Decision No 4/2022 of the Bureau of the Committee of the Regions of 25 Januar... (32022Q0311(01))

DECISION No 4/2022 OF THE BUREAU OF THE COMMITTEE OF THE REGIONS

of 25 January 2022

laying down internal rules concerning restrictions of certain rights of data subjects in relation to the processing of personal data in the context of activities and procedures carried out by the Committee of the Regions

THE BUREAU OF THE COMMITTEE OF THE REGIONS,
Having regard to the Treaty on the Functioning of the European Union (1), and in particular Article 306 thereof,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (2) ("the Regulation" or "EUDPR"), and in particular Article 25 thereof,
Having regard to the Rules of Procedure of the European Committee of the Regions (3), and in particular Rule 37(d) thereof,
Having regard to the opinion D(2021) 0894 (Case 2021-0345) of the European Data Protection Supervisor ("the EDPS") of 20 April 2021, consulted in accordance with Article 41(2) EUDPR,
Whereas:
(1) Pursuant to Article 3(1) EUDPR, any information relating to an identified or identifiable natural person ("data subject") should be considered personal data.
(2) The Regulation applies, in the same way as to any Union institution, to the Committee of the Regions ("the Committee") as regards the processing of personal data in the context of the activities and procedures it carries out.
(3) The controller within the meaning of Article 3(8) EUDPR is the Committee who may delegate the responsibility for determining the purposes and means of the processing of personal data.
(4) Pursuant to Article 45(3) EUDPR, the Bureau of the Committee of the Regions ("the Bureau") adopted implementing rules (4) concerning the Regulation and the data protection officer of the Committee ("the DPO"). In accordance with those rules, the department (directorate, unit or sector) of the Secretariat-General of the Committee or the secretariat of one of the political groups in the Committee that, alone or jointly with others, determines the purposes and means of the processing of the personal data should, in respect of those data, act on behalf of the Committee as delegated controller.
(5) The Committee and the European Economic and Social Committee ("the EESC") share certain departments and resources ("the Joint Services") in the context of inter-institutional cooperation, and the applicable internal rules concerning restrictions of data subjects’ rights in relation to the processing of personal data by the Joint Services should be determined in accordance with the arrangements concluded between the Committee and the EESC to that end.
(6) To fulfil the Committee’s tasks, data controllers collect and process information and several categories of personal data, including identification data of natural persons, contact information, professional roles and tasks, information on private and professional conduct and performance, and financial data. Data controllers are therefore obliged, under the Regulation, to provide information to data subjects on those processing activities they perform and to respect their rights as data subjects.
(7) Data controllers might be required to reconcile those rights with the objectives of the inquiries, investigations, verifications, activities, audits and proceedings that are conducted within the Committee. They might also be required to balance a data subject’s rights against the fundamental rights and freedoms of other data subjects. To that end, Article 25(1) EUDPR gives data controllers the possibility to restrict the application of Articles 14, 15, 16, 17, 18, 19, 20, 21, 22, 35 and 36 EUDPR, as well as Article 4 EUDPR insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 22 EUDPR.
(8) Data controllers should apply restrictions only when the latter respect the essence of fundamental rights and freedoms, are strictly necessary and are a proportionate measure in a democratic society.
(9) Data controllers should give reasons explaining the justification for those restrictions and should keep a record of their application of restrictions to data subjects’ rights.
(10) Data controllers should lift a restriction as soon as the conditions that justified the restriction no longer apply. They should regularly assess those conditions.
(11) To guarantee the utmost protection of data subjects’ rights and freedoms, the DPO should be consulted in due time on any restrictions that may be applied and should verify their compliance with this Decision.
(12) Unless restrictions are provided for in a legal act adopted on the basis of the Treaties (5), it is necessary to adopt internal rules under which data controllers are entitled to restrict data subjects’ rights.
(13) This Decision should not apply in cases where one of the exceptions laid down in Articles 15(4) and 16(5) EUDPR in respect of the information to be provided to a data subject applies,
HAS ADOPTED THIS DECISION:

Article 1

Subject matter, scope and definitions

1.   This Decision lays down general rules relating to the conditions under which, pursuant to Article 25(1) EUDPR, data controllers may restrict the application of, as the case may be, Articles 14, 15, 16, 17, 18, 19, 20, 21, 22, 35 and 36 EUDPR, as well as Article 4 EUDPR insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 22 EUDPR.
2.   For the purpose of this Decision, the following definitions apply:
(a) "personal data" means any information relating to a data subject that is processed when carrying out activities or procedures that do not fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of the Treaty on the Functioning of the European Union, as opposed to operational personal data within the meaning of Article 3(2) EUDPR,
(b) "data controller" means the entity that, alone or jointly with others, actually determines the purposes and means of the processing of the personal data in the context of activities and procedures carried out by the Committee, regardless of whether the responsibility for such determination was delegated.
3.   This Decision applies to the processing of personal data for the purposes of the activities and procedures carried out by the Committee. It shall not apply where a legal act adopted on the basis of the Treaties provides for a restriction of data subjects’ rights.
4.   The controller within the meaning of Article 3(8) EUDPR is the Committee who may delegate the responsibility for determining the purposes and means of the processing of personal data.
5.   For the purpose of each processing, restriction and deferral, omission or denial of information, the data controller responsible shall be determined in accordance with the Committee’s relevant internal decisions, procedures and implementing rules.

Article 2

Exceptions and derogations

1.   Before applying any restrictions pursuant to Article 3(1), data controllers shall consider whether any of the exceptions or derogations laid down in the Regulation apply, notably those pursuant to Articles 15(4), 16(5), 19(3), 25(3) and (4), and 35(3) EUDPR.
2.   The application of derogations shall be subject to appropriate safeguards in accordance with Article 13 EUDPR and Article 6 of this Decision.

Article 3

Restrictions

1.   Data controllers may restrict the application of, as the case may be, Articles 14, 15, 16, 17, 18, 19, 20, 21, 22, 35 and 36 EUDPR, as well as Article 4 EUDPR insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 22 EUDPR, where the exercise of their rights by data subjects would detrimentally affect the purpose or the outcome of one or more of the activities or procedures carried out by the Committee, in particular:
(a) pursuant to Article 25(1)(b), (c), (f), (g) and (h) EUDPR, when the appointing authority and the authority empowered to conclude contracts of employment of the Committee ("the Appointing Authority") conduct disciplinary procedures, administrative inquiries and investigations relating to staff matters in accordance with Article 86 of the Staff Regulations of Officials of the European Union ("the Staff Regulations" or "SR") and Annex IX to the Staff Regulations as well as Articles 50a and 119 of the Conditions of Employment of Other Servants of the European Union (6) ("the Conditions of Employment" or "CEOS"), and investigations in the context of requests for assistance submitted pursuant to Article 24 SR and Articles 11 and 81 CEOS and with regard to alleged cases of harassment within the meaning of Article 12a SR,
(b) pursuant to Article 25(1)(b), (c), (f) and (h) EUDPR, when the Appointing Authority reviews requests and complaints submitted by officials and other servants of the Committee ("staff members") in accordance with Article 90 SR and Articles 46 and 117 CEOS,
(c) pursuant to Article 25(1)(c) and (h) EUDPR, when the Appointing Authority implements the Committee’s staff policy by conducting selection (recruitment), evaluation (appraisal) and promotion procedures,
(d) pursuant to Article 25(1)(c), (f), (g) and (h) EUDPR, when the authorising officer of the Committee ("the Authorising Officer") implements the Committee’s section of the general budget of the European Union by conducting award procedures in accordance with the financial rules applicable to the general budget of the Union (7) ("the Financial Regulation" or "FR"),
(e) pursuant to Article 25(1)(b), (c), (f), (g) and (h) EUDPR, when the Authorising Officer conducts monitoring and investigations regarding the legality of financial transactions carried out by and within the Committee, regarding the financial entitlements (8) of the members and the alternates of the Committee ("Committee members"), and regarding the financing of the activities and events organised or co-organised by the Committee, and deals with financial irregularities on the part of a staff member in accordance with Article 93 FR,
(f) pursuant to Article 25(1)(b), (c), (f), (g) and (h) EUDPR, when the Committee provides information and documents to the European Anti-Fraud Office ("OLAF"), either at OLAF’s request or on its own initiative, notifies cases to OLAF or processes information and documents received from OLAF (9),
(g) pursuant to Article 25(1)(c), (g) and (h) EUDPR, when the Committee conducts internal audits for the purpose of Articles 118 and 119 FR and in relation to the activities and procedures of its departments,
(h) pursuant to Article 25(1)(c), (d) and (h) EUDPR, when the Committee conducts internal risk assessments, access controls, including background checks, measures of prevention and investigation of safety and security incidents, including incidents involving Committee members or staff members as well as incidents relating to the Committee’s infrastructure and information and communication technologies, as well as security inquiries and auxiliary investigations, including of its electronic communications networks, on its own initiative or upon request by third parties,
(i) pursuant to Article 25(1)(c), (d) and (h) EUDPR, when the DPO, on their own initiative or upon request by third parties, conducts investigations into matters and occurrences directly relating to their tasks that have come to their notice, in accordance with Article 45(2) EUDPR,
(j) pursuant to Article 25(1)(h) EUDPR, when data controllers process personal data obtained in the context of a staff member reporting in good faith factual elements that point to the existence of either possible illegal activities, including fraud and corruption, that are detrimental to the interests of the Union ("serious irregularities") or conduct relating to the discharge of professional duties that may constitute a serious failure to comply with staff members’ obligations ("serious misconduct"),
(k) pursuant to Article 25(1)(h) EUDPR, when data controllers process personal data obtained by confidential counsellors in the context of the informal procedure for cases of alleged harassment,
(l) pursuant to Article 25(1)(h) EUDPR, when data controllers process personal data concerning the health ("medical data") of either a Committee member or a staff member, including of a psychological or psychiatric nature, that are contained in the medical file held by the Committee on the data subject concerned,
(m) pursuant to Article 25(1)(e) EUDPR, when data controllers process personal data in documents produced or obtained by the parties or the interveners in the context of proceedings before the Court of Justice of the European Union ("the Court of Justice"),
(n) pursuant to Article 25(1)(b), (c), (d), (g) and (h) EUDPR, when the Committee provides or receives assistance to or from other institutions, bodies, offices and agencies of the Union ("EUIs") and cooperates with them in the context of the activities or procedures referred to in paragraph 1, points (a) to (m), and in accordance with the applicable service-level agreements, memoranda of understanding and cooperation agreements,
(o) pursuant to Article 25(1)(b), (c), (g) and (h) EUDPR, when the Committee provides or receives assistance to or from the authorities of the Member States or those of third countries or international organisations and cooperates with such authorities and organisations, either at their request or on its own initiative,
(p) pursuant to Article 25(1)(a), (b), (e) and (f) EUDPR, when the Committee provides the authorities of the Member States, or those of third countries or international organisations, with information and documents that they request in the context of investigations.
2.   The restrictions referred to in paragraph 1 may concern objective ("hard data") and subjective ("soft data") personal data alike, in particular but not exclusively one or more of the following categories:
(a) Identification data;
(b) Contact data;
(c) Professional data (10);
(d) Financial data;
(e) Surveillance data (11);
(f) Traffic data (12);
(g) Medical data (13);
(h) Genetic data (13);
(i) Biometric data (13);
(j) Data concerning a natural person’s sex life or sexual orientation (13);
(k) Data revealing racial or ethnic origin, religious or philosophical beliefs, political opinions or affiliation, or trade union membership (13);
(l) Data revealing the performance or conduct of natural persons participating in selection (recruitment), evaluation (appraisal) or promotion procedures (14);
(m) Data on the presence of natural persons;
(n) Data on external activities of natural persons;
(o) Data relating to suspected offences, offences, criminal convictions or security measures;
(p) Electronic communications;
(q) All other data related to the subject matter of the relevant activity or procedure requiring the processing of that data.
3.   Any restriction shall respect the essence of fundamental rights and freedoms and be necessary and proportionate in a democratic society, and shall be limited to what is strictly necessary to achieve its objective.
4.   Any restriction of the application of Article 36 EUDPR (Confidentiality of electronic communications), whether total or partial, in accordance with paragraph 1 shall comply with applicable Union law concerning electronic communications privacy (15).
5.   Data controllers shall periodically review the application of restrictions referred to in paragraph 1, at least every six months from their respective adoption but also when essential and decisive elements of the case change and at the completion or termination of the activity or procedure that generated the restrictions. Thereafter, they shall monitor the need to maintain any restriction on an annual basis.
6.   The restrictions referred to in paragraph 1 shall continue to apply for as long as the reasons justifying them remain applicable. Where the reasons for a restriction referred to in paragraph 1 no longer exist, data controllers shall lift that restriction.
7.   When processing personal data received from third parties in the context of the Committee’s tasks, data controllers shall consult those third parties on potential grounds for imposing restrictions and on the necessity and proportionality of the restrictions concerned, unless this would detrimentally affect the activities or procedures of the Committee.

Article 4

Assessment of necessity and proportionality

1.   Before applying any restrictions, data controllers shall, on a case-by-case basis, assess whether the restrictions under consideration are necessary and proportionate.
2.   Whenever data controllers assess the necessity and proportionality of a restriction, they shall consider the potential risks to data subjects’ rights and freedoms.
3.   Assessments of the risks to data subjects’ rights and freedoms that arise from imposing the restrictions, notably the risk that their personal data might be further processed without their knowledge and that they might be prevented from exercising their rights in accordance with the Regulation, as well as details of the period of application of those restrictions shall be registered in the record of processing activities maintained by data controllers pursuant to Article 31(1) EUDPR. They shall also be recorded in any data protection impact assessments regarding those restrictions conducted under Article 39 EUDPR.

Article 5

Recording and registering of restrictions

1.   Whenever data controllers apply restrictions, they shall record:
(a) The reasons for applying the restrictions;
(b) The grounds on which the restrictions are applied;
(c) How the exercise of the data subjects’ rights would detrimentally affect the purpose or the outcome of one or more of the activities or procedures carried out by the Committee;
(d) The outcome of the assessment referred to in Article 4(1).
2.   The records referred to in paragraph 1 shall be part of the central register provided for in Article 31(5) EUDPR and shall be made available to the EDPS on request.
3.   Where data controllers restrict the application of Article 35 EUDPR (Communication of a personal data breach to the data subject), the record referred to in paragraph 1 shall be included in the notification to the EDPS provided for in Article 34(1) EUDPR.

Article 6

Safeguards and retention period

1.   Data controllers shall implement safeguards to prevent abuse of and unlawful access to or transfer of personal data that may be subject to restrictions pursuant to Article 3(1). Such safeguards shall include appropriate technical and organisational measures and shall be detailed, as necessary, in the Committee’s relevant internal decisions, procedures and implementing rules.
2.   The safeguards referred to in paragraph 1 shall include:
(a) Clearly defined roles, responsibilities and procedural steps;
(b) Where appropriate, a secure electronic environment that prevents electronic data being unlawfully or accidentally accessed by or transferred to unauthorised persons;
(c) Where appropriate, secure storage and processing of paper-based documents;
(d) Due monitoring of restrictions and a periodic review of the application thereof.
3.   The personal data shall be retained in accordance with the Committee’s applicable retention rules (16), to be laid down in the records maintained by data controllers pursuant to Article 31(1) EUDPR. At the end of the retention period, the personal data shall be, as the case may be, deleted, rendered anonymous in such a manner that the data subject concerned is not or is no longer identifiable, or transferred to the Committee’s archives in accordance with Article 13 EUDPR.

Article 7

Information to data subjects on the restriction of their rights

1.   The data protection notices published on the Committee’s public website and on its intranet shall include a section providing data subjects with general information about the potential restriction of their rights in the context of the Committee’s activities and procedures involving the processing of their personal data. This section shall specify the rights that may be restricted, the grounds on which restrictions may be applied, the potential duration of those restrictions and the administrative and legal remedies available to data subjects.
2.   Whenever data controllers apply restrictions, they shall, without undue delay and in the most appropriate format, directly inform each data subject concerned of:
(a) Any existing or forthcoming restrictions of their rights;
(b) The principal reasons on which the application of the restriction is based;
(c) Their right to consult the DPO with a view to challenging the restriction;
(d) Their right to lodge a complaint with the EDPS;
(e) Their right to seek a judicial remedy before the Court of Justice.
3.   Notwithstanding paragraph 2, where data controllers restrict, in exceptional cases, the application of Article 35 EUDPR (Communication of a personal data breach to the data subject), they shall communicate the personal data breach to the data subject concerned and provide the information referred to in paragraph 2, points (b), (d) and (e), as soon as the reasons for restricting such communication no longer exist.
4.   Notwithstanding paragraph 2, where data controllers restrict, in exceptional cases, the application of Article 36 EUDPR (Confidentiality of electronic communications), they shall provide the information referred to in paragraph 2 in their reply to any request from the data subject concerned.
5.   Data controllers may defer, omit or deny the provision of the information referred to in paragraph 2 ("deferral, omission or denial of information") for as long as it would cancel the effect of the restriction. They shall provide the data subject concerned with the information referred to in paragraph 2 as soon as doing so would no longer render the restriction ineffective.
6.   Article 4 and Article 5 shall apply by analogy in respect of any instance of deferral, omission or denial of information.

Article 8

Involvement of the data protection officer of the Committee

1.   Data controllers shall, without undue delay, inform the DPO in writing whenever they restrict the rights of a data subject pursuant to Article 3(1), perform the periodical reviews referred to in Article 3(5), lift restrictions as provided for in Article 3(6), or defer, omit or deny the provision of the information referred to in Article 7(2) pursuant to Article 7(5). Upon request, the DPO shall be given access to the associated records and any documents containing underlying factual and legal elements.
2.   The DPO may request data controllers to review any existing restrictions as well as deferrals, omissions or denials of information, and the application thereof. The DPO shall be informed in writing of the outcome of the requested review.
3.   The involvement of the DPO provided for in paragraphs 1 and 2 in relation to the application of restrictions and deferrals, omissions or denials of information shall be duly documented by data controllers, including the information shared with the DPO.
4.   The DPO shall, upon request, provide their opinion to data controllers on the determination of their responsibilities in the context of a joint controllership arrangement pursuant to Article 28(1) EUDPR.

Article 9

Joint Services

The DPO shall cooperate with the data protection officer of the EESC as regards the processing of personal data by the Joint Services with a view to ensuring the effective implementation of this Decision.

Article 10

Final provisions

1.   The Secretary-General may, as appropriate, issue instructions or adopt implementing measures to, where necessary, further specify and give effect to any provision of this Decision, in compliance with the latter.
2.   This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Done at Brussels, 25 January 2022.
For the Bureau of the Committee of the Regions
Apostolos TZITZIKOSTAS
President
(1)  OJ C 202, 7.6.2016, p. 47.
(2)  OJ L 295, 21.11.2018, p. 39.
(3)  OJ L 472, 30.12.2021, p. 1.
(4)  Decision No 19/2020 of the Bureau of the Committee of the Regions of 9 October 2020 adopting implementing rules concerning Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data ("Decision No 19/2020").
(5)  The Treaty on European Union ("TEU") (OJ C 202, 7.6.2016, p. 13) and the Treaty on the Functioning of the European Union ("TFEU").
(6)  Annex to Council Regulation No 31 (EEC), 11 (EAEC), laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Economic Community and the European Atomic Energy Community (OJ P 45, 14.6.1962, p. 1385), as modified by Regulation (EEC, Euratom, ECSC) No 259/68 of the Council of 29 February 1968 laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission (OJ L 56, 4.3.1968, p. 1) and as further amended, restated, supplemented or otherwise modified.
(7)  Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (OJ L 193, 30.7.2018, p. 1).
(8)  Including, but not limited to, general expenditure allowances, staff allowances, equipment and facilities allowances, travel, subsistence and (remote) meeting allowances as well as other indemnities paid pursuant to Article 238 FR.
(9)  This point does not apply to the processing of personal data for which OLAF acts as sole controller, notably in cases when OLAF processes personal data held on the Committee’s premises.
(10)  Including, but not limited to, employment contracts, service provider contracts and data relating to missions.
(11)  Including, but not limited to, audio and video recordings and sign-in and sign-out registers.
(12)  Including, but not limited to, log-on and log-off times, access to internal applications and network-based resources and internet use.
(13)  Insofar as such data is processed pursuant to Article 10(2) EUDPR.
(14)  Including, but not limited to, written tests, recorded speeches, evaluation sheets, and evaluators’ assessments, observations or opinions.
(15)  Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
(16)  Decision No 129/2003 of the Secretary-General of the Committee of the Regions of 17 June 2003 on document management at the Committee of the Regions.