(1)

The European Union Aviation Safety Agency (‘EASA’) is empowered to conduct administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings, in accordance with the Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the European Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (‘Staff Regulations’) (3), and with Decision No 2011/216/E of EASA Executive Director of 16 December 2011 adopting implementing provisions regarding the conduct of administrative inquiries and disciplinary proceedings. If required, it also notifies cases to OLAF.

(2)

EASA staff members are under an obligation to report potentially illegal activities, including fraud and corruption, which are detrimental to the interests of the Union. Staff members are also obliged to report conduct relating to the discharge of professional duties which may constitute a serious failure to comply with the obligations of officials of the Union. This is regulated by EASA Management Board Decision 15-2018 of 14 December 2018.

(3)

EASA has put in place a policy to prevent and deal effectively with actual or potential cases of psychological or sexual harassment in the workplace, as provided for in EASA Decision No 2008/180/A of EASA Executive Director of 5 August 2009 adopting implementing measures pursuant to the Staff Regulations.

(4)

The Decision establishes an informal procedure whereby the alleged victim of the harassment can contact EASA’s ‘confidential’ counsellors.

(5)

EASA can also conduct investigations into potential breaches of security rules for European Union classified information (‘EUCI’), based on EASA Decision No 2020/010/ED of EASA Executive Director of 17 February 2020 on the EASA security rules on the protection of European Union Classified Information.

(6)

EASA is subject to both internal and external audits concerning its activities.

(7)

In the context of such administrative inquiries, audits and investigations, EASA cooperates with other Union institutions, bodies, offices and agencies.

(8)

EASA can cooperate with third countries’ national authorities and international organisations, either at their request or on its own initiative.

(9)

EASA can also cooperate with EU Member States’ public authorities, either at their request or on its own initiative.

(10)

EASA is involved in cases before the Court of Justice of the European Union when it either refers a matter to the Court, defends a decision it has taken and which has been challenged before the Court, or intervenes in cases relevant to its tasks. In this context, EASA might need to preserve the confidentiality of personal data contained in documents obtained by the parties or the interveners.

(11)

EASA is empowered to conduct inspections, other monitoring activities and investigations in compliance with Article 75(2)(e) of Regulation (EU) 2018/1139.

(12)

EASA is empowered to carry out IT security investigations handled internally or with external involvement (e.g. CERT-EU) in compliance with Article 75(2)(d) of Regulation (EU) 2018/1139.

(13)

The Data Protection Officer of EASA (‘DPO’) is empowered to process internal and external complaints and conduct internal audits and investigations in compliance with Article 45(2) of Regulation (EU) 2018/1725 (‘the Regulation’).

(14)

To fulfil its tasks, EASA collects and processes information and several categories of personal data, including identification data of natural persons, contact information, professional roles and tasks, information on private and professional conduct and performance, and financial data. EASA acts as data controller.

(15)

Under the Regulation, EASA is therefore obliged to provide information to data subjects on those processing activities and to respect their rights as data subjects.

(16)

EASA might be required to reconcile those rights with the objectives of administrative inquiries, audits, investigations and court proceedings. It might also be required to balance a data subject’s rights against the fundamental rights and freedoms of other data subjects. To that end, Article 25 of the Regulation gives EASA the possibility to restrict, under strict conditions, the application of Articles 14 to 22, 35 and 36 of the Regulation, as well as its Article 4 in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 20. Unless restrictions are provided for in a legal act adopted on the basis of the Treaties, it is necessary to adopt internal rules under which EASA is entitled to restrict those rights.

(17)

EASA might, for instance, need to restrict the information it provides to a data subject about the processing of his or her personal data during the preliminary assessment phase of an administrative inquiry or during the inquiry itself, prior to a possible dismissal of case or at the pre-disciplinary stage. In certain circumstances, providing such information might seriously affect EASA’s capacity to conduct the inquiry in an effective way, whenever, for example, there is a risk that the person concerned might destroy evidence or interfere with potential witnesses before they are interviewed. EASA might also need to protect the rights and freedoms of witnesses as well as those of other persons involved.

(18)

It might be necessary to protect the anonymity of a witness or whistle-blower who has asked not to be identified. In such a case, EASA might decide to restrict access to the identity, statements and other personal data of such persons, in order to protect their rights and freedoms.

(19)

It might be necessary to protect confidential information concerning a staff member who has contacted EASA confidential counsellors in the context of a harassment procedure. In such cases, EASA might need to restrict access to the identity, statements and other personal data of the alleged victim, the alleged harasser and other persons involved, in order to protect the rights and freedoms of all concerned.

(20)

EASA should apply restrictions only when they respect the essence of fundamental rights and freedoms, are strictly necessary and are a proportionate measure in a democratic society. EASA should give reasons explaining the justification for those restrictions.

(21)

In application of the principle of accountability, EASA should keep a record of its application of restrictions.

(22)

When processing personal data exchanged with other organisations in the context of its tasks, EASA and those organisations should consult each other on potential grounds for imposing restrictions and the necessity and proportionality of those restrictions, unless this would jeopardise the activities of EASA.

(23)

Article 25(6) of the Regulation obliges the controller to inform data subjects of the principal reasons on which the application of the restriction is based and of their right to lodge a complaint with the EDPS.

(24)

Pursuant to Article 25(8) of the Regulation, EASA is entitled to defer, omit or deny the provision of information on the reasons for the application of a restriction to the data subject if this would in any way cancel the effect of the restriction. EASA should assess on a case-by-case basis whether the communication of the restriction would cancel its effect.

(25)

EASA should lift the restriction as soon as the conditions that justify the restriction no longer apply, and assess those conditions on a regular basis.

(26)

To guarantee utmost protection of the rights and freedoms of data subjects and in accordance with Article 44(1) of the Regulation, the DPO should be consulted in due time of any restrictions that may be applied and verify their compliance with this Decision.

(27)

Articles 16(5) and 17(4) of the Regulation provide for exceptions to data subjects’ right to information and right of access. If these exceptions apply, EASA does not need to apply a restriction under this Decision,