Annual Report 2011 ISSN 1830-5474 European Data Protection Supervisor


The European guardian of personal data protection

www.edps.europa.eu


QT-AA-12-001-EN-C


HOW TO OBTAIN EU PUBLICATIONS

Free publications:

• via EU Bookshop (http://bookshop.europa.eu);

• at the European Commission’s representations or delegations. You can obtain their contact details on the Internet (http://ec.europa.eu) or by sending a fax to +352 2929-42758.

Priced publications:

• via EU Bookshop (http://bookshop.europa.eu).

Priced subscriptions (e.g. annual series of the Official Journal of the European Union and reports of cases before the Court of Justice of the European Union):

• via one of the sales agents of the Publications Office of the European Union (http://publications.europa.eu/others/agents/index_en.htm).


Europe Direct is a service to help you find answers to your questions about the European Union.

Freephone number (*):

00 800 6 7 8 9 10 11

(*) Certain mobile telephone operators do not allow access to 00 800 numbers or these calls may be billed.

More information on the European Union is available on the Internet (http://europa.eu).

Cataloguing data can be found at the end of this publication.

Luxembourg: Publications Office of the European Union, 2012

ISBN 978-92-95073-28-9
doi:10.2804/35928

© European Union, 2012
Reproduction is authorised provided the source is acknowledged.
© Photos: iStockphoto and European Parliament

Printed in Luxembourg

PRINTED ON ELEMENTAL CHLORINE-FREE BLEACHED PAPER (ECF)


Contents

User guide
Mission statement
Foreword

1. 2011 HIGHLIGHTS
  1.1. General overview of 2011
  1.2. Results in 2011

2. SUPERVISION AND ENFORCEMENT
  2.1. Introduction
  2.2. Data protection officers
  2.3. Prior checks
    2.3.1. Legal base
    2.3.2. Procedure
    2.3.3. Main issues in prior checks
    2.3.4. Consultations on the need for prior checking
    2.3.5. Notifications not subject to prior checking or withdrawn
    2.3.6. Follow-up of prior checking opinions
    2.3.7. Conclusions
  2.4. Complaints
    2.4.1. The EDPS mandate
    2.4.2. Procedure for handling of complaints
    2.4.3. Confidentiality guaranteed to the complainants
    2.4.4. Complaints dealt with during 2011
  2.5. Monitoring compliance
    2.5.1. General monitoring and reporting: 2011 Survey
    2.5.2. Targeted monitoring
    2.5.3. Inspections
  2.6. Consultations on administrative measures
    2.6.1. Consultations Articles 28.1 and 46(d)
  2.7. Data protection guidance
    2.7.1. Thematic Guidelines
      Guidelines on anti-harassment procedures
      Guidelines on staff evaluation
      Follow-up Report on Video-Surveillance Guidelines
    2.7.2. Training

3. POLICY AND CONSULTATION
  3.1. Introduction: overview of the year and main trends
  3.2. Policy framework and priorities
    3.2.1. Implementation of consultation policy
    3.2.2. Results in 2011
  3.3. Review of the EU Data Protection Framework
    3.3.1. A comprehensive approach to personal data protection in the European Union
  3.4. Area of Freedom, Security and Justice and international cooperation
    3.4.1. Data Retention
    3.4.2. Terrorist Finance Tracking System (TFTS)
    3.4.3. European Passenger Name Records
    3.4.4. Agreement between the EU and Australia on Passenger Name Records
    3.4.5. Agreement between the EU and USA on Passenger Name Records
    3.4.6. Anti-corruption package
    3.4.7. Legislative proposals concerning certain restrictive measures
    3.4.8. Migration
    3.4.9. Victims of crime
  3.5. Digital Agenda and technology
    3.5.1. Net neutrality
    3.5.2. Technological project “Turbine”
  3.6. Internal Market including financial data
    3.6.1. Internal Market Information System
    3.6.2. Energy Market Integrity and Transparency
    3.6.3. Interconnection of business registers
    3.6.4. Credit agreements relating to residential property
    3.6.5. Over-the-counter derivatives, central counterparties and trade repositories
    3.6.6. Technical requirements for credit transfers and direct debits in Euros
    3.6.7. Airport body scanners
  3.7. Cross-border enforcement
    3.7.1. Intellectual Property Rights Enforcement Directive
    3.7.2. Customs enforcement of intellectual property rights
    3.7.3. Jurisdiction and the recognition and enforcement of judgments in civil and commercial matters
    3.7.4. European Account Preservation Order
  3.8. Public health and consumer affairs
    3.8.1. Consumer Protection Cooperation System
  3.9. Other issues
    3.9.1. OLAF Reform Regulation
    3.9.2. EU Financial Regulation
    3.9.3. European statistics on safety from crime
    3.9.4. Transport
    3.9.5. Common Agricultural Policy after 2013
    3.9.6. Fisheries policy control
  3.10. Public access to documents containing personal data
  3.11. Court matters
    3.11.1. EDPS participation in court proceedings
    3.11.2. Data protection case law
  3.12. Future technological developments
  3.13. Priorities for 2012

4. COOPERATION
  4.1. Article 29 Working Party
  4.2. Coordinated supervision of Eurodac
    4.2.1. Advance Deletion Report
    4.2.2. New exercise in 2012: unreadable fingerprints
    4.2.3. Coordinated security audit questionnaire
    4.2.4. Visa Information System
  4.3. Supervision of the Customs Information System (CIS)
  4.4. Police and judicial cooperation: cooperation with JSB/JSAs and WPPJ
  4.5. European Conference
  4.6. International Conference

5. INFORMATION AND COMMUNICATION
  5.1. Introduction
  5.2. Communication ‘features’
    5.2.1. Key audiences and target groups
    5.2.2. Language policy
  5.3. Media relations
    5.3.1. Press releases
    5.3.2. Press interviews
    5.3.3. Press conference
    5.3.4. Media enquiries
  5.4. Requests for information and advice
  5.5. Study visits
  5.6. Online information tools
    5.6.1. Website
    5.6.2. Newsletter
  5.7. Publications
    5.7.1. Annual Report
    5.7.2. Thematic publications
  5.8. Awareness-raising events
    5.8.1. Data Protection Day 2011
    5.8.2. EU Open Day 2011

6. ADMINISTRATION, BUDGET AND STAFF
  6.1. Introduction
  6.2. Budget
  6.3. Human resources
    6.3.1. Recruitment
    6.3.2. Traineeship programme
    6.3.3. Programme for seconded national experts
    6.3.4. Organisation chart
    6.3.5. Working conditions
    6.3.6. Training
    6.3.7. Social activities
  6.4. Control functions
    6.4.1. Internal control
    6.4.2. Internal audit
    6.4.3. External audit
    6.4.4. Security
  6.5. Infrastructure
  6.6. Administrative environment
    6.6.1. Administrative assistance and inter-institutional cooperation
    6.6.2. Internal rules
    6.6.3. Document management
    6.6.4. Planning

7. EDPS DATA PROTECTION OFFICER
  7.1. The DPO at the EDPS
  7.2. The Register of processing operations
  7.3. EDPS 2011 Survey
  7.4. Information and raising awareness

8. MAIN OBJECTIVES IN 2012
  8.1. Supervision and enforcement
  8.2. Policy and consultation
  8.3. Cooperation
  8.4. Other fields

Annex A — Legal framework
Annex B — Extract from Regulation (EC) No 45/2001
Annex C — List of abbreviations
Annex D — List of Data Protection Officers
Annex E — List of prior check opinions
Annex F — List of opinions and formal comments on legislative proposals
Annex G — Speeches by the Supervisor and Assistant Supervisor in 2011
Annex H — Composition of EDPS Secretariat


USER GUIDE

Following this guide, there is a mission statement and foreword to the 2011 Annual Report by Peter Hustinx, European Data Protection Supervisor (EDPS), and Giovanni Buttarelli, Assistant Supervisor.

Chapter 1 — 2011 Highlights presents the main features of the EDPS work in 2011 and the results achieved in the various fields of activities.

Chapter 2 — Supervision describes the work done to monitor and ensure the compliance of EU institutions and bodies to their data protection obligations. This chapter presents an analysis of the main issues in prior checks, further work in the field of complaints, monitoring compliance and advice on administrative measures dealt with in 2011. It also includes thematic guidelines adopted by the EDPS in anti-harassment procedures and staff evaluation, as well as the follow-up report on video-surveillance.

Chapter 3 — Consultation deals with developments in the EDPS advisory role, focusing on opinions and comments issued on legislative proposals and related documents, as well as their impact in a growing number of areas. The chapter also discusses the involvement of the EDPS in cases before the Court of Justice. It contains an analysis of horizontal themes: new developments in policy and legislation and the ongoing review of the EU data protection legal framework.

Chapter 4 — Cooperation describes work done in key forums such as the Article 29 Data Protection Working Party and the European as well as the international data protection conferences. It also deals with coordinated supervision (by EDPS and national data protection authorities) of large scale IT-systems.

Chapter 5 — Communication presents the EDPS information and communication activities and achievements, including external communication with the media, awareness-raising events, public information and online information tools.

Chapter 6 — Administration, budget and staff details the key areas within the EDPS organisation including budget issues, human resource matters and administrative agreements.

Chapter 7 — EDPS Data Protection Officer (DPO). Drawing on the DPO action plan and the implementing rules adopted, this chapter highlights the progress made on the Register of notifications, on compliance with the Spring exercise and on the need for information and raising awareness.

Chapter 8 - Main objectives in 2012 provides a brief look ahead and the main priorities for 2012.

This Report concludes with a number of annexes. They include an overview of the relevant legal framework, provisions of Regulation (EC) No 45/2001, the list of Data Protection Officers, the lists of EDPS prior check opinions and consultative opinions, speeches given by the Supervisor and Assistant Supervisor and the composition of the EDPS secretariat.

An executive summary of this Report is also available, providing an overview of key developments in EDPS activities over 2011.

Further details about the EDPS can be found on our website at http://www.edps.europa.eu. The website also details a subscription feature to our newsletter.

Hard copies of the annual report and the executive summary may be ordered free of charge from the EU Bookshop (http://www.bookshop.europa.eu).


MISSION STATEMENT

The mission of the European Data Protection Supervisor (EDPS) is to ensure that the fundamental rights and freedoms of individuals — in particular their privacy — are respected when the EU institutions and bodies process personal data.

The EDPS is responsible for:

• monitoring and ensuring that the provisions of Regulation (EC) No 45/2001 (1), as well as other EU acts on the protection of fundamental rights and freedoms, are complied with when EU institutions and bodies process personal data (supervision);

• advising EU institutions and bodies on all matters relating to the processing of personal data; this includes consultation on proposals for legislation and monitoring new developments that have an impact on the protection of personal data (consultation);

• cooperating with national supervisory authorities and supervisory bodies in the former ‘third pillar’ of the EU with a view to improving consistency in the protection of personal data (cooperation).

In light of this, the EDPS also aims to work strategically to:

• promote a ‘data protection culture’ within EU institutions and bodies, thereby contributing to improve good governance;

• integrate respect for data protection principles in EU legislation and policies, whenever relevant;

• improve the quality of EU policies, whenever effective data protection is a basic condition for their success.

(1) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).


FOREWORD

We are pleased to submit the Annual Report on the activities of the European Data Protection Supervisor (EDPS) to the European Parliament, the Council and the European Commission, in accordance with Regulation (EC) No 45/2001 of the European Parliament and of the Council and Article 16 of the Treaty on the Functioning of the European Union, which has replaced Article 286 of the EC Treaty.

This report covers 2011 as the seventh full year of activity of the EDPS as an independent supervisory authority, tasked with ensuring that the fundamental rights and freedoms of natural persons and in particular their privacy with regard to the processing of personal data are respected by EU institutions and bodies. It also covers the third year of our common mandate as members of this authority.

In the course of 2011, we set new benchmarks in different areas of activity. In the supervision of EU institutions and bodies, when processing personal data, we interacted with more data protection officers in more institutions and bodies than ever before. In addition, we saw the effects of our new enforcement policy: most EU institutions and bodies are making good progress in complying with the Data Protection Regulation, while others should increase their efforts.

In the consultation of new legislative measures, we issued a record number of opinions on a range of subjects. The most prominent is the Review of the EU legal framework for data protection, which remains high on our agenda. However, the implementation of the Stockholm programme in the area of freedom, security and justice and the Digital Agenda, as the cornerstone for the Europe 2020 strategy, also had an impact on data protection. This can be said as well of issues in the internal market, public health and consumer affairs, and enforcement in a cross border context.

At the same time, we increased cooperation with other supervisory authorities and further improved the efficiency and effectiveness of our organisation.

We wish to take this opportunity to thank those in the European Parliament, the Council and the Commission who support our work and many others in different institutions and bodies who are responsible for the way in which data protection is delivered in practice. We would also like to encourage those who are dealing with important challenges ahead in this field.

Finally, we wish to express special thanks to our members of staff. The level of quality is outstanding and our staff contributes greatly to our effectiveness.

Peter Hustinx
European Data Protection Supervisor

Giovanni Buttarelli
Assistant Supervisor


1. 2011 HIGHLIGHTS

1.1. General overview of 2011

The main activities of the EDPS in 2011 have been based on the same overall strategy as in past years, though they have continued to grow both in scale and scope. The capacity of the EDPS to act both effectively and efficiently has also been improved.

The legal framework (2) within which the EDPS acts provides for a number of tasks and powers which allow for a distinction between three main roles. These roles continue to serve as strategic platforms for the activities of the EDPS and are reflected in the mission statement:

• a supervisory role to monitor and ensure that EU institutions and bodies (3) comply with existing legal safeguards whenever they process personal data;

• a consultative role to advise EU institutions and bodies on all relevant matters, especially on proposals for legislation that have an impact on the protection of personal data;

• a cooperative role to work with national supervisory authorities and supervisory bodies in the former ‘third pillar’ of the EU, involving police and judicial cooperation in criminal matters, with a view to improving consistency in the protection of personal data.

(2) See overview of legal framework in Annex A and extract from Regulation (EC) No 45/2001 in Annex B.

(3) The terms ‘institutions’ and ‘bodies’ of Regulation (EC) No 45/2001 are used throughout the report. This also includes EU agencies. For a full list, visit the following link: http//europa.eu/agencies/community_agencies/index.en.htm

These roles will be detailed further in Chapters 2, 3 and 4 of this annual report, in which the main activities of the EDPS and the progress achieved in 2011 are presented. Some key elements are summarised in this section.

The importance of information and communication concerning these activities justifies a separate emphasis on communication and this is covered in Chapter 5. All these activities rely on effective management of financial, human and other resources, as outlined in Chapter 6.

Supervision and enforcement

Supervisory tasks range from advising and supporting data protection officers through prior checking of risky data processing operations, to conducting inquiries, including on-the-spot inspections and handling complaints. Further advice to the EU administration can also take the form of consultations on administrative measures or the publication of thematic guidelines.

All EU institutions and bodies must have at least one data protection officer (DPO). In 2011, the number of DPOs totalled 54. Regular interaction with them and their network is an important condition for effective supervision. The EDPS has worked closely with the ‘DPO quartet’ composed of four DPOs (Council, European Parliament, European Commission and the European Food Safety Agency) who coordinate the DPO network. The DPO network meetings, which the EDPS attends, are an opportunity to give updates on EDPS work, give an overview of developments in EU data protection and to discuss issues of common interest.

Prior checking of risky processing operations continued to be an important aspect of supervision. In 2011, the EDPS received 164 notifications for prior checking and adopted 71 prior check opinions on standard administrative procedures, such as staff evaluation, administrative inquiries, disciplinary procedures and anti-harassment procedures, but also on core business activities such as the Consumer Protection System, the Quality Management System and ex-post quality checks at OHIM and the Electronic Exchange of Social Security system at the European Commission. These opinions are published on the EDPS website and their implementation is followed up systematically.

In 2011, the number of complaints received by the EDPS increased to 107; 26 of these were found to be admissible. Many inadmissible complaints involved issues at national level for which the EDPS is not competent. In the 15 cases resolved during 2011, the EDPS found that either there was no breach of data protection rules or that the necessary measures to comply were undertaken by the controller. Conversely in two cases, non-compliance with data protection rules was found to have occurred and recommendations were made to the controller.

The implementation of the Regulation by institutions and bodies is also monitored systematically by regular stocktaking of performance indicators, involving all EU institutions and bodies. The EDPS launched his third stocktaking exercise, monitoring compliance with data protection rules (2011 Survey) leading to a report highlighting the progress made by institutions and bodies in implementing the Regulation and also underlining shortcomings. In addition to this general exercise, targeted monitoring exercises were carried out in cases where, as a result of supervision activities, the EDPS had cause to be concerned about the level of compliance in specific institutions or bodies. These took the form of correspondence with the institution or body or a one day visit notably to the European Railway Agency, the Community Plant Variety Office, the European Foundation for the Improvement of Living and Working Conditions and the European Global Navigation Satellite Systems Agency.

The EDPS also carried out an on-the-spot inspection at the CEDEFOP, OLAF and the ECB to verify compliance on specific issues.

Further work was also done in response to consultations on administrative measures by EU institutions and bodies in relation to the processing of personal data. A variety of issues were raised, including publication of employees’ pictures on the Intranet, controllership when CCTV is operated on the premises of another institution and the processing of employees’ e-mails.

The EDPS also adopted guidelines on anti-harassment procedures and staff evaluation and followed up on the progress made by institutions and bodies following the Video-Surveillance Guidelines.

Consultation

2011 was a busy year for consultation, leading to a record number of 24 opinions, 12 formal comments and 41 informal comments. The EDPS continued to implement a proactive approach to consultation, based on a regularly updated inventory of legislative proposals to be submitted for consultation as well as availability for informal comments in the preparatory phases of legislative proposals. Taking advantage of this availability for informal comments, in 2011 the Commission services almost doubled the number of informal consultations compared to 2010.

The Commission’s work on a modernised legal framework for data protection in Europe merits special mention. The legislative review process has been closely followed by the EDPS, who provided input at different levels, including an opinion on the Commission Communication laying down a comprehensive approach to data protection in Europe in January and informal comments on the draft legislative proposals in December.

There appears to be a general diversification in the fields touching on data protection issues: besides traditional priorities such as the Area of Freedom, Security and Justice (AFSJ) and international data transfers, new areas are emerging, as may be seen in the large number of opinions adopted relating to the internal market. The following highlights include a selection of the opinions adopted in the respective fields.

In the AFSJ, the EDPS issued several highly critical opinions on issues such as the evaluation report on the data retention directive 2006/24/EC and the proposal for European Passenger Name Records processing. Passenger name records were also the subject of two opinions dealing with the agreements for the transfer of such data to Australia and the USA respectively. The EDPS also commented on the Commission communication on a Terrorist Finance Tracking System (TFTS), questioning its necessity.

Regarding Information Technology and the Digital Agenda, the EDPS published an innovative opinion on net neutrality highlighting the impact of some monitoring practices by internet service providers. He also issued his first ever opinion on an EU-funded research project which dealt with privacy-preserving ways of implementing biometrics.

In the area of the internal market, the EDPS issued, among others, an opinion on the Internal Market Information System (IMI), urging that new functionalities to be added in the future be clarified. Other notable opinions were issued on Energy market integrity and transparency as well as over-the-counter derivatives, central counterparties and trade repositories. In these cases, the proposals intended to grant far-reaching investigation powers that were not clearly circumscribed to regulatory authorities and so the EDPS called for greater clarity.

Several opinions were issued on enforcement in a cross-border context. The EDPS provided, for instance, guidance on the proposals for the intellectual property rights enforcement directive, calling for the establishment of a clear retention period as well as for clarifying the legal basis of an associated database. Regarding the proposal for the European account preservation order, he emphasised the need to limit the personal data processed to the minimum necessary.

In public health and consumer affairs, the EDPS issued an opinion on the Consumer Protection Cooperation System (CPCS), urging the legislator to reconsider the retention periods and to explore ways of ensuring privacy by design.

The EDPS also intervened in other areas, such as the OLAF reform regulation, the EU financial regulation and the use of digital tachographs for professional drivers.

Court cases

In 2011, the EDPS intervened in five cases before the General Court and the Civil Service Tribunal.

One of the cases dealt with an allegedly illegal transfer of medical data between the medical services of the Parliament and the Commission. The Civil Service Tribunal - taking this initiative for the first time - invited the EDPS to intervene. In its judgment, the Tribunal followed the EDPS reasoning and awarded financial compensation to the applicant.

Three other cases dealt with access to documents of EU institutions and can be seen as follow-up to the Bavarian Lager ruling. In all three, the EDPS argued in favour of greater transparency. This reasoning was followed by the Court in one case; in another case, it upheld the Parliament decision not to grant access; the third case is, at the time of writing, pending.

In addition, the EDPS intervened in an infringement proceeding against Austria on the independence of DPAs. In his intervention, he argued that the organisation structure of the office of the Austrian DPA as provided for in national law, does not live up to the standard of independence required by Directive 95/46/EC. At the time of writing, this case too is pending.

Cooperation

The main platform for cooperation between data protection authorities in Europe is the Article 29 Data Protection Working Party. The EDPS takes part in the activities of the Working Party, which plays an important role in the uniform application of the Data Protection Directive.

The EDPS and the Article 29 Working Party have worked well together on a range of subjects, especially in the context of the subgroups on key provisions and borders, travel and law-enforcement (BTLE). In the former, the EDPS was the rapporteur for the opinion on the notion of ‘consent’.

In addition to the Article 29 Working Party, the EDPS continued his close cooperation with the authorities established to exercise joint supervision on EU large-scale IT systems.


An important element of these cooperative activities is Eurodac. The Eurodac Supervision Coordination Group – composed of national data protection authorities and the EDPS – met in Brussels in June and October 2011. The Group completed a coordinated inspection on the issue of advance deletion, further elaborated a joint framework for the planned full security audit and scheduled another coordinated inspection, the results of which will be reported in 2012. In addition, the group informally discussed the issue of coordinated supervision of the Visa Information System (VIS), which went live in October 2011.

A similar arrangement governs the supervision of the Customs Information System (CIS), in the context of which the EDPS convened two meetings of the CIS Supervision Coordination Group in 2011. The meetings gathered the representatives of national data protection authorities, as well as representatives of the Customs Joint Supervisory Authority and Data Protection Secretariat. In the meeting in June, the Group adopted an action plan outlining its planned activities for 2011 and 2012, while in the December meeting, it agreed on its first two coordinated inspections. The results of these inspections will be delivered during the course of 2012.

Cooperation in international fora continued to attract attention, especially the European and International Conferences of Data Protection and Privacy Commissioners. In 2011, the European Conference was held in Brussels, hosted by the Article 29 Working Party and the EDPS. In Mexico City, privacy and data protection commissioners from around the world adopted a declaration calling for efficient cooperation in a world of ‘big data’.

Some EDPS key figures in 2011

➔ 71 prior-check opinions adopted, 6 non prior check opinions

➔ 107 complaints received, 26 admissible. Main types of violations alleged: violation of confidentiality of data, excessive collection of data or illegal use of data by the controller

➔ 34 consultations on administrative measures. Advice was given on a wide range of legal aspects related to the processing of personal data conducted by the EU institutions and bodies

➔ 4 on-the-spot inspections carried out

➔ 2 guidelines published on anti-harassment procedures and evaluation of staff

➔ 24 legislative opinions issued on, among others, initiatives relating to the Area of Freedom, Security and Justice, technological developments, international cooperation, data transfers, or internal market.

➔ 12 sets of formal comments issued on, among others, intellectual property rights, civil aviation security, EU criminal policy, the Terrorist Finance Tracking System, energy efficiency, or the Rights and Citizenship Programme.

➔ 41 sets of informal comments

➔ 14 new colleagues recruited


1.2. Results in 2011

Thefollowingmainobjectivesweresetoutin2010.Mostoftheseobjectiveshavebeenfullyorpartiallyrealisedin2011.Insomecases,workwillcontinuein2012.

• Raising awareness

The EDPSinvestedtimeandresourcesinawarenessraisingexercisesforEUinstitutionsandbodiesandDPOs. This took the form of thematic guidancenotablyintheareasofanti-harassmentprocedures,staffevaluationandworkshopsondataprotectionforDPOsorcontrollers.

• Role of prior checking

In 2011, the EDPS received 164 notifications forpriorchecking,thesecondhighestnumberever.Thisincreasewasduemainlytothelaunchingofvisitstoagencies,onthespotinspectionsandtheissuanceofthematicguidance.Thenotificationsreceivedfromnewlycreatedagenciesalsocontrib-utedtothisincrease.TheEDPScontinuedtoplacestrongemphasisontheimplementationofrecom-mendationsmadeinpriorcheckopinions.

• Monitoring and reporting exercises

TheEDPSlaunchedhisthirdstocktakingexercise,monitoring the compliance of data protectionrules(2011Survey).Inadditiontothisgeneralexer-cise,targetedmonitoringexerciseswerecarriedoutincaseswhere,asa resultofsupervisionactivi-ties, theEDPShadcause forconcernabout thelevelofcomplianceinspecificinstitutionsorbod-ies.Someofthesewerecorrespondencebased,whilstotherstooktheformofa onedayvisittothebodyconcerned,withtheaimofaddressingcom-pliancefailings.

• Inspections

Inspectionsarea crucialtool,enablingtheEDPStomonitorandensuretheapplicationoftheRegula-tion. In2011,theEDPS launchedfour inspectionsandcontinuedthefollowupofrecommendationsmadeinpreviousinspections.A securityauditoftheVisaInformationSystem(VIS)wasalsocarriedout.

• Scope of consultation

The EDPS again increased his output, issuinga recordnumberof24opinionsand12setsoffor-malcomments.Inmanycases,theCommissionhad

alreadyconsultedtheEDPSbeforetheadoptionofitsproposals,leadingto41setsofinformalcom-mentsbeingissued.Manyoftheopinionswerefol-lowedupbypresentationsintheLIBECommitteeoftheEuropeanParliamentortherelevantCouncilWorkingParties.Theproposalsforwhichopinionswerepublishedwereselectedfroma systematicinventoryofrelevantsubjectsandprioritiesfortheEDPS. The opinions, formal comments and theinventoryarepublishedontheEDPSwebsite.

• Review of the data protection legal framework

The EDPS issued an opinion on the Commission Communication on a comprehensive approach on personal data protection, as well as informal comments on the legislative proposals. He closely followed the process and gave input where necessary and appropriate.

• Implementation of the Stockholm Programme

The EDPS closely followed policy developments related to the Stockholm Programme, issuing an opinion on the proposal for a directive on the use of PNR for law enforcement purposes, as well as formal comments on the introduction of a European Terrorist Financing Tracking Programme (TFTS). While no legislative proposals were issued on the topic of smart borders, the EDPS addressed the issue in his opinion on the Commission communication on migration.

• Initiatives in the area of technology

The EDPS issued his first opinion on an EU-funded research project; the project dealt with the privacy preserving implementation of biometrics. In the context of the Digital Agenda, he published an opinion on net neutrality.

• Other initiatives

The EDPS issued a variety of opinions and comments on other initiatives that had an impact on the protection of personal data, such as the Internal Market Information System and the use of security scanners at airports.


• Cooperation with data protection authorities

The EDPS actively took part in the work of the Article 29 Data Protection Working Party, especially in the subgroups on key provisions and on borders, travel and law enforcement.

• Coordinated supervision

The EDPS provided the data protection authorities involved in the coordinated supervision of Eurodac and the Customs Information System with an efficient secretariat. For the Visa Information System, the data protection authorities represented in the supervision coordination group had a first exchange of views as part of one of the Eurodac coordinated supervision meetings, addressing implications of the system and the approach to supervision.

• Internal organisation

Following the reorganisation of the Secretariat in 2010, the institution decided to launch a strategic review of all its activities in 2011, steered by a “Strategic Review” Task Force made up of the Director and representatives from all teams and disciplines. The first phase of the review culminated in an internal meeting of the institution in October 2011, which allowed the members and staff to reflect on their tasks, values and objectives.

• Resource management

The EDPS, in cooperation with the Parliament, carried out an exhaustive examination of the market for providers of a Case Management System and chose the contractor with the most appropriate product. At the end of 2011, the contract was signed and the work of developing a customised system began.

During 2011, work continued on the integration of the EDPS into IT applications in the field of human resources on the basis of Service Level Agreements: Syslog Formation was successfully introduced, work began on SysperII and an agreement was found on the introduction of MIPS in 2012.


2.1. Introduction

The EDPS continued to perform his main operational activities notably in the field of prior checks, complaints and consultations on administrative measures through 2011. The prior checking of processing operations which exhibit specific risks continued to represent an important aspect of supervision work at the EDPS in 2011, notably due to an increase in the number of notifications received. The number and complexity of complaints received also increased and led to a resolution of 15 cases in 2011. Within the framework of consultations on administrative measures, the EDPS examined a variety of issues.

Aside from his regular supervision activities, the EDPS also developed other forms of monitoring compliance with the Regulation, in line with the Compliance and Enforcement Policy adopted in December 2010. In addition to his general stocktaking exercise, targeted monitoring exercises were carried out in cases where, as a result of supervision activities, the EDPS had reason to be concerned about the level of compliance in certain institutions or bodies. These took the form of correspondence with the institution or body concerned, one day visits by management to address compliance failings or inspections to verify compliance on specific issues.

The EDPS also continued his awareness raising activities, notably by organising specific training for DPOs either in the form of a workshop or a teleconference and by producing thematic guidance for institutions and bodies in the field of anti-harassment procedures and staff evaluation.

2.2. Data protection officers

European Union institutions and bodies have an obligation to appoint a data protection officer (DPO) (Article 24.1 of the Regulation). Some institutions have coupled the DPO with an assistant or deputy DPO. The Commission has also appointed a DPO for the European Anti-Fraud Office (OLAF, a Directorate-General of the Commission). A number of institutions have appointed data protection coordinators in order to coordinate all aspects of data protection within a particular directorate or unit.

In 2011, six new DPOs were appointed within new agencies or joint undertakings, bringing the total number of DPOs to 54. There was also a high turnover in institutions and established agencies, as many mandates expired this year.

For a number of years, the DPOs have met at regular intervals in order to share common experiences and discuss horizontal issues. This informal network has proved to be productive in terms of collaboration and continued throughout 2011.

2 SUPERVISION AND ENFORCEMENT

The task of the EDPS in his independent supervisory capacity is to monitor the processing of personal data carried out by EU institutions or bodies (except the Court of Justice acting in its judicial capacity). Regulation (EC) No 45/2001 (the Regulation) describes and grants a number of duties and powers, which enable the EDPS to carry out this task.


A ‘DPO quartet’ composed of four DPOs (the Council, the European Parliament, the European Commission and the European Food Safety Agency) was set up with the goal of coordinating a DPO network. The EDPS has collaborated closely with this quartet.

The EDPS attended the DPO meetings held in April 2011 at the Fundamental Rights Agency in Vienna and at the European Ombudsman in Strasbourg in October 2011. The EDPS took the opportunity to update the DPOs on his work, give an overview of recent developments in EU data protection and discuss issues of common interest.

More specifically, the EDPS used this forum to discuss the procedures and tools for prior checks; present recent developments in data protection; update the DPOs on the review of the legal framework; present thematic guidelines and the 2011 Survey; provide information on training initiatives and share progress on the video-surveillance guidance report. The forum is also used to share initiatives for European Data Protection Day (on 28 January).

On 8 June 2011, the EDPS organised a workshop for DPOs as part of his guidance programme (see also Section 2.7.2). The aim was to provide basic training for DPOs, in particular those recently appointed. The programme included an introduction to the basic principles and definitions of the Regulation and presentations on specific subjects such as the legal basis of data processing, rights of the data subject, transfer of data and processing on behalf of the controller. These presentations were supported by concrete examples taken from the EDPS’ supervision activities. The afternoon session was dedicated to cooperation between DPOs and the EDPS, focusing on the practical aspects of complaint handling, prior checking procedures and security of processing operations. The workshop was well-attended and active participation of the DPOs led to a productive exchange of experiences and concerns.

2.3. Prior checks

2.3.1. Legal base

Regulation (EC) No 45/2001 provides that all processing operations likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes are to be subject to prior checking by the EDPS (Article 27(1)).

Article 27(2) of the Regulation contains a non-exhaustive list of processing operations that are likely to present such risks. During the reporting period, the EDPS continued to apply the criteria developed in previous years (4) when interpreting this provision, both when deciding that a notification from a DPO was not subject to prior checking and when advising on the need for prior checking of a consultation (see also Section 2.3.4).

(4) See Annual Report 2005, section 2.3.1.

30th DPO Meeting in Strasbourg in October 2011.

2.3.2. Procedure

Notification

Prior checks must be carried out by the EDPS following receipt of a notification from the DPO. Should the DPO be in doubt as to whether a processing operation should be submitted for prior checking, he may consult the EDPS (see Section 2.3.4).

Prior checks involve operations not yet in progress, but also processing that began before 17 January 2004 (the appointment date of the first EDPS and Assistant EDPS) or before the Regulation came into force (ex-post prior checks). In such situations, an Article 27 check cannot be ‘prior’ in the strict sense of the word, but must be dealt with on an ex-post basis.

Period, suspension and extension

The EDPS must deliver his opinion within two months of receiving the notification (5). Should the EDPS make a request for further information, the period of two months is usually suspended until the EDPS has obtained this information. This period of suspension includes the time given to the DPO for comments and if needed, further information on the final draft. In complex cases, the EDPS may also extend the initial period by a further two months. If no decision has been delivered at the end of the two-month period or extension thereof, the opinion of the EDPS is deemed to be favourable. To date, no such tacit opinion has ever arisen.

(5) For ex-post cases received before 1 September 2011, the month of August was not included in the calculation of deadlines for institutions and bodies, nor for the EDPS.

Register

In 2011, the EDPS received 164 notifications for prior checking, the second highest number ever. This represents a dramatic increase with almost twice as many notifications received in 2011 compared to 2010. Whilst the EDPS has cleared the backlog of ex-post prior checks for most EU institutions, processing operations put in place by EU agencies, in particular by newly established ones, the follow-up of guidelines issued as well as several visits to agencies in 2011 have generated an increase in the number of notifications.

Under the Regulation, the EDPS must keep a register of all processing operations of which he has been notified for prior checking (Article 27(5)). This register contains the information referred to in Article 25 and is available to the public, in the interests of transparency, on the EDPS website (except for security measures, which are not mentioned in the public register).

[Figure: Notifications to the EDPS, bar chart by year, 2004 to 2011.]


Opinions

The final position of the EDPS takes the form of an opinion, which is notified to the controller of the processing operation and the DPO of the institution or body (Article 27(4)). In 2011, the EDPS issued 71 prior checking opinions and 6 on ‘non-prior checks’ (see Section 2.3.5). This represents a significant increase compared to the previous year and also takes into account that the EDPS dealt with a significant number of cases with joint opinions: in 2011, there were 10 joint opinions dealing with a total of 52 notifications (e.g. one joint opinion on health data dealing with a total of 18 notifications). In issuing these joint opinions following the publication of guidelines, for example on health data and anti-harassment, the EDPS thus increased efficiency at the cost of statistical visibility.

As was the case in 2010, a significant number of these opinions were addressed to the European Commission, with 16 prior checking opinions (and three non-prior checks). Unlike in previous years, where the other large EU institutions (European Parliament and Council) had been frequent addressees, in 2011 the runners-up were EU agencies and bodies, to which the EDPS addressed an unprecedented number of opinions (partially in the form of joint opinions), e.g. six relating to processing operations at the Community Plant Variety Office, five to the European Foundation for the Improvement of Living and Working Conditions and three or four to several other EU agencies. EU agencies have thus further continued to notify their core business activities and standard administrative procedures according to the relevant procedures drawn up by the EDPS (see Section 2.3.2).

Opinions routinely contain a description of the proceedings, a summary of the facts and a legal analysis of whether the processing operation complies with the relevant provisions of the Regulation. Where necessary, recommendations are made so as to enable the controller to comply with the Regulation. In the concluding remarks, the EDPS usually states that the processing does not seem to involve a breach of any provision of the Regulation, provided that these recommendations are taken into account, but the EDPS may of course also exercise other powers granted to him under Article 47 of the Regulation. For example, the EDPS introduced a temporary ban on a processing operation which was found to be in breach of the data protection principles (see Section 2.3.3.10).

Once the EDPS has delivered his opinion, it is made public. All published opinions are available on the website of the EDPS in three language versions (as these become available) together, in most cases, with a summary of the case.

A case manual ensures that the entire team works on the same basis and that the opinions of the EDPS are adopted after a complete analysis of all significant information. It provides a template for opinions, based on accumulated practical experience and is continuously updated. A workflow system is used to make sure that all recommendations in a particular case are followed up and, where applicable, all enforcement decisions are complied with (see Section 2.3.6).

[Figure: EDPS prior-check opinions per year, bar chart, 2004 to 2011.]


Procedure for ex-post prior checks in EU agencies

In October 2008, the EDPS launched a new procedure for ex-post prior checks in EU agencies. Since standard procedures are the same in most EU agencies and are based on Commission decisions, notifications on a similar theme are gathered and either a collective opinion (for various agencies) or a ‘mini prior check’ addressing only the specific needs of each individual agency is adopted. To help the agencies complete their notifications, the EDPS summarises the main points and conclusions of previous prior checking opinions on the relevant theme in the form of thematic guidelines (see section 2.7).

The first theme was recruitment and led to a horizontal opinion of the EDPS in May 2009, covering notifications from 12 agencies. A second set of guidelines was sent to the agencies at the end of September 2009 on the processing of health data, leading to a joint opinion regarding the processing operations of 18 agencies on pre-recruitment examinations, annual check-ups and sick leave absences in February 2011. In April 2010, the EDPS issued guidelines concerning the processing of personal data in administrative inquiries and disciplinary proceedings by European institutions and bodies. In June 2011, the EDPS issued a joint opinion covering the processing operations in place at five agencies. Further guidelines in the area of anti-harassment procedures led to the adoption of an opinion in October 2011 covering notifications received by nine agencies (on thematic guidance, see Section 2.7).

[Figure: Opinions 2011 per main category. Labels: recruitment, health data, suspicion and offences, appraisal, e-monitoring, evaluation, non-prior checks, other; includes a "Breakdown of the evaluation" panel.]

2.3.3. Main issues in prior checks

2.3.3.1. Processing of health data in the workplace

Following the publication of EDPS Guidelines on the processing of health data in the workplace, the EDPS carried out a particularly challenging exercise in examining 18 notifications for prior checking regarding the processing operations in 18 agencies on pre-recruitment examinations, annual check-ups and sick leave absences. In view of the similarities in procedures and data protection practices, the EDPS decided to issue one joint opinion on 11 February 2011 (Case 2010-0071).


2.3.3.2. Consumer Protection Co-operation System (CPCS)

The Consumer Protection Co-operation System (CPCS) is an information technology system designed and operated by the Commission, which facilitates co-operation among Member State authorities and the European Commission in the area of consumer protection pursuant to Regulation (EC) No 2006/2004 on consumer protection cooperation. On 4 May 2011, the EDPS issued a prior checking opinion concerning the exchange of information including personal data by competent authorities in the framework of this co-operation (Case 2009-0019).

2.3.3.3. Quality Management System and ex-post quality checks at OHIM

Since 2007, the Office of Harmonization for the Internal Market (OHIM) has been conducting ex-ante and ex-post quality checks of trademark decisions produced by OHIM’s trademark examiners for quality control purposes. The results of these checks show the types of mistakes made by examiners. In September 2009, OHIM informed examiners that the results of ex-post quality checks (EPQC) would also be used for the purpose of their annual performance appraisal. As a result, the EPQC system was submitted for prior checking to the EDPS, who issued his opinion on 9 June 2011 (Case 2010-0869).

The European Commission has a central role in configuring the CPCS system architecture and operating the system and is subject to the supervision of the EDPS. In his opinion, the EDPS recommended technical and organisational measures to be taken by the European Commission. Many of the recommendations provided in the opinion (including those on training, the establishment of data protection guidelines, information to data subjects and “privacy by design” solutions built into the system architecture) should also facilitate compliance with data protection rules by other users of the system, such as competent authorities in Member States.

The joint opinion on the processing of health data at the workplace highlighted three crucial issues:

• firstly, the broad concept of “health data” and the impact of data protection principles on processing operations related to pre-recruitment examinations, annual check-ups and sick leave absences;

• secondly, the absence of important elements in the contracts of several agencies with external medical providers, notably of security measures and data protection clauses in the light of Article 23 of the Regulation;

• thirdly, the incomplete scope of privacy statements used: for the processing to be lawful under Articles 11 and 12 of the Regulation, the controller shall inform the data subject about all elements related to the processing operations, in particular where the processing is based on the consent of the data subject.

EU institutions, agencies and bodies process health-related data.

Modern information technologies support consumer protection.


2.3.3.4. Access Control System – Joint Research Centre (JRC) - Ispra site

The purpose of the Access Control System at the Ispra site of the Joint Research Centre (JRC) is to protect the premises against unauthorised access and external and internal threats. The trigger for the prior checking procedure was that biometric readers covered access to some protected areas, although these were not used by many staff members. The EDPS issued an opinion on 15 July 2011 (Case 2010-0902).

2.3.3.5. Fingerprint recognition study by JRC of children below the age of 12 years

The Joint Research Centre (JRC) conducted a study entitled “Fingerprint recognition study of children below the age of 12 years” within the scope of the European Visa Information System (VIS). The study examined the physiological development of the fingertip ridge structure of children (ridge distance, position of minutiae) and the resulting recognition rate of fingerprint matching algorithms adapted to children. As this processing is related to biometric data, prior checking was required to allow the EDPS to verify that stringent safeguards had been implemented; he published his opinion on 25 July 2011 (Case 2011-0209).

2.3.3.6. Electronic Exchange of Social Security Information - European Commission

The EDPS prior checked an IT system for the cross-border exchange of social security information developed by the European Commission. The system, which is expected to be operational as of 2012, aims to facilitate the calculation and payment of social security benefits for persons who have worked in more than one Member State and allows for a more efficient verification of data.

The EDPS recognised the importance of the biometric study, but highlighted the need for the data controller to perform a risk assessment and establish an access policy relating to the processing operation at stake.

The EDPS concluded that the European Commission was in breach of the Regulation since it had installed and operated a biometric access control system without notifying this processing operation to the EDPS ex-ante. Moreover, the EDPS recommended that the JRC should, among other things:

- enact a legal basis for the processing operations by the access control system using biometrics;

- comply with the CCTV Guidelines and report to the EDPS on the measures it has implemented in that respect;

- reconsider the technological choices made by means of an impact assessment, including a timetable to implement changes in technology.

Fingerprint recognition is one of the most well-known biometrics and refers to an automated method of verifying a match between two human fingerprints.

Given the change of purpose of the processing from general quality control to individual performance appraisal, in his opinion the EDPS recommended that OHIM adopts an internal decision setting forth appropriate data protection guarantees and ensures that EPQC data are not the sole basis for the annual performance appraisals of examiners. The EDPS furthermore recommended measures to ensure the accuracy of the data, to inform the examiners about the processing and to ensure that they are granted all their rights as data subjects.


2.3.3.7. Physical Access Control System - European Commission

The European Commission’s physical access control system (PACS) performs all physical security functions and is based on the use of biometric data. The use of such data presents specific risks to the rights and freedoms of data subjects, due to some inherent characteristics of this type of data. For example, biometric data irrevocably changes the relation between body and identity, in that they make the characteristics of the human body ‘machine-readable’ and subject to further use. These risks justify the need for such data processing to be prior checked by the EDPS in order to verify that stringent safeguards have been implemented. The EDPS issued his opinion on 8 September 2011 (Case 2010-0427).

2.3.3.8. “IDEAS-Exclusion of Experts by Applicants” project - ERCEA

Project proposals submitted to the European Research Council Executive Agency (ERCEA) are subject to peer evaluation i.e. a review by panels composed of independent scientists and scholars. The EDPS opinion of 21 September 2011 (Case 2010-0661) regards a procedure notified by the ERCEA under which applicants submitting a project proposal can request that up to three specific persons would not act as peer reviewer in the evaluation of the proposal. The purpose of the processing is to guarantee a fair, equal and objective assessment of project proposals and neutralise any concerns on the correctness of the evaluation outcome and the objectivity of experts.

2.3.3.9. Systems enhancing cooperation between customs authorities - OLAF

Using the same platform, three systems (the Virtual Operational Cooperation Unit, the Mutual Assistance Broker and the Customs Information System) aim to enhance cooperation between customs authorities in the Member States, the European Commission and in some cases third countries and international organisations. To this end, they allow the exchange of information on persons, companies and goods under suspicion of infringing customs and agricultural legislation, in order to request connected authorities to take certain actions (e.g. specific checks, discreet surveillance). The systems involve the processing of sensitive data (suspicion of criminal behaviour, health data).

In his opinion of 28 July 2011 (Case 2011-0016), the EDPS welcomed the proposal to create a ‘one stop point’ for individuals wanting to exercise their rights. The EDPS nevertheless invited the European Commission to ensure that data subjects can fully enforce their rights at the relevant contact point in the Member State. To ensure the security of the data, the EDPS also recommended a number of technical measures, which include the recommendation that only encrypted data should be transmitted to prevent the European Commission from having access to the content of the sensitive data transiting through the system. Since the system is still in its production phase, the EDPS emphasised that he should be notified of any substantial change to the design of the system which could impact the level of data protection.

In light of the principle of data quality, the EDPS invited ERCEA to consider defining pre-fixed categories rather than using a “free text” field for submitting specific reasons to exclude certain peers from becoming panel members. The EDPS further recommended that ERCEA procedurally ensures that the rights of access and rectification of experts concerned are limited only to cases where this is necessary. Subject to the restrictions of Article 20 of the Regulation, each expert should, for example, be able to verify whether he/she wants to add his/her own statement “neutralising” or “balancing” the subjective appreciation by the applicant.

The EDPS welcomed the European Commission’s involvement of the EDPS at a very early stage, thus facilitating the development of a privacy-friendly approach in implementing the processing operations at stake. Among other aspects of the PACS, the EDPS focused his analysis on the categories of data subjects concerned, the existence of fallback procedures for individuals who are not eligible, even temporarily, for enrolment (e.g. because of damaged fingerprints), retention periods and the security measures implemented.

In his joint opinion of 17 October 2011 on the three systems (joint cases 2010-0797, 2010-0798, 2010-0799), the EDPS asked OLAF to provide better information to data subjects and recommended an evaluation of the need to process certain data categories as well as the retention periods applicable.


2.3.3.10. “Return to Work” policy - EU-OSHA

To facilitate the return to work of sick staff members, under the “Return to Work” policy of the European Agency for Safety and Health at Work (EU-OSHA), the staff member’s Head of Unit or the Human Resources Section (HR) is responsible for coordinating actions between the staff member, his/her general practitioner, occupational health, HR and any other stakeholders (e.g. union and staff representatives). This involves regular contacts with the sick staff member, referrals for medical assessment and individual-level therapies (e.g. psychotherapy) and the examination of the staff member’s job and medical assessments, which may result in redeployment or an adjustment of the staff member’s working time, responsibilities and tasks.

2.3.4. Consultations on the need for prior checking

The mere possibility of the presence of sensitive data in a case does not automatically subject it to prior checking. Nevertheless, the processing of sensitive data relating to, for example, health or criminal/civil offences does mean that particular attention should be given to the adoption of appropriate security measures, in accordance with Article 22 of the Regulation.

When in doubt, EU institutions and bodies can consult the EDPS on the need for prior checking under Article 27(3) of the Regulation. During 2011, the EDPS received 13 such consultations from DPOs. Among the issues considered by the EDPS were processing activities regarding mobility in the context of restructuring and the use of electronic communication (mobile telephony, email and internet).

2.3.5. Notifications not subject to prior checking or withdrawn

Following careful analysis, six cases were found not to be subject to prior checking in 2011. In these situations (also referred to as ‘non-prior checks’), the EDPS may still make recommendations. Furthermore, one notification was withdrawn and one was replaced.

In his opinion of 24 October 2011 (Case 2011-0752), the EDPS concluded that some elements of the processing operation breached the principle of necessity and proportionality and violated the data quality principles of adequacy, relevance, proportionality and accuracy and therefore imposed a temporary ban on the processing. The EDPS noted that, whilst the stated purpose of the processing referred to fitness to work from an occupational and preventive medicine perspective, only medical specialists, not the Head of Unit or HR, are able to certify these aspects. Further concerns regarded how the EU-OSHA could ensure that any consent from the data subjects was informed and freely given under the circumstances and that only adequate, relevant and not excessive data should be collected, processed and transferred.

In his opinion of 12 November 2009 (Case 2009-0477), regarding the planned verification of flexitime clocking operations through data on physical access collected by the European Council, the EDPS confirmed his doubts regarding the proportionality of the planned processing operation. He advised that the operation would violate the Regulation at various levels (lawfulness of the processing operation, necessity and proportionality, change in purpose, data quality) if the verification of flexitime clocking operations with respect to data on physical access checks, as described in the notification, were to be executed outside the framework of an administrative investigation. On 6 July 2011, the EDPS received a letter from the Data Protection Officer of the European Council informing him that, following the above EDPS prior check opinion, the data controller had withdrawn the notification and the planned system had not been implemented.


2.3.6. Follow-up of prior checking opinions

Institutions and bodies have readily followed the recommendations of the EDPS and to date there has been no need for executive decisions. In the formal letter sent with his opinion, the EDPS requests that the institution or body concerned informs him of the measures taken to implement the recommendations within a period of three months.

The EDPS considers this follow up as a critical element in achieving full compliance with the Regulation. In keeping with his 2010 Policy Paper on ‘Monitoring and Ensuring Compliance with Regulation (EC) No 45/2001’, the EDPS expects institutions and bodies to be accountable for any recommendations made. This means that they bear the responsibility for implementing them and they must be able to demonstrate this to the EDPS. Any institution or body failing to act on the recommendations will thus risk formal enforcement action.

[Figure: Comparative situation, 2004 to 2011: notifications, opinions and closed files per year.]

An EDPS prior check opinion is usually concluded by stating that the processing operation does not violate the Regulation providing certain recommendations are implemented. Recommendations are also issued when a case is analysed to decide on the need for prior checking and some critical aspects appear to deserve corrective measures. Should the controller not comply with these recommendations, the EDPS may exercise the powers granted to him under Article 47 of the Regulation.

2.3.7. Conclusions

The 71 prior checking opinions issued by the EDPS have provided valuable insight into the processing operations of the European administrations and have enabled the EDPS to build on his expertise in providing generic guidance in certain areas, such as common administrative procedures. This is evident in the processing related to staff evaluation as well as anti-harassment procedures (see section 2.7 on thematic guidelines). The EDPS will continue to provide such guidance to institutions and agencies and continue to facilitate the notification process from the agencies.

Regarding the follow-up of EDPS prior checking opinions, 62 cases were closed in 2011. The EDPS will continue to closely monitor the follow-up work so as to ensure that institutions and agencies integrate recommendations made by the EDPS in a timely and satisfactory manner.


2.4. Complaints

2.4.1. The EDPS mandate

In principle, an individual can only complain about an alleged violation of his or her rights related to the protection of his or her personal data. However, EU staff can complain about any alleged violation of data protection rules, whether the complainant is directly affected by the processing or not. The Staff Regulations of European Union civil servants also allow for a complaint to the EDPS (Article 90b).

According to the Regulation, the EDPS can only investigate complaints submitted by natural persons. Complaints submitted by companies or other legal persons are not admissible.

Complainants must also identify themselves and so anonymous requests are not considered as complaints. However, anonymous information may be taken into account in the framework of another procedure (such as a self-initiated enquiry, or a request to send notification of a data processing operation, etc.).

A complaint to the EDPS can only relate to the processing of personal data. The EDPS is not competent to deal with cases of general maladministration, to modify the content of the documents that the complainant wants to challenge or to grant financial compensation for damages.

A citizen of a non-EU country complained to the EDPS about the fact that an entry visa to the Schengen area was refused to him and to his family apparently on the basis of the information provided by the Schengen Information System (SIS). The complainant asked the EDPS to provide him access to his own and his family’s personal data included in the SIS. However, even if the SIS is established on the basis of EU law, when it comes to the data subject’s right of access, the supervision is exercised not by the EDPS but at national level by national Data Protection Authorities (DPAs). The complainant was therefore advised that, under the current Schengen Agreement, he can request assistance from the national DPA of his choice.

A staff member of an EU institution complained about the refusal of access to some data in documents written in the context of a comparative assessment carried out at different stages of the contention procedure related to the decision on merit points. He requested the EDPS to order the institution to provide access to the relevant documents, as they contained his personal data. However, the institution maintained that the document in question never existed. The complainant, therefore, considered that the institution should draft the “missing” documents. The EDPS did not follow the reasoning of the complainant. In fact, the allegation that the institution did not correctly conduct an administrative procedure by not preparing all relevant documents goes beyond the remit of data protection rules. Therefore, no breach of the data protection rules was established in this case.

One of the main duties of the EDPS, as established by Regulation (EC) No 45/2001, is to ‘hear and investigate complaints’ as well as ‘to conduct inquiries either on his or her own initiative or on the basis of a complaint’ (Article 46).

The processing of personal data which is the subject of a complaint must be carried out by one of the EU institutions or bodies. Furthermore, the EDPS is not an appeal authority for the national data protection authorities.

2.4.2. Procedure for handling of complaints

The EDPS handles complaints according to the existing legal framework, the general principles of EU law and good administrative practices common to the EU institutions and bodies. In December 2009, the EDPS adopted an internal manual designed to provide guidance to staff when handling complaints. This manual was updated in September 2011 in order to reflect changes in the organisational structure of the EDPS and to integrate recent developments in the practice of complaint handling. The EDPS has also implemented a statistical tool designed to monitor complaint-related activities, in particular to monitor the progress of specific cases.

In all phases of handling a complaint, the EDPS adheres to the principles of proportionality and reasonableness. Guided by the principles of transparency and non-discrimination, he undertakes appropriate actions taking into account:

• the nature and gravity of the alleged breach of data protection rules;

• the importance of the prejudice that one or more data subjects may have suffered as a result of the violation;

• the potential overall importance of the case in relation to the other public and/or private interests involved;

• the likelihood of proof that the infringement has occurred;

• the exact date of the events, any conduct which is no longer yielding effects, the removal of these effects or an appropriate guarantee of such a removal.

In February 2011, the EDPS enhanced the process of submitting complaints by providing an interactive online complaint submission form on the EDPS website. A provisional version of such a form has been available on the EDPS website since early 2010. This form helps complainants to assess the admissibility of their complaint and thereby submit only relevant matters to the EDPS. It also allows the EDPS to obtain more complete and relevant information in order to speed up the processing of complaints and to reduce the number of manifestly inadmissible complaints. The form is available in English, French and German. As of September 2011, if a complaint is received by e-mail in one of these languages, the complainant is invited to fill in the online form. This measure has reduced the number of inadmissible complaints during the final trimester of 2011 by about 60%.

Each complaint received by the EDPS is carefully examined. The preliminary examination of the complaint is specifically designed to verify whether a complaint fulfils the conditions for further inquiry, including whether there are sufficient grounds for an inquiry.

A complaint for which the EDPS lacks legal competence is declared inadmissible and the complainant informed accordingly. In such cases, if relevant, the EDPS informs the complainant of any other competent bodies (e.g. the Court, the Ombudsman, national data protection authorities, etc.) to whom the complaint can be submitted.

A staff member sent to the EDPS a large number of documents exchanged with an institution that employed him and requested the EDPS to examine them all in order to verify if the data protection rules were respected. The complainant did not formulate any specific allegation of breach of data protection rules nor did he provide the EDPS with any indication or suspicion of such a breach. The EDPS took the position that the complaint does not concern a real or potential breach of data protection rules and decided to close the case without any further inquiry.

A complaint that addresses facts which are manifestly insignificant, or would require disproportionate efforts to investigate is not pursued. The EDPS can only investigate complaints that concern a real or potential and not purely hypothetical breach of the relevant rules relating to the processing of personal data. This includes a study of alternative options to deal with the relevant issue, either by the complainant or by the EDPS. For instance, the EDPS can open an inquiry into a general problem on his own initiative as well as open an investigation into an individual case submitted by a complainant. In such cases the complainant is informed about all available means of action.

A complaint is, in principle, inadmissible if the complainant has not first contacted the institution concerned in order to redress the situation. If the institution was not contacted, the complainant should provide the EDPS with sufficient reasons for not doing so.

If the matter is already being examined by administrative bodies – e.g. an internal inquiry by the institution concerned is in progress – the complaint is admissible in principle. However, the EDPS can decide, on the basis of the particular facts of the case, to await the outcome of those administrative procedures before starting investigations. On the contrary, if the same matter (same factual circumstances) is already being examined by a Court, the complaint is declared inadmissible.

In order to ensure the consistent treatment of complaints concerning data protection and to avoid unnecessary duplication, the European Ombudsman and the EDPS signed a Memorandum of Understanding in November 2006. The MoU stipulates, among other things, that a complaint that has already been examined should not be reopened by another institution unless significant new evidence is submitted.

With regard to time limits, if the facts addressed to the EDPS are submitted after a period of two years, the complaint is in principle inadmissible. The two year period starts from the date on which the complainant had knowledge of the facts.

Where a complaint is admissible, the EDPS will launch an inquiry to the extent appropriate. This inquiry may include a request for information to the institution concerned, a review of relevant documents, a meeting with the controller or an on-the-spot inspection. The EDPS has the authority to obtain access to all personal data and to all information necessary for the inquiry from the institution or body concerned. He can also obtain access to any premises in which a controller or institution or body carries out its activities.

At the end of the inquiry, a decision is sent to the complainant as well as to the controller responsible for processing the data. In the decision, the EDPS expresses his opinion on a possible breach of the data protection rules by the institution concerned. The competence of the EDPS is broad, ranging from giving advice to data subjects, to warning or admonishing the controller, to imposing a ban on the processing or referring the matter to the Court of Justice.

Any interested party can ask for a review by the EDPS of his decision within one month of the decision being made. Concerned parties may also appeal directly to the Court of Justice.

2.4.3. Confidentiality guaranteed to the complainants

As standard policy, complaints are treated confidentially. Confidential treatment implies that personal information is not disclosed to persons outside the EDPS. However, for the proper conduct of the investigation it may be necessary to inform the relevant services of the institution concerned and the third parties involved about the content of the complaint and the identity of the complainant. The EDPS also copies the Data Protection Officer (DPO) of the institution concerned in all correspondence between the EDPS and the institution.

If the complainant requests anonymity from the institution, the DPO or third parties involved, he is invited to explain the reasons for such a request. The EDPS then analyses the complainant’s arguments and examines the consequences for the viability of the subsequent EDPS inquiry. If the EDPS decides not to accept the anonymity of the complainant, he explains his evaluation and asks the complainant whether he accepts that the EDPS examines the complaint without guaranteeing anonymity or whether he prefers to withdraw the complaint. If the complainant decides to withdraw the complaint, the institution concerned will not be informed about the existence of the complaint. In such a case, the EDPS may undertake other actions on the matter, without revealing to the institution concerned the existence of the complaint i.e. an inquiry on his own initiative or a request for notification about a data processing operation.

No decisions of the EDPS were challenged by complainants in 2011.

On one occasion in 2011, the data controller concerned challenged the decision of the EDPS in the General Court (case T-345/11). The application was rejected by the Court on procedural grounds. The substance of the case was not discussed by the Court.

The EDPS recognises that some complainants put their careers at risk when exposing violations of data protection rules and that confidentiality should, therefore, be guaranteed to the complainants and informants who request it. On the other hand, the EDPS is committed to working in a transparent manner and to publishing at least the substance of his decisions. The internal procedures of the EDPS reflect this delicate balance.


At the end of an inquiry, all documents related to the complaint, including the final decision remain confidential in principle. They are not published in full nor transferred to third parties. However, an anonymous summary of the complaint can be published on the EDPS website and in the EDPS Annual Report, in a form which does not allow the complainant or third parties to be identified. The EDPS can also decide to publish the final decision in extenso in important cases. This must be done in a way that takes into account a complainant’s request for confidentiality and, therefore, does not allow the complainant or other relevant persons to be identified.

2.4.4. Complaints dealt with during 2011

2.4.4.1. Number of complaints

Confidentiality and anonymity are guaranteed by the EDPS to complainants and informants who request it.

[Figure: Number of complaints received, 2004 to 2011.]

The number and complexity of complaints received by the EDPS increased in 2011. In 2011, the EDPS received 107 complaints (an increase of 14% compared to 2010). Of these, 81 complaints were inadmissible, the majority relating to processing at national level as opposed to processing by an EU institution or body.

The remaining 26 complaints required more in-depth inquiries (an increase of 4% compared to 2010). In addition, nine admissible complaints, submitted in previous years (one in 2008, five in 2009 and three in 2010), were still in the inquiry, review or follow-up phase on 31 December 2011.


2.4.4.2. Nature of complainants

Of the 107 complaints received, 19 complaints (18%) were submitted by members of staff of EU institutions or bodies, including former staff members and candidates for employment. For the remaining 88 complaints, the complainant did not appear to have an employment relationship with the EU administration.

2.4.4.3. Institutions concerned by complaints

Of the 26 admissible complaints submitted in 2011, most were directed against the European Commission, the European Parliament, OLAF and EPSO. This is to be expected since the Commission and the Parliament conduct more processing of personal data than other EU institutions and bodies. The relatively high number of complaints related to OLAF and EPSO may be explained by the nature of the activities undertaken by those bodies.

[Figure: EU institutions and bodies concerned. Categories: Commission (EPSO and OLAF excluded), Other EU bodies, EPSO, OLAF, EIB, ECJ, European Parliament.]

2.4.4.4. Language of complaints

The majority of complaints were submitted in English (57%), French (20%) or German (15%). Complaints in other languages are relatively rare (8%).

2.4.4.5. Types of violations alleged

The violations of data protection rules alleged by the complainants in 2011 mainly related to:

• A breach of data subjects’ rights, such as access to and rectification of data (30%) or objection and deletion (13%);

• Violation of confidentiality (30%), excessive collection of personal data (17%), loss of data (9%).


2.4.4.6. Results of EDPS inquiries

In 15 cases resolved during 2011, the EDPS found there was no breach of data protection rules or that the necessary measures were taken by the data controller during the EDPS inquiry.

The EDPS received a complaint relating to the transfer, in the context of the departure of an official to another institution, of the number of days of medical absence during the past three years. The EDPS confirmed that such a transfer is in fact necessary for the institution to which the official arrives to fulfil its obligations under Article 59.4 of the Staff Regulations. The EDPS, therefore, concluded in this case that there was no breach of data protection rules.

[Figure: Types of violations alleged. Categories: Loss of data, Objection and deletion, Excessive collection, Confidentiality, Access to and rectification of data.]

A complaint was received that some documents containing highly sensitive personal data of the complainant and of other persons were available to all staff on the server of an EU body for several weeks. Access to these documents was restricted by the data controller only after the intervention of the complainant. Following an inquiry into the matter, the EDPS concluded that the unauthorised disclosure of the personal data contained in the relevant documents constituted a violation of Article 22 of the Regulation (EC) No 45/2001. In order to limit the risk of such a situation arising again in future, the EDPS recommended that the data controller implement a comprehensive system of access rights to different parts of the server.

A complaint was received from a candidate in an EPSO competition relating to the communication of a document containing sensitive personal data from the selection board of the competition to a person external to the competition. Following an inquiry the EDPS considered that the relevant data controller took reasonable measures to prevent such an unauthorised disclosure, in particular ensuring that all the members of the selection board sign a declaration informing them explicitly of their confidentiality obligations. The EDPS concluded that the disclosure of personal data was illegal and due to an individual action of a specific member of the selection board. The EDPS invited the Appointing Authority to consider a disciplinary procedure against the relevant member of the selection board.

In one case, non-compliance with data protection rules was found to have occurred without a breach of these rules by the data controller.

Conversely, in two cases, non-compliance with data protection rules was found to have occurred and recommendations were addressed to the data controller.


2.5. Monitoring compliance

2.5.1. General monitoring and reporting: 2011 Survey

In his policy paper adopted in December 2010 (6), the EDPS announced that “he will continue to conduct periodic “surveys” in order to ensure that he has a representative view of data protection compliance within EU institutions/bodies and to enable him to set appropriate internal objectives to address his findings”.

In April 2011, the EDPS embarked on his third general stocktaking exercise. The exercise had a wide scope, involving six EU institutions and 52 EU bodies and focused on aspects that give a good indication of the progress made in the implementation of the Regulation by institutions and bodies. The conclusions of this exercise were compiled in a report.

The analysis and the report were based on the responses received by September 2011 from EU institutions and bodies (including former second and third pillar bodies) to EDPS letters raising specific questions. The content of the EDPS letters varied slightly according to the status of the institutions and bodies, i.e., young or mature, with or without an appointed Data Protection Officer (DPO).

The responses were displayed in comparative tables, by groups of institutions and bodies. Benchmarks were established on the basis of the results of each group to give an indication of the threshold which an institution or body of the relevant group should reasonably be expected to meet. These benchmarks were set up in concreto by the EDPS, deduced from the facts, to allow comparison between peers.

(6) See the EDPS Policy Paper of 13 December 2010 on “Monitoring and Ensuring Compliance with Regulation (EC) 45/2001”, p. 8.

As a part of EDPS enforcement policy, this general survey was made public. It emphasised the progress made by institutions and bodies and also highlighted the shortcomings in terms of compliance.

The conclusions of this exercise will be taken into account by the EDPS in planning further supervision and enforcement activities. This programme will combine guidance to institutions and bodies, enforcement actions and measures to promote accountability. In particular, compliance visits triggered by a manifest lack of commitment by an institution or body have been planned on the basis of the results of the 2011 exercise.

2.5.2. Targeted monitoring

Pre-recruitment examination by the Parliament’s medical service (case 2010-0279)

In the course of 2010, a number of MEPs raised questions as to the appropriate use of the medical questionnaire in the case of parliamentary accredited assistants in the context of the pre-recruitment examination. On 17 March 2011, the EDPS carried out an investigation with the objective to obtain information about the practices of the Parliament’s medical service on this issue.

After analysis of the information collected in the course of the inquiry, the EDPS recommended that the medical service of the Parliament clearly communicate to the accredited assistants:

• the status of the medical questionnaire, namely that all the questions are considered necessary and relevant in principle and that in the event that a person wishes not to reply to certain questions, the doctors will assess empirically and on the basis of the medical examination which information is or is not relevant, and

• the consequences of not replying to the questions which the doctors consider necessary and of refusing to present themselves to the pre-recruitment examination.

Secondly, the EDPS recommended that the medical service establish a documented policy for all actors in the medical service on the collection of data in the context of the pre-recruitment examination.

The EDPS is responsible for monitoring and ensuring the application of Regulation (EC) No 45/2001. Monitoring is performed by periodic general surveys. In addition to this general stock taking exercise, targeted monitoring exercises were carried out in cases where, as a result of his supervision activities, the EDPS had cause for concern about the level of compliance in specific institutions or bodies. Some of these were correspondence-based whilst others took the form of a one day visit to the body concerned with the aim of addressing the compliance failings. Finally, inspections were carried out in certain institutions and bodies to verify compliance on specific issues.


In the context of the follow-up, the EDPS considered the case closed, as long as the Parliament officially communicates the documented policy to all actors of its medical service and ensures that they rigorously apply this guidance.

Visits to several Agencies

Between January and September 2011, as a result of a number of issues identified in the course of the 2009 stocktaking exercise and its follow-up, the EDPS visited several EU agencies in order to discuss and better understand their low level of compliance with the Data Protection Regulation, notably the European Railway Agency, the Community Plant Variety Office, the European Foundation for the Improvement of Living and Working Conditions and the European Global Navigation Satellite Systems Agency.

The visits had a similar structure:

• a meeting between the Supervisor or Assistant Supervisor and the Director of the Agency

• further meetings involving the data protection officer and controllers of processing operations

• presentations on the data protection Regulation and the EDPS approach to monitoring and ensuring regulatory compliance.

These meetings provided an opportunity for the EDPS to raise specific concerns and allowed the Agencies to provide updates on their progress towards compliance.

At the end of each visit, a specific roadmap was agreed upon, detailing priority actions to be undertaken by the Agencies, monitored by the EDPS, in order to ensure a better level of compliance with the Regulation. In general, a good effort has been made by the agencies visited. Bodies that had a rate of Article 25 notifications close to 0 now reach a level of 60, 70, 80 and in one case 100%. Each body now also has a good, intelligible inventory.

2.5.3. Inspections

Article 30 of the Regulation requires EU institutions and bodies to cooperate with the EDPS in performing his duties and to provide the information and access requested.

During inspections, the EDPS verifies facts on the spot with the further goal of ensuring compliance. Inspections are followed by appropriate feedback to the inspected institution or body.

In 2011, the EDPS continued the follow-up of previous inspections. In May 2011, the EDPS carried out an inspection at the CEDEFOP and at OLAF. Targeted inspections following a complaint were also carried out by the EDPS at the ECB in October 2011 and at OLAF in December 2011.

Follow-up of the inspection at the Joint Research Centre – European Commission

Following its on-the-spot inspection at the Joint Research Centre in Ispra at the end of 2010, the EDPS adopted an inspection report covering the selection and recruitment of JRC personnel and the different procedures put in place by the security service (pre-employment security check, security investigations, access control and recording of emergency calls).

In 2011, the JRC took a number of steps with a view to bringing its processing operations in line with the data protection regulation, based on the inspection report adopted by the EDPS. Further steps in ensuring compliance still require additional efforts by the JRC. The EDPS expects to conclude this exercise in 2012.

Inspections are a crucial tool enabling the EDPS to monitor and ensure the application of the Regulation. They are based on Articles 41(2), 46(c) and 47(2) thereof.

The extensive powers of the EDPS to access any information and personal data necessary for his inquiries and to obtain access to any premises where the controller or the EU institution or body carries out its activity are designed to ensure that the EDPS has sufficient tools to perform his function.

Inspections can be triggered by a complaint or be carried out on the EDPS’ own initiative.


Inspection at the CEDEFOP

The EDPS conducted an on-the-spot inspection at the European Centre for the Development of Vocational Training (CEDEFOP) in Thessaloniki on 31 May and 1 June 2011. This inspection was part of the EDPS 2011 annual inspection plan, based on an internal risk assessment exercise. Three main areas were inspected: staff recruitment procedures with a focus on current and future practices, access control to the premises managed by the security services and the registry and inventory of notifications.

The background information for the inspection was a combination of prior checking cases and an analysis of consultation cases. Based on its findings, the EDPS drafted an inspection report compiling recommendations with a view to ensuring better compliance with the EU Data Protection Regulation. The CEDEFOP followed up the inspection report and submitted corrective measures and comments regarding the recommendations of the EDPS. This case should be closed during the first quarter of 2012.

Inspection at OLAF

On 14 and 15 July 2011, the EDPS conducted an on-site inspection at OLAF premises. This inspection was initiated on the basis of Article 47(2) of the Regulation, as a follow-up of several EDPS opinions concerning OLAF external and internal investigations in addition to OLAF physical and logical access control. The investigation particularly focused on how the identification of data subjects is done, how compliance with the obligation to inform data subjects is achieved and how compliance with the data protection obligations on transfers is ensured. A final inspection report was adopted on 12 October 2011, in which the EDPS provided a number of recommendations on which OLAF is expected to comment by early 2012.

Inspection at the European Central Bank

In October 2011, the EDPS conducted an inspection at the European Central Bank (ECB). This inspection took place within the framework of an inquiry into the protection of personal data during internal administrative inquiries. The inspection consisted of an on-the-spot verification of several files related to internal inquiries in which the ECB accessed the electronic files or traffic data. Following the inspection, a number of additional questions relating to the application of the ECB Administrative Circular 01/2006 on internal administrative inquiries and its principles were sent to the ECB. The inquiry has not yet been concluded.

Targeted inspection at OLAF

In October 2009, two complaints were lodged with the EDPS against OLAF concerning the collection and further processing of personal data in the context of an external investigation into the company where the complainants were employed. After careful analysis of the complaints and the relevant responses by OLAF, the EDPS decided to conduct an on-the-spot visit to OLAF’s premises in December 2011. The purpose of the visit was to clarify issues related to the proportionality of the collection of digital evidence including personal data by OLAF, using forensic tools (e.g. copying or seizure of hard disk drives).

The visit aimed to assess the overall procedure with regard to the collection and further processing of digital evidence before, during and after an OLAF external investigation and included access to relevant material in OLAF’s forensic lab. The information obtained during the visit will be used to finalise the EDPS decision on the above-mentioned complaints.

Visa Information System

The Visa Information System (VIS) allows the exchange of data on short-stay visas among Member States within the Schengen area. It was established by Council Decision 2004/512/EC of 8 June 2004 and the Regulation 767/2008 of the European Parliament and of the Council of 9 July 2008 and allows the competent authorities of the Member States to exchange data on visa applications and on visas issued, refused, annulled, revoked or extended. Biometric data is processed as part of the operation of the VIS.

Inspections are a fundamental tool for the EDPS as a supervisory authority.


Regulation 767/2008 provides for coordinated supervision between national data protection authorities and the EDPS. In particular, it provides that the EDPS shall perform an audit of the data processing activities carried out in the central unit and the communication infrastructure every four years. In order to accomplish this task, two on-the-spot visits were carried out by the EDPS, one in July and one in November 2011. The timing of the visits was chosen in order to provide some guidance prior to the system going live and verify the security measures put in place. The visit in November thus gave the EDPS a baseline against which to compare future inspections.

2.6. Consultations on administrative measures

2.6.1. Consultations Articles 28.1 and 46(d)

The term ‘administrative measure’ is to be understood as a decision of the administration of general application relating to the processing of personal data carried out by the institution or body concerned (e.g. implementing measures of the Regulation or general internal rules and policies, as well as decisions adopted by the administration relating to the processing of personal data).

Furthermore, Article 46(d) of the Regulation provides wide material scope for consultations, extending it to ‘all matters concerning the processing of personal data’. This is the basis for the EDPS to advise institutions and bodies on specific cases involving processing activities or abstract questions on the interpretation of the Regulation.

Within the framework of consultations on administrative measures envisaged by an institution or body, a variety of issues were examined in 2011, some of which are reported below.

2.6.1.1. Publication of employees’ pictures on the Intranet

The “Who is who” project of the Committee of the Regions included the display of a photo of the Committee’s staff members with their functions and responsibilities on the Intranet. For this purpose, the Secretary General intended to send an Outlook message to the staff informing them about the project and of the possibility to opt out of having their photo published by clicking on a specific “No, I don’t want my picture to be published” tab.

In his reply to the consultation, the EDPS highlighted that “unambiguous consent” under Article 5(d) of the Regulation implies that there should be no doubt in every individual case that the data subject freely consents. The proposed system left room for uncertainty as to whether – by taking no action – the staff member really intended to have his/her picture published. Data subjects must be in a position to fully appreciate that they are consenting and what they are consenting to. The most appropriate system to be used to obtain consent is therefore an opt-in mechanism requiring an affirmative action to indicate the consent of each staff member before publishing his/her photo.

Consequently, the EDPS recommended that staff members should be provided the option to express consent by clicking on a box stating, for example, “Yes, I want my picture to be published”. The EDPS also recommended that the Committee highlight to staff members that they are completely free to give or refuse their consent.

2.6.1.2. Role of an agency in a research project (notion of controllership)

The European Medicines Agency (EMA) consulted the EDPS on certain legal issues raised by its participation in the conduct of a clinical study in the framework of a European-wide research project. The project is carried out by a consortium of 29 members, to which EMA contributes as coordinator.

In particular, the Data Protection Officer of the Agency asked whether EMA could be considered as a “joint controller” together with all other participants in the research project and whether the processing of personal data for the clinical study would fall under the scope of the Regulation. On 21 March 2011, the EDPS adopted an opinion highlighting the following aspects of “controllership”:

Regulation (EC) No 45/2001 provides for the right of the EDPS to be informed about administrative measures which relate to the processing of personal data (Article 28(1)). The EDPS may issue an opinion, either following a request from the institution or body concerned or on his own initiative.

• although EMA specified that the purposes and means of the processing are determined by a steering committee, the EDPS considered that, in this case, the notion of controller should be analysed with regard to the consortium as a whole;

• the EDPS considered that all members of the consortium co-decide the conduct of the study. The EDPS was not in a position to evaluate specifically the degree to which members of the consortium – separately or as a whole - control the processing. The EDPS analysis was focused on the responsibilities of EMA, which must be considered one of the controllers.

2.6.1.3. CCTV operated on the premises of another institution

The Trans-European Transport Network Executive Agency (TEN-T EA) consulted the EDPS on the question of the controller-processor relationship where an Agency’s CCTV system is operated by another institution. The Agency’s video surveillance system is designed, installed, operated and managed by the Commission, based on a ‘Service Level Agreement’.

The EDPS replied on 28 July 2011, recalling Opinion 1/2010 of Article 29 Data Protection Working Party on the concepts of ‘controller’ and ‘processor’, stressing that the concept of controller is a functional concept, intended to allocate responsibilities according to the factual influence. He specified that, in case of doubt, elements such as the degree of actual control exercised by a party, the image given to data subjects and the reasonable expectations of data subjects on the basis of this visibility may be useful to determine the controller.

Based on the facts, the role of the Commission appeared to be more than a mere processor and its role was better described as that of a controller. However, the EDPS pointed out that the Agency could not escape its liability as controller on the grounds that it was obliged to conclude a contract with the Commission whose services are standard and offered to all its partners.

The Agency should exercise due diligence in reviewing the relevant practices of the Commission, communicate Commission practices to its staff and visitors and raise with the Commission (and ultimately, with the EDPS, if legality is at stake) any concerns it may have regarding the legality or customisation of the Commission services as necessary.

Closed circuit television (CCTV) must be used responsibly and with effective safeguards in place.

2.6.1.4. Processing of data in employee emails

The Court of Justice of the European Union (CJEU) consulted the EDPS on some general questions regarding the data processing involved in providing email access to employees. The EDPS replied on 2 September 2011, highlighting the following issues:

• providing email access to employees constitutes the processing of personal data under the Regulation, an employer must respect its legal requirements as well as the principle of confidentiality of communications stipulated in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in Article 7 of the Charter of Fundamental Rights of the EU;

• although a particular department (for instance, the IT unit) might be specifically designated as primarily responsible and the contact point for this processing, the CJEU will ultimately be considered the controller of the processing;

• it is the controller’s responsibility to define the modalities applicable to the processing of personal data in the context of email usage and to transparently communicate these modalities to the users. The EDPS recommends adopting “rules governing the use of emails” which define the purpose and modalities of the processing. It is up to the controller to ensure that the processing is necessary and that the measures adopted in line with this purpose are proportionate. The rules must be brought to the attention of all users following a possible consultation of staff representatives.

Such rules governing the use of emails should define in particular:

• the purpose(s) of the processing of personal data involved in the use of emails. The purpose must be a legitimate one (e.g. ensuring the functioning and security of an email system, but not control the use made of the system in a particular case);

• the modalities applicable to the private use of emails (e.g. by obliging the user to clearly indicate the private nature of correspondence in the subject line or in the archiving folder);

• the retention period(s) applicable to the messages and security copies in the system, in keeping with the proportionality principle. It is also advisable to specify the period after which the email messages are definitively erased from the server;

• the different types of security measures put in place;

• the access rights established for IT staff to ensure the proper functioning of the email system;

• the monitoring measures put in place by the controller, which must be proportionate to the purpose of the processing and transparent for the users (no silent monitoring of email use). In this context, attention was drawn to the guidance provided in the Working document on the surveillance of electronic communications in the workplace published by the Article 29 Working Party (7).

2.6.1.5. Using statistical data in a database for staff evaluation purposes

The European Railway Agency (ERA) consulted the EDPS on its intention to use statistical data on the number of financial operations validated in the ABAC System (“Accrual Based ACcounting”) for the purpose of evaluating the financial initiating agents. Information on the actual number of transactions validated by each agent is available online in ABAC and can also be retrieved by using Business Object reports.

In his reply of 5 May 2011, the EDPS considered that ERA had failed to demonstrate the necessity of using ABAC data for staff evaluation, in particular in view of the evaluation data already collected within Career Development Reviews at ERA. Also, none of the existing legal instruments provided for the processing of such data for this purpose. Under Article 6(1) of the Regulation, the processing of data for purposes other than those for which they have been collected has to be expressly permitted by the respective internal rules. Consequently, the use of data collected for accountancy purposes for the purpose of evaluating certain financial agents would need to be explicitly allowed.

The EDPS also requested that a notification for (true) prior checking be submitted in due time before the introduction of this new procedure.

(7) available under http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2002/wp55_en.pdf

Use of emails involves data processing.

2.7. Data protection guidance

2.7.1. Thematic Guidelines

Guidelines on anti-harassment procedures

In February 2011, the EDPS issued guidelines on how to manage the processing of personal data in harassment procedures. The guidelines deal with the informal procedure put in place by the EU institutions and bodies to deal with - but also to prevent - harassment. The selection of confidential counsellors, who play a key role in the procedure, is also touched upon in the document.

The confidentiality expected by the data subject is the cornerstone of the informal procedure. From a data protection point of view, the challenge is to ensure the confidentiality of the data while allowing the prevention of harassment cases. The guidelines, therefore, make the distinction between hard data (objective data) that can be structurally transferred to Human Resources under certain circumstances to help the identification of recurrent and multiple cases, and soft data (subjective data) that can never be structurally transferred to preserve the confidential character of the procedure.

In addition, the EDPS insists on the principles of the data subject’s right of access and right to be informed. In light of the principle of proportionality, restrictions to these rights apply on a case by case basis.

The experience gathered in the application of the Data Protection Regulation has enabled EDPS staff to translate their expertise into generic guidance for institutions and bodies. In 2011, this guidance took the form of training for new DPOs or for controllers or thematic guidelines in the field of staff evaluation and processing of personal data in anti-harassment procedures. The EDPS is currently working on guidelines for absences and leaves, procurement and selection of experts, e-monitoring and data transfers.

Statistics may include personal data.

The guidelines are to be used by the agencies in their notification of procedures in this field to the EDPS for prior checking, but should also serve as a practical guide for all institutions and bodies. The EDPS issued a joint opinion on 21 October 2011 on notifications submitted by nine agencies for prior checking in the light of these guidelines.

Guidelines on staff evaluation

In July 2011, the EDPS issued guidelines on the processing of personal data in the area of staff evaluation by EU institutions and bodies.

The objective of the guidelines is to offer practical guidance and assistance to all Data Protection Officers and controllers in their task of notifying existing and/or future data processing operations to the EDPS in the following statutory procedures:

• annual appraisal / career development review (CDR),

• probation,

• promotion of officials,

• re-grading of temporary agents,

• evaluation of the ability to work in a third language before the first promotion,

• re-classification or renewal of a contract for an indefinite period,

• certification of AST officials,

• ‘attestation’ of former C and D officials.

The DPO network was consulted on the draft guidelines in May 2011 and a presentation of the guidelines was made at the DPO meeting in October 2011.

In the guidelines, the EDPS expressed his concern as to the lengthy conservation period of personal data contained in annual evaluation and probation reports, as well as supporting documents relating to other evaluation procedures kept in personnel files. He recommended that time limits exceeding the career of the staff members concerned be reconsidered and suggested a maximum time limit of five years after a given evaluation exercise, as the best practice.

The DPOs were asked to submit any outstanding notifications by 21 October 2011 to the EDPS. To date, 43 notifications from 21 institutions and bodies concerning 57 evaluation procedures were received by the end of December 2011. The EDPS intends to address all relevant evaluation procedures, per EU institution or body, in a joint opinion.

Follow-up Report on Video-Surveillance Guidelines

In March 2010, the EDPS issued Video-Surveillance Guidelines (8) based on the powers conferred on him in Article 47(1)(a) of Regulation 45/2001.

The Follow-up Report, which was compiled over the course of 2011 and published in early 2012, is a systematic and comparative analysis of the status reports received from a total of 42 EU institutions and bodies. In addition to recognising best practices, this report highlights shortcomings in those institutions and bodies lagging behind in their efforts to ensure compliance with the guidelines. Furthermore, it clarifies certain aspects of the guidelines, where questions were raised by bodies in preparing their video-surveillance policy or a need for clarification became apparent through the analysis of the state-of-play reports.

In the report, the EDPS took note of the considerable efforts undertaken by those institutions and bodies who submitted their state-of-play reports in 2011 and was generally reassured that the guidelines contributed to raising the level of awareness and transparency regarding video-surveillance matters within EU institutions and bodies.

However, more than a year after the adoption of the guidelines and nearly two years after having started the consultation process, the EDPS was disappointed to see that the implementation of the guidelines has been put on hold or significantly delayed in several institutions and bodies.

(8) http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Guidelines/10-03-17_Video-surveillance_Guidelines_EN.pdf.

2.7.2. Training

On 10 February 2011, the EDPS organised a training session for ENISA staff as a follow-up to the EDPS visit to ENISA in September 2010. The EDPS provided practical guidance on “Selection and recruitment of staff”. This theme was chosen because a prior checking follow up was pending and EDPS had already issued thematic guidelines on the topic. The training session was attended by HR staff, the DPO, the Director and the Head of the administration.

On 8 June 2011, the EDPS organised a one day workshop on data protection for Data Protection Officers from all EU institutions and bodies. The aim was to provide basic training for DPOs, particularly for recently-appointed ones. The workshop began with an introduction to the basic principles and definitions of the regulation. This was followed by a session which included presentations on legal issues (e.g. legal basis of data processing, rights of the data subject, transfer of data, processing on behalf of the controller). The afternoon session was dedicated to cooperation between DPOs and the EDPS, focusing on the practical aspects of complaint handling, prior-checking procedures, and security of processing operations.

The workshop was well-attended and active participation of the DPOs led to a productive exchange of experiences and concerns. The EDPS will build on this experience and based on the feedback received, organise a similar workshop for Data Protection Coordinators in 2012.

In November 2011, EDPS staff provided training at the Auditors Forum, a monthly conference addressed to the internal auditors of the European Commission. The presentation covered a general introduction to data protection and compliance with the data protection rules by internal audit services in the performance of their activities. The training was well attended by Commission staff and was also followed by videoconference by the internal audit services of the European Court of Auditors, the European Court of Justice and the European Central Bank.

On request from the TEN-T EA DPO, EDPS staff provided general training on data protection and the Regulation to TEN-T EA staff on 1 December 2011. The first session was dedicated to data protection and the basic principles of the Regulation. This was followed by a presentation on the EDPS enforcement policy and then by a Q&A session. The training was well-attended by TEN-T EA staff.

Personal data are processed by EU institutions and bodies during staff evaluation procedures.

3. POLICY AND CONSULTATION

The ongoing work on the new data protection legislation framed 2011: on 14 January, the EDPS published his opinion on the Commission Communication on the comprehensive approach to personal data protection in the European Union; in December, he provided informal comments on draft proposals to DG Justice, which is responsible for the new legal framework. On both occasions, the EDPS provided substantive input into the legislative procedure. He will continue to do so in 2012.

3.1. Introduction: overview of the year and main trends

In 2011, the Commission published many legislative proposals affecting data protection and made significant headway towards a new general and comprehensive framework for data protection in Europe.

This project featured high on the EDPS agenda in 2011 and will remain so for the coming years as the legislative procedure advances: once the Commission has presented its proposal and accompanying communication in 2012, the EDPS will provide an opinion. Thereafter, the discussions in the European Parliament and the Council will proceed.

Following the trend of past years, the areas covered by EDPS opinions continued to diversify. Aside from traditional priorities, such as the further development of the Area of Freedom, Security and Justice or international data transfers, new fields are emerging. 2011 saw a number of opinions issued on matters related to the internal market, as well as fisheries control and agricultural support schemes.

In the Area of Freedom, Security and Justice, the question of necessity has been a recurrent theme. On several occasions, the EDPS issued opinions in which this data protection principle figured prominently. This was the case for the evaluation report on the Data Retention Directive, the communication on migration and the proposal for an EU Passenger Name Records Programme.

Necessity is a key concept in data protection. It is a strict rather than simply “useful” standard: A measure can only be considered necessary if the results could not have been achieved with less intrusive means. Especially when evaluating existing measures, this standard must be applied with utmost rigour. This standard of proof is enshrined in European law and has been applied extensively by the Court of Justice of the European Union in Luxembourg as well as by the European Court for Human Rights in Strasbourg, usually closely linked to the standard of proportionality.

Passenger Name Records were also a recurrent topic when the EDPS was consulted on initiatives in the field of international law enforcement and security cooperation. He issued opinions on the proposals for agreements with the USA and Australia.

The increasing number of opinions related to the internal market is a new development and among others, the EDPS adopted opinions on the Internal Market Information System and over-the-counter derivatives.

In another innovation, the EDPS published his first opinion on EU-funded research activities, providing advice to European research and development activities. This opinion put the policy paper ‘The EDPS and EU Research and Technological Development’ into practice.

The wide range of issues addressed in EDPS consultative activities demonstrates that the processing of personal data and data protection have truly become horizontal issues that cannot be confined to specific policy areas. Instead, they are of cross-cutting relevance, justifying the role of the EDPS as the competent adviser to the EU institutions.

This chapter of the Annual Report not only focuses on legislative consultation but also deals with relations between the EDPS and the EU Courts and with the monitoring of new developments by the EDPS, in particular new technologies. Cooperation with DPAs, including coordinated supervision on large scale information systems, is included in Chapter 4.

3.2. Policy framework and priorities

3.2.1. Implementation of consultation policy

Although the working methods of the EDPS in the area of consultation have developed over the years, the basic approach for interventions has not changed. The policy paper adopted in March 2005 and entitled “The EDPS as an advisor to the Community institutions on proposals for legislation and related documents” (9) remains relevant, although it must now be read in light of the Lisbon Treaty.

(9) Available on the EDPS website under Publications > Papers.

Legislative consultations based on Article 28(2) of Regulation (EC) No 45/2001 are the core element of the EDPS advisory role. According to this article, the Commission shall consult the EDPS when it adopts a legislative proposal relating to the protection of individuals’ rights and freedoms. The EDPS opinions fully analyse the data protection aspects of a proposal or other text.

As a rule, the EDPS only issues opinions on non-legislative texts (such as Commission working documents, communications or recommendations) if data protection is a core element. Occasionally, written comments are issued for more limited purposes, so as to convey quickly a fundamental political message or to focus on one or more technical aspects. They are also used to summarise or repeat observations made earlier. For instance, the EDPS wrote two letters on several legislative proposals on restrictive measures, as the data protection issues in these proposals were largely similar to those addressed in earlier opinions.

Other instruments can also be used, such as presentations, explanatory letters, press conferences or press releases. For instance, opinions are often followed by presentations in the Committee for Civil Liberties, Justice and Home Affairs of the European Parliament or in the relevant working parties in the Council.

The EDPS is available to the EU institutions during all phases of policy making and legislation and uses a wide range of other instruments in his advisory role. Although this may require close contact with the institutions, maintaining his independence remains paramount.

Consultations with the Commission take place at various stages in the preparation of proposals and the frequency varies depending on the subject and on the approach followed by the Commission services. This applies to long-term projects in particular, such as the reform of the legal framework for OLAF to which the EDPS contributed at different junctures.

Formal consultation activities are quite often preceded by informal comments. When the Commission drafts a new legislative measure with an impact on data protection, the draft is usually sent to the EDPS during the inter-service consultation, i.e. before it is published. These informal comments, of which there were 41 in 2011, allow data protection issues to be addressed at an early stage when the text of a proposal can still be changed relatively easily. The submission of informal comments to the Commission is a valuable way of ensuring due consideration for data protection principles at the drafting stage of a legislative proposal and critical issues can very often be resolved at this stage. As a rule, these informal comments are not public. If they are followed by an opinion or formal comments, these usually refer to the fact that informal comments have been submitted earlier.

The formal opinions of the EDPS - based on Article 28(2) or 41 of Regulation (EC) No 45/2001 - are the main instruments of consultation policy and contain a full analysis of all the data protection related elements of any Commission proposal or other relevant instrument.

Regular contact with the relevant services of an institution will take place following the issuing of EDPS comments or opinion. In some cases, the EDPS and his staff are closely involved in the discussions and negotiations taking place in Parliament and Council. In others, the Commission is the main interlocutor in the follow-up phase.

3.2.2. Results in 2011

In 2011, the steady increase in the number of opinions issued continued. The EDPS issued 24 opinions, 12 formal comments and 41 informal comments on a variety of subjects.

With these opinions and other instruments used for intervention, the EDPS implemented his priorities for 2011, as laid down in his inventory. The 24 opinions covered different EU policy areas.

The 2011 Inventory defined four main areas of attention:

a) towards a new legal framework for data protection

b) further developing the Area of Freedom, Security and Justice

c) technological developments and the Digital Agenda

d) other initiatives with a significant impact on data protection.

[Figure: Legislative opinions evolution 2004-2011. Series: Opinions, Formal comments, Informal comments; horizontal axis: years 2004 to 2011.]

3.3. Review of the EU Data Protection Framework

3.3.1. A comprehensive approach to personal data protection in the European Union

On 14 January 2011, the EDPS issued an opinion on the Commission Communication on the review of the EU legal framework for data protection. The Communication is an essential landmark on the way towards a new legal framework that will represent the most important development in the area of EU data protection since the adoption of the EU Data Protection Directive 17 years ago.

The EDPS has welcomed the Commission’s intention to reform the EU legal framework for data protection - which he has previously requested on a number of occasions (10) - and the review of the legal framework already was one of the top priorities for the EDPS in 2009 and 2010. He shared the Commission’s view that in the future a strong system of data protection is absolutely necessary, based on the notion that the existing general principles of privacy and data protection remain valid.

In his opinion, the EDPS supported the main issues and challenges identified by the Commission, but asked for more ambitious solutions to make the system more effective and give citizens better control over their personal data.

(10) see e.g.: Opinion of 25 July 2007 on the Communication from the Commission to the European Parliament and the Council on the follow-up of the Work Programme for better implementation of the Data Protection Directive, OJ C 255, 27.10.2007, p. 1

[Figure: Main policy areas for legislative opinions in 2011 (vertical axis 0% to 30%). Categories: Data protection reform; Digital agenda and technology; Freedom, Security and Justice and international cooperation; Cross-border enforcement; Internal market and financial data; Public health and consumer affairs; Other.]

In the EDPS’ view, the major goals of the review process should be as follows:

• the rights of individuals should be strengthened: the EDPS suggests introducing a mandatory security breach notification covering all relevant sectors, as well as new rights, especially in the online environment, such as the right to be forgotten and data portability. Children’s data should also be better protected;

• the responsibility of organisations needs to be reinforced: the new framework must contain incentives for data controllers in the public or private sector to proactively include new tools in their business processes to ensure compliance with data protection (accountability principle). The EDPS proposes the introduction of general provisions on accountability and ‘privacy by design’;

• the inclusion of police and justice cooperation in the legal framework is a conditio sine qua non for effective data protection in the future;

• further harmonisation should be one of the key objectives of the review. The Data Protection Directive should be replaced by a directly applicable regulation;

• the new legal framework must be formulated in a technologically neutral way and must have the ambition to create legal certainty for a longer period;

• the enforcement powers of data protection authorities should be strengthened, and their independence should be better guaranteed across the EU.

The Commission will adopt two legislative proposals in early 2012, one proposal for a general data protection regulation and another one for a directive on data protection in the field of law enforcement. The EDPS will, of course, continue to monitor the legislative process and will issue further contributions as appropriate.

3.4. Area of Freedom, Security and Justice and international cooperation

3.4.1. Data Retention

Under the Data Retention Directive public electronic communications providers (telephone companies, mobile telecoms and Internet service providers) are obliged to retain traffic, location and subscriber data for the purposes of investigation, detection and prosecution of serious crime.

The EDPS opinion adopted on 31 May 2011 analysed the Commission Report which provides an evaluation of the implementation and application of the Data Retention Directive and measures its impact on economic operators and consumers.

The EDPS took the view that the Directive does not meet the requirements imposed by the fundamental rights to privacy and data protection for the following reasons:

• the necessity for data retention provided for in the Directive has not been sufficiently demonstrated;

• data retention could have been regulated in a less privacy-intrusive way;

• the Directive leaves too much scope for Member States to decide on the purposes for which the data might be used and for determining who can access the data and under which conditions.

The EDPS pointed out that information provided by the Member States was not sufficient to draw a positive conclusion on the need for data retention as developed in the Directive. Further investigation of necessity and proportionality is required and in particular, the examination of alternative, less privacy-intrusive means.

The Commission (Evaluation) Report plays a role in possible decisions on amending the Directive. The EDPS has therefore called on the Commission to seriously consider all options in this process, including the possibility of repealing the Directive, whether or not combined with the proposal for an alternative, more targeted EU measure.

If, on the basis of new information, the necessity for an EU instrument on data retention is demonstrated, the following basic requirements should be respected:

• it should be comprehensive and genuinely harmonise rules on the obligations to retain data, as well as on the access and further use of the data by competent authorities;

• it should be exhaustive, which means that it has a clear and precise purpose which cannot be circumvented;

• it should be proportionate and not go beyond what is necessary.

The EDPS stressed that the massive invasion of privacy posed by the Data Retention Directive needed profound justification. The EDPS, therefore, called on the European Commission to use the evaluation exercise to prove the necessity of the Directive. Concrete facts and figures should make it possible to assess whether the results presented in the evaluation could be achieved by other less intrusive means.

Data Retention Directive poses a massive invasion of privacy.

3.4.2. Terrorist Finance Tracking System (TFTS)

On 25 October 2011, the EDPS sent his comments on the Commission Communication on the Terrorist Finance Tracking System of 13 July 2011 to the Commissioner for Home Affairs. He supported all the points made by the Article 29 Working Party in its letter of 29 September 2011, particularly regarding the principles of necessity and proportionality, data controllers and processor relationships, bulk data transfers, types of data being processed, retention, rights of data subjects, DPAs, data security and cooperation between the Member States. Moreover, he highlighted necessity and proportionality as the procedural guarantees that should be introduced into any EU TFTS scheme.

3.4.3. European Passenger Name Records

In 2011, as in previous years, the proposed processing of Passenger Name Records (PNR) by law enforcement authorities raised data protection issues from a European perspective.

On 25 March 2011, the EDPS adopted an opinion which analysed the new Commission proposal obliging airline carriers to provide EU Member States with the personal data of passengers (Passenger Name Record) entering or departing the EU for the purposes of fighting serious crime and terrorism.

3.4.4. Agreement between the EU and Australia on Passenger Name Records

On 15 July 2011, the EDPS adopted an opinion on a Commission proposal concerning an Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data. The EDPS welcomed the safeguards provided in the proposals, especially with regard to the concrete implementation of the agreement, in particular data security aspects, supervision and enforcement provisions.

However, he also identified significant room for improvement, in particular as regards the scope of the agreement, the definition of terrorism and the inclusion of some exceptional purposes, as well as the retention period for PNR data. He also considered that the legal basis for the agreement should be reconsidered and should refer to Article 16 of the Treaty on the Functioning of the European Union (TFEU).

In addition, the EDPS recalled the wider context of the legitimacy of any PNR scheme, seen as the systematic collection of passenger data for risk assessment purposes. A proposal can satisfy the other requirements of the data protection framework, only if the scheme respects the fundamental requirements of necessity and proportionality under Articles 7 and 8 of the Charter of Fundamental Rights and Article 16 TFEU.

The EDPS recommendations included thefollowing:

• scope of application:thescopeofapplicationshouldbemuchmorelimitedwithregardto

Personalinformationiscollectedbyairlinesortravelagenciesatthetimeapassengermakesareservation,beforetravelling.

Inhisopinion,theEDPSrecalledthattheneedtocollectorstoremassiveamountsofpersonalinfor-mationmustrelyona clear demonstration of the relationship between use and result (necessityprinciple).Thisisanessentialprerequisiteforanydevelopmentofa PNRscheme.IntheviewoftheEDPS, thecurrentacts failed todemonstrate thenecessityandtheproportionalityofa systeminvolv-inglarge-scalecollectionofPNRdataforthepur-poseofa systematicassessmentofallpassengers.

Page 53: The European guardian of personal data protection … · The European guardian of personal data protection ... Free publications: • via EU Bookshop ... Terrorist Finance Tracking

Chapter 3 annual report 2011

51

thetypeofcrimesinvolved.TheEDPSrecom-mendsexplicitlydefiningandexcludingminorcrimesfromthescopeandprecludingMemberStatesfromexpandingthescope;

• data retention: no data should be keptbeyond30daysinanidentifiableform,exceptincasesrequiringfurtherinvestigation;

• data protection principles:a higherstandardofsafeguardsshouldbedeveloped,particu-larlyintermsofdatasubjects’rightsandtrans-ferstothirdcountries;

• list of PNR data:theEDPSwelcomesthefactthatsensitivedataarenotincludedinthelistofdatatobecollectedbutstillregardsthelistastooextensiveandrecommendsthatit isfur-therreduced;

• evaluation of EU PNR system:theassessmentoftheimplementationofthesystemshouldbebased on comprehensive statistical data,including thenumberofpersonseffectivelyconvicted-andnotonlyprosecuted-onthebasisoftheprocessingoftheirpersonaldata.

Finally,theEDPSrecalledthattheneedtocollectorstore massive amounts of personal informationmustrelyona cleardemonstrationoftherelation-shipbetweenuseandresult(necessityprinciple).This isanessentialprerequisiteforanydevelop-mentofa PNRscheme.IntheviewoftheEDPS,theproposalandaccompanying impactassessmentfailedtodemonstratethenecessityandthepro-portionalityofa systeminvolvinglarge-scalecol-lectionofPNRdataforthepurposeofa systematicassessmentofallpassengers.

3.4.5. Agreement between the EU and USA on Passenger Name Records

The EDPS was critical of the new proposal for an EU-US Passenger Name Record (PNR) agreement, as the necessity and the proportionality of PNR schemes have not yet been demonstrated. In his opinion of 9 December 2011, he criticised:

• the 15-years retention period: the EDPS recommended deleting the data after its analysis or after a maximum of 6 months;

• the overbroad purpose definition: the purpose should be limited to combating terrorism or a well defined list of transnational serious crimes;

• the amount of data to be transferred to the Department of Homeland Security (DHS): it should be narrowed and exclude sensitive data;

• the exceptions to the “push” method: US authorities should not directly access the data (“pull” method);

• the limits to data subjects’ exercising their rights: every citizen should have the right to effective judicial redress;

• the rules on onward transfers: the DHS should not transfer the data to other US authorities or third countries unless they guarantee an equivalent level of protection.

The EDPS considered that neither the main concerns previously expressed by the EDPS and the EU national data protection authorities, nor the conditions required by the European Parliament to provide its consent were met.

3.4.6. Anti-corruption package

On 6 July 2011, the EDPS issued formal comments on the anti-corruption package, which consisted of a communication setting out the European Union’s approach to curb corruption, a Commission decision to establish a regular EU anti-corruption report and a report on the terms of EU participation in the Council of Europe Group of States against Corruption.

The communication refers to a planned strategy for improving the quality of financial investigations and developing financial intelligence, including sharing of information within and between Member States, EU agencies and third countries. In this regard, the EDPS encouraged the Commission to ensure a sufficient level of data protection in this future strategy. He also recommended that the sharing of best practices envisaged in the EU anti-corruption report should be understood to also include practices for ensuring data protection in anti-corruption investigations.

3.4.7. Legislative proposals concerning certain restrictive measures

On 16 March and 9 December 2011, the EDPS sent letters to the European Commission, the European Parliament, the Council and the High Representative of the Union for Foreign Affairs and Security Policy as a response to the Commission consultation on various legislative proposals concerning certain restrictive measures with regard to Iran, the Republic of Guinea-Bissau, Côte d’Ivoire, Belarus, Tunisia, Egypt, Libya, Syria, Afghanistan and Burma/Myanmar. In his letters, the EDPS reaffirmed his position that when EU institutions take restrictive measures with regard to individuals, data protection principles and any necessary restrictions to them should be comprehensively and clearly laid down.

The Commission proposals envisaged fighting human rights abuses by imposing restrictive measures - notably, freezing of assets and economic resources - on natural and legal persons who are considered to be involved in such abuses. To this end, “blacklists” of the natural or legal persons concerned are published and publicised.

The EDPS criticised that while the text initially proposed by the Commission and the High Representative included strong references to data protection rules, they were significantly weakened by the Council. He reiterated the recommendation to the Commission, the High Representative and the Council to abandon the current piecemeal approach - with specific data protection rules for each country or organisation - and to develop a consistent framework for restrictive measures, ensuring respect of fundamental rights and in particular, the fundamental right to the protection of personal data.

3.4.8. Migration

In 2011, the Commission worked on a comprehensive approach to migration. To outline its position and agenda, it published a communication on this topic in May. On 7 July 2011, the EDPS adopted an opinion on this communication.

In his opinion, the EDPS focused on the need to prove the necessity of the proposed new instruments such as the Entry-Exit-System. To this end, he recalled the case law of the European Court of Human Rights and the European Court of Justice, which establishes that the standard of proof needed to interfere with the right to privacy and data protection is that of ‘being necessary in a democratic society’ and elaborated on the concept of necessity.

Also addressed was the use of biometrics. Here, the EDPS urged that any use of biometrics should be accompanied by strict safeguards and complemented by a fall-back procedure for persons whose biometric characteristics may not be readable. Additionally, he specifically called on the Commission not to reintroduce the proposal to grant law-enforcement access to Eurodac (a large-scale IT system devoted to storing fingerprints, see 4.2).

By explicitly stating his position on this topic, the EDPS gave guidance to the Commission on how to evaluate necessity. It can be noted that subsequent Commission documents, such as the Communication on smart borders, show increased attention to this concept.

3.4.9. Victims of crime

On 17 October 2011, the EDPS published his opinion on the legislative package on the victims of crime, which focuses on privacy-related aspects of the protection of the victims of crime. The EDPS welcomed the policy objectives of the proposals and generally endorsed the approach of the Commission. Nevertheless, he found that the protection of privacy and personal data of the victims in the proposed directive could have been strengthened and clarified.

With regard to the proposed Regulation on mutual recognition of protection measures in civil matters, which deals with protection of individuals against other individuals causing risks to them (“stalking”), the EDPS suggested that information about the protected person to the person causing the risk should be limited to those personal data which are strictly necessary for the execution of the measure.

Use of biometrics should be accompanied by strict safeguards.


3.5. Digital Agenda and technology

The Commission carried out significant work in the area of the information society and new technologies in 2011. Particular emphasis was given to the implementation of the Digital Agenda and the EU 2020 Programme. Several of these initiatives had significant data protection relevance and were, therefore, closely followed by the EDPS. He also monitored and engaged in relevant European research and technological development projects.

Apart from the initiatives mentioned below, the EDPS also provided advice on additional proposals included in the Digital Agenda action plan, namely the public consultation on the Intellectual Property Rights Enforcement Directive (11) and the legal framework for the Consumer Protection Cooperation System (CPCS) (12).

(11) see below Section 3.7.1

(12) see below Section 3.8.1

3.5.1. Net neutrality

On 7 October 2011, the EDPS adopted an opinion on the Commission Communication on the open Internet and net neutrality in Europe.

The EDPS highlighted the serious implications of some monitoring practices of ISPs on the fundamental right to privacy and data protection of users, in particular in terms of confidentiality of communications. He has called on the Commission to initiate a debate involving all the relevant stakeholders with a view to clarifying how the data protection legal framework applies in this context.

He recommended guidance to be provided in areas such as:

• determining inspection practices that are legitimate, such as those needed for security purposes;

• determining when monitoring requires the users’ consent, for instance in cases where filtering aims to limit access to certain applications and services, such as peer to peer.

In particular the guidance should cover the application of the necessary data protection safeguards such as purpose limitation and security.

3.5.2. Technological project “Turbine”

On 1 February 2011, the EDPS adopted an opinion based on his policy paper “The EDPS and EU Research and Technological Development”, adopted in 2008. This paper described the possible roles the EDPS could play for research and technological development (RTD) projects in the context of the Commission Framework Programme for Research and Technological Development.

In his opinion, the EDPS analysed the Turbine (TrUsted Revocable Biometric IdeNtitiEs) research project, the overall objectives of which are to:

• develop an innovative, privacy enhancing technology solution for electronic identity (eID) authentication through fingerprint biometrics;

• demonstrate the performance and security of this solution for use in commercial eID management applications, as well as its benefit for the citizen in terms of enhanced privacy protection and user trust in electronic identity management through the use of fingerprints.

The analysis of the EDPS focused on some important features of the project, namely the protection of the biometric template by cryptographic transformation of the fingerprint information into a non-reversible key (where it is not possible to return to the original biometric information) and the revocability of this key (where a new independent key can be generated to re-issue biometric identities). Moreover, through the test phase, the project tested implementation of the features in real case scenarios.

The EDPS welcomed the project as it demonstrates that implementing “privacy by design” as a key principle in research, represents an effective means to ensure “privacy compliant” solutions.

Net neutrality raises many data protection related issues.

Turbine - TrUsted Revocable Biometric IdeNtitiEs

3.6. Internal Market including financial data

3.6.1. Internal Market Information System

In his opinion of 22 November 2011, the EDPS provided a series of recommendations to further strengthen the data protection framework for the Internal Market Information System (IMI). The EDPS supported a consistent approach to data protection in establishing an electronic system for the exchange of information, including relevant personal data.

The EDPS welcomed the fact that the Commission proposed a horizontal legal instrument for IMI in the form of a Parliament and Council Regulation, which aims to comprehensively highlight the most relevant data protection issues for IMI. The EDPS cautioned that there are associated risks in establishing a single centralised electronic system for multiple areas of administrative cooperation. With regard to the legal framework for IMI to be established in the proposed Regulation, the EDPS drew attention to two key challenges: the need to ensure consistency while respecting diversity and the need to balance flexibility and legal certainty.

The EDPS acknowledged the need for flexibility to cover administrative cooperation in different policy areas but insisted that this flexibility should be accompanied by legal certainty. Against this background, the EDPS recommended that the functionalities of IMI already foreseen should be further clarified and that the inclusion of new functionalities should require appropriate procedural safeguards, such as preparation of a data protection impact assessment and consultation of the EDPS and national data protection authorities.

The opinion also called for further strengthening of data subjects’ rights and reconsideration of the extension of the current 6-month retention period unless adequate justification can be provided.

Finally, the EDPS welcomed the provisions on coordinated supervision and recommended that these should be further strengthened in order to guarantee effective and active cooperation among the data protection authorities involved.

3.6.2. Energy Market Integrity and Transparency

On 21 June 2011, the EDPS issued an opinion on the proposal for a regulation on energy market integrity and transparency. The main aim of the proposal is to prevent market manipulation and insider trading on wholesale energy - gas and electricity - markets. The EDPS commented on several aspects of the proposal, including those on market monitoring and reporting and investigation and enforcement.

The EDPS took a close look at the proposal for a regulation on the energy market.

The key concern of the EDPS was that the proposal lacked clarity and adequate data protection safeguards with regard to the investigatory powers granted to national regulatory authorities. The EDPS, therefore, recommended clarification on:

• whether on-site inspections would be limited to business properties or also apply to private properties of individuals. In the latter case, the necessity and proportionality of this power should be clearly justified and a judicial warrant and additional safeguards required;

• the scope of the powers to request “existing telephone and existing data traffic records”. The proposal should unambiguously specify what records can be requested and from whom. The fact that no data can be requested from providers of publicly available electronic communications services should be explicitly mentioned. The proposed regulation should clarify whether the authorities may also request the private records of individuals (e.g. text messages sent from personal mobile devices). If this were the case, the necessity and proportionality of this power should be clearly justified and the proposal would also require a warrant from a judicial authority.

The reporting and collection of data regarding suspicious transactions was another sensitive subject in the proposal where the EDPS called for the clarification of the relevant provisions and adequate safeguards, such as strict purpose limitations and retention periods.

3.6.3. Interconnection of business registers

On 6 May 2011, the EDPS issued an opinion on the proposal for a directive amending three existing directives on the interconnection of business registers. The aim of the proposal is to facilitate and step up cross border cooperation and information exchange among business registers in the European Union, thereby increasing transparency as well as reliability of the information available across borders.

The main concern of the EDPS is that the proposal, as drafted, would leave key issues such as those of governance, roles, competences and responsibilities to delegated acts. In order to ensure legal certainty as to who is responsible for what and to ensure that adequate data protection safeguards can be identified and implemented, the EDPS recommended that these key issues be addressed in the proposed directive.

3.6.4. Credit agreements relating to residential property

On 25 July 2011, the EDPS adopted an opinion on a Commission proposal for a directive on credit agreements relating to residential property. Responsible lending is defined by the proposal as the care taken by creditors and intermediaries to lend amounts that consumers can afford and meet their needs and circumstances. The proposal was drafted from the perspective that irresponsible behaviour by some market players was at the source of the financial crisis. The proposal, therefore, introduces prudential and supervisory requirements for lenders and obligations and rights for borrowers in order to establish a clear legal framework that should safeguard the EU mortgage market from the disruptive effects experienced during the financial crisis.

The EDPS welcomed the specific reference in the proposal to Directive 95/46/EC. However, he suggested some modifications to the text in order to clarify the applicability of the data protection principles to the processing operations, particularly in relation to the consultation of the database on credit-worthiness which is established in almost all Member States.

Credit agreements are a subject to applicability of the data protection principles.


3.6.5. Over-the-counter derivatives, central counterparties and trade repositories

The opinion, published by the EDPS on 19 April 2011, focused primarily on the specific investigation powers granted to the European Securities and Markets Authority (ESMA) under the proposed Regulation, namely the power to “require records of telephone and data traffic”.

The opinion highlights that investigatory powers directly relating to traffic data, given their potential intrusiveness, have to comply with the requirements of necessity and proportionality. It is, therefore, essential that they are clearly formulated in their personal and material scope, as well as the circumstances and conditions in which they can be used. Adequate safeguards should also be provided against the risk of abuse.

The EDPS considered that these requirements were not fulfilled in the proposed Regulation as the power under consideration was too broadly formulated. In particular, the personal and material scope of the power, the circumstances and the conditions under which it could be used were not specified. The EDPS, therefore, called for more clarity and advised the legislator to:

• clearly specify the categories of telephone and data traffic records which trade repositories are required to retain and/or to provide to the competent authorities;

• limit the power to require records of telephone and data traffic to trade repositories only;

• state explicitly that accessing telephone and data traffic records directly from telecom companies is excluded.

The EDPS also recommended limiting the exercise of the power to identified and serious violations of the proposed Regulation and in cases where a reasonable suspicion of a breach exists. Furthermore, he suggested that prior judicial authorisation (at least where such authorisation is required under national law) and adequate procedural safeguards against the risk of abuse be introduced.

3.6.6. Technical requirements for credit transfers and direct debits in Euros

On 23 June 2011, the EDPS adopted an opinion on a Commission proposal for a Regulation establishing technical requirements for credit transfers and direct debits in Euros, which relates to the Single European Payment Area (SEPA).

Introduction and development of SEPA involve several data processing operations.


The SEPA project aims to establish a single market for retail euro payments by overcoming the technical, legal and market barriers that exist prior to the introduction of the single EURO currency. Once SEPA has been completed, there will be no difference between national and cross border Euro payments.

The introduction and development of SEPA involves several data processing operations: names, bank account numbers and content of contracts need to be exchanged directly between payers and payees and indirectly through their respective payment service providers in order to guarantee a smooth functioning of the transfers. The proposal also introduces a new role for national authorities competent to monitor compliance with the Regulation and take all necessary measures to ensure such compliance. While this role is fundamental for guaranteeing an effective implementation of SEPA, it might also involve broad powers for the further processing of personal data by the authorities, including the total amount of Euro transfers between individuals and entities.

The EDPS, therefore, recommended some modifications to the text in order to ensure that exchanges of such data comply with the relevant applicable legislation, particularly with the principles of necessity, proportionality and purpose limitation.

3.6.7. Airport body scanners

On 17 October 2011, the EDPS sent a letter to the European Commission Vice-president Siim Kallas concerning three proposals on common basic standards on civil aviation security as regards the use of security scanners at EU airports. The draft measures were adopted by the Commission using the “comitology” procedure.

In his comments, the EDPS welcomed the safeguards included in the draft measures and the fact that there is an EU approach to security scanners, as this can guarantee legal certainty as well as a consistent level of protection of fundamental rights. However, he questioned the necessity and the proportionality of such measures and highlighted that data protection legislation is applicable.

The EDPS also regretted that body scanners providing a detailed image of the body will be allowed, especially given that preference could have been given to a less privacy-intrusive device (i.e. a body scanner showing a “stick figure” instead of the human body).

3.7. Cross-border enforcement

3.7.1. Intellectual Property Rights Enforcement Directive

On 8 April 2011, the EDPS responded to a public consultation launched by the European Commission on the application of the Intellectual Property Rights Enforcement Directive. The EDPS provided a broad overview of the data protection issues that can arise in the context of enforcing intellectual property rights on the internet. The EDPS highlighted that the enforcement of intellectual property (IP) rights on the internet poses important challenges and requires adequate data protection safeguards. This is particularly applicable when carrying out monitoring of internet activity to find alleged infringers, or when collecting personal data information (such as a subscriber name linked to a concrete IP address) from intermediaries such as Internet Service Providers.

The EDPS stressed the importance of striking a balance between the fundamental right to data protection and the right to intellectual property. He accepted that the current provisions in the Directive - based on striking the balance in line with the commercial scale of the infringement - were appropriate, although clarification is still necessary in some areas.

Finally the EDPS made some recommendations to assist the Commission in taking a more prospective view. In particular, data protection should be taken into account in the evaluation of the implementation of the current Directive, its follow up and during possible future legislative modifications.

Enforcement of intellectual property rights on the Internet requires adequate data protection safeguards.

3.7.2. Customs enforcement of intellectual property rights

On 12 October 2011, the EDPS adopted an opinion on the proposal for a Regulation concerning customs enforcement of intellectual property rights. The EDPS welcomed the specific reference in the proposal to the applicability of Directive 95/46/EC and Regulation (EC) 45/2001 to the personal data processing activities covered by the Regulation.

The EDPS also highlighted the data subject’s right to information, the need to devise a “data protection compliant” model application form, the specification of a time limit for the retention of personal data submitted by the right holder, both at national and at Commission level and the need for clarification of the legal basis for the establishment of a new central database of the Commission (COPIS).

3.7.3. Jurisdiction and the recognition and enforcement of judgments in civil and commercial matters

On 20 September 2011, the EDPS commented on the proposal for a Regulation on jurisdiction and recognition and enforcement of judgments in civil and commercial matters. The EDPS highlighted the importance, equally in the area of data protection, of facilitating the settlement of cross-border disputes. The EDPS emphasised the need for further reflection on some of the issues raised in the proposal, also in the context of the ongoing review of the data protection framework in the EU:

• further reflection should be given to whether jurisdictional rules should protect the weaker party also in data protection litigation – as is already the case in employment, insurance and consumer protection matters;

• with regard to the retention of the exequatur for privacy, defamation and rights relating to personality and the possibility of denying recognition of judgments on public policy grounds in these cases, the EDPS stresses the need for a strict interpretation of those exceptions;

• it is not clear whether the above exception for privacy rights is intended to also cover violations of legal rules for the processing of personal data as provided for in the Data Protection Directive and if so, to what extent this may be the case. This may create problems of interpretation and will not contribute to the legal certainty that the proposal aims to establish;

• further reflection should be undertaken on how to better align the courts’ jurisdiction with the competence of data protection authorities.

3.7.4. European Account Preservation Order

On 13 October 2011, the EDPS adopted an opinion on a proposal for a Regulation creating a European Account Preservation Order to facilitate cross-border debt recovery in civil and commercial matters. The EDPS was pleased to see the efforts taken to address the different data protection issues that arose from the proposed instrument of an EAPO. In particular, he appreciated the application of and the references to the principle of necessity.


However, the EDPS maintained that the proposed Regulation required further improvement and clarification. The EDPS recommended among other things:

• to consider including the possibility for the claimant to request the removal of his address details from the information provided to the defendant;

• to remove the optional data fields in Annex I to the Regulation (the telephone number and email address of the defendant) if the actual need is not proven;

• to restrict the information provided by the claimant to what is necessary in order to identify the defendant and to determine his or her bank account(s).

3.8. Public health and consumer affairs

3.8.1. Consumer Protection Cooperation System

On 4 May 2011, the EDPS issued a legislative opinion commenting on the legal framework for the Consumer Protection Cooperation System (CPCS). The CPCS is an IT system designed and operated by the Commission. The CPCS facilitates cooperation among competent authorities in the EU Member States and the Commission in the area of consumer protection. In the framework of their co-operation, competent authorities exchange information including personal data.

The EDPS welcomed the fact that the CPCS Regulation has been complemented over time with an implementing decision and a set of data protection guidelines which, combined, provide more details on the actual processing as well as specific data protection safeguards.

The main recommendations of the legislative opinion included the following:

• regarding the retention period, mutual assistance requests should be closed within specifically designated time-limits. Unless an investigation or enforcement is ongoing, alerts should be withdrawn and deleted within six months of issuance. Additionally, the Commission should clarify and reconsider the purpose and proportionality of keeping all data relating to closed cases for five additional years;

• the Commission should re-assess what additional technical and organisational measures could be taken to ensure that privacy and data protection are “designed” into the CPCS system architecture (privacy by design) and that adequate controls are in place to ensure data protection compliance and provide evidence thereof (accountability).

3.9. Other issues

3.9.1. OLAF Reform Regulation

On 1 June 2011, the EDPS adopted an opinion on a proposal for a Regulation which is intended to modify the current rules concerning investigations conducted by the European Anti-fraud Office (OLAF). The aim of the proposal is to increase the efficiency, effectiveness and accountability of OLAF, while safeguarding its investigative independence.

The EDPS supported the objectives of the proposed amendments and welcomed the proposal. Despite the overall positive impression, the EDPS considered that the proposal could be further improved in the protection of personal data without jeopardising the objectives that it pursues.

The EDPS, therefore, made a number of recommendations that should be addressed by modifying the text and in particular that the proposal should:

• clearly mention the right to information of the different categories of data subjects (suspects, witnesses etc.), as well as the right of access and rectification in relation to all phases of the investigations carried out by OLAF;

• clarify the relationship between the need for confidentiality of the investigations and the data protection regime applicable during the investigations;

• clarify the general data protection principles on the basis of which OLAF can transmit and receive information, including personal data, with other EU bodies and agencies and give the Director General the task of ensuring that a strategic and comprehensive overview of the different processing operations of OLAF is carried out, kept up to date and made transparent.

Cross-border debt recovery involves processing of personal data.

3.9.2. EU Financial Regulation

On 15 April 2011, the EDPS adopted an opinion on the Commission proposal revising the financial rules applicable to the annual budget of the European Union (EU Financial Regulation). The proposal covers several matters which involve the processing of personal data by EU institutions and entities at Member State level.

One of the most significant new elements introduced by the proposal is the potential publication of decisions on administrative and financial penalties. Such publication would entail the disclosure of information about the person concerned in an identifiable way. The EDPS believes that this provision as drafted does not meet the requirements of data protection law.

To better comply with data protection rules, it should be improved by explicitly indicating the purpose for the disclosure and by ensuring the consistent application of the possibility, of what is in fact naming and shaming of persons, together with the use of clear criteria to demonstrate the necessity of the disclosure.

The EDPS recommendations also covered the following:

• whistleblowers: the legislator should ensure the confidentiality of whistleblowers’ identity during investigations, except in cases where it contravenes national rules regulating judicial procedures;

• publication of information on the recipients of funds deriving from the budget: the Regulation should explicitly indicate the purpose and explain the necessity for the disclosure of information on the recipients of funds deriving from the budget;

• Central Exclusion Database: the proposal provides for the setting-up of a database containing details of individual and company candidates excluded from participation in tenders. Access to the database by third country authorities should comply with the specific data protection rules related to third country transfers.

3.9.3. European statistics on safety from crime

On 19 September 2011, the EDPS adopted an opinion on the Commission proposal for a Regulation on European statistics on safety from crime. The proposal aimed to implement a new EU survey on safety from crime. The survey would include detailed questions on possible incidents of sexual and physical violence that the respondents might have suffered within or outside the couple, on past relationships, on their socio-demographic background and on their feelings of safety and attitudes to law enforcement and security precautions.

The EDPS stated that he is aware of the importance of the development, production and dissemination of statistical data. However, he is concerned about questions related to physical and sexual offences and about the possibility of identifying alleged victims and aggressors. He made a number of recommendations to reduce the risk of unnecessary direct or indirect identification, to ensure that the categories of personal data to be collected and processed are relevant and not excessive for the specific purpose and to implement adequate technical and organisational measures to ensure the confidentiality and security of personal data until they are made anonymous in line with data protection principles.

3.9.4. Transport

On 5 October 2011, the EDPS adopted an opinion on the Commission proposal to revise the EU legislation on tachographs – the device used in road transport to monitor driving times and rest periods of professional drivers – as a means of checking compliance with social legislation in the field. The revision is meant to make use of new technological developments to improve the effectiveness of digital tachographs against manual ones, notably through the use of geo-location equipment and remote communication facilities. The initiative invades the privacy of professional drivers in a very visible way, as it allows the constant monitoring of their whereabouts as well as remote surveillance by control authorities that will have direct access to the drivers’ personal data stored in the system.

The EDPS emphasised that specific data protection safeguards are needed to guarantee a satisfactory level of data protection in the system, in particular:

• the installation and use of devices for the direct and principal purpose of allowing employers to remotely monitor in real time the actions or whereabouts of their employees should be excluded;

• the general modalities of the processing of personal data in tachographs should be set out clearly in the Proposal, such as the type of data recorded in tachographs and in geo-location equipment, the recipients and the time limits for data retention;

• the security requirements for the digital tachograph laid down in the Proposal need to be further developed, in particular to preserve the confidentiality of the data, to ensure data integrity and to prevent fraud and unlawful manipulation;

• the introduction of any technological update (e.g. remote communication, Intelligent Transport Systems) in tachographs should be duly supported by privacy impact assessments to assess the privacy risks raised by the use of these technologies.

These safeguards will also be relevant in the wider context of geo-location technologies: while these technologies can help to improve the efficiency and quality of transport, they also entail a risk of heightened surveillance of drivers.

Introduction of a new digital tachograph could turn out to be very privacy-invasive.

3.9.5. Common Agricultural Policy after 2013

On 14 December 2011, the EDPS adopted an opinion on the legal proposals for the Common Agricultural Policy after 2013. The EDPS observed that many aspects central to data protection were not included in the proposals, but will be regulated by implementing or delegated acts. The EDPS recommended that at least the following elements be regulated in the proposals to ensure legal certainty:

• the specific purpose of every processing operation should be explicitly stated;

• the categories of data to be processed should be foreseen and specified because, in many cases, the scope of the processing was not clear;

• access rights should be clarified, in particular as regards access to data by the Commission - it should be specified that the Commission can only process personal data where necessary, for example, for control purposes;

• maximum retention periods should be laid down, as for some cases in the proposals, only minimum retention periods are mentioned;

• the rights of data subjects should be specified, especially as regards the right of information to beneficiaries and to third parties;

• the scope and the purpose of transfers to third countries should also be specified and the requirements laid down by the data protection legislation be respected.

Security measures should also be envisaged, especially with regard to computerised databases and systems. In addition, data relating to offences or suspected offences could be processed (for example, in relation to fraud), so the processing may be subject to prior checking by the EDPS or by national data protection authorities.

3.9.6. Fisheries policy control

This opinion, published on 28 October 2011, dealt with some technical aspects relating to a Commission Regulation implementing the fisheries control system. The EDPS had already issued an opinion in March 2009 on a related Regulation, but was nonetheless not consulted by the Commission before it adopted the current Regulation.

The activities of fishing vessels are subject to systematic and detailed monitoring through advanced technological means, including satellite tracking devices and computerised databases, tracing and retaining location data such as the geographical position, course and speed of fishing vessels. All these data are systematically cross-checked, analysed and verified through computerised algorithms and automated mechanisms in order to spot inconsistencies or suspected infringements.

As long as these data relate to identified or identifiable individuals (e.g. the master of the vessel, the owner of the vessel, or the members of the crew), such monitoring involves the processing of personal data. It is, therefore, important that the control system is well-balanced and that adequate safeguards are put in place in order to avoid the rights of the persons involved being unduly restricted.

The activities of the fishing vessels are subject to systematic and detailed monitoring through advanced technological means.

3.10. Public access to documents containing personal data

The EDPS has addressed from the outset the sometimes complicated relationship between EU rules on public access to documents and EU rules on data protection. He first tackled the issue by providing guidance to EU institutions. In 2005, for example, the EDPS published a background paper entitled ‘Public access to documents and data protection’, which contained guidelines for EU institutions and bodies.

Part of the analysis presented in this background paper is no longer valid in light of the European Court of Justice judgment in the Bavarian Lager Case (see below 3.11.1). Therefore, on 24 March 2011, the EDPS published a background paper on public access to documents containing personal data, to serve as guidance for EU institutions. The paper explains the updated EDPS position on the matter following the ruling of the European Court of Justice in the Bavarian Lager case on the reconciliation of the fundamental rights to privacy and data protection with the fundamental right to public access to documents and transparency.

In case of public disclosure of personal data by the EU institutions, a proactive approach would ensure that the persons concerned are well-informed and able to invoke their data protection rights. It would also be beneficial to the institutions, as it would reduce future administrative burdens for those responsible for data processing and those who deal with public access requests.

3.11. Court matters

3.11.1. EDPS participation in court proceedings

2011 was a busy year for the EDPS with regard to participation in proceedings before the European courts. The agents of the EDPS presented the EDPS’ position in hearings before the courts in four cases, three of which have already led to a court ruling.

In V. vs. European Parliament (Case F-46/09), the EDPS was invited to intervene by the Civil Service Tribunal. The case concerned the allegedly illegal transfer of medical data between the medical services of the Commission and the European Parliament. The EDPS pleaded in favour of the applicant, arguing that the transfer was contrary to data protection rules, as it was not necessary and lacked a proper legal basis. In its judgment of 5 July 2011, the Civil Service Tribunal ruled in favour of the applicant, following the reasoning of the EDPS.

The three other cases all concerned the relationship between the EU rules on public access to documents and the EU rules on data protection. As outlined in 3.10, the EDPS was involved in this matter. The three cases can be seen as the legal follow-up to the leading Bavarian Lager ruling of the Court of Justice on 29 June 2010 (Case C-28/08 P). The EDPS explained his position in the three hearings, as set out in the additional background paper of 24 March 2011.

In its ruling of 7 July 2011, Valero Jordana v. Commission (Case T-161/04), the General Court considered that the Commission had been wrong in not assessing the request for public access to certain personal data under the data protection rules. This conclusion was in line with the EDPS’ submissions to the Court.

The EDPS encourages the EU administration to develop clear internal policies, creating a presumption of openness for certain personal data in specified cases (e.g. documents containing personal data relating solely to the professional activities of the person concerned). The EDPS maintains that a change to the rules on public access is needed and he encourages the Council and Parliament to accelerate the pending revision process.

In his interventions, the EDPS aims to clarify the perspective of data protection.


In the ruling of 23 November 2011, Dennekamp v. European Parliament (Case T-82/09), the General Court concluded that the applicant, a journalist asking for the names of Members of the European Parliament who were participating in an additional pension scheme, had not demonstrated the necessity of having the data made public. The EDPS had defended the opposite view, considering that a balance of the different interests involved should have led to disclosure of the data to the journalist.

The third case, Egan & Hackett v. European Parliament (Case T-190/10), has not, at the time of writing, led to a ruling of the General Court. This case concerned a request for access to the names of assistants of Members of the European Parliament.

In addition to these four cases, the EDPS has intervened in Commission v. Austria (Case C-614/10), an infringement case against Austria on the lack of independence of the Austrian data protection authority. The EDPS submitted a statement in intervention, supporting the Commission’s conclusion that the way in which the Austrian data protection authority is embedded in the institutional structure of Austria does not sufficiently ensure its independence.

Finally, ENISA brought a case before the General Court against a decision of the EDPS on a complaint (Case T-345/11). The application was declared manifestly inadmissible on procedural grounds.

3.11.2. Data protection case law

The European courts issued several other rulings with data protection relevance. Three Court of Justice rulings are briefly outlined as follows.

In Deutsche Telekom (Case C-543/09) questions were raised on whether under the e-privacy Directive, an undertaking assigning telephone numbers to its subscribers was allowed to provide data relating to these subscribers to another undertaking whose activity consists of providing publicly available directory enquiry services without renewed consent of the persons involved. The Court considered in its ruling of 5 May 2011 that as the subscribers were already correctly informed of this possibility, renewed consent was not needed.

In its ruling in ASNEF and FECEMD of 24 November 2011 (Joined Cases C-648/10 and C-469/10), the Court of Justice replied to a Spanish court which had asked for clarification on a provision in the data protection Directive, which allows the processing of personal data if this serves a legitimate interest and is not outweighed by the interest of the data subject involved. In Spanish law this was only possible with regard to personal data that had already been made publicly available. According to the Court, this national restriction is not in line with the Directive which has direct effect on this point.

On 24 November 2011, the Court of Justice issued a preliminary ruling in a Belgian case, concerning an obligation on an Internet Service Provider (Scarlet Extended) to monitor the internet behaviour of its consumers in order to prevent breaches of intellectual property rights (Case C-70/10). The Court concluded that the obligation amounted to a general monitoring obligation which is forbidden under EU rules on e-commerce. The Court also noted that such an obligation would not constitute a fair balance between the enforcement of intellectual property rights and several fundamental rights and freedoms laid down in the Charter on Fundamental rights, amongst which is the right to data protection.

3.12. Future technological developments

In the so-called Information Society or Digital World, citizens, customers, administrations, and enterprises interact more than ever before thanks to technology. Technology is making the production, exchange and storage of information (including personal data) easier and is making traditional barriers such as geographical location, language or even infrastructure costs increasingly less relevant.

Furthermore, new technological developments are blurring the frontiers between the digital and real world (data exists in the digital arena but data subjects, data controllers and data processors do not); sooner rather than later both worlds will converge into a single reality with common rules. Technology is becoming increasingly accessible and easier to use and those who use it are not only data subjects but often also data controllers.

From 2012 onwards, the EDPS anticipates the following six topics assuming particular importance:

• Increased Processing in the Cloud. The ‘cloud’ paradigm has been around for some years. With sufficient scale, the cloud is now bringing noticeable benefits in terms of cost reduction and thus convincing enterprises, government organisations and citizens to move their data processing operations into it. However it brings new challenges from a data protection point of view, such as, among others: (i) data controllers losing control over data processing operations due to the complexity of the scenarios arising, (ii) de-localisation of data and interplay of different jurisdictions in conjunction with the lack of harmonisation of data protection laws at international level, (iii) an increase in the number of players involved in data processing operations and a blurring of their responsibilities, (iv) massive data processing by individuals acting as data controllers without due knowledge of their obligations and (v) significant challenges for security and the enforcement of data subjects’ rights.

Storage capacity, processing power and network bandwidth costs continue to drop in all the variants of cloud computing (as infrastructure, as a platform or as a service) to the point that the traditional link between volume of data and the cost of associated infrastructure will be soon broken i.e. as infrastructure costs are lowered, entry barriers to process large data operations disappear. This phenomenon will allow individuals and small enterprises to carry out massive data processing operations that, up to now, only governments and big corporations could afford.

• Increased processing on smart mobile devices. The possibilities that smart mobile devices offer are also growing at an accelerated pace. Today’s devices are always on and able to share, modify and process information in real time. New generation devices will have more power, better interfaces, more connectivity, more storage capacity and will be seamlessly integrated with the cloud. In 2012, quad-core processors will become common in smart mobile devices, deployment of LTE networks (13) will take place, devices will connect to the cloud to process our voice commands, augmented reality will continue to grow and biometric interfaces such as face or voice recognition will become standard.

In addition to the enhanced capabilities of the new devices users will have all the computing power of the cloud, packaged in an easy-to-use integrated kit. Individuals will be able to generate information and upload it into the cloud on an unprecedented scale. They will continuously process their own personal data and the personal data of others.

(13) LTE is a standard for wireless communication of high-speed data for mobile phones and data terminals. It is based on the GSM/EDGE and UMTS/HSPA network technologies, increasing the capacity and speed using new modulation techniques. The standard is developed by the 3GPP (3rd Generation Partnership Project). It provides for speeds that go up to 300 Mbit/s.

• IPv6. In 2011, the last remaining IPv4 addresses (the current network addressing scheme used in the Internet) were assigned and focus turns now to IPv6. This new standard allows, among other things, a virtually unlimited IP address space and consequently, the allocation of unique identifiers to every single device connected to the network (for instance RFID devices using IP). IP addresses will no longer be a scarce resource and it will be cheaper to assign a unique identifier than a dynamic address.

In this context, the Resolution adopted at the International Privacy Conference in Mexico (14) on IPv6 is relevant; this resolution requires unique identifiers not to be used without the consent of end users and to allow end users to use temporary and volatile IPv6 addresses (dynamic addresses) by default. Security issues that might arise in the transition from IPv4 to IPv6 should also be taken into consideration.

• New Human to Machine Interfaces will become available. Current tablets and smartphones have made communication between humans and machines easier. Soon these interfaces will be incorporated in other devices such as security systems, cars, televisions and gaming systems. Touchable, wearable, visual and voice interfaces will become part of everyday life. Information systems designed to assist humans will be able to sense and interpret faces, movements, voices, behaviour and even health. Indeed, intelligent systems will soon be able to monitor how humans feel physically and even psychologically based on behavioural patterns. An application for e-health services that remotely monitors patients so they can stay at home instead of in a hospital benefits the individual and can potentially bring cost savings but should not be implemented at the expense of the right to data protection and privacy.

These developments will have enormous influence from a societal point of view and data protection in particular, will have to play an increasing role to ensure that appropriate safeguards are foreseen and that the principle of privacy-by-design is applied in the implementation of these technologies. Solutions can be found to obtain full functionality while preserving the privacy of individuals if systems are well designed from inception.

(14) See also chapter 4.6 of this annual report.


• Smart Grids. Various upcoming grid technologies are starting to take shape, such as Vehicle to Grid (V2G), Outage Management Systems (OMS) or microgrids. In particular, utility companies (water and electricity mainly) have already started the deployment of advanced metering systems that will provide much more detailed information of consumption patterns to the utility provider and eventually also to the customer. This information will be used for better forecasting and adaptability of the network to consumer demand and hopefully will increase the efficiency in the use of scarce resources such as water or energy, especially by the automation of distribution networks.

However, the concept of smart grids is broad and can have a far-reaching impact as smart devices connect to the grid and exchange information. Notwithstanding the possible economic benefits, it is also clear that an unprecedented amount of information about individuals’ behaviour will be transmitted and processed by a myriad of actors.

Consequently, in order to preserve the right to data protection of individuals, these data processing operations have to be balanced and data protection principles such as proportionality, necessity or legitimacy need to be correctly applied.

• Increased Security Issues will make cybersecurity more important than ever. Whilst the value of the cybercriminal economy as a whole is not yet known, the most recent estimate of global corporate losses alone stands at around EUR 750 billion per year.(15) The number of cybercrimes is growing and criminal activities are becoming increasingly sophisticated and international. There are clear indications of a growth in organised crime groups, new groups born from hackers and internet culture and even the involvement of some governments.

Special attention should be paid to the various legal rules, in order to ensure that appropriate security measures are taken in order to protect personal data, in the harmonisation of these measures and the procedures to notify data breaches to the relevant authorities and the affected data subjects. In particular, it should be noted that the new general Data Protection Regulation proposed by the Commission will extend the obligation to notify data breaches to all data controllers (16).

(15) http://ec.europa.eu/home-affairs/policies/crime/crime_cybercrime_en.htm

(16) Directive 2002/58 as amended by 2009/136 only establishes the obligation to notify personal data breaches for electronic communications service providers.

Information systems are becoming critical elements in our daily lives and individuals have to rely on technology and systems that they do not fully understand. Consequently, they need third parties to provide them with assurance mechanisms that can warrant the privacy and security of such information systems. In this context, a steady growth is foreseeable in the certification business and also in the processes providing accountability of good practices.

3.13. Priorities for 2012

In January 2012, the EDPS will publish his sixth public inventory as an advisor on proposals for EU legislation, setting his priorities in the field of consultation for the year ahead. The EDPS faces the challenge of fulfilling his increasing role in the legislative procedure, by delivering high-quality and well-appreciated advice with increasingly limited resources.

There are several notable trends in recent years which merit attention from a data protection perspective:

• There is an increasing tendency to endow administrative authorities, both at the EU and national levels with powerful information gathering and investigative tools. This is particularly the case in the area of freedom, security and justice and in relation to the revision of the legislative framework concerning financial supervision;

• EU legislation increasingly facilitates significant exchanges of information between national authorities, frequently involving EU bodies and large-scale databases (with or without a central part) of increasing size and processing power. This requires careful consideration by policy makers and actors when setting out data protection requirements during the legislative procedure, because of the serious consequences these exchanges can have for the privacy of citizens, e.g. by facilitating the monitoring of citizens’ lives;

• Recent years have been characterised by significant technological developments, mainly due to the widespread use of internet and geo-location technologies. Such developments have a significant impact on a citizen’s right to privacy and data protection.

Such policy and technological developments underline that data protection and privacy have become truly horizontal issues. This also means that there will be more demand for EDPS advice on proposed legislative measures.

In light of this, the EDPS has identified issues of strategic importance that will form the cornerstones of his consultation work for 2012, while not neglecting the importance of other legislative procedures where data protection is concerned.

The EDPS is therefore committed to devoting substantial resources in 2012 to the analysis of proposals of strategic importance. In addition, the EDPS has identified a number of initiatives of less strategic importance which may nonetheless have data protection relevance. The fact that the latter are included in the EDPS Inventory implies that they will be regularly monitored, but does not mean that the EDPS will always issue an opinion or formal comments on such initiatives.

The main EDPS priorities, as identified in his inventory, are as follows:

a. Towards a new legal framework for data protection
• Revision of EU data protection framework

b. Technological developments and the Digital Agenda, IP rights and Internet
• Pan European framework for electronic identification, authentication and signature
• Internet monitoring (e.g. enforcement of IP rights, takedown procedures)
• Cloud computing services
• eHealth

c. Further developing the Area of Freedom, Security and Justice
• EU-PNR
• EU-TFTS
• Border controls
• Review of Data Retention Directive
• Negotiations on agreements with third countries on data protection

d. Financial sector reform
• Regulation and supervision of financial markets and actors


4. COOPERATION

4.1. Article 29 Working Party

The Article 29 Working Party is the independent advisory body set up under Article 29 of the Data Protection Directive (95/46/EC). It provides the European Commission with independent advice on data protection issues and contributes to the development of harmonised policies for data protection in EU Member States.(17)

Its tasks are laid down in Article 30 of the Directive and can be summarised, as follows:

• provide expert opinion from Member State level to the European Commission on matters relating to data protection;

• promote the uniform application of the general principles of the directive in all Member States through cooperation between data protection supervisory authorities;

• advise the Commission on any measures affecting the rights and freedoms of natural persons with regard to the processing of personal data;

• make recommendations to the public at large and in particular to EU institutions, on matters relating to the protection of persons with regard to the processing of personal data in the EU.

(17) The Working Party is composed of representatives of the national supervisory authorities in each Member State, a representative of the authority set up for the EU institutions and bodies (i.e. the EDPS), and a representative of the Commission. The Commission also provides the secretariat of the Working Party. The national supervisory authorities of Iceland, Norway and Liechtenstein (as EEA partners) are represented as observers.

The EDPS has been a member of the Article 29 Working Party (WP29) since early 2004 and considers it to be a very important platform for cooperation with national supervisory authorities. It is also evident that the Working Party should play a central role in the consistent application of the directive and in the interpretation of its general principles.

In 2011, as in 2010, the Working Party focused its activities on the four main strategic themes identified in its 2010-2011 work programme, notably:

• implementing the revised e-Privacy Directive and preparing a future comprehensive legal framework;

• addressing globalisation;

• responding to technological challenges;

• making the Working Party and data protection authorities more effective.

To this end, the Working Party adopted several documents, among which are:

• Opinion 9/2011 on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications (WP180);


• Opinion 10/2011 on the proposal for a Directive of the European Parliament and of the Council on the use of passenger name record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (WP181);

• Opinion 15/2011 on the definition of consent (WP187);

• Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising (WP188).

The Working Party also took positions in the form of letters on several issues, among which were the implementation of the Terrorist Financing Tracking Programme (TFTP) and the self-regulatory framework on Online Behavioural Advertising (OBA) developed by the industry.

The EDPS actively contributed to the work of the WP29 in different areas. He was particularly involved in the work of several subgroups, including the technology subgroup, the BTLE subgroup (Border Travel and Law Enforcement) and the key provisions subgroup, the aims of which are to provide for a common interpretation of essential provisions of Directive 95/46/EC. In the context of this last subgroup, he was rapporteur for the opinion on the notion of consent (Opinion 15/2011). The EDPS was also deeply involved in the work of the subgroup on the ‘future of privacy’ in relation to the initiative of the Commission for a new data protection framework.

The EDPS also cooperates with the national supervisory authorities to the extent necessary for the performance of his duties, in particular by exchanging all useful information and requesting or delivering assistance in the performance of their tasks (Article 46(f)(i) of the Regulation). This cooperation takes place on a case by case basis.

Direct cooperation with national authorities is an element of growing importance in the context of the development of large-scale international systems such as Eurodac, which require a coordinated approach to supervision (see Sections 4.2 and 4.3).

Technological challenges were one of the main strategic themes of the Article 29 Working Party in 2011.

4.2. Coordinated supervision of Eurodac

Effective supervision of Eurodac relies on close cooperation between the national data protection authorities and the EDPS.


Eurodac is a large-scale IT system devoted to storing fingerprints of asylum seekers and persons apprehended irregularly crossing the external borders of the EU and several associated countries.(18)

In 2011, the Eurodac Supervision Coordination Group, composed of representatives of the national data protection authorities and the EDPS, based its activities on the 2010-2011 work programme, adopted in early 2010.

The Group held two meetings in Brussels, one in June and one in October 2011. The October meeting represented the first meeting entirely organised by the EDPS and was considered by participants as a success in terms of organisation and outcome.

4.2.1. Advance Deletion Report

One of the Group’s most significant achievements of the year was the coordinated inspection on advance deletion. Advance deletion refers to the deletion of data in the central unit before the end of the retention period. This can occur if a person leaves the EU or acquires citizenship or a resident’s permit, for example. Deleting such persons from the database safeguards their rights and increases data quality. One of the aims of this exercise was to provide a state of play on the application of advance deletion rules in the Member States and to explore whether there is a need for alternative solutions.

The final report confirms that many Member States have already implemented appropriate procedures; those that have not yet done so usually experience very few or no cases in which advance deletion would have been necessary. Recommendations included establishing such procedures where they are still missing, providing better information to concerned persons and working towards better statistics on the phenomenon.

The report has been sent to the main EU institutional stakeholders, as well as to relevant international organisations.

4.2.2. New exercise in 2012: unreadable fingerprints

As the reform of the Eurodac Regulation did not move forward in 2011, the Group had to adapt its work programme accordingly, postponing several items. This adaptation introduced a new coordinated inspection on the issue of unreadable fingerprints, to be carried out in 2012.

(18) Iceland, Norway, Switzerland and, since the entry into force of a protocol to this effect on 1 April 2011, Liechtenstein.

Theprocessingofbiometricdatasuchasfinger-printsposesspecificchallengesandcreatesriskswhichhavetobeaddressed. In thiscontext, theproblemofso-called‘failuretoenrol’-thesituationinwhicha personfindsthattheirfingerprintsarenotusableforsomereason-isoneofthemainrisks.

Themainpurposeoftheexerciseistoexaminethe current procedures applied in all MemberStates when this situation occurs and whetherthereisa needfornewsolutions.Similartotheadvance deletion exercise, this investigationshouldbeseenmoreasanexploratoryexercise,whichcouldthenleadto:

• theidentificationofgoodpractices(whethertheytaketheformoftechnicalfeatures,inter-nalguidelinesoradministrativepractices)andanencouragementtousethemwidely;

• anyfurtherrecommendations iftheexerciseshowsthattherearedeficienciesinthecurrentsystem.

4.2.3. Coordinated security audit questionnaire

During both meetings of Eurodac in 2011, the ongoing preparations for the coordinated security audit were discussed. On the basis of the methodology used in a national audit, efforts are being made to develop a common framework for security audit methodology, which can provide support to national authorities and at the same time ensure consistent and useful outcomes for Eurodac generally. Work will continue on this in 2012 with the aim of adopting a common framework by the end of the year.

4.2.4. Visa Information System

The launching of the Visa Information System (VIS) in October 2011 gave rise to an informal discussion within the Group on its supervision. The Group agreed on a gradual and pragmatic approach to be concluded by the end of 2012. This means that the next Eurodac meetings will dedicate a substantial portion of the agenda, albeit informally, to VIS.


4.3. Supervision of the Customs Information System (CIS)

The aim of the Customs Information System (CIS) is to create an alert system within the fight against fraud framework so as to enable any Member State entering data in the system to request another Member State to carry out sighting and reporting, discreet surveillance, a specific check or operational and strategic analysis.

The CIS stores information on commodities, means of transport, persons and companies and on goods and cash detained, seized or confiscated in order to assist in preventing, investigating and prosecuting actions which are in breach of customs and agricultural legislation (the former EU ‘first pillar’) or serious contraventions of national laws (the former EU ‘third pillar’). The latter part is supervised by a Joint Supervisory Authority composed of representatives of the national data protection authorities.

The Coordination Group shall:

(a) examine implementation problems in connection with the CIS operations;

(b) examine difficulties experienced during checks by the supervisory authorities;

(c) examine difficulties of interpretation or application of the CIS Regulation;

(d) draw up recommendations for common solutions to existing problems;

(e) endeavour to enhance cooperation between the supervisory authorities.

(19) Regulation (EC) No 766/2008 of the European Parliament and of the Council of 9 July 2008 amending Council Regulation (EC) No 515/97 on mutual assistance between the administrative authorities of the Member States and cooperation between the latter and the Commission to ensure the correct application of the law on customs and agricultural matters.

In 2011, the EDPS convened two meetings of the CIS Supervision Coordination Group (in June and December). The meetings gathered the representatives of national data protection authorities, as well as representatives of the Customs Joint Supervisory Authority and Data Protection Secretariat.

In the June meeting, the Group elected Mr. Giovanni Buttarelli, Assistant EDPS, as Chair and Mr. Gregor König, Austrian representative and Chair of the Customs Joint Supervisory Authority, as Vice-Chair. The Group also discussed and adopted a work programme outlining its activities for 2011 and 2012 and confirmed its intention to fully cooperate with the Customs Joint Supervisory Authority in areas of common interest. In the December meeting, the Group discussed documents guiding its first inspections on access to the system and data subject rights, which will be carried out in 2012.

4.4. Police and judicial cooperation: cooperation with JSB/JSAs and WPPJ

The EDPS also cooperates with the authorities charged with the supervision of specific bodies or EU large-scale IT systems, such as the Joint Supervisory Bodies (JSBs) of Europol and Eurojust and the Joint Supervisory Authorities (JSAs) for the Schengen Information System (SIS) and the ‘ex-third pillar’ aspects of the Customs Information System (CIS). This cooperation takes the form of mutual information on items of common interest, such as those where the EDPS and the JSB/JSAs each supervise different parts of the same system.

In 2011, the cooperation related mainly to the CIS. Since the EDPS and the JSA of the CIS share a supervisory role for the same system, it is logical to coordinate their action as much as possible. Thus, the EDPS invited representatives of the JSA to attend meetings organised on the coordinated supervision of the CIS (see Section 4.3). In the same spirit, EDPS representatives were invited to parts of JSA meetings where items of common interest were discussed.

The CIS Supervision Coordination Group is set up as a platform in which the data protection authorities, responsible for the supervision of CIS in accordance with Regulation (EC) No 766/2008(19) - i.e. EDPS and national data protection authorities - cooperate in line with their responsibilities in order to ensure coordinated supervision of CIS.


The EDPS also participates in the meetings and activities of the Working Party on Police and Justice (WPPJ). The WPPJ worked on several issues in 2011, such as the use of DNA profiles by law enforcement authorities (including exchange of DNA data via Interpol Gateway), establishment of a common supervisory policy and risk assessments with respect to processing of personal data in the area of law enforcement in Europe.

In 2011, the WPPJ also broached the subject of its own future in light of the growing involvement of the WP29 in areas traditionally dealt with by the WPPJ. At the European Conference (see point 4.5. European Conference below), the WPPJ was mandated to work towards the integration of its EU-related competences and expertise into the Article 29 Working Party, which in turn was invited to clarify the status of its subgroup on law enforcement and the possibilities for non-EU Member States to participate in its work.

4.5. European Conference

In 2011, the European Conference of Data Protection Commissioners took place in Brussels on 5 April 2011. The format for the meeting was exceptional: the conference was hosted by the EDPS, in close cooperation with the Article 29 Working Party which also met on the morning of the same day.

The conference included sessions dedicated to a variety of issues, including:

• overview of legal developments: Lisbon Treaty, EU legal framework, Convention 108, OECD guidelines...;

• role of the Article 29 Working Party;

• supervision in the Area of Freedom, Security and Justice.

Data Protection Authorities from Member States of the European Union and of the Council of Europe meet annually for a spring conference to discuss matters of common interest and to exchange information and experience on different topics.

Use of DNA profiles by law enforcement authorities was on the agenda of WPPJ.


The future framework for data protection was at that time still in preparation by the European Commission. It was a central theme of the discussions and led to the adoption of a Resolution on the need for a comprehensive data protection framework.

4.6. International Conference

The 33rd Annual Conference of Data Protection and Privacy Commissioners took place in Mexico City on 1-3 November 2011 and was entitled ‘Privacy: The Global Age’. Its aim was to explore ways for building the relationships and tools necessary to protect the data of individuals beyond national borders.

There was also a pre-conference on 31 October in Mexico City entitled ‘Privacy as Freedom’, followed by two events on 1 November hosted by the Organisation for Economic Cooperation and Development and the Information and Privacy Commissioner of Ontario, Canada. The conference was an opportunity for data protection stakeholders in Europe to meet their peers from Canada, the United States, Latin America, Australia, New Zealand, China, Japan to name but a few.

The closing session witnessed the official presentation of the so-called Mexico Declaration, prepared by the hosting authority with contributions from other delegations. This declaration urges selected stakeholders to effectively cooperate in order to confront new challenges, one being how to effectively enforce data protection in a world of ‘big data’.

One of the main achievements of the conference was the initiative taken to step up the global cooperation of Data Protection and Privacy Commissioners. An executive committee was installed - chaired by the Chairman of the Article 29 Working Party and participants from all over the world - to give more permanence to the International Conference between its annual meetings. Special emphasis will be given to global cooperation in privacy enforcement and a separate meeting on enforcement issues was announced for May 2012, in Montreal.

The list of distinguished speakers included Peter Hustinx, EDPS and Giovanni Buttarelli, Assistant Supervisor, who both moderated sessions at the conference.

The 34th International Conference will take place in Uruguay, in October 2012.

Data Protection Authorities and Privacy Commissioners from Europe and other parts of the world, including Canada, Latin-America, Australia, New Zealand, Hong Kong, Japan and other jurisdictions in the Asia-Pacific region, have met annually for a conference in the autumn for many years.


5. INFORMATION AND COMMUNICATION

5.1. Introduction

Information and communication play a key role in ensuring the visibility of the EDPS’ main activities and in raising awareness both of the EDPS’ work and of data protection in general. This is all the more important as awareness of the EDPS role and mission at EU level needs to be raised further, although significant progress has already been made. Indicators such as the number of information requests received from citizens, media enquiries and interview requests, the number of subscribers to the newsletter, as well as invitations to speak at conferences and website traffic all support the view that the EDPS is a point of reference for data protection issues at EU level.

The increased visibility of the EDPS at institutional level is pertinent for his three main roles i.e. the supervisory role in relation to all EU institutions and bodies involved in the processing of personal data; the consultative role in relation to those institutions (Commission, Council and Parliament) that are involved in the development and adoption of new legislation and policies that may have an impact on the protection of personal data; and the cooperative role in relation to national supervisory authorities and the various supervisory bodies in the field of security and justice.

5.2. Communication ‘features’

EDPS communication policy is shaped according to specific features that are relevant in view of the age, size and remit of the institution and the needs of its stakeholders. It tailors the tools available to the audiences concerned and is adaptable to a number of constraints and requirements.

5.2.1. Key audiences and target groups

The communication policies and activities of the majority of other EU institutions and bodies operate on a general level to address EU citizens as a whole. The EDPS’ direct sphere of action is more distinct. It is primarily focused on EDPS stakeholders - the EU institutions and bodies, data subjects in general and EU staff in particular, EU political stakeholders and ‘data protection colleagues’. As a result, EDPS communication policy does not need to engage in a ‘mass communication’ strategy. Instead, awareness of data protection issues among EU citizens in the Member States depends essentially on a more indirect approach, for instance via data protection authorities at national level.

This being said, the EDPS does communicate with the general public, via a number of communication tools (website, newsletter, awareness-raising events), regularly liaising with interested parties (study visits to the EDPS office, for instance) and participating in public events, meetings and conferences.

5.2.2. Language policy

EDPS communication policy takes into account the specific nature of its field of activity. Data protection issues may be viewed as fairly technical and obscure for non-experts and the language in which the EDPS communicates is, therefore, adapted accordingly. When it comes to information and communication tools aimed at a diverse audience, clear and accessible language which avoids unnecessary jargon needs to be used. Continued efforts are therefore made in this direction, in particular when communicating with the general public and the general press, with the aim of correcting the excessive ‘legal’ image of data protection.

When considering more informed audiences (e.g. data protection specialists, EU stakeholders), a more specialised language is appropriate. Different communication styles and language patterns need to be used to communicate the same news.

Since 2010, the EDPS has been relaying his messages in his press and communication activities in at least three languages - English, French and German. The overall aim is to reach out to the widest possible audience.

5.3. Media relations

The EDPS aims to be as accessible as possible to journalists in order to allow the public to follow his activities. He regularly informs the media through press releases, interviews and background discussions. The handling of media enquiries allows for additional regular contacts with the media.

5.3.1. Press releases

In 2011, the press service issued 12 press releases. Most of these related to the EDPS work in the field of consultation and, more specifically, on new legislative opinions of direct relevance to the general public. Among the issues covered were the EU Data Protection Reform Strategy, the guidance for good practice on data protection and transparency, the EU system on Passenger Name Record, the EU financial regulation, the evaluation of the Data Retention Directive, online behavioural advertising, recording equipment in road transport, the neutrality of the Internet and the Internal Market Information System.

Press releases are published on the EDPS website and in the European Commission inter-institutional database of press releases (RAPID) in English, French and German. Press releases are distributed to a regularly updated network of journalists and interested parties. The information provided in press releases usually results in significant media coverage by both the general and specialised press. Press releases are also frequently published on institutional and non-institutional websites ranging from, among others, EU institutions and bodies, to civil liberty groups, academic institutions and information technology companies.

5.3.2. Press interviews

In 2011, the EDPS gave 14 direct interviews to journalists from print, broadcast and electronic media throughout Europe, with a significant number of requests coming from German, Austrian, Dutch, French and the EU specialised press.

This resulted in a number of articles in the international, national and EU press, whether general or specialised in information technology issues, as well as interviews on radios.

The interviews covered horizontal themes such as the current and upcoming challenges in the field of privacy and data protection. They also addressed more specific issues that made the headlines in 2011, including EU-US data transfers, the review of the EU legal framework for data protection and privacy concerns with regard to social networking, consumer profiling, rights of digital citizens, data retention and security.


5.3.3. Press conference

The EDPS held a press conference on 15 June 2011 at the European Parliament in Brussels to present the EDPS 2010 Annual Report and outline the main features of the EDPS activities in 2010 with regard to his supervisory, consultative and cooperative tasks (see section 5.7.1.).

The press conference provided Peter Hustinx, EDPS, and Giovanni Buttarelli, Assistant Supervisor, the opportunity to address the current dynamic context of EU data protection and future challenges as well as to answer questions posed by journalists.

5.3.4. Media enquiries

In 2011, the EDPS received some 46 written media enquiries that included requests for EDPS comments and requests for clarification, position or information. Media attention in 2011 focused mainly on the issue of online privacy, in particular new online applications, such as geo-location applications, search engines and - the top-ranking area of enquiry - social networks.

Other issues of interest to the media included international transfers of data, the review of the EU legal framework for data protection, the Data Retention Directive, data security and provisions on data breaches, as well as the use and transfer of Passenger Name Records to the United States.

Peter Hustinx and Giovanni Buttarelli presenting EDPS Annual Report 2010 during a press conference.


5.4. Requests for information and advice

There was an increase of 39% in the number of enquiries for information or assistance received from citizens between 2010 and 2011 (196 requests compared to 141 in 2010). This evolution is the result of the more prominent profile of the EDPS within the data protection sphere, reinforced through the use of various information and communication tools.

Requests for information come from a wide range of individuals and parties, ranging from stakeholders operating in the EU environment and/or working in the field of privacy, data protection and information technology (law firms, consultancies, lobbyists, NGOs, associations, universities, etc.) to citizens asking for more information on privacy matters or requiring assistance in dealing with the privacy problems they have encountered.

The largest category of requests received in 2011 concerned complaints from EU citizens about matters over which the EDPS has no competence. These complaints related mostly to alleged data protection breaches by public authorities, national or private companies and online services and technologies, such as online gaming, blogs, geo-location services, social networking and messaging tools. Other issues included the security of bank data, the right of access to documents held by national administrations, the dissemination of personal data to third parties without the consent of the person concerned and requests for appeal against a ruling from a national data protection authority. When complaints such as these fall outside the competence of the EDPS, a reply is sent to the complainant specifying the mandate of the EDPS and advising the individual to refer to the competent national authority, usually the data protection authority of the relevant Member State.

The next sizeable category of requests received in 2011 related to data protection legislation in EU Member States and/or its implementation at national level. In such cases, the EDPS advises the individual to contact the relevant data protection authority and where appropriate, the European Commission Data Protection Unit.

The third main category of requests for information related to data protection issues within the EU administration, such as processing activities by EU institutions, bodies and agencies.

[Figure: Main topics for requests from the press in 2011 (in percentage). Categories shown: Biometric data**, SWIFT/TFTP, EDPS' role and mission, Data security, Data retention, EU Data Protection framework, International transfers of data, Online privacy*. (*) Including new online applications, search engines and social networks. (**) Including Schengen Information System.]


The remaining categories of information requests included enquiries about EDPS activities, role and missions, EU data protection legislation, online privacy, international transfer of data, large-scale IT systems such as VIS, SIS and Eurodac, and the review of the EU framework for data protection.

[Figure: Main areas of information requests from the public in 2011. Categories shown: Others, Review of EU data protection framework, Large-scale IT systems (SIS, VIS, Eurodac), International transfer of data, Online privacy, EU data protection law, EDPS's missions and activities, Data protection issues in EU administration, National data protection law, Complaints for which the EDPS is not competent.]

5.5. Study visits

As part of the efforts to further increase awareness of data protection and to interact with the academic world, the EDPS regularly welcomes visits from groups specialised in the field of European law, data protection and/or IT security issues. In 2011, the EDPS office welcomed four student groups from different countries. In December 2011, for instance, the EDPS office welcomed a group of German and European law students from the University of Cologne in Germany, presented its role and activities, and discussed data protection issues at EU level. Other groups of visitors included the Science and Technology Law Institute of Taipei (Taiwan), the Nanyang Technological University (Singapore) and the University Pierre Mendès France of Grenoble (France).

With a view to reaching out to a broader audience, the EDPS office also welcomed four groups or associations interested in data protection issues and privacy concerns: members of the German Evangelical Church, the association of the Young Europeans of Bordeaux (France), the Politieacademie (the Netherlands) and the Communication Sub-Committee of the Trainees of the European Commission.


5.6. Online information tools

5.6.1. Website

The website remains the EDPS’ most important communication channel and information tool. It is updated on a daily basis. It is also the medium through which visitors have access to various documents produced as a result of EDPS activities (e.g. opinions on prior checks and on proposals for EU legislation, work priorities, publications, speeches of the Supervisor and Assistant Supervisor, press releases, newsletters, event information and so on).

Web developments

The most prominent development of the website in 2011 was an electronic platform for lodging complaints. The online complaint form facilitates the process of submitting complaints and speeds up their processing by the EDPS services.

As announced in the Annual Report 2010, a ‘press kit’ section was also introduced on the website in order to provide media professionals with relevant materials and resources that can be used in their news articles and reporting interviews.

Between September and November 2011, an online survey was carried out on the quality of the EDPS website. The overall views of the website were positive: the majority of people found the website satisfactory in terms of the content. They also claimed that the information was accurate, up-to-date and easy to understand. Although the site was rated as quite easy to use, further improvements will be made in 2012 to the ‘advanced search’ function and the register.

In addition, an overhaul of the supervision and consultation sections is foreseen in order to enhance search options and navigation through thematic categories. Other improvements will include creating a Data Protection Officers’ Corner and implementing the RSS feed feature.

Traffic and navigation

An analysis of the traffic and navigation data shows that in 2011, the website received a total of 65 599 unique visitors, including more than 6 000 per month in January, May and June.

After the homepage, the most regularly viewed pages were the ‘Press and News’, ‘Supervision’ and ‘Consultation’ pages, although the ‘Publications’ and ‘Events’ pages were also popular. The statistics also show that most visitors access the website via a direct address, a bookmark, a link in an email or a link from another site - such as the Europa portal or a national data protection authority’s website. Search engine links are used only by a few visitors.

5.6.2. Newsletter

The EDPS newsletter remains a valuable tool for providing information on the EDPS’ most recent activities and to draw attention to recent additions to the website. The newsletter provides information on the EDPS’ most recent opinions on EU legislative proposals and on prior checks in his supervisory role. It also includes details of conferences and other events organised in the field, as well as recent speeches by the Supervisor and Assistant Supervisor. The newsletters are available in English, French and German on the EDPS website and a subscription feature is offered on the relevant page.

Four issues of the EDPS newsletter were published in 2011, with an average frequency of one issue every three months. The number of subscribers rose from 1 500 at the end of 2010 to approximately 1 750 by the end of 2011. Subscribers include members of the European Parliament, staff members from the EU institutions, staff of national data protection authorities, journalists, the academic community, telecommunication companies and law firms.

5.7. Publications

5.7.1. Annual Report

The annual report is a key EDPS publication. It provides an overview of EDPS activities in the main operational fields of supervision, consultation and cooperation during the reporting year and sets out the main priorities for the following year. It also describes what has been achieved in terms of external communication as well as developments in administration, budget and staff. A specific chapter is also dedicated to the activities of the EDPS’ Data Protection Officer.

The report may be of particular interest to various groups and individuals at international, European and national levels - data subjects in general and EU staff in particular, the EU institutional system, data protection authorities, data protection specialists, interest groups and non-governmental organisations active in the field, journalists and anyone seeking information on the protection of personal data at EU level.

The Supervisor and Assistant Supervisor presented the EDPS 2010 Annual Report to the European Parliament Committee on Civil Liberties, Justice and Home Affairs on 15 June 2011. The main features of the report were also presented at the press conference on the same day.

5.7.2. Thematic publications

Preparatory work has started on thematic factsheets relating to data protection issues of strategic importance for the EDPS. The aim is to publish targeted information as guidance for the general public and other interested parties. The first set of factsheets will cover issues such as data breaches, e-Privacy, the SWIFT/TFTP agreement and Passenger Name Record (PNR).

5.8. Awareness-raising events

The EDPS is keen to seize relevant opportunities to highlight the increasing relevance of privacy and data protection and to raise awareness of the rights of data subjects as well as the obligations of the European administration in relation to these.

5.8.1. Data Protection Day 2011

The Member States of the Council of Europe and the European institutions and bodies celebrated the fifth European Data Protection Day on 28 January 2011. This date marks the anniversary of the adoption of the Council of Europe Convention on the protection of personal data (Convention 108), the first legally binding international instrument in the field of data protection.

The EDPS uses this opportunity to stress the importance of privacy and data protection and in particular to raise awareness among EU staff of their rights and obligations in the field. For each Data Protection Day, an information stand is set up and operated by members of the EDPS office and its data protection officer on the premises of the Council, the European Commission and the European Parliament in cooperation with the data protection officer of the respective institution. Visitors have the opportunity to ask questions and to test their knowledge of EU data protection in a quiz.

In 2011, the EDPS renewed this specific activity, while investing further efforts in raising awareness among EU staff. A video message from the Supervisor and Assistant Supervisor was also circulated to institutional stakeholders and made available on the EDPS website, in both a long and short version, to present the role of the EDPS and outline the challenges for the year.

EDPS Annual Report 2010.

Visitor filling in a quiz during Data Protection Day 2011 on the EDPS information stand.


The EDPS also participated in various events organised on the occasion of Data Protection Day, such as the international conference on ‘Computers, Privacy and Data Protection’, that serves as a bridge for policymakers, academics, practitioners and activists to discuss emerging issues of privacy, data protection and information technology. For this fourth international event, the conference theme was ‘European Data Protection: In Good Health?’. It took place on 25-27 January 2011 and included two one-day events on ‘eHealth’ and surveillance and a round table on body scanners. Members of the EDPS secretariat took part in panel discussions and Peter Hustinx gave the concluding notes at the conference.

5.8.2. EU Open Day 2011

On 7 May 2011, the EDPS participated as usual in the Open Day at the European institutions, organised at the European Parliament in Brussels. The EU Open Day offers an excellent opportunity for the EDPS to increase general public awareness of the need to protect privacy and personal information.

Staff members from the EDPS secretariat were present to answer questions from visitors at the EDPS stand in the main building of the European Parliament. As with the EDPS stand for Data Protection Day, there was a quiz on privacy and data protection at EU level and information materials were also distributed to visitors. The installation of a thermic camera linked to a large screen was a major attraction at the stand. Although there was no direct link with the processing of personal data, citizens were made aware, in a striking and fun way, of the potential privacy risk posed by new technology.

Visitors playing with a thermic camera on the EDPS stand during EU Open Day 2011 at the European Parliament.


66.1. Introduction

TheentryintoforceoftheTreatyofLisbonhadadirect impact on the activities and tasks of theEDPS. The Treaty assigns greater importance todataprotectionintheEUinstitutionsandbodiesandhasthusincreasedtheworkloadoftheinstitu-tionandinturn,oftheHumanResources,BudgetandAdministrationUnit(HRBA)aswell.

Theplannedmoderategrowthof theestablish-mentplanoftheEDPSoverrecentyearscouldnotcopewiththesenewtasksandresponsibilitiesandit was necessary to hire a number of contractagentsandtemporarystaffandtonegotiatethesecondmentofdataprotectionexpertsfromotherEUinstitutionsandDataProtectionAuthoritiesinthe Member States to assist the EDPS with theincreasingworkload.

In2011,amorestrategicandefficientmanagementof prioritiesandresourceswas developed-particu-larlyimportantintimesof austerityandbudgetaryconsolidation.AstrategicreviewoftheEDPSwaslaunched during the year and a “StrategicReview” Task Force wassetupandcomprisedrep-resentatives from all  teams and chaired by theDirector of the EDPS.  An internal conference  inOctober2011,wasanopportunityfor thevariousEDPSteamstoreflectontheirrespectivetasks,val-ues and objectives and to identify those of theEDPSfortheyearstocome. Thiswillbefollowedupin2012with anexternalconsultationofstakehold-ers by means  of  on-line surveys,  focus groupsand workshops. Theresultswillbe presented ata publicconference.

In2011,theeffortstoimproveefficiencyyieldedtangible results, such as securing access to thetrainingcatalogueof theEuropeanCommissionthroughSyslogFormation,theadoptionofdetailedinternalmanualsdealingwiththerecruitmentofseveralcategoriesofstaffandanewbudgetimple-mentationcontrolmechanismwhichgaverisetoasubstantialincreaseintheimplementationrateofthebudget.

ImprovementsintheefficiencyoftheHRfunctionwillcontinuein2012whenaccesstoSysper(per-sonnel file management system) and MIPS (anapplicationtocoordinatemissions)becomeavail-able.Thesewillfacilitatesomeroutineadministra-tivetasksandfreeupresourcestobetterpositiontheHRteamasareliablestrategicpartnerfortheManagementBoardoftheEDPS.

6.2. Budget

The allocated budget for the EDPS in 2011 wasEUR  7 564  137. This represented an increase of6.47%onthepreviousyear,buttakingintoaccounttheoveralldevelopmentoftheinstitutionanditsincreased workload, it represented moderategrowth.

This modest budgetary rise was absorbed, in the main, by the budget line for salaries, which, in monetary terms, is the most important item of the EDPS budget. A significant part of the budget was allocated to the translation of EDPS opinions on legislative proposals into all official languages. They can then be published in the Official Journal of the European Union to place them in proximity to the EU legislative texts and the jurisprudence of the European Court of Justice, ensuring that the views of the EDPS can be easily located by practitioners and courts alike. Other documents adopted by the EDPS (e.g. opinions on prior checks) are translated into the working languages of the EDPS (English, French and German).

The 2010 Declaration of Assurance (DAS) from the European Court of Auditors did not raise any concerns or recommendations for the EDPS. Nevertheless, within the context of sound financial management and with a view to improving the reliability and the quality of the EDPS financial data:

a) a new internal financial verification system, including check-lists for all levels of financial transactions, was introduced into the financial workflow;

b) a quarterly budget implementation report, including a line-by-line budgetary consumption follow-up, was implemented;

c) new mission forms for better control and transparency were adopted;

d) guidelines for low value procurements were drawn up;

e) new financial reporting tables were set up.

As a result of these initiatives, the budget implementation rate of the EDPS improved substantially: from 76% in 2010 to almost 85% in 2011.

Assistance from the European Commission in finance matters continued in 2011, particularly in relation to accountancy services - the Accounting Officer of the Commission is also the Accounting Officer of the EDPS. Where specific rules have not been laid down, the EDPS applies the internal rules of the Commission for the implementation of the budget.

[Figure: EDPS - Budget evolution 2004-2012. Vertical axis: EURO; horizontal axis: years 2004 to 2012.]

6.3. Human resources

6.3.1. Recruitment

The growing number of tasks and increased visibility of the EDPS are leading to an increased workload and an expansion of activities which need to be addressed from a human resources perspective.

Thanks to a service level agreement with the European Personnel Selection Office (EPSO), a general competition on data protection was organised in 2009 so as to recruit highly specialised staff. Three reserve lists were made available in Summer 2010 for grades AD9, AD6 and AST3 for a validity of three years. At present, 82% of the laureates on the three lists have been recruited. The AST3 list is open for recruitment by all EU institutions.

Following the publication of these lists in 2010, the EDPS embarked on a major recruitment operation, interviewing candidates from the reserve lists and officials from other institutions, in compliance with Article 29 of the Staff Regulations. This recruitment effort continued in 2011. Prior to 2011, newcomers were mainly selected from EPSO competition lists. In 2011, the EDPS began to receive a significant number of transfer applications from EU officials in other institutions, which demonstrates the growing visibility of the EDPS as an attractive employer.

In order to deal more efficiently with the increased number of applications and to guarantee a fair and professional recruitment process, the Human Resources team issued several recruitment manuals related to all categories of staff, setting out procedures to be followed by HR staff and line managers during the recruitment process.

In addition to officials, the EDPS recruited three contract agents and welcomed the former DPO of the Council on secondment to the EDPS, thus strengthening the Supervision Unit. In order to cover temporary needs in 2011, two interim staff members and one external contractor for the maintenance and development of the EDPS website were hired. In total, the EDPS recruited 14 new colleagues in 2011.

The procedure to fill the vacancy of Director of the EDPS Secretariat, launched at the end of 2010, was completed. Following an inter-institutional recruitment procedure, the Director was selected and appointed in March 2011.

[Figure: EDPS - Staff evolution by category. Vertical axis: number of persons; horizontal axis: years 2008 to 2011; categories: AD, AST, CA, OTHER.]


6.3.2. Traineeship programme

A traineeship programme was created in 2005 to offer recent university graduates the opportunity to put their academic knowledge into practice, thereby acquiring practical experience in the day-to-day activities of the EDPS. This also provides the institution with an opportunity to increase its visibility among younger EU citizens, particularly among those university students and young graduates who have specialised in the field of data protection.

The programme hosts an average of four trainees per session, with two five-month sessions per year (March to July and October to February). In exceptional situations and under stringent admission criteria, the EDPS may also welcome non-remunerated trainees who wish to gain experience in the field of Data Protection in the framework of their studies or professional career. The criteria are defined in the new decision which the EDPS adopted on 25 October 2011 and which contains the rules governing the traineeship programme. In the new decision, particular attention is given to the data protection aspects, in order to better inform the candidates on their rights.

All the trainees, whether remunerated or not, contribute to both theoretical and practical work and also gain useful first-hand experience.

On the basis of a service level agreement with the Commission, the EDPS has benefited from the administrative assistance of the Traineeship Office of the Commission Directorate-General for Education and Culture, which has continued to provide valuable support through its highly experienced staff.

6.3.3. Programme for seconded national experts

The programme for seconded national experts (SNEs) at the EDPS was launched in January 2006. On average, two national experts from data protection authorities (DPAs) in the Member States are seconded every year. These secondments enable the EDPS to benefit from the skills and experience of such staff and help to increase the visibility of the EDPS at national level. This programme, in turn, allows SNEs to familiarise themselves with data protection issues at EU level. An internal manual governing their selection procedure was issued in 2011.

6.3.4. Organisation chart

The EDPS organisation chart remained unchanged from its inception in 2004 until 2009, after which the first reorganisation took place with the creation of the post of Director as Head of Secretariat.

In 2010, the EDPS organisation chart underwent a major change as the staff was reorganised into five sectors with heads of sector appointed at middle management level.

The major recruitment endeavour that followed the publication of the EPSO competition reserve lists resulted in a substantial growth of these sectors. For this reason, in June 2011, the 3 largest EDPS sectors, namely Supervision and Enforcement, Policy and Consultation and Human Resources, Budget and Administration, were transformed into units.

These changes have given rise to a new organisation chart which is available on the EDPS website.

6.3.5. Working conditions

The flexitime regime was introduced at the EDPS in 2005 and is highly appreciated by staff. Many colleagues use this opportunity to balance professional and personal life in an equitable manner.

In 2011, the decision on flexitime was revised in order to rationalise and simplify the procedure and to ensure equal treatment of all staff. Furthermore, the new decision harmonises the rules applicable at the EDPS with those in place at the European Commission, in order to facilitate the introduction of the Sysper II Time Management module in 2012.

Two staff members (one from the HR Unit and one from the Staff Committee) were appointed “trust persons” in 2011, available to all staff to discuss possible cases of harassment. The two officials followed specific training organised by the Commission to prepare them for treating possible cases and to implement a specific policy against harassment.

6.3.6. Training

Syslog Web Formation was implemented at the EDPS in 2011. This allows electronic access to the training catalogue of the European Commission and has resulted in a tremendous improvement in the efficiency and rapidity of organising training. As a consequence, most of the training budget was consumed in 2011 (88% of the total budget – EUR 102 499).


General training courses (at the Commission, including language courses): 21.75%
EAS training courses: 48.70%
External training courses: 17.55%

The high implementation rate of the training budget is a sign of success of the EDPS reorganisation and assists the declared objective of the Management Board of the institution to meet the needs of EDPS Staff and to make the EDPS an attractive employer for EU officials from other EU institutions.

A tailor-made “First steps in management” course was organised over 2 days by the EAS for 16 administrators from the EDPS. The course was designed to impart knowledge on management, with a focus on the basics of team management, diversity and communication. The course gave staff a better understanding of the challenges faced by middle management and prepared them for future management responsibilities. Due to its success, such a course will be organised again in 2012.

In 2011, EDPS middle management who were appointed in 2010 and 2011 followed a specific management training course and also benefited from an individual and collective coaching programme delivered by the coach coordinator of the European Commission. This has allowed the Director and the Heads of Unit and Sector to function better as individual managers and as a management team, with tangible improvements in planning, coordination and implementation of policies decided by the Management Board of the institution.

The EDPS continued to participate in various inter-institutional committees, which facilitates the pooling of training needs and allows for economies of scale in an area where needs are essentially similar across the EU institutions. The sixth amendment to the protocol of language courses was signed in December 2011, an area for which there has also been a significant increase in training requests.

At the request of the training coordinator, the EDPS updated its training decision in October 2011, allowing more training opportunities to be offered to EDPS staff.

6.3.7. Social activities

The EDPS benefits from a cooperation agreement with the Commission to facilitate the integration of new staff, for instance by providing legal assistance in private matters (rental contracts, taxes, real estate, etc.) and by giving them the opportunity to participate in various social and networking activities. New staff are personally welcomed by the Supervisor, the Assistant Supervisor and the Director of the EDPS. In addition to their mentor, newcomers also meet members of the HR, Budget and Administration Unit, who provide them with the EDPS administrative guide and other information on the specific procedures of the EDPS.

The EDPS has continued to develop inter-institutional cooperation with regard to childcare: the children of EDPS staff have access to the crèches, the European schools, after-school childcare and the outdoor childcare centres of the Commission. The EDPS also participates as an observer in the European Parliament advisory committee on prevention and protection at work, the aim of which is to improve the work environment.

In 2011, several social activities were organised for EDPS staff in close cooperation with the Staff Committee of the institution and each event resulted in a high rate of attendance.

6.4. Control functions

6.4.1. Internal control

The internal control system, effective since 2006, manages the risk of failure to achieve business objectives. In 2011, considerable efforts were put into the implementation of the Internal Control Standards (ICS). The list of actions was extended to ensure a more efficient internal control of the processes in place. By way of example, an awareness-raising action on ethics, harmonised titles for all staff, a mentorship programme, an adaptation of the new financial workflow, a business continuity plan and an update of the missions’ guide were all adopted in relation to the ICS. An updated decision on Internal Control Standards will be adopted in 2012 to simplify the approach, increase the ownership and strengthen their effectiveness.

The EDPS took note of the annual activity report and the Declaration of Assurance signed by the Authorising Officer by delegation. Overall, the EDPS considers that the internal control systems in place provide reasonable assurance of the legality and regularity of operations for which he is responsible.


6.4.2. Internal audit

The Internal Audit Service (IAS) of the Commission also serves as the auditor of the EDPS. In January 2011, a risk assessment visit took place to set up the IAS audit strategy for the EDPS for the period 2011-2013. All the processes of the EDPS were thoroughly checked by the IAS and a risk map profile and trigger areas of audit visits were drawn up.

A specific IT risk assessment visit by the IAS took place at the request of the EDPS, in July 2011. As the EDPS is hosted on the premises of the European Parliament and relies on its IT infrastructure, further work with the IT services of the EP will continue in 2012.

Finally, an audit was performed in November 2011 concerning prior checking opinions, administrative measures and inspections. The report on this audit will be available in 2012.

With regard to the follow up of the 2 risk assessment audits, 6 recommendations remain open. Three of them are expected to be closed in early 2012 and the three others will be addressed later in 2012 or 2013 as they concern long-term projects such as the development of a Case Management System (see further in Section 6.6.3) or a risk management policy.

As both organisations share an interest in the area of audits, as far as compliance with data protection is concerned, the EDPS has proposed a Memorandum of Understanding to the IAS to allow both organisations to fulfil their roles in the most effective way possible. The MoU will be concluded in 2012 with full regard to their respective rights, obligations and independence as laid down in their constitutive documents.

6.4.3. External audit

As an EU institution, the EDPS is audited by the Court of Auditors. Pursuant to Article 287 of the Treaty on the Functioning of the European Union, the Court undertakes an annual audit of the revenue and expenditure of the EDPS in order to provide a statement of assurance as to the reliability of the accounts and the legality and regularity of the underlying transactions. This takes place in the framework of the so-called discharge exercise with audit questions and interviews.

For the discharge of the year 2010, the questions posed by the Court were answered satisfactorily by the EDPS.

6.4.4. Security

In 2011, considerable resources in the area of security were devoted to the internal Case Management System of the EDPS, which will be tailor-made for the EDPS and implemented in 2012, with particular attention paid to the security measures to be put in place. The contract with the company developing the system was signed in December 2011 with the assistance of the European Parliament.

The IT risk assessment visit carried out by our internal auditor in July 2011, although not finalised, has already triggered some initiatives such as the setting up of an IT Steering Committee that met for the first time in January 2012.

The EDPS also adopted a Business Continuity Plan (BCP) in 2011 with regard to health and safety conditions for staff and premises. In 2012, following the scheduled move to new premises, a new plan will be prepared in close cooperation with other institutions.

Based on the need to access EU Classified Information (EUCI) in order to carry out their duties, several members of EDPS staff have received an official security clearance, granted by their national security authorities. This allows the EDPS to carry out security inspections of large scale IT systems or at other important and sensitive sites.

Advice was delivered on a regular basis on EDPS activities, including an introduction to the tasks and mandate of the EDPS given to the Local Security Officers (LSO) and Local Information Security Officers (LISO) of the European Commission.

6.5. Infrastructure

On the basis of the administrative cooperation agreement described below, the offices of EDPS are located in the premises of the European Parliament, which also assists the EDPS in the fields of IT and infrastructure.

Because of a recurrent lack of space in the building in which the EDPS is located and the imminent expiry of the rental contract of the building in which the EDPS is hosted (Montoyer 63), the European Parliament set up a Building Committee, in which the EDPS participated, to select a new building to house the offices of the EDPS.

The new building was selected in 2011 and the move is planned for mid-2012. A task force named “EDPS by design” was created, with the mandate “to analyse and develop all aspects related to the design and the move to a new building (e.g. planning, space distribution, IT issues, both at short and long term perspective, security or data protection matters, etc.) in the course of 2012, so that the move is successful and disruption to the work of the Institution is reduced as much as possible.”

The institution has continued to independently manage its furniture and IT goods inventory, with the assistance of the European Parliament services.

6.6. Administrative environment

6.6.1. Administrative assistance and inter-institutional cooperation

The EDPS benefits from inter-institutional cooperation in many areas by virtue of an agreement concluded in 2004, with the Secretaries-General of the Commission, the Parliament and the Council, which was extended in 2006 (for a three-year period) and in 2010 (for a two-year period) with the Commission and the Parliament. An extension of the agreement for two years was signed by the Secretaries-General of the Commission and the Parliament and the EDPS Director in December 2011. This cooperation is vital for the EDPS as it increases efficiency and allows for economies of scale.

Close inter-institutional cooperation continued in 2011 with various Commission Directorates-General (Personnel and Administration, Budget, Internal Audit Service, Education and Culture), the Paymaster’s Office (PMO), the European Administrative School (EAS), the Translation Centre for the Bodies of the European Union and various European Parliament services (IT services, particularly with arrangements for the maintenance and development of the EDPS website; fitting out of the premises, building security, printing, mail, telephone, supplies, etc.). In many cases, this cooperation takes place by means of service level agreements, which are regularly updated. The EDPS also continued to participate in the inter-institutional calls for tenders, thus increasing efficiency in many administrative areas and making progress towards greater autonomy.

[Figure: EDPS budget execution through inter-institutional cooperation. Vertical axis: EURO; horizontal axis: years 2008 to 2011; series: Commission, CDT, Council, Parliament, Other.]

The EDPS is a member of various inter-institutional committees and working groups, including the Collège des Chefs d’administration, Comité de Gestion Assurances maladies, Comité de Préparation pour les Questions Statutaires, Comité du Statut, the Interinstitutional Working Party/EAS, EPSO management board, EPSO working group, Commission paritaire commune and Comité de préparation pour les affaires sociales.

6.6.2. Internal rules

Various internal rules were adopted in 2011 for the smooth functioning of the EDPS. In areas where the EDPS benefits from the assistance of the Commission or the European Parliament, the rules are similar to those of these institutions, albeit with some adjustments to allow for the specific features of the EDPS office.

In 2011, the Director’s meeting (Heads of unit or sector plus Director) started discussions on adopting internal rules of a more general scope and a first proposal was submitted to the Management Board of the EDPS. The EDPS plans to adopt these in 2012 together with a revised version of the Code of good conduct for the EDPS.

6.6.3. Document management

The EDPS selected and procured a document and records management system incorporating case management. This process was completed with the support of the European Parliament IT services.

The customisation and configuration of this system to accommodate the specific needs of the EDPS began at the end of the year. The current EDPS databases have been harmonised, in preparation for migration into the new system.

6.6.4. Planning

In the course of 2011, planning and control of activities within the EDPS was improved. Three levels of planning were put in place: a strategic plan (3-5 years), an annual management plan and a detailed activity planning:

a) Strategic plan
One early outcome of the Strategic Review was to set up an accurate and detailed strategic plan. This strategic planning will allow the Management Board to manage resources more efficiently over the medium term.

b) Management plan
The annual Management Plan outlines the detailed planning for the year based on the objectives and activities mentioned in the three year strategic plan.

c) Weekly activity planning
Accurate weekly planning of activities is carried out to ensure that the EDPS meets his legal obligations and deadlines. Planning also ensures effective cooperation across the different EDPS teams.


7. EDPS DATA PROTECTION OFFICER

7.1. The DPO at the EDPS

In 2010, the DPO team consisted of two DPOs (a DPO and an assistant DPO) who had been appointed by the EDPS in September 2010. Following the departure of the DPO in March 2011, the EDPS decided to nominate the assistant DPO - who succeeded in the certification programme in 2010 - as the acting DPO. The acting DPO was nominated as DPO in December 2011, once she had been appointed to an AD post.

The role of the DPO at the EDPS presents many challenges: being independent within an independent institution, meeting the high expectations of colleagues who are particularly aware and sensitive about data protection issues and delivering solutions that can serve as benchmarks for other institutions.

To strengthen this independence and deepen her expertise, the EDPS DPO is following the IAPP (International Association of Privacy Professionals) training recommended in the DPO paper on professional standards issued by the DPO network (20).

(20) Professional Standards for Data Protection Officers of the EU institutions and bodies working under Regulation (EC) 45/2001, 14 October 2010

7.2. The Register of processing operations

2011 was dedicated to the revision of all processing operation notifications within the EDPS and to new notifications. Seven notifications were substantially revised in order to take account of the new procedures in place at the EDPS following its internal reorganisation, notably in Human Resources procedures. Eight new notifications were required, mainly in the Human Resources and Communication teams. A notification on how the EDPS deals with complaints lodged was also addressed. These notifications relate to Article 25 of Regulation 45/2011.

At the same time, the DPO has taken care of notifications submitted to the EDPS under Article 27.2 of Regulation 45/2001 following EDPS guidelines. Among the 17 existing notifications based on Article 25 of the Regulation, nine were subject to notification under Article 27 of Regulation 45/2011, of which 89% deal with Human Resources issues.

The DPO’s main objective for 2012 is to request notifications of all processing operations which are in the inventory and which have not yet been established by the persons responsible for processing.

7.3. EDPS 2011 Survey

In March 2011, a letter was sent to the Supervisor by the EDPS Director outlining all the work carried out to be in compliance with Regulation 45/2001. The EDPS has taken these documents into account in his 2011 Survey. The 2010 Action Plan, which was implemented at 95%, was positively acknowledged. The EDPS underlined that all notifications under Article 27 have been completed.


7.4. Information and raising awareness

The DPO places great emphasis on raising awareness and on communication of data protection compliance at the EDPS, both externally and internally.

With regard to external communication, a DPO section of the EDPS website, which provides basic information about the DPO role and activities, has been updated, so that the updated Register and all the notifications are available for public consultation in their new versions.

In addition, the DPO takes part in the DPO network meetings, which represent a unique opportunity to network, discuss common problems and share best practices.

With regard to internal communication, the EDPS intranet provides an effective means of communication with staff. The DPO intranet section contains information that is useful to staff members: the main elements of the role of the DPO, the implementing rules, the DPO Action Plan and information on DPO activities.

The DPO Intranet section has been completed with a detailed list of privacy statements about the EDPS processing operations, allowing all members of staff to exercise their rights (Articles 11 and 12 of Regulation 45/2001) by informing them thereof.

Raising awareness also took the form of a DPO presentation “Initiation to Regulation 45/2001” aimed at newcomers and officials not experienced in data protection. Its purpose was to familiarise staff members with data protection matters and with the EDPS missions and values.


8. MAIN OBJECTIVES IN 2012

The following objectives have been selected for 2012. The results achieved will be reported in 2013.

8.1. Supervision and Enforcement

In line with the Compliance and Enforcement Policy Paper adopted in December 2010, the EDPS has set the following objectives in the field of Supervision and Enforcement.

• Raising awareness

The EDPS will invest time and resources in providing guidance to EU institutions and agencies. Guidance is necessary to help achieve a shift towards greater accountability of Institutions and agencies. This guidance will take the form of thematic papers on standard administrative procedures and horizontal themes such as e-monitoring, transfers and rights of data subjects. Training and workshops will also be organised for DPOs/DPCs either on request by a specific institution or agency or on the initiative of the EDPS when a need is identified. The EDPS website will be developed so as to provide useful information to DPOs. The public register of prior checking notifications will also be made accessible according to a common subject taxonomy.

• Prior checking

The EDPS continues to receive ex-post notifications either relating to standard administrative procedures or to processing operations already in operation. Action will be taken in 2012 to define appropriate procedures for handling such notifications and to ensure that notifications for checking ex-post are not permitted save in exceptional and justified circumstances. The follow-up of recommendations made in prior checking opinions is a crucial element of the enforcement strategy of the EDPS. The EDPS will continue to place strong emphasis on the implementation of recommendations in prior check opinions and ensure an adequate follow up.

• General stock taking exercises

In 2011, the EDPS launched a general stock taking exercise, providing indicators of compliance by institutions and bodies with certain obligations (e.g. appointment of a DPO, adoption of implementing rules, level of Article 25 notifications, level of Article 27 notifications). The report issued by the EDPS emphasised the progress made in implementing the Regulation, but also underlined shortcomings. The report will emphasise the progress made in implementing the Regulation, but will also underline shortcomings. The 2011 survey will be complemented in 2012 by a specific exercise on DPO Status: this exercise is also intended to provide support for the DPO function in line with the accountability principle. In addition, the EDPS will launch a survey specifically for the Commission in 2012, the aim of which is to collect information directly from the various DGs at the Commission.

• Visits

On the basis of the indicators from the 2011 survey, the EDPS has selected institutions and agencies for visits (6 planned visits). These visits are triggered either by an apparent lack of commitment or communication from management, or if an institution or agency is below the benchmark set for a peer group.

• Inspections

Inspections are a vital tool that enables the EDPS to monitor and ensure the application of the Regulation: an increase in the number of inspections is crucial not only as an enforcement tool, but also as a tool to raise awareness of data protection issues and the EDPS. Inspections will increase in 2012 due to the introduction of lighter, more targeted inspections in addition to full-scale inspections. Some institutions or bodies process personal data in their core business activities and data protection is, therefore, a key element. These bodies will be identified and be the object of targeted monitoring (paper based) or inspections. General inspections are also planned for large scale IT systems in 2012. These are selected on the basis of legal obligations. Thematic inspections will be launched in areas where the EDPS has provided guidance and wishes to check against reality (e.g. CCTV).

8.2. Policy and Consultation

The main objectives of the EDPS for his advisory role are set out in the inventory and the accompanying memo as published on the website. The EDPS faces the challenge of fulfilling his ever-increasing role in the legislative procedure, guaranteeing high-quality and well-appreciated contributions to it, delivered by limited resources. In light of this, the EDPS has identified issues of strategic importance that will form the cornerstones of his consultation work for 2012, while not neglecting the importance of other legislative procedures where data protection is concerned.

• Towards a new legal framework for data protection

The EDPS will give priority to the work on a new legal framework for data protection in the EU. He will issue an opinion on the legislative proposals for the framework and contribute to the debates in the next steps of the legislative procedure where necessary and appropriate.

• Technological developments and the Digital Agenda, IP rights and Internet

Technological developments, especially those connected to the Internet and the associated policy responses, will be another area of focus for the EDPS in 2012. Subjects range from the plans for a Pan-European framework for electronic identification, authentication and signature, the issue of Internet monitoring (e.g. enforcement of IP rights, takedown procedures) to cloud computing services and eHealth. The EDPS will also strengthen his technological expertise and engage in research on privacy-enhancing technologies.

• Further developing the Area of Freedom, Security and Justice

The Area of Freedom, Security and Justice will remain one of the key policy areas for the EDPS to address. Relevant upcoming proposals include EU-TFTS and smart borders. Additionally, the EDPS will continue to follow the review of the data retention directive. He will also closely monitor negotiations with third countries on data protection agreements.

• Financial sector reform

The EDPS will continue to follow and scrutinise new proposals for the regulation and supervision of financial markets and actors, insofar as they affect the right to privacy and data protection.

• Other initiatives

The EDPS will also follow proposals in other policy areas that have a significant impact on data protection. He will continue to be available for formal and informal consultations on proposals affecting the right to privacy and data protection.

8.3. Cooperation

The EDPS will continue to fulfil his responsibilities in the field of coordinated supervision. Additionally, he will reach out to national data protection authorities as well as to international organisations.

• Coordinated supervision

The EDPS will play his role in the coordinated supervision of Eurodac, the Customs Information System and the Visa Information System (VIS). Coordinated supervision of the VIS, which went live in October 2011, is still in its infancy. After informal discussions in the framework of the Eurodac supervision coordination meetings, the target for 2012 is to gradually establish supervision in this area. When SIS II is launched, it will also be subject to coordinated supervision; it is scheduled to go live in 2013 and the preparations will be followed closely. The EDPS will also carry out inspections of the central units of these systems where necessary or legally required.

• Cooperation with data protection authorities

As before, the EDPS will actively contribute to the activities and success of the Article 29 Data Protection Working Party, ensuring consistency and synergies between the Working Party and the positions of the EDPS in line with respective priorities and maintaining a constructive relationship with national data protection authorities. As rapporteur for some specific dossiers, he will steer and prepare the adoption of WP29 opinions.

• Data protection in international organisations

International organisations are usually not subject to data protection legislation in their host countries; however, not all of them have appropriate rules for data protection in place. The EDPS will reach out to international organisations by organising a workshop aimed at raising awareness and spreading good practices.

8.4. Other fields

• Information and communication

Information, communication and press activities will continue to be developed and improved, with special focus on awareness-raising, publications and online information. The EDPS will also start implementing the review of his Information and Communication Strategy, after the consultation of his main stakeholders. The re-organisation of some important parts of the EDPS website is planned in order to increase the user friendly character of the website and facilitate search and navigation through the available information.

• Internal organisation

The EDPS strategic review will continue through 2012, with an external consultation of stakeholders by means of online surveys, interviews, focus groups and workshops. Immediate results of the review launched in 2011 led to decisions to develop a more strategic approach to supervision and consultation activities and to create a new IT policy sector in 2012. Once the review has been concluded and the results analysed, the EDPS will finalise his mid-term strategy and draw up the performance measuring tools (KPI) necessary to evaluate key elements of that strategy.

• Resource management

The work of developing a customised Case Management System at the EDPS will continue in 2012. IT applications in the field of human resources on the basis of Service Level Agreements will also be developed further, especially with the implementation of Sysper II, which will be completed in 2012, and with the introduction of MIPS.


Annex A — Legal framework

The European Data Protection Supervisor was established by Regulation (EC) No 45/2001 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. The Regulation was based on Article 286 of the EC Treaty, now replaced by Article 16 of the Treaty on the Functioning of the European Union (TFEU). The Regulation also laid down appropriate rules for the institutions and bodies in line with the then existing EU legislation on data protection. It entered into force in 2001 (21).

Since the entry into force of the Lisbon Treaty on 1 December 2009, Article 16 TFEU must be considered as the legal basis for the EDPS. Article 16 underlines the importance of the protection of personal data in a more general way. Both Article 16 TFEU and Article 8 of the EU Charter of Fundamental Rights, which is now legally binding, provide that compliance with data protection rules should be subject to control by an independent authority. At the EU level, this authority is the EDPS.

Other EU acts on data protection are Directive 95/46/EC, which lays down a general framework for data protection law in the Member States, Directive 2002/58/EC on privacy and electronic communications (as amended by Directive 2009/136) and Council framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters. These three instruments can be considered as the outcome of a legal development which started in the early 1970s in the Council of Europe.

Background

Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms provides for a right to respect for private and family life, subject to restrictions allowed only under certain conditions. However, in 1981 it was considered necessary to adopt a separate convention on data protection, in order to develop a positive and structural approach to the protection of fundamental rights and freedoms, which may be affected by the processing of personal data in a modern society. The convention, also known as Convention 108, has been ratified by more than 40 Member States of the Council of Europe, including all EU Member States.

(21) OJ L 8, 12.1.2001, p. 1.

Directive 95/46/EC was based on the principles of Convention 108, but specified and developed them in many ways. It aimed to provide a high level of protection and a free flow of personal data in the EU. When the Commission made the proposal for this directive in the early 1990s, it stated that Community institutions and bodies should be covered by similar legal safeguards, thus enabling them to take part in a free flow of personal data, subject to equivalent rules of protection. However, until the adoption of Article 286 TEC, a legal basis for such an arrangement was lacking.

The Treaty of Lisbon enhances the protection of fundamental rights in different ways. Respect for private and family life and protection of personal data are treated as separate fundamental rights in Articles 7 and 8 of the Charter that has become legally binding, both for the institutions and bodies, and for the EU Member States when they apply Union law. Data protection is also dealt with as a horizontal subject in Article 16 TFEU. This clearly indicates that data protection is regarded as a basic ingredient of ‘good governance’. Independent supervision is an essential element of this protection.

Regulation (EC) No 45/2001

Taking a closer look at the Regulation, it should be noted first that according to Article 3(1) thereof it applies to the ‘processing of personal data by Community institutions and bodies insofar as such processing is carried out in the exercise of activities all or part of which are within the scope of Community law’. However, since the entry into force of the Lisbon Treaty and the abolition of the pillar structure – as a result of which references to ‘Community institutions’ and ‘Community law’ have become outdated – the Regulation in principle covers all EU institutions and bodies, except to the extent that other EU acts specifically provide otherwise. The precise implications of these changes are still being examined and may require further clarification.

The definitions and the substance of the Regulation closely follow the approach of Directive 95/46/EC. It could be said that Regulation (EC) No 45/2001 is the implementation of that directive at European level. This means that the Regulation deals with general principles like fair and lawful processing, proportionality and compatible use, special categories of sensitive data, information to be given to the data subject, rights of the data subject, obligations of controllers — addressing special circumstances at EU level where appropriate — and with supervision, enforcement and remedies. A separate chapter deals with the protection of personal data and privacy in the context of internal telecommunication networks. This chapter is the implementation at European level of the former Directive 97/66/EC on privacy and communications.

An interesting feature of the Regulation is the obligation for EU institutions and bodies to appoint at least one person as Data Protection Officer (DPO). These officers have the task of ensuring the internal application of the provisions of the Regulation, including the proper notification of processing operations, in an independent manner. All institutions and most bodies now have these officers, and in some cases already for many years. This means that important work has been done to implement the Regulation, even in the absence of a supervisory body. These officers may also be in a better position to advise or to intervene at an early stage and to help to develop good practice. Since the DPO has the formal duty to cooperate with the EDPS, this is a very important and highly appreciated network to work with and to develop further (see Section 2.2).

Tasks and powers of EDPS

The tasks and powers of the EDPS are clearly described in Articles 41, 46 and 47 of the Regulation (see Annex B) both in general and in specific terms. Article 41 lays down the general mission of the EDPS — to ensure that the fundamental rights and freedoms of natural persons, and in particular their privacy, with regard to the processing of personal data are respected by EU institutions and bodies. Moreover, it sets out some broad lines for specific elements of this mission. These general responsibilities are developed and specified in Articles 46 and 47 with a detailed list of duties and powers.

This presentation of responsibilities, duties and powers follows in essence the same pattern as those for national supervisory bodies: hearing and investigating complaints, conducting other inquiries, informing controllers and data subjects, carrying out prior checks when processing operations present specific risks, etc. The Regulation gives the EDPS the power to obtain access to relevant information and relevant premises, where this is necessary for inquiries. He can also impose sanctions and refer a case to the Court of Justice. These supervisory activities are discussed at greater length in Chapter 2 of this report.

Some tasks are of a special nature. The task of advising the Commission and other institutions about new legislation — emphasised in Article 28(2) by a formal obligation for the Commission to consult the EDPS when it adopts a legislative proposal relating to the protection of personal data — also relates to draft directives and other measures that are designed to apply at national level or to be implemented in national law. This is a strategic task that allows the EDPS to have a look at privacy implications at an early stage and to discuss any possible alternatives, also in the former ‘third pillar’ (police and judicial cooperation in criminal matters). Monitoring relevant developments which may have an impact on the protection of personal data and intervening in cases before the Court of Justice are also important tasks. These consultative activities of the EDPS are more widely discussed in Chapter 3 of this report.

The duty to cooperate with national supervisory authorities and supervisory bodies in the former ‘third pillar’ has a similar impact. As a member of the Article 29 Data Protection Working Party, established to advise the European Commission and to develop harmonised policies, the EDPS has the opportunity to contribute at that level. Cooperation with supervisory bodies in the former ‘third pillar’ allows him to observe developments in that context and to contribute to a more coherent and consistent framework for the protection of personal data, regardless of the ‘pillar’ or the specific context involved. This cooperation is further dealt with in Chapter 4 of this report.


Annex B — Extract from Regulation (EC) No 45/2001

Article 41 — European Data Protection Supervisor

1. An independent supervisory authority is hereby established referred to as the European Data Protection Supervisor.

2. With respect to the processing of personal data, the European Data Protection Supervisor shall be responsible for ensuring that the fundamental rights and freedoms of natural persons, and in particular their right to privacy, are respected by the Community institutions and bodies.

The European Data Protection Supervisor shall be responsible for monitoring and ensuring the application of the provisions of this regulation and any other Community act relating to the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data by a Community institution or body, and for advising Community institutions and bodies and data subjects on all matters concerning the processing of personal data. To these ends he or she shall fulfil the duties provided for in Article 46 and exercise the powers granted in Article 47.

Article 46 — Duties

The European Data Protection Supervisor shall:

(a) hear and investigate complaints, and inform the data subject of the outcome within a reasonable period;

(b) conduct inquiries either on his or her own initiative or on the basis of a complaint, and inform the data subjects of the outcome within a reasonable period;

(c) monitor and ensure the application of the provisions of this regulation and any other Community act relating to the protection of natural persons with regard to the processing of personal data by a Community institution or body with the exception of the Court of Justice of the European Communities acting in its judicial capacity;

(d) advise all Community institutions and bodies, either on his or her own initiative or in response to a consultation, on all matters concerning the processing of personal data, in particular before they draw up internal rules relating to the protection of fundamental rights and freedoms with regard to the processing of personal data;

(e) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies;

(f) cooperate with the national supervisory authorities referred to in Article 28 of Directive 95/46/EC in the countries to which that directive applies to the extent necessary for the performance of their respective duties, in particular by exchanging all useful information, requesting such authority or body to exercise its powers or responding to a request from such authority or body;

(ii) also cooperate with the supervisory data protection bodies established under Title VI of the Treaty on European Union particularly with a view to improving consistency in applying the rules and procedures with which they are respectively responsible for ensuring compliance;

(g) participate in the activities of the working party on the protection of individuals with regard to the processing of personal data set up by Article 29 of Directive 95/46/EC;

(h) determine, give reasons for and make public the exemptions, safeguards, authorisations and conditions mentioned in Article 10(2)(b), (4), (5) and (6), in Article 12(2), in Article 19 and in Article 37(2);

(i) keep a register of processing operations notified to him or her by virtue of Article 27(2) and registered in accordance with Article 27(5), and provide means of access to the registers kept by the data protection officers under Article 26;

(j) carry out a prior check of processing notified to him or her;

(k) establish his or her rules of procedure.


Article 47 — Powers

1. The European Data Protection Supervisor may:

(a) give advice to data subjects in the exercise of their rights;

(b) refer the matter to the controller in the event of an alleged breach of the provisions governing the processing of personal data, and, where appropriate, make proposals for remedying that breach and for improving the protection of the data subjects;

(c) order that requests to exercise certain rights in relation to data be complied with where such requests have been refused in breach of Articles 13 to 19;

(d) warn or admonish the controller;

(e) order the rectification, blocking, erasure or destruction of all data when they have been processed in breach of the provisions governing the processing of personal data and the notification of such actions to third parties to whom the data have been disclosed;

(f) impose a temporary or definitive ban on processing;

(g) refer the matter to the Community institution or body concerned and, if necessary, to the European Parliament, the Council and the Commission;

(h) refer the matter to the Court of Justice of the European Communities under the conditions provided for in the Treaty;

(i) intervene in actions brought before the Court of Justice of the European Communities.

2. The European Data Protection Supervisor shall have the power:

(a) to obtain from a controller or Community institution or body access to all personal data and to all information necessary for his or her enquiries;

(b) to obtain access to any premises in which a controller or Community institution or body carries on its activities when there are reasonable grounds for presuming that an activity covered by this regulation is being carried out there.


Annex C — List of abbreviations

ACTA Anti-Counterfeiting Trade Agreement

CIS Customs Information System

CoA Court of Auditors

CoR Committee of the Regions

CPAS Comité de Préparation pour les Affaires Sociales

DAS Declaration of Assurance

DG INFSO Directorate General for the Information Society and Media

DG MARKT Internal Market and Services Directorate General

DIGIT Directorate General Informatics

DPA Data Protection Authority

DPC Data Protection Coordinator

DPO Data Protection Officer

EAS European Administrative School

EASA European Aviation Safety Agency

EC European Communities

ECB European Central Bank

ECDC European Centre for Disease Prevention and Control

ECJ European Court of Justice

EDPS European Data Protection Supervisor

EEA European Environment Agency

EFSA European Food Safety Authority

EIB European Investment Bank

EIO European Investigation Order

ENISA European Network and Information Security Agency

ECHR European Convention on Human Rights

EPO European Protection Order

EPSO European Personnel Selection Office

ERCEA European Research Council Executive Agency

EU European Union

EWRS Early Warning Response System

FRA European Union Agency for Fundamental Rights

HR Human resources

IAS Internal Auditing Service

ICT Information and Communication Technology

IMI Internal Market Information System

IOM International Organisation for Migration

ISS Internal Security Strategy

IT Information technology

JRC Joint Research Centre

JRO Joint return operation

JSA Joint Supervisory Authority

JSB Joint Supervisory Body

JSIMC Joint Sickness Insurance Management Committee

LIBE European Parliament’s Committee on Civil Liberties, Justice and Home Affairs

LISO Local Information Security Officer

LSO Local Security Officer

OHIM Office for Harmonization in the Internal Market

OLAF European Anti-fraud Office


PNR Passenger Name Record

RFID Radio Frequency Identification

SIS Schengen Information System

SNE Seconded national expert

SOC Service and Operational Centre

s-TESTA Secure Trans-European Services for Telematics between Administrations

SWIFT Society for Worldwide Interbank Financial Telecommunication

TFTP Terrorist Finance Tracking Programme

TFTS Terrorist Finance Tracking System

TFUE Treaty on the Functioning of the European Union

TURBINE TrUsted Revocable Biometrics IdeNtitiEs

UNHCR United Nations High Commissioner for Refugees

VIS Visa information system

WCO World Customs Organization

WP29 Article 29 Data Protection Working Party

WPPJ Working Party on Police and Justice


Annex D — List of Data Protection Officers

• ORGANISATION • NAME • E-MAIL

• European Parliament (EP) • Jonathan STEELE • [email protected]

• Council of the European Union (Consilium) • Carmen LOPEZ RUIZ • [email protected]

• European Commission (EC) • Philippe RENAUDIÈRE • [email protected]

• Court of Justice of the European Union (CURIA) • Valerio Agostino PLACCO • [email protected]

• European Court of Auditors (ECA) • Johan VAN DAMME • [email protected]

• European Economic and Social Committee (EESC) • Maria ARSENE • [email protected]

• Committee of the Regions (CoR) • Rastislav SPÁC • [email protected]

• European Investment Bank (EIB) • Jean-Philippe MINNAERT • [email protected]

• European External Action Service (EEAS) • Ingrid HVASS • [email protected]

• European Ombudsman • Loïc JULIEN • [email protected]

• European Data Protection Supervisor (EDPS) • Sylvie PICARD • [email protected]

• European Central Bank (ECB) • Frederik MALFRÈRE • [email protected]

• European Anti-Fraud Office (OLAF) • Laraine LAUDATI • [email protected]

• Translation Centre for the Bodies of the European Union (CdT) • Edina TELESSY • [email protected]

• Office for Harmonisation in the Internal Market (OHIM) • Ignacio DE MEDRANO CABALLERO • [email protected]

• European Union Fundamental Rights Agency (FRA) • Nikolaos FIKATAS • [email protected]

• European Medicines Agency (EMEA) • Alessandro SPINA • [email protected]

• Community Plant Variety Office (CPVO) • Véronique DOREAU • [email protected]

• European Training Foundation (ETF) • Tiziana CICCARONE • [email protected]

• European Network and Information Security Agency (ENISA) • Ulrike LECHNER • [email protected]

• European Foundation for the Improvement of Living and Working Conditions (Eurofound) • Markus GRIMMEISEN • [email protected]

• European Monitoring Centre for Drugs and Drug Addiction (EMCDDA) • Ignacio Vázquez MOLINÍ • [email protected]


• European Food Safety Authority (EFSA) • Claus RÉUNIS • [email protected]

• European Maritime Safety Agency (EMSA) • Malgorzata NESTEROWICZ • [email protected]

• European Centre for the Development of Vocational Training (Cedefop) • Spyros ANTONIOU • [email protected]

• Education, Audiovisual and Culture Executive Agency (EACEA) • Hubert MONET • [email protected]

• European Agency for Safety and Health at Work (OSHA) • Eusebio RIAL GONZALES • [email protected]

• Community Fisheries Control Agency (CFCA) • Rieke ARNDT • [email protected]

• European Union Satellite Center (EUSC) • Jean-Baptiste TAUPIN • [email protected]

• European Institute for Gender Equality (EIGE) • Ramunas LUNSKUS • [email protected]

• European GNSS Supervisory Authority (GSA) • Triinu VOLMER • [email protected]

• European Railway Agency (ERA) • Zografia PYLORIDOU • [email protected]

• Executive Agency for Health and Consumers (EAHC) • Beata HARTWIG • [email protected]

• European Centre for Disease Prevention and Control (ECDC) • Rebecca TROTT • [email protected]

• European Environment Agency (EEA) • Olivier CORNU • [email protected]

• European Investment Fund (EIF) • Jobst NEUSS • [email protected]

• European Agency for the Management of Operational Cooperation at the External Border (Frontex) • Sakari VUORENSOLA • [email protected]

• European Aviation Safety Agency (EASA) • Francesca PAVESI • [email protected]

• Executive Agency for Competitiveness and Innovation (EACI) • Elena FIERRO SEDANO • [email protected]

• Trans-European Transport Network Executive Agency (TEN-T EA) • Zsófia SZILVÁSSY • [email protected]

• European Banking Authority (EBA) • Joseph MIFSUD • [email protected]

• European Chemicals Agency (ECHA) • Alain LEFÈBVRE • [email protected]

• European Research Council Executive Agency (ERCEA) • Nadine KOLLOCZEK • [email protected]

• Research Executive Agency (REA) • Evangelos TSAVALOPOULOS • [email protected]

• European Systemic Risk Board (ESRB) • Frederik MALFRÈRE • [email protected]


• Fusion for Energy • Radoslav HANAK • [email protected]

• SESAR Joint Undertaking • Daniella PAVKOVIC • [email protected]

• ARTEMIS Joint Undertaking • Anne SALAÜN • [email protected]

• Clean Sky Joint Undertaking • Silvia POLIDORI • [email protected]

• Innovative Medicines Initiative (IMI) • Estefania RIBEIRO • [email protected]

• Fuel Cells & Hydrogen Joint Undertaking • Nicolas BRAHY • [email protected]

• European Insurance and Occupations Pensions Authority (EIOPA) • Catherine COUCKE • [email protected]

• Collège européen de police (CEPOL) • Leelo KILG • [email protected]

• European Institute of Innovation and Technology (EIT) • Roberta MAGGIO • [email protected]

• European Defence Agency (EDA) • Alain-Pierre LOUIS • [email protected]

• ENIAC Joint Undertaking • Marc JEUNIAUX • [email protected]


Annex E — List of prior check opinions

Procurement procedures - CFCA

Opinion of 21 December 2011 on the notification for prior checking concerning procurement procedures at the Community Fisheries Control Agency (Case 2011-0890)

Video-surveillance system - ECA

Letter of 20 December 2011 on the notification for prior checking regarding the video-surveillance system at the European Court of Auditors (ECA) (Case 2011-0989)

360° feedback survey for managers

Opinion of 20 December 2011 on a notification for prior checking regarding the “360° feedback survey for managers” at the Committee of the Regions (Case 2011-0926)

Staff Evaluation Procedures - Eurofound

Opinion of 19 December 2011 on the notification for prior checking regarding probationary reports, staff appraisals and promotions at the European Foundation for Improvement of Living and Working Conditions (Case 2011-0628)

Interventions of the Chambre d’écoute in the Framework of the Reorganization of OLAF’s Organigram

Opinion of 16 December 2011 on the notification for prior checking regarding Interventions of the Chambre d’écoute in the Framework of the Reorganization of OLAF’s Organigram (case 2011-1021)

Procedure relating to invalidity committees - Court of Justice

Opinion of 15 December 2011 on the notification for prior checking concerning the dossier “Procédure relative aux commissions d’invalidité” (Case 2011-0655)

Staff evaluation procedures - European Chemicals Agency

Opinion of 15 December 2011 on the notification for prior checking regarding staff evaluation procedures at the European Chemicals Agency (ECHA) (Case 2011-0945)

Staff appraisals - ACER

Opinion of 15 December 2011 on the notification for prior checking concerning Probationary Reports and Staff appraisals including appraisal of Director at the Agency for the cooperation of Energy Regulators (ACER) (Case 2011-0953)

Probationary reports, staff appraisals, reclassification - ERCEA

Opinion of 15 December 2011 on the notification for prior checking concerning the annual appraisal and probation, reclassification and assessment of the ability to work in a third language at the European Research Council Executive Agency (Case 2011-0955/0956/0963)

Staff evaluation procedures - Trans-European Transport Network Executive Agency

Joint Opinion of 14 December 2011 on the notifications for prior checking regarding staff evaluation procedures at the Trans-European Transport Network Executive Agency (TEN-T EA) (case 2011-0990)

Procedure for early retirement without reduction of pension rights - CPVO

Opinion of 13 December 2011 on the notification for prior checking on the procedure for early retirement without reduction of pension rights at the Community Plant Variety Office (CPVO) (Case 2011-0304)

Transmission of inspection reports - CFCA

Joint opinion of 30 November 2011 on two notifications for Prior Checking concerning the “Transmission of inspection reports related to the bluefin tuna joint deployment plan (BFT JDP) and transmission of inspection reports (NAFO/NEAFC)”, Community Fisheries Control Agency (CFCA) (Cases 2011-0615 and 2011-0636)

Procurement procedures and related procurement contracts - CPVO

Opinion of 30 November 2011 on the notification for prior checking concerning procurement procedures and related procurement contracts at the Community Plant Variety Office (Case 2011-0740)


E-recruitment for the Graduate Recruitment and Development Programme - EIB

Letter of 24 November 2011 on notification for prior checking regarding “E-recruitment for the Graduate Recruitment and Development Programme” at the European Investment Bank (Case 2009-0761)

Selection of experts - ERA

Opinion of 22 November 2011 on the notifications for prior checking concerning the Calls for applications to establish lists of prospective independent experts to assist the work of the Working Parties/Groups/Task Forces of the European Railway Agency in the fields of Railway Safety and Railway Interoperability (Joint Cases 2011-0667/0668)

Evaluation and grants management - ERCEA

Opinion of 21 November 2011 on the notification for prior checking concerning proposals evaluation and grants management at the European Research Council Executive Agency (ERCEA) (Case 2011-0845)

Recruitment of staff and selection and recruitment of trainees - Fuel Cells Hydrogen Joint Undertaking

Opinion of 15 November 2011 on the notifications for prior checking concerning selection and recruitment of staff and selection and recruitment of trainees, Fuel Cells Hydrogen Joint Undertaking (FCH JU) (Cases 2011-0833/0834)

Selection procedures for contract agents - European Commission

Letter of 11 November 2011 on the notification for prior checking concerning selection procedures for contract agents in the services of the European Commission (Case 2011-0820)

Video-surveillance system - ECHA

Letter of 25 October 2011 on notification for prior checking on the video-surveillance system at the European Chemicals Agency (ECHA) (Case 2011-0012)

“Return to Work” policy - EU-OSHA

Opinion of 24 October 2011 on a notification for prior checking regarding the policy “Return to Work” at the European Agency for Safety and Health at Work (EU-OSHA) (Case 2011-0752)

Selection of confidential counsellors and anti-harassment policy

Opinion of 21 October 2011 on notifications for prior checking concerning the “anti-harassment policy” and “the selection of confidential counsellors” at certain EU agencies (Case 2011-0483)

Staff recruitment - Court of Justice

Letter of 21 October 2011 on the notification for prior checking of the data processing operations relating to “recrutement du personnel” at the Court of Justice of the European Union (Case 2011-0388)

Probation at the CPVO

Opinion of 19 October 2011 on a notification for prior checking concerning assessment and reporting on probationary period at the Community Plant Variety Office (Case 2011-0298)

Virtual Operational Cooperation Unit, the Mutual Assistance Broker, and the Customs Information System - OLAF

Joint opinion of 17 October 2011 on notifications for prior checking regarding the Virtual Operational Cooperation Unit, the Mutual Assistance Broker, and the Customs Information System (Joint cases 2010-0797/0798/0799)

Selection of participants to (internal/external) learning and development actions - EC

Opinion of 17 October 2011 on the notification for prior checking concerning “Selection of participants to (internal/external) learning and development actions” (Case 2011-0627)

Internal mobility of staff members - EACEA

Opinion of 17 October 2011 on the notification for prior checking concerning “internal mobility of EACEA’s staff members” (Case 2011-0672)

Electronic CV

Opinion of 4 October 2011 on the notification for prior checking from the Data Protection Officer of the European Parliament concerning Electronic CV (Case 2011-0568)


Selection procedure for the position of Member of the Management Board - EFSA

Opinion of 3 October 2011 on a notification for prior checking regarding the “Selection procedure for the position of Member of the Management Board of the European Food Safety Authority (EFSA)” (Case 2011-0575)

Selection and recruitment of SNEs, trainees and temporary staff - Eurofound

Opinion of 27 September 2011 on a notification for prior checking on the selection and recruitment of SNEs, trainees and temporary staff (Cases 2011-0645/0646/0647)

PMO - establishment of individual output indicators

Opinion of 23 September 2011 on the notification for prior checking concerning the establishment of individual output indicators (Case 2011-0368)

DG INFSO Staff Competencies and Aspirations Mapping Database

Opinion of 23 September 2011 on a notification for prior checking concerning DG INFSO Staff Competencies and Aspirations Mapping Database (Case 2011-0614)

“IDEAS-Exclusion of Experts by Applicants” project - ERCEA

Opinion of 21 September 2011 on a notification for prior checking regarding the project “IDEAS-Exclusion of Experts by Applicants” of the European Research Council Executive Agency (ERCEA) (Case 2010-0661)

Establishment and payment of salaries and allowances

Opinion of 19 September 2011 on the processing of personal data by the services of the European Foundation for the Improvement of Living and Working Conditions (Eurofound) for the “establishment and payment of salaries and allowances” (Case 2011-0644)

Administrative inquiries and disciplinary proceedings - Court of Justice

Opinion of 12 September 2011 on the updated notification concerning administrative inquiries and disciplinary proceedings within the Court of Justice of the EU (Case 2011-0806)

Further development of DG Translation managers

Opinion of 9 September 2011 on the notification for prior checking concerning Feedback for further development of DG Translation managers (Case 2011-0511)

Selection and recruitment of SNEs at Fusion for Energy

Opinion of 9 September 2011 on the notifications for prior checking on the processing operations related to the selection and recruitment of SNEs at Fusion for Energy (F4E) (Case 2011-0340)

Seconded National Experts

Letter of 9 September 2011 on the notification for prior checking on processing of data in connection with ‘Seconded National Experts’ (SNEs) (Case 2011-0557)

Commission Physical Access Control System (PACS)

Opinion of 8 September 2011 on the “Commission Physical Access Control System (PACS): PSG Projet de Sécurisation Globale” (Case 2010-0427)

Selection procedure for temporary agents

Opinion of 29 July 2011 on a notification for prior checking on the processing operations related to the selection procedure for temporary agents organised by the European Commission (EC) for “posts other than supervision and advice without EPSO concours” (Case 2011-0559)

Electronic Exchange of Social Security Information system

Opinion of 28 July 2011 on a notification for prior checking on the Electronic Exchange of Social Security Information system (“EESSI”) (Case 2011-0016)

Requests for a part-time work - CPVO

Opinion of 28 July 2011 on a notification for prior checking regarding requests for a part-time work at the Community Plant Variety Office (Case 2011-0299)

Mobility Procedure

Opinion of 27 July 2011 on the notification for prior checking relating to the ‘Mobility Procedure’ (Case 2011-0648)

Executive Committee and the Technical Advisory Panel of the Fusion for Energy

Opinion of 26 July 2011 on the notifications for prior checking from the Data Protection Officer of Fusion for Energy concerning the calls for expression of interest for external experts to be appointed to the Executive Committee and the Technical Advisory Panel of the Fusion for Energy (Joint Cases 2011-0363/0364)

Fingerprint recognition study of children below the age of 12 years

Opinion of 25 July 2011 on a notification for prior checking related to the “Fingerprint recognition study of children below the age of 12 years” (Case 2011-0209)

Management of the European Parliament’s Crèches in Brussels

Opinion of 25 July 2011 on the notification for prior checking on the “Management of the European Parliament’s Crèches in Brussels” (Case 2010-0385)

Access Control System

Opinion of 15 July 2011 on a notification for prior checking on Access Control System at JRC Ispra Site (Case 2010-0902)

Processing of administrative inquiries and disciplinary proceedings - EASA

Letter of 13 July 2011 on the notification for prior checking concerning the processing of administrative inquiries and disciplinary proceedings (the AI&DP) at the European Aviation Safety Agency (EASA) in the light of the EDPS Guidelines on AI&DP (Case 2011-0558)

Sickness Leave at OHIM

Opinion of 12 July 2011 on the notification for prior checking concerning Control and Management of Sickness Leave at the Office for Harmonisation of the Internal Market (Case 2010-0263)

Temporary agency staff - Committee of the Regions

Letter of 30 June 2011 on the notification for prior checking concerning the processing of data relating to temporary agency staff at the Committee of the Regions (Case 2010-0796)

Processing of administrative inquiries and disciplinary proceedings

Opinion of 22 June 2011 on notifications for prior checking regarding the “processing of administrative inquiries and disciplinary proceedings” in certain EU agencies (Case 2010-0752)

Quality Management System and ex-post quality checks - OHIM

Opinion of 9 June 2011 on the notification for prior checking regarding Quality Management System and ex-post quality checks for Harmonization at the Office for Harmonization for the Internal Market (“OHIM”) (Case 2010-0869)

Selection of trainees - CPVO

Letter of 1 June 2011 on a notification for prior checking on the processing of data in connection with the selection of trainees at the CPVO (Case 2011-0214)

Selection procedure of SNEs - JRC

Opinion of 30 May 2011 on the notification for prior checking regarding the “Selection procedure of SNEs at JRC” (Case 2008-0141)

Staff Appraisal at CEDEFOP

Opinion of 24 May 2011 on the notification for prior checking concerning Staff Appraisal at the European Centre for the Development of Vocational Training (Case 2010-0620)

Certification procedure - CPVO

Opinion of 19 May 2011 on the notification for prior checking concerning the certification procedure at the Community Plant Variety Office (Case 2011-0055)

Consumer Protection Co-operation System (CPCS)

Opinion of 4 May 2011 on the notification for prior checking concerning the Consumer Protection Co-operation System (“CPCS”) (Case 2009-0019)

Procurement procedures - EACEA

Opinion of 29 April 2011 on the notification for prior checking concerning procurement procedures at the Education Audiovisual and Culture Executive Agency (EACEA) (Case 2011-0135)

Grant and procurement award procedures including call for expression of interest - EEA

Opinion of 18 April 2011 on the notification for prior checking concerning ‘Grant and procurement award procedures including call for expression of interest’ at the European Environment Agency (Case 2011-0103)

Selection of the members of the European Systemic Risk Board Advisory Scientific Committee - ECB

Opinion of 13 April 2011 on a notification for prior checking regarding the “Selection of the members of the European Systemic Risk Board Advisory Scientific Committee” at the European Central Bank (Case 2011-0101)

“Anti-harassment policy and the setting up of an interagency network of confidential counsellors” and “the selection of confidential counsellors”

Opinion of 11 April 2011 on notifications for prior checking concerning the “anti-harassment policy and the setting up of an interagency network of confidential counsellors” and “the selection of confidential counsellors” (Case 2011-0151)

Selection and recruitment of officials, temporary and contracts agent - F4E

Letter of 7 April 2011 on a notification for prior checking concerning selection and recruitment of officials, temporary and contracts agent at the Fusion for Energy (F4E) (Case 2010-0454)

“Management of leave” and “Management of Leave on Personal Grounds and Unpaid Leave” - CPVO

Joint opinion of 28 March 2011 on two notifications for prior checking concerning “Management of leave” and “Management of Leave on Personal Grounds and Unpaid Leave” at the Community Plant Variety Office (CPVO) (Cases 2010-0073/0075)

Selection and Appointment of members of EFSA’s Scientific Committee and Panels - EFSA

Opinion of 21 March 2011 on the notification for prior checking regarding the “Selection and Appointment of members of EFSA’s Scientific Committee and Panels” (Case 2010-0980)

Management of Recruitment Files for Temporary Agents - JRC

Opinion of 9 March 2011 on a notification for prior checking regarding the Management of Recruitment Files for Temporary Agents at the Joint Research Centre (JRC) (Case 2008-0143)

Analytical accounting and performance reports - OHIM

Opinion of 2 March 2011 on a notification for prior checking regarding “Analytical accounting and performance reports” (Case 2009-0771)

Processing of data in connection with the selection and recruitment of trainees - ERA

Letter of 2 March 2011 on the notification for prior checking concerning the processing of data in connection with the selection and recruitment of trainees at the ERA (Case 2010-0313)

CRIS-Follow up of experts availability in FWC assignment - EC

Opinion of 23 February 2011 on a notification for prior checking regarding “CRIS-Follow up of experts availability in FWC assignment” (Case 2010-0465)

Processing of health data in the workplace

Opinion of 11 February 2011 on notifications for prior checking concerning the “processing of health data in the workplace” (Case 2010-0071)

Processing operations “Listening Points/Informal procedures” - EMA

Opinion of 7 February 2011 on a notification for prior checking regarding the processing operations “Listening Points/Informal procedures” (management of cases of psychological or sexual harassment) (Case 2010-0598)

Evaluation of the EMCDDA Director

Opinion of 26 January 2011 on the notification for prior checking concerning Probationary Period, Management Probationary Period and Annual Performance Appraisal of the Director of the European Monitoring Centre for Drugs and Drug Addiction (Case 2010-0895)

Annex F — List of opinions and formal comments on legislative proposals

Opinions on legislative proposals

Common Agricultural Policy after 2013

Opinion of 14 December 2011 on the legal proposals for the Common Agricultural Policy after 2013

Use and transfer of Passenger Name Records to the United States Department of Homeland Security

Opinion of 9 December 2011 on the Proposal for a Council Decision on the conclusion of the Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records to the United States Department of Homeland Security

Internal Market Information System (‘IMI’)

Opinion of 22 November 2011 on the Commission Proposal for a Regulation of the European Parliament and of the Council on administrative cooperation through the Internal Market Information System (‘IMI’)

Community control system for ensuring compliance with the rules of the Common Fisheries Policy

Opinion of 28 October 2011 on the Commission Implementing Regulation (EU) No 404/2011 of 8 April 2011 laying down detailed rules for the implementation of Council Regulation (EC) No 1224/2009 establishing a Community control system for ensuring compliance with the rules of the Common Fisheries Policy

Legislative package on the victims of crime

Opinion of 17 October 2011 on the legislative package on the victims of crime, including a proposal for a Directive establishing minimum standards on the rights, support and protection of the victims of crime and a proposal for a Regulation on mutual recognition of protection measures in civil matters

European Account Preservation Order

Opinion of 13 October 2011 on a proposal for a Regulation of the European Parliament and of the Council creating a European Account Preservation Order to facilitate cross-border debt recovery in civil and commercial matters

Customs enforcement of intellectual property rights

Opinion of 12 October 2011 on the proposal for a Regulation of the European Parliament and of the Council concerning customs enforcement of intellectual property rights

Net neutrality

Opinion of 7 October 2011 on net neutrality, traffic management and the protection of privacy and personal data

Recording equipment in road transport

Opinion of 5 October 2011 on the proposal for a Regulation of the European Parliament and of the Council amending Council Regulation (EEC) No 3821/85 on recording equipment in road transport and amending Regulation (EC) No 561/2006 of the European Parliament and the Council

European statistics on safety from crime

Opinion of 19 September 2011 on the Proposal for a Regulation of the European Parliament and of the Council on European statistics on safety from crime

Credit agreements relating to residential property

Opinion of 25 July 2011 on the proposal for a Directive of the European Parliament and of the Council on credit agreements relating to residential property

PNR - Australia

Opinion of 15 July 2011 on the Proposal for a Council Decision on the conclusion of an Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service

Migration

Opinion of 7 July 2011 on the Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions on migration

Technical requirements for credit transfers and direct debits in euros

Opinion of 23 June 2011 on the Proposal for a Regulation of the European Parliament and of the Council establishing technical requirements for credit transfers and direct debits in euros and amending Regulation (EC) No 924/2009

Energy market integrity and transparency

Opinion of 21 June 2011 on the Proposal for a Regulation of the European Parliament and of the Council on energy market integrity and transparency

Investigations conducted by the European Anti-Fraud Office (OLAF)

Opinion of 1 June 2011 on the Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 1073/1999 concerning investigations conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (EURATOM) No 1074/1999

Evaluation report from the Commission to the Council and the European Parliament on the Data Retention Directive (Directive 2006/24/EC)

Opinion of 31 May 2011 on the Evaluation report from the Commission to the Council and the European Parliament on the Data Retention Directive (Directive 2006/24/EC)

Interconnection of central, commercial and companies registers

Opinion of 6 May 2011 on the Proposal for a Directive of the European Parliament and of the Council amending Directives 89/666/EEC, 2005/56/EC and 2009/101/EC as regards the interconnection of central, commercial and companies registers

Consumer Protection Cooperation System (“CPCS”)

Opinion of 5 May 2011 on the Consumer Protection Cooperation System (“CPCS”) and on Commission Recommendation 2011/136/EU on guidelines for the implementation of data protection rules in the CPCS

OTC derivatives, central counterparties and trade repositories

Opinion of 19 April 2011 on the proposal for a Regulation of the European Parliament and of the Council on OTC derivatives, central counterparties and trade repositories

Financial rules applicable to the annual budget of the Union

Opinion of 15 April 2011 on the proposal for a Regulation of the European Parliament and of the Council on the financial rules applicable to the annual budget of the Union

Passenger Name Record

Opinion of 25 March 2011 on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime

Turbine (TrUsted Revocable Biometric IdeNtitiEs)

Opinion of 1 February 2011 on a research project funded by the European Union under the Seventh Framework Programme (FP7) for Research and Technology Development - Turbine (TrUsted Revocable Biometric IdeNtitiEs)

Comprehensive approach on personal data protection in the European Union

Opinion of 14 January 2011 on the Communication from the Commission on “A comprehensive approach on personal data protection in the European Union”

Formal comments on legislative proposals

Amended proposal on OLAF Regulation No 1073/1999

Letter of 19 December 2011 concerning a new Article and recital in the amended proposal on OLAF Regulation No 1073/1999

Rights and Citizenship Programme

Letter of 19 December 2011 on the Proposal for a Regulation of the European Parliament and of the Council establishing for the period 2014 to 2020 the Rights and Citizenship Programme

Implementation of the harmonised EU-wide in-vehicle emergency call (“eCall”)

EDPS comments of 12 December 2011 on the Commission Recommendation and the accompanying impact assessment on the implementation of the harmonised EU-wide in-vehicle emergency call (“eCall”)

EDPS comments on various legislative proposals concerning certain restrictive measures with regard to Afghanistan, Syria and Burma/Myanmar

Letter of 9 December 2011 to the President of the Council of the European Union on various legislative proposals concerning certain restrictive measures with regard to Afghanistan, Syria and Burma/Myanmar

EDPS comments on a proposal for a Directive on energy efficiency

Letter of 27 October 2011 to Mr Günther H. Oettinger, Commissioner for Energy on a proposal for a Directive of the European Parliament and of the Council on energy efficiency and repealing Directives 2004/8/EC and 2006/32/EC

Terrorist Finance Tracking System (TFTS)

Comments on the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions of 13 July 2011: “A European terrorist finance tracking system: Available options”

Towards an EU Criminal Policy: Ensuring the effective implementation of EU policies through criminal law

EDPS comments of 24 October 2011 on the Communication of the European Commission ‘Towards an EU Criminal Policy: Ensuring the effective implementation of EU policies through criminal law’

Common basic standards on civil aviation security

Comments of 17 October 2011 on the draft proposals for a Commission Regulation and for a Commission implementing Regulation on common basic standards on civil aviation security as regards the use of security scanners at EU airports

EDPS comments on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters

Letter of 20 September 2011 to Ms Viviane Reding, Vice-President of the European Commission on a proposal for a Regulation of the European Parliament and of the Council on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters

EDPS comments on the Anti-Corruption Package

EDPS letter of 6 July 2011 on the Commission’s Communication “Fighting Corruption in the EU” and the Commission Decision establishing an EU Anti-corruption reporting mechanism for periodic assessment

Intellectual Property Rights Directive

EDPS response of 8 April 2011 to the Commission’s Consultation on its Report on the application of Intellectual Property Rights Directive

Various legislative proposals concerning certain restrictive measures, with regard to Iran, in the Republic of Guinea-Bissau, in Côte d’Ivoire, in Belarus, in Tunisia, in Libya and in Egypt

EDPS letter of 16 March 2011 concerning various legislative proposals concerning certain restrictive measures, with regard to Iran, in the Republic of Guinea-Bissau, in Côte d’Ivoire, in Belarus, in Tunisia, in Libya and in Egypt.

Annex G — Speeches by the Supervisor and Assistant Supervisor in 2011

The Supervisor and the Assistant Supervisor continued in 2011 to invest substantial time and effort in explaining their mission and raising awareness of data protection in general, as well as a number of specific issues in speeches and similar contributions for different institutions and in various Member States throughout the year.

European Parliament

12 January Supervisor, JURI Committee, WG on Administrative Law (Brussels)

26 January Supervisor, JURI Committee about sensitive data on Internet (Brussels)

14 March Assistant Supervisor, ITRE Committee on draft Regulation on ENISA (Brussels)

31 March Supervisor, ETICA - Ethics and Governance of Future and Emerging ICTs (Brussels) (*)

13 April Supervisor, LIBE Committee on Public access to documents (Brussels) (*)

27 April Supervisor, JURI Conference on Administrative Law (Leon)

15 June Supervisor and Assistant Supervisor, LIBE Committee on Annual Report 2010 (Brussels) (**)

4 October Supervisor, LIBE Committee on Cyber Attacks against Information Systems (Brussels) (*)

10 November Supervisor, LIBE Committee on EU Charter of Fundamental Rights (Brussels) (*)

Council

17 January Supervisor, WP on Data Protection and Information Exchange (Brussels)

27 January Supervisor, Polish Permanent Representation on Data Protection Day (Brussels)

1 March Assistant Supervisor, WP on ENISA Regulation (Brussels) (*)

4 May Assistant Supervisor, WP on Data Protection and Information Exchange (Brussels) (*)

16 June Supervisor and Assistant Supervisor, International DP Conference (Budapest) (*)

23 June Assistant Supervisor, WP on General Matters on EU PNR (Brussels)

21 September Supervisor, International Data Protection Conference (Warsaw)

18 November Assistant Supervisor, Ministerial Conference on e-Government (Poznan) (*)

23 November Assistant Supervisor, WP on Statistics on Safety for Crime (Brussels) (*)

European Commission

28 January Supervisor, Joint High Level Meeting on Data Protection (Brussels) (*)

22 June Supervisor, Conference on Data Retention (Brussels)

22 June Assistant Supervisor, European Group of Ethics (EGE) (Brussels)

15 September Supervisor, Secretary-General and Directors-General

28 September Assistant Supervisor, EC-Etsi on Standards in the Cloud (*)

20 October Assistant Supervisor, Sixth Security Symposium (Brussels) (*)

Other EU institutions and bodies

11 January Assistant Supervisor, European Economic and Social Committee (Brussels)

28 January Supervisor and Assistant Supervisor, Data Protection Day (Brussels) (**)

7 February Supervisor, European Administrative School, Erasmus (Brussels)

9 February Assistant Supervisor, European Economic and Social Committee (Brussels) (*)

28 March Supervisor, European Administrative School, Erasmus (Brussels)

8 June Assistant Supervisor, Data Protection Officers Workshop (Brussels)

13 October Supervisor, Heads of European Agencies (Helsinki)

20 October Assistant Supervisor, European Administrative School, Erasmus (Brussels)

International Conferences

27 January Supervisor, Computers, Privacy & Data Protection (Brussels)

27 January Assistant Supervisor, Computers, Privacy & Data Protection (Brussels) (*)

10 March Supervisor, IAPP Global Privacy Summit (Washington DC)

5 April Supervisor and Assistant Supervisor, European Data Protection Authorities (Brussels)

12 July Supervisor, Privacy Laws & Business (Cambridge)

1 November Supervisor and Assistant Supervisor, Privacy and Data Protection Commissioners (Mexico City)

21 November Assistant Supervisor, Council of Europe on Rights of the Child 2012-2015 (Monaco) (*)

30 November Supervisor, IAPP Europe (Paris)

2 December Assistant Supervisor, UN-ISPAC and CNPDS on Cybercrime (Courmayeur) (*)

6 December Supervisor, EU Data Protection & Privacy (Brussels)

Other events

19 January Supervisor, Boltzmann Institute for Human Rights (Vienna)

26 January Supervisor, GSM Association (Brussels)

3 February Assistant Supervisor, FIDE Forum on Data Protection in the EU (Madrid)

10 February Supervisor, European Policy Centre (Brussels)

11 February Supervisor, University of Leuven, Faculty of Law (Leuven)

17 February Supervisor, Centre for European Policy Studies (Brussels)

21 February Supervisor, Senate of Dutch Parliament (The Hague)

23 February Supervisor, Internet Society/INET Conference (Frankfurt) (**)

24 February Supervisor, Data Protection Conference (Edinburgh)

24 February Assistant Supervisor, CRID Workshop on Cloud Computing (Brussels)

2 March Supervisor, IT Security and e-Privacy (Copenhagen)

21 March Assistant Supervisor, Justice and Protection of Citizens (Brussels)

23 March Supervisor, Workshop Privacy Principles (Copenhagen)

24 March Supervisor, Saxony Office Expert Seminar on e-Justice (Brussels) (*)

29 March Assistant Supervisor, EUROISPA Digital Roundtable (Brussels)

30 March Supervisor, Hearing Italian Chamber of Deputies (Rome) (*)

8 April Assistant Supervisor, IT Cassation Court on Penal Law and Internet (Rome)

14 April Supervisor, Computers & Data Protection Forum (Copenhagen)

3 May Supervisor, Council of Europe on Public Access (Brussels)

5 May Supervisor, C-PET on EU-US relations (Washington DC)

6 May Supervisor, RISE Conference on Biometrics (Washington DC)

9 May Assistant Supervisor, Rome University on Fundamental Rights in the EU (Rome)

12 May Supervisor, Clyde & Co Seminar on Data Protection (London)

12 May Assistant Supervisor, European Banking Forum (Brussels)

17 May Supervisor, European Data Protection Day (Berlin)

20 May Assistant Supervisor, AIDP on Privacy in the Workplace (Cagliari)

25 May Assistant Supervisor, Accountability Phase III (Madrid)

26 May Assistant Supervisor, ISMS Forum on Cross Border Data Flows (Madrid)

26 May Supervisor, Biometrics Institute Australia (Sydney) (*) and (**)

27 May Supervisor, Data Protection Intensive (London)

8 June Assistant Supervisor, PSC Europe Forum Conference on Videosurveillance (Brussels) (*)

15 June Supervisor, European Biometrics Seminar (Brussels)

28 June Supervisor, Internet of Things (Brussels)

5-6 July Assistant Supervisor, Consent Social Networking Summit (Göttingen) (*)

7 July Supervisor, University of Edinburgh, School of Law (*)

19 September Supervisor, FD Blueprint on Data Protection Review (Brussels)

20 September Supervisor, Media Law and Data Protection (London)

27 September Supervisor, 10th Anniversary EPOF (Brussels)

28 September Supervisor, RIM Information Security (Berlin)

29 September Supervisor, Centre for European Reform (Brussels)

4 October Supervisor, Lisbon Council Digital Agenda Summit (Brussels)

28 October Supervisor, Data Protection in Criminal Process (Madrid)

9 November Supervisor, NAID-ARMA Conference (London)

18 November Assistant Supervisor, Lobbying, Transparency and EU institutions (Brussels)

25 November Supervisor, Privacy Impact Assessment Conference (Berlin)

10 December Supervisor, Felix Meritis, Bescherming Burgerrechten (Amsterdam)

(*) Text available on the EDPS website

(**) Video available on the EDPS website

Annex H — Composition of EDPS Secretariat

The EDPS and Assistant EDPS with most of their staff.

Director, Head of Secretariat: Christopher DOCKSEY

• Supervision and Enforcement

Sophie LOUVEAUX, Acting Head of Unit

Pierre VERNHES, Legal Adviser

Laurent BESLAY (*), Coordinator for Security and Technology

Jaroslaw LOTARSKI, Coordinator for Complaints

Maria Verónica PEREZ ASINARI, Coordinator for Consultations

Athena BOURKA, Seconded National Expert

Bart DE SCHUITENEER, Technology Officer, Local Security Officer/LISO

Raffaele DI GIOVANNI BEZZI, Legal Officer

Elisabeth DUHR, Seconded National Expert

Delphine HAROU, Legal Officer

John-Pierre LAMB (*), Seconded National Expert

Ute KALLENBERGER, Legal Officer

Xanthi KAPSOSIDERI, Legal Officer

Luisa PALLA, Supervision and Enforcement Assistant

Dario ROSSI, Supervision and Enforcement Assistant, Accounting Correspondent, External Data Warehouse Manager (EDWM)

Galina SAMARAS, Supervision and Enforcement Assistant

Tereza STRUNCOVA, Legal Officer

Michaël VANFLETEREN, Legal Officer

• Policy and Consultation

Hielke HIJMANS, Head of Unit

Bénédicte HAVELANGE (*), Coordinator for Large Scale IT Systems and Border Policy

Herke KRANENBORG, Coordinator for Court Proceedings

Anne-Christine LACOSTE, Coordinator for cooperation with DPAs

Rosa BARCELO (*), Legal Officer

Zsuzsanna BELENYESSY, Legal Officer

Gabriel Cristian BLAJ, Legal Officer

Alba BOSCH MOLINE, Legal Officer

Isabelle CHATELIER, Legal Officer

Katarzyna CUADRAT-GRZYBOWSKA, Legal Officer

Priscilla DE LOCHT, Legal Officer / Contract Agent

Per JOHANSSON, Legal Officer

Owe LANGFELDT, Legal Officer / Interim

Roberto LATTANZI (*), Seconded National Expert

Parminder MUDHAR, Policy and Consultation Assistant

Alfonso SCIROCCO (*), Data Protection Officer, Quality Management

Vera POZZATO, Legal Officer

Luis VELASCO, Technology Officer

• Operations, Planning and Support

Andrea BEACH, Head of Sector

Marta CORDOBA-HERNANDEZ, Administrative Assistant

Christine HUC (*), Administrative Assistant

Kim DAUPHIN, Administrative Assistant

Milan KUTRA, Administrative Assistant

Kim Thien LÊ, Administrative Assistant

Ewa THOMSON, Administrative Assistant

• Information and Communication

Nathalie VANDELLE (*), Head of Sector

Olivier ROSSIGNOL, Acting Head of Sector

Agnieszka NYKA, Information and Communication Assistant

Benoît PIRONET, Web Developer Contractor

• Human Resources, Budget and Administration

Leonardo CERVERA NAVAS, Head of Unit

Isabelle DELATTRE, Finance and Accounting Assistant

Anne LEVÊCQUE, Human Resources Assistant, GECO

Vittorio MASTROJENI, Human Resources Officer

Julia MALDONADO MOLERO, Contract Agent

Daniela OTTAVI, Finance and Accounting Assistant

Aida PASCU, Administration Assistant, Assistant LSO

Sylvie PICARD, Data Protection Officer, COFO - ICC

Anne-Françoise REYNDERS, Administration Assistant

Maria SANCHEZ LOPEZ, Finance and Accounting Officer

(*) Staff members who left the EDPS in the course of 2011

The European Data Protection Supervisor

Annual Report 2011

Luxembourg: Publications Office of the European Union

2012 — 117 pp. — 21 × 29.7 cm

ISBN 978-92-95073-28-9 doi:10.2804/35928
