This Decision lays down rules relating to the conditions under which the EMCDDA, in the framework of its procedures set out in paragraph 2, may restrict the application of the rights enshrined in Articles 14 to 21, 35 and 36, as well as Article 4 thereof, following Article 25 of Regulation (EU) 2018/1725.
Decision of the Management Board of the European Monitoring Centre for Drugs and Drugs Addiction of 28 June 2019 on internal rules concerning restrictions of certain rights of data subjects in relation to processing of personal data in the framework of the functioning of the EMCDDA
THE MANAGEMENT BOARD OF THE EMCDDA
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC(1), and in particular Article 25 thereof,
Having regard to Regulation (EC) No 1920/2006 of the European Parliament and of the Council of 12 December 2006 on the European Monitoring Centre for Drugs and Drug Addiction(2), and in particular to Articles 6 and 9 thereof,
Having regard to the opinion of the EDPS of 29 May 2019 and to the EDPS Guidance on Article 25 of the new Regulation and internal rules,
Whereas:
The EMCDDA carries out its activities in accordance with the above-referred Regulation (EC) No 1920/2006.
In accordance with Article 25(1) of Regulation (EU) 2018/1725 restrictions of the application of Articles 14 to 22, 35 and 36, as well as Article 4 of that Regulation in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 22 should be based on internal rules to be adopted by the EMCDDA, where these are not based on legal acts adopted on the basis of the Treaties.
These internal rules, including their provisions on the assessment of the necessity and proportionality of a restriction, should not apply where a legal act adopted on the basis of the Treaties provides for a restriction of data subject rights.
Where the EMCDDA performs its duties with respect to data subjects’ rights under Regulation (EU) 2018/1725, it shall consider whether any of the exemptions laid down in that Regulation apply.
Within the framework of its administrative functioning, the EMCDDA may conduct administrative inquiries and disciplinary proceedings, carry out preliminary activities related to cases of potential irregularities reported to OLAF, process whistleblowing cases, handle (formal and informal) harassment procedures, process internal and external complaints, conduct internal audits, carry out investigations by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725 and conduct internal (IT) security investigations.
The EMCDDA processes several categories of personal data, including hard data (‘objective’ data such as identification data, contact data, professional data, administrative details, data received from specific sources, electronic communications and traffic data) and/or soft data (‘subjective’ data related to the case such as reasoning, behavioural data, appraisals, performance and conduct data and data related to or brought forward in connection with the subject matter of the procedure or activity).
The EMCDDA, represented by its Director, acts as the data controller irrespective of further delegations of the controller role within the EMCDDA to reflect operational responsibilities for specific personal data processing operations.
The personal data are stored securely in an electronic environment or on paper, preventing unlawful access or transfer of data to persons who do not have a need to know. The personal data processed are retained for no longer than necessary and appropriate for the purposes for which they are processed, and in any event no longer than the period specified in the data protection notices, privacy statements or records of the EMCDDA.
The internal rules should apply to all processing operations carried out by the EMCDDA in the performance of administrative inquiries, disciplinary proceedings, preliminary activities related to cases of potential irregularities reported to OLAF, whistleblowing procedures, (formal and informal) procedures for cases of harassment, processing of internal and external complaints, internal audits, investigations carried out by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725, and (IT) security investigations handled internally or with external involvement (e.g. CERT-EU).
They should apply to processing operations carried out prior to the opening of the procedures referred to above, during these procedures and during the monitoring of the follow-up to the outcome of these procedures. They should also cover assistance and cooperation provided by the EMCDDA to national authorities and international organisations outside of its administrative investigations.
In the cases where these internal rules apply the EMCDDA has to give justifications explaining why the restrictions are strictly necessary and proportionate in a democratic society and respect the essence of the fundamental rights and freedoms.
Within this framework the EMCDDA is bound to respect, to the maximum extent possible, the fundamental rights of the data subjects during the above procedures, in particular those relating to the right to information, access and rectification, the right to erasure, restriction of processing, the right to communication of a personal data breach to the data subject, and confidentiality of communication, as enshrined in Regulation (EU) 2018/1725.
However, the EMCDDA may be obliged to restrict the information provided to the data subject and other data subjects’ rights in order to protect, in particular, its own investigations, the investigations and proceedings of other public authorities, and the rights of other persons related to its investigations or other procedures.
The EMCDDA may thus restrict the information for the purpose of protecting the investigation and the fundamental rights and freedoms of other data subjects.
The EMCDDA should periodically monitor whether the conditions that justify the restriction still apply and lift the restriction as soon as they no longer apply.
The Controller should inform the Data Protection Officer at the moment of deferral and during the revisions.
HAS ADOPTED THIS DECISION:
Article 1 Subject-matter and scope
Within the framework of the administrative functioning of the EMCDDA, this Decision applies to the processing operations on personal data by the EMCDDA for the purposes of: conducting administrative inquiries, disciplinary proceedings, preliminary activities related to cases of potential irregularities reported to OLAF, processing whistleblowing cases, (formal and informal) procedures of harassment, processing internal and external complaints, conducting internal audits, investigations carried out by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725 and (IT) security investigations handled internally or with external involvement (e.g. CERT-EU).
The categories of data concerned are hard data (‘objective’ data such as identification data, contact data, professional data, administrative details, data received from specific sources, electronic communications and traffic data) and/or soft data (‘subjective’ data related to the case such as reasoning, behavioural data, appraisals, performance and conduct data and data related to or brought forward in connection with the subject matter of the procedure or activity).
Where the EMCDDA performs its duties with respect to data subjects’ rights under Regulation (EU) 2018/1725, it shall consider whether any of the exemptions laid down in that Regulation apply.
Subject to the conditions set out in this Decision, the restrictions may apply to the following rights: provision of information to data subjects, right of access, rectification, erasure, restriction of processing, communication of a personal data breach to the data subject or confidentiality of communication.
Article 2 Specification of the controller and safeguards
The safeguards in place to avoid data breaches, leakages or unauthorised disclosure are the following:
- Paper documents shall be kept in secured cupboards and only accessible to authorised staff;
- All electronic data shall be stored in a secure IT application according to the EMCDDA’s security standards, as well as in specific electronic folders accessible only to authorised staff. Appropriate levels of access shall be granted individually;
- The database shall be password-protected under a single sign-on system and tied automatically to the individual user’s ID and password. Acting under another user’s account (user substitution) is strictly prohibited. E-records shall be held securely to safeguard the confidentiality and privacy of the data therein;
- All persons having access to the data are bound by the obligation of confidentiality.
The Controller of the processing operations is the EMCDDA, represented by its Director, who may delegate the function of the Controller. Data subjects shall be informed of the delegated Controller by way of the data protection notices or records published on the website and/or the intranet of the EMCDDA.
The retention period of the personal data referred to in Article 1(3) shall be no longer than necessary and appropriate for the purposes for which the data are processed. It shall in any event not be longer than the retention period specified in the data protection notices, privacy statements or records referred to in Article 5(1).
Where the EMCDDA considers applying a restriction, the risk to the rights and freedoms of the data subject shall be weighed, in particular, against the risk to the rights and freedoms of other data subjects and the risk of cancelling the effect of the EMCDDA’s investigations or procedures, for example by the destruction of evidence. The risks to the rights and freedoms of the data subject concern primarily, but are not limited to, reputational risks and risks to the right of defence and the right to be heard.
Article 3 Restrictions
Any restriction shall only be applied by the EMCDDA to safeguard:
(a) the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(b) other important objectives of general public interest of the Union or of a Member State, in particular the objectives of the common foreign and security policy of the Union or an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
(c) the internal security of Union institutions and bodies, including of their electronic communications networks;
(d) the protection of judicial independence and judicial proceedings;
(e) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
(f) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (c);
(g) the protection of the data subject or the rights and freedoms of others.
As a specific application of the purposes described in paragraph 1 above, the EMCDDA may apply restrictions in relation to personal data exchanged with Commission services or other Union institutions, bodies, agencies and offices, competent authorities of Member States or third countries or international organisations, in the following circumstances:
(a) where the exercise of those rights and obligations could be restricted by Commission services or other Union institutions, bodies, agencies and offices on the basis of other acts provided for in Article 25 of Regulation (EU) 2018/1725 or in accordance with Chapter IX of that Regulation or with the founding acts of other Union institutions, bodies, agencies and offices;
(b) where the exercise of those rights and obligations could be restricted by competent authorities of Member States on the basis of acts referred to in Article 23 of Regulation (EU) 2016/679 of the European Parliament and of the Council(3), or under national measures transposing Articles 13(3), 15(3) or 16(3) of Directive (EU) 2016/680 of the European Parliament and of the Council(4);
(c) where the exercise of those rights and obligations could jeopardise the EMCDDA’s cooperation with third countries or international organisations in the conduct of its tasks.
Before applying restrictions in the circumstances referred to in points (a) and (b) of the first subparagraph, the EMCDDA shall consult the relevant Commission services, Union institutions, bodies, agencies, offices or the competent authorities of Member States unless it is clear to the EMCDDA that the application of a restriction is provided for by one of the acts referred to in those points.
Any restriction shall be necessary and proportionate taking into account the risks to the rights and freedoms of data subjects and respect the essence of the fundamental rights and freedoms in a democratic society.
If the application of a restriction is considered, a necessity and proportionality test shall be carried out based on the present rules. It shall be documented, on a case-by-case basis, through an internal assessment note for accountability purposes.
Restrictions shall be lifted as soon as the circumstances that justify them no longer apply, in particular where it is considered that the exercise of the restricted right would no longer cancel the effect of the restriction imposed or adversely affect the rights or freedoms of other data subjects.
Article 4 Review by the Data Protection Officer
The EMCDDA shall, without undue delay, inform the Data Protection Officer of the EMCDDA (‘the DPO’) whenever the Controller restricts the application of data subjects’ rights, or extends the restriction, in accordance with this Decision. The Controller shall provide the DPO with access to the record containing the assessment of the necessity and proportionality of the restriction and shall document the involvement of the DPO in the different procedures.
The DPO may request the Controller in writing to review the application of the restrictions. The Controller shall inform the DPO in writing about the outcome of the requested review.
The Controller shall inform the DPO when the restriction has been lifted.