1.   This Decision lays down the conditions under which the European Parliament may restrict the application of Articles 4, 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, in accordance with points (b), (e) and (f) of Article 25(1) of that Regulation when providing national authorities with information and documents that they request in the framework of criminal or financial investigations.

2.   This Decision applies to the processing of personal data, particularly the transfer of personal data, by the European Parliament for the purpose of providing national authorities with information and documents that they request in the framework of criminal or financial investigations.

3.   The President, the Secretary-General or the services designated by them may transfer the information and documents requested, and they act as controller for the purpose of such transfer.

4.   This Decision applies to the following categories of personal data:

1.   Personal data shall be stored in a secured physical and electronic environment which prevents unlawful access or transfer of data to persons who do not have a need to know.

2.   After the end of the processing, the personal data shall be retained in accordance with the applicable European Parliament rules (2).

3.   An assessment of the necessity and proportionality of the restriction shall be carried out in accordance with Article 9 before any particular restriction is applied.

1.   Subject to Articles 4 to 10 of this Decision, the controller may restrict the application of Articles 14 to 21, 35 and 36 of Regulation (EU) 2018/1725, as well as its Article 4 in so far as its provisions correspond to the rights and obligations provided for Articles 14 to 21 of that Regulation, where the exercise of those rights would jeopardise the purpose and confidentiality of national criminal and financial investigations.

2.   The controller shall record and register the reasons for the restriction in accordance with Article 9 of this Decision.

1.   The European Parliament shall publish on its website a data protection notice informing all data subjects of the possibility of a transfer of their personal data in the context of the European Parliament’s cooperation with national authorities with regard to pending criminal or financial investigations and of a potential restriction of their rights in this context. The information shall cover which rights may be restricted, the reasons for such restrictions, their potential duration and possible legal remedies.

2.   If possible, the controller shall directly inform each data subject of their rights in respect of such restrictions without undue delay and in the most appropriate format. The information shall cover which rights may be restricted, the reasons for such restrictions, their potential duration and possible legal remedies.

1.   Where the controller restricts the right of information as referred to in Articles 15 and 16 of Regulation (EU) 2018/1725, data subjects shall be informed, in accordance with Article 25(6) of that Regulation, of the principal reasons on which the application of the restriction is based and of their right to lodge a complaint with the European Data Protection Supervisor.

2.   However, such provision of information on the transfer of personal data to national authorities and on the application of a restriction may be deferred, omitted or denied, in accordance with Article 25(8) of Regulation (EU) 2018/1725, for as long as it would cancel the effect of the restriction.

3.   Where the controller defers, omits or denies, wholly or partly, the provision of information to data subjects within the meaning of paragraph 2, it shall record and register the reasons for doing so in accordance with Article 9.

1.   Where the controller restricts, wholly or partly, the right of access to personal data by data subjects, the right of rectification, the right to erasure or the right to restriction of processing as referred to in Articles 17, 18, 19 and 20 respectively of Regulation (EU) 2018/1725, as well as the notification obligation pursuant to Article 21 of that Regulation, it shall record and register the reasons for the restriction in accordance with Article 9 of this Decision. The controller shall inform the data subject concerned, in its reply to the request for access, rectification, erasure and restriction of processing, of the restriction that has been applied and of the principal reasons for the restriction, and of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy before the Court of Justice of the European Union.

2.   The provision of information concerning the reasons for the restriction referred to in paragraph 1 may be deferred, omitted or denied for as long as it would cancel the effect of the restriction.

3.   The controller shall record the reasons for the deferral, omission or denial in accordance with Article 9.

4.   Where the right of access is wholly or partly restricted, the data subject shall exercise his or her right of access through the intermediary of the European Data Protection Supervisor in accordance with Article 25(6), (7) and (8) of Regulation (EU) 2018/1725.

1.   Before applying any particular restrictions, the controller shall assess the necessity and proportionality of the restrictions, taking into account the relevant elements in Article 25(2) of Regulation (EU) 2018/1725. That assessment shall also include an assessment of the risks to the rights and freedoms of the data subjects concerned, notably the risk that their personal data might be transferred without their knowledge and consent and that they might be prevented from exercising their rights in accordance with that Regulation. It shall be documented through an internal assessment note and shall be carried out on a case-by-case basis.

2.   The controller shall record the reasons for any restriction applied pursuant to this Decision, including the assessment conducted under paragraph 1.

To that end, the record shall state how the exercise of the data subject’s rights would jeopardise the purpose and confidentiality of national criminal and financial investigations.

3.   Where, pursuant to Article 25(8) of Regulation (EU) 2018/1725, the controller defers, omits or denies the provision of information to a data subject on the application of a restriction, the controller shall also record, where applicable, the reasons for doing so.

4.   The record and, where applicable, the documents containing underlying factual and legal elements shall be stored in a central register. They shall be made available to the European Data Protection Supervisor on request.

1.   Restrictions referred to in Articles 3, 5, 6, 7 and 8 shall continue to apply as long as the reasons justifying them remain applicable.

2.   Where the reasons for a restriction referred to in Articles 3, 5, 6, 7 and 8 no longer apply, the controller shall lift the restriction and provide the principal reasons for the restriction to the data subject. At the same time, the controller shall inform the data subject of the possibility of lodging a complaint with the European Data Protection Supervisor at any time or of seeking a judicial remedy before the Court of Justice of the European Union.

3.   The controller shall review the application of a restriction referred to in Articles 3, 5, 6, 7 and 8 every six months from its adoption and at the closure of the relevant procedure.

1.   The Data Protection Officer shall be informed without undue delay whenever data subjects’ rights are restricted in accordance with this Decision. Upon request, the Data Protection Officer shall be provided with access to the record and any documents containing underlying factual and legal elements.

2.   The Data Protection Officer may request from the controller a review of the restrictions. The Data Protection Officer shall be informed in writing of the outcome of the requested review.

3.   All information exchanges with the Data Protection Officer throughout the procedure in accordance with paragraphs 1 and 2 shall be recorded in the appropriate form.