EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Document 32022D0118(01)

Decision No 59/2021 of the Secretary-General of the Council of the European Union laying down implementing rules concerning the application of Regulation (EU) 2018/1725 of the European Parliament and of the Council and the restriction of data subjects’ rights for the purpose of administrative investigations, disciplinary and court proceedings 2022/C 25/02

DE/59/2021/INIT

OJ C 25, 18.1.2022, p. 2–7 (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

In force

18.1.2022   

EN

Official Journal of the European Union

C 25/2


DECISION No 59/2021 OF THE SECRETARY-GENERAL OF THE COUNCIL OF THE EUROPEAN UNION

laying down implementing rules concerning the application of Regulation (EU) 2018/1725 of the European Parliament and of the Council and the restriction of data subjects’ rights for the purpose of administrative investigations, disciplinary and court proceedings

(2022/C 25/02)

THE SECRETARY-GENERAL OF THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty of the Functioning of the European Union, and in particular Article 235(4) and 240(2) thereof,

Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices, and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (1) and in particular Article 25 thereof,

Having regard to the opinion of the European Data Protection Supervisor (EDPS) of 19 July 2021, consulted in accordance with Article 41(2) of Regulation (EU) 2018/1725,

Whereas:

(1)

Regulation (EU) 2018/1725 sets out the principles and rules applicable to the processing of personal data by all Union institutions and bodies as well as the rights of data subjects.

(2)

In certain cases, the General Secretariat of the Council (GSC) may be required to reconcile those rights with the objectives of administrative investigations, disciplinary and court proceedings. It might also be required to balance a data subject’s rights against the fundamental rights and freedoms of other data subjects. To that end, Article 25(1) of Regulation (EU) 2018/1725 provides each Union institution or body with the possibility to restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation. Unless restrictions are provided for in a legal act adopted on the basis of the Treaties, it is necessary to adopt internal rules under which the GSC is entitled to restrict those rights.

(3)

Article 86 of Staff Regulations (2) sets out the possibility for the Appointing Authority to conduct investigations and disciplinary procedures in cases of failure by officials or former officials to comply with their obligations under the Staff Regulations and Annex IX of Staff Regulations details the rules, measures and procedures covering administrative investigations and the disciplinary procedure.

(4)

Pursuant to Article 13 of Decision No 1/2018 of the Secretary-General of the Council on the security and business continuity tasks of the Directorate of Safety and Security, the latter is empowered to conduct investigations into security related matters, into any loss, unauthorised disclosure or compromise of EU classified information has occurred at the places of work of the European Council or the Council, at the GSC or through GSC-operated communication and information systems, and in the framework of its responsibilities for combating espionage and providing protection against passive and active eavesdropping attacks aimed at the interests of the EU, in GSC premises or places of work of the European Council and the Council.

(5)

Article 6 of Decision No 6/2021 of the Secretary-General of the Council of the European Union adopting general implementing provisions on administrative investigations and disciplinary proceedings provides that all personal data collected shall be treated in compliance with the provisions of Regulation (EU) 2018/1725 of the European Parliament and of the Council, and that restrictions to data subject rights shall be dealt in accordance with its Article 25.

(6)

Pursuant to Article 13 of Decision No 1/2018 of the Secretary-General of the Council on the security and business continuity tasks of the Directorate of Safety and Security, investigations carried out by the Directorate for Safety and Security shall respect the internal rules as set in Decision No 6/2021 of the Secretary-General of the Council of the European Union adopting general implementing provisions on administrative investigations and disciplinary proceedings as soon as the possible involvement of an official comes to light.

(7)

According to the Administrative Agreement of 15 February 2017 concluded between the European Anti-Fraud Office (OLAF) and the GSC, the GSC is also required to notify cases and send information to OLAF when cases of possible fraud, corruption, or any other illegal activity detrimental to the interests of the Union which comes to its attention.

(8)

In the conduct of administrative investigations and disciplinary procedures, the relevant departments collect and process different types of personal data, including identification data, contact information, professional roles and tasks, information on private and professional conduct and performance, financial data, or communication data. Investigators ensure that the personal data they collect are adequate, relevant, and not excessive in relation to the purposes of the investigation. The persons concerned by an investigation shall be rapidly informed in writing once it has been opened. They should also be informed of the type of data that are being or will be collected, how they will be processed and what are their rights in that respect.

(9)

In duly justified cases, when there is a serious risk that informing the person concerned will be prejudicial to the establishment of facts and evidence, it may be necessary to postpone the notification of the opening of an enquiry. In such cases, there is a need to reconcile the rights of data subjects pursuant to Regulation (EU) 2018/1725 and the necessity for the Appointing Authority to establish whether officials have failed to comply with their obligations under the Staff Regulations. Any restriction to the rights of data subjects under investigation should only be applied in limited circumstances and be handled in a transparent and proportionate manner in terms of scope and duration.

(10)

It may be necessary to protect the anonymity of a witness or a source. In that case, the right of access to the identity, testimonies and other personal data of such persons may be restricted within the limits of the rights of defence.

(11)

In application of the principle of accountability, the relevant service of the GSC should keep a record of the application of any restrictions.

(12)

Article 25(6) of Regulation (EU) 2018/1725 obliges the controller to inform data subjects of the principal reasons on which the application of the restriction is based and of their right to lodge a complaint with the EDPS.

(13)

Pursuant to Article 25(8) of Regulation (EU) 2018/1725, the GSC is entitled to defer, omit or deny the provision of information on the reasons for the application of a restriction to the data subject if this would in any way cancel the effect of the restriction. The GSC should assess on a case-by-case basis whether the communication of the restriction would cancel its effect.

(14)

Restrictions should be lifted as soon as the conditions that justify them no longer apply or where maintaining them would impinge on the rights of defence. The need for restriction measures should be assessed regularly.

(15)

The Data Protection Officer (DPO) should be consulted in due time and be informed of any restriction to be applied and have the possibility to comment on their compliance with this Decision.

(16)

This Decision has been the subject of consultation with the Staff Committee,

HAS DECIDED AS FOLLOWS:

Article 1

Scope

1.   This Decision lays down rules relating to the conditions under which the General Secretariat of the Council (GSC) may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation, in accordance with Article 25 thereof.

2.   For the purposes of this Decision the GSC shall be considered to be the controller within the meaning of Article 3(8) of Regulation (EU) 2018/1725. The GSC is represented by its Secretary-General.

Article 2

Restrictions

1.   The GSC may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as Article 4 insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 21 of that Regulation (EU) 2018/1725:

(a)

pursuant to Article 25(1)(a), (b), (c), (d), (f), (g) and (h) of Regulation (EU) 2018/1725, when conducting security and administrative investigations or disciplinary proceedings under Decision No 1/2018 of the Secretary-General of the Council on the security and business continuity tasks of the Directorate of Safety and Security, and under Article 86 and Annex IX of the Staff Regulations carried out in accordance with Decision No 6/2021 of the Secretary-General of the Council adopting general implementing provisions on administrative investigations and disciplinary proceedings;

(b)

pursuant to Article 25(1)(a), (b), (c), (d), (f), (g) and (h) of Regulation (EU) 2018/1725, when ensuring the possibility for staff members to report facts confidentially, where the relevant service believes there are serious irregularities, as set out in Decision No 3/2016 of the Secretary-General of the Council adopting internal rules for reporting serious irregularities – Procedures for the implementation of Articles 22a, 22b and 22c of the Staff Regulations and 66.8 of the Financial Regulation;

(c)

pursuant to Article 25(1)(b), (d) and (h) of Regulation (EU) 2018/1725, when conducting investigations in the context of requests for assistance received under Article 24 of the Staff Regulations;

(d)

pursuant to Article 25(1)(h) of Regulation (EU) 2018/1725, when ensuring that staff members are able to report to confidential counsellors in the context of the harassment procedure, as defined by Decision No 23/2021 of the Secretary-General of the Council of the European Union concerning psychological and sexual harassment at work within the General Secretariat of the Council;

(e)

pursuant to Article 25(1)(a), (b), (c), (d), (f), (g) and (h) of Regulation (EU) 2018/1725, when providing or receiving assistance to or from other Union institutions, bodies, offices and agencies or cooperating with them pursuant to relevant service level agreements, memoranda of understanding and cooperation agreements;

(f)

pursuant to Article 25(1)(a), (b), (c), (d), (f), (g) and (h) of Regulation (EU) 2018/1725, when providing or receiving assistance and cooperation to and from EU Member States’ public authorities, either at their request or on its own initiative;

(g)

pursuant to Article 25(1)(a), (b), (c), (d), (f), (g) and (h) of Regulation (EU) 2018/1725, when providing or receiving assistance to or from third countries’ national authorities and international organisations or cooperating with such authorities and organisations, either at their request or on its own initiative;

(h)

pursuant to Article 25(1)(e) and (h) of Regulation (EU) 2018/1725, when processing personal data in the context of judicial proceedings.

Article 3

Application of restrictions

1.   Any restriction of the rights and obligations referred to in Article 2 shall be necessary and proportionate, taking into account the risks to the rights and freedoms of data subjects.

2.   Before applying one of the restrictions listed in Article 2, the GSC relevant service shall carry out a necessity and proportionality test on a case-by-case basis. Restrictions shall be limited to what is strictly necessary to achieve their objective.

3.   The GSC relevant service shall record the reasons for any restriction applied pursuant to this Decision, including the test provided for in paragraph 2 and the grounds provided for under Article 25(1) of Regulation (EU) 2018/1725. The record and, where applicable, the documents containing underlying factual and legal elements shall be part of a register kept by the GSC relevant service. They shall be made available to the EDPS on request.

4.   Before applying restrictions in relation to personal data obtained from other Union institutions, bodies, agencies and offices, competent authorities of Member States or third countries, or from international organisations under Article 2(1)(e), (f) and (g) the GSC shall consult those organisations on potential grounds for imposing restrictions and the necessity and proportionality of the restrictions concerned, unless this would jeopardise the purpose of the activities of the GSC.

Article 4

Duration and review of restrictions

1.   Restrictions referred to in Article 2 shall continue to apply for as long as the reasons justifying them remain applicable.

2.   The GSC relevant service shall review the application of restrictions referred to in Article 2 periodically, at least every six months.

3.   Restrictions shall be lifted as soon as the circumstances that justify them no longer apply.

4.   Where the reasons for a restriction referred to in Article 2 no longer apply, the GSC shall lift the restriction and provide the reasons for the restriction to the data subject. At the same time, the GSC shall inform the data subject of the possibility of lodging a complaint with the EDPS.

Article 5

Involvement of the Data Protection Officer

1.   Where the GSC relevant service concludes that a data subject’s rights should be restricted pursuant to this Decision, it shall inform the DPO. It shall also provide the DPO with access to the record and any documents containing underlying factual and legal elements. The GSC relevant service shall document in detail the involvement of the DPO in the application of restrictions.

2.   The DPO may request that the GSC relevant service review the application of the restrictions. The service concerned shall inform the DPO in writing about the outcome of the requested review.

Article 6

Provision of information to data subjects

1.   The GSC shall include a section in the data protection notices published in the register of processing operations kept by the DPO providing general information to data subjects on the potential for restriction of data subjects’ rights pursuant to Article 2(1). The information shall cover which rights may be restricted, the grounds on which restrictions may be applied and their potential duration.

2.   The relevant services shall individually inform data subjects, in appropriate format, of ongoing or future restrictions of their rights. They shall inform the data subject of the principal reasons on which the application of the restriction is based, of their right to consult the DPO and of their rights to lodge a complaint with the EDPS.

3.   The relevant services may defer, omit or deny the provision of information to data subjects referred to in paragraph 2 of this Article, for as long as it would nullify the effect of the restriction. Assessment of whether this would be justified shall take place on a case-by-case basis. As soon as it would no longer nullify the effect of the restriction, the information should be provided to the data subject.

4.   Where the GSC relevant service restricts, wholly or partly, the provision of information to data subjects referred to in paragraph 2 of this Article, the GSC shall record and register the reasons for the restriction, in accordance with Article 3.

Article 7

Communication of a personal data breach to the data subject

1.   Where the GSC is under an obligation to communicate a data breach under Article 35(1) of Regulation (EU) 2018/1725, it may, in exceptional circumstances, restrict such communication wholly or partly. It shall document this decision as provided under Article 3(3) of this decision.

2.   Where the reasons for the restriction no longer apply, the GSC shall communicate the personal data breach to the data subject concerned and inform him or her of the principal reasons for the restriction and of his or her right to lodge a complaint with the EDPS.

Article 8

Confidentiality of electronic communications

1.   In exceptional circumstances, the GSC may restrict the right to confidentiality of electronic communications under Article 36 of Regulation (EU) 2018/1725.

2.   Where the GSC restricts the right to confidentiality of electronic communications, it shall inform the data subject concerned, in its reply to any request from the data subject, of the principal reasons for which the application of the restriction is based and of his or her right to lodge a complaint with the EDPS.

3.   The GSC may defer, omit or deny the provision of information concerning the reasons for a restriction and the right to lodge a complaint with the EDPS for as long as it would undermine the effect of the restriction. Assessment of whether this would be justified shall take place on a case-by-case basis.

Article 9

Risks to the rights and freedoms of data subjects

1.   Any restriction shall respect the essence of fundamental rights and freedoms and be necessary and proportionate in a democratic society.

2.   Whenever an investigative service tasked with an investigation assesses the necessity and proportionality of a restriction it shall consider the potential risks to the rights and freedoms of the data subject.

3.   No restriction may have the effect of preventing persons concerned by an investigation to exercise their rights of defence, in particular their right to be heard. In cases where the notification of the opening of an investigation to the person concerned is delayed, no conclusions may be drawn without them having had the opportunity to be heard. In cases where evidence and testimonies have been pseudonymised at the stage of the investigation, pseudonymisation or any other restriction must be lifted in case of disciplinary proceedings.

Article 10

Entry into force

This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Done at Brussels, 20 December 2021.

The Secretary-General

Jeppe TRANHOLM-MIKKELSEN


(1)  OJ L 295, 21.11.2018, p. 39.

(2)  Regulation (EEC, Euratom, ECSC) No 259/68 of the Council of 29 February 1968 laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission (OJ L 56, 4.3.1968, p. 1).


Top