ISSN 1977-0677
Official Journal of the European Union
L 301
English edition
Legislation
Volume 62
II Non-legislative acts
INTERNATIONAL AGREEMENTS
22.11.2019 | EN | Official Journal of the European Union | L 301/1
COUNCIL DECISION (EU) 2019/1934
of 18 March 2019
on the signing, on behalf of the European Union and its Member States, of the Protocol to the Cooperation Agreement on a Civil Global Navigation Satellite System (GNSS) between the European Community and its Member States, of the one part, and the Republic of Korea, of the other part, to take account of the accession of the Republic of Bulgaria, the Republic of Croatia and Romania to the European Union
THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 172, in conjunction with Article 218(5) thereof,
Having regard to the Acts of Accession of the Republic of Bulgaria and Romania (1) and of the Republic of Croatia (2), and in particular Article 6(2) thereof,
Having regard to the proposal from the European Commission,
Whereas:
(1) The Cooperation Agreement on a Civil Global Navigation Satellite System (GNSS) between the European Community and its Member States, of the one part, and the Republic of Korea, of the other part (3) (the ‘Agreement’) was signed on 9 September 2006 (4) and entered into force on 1 July 2016 (5).
(2) Bulgaria and Romania became Member States of the Union on 1 January 2007 and Croatia on 1 July 2013.
(3) In accordance with Article 6(2) of the Acts of Accession of Bulgaria and Romania and of Croatia, accession to the Agreement is to be agreed by means of a protocol to that Agreement (the ‘Protocol’). In accordance with Article 6(2) of those Acts of Accession, a simplified procedure is to apply to such accession, whereby a protocol is to be concluded by the Council, acting unanimously on behalf of the Member States, and by the third country concerned.
(4) On 23 October 2006 and on 14 September 2012 the Council authorised the Commission to open negotiations with the third country concerned in order to conclude protocols to international agreements concluded by the Union and its Member States.
(5) The negotiations with the Republic of Korea were successfully concluded by exchange of notes verbales.
(6) The Protocol should be signed,
HAS ADOPTED THIS DECISION:
Article 1
The signing, on behalf of the Union and its Member States, of the Protocol to the Cooperation Agreement on a Civil Global Navigation Satellite System (GNSS) between the European Community and its Member States, of the one part, and the Republic of Korea, of the other part, to take account of the accession of the Republic of Bulgaria, the Republic of Croatia and Romania to the European Union is hereby authorised, subject to the conclusion of the said Protocol (6).
Article 2
The President of the Council is hereby authorised to designate the person(s) empowered to sign the Protocol on behalf of the Union and its Member States.
Article 3
This Decision shall enter into force on the day of its adoption.
Done at Brussels, 18 March 2019.
For the Council
The President
P. DAEA
(1) Act concerning the conditions of accession of the Republic of Bulgaria and Romania and the adjustments to the Treaties on which the European Union is founded (OJ L 157, 21.6.2005, p. 203).
(2) Act concerning the conditions of accession of the Republic of Croatia and the adjustments to the Treaty on European Union, the Treaty on the Functioning of the European Union and the Treaty establishing the European Atomic Energy Community (OJ L 112, 24.4.2012, p. 21).
(3) OJ L 288, 19.10.2006, p. 31.
(4) Council Decision 2006/700/EC of 1 September 2006 on the signing, on behalf of the Community, of the Cooperation Agreement on a Civil Global Navigation Satellite System (GNSS) between the European Community and its Member States, of the one part, and the Republic of Korea, of the other part (OJ L 288, 19.10.2006, p. 30).
(5) Council Decision (EU) 2016/944 of 6 June 2016 on the conclusion of the Cooperation Agreement on a Civil Global Navigation Satellite System (GNSS) between the European Community and its Member States of the one part, and the Republic of Korea, of the other part (OJ L 157, 15.6.2016, p. 19).
(6) The text of the Protocol will be published together with the decision on its conclusion.
REGULATIONS
COMMISSION DELEGATED REGULATION (EU) 2019/1935
of 13 May 2019
amending Directive (EU) 2016/97 of the European Parliament and of the Council with regard to regulatory technical standards adapting the base euro amounts for professional indemnity insurance and for financial capacity of insurance and reinsurance intermediaries
(Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution (1), and in particular Article 10(7) thereof,
Whereas:
(1) The European Insurance and Occupational Pensions Authority (EIOPA) is required to regularly review the base amounts for professional indemnity insurance and financial capacity of insurance and reinsurance intermediaries to take into account the changes to the European index of consumer prices as published by Eurostat. Over the period 1 January 2013 through 31 December 2017, the European index of consumer prices produced for the Union by Eurostat has increased by 4,03 %. As a result, the abovementioned base amounts should be adapted by that percentage increase.
(2) Directive (EU) 2016/97 should therefore be amended accordingly.
(3) To enable Member States to adapt the relevant base amounts in their national provisions and to give insurance and reinsurance intermediaries enough time to take the necessary implementation measures, the application of this Regulation should be deferred.
(4) This Regulation is based on the draft regulatory technical standards submitted by EIOPA to the Commission.
(5) EIOPA has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the opinion of the Insurance and Reinsurance Stakeholder Group established by Article 37 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council (2),
HAS ADOPTED THIS REGULATION:
Article 1
Amendments to Directive (EU) 2016/97
Article 10 of Directive (EU) 2016/97 is amended as follows:
(1) paragraph 4 is replaced by the following:
(2) in the second subparagraph of paragraph 6, point (b) is replaced by the following:
Article 2
Entry into force and date of application
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. It shall apply from 12 June 2020.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 13 May 2019.
For the Commission
The President
Jean-Claude JUNCKER
(2) Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48).
RULES OF PROCEDURE
DECISION OF THE SINGLE RESOLUTION BOARD
of 18 September 2019
on internal rules concerning restrictions of certain rights of data subjects in relation to processing of personal data in the framework of administrative inquiries/disciplinary proceedings/investigations/other carried out by the Single Resolution Board (SRB/ES/2019/32)
THE SINGLE RESOLUTION BOARD,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) No 806/2014 of the European Parliament and of the Council of 15 July 2014 establishing uniform rules and a uniform procedure for the resolution of credit institutions and certain investment firms in the framework of a Single Resolution Mechanism and a Single Resolution Fund and amending Regulation (EU) No 1093/2010 (1) and in particular, Articles 42, Article 43(5), Articles 50(3), 56(1)-(3), 61, 63 and 64 thereof,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (2),
Having regard to the consultation with the European Data Protection Supervisor,
Whereas:
(1) The Single Resolution Board (‘SRB’) fulfils the tasks of a resolution authority as part of the Single Resolution Mechanism (‘SRM’) in accordance with Regulation (EU) No 806/2014. The SRB’s mission is to ensure an orderly resolution of failing banks with minimum impact on the real economy, the financial system, and the public finances of the participating MS and beyond.
(2) The SRB may conduct internal investigations and/or administrative inquiries of its own motion or following confidential information provided by SRB staff members within the framework of the whistleblowing procedure. The SRB may also conduct disciplinary proceedings in accordance with the Annex IX of the Staff Regulations.
(3) The SRB may, within the context of internal investigations and/or administrative inquiries and/or disciplinary proceedings notify cases to the Investigation and Disciplinary Office of the Commission (IDOC) and the European Anti-Fraud Office (OLAF) in accordance with the Decision of the Board in its Executive Session of 6 November 2015 concerning the terms and conditions for internal investigations in relation to the prevention of fraud, corruption and any illegal activity detrimental to the Communities’ interest (SRB/ES/2015/01).
(4) The SRB, here represented by the SRB Ethics and Compliance Officer, respectively the SRB Data Protection Officer, processes several categories of personal data, and particularly identification data, contact data, professional data and acts as data controller. The personal data are stored in a secured electronic environment which prevents unlawful access or transfer of data to persons who do not have a need to know. The personal data processed are retained in accordance with the SRB rules on retention of documents. At the end of the retention period, the case related information including personal data is transferred to the historical archives or deleted in accordance with the principle of data minimisation and data accuracy.
(5) The internal rules should apply to all processing operations carried out by the SRB in the performance of its activities for the prevention, investigation, detection and prosecution of breaches of, inter alia, the SRB Code of Ethics and the Staff Regulations.
(6) The internal rules should apply to processing operations carried out both during internal and external investigations, as well as during the monitoring of the follow-up to the outcome of these investigations. The internal rules should apply to processing operations which form part of the activities linked to the SRB Ethics and Compliance Officer’s functions and where applicable the SRB Data Protection Officer. It should also include assistance and cooperation provided by the SRB Ethics and Compliance Officer, respectively the SRB Data Protection Officer upon request, to and from national authorities and international organisations outside of its administrative investigations.
(7) The SRB has to give justifications explaining why the restrictions are strictly necessary and proportionate in a democratic society and respect the essence of the fundamental rights and freedoms.
(8) Within this framework SRB is bound to respect, to the maximum extent possible, the fundamental rights of the data subjects during the above procedures, in particular, those relating to the right of access and rectification, right to erasure, data portability etc. as enshrined in Regulation (EU) 2018/1725.
(9) However, the SRB may be obliged to defer the information to data subject and other data subject’s rights to protect, in particular, its own investigations, the investigations and proceedings of other public authorities including IDOC and OLAF, and the rights of other persons related to its investigations, as well as to protect its disciplinary proceedings.
(10) The SRB may thus defer the information for the purpose of protecting the investigations and/or the disciplinary proceedings.
(11) The SRB should lift the restriction as soon as and as far as the conditions that justify the restriction no longer apply.
(12) The SRB should monitor the restricting conditions on a regular basis, every six months and revise where needed.
(13) The SRB should consult the DPO during the revisions,
HAS ADOPTED THIS DECISION:
Article 1
Subject-matter and scope
1. This Decision lays down internal rules relating to the conditions under which the SRB in the framework of internal investigations, administrative inquiries and disciplinary proceedings carried out by the SRB Ethics and Compliance Officer or investigations carried out by the SRB Data Protection Officer under Article 45(2) of Regulation (EU) 2018/1725 may restrict the application of the rights enshrined in Articles 14 to 21, 35, as well as Article 4 thereof, following Article 25 of the Regulation (EU) 2018/1725.
2. This Decision applies to the processing operation(s) of personal data by the SRB for the purpose of conducting internal investigations, administrative inquiries and disciplinary proceedings. For processing operation(s) of personal data by the SRB for the purpose of initiating, carrying out and closing informal procedure in the framework of the SRB policy on protecting the dignity of the person and preventing psychological harassment and sexual harassment, a different decision concerning the restriction of rights applies (for reference: SRB/ES/2019/33).
3. The categories of data concerned are hard data (administrative details, telephone, private address, electronic communications, and traffic data (use of ICT applications, internet data) and/or soft data (appraisals, opening of inquiries, reports on preliminary investigations) etc.
4. Subject to the conditions set out in this Decision, the restrictions may apply to the following rights: access, rectification, erasure and portability rights, rights of information, confidentiality of communication, and principles of the data processing operation provided that they relate to a right.
Article 2
Specification of the controller and safeguards
1. The safeguards in place to avoid data breaches, leakages or unauthorised disclosure are the following: restriction of access rights to electronic folders and to the functional mailbox for submission of complaints, cupboards secured with keys, and specific training of the persons handling the information on confidentiality.
2. The controller of these processing operations is the SRB, here represented by the SRB Ethics and Compliance Officer, respectively the SRB Data Protection Officer.
3. The personal data collected are stored and retained in accordance with the SRB rules on retention of documents. The retention period respects the principle of retention no longer than necessary for the fulfilment of the purpose of the processing operation, and eventually, to allow judicial or administrative disputes.
Article 3
Restrictions
1. In accordance with Article 25(1) of Regulation (EU) 2018/1725, any restriction shall only be applied to safeguard:
— the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
— the internal security of Union institutions and bodies, including of their electronic communications networks;
— the protection of judicial proceedings;
— the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
— the protection of the data subject or the rights and freedoms of others.
2. Any restriction shall be necessary and proportionate in a democratic society and respect the essence of the fundamental rights and freedoms.
3. A necessity and proportionality test shall be carried out based on the present internal rules. It shall be documented through an internal assessment note by the controller of the specific processing operation for accountability purposes on a case by case basis.
4. Restrictions shall be duly monitored and a periodical revision shall be done every six months.
5. Restrictions shall be lifted as soon as the circumstances that justify them no longer apply.
6. The risk to the rights and freedoms of the data subject is the temporary limitation of the effective exercise of the data subject’s rights, inter alia, to information, erasure or defence, as guaranteed by the Regulation (EU) 2018/1725. These risks shall be taken into account in the scope of the necessity and proportionality test mentioned under paragraph 3 of this Article.
Article 4
Involvement of the Data Protection Officer
1. The SRB shall, throughout any restriction procedure and without undue delay, inform the Data Protection Officer of the SRB (‘the DPO’) whenever it restricts the application of data subjects’ rights in accordance with this Decision. It shall provide access to the record and the assessment of the necessity and proportionality of the restriction.
2. The DPO may request the controller in writing to review the application of the restrictions. The SRB shall inform the DPO in writing about the outcome of the requested review and when the restriction has been lifted.
Article 5
Provision of information to data subject
1. The SRB shall include in the data protection notices published on its intranet informing data subjects of their rights in the framework of a given procedure, information relating to the potential restriction of these rights. The information shall cover which rights may be restricted, the reasons and the potential duration.
2. Additionally, the SRB shall inform individually data subjects on their rights concerning present or future restrictions without undue delay and in a written form, without prejudice of the following paragraph.
3. Data subjects shall be informed on the principal reasons on which the application of a restriction is based and of their right to lodge a complaint before the European Data Protection Supervisor.
Article 6
Right of access by data subject
1. Where data subjects request access to their personal data processed in the context of one or more specific cases or to a particular processing operation, in accordance with Article 17 of Regulation (EU) 2018/1725, the SRB shall limit its assessment of the request to such personal data only.
2. Where the SRB restricts, wholly or partly, the right of access, referred to in Article 17 of Regulation (EU) 2018/1725, it shall take the following steps:
(a) it shall inform the data subject concerned, in its reply to the request, of the restriction applied and of the principal reasons thereof, and of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy in the Court of Justice of the European Union;
(b) it shall record the reasons for the restriction, including an assessment of the necessity and proportionality of the restriction; to that end, the record shall state how providing access would jeopardise the purpose of the SRB’s investigative activities or of restrictions applied pursuant to Article 2(3), or would adversely affect the rights and freedoms of other data subjects.
The provision of information referred to in point (a) may be deferred, omitted or denied in accordance with Article 25(8) of Regulation (EU) 2018/1725.
3. The record referred to in point (b) of paragraph 2 and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request. Article 25(7) of Regulation (EU) 2018/1725 shall apply.
Article 7
Right of rectification, erasure and restriction of processing
Where the SRB restricts, wholly or partly, the application of the right to rectification, erasure or restriction of processing, referred to in Articles 18, 19(1) and 20(1) of Regulation (EU) 2018/1725, it shall take the steps set out in Article 6(2) of this Decision and register the record in accordance with Article 6(3) thereof.
Article 8
Communication of a personal data breach to the data subject
Where the SRB restricts the communication of a personal data breach to the data subject, referred to in Article 35 of Regulation (EU) 2018/1725, it shall record and register the reasons for the restriction in accordance with Article 3(3) of this Decision. Article 3(4) of this Decision shall apply.
Article 9
Entry into force
This Decision shall enter into force on the day following that of its publication in the Official Journal of the European Union.
Done at Brussels, 18 September 2019.
For the Single Resolution Board
Elke KÖNIG
The Chair
DECISION OF THE SINGLE RESOLUTION BOARD
of 18 September 2019
on internal rules concerning restrictions of certain rights of data subjects in relation to processing of personal data in the framework of informal procedure of the SRB policy on protecting the dignity of the person and preventing psychological harassment and sexual harassment (SRB/ES/2019/33)
THE SINGLE RESOLUTION BOARD,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) No 806/2014 of the European Parliament and of the Council of 15 July 2014 establishing uniform rules and a uniform procedure for the resolution of credit institutions and certain investment firms in the framework of a Single Resolution Mechanism and a Single Resolution Fund and amending Regulation (EU) No 1093/2010 (1) and in particular, Articles 42, Article 43(5), Articles 50(3), 56(1)-(3), 61, 63 and 64 thereof,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (2),
Having regard to the consultation with the European Data Protection Supervisor,
Whereas:
(1) The Single Resolution Board (‘SRB’) fulfils the tasks of a resolution authority as part of the Single Resolution Mechanism (‘SRM’) in accordance with Regulation (EU) No 806/2014. The SRB’s mission is to ensure an orderly resolution of failing banks with minimum impact on the real economy, the financial system, and the public finances of the participating MS and beyond.
(2) Article 12a of the Staff Regulations condemns psychological and sexual harassment. The SRB policy on protecting the dignity of the person and preventing sexual harassment and psychological harassment further defines the provisions of the above mentioned article by promoting the culture of respect and protection of the dignity of all SRB staff. It also introduces simple and effective procedures to protect the dignity of every person working for the Agency. In the framework of the policy, a staff member or any other person working for the agency under national law, may initiate an informal procedure if they feel a victim of sexual or psychological harassment by seeking support of a confidential counsellor.
(3) The SRB entity in charge of human resources shall notify to the SRB entity in charge of Compliance any recurrent cases involving the same individual in accordance with Article 7.5 of the SRB Policy on protecting the dignity of the person and preventing psychological harassment and sexual harassment. The entity in charge of Compliance will inform the Appointing Authority, which will, where appropriate, launch the procedure provided for in Annex IX of the Staff Regulations.
(4) The SRB, here represented by its Anti-Harassment Coordinator, processes several categories of personal data, and particularly identification data, contact data, professional data. The personal data are stored in a secured electronic environment which prevents unlawful access or transfer of data to persons who do not have a need to know. The personal data processed are retained in accordance with the SRB rules on retention of documents. At the end of the retention period, the case related information including personal data is transferred to the historical archives or deleted in accordance with the principle of data minimisation and data accuracy.
(5) The internal rules should apply to all processing operations carried out by the SRB in the performance of its activities for the prevention of psychological or sexual harassment, detection and prosecution of breaches of, inter alia, the SRB Code of Ethics and the Staff Regulations.
(6) The internal rules should apply to processing operations carried out during informal procedures, as well as during the monitoring of the follow-up to the outcome of these procedures. The internal rules should apply to processing operations which form part of the activities linked to the SRB Ethics and Compliance Officer’s functions. It should also include assistance and cooperation provided by the SRB Ethics and Compliance Officer to national authorities and international organisations outside of its administrative investigations.
(7) The SRB has to give justifications explaining why the restrictions are strictly necessary and proportionate in a democratic society and respect the essence of the fundamental rights and freedoms.
(8) Within this framework SRB is bound to respect, to the maximum extent possible, the fundamental rights of the data subjects during the above procedures, in particular, those relating to the right of access and rectification, right to erasure, data portability etc. as enshrined in Regulation (EU) 2018/1725.
(9) However, the SRB may be obliged to defer the information to data subject and other data subject’s rights to protect, in particular the ongoing informal procedures, and the rights of other persons related to ongoing or closed informal procedures.
(10) The SRB may thus defer the information for the purpose of protecting the alleged victim and/or the informal procedure and/or repository of data processes in the context of the informal procedure.
(11) The SRB should lift the restriction as soon as and as far as the conditions that justify the restriction no longer apply.
(12) The SRB should monitor the restricting conditions on a regular basis, every six months and revise where needed.
(13) The SRB should consult the DPO during the revisions,
HAS ADOPTED THIS DECISION:
Article 1
Subject-matter and scope
1. This Decision lays down internal rules relating to the conditions under which the SRB in the framework of informal procedure of the SRB policy on protecting the dignity of the person and preventing psychological harassment and sexual harassment. The SRB may restrict the application of the rights enshrined in Articles 14 to 21, 35, as well as Article 4 thereof, following Article 25 of the Regulation (EU) 2018/1725.
2. This Decision applies to the processing operation(s) of personal data by the SRB for the purpose of initiating, carrying out and closing informal procedure in the framework of the SRB policy on protecting the dignity of the person and preventing psychological harassment and sexual harassment. For the processing operation(s) of personal data by the SRB for the purposes of conducting internal investigations, administrative inquiries and disciplinary proceedings, a different decision concerning the restriction of rights applies (for reference: SRB/ES/2019/32).
3. The categories of data concerned are hard data (administrative details, telephone, private address, electronic communications, and traffic data and/or soft data (appraisals, opening of inquiries, reports on preliminary investigations) etc.
4. Subject to the conditions set out in this Decision, the restrictions may apply to the following rights: access, rectification, erasure and portability rights, rights of information, confidentiality of communication, and principles of the data processing operation provided that they relate to a right.
Article 2
Specification of the controller and safeguards
1. The safeguards in place to avoid data breaches, leakages or unauthorised disclosure are the following: restriction of access rights to electronic folders and to the functional mailbox for submission of complaints, cupboards secured with keys, and specific training of the persons handling the information on confidentiality.
2. The controller of this processing operation is the SRB, here represented by the SRB Anti-Harassment Coordinator.
3. The personal data collected are stored and retained in accordance with the SRB rules on retention of documents. The retention period respects the principle of retention no longer than necessary for the fulfilment of the purpose of the processing operation, and eventually, to allow judicial or administrative disputes.
Article 3
Restrictions
1. In accordance with Article 25(1) of Regulation (EU) 2018/1725, any restriction shall only be applied to safeguard:
— the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
— the protection of the data subject or the rights and freedoms of others;
— the prevention, investigation, detection and resolution of breaches of ethics.
2. Any restriction shall be necessary and proportionate in a democratic society and respect the essence of the fundamental rights and freedoms.
3. A necessity and proportionality test shall be carried out based on the present internal rules. It shall be documented through an internal assessment note for accountability purposes on a case by case basis.
4. Restrictions shall be duly monitored and a periodical revision shall be done every six months.
5. Restrictions shall be lifted as soon as the circumstances that justify them no longer apply.
6. The risk to the rights and freedoms of the data subject is the temporary limitation of the effective exercise of the data subject’s rights, inter alia, to information, erasure or defence, as guaranteed by the Regulation (EU) 2018/1725. These risks shall be taken into account in the scope of the necessity and proportionality test mentioned under paragraph 3 of this Article.
Article 4
Involvement of the Data Protection Officer
1. The SRB shall, throughout any restriction procedure and without undue delay, inform the Data Protection Officer of the SRB (‘the DPO’) whenever it restricts the application of data subjects’ rights in accordance with this Decision. It shall provide access to the record and the assessment of the necessity and proportionality of the restriction.
2. The DPO may request the controller in writing to review the application of the restrictions. The SRB shall inform the DPO in writing about the outcome of the requested review and when the restriction has been lifted.
Article 5
Provision of information to data subject
1. The SRB shall include in the data protection notices published on its intranet informing data subjects of their rights in the framework of a given procedure, information relating to the potential restriction of these rights. The information shall cover which rights may be restricted, the reasons and the potential duration.
2. Additionally, the SRB shall inform individually data subjects on their rights concerning present or future restrictions without undue delay and in a written form, without prejudice of the following paragraph.
3. Data subjects shall be informed on the principal reasons on which the application of a restriction is based and of their right to lodge a complaint before the European Data Protection Supervisor.
Article 6
Right of access by data subject
1. Where data subjects request access to their personal data processed in the context of one or more specific cases or to a particular processing operation, in accordance with Article 17 of Regulation (EU) 2018/1725, the SRB shall limit its assessment of the request to such personal data only.
2. Where the SRB restricts, wholly or partly, the right of access, referred to in Article 17 of Regulation (EU) 2018/1725, it shall take the following steps:
(a) it shall inform the data subject concerned, in its reply to the request, of the restriction applied and of the principal reasons thereof, and of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy in the Court of Justice of the European Union;
(b) it shall record the reasons for the restriction, including an assessment of the necessity and proportionality of the restriction; to that end, the record shall state how providing access would jeopardise the purpose of the SRB’s investigative activities or of restrictions applied pursuant to Article 2(3), or would adversely affect the rights and freedoms of other data subjects.
The provision of information referred to in point (a) may be deferred, omitted or denied in accordance with Article 25(8) of Regulation (EU) 2018/1725.
3. The record referred to in point (b) of paragraph 2 and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request. Article 25(7) of Regulation (EU) 2018/1725 shall apply.
Article 7
Right of rectification, erasure and restriction of processing
Where the SRB restricts, wholly or partly, the application of the right to rectification, erasure or restriction of processing, referred to in Articles 18, 19(1) and 20(1) of Regulation (EU) 2018/1725, it shall take the steps set out in Article 6(2) of this Decision and register the record in accordance with Article 6(3) thereof.
Article 8
Entry into force
This Decision shall enter into force on the day following that of its publication in the Official Journal of the European Union.
Done at Brussels, 18 September 2019.
For the Single Resolution Board
Elke KÖNIG
The Chair
22.11.2019 | EN | Official Journal of the European Union | L 301/14
DECISION OF THE SINGLE RESOLUTION BOARD
of 18 September 2019
on internal rules concerning restrictions of certain rights of data subjects in relation to processing of personal data in the framework of internal security incident investigations carried out by the Single Resolution Board (SRB/ES/2019/34)
THE SINGLE RESOLUTION BOARD,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) No 806/2014 of the European Parliament and of the Council of 15 July 2014 establishing uniform rules and a uniform procedure for the resolution of credit institutions and certain investment firms in the framework of a Single Resolution Mechanism and a Single Resolution Fund and amending Regulation (EU) No 1093/2010 (1) and in particular, Articles 42, Article 43(5), Articles 50(3), 56(1)-(3), 61, 63 and 64 thereof,
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (2),
Having regard to the consultation with the European Data Protection Supervisor,
Whereas:
(1) The Single Resolution Board (‘SRB’) fulfils the tasks of a resolution authority as part of the Single Resolution Mechanism (‘SRM’) in accordance with Regulation (EU) No 806/2014. The SRB’s mission is to ensure an orderly resolution of failing banks with minimum impact on the real economy, the financial system, and the public finances of the participating MS and beyond.
(2) The SRB can process personal data for the various systems installed at the SRB premises (video-surveillance, access control, visitors log books). This information is strictly collected for security & safety reasons (e.g. to keep track of how many people are in the building for evacuation purposes, both in line with EC’s security decisions), to prevent, detect and document any security incident that occurs inside the buildings or surrounding areas.
(3) The SRB, here represented by the SRB Head of Unit Corporate Services and ICT, processes several categories of personal data, and particularly identification data, contact data, professional data. The personal data are stored in a secured electronic environment which prevents unlawful access or transfer of data to persons who do not have a need to know. The personal data processed are retained in accordance with the EC rules on retention of data. At the end of the retention period, the collected information including personal data is deleted in accordance with the maximum agreed period: visitors log books: 6 months, video surveillance system: 30 days, access control system: 2 months.
(4) The internal rules should apply to all processing operations carried out by the SRB in the performance of its activities for the security & safety matters, for the prevention, detection or investigation of security incidents, protection of the agency’s staff, property and information and the SRB’s visitors.
(5) The internal rules should apply to processing operations carried out during internal security incident investigations, as well as during the monitoring of the follow-up to the outcome of these investigations. The internal rules should apply to processing operations which form part of the activities linked to the SRB Security/Facilities’ sector. It should also include assistance and cooperation provided by the SRB Security/Facilities to national authorities, Belgian Law forces, OLAF, the Emergency services and international organisations outside of its administrative investigations;
(6) The SRB has to give justifications explaining why the restrictions are strictly necessary and proportionate in a democratic society and respect the essence of the fundamental rights and freedoms;
(7) Within this framework SRB is bound to respect, to the maximum extent possible, the fundamental rights of the data subjects during the above procedures, in particular, those relating to the right of access and rectification, right to erasure, data portability etc. as enshrined in Regulation (EU) 2018/1725;
(8) However, the SRB may be obliged to defer the information to data subject and other data subject’s rights to protect, in particular, its own security incident investigations involving the data from the video surveillance or access control systems.
(9) The SRB may thus defer the information for the purpose of protecting the security incident investigations;
(10) The SRB should lift the restriction as soon as and as far as the conditions that justify the restriction no longer apply;
(11) The SRB should monitor the restricting conditions on a regular basis, every six months and revise where needed;
(12) The SRB should consult the DPO during the revisions.
HAS ADOPTED THIS DECISION:
Article 1
Subject matter and scope
1. This Decision lays down internal rules relating to the conditions under which the SRB in the framework of internal security incident investigations, may restrict the application of the rights enshrined in Articles 14 to 21, 35, as well as Article 4 thereof, following Article 25 of the Regulation (EU) 2018/1725.
2. This Decision applies to the processing operation(s) of personal data by the SRB for the purpose of conducting internal security incident investigations, as well as during the monitoring of the follow-up to the outcome of these investigations.
3. The categories of data concerned are hard data (administrative details, telephone, private address, electronic communications, and traffic data and/or soft data (appraisals, opening of inquiries, reports on preliminary investigations) etc.
4. Subject to the conditions set out in this Decision, the restrictions may apply to the following rights: access, rectification, erasure and portability rights, rights of information, confidentiality of communication, and principles of the data processing operation provided that they relate to a right.
Article 2
Specification of the controller and safeguards
1. The safeguards in place to avoid data breaches, leakages or unauthorised disclosure are the following: restriction of access rights to electronic folders and to the functional mailbox for submission of complaints, cupboards secured with keys, and specific training of the persons handling the information on confidentiality.
2. The controller of these processing operations is the SRB, here represented by the SRB Head of Unit Corporate Services and ICT.
3. The personal data collected are stored and retained in accordance with the EC rules on retention of data and in accordance with the Belgian law of 21/3/2007 (governing the installation and use of surveillance cameras). The retention period respects the principle of retention no longer than necessary for the fulfilment of the purpose of the processing operation, and eventually, to allow judicial or administrative disputes.
Article 3
Restrictions
1. In accordance with Article 25(1) of Regulation (EU) No 2018/1725, any restriction shall only be applied to safeguard:
— the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
— the internal security of Union institutions and bodies, including of their electronic communications networks;
— the protection of judicial proceedings;
— the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
— the protection of the data subject or the rights and freedoms of others;
2. Any restriction shall be necessary and proportionate in a democratic society and respect the essence of the fundamental rights and freedoms.
3. A necessity and proportionality test shall be carried out based on the present internal rules. It shall be documented through an internal assessment note for accountability purposes on a case by case basis.
4. Restrictions shall be duly monitored and a periodical revision shall be done every six months.
5. Restrictions shall be lifted as soon as the circumstances that justify them no longer apply.
6. The risk to the rights and freedoms of the data subject is the temporary limitation of the effective exercise of the data subject’s rights, inter alia, to information, erasure or defence, as guaranteed by the Regulation (EU) 2018/1725. These risks shall be taken into account in the scope of the necessity and proportionality test mentioned under paragraph 3 of this Article.
Article 4
Involvement of the Data Protection Officer
1. The SRB shall, throughout the restriction procedure and without undue delay, inform the Data Protection Officer of the SRB (‘the DPO’) whenever it restricts the application of data subjects’ rights in accordance with this Decision. It shall provide access to the record and the assessment of the necessity and proportionality of the restriction.
2. The DPO may request the controller in writing to review the application of the restrictions. The SRB shall inform the DPO in writing about the outcome of the requested review and when the restriction is lifted.
Article 5
Provision of information to data subject
1. The SRB shall include in the data protection notices published on its intranet and website informing data subjects of their rights in the framework of a given procedure, information relating to the potential restriction of these rights. The information shall cover which rights may be restricted, the reasons and the potential duration.
2. Additionally, the SRB shall inform individually data subjects on their rights concerning present or future restrictions without undue delay and in a written form, without prejudice of the following paragraph.
3. Data subjects shall be informed on the principal reasons on which the application of a restriction is based and of their right to lodge a complaint before the European Data Protection Supervisor.
Article 6
Right of access by data subject
1. Where data subjects request access to their personal data processed in the context of one or more specific cases or to a particular processing operation, in accordance with Article 17 of Regulation (EU) 2018/1725, the SRB shall limit its assessment of the request to such personal data only.
2. Where the SRB restricts, wholly or partly, the right of access, referred to in Article 17 of Regulation (EU) 2018/1725, it shall take the following steps:
(a) it shall inform the data subject concerned, in its reply to the request, of the restriction applied and of the principal reasons thereof, and of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy in the Court of Justice of the European Union;
(b) it shall record the reasons for the restriction, including an assessment of the necessity and proportionality of the restriction; to that end, the record shall state how providing access would jeopardise the purpose of the SRB’s investigative activities or of restrictions applied pursuant to Article 2(3), or would adversely affect the rights and freedoms of other data subjects.
The provision of information referred to in point (a) may be deferred, omitted or denied in accordance with Article 25(8) of Regulation (EU) 2018/1725.
3. The record referred to in point (b) of paragraph 2 and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request. Article 25(7) of Regulation (EU) 2018/1725 shall apply.
Article 7
Right of rectification, erasure and restriction of processing
Where the SRB restricts, wholly or partly, the application of the right to rectification, erasure or restriction of processing, referred to in Articles 18, 19(1) and 20(1) of Regulation (EU) 2018/1725, it shall take the steps set out in Article 6(2) of this Decision and register the record in accordance with Article 6(3) thereof.
Article 8
Communication of a personal data breach to the data subject
Where the SRB restricts the communication of a personal data breach to the data subject, referred to in Article 35 of Regulation (EU) 2018/1725, it shall record and register the reasons for the restriction in accordance with Article 3(3) of this Decision. Article 3(4) of this Decision shall apply.
Article 9
Entry into force
This Decision shall enter into force on the day following that of its publication in the Official Journal of the European Union.
Done at Brussels, 18 September 2019.
For the Single Resolution Board
Elke KÖNIG
The Chair