This document is an excerpt from the EUR-Lex website
Document 32024Q02022
Decision of the European Data Protection Supervisor of 18 July 2024 amending the Rules of Procedure of the EDPS of 15 May 2020 [2024/2022]
Decision of the European Data Protection Supervisor of 18 July 2024 amending the Rules of Procedure of the EDPS of 15 May 2020 [2024/2022]
Decision of the European Data Protection Supervisor of 18 July 2024 amending the Rules of Procedure of the EDPS of 15 May 2020 [2024/2022]
OJ L, 2024/2022, 29.7.2024, ELI: http://data.europa.eu/eli/proc_rules/2024/2022/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)
In force
|
Official Journal |
EN L series |
|
2024/2022 |
29.7.2024 |
DECISION OF THE EUROPEAN DATA PROTECTION SUPERVISOR
of 18 July 2024
amending the Rules of Procedure of the EDPS of 15 May 2020 [2024/2022]
THE EUROPEAN DATA PROTECTION SUPERVISOR,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (1) (the ‘Regulation’), and in particular, Articles 54(4) and 57(1)(q) thereof,
Whereas:
|
(1) |
The EDPS Rules of Procedure of 15 May 2020 (2) adopted in accordance with Article 57(1)(q) of the Regulation provide in Article 18 for a review procedure in complaint cases limited to new factual evidence and legal arguments. |
|
(2) |
However, the application of the review procedure has presented practical and legal difficulties for EU institutions, offices bodies and agencies as well as for complainants. The review procedure should therefore be abolished. |
|
(3) |
Article 58(5) of the Regulation requires that the exercise of the powers conferred on the EDPS pursuant to that article should be subject to appropriate safeguards, including effective judicial remedies and due process, set out in Union law. In the same vein, Article 66(5) and (6) of the Regulation provide that before taking decisions imposing an administrative fine, the EDPS should give the Union institution or body which is the subject of the proceedings conducted by the EDPS the opportunity of being heard on the matters to which the EDPS has taken objection. In order to effectively safeguard the right to good administration and the rights of defence as enshrined in the Charter of Fundamental Rights of the European Union (‘the Charter’), including the right of every person to be heard before any individual measure which would affect him or her adversely is taken, it is therefore important to provide for clear rules in the EDPS Rules of Procedure on the exercise of these rights. |
|
(4) |
Controllers or processors should have the opportunity to express their views before a decision adversely affecting them is taken by the EDPS. Therefore, the EDPS Rules of Procedure should provide for the EDPS to draft a preliminary assessment and communicate it to the controller or processor which is the subject of the proceedings conducted by the EDPS before adopting a decision containing finding of an infringement of the Regulation or of any other Union act relating to the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data by a Union institution or body, or when exercising corrective powers pursuant to the Regulation, or imposing an administrative fine, or exercising powers against the European Union Agency for Law Enforcement Cooperation (Europol), the European Union Agency for Criminal Justice Cooperation (Eurojust), or the European Public Prosecutor’s Office (EPPO). |
|
(5) |
Controllers or processors should have the opportunity to express their views before a decision adversely affecting them is taken by the EDPS. Therefore, the EDPS Rules of Procedure should specify the situations in which the EDPS should draft a preliminary assessment and then communicate it to the controller or processor which is the subject of the proceedings conducted by the EDPS. |
|
(6) |
Likewise, complainants should have the opportunity to express their views before a decision adversely affecting them is taken by the EDPS. Therefore, the EDPS Rules of Procedure should specify the situations in which the EDPS should draft a preliminary assessment and then communicate it to the complainant. |
|
(7) |
The preliminary assessment constitutes an essential procedural safeguard which ensures that the right to be heard is observed. The EDPS Rules of Procedure should consequently lay down the elements to be contained in such a preliminary assessment. Given that these elements differ in cases where the EDPS intends to impose an administrative fine, the EDPS Rules of Procedure should also lay down the elements to be contained in a preliminary assessment in these cases. |
|
(8) |
A limitation of the information contained in the preliminary assessment may be necessary to protect interests referred to in Union or Member State law. These interests include the national security, public security or defence of the Member States; the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; other important objectives of general public interest of the Union or of a Member State, in particular the objectives of the common foreign and security policy of the Union or an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security; the internal security of Union institutions and bodies, including of their electronic communications networks; the protection of judicial independence and judicial proceedings; the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions; a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority; the protection of the data subject or the rights and freedoms of others; the enforcement of civil law claims; avoidance of obstructing official or legal inquiries, investigations or procedures; avoidance of prejudicing the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. Other interests include legitimate interests of confidentiality or of professional and business secrecy. The EDPS Rules of Procedure should therefore include specific references to these interests and specify the information to the complaint. |
|
(9) |
After the communication of its preliminary assessment, the controller or processor and the complainant should be given the opportunity of submitting their observations. The EDPS should therefore lay down rules on when to give to the controller or processor, or the complainant, the opportunity of being heard, and within which time frame. |
|
(10) |
Access to the file forms part of the rights of defence and the right to good administration enshrined in the Charter. However, a limitation to access to the file of the EDPS may be necessary to protect interests referred to in Union or Member State law and should thus be reflected in the EDPS Rules of Procedure. |
|
(11) |
For maintaining a fair decision-making process, the EDPS Rule of Procedure should clarify that any EDPS decisions should only be based on findings and measures on which the controller or processor or the complainant have been able to comment, except in cases of application of limitations necessary for the protection of interests referred to in Union or Member State law. |
|
(12) |
In order to guarantee in a consistent manner that each legally binding measure of the EDPS refers to the right to an effective remedy, the EDPS Rule of Procedure should provide for the EDPS to inform, in the text of its decision, the controller or processor, and the complainant, of their right to challenge the decision before the Court of Justice of the European Union in accordance with Article 263 of the Treaty on the Functioning of the European Union, |
HAS ADOPTED THIS DECISION:
Article 1
Article 18 of the Rules of Procedure of the EDPS of 15 May 2020 is amended as follows:
‘Article 18
Preliminary assessment and right to be heard
1. Before adopting a decision:
|
(a) |
containing finding of an infringement of the Regulation or of any other Union act relating to the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data by a Union institution or body; or |
|
(b) |
exercising corrective powers pursuant to Article 58(2) of the Regulation; or |
|
(c) |
imposing an administrative fine pursuant to Articles 58(2)(i) and 66 of the Regulation, or pursuant to point (l) of Article 43(3) of Regulation (EU) 2016/794 of the European Parliament and of the Council (*1); or |
|
(d) |
exercising powers against the European Union Agency for Law Enforcement Cooperation (Europol) pursuant to points (b), (c), (d) (e), (f), (g), (j), and (k) of Article 43(3) of Regulation (EU) 2016/794; or |
|
(e) |
exercising powers against the European Public Prosecutor’s Office (EPPO) pursuant to points (b), (d) and (e) of Article 85(3)(b) of Council Regulation (EU) 2017/1939 (*2) ; or |
|
(f) |
exercising powers against the European Union Agency for Criminal Justice Cooperation (Eurojust) pursuant to points (b), (d) and (e) of Article 40(3) of Regulation (EU) 2018/1727 of the European Parliament and of the Council (*3); the EDPS shall draft a preliminary assessment and communicate it to the controller or processor which is the subject of the proceedings conducted by the EDPS (“the controller or processor”). |
2. Before adopting a decision in cases where the EDPS intends to partially or wholly dismiss a complaint lodged pursuant to:
|
(a) |
Articles 63 and 68 of the Regulation; or |
|
(b) |
Article 47 of Regulation (EU) 2016/794; or |
|
(c) |
Article 88 of Regulation (EU) 2017/1939; |
|
(d) |
Article 43 of Regulation (EU) 2018/1727; or the EDPS shall draft a preliminary assessment and communicate it to the complainant. |
3. The preliminary assessment shall contain:
|
(a) |
the relevant established facts and references to supporting evidence on which the EDPS intends to rely on to reach its decision; |
|
(b) |
the EDPS’ initial legal assessment of the facts, and any alleged infringement of the applicable data protection rules; and |
|
(c) |
any corrective powers envisaged by the EDPS, having considered aggravating or mitigating factors. |
4. By way of derogation from paragraph 3, in cases of application of Article 18(1)(c), the preliminary assessment shall only contain the relevant elements on which the EDPS intends to rely in deciding whether to impose an administrative fine and in deciding on the amount of the administrative fine, having regard to the elements listed in Article 66(1) of the Regulation.
5. The EDPS may restrict the information provided to the complainant in the preliminary assessment referred to in paragraphs 2 and 3, to protect any of the interests referred to in:
|
(a) |
Article 25(1) of the Regulation; or |
|
(b) |
Articles 79(3), 81(1) or 84(2) of the Regulation; or |
|
(c) |
Articles 58(3), 60(1) and 61(5) of Regulation (EU) 2017/1939; or |
|
(d) |
any other legitimate interests of confidentiality or of professional and business secrecy. In such cases, the EDPS shall inform the complainant at least about the part(s) of the complaint that it intends to dismiss, and of the justification for applying any of the restrictions referred to in the first subparagraph. In cases of restriction of information for interests referred to in points (b) and (c) of the first subparagraph, the EDPS may omit information regarding the justification for applying any of the restrictions where the provision thereof would undermine these interests. In such cases, the EDPS shall inform the complainant in accordance with Article 84(3) of the Regulation and Article 62(3) of Regulation (EU) 2017/1939. |
6. The EDPS shall give to the controller or processor and the complainant the opportunity of being heard on the finding of an infringement of the Regulation or of any other Union act relating to the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data by a Union institution or body, and/or the exercise of corrective powers, or the imposition of an administrative fine, or where the EDPS intends to partially or wholly dismiss a complaint, as the case may be. The EDPS shall set a time-limit within which the controller or processor and the complainant may make known their views in writing, taking into account the urgency of the matter.
7. The EDPS may limit access to the file where this is necessary to protect any of the interests referred to in paragraph 5 above.
8. The EDPS shall base his or her decisions only on findings and measures on which the controller or processor or the complainant have been able to comment, except in cases of application of paragraphs 5 and 7.
9. The EDPS shall, in the text of its decision, inform the controller or processor and the complainant of their right to challenge the decision before the Court of Justice of the European Union in accordance with Article 263 of the Treaty on the Functioning of the European Union.
Article 2
This Decision shall enter into force on the twentieth day following its publication in the Official Journal of the European Union.
Done at Brussels, 18 July 2024.
For the EDPS
Wojciech Rafał WIEWIÓROWSKI
European Data Protection Supervisor
(1) OJ L 295, 21.11.2018, p. 39.
(2) Decision of the European Data Protection Supervisor of 15 May 2020 adopting the Rules of Procedure of the EDPS (OJ L 204, 26.6.2020, p. 49).
ELI: http://data.europa.eu/eli/proc_rules/2024/2022/oj
ISSN 1977-0677 (electronic edition)