Commission Decision (EU) 2024/1245 of 2 May 2024 laying down internal rules conce... (32024D1245)
EU - Rechtsakte: 01 General, financial and institutional matters
2024/1245
3.5.2024

COMMISSION DECISION (EU) 2024/1245

of 2 May 2024

laying down internal rules concerning the provision of information to data subjects and the restrictions of certain of their rights by the Commission in the context of the activities of the Mediation Service

THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (1), and in particular Article 25(1) thereof,
Whereas:
(1) Commission Decision C(2024)1420 (2) on the Mediation Service establishes the Mediation Service as an independent service in the Commission. Its task is to facilitate the amicable resolution of conflicts at work or disputes relating to rights and obligations of Commission staff members covered by the Staff Regulations of Officials (‘Staff Regulations’) and the Conditions of Employment of Other Servants (‘CEOS’) of the European Union, laid down by Council Regulation (EEC, Euratom, ECSC) No 259/68 (3).
(2) Decision C(2024)1420 establishes an informal procedure whereby any person falling under its scope may request the assistance of the Mediation Service.
(3) The Commission and, in the context of this Decision, the Mediation Service on its behalf, contribute to a productive and respectful workplace, by informally resolving disputes before they escalate, and by preventing similar situations from arising within the Institution. The Mediation Service provides informal confidential advice to any staff member requesting its assistance (‘the requestor’). With the requestor’s consent, it may also contact any other party identified by the requestor (‘the person concerned’) in connection with a mediation. Mediation requires the consent of all parties involved. The Mediation Service acts strictly on an informal basis. It is not empowered to take decisions adversely affecting individuals.
(4) To fulfil its tasks in the area of mediation, the Commission collects and processes information and several categories of personal data of staff members and other persons falling under the scope of Decision C(2024)1420, including identification data, contact information, information about professional roles and tasks, information on private and professional conduct and performance data. The Commission may also process sensitive personal data referred to in Articles 10 and 11 of Regulation (EU) 2018/1725, voluntarily provided by the requestor.
(5) The personal data are stored in a secured physical and electronic environment, to prevent unlawful access or transfer of data to persons who do not have a need to know. After the end of the processing, the data are retained in accordance with Article 6(11) of Decision C(2024)1420.
(6) Under Regulation (EU) 2018/1725, the Commission, as controller, is obliged to provide information to data subjects on those processing activities and to respect their rights as data subjects.
(7) While carrying out its tasks, the Commission is bound to respect the rights of natural persons in relation to the processing of personal data recognised by Article 8(1) of the Charter of Fundamental Rights of the European Union and by Article 16(1) of the Treaty on the Functioning of the European Union, as well as the rights provided for in Regulation (EU) 2018/1725. At the same time, the Commission, in the context of its activities as Mediation Service, is required to comply with strict rules of confidentiality towards the requestors and might therefore be required to balance a data subject’s rights against the fundamental rights and freedoms of other data subjects.
(8) It is crucial for the requestor that the confidentiality of the exchanges is preserved and that no action is undertaken without their consent. When a person consults the Mediation Service for confidential advice in the context of a conflict and does not give consent for the Mediation Service to contact the person concerned with a view to a mediation, it will not be possible for the Mediation Service to inform the person concerned. The provision of such information would render impossible or seriously impair the achievement of the objectives pursued by the Mediation Service, in particular providing a safe space where the requestor can openly discuss their situation and decide whether to start a mediation process with the person concerned. The Commission may therefore apply the exception laid down in Article 16(5), point (b), of Regulation (EU) 2018/1725 to protect the confidentiality of the processing as set out Article 5(1) of the Decision C(2024)1420.
(9) In certain circumstances, it is necessary to reconcile the rights of data subjects pursuant to Regulation (EU) 2018/1725 with the need to ensure that the Commission effectively carries out its tasks of providing informal confidential advice, while ensuring full respect for the fundamental rights and freedoms of other data subjects. To that effect, Article 25(1), point (h), of Regulation (EU) 2018/1725 provides the Commission with the possibility to restrict, under strict conditions, the application of Articles 14 to 17, 19, 20 and 35, as well as the principle of transparency laid down in Article 4(1), point (a), insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 17, 19, 20 and 35 of that Regulation.
(10) This might, in particular, be the case when the requestor indirectly provides information relating to other persons concerned. In that case, the Commission may decide to restrict certain rights of the person concerned when the exercise of these rights would result in revealing information about a requestor who has not consented to actions being undertaken by the Mediation Service to facilitate a dialogue with the person concerned. In such a case, the Commission may decide to restrict the right of access to information relating to the person concerned or his or her other rights in order to protect the rights and freedoms of the requestor. The Commission may decide to do so pursuant to Article 25(1), point (h), of Regulation (EU) 2018/1725.
(11) It may be necessary to protect confidential information concerning a requestor. In such cases, the Commission may need to restrict access to the identity, statements and other personal data of the requestor, including the simple fact that they were in contact with the Mediation Service, in order to protect their rights and freedoms.
(12) It may also be necessary to restrict the right of information of the requestor where the Mediation Service would need to alert the Medical Service in cases where urgent action is necessary for the protection of the physical and psychological integrity of the requestor. In such a case, the Mediation Service may decide not to inform the requestor about such alert in order to allow the Medical Service to assess the health or social care measures that may be provided to that person. The Commission may decide to do so pursuant to Article 25(1), point (h), of Regulation (EU) 2018/1725. In that specific situation, the requestor's rights would be protected because the Medical Service would keep medical information secret and the requestor would be informed because the Medical Service will be in contact with them if they deem it necessary.
(13) Decision C(2024)1420 requires the Commission to ensure that requests for assistance submitted to the Mediation Service are handled confidentially. In order to ensure that confidentiality, while respecting the standards of protection of personal data under Regulation (EU) 2018/1725, it is necessary to adopt internal rules under which the Commission may restrict data subjects’ rights in line with Article 25(1), point (h) of Regulation (EU) 2018/1725.
(14) The internal rules should apply to all processing operations carried out by the Commission in the performance of its tasks when handling requests under Article 6 of Decision C(2024)1420 .
(15) In order to comply with Articles 14, 15 and 16 of Regulation (EU) 2018/1725, the Commission should inform all individuals of its activities involving the processing of their personal data and of their rights in a transparent and coherent manner, by means of a data protection notice published on the Commission’s website. Where relevant, the Commission should individually inform the requestor by appropriate means. Where the requestor provided consent to contacting another concerned person, the Commission should individually inform, by appropriate means, the person concerned.
(16) The Commission should apply restrictions only when they respect the essence of fundamental rights and freedoms, are strictly necessary and are a proportionate measure in a democratic society. The Commission should give reasons in order to justify those restrictions.
(17) In application of the principles of transparency, fairness and accountability, the Commission should handle all restrictions in a transparent manner and register each application of restrictions in the corresponding record system.
(18) Article 25(6) of Regulation (EU) 2018/1725 requires the controller to inform data subjects of the principal reasons on which the application of the restriction is based and of their right to lodge a complaint with the European Data Protection Supervisor.
(19) Pursuant to Article 25(8) of Regulation (EU) 2018/1725, the Commission may defer, omit or deny the provision of information relating to the principal reasons for the application of a restriction to the data subject if providing that information would in any way cancel the effect of the restriction.
(20) Where rights of data subjects are restricted, the Commission should assess on a case-by-case basis whether communicating the restriction would cancel its effect.
(21) The Commission should lift the restriction as soon as the conditions that justify the restriction no longer apply, and assess those conditions on a regular basis. In certain cases, it may prove necessary to maintain the application of a restriction until the personal data at issue is no longer retained by the Commission. In such a case, the data subject should not be informed of the processing of their personal data. Such a situation could, in particular, occur where there is a high risk that the exercise of their rights by the person concerned would undermine the rights and freedoms of others. This is particularly the case where the requestor does not consent to the Mediation Service contacting the person concerned in order to initiate an informal mediation between them.
(22) The Commission should review the application of the restrictions when the requestor provides consent to engaging in an informal mediation or at the latest when it closes a request for assistance.
(23) Articles 16(5), 17(4), 19(3) and 20(2) of Regulation (EU) 2018/1725 provide for exceptions to data subjects’ rights. If these exceptions apply, the Commission does not need to apply a restriction under this Decision.
(24) To guarantee the protection of the rights and freedoms of data subjects and in accordance with Article 44(1) of Regulation (EU) 2018/1725, the Commission should involve the relevant data protection coordinator(s) and the data protection officer of the European Commission throughout the procedure and document this consultation. In particular, the data protection coordinator appointed to advise the Commission department concerned should be consulted in advance of any restrictions that may be applied and verify their compliance with this Decision.
(25) The data protection officer of the European Commission should carry out an independent review of the application of restrictions, with a view to ensuring compliance with this Decision.
(26) The European Data Protection Supervisor has been consulted and delivered his opinion on 13 March 2024.
HAS ADOPTED THIS DECISION:

Article 1

Subject-matter and scope

1.   This Decision applies to the processing of personal data by the Commission as controller for the purpose of handling requests under Article 6 of Decision C(2024) 1420 .
2.   This Decision lays down the rules to be followed by the Commission to inform the data subjects of the processing of their personal data in accordance with Articles 14, 15 and 16 of Regulation (EU) 2018/1725 when handling requests under Article 6 of Decision C(2024)1420.
3.   It also lays down the conditions under which the Commission may restrict the application of Articles 4, 14 to 17, 19, 20 and 35 of Regulation (EU) 2018/1725 in accordance with Article 25(1), point (h) thereof.
4.   The categories of personal data covered by this Decision include identification data, contact information, information about professional roles and tasks, information on private and professional conduct and performance. The requestors may also provide sensitive categories of personal data referred to in Articles 10 and 11 of Regulation (EU) 2018/1725 in the context of requesting the assistance of the Mediation Service in a specific case.

Article 2

Applicable restrictions

1.   Subject to Articles 3 to 9 of this Decision, the Commission may restrict the application of Articles 14 to 17, 19, 20 and 35 of Regulation (EU) 2018/1725, as well as the principle of transparency laid down in Article 4(1), point (a), of that Regulation insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 17, 19, 20 and 35 of that Regulation. The Commission may do so where the exercise of those rights and obligations would adversely affect the protection of the data subject or the rights and freedoms of others in line with Article 25(1), point (h) of that Regulation.
2.   Paragraph 1 shall be without prejudice to the application of other Commission decisions laying down internal rules concerning the provision of information to data subjects and the restriction of certain rights under Article 25 of Regulation (EU) 2018/1725.
3.   Any restriction of the rights and obligations referred to in paragraph 1 shall respect the essence of fundamental rights and freedoms and be necessary and proportionate in a democratic society taking into account the risks to the rights and freedoms of data subjects.
4.   Before restrictions are applied, the Commission shall carry out a ‘case-by-case’ assessment of their necessity and proportionality. Restrictions shall be limited to what is strictly necessary to achieve their objective.

Article 3

Provision of information to data subjects

1.   The Commission shall publish on its website a data protection notice that informs all data subjects of its activities involving processing of their personal data for the purpose of handling requests under Article 6 of Decision C(2024)1420. The notice shall also provide information on the potential to restrict data subjects’ rights pursuant to Articles 2, 3, 4 and 5 of this Decision, as well as which rights may be restricted, the grounds on which restrictions may be applied and their potential duration.
2.   The Commission shall individually inform, by appropriate means, requestors about the processing of their personal data. The Commission shall also individually inform, by appropriate means, the person concerned where the requestor consented to an informal mediation with the person concerned.
3.   Where, in accordance with Article 2, the Commission restricts, wholly or partly, the provision of information referred to in paragraph 2 to the requestors, whose personal data are processed for the purpose of handling requests under Article 6 of Decision C (2024)1420, it shall record and register the reasons for the restriction in accordance with Article 6 of this Decision.

Article 4

Right of access by data subjects, right of erasure and right to restriction of processing

1.   Where the Commission restricts, wholly or partly, the right of access to personal data by data subjects, the right of erasure, or the right to restriction of processing as referred to in Articles 17, 19 and 20, respectively, of Regulation (EU) 2018/1725, it shall inform the data subject concerned, in writing and without undue delay, in its reply to the request for access, erasure or restriction of processing:
(a) of the restriction applied and of the principal reasons therefor; and
(b) of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy in the Court of Justice of the European Union.
2.   The provision of information concerning the reasons for the restriction referred to in paragraph 1 may be deferred, omitted or denied for as long as it would cancel the effect of the restriction.
3.   The Commission shall record the reasons for the restriction in accordance with Article 6.
4.   Where the right of access is wholly or partly restricted, the data subject may exercise their right of access through the intermediary of the European Data Protection Supervisor, in accordance with Article 25(6), (7) and (8) of Regulation (EU) 2018/1725.

Article 5

Communication of personal data breaches to data subjects

Where the Commission is under an obligation to communicate a personal data breach to the data subject, as referred to in Article 35 of Regulation (EU) 2018/1725, it may, in exceptional circumstances, restrict such communication wholly or partly. It shall record and register the reasons for the restriction in accordance with Article 6 of this Decision. The Commission shall communicate the record to the European Data Protection Supervisor at the time of the notification of the personal data breach.

Article 6

Recording and registering of restrictions

1.   The Commission shall record the reasons for any restriction applied pursuant to this Decision, including an assessment of the risks to the rights and freedoms of data subjects of imposing a restriction and the necessity and proportionality of the restriction, taking into account the relevant elements set out in Article 25(2) of Regulation (EU) 2018/1725.
2.   The record shall state how the exercise of the right by the relevant data subject would adversely affect the protection of the data subject or the rights and freedoms of others under Article 25(1), point (h) of Regulation (EU) 2018/1725.
3.   The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request.

Article 7

Duration of restrictions

1.   Restrictions referred to in Articles 3, 4 and 5 shall continue to apply as long as the reasons justifying them remain applicable.
2.   Where the reasons for a restriction referred to in Articles 3, 4 or 5 no longer apply, the Commission shall lift the restriction.
3.   It shall also provide the principal reasons for applying that restriction to the data subject and inform them of the possibility of lodging a complaint with the European Data Protection Supervisor at any time or of seeking a judicial remedy in the Court of Justice of the European Union.
4.   The Commission shall review the application of the restrictions referred to in Articles 3, 4 and 5 of this Decision when the requestor provides their consent to engage in informal mediation with the person concerned or at the latest when requests submitted under Decision C(2024)1420 are closed. Thereafter, the Commission shall monitor the need to maintain any restriction every 6 months. The review shall include an assessment of the necessity and proportionality of the restriction, taking into account the relevant elements set out in Article 25(2) of Regulation (EU) 2018/1725.

Article 8

Safeguards and storage periods

1.   The Commission shall implement safeguards to prevent abuse and unlawful access to or transfer of personal data in respect of which restrictions apply or could be applied. Such safeguards shall include technical and organisational measures and be detailed as necessary in the Commission’s internal procedures. The safeguards shall include:
(a) a clear definition of roles, responsibilities, access rights and procedural steps;
(b) a secure electronic environment which prevents unlawful and accidental access or transfer of electronic data to unauthorised persons;
(c) a secure storage and processing of paper-based documents; and
(d) due monitoring of restrictions and a periodic review of their application.
2.   The personal data shall be retained in accordance with Article 6(11) of Decision C (2024)1420. At the end of the retention period, the Commission shall delete the personal data.

Article 9

Involvement of the data protection coordinator and of the data protection officer of the Commission

1.   The data protection coordinator appointed to advise the Commission department concerned shall be consulted before any restrictions are applied and verify their compliance with this Decision.
2.   Without prejudice to paragraph 1, the data protection officer of the Commission shall be informed without undue delay whenever data subjects’ rights are restricted in accordance with this Decision. Upon request, the data protection officer shall be given access to the associated records and any documents containing the underlying factual and legal elements.
3.   The data protection officer may request a review of the application of a restriction. The Commission shall inform the data protection officer in writing of the outcome of the requested review.
4.   The Commission shall document the involvement of the data protection officer and, where applicable, the data protection coordinator (including what information is shared with them), in each case where the rights and obligations referred to in Article 2(2) are restricted.

Article 10

Entry into force

This Decision shall take effect on the twentieth day following that of its publication in the Official Journal of the European Union.
Done at Brussels, 2 May 2024.
For the Commission
The President
Ursula VON DER LEYEN
(1)  
OJ L 295, 21.11.2018, p. 39
, ELI:
http://data.europa.eu/eli/reg/2018/1725/oj
.
(2)  Commission Decision C(2024)1420 on the Mediation Service and repealing Decision C (2002) 601.
(3)  Regulation (EEC, Euratom, ECSC) No 259/68 of the Council of 29 February 1968 laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission (
OJ L 56, 4.3.1968, p. 1
, ELI:
http://data.europa.eu/eli/reg/1968/259(1)/oj
).
ELI: http://data.europa.eu/eli/dec/2024/1245/oj
ISSN 1977-0677 (electronic edition)
Markierungen
Leseansicht