11.5.2012   

EN

Official Journal of the European Union

C 136/1

1.

On 29 November 2011, the Commission adopted two legislative proposals on alternative dispute resolution (hereinafter: ‘the proposals’):

2.

On 6 December 2011, the EDPS received the ADR proposal and the ODR proposal for consultation. The EDPS had also been consulted informally before the adoption of the proposals and has issued informal comments. The EDPS welcomes this early consultation and the fact that most of the recommendations contained in these comments have been included in the proposals.

3.

The present Opinion aims at analysing the processing of personal data foreseen by the proposals and at explaining how they address data protection issues. It will focus on the ODR proposal, as it involves a centralised processing of personal data related to disputes through an online platform.

4.

Alternative dispute resolution schemes (ADR) provide an alternative means of solving disputes which is usually less costly and faster than bringing a case to court. The ADR proposal aims at ensuring that these entities are in place in all EU Member States to solve any cross-border consumer dispute arising from the sale of goods or the provision of services in the EU.

5.

The ODR proposal builds on this EU-wide availability of ADR for consumer disputes. It establishes an online platform (hereinafter: the ‘ODR platform’) that consumers and traders will be able to use to transmit complaints on cross-border online transactions to the competent ADR entity.

6.

The EDPS supports the aim of the proposals and welcomes the fact that data protection principles have been taken into account from the earliest stage of the drafting process.

7.

The EDPS also welcomes the references to the applicability of the data protection legislation in the ODR proposal (5) and to the applicability of national legislation implementing Directive 95/46/EC in the context of the ADR proposal (6), as well as the references to the consultation to the EDPS (7).

8.

According to the ODR proposal, the data will be processed by three types of actors in the context of each dispute submitted through the ODR platform:

Article 11(4) states that each of these actors is to be considered as a controller as regards the processing of personal data related to their responsibilities.

9.

However, many of these controllers could be deemed responsible for the processing of the same personal data (9). For example, data related to a particular dispute sent through the ODR platform may be examined by several ODR facilitators and by the competent ADR scheme who will deal with the dispute. The Commission may also process these personal data for the operation and maintenance of the ODR platform.

10.

In this respect, the EDPS welcomes the fact that recital 20 of the ODR proposal states that data protection legislation applies to all of these actors. However, the legislative part of the ODR proposal should specify at least to which of the controllers data subjects should address their requests of access, rectification, blocking and erasure; and which controller would be accountable in case of specific breaches of the data protection legislation (for example, for security breaches). Data subjects should also be informed accordingly.

11.

According to Article 11 of the ODR proposal, access to personal data processed through the ODR platform is limited to:

12.

The EDPS welcomes these limitations of the purpose and the access rights. However, it is not clear whether all ODR facilitators (at least 54) will have access to personal data related to all the disputes. The EDPS recommends clarifying that every ODR facilitator will have access only to the data needed to fulfil his or her obligations under Article 6(2).

13.

As regards the retention period, the EDPS welcomes Article 11(3), which allows the retention of personal data only for the time necessary for the resolution of the dispute and for the exercise of data subjects' right of access. He also welcomes the obligation to automatically delete the data six months after the conclusion of the dispute.

14.

Taking into account the purpose of the proposals, it is possible that personal data related to suspected infringements will be processed. Health data might also be processed in the context of disputes arising from the sale of goods or provision of services related to health.

15.

The processing of personal data in the framework of the ODR platform may therefore be subject to prior checking by national data protection authorities and by the EDPS, as required by Article 27 of Regulation (EC) No 45/2001 and Article 20 of Directive 95/46/EC (11). The EDPS understands that the Commission is aware of the necessity of assessing, before the ODR platform becomes operational, whether the processing should be subject to prior checking.

16.

The information to be provided in the electronic complaint form (hereinafter: ‘the form’) is detailed in the Annex to the ODR proposal. This includes personal data of the parties (name, address and, if applicable, e-mail and website address) and data aimed at determining which ADR entity is competent to deal with the relevant dispute (consumer's place of residence at the time the goods or services were ordered, type of goods or services involved, etc.).

17.

The EDPS welcomes Article 7(6) which reminds that only accurate, relevant and not excessive data can be processed through the form and its attachments. The list of data contained in the Annex also respects the purpose limitation principle.

18.

However, this list can be modified by delegated acts and the modalities of the form will be regulated by implementing acts (12). The EDPS recommends including a reference to the need to consult the EDPS as long as these acts concern the processing of personal data.

19.

The EDPS welcomes the provisions dedicated to confidentiality and security. The security measures detailed in Article 12 of the ODR proposal include access controls, a security plan and security incident management.

20.

The EDPS recommends adding also a reference to the need to conduct a privacy impact assessment (including a risk assessment) and to the fact that compliance with data protection legislation and data security should be periodically audited and reported.

21.

In addition, the EDPS would like to remind that the development of IT tools for the establishment of the ODR platform should integrate privacy and data protection from the very early design stage (privacy by design), including the implementation of tools enabling users to better protect personal data (such as authentication and encryption).

22.

The EDPS welcomes recital 21 of the ODR proposal, which states that data subjects should be informed about the processing of their personal data and their rights through a publicly available privacy notice. However, the obligation to inform data subjects should also be included in the legislative part of the ODR proposal.

23.

In addition, data subjects should also be informed on which controller is responsible for compliance with their rights. The privacy notice should be clearly visible for anyone filling the form.

24.

The EDPS welcomes the fact that data protection principles have been integrated in the text, in particular as regards the purpose and access limitation, the limitation of the retention period and the security measures. However, he recommends:

25.

The EDPS would also like to remind that the processing of personal data in the framework of the ODR platform may be subject to prior checking by the EDPS and by national data protection authorities.