EUR-Lex Access to European Union law


Document 32012Y0922(03)

Decision of the European Systemic Risk Board of 13 July 2012 implementing rules on data protection at the European Systemic Risk Board (ESRB/2012/1)

OJ C 286, 22.9.2012, p. 16–19 (BG, ES, CS, DA, DE, ET, EL, EN, FR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)
Special edition in Croatian: Chapter 01, Volume 014, p. 130–133

Legal status of the document: In force

22.9.2012   EN   Official Journal of the European Union   C 286/16


DECISION OF THE EUROPEAN SYSTEMIC RISK BOARD

of 13 July 2012

implementing rules on data protection at the European Systemic Risk Board

(ESRB/2012/1)

2012/C 286/11

THE GENERAL BOARD OF THE EUROPEAN SYSTEMIC RISK BOARD,

Having regard to Article 16 of the Treaty on the Functioning of the European Union,

Having regard to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (1), and in particular Article 24(8) and the Annex thereto,

Having consulted the European Data Protection Supervisor (EDPS),

Whereas:

(1) Regulation (EC) No 45/2001 sets out principles and rules applicable to all European Union institutions and bodies and provides for the appointment by each Union institution and body of a data protection officer (DPO).

(2) Pursuant to Article 24(8) of Regulation (EC) No 45/2001, each Union institution or body must adopt further implementing rules concerning the DPO in accordance with the Annex to that Regulation.

(3) It is appropriate to include provisions relating to controllers and data protection coordinators, whose tasks and duties relate to those of the DPO, and to the regulation of data subjects’ rights,

HAS ADOPTED THIS DECISION:

SECTION 1

GENERAL PROVISIONS

Article 1

Subject matter and scope

This Decision lays down rules relating to:

(a) the appointment and status of the European Systemic Risk Board’s (ESRB’s) DPO, as well as the tasks, duties and powers of the DPO;

(b) the roles, tasks and duties of controllers and data protection coordinators;

(c) the exercise of rights by data subjects.

Article 2

Definitions

For the purposes of this Decision, the following definitions shall apply:

(a) ‘controller’ means a manager responsible for an organisational unit that determines the purposes and means of the processing of personal data;

(b) ‘data protection coordinator’ means a staff member who assists a controller in fulfilling the latter’s data protection obligations. This person shall be a specialist in record management.

SECTION 2

THE DATA PROTECTION OFFICER

Article 3

Appointment, status and organisational matters

1.   The General Board shall:

(a) appoint a DPO who is sufficiently senior to meet the requirements of Article 24 of Regulation (EC) No 45/2001;

(b) set a term of office for the DPO of between two and five years.

2.   The General Board shall ensure that the DPO can carry out DPO tasks and duties in an independent manner. Without prejudice to such independence, the DPO’s appraisers shall consult the EDPS before appraising the DPO’s performance of DPO tasks and duties.

3.   The relevant controller shall ensure that the DPO is informed without delay:

(a) when an issue arises that has, or might have, data protection implications; and

(b) in respect of all contacts between the ESRB and external parties relating to the application of Regulation (EC) No 45/2001, notably any interaction with the EDPS.

4.   The General Board may appoint a Deputy DPO, to whom Article 24(1), (2) and (6) of Regulation (EC) No 45/2001 shall apply. The Deputy DPO shall support the DPO in carrying out DPO tasks and duties and deputise in the event of the DPO’s absence.

5.   Any staff providing support to the DPO in relation to data protection issues shall act solely on the DPO’s instructions.

6.   The DPO may be dismissed with the consent of the EDPS, if they no longer fulfil the conditions required for the performance of their tasks and duties.

Article 4

DPO’s tasks and duties

When carrying out the tasks specified in Article 24 of Regulation (EC) No 45/2001 and in the Annex to that Regulation, the DPO shall perform the following duties, taking into account input from the ESRB Secretariat:

(a) raise awareness concerning data protection issues and encourage a culture of protection of personal data within the ESRB;

(b) advise the General Board, the Steering Committee, the Secretariat, the controller and the data protection coordinator on matters concerning the application of data protection provisions at the ESRB. The DPO may be consulted by the General Board, the Steering Committee, the Secretariat, the controller concerned or any individual on any matter concerning the interpretation or application of Regulation (EC) No 45/2001;

(c) cooperate with the EDPS at the latter’s request or on their own initiative and respond to requests that the EDPS addresses to the ESRB DPO;

(d) determine whether a processing operation is likely to present specific risks in the sense of Article 27 of Regulation (EC) No 45/2001 and is thus subject to prior checking. The DPO shall consult the controller concerned if necessary. In case of doubt as to the need for prior checking, the EDPS shall be consulted, in accordance with Article 27(3) of Regulation (EC) No 45/2001;

(e) at the request of the General Board, the Steering Committee, the Secretariat or any individual, or on their own initiative, investigate matters and occurrences directly relating to DPO tasks and duties and report back to the requester. The DPO shall consider issues and facts impartially and with due regard to the data subject’s rights. If the DPO deems it appropriate, they shall inform all other parties concerned accordingly. If the requester is an individual or acts on behalf of an individual, the DPO shall, to the extent possible, ensure that the request remains confidential, unless the data subject concerned gives their unambiguous consent to treating the request otherwise;

(f) cooperate with the DPOs of other Union institutions and bodies, in particular by exchanging experience and sharing know-how and representing the ESRB in all discussions (excluding court cases) relating to data protection issues; and

(g) submit an annual work programme and an annual report of DPO activities to the General Board and the EDPS.

Article 5

DPO’s powers

1.   The DPO may:

(a) request an opinion from the ESRB Secretariat on any matter relating to DPO tasks and duties;

(b) issue an opinion on the lawfulness of current or proposed processing operations or on any issue concerning the notification of processing operations;

(c) bring to the attention of the Head of the ESRB Secretariat any failure of staff to comply with the obligations under Regulation (EC) No 45/2001;

(d) have access at all times to the data forming the subject matter of processing operations on personal data and to all offices, data-processing installations and data carriers;

(e) be involved whenever the ESRB draws up internal rules related to the protection of personal data;

(f) keep an anonymous list of the written requests from data subjects relating to the exercise of their rights; and

(g) carry out the other tasks specified in the Annex to Regulation (EC) No 45/2001.

2.   Without prejudice to the tasks and powers of the controller, the DPO has the signing powers for the correspondence prepared by the DPO within the limits of their mandate.

SECTION 3

CONTROLLER AND DATA PROTECTION COORDINATOR

Article 6

Tasks and duties of controllers and data protection coordinators

1.   The controllers shall ensure that all processing operations involving personal data that are performed within their area of responsibility comply with Regulation (EC) No 45/2001.

2.   When fulfilling the obligation to assist the DPO and the EDPS in the performance of their duties, the controllers shall provide full information to them, grant access to personal data and respond to questions within 20 working days of receipt of the request.

3.   The controllers shall inform the DPO in due time when they receive a request for access to, or rectification, blocking, or deletion of personal data, or regarding the data subject’s right to object, or any complaint related to data protection matters.

4.   Without prejudice to the controllers’ responsibilities:

(a) the data protection coordinators shall assist the controllers in fulfilling their obligations, either at the controllers’ request or on their own initiative. When doing so, the data protection coordinators shall liaise with the controllers’ staff, who shall provide them with all necessary information. This may, at the relevant controller’s discretion, include accessing personal data processed under that controller’s responsibility;

(b) the data protection coordinators shall assist the DPO in:

(i) identifying the relevant controller of processing operations relating to personal data;

(ii) promulgating the DPO’s advice and supporting the controller under the DPO’s guidance;

(iii) other aspects of the DPO’s work programme as agreed between the DPO and the data protection coordinators’ management.

Article 7

Notification procedure

1.   Before introducing new processing operations relating to personal data, the relevant controller shall notify the DPO thereof using the on-line interface accessible through the DPO web pages on the ESRB intranet. Any processing operation that is subject to prior checking pursuant to Article 27(3) of Regulation (EC) No 45/2001 shall be notified sufficiently well in advance of introduction to allow for prior checking by the EDPS.

2.   The relevant controller shall immediately inform the DPO of any change affecting the information contained in a notification already submitted to the DPO.

SECTION 4

DATA SUBJECTS’ RIGHTS

Article 8

Register

The register kept by the DPO pursuant to Article 26 of Regulation (EC) No 45/2001 shall serve as an index of all processing operations relating to personal data conducted at the ESRB. Data subjects may make use of the information contained in the register to exercise their rights under Articles 13 to 19 of Regulation (EC) No 45/2001.

Article 9

Exercise of data subjects’ rights

1.   Further to their right to be appropriately informed about any processing of their personal data, data subjects may approach the relevant controller to exercise their rights pursuant to Articles 13 to 19 of Regulation (EC) No 45/2001, as specified below:

(a) these rights may only be exercised by the data subject or their duly authorised representative. Such persons may exercise any of these rights free of charge;

(b) requests to exercise these rights shall be addressed in writing to the relevant controller. The controller shall only grant the request if the requester’s identity and, if relevant, their entitlement to represent the data subject have been appropriately verified. The controller shall without delay inform the data subject in writing of whether or not the request has been accepted. If the request has been rejected, the controller shall include the grounds for the rejection;

(c) the controller shall, at any time within three calendar months of receipt of the request, grant access pursuant to Article 13 of Regulation (EC) No 45/2001 by enabling the data subject to consult these data on-site or to receive a copy thereof, according to the applicant’s preference;

(d) data subjects may contact the DPO in the event that the controller does not respect either of the time limits in points (b) or (c). In the event of obvious abuse by a data subject in exercising their rights, the controller may refer the data subject to the DPO. If the case is referred to the DPO, the DPO shall decide on the merits of the request and the appropriate follow-up. In the event of disagreement between the data subject and the controller, both parties shall have the right to consult the DPO.

2.   Staff may consult the DPO before lodging a complaint with the EDPS.

Article 10

Exemption and restrictions

1.   Provided that the DPO has been consulted in advance, the controller may restrict the rights referred to in Articles 13 to 17 of Regulation (EC) No 45/2001 on the grounds, and in accordance with the conditions, set out in Article 20 of Regulation (EC) No 45/2001.

2.   Any affected person may ask the EDPS to apply Article 47(1)(c) of Regulation (EC) No 45/2001.

Article 11

Investigation

1.   Any request for an investigation under point 1 of the Annex to Regulation (EC) No 45/2001 shall be addressed to the DPO in writing.

2.   The DPO shall send an acknowledgment of receipt to the requester within 20 working days of receipt of the request.

3.   The DPO may investigate the matter on-site and request a written statement from the relevant controller. The relevant controller shall provide their response to the DPO within 20 working days of the controller’s receipt of the DPO’s request. The DPO may ask for additional information or assistance from the Secretariat. Such information or assistance shall be given within 20 working days of receipt of the DPO’s request.

4.   The DPO shall report back to the requester within three calendar months of receipt of the request.

SECTION 5

ENTRY INTO FORCE

Article 12

Entry into force

This Decision shall enter into force on the 20th day following its publication in the Official Journal of the European Union.

Done in Frankfurt am Main, 13 July 2012.

The Chair of the ESRB

Mario DRAGHI


(1)  OJ L 8, 12.1.2001, p. 1.
