Restrictions of data subjects’ rights — Commission’s internal rules

SUMMARY OF:

Commission Decision (EU) 2018/1927 — internal rules concerning the processing of personal data by the Commission in the field of competition in relation to the provision of information to data subjects and the restriction of certain rights

Commission Decision (EU) 2018/1961 — internal rules concerning the provision of information to data subjects and the restriction of certain of their rights in the context of the processing of personal data for the purpose of internal audit activities

Commission Decision (EU) 2018/1962 — internal rules concerning the processing of personal data by the European Anti-Fraud Office (OLAF) in relation to the provision of information to data subjects and the restriction of certain of their rights

Commission Decision (EU) 2018/1996 — internal rules concerning the provision of information to data subjects and the restriction of certain of their rights in the context of the processing of personal data for the purpose of trade defence and trade policy investigations

Commission Decision (EU) 2019/154 — internal rules concerning the restriction of the right of access of data subjects to their medical files

Commission Decision (EU) 2019/165 — internal rules concerning the provision of information to data subjects and the restriction of certain of their data protection rights by the Commission in the context of administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings

Commission Decision (EU) 2019/236 — internal rules concerning the provision of information to data subjects and the restriction of certain of their rights in the context of the processing of personal data by the Commission for the purposes of internal security of the EU institutions

WHAT IS THE AIM OF THESE DECISIONS?

They set out internal rules, based on which the European Commission may restrict the rights of individuals, which they exercise under Regulation (EU) 2018/1725. The internal rules apply to the processing of personal data within specific fields and for specific purposes.

KEY POINTS

Personal data are any information relating to an identified or identifiable natural person (‘data subject’). A natural person is identifiable, if he/she can be identified, directly or indirectly, in particular by reference to an identifier (such as a name, an identification number, location data, or an online identifier) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The new EU legal framework on the protection and free flow of personal data consists of, in particular:

the General Data Protection Regulation (GDPR), which sets outs the rights of individuals as regards their personal data, protects them with regard to the processing of their personal data within the EU countries, and ensures the free flow of such data;
Regulation (EU) 2018/1725, which sets out the rights of individuals as regards their personal data, protects them with regard to the processing of their personal data by the EU institutions, bodies, offices and agencies, and ensures the free flow of such data.

These regulations are considered as equivalent and have to be interpreted as being the same.

Article 25 of Regulation (EU) 2018/1725 provides for the possibility that, in certain cases, the EU institutions and bodies can restrict the rights of individuals, on the condition that such restrictions are laid down in EU law. In line with that, the Commission has adopted 7 Commission decisions, which provide the grounds for possible restrictions in order to safeguard important objectives of general EU public interest.

Based on those decisions and following a case-by-case assessment of the necessity and proportionality of restrictions, the European Commission decides whether the rights of an individual should be restricted in an individual case.

The following rights of individuals may be restricted:

their right to information about;
- processing of their personal data; and
- breaches of their personal data that might result in a high risk to their rights and freedoms;
their right to access their personal data, have their personal data erased, or to restrict the processing of their personal data.

The 7 Commission decisions all follow a similar format, each including some or all of these elements:

Subject matter and scope
- Requirement of a case-by case assessment of each request of a data subject.
Applicable exceptions and/or restrictions
- Before applying a restriction, the Commission must first consider whether any of the exceptions to the rights of data subjects, as set out in Regulation (EU) 2018/1725, apply.
Provision of information to data subjects
- The Commission must publish on its website data protection notices that inform all data subjects of its data processing activities in the relevant area.
- The Commission must individually inform, in an appropriate format, any person individually affected by an inquiry or by a measure carried out in one of the relevant fields.
Rights of data subjects to access their personal data, have them erased or have their processing restricted
- If the Commission restricts access to personal data, the right of erasure and/or right to restriction of processing, it must inform the data subject concerned of the restriction applied, of the main reasons for applying it and of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy in the Court of Justice of the European Union.
Recording and registering of restrictions
- The Commission must record the reasons for any restriction applied, including an assessment of necessity and proportionality.
Duration of restrictions
- Restrictions continue to apply as long as the reasons justifying them remain.
Review by the Data Protection Officer (DPO) of the European Commission
- The DPO must be informed, without undue delay, whenever data subjects’ rights are restricted.
- Upon request, the DPO must be provided with access to the record and any documents containing underlying factual and legal elements.
- The DPO can request a review of the restriction and must be informed in writing of the outcome of the requested review.

The 7 Commission decisions cover the restriction of data subjects in the following fields:

Internal security of the EU institutions
- Applies to the processing of personal data to ensure the security of persons, assets and information in the Commission.
- The Commission must individually inform witnesses and the persons concerned by a security inquiry of the processing of their personal data.
- Furthermore, the Commission must individually inform data subjects whose data are processed in the case of background checks according to Article 7(5) of Commission Decision (EU, Euratom) 2015/443.
- It must also individually inform persons whose data are processed in the context of searches of Commission premises and communication and information systems and equipment.
Administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings
- The rights and obligations under Regulation (EU) 2018/1725 can be restricted if they would jeopardise the purpose of administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings or would affect the rights and freedoms of other data subjects.
Personal medical data
- The Commission can restrict, on a case-by-case basis, data subjects’ right to access directly personal medical data of a psychological or psychiatric nature concerning them, where access to such data is likely to represent a risk to the data subject’s health.
- This restriction must be proportionate to what is strictly necessary to protect the data subject.
Trade defence and trade policy investigations
- The rights and obligations under Regulation (EU) 2018/1725 can be restricted if they would jeopardise the purpose of the Commission’s trade policy and trade defence activities, or would adversely affect the rights and freedoms of other data subjects.
European Anti-Fraud Office (OLAF)
- Applies to the processing of personal data by OLAF (as well as to the processing of personal data by Commission services and executive agencies which must be transmitted to OLAF) in order to fulfil its tasks;
- Investigations by OLAF are completely independent of the Commission;
- OLAF decides whether any exceptions to the rights of data subjects should be applied.
- Data protection notices informing data subjects of the activities involving the processing of their personal data are published on OLAF’s website.
- OLAF’s DPO reviews any restriction of the rights of data subjects.
Internal audit activities
- The rights and obligations under Regulation (EU) 2018/1725 can be restricted as part of the processing operations carried out by the Commission in the performance of its internal audit activities, whenever the exercise of data subjects’ rights may jeopardise the conduct of internal audit activities, including by revealing its audit tools and methods or would adversely affect the rights and freedoms of other data subjects.
- In addition, it may be necessary for the Commission to restrict the application of data subjects’ rights in order to protect processing operations of Commission services or other Union institutions, bodies, offices and agencies or of Member States’ authorities and international organisations, as well as of the Audit Progress Committee.
- The Commission informs individuals of its internal audit activities involving processing of their personal data and of their rights by means of a data protection notice published on the Commission’s website. Where relevant, the Commission ensures that the data subjects are informed individually in an appropriate format.
Competition
- The rights and obligations under Regulation (EU) 2018/1725 can be restricted if they would jeopardise the purpose of the Commission’s investigative and enforcement activities, including by revealing its investigative tools and methods, or would adversely affect the rights and freedoms of other data subjects.

FROM WHEN DO THE DECISIONS APPLY?

Decisions (EU) 2018/1927, (EU) 2018/1961, (EU) 2018/1962, (EU) 2018/1996 and (EU) 2019/154 have applied since 11 December 2018.
Decisions (EU) 2019/165 has applied since 7 February 2019.
Decision (EU) 2019/236 has applied since 11 February 2019.

BACKGROUND

For more information, see:

2018 reform of data protection rules (European Commission).

MAIN DOCUMENTS

Commission Decision (EU) 2018/1927 of 5 December 2018 laying down internal rules concerning the processing of personal data by the European Commission in the field of competition in relation to the provision of information to data subjects and the restriction of certain rights (OJ L 313, 10.12.2018, pp. 39-44)

Commission Decision (EU) 2018/1961 of 11 December 2018 laying down internal rules concerning the provision of information to data subjects and the restriction of certain of their rights in the context of the processing of personal data for the purpose of internal audit activities (OJ L 315, 12.12.2018, pp. 35-40)

Commission Decision (EU) 2018/1962 of 11 December 2018 laying down internal rules concerning the processing of personal data by the European Anti-Fraud Office (OLAF) in relation to the provision of information to data subjects and the restriction of certain of their rights in accordance with Article 25 of Regulation (EU) 2018/1725 of the European Parliament and of the Council (OJ L 315, 12.12.2018, pp. 41-46)

Commission Decision (EU) 2018/1996 of 14 December 2018 laying down internal rules concerning the provision of information to data subjects and the restriction of certain of their rights in the context of the processing of personal data for the purpose of trade defence and trade policy investigations (OJ L 320, 17.12.2018, pp. 40-44)

Commission Decision (EU) 2019/154 of 30 January 2019 laying down internal rules concerning the restriction of the right of access of data subjects to their medical files (OJ L 27, 31.1.2019, pp. 33-35)

Commission Decision (EU) 2019/165 of 1 February 2019 laying down internal rules concerning the provision of information to data subjects and the restriction of certain of their data protection rights by the Commission in the context of administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings (OJ L 32, 4.2.2019, pp. 9-13)

Commission Decision (EU) 2019/236 of 7 February 2019 laying down internal rules concerning the provision of information to data subjects and the restriction of certain of their rights in the context of the processing of personal data by the European Commission for the purposes of internal security of the Union institutions (OJ L 37, 8.2.2019, pp. 144-149)