
This document is an excerpt from the EUR-Lex website

Document 32020D0969

    Commission Decision (EU) 2020/969 of 3 July 2020 laying down implementing rules concerning the Data Protection Officer, restrictions of data subjects’ rights and the application of Regulation (EU) 2018/1725 of the European Parliament and of the Council, and repealing Commission Decision 2008/597/EC

    C/2020/4183

    OJ L 213, 06/07/2020, p. 12–22 (BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

    Legal status of the document: In force

    ELI: http://data.europa.eu/eli/dec/2020/969/oj

    6.7.2020   EN   Official Journal of the European Union   L 213/12


    COMMISSION DECISION (EU) 2020/969

    of 3 July 2020

    laying down implementing rules concerning the Data Protection Officer, restrictions of data subjects’ rights and the application of Regulation (EU) 2018/1725 of the European Parliament and of the Council, and repealing Commission Decision 2008/597/EC

    THE EUROPEAN COMMISSION,

    Having regard to the Treaty on the Functioning of the European Union, and in particular Article 249(1) thereof,

    Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (1), and in particular Article 45(3) thereof,

    Whereas:

    (1) In order to ensure the proper functioning of the office of the Commission’s data protection officer (‘DPO’), it is necessary to determine in detail the tasks, duties and powers of the DPO.

    (2) Regulation (EU) 2018/1725 assigns clear responsibilities to data controllers, in particular vis-à-vis the data subjects. With a view to ensuring that the Commission, as a controller, operates in a uniform and transparent manner with regard to its responsibilities, rules should be set out on how to identify who in the Commission service or services is responsible for a processing operation which is carried out on behalf of the Commission. In this respect, it is appropriate to introduce the notion of delegated controller in order to indicate precisely the responsibilities of the entities of the Commission, in particular as regards individual decisions concerning data subjects’ rights. In addition, it is appropriate to introduce the notion of operational controller who, under the responsibility of the delegated controller, is designated to ensure compliance in practice, and to process requests from data subjects with regard to a processing operation. The appointment of an operational controller does not prevent the use in practice of a contact point, for example in the form of a functional mailbox to be made available for data subjects’ requests.

    (3) In certain cases, several Commission services may jointly carry out a processing operation in order to fulfil their mission. In such cases, they should ensure that internal arrangements are in place in order to determine in a transparent manner their respective responsibilities under Regulation (EU) 2018/1725, in particular responsibilities vis-à-vis the data subjects, notification to the European Data Protection Supervisor (‘EDPS’) and record keeping.

    (4) In order to facilitate the exercise of the responsibilities of the delegated controllers, each Commission service should appoint a Data Protection Coordinator (‘DPC’). The DPC should participate in the network of data protection coordinators in the Commission in order to ensure coherent implementation and interpretation of Regulation (EU) 2018/1725 in the Commission, and to discuss subjects of common interest.

    (5) With a view to the task of the DPO to assign responsibilities pursuant to Article 45(1)(b) of Regulation (EU) 2018/1725, the DPO should issue additional guidance on the function of the DPC.

    (6) The Commission processes several categories of personal data for the purpose of the monitoring, investigative, auditing and consultative activities of the DPO. In particular, the Commission processes identification data, contact data, professional data and case involvement data. Those data are retained for five years after the activities are closed in accordance with the Common Commission-Level Retention List (2).

    (7) In certain circumstances, it is necessary to reconcile the rights of data subjects pursuant to Regulation (EU) 2018/1725 with the need for the Commission to perform the monitoring, investigative, auditing or consultative tasks of the DPO, and the need for confidentiality of exchanges of information with other Commission services, as well as with full respect for fundamental rights and freedoms of other data subjects. To that effect, Article 25(1) of Regulation (EU) 2018/1725 provides the Commission with the possibility to restrict the application of Articles 14 to 17, 19, 20 and 35, as well as the principle of transparency laid down in Article 4(1)(a), insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 17, 19 and 20 of that Regulation.

    (8) In order to ensure the confidentiality and effectiveness of the monitoring, investigative, auditing or consultative tasks of the DPO while respecting the standards of protection of personal data under Regulation (EU) 2018/1725, it is necessary to adopt internal rules under which the DPO may restrict data subjects’ rights in line with Article 25 of Regulation (EU) 2018/1725.

    (9) The internal rules should apply to all data processing operations carried out by the Commission in the performance of the monitoring, investigative, auditing or consultative tasks of the DPO. They should apply to processing operations carried out prior to the opening of an investigation or audit, during the course of an investigation or audit, and during the monitoring of the follow-up to their outcome. Those rules should also apply to processing operations which form part of the tasks linked to the investigative or auditing function of the DPO, such as complaint processes conducted by the DPO. The rules should also apply to the monitoring of the DPO and the consultations of the DPO, when the DPO provides assistance and cooperation to the Commission services outside of its administrative investigations and audits.

    (10) In order to comply with Articles 14, 15 and 16 of Regulation (EU) 2018/1725, the Commission should inform all individuals of the monitoring, investigative, auditing or consultative tasks of the DPO that involve processing of their personal data and of their rights pursuant to Regulation (EU) 2018/1725. The Commission should inform those individuals in a transparent and coherent manner, in the form of the data protection notices published on the Commission website, as well as inform each data subject concerned by a monitoring, investigative, auditing or consultative activity of the DPO.

    (11) In certain circumstances, the Commission may have to restrict the provision of information to data subjects and the application of other rights of data subjects. It may do so in order to protect the monitoring, investigative, auditing or consultative tasks of the DPO, related investigations and proceedings of other Commission services, the tools and methods of DPO investigations and audits, as well as the rights of other persons related to the tasks of the DPO.

    (12) In some cases, providing particular information to the data subjects or revealing the existence of a monitoring, investigative, auditing or consultative activity of the DPO could render impossible or seriously impair the purpose of the processing operation and the capability of the DPO to conduct such activity.

    (13) Furthermore, the Commission should protect the identity of informants, who should not suffer negative repercussions as a consequence of their cooperation with the DPO.

    (14) For those reasons, the Commission may need to apply the grounds for restrictions referred to in Article 25(1)(c), (g) and (h) of Regulation (EU) 2018/1725 to data processing operations carried out in the framework of the monitoring, investigative, auditing or consultative tasks of the DPO set out in Article 45 of that Regulation.

    (15) In addition, in order to maintain effective cooperation, the Commission may need to apply restrictions to data subjects’ rights to protect information containing personal data originating from other Commission services, Union institutions or bodies. To that effect, the DPO should consult those services, institutions or bodies on the relevant grounds for and the necessity and proportionality of the restrictions.

    (16) In the framework of the monitoring, investigative, auditing or consultative tasks of the DPO, the DPO exchanges information, including personal data, with other Commission services. Therefore, all Commission services processing personal data, which are processed by the DPO in the performance of his or her tasks, should apply the rules set out in this Decision with a view to protecting the processing operations carried out by the DPO. In such circumstances, the Commission services concerned should therefore consult the DPO on the relevant grounds for the restrictions and their necessity and proportionality in order to ensure their coherent application.

    (17) The DPO – and, where relevant, other Commission services – should handle all restrictions in a transparent manner and register each application of restrictions in the corresponding record system.

    (18) Pursuant to Article 25(8) of Regulation (EU) 2018/1725, the controllers may defer or refrain from providing information on the reasons for the application of a restriction to the data subject if this would in any way compromise the purpose of the restriction. In particular, where a restriction to the rights provided for in Articles 16 and 35 is applied, the notification of such a restriction would compromise the purpose of the restriction. In order to ensure that the data subject’s right to be informed in accordance with Articles 16 and 35 of Regulation (EU) 2018/1725 is restricted only as long as the reasons for the deferral last, the Commission should regularly review its position.

    (19) Where a restriction of other data subjects’ rights is applied, the DPO should assess, on a case-by-case basis, whether the communication of the restriction would compromise its purpose.

    (20) The DPO should carry out an independent review of the application of restrictions based on this Decision, by other Commission services, with a view to ensuring compliance with this Decision.

    (21) Any restriction applied on the basis of this Decision should be necessary and proportionate taking into account the risks to the rights and freedoms of data subjects.

    (22) The European Data Protection Supervisor was informed and consulted in accordance with Article 41(1) and (2) of Regulation (EU) 2018/1725 and delivered an opinion on 16 September 2019.

    (23) Commission Decision 2008/597/EC (3) lays down implementing rules concerning the Data Protection Officer pursuant to Regulation (EC) No 45/2001 of the European Parliament and of the Council (4). Regulation (EU) 2018/1725 repealed Regulation (EC) No 45/2001 with effect from 11 December 2019. In order to ensure that only one set of implementing rules applies to the Data Protection Officer, Decision 2008/597/EC should also be repealed,

    HAS ADOPTED THIS DECISION:

    CHAPTER 1

    GENERAL PROVISIONS

    Article 1

    Subject matter and scope

    1.   This Decision provides rules and procedures for the application of Regulation (EU) 2018/1725 by the Commission, and sets out implementing rules concerning the Data Protection Officer for the Commission (‘DPO’).

    2.   This Decision also lays down the rules to be followed by the Commission, in relation to the monitoring, investigative, auditing or consultative tasks of the DPO, to inform data subjects of the processing of their personal data in accordance with Articles 14, 15 and 16 of Regulation (EU) 2018/1725.

    3.   This Decision also lays down the conditions under which the Commission, in relation to the monitoring, investigative, auditing or consultative tasks of the DPO, may restrict the application of Articles 4, 14 to 17, 19, 20 and 35 of Regulation (EU) 2018/1725, in accordance with Article 25(1)(c), (g) and (h) thereof.

    4.   This Decision applies to the processing of personal data by the Commission for the purpose of or in relation to the tasks of the DPO referred to in Article 45 of Regulation (EU) 2018/1725, in particular the monitoring, investigative, auditing and consultative tasks of the DPO.

    Article 2

    Controllership

    For the purposes of this Decision, the Commission shall be considered to be the controller within the meaning of Article 3(8) of Regulation (EU) 2018/1725.

    Article 3

    Definitions

    For the purpose of this Decision, the following definitions apply:

    (1) ‘Data Protection Officer’ (DPO) means the person whom the Commission has designated pursuant to Article 43 of Regulation (EU) 2018/1725;

    (2) ‘DPO tasks’ means the DPO tasks referred to in Article 45 of Regulation (EU) 2018/1725, in particular the monitoring, investigative, auditing and consultative tasks of the DPO;

    (3) ‘Data Protection Coordinator’ (DPC) means the Commission staff member whom a Directorate-General or Service of the Commission appointed to advise and assist that Directorate-General or Service in all aspects of the protection of personal data;

    (4) ‘delegated controller’ means the Head of the Directorate-General, Service or Cabinet, which carries out a processing operation on behalf of the Commission in fulfilment of the mission of that Directorate-General, Service or Cabinet;

    (5) ‘operational controller’ means the Commission staff member of middle or senior management level, designated by the delegated controller to ensure record keeping for the processing operation and to serve as primary contact point for data subjects in relation to that processing operation;

    (6) ‘internal arrangement’ means any arrangement between two or more Directorates-General or Services to determine their respective responsibilities and coordinate the keeping of a record of processing regarding a processing operation which they carry out jointly or where one or more Directorates-General or Services carry out a part of the delegated controller’s processing operation;

    (7) ‘informant’ means an individual who brings a matter alleging that a breach of the provisions of Regulation (EU) 2018/1725 has taken place to the attention of the DPO, or requests that the DPO investigate matters and occurrences directly relating to the DPO’s tasks, which that individual brings to the DPO’s notice.

    CHAPTER 2

    DATA PROTECTION OFFICER AND DATA PROTECTION COORDINATOR

    Article 4

    Designation and position

    The DPO shall be selected from the staff of the Commission on the basis of his or her professional qualities, including a sound knowledge of the Commission Services, their structure, and their administrative rules and procedures.

    Article 5

    Tasks and duties

    1.   The DPO shall contribute to creating a culture of protection of personal data within the Commission based on risk assessment and accountability.

    2.   The DPO shall monitor implementation of Regulation (EU) 2018/1725 in the Commission by, inter alia, annually establishing and carrying out a work programme on inspections and audits.

    3.   The DPO shall organise and chair regular meetings of DPCs.

    4.   The DPO shall keep the Commission’s records of processing activities in a central register and shall make it publicly accessible.

    The DPO shall also keep an internal Commission register of personal data breaches within the meaning of Article 3(16) of Regulation (EU) 2018/1725.

    5.   In the discharge of his or her functions, the DPO shall cooperate with the data protection officers designated by the other Union institutions and bodies.

    6.   The DPO shall be considered to be the delegated controller for the purpose of individual decisions concerning the rights of data subjects under Regulation (EU) 2018/1725 in relation to processing operations of the DPO.

    Article 6

    Powers

    In performing the DPO tasks, the DPO:

    (a) shall, where necessary for his or her tasks, have access to the data forming the subject matter of processing operations on personal data and to all offices, data processing installations and data carriers;

    (b) may request legal opinions from the Legal Service of the Commission;

    (c) may, in the event of conflict between the DPO and the delegated controller, operational controller or processor relating to the interpretation or implementation of Regulation (EU) 2018/1725, inform the competent delegated controller and the Secretary-General;

    (d) may assign files to the Commission’s Directorates-General or Services concerned for appropriate follow-up;

    (e) may perform investigations on request, or upon the DPO’s own initiative, into matters and occurrences directly relating to the DPO tasks in accordance with the procedure set out in Article 11;

    (f) may, when making recommendations and rendering advice:

        (i) call upon the delegated controller or the processor to comply with a data subject’s request for the exercise of his or her rights pursuant to Regulation (EU) 2018/1725;

        (ii) issue warnings to the delegated controller or the processor when a processing operation infringes provisions of Regulation (EU) 2018/1725, and call upon them to bring processing operations into compliance, where appropriate, in a specified manner and within a specified period;

        (iii) call upon the delegated controller or the processor to suspend data flows to a recipient in a Member State, to a third country or to an international organisation;

        (iv) request the delegated controller or the processor to report within a set deadline to the DPO on the follow-up given to the DPO’s recommendation or advice;

    (g) may bring to the attention of the Secretary-General any failure of a delegated controller, an operational controller or a processor to comply with the measures taken pursuant to Article 6(f);

    (h) shall be responsible for initial decisions on requests for access to documents held by his or her office under Regulation (EC) No 1049/2001 of the European Parliament and of the Council (5).

    Article 7

    Data Protection Coordinators

    1.   The delegated controller shall appoint a DPC and, where appropriate, one or more assistant DPCs in the Directorate-General or Service under his or her responsibility. Two or more delegated controllers may, for reasons of coherence or efficiency, decide to appoint a common DPC or assistant DPC or share the services of an already appointed DPC or assistant DPC. The delegated controllers concerned shall record their agreement to do so in writing.

    2.   The DPC appointed by a Directorate-General or Service shall also be competent for the Cabinet responsible for that Directorate-General or Service. The DPC appointed for the Secretariat-General shall be competent for the President’s Cabinet as well as for Cabinets for which the Secretariat-General is the only supporting Service. Where a Cabinet is responsible for several Directorates-General or Services, the delegated controllers shall decide which of their respective DPCs are to be competent for that Cabinet.

    3.   The DPO, the staff of the relevant Directorate-General or Service and the relevant Cabinet shall be informed whenever a new DPC is appointed.

    Newly appointed DPCs shall complete training to acquire the necessary competences for the role of DPC within six months of appointment. A DPC who has previously held a DPC post in another Directorate-General or Service or has been a staff member of the DPO within two years prior to appointment as DPC shall be exempt from that training requirement.

    4.   Delegated controllers shall put appropriate arrangements in place in order to ensure that the DPC is involved properly and in a timely manner in all issues which relate to data protection in their Directorate-General or Service and that opinions delivered by the DPC are promptly brought to the attention of the delegated controller at the request of the DPC.

    5.   DPCs shall be chosen on the basis of their knowledge and experience of the functioning of the respective Directorate-General or Service, motivation for the function, competences relating to data protection, understanding of information systems principles, and communication skills.

    6.   The function of DPC may be combined with other functions. The delegated controller shall ensure that those functions are compatible with the function of DPC.

    7.   The DPC function shall be part of the job description of each member of staff appointed as DPC. Reference to their responsibilities and achievements shall be made in the annual appraisal report.

    8.   The DPC shall act as a contact point between the delegated controller, the operational controller and the processor, and the DPO.

    9.   DPCs shall have the right to obtain any information in their Directorate-General or Service to the extent that this is necessary for the performance of the tasks of DPC. DPCs shall access personal data only if it is necessary for the performance of their tasks.

    10.   The DPC shall keep records and provide anonymised statistics of requests from data subjects to the Directorate-General, Service or Cabinet, specifying the numbers of requests and the number of requests rejected fully or in part. The DPO shall specify the categories of requests of which statistics shall be kept. The DPO may specify which further details are to be provided.

    The DPC shall keep anonymised statistics of personal data breaches managed by the Directorate-General, Service or Cabinet, specifying the total number of personal data breaches, the number of personal data breaches notified to the EDPS and the number of personal data breaches communicated to data subjects.

    11.   The DPC shall raise awareness on data protection matters within his or her DG or Service and shall advise and assist the delegated controllers and operational controllers in complying with their obligations, especially as regards:

    (a) implementation of the general principles of Regulation (EU) 2018/1725;

    (b) documentation of the processing operations;

    (c) submission of the records of delegated controllers’ processing operations to the DPO pursuant to Article 10;

    (d) the preparation of privacy statements.

    12.   DPCs shall participate in the meetings and, where necessary, in working groups of the DPCs.

    13.   The DPO shall issue additional guidance on the responsibilities and the functions of the DPC.

    CHAPTER 3

    CONTROLLERS

    Article 8

    Delegated controllers and operational controllers

    1.   Delegated controllers shall act on behalf of the Commission as controller for the purposes of the application of Regulation (EU) 2018/1725.

    2.   Delegated controllers and operational controllers:

    (a) may consult the DPO, through the DPC, on the conformity of processing operations, in particular in the event of doubt as to conformity;

    (b) shall report to the DPO, through the DPC, on the handling of any request received from a data subject for the exercise of his or her rights.

    3.   The delegated controller shall:

    (a) designate an operational controller to assist the delegated controller in ensuring compliance with Regulation (EU) 2018/1725, in particular vis-à-vis data subjects;

    (b) ensure that internal arrangements with other Directorates-General or Services are in place, where the delegated controller carries out processing operations jointly with those Directorates-General or Services or where those Directorates-General or Services carry out a part of the delegated controller’s processing operation.

    The arrangements referred to in point (b) of the first subparagraph shall determine their respective responsibilities for compliance with their data protection obligations. In particular, they shall identify the delegated controller determining the means and purposes of the processing operation as well as the operational controller for the processing operation and, where appropriate, the persons and/or entities that are to assist the operational controller, inter alia with information in the case of data breaches or in accommodating data subjects’ rights.

    4.   The operational controller shall:

    (a) receive and process all requests from data subjects;

    (b) notify the European Data Protection Supervisor (EDPS) in case of personal data breaches;

    (c) inform the DPC and the DPO in case of personal data breaches, and notify the data subject, when relevant;

    (d) ensure that the DPC is kept aware of all matters relating to data protection, in particular requests from data subjects;

    (e) carry out any other task within the scope of this Decision at the request of the delegated controller.

    CHAPTER 4

    OTHER OBLIGATIONS AND PROCEDURES

    Article 9

    Information

    The delegated controller, in cooperation with the DPC, shall inform the DPO when it consults or informs the EDPS in accordance with Regulation (EU) 2018/1725, and in particular pursuant to Articles 40 and 41 of that Regulation. In addition, the delegated controller, operational controller or DPC shall inform the DPO of any other direct interactions with EDPS related to the implementation of Regulation (EU) 2018/1725.

    Article 10

    Register

    1.   The DPO shall ensure that the register of processing operations of the Commission is accessible through the website of the DPO on the Commission’s Intranet and through the website of the DPO on the Europa website.

    2.   Delegated controllers shall notify the records of their processing operations, through their DPC, to the DPO by using the online notification system of the Commission, accessible through the website of the DPO on the Commission’s Intranet.

    Article 11

    Investigation procedure

    1.   The requests for an investigation referred to in Article 6(e) shall be addressed to the DPO in writing. Within 15 working days following receipt, the DPO shall send an acknowledgement of receipt to the person who commissioned the investigation, and verify whether the request is to be treated as confidential, in order to ensure the confidentiality of the request, unless the data subjects concerned give their unambiguous consent for the request to be handled otherwise. In the event of manifest abuse of the right to request an investigation, the DPO shall not be obliged to report to the requester.

    2.   The DPO shall request a written statement on the matter from the delegated controller who is responsible for the data-processing operation in question. The delegated controller shall provide their response to the DPO within 15 working days. The DPO may request complementary information from the delegated controller, the processor or other parties within 15 working days.

    3.   The DPO shall report back to the person who commissioned the investigation no later than three months following the receipt of the request. This period may be suspended until the DPO has obtained all necessary information that he or she may have requested.

    4.   No one shall suffer prejudice on account of a matter brought to the attention of the DPO alleging a breach of the provisions of Regulation (EU) 2018/1725.

    Article 12

    Administration and management

    1.   The DPO shall be attached for administrative purposes to the Secretariat-General. In this context, the DPO shall participate in preparing the Annual Management Plan and the Draft Preliminary Budget of the Secretariat-General.

    2.   The DPO shall be the reporting officer for the staff of the Data Protection Office. The Deputy Secretary-General shall be the countersigning officer. The DPO shall participate in the management coordination of the Secretariat-General as appropriate.

    CHAPTER 5

    RESTRICTION OF DATA SUBJECTS’ RIGHTS

    Article 13

    Applicable exceptions and restrictions

    1.   Where the Commission exercises its duties with respect to data subjects’ rights pursuant to Regulation (EU) 2018/1725, it shall consider whether any of the exceptions laid down in that Regulation apply.

    2.   Subject to Articles 14 to 18 of this Decision, the Commission may restrict the application of Articles 14 to 17, 19, 20 and 35 of Regulation (EU) 2018/1725, as well as the principle of transparency laid down in Article 4(1)(a) of that Regulation insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 17, 19 and 20 of Regulation (EU) 2018/1725, where the exercise of those rights and obligations would jeopardise the purpose of the DPO tasks, inter alia, by revealing its investigative or auditing tools and methods, or would adversely affect the rights and freedoms of other data subjects in accordance with Article 25(1)(c), (g) and (h).

    3.   Subject to Articles 14 to 18 of this Decision, the Commission may restrict the rights and obligations referred to in paragraph 2 of this Article, in relation to personal data obtained by the DPO from Commission services, or other Union institutions and bodies. The Commission may do so where the exercise of those rights and obligations could be restricted by those Commission services, Union institutions or bodies on the basis of other acts provided for in Article 25 of Regulation (EU) 2018/1725 or in accordance with Chapter IX of that Regulation or in accordance with Regulation (EU) 2016/794 of the European Parliament and of the Council (6) or Council Regulation (EU) 2017/1939 (7).

    Before applying restrictions in the circumstances referred to in the first subparagraph, the Commission shall consult the relevant Union institution or bodies unless it is clear to the Commission that the application of a restriction is provided for by one of the acts referred to in that subparagraph.

    4.   Any restriction of the application of rights and obligations, referred to in paragraph 2 of this Article, shall be necessary and proportionate taking into account the risks to the rights and freedoms of data subjects.

    Article 14

    Provision of information to data subjects

    1.   The Commission shall publish, on its website, data protection notices that inform all data subjects of the DPO tasks involving processing of their personal data.

    2.   The Commission shall individually inform, in an appropriate format, any natural person whom it considers a person concerned by the DPO tasks or an informant.

    3.   Where the Commission restricts, wholly or partly, the provision of the information to data subjects referred to in paragraph 2, the Commission shall record and register the reasons for the restriction, in accordance with Article 17.

    Article 15

    Right to access by data subjects, right to erasure and right to restriction of processing

    1.   Where the Commission restricts, wholly or partly, the right of access to personal data by data subjects, the right to erasure, or the right to restriction of processing as referred to in Articles 17, 19 and 20 respectively of Regulation (EU) 2018/1725, it shall inform the data subject concerned, in its reply to the request for access, erasure or restriction of processing, of the restriction applied and of the principal reasons therefor, and of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy in the Court of Justice of the European Union.

    2.   The provision of information concerning the reasons for the restriction referred to in paragraph 1 may be deferred, omitted or denied for as long as it would undermine the purpose of the restriction.

    3.   The Commission shall record and register the reasons for the restriction in accordance with Article 17.

    4.   Where the right of access is wholly or partly restricted, the data subject is entitled to exercise his or her right of access through the intermediary of the EDPS, in accordance with Article 25(6), (7) and (8) of Regulation (EU) 2018/1725.

    Article 16

    Communication of a personal data breach to the data subject

    Where the Commission restricts the communication of a personal data breach to the data subject, as referred to in Article 35 of Regulation (EU) 2018/1725, it shall record and register the reasons for the restriction in accordance with Article 17 of this Decision.

    Article 17

    Recording and registering of restrictions

    1.   The Commission shall record the reasons for any restriction applied pursuant to this Decision, including a case-by-case assessment of the necessity and proportionality of the restriction taking into account the relevant elements in Article 25(2) of Regulation (EU) 2018/1725.

    To that end, the record shall state how the exercise of the right would jeopardise the purpose of the DPO tasks under this Decision, or of restrictions applied pursuant to Article 13(2) or (3), or would adversely affect the rights and freedoms of other data subjects.

    2.   The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the EDPS on request.

    Article 18

    Duration of restrictions

    1.   Restrictions referred to in Articles 14, 15 and 16 shall continue to apply as long as the reasons justifying them remain applicable.

    2.   Where the reasons for a restriction referred to in Article 14 or 16 no longer apply, the Commission shall lift the restriction and provide the reasons for the restriction to the data subject. At the same time, the Commission shall inform the data subject of the possibility of lodging a complaint with the EDPS at any time or of seeking a judicial remedy in the Court of Justice of the European Union.

    3.   The Commission shall review the application of the restrictions referred to in Articles 14 and 16 every six months from their adoption and in any case at the closure of the relevant DPO activity. Thereafter, the Commission shall monitor the need to maintain any restriction or deferral on an annual basis.

    Article 19

    Review by the Data Protection Officer

    1.   Where other Commission services conclude that a data subject’s rights should be restricted pursuant to this Decision, they shall inform the DPO. They shall also provide the DPO with access to the record and any documents containing underlying factual and legal elements.

    2.   The DPO may request that the delegated controller of the Commission service concerned review the application of the restrictions. The delegated controller of the Commission service concerned shall inform the DPO in writing about the outcome of the requested review.

    CHAPTER 6

    FINAL PROVISIONS

    Article 20

    Repeal

    Decision 2008/597/EC is repealed.

    Article 21

    Entry into force

    This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

    Done at Brussels, 3 July 2020.

    For the Commission

    The President

    Ursula VON DER LEYEN


    (1)  OJ L 295, 21.11.2018, p. 39.

    (2)  SEC(2019)900/2.

    (3)  Commission Decision 2008/597/EC of 3 June 2008 adopting implementing rules concerning the Data Protection Officer pursuant to Article 24(8) of Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 193, 22.7.2008, p. 7).

    (4)  Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).

    (5)  Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).

    (6)  Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53).

    (7)  Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’) (OJ L 283, 31.10.2017, p. 1).
