1.   This Decision lays down general rules relating to the conditions under which, pursuant to Article 25(1) EUDPR, data controllers may restrict the application of, as the case may be, Articles 14, 15, 16, 17, 18, 19, 20, 21, 22, 35 and 36 EUDPR, as well as Article 4 EUDPR insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 22 EUDPR.

2.   For the purpose of this Decision, the following definitions apply:

(a)

"personal data" means any information relating to a data subject that is processed when carrying out activities or procedures that do not fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of the Treaty on the Functioning of the European Union, as opposed to operational personal data within the meaning of Article 3(2) EUDPR,

(b)

"data controller" means the entity that, alone or jointly with others, actually determines the purposes and means of the processing of the personal data in the context of activities and procedures carried out by the Committee, regardless of whether the responsibility for such determination was delegated.

3.   This Decision applies to the processing of personal data for the purposes of the activities and procedures carried out by the Committee. It shall not apply where a legal act adopted on the basis of the Treaties provides for a restriction of data subjects’ rights.

4.   The controller within the meaning of Article 3(8) EUDPR is the Committee who may delegate the responsibility for determining the purposes and means of the processing of personal data.

5.   For the purpose of each processing, restriction and deferral, omission or denial of information, the data controller responsible shall be determined in accordance with the Committee’s relevant internal decisions, procedures and implementing rules.

1.   Before applying any restrictions pursuant to Article 3(1), data controllers shall consider whether any of the exceptions or derogations laid down in the Regulation apply, notably those pursuant to Articles 15(4), 16(5), 19(3), 25(3) and (4), and 35(3) EUDPR.

2.   The application of derogations shall be subject to appropriate safeguards in accordance with Article 13 EUDPR and Article 6 of this Decision.

1.   Data controllers may restrict the application of, as the case may be, Articles 14, 15, 16, 17, 18, 19, 20, 21, 22, 35 and 36 EUDPR, as well as Article 4 EUDPR insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 22 EUDPR, where the exercise of their rights by data subjects would detrimentally affect the purpose or the outcome of one or more of the activities or procedures carried out by the Committee, in particular:

(a)

pursuant to Article 25(1)(b), (c), (f), (g) and (h) EUDPR, when the appointing authority and the authority empowered to conclude contracts of employment of the Committee ("the Appointing Authority") conduct disciplinary procedures, administrative inquiries and investigations relating to staff matters in accordance with Article 86 of the Staff Regulations of Officials of the European Union ("the Staff Regulations" or "SR") and Annex IX to the Staff Regulations as well as Articles 50a and 119 of the Conditions of Employment of Other Servants of the European Union (6) ("the Conditions of Employment" or "CEOS"), and investigations in the context of requests for assistance submitted pursuant to Article 24 SR and Articles 11 and 81 CEOS and with regard to alleged cases of harassment within the meaning of Article 12a SR,

(b)	pursuant to Article 25(1)(b), (c), (f) and (h) EUDPR, when the Appointing Authority reviews requests and complaints submitted by officials and other servants of the Committee ("staff members") in accordance with Article 90 SR and Articles 46 and 117 CEOS,

(c)	pursuant to Article 25(1)(c) and (h) EUDPR, when the Appointing Authority implements the Committee’s staff policy by conducting selection (recruitment), evaluation (appraisal) and promotion procedures,

(d)

pursuant to Article 25(1)(c), (f), (g) and (h) EUDPR, when the authorising officer of the Committee ("the Authorising Officer") implements the Committee’s section of the general budget of the European Union by conducting award procedures in accordance with the financial rules applicable to the general budget of the Union (7) ("the Financial Regulation" or "FR"),

(e)

pursuant to Article 25(1)(b), (c), (f), (g) and (h) EUDPR, when the Authorising Officer conducts monitoring and investigations regarding the legality of financial transactions carried out by and within the Committee, regarding the financial entitlements (8) of the members and the alternates of the Committee ("Committee members"), and regarding the financing of the activities and events organised or co-organised by the Committee, and deals with financial irregularities on the part of a staff member in accordance with Article 93 FR,

(f)	pursuant to Article 25(1)(b), (c), (f), (g) and (h) EUDPR, when the Committee provides information and documents to the European Anti-Fraud Office ("OLAF"), either at OLAF’s request or on its own initiative, notifies cases to OLAF or processes information and documents received from OLAF (9),

(g)	pursuant to Article 25(1)(c), (g) and (h) EUDPR, when the Committee conducts internal audits for the purpose of Articles 118 and 119 FR and in relation to the activities and procedures of its departments,

(h)

pursuant to Article 25(1)(c), (d) and (h) EUDPR, when the Committee conducts internal risk assessments, access controls, including background checks, measures of prevention and investigation of safety and security incidents, including incidents involving Committee members or staff members as well as incidents relating to the Committee’s infrastructure and information and communication technologies, as well as security inquiries and auxiliary investigations, including of its electronic communications networks, on its own initiative or upon request by third parties,

(i)	pursuant to Article 25(1)(c), (d) and (h) EUDPR, when the DPO, on their own initiative or upon request by third parties, conducts investigations into matters and occurrences directly relating to their tasks that have come to their notice, in accordance with Article 45(2) EUDPR,

(j)

pursuant to Article 25(1)(h) EUDPR, when data controllers process personal data obtained in the context of a staff member reporting in good faith factual elements that point to the existence of either possible illegal activities, including fraud and corruption, that are detrimental to the interests of the Union ("serious irregularities") or conduct relating to the discharge of professional duties that may constitute a serious failure to comply with staff members’ obligations ("serious misconduct"),

(k)	pursuant to Article 25(1)(h) EUDPR, when data controllers process personal data obtained by confidential counsellors in the context of the informal procedure for cases of alleged harassment,

(l)

pursuant to Article 25(1)(h) EUDPR, when data controllers process personal data concerning the health ("medical data") of either a Committee member or a staff member, including of a psychological or psychiatric nature, that are contained in the medical file held by the Committee on the data subject concerned,

(m)	pursuant to Article 25(1)(e) EUDPR, when data controllers process personal data in documents produced or obtained by the parties or the interveners in the context of proceedings before the Court of Justice of the European Union ("the Court of Justice"),

(n)

pursuant to Article 25(1)(b), (c), (d), (g) and (h) EUDPR, when the Committee provides or receives assistance to or from other institutions, bodies, offices and agencies of the Union ("EUIs") and cooperates with them in the context of the activities or procedures referred to in paragraph 1, points (a) to (m), and in accordance with the applicable service-level agreements, memoranda of understanding and cooperation agreements,

(o)

pursuant to Article 25(1)(b), (c), (g) and (h) EUDPR, when the Committee provides or receives assistance to or from the authorities of the Member States or those of third countries or international organisations and cooperates with such authorities and organisations, either at their request or on its own initiative,

(p)	pursuant to Article 25(1)(a), (b), (e) and (f) EUDPR, when the Committee provides the authorities of the Member States, or those of third countries or international organisations, with information and documents that they request in the context of investigations.

2.   The restrictions referred to in paragraph 1 may concern objective ("hard data") and subjective ("soft data") personal data alike, in particular but not exclusively one or more of the following categories:

(a)	Identification data;

(b)	Contact data;

(c)	Professional data (10);

(d)	Financial data;

(e)	Surveillance data (11);

(f)	Traffic data (12);

(g)	Medical data (13);

(h)	Genetic data (13);

(i)	Biometric data (13);

(j)	Data concerning a natural person’s sex life or sexual orientation (13);

(k)	Data revealing racial or ethnic origin, religious or philosophical beliefs, political opinions or affiliation, or trade union membership (13);

(l)	Data revealing the performance or conduct of natural persons participating in selection (recruitment), evaluation (appraisal) or promotion procedures (14);

(m)	Data on the presence of natural persons;

(n)	Data on external activities of natural persons;

(o)	Data relating to suspected offences, offences, criminal convictions or security measures;

(p)	Electronic communications;

(q)	All other data related to the subject matter of the relevant activity or procedure requiring the processing of that data.

3.   Any restriction shall respect the essence of fundamental rights and freedoms and be necessary and proportionate in a democratic society, and shall be limited to what is strictly necessary to achieve its objective.

4.   Any restriction of the application of Article 36 EUDPR (Confidentiality of electronic communications), whether total or partial, in accordance with paragraph 1 shall comply with applicable Union law concerning electronic communications privacy (15).

5.   Data controllers shall periodically review the application of restrictions referred to in paragraph 1, at least every six months from their respective adoption but also when essential and decisive elements of the case change and at the completion or termination of the activity or procedure that generated the restrictions. Thereafter, they shall monitor the need to maintain any restriction on an annual basis.

6.   The restrictions referred to in paragraph 1 shall continue to apply for as long as the reasons justifying them remain applicable. Where the reasons for a restriction referred to in paragraph 1 no longer exist, data controllers shall lift that restriction.

7.   When processing personal data received from third parties in the context of the Committee’s tasks, data controllers shall consult those third parties on potential grounds for imposing restrictions and on the necessity and proportionality of the restrictions concerned, unless this would detrimentally affect the activities or procedures of the Committee.

1.   Before applying any restrictions, data controllers shall, on a case-by-case basis, assess whether the restrictions under consideration are necessary and proportionate.

2.   Whenever data controllers assess the necessity and proportionality of a restriction, they shall consider the potential risks to data subjects’ rights and freedoms.

3.   Assessments of the risks to data subjects’ rights and freedoms that arise from imposing the restrictions, notably the risk that their personal data might be further processed without their knowledge and that they might be prevented from exercising their rights in accordance with the Regulation, as well as details of the period of application of those restrictions shall be registered in the record of processing activities maintained by data controllers pursuant to Article 31(1) EUDPR. They shall also be recorded in any data protection impact assessments regarding those restrictions conducted under Article 39 EUDPR.

1.   Whenever data controllers apply restrictions, they shall record:

(a)	The reasons for applying the restrictions;

(b)	The grounds on which the restrictions are applied;

(c)	How the exercise of the data subjects’ rights would detrimentally affect the purpose or the outcome of one or more of the activities or procedures carried out by the Committee;

(d)	The outcome of the assessment referred to in Article 4(1).

2.   The records referred to in paragraph 1 shall be part of the central register provided for in Article 31(5) EUDPR and shall be made available to the EDPS on request.

3.   Where data controllers restrict the application of Article 35 EUDPR (Communication of a personal data breach to the data subject), the record referred to in paragraph 1 shall be included in the notification to the EDPS provided for in Article 34(1) EUDPR.

1.   Data controllers shall implement safeguards to prevent abuse of and unlawful access to or transfer of personal data that may be subject to restrictions pursuant to Article 3(1). Such safeguards shall include appropriate technical and organisational measures and shall be detailed, as necessary, in the Committee’s relevant internal decisions, procedures and implementing rules.

2.   The safeguards referred to in paragraph 1 shall include:

(a)	Clearly defined roles, responsibilities and procedural steps;

(b)	Where appropriate, a secure electronic environment that prevents electronic data being unlawfully or accidentally accessed by or transferred to unauthorised persons;

(c)	Where appropriate, secure storage and processing of paper-based documents;

(d)	Due monitoring of restrictions and a periodic review of the application thereof.

3.   The personal data shall be retained in accordance with the Committee’s applicable retention rules (16), to be laid down in the records maintained by data controllers pursuant to Article 31(1) EUDPR. At the end of the retention period, the personal data shall be, as the case may be, deleted, rendered anonymous in such a manner that the data subject concerned is not or is no longer identifiable, or transferred to the Committee’s archives in accordance with Article 13 EUDPR.

1.   The data protection notices published on the Committee’s public website and on its intranet shall include a section providing data subjects with general information about the potential restriction of their rights in the context of the Committee’s activities and procedures involving the processing of their personal data. This section shall specify the rights that may be restricted, the grounds on which restrictions may be applied, the potential duration of those restrictions and the administrative and legal remedies available to data subjects.

2.   Whenever data controllers apply restrictions, they shall, without undue delay and in the most appropriate format, directly inform each data subject concerned of:

(a)	Any existing or forthcoming restrictions of their rights;

(b)	The principal reasons on which the application of the restriction is based;

(c)	Their right to consult the DPO with a view to challenging the restriction;

(d)	Their right to lodge a complaint with the EDPS;

(e)	Their right to seek a judicial remedy before the Court of Justice.

3.   Notwithstanding paragraph 2, where data controllers restrict, in exceptional cases, the application of Article 35 EUDPR (Communication of a personal data breach to the data subject), they shall communicate the personal data breach to the data subject concerned and provide the information referred to in paragraph 2, points (b), (d) and (e), as soon as the reasons for restricting such communication no longer exist.

4.   Notwithstanding paragraph 2, where data controllers restrict, in exceptional cases, the application of Article 36 EUDPR (Confidentiality of electronic communications), they shall provide the information referred to in paragraph 2 in their reply to any request from the data subject concerned.

5.   Data controllers may defer, omit or deny the provision of the information referred to in paragraph 2 ("deferral, omission or denial of information") for as long as it would cancel the effect of the restriction. They shall provide the data subject concerned with the information referred to in paragraph 2 as soon as doing so would no longer render the restriction ineffective.

6.   Article 4 and Article 5 shall apply by analogy in respect of any instance of deferral, omission or denial of information.

1.   Data controllers shall, without undue delay, inform the DPO in writing whenever they restrict the rights of a data subject pursuant to Article 3(1), perform the periodical reviews referred to in Article 3(5), lift restrictions as provided for in Article 3(6), or defer, omit or deny the provision of the information referred to in Article 7(2) pursuant to Article 7(5). Upon request, the DPO shall be given access to the associated records and any documents containing underlying factual and legal elements.

2.   The DPO may request data controllers to review any existing restrictions as well as deferrals, omissions or denials of information, and the application thereof. The DPO shall be informed in writing of the outcome of the requested review.

3.   The involvement of the DPO provided for in paragraphs 1 and 2 in relation to the application of restrictions and deferrals, omissions or denials of information shall be duly documented by data controllers, including the information shared with the DPO.

4.   The DPO shall, upon request, provide their opinion to data controllers on the determination of their responsibilities in the context of a joint controllership arrangement pursuant to Article 28(1) EUDPR.

1.   The Secretary-General may, as appropriate, issue instructions or adopt implementing measures to, where necessary, further specify and give effect to any provision of this Decision, in compliance with the latter.

2.   This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.