Accept Refuse

EUR-Lex Access to European Union law

This document is an excerpt from the EUR-Lex website

Document 52012XX0511(01)

Opinion of the European Data Protection Supervisor on the legislative proposals on alternative and online dispute resolution for consumer disputes

OJ C 136, 11.5.2012, p. 1–4 (BG, ES, CS, DA, DE, ET, EL, EN, FR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

11.5.2012   

EN

Official Journal of the European Union

C 136/1


Opinion of the European Data Protection Supervisor on the legislative proposals on alternative and online dispute resolution for consumer disputes

2012/C 136/01

THE EUROPEAN DATA PROTECTION SUPERVISOR,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

Having regard to the Charter of Fundamental Rights of the European Union, and in particular Articles 7 and 8 thereof,

Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1),

Having regard to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (2), and in particular Article 41 thereof,

HAS ADOPTED THE FOLLOWING OPINION:

I.   INTRODUCTION

I.1.   Consultation of the EDPS and aim of the Opinion

1.

On 29 November 2011, the Commission adopted two legislative proposals on alternative dispute resolution (hereinafter: ‘the proposals’):

proposal for a directive of the European Parliament and of the Council on alternative dispute resolution for consumer disputes (hereinafter: ‘the ADR proposal’) (3),

proposal for a regulation on online dispute resolution for consumer disputes (hereinafter: ‘the ODR proposal’) (4).

2.

On 6 December 2011, the EDPS received the ADR proposal and the ODR proposal for consultation. The EDPS had also been consulted informally before the adoption of the proposals and has issued informal comments. The EDPS welcomes this early consultation and the fact that most of the recommendations contained in these comments have been included in the proposals.

3.

The present Opinion aims at analysing the processing of personal data foreseen by the proposals and at explaining how they address data protection issues. It will focus on the ODR proposal, as it involves a centralised processing of personal data related to disputes through an online platform.

I.2.   Aim of the proposals

4.

Alternative dispute resolution schemes (ADR) provide an alternative means of solving disputes which is usually less costly and faster than bringing a case to court. The ADR proposal aims at ensuring that these entities are in place in all EU Member States to solve any cross-border consumer dispute arising from the sale of goods or the provision of services in the EU.

5.

The ODR proposal builds on this EU-wide availability of ADR for consumer disputes. It establishes an online platform (hereinafter: the ‘ODR platform’) that consumers and traders will be able to use to transmit complaints on cross-border online transactions to the competent ADR entity.

II.   GENERAL REMARKS

6.

The EDPS supports the aim of the proposals and welcomes the fact that data protection principles have been taken into account from the earliest stage of the drafting process.

7.

The EDPS also welcomes the references to the applicability of the data protection legislation in the ODR proposal (5) and to the applicability of national legislation implementing Directive 95/46/EC in the context of the ADR proposal (6), as well as the references to the consultation to the EDPS (7).

III.   SPECIFIC REMARKS

III.1.   Role of the controllers: need for a clear allocation of responsibilities

8.

According to the ODR proposal, the data will be processed by three types of actors in the context of each dispute submitted through the ODR platform:

ADR entities,

ODR facilitators, that will provide support to the resolution of disputes submitted via the ODR platform (8),

the Commission.

Article 11(4) states that each of these actors is to be considered as a controller as regards the processing of personal data related to their responsibilities.

9.

However, many of these controllers could be deemed responsible for the processing of the same personal data (9). For example, data related to a particular dispute sent through the ODR platform may be examined by several ODR facilitators and by the competent ADR scheme who will deal with the dispute. The Commission may also process these personal data for the operation and maintenance of the ODR platform.

10.

In this respect, the EDPS welcomes the fact that recital 20 of the ODR proposal states that data protection legislation applies to all of these actors. However, the legislative part of the ODR proposal should specify at least to which of the controllers data subjects should address their requests of access, rectification, blocking and erasure; and which controller would be accountable in case of specific breaches of the data protection legislation (for example, for security breaches). Data subjects should also be informed accordingly.

III.2.   Access limitation and retention period

11.

According to Article 11 of the ODR proposal, access to personal data processed through the ODR platform is limited to:

the competent ADR entity for the purposes of the resolution of the dispute,

ODR facilitators to support the resolution of the dispute (e.g., to facilitate the communication between the parties and the relevant ADR entity or to inform consumers of means of redress other than the ODR platform),

the Commission, if necessary for the operation and maintenance of the ODR platform, including to monitor the use of the platform by ADR entities and ODR facilitators (10).

12.

The EDPS welcomes these limitations of the purpose and the access rights. However, it is not clear whether all ODR facilitators (at least 54) will have access to personal data related to all the disputes. The EDPS recommends clarifying that every ODR facilitator will have access only to the data needed to fulfil his or her obligations under Article 6(2).

13.

As regards the retention period, the EDPS welcomes Article 11(3), which allows the retention of personal data only for the time necessary for the resolution of the dispute and for the exercise of data subjects' right of access. He also welcomes the obligation to automatically delete the data six months after the conclusion of the dispute.

III.3.   Processing of special categories of data: possible need for prior check

14.

Taking into account the purpose of the proposals, it is possible that personal data related to suspected infringements will be processed. Health data might also be processed in the context of disputes arising from the sale of goods or provision of services related to health.

15.

The processing of personal data in the framework of the ODR platform may therefore be subject to prior checking by national data protection authorities and by the EDPS, as required by Article 27 of Regulation (EC) No 45/2001 and Article 20 of Directive 95/46/EC (11). The EDPS understands that the Commission is aware of the necessity of assessing, before the ODR platform becomes operational, whether the processing should be subject to prior checking.

III.4.   The EDPS should be consulted on delegated and implementing acts relating to the complaint form

16.

The information to be provided in the electronic complaint form (hereinafter: ‘the form’) is detailed in the Annex to the ODR proposal. This includes personal data of the parties (name, address and, if applicable, e-mail and website address) and data aimed at determining which ADR entity is competent to deal with the relevant dispute (consumer's place of residence at the time the goods or services were ordered, type of goods or services involved, etc.).

17.

The EDPS welcomes Article 7(6) which reminds that only accurate, relevant and not excessive data can be processed through the form and its attachments. The list of data contained in the Annex also respects the purpose limitation principle.

18.

However, this list can be modified by delegated acts and the modalities of the form will be regulated by implementing acts (12). The EDPS recommends including a reference to the need to consult the EDPS as long as these acts concern the processing of personal data.

III.5.   Security measures: need for a privacy impact assessment

19.

The EDPS welcomes the provisions dedicated to confidentiality and security. The security measures detailed in Article 12 of the ODR proposal include access controls, a security plan and security incident management.

20.

The EDPS recommends adding also a reference to the need to conduct a privacy impact assessment (including a risk assessment) and to the fact that compliance with data protection legislation and data security should be periodically audited and reported.

21.

In addition, the EDPS would like to remind that the development of IT tools for the establishment of the ODR platform should integrate privacy and data protection from the very early design stage (privacy by design), including the implementation of tools enabling users to better protect personal data (such as authentication and encryption).

III.6.   Information to data subjects

22.

The EDPS welcomes recital 21 of the ODR proposal, which states that data subjects should be informed about the processing of their personal data and their rights through a publicly available privacy notice. However, the obligation to inform data subjects should also be included in the legislative part of the ODR proposal.

23.

In addition, data subjects should also be informed on which controller is responsible for compliance with their rights. The privacy notice should be clearly visible for anyone filling the form.

IV.   CONCLUSION

24.

The EDPS welcomes the fact that data protection principles have been integrated in the text, in particular as regards the purpose and access limitation, the limitation of the retention period and the security measures. However, he recommends:

clarifying the responsibilities of the controllers and informing data subjects accordingly,

clarifying the limitation of access rights,

complementing the provisions on security,

mentioning the need to consult the EDPS on delegated and implementing acts related to the processing of personal data.

25.

The EDPS would also like to remind that the processing of personal data in the framework of the ODR platform may be subject to prior checking by the EDPS and by national data protection authorities.

Done at Brussels, 12 January 2012.

Giovanni BUTTARELLI

Assistant European Data Protection Supervisor


(1)  OJ L 281, 23.11.1995, p. 31.

(2)  OJ L 8, 12.1.2001, p. 1.

(3)  COM(2011) 793 final.

(4)  COM(2011) 794 final.

(5)  Recital 20 and 21 and Article 11(4) of the ODR proposal.

(6)  Recitals 16 of the ADR proposal.

(7)  Preambles and explanatory memoranda of the proposals.

(8)  Each Member State will have to designate one contact point for ODR that will host at least two ODR facilitators. The Commission will establish a network of ODR contact points.

(9)  See also Article 29 Working Party Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’, adopted on 16.2.2010 (WP 169), pp. 17-24, available on http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdf

(10)  See Article 11(2) of the ODR proposal.

(11)  Article 27 of Regulation (EC) No 45/2001 requires that the processing of ‘data relating to health and to suspected offences, offences, criminal convictions or security measures’ be subject to prior checking by the EDPS. According to Article 20(1) of Directive 95/46/EC, the processing operations likely to present specific data protection risks, as determined by national data protection legislation, are subject to prior checking by the national data protection authority.

(12)  Recitals 23-24 and Article 7(4)-(5) of the ODR proposal.


Top