer shall set up and maintain the central register within the meaning of Article 31(5) of Regulation (EU) 2018/1725, in which the records of processing activities shall be kept. The Data Protection Officer shall ensure that the register is publicly accessible, also electronically. Upon request, access shall also be possible via the European Data Protection Supervisor.

Upon request, records of processing activities of the European Parliament shall be made available to the European Data Protection Supervisor.

Article 7

Information and access

1. The Data Protection Officer shall be informed immediately by the controller where the setting up of a new administrative procedure, or where the modification of an existing administrative procedure affecting processing operations of personal data, is concerned.

2. The Data Protection Officer shall at any time have access to personal data which are being processed, to data processing installations and to data carriers.

Article 8

Internal audit

When so requested by the Internal Auditor, acting within his or her competences, the Data Protection Officer shall collaborate with the Internal Auditor in particular to facilitate the conduct of internal audits involving the processing of personal data within the General Secretariat of the European Parliament.

Article 9

Risk-based approach

1. For new or modified administrative procedures, technical or organisational measures involving the processing of personal data, the Data Protection Officer, where requested or on his or her own initiative, shall provide information and assist the controller in the assessment of the risks to the rights and freedoms of data subjects.

2. The Data Protection Officer shall advise the controller, following the conduct of the aforementioned risk assessment, on whether it is necessary to carry out a data protection impact assessment.

Article 10

Technical and organisational measures

1. The Data Protection Officer shall advise the controller in assessing technical and organisational solutions to implement processing operations.

2. The Data Protection Officer may recommend to the Secretary-General technical or organisational measures to implement Article 27 of Regulation (EU) 2018/1725 where he or she concludes on the basis of an evaluation that a processing operation does not guarantee full compliance with that Article.

Article 11

Joint controllers and processors

1. The Data Protection Officer shall, upon request, provide an opinion to the controller on the determination of the relevant responsibilities in the context of an arrangement between joint controllers pursuant to Article 28(1) of Regulation (EU) 2018/1725.

2. The Data Protection Officer may, upon request, provide an opinion to the controller regarding the appropriate technical and organisational measures to be guaranteed by the processor or by the sub-processor pursuant Article 29(1) and (2) of Regulation (EU) 2018/1725.

Article 12

Annual report

The Data Protection Officer shall draw up an annual activity report for the Secretary-General and the European Data Protection Supervisor concerning activities relating to the protection of personal data within the General Secretariat of the European Parliament. He or she shall make the report accessible to the staff of the European Parliament.

Article 13

Members of the European Parliament and political groups of the European Parliament

1. By derogation from Article 4(1) of this Decision, Members of the European Parliament and political groups of the European Parliament may request advice from the Data Protection Officer on a matter relating to the application of Regulation (EU) 2018/1725. Without prejudice to own responsibility of the Members of the European Parliament and political groups of the European Parliament to apply Regulation (EU) 2018/1725 as controller within the meaning of Article 3(8) of Regulation (EU) 2018/1725, the Data Protection Officer may, at the request of a Member of the European Parliament or a political group of the European Parliament, offer his or her advice, by applying the relevant provisions of this Decision

mutatis mutandis

2. The Data Protection Officer shall agree on a case-by-case basis on the detailed arrangements for the assistance referred to in paragraph 1, in compliance with this Decision. The performance of that advisory function must not conflict with the Data Protection Officer's other tasks.

CHAPTER III

SUPPORTING STAFF AND NETWORKS

Article 14

Data protection staff and resources

1. The Secretary-General may appoint staff members to the Data Protection Service, to assist the Data Protection Officer in the exercise of his or her functions.

2. Staff members appointed in accordance with paragraph 1 may represent the Data Protection Officer in his or her absence. To this end, the Data Protection Officer may issue internal delegations of authority with regard to specific members of his or her staff. The European Data Protection Supervisor and the Secretary-General shall be notified by being sent a copy of any such delegation of authority.

Article 15

Data protection coordinators network

1. A data protection coordinators network consisting of at least one member for each Directorate-General, of one person representing the coordination of political groups and of the Data Protection Officer shall be established in the European Parliament.

2. The Secretary-General may specify the detailed arrangements concerning the appointment, duties and tasks of the data protection coordinators.

3. The Data Protection Officer shall regularly organise meetings with the data protection coordinators.

CHAPTER IV

EXERCISE OF RIGHTS BY DATA SUBJECTS

Article 16

General rules for the implementation of Articles 14 to 24 of Regulation (EU) 2018/1725

1. The right to be informed, the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right of recipients to be notified, the right to data portability, the right to object and rights relating to automated decision-making including profiling, as laid down in Articles 14 to 24 of Regulation (EU) 2018/1725, may be exercised only by the data subject or by his or her duly authorised representative.

2. The data subject shall address requests to exercise one of his or her rights referred to in paragraph 1 to the controller. A non-mandatory template for this purpose shall be available in electronic form on the European Parliament's website. The request shall contain:

(a) the name, first name and contact details of the data subject;

(b) an indication of the right to be exercised;

(d) the category or categories of the personal data concerned;

(e) the data subject's signature and the date of the request.

3. The request may be submitted by internal or external mail, by e-mail or by any other written means.

4. The controller shall ask for the necessary clarifications in case of unclear or incomplete requests. Until final clarification of these matters, the applicable deadline under Article 14(3) and (4) of Regulation (EU) 2018/1725 shall not start to run.

5. The controller shall verify the data subject's identity in accordance with Article 14(6) of Regulation (EU) 2018/1725. The identity of the data subject shall be verified in the least intrusive way possible. During the identity verification period, the applicable deadline under Article 14(3) and (4) of Regulation (EU) 2018/1725 shall not start to run.

6. The controller shall respond to any request by the data subjects to exercise their rights, even in cases in which the European Parliament does not hold any relevant personal data. An acknowledgement of receipt shall be sent to the data subject within five working days of the receipt of the request. However, the controller shall not be required to send an acknowledgement of receipt if a substantive reply to the request is provided within the same time limit of five working days.

7. The reply shall be sent to the data subject, within the deadlines provided for under Article 14(3) and (4) of Regulation (EU) 2018/1725, by the same written means of communication and in the same official language of the Union as was used by the data subject, unless otherwise requested by this latter.

8. While processing a request under Article 14 of Regulation (EU) 2018/1725, the controller shall take account of any need to apply an exception, a derogation or a restriction under Chapter V of this Decision.

9. In the case of a highly complex request, or when the due processing of a request is likely to result in a risk to the rights and freedoms of other data subjects, the controller shall consult the Data Protection Officer.

Article 17

Right to be informed

(Articles 15 and 16 of Regulation (EU) 2018/1725)

1. In accordance with Article 14 of Regulation (EU) 2018/1725, the controller shall provide the information referred to in Articles 15 and 16 of that Regulation, including when further processing is intended, in generalised form on the internet or the intranet.

2. If possible, and without prejudice to alternative means of communication referred to under Article 14(1) and (7) of Regulation (EU) 2018/1725, the information referred to in Articles 15 and 16 of that Regulation shall be provided to the data subjects concerned in an individualised manner, either in writing or by electronic means.

Article 18

Right of access

(Article 17 of Regulation (EU) 2018/1725)

1. Without prejudice to paragraph 2, where the data subject makes a request for access to his or her personal data, the relevant data shall be retrieved by the controller from its storage location, including electronic or paper documents, and be made available to the data subject by any of the following means:

(a) compilation drawn up by the controller;

(b) hard copy or electronic copy;

2. In accordance with Article 17(3) of Regulation (EU) 2018/1725, where the data subject makes a request for access by electronic means, and unless otherwise requested, the information shall be provided by the controller in a commonly used electronic format.

Article 19

Right to rectification

(Article 18 of Regulation (EU) 2018/1725)

1. Requests for rectification shall specify the personal data to be rectified or completed, a demonstration of the inaccuracy or incompleteness of the data and the correction to be made. Where appropriate, a request may be accompanied by supporting documents.

2. The data subject shall be notified of the successful rectification. In the case of the rejection of the request, the controller shall inform the data subject in writing about the reasons thereof.

Article 20

Right to erasure

(Article 19 of Regulation (EU) 2018/1725)

1. Requests for erasure shall specify the personal data to be erased and indicate the grounds for erasure within the meaning of Article 19(1) of Regulation (EU) 2018/1725.

2. The data subject shall be notified of the successful erasure. In the case of the rejection of the request, the controller shall inform the data subject in writing about the reasons thereof.

3. Erasure entails the physical disappearance of the personal data without it being necessary to replace them by a code.

Article 21

Right to restriction of processing

(Article 20 of Regulation (EU) 2018/1725)

1. Requests for the restriction of processing shall specify the personal data concerned and the grounds for the restriction, as laid down in Article 20(1) of Regulation (EU) 2018/1725.

2. The data subject shall be notified of the successful restriction of processing. In the case of the rejection of the request, the controller shall inform the data subject in writing about the reasons thereof.

Article 22

Notification to recipients

(Article 21 of Regulation (EU) 2018/1725)

1. After finalisation of one of the procedures laid down in Articles 19 to 21 of this Decision, the controller shall launch the procedure under Article 21 of Regulation (EU) 2018/1725 without delay.

2. In the case that the notification to recipients proves impossible or involves a disproportionate effort, the controller shall inform the data subject in writing about the reasons thereof.

Article 23

Right to data portability

(Article 22 of Regulation (EU) 2018/1725)

1. Requests under Article 22 of Regulation (EU) 2018/1725 shall specify the personal data concerned.

2. In the case of the rejection of the request, the controller shall inform the data subject in writing about the reasons thereof.

Article 24

Right to object

(Article 23 of Regulation (EU) 2018/1725)

1. Objections shall specify the personal data concerned and the grounds relating to the personal situation justifying the objection.

2. In the case of the rejection of the objection, the controller shall inform the data subject in writing about the reasons thereof.

CHAPTER V

EXCEPTIONS, DEROGATIONS AND RESTRICTIONS

SECTION 1

Exceptions and derogations

Article 25

Exceptions

1. Before applying a restriction pursuant to Section 2 of this Chapter, the controller shall consider whether any of the exceptions laid down in Regulation (EU) 2018/1725 apply, notably those pursuant to Articles 15(4), 16(5), 19(3) and 35(3) of that Regulation.

2. For processing for archiving purposes in the public interest as well as for processing for scientific or historical research purposes or statistical purposes, the controller shall consider whether the exceptions pursuant to Articles 16(5), point (b), and 19(3), point (d), of Regulation (EU) 2018/1725 apply.

Article 26

Derogations

1. For processing for archiving purposes in the public interest, the controller may apply derogations in accordance with Article 25(4) of Regulation (EU) 2018/1725. To that end, the controller may derogate from the rights referred to in Articles 17, 18, 20, 21, 22 and 23 of Regulation (EU) 2018/1725 in accordance with the conditions provided for in Article 25(4) of that Regulation.

2. For processing for scientific or historical research purposes or statistical purposes, the controller may apply derogations in accordance with Article 25(3) of Regulation (EU) 2018/1725. To that end, the controller may derogate from the rights referred to in Articles 17, 18, 20 and 23 of Regulation (EU) 2018/1725 in accordance with the conditions provided for in Article 25(3) of that Regulation.

3. Such derogations shall be subject to appropriate safeguards in accordance with Article 13 of Regulation (EU) 2018/1725 and Article 28(1) and (2) of this Decision. Technical and organisational measures shall be in place in accordance with Articles 2(6), point (a), and Article 10 of this Decision notably to ensure the respect of data minimisation and, where applicable, pseudonymisation.

SECTION 2

Restrictions

Article 27

Subject-matter and scope

1. This Section lays down the general conditions under which the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, in accordance with Article 25 thereof.

The general conditions referred to in subparagraph one are complemented by provisions of the Annexes to this Decision, which specify the conditions under which the European Parliament may restrict rights of the data subjects in each of its activities and procedures where personal data is being processed and restrictions might become necessary.

2. This Section applies to the processing of personal data for the purposes of the activities and procedures carried out by the European Parliament, as specified in Annexes to this Decision.

3. For the purpose of each processing and restriction, the competent controller shall be determined pursuant to Article 2 of this Decision.

Article 28

Safeguards

1. Personal data subject to a restriction shall be stored in a secure physical or electronic environment which prevents unlawful access or transfer of data to persons who do not have a need to know.

2. After the end of the processing, the documents containing the personal data shall be retained in accordance with the applicable rules of the European Parliament (3).

3. Before applying any restriction, an assessment of whether the restriction is necessary and proportional, as well as of the risks to data subjects, shall be carried out in accordance with Article 35 of this Decision.

Article 29

Applicable restrictions

1. Subject to Articles 30 to 36 and to the specifications laid down in the applicable Annexes to this Decision, the controller may apply restrictions with regard to those rights of the data subject explicitly referred to in the applicable Annexes, where the exercise of those rights would jeopardise the purpose of one of the activities or procedures laid down in those Annexes.

2. The controller shall record and register the reasons for the restriction in accordance with Article 35 of this Decision.

Article 30

Provision of information to data subjects

1. The European Parliament shall publish on its website data protection notices that inform all data subjects of its activities involving processing of their personal data and of a potential restriction of their rights in this context. The information shall specify the rights which may be restricted, the reasons for such restriction, their potential duration and the legal remedies possible.

2. If possible, the controller shall, without undue delay and in the most appropriate format, directly inform each data subject of his or her rights in respect of such restrictions, which shall be determined on a case-by-case basis. The information shall specify the rights which can be restricted, the reasons for such restrictions, their potential duration and possible legal remedies.

Article 31

Right to be informed

1. Where the controller restricts the right of information, as referred to in Articles 15 and 16 of Regulation (EU) 2018/1725, data subjects shall be informed, in accordance with Article 25(6) of that Regulation, of the principal reasons on which the application of the restriction is based and of their right to lodge a complaint with the European Data Protection Supervisor.

2. However, such provision of information may be deferred, omitted or denied, in accordance with Article 25(8) of Regulation (EU) 2018/1725, for as long as it would cancel the effect of the restriction.

3. Where the controller defers, omits or denies, wholly or partly, the provision of information to data subjects within the meaning of paragraph 2 of this Article, it shall record and register the reasons for doing so in accordance with Article 35 of this Decision.

Article 32

Right of access by data subjects, right to rectification, right to erasure, right to restriction of processing and notification obligation

1. Where the controller restricts, wholly or partly, the right of access to personal data by data subjects, the right to rectification, the right to erasure or the right to restriction of processing as referred to in Articles 17, 18, 19 and 20 respectively of Regulation (EU) 2018/1725 as well as the notification obligation pursuant to Article 21 of that Regulation, it shall inform the data subject concerned, in its reply to the request for access, rectification, erasure or restriction of processing, of the restriction that has been applied and of the principal reasons for the restriction and of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy before the Court of Justice of the European Union (‘the Court of Justice’).

2. The provision of information concerning the reasons for the restriction referred to in paragraph 1 may be deferred, omitted or denied for as long as it would cancel the effect of the restriction.

3. The controller shall record the reasons for the deferral, omission or denial in accordance with Article 35 of this Decision.

4. Where the right of access is wholly or partly restricted and the data subject has exercised his or her right to lodge a complaint with the European Data Protection Supervisor, the data subject, and only he or she, shall be informed by the European Data Protection Supervisor of whether the data have been processed correctly and, if not, whether any corrections have been made in accordance with Article 25 (7) of Regulation (EU) 2018/1725.

Article 33

Communication of a personal data breach to the data subject

Where the controller restricts the application of Article 35 of Regulation (EU) 2018/1725, the controller shall record and register the reasons for doing so in accordance with Article 35 of this Decision.

Article 34

Confidentiality of electronic communications

Where the controller restricts the obligation of the European Parliament to ensure confidentiality of electronic communications referred to in Article 36 of Regulation (EU) 2018/1725, the controller shall record and register the reasons for doing so in accordance with Article 35 of this Decision.

Article 35

Assessment of necessity and proportionality, recording and registering of restrictions

1. Before applying any particular restrictions, the controller shall assess whether the restrictions are necessary and proportionate, taking into account the relevant elements in Article 25(2) of Regulation (EU) 2018/1725. That assessment shall also include an assessment of the risks to the rights and freedoms of the data subjects concerned, notably the risk that their personal data might be further processed without their knowledge and that they might be prevented from exercising their rights in accordance with Regulation (EU) 2018/1725. It shall be documented through an internal assessment note and shall be carried out on a case-by-case basis.

2. The controller shall record the reasons for any restriction applied pursuant to this Decision, including the assessment conducted pursuant to paragraph 1.

To that end, the record shall state how the exercise of the data subjects' rights would jeopardise the purpose of one of the activities or procedures carried out by the European Parliament, as defined under the Annexes to this Decision.

3. Where, pursuant to Article 25(8) of Regulation (EU) 2018/1725, the controller defers, omits or denies the provision of information to a data subject on the application of a restriction, the controller shall also record, where applicable, the reasons for doing so.

4. The record and, where applicable, the documents containing underlying factual and legal elements shall be stored in a central register. They shall be made available to the European Data Protection Supervisor on request.

Article 36

Duration of restrictions

1. Restrictions referred to in Articles 29 and 31 to 34 of this Decision, read in conjunction with the applicable Annexes to this Decision, shall apply as long as the reasons justifying them remain applicable.

2. Where the reasons for a restriction referred to in Articles 29 and 31 to 34 of this Decision, read in conjunction with the applicable Annexes to this Decision, no longer exist, the controller shall lift the restriction. At the same time, the controller shall provide the data subject with the principal reasons for the restriction and inform the data subject of the possibility of lodging a complaint with the European Data Protection Supervisor at any time or of seeking a judicial remedy before the Court of Justice.

3. The controller shall review the application of restrictions referred to in Articles 29 and 31 to 34 of this Decision, read in conjunction with the applicable Annexes to this Decision, every six months from its adoption and at the closure of the relevant procedure. Thereafter, for the purposes of the activities and procedures laid down in Annexes I, II, V, VI, VII, VIII, IX and X to this Decision, the controller shall monitor the need to maintain any restriction on an annual basis.

Article 37

Review by the Data Protection Officer

1. The Data Protection Officer shall be informed, without undue delay, whenever data subjects' rights are restricted in accordance with this Section.

Upon request, the Data Protection Officer shall be provided with access to the record and any documents containing underlying factual and legal elements.

2. The Data Protection Officer may request from the controller a review of the restrictions. The Data Protection Officer shall be informed in writing of the outcome of the requested review.

3. All information exchanges with the Data Protection Officer throughout the procedure in accordance with paragraphs 1 and 2 shall be recorded in the appropriate form.

Article 38

Annexes

The Annexes to this Decision form an integral part of this Decision.

CHAPTER VI

FINAL PROVISIONS

Article 39

Remedies

1. Any staff member of the European Parliament may lodge a complaint, pursuant to Article 68 of Regulation (EU) 2018/1725, with the European Data Protection Supervisor. Lodging such a complaint shall not have the effect of suspending the deadline for lodging a complaint pursuant to Article 90 of the Staff Regulations.

2. Irrespective of the right referred to in paragraph 1, any staff member of the European Parliament may lodge a complaint with the Appointing Authority, pursuant to Article 90 of the Staff Regulations, with respect to a matter relating to the processing of personal data. In its complaint, the staff member shall indicate whether a complaint to the European Data Protection Supervisor has been lodged in parallel to the complaint under the Staff Regulations.

In the case of a complaint under Article 90(2) of the Staff Regulations, the Data Protection Officer shall be consulted by the relevant departments of the European Parliament.

Article 40

Acts repealed

1. Implementing Rules relating to Regulation (EC) No 45/2001 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data Bureau decision of 22 June 2005 (4), are repealed with effect on the day of the entry into force of the this Decision.

2. Decision of the Bureau of the European Parliament of 3 April 2019 on the implementing rules on the restriction of certain data subject rights in relation to the transfer of personal data by the European Parliament to national authorities in the context of criminal or financial investigations (5) is repealed with effect on the day of the entry into force of the this Decision.

Article 41

Entry into force

This Decision shall enter into force on the day following its publication in the

Official Journal of the European Union

(1) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (

OJ L 295, 21.11.2018, p. 39

(2)

OJ L 56, 4.3.1968, p. 1

(3) Bureau Decision of 2 July 2012 regarding rules on document management in the European Parliament.

(4)

OJ C 308, 6.12.2005, p. 1

(5)

OJ C 163, 13.5.2019, p. 1

ANNEX I

Internal prevention and investigation of security incidents, security inquiries and auxiliary investigations

(1)

Subject-matter and scope

This Annex applies to the processing of personal data by the controller for the purpose of the procedures laid down in the paragraph 2.

This Annex lays down the specific conditions under which the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, in order to safeguard the internal security of the European Parliament, including of its electronic communications networks, in accordance with Article 25(1), point (d), of that Regulation, when conducting internal risk assessments, access controls including background checks, measures of prevention and investigation of security incidents, including information and communication technologies incidents (1), as well as security inquiries and auxiliary investigations on its own initiative or upon request by third parties (2).

This Annex applies to the following categories of personal data:

(a) identification data;

(b) contact data;

(d) financial data;

(e) traffic data including log-on and log-off times, access to internal applications and network-based resources and internet use;

(f) video surveillance data;

(g) audio recordings;

(h) data on the presence of persons;

(i) data on external activities of persons;

(j) data relating to suspected offences, offences, criminal convictions or security measures;

(k) all other data related to the subject matter of the relevant risk assessments, access controls including background checks, security incidents' investigations, security inquiries and auxiliary investigations conducted by the European Parliament on its own initiative or at the request of third parties.

(2)

Applicable restrictions

Subject to Articles 30 to 36 of this Decision, the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, where the exercise of those rights would jeopardise the European Parliament's internal risk assessments, access controls including background checks, measures of prevention and investigation of security incidents, security inquiries and auxiliary investigations, including of its electronic communications networks,

inter alia

by revealing its investigative tools and methods.

(1) Bureau Decision on European Parliament Information and Communication Technology Systems Security Policy of 7 September 2015.

(2) Bureau Decision on rules governing security and safety in the European Parliament of 15 January 2018.

ANNEX II

Disciplinary procedures, administrative inquiries and investigations relating to staff matters

(1)

Subject-matter and scope

This Annex applies to the processing of personal data by the controller for the purpose of the procedures laid down in paragraph 2.

This Annex lays down the specific conditions under which, when conducting disciplinary procedures, administrative inquiries and investigations relating to staff matters pursuant to Article 86 and Annex IX of the Staff Regulations, and investigations in the context of requests for assistance submitted under Article 24 of the Staff Regulations and with regard to alleged cases of harassment, the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, in order to safeguard:

(a) other important objectives of general public interest of the Union such as the ability of the European Parliament to comply with its obligations under the Staff Regulations and to conduct its internal staffing policy, in accordance with Article 25(1), point (c), of that Regulation,

(b) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions, in accordance with Article 25(1), point (f), of that Regulation,

(c) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in Article 25(1), point (c), of that Regulation, in accordance with Article 25(1), point (g), thereof, and

(d) the protection of the rights and freedoms of other data subjects, in accordance with Article 25(1), point (h), of that Regulation.

This Annex applies to the following categories of personal data:

(a) identification data;

(b) contact data;

(d) data on the presence of persons;

(e) data on external activities of persons;

(f) data revealing racial or ethnic origin, religious or philosophical beliefs or data concerning health;

(g) all other data related to the subject matter of the relevant disciplinary procedures, administrative inquiries and investigations relating to staff matters conducted by the European Parliament.

(2)

Applicable restrictions

Subject to Articles 30 to 36 of this Decision, the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, where the exercise of those rights would jeopardise the purpose and effectiveness of the disciplinary procedures, administrative inquiries or investigations in staff matters, including investigations on alleged cases of harassment, or would adversely affect the rights and freedoms of other data subjects.

ANNEX III

Selection procedures

(1)

Subject-matter and scope

This Annex applies to the processing of personal data by the controller for the purpose of conducting selection procedures.

This Annex lays down the specific conditions under which, when conducting selection procedures (1), the controller may restrict the application of Article 17 of Regulation (EU) 2018/1725, in order to safeguard:

(a) other important objectives of general public interest of the Union, such as the ability of the European Parliament to comply with its obligations under the Staff Regulations and to conduct its internal staffing policy, in accordance with Article 25(1), point (c), of that Regulation, and

(b) the protection of the rights and freedoms of other data subjects, in accordance with Article 25(1), point (h), of that Regulation.

This Annex applies to the following categories of personal data:

(a) identification data;

(b) contact data;

(d) recorded speeches or tests of candidates;

(e) evaluation sheets;

(f) all other data related to the relevant selection procedures conducted by the European Parliament.

(2)

Applicable restrictions

Subject to Articles 30 to 35 of this Decision, the controller may restrict the application of the right of data subjects to access their personal data pursuant to Article 17 of Regulation (EU) 2018/1725 where the exercise of this right would jeopardise the purpose and effectiveness of such selection procedures, notably by revealing assessments made by selection committees, or would adversely affect the rights and freedoms of other data subjects, notably by revealing personal data of other candidates.

(3)

Duration of restrictions

By way of derogation from Article 36 of this Decision, the following rules shall apply as regards the duration of restrictions:

— Restrictions applied pursuant to this Annex shall continue to apply as long as the reasons justifying them remain applicable.

— The controller shall lift the restriction where the reasons for a restriction no longer exist and the data subject has asked again for access to the personal data concerned. At the same time, the controller shall provide the data subject with the principal reasons for the restriction and inform the data subject of the possibility of lodging a complaint with the European Data Protection Supervisor at any time or of seeking a judicial remedy before the Court of Justice.

(1) This includes selection procedures for temporary and contract staff as well as internal competitions.

ANNEX IV

Medical files

(1)

Subject-matter and scope

This Annex applies to the access to personal medical data of staff members and Members of European Parliament.

This Annex lays down the specific conditions under which the controller may restrict the application of Article 17 of Regulation (EU) 2018/1725, in order to safeguard the protection of the data subject when processing medical data of staff members pursuant to the Staff Regulations and of Members of the European Parliament pursuant to the Implementing Measures for the Statute for Members of the European Parliament (1) in accordance with Article 25(1), point (h), of that Regulation.

This Annex applies to the following categories of personal data:

(a) identification data;

(b) contact data;

(d) medical data.

(2)

Applicable restrictions

Subject to Articles 30 to 35 of this Decision, the controller may restrict the application of the right to access directly personal medical data, including of a psychological or psychiatric nature concerning the data subject, which is processed by the European Parliament, where access to such data is likely to represent a risk for the data subject's health. This restriction shall be proportionate to what is strictly necessary to protect the data subject. Access to the information referred to in this paragraph shall therefore be given, upon request, to a doctor of the data subject's choice.

Before applying a restriction pursuant to paragraph 1, a medical officer, acting on behalf of the European Parliament, shall give reasons for any such restriction and those reasons shall be included in the medical file of the person concerned.

(3)

Duration of restrictions

By way of derogation from Article 36 of this Decision, the following rules shall apply as regards the duration of restrictions:

— Restrictions applied pursuant to this Annex shall continue to apply as long as the reasons justifying them remain applicable.

— The controller shall lift the restriction where the reasons for a restriction no longer exist and the data subject has asked again for access to the personal medical data concerned. At the same time, the controller shall provide the data subject with the principal reasons for the restriction and inform the data subject of the possibility of lodging a complaint with the European Data Protection Supervisor at any time or of seeking a judicial remedy in the Court of Justice.

(1) Bureau Decision on implementing measures for the statute for members of the European Parliament of 19 May and 9 July 2008 as amended by the Bureau decisions of 11 November 2009, 23 November 2009, 14 December 2009, 19 April 2010, 5 July 2010, 13 December 2010, 14 February 2011, 23 March 2011, 14 November 2011, 12 December 2012, 1 July 2013, 16 June 2014, 15 September 2014, 15 December 2014, 26 October 2015, 14 December 2015, 12 December 2016, 13 December 2017, 11 June 2018, 2 July 2018 and 10 December 2018.

ANNEX V

Examination of complaints by staff

(1)

Subject-matter and scope

This Annex applies to the processing of personal data by the controller for the purpose of processing complaints under the Staff Regulations.

This Annex lays down the specific conditions under which, when examining complaints by staff pursuant to Article 90 of the Staff Regulations (1), the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, in order to safeguard:

(a) other important objectives of general public interest of the Union such as the ability of the European Parliament to comply with its obligations under the Staff Regulations, in accordance with Article 25(1), point (c), of that Regulation, and

(b) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions, in accordance with Article 25(1), point (f), of that Regulation.

This Annex applies to the following categories of personal data:

(a) identification data;

(b) contact data;

(d) all other data related to the relevant complaints made by staff.

(2)

Applicable restrictions

(1) Within the examination of complaints by members of staff pursuant to Article 90 of the Staff Regulations, the European Parliament may process personal data of members of staff other than the complainant for the purposes of verification of compliance with the principle of equal treatment.

ANNEX VI

Internal audits

(1)

Subject-matter and scope

This Annex applies to the processing of personal data by the controller for the purpose of conducting internal audits.

This Annex lays down the specific conditions under which, when conducting internal audits for the purpose of Articles 118 and 119 of Regulation (EU, Euratom) 2018/1046 (1) and pursuant to the Charter of the Internal Auditor, adopted by the Bureau on 14 January 2019, the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, in order to safeguard:

(a) other important objectives of general public interest of the Union or of a Member State in particular the financial interest of the Union or of a Member State, in accordance with Article 25(1), point (c), of that Regulation, and

(b) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in Article 25(1) (c) of that Regulation, in accordance with Article 25(1), point (g), thereof.

This Annex applies to the following categories of personal data:

(a) identification data;

(b) contact data;

(d) financial data;

(e) traffic data;

(f) data on presence of persons;

(g) data on external activities of persons;

(h) political affiliation data;

(i) all other data related to the subject matter of the relevant audit activity.

(2)

Applicable restrictions

(1) Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (

OJ L 193, 30.7.2018, p. 1

ANNEX VII

Judicial proceedings

(1)

Subject-matter and scope

This Annex applies to the processing of personal data by the controller for the purpose of judicial proceedings.

This Annex applies to the following categories of personal data:

(a) identification data;

(b) contact data;

(d) financial data;

(e) traffic data;

(f) data on the presence of persons;

(g) data on external activities of persons;

(h) all other data related to the subject matter of the relevant judicial proceedings.

(2)

Applicable restrictions

ANNEX VIII

Financial monitoring and investigations

(1)

Subject-matter and scope

This Annex applies to the processing of personal data by the controller for the purpose of conducting financial monitoring and investigations within the meaning of paragraph 2.

This Annex lays down the specific conditions under which, when conducting monitoring and investigations on the legality of financial transactions conducted by and within the European Parliament, monitoring and investigations on Members' entitlements (1), as well as monitoring and investigations on financing of European political parties, European political foundations and European political groups, the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, in order to safeguard:

(a) the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, in accordance with Article 25(1), point (b), of that Regulation,

(b) other important objectives of general public interests of the Union or of a Member State, in particular the financial interest of the Union or of a Member State, in accordance with Article 25(1), point (c), of that Regulation, and

(c) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in Article 25(1), points (b) and (c), of that Regulation, in accordance with Article 25(1), point (g), of that Regulation.

This Annex applies to the following categories of personal data:

(a) identification data;

(b) contact data;

(d) financial data;

(e) traffic data;

(f) data on presence of persons;

(g) data on external activities of persons;

(h) political affiliation data;

(i) all other data related to the subject matter of the relevant monitoring and investigations conducted by the European Parliament.

(2)

Applicable restrictions

Subject to Articles 30 to 36 of this Decision, the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, where the exercise of those rights would jeopardise the purpose and effectiveness of financial monitoring and investigations conducted by the European Parliament.

(1) This includes notably investigations on general expenditure allowances, personal staff allowances, equipment and facilities allowances, and travel allowances.

ANNEX IX

Cooperation with the European Anti-Fraud Office (‘OLAF’)

(1)

Subject-matter and scope

This Annex applies to the processing of personal data, particularly the transfer of personal data, by the controller for the purpose of providing OLAF with information and documents, notifying cases to OLAF or processing information and documents coming from OLAF.

This Annex lays down the specific conditions under which, when providing information and documents to OLAF at the request of OLAF or on its own initiative, when notifying cases to OLAF or when processing information and documents coming from OLAF the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, in order to safeguard:

(a) the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, in accordance with of Article 25(1), point (b), of that Regulation, and

(b) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions, in accordance with Article 25(1), point(f), of that Regulation.

This Annex shall not apply to the processing of personal data where OLAF acts as controller, notably where OLAF processes personal data held in the European Parliament’s premises pursuant to Article 4(2) and 6 of Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council (1).

This Annex applies to the following categories of personal data:

(a) identification data;

(b) contact data;

(c) professional data including accredited parliamentary assistants and local assistants contracts, service provider contracts and data relating to missions;

(d) financial data;

(e) traffic data;

(f) data on the presence of persons;

(g) data on external activities of persons;

(h) political affiliation data;

(i) all other data related to the subject matter of the relevant investigation conducted by OLAF or by the European Parliament in cooperation with OLAF.

(2)

Applicable restrictions

Subject to Articles 30 to 36 of this Decision, the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation where the exercise of those rights would jeopardise the purpose of OLAF’s investigative activities or the European Parliament’s investigative activities in cooperation with OLAF, including by revealing their investigative tools and methods.

Subject to Articles 30 to 36 of this Decision, the European Parliament may restrict the rights and obligations referred to in paragraph 1 in relation to personal data obtained from OLAF where the exercise of those rights and obligations could be restricted by OLAF on the basis of Article 2(3) of Commission Decision (EU) 2018/1962 (2).

(1) Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (EC) No 1073/1999 of the European Parliament and of the Council and Council Regulation (Euratom) No 1074/1999 (

OJ L 248, 18.9.2013, p. 1

(2) Commission Decision (EU) 2018/1962 of 11 December 2018 laying down internal rules concerning the processing of personal data by the European Anti-Fraud Office (OLAF) in relation to the provision of information to data subjects and the restriction of certain of their rights in accordance with Article 25 of Regulation (EU) 2018/1725 of the European Parliament and of the Council (

OJ L 315, 12.12.2018, p. 41

ANNEX X

Cooperation with the Member States in the context of criminal or financial investigations

(1)

Subject-matter and scope

This Annex applies to the processing of personal data, particularly the transfer of personal data, by the controller for the purpose of providing national authorities with information and documents that they request in the framework of criminal or financial investigations.

This Annex lays down the specific conditions under which, when providing national authorities with information and documents that they request in the framework of criminal or financial investigations (1), the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, in order to safeguard:

(a) the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, in accordance with Article 25(1), point (b), of that Regulation,

(b) the protection of judicial independence and judicial proceedings, in accordance with Article 25(1), point (e), of that Regulation, and

(c) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions, in accordance with Article 25(1), point (f), of that Regulation.

This Annex applies to the following categories of personal data:

(a) identification data;

(b) contact data;

(d) financial data;

(e) electronic communications;

(f) traffic data;

(g) video surveillance data;

(h) audio recordings;

(i) data on the presence of persons

(j) all other data related to the subject matter of the relevant investigation conducted by national authorities.

(2)

Applicable restrictions

(1) The European Parliament is required to provide national authorities with the information and documents requested according to the principle of sincere cooperation enshrined in Article 4(3) of the Treaty on the European Union.