21.12.2011   

EN

Official Journal of the European Union

C 373/4

1.

On 25 July 2011, the Commission adopted a proposal for a regulation of the European Parliament and of the Council creating a European account preservation order (hereinafter: ‘EAPO’) to facilitate cross-border debt recovery in civil and commercial matters (3).

2.

The proposal was sent to the EDPS in accordance with Article 28(2) of Regulation (EC) No 45/2001 on the same day as it was adopted. The EDPS was informally consulted prior to the adoption of the proposal. The EDPS welcomed this informal consultation and is pleased to see that almost all his remarks have been taken into account in the final proposal.

3.

In this Opinion the EDPS will briefly explain and analyse the data protection aspects of the proposal.

4.

The proposed regulation will establish a European procedure for a protective measure which enables a creditor (‘the claimant’) to obtain a European account preservation order (hereinafter: ‘EAPO’) preventing the withdrawal or transfer of funds held by the debtor (‘the defendant’) in a bank account within the EU. The proposal intends to improve the current situation in which, due to ‘cumbersome, lengthy and costly’ procedures, debtors can easily escape enforcement measures by swiftly moving their money from a bank account in one Member State to another (4).

5.

Personal data is processed in various ways and transferred between various actors under the proposed regulation. A relevant distinction is made between two situations. In the first place, the situation in which an EAPO is requested prior to the initiation of judicial procedures or in which a judgment, court settlement or authentic instrument has not yet been declared enforceable in the Member State of enforcement (5). In the second place, the situation in which an EAPO is requested after an enforceable judgment, court settlement or authentic instrument has been obtained.

6.

In the first situation, personal data of the claimant as well as of the defendant (identification data, details of defendant's bank account, description of relevant circumstances and evidence of conduct) is provided by the claimant to the national court where proceedings on the substance of the matter have to be brought in accordance with the applicable rules on jurisdiction. The application is made with use of the form set out in Annex I to the proposal (see Article 8 of the proposal).

7.

In the second situation, the claimant sends personal data of the defendant (identification data, details of defendant's bank account and a copy of the judgment, court settlement or authentic instrument) either to the court that issued the judgment or court settlement or, in case of an authentic instrument, to the competent authority of the Member State where the authentic instrument has been drawn up, or directly to the competent authority in the Member State of enforcement. The application is made with use of the form set out in Annex I to the proposal (see Article 15).

8.

In both situations, the claimant must provide all information with regard to the defendant and the defendant's bank account(s) necessary to enable the bank(s) to identify that defendant and his/her account(s) (see Article 16 of the proposal). For natural persons, this includes the full name of the defendant, the name of the bank, the account number(s), the defendant's full address and his or her date of birth or national identity or passport number. This is all reflected in the form set out in Annex I (see point 4.7 of Annex I). Optional data fields in the form are the telephone number and the e-mail address of the defendant (see point 3 of Annex I).

9.

If the claimant does not have the account information of the defendant available, the claimant may request the competent authority of the Member State of enforcement to obtain the necessary information pursuant to Article 17 of the proposal. Such a request must be made in the application for an EAPO and must include ‘all information available to the claimant’ about the defendant and the defendant's bank accounts (see Article 17(1) and (2)). The court or issuing authority issues the EAPO and transmits it to the competent authority of the Member State of enforcement who uses ‘all appropriate and reasonable means available in the Member State of enforcement to obtain the information’ (Article 17(3) and (4)). The methods of obtaining the information are one of the following: obliging all banks in their territory to disclose whether the defendant holds an account with them and access by the competent authority where the information is held by public authorities or administrations in registers or otherwise (Article 17(5)).

10.

In Article 17(6) it is underlined that the information referred to in Article 17(4) shall be ‘adequate for the purpose of identifying the defendant's account or accounts, relevant and not excessive and be limited to (a) the defendant's address; (b) the bank or banks holding the defendant's account or accounts; (c) the defendant's account number or numbers’.

11.

Several provisions of the proposal entail the cross-border exchange of information, including personal data. As regards the transfer of the EAPO from the court or issuing authority to the competent authority in the Member State of enforcement, this is done with use of the form set out in Annex II to the proposal (see Articles 21 and 24 of the proposal). This form contains less data on the defendant, as no reference is made to the defendant's date of birth, national identity number or passport number or to his or her telephone number or e-mail address. It seems to follow from the different steps described in the proposed regulation that this is due to the fact that either the account number(s) of the defendant have already been determined beyond doubt or this information still has to be collected by the competent authority of the Member State of enforcement on the basis of Article 17 of the proposal.

12.

Article 20 deals with the communication and cooperation between courts. Information on all relevant circumstances may be sought directly or through the contact points of the European Judicial Network in civil and commercial matters established by Decision 2001/470/EC (6).

13.

Within three working days following the receipt of an EAPO, the bank informs the competent authority in the Member State of enforcement and the claimant using the form set out in Annex III to the proposal (see Article 27). This form requires the same information on the defendant as the form set out in Annex II. In Article 27(3) it is stated that the bank may transmit its declaration by secured electronic means of communication.

14.

The various personal data processing activities covered by the proposed regulation must be performed with due observance to the rules on data protection as set out in Directive 95/46/EC and the national legislation implementing it. The EDPS is pleased to see that this has been emphasised in recital 21 and Article 46(3) of the proposal. The EDPS also welcomes the reference to Articles 7 and 8 of the EU Charter on Fundamental Rights in recital 20 of the proposal.

15.

Certain information on the claimant and the defendant are indispensable for the proper functioning of the EAPO. Data protection rules require that only information is used which is proportionate and actually necessary. The EDPS is pleased to see that the Commission has seriously considered the proportionality and necessity of the processing of personal data for the purposes of the current proposal.

16.

This is illustrated in the first place by the limited list of personal details required in Articles 8, 15 and 16, as well as Annexes to the proposal. The EDPS notes with satisfaction that the amount of personal data decreases in the different annexes which follow the different steps in the EAPO procedure. In general, the EDPS has no reason to believe that the required data goes beyond what is necessary for the purposes of the proposed regulation. In this respect, the EDPS has only two further remarks.

17.

The first relates to the address details of the claimant in the Annexes to the proposed regulation. According to Article 25 of the proposal, the defendant shall be served with the EAPO and all documents submitted to the court or competent authority with a view to obtaining the order, which seems to include the information provided in Annexes I, II and III. There is no indication of the possibility for the claimant to request the removal of his address details from the different documents before they are sent to the defendant. As there might be circumstances in which revealing the address details of the claimant to the defendant might entail the risk of the claimant being subject to out of court pressure from the defendant, the EDPS suggests the legislator to include in Article 25 the possibility for the claimant to request the removal of these details from the information provided to the defendant.

18.

The second remark relates to the optional data fields in Annex I regarding the telephone number and e-mail address. If this information is included as data fields which can be used if other contact information of the defendant is missing, this should be clarified. Otherwise, there seems to be no reasons to keep these data fields.

19.

A further illustration of the serious considerations the Commission has put to the proportionality and necessity of the processing of personal data for the purposes of the present proposal is the explicit reference to the necessity principle in Article 16 and Article 17(1) and (6) of the proposal. Article 16 refers to all information ‘necessary’ to identify the defendant, Article 17(1) to the ‘necessary’ information and Article 17(6) reiterates the wording of Article 6(1)(c) of Directive 95/46/EC which provides that the data should be adequate, relevant and not excessive. The EDPS is satisfied with these provisions, as they make it visible that the collection of personal data should be done in accordance with the principle of necessity. Still Article 17 raises some questions.

20.

Article 17(2) requires the claimant to provide ‘all information available to the claimant’ about the defendant and the defendant's bank account(s). This is a broad formulation which could entail the transfer of all kinds of information on the defendant. The provision does not make clear that such information should be restricted to information which is necessary to identify the defendant and determine his or her bank account(s). The EDPS recommends including this restriction in Article 17(2).

21.

The reference in Article 17(4) to ‘all the appropriate and reasonable means’ could imply methods of investigation which severely intrude into the private life of the defendant. Read in conjunction with Article 17(5), however, it becomes clear that these means are restricted to the two methods which were described in point 9 of this Opinion. However, in order to prevent any misunderstanding on the scope of the means available to the competent authority, the legislator could consider replacing the reference to ‘all appropriate and reasonable means’ by ‘one of the two methods referred to in paragraph 5’.

22.

As to the two methods mentioned in Article 17(5)(b), the EDPS has questions with regard to the second one. This method concerns access by the competent authority where that information is held by public authorities or administrations in registers or otherwise. In Annex I to the proposal reference is made to ‘existing public registers’ (see point 4 of Annex I). For the sake of clarity, it should be explained what is actually meant by Article 17(5)(b) of the proposal. It should be underlined that not only the information collected should be necessary for the purposes of the proposed regulation; also the methods for collecting the information should comply with the principles of necessity and proportionality.

23.

As regard the cross border transfer of the data between the different entities involved, the EDPS sees no particular problems from a data protection point of view. Only Article 27(3) of the proposal raises some further reflection. It is provided that banks may transmit its declaration (using the form set out in Annex III) by secured electronic means of communication. The word ‘may’ is used as the use of electronic means is an alternative for sending the declaration by regular post. This follows from Annex III. Article 27(3) intends to allow banks to use electronic means of communication, however only if these means are secure. The EDPS recommends the legislator to clarify this provision, as the current text could be interpreted as making the use of secured means optional. Article 27(3) could be replaced by: ‘The bank may transmit its declaration by electronic means of communication, if these means are secure in line with Articles 16 and 17 of Directive 95/46/EC’.

24.

The EDPS is pleased to see the efforts taken to address the different data protection aspects which are raised by the proposed instrument of an EAPO. More in particular, he appreciates the application of and the references to the principle of necessity. However, the EDPS believes the proposed regulation would still require some further improvements and clarifications. The EDPS recommends: