23.9.2009   

EN

Official Journal of the European Union

C 229/1

1.

The proposal for a Regulation of the European Parliament and of the Council establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (hereinafter ‘Proposal’ or ‘Commission's Proposal’) was sent by the Commission to the EDPS for consultation on 3 December 2008, in accordance with Article 28(2) of Regulation (EC) No 45/2001. This consultation should be explicitly mentioned in the preamble of the Regulation.

2.

The EDPS contributed to the proposal at an earlier stage, and many of the points he raised informally during the preparatory process have been taken into account by the Commission in its final text of the Proposal.

3.

The Proposal is a recasting of Council Regulation (EC) No 343/2003 of 18 February 2003 on the criteria and mechanisms for determining the Member State responsible for examining an asylum application lodged in one of the Member States by a third-country national (3) (hereinafter ‘the Dublin Regulation’). It has been presented by the Commission as a part of the first package of proposals which aim to ensure a higher degree of harmonisation in this area and better standards of protection for the Common European Asylum System, as called for by the Hague Programme of 4-5 November 2004 and as announced in the Commission's Policy Plan on Asylum of 17 June 2008. The Hague Programme invited the Commission to conclude the evaluation of the first-phase legal instruments and to submit the second-phase instruments and measures to the Council and the European Parliament with a view to their adoption before 2010.

4.

The Proposal was subject to an intensive evaluation and consultation process. It takes into account in particular the results of the Commission's Evaluation Report on the Dublin system issued on 6 June 2007 (4), which identified a number of legal and practical deficiencies existing in the current system, as well as contributions received by the Commission from various stakeholders in response to the Green Paper on the future of the Common European Asylum System (5).

5.

The primary aim of the Proposal is to increase the efficiency of the Dublin system and to ensure higher standards of protection afforded to applicants for international protection subject to the Dublin procedure. Furthermore, it aims to reinforce the solidarity towards those Member States which are faced with situations of particular migratory pressures (6).

6.

The Proposal extends the scope of application of the Dublin Regulation in order to include applicants for (and beneficiaries of) subsidiary protection. The modification is necessary to ensure consistency with the EU acquis, namely the Council Directive 2004/83/EC of 29 April 2004 on minimum standards for qualification and status of third country nationals and stateless persons as refugees or as persons who otherwise need international protection and the content of the protection granted (7) (hereinafter ‘Qualification Directive’), which introduced the notion of subsidiary protection. The Proposal also aligns the definitions and terminology used in the Dublin Regulation with those laid down in other asylum instruments.

7.

In order to increase the efficiency of the system, the Proposal determines in particular the deadline for submitting take back requests and reduces the deadline for replying to requests for information. It also clarifies the cessation of responsibility clauses as well as the circumstances and procedures for applying the discretionary clauses (humanitarian and sovereignty). It adds rules on transfers and extends the existing dispute settlement mechanism. The Proposal also contains a provision on the organisation of a compulsory interview.

8.

Furthermore, and also in order to increase the level of protection granted to the applicants, the Commission's Proposal provides for the right to appeal against a transfer decision as well as for an obligation for the competent authority to decide whether or not its enforcement should be suspended. It addresses the right to legal assistance and/or representation and linguistic assistance. The Proposal also refers to the principle that a person should not be held in detention only because he/she is seeking international protection. It also extends the family reunification right and addresses the needs of unaccompanied minors and other vulnerable groups.

9.

This opinion is to address mainly the modifications of the text which are the most relevant from the point of view of the protection of personal data:

10.

The EDPS supports the objectives of the Commission's Proposal, in particular to increase the efficiency of the Dublin system and to ensure higher standards of protection afforded to applicants for international protection subject to the Dublin procedure. He also shares the understanding of the reasons for which the Commission has decided to undertake the revision of the Dublin system.

11.

Ensuring an adequate level of protection of personal data is a condicio sine qua non to ensure also the effective implementation and high level of protection of other fundamental rights. The EDPS issues this opinion in full awareness of a wide fundamental rights’ dimension of the Proposal which concerns not only the processing of personal data but also many other rights of third country nationals and/or stateless persons, such as in particular the right to asylum, the right to information in a broad sense, the right to family reunification, the right to an effective remedy, the right to liberty and freedom of movement, the rights of the child or the rights of unaccompanied minors.

12.

Both Recital 34 of the Proposal and the Explanatory Memorandum, stress the efforts made by the legislator to ensure consistency of the Proposal with the Charter of Fundamental Rights. In this context, the Explanatory Memorandum refers explicitly to the protection of personal data and the right to asylum. The Explanatory Memorandum also underlines the fact that the Proposal was made subject to an in-depth scrutiny in order to make sure that its provisions are fully compatible with fundamental rights as general principles of Community and international law. However, given the remit of the EDPS, this opinion will mainly focus on the data protection aspects of the Proposal. In this context, the EDPS welcomes the considerable attention which has been devoted in the Proposal to this fundamental right and considers this essential for ensuring an efficiency of the Dublin procedure in full compliance with fundamental rights’ requirements.

13.

The EDPS also notes that the Commission's Proposal strives to consistency with other legal instruments governing the establishment and/or use of other large-scale IT systems. In particular, he wishes to stress that both the sharing of responsibilities vis-à-vis the database and the way the supervision model is formulated in the Proposal, are consistent with the framework of the Schengen Information System II and the Visa Information System.

14.

The EDPS welcomes that his role in the supervision area has been clearly established, which was not the case, for obvious reasons, in the former text.

15.

Article 4(1)(f)-(g) of the Proposal stipulates:

‘As soon as an application for international procedure is lodged, the competent authorities of Member States shall inform the asylum seeker of the application of this Regulation, and in particular of:

Article 4(2) describes the manners in which the information referred to in paragraph 1 of the provision should be provided to the applicant.

16.

Effective implementation of the right to information is crucial for the proper functioning of the Dublin procedure. In particular, it is essential to ensure that information is provided in such a way that it enables the asylum seeker to fully understand his situation as well as the extent of the rights, including the procedural steps he/she can take as follow-up to the administrative decisions taken in his/her case.

17.

As to the practical aspects of the implementation of the right, the EDPS wishes to refer to the fact that in accordance with Article (4)(1)(g) and (2) of the Proposal, the Member States should use a common leaflet for applicants, which shall contain, amongst other information, ‘the contact details of the National Data Protection Authorities competent to hear claims concerning the protection of personal data’. In this context, the EDPS wishes to stress that while the National Data Protection Authorities (hereinafter ‘DPAs’), referred to in Article (4)(2) of the Proposal, are indeed competent to hear claims concerning the protection of personal data, the wording of the Proposal should not prevent the applicant (data subject) from addressing a claim primarily to the data controller (in this case national competent authorities in charge of the Dublin cooperation). The provision of Article (4)(2) as it reads now seems to imply that the applicant should put his request — directly and in each case — with the National Data Protection Authority, whereas the standard procedure and the practice in the Member States is that the applicant lodges his/her claim first with the data controller.

18.

The EDPS also suggests that the wording of Article 4(1)(g) should be reformulated to clarify the rights to be given to the applicant. The wording as proposed is unclear, as it can be interpreted as considering ‘the right to receive information on the procedures for exercising those rights […]’ a part of the right of access to data and/or the right to request that inaccurate data be corrected […]. Moreover, according to the current wording of the above-mentioned provision, the Member States are to inform the applicant not of the content of the rights but of their ‘existence’. As the latter seems to be a stylistic issue, the EDPS suggests that Article (4)(1)(g) be redrafted as follows:

‘As soon as an application for international protection is lodged, the competent authorities of Member States shall inform the asylum seekers […] of […]:

19.

As far as the methods to provide information to the applicants are concerned, the EDPS refers to the work undertaken by the Eurodac Supervision Coordination Group (8) (composed of representatives of the Data Protection Authority of each of the participating States and the EDPS). This Group is currently examining this issue in the framework of EURODAC in view of proposing relevant guidance, as soon as the results of the national investigations are available and have been compiled. Although this coordinated investigation concerns specifically EURODAC, its findings are also likely to be of interest in the context of Dublin since they address such issues as languages/translations and the assessment of the real understanding of the information by the asylum seeker etc.

20.

As to the authorities mentioned in Article 33 of the Proposal, the EDPS welcomes the fact that the Commission shall publish a consolidated list of the authorities referred to in paragraph 1 of the above-mentioned provision in the Official Journal of the European Union. Where there are amendments thereto, the Commission shall publish once a year an updated consolidated list. The publication of the consolidated list will help to ensure transparency and facilitate supervision by the DPAs.

21.

The EDPS notes the introduction of the new mechanism on exchange of relevant information between the Member States before transfers are being carried out (laid down in Article 30 of the Proposal). He considers the purpose of this exchange of information legitimate.

22.

The EDPS also notes the existence of specific data protection safeguards in the Proposal, in compliance with Article (8)(1)-(3) of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data, such as: (a) explicit consent of the applicant and/or of his representative, (b) immediate deletion of data by the transferring Member State once transfers have been completed and (c) the ‘processing of personal health data only by a health professional subject to national law or rules established by national competent bodies to the obligation of professional secrecy or by another person subject to an equivalent obligation of secrecy’ (having obtained appropriate medical training). He also supports the fact that the exchange will only be done via the secured ‘DubliNet’ system and by the authorities notified in advance.

23.

The manner in which this mechanism is to be structured is of crucial importance for its compliance with the data protection regime, in particular given that the information exchange will also cover very sensitive personal data, such as for instance information on ‘any special needs of the applicant to be transferred, which in specific cases may include the information on the state of the physical and mental health of the person concerned’. In this context, the EDPS fully supports the inclusion of Article 36 of the Proposal which obliges the Member States to take the necessary measures to ensure that any misuse of data […] is punishable by penalties, including administrative and/or criminal penalties in accordance with national law.

24.

Article 32 of the Commission's Proposal regulates information sharing. The EDPS contributed at an earlier stage to this provision, and he supports the wording as proposed by the Commission.

25.

The EDPS stresses that it is important that the Member States authorities exchange information about individuals using the DubliNet network. This allows not only to provide for better security but also to ensure better traceability of the transactions. In this regard, the EDPS refers to Commission Staff Working Document of 6 June 2007‘Accompanying document to the Report from the Commission to the European Parliament and the Council on the evaluation of the Dublin system’ (9) in which the Commission recalls that ‘the use of DubliNet is always compulsory safe for the exemptions defined in Article 15(1) second subparagraph’ of the Commission Regulation (EC) No 1560/2003 of 2 September 2003 laying down detailed rules for the application of Council Regulation (EC) No 343/2003 establishing the criteria and mechanisms for determining the Member States responsible for examining an asylum application lodged in one of the Member States by a third country national (10) (hereinafter ‘the Dublin Implementing Regulation’). The EDPS insists that the possibility to derogate from the use of DubliNet referred to in the above-mentioned Article 15(1) should be interpreted restrictively.

26.

Some provisions have been inserted or redrafted in the Proposal to ensure this, and the EDPS welcomes all these efforts. For instance, the new Article 33(4) of the Proposal has been redrafted in order to clarify that not only requests but also replies and all written correspondence shall be subject to rules relating to the establishment of secure electronic transmission channels (laid down in Article 15(1) of the Dublin Implementing Regulation). Moreover, the deletion of paragraph 2 in the new Article 38 which in the former text (Article 25) obliged the Member States to send the requests and replies ‘via a method that provides proof of receipt’, is to clarify that the Member States should use DubliNet also in this respect.

27.

The EDPS notes that relatively little has been regulated in the framework of the Dublin system as regards the exchange of personal information. Although certain aspects of the exchange have already been addressed in the Dublin Implementing Regulation, the current regulation does not seem to cover all aspects of the exchange of personal information, which is regrettable (11).

28.

In this context, it is worth mentioning that this issue of exchange of information about the asylum seeker has also been subject of discussion within the Eurodac Supervision Coordination Group. Without anticipating the results of the work of the Group, the EDPS wishes to mention already at this stage that one of the possible recommendations could be the adoption of a set of rules similar to the ones agreed in the Schengen SIRENE Manual.

29.

The EDPS supports the Commission's Proposal for a Regulation establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person. He shares the understanding of the reasons to revise the existing system.

30.

The EDPS welcomes the consistency of the Commission's Proposal with other legal instruments regulating the complex legal framework of this area.

31.

The EDPS welcomes considerable attention devoted in the Proposal to the respect of fundamental rights, in particular the protection of personal data. He considers this approach as an essential prerequisite to the improvement of the Dublin procedure. He draws particular attention of the legislators to the new mechanisms of exchange of data, which will involve, amongst others, the extremely sensitive personal data of the asylum seekers.

32.

The EDPS also wishes to refer to the important work undertaken in this area by the Eurodac Supervision Coordination Group and believes that the results of the Group's work can usefully contribute to a better formulation of the features of the system.

33.

The EDPS considers that some of the observations made in this opinion can be further developed when seeing the practical implementation of the revised system. In particular, he intends to contribute to the definition of implementing measures concerning the exchange of information through the DubliNet as mentioned in point 24 to 27 of this opinion.

23.9.2009   

EN

Official Journal of the European Union

C 229/6

1.

The Proposal for a Regulation of the European Parliament and of the Council concerning the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of Regulation (EC) No […/…] (establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person) (hereinafter ‘Proposal’ or ‘Commission's Proposal’) was sent by the Commission to the EDPS for consultation on 3 December 2008, in accordance with Article 28(2) of Regulation (EC) No 45/2001. This consultation should be explicitly mentioned in the preamble of the Regulation.

2.

As mentioned in the Explanatory Memorandum, the EDPS has contributed to this Proposal at an earlier stage, and many of the points he raised informally have been taken into account in the final text of the Commission's Proposal.

3.

The Council Regulation (EC) No 2725/2000 (3) for the establishment of ‘Eurodac’ (hereinafter ‘the Eurodac Regulation’) came into force on 15 December 2000. Eurodac, a Community-wide information technology system, was created to facilitate the application of the Dublin Convention which aimed at establishing a clear and workable mechanism for determining responsibility for asylum applications lodged in one of the Member States. The Dublin Convention was afterwards replaced by a Community law instrument, Council Regulation (EC) No 343/2003 of 18 February 2003 establishing the criteria and mechanisms for determining the Member State responsible for examining an asylum application lodged in one of the Member States by a third-country national (4) (hereinafter ‘the Dublin Regulation’) (5). Eurodac started operations on 15 January 2003.

4.

The Proposal is a revision of the Eurodac Regulation and its implementing regulation, Council Regulation (EC) No 407/2002, and it aims at inter alia:

5.

It should also be stressed that one of the main objectives of the Proposal is to better ensure the respect of fundamental rights, in particular the protection of personal data. This opinion will analyze whether the provisions of this Proposal adequately meet this objective.

6.

The Proposal takes account of the results of the Commission Report on the evaluation of the Dublin system of June 2007 (hereinafter ‘Evaluation Report’), which covers the first 3 years of the operation of Eurodac (2003-2005).

7.

Whilst acknowledging that the system set up in the Regulation has been implemented in the Member States in a generally satisfactory way, the Commission Evaluation Report identified certain issues related to the efficiency of the current provisions and highlighted those which needed to be tackled in order to improve the Eurodac system and facilitate the application of the Dublin Regulation. In particular, the Evaluation Report observed the continuing late transmission of fingerprints by some of the Member States. The Eurodac Regulation currently only provides for a very vague deadline for the transmission of fingerprints, which can cause significant delays in practice. This is a key issue for the effectiveness of the system since any delay in transmission may lead to results contrary to the responsibility principles laid down in the Dublin Regulation.

8.

The Evaluation Report also underlined that lack of an efficient method for the Member States to inform each other of the status of the asylum seeker has led in many cases to inefficient management of deletions of data. The Member States which enter data on a specific person are often unaware that another Member State of origin deleted data and therefore do not realise that they should also delete their data relating to the same person. As a consequence, the respect of the principle that ‘no data should be kept in a form which allows the identification of data subjects for longer than is necessary for the purposes for which data were collected’ cannot be sufficiently ensured.

9.

Moreover, according to the analysis presented in the Evaluation Report, unclear specification of national authorities having access to Eurodac hinders the monitoring role of the Commission and of the European Data Protection Supervisor.

10.

Given his current role as the supervisory authority for Eurodac, the EDPS is particularly interested in the Commission Proposal and the positive outcome of the revision of the Eurodac system as a whole.

11.

The EDPS notes that the Proposal involves various aspects relating to fundamental rights of asylum seekers, such as the right to asylum, the right to information in a broader sense, the right to the protection of personal data. However, given the mission of the EDPS, this opinion will mainly focus on the data protection matters tackled by the revised Regulation. In this regard, the EDPS welcomes the considerable attention devoted in the Proposal to the respect and protection of personal data. He takes this opportunity to stress that ensuring a high level of the protection of personal data and its more efficient implementation in practice should be considered an essential prerequisite to the improvement of the working of Eurodac.

12.

This opinion addresses mainly the following modifications of the text since they are the most relevant from the point of view of the protection of personal data:

13.

The EDPS welcomes that the Proposal strives to consistency with other legal instruments governing the establishment and/or use of other large-scale IT systems. In particular, the sharing of responsibilities vis-à-vis the database as well as the way the supervision model has been formulated in the Proposal, are consistent with the legal instruments establishing the Schengen Information System II (SIS II) and Visa Information System (VIS).

14.

The EDPS notes the consistency of the Proposal with Directive 95/46/EC and Regulation (EC) No 45/2001. In this context, the EDPS welcomes in particular the new Recitals 17, 18 and 19, which stipulate that Directive 95/46/EC and Regulation (EC) No 45/2001 apply to the processing of personal data carried out in application of the proposed Regulation respectively by the Member States and by the Community institutions and bodies involved.

15.

Finally, the EDPS draws attention to the need to also ensure full consistency between the Eurodac and Dublin Regulations and he takes the opportunity of the present opinion to provide for more precise indications as to this consistency. He notes however that in some respects this issue has already been tackled in the Proposal, e.g. in the Explanatory Memorandum, which mentions that ‘consistency with the Dublin Regulation (as well as data protection concerns, notably the principle of proportionality) will be ensured by aligning the storage period for data on third country nationals and stateless persons fingerprinted in connection with the irregular crossing of an external border with the period until which Article 14(1) of the Dublin Regulation allocates responsibility on the basis of that information (i.e. one year).’

16.

The EDPS welcomes the supervision model laid down in the Proposal, as well as the specific tasks he has been entrusted with by virtue of Articles 25 and 26 of the Proposal. Article 25 entrusts the EDPS with two supervisory tasks:

Article 26 addresses the issue of co-operation between National Supervisory Authorities and the EDPS.

17.

The EDPS also notes that the Proposal puts forward a similar approach to the one used in the SIS II and the VIS: a layered system of supervision where national Data Protection Authorities (DPAs) and the EDPS supervise the national and EU levels respectively, with a cooperation system established between the two levels. The manner in which the co-operation model is envisaged in the Proposal also reflects the current practice which proved efficient and encouraged close collaboration between the EDPS and DPAs. Therefore, the EDPS welcomes its formalization in the Proposal and the fact that while providing for this, the legislator ensured consistency with the systems of supervision of other large-scale IT systems.

18.

The EDPS notes that the Proposal does not address the issue of subcontracting a part of the Commission tasks to another organisation or entity (such as a private company). Nevertheless, subcontracting is commonly used by the Commission in the management and development both of the system and the communication infrastructure. While the subcontracting does not in itself run contrary to data protection requirements, important safeguards should be put in place to ensure that the applicability of Regulation (EC) No 45/2001, including the data protection supervision by the EDPS remains entirely unaffected by the subcontracting of activities. Furthermore, additional safeguards of a more technical nature should also be adopted.

19.

In this regard, the EDPS suggests that similar legal safeguards as envisaged in the SIS II legal instruments should be provided in the framework of the revision of the EURODAC Regulation, specifying that even when the Commission entrusts the management of the system to another authority, this shall ‘not adversely affect any effective control mechanism under Community law, whether of the Court of Justice, the Court of Auditors or the European Data Protection Supervisor’ (Article 15(7), SIS II Decision and Regulation).

20.

The provisions are even more precise in Article 47 of the SIS II Regulation, which stipulates: ‘Where the Commission delegates its responsibilities (…) to another body or bodies (…) it shall ensure that the European Data Protection Supervisor has the right and is able to fully exercise his tasks, including carrying out on-the-spot checks and to exercise any other powers conferred on him by Article 47 of Regulation (EC) No 45/2001’.

21.

The above-mentioned provisions provide for a necessary clarity in terms of the consequences of subcontracting a part of the Commission tasks to other authorities. The EDPS therefore suggests that provisions aiming at the same effect be added to the text of the Commission's Proposal.

22.

Article 3(5) of the Proposal addresses the procedure for taking fingerprints. This provision stipulates that the procedure ‘shall be determined and applied in accordance with the national practice of the Member State concerned and in accordance with the safeguards laid down in the Charter of Fundamental Rights of the European Union, in the Convention for the Protection of Human Rights and Fundamental Freedoms and the European Convention on Human Rights and in the United Nations Convention on the Rights of the Child.’ Article 6 of the Proposal provides that the lowest age limit for taking fingerprint of an applicant shall be 14 years and shall be taken no later than within 48 hours after the lodging of the application.

23.

First of all, with regard to the age limit, the EDPS stresses the need to ensure consistency of the Proposal with the Dublin Regulation. The Eurodac system has been established with a view to ensuring the effective application of the Dublin Regulation. That means that if the outcome of the ongoing revision of the Dublin Regulation has an impact on its application to underage asylum seekers, this should be reflected in the Eurodac Regulation (6).

24.

Secondly, as to the determination of age limits for fingerprinting in general, the EDPS wishes to point out that most of the currently available documentation tends to indicate that the accuracy of fingerprinting identification decreases with the ageing process. In that regard, it is advisable to follow closely the study on fingerprinting carried out in the framework of the implementation of the VIS. Without anticipating the results of the study, the EDPS wishes to stress already at this stage that in all cases where taking fingerprints proves impossible or would lead to delivering unreliable results, it is important to refer to fall back procedures, which should fully respect the dignity of the person.

25.

Thirdly, the EDPS notes the efforts taken by the legislator to ensure compliance of the provisions on taking fingerprints with international and European human rights’ requirements. Nonetheless, he draws attention to the difficulties occurring in several Member States to determine the age of young asylum seekers. Very often, asylum seekers or illegal immigrants do not have identification documents, and in order to establish whether they should be fingerprinted, their age has to be determined. The methods used to do this cause a lot of debates in different Member States.

26.

In this regard, the EDPS draws attention to the fact the Eurodac supervision coordination Group (7) launched a coordinated inspection on this issue, the results of which — expected in the first half of 2009 — should facilitate the determination of common procedures in this regard.

27.

As a concluding remark on this issue, the EDPS sees the need to better coordinate and harmonize at EU level the procedures for fingerprinting to the greatest possible extent.

28.

Article 4(1) of the Proposal stipulates: ‘After a transitional period, a Management Authority, funded from the general budget of the European Union, shall be responsible for the operational management of Eurodac. The Management Authority shall ensure, in cooperation with the Member States, that at all times the best available technology, subject to a cost-benefit analysis, is used for the Central System’. Although the EDPS welcomes the requirement laid down in Article 4(1), he wishes to note that the expression the ‘best available technology’ referred to in the above-mentioned provision, should be replaced with the wording the ‘best available techniques’ which includes both the technology used and the way in which the installation is designed, built, maintained and operated.

29.

Article 9(1) of the Proposal addresses the issue of advance data erasure. This provision obliges the Member State of origin to erase from the Central System ‘data relating to a person who has acquired citizenship of any Member State before the expiry of the period referred to in Article 8’ as soon as the Member State of origin becomes aware that the person has acquired such citizenship. The EDPS welcomes the obligation to erase the data as it well corresponds with the data quality principle. Moreover, the EDPS believes that the revision of this provision provides for an opportunity to encourage the Member States to put in place procedures ensuring reliable and timely (automatic if possible) erasure of data when an individual obtains citizenship of one of the Member States.

30.

Furthermore, the EDPS wishes to point out that Article 9(2) dealing with advance deletion should be redrafted as the proposed wording is unclear. As a stylistic remark, the EDPS suggests that the word ‘it’ in the provision should be replaced with the word ‘they’.

31.

Article 12 of the Proposal deals with storage of data. The EDPS wishes to note that establishing 1 year as the retention period for data (instead of 2 years in the current text of the Regulation) constitutes a good application of the principle of data quality which stipulates that data should not be kept for longer than necessary to accomplish the purpose for which they are processed. It is a welcome improvement of the text.

32.

The provision providing for the publication by the Management Authority of the list of authorities having access to Eurodac data is welcome. This will help to achieve better transparency and create a practical tool for better supervision of the system, e.g. by the DPAs.

33.

Article 21 of the Proposal concerns keeping of records of all data processing operations within the Central System. Article 21(2) states that such records should be used only for the data-protection monitoring of the admissibility of the processing (…). In this regard, it could be clarified that this also includes self-auditing measures.

34.

Article 23(1)(e) of the Proposal reads as follows:

‘A person covered by this Regulation shall be informed by the Member State of origin (…) of:

35.

The EDPS notes that effective implementation of the right to information is crucial for the proper functioning of Eurodac. In particular, it is essential to ensure that information is provided in a way that enables the asylum seeker to fully understand his situation as well as the extent of the rights, including the procedural steps he/she can take as follow-up to the administrative decisions taken in his/her case.

36.

As to the practical aspects of the implementation of the right, the EDPS wishes to stress that while the DPAs are indeed competent to hear claims concerning the protection of personal data, the wording of the Proposal should not prevent the applicant (data subject) from addressing a claim primarily to the data controller. The provision of Article 23(1)(e) as it reads now seems to imply that the applicant should put his request — directly and in each case — with the DPA, whereas the standard procedure and the practice in the Member States is that the applicant lodges his/her claim first with the data controller.

37.

The EDPS also suggests that the wording of Article 23(1)(e) should be reformulated to clarify the rights to be given to the applicant. The wording as proposed is unclear, as it can be interpreted as considering ‘the right to receive information on the procedures for exercising those rights (…)’ a part of the right of access to data and/or the right to request inaccurate data be corrected (…). Moreover, according to the current wording of the above-mentioned provision, the Member States are to inform the person covered by the Regulation not of the content of the rights but of their ‘existence’. As the latter seems to be a stylistic issue, the EDPS suggests that Article 23(1)(e) be redrafted as follows:

‘A person covered by this Regulation shall be informed by the Member State of origin (…) of (…):

38.

In the same logic, Article 23(10) should be modified as follows: ‘In each Member State, the national supervisory authority shall, where appropriate (or: on the request of the data subject), assist the data subject in accordance with Article 28(4) of Directive 95/46/EC in exercising his/her rights’. Again, the EDPS wishes to stress that an intervention of the DPA should in principle not be necessary; the data controller should, on the contrary, be encouraged to respond in an appropriate manner to the claims of the data subjects. The same applies when cooperation is needed between authorities of different Member States. The data controllers should be primarily responsible for dealing with the requests and cooperating to that effect.

39.

As far as Article 23(9) is concerned, the EDPS welcomes not only the very purpose of this provision (which envisages control of the use of ‘special searches’ as recommended by the Data Protection Authorities in their first report on coordinated inspections), but he also notes with satisfaction the proposed procedure to achieve it.

40.

As far as the methods to provide information to the applicants are concerned, the EDPS refers to the work undertaken by the Eurodac Supervision Coordination Group. This Group is currently examining this issue in the framework of EURODAC in view of proposing — as soon as the results of the national investigations have been known and compiled — relevant guidance.

41.

The EDPS supports the Proposal for a Regulation of the European Parliament and of the Council concerning the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of Regulation (EC) No […/…] establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person.

42.

The EDPS welcomes the supervision model proposed in the Proposal as well as the role and tasks he has been entrusted with in the new system. The envisaged model reflects the current practice which proved efficient.

43.

The EDPS notes that the Proposal strives to consistency with other legal instruments governing the establishment and/or use of other large-scale IT systems.

44.

The EDPS welcomes considerable attention devoted in the Proposal to the respect of fundamental rights, and in particular the protection of personal data. As also mentioned in the opinion on the revision of the Dublin Regulation, the EDPS considers this approach as an essential prerequisite to the improvement of the asylum procedures in the European Union.

45.

The EDPS draws attention to the need to ensure full consistency between the EURODAC and Dublin Regulations.

46.

The EDPS sees the need for a better coordination and harmonization at EU level of the procedures for fingerprinting, whether they concern asylum seekers or any other persons subject to the Eurodac procedure. He draws special attention to the question of the age limits for fingerprinting, and in particular the difficulties occurring in several Member States to determine the age of young asylum seekers.

47.

The EDPS insists on a clarification of the provisions regarding the rights of the data subjects, and in particular he underlines that the national data controllers are primarily responsible to ensure the application of these rights.

23.9.2009   

EN

Official Journal of the European Union

C 229/12

1.

The Initiative of the French Republic with a view to adopting a Council Decision on the use of information technology for customs purposes was published in the Official Journal of 5 February 2009 (4). The EDPS was neither asked for advice on this initiative by the Member State which put it forward, nor by the Council. However, the EDPS was requested by the European Parliament's Committee on Civil Liberties, Justice and Home Affairs to comment on the French Initiative, in accordance with Article 41 of Regulation (EC) No 45/2001, in the context of the European Parliament's opinion on the Initiative. Where, in similar cases (5), the EDPS issued an opinion on own initiative, the present opinion must also be seen as a reaction to this request of the European Parliament.

2.

According to the EDPS, the present opinion should be mentioned in the preamble of the Council Decision, in the same way as his opinion is mentioned in a number of legal instruments adopted on the basis of a proposal by the Commission.

3.

Although there is no legal obligation for a Member State that takes the initiative for a legislative measure under Title VI of the EU Treaty to ask the EDPS for advice, the applicable rules do not preclude the request for such an advice either. The EDPS regrets that neither the French Republic nor the Council had asked for his advice in the present case.

4.

The EDPS stresses that due to the ongoing developments regarding the Proposal in the Council, the comments presented in this opinion are based on the version of the Proposal of 24 February 2009 (5903/2/09 REV 2), that is published on the website of the European Parliament (6).

5.

The EDPS sees the need for more explanation on the justification of the initiative itself as well as on some specific articles and mechanisms therein. He regrets the absence of an Impact Assessment or an explanatory memorandum accompanying the initiative. This is a necessary element enhancing the transparency and more in general the quality of the legislative process. Explanatory information would also facilitate the assessment of a number of propositions in the Proposal, e.g. regarding the necessity and justification of access to the CIS to be granted to Europol and Eurojust.

6.

The EDPS has taken into account the Opinion 09/03 issued by the Customs Joint Supervisory Authority with respect to the draft Council Decision on the use of information technology for customs purposes on 24 March 2009.

7.

The legal framework of the Customs Information System (hereinafter ‘the CIS’) is currently governed both by First and Third Pillar instruments. The Third Pillar legal framework regulating the system consists mainly of the Convention of 26 July 1995 drawn up on the basis of Article K.3 of the Treaty on European Union on the use of information technology for customs purposes (hereinafter ‘the CIS Convention’ (7) as well as the Protocols of 12 March 1999 and 8 March 2003.

8.

Current arrangements on data protection involve the application of the Council of Europe Convention on the Protection of Individuals with Regard to Automatic Processing of Personal Data of 28 January 1981 (hereinafter ‘Council of Europe Convention 108’). Furthermore, the Framework Decision 2008/977/JHA is applicable to the CIS under the Proposal).

9.

The First Pillar part of the system is governed by Council Regulation (EC) No 515/97 of 13 March 1997 on mutual assistance between the administrative authorities of the Member States and cooperation between the latter and the Commission to ensure the correct application of the law on customs and agricultural matters (8).

10.

The purpose of the CIS Convention, in accordance with its Article 2, paragraph 2, was to ‘assist in preventing, investigating and prosecuting serious contraventions of national laws by increasing, through the rapid dissemination of information, the effectiveness of cooperation and control procedures of the customs administrations of the Member States’.

11.

In accordance with the CIS Convention, the Customs Information System consists of a central database facility accessible via terminals in each Member State. Other main features are as follows:

12.

The French initiative, based upon Article 30(1)(a) and Article 34(2) of the Treaty on European Union, intends to replace the CIS Convention as well as the Protocol of 12 March 1999 and the Protocol of 8 March 2003 to align the Third Pillar part of the system with the First Pillar instruments.

13.

However, the Proposal goes further than replacing the text of the CIS Convention with a Council Decision. It modifies a significant number of the Convention's provisions and extends the current scope of access to the CIS by granting access to Europol and Eurojust. Moreover, the Proposal incorporates the similar provisions regarding the functioning of the CIS as laid down in the above-mentioned Regulation (EC) No 766/2008, e.g. as far as the creation of a customs files identification database is concerned (Chapter VI).

14.

The Proposal also takes account of new legal instruments such as the Framework Decision 2008/977/JHA and the Framework Decision 2006/960/JHA of 13 December 2006 on simplifying the exchange of information and intelligence between law enforcement authorities of the Member States of the European Union (10).

15.

The Proposal aims inter alia at:

16.

In this context, the aim of the CIS, in accordance with Article 1 of the Proposal, is to ‘assist in preventing, investigating and prosecuting serious contraventions of national laws by making information available more rapidly, thereby increasing the effectiveness of the cooperation and control procedures of the customs administrations of the Member States’. This provision largely reflects Article 2(2) of the CIS Convention.

17.

To achieve this objective the Proposal extends the scope of the use of the CIS data and includes searches in the systems and the possibility for strategic or operational analysis. The EDPS notes the broadening of the purpose and of the list of categories of personal data to be collected and processed, and the extension of the list of data subjects who have direct access to the CIS.

18.

Given his current role as the supervisory authority for the central part of the First Pillar part of the CIS, the EDPS is particularly interested in the Initiative and the new developments in the Council relating to its content. The EDPS emphasises the need for ensuring a coherent and comprehensive approach to align the First and Third Pillar parts of the system.

19.

The EDPS notes that the Proposal involves various aspects relating to fundamental rights, in particular the protection of personal data as well as the right to information and other data subject's rights.

20.

Regarding the current data protection regime in the CIS Convention, the EDPS needs to mention that a number of current Convention provisions required modification and refreshing, given that they do not meet any longer the present data protection requirements and standards. The EDPS takes this opportunity to stress that ensuring a high level of the protection of personal data and its more efficient implementation in practice should be considered an essential prerequisite to the improvement of the working of the CIS.

21.

After some general remarks, this opinion is to address mainly the following issues relevant from the point of view of the protection of personal data:

22.

As mentioned in the introductory remarks, the EDPS is particularly interested in the new developments concerning the Third Pillar part of the CIS, given that he already exercises supervisory tasks over the central part of the First Pillar part, in accordance with the new Regulation (EC) No 766/2008 of the European Parliament and of the Council (11) to ensure the correct application of the law on customs and agricultural matters.

23.

In this context, the EDPS wishes to draw attention of the legislator to the fact that he has already commented on issues relating to the supervision of the First Pillar part of the CIS in a number of his opinions, in particular in his Opinion of 22 February 2007 (12).

24.

In this opinion, the EDPS underlined that the ‘creation and upgrading of the various instruments intended to strengthen Community cooperation, like the CIS, entail an increase in the share of personal information that will be originally collected and further exchanged with Member States’ administrative authorities, and, in some cases, also with third countries. The personal information processed and further shared may include information relating to individuals’ alleged or confirmed involvement in wrongdoing actions in the area of customs or agricultural operations […]. Furthermore, its importance is enhanced if one considers the type of data collected and shared, notably suspicions of individuals being engaged in wrongdoings, and the overall finality and outcome of the processing’.

25.

The EDPS stresses that, unlike the amendments introduced by Regulation (EC) No 766/2008 to the First Pillar instrument governing the CIS, the Proposal provides for a complete overhaul of the CIS Convention, which gives the legislator the opportunity to have a more global vision for the whole system, based on a coherent and comprehensive approach.

26.

In the EDPS's views this approach must also be oriented towards the future. New developments such as the adoption of the Framework Decision 2008/977/JHA and the (possible) future entry into force of the Lisbon Treaty should be duly reflected upon and taken into account when deciding on the very content of the Proposal.

27.

As far as the entry into force of the Lisbon Treaty is concerned, the EDPS draws the legislator's attention to the need for profound analysis of the possible effects the abolition of the pillar structure of the EU would have on the CIS when the Lisbon Treaty enters into force, given that the system is currently built upon a combination of First and Third Pillar instruments. The EDPS regrets the lack of explanatory information on this important future development, which would significantly affect the legal framework governing the CIS in the future. More generally, the EDPS raises a question of whether it would not be more opportune, if the legislator waited with the revision until the entry into force of the Lisbon Treaty to avoid any possible legal uncertainty.

28.

In the EDPS's view the replacement of the CIS Convention as a whole also provides for a good opportunity to ensure consistency of the CIS with other systems and mechanisms which have developed since the Convention was adopted. In this regard, the EDPS calls for coherence, also in terms of the supervision model, with other legal instruments, in particular those establishing the Schengen Information System II and the Visa Information System.

29.

The EDPS welcomes the fact that the Proposal takes account of the Framework Decision on the protection of personal data given the exchange of data between the Member States taking place in the framework of the CIS. Article 20 of the Proposal clearly stipulates that Framework Decision 2008/977/JHA shall apply to the protection of the data exchange in accordance with the present Decision unless otherwise provided in this Decision. The EDPS notes as well that the Proposal refers to the Framework Decision also in other provisions, e.g. in Article 4, paragraph 5, stipulating that data listed in Article 6 of the Framework Decision 2008/977/JHA shall not be included, Article 8 on the use of data obtained from the CIS in order to achieve the aim stated in Article 1(2) of the Decision, Article 22 of the Proposal concerning the rights of persons with regard to personal data in the CIS and Article 29 regarding the responsibilities and liabilities.

30.

The EDPS believes that the concepts and principles established in this Framework Decision are appropriate in the context of the CIS, and should therefore be applicable both for the sake of legal certainty as well as consistency between the legal regimes.

31.

Having said this, the EDPS stresses however that the legislator should provide for the necessary guarantees that while waiting for full implementation of the Framework Decision 2008/977/JHA, in accordance with its final provisions, there will be no loophole in the data protection system. In other words, the EDPS wishes to underline that he favours the approach whereby necessary and adequate safeguards are in place before new data exchanges take place.

32.

The EDPS considers the effective implementation of the right to data protection and the right to information as crucial elements for the proper functioning of the Customs Information System. Data protection safeguards are not only required to ensure the effective protection of individuals subject to the CIS, but they should also serve to facilitate the proper and more efficient functioning of the system.

33.

The EDPS draws the legislator's attention to the fact that the need for strong and efficient data protection safeguards is even more evident when one considers that the CIS is a database based rather on ‘suspicions’ than on convictions or other judicial or administrative decisions. This is reflected in Article 5 of the Proposal which stipulates that ‘data in the categories referred to in Article 3 shall be entered into the Customs Information System only for the purpose of sighting and reporting, discrete surveillance, specific checks and strategic or operational analysis. For the purpose of the suggested actions […], personal data […] may be entered into the Customs Information System only if, especially on the basis of prior illegal activities, there are real indications to suggest that the person concerned has committed, is in the act of committing, or will commit serious contraventions of national laws’. Given this characteristic of the CIS, the Proposal requires balanced, efficient and upgraded safeguards in terms of the protection of personal data and control mechanisms.

34.

Regarding specific provisions in the Proposal on the protection of personal data, the EDPS notes the efforts taken by the legislator to provide for more safeguards than available in the CIS Convention. However, the EDPS still needs to raise a number of serious concerns with regard to the data protection provisions, and in particular with regard to the application of the purpose limitation principle.

35.

It should also be mentioned in this context that the comments on the data protection safeguards in the present opinion are not limited only to the provisions which modify or extend the scope of the CIS Convention, but also concern the parts which are copied from the current text of the Convention. The reason for this, as mentioned in general remarks, is that in the EDPS's view some of the provisions of the Convention do not seem to satisfy any longer the current data protection requirements, and the French initiative is a good opportunity to have a fresh look at the whole system and ensure the adequate level of data protection, equivalent to the one in the First Pillar part of the system.

36.

The EDPS notes with satisfaction that only a closed and exhaustive list of personal data may be included in CIS. He also welcomes that the Proposal provides for a more extended definition of the term ‘personal data’, in comparison with the CIS Convention. Under Article 2(2) of the Proposal, the term ‘personal data’ means any information relating to an identified or identifiable natural person (data subject); ‘an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, psychological, mental, economic, cultural or social identity’.

37.

An example of the provisions which raise serious data protection concerns is Article 8 of the Proposal, stipulating that ‘the Member States may use the data obtained from the CIS only in order to achieve the aim stated in Article 1(2). However, they may use it for administrative or other purposes with the prior authorization of, and subject to any conditions imposed by the Member State which entered the data in the system. Such other use shall be in accordance with the laws, regulations and procedures of the Member State which seeks to use it in accordance with Article 3(2) of the Framework Decision 2008/977/JHA’. This provision concerning the use of the data obtained from the CIS is essential for the structure of the system and therefore needs special attention.

38.

Article 8 of the Proposal refers to Article 3(2) of the Framework Decision 2008/977/JHA which addresses ‘Principles of lawfulness, proportionality and purpose’. Article 3 of the Framework Decision stipulates as follows:

‘1.   Personal data may be collected by the competent authorities only for specified, explicit and legitimate purposes in the framework of their tasks and may be processed only for the same purpose for which data were collected. Processing of the data shall be lawful and adequate, relevant and not excessive in relation to the purposes for which they are collected.

2.   Further processing for another purpose shall be permitted in so far as:

39.

Notwithstanding the application of Article 3(2) of the Framework Decision 2008/977/JHA providing for general conditions under which the processing for another purpose can be permitted, the EDPS draws attention to the fact that the provision of Article 8 of the Proposal, by allowing for use of the CIS data for any possible administrative or other purposes, undefined by the Proposal, raises concerns as to compliance with the data protection requirements, in particular the purpose limitation principle. Moreover, the First Pillar instrument does not allow for such general use. The EDPS calls therefore for specifying the purposes for which the data may be used. This is of essential importance from the perspective of data protection as it tackles the core principles of the use of data in the large scale systems: ‘data should only be used for well defined and clearly limited purposes governed by the legal framework’.

40.

Article 8(4) of the Proposal deals with data to be transferred to third countries or international organisations. This provision stipulates that ‘data obtained from the CIS may, with the prior authorisation of, and subject to any conditions imposed by the Member State which entered them into the system, be transferred for use by […] non-Member States and international or regional organisations wishing to make use of them. Each Member State shall take special measures to ensure the security of such data when they are being transferred to services located outside its territory. Details of such measures must be communicated to the Joint Supervisory Authority referred to in Article 25’.

41.

The EDPS notes that Article 11 of the Framework Decision on the protection of personal data applies in this context. It should be underlined however that given the very general nature of the application of the provision of Article 8(4) of the Proposal, which in principle enables the Member States to transfer data obtained from the CIS to non-Member States and international or regional organisations wishing to make use of them, the safeguards envisaged in this provision are far from sufficient from the perspective of the protection of personal data. The EDPS calls that Article 8(4) be reconsidered to ensure a uniform system of the assessment of adequacy through an appropriate mechanism, e.g. the Committee referred to in Article 26 of the Proposal could be involved in such assessment.

42.

The EDPS notes with satisfaction the provisions on Amendment of data (Chapter IV, Article 13), which constitute an important element of the data quality principle. The EDPS welcomes in particular the extended and modified, when compared to the CIS Convention, scope of this provision, which adds now the rectification and erasure of data. For instance Article 13(2) stipulates that a supplying Member State or Europol, if they note, or have drawn to their attention, that the data they included are factually inaccurate or were entered, or are stored contrary to this Decision, shall amend, supplement, rectify or erase the data, as appropriate, and shall advise the other Member States and Europol accordingly.

43.

EDPS notes the provisions of the Chapter V concerning Retention of data which is mainly based on the CIS Convention and amongst others provides for time limits to retain data copied from the CIS.

44.

Chapter IX (Personal data protection) reflects many of the provisions of the CIS Convention. It however provides for significant change which is the application of the Framework Decision on the protection of personal data to the CIS and the mention in Article 22 of the Proposal that ‘the rights of persons with regard to personal data in the Customs Information System, in particular the right of access, to rectification, erasure or blocking shall be exercised in accordance with the laws, regulations and procedures of the Member States implementing the Framework Decision 2008/977/JHA in which such rights are invoked’. In this context, the EDPS wishes to emphasise in particular the importance of the maintaining of the procedure for data subjects to invoke their rights and be able to ask for access in every Member State. The EDPS will have a close look at the practical implementation of this important right of data subjects.

45.

The Proposal also extends the scope of the CIS Convention when it comes to the prohibition of copying data from CIS into other national data files. The CIS Convention explicitly mentions in Article 14(2) that ‘personal data included by other Member States may not be copied from the CIS into other national data files’. The Proposal, in its Article 21(3), allows such copying ‘for those copies held in the systems of risk management used to direct national customs controls or copies held in an operational analysis system to co-ordinate actions’. With respect to this, the EDPS shares the remarks made by the Customs Joint Supervisory Authority in its Opinion 09/03, in particular as regards the term ‘systems of risk management’ as well as the need to stipulate further when and under which circumstances the copying allowed in Article 21(3) would be possible.

46.

EDPS welcomes provisions on security, which are essential for the efficient functioning of the CIS (Chapter XII).

47.

The Proposal adds provisions on customs files identification database (Articles 16-19). This reflects the creation of the customs files identification database in the First Pillar instrument. Although the EDPS does not question the need for such new databases in the framework of the CIS, he draws attention to the need for appropriate data protection safeguards. In this context, the EDPS welcomes the fact that the exception foreseen in Article 21(3) does not apply to customs files identification databases.

48.

The Proposal grants access to the system to the European Police Office (Europol) and the European Union's Judicial Cooperation Unit (Eurojust).

49.

First of all, the EDPS stresses the need for clearly defining the purpose for access and assessing the proportionality and necessity of the extension of access. The information on why it is necessary to extend the access to the system to Europol and Eurojust is missing. The EDPS also stresses that when access to databases, functionalities and the processing of personal information are at stake, there is a clear need to evaluate in advance not just the usefulness of such access, but also the real and documented necessity of such a proposal. The EDPS underlines that no justification of the reasons has been provided.

50.

The EDPS also calls for a clear definition in the text of the precise missions for which Europol and Eurojust can be granted access to the data.

51.

According to Article 11, ‘Europol shall, within its mandate and for the fulfilment of its tasks, have the right to access the data entered in the CIS, to search data directly, to enter data into the system’.

52.

The EDPS welcomes the limitations introduced in the Proposal, such as in particular:

53.

The EDPS would also like to mention that whenever the Proposal refers to the Europol Convention, account should be taken of the Council Decision on the basis of which, with effect of 1 January 2010, Europol will become an EU agency.

54.

Article 12 of the Proposal deals with Eurojust's access to the CIS. It stipulates that ‘Subject to Chapter IX, the national members and their assistants shall, within their mandate and for the fulfillment of its tasks, have the right to have access to the data entered into the CIS in accordance with Articles 1, 3, 4, 5 and 6, and to search those data’. The Proposal provides for similar mechanisms concerning the consent of the Member State which entered the data to the ones envisaged for Europol. The above comments regarding the need for justification of the necessity to provide for access as well as for adequate and necessary limitations if such access is given, are also applicable to Eurojust.

55.

EDPS welcomes the limitation of the access to CIS only to the national member, their deputies, and their assistants. The EDPS notes however that Article 12(1) only speaks of national member and assistants, whereas other paragraphs of Article 12 cover also deputies to national members. The legislators should ensure clarity and consistency in this context.

56.

With regard to the proposed supervision of the Third Pillar part of the CIS, the EDPS draws attention of the legislator to the need for ensuring a consistent and comprehensive supervision of the whole system. The complex legal framework governing the CIS, based on two legal bases, should be taken into account and two different supervision models should be avoided both for the sake of legal clarity and for practical reasons.

57.

As mentioned earlier in the opinion, the EDPS currently acts as a supervisor of the central part of the First Pillar part of the system. This is in accordance with Article 37 of Regulation (EC) No 515/97 which stipulates ‘the European Data Protection Supervisor shall supervise compliance of the CIS with Regulation (EC) No 45/2001’. The EDPS notes that the supervision model, as proposed in the French Proposal, does not take into account this role. The supervision model is based on the role of the CIS Joint Supervisory Authority.

58.

Although the EDPS appreciates the work done by the CIS Joint Supervisory Authority, he stresses two reasons for which a coordinated supervision model, consistent with his current supervisory tasks in other large scale systems, should be applied. First, such model would ensure the internal consistency between the First and Third pillar parts of the system. Secondly, it would also provide for consistency with the models established in other large scale systems. Therefore, the EDPS advises that a similar model as the one used in the SIS II (‘coordinated supervision’ or ‘layered model’) is applied to the CIS as a whole. As mentioned in the EDPS opinion on the First Pillar part of CIS, ‘in the framework of the SIS II, the European legislator has opted for a rationalisation of the supervision model, by applying the same layered model as described in both the First and Third Pillar environments of the system’).

59.

The EDPS believes that the most opportune solution to provide for this is to introduce a more uniform system of supervision, the already experimented model based on a three-layered structure: DPAs at national level, EDPS at central level and coordination between both. The EDPS is convinced that the replacement of the CIS Convention gives this unique opportunity to provide for simplification and more consistency in the supervision, completely in line with other large scale systems (VIS, SIS II, Eurodac).

60.

Finally, the coordinated supervision model also takes better into account, the changes that will be brought by the entry into force of the Lisbon Treaty and the abolition of the pillar structure of the EU.

61.

The EDPS does not take a position on whether the insertion of the coordinated model of supervision would require amendments to the First Pillar instrument governing the CIS, namely Regulation (EC) No 766/2008, but he draws the legislator's attention to the need to analyze this aspect as well from the perspective of legal consistency.

62.

Article 7, paragraph 2 provides for an obligation on each Member State to send to the other Member States and the Committee referred to in Article 26 a list of the competent authorities it has designed to have access to the CIS, for each authority specifying which data it may have access to and for what purposes.

63.

The EDPS draws attention to the fact that the Proposal only provides that information on the authorities having access to CIS should be exchanged between the Member States and that they should inform the Committee mentioned in Article 26, but no publication of such list of authorities has been envisaged. This is regrettable as such publication would help to achieve better transparency and create a practical tool for an effective supervision of the system, e.g. by the competent Data Protection Authorities.

64.

The EDPS supports the Proposal for a Council Decision on the use of information technology for customs purposes. He stresses that due to the ongoing legislative work in the Council, his comments are not based on the final text of the Proposal.

65.

He regrets the lack of explanatory documents which could provide for some necessary clarification and information on the objectives and specificity of some of the provisions of the Proposal.

66.

The EDPS calls for more attention to be devoted in the Proposal to the need for specific data protection safeguards. He sees a number of issues where the practical implementation of data protection safeguards should be ensured better, in particular as to the application of the purpose limitation with regard to the use of data entered in the CIS. The EDPS considers this as an essential prerequisite for the improvement of the functioning of the Customs Information System.

67.

The EDPS calls for a coordinated model of supervision to be inserted in the Proposal. It should be noted that the EDPS has currently supervisory tasks over the First Pillar part of the system. He underlines that for the sake of coherence and consistency the best approach is to apply the coordinated supervision model also to the Third Pillar part of the system. This model would also ensure, where necessary and adequate, consistency with other legal instruments governing the establishment and/or use of other large-scale IT systems.

68.

The EDPS calls for more explanation on the necessity and proportionality of giving access to Eurojust and Europol. He stresses the lack of explanatory information on this issue in the Proposal.

69.

The EDPS also insists on reinforcing the provision of Article 8(4) of the Proposal regarding the transfer of data to non-Member States or international organisations. This includes the need to ensure a uniform system of adequacy assessment.

70.

The EDPS calls for insertion of a provision on the publication of the list of the authorities having access to the CIS, in order to increase transparency and facilitate the supervision of the system.

23.9.2009   

EN

Official Journal of the European Union

C 229/19

1.

On 10 December 2008, the Commission adopted two proposals relating to the amendment of Regulation (EC) No 726/2004 and Directive 2001/83/EC respectively (3). Regulation (EC) No 726/2004 of the European Parliament and of the Council (4) lays down Community procedures for the authorisation and supervision of medicinal products for human and veterinary use and establishes the European Medicines Agency (hereinafter: ‘the EMEA’). Directive 2001/83/EC of the European Parliament and of the Council (5) contains rules on the Community code relating to medicinal products for human use, dealing with specific processes at Member State level. The proposed amendments relate to the parts in both instruments on pharmacovigilance of medicinal products for human use.

2.

Pharmacovigilance can be defined as the science and activities relating to the detection, assessment, understanding and prevention of adverse effects of medicinal products (6). The pharmacovigilance system currently in place within Europe makes it possible for patients and healthcare professionals to report adverse drug reactions to the relevant public and private bodies involved at national and European level. A Europe-wide database (the EudraVigilance database) is operated by the EMEA as a centralised point for managing and reporting suspected adverse drug reactions.

3.

Pharmacovigilance is seen as a necessary supplement to the Community system of authorisation of medicinal products which dates back to 1965 when Council Directive 65/65/EEC (7) was adopted.

4.

As follows from the Explanatory Memoranda and the Impact Assessment attached to the proposals, the current pharmacovigilance system suffers from a number of weaknesses, including a lack of clarity with regard to roles and responsibilities of the various actors involved, complicated procedures for adverse drug reaction reporting, the need for strengthened medicines safety transparency and communication and the need for rationalisation of the medicines risk management planning.

5.

The general intention of the two proposals is to remedy these weaknesses and to improve and strengthen the Community pharmacovigilance system with the overall objective of better protecting public health, ensuring proper functioning of the internal market and simplifying the current rules and procedures (8).

6.

The overall operation of the current pharmacovigilance system relies on the processing of personal data. These data are included in the adverse drug reactions reporting and can be considered as data relating to health (‘health data’) of the persons concerned since they reveal information about drug use and associated health problems. Processing of such data is subject to strict data protection rules as laid down in Article 10 of Regulation (EC) No 45/2001 and Article 8 of Directive 95/46/EC (9). The importance of protecting such data has recently repeatedly been emphasised by the European Court of Human Rights in the context of Article 8 of the European Convention of Human Rights: ‘The protection of personal data, in particular medical data, is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of the Convention’ (10).

7.

Despite this, no reference to data protection is included in the current text of Regulation (EC) No 726/2004 and Directive 2001/83/EC, except for one specific reference in the Regulation which will be discussed below in point 21 and further.

8.

The European Data Protection Supervisor (‘EDPS’) regrets that data protection aspects are not considered within the proposed amendments and that he was not formally consulted on both proposals for amendments as provided for by Article 28(2) of Regulation (EC) No 45/2001. The current opinion is therefore based on Article 41(2) of the same Regulation. The EDPS recommends that a reference to this opinion is included in the preamble of both proposals.

9.

The EDPS notes that although data protection is not sufficiently considered in both the current pharmacovigilance legal framework and the proposals, the practical application of the central Community EudraVigilance system clearly raises data protection issues. To this end, the current EudraVigilance system was notified by the EMEA to the EDPS in June 2008 for a prior check on the basis of Article 27 of Regulation (EC) No 45/2001.

10.

The current opinion and the conclusions by the EDPS on the prior check (publication of which is expected later this year) will necessarily contain some overlap. However, the focus of both instruments is different: whereas this opinion concentrates on the general legal framework supporting the system as it follows from Regulation (EC) No 726/2004 and Directive 2001/83/EC and the proposed amendments to it, the prior check constitutes a detailed data protection analysis concentrating on how the current rules have been further elaborated in subsequent instruments (e.g. decisions and guidelines) issued by the EMEA or the Commission and the EMEA jointly, and how the EudraVigilance system works in practice.

11.

This Opinion will first proceed with a simplified explanation of the system of pharmacovigilance in the EU as it follows from Regulation (EC) No 726/2004 and Directive 2001/83/EC in their present state. Subsequently, the necessity of processing of personal data in the context of pharmacovigilance will be analysed. After this, the proposals of the Commission for improving the current and envisaged legal framework will be discussed and recommendations will be made on how to ensure and improve the data protection standards.

12.

Several actors are involved in collecting and disseminating information on adverse effects of medicinal products in the European Union. At national level, the two main actors are the Market Authorisation Holders (companies who are authorised to bring medicinal products on the market) and the National Competent Authorities (authorities responsible for the market authorisation). National Competent Authorities authorise products through national procedures, which include the ‘Mutual Recognition Procedure’ and the ‘Decentralised Procedure’ (11). For products which are authorised through the so-called ‘centralised procedure’, the European Commission can also act as a competent authority. An important additional actor at European level is the EMEA. One of the tasks of this agency is to ensure the dissemination of information on adverse reactions to medicinal products authorised in the Community, by means of a database, which is the earlier mentioned EudraVigilance database.

13.

Directive 2001/83/EC speaks in general terms about the responsibility of Member States to operate a pharmacovigilance system in which information is collected which is ‘useful in the surveillance of medicinal products’ (Article 102). On the basis of Articles 103 and 104 of Directive 2001/83/EC (see also Articles 23 and 24 of Regulation (EC) No 726/2004), Market Authorisation Holders must have their own system of pharmacovigilance in place in order to assume responsibility and liability for their products on the market and to ensure that appropriate action may be taken when necessary. Information is gathered from healthcare professionals or patients directly. All information relevant to the risk-benefit balance of a medicinal product must be reported electronically by the Market Authorisation Holder to the Competent Authority.

14.

Directive 2001/83/EC itself is not very precise about what kind of information on adverse effects should be collected at national level, how it should be stored or how it should be communicated. Articles 104 and 106 only refer to ‘reports’ which have to be drawn up. More detailed rules on these reports can be found in guidelines which are set up by the Commission, after consultation of the EMEA, the Member States and interested parties, on the basis of Article 106. In these guidelines on Pharmacovigilance for Medicinal Products for Human Use (hereinafter: ‘the Guidelines’) reference is made to so-called ‘Individual Case Safety Reports’ (hereinafter: ‘ICSRs’), which are reports about adverse effects of medicinal products relating to a specific patient (12). It follows from the Guidelines that one element of the minimum information required in the ICSRs is ‘an identifiable patient’ (13). It is indicated that the patient may be identified by initials, patient number, date of birth, weight, height and sex, hospital record number, information on the medical history of the patient, information on the parents of the patient (14).

15.

By emphasising the identifiability of the patient, the processing of this information clearly comes within the remit of the rules on data protection as laid down in Directive 95/46/EC. Indeed, although the patient is not mentioned by name, it is possible by putting the different pieces of information together (e.g. hospital, birth date, initials) and under specific conditions (e.g. in closed communities or small places) to identify him or her. Therefore, information processed in the context of pharmacovigilance should in principle be considered as relating to an identifiable natural person in the sense of Article 2(a) of Directive 95/46/EC (15). Although this is not made clear in both the Regulation and the Directive, it is recognised in the Guidelines where it is stated that ‘the information should be as complete as possible, taking into account EU legislation on data protection’ (16).

16.

It must be underlined that, despite the Guidelines, the reporting of adverse effects at national level is far from being uniform. This will be further discussed in points 24 and 25 below.

17.

A crucial role in the EU pharmacovigilance system is played by the EudraVigilance database which is maintained by the EMEA. As already mentioned, EudraVigilance is a centralised data processing network and management system for reporting and evaluating suspected adverse reactions during the development and following the marketing authorisation of medicinal products within the European Community and the countries which form part of the European Economic Area. The legal basis of the EudraVigilance database can be found in Article 57(1)(d) of Regulation (EC) No 726/2004.

18.

The current EudraVigilance database consists of two compartments, namely (1) information which follows from clinical trials (taking place before the medicine is put on the market, therefore called the ‘pre-authorisation’ period) and (2) information stemming from reports about adverse effects (gathered afterwards, therefore called the ‘post-authorisation’ period). The emphasis of the present opinion lies on this ‘post-authorisation’ period since the proposed amendments concentrate on this part.

19.

The EudraVigilance database contains data about patients resulting from the ICSRs. The EMEA is provided with ICSRs by the National Competent Authorities (see Article 102 of Directive 2001/83/EC and Article 22 of Regulation (EC) No 726/2004) and in some case by the Market Authorisation Holders directly (see Article 104 of Directive 2001/83/EC and Article 24 of Regulation (EC) No 726/2004).

20.

The emphasis of the current Opinion lies on the processing of the personal information about patients. It should be noted, however, that the EudraVigilance database also contains personal information about the people working for the National Competent Authority or the Marketing Authorisation Holders when they are providing the information to the database. The full name, address details, contact details, identification document details of these people are kept in the system. Another category of personal information is data about the so-called Qualified Persons Responsible for Pharmacovigilance, who are nominated by the Market Authorisation Holders on the basis as referred to in Article 103 of Directive 2001/83/EC. Obviously, the rights and obligations stemming from Regulation (EC) No 45/2001 fully apply to the processing of this information.

21.

Article 57(1)(d) of Regulation (EC) No 726/2004 states that the database should be permanently accessible to all Member States. Health-care professionals, Marketing Authorisation Holders and the public must furthermore have appropriate levels of access to this database, with personal data protection being guaranteed. As said above in point 7, this is the only provision in both the Regulation and Directive 2001/83/EC which makes reference to data protection.

22.

Article 57(1)(d) has led to the following regime on access. Once the EMEA receives an ICSR it is directly put in the EudraVigilance Gateway which is fully accessible by the EMEA, National Competent Authorities as well as the Commission. After the ICSR has been validated (checked on authenticity and uniqueness) by the EMEA, the information from the ICSR is transferred to the actual database. The EMEA, National Competent Authorities as well as the Commission have full access to the database, while Market Authorisation Holders only have access to the database subject to certain restrictions, namely access only to data which they themselves submitted to the EMEA. Aggregated information about ICSRs is finally put on the EudraVigilance website to which the general public has access, including healthcare professionals.

23.

On 19 December 2008, the EMEA published a draft access policy on its website for public consultation (17). The document shows how the EMEA envisages to implement Article 57(1)(d) of Regulation (EC) No 726/2004. The EDPS will briefly return to this subject from point 48 onwards below.

24.

The Commission's Impact Assessment demonstrates a number of weaknesses of the current EU pharmacovigilance system, which is considered as complex and unclear. The complicated system of data collection, storage and sharing by different actors at national and European level is presented as one of the main deficiencies. This situation is further complicated by the fact that there are disparities in the way in which Directive 2001/83/EC is implemented in the Member States (18). As a consequence, National Competent Authorities as well as the EMEA are often confronted with incomplete or duplicative adverse drug reaction case reporting (19).

25.

This is due to the fact that, although a description of the ICSRs content is provided in the earlier mentioned Guidelines, it is left up to the Member States to decide the way in which these reports will be implemented at national level. This includes both the means of communication applied for the reporting by the Marketing Authorisation Holders to the National Competent Authorities, and the real information included in the reports (no standardised form is used for reporting within Europe). Moreover, some National Competent Authorities may apply specific quality criteria for the admissibility of the reports (depending on their content, level of completeness, etc.), whereas in other countries this might not be the case. It is obvious that the approach used at national level for the reporting and quality evaluation of the ICSRs has a direct impact on the way this reporting is performed towards EMEA, i.e. in the EudraVigilance database.

26.

The EDPS would like to emphasise that the above-mentioned weaknesses do not only lead to practical inconveniences but also pose a considerable threat to the protection of the health data of citizens. Although, as shown in the previous paragraphs, processing of health data takes place at several stages of the pharmacovigilance operation process, no provisions for the protection of these data currently exist. The only exception to this is the general reference to data protection in Article 57(1)(d) of Regulation (EC) No 726/2004, which only relates to the last stage of the data processing, namely the accessibility of the data contained in the EudraVigilance database. Moreover, the lack of clarity with regard to the roles and responsibilities of the different actors involved in the processing, as well as the lack of specific standards for the processing itself threatens the confidentiality, and also the integrity and accountability of the personal data being processed.

27.

The EDPS therefore wishes to emphasise that the absence of a thorough data protection analysis, reflected in the legal framework which forms the basis of the pharmacovigilance system in the EU, must also be seen as one of the weaknesses of the current system. This weakness should be remedied by amendments to the current legislation.

28.

As a preliminary and general concern, the EDPS wishes to raise the question whether the processing of health data about identifiable natural persons is actually necessary at all stages of the pharmacovigilance system (at national as well as at European level).

29.

As explained above, in the ICSRs the patient is not mentioned by name and as such not identified. However, the patient could still be identifiable in certain cases by combining different pieces of information in the ICSRs. As follows from the guidelines in some instances, a specific patient number is given, which implies that the system as a whole allows for the traceability of the person involved. However, neither the Directive nor the Regulation makes reference to the traceability of persons as part of the purpose of the system of pharmacovigilance.

30.

The EDPS therefore urges the legislator to clarify whether traceability is indeed intended to serve as a purpose of pharmacovigilance at the different levels of processing and more specifically in the framework of the EudraVigilance database.

31.

In that respect, it is instructive to compare with the envisaged regime on organ donation and transplantation (20). In the context of organ transplantation the traceability of an organ to the donor as well as the recipient of the organ is of paramount importance, especially in cases of serious adverse events or reactions.

32.

In the context of pharmacovigilance, however, the EDPS has no sufficient evidence to conclude that traceability is actually always needed. Pharmacovigilance is about the reporting of adverse effects of medicinal products which are used by a (mostly) unknown number of people and will be used by a (mostly) unknown number of people. There is therefore — in any case in the ‘post-authorisation’ period — a less automatic and individual link between the adverse effect information and the person concerned as in the case of information about organs and the individuals involved in the transplantation of a specific organ. It is obvious that patients who have used a certain medicinal product and have reported about adverse effects, have an interest in knowing the outcome of any further assessment. This, however, does not imply that the reported information should in every case be linked to this specific person throughout the whole pharmacovigilance process. In many cases it should be sufficient to link the information about adverse effects to the medicinal product itself, which enables the actors involved, perhaps through healthcare professionals, to inform patients in general about the consequences of taking or having taken a certain medicinal product.

33.

If traceability is envisaged after all, the EDPS wishes to recall the analysis he made in his Opinion about the Commission proposal for a Directive on standards of quality and safety of human organs intended for transplantation. In this Opinion he explained the relation between traceability, identifiability, anonymity and confidentiality of data. Identifiability is a term which is crucial in data protection legislation (21). Data protection rules apply to data relating to persons that are identified or identifiable  (22). Traceability of data to a specific person can be aligned with identifiability. In data protection legislation, anonymity is the opposite of identifiability, and thus traceability. Only if it is impossible to identify (or retrace) the person to whom the data relate, data are considered as anonymous. The notion of ‘anonymity’ is therefore different from how it is regularly understood in daily life, namely that an individual cannot be identified from the data as such, for instance because his or her name has been removed. In those situations one rather refers to confidentiality of the data, meaning that the information is only (fully) accessible to those authorised to have access. While traceability and anonymity cannot coexist, traceability and confidentiality can.

34.

Apart from traceability, another justification for keeping the patients identifiable throughout the whole pharmacovigilance process could be the well-functioning of the system. The EDPS understands that when information relates to an identifiable and therefore unique individual, it is easier for the relevant competent authorities (i.e. National Competent Authorities and EMEA) to monitor and control the content of an ICSR (e.g. to check for duplicates). Although the EDPS sees the need for such a control mechanism, he is not convinced that this alone would justify keeping data identifiable at all stages of the pharmacovigilance process and especially in the EudraVigilance database. By better structuring and coordinating the reporting system, for instance through a decentralised system as discussed below in point 42 and further, duplication could be avoided already at national level.

35.

The EDPS acknowledges that in particular circumstances it is impossible to make data anonymous. This is for instance the case if certain medicinal products are used by a very limited group of individuals. For those cases specific safeguards should be put in place to follow the obligations stemming from data protection legislation.

36.

To conclude, the EDPS seriously doubts whether traceability or the use of data about identifiable patients is necessary at every stage of the pharmacovigilance process. The EDPS is aware of the fact that it may not be possible to exclude the processing of identifiable data at every stage, especially at national level where the actual collection of information on adverse effects takes place. However, the data protection rules require that the processing of health data only takes place when it is strictly necessary. The use of identifiable data should therefore be reduced as far as possible and prevented or stopped at the earliest stage possible in cases where this is not deemed necessary. The EDPS would therefore urge the legislator to reassess the need to use such information at European level as well as at national level.

37.

It is noted that in cases where there is a real need to process identifiable data or when the data cannot be rendered anonymous (see point 35 above), the technical possibilities for indirect identification of data subjects should be explored, e.g. by making use of pseudonymisation mechanisms (23).

38.

The EDPS therefore recommends to introduce in Regulation (EC) No 726/2004 and Directive 2001/83/EC a new Article which states that the provisions of Regulation (EC) No 726/2004 and Directive 2001/83/EC are without prejudice to the rights and obligations stemming from the provisions of Regulation (EC) No 45/2001 and Directive 95/46/EC respectively, with specific reference to Article 10 of Regulation (EC) No 45/2001 and Article 8 of Directive 95/46/EC respectively. To this it should be added that identifiable health data shall only be processed when strictly necessary and parties involved should assess this necessity at every single stage of the pharmacovigilance process.

39.

Although data protection is hardly taken into account in the proposed amendments, a more detailed analysis of the proposal is still instructive as it shows that some of the envisaged changes increase the impact and subsequent risks for data protection.

40.

The general intention of the two proposals is to improve the consistency of the rules, to bring clarity about responsibilities, to simplify the reporting system and to strengthen the EudraVigilance database (24).

41.

The Commission has clearly tried to improve clarity about responsibilities by proposing to amend current provisions in such a way that the legislation itself more explicitly spells out who should do what. Of course bringing clarity about the actors involved and their respective obligations regarding the reporting of adverse effects enhances the transparency of the system and is therefore also from a data protection perspective a positive development. Patients should in general terms be able to understand from the legislation how, when and by whom their personal data are being processed. However, the proposed clarity about duties and responsibilities should also be explicitly put in relation to those stemming from data protection legislation.

42.

The simplification of the reporting system should be achieved by the use of national medicines safety web-portals which are linked to the European medicines safety web-portal (see the newly proposed Article 106 of Directive 2001/83/EC as well as Article 26 of Regulation (EC) No 726/2004). The national web-portals will contain publicly available forms for the reporting of suspected adverse reactions by healthcare professionals and patients (see the newly proposed Article 106(3) of Directive 2001/83/EC as well as Article 25 of Regulation (EC) No 726/2004). Also the European web-portal will contain information on how to report, including standard forms for web-based reporting by patients and healthcare professionals.

43.

The EDPS wishes to underline that, although the use of these web-portals and standardised forms will enhance the effectiveness of the reporting system, it at the same time increases the data protection risks of the system. The EDPS urges the legislator to make the development of such a reporting system subject to the requirements of data protection law. This implies, as indicated, that the necessity of processing personal data should be properly assessed with regard to every step of the process. This should be reflected in the way the reporting is organised at national level as well as the submission of information to the EMEA and the EudraVigilance database. In a broader sense, the EDPS strongly recommends developing uniform forms at national level which would prevent diverging practices leading to different levels of data protection.

44.

The envisaged system seems to imply that patients can report directly to the EMEA, or perhaps even directly to the EudraVigilance database itself. This would mean that, in the current application of the EudraVigilance database, the information will be put into the EMEA gateway, which as has been explained in points 21-22 above, is fully accessible for the Commission and the National Competent Authorities as well.

45.

In general terms, the EDPS strongly advocates a decentralised reporting system. Communication to the European web-portal should be coordinated through the use of the national web-portals which fall under the responsibility of the National Competent Authorities. The indirect reporting by patients, i.e. through healthcare professionals (through the use of web-portals or not) should also be used, rather than the possibility of direct reporting by patients especially to the EudraVigilance database.

46.

A system of reporting through web-portals in any case calls for strict security rules. In that respect, the EDPS would like to refer to his earlier mentioned Opinion on the proposed Directive for cross-border healthcare, especially the part on data security in the Member States and privacy in e-health applications (25). In that Opinion the EDPS already emphasised that privacy and security should be part of the design and implementation of any e-health application (‘privacy by design’) (26). The same consideration applies to the envisaged web-portals.

47.

The EDPS would therefore recommend including in the newly proposed Articles 25 and 26 of Regulation (EC) No 726/2004 and Article 106 of Directive 2001/83/EC, which deal with the development of a reporting system for adverse effects through the use of web-portals, an obligation to incorporate proper privacy and security measures. The principles of data confidentiality, integrity, accountability and availability could also be mentioned as main security objectives, which should be guaranteed at an even level in all Member States. The use of appropriate technical standards and means, like encryption and digital signature authentication, could be additionally included.

48.

The newly proposed Article 24 of Regulation (EC) No 726/2004 deals with the EudraVigilance database. The Article makes clear that strengthening of the database implies an increased use of the database by the different parties involved, in terms of providing and accessing information to and from the database. Two paragraphs of Article 24 are of particular interest.

49.

Article 24(2) deals with the accessibility of the database. It replaces the current Article 57(1)(d) of Regulation (EC) No 726/2004, which was discussed before as the only provision currently referring to data protection. The reference to data protection is retained, but the number of actors subject to it is reduced. Where the current text indicates that appropriate levels of access to the database, with personal data being protected, shall be given to healthcare professionals, Market Authorisation Holders and the public, the Commission now proposes to move the Market Authorisation Holders from this list and give them access ‘to the extent necessary for them to comply with their pharmacovigilance obligations’, without any reference to data protection. The reasons for doing so are not clear.

50.

The third paragraph of Article 24 furthermore sets out the rules on access to the ICSRs. Access may be requested by the public and shall be provided within 90 days, ‘unless disclosure would compromise the anonymity of the subjects of the reports’. The EDPS supports the idea behind this provision, namely that only anonymous data can be disclosed. However, he wishes to emphasise, as explained before, that anonymity must be understood as the complete impossibility to identify the person who reported the adverse effect (see also point 33).

51.

The accessibility of the EudraVigilance system should in general be reassessed in light of the data protection rules. This also has direct consequences for the draft access policy published by the EMEA in December 2008, mentioned above in point 23 (27). In as far as information in the EudraVigilance database necessarily relates to identifiable natural persons, access to that data should be as restrictive as possible.

52.

The EDPS therefore recommends to include in the proposed Article 24(2) of Regulation (EC) No 726/2004 a sentence stating that the accessibility of the EudraVigilance database shall be regulated in conformity with the rights and obligations stemming from the Community legislation on data protection.

53.

The EDPS wishes to underline that once identifiable data are processed, the party responsible for such processing should comply with all the requirements of the Community data protection legislation. This implies inter alia that the person involved is well-informed on what will be done with the data and who will be processing it and any further information required on the basis of Article 11 of Regulation (EC) No 45/2001 and/or Article 10 of Directive 95/46/EC. The person concerned should furthermore be enabled to invoke his or her rights at national as well as at European level, such as the right of access (Article 12 of Directive 95/46/EC and Article 13 of Regulation (EC) No 45/2001), the right to object (Article 18 of Regulation (EC) No 45/2001 and Article 14 of Directive 95/46/EC) etc.

54.

The EDPS would therefore recommend adding to the proposed Article 101 of Directive 2001/83/EC a paragraph which states that in case of processing of personal data the individual shall be properly informed in accordance with Article 10 of Directive 95/46/EC.

55.

The issue of access to someone's own information contained in the EudraVigilance database is not addressed in the current and proposed legislation. It must be emphasised that in cases in which it is felt necessary to hold personal data in the database, as just mentioned, the patient concerned should be enabled to invoke his or her right to access his or her personal data in conformity with Article 13 of Regulation (EC) No 45/2001. The EDPS would therefore recommend adding a paragraph to the proposed Article 24 stating that measures shall be taken which ensure that the data subject can exercise his right of access to personal data relating to him as provided for by Article 13 of Regulation (EC) No 45/2001.

56.

The EDPS takes the view that the lack of a proper assessment of the data protection implications of pharmacovigilance constitutes one of the weaknesses of the current legal framework set out by Regulation (EC) No 726/2004 and Directive 2001/83/EC. The current amendment of Regulation (EC) No 726/2004 and Directive 2001/83/EC should be seen as an opportunity to introduce data protection as a full-fledged and important element of pharmacovigilance.

57.

A general issue to be addressed thereby is the actual necessity of processing personal health data at all stages of the pharmacovigilance process. As explained in this Opinion, the EDPS seriously doubts this need and urges the legislator to reassess it at the different levels of the process. It is clear that the purpose of pharmacovigilance can in many cases be achieved by sharing information on adverse effects which is anonymous in the meaning of the data protection legislation. Duplication of reporting can be avoided through the application of well structured data reporting procedures already at national level.

58.

The proposed amendments envisage a simplified reporting system and a strengthening of the EudraVigilance database. The EDPS has explained that these amendments lead to increased risks for data protection, especially when it involves the direct reporting of patients to the EMEA or the EudraVigilance database. In this respect, the EDPS strongly advocates a decentralised and indirect reporting system whereby communication to the European web-portal is coordinated through using the national web-portals. The EDPS furthermore emphasises that privacy and security should be part of the design and implementation of a reporting system through the use of web-portals (‘privacy by design’).

59.

The EDPS furthermore underlines that once data concerning health about identified or identifiable natural persons is processed, the person responsible for such processing should comply with all the requirements of the Community data protection legislation.

60.

More specifically, the EDPS recommends:

23.9.2009   

EN

Official Journal of the European Union

C 229/27

23.9.2009   

EN

Official Journal of the European Union

C 229/28

1.

Barcs–Terezino Polje

2.

Beremend–Baranjsko Petrovo Selo

3.

Berzence–Gola

4.

Drávaszabolcs–Donji Miholjac

5.

Drávaszabolcs (river, on request) (1)

6.

Gyékényes–Koprivnica (rail)

7.

Letenye–Goričan I

8.

Letenye–Goričan II (highway)

9.

Magyarboly–Beli Manastir (railway)

10.

Mohács (river)

11.

Murakeresztúr–Kotoriba (railway)

12.

Udvar–Dubosevica

1.

Bácsalmás–Bajmok (2)

2.

Hercegszántó–Bački Breg

3.

Kelebia–Subotica (railway)

4.

Mohács (river)

5.

Röszke–Horgoš (highway)

6.

Röszke–Horgoš (railway)

7.

Szeged (river) (2)

8.

Tiszasziget–Đjala (Gyála) (2)

9.

Tompa–Kelebija

1.

Ágerdőmajor (Tiborszállás)–Carei (railway)

2.

Ártánd–Borș

3.

Battonya–Turnu

4.

Biharkeresztes–Episcopia Bihorului (railway)

5.

Csengersima–Petea

6.

Gyula–Vărșand

7.

Kiszombor–Cenad

8.

Kötegyán–Salonta (railway)

9.

Létavértes–Săcuieni (3)

10.

Lőkösháza–Curtici (railway)

11.

Méhkerék–Salonta

12.

Nagylak–Nădlac

13.

Nyírábrány–Valea Lui Mihai (railway)

14.

Nyírábrány–Valea Lui Mihai

15.

Vállaj–Urziceni

1.

Barabás–Kosino (4)

2.

Beregsurány–Luzhanka

3.

Eperjeske–Salovka (railway)

4.

Lónya–Dzvinkove (5)

5.

Tiszabecs–Vylok

6.

Záhony–Čop (railway)

7.

Záhony–Čop

1.

Budapest Nemzetközi Repülőtér

2.

Debrecen Repülőtér

3.

Sármellék

1.

Békéscsaba

2.

Budaörs

3.

Fertőszentmiklós

4.

Győr–Pér

5.

Kecskemét

6.

Nyíregyháza

7.

Pápa

8.

Pécs–Pogány

9.

Siófok–Balatonkiliti

10.

Szeged

11.

Szolnok

23.9.2009   

EN

Official Journal of the European Union

C 229/30