Decision 22/2023 of the Governing Board of the European Institute of Innovation ... (32024Q01540)
2024/1540
31.5.2024

Decision 22/2023 of the Governing Board of the European Institute of Innovation and Technology (EIT) on internal rules concerning restrictions of certain rights of data subjects in relation to processing of personal data in the framework of the functioning of the EIT

THE GOVERNING BOARD OF THE EIT,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2021/819 of the European Parliament and of the Council of 20 May 2021 on the European Institute of Innovation and Technology (1), in particular, Article 17(6) thereof,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (2) (hereinafter referred to as ‘the Regulation’), and in particular Article 25 thereof,
Having regard to the European Data Protection Supervisor’s (EDPS) Guidance of 24 June 2020 on Article 25 of Regulation (EU) 2018/1725 and internal rules restricting data subjects’ rights (3),
Having consulted the European Data Protection Supervisor,
Whereas:
(1) In accordance with Article 25(1) of the Regulation (EU) 2018/1725 restrictions of the application of Articles 14 to 22, 35 and 36, as well as Article 4 of that Regulation in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 22 should be based on internal rules to be adopted by the Agency, where these are not based on legal acts adopted on the basis of the Treaties.
(2) These internal rules, including its provisions on the assessment of the necessity and proportionality of a restriction, should not apply when a legal act adopted on the basis of the Treaties provides for a restriction for data subject rights.
(3) Where the Agency performs its duties with respect to data subjects’ rights under Regulation (EU) 2018/1725, it shall consider whether any of the exceptions laid down in that Regulation apply.
(4) The EIT may, in the context of its functioning, conduct administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings, in accordance with the Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the European Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (4) (‘Staff Regulations’), and with Decision 29/2022 of the Governing Board of the EIT (5).
(5) EIT staff members have the obligation to report potentially illegal activities, including fraud and corruption, which are detrimental to the interests of the Union or of conduct relating to the discharge of professional duties which may constitute a serious failure to comply with the obligations laid down in the Staff Regulations. Staff members are also obliged to report conduct relating to the discharge of professional duties which may constitute a serious failure to comply with the obligations of officials of the Union. This is regulated by Decision 33/2018 of the Governing Board of the EIT (6).
(6) The EIT has set out a policy to prevent and deal effectively with actual or potential cases of psychological or sexual harassment in the workplace, as provided for in Decision 16/2017 of the Governing Board of the EIT (7). In addition, Decision 28/2019 of the EIT Director (8) adopted the manual for informal procedures for cases involving psychological and sexual harassment. These decisions establish informal procedures whereby the alleged victim of the harassment can contact the EIT’s confidential counsellors (9). The EIT may also process internal and external complaints, conduct internal audits, carry out investigations by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725.
(7) The EIT is subject to both internal and external audits concerning its activities.
(8) In the context of the abovementioned tasks, the EIT may provide and receive assistance and cooperation to and from other Union institutions, bodies, offices and agencies as set out in the relevant service level agreements, memorandum of understanding and cooperation agreement.
(9) The EIT can also cooperate with third countries’ national authorities and international organisations, either at their request or on its own initiative.
(10) The EIT can also cooperate with EU Member States’ public authorities, either at their request or on its own initiative.
(11) The EIT is involved in cases before the Court of Justice of the European Union when it either refers a matter to the Court, defends a decision it has taken and which has been challenged before the Court, or intervenes in cases relevant to its tasks. In this context, the EIT might need to preserve the confidentiality of personal data contained in documents obtained by the parties or the interveners.
(12) To fulfil its tasks, the EIT collects and processes information and several categories of personal data, including identification data of natural persons, contact information, professional roles and tasks, information on private and professional conduct and performance, and financial data. The EIT acts as data controller.
(13) Under the Regulation (EU) 2018/1725, the EIT is therefore obliged to provide information to data subjects on those processing activities and to respect their rights as data subjects.
(14) The EIT might be required to reconcile the rights of data subjects pursuant to Regulation (EU) 2018/1725 with the needs of the abovementioned activities, while fully respecting fundamental rights and freedoms of other data subjects. To that effect, Article 25 of Regulation (EU) 2018/1725 provides, under strict conditions, the possibility to restrict the application of Articles 14 to 20, 35 and 36, as well as Article 4 in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 20. Unless restrictions are provided for in a legal act adopted on the basis of the Treaties, it is necessary to adopt internal rules under which EIT may restrict those rights in line with the same Article of Regulation (EU) 2018/1725.
(15) This might in particular be the case when providing information about the processing of personal data to the data subject at the preliminary assessment phase of an administrative inquiry or during the inquiry itself, prior to a possible dismissal of the case or a pre-disciplinary stage. In certain circumstances, providing such information might seriously affect the EIT’s capacity to conduct the enquiry in an effective way, whenever, for example, there is a risk that the person concerned destroys evidence or interferes with potential witnesses before they are interviewed. Furthermore, EIT might need to protect their rights and freedoms as well as the rights and freedoms of other persons involved.
(16) It might be necessary to protect the anonymity of a witness or a whistle-blower who has asked not to be identified. In such a case, EIT may decide to restrict access to the identity, statements and other personal data of the whistle-blower and other persons involved, in order to protect their rights and freedoms.
(17) It might be necessary to protect the confidential information concerning a staff member who has contacted EIT confidential counsellors in the context of a harassment procedure. In such a case, EIT may decide to restrict access to the identity, statements and other personal data of the alleged victim, the alleged harasser and other persons involved, in order to protect their rights and freedoms.
(18) When handling inquiries on processing activities carried out at EIT, the Data Protection Officer might, in certain circumstances, need to preserve the effectiveness of its inquiries and to protect, as necessary, persons involved and their rights and freedoms.
(19) EIT should apply restrictions only when they respect the essence of the fundamental rights and freedoms, and are strictly necessary and are a proportionate measure in a democratic society. EIT should give justifications explaining the grounds for those restrictions.
(20) Based on the principle of accountability, EIT should keep a record of the application of the restrictions.
(21) When processing personal data exchanged with other organisations in the context of its tasks, the EIT and those organisations should consult each other on potential grounds for imposing restrictions and the necessity and proportionality of those restrictions, unless this would jeopardise the activities of the EIT.
(22) Article 25(6) of the Regulation (EU) 2018/1725 obliges the controller to inform data subjects of the principal reasons on which the application of the restriction is based and of their right to lodge a complaint with the EDPS.
(23) Pursuant to Article 25(8) of the Regulation (EU) 2018/1725, the EIT may defer, omit or deny the provision of information on the reasons for the application of a restriction to the data subject if this would in any way cancel the effect of the restriction. The EIT should assess on a case-by-case basis and in cooperation with the Data Protection Officer whether the communication of the restriction would cancel its effect.
(24) The EIT should lift the restriction as soon as the conditions that justify the restriction no longer apply and assess those conditions on a regular basis.
(25) To guarantee the utmost protection of the rights and freedoms of data subjects and in accordance with Article 44(1) of the Regulation, the Data Protection Officer should be informed in due time of any restrictions that may be applied and verify their compliance with this Decision.
(26) The application of the abovementioned restrictions is without prejudice to the possible application of the provisions of Articles 16(5) and 17(4) of Regulation (EU) 2018/1725, relating, respectively, to the right of information when data have not been obtained from the data subject, and to the right of access by the data subject. If these exceptions apply, the EIT does not need to apply a restriction under this Decision,
HAS ADOPTED THIS DECISION:

Article 1

Subject matter and scope

This Decision lays down rules relating to the conditions under which the EIT may restrict the application of Articles 14 to 20, 35 and 36, as well as Article 4 thereof based on Article 25 of the Regulation (EU) 2018/1725.

Article 2

Specification of the controller

1.   The controller of the processing operations is the EIT, represented by its Director, who may delegate the function of the controller.
2.   Data subjects shall be informed of the delegated controller by way of the data protection records or privacy statements published on the website and/or the intranet of the EIT.

Article 3

Restrictions

1.   Where the EIT exercises its duties with respect to data subjects’ rights under Regulation (EU) 2018/1725, it shall consider whether any of the exemptions laid down in Regulation (EU) 2018/1725 applies.
2.   In accordance with Article 25(1) of Regulation (EU) 2018/1725, EIT may restrict the application of Articles 14 to 20, 35 and 36, and Article 4 thereof in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 20 of Regulation (EU) 2018/1725:
(a) pursuant to Article 25(1), points (b), (c), (f), (g) and (h) of the Regulation (EU) 2018/1725, when conducting administrative inquiries, pre-disciplinary, disciplinary or suspension proceedings under Article 86 and Annex IX of the Staff Regulations as well as Decision of the Governing Board of the EIT laying down implementing provisions on the conduct of administrative inquiries and disciplinary proceedings, and when notifying cases to OLAF;
(b) pursuant to Article 25(1), point (h) of the Regulation (EU) 2018/1725, in the course of whistleblowing procedures in order to ensure that EIT staff members may confidentially report facts where they believe there are serious irregularities, as set out in the Decision 33/2018 of the Governing Board of the EIT on laying down Guidelines on Whistleblowing;
(c) pursuant to Article 25(1), point (h) of the Regulation (EU) 2018/1725, in formal and informal procedures for cases of harassment ensuring that EIT staff members are able to confidentially report to confidential counsellors in the context of a harassment procedure, as defined by Decision 16/2017 of the Governing Board of the EIT on the EIT policy on protecting the dignity of the person and preventing psychological harassment and sexual harassment and Decision 28/2019 of the Director of the EIT on the adoption of a manual for informal procedures for cases involving psychological and sexual harassment;
(d) pursuant to Article 25(1), points (c), (g) and (h) of the Regulation (EU) 2018/1725, when conducting internal or external audits in relation to activities or units/departments of the EIT;
(e) pursuant to Article 25(1), points (c), (d), (g) and (h) of the Regulation (EU) 2018/1725, when providing or receiving assistance to or from other Union institutions, bodies, offices and agencies or cooperating with them in the context of activities under points (a) to (d) of this paragraph and pursuant to relevant service level agreements, memoranda of understanding and cooperation agreements;
(f) pursuant to Article 25(1), points (c), (g) and (h) of the Regulation (EU) 2018/1725, when providing or receiving assistance to or from third countries’ national authorities and international organisations or cooperating with such authorities and organisations, either at their request or on its own initiative;
(g) pursuant to Article 25(1), points (c), (g) and (h) of the Regulation (EU) 2018/1725, when providing or receiving assistance and cooperation to and from EU Member States’ public authorities, either at their request or on its own initiative;
(h) pursuant to Article 25(1), point (e) of the Regulation (EU) 2018/1725, when processing personal data in documents obtained by the parties or interveners in the context of proceedings before the Court of Justice of the European Union as well as in case of proceedings initiated by the national authorities or courts of a Member State;
(i) pursuant to Article 25(1), points (c), (g) and (h) of Regulation (EU) 2018/1725, when the Data Protection Officer is conducting inquiries on processing activities carried out at the EIT in accordance with Decision 01/2020 of the EIT Director (10), and in line with Article 45(2) of Regulation (EU) 2018/1725.
3.   The categories of data include identification data of a natural person, contact information, professional roles and tasks, information on private and professional conduct and performance, and financial data.
4.   Any restriction shall respect the essence of fundamental rights and freedoms and be necessary and proportionate in a democratic society.
5.   A necessity and proportionality test shall be carried out on a case-by-case basis before restrictions are applied and it must be duly documented. Restrictions shall be limited to what is strictly necessary to achieve the set objectives.
6.   Restrictions should be duly monitored by the data controller and a periodical revision with a necessity and proportionality test shall be done every six months following their adoption in consultation with the Data Protection Officer.
7.   Restrictions shall be lifted as soon as the circumstances that justify them no longer apply. The data controller in consultation with the Data Protection Officer shall provide the information concerned to the data subject together with the information on the possibility to lodge a complaint with the EDPS at any time or to seek a judicial remedy in the Court of Justice of the European Union.
8.   For accountability purposes, the EIT shall draw up a record describing the reasons for the restrictions applied, which grounds among those listed in paragraph 1 apply and the outcome of the necessity and proportionality test. Those records shall be part of an ad hoc register kept by the Data Protection Officer, which shall be made available on request to the EDPS. The EIT shall prepare periodic reports on the application of Article 25 of the Regulation (EU) 2018/1725.
9.   When processing personal data exchanged with other organisations in the context of its tasks, the EIT shall consult those organisations on the possible relevant grounds for imposing restrictions and the necessity and proportionality of the restrictions concerned, unless this would jeopardise the activities of the EIT.

Article 4

Risks to the rights and freedoms of data subjects

1.   The assessment of the risks to the rights and freedoms of data subjects whose personal data may be subject to restrictions as well as their retention period, shall be registered in the record of processing activities maintained by the EIT under Article 31 of the Regulation (EU) 2018/1725, if applicable in relevant data protection impact assessments regarding those restrictions conducted under Article 39 of the said Regulation.
2.   Whenever the EIT assesses the necessity and proportionality of a restriction it shall consider the potential risks to the rights and freedoms of the data subject.

Article 5

Safeguards and storage periods

1.   The EIT shall implement safeguards to prevent abuse and unlawful access or transfer of the personal data that may be subject to restrictions. These safeguards shall include technical and organisational measures to protect the personal data against accidental or unlawful destruction, accidental loss or unauthorised disclosure, alteration and access or any other unauthorised form of processing and be detailed as necessary in EIT internal decisions, procedures and implementing rules.
The safeguards shall include:
(a) a clear definition of roles, responsibilities and procedural steps;
(b) if appropriate, a secure electronic environment which prevents unlawful and accidental access or transfer of electronic data to unauthorised persons;
(c) if appropriate, secure storage and processing of paper-based documents;
(d) due monitoring of restrictions and a periodic review of their application.
The reviews referred to in point (d) shall be conducted at least every six months.
2.   Restrictions shall be lifted as soon as the circumstances that justify them no longer apply.
3.   The retention period of the personal data that may be subject to restrictions shall be no longer than necessary and appropriate for the purposes for which the data are processed. It shall in any event not be longer than the retention period specified in the data protection notices, privacy statements or data protection records maintained under Article 31 of the Regulation (EU) 2018/1725. At the end of the retention period, the personal data shall be deleted, anonymised or transferred to archives in accordance with Article 13 of the Regulation (EU) 2018/1725.

Article 6

Information to and review by the Data Protection Officer

1.   The Data Protection Officer shall be informed without undue delay by the data controller whenever the data subject rights are restricted in accordance with this Decision and shall be provided access to the record containing the assessment of the necessity and proportionality as well as any documents concerning factual or legal elements.
2.   The Data Protection Officer may request the review of the application of a restriction. The EIT shall inform its DPO in writing of the outcome of the review by the data controller.
3.   The involvement of the Data Protection Officer in the restrictions procedure, including information exchanges, shall be documented in an appropriate form by the data controller.

Article 7

Information to data subjects on restrictions of their rights

1.   The EIT shall include a section in the data protection notices published on its website/intranet informing all data subjects on processing activities involving processing of their personal data which could be subject to restrictions in accordance with these rules. This information shall cover which rights may be restricted, the grounds on which restrictions may be applied and their potential duration.
2.   Data controllers shall individually inform data subjects who are parties to a procedure, parties concerned by procedures or witnesses, in writing and without delay of ongoing or future restrictions to their rights.
3.   Where in the context of the activities mentioned in this Decision, the EIT restricts, wholly or partly, the rights of the data subjects mentioned in Articles 14 to 16 and 35 of Regulation (EU) 2018/1725, they shall be informed of the principal reasons on which the application of the restriction is based, and of their right to consult the Data Protection Officer with a view to challenging the restriction and of their rights to lodge a complaint with the EDPS as well as to seek a judicial remedy before the Court of Justice of the European Union.
4.   The EIT may defer, omit or deny the provision of information concerning the reasons for the restriction referred to in paragraph 1 and the right to lodge a complaint with EDPS for as long as it would cancel the effect of the restriction. The assessment of whether this would be justified shall take place on a case-by-case basis in cooperation with the Data Protection Officer. As soon as it would no longer cancel the effect of the restriction, the EIT shall provide the information to the data subject.

Article 8

Communication of a personal data breach to the data subject

1.   Where the EIT is under an obligation to communicate a data breach under Article 35(1) of the Regulation (EU) 2018/1725, it may, in exceptional circumstances, restrict such communication wholly or partly. It shall document in a note the reasons for the restriction, the legal ground for it under Article 2 and an assessment of its necessity and proportionality. The note shall be communicated to the EDPS at the time of the notification of the personal data breach.
2.   Where the reasons for the restriction no longer apply, the EIT shall communicate the personal data breach to the data subject concerned and inform him or her of the principal reasons for the restriction and of his or her right to lodge a complaint with the EDPS.

Article 9

Confidentiality of electronic communications

1.   In exceptional circumstances, the EIT may restrict the right to confidentiality of electronic communications under Article 36 of Regulation (EU) 2018/1725. Such restrictions shall comply with Directive 2002/58/EC of the European Parliament and of the Council.
2.   Where the EIT restricts the right to confidentiality of electronic communications, it shall inform the data subject concerned, in its reply to any request from the data subject, of the principal reasons on which the application of the restriction is based and of his or her right to lodge a complaint with the EDPS or of seeking a judicial remedy before the Court of Justice of the European Union.
3.   The EIT may defer, omit or deny the provision of information concerning the reasons for the restriction and the right to lodge a complaint with the EDPS for as long as it would cancel the effect of the restriction. This assessment shall take place on a case-by-case basis in cooperation with the Data Protection Officer.

Article 10

Entry into force

This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Done in Heraklion, on 21 June 2023.
Chairperson of the Governing Board
Nektarios TAVERNARAKIS
(1)  OJ L 189, 28.5.2021, p. 61.
(2)  OJ L 295, 21.11.2018, p. 39.
(3)  https://edps.europa.eu/sites/edp/files/publication/20-06-24_edps_guidance_on_article_25_of_the_new_regulation_and_internal_rules_en.pdf
(4)  OJ L 56, 4.3.1968, p. 1, ELI: http://data.europa.eu/eli/reg/1968/259(1)/oj.
(5)  Decision 29/2022 of the Governing Board of the EIT of 5 August 2022 on laying down implementing provisions on the conduct of the administrative inquiries and disciplinary proceedings; https://eit.europa.eu/library/gb-decisionadministrative-inquiries-disciplinary-proceedings.
(6)  Decision 33/2018 of the Governing Board of the EIT of 30 November 2018 on laying down guidelines on whistleblowing; https://eit.europa.eu/library/eit-governing-board-decision-332018-laying-down-guidelines-whistleblowing.
(7)  Decision 16/2017 of the Governing Board of the EIT of 7 July 2017 on the policy on protecting the dignity of the person and preventing psychological harassment and sexual harassment; https://eit.europa.eu/library/decision-162017-governing-board-eit-7-july-2017-policy-protecting-dignity-person-and-0.
(8)  Decision 28/2019 of the EIT Director of 5 November 2019 on the adoption of a manual for informal procedures for cases involving psychological and sexual harassment; https://eit.europa.eu/library/decision-282019-eit-director-5-november-2019-adoption-manual-informal-procedures-cases.
(9)  The alleged victim may contact any confidential counsellor selected in an inter-agency call for expression of interest by the participation of 6 EU agencies/bodies.
(10)  Decision 01/2020 of the EIT Director of 13 January 2020 on the implementing rules concerning the data protection officer of the European Institute of Innovation and Technology; https://eit.europa.eu/library/decision-012020-implementing-rules-concerning-data-protection-officer-eit.
ELI: http://data.europa.eu/eli/dec/2024/1540/oj
ISSN 1977-0677 (electronic edition)