1.   This Decision lays down rules relating to the conditions under which the Agency in the framework of its procedures set out paragraph 2 may restrict the application of the rights enshrined in Articles 14 to 21, 35 and 36, as well as Article 4 thereof, following Article 25 of the Regulation (EU) 2018/1725.

2.   Within the framework of the administrative functioning of the Agency, this Decision applies to the processing operations on personal data by the Office for the purposes of conducting administrative inquiries, disciplinary proceedings, preliminary activities related to cases of potential irregularities reported to OLAF, processing whistleblowing cases, (formal and informal) procedures of harassment prevention, processing internal and external complaints, conducting internal audits, investigations carried out by the Data Protection Officer in line with Article 45(2) of Regulation (EU) 2018/1725 and (IT) security investigations handled internally or with external involvement (e.g. CERT-EU).

3.   The categories of data concerned are hard data (‘objective’ data such as identification data, contact data, professional data, administrative details, data received from specific sources, electronic communications and traffic data) and/or soft data (‘subjective’ data related to the case such as reasoning, behavioural data, appraisals, performance and conduct data and data related to or brought forward in connection with the subject matter of the procedure or activity).

4.   Where the Agency performs its duties with respect to data subject's rights under Regulation (EU) 2018/1725, it shall consider whether any of the exemptions laid down in that Regulation apply.

5.   Subject to the conditions set out in this Decision, the restrictions may apply to the following rights: provision of information to data subjects, right of access, rectification, erasure, restriction of processing, communication of a personal data breach to the data subject or confidentiality of communication.

1.   The safeguards in place to avoid data breaches, leakages or unauthorised disclosure are the following:

2.   The controller of the processing operations is the Agency, represented by its Executive Director, who may delegate the function of the controller. Data subjects shall be informed of the delegated controller by way of the data protection notices or records published on the website and/or the intranet of the Agency.

3.   The retention period of the personal data referred to in Article 1(3) shall be no longer than necessary and appropriate for the purposes for which the data are processed. It shall in any event not be longer than the retention period specified in the data protection notices, privacy statements or records referred to in Article 5(1).

4.   Where the Agency considers to apply a restriction, the risk to the rights and freedoms of the data subject shall be weighed, in particular, against the risk to the rights and freedoms of other data subjects and the risk of undermining the effectiveness of the Agency's investigations or procedures for example by destroying evidence. The risks to the rights and freedoms of the data subject concern primarily, but are not limited to, reputational risks and risks to the right of defence and the right to be heard.

1.   Any restriction shall only be applied by the Agency to safeguard:

2.   As a specific application of the purposes described in paragraph 1 above, the Agency may apply restrictions in relation to personal data exchanged with Commission services or other Union institutions, bodies, agencies and offices, competent authorities of Member States or third countries or international organisations, in the following circumstances:

Before applying restrictions in the circumstances referred to in points (a) and (b) of the first subparagraph, the Agency shall consult the relevant Commission services, Union institutions, bodies, agencies, offices or the competent authorities of Member States unless it is clear to the Agency that the application of a restriction is provided for by one of the acts referred to in those points.

3.   Any restriction shall be necessary and proportionate taking into account the risks to the rights and freedoms of data subjects and respect the essence of the fundamental rights and freedoms in a democratic society.

4.   If the application of a restriction is considered, a necessity and proportionality test shall be carried out based on the present rules. It shall be documented in every case through an internal assessment note for accountability purposes.

5.   Restrictions shall be lifted as soon as the circumstances that justify them no longer apply. In particular, where it is considered that the exercise of the restricted right would no longer undermine the effectiveness of the restriction imposed or adversely affect the rights or freedoms of other data subjects.

1.   The Agency shall, without undue delay, inform the Data Protection Officer of the Agency (‘the DPO’) whenever the controller restricts the application of data subjects' rights, or extends the restriction, in accordance with this Decision. The controller shall provide the DPO access to the record containing the assessment of the necessity and proportionality of the restriction and document the date of informing the DPO in the record.

2.   The DPO may request the controller in writing to review the application of the restrictions. The controller shall inform the DPO in writing about the outcome of the requested review.

3.   The controller shall inform the DPO when the restriction has been lifted.

1.   In duly justified cases and under the conditions stipulated in this decision, the right to information may be restricted by the controller in the context of the following processing operations:

The Agency shall include in the data protection notices, privacy statements or records in the sense of Article 31 of Regulation (EU) 2018/1725, published on its website and/or on the intranet informing data subjects of their rights in the framework of a given procedure, information relating to the potential restriction of these rights. The information shall cover which rights may be restricted, the reasons and the potential duration.

2.   Without prejudice to the provisions of paragraph 3, the Agency, where proportionate, shall also inform individually all data subjects, which are considered persons concerned in the specific processing operation, of their rights concerning present or future restrictions without undue delay and in a written form.

3.   Where the Agency restricts, wholly or partly, the provision of information to the data subjects referred to in paragraph 2, it shall record the reasons for the restriction, the legal ground in accordance with Article 3 of this Decision, including an assessment of the necessity and proportionality of the restriction.

The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request.

4.   The restriction referred to in paragraph 3 shall continue to apply as long as the reasons justifying it remain applicable.

Where the reasons for the restriction no longer apply, the Agency shall provide information to the data subject on the principal reasons on which the application of a restriction is based. At the same time, the Agency shall inform the data subject of the right of lodging a complaint with the European Data Protection Supervisor at any time or of seeking a judicial remedy in the Court of Justice of the European Union.

The Agency shall review the application of the restriction every six months from its adoption and at the closure of the relevant inquiry, procedure or investigation. Thereafter, the controller shall monitor the need to maintain any restriction every six months.

1.   In duly justified cases and under the conditions stipulated in this decision, the right to access may be restricted by the controller in the context of the following processing operations, where necessary and proportionate:

Where data subjects request access to their personal data processed in the context of one or more specific cases or to a particular processing operation, in accordance with Article 17 of Regulation (EU) 2018/1725, the Agency shall limit its assessment of the request to such personal data only.

2.   Where the Agency restricts, wholly or partly, the right of access, referred to in Article 17 of Regulation (EU) 2018/1725, it shall take the following steps:

The provision of information referred to in point (a) may be deferred, omitted or denied if it would cancel the effect of the restriction in accordance with Article 25(8) of Regulation (EU) 2018/1725.

The Agency shall review the application of the restriction every six months from its adoption and at the closure of the relevant investigation. Thereafter, the controller shall monitor the need to maintain any restriction every six months.

3.   The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request.

1.   In duly justified cases and under the conditions stipulated in this decision, the right to rectification, erasure and restriction may be restricted by the controller in the context of the following processing operations, where necessary and appropriate:

2.   Where the Agency restricts, wholly or partly, the application of the right to rectification, erasure and restriction of processing referred to in Articles 18, 19(1) and 20(1) of Regulation (EU) 2018/1725, it shall take the steps set out in Article 6(2) of this Decision and register the record in accordance with Article 6(3) thereof.

1.   In duly justified cases and under the conditions stipulated in this decision, the right to the communication of a personal data breach may be restricted by the controller in the context of the following processing operations, where necessary and appropriate:

2.   In duly justified cases and under the conditions stipulated in this decision, the right to confidentiality of electronic communications may be restricted by the controller in the context of the following processing operations, where necessary and appropriate:

3.   Where the Agency restricts the communication of a personal data breach to the data subject or the confidentiality of electronic communications referred to in Articles 35 and 36 of Regulation (EU) 2018/1725, it shall record and register the reasons for the restriction in accordance with Article 5(3) of this decision. Article 5(4) of this Decision shall apply.