Annual Report 2011
ISSN 1830-5474
European Data Protection Supervisor
The European guardian of personal data protection
www.edps.europa.eu
QT-AA-12-001-EN-C
Luxembourg: Publications Office of the European Union, 2012
ISBN 978-92-95073-28-9
doi:10.2804/35928
© European Union, 2012
Reproduction is authorised provided the source is acknowledged.
© Photos: iStockphoto and European Parliament
Printed in Luxembourg
Contents

User guide
Mission statement
Foreword

1. 2011 HIGHLIGHTS
1.1. General overview of 2011
1.2. Results in 2011

2. SUPERVISION AND ENFORCEMENT
2.1. Introduction
2.2. Data protection officers
2.3. Prior checks
2.3.1. Legal base
2.3.2. Procedure
2.3.3. Main issues in prior checks
2.3.4. Consultations on the need for prior checking
2.3.5. Notifications not subject to prior checking or withdrawn
2.3.6. Follow-up of prior checking opinions
2.3.7. Conclusions
2.4. Complaints
2.4.1. The EDPS mandate
2.4.2. Procedure for handling of complaints
2.4.3. Confidentiality guaranteed to the complainants
2.4.4. Complaints dealt with during 2011
2.5. Monitoring compliance
2.5.1. General monitoring and reporting: 2011 Survey
2.5.2. Targeted monitoring
2.5.3. Inspections
2.6. Consultations on administrative measures
2.6.1. Consultations Articles 28.1 and 46(d)
2.7. Data protection guidance
2.7.1. Thematic Guidelines
Guidelines on anti-harassment procedures
Guidelines on staff evaluation
Follow-up Report on Video-Surveillance Guidelines
2.7.2. Training

3. POLICY AND CONSULTATION
3.1. Introduction: overview of the year and main trends
3.2. Policy framework and priorities
3.2.1. Implementation of consultation policy
3.2.2. Results in 2011
3.3. Review of the EU Data Protection Framework
3.3.1. A comprehensive approach to personal data protection in the European Union
3.4. Area of Freedom, Security and Justice and international cooperation
3.4.1. Data Retention
3.4.2. Terrorist Finance Tracking System (TFTS)
3.4.3. European Passenger Name Records
3.4.4. Agreement between the EU and Australia on Passenger Name Records
3.4.5. Agreement between the EU and USA on Passenger Name Records
3.4.6. Anti-corruption package
3.4.7. Legislative proposals concerning certain restrictive measures
3.4.8. Migration
3.4.9. Victims of crime
3.5. Digital Agenda and technology
3.5.1. Net neutrality
3.5.2. Technological project “Turbine”
3.6. Internal Market including financial data
3.6.1. Internal Market Information System
3.6.2. Energy Market Integrity and Transparency
3.6.3. Interconnection of business registers
3.6.4. Credit agreements relating to residential property
3.6.5. Over-the-counter derivatives, central counterparties and trade repositories
3.6.6. Technical requirements for credit transfers and direct debits in Euros
3.6.7. Airport body scanners
3.7. Cross-border enforcement
3.7.1. Intellectual Property Rights Enforcement Directive
3.7.2. Customs enforcement of intellectual property rights
3.7.3. Jurisdiction and the recognition and enforcement of judgments in civil and commercial matters
3.7.4. European Account Preservation Order
3.8. Public health and consumer affairs
3.8.1. Consumer Protection Cooperation System
3.9. Other issues
3.9.1. OLAF Reform Regulation
3.9.2. EU Financial Regulation
3.9.3. European statistics on safety from crime
3.9.4. Transport
3.9.5. Common Agricultural Policy after 2013
3.9.6. Fisheries policy control
3.10. Public access to documents containing personal data
3.11. Court matters
3.11.1. EDPS participation in court proceedings
3.11.2. Data protection case law
3.12. Future technological developments
3.13. Priorities for 2012

4. COOPERATION
4.1. Article 29 Working Party
4.2. Coordinated supervision of Eurodac
4.2.1. Advance Deletion Report
4.2.2. New exercise in 2012: unreadable fingerprints
4.2.3. Coordinated security audit questionnaire
4.2.4. Visa Information System
4.3. Supervision of the Customs Information System (CIS)
4.4. Police and judicial cooperation: cooperation with JSB/JSAs and WPPJ
4.5. European Conference
4.6. International Conference

5. INFORMATION AND COMMUNICATION
5.1. Introduction
5.2. Communication ‘features’
5.2.1. Key audiences and target groups
5.2.2. Language policy
5.3. Media relations
5.3.1. Press releases
5.3.2. Press interviews
5.3.3. Press conference
5.3.4. Media enquiries
5.4. Requests for information and advice
5.5. Study visits
5.6. Online information tools
5.6.1. Website
5.6.2. Newsletter
5.7. Publications
5.7.1. Annual Report
5.7.2. Thematic publications
5.8. Awareness-raising events
5.8.1. Data Protection Day 2011
5.8.2. EU Open Day 2011

6. ADMINISTRATION, BUDGET AND STAFF
6.1. Introduction
6.2. Budget
6.3. Human resources
6.3.1. Recruitment
6.3.2. Traineeship programme
6.3.3. Programme for seconded national experts
6.3.4. Organisation chart
6.3.5. Working conditions
6.3.6. Training
6.3.7. Social activities
6.4. Control functions
6.4.1. Internal control
6.4.2. Internal audit
6.4.3. External audit
6.4.4. Security
6.5. Infrastructure
6.6. Administrative environment
6.6.1. Administrative assistance and inter-institutional cooperation
6.6.2. Internal rules
6.6.3. Document management
6.6.4. Planning

7. EDPS DATA PROTECTION OFFICER
7.1. The DPO at the EDPS
7.2. The Register of processing operations
7.3. EDPS 2011 Survey
7.4. Information and raising awareness

8. MAIN OBJECTIVES IN 2012
8.1. Supervision and enforcement
8.2. Policy and consultation
8.3. Cooperation
8.4. Other fields

Annex A — Legal framework
Annex B — Extract from Regulation (EC) No 45/2001
Annex C — List of abbreviations
Annex D — List of Data Protection Officers
Annex E — List of prior check opinions
Annex F — List of opinions and formal comments on legislative proposals
Annex G — Speeches by the Supervisor and Assistant Supervisor in 2011
Annex H — Composition of EDPS Secretariat
USER GUIDE
Following this guide, there is a mission statement and foreword to the 2011 Annual Report by Peter Hustinx, European Data Protection Supervisor (EDPS), and Giovanni Buttarelli, Assistant Supervisor.
Chapter 1 — 2011 Highlights presents the main features of the EDPS work in 2011 and the results achieved in the various fields of activities.
Chapter 2 — Supervision describes the work done to monitor and ensure the compliance of EU institutions and bodies to their data protection obligations. This chapter presents an analysis of the main issues in prior checks, further work in the field of complaints, monitoring compliance and advice on administrative measures dealt with in 2011. It also includes thematic guidelines adopted by the EDPS in anti-harassment procedures and staff evaluation, as well as the follow-up report on video-surveillance.
Chapter 3 — Consultation deals with developments in the EDPS advisory role, focusing on opinions and comments issued on legislative proposals and related documents, as well as their impact in a growing number of areas. The chapter also discusses the involvement of the EDPS in cases before the Court of Justice. It contains an analysis of horizontal themes: new developments in policy and legislation and the ongoing review of the EU data protection legal framework.
Chapter 4 — Cooperation describes work done in key forums such as the Article 29 Data Protection Working Party and the European as well as the international data protection conferences. It also deals with coordinated supervision (by EDPS and national data protection authorities) of large scale IT-systems.
Chapter 5 — Communication presents the EDPS information and communication activities and achievements, including external communication with the media, awareness-raising events, public information and online information tools.
Chapter 6 — Administration, budget and staff details the key areas within the EDPS organisation including budget issues, human resource matters and administrative agreements.
Chapter 7 — EDPS Data Protection Officer (DPO). Drawing on the DPO action plan and the implementing rules adopted, this chapter highlights the progress made on the Register of notifications, on compliance with the Spring exercise and on the need for information and raising awareness.
Chapter 8 - Main objectives in 2012 provides a brief look ahead and the main priorities for 2012.
This Report concludes with a number of annexes. They include an overview of the relevant legal framework, provisions of Regulation (EC) No 45/2001, the list of Data Protection Officers, the lists of EDPS prior check opinions and consultative opinions, speeches given by the Supervisor and Assistant Supervisor and the composition of the EDPS secretariat.
An executive summary of this Report is also available, providing an overview of key developments in EDPS activities over 2011.
Further details about the EDPS can be found on our website at http://www.edps.europa.eu. The website also details a subscription feature to our newsletter.
Hard copies of the annual report and the executive summary may be ordered free of charge from the EU Bookshop (http://www.bookshop.europa.eu).
MISSION STATEMENT
The mission of the European Data Protection Supervisor (EDPS) is to ensure that the fundamental rights and freedoms of individuals — in particular their privacy — are respected when the EU institutions and bodies process personal data.
The EDPS is responsible for:
• monitoring and ensuring that the provisions of Regulation (EC) No 45/2001 (1), as well as other EU acts on the protection of fundamental rights and freedoms, are complied with when EU institutions and bodies process personal data (supervision);
• advising EU institutions and bodies on all matters relating to the processing of personal data; this includes consultation on proposals for legislation and monitoring new developments that have an impact on the protection of personal data (consultation);
• cooperating with national supervisory authorities and supervisory bodies in the former ‘third pillar’ of the EU with a view to improving consistency in the protection of personal data (cooperation).
In light of this, the EDPS also aims to work strategically to:
• promote a ‘data protection culture’ within EU institutions and bodies, thereby contributing to improve good governance;
• integrate respect for data protection principles in EU legislation and policies, whenever relevant;
• improve the quality of EU policies, whenever effective data protection is a basic condition for their success.
(1) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).
FOREWORD
We are pleased to submit the Annual Report on the activities of the European Data Protection Supervisor (EDPS) to the European Parliament, the Council and the European Commission, in accordance with Regulation (EC) No 45/2001 of the European Parliament and of the Council and Article 16 of the Treaty on the Functioning of the European Union, which has replaced Article 286 of the EC Treaty.
This report covers 2011 as the seventh full year of activity of the EDPS as an independent supervisory authority, tasked with ensuring that the fundamental rights and freedoms of natural persons and in particular their privacy with regard to the processing of personal data are respected by EU institutions and bodies. It also covers the third year of our common mandate as members of this authority.
In the course of 2011, we set new benchmarks in different areas of activity. In the supervision of EU institutions and bodies, when processing personal data, we interacted with more data protection officers in more institutions and bodies than ever before. In addition, we saw the effects of our new enforcement policy: most EU institutions and bodies are making good progress in complying with the Data Protection Regulation, while others should increase their efforts.
In the consultation of new legislative measures, we issued a record number of opinions on a range of subjects. The most prominent is the Review of the EU legal framework for data protection, which remains high on our agenda. However, the implementation of the Stockholm programme in the area of freedom, security and justice and the Digital Agenda, as the cornerstone for the Europe 2020 strategy, also had an impact on data protection. This can be said as well of issues in the internal market, public health and consumer affairs, and enforcement in a cross-border context.
At the same time, we increased cooperation with other supervisory authorities and further improved the efficiency and effectiveness of our organisation.
We wish to take this opportunity to thank those in the European Parliament, the Council and the Commission who support our work and many others in different institutions and bodies who are responsible for the way in which data protection is delivered in practice. We would also like to encourage those who are dealing with important challenges ahead in this field.
Finally, we wish to express special thanks to our members of staff. The level of quality is outstanding and our staff contributes greatly to our effectiveness.
Peter Hustinx, European Data Protection Supervisor
Giovanni Buttarelli, Assistant Supervisor
1. 2011 HIGHLIGHTS
1.1. General overview of 2011
The main activities of the EDPS in 2011 have been based on the same overall strategy as in past years, though they have continued to grow both in scale and scope. The capacity of the EDPS to act both effectively and efficiently has also been improved.
The legal framework (2) within which the EDPS acts provides for a number of tasks and powers which allow for a distinction between three main roles. These roles continue to serve as strategic platforms for the activities of the EDPS and are reflected in the mission statement:
• a supervisory role to monitor and ensure that EU institutions and bodies (3) comply with existing legal safeguards whenever they process personal data;
• a consultative role to advise EU institutions and bodies on all relevant matters, especially on proposals for legislation that have an impact on the protection of personal data;
• a cooperative role to work with national supervisory authorities and supervisory bodies in the former ‘third pillar’ of the EU, involving police and judicial cooperation in criminal matters, with a view to improving consistency in the protection of personal data.
(2) See overview of legal framework in Annex A and extract from Regulation (EC) No 45/2001 in Annex B.
(3) The terms ‘institutions’ and ‘bodies’ of Regulation (EC) No 45/2001 are used throughout the report. This also includes EU agencies. For a full list, visit the following link: http://europa.eu/agencies/community_agencies/index.en.htm
These roles will be detailed further in Chapters 2, 3 and 4 of this annual report, in which the main activities of the EDPS and the progress achieved in 2011 are presented. Some key elements are summarised in this section.
The importance of information and communication concerning these activities justifies a separate emphasis on communication and this is covered in Chapter 5. All these activities rely on effective management of financial, human and other resources, as outlined in Chapter 6.
Supervision and enforcement
Supervisory tasks range from advising and supporting data protection officers through prior checking of risky data processing operations, to conducting inquiries, including on-the-spot inspections and handling complaints. Further advice to the EU administration can also take the form of consultations on administrative measures or the publication of thematic guidelines.
All EU institutions and bodies must have at least one data protection officer (DPO). In 2011, the number of DPOs totalled 54. Regular interaction with them and their network is an important condition for effective supervision. The EDPS has worked closely with the ‘DPO quartet’ composed of four DPOs (Council, European Parliament, European Commission and the European Food Safety Agency) who coordinate the DPO network. The DPO network meetings, which the EDPS attends, are an opportunity to give updates on EDPS work, give an overview of developments in EU data protection and to discuss issues of common interest.
Prior checking of risky processing operations continued to be an important aspect of supervision. In 2011, the EDPS received 164 notifications for prior checking and adopted 71 prior check opinions on standard administrative procedures, such as staff evaluation, administrative inquiries, disciplinary procedures and anti-harassment procedures, but also on core business activities such as the Consumer Protection System, the Quality Management System and ex-post quality checks at OHIM and the Electronic Exchange of Social Security system at the European Commission. These opinions are published on the EDPS website and their implementation is followed up systematically.
In 2011, the number of complaints received by the EDPS increased to 107; 26 of these were found to be admissible. Many inadmissible complaints involved issues at national level for which the EDPS is not competent. In the 15 cases resolved during 2011, the EDPS found that either there was no breach of data protection rules or that the necessary measures to comply were undertaken by the controller. Conversely in two cases, non-compliance with data protection rules was found to have occurred and recommendations were made to the controller.
The implementation of the Regulation by institutions and bodies is also monitored systematically by regular stocktaking of performance indicators, involving all EU institutions and bodies. The EDPS launched his third stocktaking exercise, monitoring compliance with data protection rules (2011 Survey) leading to a report highlighting the progress made by institutions and bodies in implementing the Regulation and also underlining shortcomings. In addition to this general exercise, targeted monitoring exercises were carried out in cases where, as a result of supervision activities, the EDPS had cause to be concerned about the level of compliance in specific institutions or bodies. These took the form of correspondence with the institution or body or a one day visit notably to the European Railway Agency, the Community Plant Variety Office, the European Foundation for the Improvement of Living and Working Conditions and the European Global Navigation Satellite Systems Agency.
The EDPS also carried out an on-the-spot inspection at the CEDEFOP, OLAF and the ECB to verify compliance on specific issues.
Further work was also done in response to consultations on administrative measures by EU institutions and bodies in relation to the processing of personal data. A variety of issues were raised, including publication of employees’ pictures on the Intranet, controllership when CCTV is operated on the premises of another institution and the processing of employees’ e-mails.
The EDPS also adopted guidelines on anti-harassment procedures and staff evaluation and followed up on the progress made by institutions and bodies following the Video-Surveillance Guidelines.
Consultation
2011 was a busy year for consultation, leading to a record number of 24 opinions, 12 formal comments and 41 informal comments. The EDPS continued to implement a proactive approach to consultation, based on a regularly updated inventory of legislative proposals to be submitted for consultation as well as availability for informal comments in the preparatory phases of legislative proposals. Taking advantage of this availability for informal comments, in 2011 the Commission services almost doubled the number of informal consultations compared to 2010.
The Commission’s work on a modernised legal framework for data protection in Europe merits special mention. The legislative review process has been closely followed by the EDPS, who provided input at different levels, including an opinion on the Commission Communication laying down a comprehensive approach to data protection in Europe in January and informal comments on the draft legislative proposals in December.
There appears to be a general diversification in the fields touching on data protection issues: besides traditional priorities such as the Area of Freedom, Security and Justice (AFSJ) and international data transfers, new areas are emerging, as may be seen in the large number of opinions adopted relating to the internal market. The following highlights include a selection of the opinions adopted in the respective fields.
In the AFSJ, the EDPS issued several highly critical opinions on issues such as the evaluation report on the data retention directive 2006/24/EC and the proposal for European Passenger Name Records processing. Passenger name records were also the subject of two opinions dealing with the agreements for the transfer of such data to Australia and the USA respectively. The EDPS also commented on the Commission communication on a Terrorist Finance Tracking System (TFTS), questioning its necessity.
Regarding Information Technology and the Digital Agenda, the EDPS published an innovative opinion on net neutrality highlighting the impact of some monitoring practices by internet service providers. He also issued his first ever opinion on an EU-funded research project which dealt with privacy-preserving ways of implementing biometrics.
In the area of the internal market, the EDPS issued, among others, an opinion on the Internal Market Information System (IMI), urging that new functionalities to be added in the future be clarified. Other notable opinions were issued on Energy market integrity and transparency as well as over-the-counter derivatives, central counterparties and trade repositories. In these cases, the proposals intended to grant far-reaching investigation powers that were not clearly circumscribed to regulatory authorities and so the EDPS called for greater clarity.
Several opinions were issued on enforcement in a cross-border context. The EDPS provided, for instance, guidance on the proposals for the intellectual property rights enforcement directive, calling for the establishment of a clear retention period as well as for clarifying the legal basis of an associated database. Regarding the proposal for the European account preservation order, he emphasised the need to limit the personal data processed to the minimum necessary.
In public health and consumer affairs, the EDPS issued an opinion on the Consumer Protection Cooperation System (CPCS), urging the legislator to reconsider the retention periods and to explore ways of ensuring privacy by design.
The EDPS also intervened in other areas, such as the OLAF reform regulation, the EU financial regulation and the use of digital tachographs for professional drivers.
Court cases
In 2011, the EDPS intervened in five cases before the General Court and the Civil Service Tribunal.
One of the cases dealt with an allegedly illegal transfer of medical data between the medical services of the Parliament and the Commission. The Civil Service Tribunal - taking this initiative for the first time - invited the EDPS to intervene. In its judgment, the Tribunal followed the EDPS reasoning and awarded financial compensation to the applicant.
Three other cases dealt with access to documents of EU institutions and can be seen as follow-up to the Bavarian Lager ruling. In all three, the EDPS argued in favour of greater transparency. This reasoning was followed by the Court in one case; in another case, it upheld the Parliament decision not to grant access; the third case is, at the time of writing, pending.
In addition, the EDPS intervened in an infringement proceeding against Austria on the independence of DPAs. In his intervention, he argued that the organisation structure of the office of the Austrian DPA as provided for in national law, does not live up to the standard of independence required by Directive 95/46/EC. At the time of writing, this case too is pending.
Cooperation
The main platform for cooperation between data protection authorities in Europe is the Article 29 Data Protection Working Party. The EDPS takes part in the activities of the Working Party, which plays an important role in the uniform application of the Data Protection Directive.
The EDPS and the Article 29 Working Party have worked well together on a range of subjects, especially in the context of the subgroups on key provisions and borders, travel and law-enforcement (BTLE). In the former, the EDPS was the rapporteur for the opinion on the notion of ‘consent’.
In addition to the Article 29 Working Party, the EDPS continued his close cooperation with the authorities established to exercise joint supervision on EU large-scale IT systems.
An important element of these cooperative activities is Eurodac. The Eurodac Supervision Coordination Group – composed of national data protection authorities and the EDPS – met in Brussels in June and October 2011. The Group completed a coordinated inspection on the issue of advance deletion, further elaborated a joint framework for the planned full security audit and scheduled another coordinated inspection, the results of which will be reported in 2012. In addition, the group informally discussed the issue of coordinated supervision of the Visa Information System (VIS), which went live in October 2011.
A similar arrangement governs the supervision of the Customs Information System (CIS), in the context of which the EDPS convened two meetings of the CIS Supervision Coordination Group in 2011. The meetings gathered the representatives of national data protection authorities, as well as representatives of the Customs Joint Supervisory Authority and Data Protection Secretariat. In the meeting in June, the Group adopted an action plan outlining its planned activities for 2011 and 2012, while in the December meeting, it agreed on its first two coordinated inspections. The results of these inspections will be delivered during the course of 2012.
Cooperation in international fora continued to attract attention, especially the European and International Conferences of Data Protection and Privacy Commissioners. In 2011, the European Conference was held in Brussels, hosted by the Article 29 Working Party and the EDPS. In Mexico City, privacy and data protection commissioners from around the world adopted a declaration calling for efficient cooperation in a world of ‘big data’.
Some EDPS key figures in 2011
➔ 71 prior-check opinions adopted, 6 non prior check opinions
➔ 107 complaints received, 26 admissible. Main types of violations alleged: violation of confidentiality of data, excessive collection of data or illegal use of data by the controller
➔ 34 consultations on administrative measures. Advice was given on a wide range of legal aspects related to the processing of personal data conducted by the EU institutions and bodies
➔ 4 on-the-spot inspections carried out
➔ 2 guidelines published on anti-harassment procedures and evaluation of staff
➔ 24 legislative opinions issued on, among others, initiatives relating to the Area of Freedom, Security and Justice, technological developments, international cooperation, data transfers, or internal market.
➔ 12 sets of formal comments issued on, among others, intellectual property rights, civil aviation security, EU criminal policy, the Terrorist Finance Tracking System, energy efficiency, or the Rights and Citizenship Programme.
➔ 41 sets of informal comments
➔ 14 new colleagues recruited
1.2. Results in 2011
The following main objectives were set out in 2010. Most of these objectives have been fully or partially realised in 2011. In some cases, work will continue in 2012.
• Raising awareness
The EDPS invested time and resources in awareness raising exercises for EU institutions and bodies and DPOs. This took the form of thematic guidance notably in the areas of anti-harassment procedures, staff evaluation and workshops on data protection for DPOs or controllers.
• Role of prior checking
In 2011, the EDPS received 164 notifications for prior checking, the second highest number ever. This increase was due mainly to the launching of visits to agencies, on the spot inspections and the issuance of thematic guidance. The notifications received from newly created agencies also contributed to this increase. The EDPS continued to place strong emphasis on the implementation of recommendations made in prior check opinions.
• Monitoring and reporting exercises
The EDPS launched his third stocktaking exercise, monitoring the compliance of data protection rules (2011 Survey). In addition to this general exercise, targeted monitoring exercises were carried out in cases where, as a result of supervision activities, the EDPS had cause for concern about the level of compliance in specific institutions or bodies. Some of these were correspondence based, whilst others took the form of a one day visit to the body concerned, with the aim of addressing compliance failings.
• Inspections
Inspections are a crucial tool, enabling the EDPS to monitor and ensure the application of the Regulation. In 2011, the EDPS launched four inspections and continued the follow up of recommendations made in previous inspections. A security audit of the Visa Information System (VIS) was also carried out.
• Scope of consultation
The EDPS again increased his output, issuing a record number of 24 opinions and 12 sets of formal comments. In many cases, the Commission had already consulted the EDPS before the adoption of its proposals, leading to 41 sets of informal comments being issued. Many of the opinions were followed up by presentations in the LIBE Committee of the European Parliament or the relevant Council Working Parties. The proposals for which opinions were published were selected from a systematic inventory of relevant subjects and priorities for the EDPS. The opinions, formal comments and the inventory are published on the EDPS website.
• Review of the data protection legal framework
The EDPS issued an opinion on the Commission Communication on a comprehensive approach on personal data protection, as well as informal comments on the legislative proposals. He closely followed the process and gave input where necessary and appropriate.
• Implementation of the Stockholm Programme
The EDPS closely followed policy developments related to the Stockholm Programme, issuing an opinion on the proposal for a directive on the use of PNR for law enforcement purposes, as well as formal comments on the introduction of a European Terrorist Financing Tracking Programme (TFTS). While no legislative proposals were issued on the topic of smart borders, the EDPS addressed the issue in his opinion on the Commission communication on migration.
• Initiatives in the area of technology
The EDPS issued his first opinion on an EU-funded research project; the project dealt with the privacy preserving implementation of biometrics. In the context of the Digital Agenda, he published an opinion on net neutrality.
• Other initiatives
The EDPS issued a variety of opinions and comments on other initiatives that had an impact on the protection of personal data, such as the Internal Market Information System and the use of security scanners at airports.
• Cooperation with data protection authorities
The EDPS actively took part in the work of the Article 29 Data Protection Working Party, especially in the subgroups on key provisions and on borders, travel and law enforcement.
• Coordinated supervision
The EDPS provided the data protection authorities involved in the coordinated supervision of Eurodac and the Customs Information System with an efficient secretariat. For the Visa Information System, the data protection authorities represented in the supervision coordination group had a first exchange of views as part of one of the Eurodac coordinated supervision meetings, addressing implications of the system and the approach to supervision.
• Internal organisation
Following the reorganisation of the Secretariat in 2010, the institution decided to launch a strategic review of all its activities in 2011, steered by a “Strategic Review” Task Force made up of the Director and representatives from all teams and disciplines. The first phase of the review culminated in an internal meeting of the institution in October 2011, which allowed the members and staff to reflect on their tasks, values and objectives.
• Resource management
The EDPS, in cooperation with the Parliament, carried out an exhaustive examination of the market for providers of a Case Management System and chose the contractor with the most appropriate product. At the end of 2011, the contract was signed and the work of developing a customised system began.
During 2011, work continued on the integration of the EDPS into IT applications in the field of human resources on the basis of Service Level Agreements: Syslog Formation was successfully introduced, work began on SysperII and an agreement was found on the introduction of MIPS in 2012.
18
2.1. Introduction
The EDPS continued to perform his main operational activities notably in the field of prior checks, complaints and consultations on administrative measures through 2011. The prior checking of processing operations which exhibit specific risks continued to represent an important aspect of supervision work at the EDPS in 2011, notably due to an increase in the number of notifications received. The number and complexity of complaints received also increased and led to a resolution of 15 cases in 2011. Within the framework of consultations on administrative measures, the EDPS examined a variety of issues.
Aside from his regular supervision activities, the EDPS also developed other forms of monitoring compliance with the Regulation, in line with the Compliance and Enforcement Policy adopted in December 2010. In addition to his general stocktaking exercise, targeted monitoring exercises were carried out in cases where, as a result of supervision activities, the EDPS had reason to be concerned about the level of compliance in certain institutions or bodies. These took the form of correspondence with the institution or body concerned, one day visits by management to address compliance failings or inspections to verify compliance on specific issues.
The EDPS also continued his awareness raising activities, notably by organising specific training for DPOs either in the form of a workshop or a teleconference and by producing thematic guidance for institutions and bodies in the field of anti-harassment procedures and staff evaluation.
2.2. Data protection officers
European Union institutions and bodies have an obligation to appoint a data protection officer (DPO) (Article 24.1 of the Regulation). Some institutions have coupled the DPO with an assistant or deputy DPO. The Commission has also appointed a DPO for the European Anti-Fraud Office (OLAF, a Directorate-General of the Commission). A number of institutions have appointed data protection coordinators in order to coordinate all aspects of data protection within a particular directorate or unit.
In 2011, six new DPOs were appointed within new agencies or joint undertakings, bringing the total number of DPOs to 54. There was also a high turnover in institutions and established agencies, as many mandates expired this year.
For a number of years, the DPOs have met at regular intervals in order to share common experiences and discuss horizontal issues. This informal network has proved to be productive in terms of collaboration and continued throughout 2011.
2. SUPERVISION AND ENFORCEMENT
The task of the EDPS in his independent supervisory capacity is to monitor the processing of personal data carried out by EU institutions or bodies (except the Court of Justice acting in its judicial capacity). Regulation (EC) No 45/2001 (the Regulation) describes and grants a number of duties and powers, which enable the EDPS to carry out this task.
Chapter 2 annual report 2011
A ‘DPO quartet’ composed of four DPOs (the Council, the European Parliament, the European Commission and the European Food Safety Agency) was set up with the goal of coordinating a DPO network. The EDPS has collaborated closely with this quartet.
The EDPS attended the DPO meetings held in April 2011 at the Fundamental Rights Agency in Vienna and at the European Ombudsman in Strasbourg in October 2011. The EDPS took the opportunity to update the DPOs on his work, give an overview of recent developments in EU data protection and discuss issues of common interest.
More specifically, the EDPS used this forum to discuss the procedures and tools for prior checks; present recent developments in data protection; update the DPOs on the review of the legal framework; present thematic guidelines and the 2011 Survey; provide information on training initiatives and share progress on the video-surveillance guidance report. The forum is also used to share initiatives for European Data Protection Day (on 28 January).
On 8 June 2011, the EDPS organised a workshop for DPOs as part of his guidance programme (see also Section 2.7.2). The aim was to provide basic training for DPOs, in particular those recently-appointed. The programme included an introduction to the basic principles and definitions of the Regulation and presentations on specific subjects such as the legal basis of data processing, rights of the data subject, transfer of data and processing on behalf of the controller. These presentations were supported by concrete examples taken from the EDPS’ supervision activities. The afternoon session was dedicated to cooperation between DPOs and the EDPS, focusing on the practical aspects of complaint handling, prior checking procedures and security of processing operations. The workshop was well-attended and active participation of the DPOs led to a productive exchange of experiences and concerns.
2.3. Prior checks
2.3.1. Legal base
Regulation (EC) No 45/2001 provides that all processing operations likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes are to be subject to prior checking by the EDPS (Article 27(1)).
Article 27(2) of the Regulation contains a non-exhaustive list of processing operations that are likely to present such risks. During the reporting period, the EDPS continued to apply the criteria developed in previous years (4) when interpreting this provision, both when deciding that a notification from a DPO was not subject to prior checking and when advising on the need for prior checking of a consultation (see also Section 2.3.4).
(4) See Annual Report 2005, section 2.3.1.
30th DPO Meeting in Strasbourg in October 2011.
2.3.2. Procedure
Notification
Prior checks must be carried out by the EDPS following receipt of a notification from the DPO. Should the DPO be in doubt as to whether a processing operation should be submitted for prior checking, he may consult the EDPS (see Section 2.3.4).
Prior checks involve operations not yet in progress, but also processing that began before 17 January 2004 (the appointment date of the first EDPS and Assistant EDPS) or before the Regulation came into force (ex-post prior checks). In such situations, an Article 27 check cannot be ‘prior’ in the strict sense of the word, but must be dealt with on an ex-post basis.
Period, suspension and extension
The EDPS must deliver his opinion within two months of receiving the notification (5). Should the EDPS make a request for further information, the period of two months is usually suspended until the EDPS has obtained this information. This period of suspension includes the time given to the DPO for comments and if needed, further information on the final draft. In complex cases, the EDPS may also extend the initial period by a further two months. If no decision has been delivered at the end of the two-month period or extension thereof, the opinion of the EDPS is deemed to be favourable. To date, no such tacit opinion has ever arisen.
(5) For ex-post cases received before 1 September 2011, the month of August was not included in the calculation of deadlines for institutions and bodies, nor for the EDPS.
Register
In 2011, the EDPS received 164 notifications for prior checking - the second highest number ever. This represents a dramatic increase with almost twice as many notifications received in 2011 compared to 2010. Whilst the EDPS has cleared the backlog of ex-post prior checks for most EU institutions, processing operations put in place by EU agencies, in particular by newly established ones, the follow-up of guidelines issued as well as several visits to agencies in 2011 have generated an increase in the number of notifications.
Under the Regulation, the EDPS must keep a register of all processing operations of which he has been notified for prior checking (Article 27(5)). This register contains the information referred to in Article 25 and is available to the public, in the interests of transparency, on the EDPS website (except for security measures, which are not mentioned in the public register).
[Figure: Notifications to the EDPS, per year, 2004 to 2011]
Opinions
The final position of the EDPS takes the form of an opinion, which is notified to the controller of the processing operation and the DPO of the institution or body (Article 27(4)). In 2011, the EDPS issued 71 prior checking opinions and 6 on ‘non-prior checks’ (see Section 2.3.5). This represents a significant increase compared to the previous year and also takes into account that the EDPS dealt with a significant number of cases with joint opinions: in 2011, there were 10 joint opinions dealing with a total of 52 notifications (e.g. one joint opinion on health data dealing with a total of 18 notifications). In issuing these joint opinions following the publication of guidelines, for example on health data and anti-harassment, the EDPS thus increased efficiency at the cost of statistical visibility.
As was the case in 2010, a significant number of these opinions were addressed to the European Commission, with 16 prior checking opinions (and three non-prior checks). Unlike in previous years where the other large EU institutions (European Parliament and Council) had been frequent addressees in 2011, the runners-up were EU agencies and bodies, to which the EDPS addressed an unprecedented number of opinions (partially in the form of joint opinions), e.g. six relating to processing operations at the Community Plant Variety Office, five to the European Foundation for the Improvement of Living and Working Conditions and three or four to several other EU agencies. EU agencies have thus further continued to notify their core business activities and standard administrative procedures according to the relevant procedures drawn up by the EDPS (see Section 2.3.2).
Opinions routinely contain a description of the proceedings, a summary of the facts and a legal analysis of whether the processing operation complies with the relevant provisions of the Regulation. Where necessary, recommendations are made so as to enable the controller to comply with the Regulation. In the concluding remarks, the EDPS usually states that the processing does not seem to involve a breach of any provision of the Regulation, provided that these recommendations are taken into account, but the EDPS may of course also exercise other powers granted to him under Article 47 of the Regulation. For example, the EDPS introduced a temporary ban on a processing operation which was found to be in breach of the data protection principles (see Section 2.3.3.10).
Once the EDPS has delivered his opinion, it is made public. All published opinions are available on the website of the EDPS in three language versions (as these become available) together, in most cases, with a summary of the case.
A case manual ensures that the entire team works on the same basis and that the opinions of the EDPS are adopted after a complete analysis of all significant information. It provides a template for opinions, based on accumulated practical experience and is continuously updated. A workflow system is used to make sure that all recommendations in a particular case are followed up and, where applicable, all enforcement decisions are complied with (see Section 2.3.6).
[Figure: EDPS prior-check opinions per year, 2004 to 2011]
Procedure for ex-post prior checks in EU agencies
In October 2008, the EDPS launched a new procedure for ex-post prior checks in EU agencies. Since standard procedures are the same in most EU agencies and are based on Commission decisions, notifications on a similar theme are gathered and either a collective opinion (for various agencies) or a ‘mini prior check’ addressing only the specific needs of each individual agency is adopted. To help the agencies complete their notifications, the EDPS summarises the main points and conclusions of previous prior checking opinions on the relevant theme in the form of thematic guidelines (see section 2.7).
The first theme was recruitment and led to a horizontal opinion of the EDPS in May 2009, covering notifications from 12 agencies. A second set of guidelines was sent to the agencies at the end of September 2009 on the processing of health data, leading to a joint opinion regarding the processing operations of 18 agencies on pre-recruitment examinations, annual check-ups and sick leave absences in February 2011. In April 2010, the EDPS issued guidelines concerning the processing of personal data in administrative inquiries and disciplinary proceedings by European institutions and bodies. In June 2011, the EDPS issued a joint opinion covering the processing operations in place at five agencies. Further guidelines in the area of anti-harassment procedures led to the adoption of an opinion in October 2011 covering notifications received by nine agencies (on thematic guidance, see Section 2.7).
[Figure: Opinions 2011 per main category. Labels: e-monitoring, evaluation, non prior checks, appraisal, health data, suspicion and offences, recruitment, other; inset: breakdown of the evaluation]
2.3.3. Main issues in prior checks
2.3.3.1. Processing of health data in the workplace
Following the publication of EDPS Guidelines on the processing of health data in the workplace, the EDPS carried out a particularly challenging exercise in examining 18 notifications for prior checking regarding the processing operations in 18 agencies on pre-recruitment examinations, annual check-ups and sick leave absences. In view of the similarities in procedures and data protection practices, the EDPS decided to issue one joint opinion on 11 February 2011 (Case 2010-0071).
2.3.3.2. Consumer Protection Co-operation System (CPCS)
The Consumer Protection Co-operation System (CPCS) is an information technology system designed and operated by the Commission, which facilitates co-operation among Member State authorities and the European Commission in the area of consumer protection pursuant to Regulation (EC) No 2006/2004 on consumer protection cooperation. On 4 May 2011, the EDPS issued a prior checking opinion concerning the exchange of information including personal data by competent authorities in the framework of this co-operation (Case 2009-0019).
2.3.3.3. Quality Management System and ex-post quality checks at OHIM
Since 2007, the Office of Harmonization for the Internal Market (OHIM) has been conducting ex-ante and ex-post quality checks of trademark decisions produced by OHIM’s trademark examiners for quality control purposes. The results of these checks show the types of mistakes made by examiners. In September 2009, OHIM informed examiners that the results of ex-post quality checks (EPQC) would also be used for the purpose of their annual performance appraisal. As a result, the EPQC system was submitted for prior checking to the EDPS, who issued his opinion on 9 June 2011 (Case 2010-0869).
The European Commission has a central role in configuring the CPCS system architecture and operating the system and is subject to the supervision of the EDPS. In his opinion, the EDPS recommended technical and organisational measures to be taken by the European Commission. Many of the recommendations provided in the opinion - including those on training, the establishment of data protection guidelines, information to data subjects and “privacy by design” solutions built into the system architecture - should also facilitate compliance with data protection rules by other users of the system, such as competent authorities in Member States.
The joint opinion on the processing of health data at the workplace highlighted three crucial issues:
• firstly, the broad concept of “health data” and the impact of data protection principles on processing operations related to pre-recruitment examinations, annual check-ups and sick leave absences;
• secondly, the absence of important elements in the contracts of several agencies with external medical providers, notably of security measures and data protection clauses in the light of Article 23 of the Regulation;
• thirdly, the incomplete scope of privacy statements used: for the processing to be lawful under Articles 11 and 12 of the Regulation, the controller shall inform the data subject about all elements related to the processing operations, in particular where the processing is based on the consent of the data subject.
EU institutions, agencies and bodies process health-related data.
Modern information technologies support consumer protection.
2.3.3.4. Access Control System – Joint Research Centre (JRC) - Ispra site
The purpose of the Access Control System at the Ispra site of the Joint Research Centre (JRC) is to protect the premises against unauthorised access and external and internal threats. The trigger for the prior checking procedure was that biometric readers covered access to some protected areas, although these were not used by many staff members. The EDPS issued an opinion on 15 July 2011 (Case 2010-0902).
2.3.3.5. Fingerprint recognition study by JRC of children below the age of 12 years
The Joint Research Centre (JRC) conducted a study entitled “Fingerprint recognition study of children below the age of 12 years” within the scope of the European Visa Information System (VIS). The study examined the physiological development of the fingertip ridge structure of children (ridge distance, position of minutiae) and the resulting recognition rate of fingerprint matching algorithms adapted to children. As this processing is related to biometric data, prior checking was required to allow the EDPS to verify that stringent safeguards had been implemented; he published his opinion on 25 July 2011 (Case 2011-0209).
2.3.3.6. Electronic Exchange of Social Security Information - European Commission
The EDPS prior checked an IT system for the cross-border exchange of social security information developed by the European Commission. The system, which is expected to be operational as of 2012, aims to facilitate the calculation and payment of social security benefits for persons who have worked in more than one Member State and allows for a more efficient verification of data.
The EDPS recognised the importance of the biometric study, but highlighted the need for the data controller to perform a risk assessment and establish an access policy relating to the processing operation at stake.
The EDPS concluded that the European Commission was in breach of the Regulation since it had installed and operated a biometric access control system without notifying this processing operation to the EDPS ex-ante. Moreover, the EDPS recommended that the JRC should, among other things:
- enact a legal basis for the processing operations by the access control system using biometrics;
- comply with the CCTV Guidelines and report to the EDPS on the measures it has implemented in that respect;
- reconsider the technological choices made by means of an impact assessment, including a timetable to implement changes in technology.
Fingerprint recognition is one of the most well-known biometrics and refers to an automated method of verifying a match between two human fingerprints.
Given the change of purpose of the processing from general quality control to individual performance appraisal, in his opinion the EDPS recommended that OHIM adopts an internal decision setting forth appropriate data protection guarantees and ensures that EPQC data are not the sole basis for the annual performance appraisals of examiners. The EDPS furthermore recommended measures to ensure the accuracy of the data, to inform the examiners about the processing and to ensure that they are granted all their rights as data subjects.
2.3.3.7. Physical Access Control System - European Commission
The European Commission’s physical access control system (PACS) performs all physical security functions and is based on the use of biometric data. The use of such data presents specific risks to the rights and freedoms of data subjects, due to some inherent characteristics of this type of data. For example, biometric data irrevocably changes the relation between body and identity, in that they make the characteristics of the human body ‘machine-readable’ and subject to further use. These risks justify the need for such data processing to be prior checked by the EDPS in order to verify that stringent safeguards have been implemented. The EDPS issued his opinion on 8 September 2011 (Case 2010-0427).
2.3.3.8. “IDEAS-Exclusion of Experts by Applicants” project - ERCEA
Project proposals submitted to the European Research Council Executive Agency (ERCEA) are subject to peer evaluation i.e. a review by panels composed of independent scientists and scholars. The EDPS opinion of 21 September 2011 (Case 2010-0661), regards a procedure notified by the ERCEA under which applicants submitting a project proposal can request that up to three specific persons would not act as peer reviewer in the evaluation of the proposal. The purpose of the processing is to guarantee a fair, equal and objective assessment of project proposals and neutralise any concerns on the correctness of the evaluation outcome and the objectivity of experts.
2.3.3.9. Systems enhancing cooperation between customs authorities - OLAF
Using the same platform, three systems (the Virtual Operational Cooperation Unit, the Mutual Assistance Broker and the Customs Information System) aim to enhance cooperation between customs authorities in the Member States, the European Commission and in some cases third countries and international organisations. To this end, they allow the exchange of information on persons, companies and goods under suspicion of infringing customs and agricultural legislation, in order to request connected authorities to take certain actions (e.g. specific checks, discreet surveillance). The systems involve the processing of sensitive data (suspicion of criminal behaviour, health data).
In his opinion of 28 July 2011 (Case 2011-0016), the EDPS welcomed the proposal to create a ‘one stop point’ for individuals wanting to exercise their rights. The EDPS nevertheless invited the European Commission to ensure that data subjects can fully enforce their rights at the relevant contact point in the Member State. To ensure the security of the data, the EDPS also recommended a number of technical measures, which include the recommendation that only encrypted data should be transmitted to prevent the European Commission from having access to the content of the sensitive data transiting through the system. Since the system is still in its production phase, the EDPS emphasised that he should be notified of any substantial change to the design of the system which could impact the level of data protection.
In light of the principle of data quality, the EDPS invited ERCEA to consider defining pre-fixed categories rather than using a “free text” field for submitting specific reasons to exclude certain peers from becoming panel members. The EDPS further recommended that ERCEA procedurally ensures that the rights of access and rectification of experts concerned are limited only to cases where this is necessary. Subject to the restrictions of Article 20 of the Regulation, each expert should, for example, be able to verify whether he/she wants to add his/her own statement “neutralising” or “balancing” the subjective appreciation by the applicant.
The EDPS welcomed the European Commission’s involvement of the EDPS at a very early stage, thus facilitating the development of a privacy-friendly approach in implementing the processing operations at stake. Among other aspects of the PACS, the EDPS focused his analysis on the categories of data subjects concerned, the existence of fallback procedures for individuals who are not eligible, even temporarily, for enrolment (e.g. because of damaged fingerprints), retention periods and the security measures implemented.
In his joint opinion of 17 October 2011 on the three systems (joint cases 2010-0797, 2010-0798, 2010-0799), the EDPS asked OLAF to provide better information to data subjects and recommended an evaluation of the need to process certain data categories as well as the retention periods applicable.
2.3.3.10. “Return to Work” policy - EU-OSHA
To facilitate the return to work of sick staff members, under the “Return to Work” policy of the European Agency for Safety and Health at Work (EU-OSHA), the staff member’s Head of Unit or the Human Resources Section (HR) is responsible for coordinating actions between the staff member, his/her general practitioner, occupational health, HR and any other stakeholders (e.g. union and staff representatives). This involves regular contacts with the sick staff member, referrals for medical assessment and individual-level therapies (e.g. psychotherapy) and the examination of the staff member’s job and medical assessments, which may result in redeployment or an adjustment of the staff member’s working time, responsibilities and tasks.
2.3.4. Consultations on the need for prior checking
The mere possibility of the presence of sensitive data in a case does not automatically subject it to prior checking. Nevertheless, the processing of sensitive data relating to, for example, health or criminal/civil offences does mean that particular attention should be given to the adoption of appropriate security measures, in accordance with Article 22 of the Regulation.
When in doubt, EU institutions and bodies can consult the EDPS on the need for prior checking under Article 27(3) of the Regulation. During 2011, the EDPS received 13 such consultations from DPOs. Among the issues considered by the EDPS were processing activities regarding mobility in the context of restructuring and the use of electronic communication (mobile telephony, email and internet).
2.3.5. Notifications not subject to prior checking or withdrawn
Following careful analysis, six cases were found not to be subject to prior checking in 2011. In these situations (also referred to as ‘non-prior checks’), the EDPS may still make recommendations. Furthermore, one notification was withdrawn and one was replaced.
In his opinion of 24 October 2011 (Case 2011-0752), the EDPS concluded that some elements of the processing operation breached the principle of necessity and proportionality and violated the data quality principles of adequacy, relevance, proportionality and accuracy and therefore imposed a temporary ban on the processing. The EDPS noted that, whilst the stated purpose of the processing referred to fitness to work from an occupational and preventive medicine perspective, only medical specialists - not the Head of Unit or HR - are able to certify these aspects. Further concerns regarded how the EU-OSHA could ensure that any consent from the data subjects was informed and freely given under the circumstances and that only adequate, relevant and not excessive data should be collected, processed and transferred.
In his opinion of 12 November 2009 (Case 2009-0477), regarding the planned verification of flexitime clocking operations through data on physical access collected by the European Council, the EDPS confirmed his doubts regarding the proportionality of the planned processing operation. He advised that the operation would violate the Regulation at various levels (lawfulness of the processing operation, necessity and proportionality, change in purpose, data quality) if the verification of flexitime clocking operations with respect to data on physical access checks, as described in the notification, were to be executed outside the framework of an administrative investigation. On 6 July 2011, the EDPS received a letter from the Data Protection Officer of the European Council informing him that, following the above EDPS prior check opinion, the data controller had withdrawn the notification and the planned system had not been implemented.
2.3.6. Follow-up of prior checking opinions
Institutions and bodies have readily followed the recommendations of the EDPS and to date there has been no need for executive decisions. In the formal letter sent with his opinion, the EDPS requests that the institution or body concerned informs him of the measures taken to implement the recommendations within a period of three months.
The EDPS considers this follow up as a critical element in achieving full compliance with the Regulation. In keeping with his 2010 Policy Paper on ‘Monitoring and Ensuring Compliance with Regulation (EC) No 45/2001’, the EDPS expects institutions and bodies to be accountable for any recommendations made. This means that they bear the responsibility for implementing them and they must be able to demonstrate this to the EDPS. Any institution or body failing to act on the recommendations will thus risk formal enforcement action.
[Figure: Comparative situation, 2004 to 2011. Series: notifications, opinions, closed files]
An EDPS prior check opinion is usually concluded by stating that the processing operation does not violate the Regulation providing certain recommendations are implemented. Recommendations are also issued when a case is analysed to decide on the need for prior checking and some critical aspects appear to deserve corrective measures. Should the controller not comply with these recommendations, the EDPS may exercise the powers granted to him under Article 47 of the Regulation.
2.3.7. Conclusions
The 71 prior checking opinions issued by the EDPS have provided valuable insight into the processing operations of the European administrations and have enabled the EDPS to build on his expertise in providing generic guidance in certain areas, such as common administrative procedures. This is evident in the processing related to staff evaluation as well as anti-harassment procedures (see section 2.7 on thematic guidelines). The EDPS will continue to provide such guidance to institutions and agencies and continue to facilitate the notification process from the agencies.
Regarding the follow-up of EDPS prior checking opinions, 62 cases were closed in 2011. The EDPS will continue to closely monitor the follow-up work so as to ensure that institutions and agencies integrate recommendations made by the EDPS in a timely and satisfactory manner.
2.4. Complaints
2.4.1. The EDPS mandate
In principle, an individual can only complain about an alleged violation of his or her rights related to the protection of his or her personal data. However EU staff can complain about any alleged violation of data protection rules, whether the complainant is directly affected by the processing or not. The Staff Regulations of European Union civil servants also allow for a complaint to the EDPS (Article 90b).
According to the Regulation, the EDPS can only investigate complaints submitted by natural persons. Complaints submitted by companies or other legal persons are not admissible.
Complainants must also identify themselves and so anonymous requests are not considered as complaints. However, anonymous information may be taken into account in the framework of another procedure (such as a self-initiated enquiry, or a request to send notification of a data processing operation, etc.).
A complaint to the EDPS can only relate to the processing of personal data. The EDPS is not competent to deal with cases of general maladministration, to modify the content of the documents that the complainant wants to challenge or to grant financial compensation for damages.
A citizen of a non-EU country complained to the EDPS about the fact that an entry visa to the Schengen area was refused to him and to his family apparently on the basis of the information provided by the Schengen Information System (SIS). The complainant asked the EDPS to provide him access to his own and his family’s personal data included in the SIS. However, even if the SIS is established on the basis of EU law, when it comes to the data subject’s right of access, the supervision is exercised not by the EDPS but at national level by national Data Protection Authorities (DPAs). The complainant was therefore advised, that under the current Schengen Agreement, he can request assistance from the national DPA of his choice.
A staff member of an EU institution complained about the refusal of access to some data in documents written in the context of a comparative assessment carried out at different stages of the contention procedure related to the decision on merit points. He requested the EDPS to order the institution to provide access to the relevant documents, as they contained his personal data. However, the institution maintained that the document in question never existed. The complainant, therefore, considered that the institution should draft the “missing” documents. The EDPS did not follow the reasoning of the complainant. In fact, the allegation that the institution did not correctly conduct an administrative procedure by not preparing all relevant documents goes beyond the remit of data protection rules. Therefore, no breach of the data protection rules was established in this case.
One of the main duties of the EDPS, as established by Regulation (EC) No 45/2001, is to ‘hear and investigate complaints’ as well as ‘to conduct inquiries either on his or her own initiative or on the basis of a complaint’ (Article 46).
The processing of personal data which is the subject of a complaint must be carried out by one of the EU institutions or bodies. Furthermore, the EDPS is not an appeal authority for the national data protection authorities.
2.4.2. Procedure for handling of complaints
The EDPS handles complaints according to the existing legal framework, the general principles of EU law and good administrative practices common to the EU institutions and bodies. In December 2009, the EDPS adopted an internal manual designed to provide guidance to staff when handling complaints. This manual was updated in September 2011 in order to reflect changes in the organisational structure of the EDPS and to integrate recent developments in the practice of complaint handling. The EDPS has also implemented a statistical tool designed to monitor complaint-related activities, in particular to monitor the progress of specific cases.
In all phases of handling a complaint, the EDPSadherestotheprinciplesofproportionalityandreasonableness.Guidedbytheprinciplesoftrans-parency and non-discrimination, he undertakesappropriateactionstakingintoaccount:
• thenatureandgravityoftheallegedbreachofdataprotectionrules;
• the importanceof theprejudice thatoneormore data subjects may have suffered asa resultoftheviolation;
• thepotentialoverallimportanceofthecaseinrelation to the other public and/or privateinterestsinvolved;
• thelikelihoodofproofthattheinfringementhasoccurred;
• the exact date of the events, any conductwhichisnolongeryieldingeffects,theremovaloftheseeffectsoranappropriateguaranteeofsucha removal.
In February 2011, the EDPS enhanced the process of submitting complaints by providing an interactive online complaint submission form on the EDPS website. A provisional version of such a form has been available on the EDPS website since early 2010. This form helps complainants to assess the admissibility of their complaint and thereby submit only relevant matters to the EDPS. It also allows the EDPS to obtain more complete and relevant information in order to speed up the processing of complaints and to reduce the number of manifestly inadmissible complaints. The form is available in English, French and German. As of September 2011, if a complaint is received by e-mail in one of these languages, the complainant is invited to fill in the online form. This measure has reduced the number of inadmissible complaints during the final trimester of 2011 by about 60%.
Each complaint received by the EDPS is carefully examined. The preliminary examination of the complaint is specifically designed to verify whether a complaint fulfils the conditions for further inquiry, including whether there are sufficient grounds for an inquiry.
A complaint for which the EDPS lacks legal competence is declared inadmissible and the complainant informed accordingly. In such cases, if relevant, the EDPS informs the complainant of any other competent bodies (e.g. the Court, the Ombudsman, national data protection authorities, etc.) to whom the complaint can be submitted.
A staff member sent to the EDPS a large number of documents exchanged with an institution that employed him and requested the EDPS to examine them all in order to verify if the data protection rules were respected. The complainant did not formulate any specific allegation of breach of data protection rules nor did he provide the EDPS with any indication or suspicion of such a breach. The EDPS took the position that the complaint does not concern a real or potential breach of data protection rules and decided to close the case without any further inquiry.
A complaint that addresses facts which are manifestly insignificant, or would require disproportionate efforts to investigate is not pursued. The EDPS can only investigate complaints that concern a real or potential and not purely hypothetical breach of the relevant rules relating to the processing of personal data. This includes a study of alternative options to deal with the relevant issue, either by the complainant or by the EDPS. For instance, the EDPS can open an inquiry into a general problem on his own initiative as well as open an investigation into an individual case submitted by a complainant. In such cases the complainant is informed about all available means of action.
A complaint is, in principle, inadmissible if the complainant has not first contacted the institution concerned in order to redress the situation. If the institution was not contacted, the complainant should provide the EDPS with sufficient reasons for not doing so.
If the matter is already being examined by administrative bodies – e.g. an internal inquiry by the institution concerned is in progress – the complaint is admissible in principle. However, the EDPS can decide, on the basis of the particular facts of the case, to await the outcome of those administrative procedures before starting investigations. On the contrary, if the same matter (same factual circumstances) is already being examined by a Court, the complaint is declared inadmissible.
In order to ensure the consistent treatment of complaints concerning data protection and to avoid unnecessary duplication, the European Ombudsman and the EDPS signed a Memorandum of Understanding in November 2006. The MoU stipulates, among other things, that a complaint that has already been examined should not be reopened by another institution unless significant new evidence is submitted.
With regard to time limits, if the facts addressed to the EDPS are submitted after a period of two years, the complaint is in principle inadmissible. The two year period starts from the date on which the complainant had knowledge of the facts.
Where a complaint is admissible, the EDPS will launch an inquiry to the extent appropriate. This inquiry may include a request for information to the institution concerned, a review of relevant documents, a meeting with the controller or an on-the-spot inspection. The EDPS has the authority to obtain access to all personal data and to all information necessary for the inquiry from the institution or body concerned. He can also obtain access to any premises in which a controller or institution or body carries out its activities.
At the end of the inquiry, a decision is sent to the complainant as well as to the controller responsible for processing the data. In the decision, the EDPS expresses his opinion on a possible breach of the data protection rules by the institution concerned. The competence of the EDPS is broad, ranging from giving advice to data subjects, to warning or admonishing the controller, to imposing a ban on the processing or referring the matter to the Court of Justice.
Any interested party can ask for a review by the EDPS of his decision within one month of the decision being made. Concerned parties may also appeal directly to the Court of Justice.
2.4.3. Confidentiality guaranteed to the complainants
As standard policy, complaints are treated confidentially. Confidential treatment implies that personal information is not disclosed to persons outside the EDPS. However, for the proper conduct of the investigation it may be necessary to inform the relevant services of the institution concerned and the third parties involved about the content of the complaint and the identity of the complainant. The EDPS also copies the Data Protection Officer (DPO) of the institution concerned in all correspondence between the EDPS and the institution.
If the complainant requests anonymity from the institution, the DPO or third parties involved, he is invited to explain the reasons for such a request. The EDPS then analyses the complainant’s arguments and examines the consequences for the viability of the subsequent EDPS inquiry. If the EDPS decides not to accept the anonymity of the complainant, he explains his evaluation and asks the complainant whether he accepts that the EDPS examines the complaint without guaranteeing anonymity or whether he prefers to withdraw the complaint. If the complainant decides to withdraw the complaint, the institution concerned will not be informed about the existence of the complaint. In such a case, the EDPS may undertake other actions on the matter, without revealing to the institution concerned the existence of the complaint, i.e. an inquiry on his own initiative or a request for notification about a data processing operation.
No decisions of the EDPS were challenged by complainants in 2011.
On one occasion in 2011, the data controller concerned challenged the decision of the EDPS in the General Court (case T-345/11). The application was rejected by the Court on procedural grounds. The substance of the case was not discussed by the Court.
The EDPS recognises that some complainants put their careers at risk when exposing violations of data protection rules and that confidentiality should, therefore, be guaranteed to the complainants and informants who request it. On the other hand, the EDPS is committed to working in a transparent manner and to publishing at least the substance of his decisions. The internal procedures of the EDPS reflect this delicate balance.
At the end of an inquiry, all documents related to the complaint, including the final decision remain confidential in principle. They are not published in full nor transferred to third parties. However, an anonymous summary of the complaint can be published on the EDPS website and in the EDPS Annual Report, in a form which does not allow the complainant or third parties to be identified. The EDPS can also decide to publish the final decision in-extenso in important cases. This must be done in a way that takes into account a complainant’s request for confidentiality and, therefore, does not allow the complainant or other relevant persons to be identified.
2.4.4. Complaints dealt with during 2011
2.4.4.1. Number of complaints
Confidentiality and anonymity are guaranteed by the EDPS to complainants and informants who request it.
[Figure: Number of complaints received, by year, 2004 to 2011]
The number and complexity of complaints received by the EDPS increased in 2011. In 2011, the EDPS received 107 complaints (an increase of 14% compared to 2010). Of these, 81 complaints were inadmissible, the majority relating to processing at national level as opposed to processing by an EU institution or body.
The remaining 26 complaints required more in-depth inquiries (an increase of 4% compared to 2010). In addition, nine admissible complaints, submitted in previous years (one in 2008, five in 2009 and three in 2010), were still in the inquiry, review or follow-up phase on 31 December 2011.
2.4.4.2. Nature of complainants
Of the 107 complaints received, 19 complaints (18%) were submitted by members of staff of EU institutions or bodies, including former staff members and candidates for employment. For the remaining 88 complaints, the complainant did not appear to have an employment relationship with the EU administration.
2.4.4.3. Institutions concerned by complaints
Of the 26 admissible complaints submitted in 2011, most were directed against the European Commission, the European Parliament, OLAF and EPSO. This is to be expected since the Commission and the Parliament conduct more processing of personal data than other EU institutions and bodies. The relatively high number of complaints related to OLAF and EPSO may be explained by the nature of the activities undertaken by those bodies.
[Figure: EU institutions and bodies concerned. Categories shown: Commission (EPSO and OLAF excluded), Other EU bodies, EPSO, OLAF, EIB, ECJ, European Parliament]
2.4.4.4. Language of complaints
The majority of complaints were submitted in English (57%), French (20%) or German (15%). Complaints in other languages are relatively rare (8%).
2.4.4.5. Types of violations alleged
The violations of data protection rules alleged by the complainants in 2011 mainly related to:
• A breach of data subjects’ rights, such as access to and rectification of data (30%) or objection and deletion (13%);
• Violation of confidentiality (30%), excessive collection of personal data (17%), loss of data (9%).
2.4.4.6. Results of EDPS inquiries
In 15 cases resolved during 2011, the EDPS found there was no breach of data protection rules or that the necessary measures were taken by the data controller during the EDPS inquiry.
The EDPS received a complaint relating to the transfer, in the context of the departure of an official to another institution, of the number of days of medical absence during the past three years. The EDPS confirmed that such a transfer is in fact necessary for the institution to which the official arrives to fulfil its obligations under Article 59.4 of the Staff Regulations. The EDPS, therefore, concluded in this case that there was no breach of data protection rules.
[Figure: Types of violations alleged. Categories shown: Loss of data, Objection and deletion, Excessive collection, Confidentiality, Access to and rectification of data]
A complaint was received that some documents containing highly sensitive personal data of the complainant and of other persons were available to all staff on the server of an EU body for several weeks. Access to these documents was restricted by the data controller only after the intervention of the complainant. Following an inquiry into the matter, the EDPS concluded that the unauthorised disclosure of the personal data contained in the relevant documents constituted a violation of Article 22 of the Regulation (EC) No 45/2001. In order to limit the risk of such a situation arising again in future, the EDPS recommended that the data controller implement a comprehensive system of access rights to different parts of the server.
A complaint was received from a candidate in an EPSO competition relating to the communication of a document containing sensitive personal data from the selection board of the competition to a person external to the competition. Following an inquiry the EDPS considered that the relevant data controller took reasonable measures to prevent such an unauthorised disclosure, in particular ensuring that all the members of the selection board sign a declaration informing them explicitly of their confidentiality obligations. The EDPS concluded that the disclosure of personal data was illegal and due to an individual action of a specific member of the selection board. The EDPS invited the Appointing Authority to consider a disciplinary procedure against the relevant member of the selection board.
In one case, non-compliance with data protection rules was found to have occurred without a breach of these rules by the data controller.
Conversely, in two cases, non-compliance with data protection rules was found to have occurred and recommendations were addressed to the data controller.
2.5. Monitoring compliance
2.5.1. General monitoring and reporting: 2011 Survey
In his policy paper adopted in December 2010 (6), the EDPS announced that “he will continue to conduct periodic “surveys” in order to ensure that he has a representative view of data protection compliance within EU institutions/bodies and to enable him to set appropriate internal objectives to address his findings”.
(6) See the EDPS Policy Paper of 13 December 2010 on “Monitoring and Ensuring Compliance with Regulation (EC) 45/2001”, p. 8.
In April 2011, the EDPS embarked on his third general stocktaking exercise. The exercise had a wide scope, involving six EU institutions and 52 EU bodies and focused on aspects that give a good indication of the progress made in the implementation of the Regulation by institutions and bodies. The conclusions of this exercise were compiled in a report.
The analysis and the report were based on the responses received by September 2011 from EU institutions and bodies (including former second and third pillar bodies) to EDPS letters raising specific questions. The content of the EDPS letters varied slightly according to the status of the institutions and bodies, i.e., young or mature, with or without an appointed Data Protection Officer (DPO).
The responses were displayed in comparative tables, by groups of institutions and bodies. Benchmarks were established on the basis of the results of each group to give an indication of the threshold which an institution or body of the relevant group should reasonably be expected to meet. These benchmarks were set up in concreto by the EDPS, deduced from the facts, to allow comparison between peers.
As a part of EDPS enforcement policy, this general survey was made public. It emphasised the progress made by institutions and bodies and also highlighted the shortcomings in terms of compliance.
The conclusions of this exercise will be taken into account by the EDPS in planning further supervision and enforcement activities. This programme will combine guidance to institutions and bodies, enforcement actions and measures to promote accountability. In particular, compliance visits triggered by a manifest lack of commitment by an institution or body have been planned on the basis of the results of the 2011 exercise.
2.5.2. Targeted monitoring
Pre-recruitment examination by the Parliament’s medical service (case 2010-0279)
In the course of 2010, a number of MEPs raised questions as to the appropriate use of the medical questionnaire in the case of parliamentary accredited assistants in the context of the pre-recruitment examination. On 17 March 2011, the EDPS carried out an investigation with the objective to obtain information about the practices of the Parliament’s medical service on this issue.
After analysis of the information collected in the course of the inquiry, the EDPS recommended that the medical service of the Parliament clearly communicate to the accredited assistants:
• the status of the medical questionnaire, namely that all the questions are considered necessary and relevant in principle and that in the event that a person wishes not to reply to certain questions, the doctors will assess empirically and on the basis of the medical examination which information is or is not relevant, and
• the consequences of not replying to the questions which the doctors consider necessary and of refusing to present themselves to the pre-recruitment examination.
Secondly, the EDPS recommended that the medical service establish a documented policy for all actors in the medical service on the collection of data in the context of the pre-recruitment examination.
In the context of the follow-up, the EDPS considered the case closed, as long as the Parliament officially communicates the documented policy to all actors of its medical service and ensures that they rigorously apply this guidance.
The EDPS is responsible for monitoring and ensuring the application of Regulation (EC) No 45/2001. Monitoring is performed by periodic general surveys. In addition to this general stock taking exercise, targeted monitoring exercises were carried out in cases where, as a result of his supervision activities, the EDPS had cause for concern about the level of compliance in specific institutions or bodies. Some of these were correspondence‑based whilst others took the form of a one day visit to the body concerned with the aim of addressing the compliance failings. Finally, inspections were carried out in certain institutions and bodies to verify compliance on specific issues.
Visits to several Agencies
Between January and September 2011, as a result of a number of issues identified in the course of the 2009 stocktaking exercise and its follow up, the EDPS visited several EU agencies in order to discuss and better understand their low level of compliance with the Data Protection Regulation, notably the European Railway Agency, the Community Plant Variety Office, the European Foundation for the Improvement of Living and Working Conditions and the European Global Navigation Satellite Systems Agency.
The visits had a similar structure:
• a meeting between the Supervisor or Assistant Supervisor and the Director of the Agency
• further meetings involving the data protection officer and controllers of processing operations
• presentations on the data protection Regulation and the EDPS approach to monitoring and ensuring regulatory compliance.
These meetings provided an opportunity for the EDPS to raise specific concerns and allowed the Agencies to provide updates on their progress towards compliance.
At the end of each visit, a specific roadmap was agreed upon, detailing priority actions to be undertaken by the Agencies, monitored by the EDPS, in order to ensure a better level of compliance with the Regulation. In general, a good effort has been made by the agencies visited. Bodies that had a rate of Article 25 notifications close to 0 now reach a level of 60, 70, 80 and in one case 100%. Each body now also has a good, intelligible inventory.
2.5.3. Inspections
Article 30 of the Regulation requires EU institutions and bodies to cooperate with the EDPS in performing his duties and to provide the information and access requested.
During inspections, the EDPS verifies facts on the spot with the further goal of ensuring compliance. Inspections are followed by appropriate feedback to the inspected institution or body.
In 2011, the EDPS continued the follow-up of previous inspections. In May 2011, the EDPS carried out an inspection at the CEDEFOP and at OLAF. Targeted inspections following a complaint were also carried out by the EDPS at the ECB in October 2011 and at OLAF in December 2011.
Follow up of the inspection at the Joint Research Centre – European Commission
Following its on-the-spot inspection at the Joint Research Centre in Ispra at the end of 2010, the EDPS adopted an inspection report covering the selection and recruitment of JRC personnel and the different procedures put in place by the security service (pre-employment security check, security investigations, access control and recording of emergency calls).
In 2011, the JRC took a number of steps with a view to bringing its processing operations in line with the data protection regulation, based on the inspection report adopted by the EDPS. Further steps in ensuring compliance still require additional efforts by the JRC. The EDPS expects to conclude this exercise in 2012.
Inspections are a crucial tool enabling the EDPS to monitor and ensure the application of the Regulation. They are based on Articles 41(2), 46(c) and 47(2) thereof.
The extensive powers of the EDPS to access any information and personal data necessary for his inquiries and to obtain access to any premises where the controller or the EU institution or body carries out its activity are designed to ensure that the EDPS has sufficient tools to perform his function.
Inspections can be triggered by a complaint or be carried out on the EDPS’ own initiative.
Inspection at the CEDEFOP
The EDPS conducted an on-the-spot inspection at the European Centre for the Development of Vocational Training (CEDEFOP) in Thessaloniki on 31 May and 1 June 2011. This inspection was part of the EDPS 2011 annual inspection plan, based on an internal risk assessment exercise. Three main areas were inspected: staff recruitment procedures with a focus on current and future practices, access control to the premises managed by the security services and the registry and inventory of notifications.
The background information for the inspection was a combination of prior checking cases and an analysis of consultation cases. Based on its findings, the EDPS drafted an inspection report compiling recommendations with a view to ensuring better compliance with the EU Data Protection Regulation. The CEDEFOP followed up the inspection report and submitted corrective measures and comments regarding the recommendations of the EDPS. This case should be closed during the first quarter of 2012.
Inspection at OLAF
On 14 and 15 July 2011, the EDPS conducted an on-site inspection at OLAF premises. This inspection was initiated on the basis of Article 47(2) of the Regulation, as a follow-up of several EDPS opinions concerning OLAF external and internal investigations in addition to OLAF physical and logical access control. The investigation particularly focused on how the identification of data subjects is done, how compliance with the obligation to inform data subjects is achieved and how compliance with the data protection obligations on transfers is ensured. A final inspection report was adopted on 12 October 2011, in which the EDPS provided a number of recommendations on which OLAF is expected to comment by early 2012.
Inspection at the European Central Bank
In October 2011, the EDPS conducted an inspection at the European Central Bank (ECB). This inspection took place within the framework of an inquiry into the protection of personal data during internal administrative inquiries. The inspection consisted of an on-the-spot verification of several files related to internal inquiries in which the ECB accessed the electronic files or traffic data. Following the inspection, a number of additional questions relating to the application of the ECB Administrative Circular 01/2006 on internal administrative inquiries and its principles were sent to the ECB. The inquiry has not yet been concluded.
Targeted inspection at OLAF
In October 2009, two complaints were lodged with the EDPS against OLAF concerning the collection and further processing of personal data in the context of an external investigation into the company where the complainants were employed. After careful analysis of the complaints and the relevant responses by OLAF, the EDPS decided to conduct an on-the-spot visit to OLAF’s premises in December 2011. The purpose of the visit was to clarify issues related to the proportionality of the collection of digital evidence including personal data by OLAF, using forensic tools (e.g. copying or seizure of hard disk drives).
The visit aimed to assess the overall procedure with regard to the collection and further processing of digital evidence before, during and after an OLAF external investigation and included access to relevant material in OLAF’s forensic lab. The information obtained during the visit will be used to finalise the EDPS decision on the above-mentioned complaints.
Visa Information System
The Visa Information System (VIS) allows the exchange of data on short-stay visas among Member States within the Schengen area. It was established by Council Decision 2004/512/EC of 8 June 2004 and the Regulation 767/2008 of the European Parliament and of the Council of 9 July 2008 and allows the competent authorities of the Member States to exchange data on visa applications and on visas issued, refused, annulled, revoked or extended. Biometric data is processed as part of the operation of the VIS.
Inspections are a fundamental tool for the EDPS as a supervisory authority.
Regulation 767/2008 provides for coordinated supervision between national data protection authorities and the EDPS. In particular, it provides that the EDPS shall perform an audit of the data processing activities carried out in the central unit and the communication infrastructure every four years. In order to accomplish this task, two on-the-spot visits were carried out by the EDPS, one in July and one in November 2011. The timing of the visits was chosen in order to provide some guidance prior to the system going-live and verify the security measures put in place. The visit in November thus gave the EDPS a baseline against which to compare future inspections.
2.6. Consultations on administrative measures
2.6.1. Consultations Articles 28.1 and 46(d)
The term ‘administrative measure’ is to be understood as a decision of the administration of general application relating to the processing of personal data carried out by the institution or body concerned (e.g. implementing measures of the Regulation or general internal rules and policies, as well as decisions adopted by the administration relating to the processing of personal data).
Furthermore, Article 46(d) of the Regulation provides wide material scope for consultations, extending it to ‘all matters concerning the processing of personal data’. This is the basis for the EDPS to advise institutions and bodies on specific cases involving processing activities or abstract questions on the interpretation of the Regulation.
Within the framework of consultations on administrative measures envisaged by an institution or body, a variety of issues were examined in 2011, some of which are reported below.
2.6.1.1. Publication of employees’ pictures on the Intranet
The “Who is who” project of the Committee of the Regions included the display of a photo of the Committee’s staff members with their functions and responsibilities on the Intranet. For this purpose, the Secretary General intended to send an Outlook message to the staff informing them about the project and of the possibility to opt-out of having their photo published by clicking on a specific “No, I don’t want my picture to be published” tab.
In his reply to the consultation, the EDPS highlighted that “unambiguous consent” under Article 5(d) of the Regulation implies that there should be no doubt in every individual case that the data subject freely consents. The proposed system left room for uncertainty as to whether - by taking no action - the staff member really intended to have his/her picture published. Data subjects must be in a position to fully appreciate that they are consenting and what they are consenting to. The most appropriate system to be used to obtain consent is therefore an opt-in mechanism requiring an affirmative action to indicate the consent of each staff member before publishing his/her photo.
Consequently, the EDPS recommended that staff members should be provided the option to express consent by clicking on a box stating, for example, “Yes, I want my picture to be published”. The EDPS also recommended that the Committee highlight to staff members that they are completely free to give or refuse their consent.
2.6.1.2. Role of an agency in a research project (notion of controllership)
The European Medicines Agency (EMA) consulted the EDPS on certain legal issues raised by its participation in the conduct of a clinical study in the framework of a European-wide research project. The project is carried out by a consortium of 29 members, to which EMA contributes as coordinator.
In particular, the Data Protection Officer of the Agency asked whether EMA could be considered as a “joint controller” together with all other participants in the research project and whether the processing of personal data for the clinical study would fall under the scope of the Regulation. On 21 March 2011, the EDPS adopted an opinion highlighting the following aspects of “controllership”:
• although EMA specified that the purposes and means of the processing are determined by a steering committee, the EDPS considered that, in this case, the notion of controller should be analysed with regard to the consortium as a whole;
• the EDPS considered that all members of the consortium co-decide the conduct of the study. The EDPS was not in a position to evaluate specifically the degree to which members of the consortium – separately or as a whole – control the processing. The EDPS analysis was focused on the responsibilities of EMA, which must be considered one of the controllers.
Regulation (EC) No 45/2001 provides for the right of the EDPS to be informed about administrative measures which relate to the processing of personal data (Article 28(1)). The EDPS may issue an opinion, either following a request from the institution or body concerned or on his own initiative.
2.6.1.3. CCTV operated on the premises of another institution
The Trans-European Transport Network Executive Agency (TEN-T EA) consulted the EDPS on the question of the controller-processor relationship where an Agency’s CCTV system is operated by another institution. The Agency’s video surveillance system is designed, installed, operated and managed by the Commission, based on a ‘Service Level Agreement’.
The EDPS replied on 28 July 2011, recalling Opinion 1/2010 of Article 29 Data Protection Working Party on the concepts of ‘controller’ and ‘processor’, stressing that the concept of controller is a functional concept, intended to allocate responsibilities according to the factual influence. He specified that, in case of doubt, elements such as the degree of actual control exercised by a party, the image given to data subjects and the reasonable expectations of data subjects on the basis of this visibility may be useful to determine the controller.
Based on the facts, the role of the Commission appeared to be more than a mere processor and its role was better described as that of a controller. However, the EDPS pointed out that the Agency could not escape its liability as controller on the grounds that it was obliged to conclude a contract with the Commission whose services are standard and offered to all its partners.
The Agency should exercise due diligence in reviewing the relevant practices of the Commission, communicate Commission practices to its staff and visitors and raise with the Commission (and ultimately, with the EDPS, if legality is at stake) any concerns it may have regarding the legality or customisation of the Commission services as necessary.
Closed circuit television (CCTV) must be used responsibly and with effective safeguards in place.
2.6.1.4. Processing of data in employee emails
The Court of Justice of the European Union (CJEU) consulted the EDPS on some general questions regarding the data processing involved in providing email access to employees. The EDPS replied on 2 September 2011, highlighting the following issues:
• providing email access to employees constitutes the processing of personal data under the Regulation, an employer must respect its legal requirements as well as the principle of confidentiality of communications stipulated in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in Article 7 of the Charter of Fundamental Rights of the EU;
• although a particular department (for instance, the IT unit) might be specifically designated as primarily responsible and the contact point for this processing, the CJEU will ultimately be considered the controller of the processing;
• it is the controller’s responsibility to define the modalities applicable to the processing of personal data in the context of email usage and to transparently communicate these modalities to the users. The EDPS recommends adopting “rules governing the use of emails” which define the purpose and modalities of the processing. It is up to the controller to ensure that the processing is necessary and that the measures adopted in line with this purpose are proportionate. The rules must be brought to the attention of all users following a possible consultation of staff representatives.
Such rules governing the use of emails should define in particular:
• the purpose(s) of the processing of personal data involved in the use of emails. The purpose must be a legitimate one (e.g. ensuring the functioning and security of an email system, but not control the use made of the system in a particular case);
• the modalities applicable to the private use of emails (e.g. by obliging the user to clearly indicate the private nature of correspondence in the subject line or in the archiving folder);
• the retention period(s) applicable to the messages and security copies in the system, in keeping with the proportionality principle. It is also advisable to specify the period after which the email messages are definitively erased from the server;
• the different types of security measures put in place;
• the access rights established for IT staff to ensure the proper functioning of the email system;
• the monitoring measures put in place by the controller, which must be proportionate to the purpose of the processing and transparent for the users (no silent monitoring of email use). In this context, attention was drawn to the guidance provided in the Working document on the surveillance of electronic communications in the workplace published by the Article 29 Working Party (7).
(7) Available under http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2002/wp55_en.pdf
Use of emails involves data processing.
2.6.1.5. Using statistical data in a database for staff evaluation purposes
The European Railway Agency (ERA) consulted the EDPS on its intention to use statistical data on the number of financial operations validated in the ABAC System (“Accrual Based ACcounting”) for the purpose of evaluating the financial initiating agents. Information on the actual number of transactions validated by each agent is available online in ABAC and can also be retrieved by using Business Object reports.
In his reply of 5 May 2011, the EDPS considered that ERA had failed to demonstrate the necessity of using ABAC data for staff evaluation, in particular in view of the evaluation data already collected within Career Development Reviews at ERA. Also, none of the existing legal instruments provided for the processing of such data for this purpose. Under Article 6(1) of the Regulation, the processing of data for purposes other than those for which they have been collected has to be expressly permitted by the respective internal rules. Consequently, the use of data collected for accountancy purposes for the purpose of evaluating certain financial agents would need to be explicitly allowed.
The EDPS also requested that a notification for (true) prior checking be submitted in due time before the introduction of this new procedure.
2.7. Data protection guidance
2.7.1. Thematic Guidelines
Guidelines on anti-harassment procedures
In February 2011, the EDPS issued guidelines on how to manage the processing of personal data in harassment procedures. The guidelines deal with the informal procedure put in place by the EU institutions and bodies to deal with - but also to prevent - harassment. The selection of confidential counsellors, who play a key role in the procedure, is also touched upon in the document.
The confidentiality expected by the data subject is the cornerstone of the informal procedure. From a data protection point of view, the challenge is to ensure the confidentiality of the data while allowing the prevention of harassment cases. The guidelines, therefore, make the distinction between hard data (objective data) that can be structurally transferred to Human Resources under certain circumstances to help the identification of recurrent and multiple cases, and soft data (subjective data) that can never be structurally transferred to preserve the confidential character of the procedure.
In addition, the EDPS insists on the principles of the data subject’s right of access and right to be informed. In light of the principle of proportionality, restrictions to these rights apply on a case by case basis.
The experience gathered in the application of the Data Protection Regulation has enabled EDPS staff to translate their expertise into generic guidance for institutions and bodies. In 2011, this guidance took the form of training for new DPOs or for controllers or thematic guidelines in the field of staff evaluation and processing of personal data in anti-harassment procedures. The EDPS is currently working on guidelines for absences and leaves, procurement and selection of experts, e-monitoring and data transfers.
Statistics may include personal data.
The guidelines are to be used by the agencies in their notification of procedures in this field to the EDPS for prior checking, but should also serve as a practical guide for all institutions and bodies. The EDPS issued a joint opinion on 21 October 2011 on notifications submitted by nine agencies for prior checking in the light of these guidelines.
Guidelines on staff evaluation
In July 2011, the EDPS issued guidelines on the processing of personal data in the area of staff evaluation by EU institutions and bodies.
The objective of the guidelines is to offer practical guidance and assistance to all Data Protection Officers and controllers in their task of notifying existing and/or future data processing operations to the EDPS in the following statutory procedures:
• annual appraisal / career development review (CDR),
• probation,
• promotion of officials,
• re-grading of temporary agents,
• evaluation of the ability to work in a third language before the first promotion,
• re-classification or renewal of a contract for an indefinite period,
• certification of AST officials,
• ‘attestation’ of former C and D officials.
The DPO network was consulted on the draft guidelines in May 2011 and a presentation of the guidelines was made at the DPO meeting in October 2011.
In the guidelines, the EDPS expressed his concern as to the lengthy conservation period of personal data contained in annual evaluation and probation reports, as well as supporting documents relating to other evaluation procedures kept in personnel files. He recommended that time limits exceeding the career of the staff members concerned be reconsidered and suggested a maximum time limit of five years after a given evaluation exercise, as the best practice.
The DPOs were asked to submit any outstanding notifications by 21 October 2011 to the EDPS. To date, 43 notifications from 21 institutions and bodies concerning 57 evaluation procedures were received by the end of December 2011. The EDPS intends to address all relevant evaluation procedures, per EU institution or body, in a joint opinion.
Follow-up Report on Video-Surveillance Guidelines
In March 2010, the EDPS issued Video-Surveillance Guidelines (8) based on the powers conferred on him in Article 47(1)(a) of Regulation 45/2001.
The Follow-up Report, which was compiled over the course of 2011 and published in early 2012, is a systematic and comparative analysis of the status reports received from a total of 42 EU institutions and bodies. In addition to recognising best practices, this report highlights shortcomings in those institutions and bodies lagging behind in their efforts to ensure compliance with the guidelines. Furthermore, it clarifies certain aspects of the guidelines, where questions were raised by bodies in preparing their video-surveillance policy or a need for clarification became apparent through the analysis of the state-of-play reports.
In the report, the EDPS took note of the considerable efforts undertaken by those institutions and bodies who submitted their state-of-play reports in 2011 and was generally reassured that the guidelines contributed to raising the level of awareness and transparency regarding video-surveillance matters within EU institutions and bodies.
However, more than a year after the adoption of the guidelines and nearly two years after having started the consultation process, the EDPS was disappointed to see that the implementation of the guidelines has been put on hold or significantly delayed in several institutions and bodies.
(8) http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Guidelines/10-03-17_Video-surveillance_Guidelines_EN.pdf.
2.7.2. Training
On 10 February 2011, the EDPS organised a training session for ENISA staff as a follow-up to the EDPS visit to ENISA in September 2010. The EDPS provided practical guidance on “Selection and recruitment of staff”. This theme was chosen because a prior checking follow up was pending and EDPS had already issued thematic guidelines on the topic. The training session was attended by HR staff, the DPO, the Director and the Head of the administration.
On 8 June 2011, the EDPS organised a one day workshop on data protection for Data Protection Officers from all EU institutions and bodies. The aim was to provide basic training for DPOs, particularly for recently-appointed ones. The workshop began with an introduction to the basic principles and definitions of the regulation. This was followed by a session which included presentations on legal issues (e.g. legal basis of data processing, rights of the data subject, transfer of data, processing on behalf of the controller). The afternoon session was dedicated to cooperation between DPOs and the EDPS, focusing on the practical aspects of complaint handling, prior-checking procedures, and security of processing operations.
The workshop was well-attended and active participation of the DPOs led to a productive exchange of experiences and concerns. The EDPS will build on this experience and based on the feedback received, organise a similar workshop for Data Protection Coordinators in 2012.
In November 2011, EDPS staff provided training at the Auditors Forum, a monthly conference addressed to the internal auditors of the European Commission. The presentation covered a general introduction to data protection and compliance with the data protection rules by internal audit services in the performance of their activities. The training was well attended by Commission staff and was also followed by videoconference by the internal audit services of the European Court of Auditors, the European Court of Justice and the European Central Bank.
On request from the TENTEA DPO, EDPS staff provided general training on data protection and the Regulation to TENTEA staff on 1 December 2011. The first session was dedicated to data protection and the basic principles of the Regulation. This was followed by a presentation on the EDPS enforcement policy and then by a Q&A session. The training was well-attended by TENTEA staff.
Personal data are processed by EU institutions and bodies during staff evaluation procedures.
3.1. Introduction: overview of the year and main trends
In 2011, the Commission published many legislative proposals affecting data protection and made significant headway towards a new general and comprehensive framework for data protection in Europe.
This project featured high on the EDPS agenda in 2011 and will remain so for the coming years as the legislative procedure advances: once the Commission has presented its proposal and accompanying communication in 2012, the EDPS will provide an opinion. Thereafter, the discussions in the European Parliament and the Council will proceed.
Following the trend of past years, the areas covered by EDPS opinions continued to diversify. Aside from traditional priorities, such as the further development of the Area of Freedom, Security and Justice or international data transfers, new fields are emerging. 2011 saw a number of opinions issued on matters related to the internal market, as well as fisheries control and agricultural support schemes.
In the Area of Freedom, Security and Justice, the question of necessity has been a recurrent theme. On several occasions, the EDPS issued opinions in which this data protection principle figured prominently. This was the case for the evaluation report on the Data Retention Directive, the communication on migration and the proposal for an EU Passenger Name Records Programme.
Passenger Name Records were also a recurrent topic when the EDPS was consulted on initiatives in the field of international law enforcement and security cooperation. He issued opinions on the proposals for agreements with the USA and Australia.
The increasing number of opinions related to the internal market is a new development and among others, the EDPS adopted opinions on the Internal Market Information System and over-the-counter derivatives.
POLICY AND CONSULTATION
The ongoing work on the new data protection legislation framed 2011: on 14 January, the EDPS published his opinion on the Commission Communication on the comprehensive approach to personal data protection in the European Union; in December, he provided informal comments on draft proposals to DG Justice, which is responsible for the new legal framework. On both occasions, the EDPS provided substantive input into the legislative procedure. He will continue to do so in 2012.
Necessity is a key concept in data protection. It is a strict rather than simply “useful” standard: A measure can only be considered necessary if the results could not have been achieved with less intrusive means. Especially when evaluating existing measures, this standard must be applied with utmost rigour. This standard of proof is enshrined in European law and has been applied extensively by the Court of Justice of the European Union in Luxembourg as well as by the European Court for Human Rights in Strasbourg, usually closely linked to the standard of proportionality.
Chapter 3 annual report 2011
In another innovation, the EDPS published his first opinion on EU-funded research activities, providing advice to European research and development activities. This opinion put the policy paper ‘The EDPS and EU Research and Technological Development’ into practice.
The wide range of issues addressed in EDPS consultative activities demonstrates that the processing of personal data and data protection have truly become horizontal issues that cannot be confined to specific policy areas. Instead, they are of cross-cutting relevance, justifying the role of the EDPS as the competent adviser to the EU institutions.
This chapter of the Annual Report not only focuses on legislative consultation but also deals with relations between the EDPS and the EU Courts and with the monitoring of new developments by the EDPS, in particular new technologies. Cooperation with DPAs, including coordinated supervision on large scale information systems, is included in Chapter 4.
3.2. Policy framework and priorities
3.2.1. Implementation of consultation policy
Although the working methods of the EDPS in the area of consultation have developed over the years, the basic approach for interventions has not changed. The policy paper adopted in March 2005 and entitled “The EDPS as an advisor to the Community institutions on proposals for legislation and related documents” (9) remains relevant, although it must now be read in light of the Lisbon Treaty.
(9) Available on the EDPS website under Publications > Papers.
Legislative consultations based on Article 28(2) of Regulation (EC) No 45/2001 are the core element of the EDPS advisory role. According to this article, the Commission shall consult the EDPS when it adopts a legislative proposal relating to the protection of individuals’ rights and freedoms. The EDPS opinions fully analyse the data protection aspects of a proposal or other text.
As a rule, the EDPS only issues opinions on non-legislative texts (such as Commission working documents, communications or recommendations) if data protection is a core element. Occasionally, written comments are issued for more limited purposes, so as to convey quickly a fundamental political message or to focus on one or more technical aspects. They are also used to summarise or repeat observations made earlier. For instance, the EDPS wrote two letters on several legislative proposals on restrictive measures, as the data protection issues in these proposals were largely similar to those addressed in earlier opinions.
Other instruments can also be used, such as presentations, explanatory letters, press conferences or press releases. For instance, opinions are often followed by presentations in the Committee for Civil Liberties, Justice and Home Affairs of the European Parliament or in the relevant working parties in the Council.
The EDPS is available to the EU institutions during all phases of policy making and legislation and uses a wide range of other instruments in his advisory role. Although this may require close contact with the institutions, maintaining his independence remains paramount.
Consultations with the Commission take place at various stages in the preparation of proposals and the frequency varies depending on the subject and on the approach followed by the Commission services. This applies to long-term projects in particular, such as the reform of the legal framework for OLAF to which the EDPS contributed at different junctures.
Formal consultation activities are quite often preceded by informal comments. When the Commission drafts a new legislative measure with an impact on data protection, the draft is usually sent to the EDPS during the inter-service consultation, i.e. before it is published. These informal comments, of which there were 41 in 2011, allow data protection issues to be addressed at an early stage when the text of a proposal can still be changed relatively easily. The submission of informal comments to the Commission is a valuable way of ensuring due consideration for data protection principles at the drafting stage of a legislative proposal and critical issues can very often be resolved at this stage. As a rule, these informal comments are not public. If they are followed by an opinion or formal comments, these usually refer to the fact that informal comments have been submitted earlier.
The formal opinions of the EDPS - based on Article 28(2) or 41 of Regulation (EC) No 45/2001 - are the main instruments of consultation policy and contain a full analysis of all the data protection related elements of any Commission proposal or other relevant instrument.
Regular contact with the relevant services of an institution will take place following the issuing of EDPS comments or opinion. In some cases, the EDPS and his staff are closely involved in the discussions and negotiations taking place in Parliament and Council. In others, the Commission is the main interlocutor in the follow-up phase.
3.2.2. Results in 2011
In 2011, the steady increase in the number of opinions issued continued. The EDPS issued 24 opinions, 12 formal comments and 41 informal comments on a variety of subjects.
With these opinions and other instruments used for intervention, the EDPS implemented his priorities for 2011, as laid down in his inventory. The 24 opinions covered different EU policy areas.
The 2011 Inventory defined four main areas of attention:
a) towards a new legal framework for data protection
b) further developing the Area of Freedom, Security and Justice
c) technological developments and the Digital Agenda
d) other initiatives with a significant impact on data protection.
[Figure: Legislative opinions evolution 2004-2011. Series: Opinions, Formal comments, Informal comments; horizontal axis: years 2004 to 2011.]
3.3. Review of the EU Data Protection Framework
3.3.1. A comprehensive approach to personal data protection in the European Union
On 14 January 2011, the EDPS issued an opinion on the Commission Communication on the review of the EU legal framework for data protection. The Communication is an essential landmark on the way towards a new legal framework that will represent the most important development in the area of EU data protection since the adoption of the EU Data Protection Directive 17 years ago.
The EDPS has welcomed the Commission’s intention to reform the EU legal framework for data protection - which he has previously requested on a number of occasions (10) - and the review of the legal framework already was one of the top priorities for the EDPS in 2009 and 2010. He shared the Commission’s view that in the future a strong system of data protection is absolutely necessary, based on the notion that the existing general principles of privacy and data protection remain valid.
In his opinion, the EDPS supported the main issues and challenges identified by the Commission, but asked for more ambitious solutions to make the system more effective and give citizens better control over their personal data.
(10) see e.g.: Opinion of 25 July 2007 on the Communication from the Commission to the European Parliament and the Council on the follow-up of the Work Programme for better implementation of the Data Protection Directive, OJ C 255, 27.10.2007, p. 1
[Figure: Main policy areas for legislative opinions in 2011. Categories: Data protection reform; Digital agenda and technology; Freedom, Security and Justice and international cooperation; Cross-border enforcement; Internal market and financial data; Public health and consumer affairs; Other. Vertical axis: share of opinions in percent.]
The Commission will adopt two legislative proposals in early 2012, one proposal for a general data protection regulation and another one for a directive on data protection in the field of law enforcement. The EDPS will, of course, continue to monitor the legislative process and will issue further contributions as appropriate.
3.4. Area of Freedom, Security and Justice and international cooperation
3.4.1. Data Retention
Under the Data Retention Directive public electronic communications providers (telephone companies, mobile telecoms and Internet service providers) are obliged to retain traffic, location and subscriber data for the purposes of investigation, detection and prosecution of serious crime.
The EDPS opinion adopted on 31 May 2011 analysed the Commission Report which provides an evaluation of the implementation and application of the Data Retention Directive and measures its impact on economic operators and consumers.
The EDPS took the view that the Directive does not meet the requirements imposed by the fundamental rights to privacy and data protection for the following reasons:
• the necessity for data retention provided for in the Directive has not been sufficiently demonstrated;
• data retention could have been regulated in a less privacy-intrusive way;
• the Directive leaves too much scope for Member States to decide on the purposes for which the data might be used and for determining who can access the data and under which conditions.
The EDPS pointed out that information provided by the Member States was not sufficient to draw a positive conclusion on the need for data retention as developed in the Directive. Further investigation of necessity and proportionality is required and in particular, the examination of alternative, less privacy-intrusive means.
The Commission (Evaluation) Report plays a role in possible decisions on amending the Directive. The EDPS has therefore called on the Commission to seriously consider all options in this process, including the possibility of repealing the Directive, whether or not combined with the proposal for an alternative, more targeted EU measure.
In the EDPS’ view, the major goals of the review process should be as follows:
• the rights of individuals should be strengthened: the EDPS suggests introducing a mandatory security breach notification covering all relevant sectors, as well as new rights, especially in the online environment, such as the right to be forgotten and data portability. Children’s data should also be better protected;
• the responsibility of organisations needs to be reinforced: the new framework must contain incentives for data controllers in the public or private sector to proactively include new tools in their business processes to ensure compliance with data protection (accountability principle). The EDPS proposes the introduction of general provisions on accountability and ‘privacy by design’;
• the inclusion of police and justice cooperation in the legal framework is a conditio sine qua non for effective data protection in the future;
• further harmonisation should be one of the key objectives of the review. The Data Protection Directive should be replaced by a directly applicable regulation;
• the new legal framework must be formulated in a technologically neutral way and must have the ambition to create legal certainty for a longer period;
• the enforcement powers of data protection authorities should be strengthened, and their independence should be better guaranteed across the EU.
If, on the basis of new information, the necessity for an EU instrument on data retention is demonstrated, the following basic requirements should be respected:
• it should be comprehensive and genuinely harmonise rules on the obligations to retain data, as well as on the access and further use of the data by competent authorities;
• it should be exhaustive, which means that it has a clear and precise purpose which cannot be circumvented;
• it should be proportionate and not go beyond what is necessary.
3.4.2. Terrorist Finance Tracking System (TFTS)
On 25 October 2011, the EDPS sent his comments on the Commission Communication on the Terrorist Finance Tracking System of 13 July 2011 to the Commissioner for Home Affairs. He supported all the points made by the Article 29 Working Party in its letter of 29 September 2011, particularly regarding the principles of necessity and proportionality, data controllers and processor relationships, bulk data transfers, types of data being processed, retention, rights of data subjects, DPAs, data security and cooperation between the Member States. Moreover, he highlighted necessity and proportionality as the procedural guarantees that should be introduced into any EU TFTS scheme.
3.4.3. European Passenger Name Records
In 2011, as in previous years, the proposed processing of Passenger Name Records (PNR) by law enforcement authorities raised data protection issues from a European perspective.
On 25 March 2011, the EDPS adopted an opinion which analysed the new Commission proposal obliging airline carriers to provide EU Member States with the personal data of passengers (Passenger Name Record) entering or departing the EU for the purposes of fighting serious crime and terrorism.
The EDPS stressed that the massive invasion of privacy posed by the Data Retention Directive needed profound justification. The EDPS, therefore, called on the European Commission to use the evaluation exercise to prove the necessity of the Directive. Concrete facts and figures should make it possible to assess whether the results presented in the evaluation could be achieved by other less intrusive means.
Data Retention Directive poses a massive invasion of privacy.
3.4.4. Agreement between the EU and Australia on Passenger Name Records
On 15 July 2011, the EDPS adopted an opinion on a Commission proposal concerning an Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data. The EDPS welcomed the safeguards provided in the proposals, especially with regard to the concrete implementation of the agreement, in particular data security aspects, supervision and enforcement provisions.
However, he also identified significant room for improvement, in particular as regards the scope of the agreement, the definition of terrorism and the inclusion of some exceptional purposes, as well as the retention period for PNR data. He also considered that the legal basis for the agreement should be reconsidered and should refer to Article 16 of the Treaty on the Functioning of the European Union (TFEU).
In addition, the EDPS recalled the wider context of the legitimacy of any PNR scheme, seen as the systematic collection of passenger data for risk assessment purposes. A proposal can satisfy the other requirements of the data protection framework, only if the scheme respects the fundamental requirements of necessity and proportionality under Articles 7 and 8 of the Charter of Fundamental Rights and Article 16 TFEU.
Personal information is collected by airlines or travel agencies at the time a passenger makes a reservation, before travelling.
In his opinion, the EDPS recalled that the need to collect or store massive amounts of personal information must rely on a clear demonstration of the relationship between use and result (necessity principle). This is an essential prerequisite for any development of a PNR scheme. In the view of the EDPS, the current acts failed to demonstrate the necessity and the proportionality of a system involving large-scale collection of PNR data for the purpose of a systematic assessment of all passengers.
The EDPS recommendations included the following:
• scope of application: the scope of application should be much more limited with regard to the type of crimes involved. The EDPS recommends explicitly defining and excluding minor crimes from the scope and precluding Member States from expanding the scope;
• data retention: no data should be kept beyond 30 days in an identifiable form, except in cases requiring further investigation;
• data protection principles: a higher standard of safeguards should be developed, particularly in terms of data subjects’ rights and transfers to third countries;
• list of PNR data: the EDPS welcomes the fact that sensitive data are not included in the list of data to be collected but still regards the list as too extensive and recommends that it is further reduced;
• evaluation of EU PNR system: the assessment of the implementation of the system should be based on comprehensive statistical data, including the number of persons effectively convicted - and not only prosecuted - on the basis of the processing of their personal data.
Finally, the EDPS recalled that the need to collect or store massive amounts of personal information must rely on a clear demonstration of the relationship between use and result (necessity principle). This is an essential prerequisite for any development of a PNR scheme. In the view of the EDPS, the proposal and accompanying impact assessment failed to demonstrate the necessity and the proportionality of a system involving large-scale collection of PNR data for the purpose of a systematic assessment of all passengers.
3.4.5. Agreement between the EU and USA on Passenger Name Records
The EDPS was critical of the new proposal for an EU-US Passenger Name Record (PNR) agreement, as the necessity and the proportionality of PNR schemes have not yet been demonstrated. In his opinion of 9 December 2011, he criticised:
• the 15-years retention period: the EDPS recommended deleting the data after its analysis or after a maximum of 6 months;
• the overbroad purpose definition: the purpose should be limited to combating terrorism or a well defined list of transnational serious crimes;
• the amount of data to be transferred to the Department of Homeland Security (DHS): it should be narrowed and exclude sensitive data;
• the exceptions to the “push” method: US authorities should not directly access the data (“pull” method);
• the limits to data subjects’ exercising their rights: every citizen should have the right to effective judicial redress;
• the rules on onward transfers: the DHS should not transfer the data to other US authorities or third countries unless they guarantee an equivalent level of protection.
The EDPS considered that neither the main concerns previously expressed by the EDPS and the EU national data protection authorities, nor the conditions required by the European Parliament to provide its consent were met.
3.4.6. Anti-corruption package
On 6 July 2011, the EDPS issued formal comments on the anti-corruption package, which consisted of a communication setting out the European Union’s approach to curb corruption, a Commission decision to establish a regular EU anti-corruption report and a report on the terms of EU participation in the Council of Europe Group of States against Corruption.
The communication refers to a planned strategy for improving the quality of financial investigations and developing financial intelligence, including sharing of information within and between Member States, EU agencies and third countries. In this regard, the EDPS encouraged the Commission to ensure a sufficient level of data protection in this future strategy. He also recommended that the sharing of best practices envisaged in the EU anti-corruption report should be understood to also include practices for ensuring data protection in anti-corruption investigations.
3.4.7. Legislative proposals concerning certain restrictive measures
On 16 March and 9 December 2011, the EDPS sent letters to the European Commission, the European Parliament, the Council and the High Representative of the Union for Foreign Affairs and Security Policy as a response to the Commission consultation on various legislative proposals concerning certain restrictive measures with regard to Iran, the Republic of Guinea-Bissau, Côte d’Ivoire, Belarus, Tunisia, Egypt, Libya, Syria, Afghanistan and Burma/Myanmar. In his letters, the EDPS reaffirmed his position that when EU institutions take restrictive measures with regard to individuals, data protection principles and any necessary restrictions to them should be comprehensively and clearly laid down.
The Commission proposals envisaged fighting human rights abuses by imposing restrictive measures - notably, freezing of assets and economic resources - on natural and legal persons who are considered to be involved in such abuses. To this end, “blacklists” of the natural or legal persons concerned are published and publicised.
The EDPS criticised that while the text initially proposed by the Commission and the High Representative included strong references to data protection rules, they were significantly weakened by the Council. He reiterated the recommendation to the Commission, the High Representative and the Council to abandon the current piecemeal approach - with specific data protection rules for each country or organisation - and to develop a consistent framework for restrictive measures, ensuring respect of fundamental rights and in particular, the fundamental right to the protection of personal data.
3.4.8. Migration
In 2011, the Commission worked on a comprehensive approach to migration. To outline its position and agenda, it published a communication on this topic in May. On 7 July 2011, the EDPS adopted an opinion on this communication.
In his opinion, the EDPS focused on the need to prove the necessity of the proposed new instruments such as the Entry-Exit-System. To this end, he recalled the case law of the European Court of Human Rights and the European Court of Justice, which establishes that the standard of proof needed to interfere with the right to privacy and data protection is that of ‘being necessary in a democratic society’ and elaborated on the concept of necessity.
Also addressed was the use of biometrics. Here, the EDPS urged that any use of biometrics should be accompanied by strict safeguards and complemented by a fall-back procedure for persons whose biometric characteristics may not be readable. Additionally, he specifically called on the Commission not to reintroduce the proposal to grant law-enforcement access to Eurodac (a large-scale IT system devoted to storing fingerprints, see 4.2).
By explicitly stating his position on this topic, the EDPS gave guidance to the Commission on how to evaluate necessity. It can be noted that subsequent Commission documents, such as the Communication on smart borders, show increased attention to this concept.
3.4.9. Victims of crime
On 17 October 2011, the EDPS published his opinion on the legislative package on the victims of crime, which focuses on privacy-related aspects of the protection of the victims of crime. The EDPS welcomed the policy objectives of the proposals and generally endorsed the approach of the Commission. Nevertheless, he found that the protection of privacy and personal data of the victims in the proposed directive could have been strengthened and clarified.
With regard to the proposed Regulation on mutual recognition of protection measures in civil matters, which deals with protection of individuals against other individuals causing risks to them (“stalking”) the EDPS suggested that information about the protected person to the person causing the risk should be limited to those personal data which are strictly necessary for the execution of the measure.
Use of biometrics should be accompanied by strict safeguards.
3.5. Digital Agenda and technology
The Commission carried out significant work in the area of the information society and new technologies in 2011. Particular emphasis was given to the implementation of the Digital Agenda and the EU 2020 Programme. Several of these initiatives had significant data protection relevance and were, therefore, closely followed by the EDPS. He also monitored and engaged in relevant European research and technological development projects.
Apart from the initiatives mentioned below, the EDPS also provided advice on additional proposals included in the Digital Agenda action plan, namely the public consultation on the Intellectual Property Rights Enforcement Directive (11) and the legal framework for the Consumer Protection Cooperation System (CPCS) (12).
3.5.1. Net neutrality
On 7 October 2011, the EDPS adopted an opinion on the Commission Communication on the open Internet and net neutrality in Europe.
The EDPS highlighted the serious implications of some monitoring practices of ISPs on the fundamental right to privacy and data protection of users, in particular in terms of confidentiality of communications. He has called on the Commission to initiate a debate involving all the relevant stakeholders with a view to clarifying how the data protection legal framework applies in this context.
(11) see below Section 3.7.1
(12) see below Section 3.8.1
He recommended guidance to be provided in areas such as:
• determining inspection practices that are legitimate, such as those needed for security purposes;
• determining when monitoring requires the users’ consent, for instance in cases where filtering aims to limit access to certain applications and services, such as peer to peer.
In particular the guidance should cover the application of the necessary data protection safeguards such as purpose limitation and security.
3.5.2. Technological project “Turbine”
On 1 February 2011, the EDPS adopted an opinion based on his policy paper “The EDPS and EU Research and Technological Development”, adopted in 2008. This paper described the possible roles the EDPS could play for research and technological development (RTD) projects in the context of the Commission Framework Programme for Research and Technological Development.
In his opinion, the EDPS analysed the Turbine (TrUsted Revocable Biometric IdeNtitiEs) research project, the overall objectives of which are to:
• develop an innovative, privacy enhancing technology solution for electronic identity (eID) authentication through fingerprint biometrics;
• demonstrate the performance and security of this solution for use in commercial eID management applications, as well as its benefit for the citizen in terms of enhanced privacy protection and user trust in electronic identity management through the use of fingerprints.
TheanalysisoftheEDPSfocusedonsomeimpor-tantfeaturesoftheproject,namelytheprotectionofthebiometrictemplatebycryptographictrans-formation of the fingerprint information intoa non-reversiblekey(whereitisnotpossibletoreturntotheoriginalbiometricinformation)and
Netneutralityraisesmanydataprotectionrelatedissues.
Turbine-TrUstedRevocableBiometricIdeNtitiEs
54
therevocabilityof thiskey (wherea new inde-pendentkeycanbegeneratedtore-issuebiomet-ric identities).Moreover,throughthetestphase,theproject tested implementationofthefeaturesinrealcasescenarios.
TheEDPSwelcomedtheprojectasitdemonstratesthat implementing “privacy by design” as a keyprincipleinresearch,representsaneffectivemeanstoensure“privacycompliant”solutions.
3.6. Internal Market including financial data
3.6.1. Internal Market Information System
In his opinion of 22 November 2011, the EDPS provided a series of recommendations to further strengthen the data protection framework for the Internal Market Information System (IMI). The EDPS supported a consistent approach to data protection in establishing an electronic system for the exchange of information, including relevant personal data.
The EDPS welcomed the fact that the Commission proposed a horizontal legal instrument for IMI in the form of a Parliament and Council Regulation, which aims to comprehensively highlight the most relevant data protection issues for IMI. The EDPS cautioned that there are associated risks in establishing a single centralised electronic system for multiple areas of administrative cooperation. With regard to the legal framework for IMI to be established in the proposed Regulation, the EDPS drew attention to two key challenges: the need to ensure consistency while respecting diversity and the need to balance flexibility and legal certainty.
The EDPS acknowledged the need for flexibility to cover administrative cooperation in different policy areas but insisted that this flexibility should be accompanied by legal certainty. Against this background, the EDPS recommended that the functionalities of IMI already foreseen should be further clarified and that the inclusion of new functionalities should require appropriate procedural safeguards, such as preparation of a data protection impact assessment and consultation of the EDPS and national data protection authorities.
The opinion also called for further strengthening of data subjects’ rights and reconsideration of the extension of the current 6-month retention period unless adequate justification can be provided.
Finally, the EDPS welcomed the provisions on coordinated supervision and recommended that these should be further strengthened in order to guarantee effective and active cooperation among the data protection authorities involved.
3.6.2. Energy Market Integrity and Transparency
On 21 June 2011, the EDPS issued an opinion on the proposal for a regulation on energy market integrity and transparency. The main aim of the proposal is to prevent market manipulation and insider trading on wholesale energy - gas and electricity - markets. The EDPS commented on several aspects of the proposal, including those on market monitoring and reporting and investigation and enforcement.
The key concern of the EDPS was that the proposal lacked clarity and adequate data protection safeguards with regard to the investigatory powers granted to national regulatory authorities. The EDPS, therefore, recommended clarification on:
• whether on-site inspections would be limited to business properties or also apply to private properties of individuals. In the latter case, the necessity and proportionality of this power should be clearly justified and a judicial warrant and additional safeguards required;
• the scope of the powers to request “existing telephone and existing data traffic records”. The proposal should unambiguously specify what records can be requested and from whom. The fact that no data can be requested from providers of publicly available electronic communications services should be explicitly mentioned. The proposed regulation should clarify whether the authorities may also request the private records of individuals (e.g. text messages sent from personal mobile devices). If this were the case, the necessity and proportionality of this power should be clearly justified and the proposal would also require a warrant from a judicial authority.
The reporting and collection of data regarding suspicious transactions was another sensitive subject in the proposal where the EDPS called for the clarification of the relevant provisions and adequate safeguards, such as strict purpose limitations and retention periods.
The EDPS took a close look at the proposal for a regulation on the energy market.
3.6.3. Interconnection of business registers
On 6 May 2011, the EDPS issued an opinion on the proposal for a directive amending three existing directives on the interconnection of business registers. The aim of the proposal is to facilitate and step up cross border cooperation and information exchange among business registers in the European Union, thereby increasing transparency as well as reliability of the information available across borders.
The main concern of the EDPS is that the proposal, as drafted, would leave key issues such as those of governance, roles, competences and responsibilities to delegated acts. In order to ensure legal certainty as to who is responsible for what and to ensure that adequate data protection safeguards can be identified and implemented, the EDPS recommended that these key issues be addressed in the proposed directive.
3.6.4. Credit agreements relating to residential property
On 25 July 2011, the EDPS adopted an opinion on a Commission proposal for a directive on credit agreements relating to residential property. Responsible lending is defined by the proposal as the care taken by creditors and intermediaries to lend amounts that consumers can afford and meet their needs and circumstances. The proposal was drafted from the perspective that irresponsible behaviour by some market players was at the source of the financial crisis. The proposal, therefore, introduces prudential and supervisory requirements for lenders and obligations and rights for borrowers in order to establish a clear legal framework that should safeguard the EU mortgage market from the disruptive effects experienced during the financial crisis.
The EDPS welcomed the specific reference in the proposal to Directive 95/46/EC. However, he suggested some modifications to the text in order to clarify the applicability of the data protection principles to the processing operations, particularly in relation to the consultation of the database on credit-worthiness which is established in almost all Member States.
Credit agreements are subject to the applicability of the data protection principles.
3.6.5. Over-the-counter derivatives, central counterparties and trade repositories
The opinion, published by the EDPS on 19 April 2011, focused primarily on the specific investigation powers granted to the European Securities and Markets Authority (ESMA) under the proposed Regulation, namely the power to “require records of telephone and data traffic”.
The opinion highlights that investigatory powers directly relating to traffic data, given their potential intrusiveness, have to comply with the requirements of necessity and proportionality. It is, therefore, essential that they are clearly formulated in their personal and material scope, as well as the circumstances and conditions in which they can be used. Adequate safeguards should also be provided against the risk of abuse.
The EDPS considered that these requirements were not fulfilled in the proposed Regulation as the power under consideration was too broadly formulated. In particular, the personal and material scope of the power, the circumstances and the conditions under which it could be used were not specified. The EDPS, therefore, called for more clarity and advised the legislator to:
• clearly specify the categories of telephone and data traffic records which trade repositories are required to retain and/or to provide to the competent authorities;
• limit the power to require records of telephone and data traffic to trade repositories only;
• state explicitly that accessing telephone and data traffic records directly from telecom companies is excluded.
The EDPS also recommended limiting the exercise of the power to identified and serious violations of the proposed Regulation and in cases where a reasonable suspicion of a breach exists. Furthermore, he suggested that prior judicial authorisation (at least where such authorisation is required under national law) and adequate procedural safeguards against the risk of abuse be introduced.
3.6.6. Technical requirements for credit transfers and direct debits in Euros
On 23 June 2011, the EDPS adopted an opinion on a Commission proposal for a Regulation establishing technical requirements for credit transfers and direct debits in Euros, which relates to the Single European Payment Area (SEPA).
Introduction and development of SEPA involve several data processing operations.
The SEPA project aims to establish a single market for retail euro payments by overcoming the technical, legal and market barriers that exist prior to the introduction of the single EURO currency. Once SEPA has been completed, there will be no difference between national and cross border Euro payments.
The introduction and development of SEPA involves several data processing operations: names, bank account numbers and content of contracts need to be exchanged directly between payers and payees and indirectly through their respective payment service providers in order to guarantee a smooth functioning of the transfers. The proposal also introduces a new role for national authorities competent to monitor compliance with the Regulation and take all necessary measures to ensure such compliance. While this role is fundamental for guaranteeing an effective implementation of SEPA, it might also involve broad powers for the further processing of personal data by the authorities, including the total amount of Euro transfers between individuals and entities.
The EDPS, therefore, recommended some modifications to the text in order to ensure that exchanges of such data comply with the relevant applicable legislation, particularly with the principles of necessity, proportionality and purpose limitation.
3.6.7. Airport body scanners
On 17 October 2011, the EDPS sent a letter to the European Commission Vice-president Siim Kallas concerning three proposals on common basic standards on civil aviation security as regards the use of security scanners at EU airports. The draft measures were adopted by the Commission using the “comitology” procedure.
In his comments, the EDPS welcomed the safeguards included in the draft measures and the fact that there is an EU approach to security scanners, as this can guarantee legal certainty as well as a consistent level of protection of fundamental rights. However, he questioned the necessity and the proportionality of such measures and highlighted that data protection legislation is applicable.
The EDPS also regretted that body scanners providing a detailed image of the body will be allowed, especially given that preference could have been given to a less privacy-intrusive device (i.e. a body scanner showing a “stick figure” instead of the human body).
3.7. Cross-border enforcement
3.7.1. Intellectual Property Rights Enforcement Directive
On 8 April 2011, the EDPS responded to a public consultation launched by the European Commission on the application of the Intellectual Property Rights Enforcement Directive. The EDPS provided a broad overview of the data protection issues that can arise in the context of enforcing intellectual property rights on the internet. The EDPS highlighted that the enforcement of intellectual property (IP) rights on the internet poses important challenges and requires adequate data protection safeguards. This is particularly applicable when carrying out monitoring of internet activity to find alleged infringers, or when collecting personal data information (such as a subscriber name linked to a concrete IP address) from intermediaries such as Internet Service Providers.
Enforcement of intellectual property rights on the Internet requires adequate data protection safeguards.
The EDPS stressed the importance of striking a balance between the fundamental right to data protection and the right to intellectual property. He accepted that the current provisions in the Directive - based on striking the balance in line with the commercial scale of the infringement - were appropriate, although clarification is still necessary in some areas.
Finally the EDPS made some recommendations to assist the Commission in taking a more prospective view. In particular, data protection should be taken into account in the evaluation of the implementation of the current Directive, its follow up and during possible future legislative modifications.
3.7.2. Customs enforcement of intellectual property rights
On 12 October 2011, the EDPS adopted an opinion on the proposal for a Regulation concerning customs enforcement of intellectual property rights. The EDPS welcomed the specific reference in the proposal to the applicability of Directive 95/46/EC and Regulation (EC) 45/2001 to the personal data processing activities covered by the Regulation.
The EDPS also highlighted the data subject’s right to information, the need to devise a “data protection compliant” model application form, the specification of a time limit for the retention of personal data submitted by the right holder, both at national and at Commission level and the need for clarification of the legal basis for the establishment of a new central database of the Commission (COPIS).
3.7.3. Jurisdiction and the recognition and enforcement of judgments in civil and commercial matters
On 20 September 2011, the EDPS commented on the proposal for a Regulation on jurisdiction and recognition and enforcement of judgments in civil and commercial matters. The EDPS highlighted the importance, equally in the area of data protection, of facilitating the settlement of cross-border disputes. The EDPS emphasised the need for further reflection on some of the issues raised in the proposal, also in the context of the ongoing review of the data protection framework in the EU:
• further reflection should be given to whether jurisdictional rules should protect the weaker party also in data protection litigation – as is already the case in employment, insurance and consumer protection matters;
• with regard to the retention of the exequatur for privacy, defamation and rights relating to personality and the possibility of denying recognition of judgments on public policy grounds in these cases, the EDPS stresses the need for a strict interpretation of those exceptions;
• it is not clear whether the above exception for privacy rights is intended to also cover violations of legal rules for the processing of personal data as provided for in the Data Protection Directive and if so, to what extent this may be the case. This may create problems of interpretation and will not contribute to the legal certainty that the proposal aims to establish;
• further reflection should be undertaken on how to better align the courts’ jurisdiction with the competence of data protection authorities.
3.7.4. European Account Preservation Order
On 13 October 2011, the EDPS adopted an opinion on a proposal for a Regulation creating a European Account Preservation Order to facilitate cross-border debt recovery in civil and commercial matters. The EDPS was pleased to see the efforts taken to address the different data protection issues that arose from the proposed instrument of an EAPO. In particular, he appreciated the application of and the references to the principle of necessity.
However, the EDPS maintained that the proposed Regulation required further improvement and clarification. The EDPS recommended among other things:
• to consider including the possibility for the claimant to request the removal of his address details from the information provided to the defendant;
• to remove the optional data fields in Annex I to the Regulation (the telephone number and email address of the defendant) if the actual need is not proven;
• to restrict the information provided by the claimant to what is necessary in order to identify the defendant and to determine his or her bank account(s).
Cross-border debt recovery involves processing of personal data.
3.8. Public health and consumer affairs
3.8.1. Consumer Protection Cooperation System
On 4 May 2011, the EDPS issued a legislative opinion commenting on the legal framework for the Consumer Protection Cooperation System (CPCS). The CPCS is an IT system designed and operated by the Commission. The CPCS facilitates cooperation among competent authorities in the EU Member States and the Commission in the area of consumer protection. In the framework of their co-operation, competent authorities exchange information including personal data.
The EDPS welcomed the fact that the CPCS Regulation has been complemented over time with an implementing decision and a set of data protection guidelines which, combined, provide more details on the actual processing as well as specific data protection safeguards.
The main recommendations of the legislative opinion included the following:
• regarding the retention period, mutual assistance requests should be closed within specifically designated time-limits. Unless an investigation or enforcement is ongoing, alerts should be withdrawn and deleted within six months of issuance. Additionally, the Commission should clarify and reconsider the purpose and proportionality of keeping all data relating to closed cases for five additional years;
• the Commission should re-assess what additional technical and organisational measures could be taken to ensure that privacy and data protection are “designed” into the CPCS system architecture (privacy by design) and that adequate controls are in place to ensure data protection compliance and provide evidence thereof (accountability).
3.9. Other issues
3.9.1. OLAF Reform Regulation
On 1 June 2011, the EDPS adopted an opinion on a proposal for a Regulation which is intended to modify the current rules concerning investigations conducted by the European Anti-fraud Office (OLAF). The aim of the proposal is to increase the efficiency, effectiveness and accountability of OLAF, while safeguarding its investigative independence.
The EDPS supported the objectives of the proposed amendments and welcomed the proposal. Despite the overall positive impression, the EDPS considered that the proposal could be further improved in the protection of personal data without jeopardising the objectives that it pursues.
The EDPS, therefore, made a number of recommendations that should be addressed by modifying the text and in particular that the proposal should:
• clearly mention the right to information of the different categories of data subjects (suspects, witnesses etc.), as well as the right of access and rectification in relation to all phases of the investigations carried out by OLAF;
• clarify the relationship between the need for confidentiality of the investigations and the data protection regime applicable during the investigations;
• clarify the general data protection principles on the basis of which OLAF can transmit and receive information, including personal data, with other EU bodies and agencies and give the Director General the task of ensuring that a strategic and comprehensive overview of the different processing operations of OLAF is carried out, kept up to date and made transparent.
3.9.2. EU Financial Regulation
On 15 April 2011, the EDPS adopted an opinion on the Commission proposal revising the financial rules applicable to the annual budget of the European Union (EU Financial Regulation). The proposal covers several matters which involve the processing of personal data by EU institutions and entities at Member State level.
One of the most significant new elements introduced by the proposal is the potential publication of decisions on administrative and financial penalties. Such publication would entail the disclosure of information about the person concerned in an identifiable way. The EDPS believes that this provision as drafted does not meet the requirements of data protection law.
To better comply with data protection rules, it should be improved by explicitly indicating the purpose for the disclosure and by ensuring the consistent application of the possibility, of what is in fact naming and shaming of persons, together with the use of clear criteria to demonstrate the necessity of the disclosure.
The EDPS recommendations also covered the following:
• whistleblowers: the legislator should ensure the confidentiality of whistleblowers’ identity during investigations, except in cases where it contravenes national rules regulating judicial procedures;
• publication of information on the recipients of funds deriving from the budget: the Regulation should explicitly indicate the purpose and explain the necessity for the disclosure of information on the recipients of funds deriving from the budget;
• Central Exclusion Database: the proposal provides for the setting-up of a database containing details of individual and company candidates excluded from participation in tenders. Access to the database by third country authorities should comply with the specific data protection rules related to third country transfers.
3.9.3. European statistics on safety from crime
On 19 September 2011, the EDPS adopted an opinion on the Commission proposal for a Regulation on European statistics on safety from crime. The proposal aimed to implement a new EU survey on safety from crime. The survey would include detailed questions on possible incidents of sexual and physical violence that the respondents might have suffered within or outside the couple, on past relationships, on their socio-demographic background and on their feelings of safety and attitudes to law enforcement and security precautions.
The EDPS stated that he is aware of the importance of the development, production and dissemination of statistical data. However, he is concerned about questions related to physical and sexual offences and about the possibility of identifying alleged victims and aggressors. He made a number of recommendations to reduce the risk of unnecessary direct or indirect identification, to ensure that the categories of personal data to be collected and processed are relevant and not excessive for the specific purpose and to implement adequate technical and organisational measures to ensure the confidentiality and security of personal data until they are made anonymous in line with data protection principles.
3.9.4. Transport
On 5 October 2011, the EDPS adopted an opinion on the Commission proposal to revise the EU legislation on tachographs – the device used in road transport to monitor driving times and rest periods of professional drivers – as a means of checking compliance with social legislation in the field. The revision is meant to make use of new technological developments to improve the effectiveness of digital tachographs against manual ones, notably through the use of geo-location equipment and remote communication facilities. The initiative invades the privacy of professional drivers in a very visible way, as it allows the constant monitoring of their whereabouts as well as remote surveillance by control authorities that will have direct access to the drivers’ personal data stored in the system.
The EDPS emphasised that specific data protection safeguards are needed to guarantee a satisfactory level of data protection in the system, in particular:
• the installation and use of devices for the direct and principal purpose of allowing employers to remotely monitor in real time the actions or whereabouts of their employees should be excluded;
• the general modalities of the processing of personal data in tachographs should be set out clearly in the Proposal, such as the type of data recorded in tachographs and in geo-location equipment, the recipients and the time limits for data retention;
• the security requirements for the digital tachograph laid down in the Proposal need to be further developed, in particular to preserve the confidentiality of the data, to ensure data integrity and to prevent fraud and unlawful manipulation;
• the introduction of any technological update (e.g. remote communication, Intelligent Transport Systems) in tachographs should be duly supported by privacy impact assessments to assess the privacy risks raised by the use of these technologies.
These safeguards will also be relevant in the wider context of geo-location technologies: while these technologies can help to improve the efficiency and quality of transport, they also entail a risk of heightened surveillance of drivers.
Introduction of a new digital tachograph could turn out to be very privacy-invasive.
3.9.5. Common Agricultural Policy after 2013
On 14 December 2011, the EDPS adopted an opinion on the legal proposals for the Common Agricultural Policy after 2013. The EDPS observed that many aspects central to data protection were not included in the proposals, but will be regulated by implementing or delegated acts. The EDPS recommended that at least the following elements be regulated in the proposals to ensure legal certainty:
• the specific purpose of every processing operation should be explicitly stated;
• the categories of data to be processed should be foreseen and specified because, in many cases, the scope of the processing was not clear;
• access rights should be clarified, in particular as regards access to data by the Commission - it should be specified that the Commission can only process personal data where necessary, for example, for control purposes;
• maximum retention periods should be laid down, as for some cases in the proposals, only minimum retention periods are mentioned;
• the rights of data subjects should be specified, especially as regards the right of information to beneficiaries and to third parties;
• the scope and the purpose of transfers to third countries should also be specified and the requirements laid down by the data protection legislation be respected.
Security measures should also be envisaged, especially with regard to computerised databases and systems. In addition, data relating to offences or suspected offences could be processed (for example, in relation to fraud), so the processing may be subject to prior checking by the EDPS or by national data protection authorities.
3.9.6. Fisheries policy control
This opinion, published on 28 October 2011, dealt with some technical aspects relating to a Commission Regulation implementing the fisheries control system. The EDPS had already issued an opinion in March 2009 on a related Regulation, but was nonetheless not consulted by the Commission before it adopted the current Regulation.
The activities of fishing vessels are subject to systematic and detailed monitoring through advanced technological means, including satellite tracking devices and computerised databases, tracing and retaining location data such as the geographical position, course and speed of fishing vessels. All these data are systematically cross-checked, analysed and verified through computerised algorithms and automated mechanisms in order to spot inconsistencies or suspected infringements.
As long as these data relate to identified or identifiable individuals (e.g. the master of the vessel, the owner of the vessel, or the members of the crew), such monitoring involves the processing of personal data. It is, therefore, important that the control system is well-balanced and that adequate safeguards are put in place in order to avoid the rights of the persons involved being unduly restricted.
The activities of the fishing vessels are subject to systematic and detailed monitoring through advanced technological means.
3.10. Public access to documents containing personal data
The EDPS has addressed from the outset the sometimes complicated relationship between EU rules on public access to documents and EU rules on data protection. He first tackled the issue by providing guidance to EU institutions. In 2005, for example, the EDPS published a background paper entitled ‘Public access to documents and data protection’, which contained guidelines for EU institutions and bodies.
Part of the analysis presented in this background paper is no longer valid in light of the European Court of Justice judgment in the Bavarian Lager Case (see below 3.11.1). Therefore, on 24 March 2011, the EDPS published a background paper on public access to documents containing personal data, to serve as guidance for EU institutions. The paper explains the updated EDPS position on the matter following the ruling of the European Court of Justice in the Bavarian Lager case on the reconciliation of the fundamental rights to privacy and data protection with the fundamental right to public access to documents and transparency.
In case of public disclosure of personal data by the EU institutions, a proactive approach would ensure that the persons concerned are well-informed and able to invoke their data protection rights. It would also be beneficial to the institutions, as it would reduce future administrative burdens for those responsible for data processing and those who deal with public access requests.
3.11. Court matters
3.11.1. EDPS participation in court proceedings
2011 was a busy year for the EDPS with regard to participation in proceedings before the European courts. The agents of the EDPS presented the EDPS’ position in hearings before the courts in four cases, three of which have already led to a court ruling.
In V. vs. European Parliament (Case F-46/09), the EDPS was invited to intervene by the Civil Service Tribunal. The case concerned the allegedly illegal transfer of medical data between the medical services of the Commission and the European Parliament. The EDPS pleaded in favour of the applicant, arguing that the transfer was contrary to data protection rules, as it was not necessary and lacked a proper legal basis. In its judgment of 5 July 2011, the Civil Service Tribunal ruled in favour of the applicant, following the reasoning of the EDPS.
The three other cases all concerned the relationship between the EU rules on public access to documents and the EU rules on data protection. As outlined in 3.10, the EDPS was involved in this matter. The three cases can be seen as the legal follow-up to the leading Bavarian Lager ruling of the Court of Justice on 29 June 2010 (Case C-28/08 P). The EDPS explained his position in the three hearings, as set out in the additional background paper of 24 March 2011.
In its ruling of 7 July 2011, Valero Jordana v. Commission (Case T-161/04), the General Court considered that the Commission had been wrong in not assessing the request for public access to certain personal data under the data protection rules. This conclusion was in line with the EDPS’ submissions to the Court.
The EDPS encourages the EU administration to develop clear internal policies, creating a presumption of openness for certain personal data in specified cases (e.g. documents containing personal data relating solely to the professional activities of the person concerned). The EDPS maintains that a change to the rules on public access is needed and he encourages the Council and Parliament to accelerate the pending revision process.
In his interventions, the EDPS aims to clarify the perspective of data protection.
In the ruling of 23 November 2011, Dennekamp v. European Parliament (Case T-82/09), the General Court concluded that the applicant, a journalist asking for the names of Members of the European Parliament who were participating in an additional pension scheme, had not demonstrated the necessity of having the data made public. The EDPS had defended the opposite view, considering that a balance of the different interests involved should have led to disclosure of the data to the journalist.
The third case, Egan & Hackett v. European Parliament (Case T-190/10), has not, at the time of writing, led to a ruling of the General Court. This case concerned a request for access to the names of assistants of Members of the European Parliament.
In addition to these four cases, the EDPS has intervened in Commission v. Austria (Case C-614/10), an infringement case against Austria on the lack of independence of the Austrian data protection authority. The EDPS submitted a statement in intervention, supporting the Commission’s conclusion that the way in which the Austrian data protection authority is embedded in the institutional structure of Austria does not sufficiently ensure its independence.
Finally, ENISA brought a case before the General Court against a decision of the EDPS on a complaint (Case T-345/11). The application was declared manifestly inadmissible on procedural grounds.
3.11.2. Data protection case law
The European courts issued several other rulings with data protection relevance. Three Court of Justice rulings are briefly outlined as follows.
In Deutsche Telekom (Case C-543/09) questions were raised on whether under the e-privacy Directive, an undertaking assigning telephone numbers to its subscribers was allowed to provide data relating to these subscribers to another undertaking whose activity consists of providing publicly available directory enquiry services without renewed consent of the persons involved. The Court considered in its ruling of 5 May 2011 that as the subscribers were already correctly informed of this possibility, renewed consent was not needed.
In its ruling in ASNEF and FECEMD of 24 November 2011 (Joined Cases C-648/10 and C-469/10), the Court of Justice replied to a Spanish court which had asked for clarification on a provision in the data protection Directive, which allows the processing of personal data if this serves a legitimate interest and is not outweighed by the interest of the data subject involved. In Spanish law this was only possible with regard to personal data that had already been made publicly available. According to the Court, this national restriction is not in line with the Directive which has direct effect on this point.
On 24 November 2011, the Court of Justice issued a preliminary ruling in a Belgian case, concerning an obligation on an Internet Service Provider (Scarlet Extended) to monitor the internet behaviour of its consumers in order to prevent breaches of intellectual property rights (Case C-70/10). The Court concluded that the obligation amounted to a general monitoring obligation which is forbidden under EU rules on e-commerce. The Court also noted that such an obligation would not constitute a fair balance between the enforcement of intellectual property rights and several fundamental rights and freedoms laid down in the Charter on Fundamental rights, amongst which is the right to data protection.
3.12. Future technological developments
In the so-called Information Society or Digital World, citizens, customers, administrations, and enterprises interact more than ever before thanks to technology. Technology is making the production, exchange and storage of information (including personal data) easier and is making traditional barriers such as geographical location, language or even infrastructure costs increasingly less relevant.
Furthermore, new technological developments are blurring the frontiers between the digital and real world (data exists in the digital arena but data subjects, data controllers and data processors do not); sooner rather than later both worlds will converge into a single reality with common rules. Technology is becoming increasingly accessible and easier to use and those who use it are not only data subjects but often also data controllers.
From 2012 onwards, the EDPS anticipates the following six topics assuming particular importance:
• Increased Processing in the Cloud. The ‘cloud’ paradigm has been around for some years. With sufficient scale, the cloud is now bringing noticeable benefits in terms of cost reduction and thus convincing enterprises, government organisations and citizens to move their data processing operations into it. However it brings new challenges from a data protection point of view, such as, among others: (i) data controllers losing control over data processing operations due to the complexity of the scenarios arising, (ii) de-localisation of data and interplay of different jurisdictions in conjunction with the lack of harmonisation of data protection laws at international level, (iii) an increase in the number of players involved in data processing operations and a blurring of their responsibilities, (iv) massive data processing by individuals acting as data controllers without due knowledge of their obligations and (v) significant challenges for security and the enforcement of data subjects’ rights.
Storage capacity, processing power and network bandwidth costs continue to drop in all the variants of cloud computing (as infrastructure, as a platform or as a service) to the point that the traditional link between volume of data and the cost of associated infrastructure will be soon broken i.e. as infrastructure costs are lowered, entry barriers to process large data operations disappear. This phenomenon will allow individuals and small enterprises to carry out massive data processing operations that, up to now, only governments and big corporations could afford.
• Increased processing on smart mobile devices. The possibilities that smart mobile devices offer are also growing at an accelerated pace. Today’s devices are always on and able to share, modify and process information in real time. New generation devices will have more power, better interfaces, more connectivity, more storage capacity and will be seamlessly integrated with the cloud. In 2012, quad-core processors will become common in smart mobile devices, deployment of LTE networks (13) will take place, devices will connect to the cloud to process our voice commands, augmented reality will continue to grow and biometric interfaces such as face or voice recognition will become standard.
In addition to the enhanced capabilities of the new devices users will have all the computing power of the cloud, packaged in an easy-to-use integrated kit. Individuals will be able to generate information and upload it into the cloud on an unprecedented scale. They will continuously process their own personal data and the personal data of others.
(13) LTE is a standard for wireless communication of high-speed data for mobile phones and data terminals. It is based on the GSM/EDGE and UMTS/HSPA network technologies, increasing the capacity and speed using new modulation techniques. The standard is developed by the 3GPP (3rd Generation Partnership Project). It provides for speeds that go up to 300 Mbit/s.
• IPv6. In 2011, the last remaining IPv4 addresses (the current network addressing schema used in the Internet) were assigned and focus turns now to IPv6. This new standard allows, among other things, a virtually unlimited IP address space and consequently, the allocation of unique identifiers to every single device connected to the network (for instance RFID devices using IP). IP addresses will no longer be a scarce resource and it will be cheaper to assign a unique identifier than a dynamic address.
In this context, the Resolution adopted at the International Privacy Conference in Mexico (14) on IPv6 is relevant; this resolution requires unique identifiers not to be used without the consent of end users and to allow end users to use temporary and volatile IPv6 addresses (dynamic addresses) by default. Security issues that might arise in the transition from IPv4 to IPv6, should also be taken into consideration.
• New Human to Machine Interfaces will become available. Current tablets and smartphones have made communication between humans and machines easier. Soon these interfaces will be incorporated in other devices such as security systems, cars, televisions and gaming systems. Touchable, wearable, visual and voice interfaces will become part of everyday life. Information systems designed to assist humans will be able to sense and interpret faces, movements, voices, behaviour and even health. Indeed, intelligent systems will soon be able to monitor how humans feel physically and even psychologically based on behavioural patterns. An application for e-health services that remotely monitors patients so they can stay at home instead of in a hospital benefits the individual and can potentially bring cost savings but should not be implemented at the expense of the right to data protection and privacy.
These developments will have enormous influence from a societal point of view and data protection in particular, will have to play an increasing role to ensure that appropriate safeguards are foreseen and that the principle of privacy-by-design is applied in the implementation of these technologies. Solutions can be found to obtain full functionality while preserving the privacy of individuals if systems are well designed from inception.
(14) See also chapter 4.6 of this annual report.
• Smart Grids. Various upcoming grid technologies are starting to take shape, such as Vehicle to Grid (V2G), Outage Management Systems (OMS) or microgrids. In particular, utility companies (water and electricity mainly) have already started the deployment of advanced metering systems that will provide much more detailed information of consumption patterns to the utility provider and eventually also to the customer. This information will be used for better forecasting and adaptability of the network to consumer demand and hopefully will increase the efficiency in the use of scarce resources such as water or energy, especially by the automation of distribution networks.
However, the concept of smart grids is broad and can have a far-reaching impact as smart devices connect to the grid and exchange information. Notwithstanding the possible economic benefits, it is also clear that an unprecedented amount of information about individuals’ behaviour will be transmitted and processed by a myriad of actors.
Consequently, in order to preserve the right to data protection of individuals, these data processing operations have to be balanced and data protection principles such as proportionality, necessity or legitimacy need to be correctly applied.
• Increased Security Issues will make cybersecurity more important than ever. Whilst the value of the cybercriminal economy as a whole is not yet known, the most recent estimate of global corporate losses alone stands at around EUR 750 billion per year. (15) The number of cybercrimes is growing and criminal activities are becoming increasingly sophisticated and international. There are clear indications of a growth in organised crime groups, new groups born from hackers and internet culture and even the involvement of some governments.
Special attention should be paid to the various legal rules, in order to ensure that appropriate security measures are taken in order to protect personal data, in the harmonisation of these measures and the procedures to notify data breaches to the relevant authorities and the affected data subjects. In particular, it should be noted that the new general Data Protection Regulation proposed by the Commission will extend the obligation to notify data breaches to all data controllers (16).
(15) http://ec.europa.eu/home-affairs/policies/crime/crime_cybercrime_en.htm
(16) Directive 2002/58 as amended by 2009/136 only establishes the obligation to notify personal data breaches for electronic communications service providers.
Information systems are becoming critical elements in our daily lives and individuals have to rely on technology and systems that they do not fully understand. Consequently, they need third parties to provide them with assurance mechanisms that can warrant the privacy and security of such information systems. In this context, a steady growth is foreseeable in the certification business and also in the processes providing accountability of good practices.
3.13. Priorities for 2012
In January 2012, the EDPS will publish his sixth public inventory as an advisor on proposals for EU legislation, setting his priorities in the field of consultation for the year ahead. The EDPS faces the challenge of fulfilling his increasing role in the legislative procedure, by delivering high-quality and well-appreciated advice with increasingly limited resources.
There are several notable trends in recent years which merit attention from a data protection perspective:
• There is an increasing tendency to endow administrative authorities, both at the EU and national levels with powerful information gathering and investigative tools. This is particularly the case in the area of freedom, security and justice and in relation to the revision of the legislative framework concerning financial supervision;
• EU legislation increasingly facilitates significant exchanges of information between national authorities, frequently involving EU bodies and large-scale databases (with or without a central part) of increasing size and processing power. This requires careful consideration by policy makers and actors when setting out data protection requirements during the legislative procedure, because of the serious consequences these exchanges can have for the privacy of citizens, e.g. by facilitating the monitoring of citizens’ lives;
• Recent years have been characterised by significant technological developments, mainly due to the widespread use of internet and geo-location technologies. Such developments have a significant impact on a citizen’s right to privacy and data protection.
Such policy and technological developments underline that data protection and privacy have become truly horizontal issues. This also means that there will be more demand for EDPS advice on proposed legislative measures.
In light of this, the EDPS has identified issues of strategic importance that will form the cornerstones of his consultation work for 2012, while not neglecting the importance of other legislative procedures where data protection is concerned.
The EDPS is therefore committed to devoting substantial resources in 2012 to the analysis of proposals of strategic importance. In addition, the EDPS has identified a number of initiatives of less strategic importance which may nonetheless have data protection relevance. The fact that the latter are included in the EDPS Inventory implies that they will be regularly monitored, but does not mean that the EDPS will always issue an opinion or formal comments on such initiatives.
The main EDPS priorities, as identified in his inventory, are as follows:
a. Towards a new legal framework for data protection
• Revision of EU data protection framework
b. Technological developments and the Digital Agenda, IP rights and Internet
• Pan European framework for electronic identification, authentication and signature
• Internet monitoring (e.g. enforcement of IP rights, takedown procedures)
• Cloud computing services
• eHealth
c. Further developing the Area of Freedom, Security and Justice
• EU-PNR
• EU-TFTS
• Border controls
• Review of Data Retention Directive
• Negotiations on agreements with third countries on data protection
d. Financial sector reform
• Regulation and supervision of financial markets and actors
4. COOPERATION
4.1. Article 29 Working Party
The Article 29 Working Party is the independent advisory body set up under Article 29 of the Data Protection Directive (95/46/EC). It provides the European Commission with independent advice on data protection issues and contributes to the development of harmonised policies for data protection in EU Member States.(17)
Its tasks are laid down in Article 30 of the Directive and can be summarised, as follows:
• provide expert opinion from Member State level to the European Commission on matters relating to data protection;
• promote the uniform application of the general principles of the directive in all Member States through cooperation between data protection supervisory authorities;
• advise the Commission on any measures affecting the rights and freedoms of natural persons with regard to the processing of personal data;
• make recommendations to the public at large and in particular to EU institutions, on matters relating to the protection of persons with regard to the processing of personal data in the EU.
(17) The Working Party is composed of representatives of the national supervisory authorities in each Member State, a representative of the authority set up for the EU institutions and bodies (i.e. the EDPS), and a representative of the Commission. The Commission also provides the secretariat of the Working Party. The national supervisory authorities of Iceland, Norway and Liechtenstein (as EEA partners) are represented as observers.
The EDPS has been a member of the Article 29 Working Party (WP29) since early 2004 and considers it to be a very important platform for cooperation with national supervisory authorities. It is also evident that the Working Party should play a central role in the consistent application of the directive and in the interpretation of its general principles.
In 2011, as in 2010, the Working Party focused its activities on the four main strategic themes identified in its 2010-2011 work programme, notably:
• implementing the revised e-Privacy Directive and preparing a future comprehensive legal framework;
• addressing globalisation;
• responding to technological challenges;
• making the Working Party and data protection authorities more effective.
To this end, the Working Party adopted several documents, among which are:
• Opinion 9/2011 on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications (WP180);
• Opinion 10/2011 on the proposal for a Directive of the European Parliament and of the Council on the use of passenger name record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (WP181);
• Opinion 15/2011 on the definition of consent (WP187);
• Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising (WP188).
The Working Party also took positions in the form of letters on several issues, among which were the implementation of the Terrorist Financing Tracking Programme (TFTP) and the self-regulatory framework on Online Behavioural Advertising (OBA) developed by the industry.
The EDPS actively contributed to the work of the WP29 in different areas. He was particularly involved in the work of several subgroups, including the technology subgroup, the BTLE subgroup (Border Travel and Law Enforcement) and the key provisions subgroup, the aims of which are to provide for a common interpretation of essential provisions of Directive 95/46/EC. In the context of this last subgroup, he was rapporteur for the opinion on the notion of consent (Opinion 15/2011). The EDPS was also deeply involved in the work of the subgroup on the ‘future of privacy’ in relation to the initiative of the Commission for a new data protection framework.
The EDPS also cooperates with the national supervisory authorities to the extent necessary for the performance of his duties, in particular by exchanging all useful information and requesting or delivering assistance in the performance of their tasks (Article 46(f)(i) of the Regulation). This cooperation takes place on a case by case basis.
Direct cooperation with national authorities is an element of growing importance in the context of the development of large-scale international systems such as Eurodac, which require a coordinated approach to supervision (see Sections 4.2 and 4.3).
4.2. Coordinated supervision of Eurodac
Technological challenges were one of the main strategic themes of the Article 29 Working Party in 2011.
Effective supervision of Eurodac relies on close cooperation between the national data protection authorities and the EDPS.
Eurodac is a large-scale IT system devoted to storing fingerprints of asylum seekers and persons apprehended irregularly crossing the external borders of the EU and several associated countries.(18)
In 2011, the Eurodac Supervision Coordination Group, composed of representatives of the national data protection authorities and the EDPS, based its activities on the 2010-2011 work programme, adopted in early 2010.
The Group held two meetings in Brussels, one in June and one in October 2011. The October meeting represented the first meeting entirely organised by the EDPS and was considered by participants as a success in terms of organisation and outcome.
4.2.1. Advance Deletion Report
One of the Group’s most significant achievements of the year was the coordinated inspection on advance deletion. Advance deletion refers to the deletion of data in the central unit before the end of the retention period. This can occur if a person leaves the EU or acquires citizenship or a resident’s permit, for example. Deleting such persons from the database safeguards their rights and increases data quality. One of the aims of this exercise was to provide a state of play on the application of advance deletion rules in the Member States and to explore whether there is a need for alternative solutions.
The final report confirms that many Member States have already implemented appropriate procedures; those that have not yet done so usually experience very few or no cases in which advance deletion would have been necessary. Recommendations included establishing such procedures where they are still missing, providing better information to concerned persons and working towards better statistics on the phenomenon.
The report has been sent to the main EU institutional stakeholders, as well as to relevant international organisations.
4.2.2. New exercise in 2012: unreadable fingerprints
As the reform of the Eurodac Regulation did not move forward in 2011, the Group had to adapt its work programme accordingly, postponing several items. This adaptation introduced a new coordinated inspection on the issue of unreadable fingerprints, to be carried out in 2012.
(18) Iceland, Norway, Switzerland and, since the entry into force of a protocol to this effect on 1 April 2011, Liechtenstein.
The processing of biometric data such as fingerprints poses specific challenges and creates risks which have to be addressed. In this context, the problem of so-called ‘failure to enrol’ - the situation in which a person finds that their fingerprints are not usable for some reason - is one of the main risks.
The main purpose of the exercise is to examine the current procedures applied in all Member States when this situation occurs and whether there is a need for new solutions. Similar to the advance deletion exercise, this investigation should be seen more as an exploratory exercise, which could then lead to:
• the identification of good practices (whether they take the form of technical features, internal guidelines or administrative practices) and an encouragement to use them widely;
• any further recommendations if the exercise shows that there are deficiencies in the current system.
4.2.3. Coordinated security audit questionnaire
During both meetings of Eurodac in 2011, the ongoing preparations for the coordinated security audit were discussed. On the basis of the methodology used in a national audit, efforts are being made to develop a common framework for security audit methodology, which can provide support to national authorities and at the same time ensure consistent and useful outcomes for Eurodac generally. Work will continue on this in 2012 with the aim of adopting a common framework by the end of the year.
4.2.4. Visa Information System
The launching of the Visa Information System (VIS) in October 2011 gave rise to an informal discussion within the Group on its supervision. The Group agreed on a gradual and pragmatic approach to be concluded by the end of 2012. This means that the next Eurodac meetings will dedicate a substantial portion of the agenda, albeit informally, to VIS.
4.3. Supervision of the Customs Information System (CIS)
The CIS Supervision Coordination Group is set up as a platform in which the data protection authorities, responsible for the supervision of CIS in accordance with Regulation (EC) No 766/2008(19) - i.e. EDPS and national data protection authorities - cooperate in line with their responsibilities in order to ensure coordinated supervision of CIS.
The aim of the Customs Information System (CIS) is to create an alert system within the fight against fraud framework so as to enable any Member State entering data in the system to request another Member State to carry out sighting and reporting, discreet surveillance, a specific check or operational and strategic analysis.
The CIS stores information on commodities, means of transport, persons and companies and on goods and cash detained, seized or confiscated in order to assist in preventing, investigating and prosecuting actions which are in breach of customs and agricultural legislation (the former EU ‘first pillar’) or serious contraventions of national laws (the former EU ‘third pillar’). The latter part is supervised by a Joint Supervisory Authority composed of representatives of the national data protection authorities.
The Coordination Group shall:
(a) examine implementation problems in connection with the CIS operations;
(b) examine difficulties experienced during checks by the supervisory authorities;
(c) examine difficulties of interpretation or application of the CIS Regulation;
(d) draw up recommendations for common solutions to existing problems;
(e) endeavour to enhance cooperation between the supervisory authorities.
(19) Regulation (EC) No 766/2008 of the European Parliament and of the Council of 9 July 2008 amending Council Regulation (EC) No 515/97 on mutual assistance between the administrative authorities of the Member States and cooperation between the latter and the Commission to ensure the correct application of the law on customs and agricultural matters.
In 2011, the EDPS convened two meetings of the CIS Supervision Coordination Group (in June and December). The meetings gathered the representatives of national data protection authorities, as well as representatives of the Customs Joint Supervisory Authority and Data Protection Secretariat.
In the June meeting, the Group elected Mr. Giovanni Buttarelli, Assistant EDPS, as Chair and Mr. Gregor König, Austrian representative and Chair of the Customs Joint Supervisory Authority, as Vice-Chair. The Group also discussed and adopted a work programme outlining its activities for 2011 and 2012 and confirmed its intention to fully cooperate with the Customs Joint Supervisory Authority in areas of common interest. In the December meeting, the Group discussed documents guiding its first inspections on access to the system and data subject rights, which will be carried out in 2012.
4.4. Police and judicial cooperation: cooperation with JSB/JSAs and WPPJ
The EDPS also cooperates with the authorities charged with the supervision of specific bodies or EU large-scale IT systems, such as the Joint Supervisory Bodies (JSBs) of Europol and Eurojust and the Joint Supervisory Authorities (JSAs) for the Schengen Information System (SIS) and the ‘ex-third pillar’ aspects of the Customs Information System (CIS). This cooperation takes the form of mutual information on items of common interest, such as those where the EDPS and the JSB/JSAs each supervise different parts of the same system.
In 2011, the cooperation related mainly to the CIS. Since the EDPS and the JSA of the CIS share a supervisory role for the same system, it is logical to coordinate their action as much as possible. Thus, the EDPS invited representatives of the JSA to attend meetings organised on the coordinated supervision of the CIS (see Section 4.3). In the same spirit, EDPS representatives were invited to parts of JSA meetings where items of common interest were discussed.
The EDPS also participates in the meetings and activities of the Working Party on Police and Justice (WPPJ). The WPPJ worked on several issues in 2011, such as the use of DNA profiles by law enforcement authorities (including exchange of DNA data via Interpol Gateway), establishment of a common supervisory policy and risk assessments with respect to processing of personal data in the area of law enforcement in Europe.
In 2011, the WPPJ also broached the subject of its own future in light of the growing involvement of the WP29 in areas traditionally dealt with by the WPPJ. At the European Conference (see point 4.5. European Conference below), the WPPJ was mandated to work towards the integration of its EU-related competences and expertise into the Article 29 Working Party, which in turn was invited to clarify the status of its subgroup on law enforcement and the possibilities for non-EU Member States to participate in its work.
4.5. European Conference
In 2011, the European Conference of Data Protection Commissioners took place in Brussels on 5 April 2011. The format for the meeting was exceptional: the conference was hosted by the EDPS, in close cooperation with the Article 29 Working Party which also met on the morning of the same day.
The conference included sessions dedicated to a variety of issues, including:
• overview of legal developments: Lisbon Treaty, EU legal framework, Convention 108, OECD guidelines...;
• role of the Article 29 Working Party;
• supervision in the Area of Freedom, Security and Justice.
Data Protection Authorities from Member States of the European Union and of the Council of Europe meet annually for a spring conference to discuss matters of common interest and to exchange information and experience on different topics.
Use of DNA profiles by law enforcement authorities was on the agenda of WPPJ.
The future framework for data protection was at that time still in preparation by the European Commission. It was a central theme of the discussions and led to the adoption of a Resolution on the need for a comprehensive data protection framework.
4.6. International Conference
The 33rd Annual Conference of Data Protection and Privacy Commissioners took place in Mexico City on 1-3 November 2011 and was entitled ‘Privacy: The Global Age’. Its aim was to explore ways for building the relationships and tools necessary to protect the data of individuals beyond national borders.
There was also a pre-conference on 31 October in Mexico City entitled ‘Privacy as Freedom’, followed by two events on 1 November hosted by the Organisation for Economic Cooperation and Development and the Information and Privacy Commissioner of Ontario, Canada. The conference was an opportunity for data protection stakeholders in Europe to meet their peers from Canada, the United States, Latin America, Australia, New Zealand, China, Japan to name but a few.
The closing session witnessed the official presentation of the so-called Mexico Declaration, prepared by the hosting authority with contributions from other delegations. This declaration urges selected stakeholders to effectively cooperate in order to confront new challenges, one being how to effectively enforce data protection in a world of ‘big data’.
One of the main achievements of the conference was the initiative taken to step up the global cooperation of Data Protection and Privacy Commissioners. An executive committee was installed - chaired by the Chairman of the Article 29 Working Party and participants from all over the world - to give more permanence to the International Conference between its annual meetings. Special emphasis will be given to global cooperation in privacy enforcement and a separate meeting on enforcement issues was announced for May 2012, in Montreal.
The list of distinguished speakers included Peter Hustinx, EDPS and Giovanni Buttarelli, Assistant Supervisor, who both moderated sessions at the conference.
The 34th International Conference will take place in Uruguay, in October 2012.
Data Protection Authorities and Privacy Commissioners from Europe and other parts of the world, including Canada, Latin-America, Australia, New Zealand, Hong Kong, Japan and other jurisdictions in the Asia-Pacific region, have met annually for a conference in the autumn for many years.
5. INFORMATION AND COMMUNICATION
5.1. Introduction
Information and communication play a key role in ensuring the visibility of the EDPS’ main activities and in raising awareness both of the EDPS’ work and of data protection in general. This is all the more important as awareness of the EDPS role and mission at EU level needs to be raised further, although significant progress has already been made. Indicators such as the number of information requests received from citizens, media enquiries and interview requests, the number of subscribers to the newsletter, as well as invitations to speak at conferences and website traffic all support the view that the EDPS is a point of reference for data protection issues at EU level.
The increased visibility of the EDPS at institutional level is pertinent for his three main roles i.e. the supervisory role in relation to all EU institutions and bodies involved in the processing of personal data; the consultative role in relation to those institutions (Commission, Council and Parliament) that are involved in the development and adoption of new legislation and policies that may have an impact on the protection of personal data; and the cooperative role in relation to national supervisory authorities and the various supervisory bodies in the field of security and justice.
5.2. Communication ‘features’
EDPS communication policy is shaped according to specific features that are relevant in view of the age, size and remit of the institution and the needs of its stakeholders. It tailors the tools available to the audiences concerned and is adaptable to a number of constraints and requirements.
5.2.1. Key audiences and target groups
The communication policies and activities of the majority of other EU institutions and bodies operate on a general level to address EU citizens as a whole. The EDPS’ direct sphere of action is more distinct. It is primarily focused at EDPS stakeholders - the EU institutions and bodies, data subjects in general and EU staff in particular, EU political stakeholders and ‘data protection colleagues’. As a result, EDPS communication policy does not need to engage in a ‘mass communication’ strategy. Instead, awareness of data protection issues among EU citizens in the Member States depends essentially on a more indirect approach, for instance via data protection authorities at national level.
This being said, the EDPS does communicate with the general public, via a number of communication tools (website, newsletter, awareness-raising events), regularly liaising with interested parties (study visits to the EDPS office, for instance) and participating in public events, meetings and conferences.
5.2.2. Language policy
EDPS communication policy takes into account the specific nature of its field of activity. Data protection issues may be viewed as fairly technical and obscure for non-experts and the language in which the EDPS communicates is, therefore, adapted accordingly. When it comes to information and communication tools aimed at a diverse audience, clear and accessible language which avoids unnecessary jargon needs to be used. Continued efforts are therefore made in this direction, in particular when communicating with the general public and the general press, with the aim of correcting the excessive ‘legal’ image of data protection.
When considering more informed audiences (e.g. data protection specialists, EU stakeholders), a more specialised language is appropriate. Different communication styles and language patterns need to be used to communicate the same news.
Since 2010, the EDPS has been relaying his messages in his press and communication activities in at least three languages - English, French and German. The overall aim is to reach out to the widest possible audience.
5.3. Media relations
The EDPS aims to be as accessible as possible to journalists in order to allow the public to follow his activities. He regularly informs the media through press releases, interviews and background discussions. The handling of media enquiries allows for additional regular contacts with the media.
5.3.1. Press releases
In 2011, the press service issued 12 press releases. Most of these related to the EDPS work in the field of consultation and, more specifically, on new legislative opinions of direct relevance to the general public. Among the issues covered were the EU Data Protection Reform Strategy, the guidance for good practice on data protection and transparency, the EU system on Passenger Name Record, the EU financial regulation, the evaluation of the Data Retention Directive, online behavioural advertising, recording equipment in road transport, the neutrality of the Internet and the Internal Market Information System.
Press releases are published on the EDPS website and in the European Commission inter-institutional database of press releases (RAPID) in English, French and German. Press releases are distributed to a regularly updated network of journalists and interested parties. The information provided in press releases usually results in significant media coverage by both the general and specialised press. Press releases are also frequently published on institutional and non-institutional websites ranging from, among others, EU institutions and bodies, to civil liberty groups, academic institutions and information technology companies.
5.3.2. Press interviews
In 2011, the EDPS gave 14 direct interviews to journalists from print, broadcast and electronic media throughout Europe, with a significant number of requests coming from German, Austrian, Dutch, French and the EU specialised press.
This resulted in a number of articles in the international, national and EU press, whether general or specialised in information technology issues, as well as interviews on radios.
The interviews covered horizontal themes such as the current and upcoming challenges in the field of privacy and data protection. They also addressed more specific issues that made the headlines in 2011, including EU-US data transfers, the review of the EU legal framework for data protection and privacy concerns with regard to social networking, consumer profiling, rights of digital citizens, data retention and security.
5.3.3. Press conference
The EDPS held a press conference on 15 June 2011 at the European Parliament in Brussels to present the EDPS 2010 Annual Report and outline the main features of the EDPS activities in 2010 with regard to his supervisory, consultative and cooperative tasks (see section 5.7.1.).
The press conference provided Peter Hustinx, EDPS, and Giovanni Buttarelli, Assistant Supervisor, the opportunity to address the current dynamic context of EU data protection and future challenges as well as to answer questions posed by journalists.
5.3.4. Media enquiries
In 2011, the EDPS received some 46 written media enquiries that included requests for EDPS comments and requests for clarification, position or information. Media attention in 2011 focused mainly on the issue of online privacy, in particular new online applications, such as geo-location applications, search engines and - the top-ranking area of enquiry - social networks.
Other issues of interest to the media included international transfers of data, the review of the EU legal framework for data protection, the Data Retention Directive, data security and provisions on data breaches, as well as the use and transfer of Passenger Name Records to the United States.
Peter Hustinx and Giovanni Buttarelli presenting EDPS Annual Report 2010 during a press conference.
5.4. Requests for information and advice
There was an increase of 39% in the number of enquiries for information or assistance received from citizens between 2010 and 2011 (196 requests compared to 141 in 2010). This evolution is the result of the more prominent profile of the EDPS within the data protection sphere, reinforced through the use of various information and communication tools.
Requests for information come from a wide range of individuals and parties, ranging from stakeholders operating in the EU environment and/or working in the field of privacy, data protection and information technology (law firms, consultancies, lobbyists, NGOs, associations, universities, etc.) to citizens asking for more information on privacy matters or requiring assistance in dealing with the privacy problems they have encountered.
The largest category of requests received in 2011 concerned complaints from EU citizens about matters over which the EDPS has no competence. These complaints related mostly to alleged data protection breaches by public authorities, national or private companies and online services and technologies, such as online gaming, blogs, geo-location services, social networking and messaging tools. Other issues included the security of bank data, the right of access to documents held by national administrations, the dissemination of personal data to third parties without the consent of the person concerned and requests for appeal against a ruling from a national data protection authority. When complaints such as these fall outside the competence of the EDPS, a reply is sent to the complainant specifying the mandate of the EDPS and advising the individual to refer to the competent national authority, usually the data protection authority of the relevant Member State.
The next sizeable category of requests received in 2011 related to data protection legislation in EU Member States and/or its implementation at national level. In such cases, the EDPS advises the individual to contact the relevant data protection authority and, where appropriate, the European Commission Data Protection Unit.
The third main category of requests for information related to data protection issues within the EU administration, such as processing activities by EU institutions, bodies and agencies.
[Figure: Main topics for requests from the press in 2011 (in percentage). Categories: Biometric data**, SWIFT/TFTP, EDPS' role and mission, Data security, Data retention, EU Data Protection framework, International transfers of data, Online privacy*. (*) Including new online applications, search engines and social networks. (**) Including Schengen Information System.]
The remaining categories of information requests included enquiries about EDPS activities, role and missions, EU data protection legislation, online privacy, international transfer of data, large-scale IT systems such as VIS, SIS and Eurodac, and the review of the EU framework for data protection.
[Figure: Main areas of information requests from the public in 2011. Categories: Others; Review of EU data protection framework; Large-scale IT systems (SIS, VIS, Eurodac); International transfer of data; Online privacy; EU data protection law; EDPS's missions and activities; Data protection issues in EU administration; National data protection law; Complaints for which the EDPS is not competent.]
5.5. Study visits
As part of the efforts to further increase awareness of data protection and to interact with the academic world, the EDPS regularly welcomes visits from groups specialised in the field of European law, data protection and/or IT security issues. In 2011, the EDPS office welcomed four student groups from different countries. In December 2011, for instance, the EDPS office welcomed a group of German and European law students from the University of Cologne in Germany, presented its role and activities, and discussed data protection issues at EU level. Other groups of visitors included the Science and Technology Law Institute of Taipei (Taiwan), the Nanyang Technological University (Singapore) and the University Pierre Mendès France of Grenoble (France).
With a view to reaching out to a broader audience, the EDPS office also welcomed four groups or associations interested in data protection issues and privacy concerns: members of the German Evangelical Church, the association of the Young Europeans of Bordeaux (France), the Politieacademie (the Netherlands) and the Communication Sub-Committee of the Trainees of the European Commission.
5.6. Online information tools
5.6.1. Website
The website remains the EDPS’ most important communication channel and information tool. It is updated on a daily basis. It is also the medium through which visitors have access to various documents produced as a result of EDPS activities (e.g. opinions on prior checks and on proposals for EU legislation, work priorities, publications, speeches of the Supervisor and Assistant Supervisor, press releases, newsletters, event information and so on).
Web developments
The most prominent development of the website in 2011 was an electronic platform for lodging complaints. The online complaint form facilitates the process of submitting complaints and speeds up their processing by the EDPS services.
As announced in the Annual Report 2010, a ‘press kit’ section was also introduced on the website in order to provide media professionals with relevant materials and resources that can be used in their news articles and reporting interviews.
Between September and November 2011, an online survey was carried out on the quality of the EDPS website. The overall views of the website were positive: the majority of people found the website satisfactory in terms of the content. They also claimed that the information was accurate, up-to-date and easy to understand. Although the site was rated as quite easy to use, further improvements will be made in 2012 to the ‘advanced search’ function and the register.
In addition, an overhaul of the supervision and consultation sections is foreseen in order to enhance search options and navigation through thematic categories. Other improvements will include creating a Data Protection Officers’ Corner and implementing the RSS feed feature.
Traffic and navigation
An analysis of the traffic and navigation data shows that in 2011, the website received a total of 65 599 unique visitors, including more than 6 000 per month in January, May and June.
After the homepage, the most regularly viewed pages were the ‘Press and News’, ‘Supervision’ and ‘Consultation’ pages, although the ‘Publications’ and ‘Events’ pages were also popular. The statistics also show that most visitors access the website via a direct address, a bookmark, a link in an email or a link from another site – such as the Europa portal or a national data protection authority’s website. Search engines links are used only by a few visitors.
5.6.2. Newsletter
The EDPS newsletter remains a valuable tool for providing information on the EDPS’ most recent activities and to draw attention to recent additions to the website. The newsletter provides information on the EDPS’ most recent opinions on EU legislative proposals and on prior checks in his supervisory role. It also includes details of conferences and other events organised in the field, as well as recent speeches by the Supervisor and Assistant Supervisor. The newsletters are available in English, French and German on the EDPS website and a subscription feature is offered on the relevant page.
Four issues of the EDPS newsletter were published in 2011, with an average frequency of one issue every three months. The number of subscribers rose from 1 500 at the end of 2010 to approximately 1 750 by the end of 2011. Subscribers include members of the European Parliament, staff members from the EU institutions, staff of national data protection authorities, journalists, the academic community, telecommunication companies and law firms.
5.7. Publications
5.7.1. Annual Report
The annual report is a key EDPS publication. It provides an overview of EDPS activities in the main operational fields of supervision, consultation and cooperation during the reporting year and sets out the main priorities for the following year. It also describes what has been achieved in terms of external communication as well as developments in administration, budget and staff. A specific chapter is also dedicated to the activities of the EDPS’ Data Protection Officer.
The report may be of particular interest to various groups and individuals at international, European and national levels – data subjects in general and EU staff in particular, the EU institutional system, data protection authorities, data protection specialists, interest groups and non-governmental organisations active in the field, journalists and anyone seeking information on the protection of personal data at EU level.
The Supervisor and Assistant Supervisor presented the EDPS 2010 Annual Report to the European Parliament Committee on Civil Liberties, Justice and Home Affairs on 15 June 2011. The main features of the report were also presented at the press conference on the same day.
5.7.2. Thematic publications
Preparatory work has started on thematic factsheets relating to data protection issues of strategic importance for the EDPS. The aim is to publish targeted information as guidance for the general public and other interested parties. The first set of factsheets will cover issues such as data breaches, e-Privacy, the SWIFT/TFTP agreement and Passenger Name Record (PNR).
5.8. Awareness-raising events
The EDPS is keen to seize relevant opportunities to highlight the increasing relevance of privacy and data protection and to raise awareness of the rights of data subjects as well as the obligations of the European administration in relation to these.
5.8.1. Data Protection Day 2011
The Member States of the Council of Europe and the European institutions and bodies celebrated the fifth European Data Protection Day on 28 January 2011. This date marks the anniversary of the adoption of the Council of Europe Convention on the protection of personal data (Convention 108), the first legally binding international instrument in the field of data protection.
The EDPS uses this opportunity to stress the importance of privacy and data protection and in particular to raise awareness among EU staff of their rights and obligations in the field. For each Data Protection Day, an information stand is set up and operated by members of the EDPS office and its data protection officer on the premises of the Council, the European Commission and the European Parliament in cooperation with the data protection officer of the respective institution. Visitors have the opportunity to ask questions and to test their knowledge of EU data protection in a quiz.
In 2011, the EDPS renewed this specific activity, while investing further efforts in raising awareness among EU staff. A video message from the Supervisor and Assistant Supervisor was also circulated to institutional stakeholders and made available on the EDPS website, in both a long and short version, to present the role of the EDPS and outline the challenges for the year.
EDPS Annual Report 2010.
Visitor filling in a quiz during Data Protection Day 2011 on the EDPS information stand.
The EDPS also participated in various events organised on the occasion of Data Protection Day, such as the international conference on ‘Computers, Privacy and Data Protection’, that serves as a bridge for policymakers, academics, practitioners and activists to discuss emerging issues of privacy, data protection and information technology. For this fourth international event, the conference theme was ‘European Data Protection: In Good Health?’. It took place on 25-27 January 2011 and included two one-day events on ‘eHealth’ and surveillance and a round table on body scanners. Members of the EDPS secretariat took part in panel discussions and Peter Hustinx gave the concluding notes at the conference.
5.8.2. EU Open Day 2011
On 7 May 2011, the EDPS participated as usual in the Open Day at the European institutions, organised at the European Parliament in Brussels. The EU Open Day offers an excellent opportunity for the EDPS to increase general public awareness of the need to protect privacy and personal information.
Staff members from the EDPS secretariat were present to answer questions from visitors at the EDPS stand in the main building of the European Parliament. As with the EDPS stand for Data Protection Day, there was a quiz on privacy and data protection at EU level and information materials were also distributed to visitors. The installation of a thermic camera linked to a large screen was a major attraction at the stand. Although there was no direct link with the processing of personal data, citizens were made aware, in a striking and fun way, of the potential privacy risk posed by new technology.
Visitors playing with a thermic camera on the EDPS stand during EU Open Day 2011 at the European Parliament.
6. ADMINISTRATION, BUDGET AND STAFF
6.1. Introduction
The entry into force of the Treaty of Lisbon had a direct impact on the activities and tasks of the EDPS. The Treaty assigns greater importance to data protection in the EU institutions and bodies and has thus increased the workload of the institution and in turn, of the Human Resources, Budget and Administration Unit (HRBA) as well.
The planned moderate growth of the establishment plan of the EDPS over recent years could not cope with these new tasks and responsibilities and it was necessary to hire a number of contract agents and temporary staff and to negotiate the secondment of data protection experts from other EU institutions and Data Protection Authorities in the Member States to assist the EDPS with the increasing workload.
In 2011, a more strategic and efficient management of priorities and resources was developed - particularly important in times of austerity and budgetary consolidation. A strategic review of the EDPS was launched during the year and a “Strategic Review” Task Force was set up, comprising representatives from all teams and chaired by the Director of the EDPS. An internal conference in October 2011 was an opportunity for the various EDPS teams to reflect on their respective tasks, values and objectives and to identify those of the EDPS for the years to come. This will be followed up in 2012 with an external consultation of stakeholders by means of on-line surveys, focus groups and workshops. The results will be presented at a public conference.
In 2011, the efforts to improve efficiency yielded tangible results, such as securing access to the training catalogue of the European Commission through Syslog Formation, the adoption of detailed internal manuals dealing with the recruitment of several categories of staff and a new budget implementation control mechanism which gave rise to a substantial increase in the implementation rate of the budget.
Improvements in the efficiency of the HR function will continue in 2012 when access to Sysper (personnel file management system) and MIPS (an application to coordinate missions) becomes available. These will facilitate some routine administrative tasks and free up resources to better position the HR team as a reliable strategic partner for the Management Board of the EDPS.
6.2. Budget
The allocated budget for the EDPS in 2011 was EUR 7 564 137. This represented an increase of 6.47% on the previous year, but taking into account the overall development of the institution and its increased workload, it represented moderate growth.
This modest budgetary rise was absorbed, in the main, by the budget line for salaries, which in monetary terms, is the most important item of the EDPS budget. A significant part of the budget was allocated to the translation of EDPS opinions on legislative proposals into all official languages. They can then be published in the Official Journal of the European Union to place them in proximity to the EU legislative texts and the jurisprudence of the European Court of Justice, ensuring that the views of the EDPS can be easily located by practitioners and courts alike. Other documents adopted by the EDPS (e.g. opinions on prior checks) are translated into the working languages of the EDPS (English, French and German).
The 2010 Declaration of Assurance (DAS) from the European Court of Auditors did not raise any concerns or recommendations for the EDPS. Nevertheless, within the context of sound financial management and with a view to improving the reliability and the quality of the EDPS financial data:
a) a new internal financial verification system, including check-lists for all levels of financial transactions, was introduced into the financial workflow;
b) a quarterly budget implementation report, including a line-by-line budgetary consumption follow-up, was implemented;
c) new mission forms for better control and transparency were adopted;
d) guidelines for low value procurements were drawn up;
e) new financial reporting tables were set up.
As a result of these initiatives, the budget implementation rate of the EDPS improved substantially: from 76% in 2010 to almost 85% in 2011.
Assistance from the European Commission in finance matters continued in 2011, particularly in relation to accountancy services - the Accounting Officer of the Commission is also the Accounting Officer of the EDPS. Where specific rules have not been laid down, the EDPS applies the internal rules of the Commission for the implementation of the budget.
[Figure: EDPS - Budget evolution 2004-2012, in EUR, by year from 2004 to 2012.]
6.3. Human resources
6.3.1. Recruitment
The growing number of tasks and increased visibility of the EDPS are leading to an increased workload and an expansion of activities which need to be addressed from a human resources perspective.
Thanks to a service level agreement with the European Personnel Selection Office (EPSO), a general competition on data protection was organised in 2009 so as to recruit highly specialised staff. Three reserve lists were made available in Summer 2010 for grades AD9, AD6 and AST3 for a validity of three years. At present, 82% of the laureates on the three lists have been recruited. The AST3 list is open for recruitment by all EU institutions.
Following the publication of these lists in 2010, the EDPS embarked on a major recruitment operation, interviewing candidates from the reserve lists and officials from other institutions, in compliance with Article 29 of the Staff Regulations. This recruitment effort continued in 2011. Prior to 2011, newcomers were mainly selected from EPSO competition lists. In 2011, the EDPS began to receive a significant number of transfer applications from EU officials in other institutions, which demonstrates the growing visibility of the EDPS as an attractive employer.
In order to deal more efficiently with the increased number of applications and to guarantee a fair and professional recruitment process, the Human Resources team issued several recruitment manuals related to all categories of staff, setting out procedures to be followed by HR staff and line managers during the recruitment process.
In addition to officials, the EDPS recruited three contract agents and welcomed the former DPO of the Council on secondment to the EDPS, thus strengthening the Supervision Unit. In order to cover temporary needs in 2011, two interim staff members and one external contractor for the maintenance and development of the EDPS website were hired. In total, the EDPS recruited 14 new colleagues in 2011.
The procedure to fill the vacancy of Director of the EDPS Secretariat, launched at the end of 2010, was completed. Following an inter-institutional recruitment procedure, the Director was selected and appointed in March 2011.
[Figure: EDPS - Staff evolution by category (AD, AST, CA, Other): number of persons, 2008 to 2011.]
6.3.2. Traineeship programme
A traineeship programme was created in 2005 to offer recent university graduates the opportunity to put their academic knowledge into practice, thereby acquiring practical experience in the day-to-day activities of the EDPS. This also provides the institution with an opportunity to increase its visibility among younger EU citizens, particularly among those university students and young graduates who have specialised in the field of data protection.
The programme hosts on average four trainees per session, with two five-month sessions per year (March to July and October to February). In exceptional situations and under stringent admission criteria, the EDPS may also welcome non-remunerated trainees who wish to gain experience in the field of Data Protection in the framework of their studies or professional career. The criteria are defined in the new decision that the EDPS adopted on 25 October 2011 and which contains the rules governing the traineeship programme. In the new decision, particular attention is given to the data protection aspects, in order to better inform the candidates on their rights.
All the trainees, whether remunerated or not, contribute to both theoretical and practical work and also gain useful first-hand experience.
On the basis of a service level agreement with the Commission, the EDPS has benefited from the administrative assistance of the Traineeship Office of the Commission Directorate-General for Education and Culture, which has continued to provide valuable support through its highly experienced staff.
6.3.3. Programme for seconded national experts
The programme for seconded national experts (SNEs) at the EDPS was launched in January 2006. On average, two national experts from data protection authorities (DPAs) in the Member States are seconded every year. These secondments enable the EDPS to benefit from the skills and experience of such staff and help to increase the visibility of the EDPS at national level. This programme, in turn, allows SNEs to familiarise themselves with data protection issues at EU level. An internal manual governing their selection procedure was issued in 2011.
6.3.4. Organisation chart
The EDPS organisation chart remained unchanged since its inception in 2004 up to 2009, after which, the first reorganisation took place with the creation of the post of Director as Head of Secretariat.
In 2010, the EDPS organisation chart underwent a major change as the staff was reorganised into five sectors with heads of sector appointed at middle management level.
The major recruitment endeavour that followed after the publication of the EPSO competition reserve lists resulted in a substantial growth of these sectors. For this reason, in June 2011, the 3 largest EDPS sectors, namely Supervision and Enforcement, Policy and Consultation and Human Resources Budget and Administration, were transformed into units.
These changes have given rise to a new organisation chart which is available on the EDPS website.
6.3.5. Working conditions
The flexitime regime was introduced at the EDPS in 2005 and is highly appreciated by staff. Many colleagues use this opportunity to balance professional and personal life in an equitable manner.
In 2011, the decision on flexitime was revised in order to rationalise and simplify the procedure and to ensure equal treatment of all staff. Furthermore, the new decision harmonises the rules applicable at the EDPS with those in place at the European Commission, in order to facilitate the introduction of the Sysper II Time Management module in 2012.
Two staff members (one from the HR Unit and one from the Staff Committee) were appointed “trust persons” in 2011, available to all staff to discuss possible cases of harassment. The two officials followed specific training organised by the Commission to prepare them for treating possible cases and to implement a specific policy against harassment.
6.3.6. Training
Syslog Web Formation was implemented at the EDPS in 2011. This allows electronic access to the training catalogue of the European Commission and has resulted in a tremendous improvement in the efficiency and rapidity of organising training. As a consequence, most of the training budget was consumed in 2011 (88% of the total budget – EUR 102 499).
General training courses (at the Commission, including language courses): 21.75%
EAS training courses: 48.70%
External training courses: 17.55%
The high implementation rate of the training budget is a sign of success of the EDPS reorganisation and assists the declared objective of the Management Board of the institution to meet the needs of EDPS Staff and to make the EDPS an attractive employer for EU officials from other EU institutions.
A tailor-made “First steps in management” course was organised over 2 days by the EAS for 16 administrators from the EDPS. The course was designed to impart knowledge on management, with a focus on the basics of team management, diversity and communication. The course gave staff a better understanding of the challenges faced by middle management and prepared them for future management responsibilities. Due to its success, such a course will be organised again in 2012.
In 2011, EDPS middle management who were appointed in 2010 and 2011 followed a specific management training course and also benefited from an individual and collective coaching programme delivered by the coach coordinator of the European Commission. This has allowed the Director and the Heads of Unit and Sector to function better as individual managers and as a management team, with tangible improvements in planning, coordination and implementation of policies decided by the Management Board of the institution.
The EDPS continued to participate in various inter-institutional committees, which facilitates the pooling of training needs and allows for economies of scale in an area where needs are essentially similar across the EU institutions. The sixth amendment to the protocol of language courses was signed in December 2011, an area for which there has also been a significant increase in training requests.
At the request of the training coordinator, the EDPS updated its training decision in October 2011, allowing more training opportunities to be offered to EDPS staff.
6.3.7. Social activities
The EDPS benefits from a cooperation agreement with the Commission to facilitate the integration of new staff, for instance by providing legal assistance in private matters (rental contracts, taxes, real estate, etc.) and by giving them the opportunity to participate in various social and networking activities. New staff are personally welcomed by the Supervisor, the Assistant Supervisor and the Director of the EDPS. In addition to their mentor, newcomers also meet members of the HR, Budget and Administration Unit, who provide them with the EDPS administrative guide and other information on the specific procedures of the EDPS.
The EDPS has continued to develop inter-institutional cooperation with regard to childcare: the children of EDPS staff have access to the crèches, the European schools, after-school childcare and the outdoor childcare centres of the Commission. The EDPS also participates as an observer in the European Parliament advisory committee on prevention and protection at work, the aim of which is to improve the work environment.
In 2011, several social activities were organised for EDPS staff in close cooperation with the Staff Committee of the institution and each event resulted in a high rate of attendance.
6.4. Control functions
6.4.1. Internal control
The internal control system, effective since 2006, manages the risk of failure to achieve business objectives. In 2011, considerable efforts were put into the implementation of the Internal Control Standards (ICS). The list of actions was extended to ensure a more efficient internal control of the processes in place. By way of example, an awareness-raising action on ethics, harmonised titles for all staff, a mentorship programme, an adaptation of the new financial workflow, a business continuity plan and an update of the missions’ guide were all adopted in relation to the ICS. An updated decision on Internal Control Standards will be adopted in 2012 to simplify the approach, increase the ownership and strengthen their effectiveness.
The EDPS took note of the annual activity report and the Declaration of Assurance signed by the Authorising Officer by delegation. Overall, the EDPS considers that the internal control systems in place provide reasonable assurance of the legality and regularity of operations for which he is responsible.
6.4.2. Internal audit
The Internal Audit Service (IAS) of the Commission also serves as the auditor of the EDPS. In January 2011, a risk assessment visit took place to set up the IAS audit strategy for the EDPS for the period 2011-2013. All the processes of the EDPS were thoroughly checked by the IAS and a risk map profile and trigger areas of audit visits were drawn up.
A specific IT risk assessment visit by the IAS took place at the request of the EDPS, in July 2011. As the EDPS is hosted on the premises of the European Parliament and relies on its IT infrastructure, further work with the IT services of the EP will continue in 2012.
Finally, an audit was performed in November 2011 concerning prior checking opinions, administrative measures and inspections. The report on this audit will be available in 2012.
With regard to the follow-up of the 2 risk assessment audits, 6 recommendations remain open. Three of them are expected to be closed in early 2012 and the three others will be addressed later in 2012 or 2013 as they concern long-term projects such as the development of a Case Management System (see further in Section 6.6.3) or a risk management policy.
As both organisations share an interest in the area of audits, as far as compliance with data protection is concerned, the EDPS has proposed a Memorandum of Understanding to the IAS to allow both organisations to fulfil their roles in the most effective way possible. The MoU will be concluded in 2012 with full regard to their respective rights, obligations and independence as laid down in their constitutive documents.
6.4.3. External audit
As an EU institution, the EDPS is audited by the Court of Auditors. Pursuant to Article 287 of the Treaty on the Functioning of the European Union, the Court undertakes an annual audit of the revenue and expenditure of the EDPS in order to provide a statement of assurance as to the reliability of the accounts and the legality and regularity of the underlying transactions. This takes place in the framework of the so-called discharge exercise with audit questions and interviews.
For the discharge of the year 2010, the questions posed by the Court were answered satisfactorily by the EDPS.
6.4.4. Security
In 2011, considerable resources in the area of security were devoted to the internal Case Management System of the EDPS which will be tailor-made for the EDPS and implemented in 2012, with particular attention paid to the security measures to be put in place. The contract with the company developing the system was signed in December 2011 with the assistance of the European Parliament.
The IT risk assessment visit carried out by our internal auditor in July 2011, although not finalised, has already triggered some initiatives such as the setting up of an IT Steering Committee that met for the first time in January 2012.
The EDPS also adopted a Business Continuity Plan (BCP) in 2011 with regard to health and safety conditions for staff and premises. In 2012, following the scheduled move to new premises, a new plan will be prepared in close cooperation with other institutions.
Based on the need to access EU Classified Information (EUCI) in order to carry out their duties, several members of EDPS staff have received an official security clearance, granted by their national security authorities. This allows the EDPS to carry out security inspections of large scale IT systems or at other important and sensitive sites.
Advice was delivered on a regular basis on EDPS activities, including an introduction to the tasks and mandate of the EDPS given to the Local Security Officers (LSO) and Local Information Security Officers (LISO) of the European Commission.
6.5. Infrastructure
On the basis of the administrative cooperation agreement described below, the offices of EDPS are located in the premises of the European Parliament, which also assists the EDPS in the fields of IT and infrastructure.
Because of a recurrent lack of space in the building in which the EDPS is located and the imminent expiry of the rental contract of the building in which the EDPS is hosted (Montoyer 63), the European Parliament set up a Building Committee, in which the EDPS participated, to select a new building to house the offices of the EDPS.
The new building was selected in 2011 and the move is planned for mid-2012. A task force named “EDPS by design” was created, with the mandate “to analyse and develop all aspects related to the design and the move to a new building (e.g. planning, space distribution, IT issues, both at short and long term perspective, security or data protection matters, etc.) in the course of 2012, so that the move is successful and disruption to the work of the Institution is reduced as much as possible.”
The institution has continued to independently manage its furniture and IT goods inventory, with the assistance of the European Parliament services.
6.6. Administrative environment
6.6.1. Administrative assistance and inter-institutional cooperation
The EDPS benefits from inter-institutional cooperation in many areas by virtue of an agreement concluded in 2004, with the Secretaries-General of the Commission, the Parliament and the Council, which was extended in 2006 (for a three-year period) and in 2010 (for a two-year period) with the Commission and the Parliament. An extension of the agreement for two years was signed by the Secretaries-General of the Commission and the Parliament and the EDPS Director in December 2011. This cooperation is vital for the EDPS as it increases efficiency and allows for economies of scale.
Close inter-institutional cooperation continued in 2011 with various Commission Directorates-General (Personnel and Administration, Budget, Internal Audit Service, Education and Culture), the Paymaster’s Office (PMO), the European Administrative School (EAS), the Translation Centre for the Bodies of the European Union and various European Parliament services (IT services, particularly with arrangements for the maintenance and development of the EDPS website; fitting out of the premises, building security, printing, mail, telephone, supplies, etc.). In many cases, this cooperation takes place by means of service level agreements, which are regularly updated. The EDPS also continued to participate in the inter-institutional calls for tenders, thus increasing efficiency in many administrative areas and making progress towards greater autonomy.
[Figure: EDPS budget execution through inter-institutional cooperation, in EUR, 2008 to 2011, by partner: Commission, CDT, Council, Parliament, Other.]
The EDPS is a member of various inter-institutional committees and working groups, including the Collège des Chefs d’administration, Comité de Gestion Assurances maladies, Comité de Préparation pour les Questions Statutaires, Comité du Statut, the Interinstitutional Working Party/EAS, EPSO management board, EPSO working group, Commission paritaire commune and Comité de préparation pour les affaires sociales.
6.6.2.InternalrulesTherewasanadoptionofvariousinternalrulesforthe smooth functioning of the EDPS in 2011. InareaswheretheEDPSbenefitsfromtheassistanceoftheCommissionortheEuropeanParliament,therulesaresimilartothoseoftheseinstitutions,albeitwithsomeadjustmentstoallowforthespecificfea-turesoftheEDPSoffice.
In2011,theDirector’smeeting(Headsofunitorsec-torplusDirector)starteddiscussionsonadoptinginternalrulesofamoregeneralscopeandafirstproposalwassubmittedtotheManagementBoardoftheEDPS.TheEDPSplanstoadoptthesein2012togetherwitharevisedversionoftheCodeofgoodconductfortheEDPS.
6.6.3.DocumentmanagementTheEDPSselectedandprocuredadocumentandrecordsmanagementsystemincorporatingcasemanagement.ThisprocesswascompletedwiththesupportoftheEuropeanParliamentITservices.
Thecustomisationandconfigurationofthissystemto accommodate the specif ic needs of theEDPS began at the end of the year. The currentEDPSdatabaseshavebeenharmonised,inprepara-tionformigrationintothenewsystem.
6.6.4.Planning
Inthecourseof2011,planningandcontrolofactivi-tieswithintheEDPSwasimproved.Threelevelsofplanningwereput inplace:astrategicplan(3-5years),anannualmanagementplanandadetailedactivityplanning:
a) Strategic plan
One early outcome of the Strategic Review was to set up an accurate and detailed strategic plan. This strategic planning will allow the Management Board to manage resources more efficiently over the medium term.
b) Management plan
The annual Management Plan outlines the detailed planning for the year based on the objectives and activities mentioned in the three year strategic plan.
c) Weekly activity planning
Accurate weekly planning of activities is carried out to ensure that the EDPS meets his legal obligations and deadlines. Planning also ensures effective cooperation across the different EDPS teams.
7. EDPS DATA PROTECTION OFFICER
7.1. The DPO at the EDPS
In 2010, the DPO team consisted of two DPOs (a DPO and an assistant DPO) who had been appointed by the EDPS in September 2010. Following the departure of the DPO in March 2011, the EDPS decided to nominate the assistant DPO - who succeeded in the certification programme in 2010 - as the acting DPO. The acting DPO was nominated as DPO in December 2011, once she had been appointed to an AD post.
The role of the DPO at the EDPS presents many challenges: being independent within an independent institution, meeting the high expectations of colleagues who are particularly aware and sensitive about data protection issues and delivering solutions that can serve as benchmarks for other institutions.
To strengthen this independence and deepen her expertise, the EDPS DPO is following the IAPP (International Association of Privacy Professionals) training recommended in the DPO paper on professional standards issued by the DPO network (20).
(20) Professional Standards for Data Protection Officers of the EU institutions and bodies working under Regulation (EC) 45/2001, 14 October 2010
7.2. The Register of processing operations
2011 was dedicated to the revision of all processing operation notifications within the EDPS and to new notifications. Seven notifications were substantially revised in order to take account of the new procedures in place at the EDPS following its internal reorganisation, notably in Human Resources procedures. Eight new notifications were required, mainly in the Human Resources and Communication teams. A notification on how the EDPS deals with complaints lodged was also addressed. These notifications relate to Article 25 of Regulation 45/2011.
At the same time, the DPO has taken care of notifications submitted to the EDPS under Article 27.2 of Regulation 45/2001 following EDPS guidelines. Among the 17 existing notifications based on Article 25 of the Regulation, nine were subject to notification under Article 27 of Regulation 45/2011, of which 89% deal with Human Resources issues.
The DPO’s main objective for 2012 is to request notifications of all processing operations which are in the inventory and which have not yet been established by the persons responsible for processing.
7.3. EDPS 2011 Survey
In March 2011, a letter was sent to the Supervisor by the EDPS Director outlining all the work carried out to be in compliance with Regulation 45/2001. The EDPS has taken these documents into account in his 2011 Survey. The 2010 Action Plan, which was implemented at 95%, was positively acknowledged. The EDPS underlined that all notifications under Article 27 have been completed.
7.4. Information and raising awareness
The DPO places great emphasis on raising awareness and on communication of data protection compliance at the EDPS, both externally and internally.
With regard to external communication, a DPO section of the EDPS website, which provides basic information about the DPO role and activities, has been updated, so that the updated Register and all the notifications are available for public consultation in their new versions.
In addition, the DPO takes part in the DPO network meetings, which represent a unique opportunity to network, discuss common problems and share best practices.
With regard to internal communication, the EDPS intranet provides an effective means of communication with staff. The DPO intranet section contains information that is useful to staff members: the main elements of the role of the DPO, the implementing rules, the DPO Action Plan and information on DPO activities.
The DPO Intranet section has been completed with a detailed list of privacy statements about the EDPS processing operations, allowing all members of staff to exercise their rights (Articles 11 and 12 of Regulation 45/2001) by informing them thereof.
Raising awareness also took the form of a DPO presentation “Initiation to Regulation 45/2001” aimed at newcomers and officials not experienced in data protection. Its purpose was to familiarise staff members with data protection matters and with the EDPS missions and values.
8. MAIN OBJECTIVES IN 2012
The following objectives have been selected for 2012. The results achieved will be reported in 2013.
8.1. Supervision and Enforcement
In line with the Compliance and Enforcement Policy Paper adopted in December 2010, the EDPS has set the following objectives in the field of Supervision and Enforcement.
• Raising awareness
The EDPS will invest time and resources in providing guidance to EU institutions and agencies. Guidance is necessary to help achieve a shift towards greater accountability of Institutions and agencies. This guidance will take the form of thematic papers on standard administrative procedures and horizontal themes such as e-monitoring, transfers and rights of data subjects. Training and workshops will also be organised for DPOs/DPCs either on request by a specific institution or agency or on the initiative of the EDPS when a need is identified. The EDPS website will be developed so as to provide useful information to DPOs. The public register of prior checking notifications will also be made accessible according to a common subject taxonomy.
• Prior checking
The EDPS continues to receive ex-post notifications either relating to standard administrative procedures or to processing operations already in operation. Action will be taken in 2012 to define appropriate procedures for handling such notifications and to ensure that notifications for checking ex-post are not permitted save in exceptional and justified circumstances. The follow-up of recommendations made in prior checking opinions is a crucial element of the enforcement strategy of the EDPS. The EDPS will continue to place strong emphasis on the implementation of recommendations in prior check opinions and ensure an adequate follow up.
• General stock taking exercises
In 2011, the EDPS launched a general stock taking exercise, providing indicators of compliance by institutions and bodies with certain obligations (e.g. appointment of a DPO, adoption of implementing rules, level of Article 25 notifications, level of Article 27 notifications). The report issued by the EDPS emphasised the progress made in implementing the Regulation, but also underlined shortcomings. The report will emphasise the progress made in implementing the Regulation, but will also underline shortcomings. The 2011 survey will be complemented in 2012 by a specific exercise on DPO Status: this exercise is also intended to provide support for the DPO function in line with the accountability principle. In addition, the EDPS will launch a survey specifically for the Commission in 2012, the aim of which is to collect information directly from the various DGs at the Commission.
• Visits
On the basis of the indicators from the 2011 survey, the EDPS has selected institutions and agencies for visits (6 planned visits). These visits are triggered either by an apparent lack of commitment or communication from management, or if an institution or agency is below the benchmark set for a peer group.
• Inspections
Inspections are a vital tool that enable the EDPS to monitor and ensure the application of the Regulation: an increase in the number of inspections is crucial not only as an enforcement tool, but also as a tool to raise awareness of data protection issues and the EDPS. Inspections will increase in 2012 due to the introduction of lighter, more targeted inspections in addition to full-scale inspections. Some institutions or bodies process personal data in their core business activities and data protection is, therefore, a key element. These bodies will be identified and be the object of targeted monitoring (paper based) or inspections. General inspections are also planned for large scale IT systems in 2012. These are selected on the basis of legal obligations. Thematic inspections will be launched in areas where the EDPS has provided guidance and wishes to check against reality (e.g. CCTV).
8.2. Policy and Consultation
The main objectives of the EDPS for his advisory role are set out in the inventory and the accompanying memo as published on the website. The EDPS faces the challenge of fulfilling his ever-increasing role in the legislative procedure, guaranteeing high-quality and well-appreciated contributions to it, delivered by limited resources. In light of this, the EDPS has identified issues of strategic importance that will form the cornerstones of his consultation work for 2012, while not neglecting the importance of other legislative procedures where data protection is concerned.
• Towards a new legal framework for data protection
The EDPS will give priority to the work on a new legal framework for data protection in the EU. He will issue an opinion on the legislative proposals for the framework and contribute to the debates in the next steps of the legislative procedure where necessary and appropriate.
• Technological developments and the Digital Agenda, IP rights and Internet
Technological developments, especially those connected to the Internet and the associated policy responses will be another area of focus for the EDPS in 2012. Subjects range from the plans for a Pan-European framework for electronic identification, authentication and signature, the issue of Internet monitoring (e.g. enforcement of IP rights, takedown procedures) to cloud computing services and eHealth. The EDPS will also strengthen his technological expertise and engage in research on privacy-enhancing technologies.
• Further developing the Area of Freedom, Security and Justice
The Area of Freedom, Security and Justice will remain one of the key policy areas for the EDPS to address. Relevant upcoming proposals include EU-TFTS and smart borders. Additionally, the EDPS will continue to follow the review of the data retention directive. He will also closely monitor negotiations with third countries on data protection agreements.
• Financial sector reform
The EDPS will continue to follow and scrutinise new proposals for the regulation and supervision of financial markets and actors, insofar as they affect the right to privacy and data protection.
• Other initiatives
The EDPS will also follow proposals in other policy areas that have a significant impact on data protection. He will continue to be available for formal and informal consultations on proposals affecting the right to privacy and data protection.
8.3. Cooperation
The EDPS will continue to fulfil his responsibilities in the field of coordinated supervision. Additionally, he will reach out to national data protection authorities as well as to international organisations.
• Coordinated supervision
The EDPS will play his role in the coordinated supervision of Eurodac, the Customs Information System and the Visa Information System (VIS). Coordinated supervision of the VIS, which went live in October 2011, is still in its infancy. After informal discussions in the framework of the Eurodac supervision coordination meetings, the target for 2012 is to gradually establish supervision in this area. When SIS II is launched, it will also be subject to coordinated supervision; it is scheduled to go live in 2013 and the preparations will be followed closely. The EDPS will also carry out inspections of the central units of these systems where necessary or legally required.
• Cooperation with data protection authorities
As before, the EDPS will actively contribute to the activities and success of the Article 29 Data Protection Working Party, ensuring consistency and synergies between the Working Party and the positions of the EDPS in line with respective priorities and maintaining a constructive relationship with national data protection authorities. As rapporteur for some specific dossiers, he will steer and prepare the adoption of WP29 opinions.
• Data protection in international organisations
International organisations are usually not subject to data protection legislation in their host countries; however, not all of them have appropriate rules for data protection in place. The EDPS will reach out to international organisations by organising a workshop aimed at raising awareness and spreading good practices.
8.4. Other fields
• Information and communication
Information, communication and press activities will continue to be developed and improved, with special focus on awareness-raising, publications and online information. The EDPS will also start implementing the review of his Information and Communication Strategy, after the consultation of his main stakeholders. The re-organisation of some important parts of the EDPS website is planned in order to increase the user friendly character of the website and facilitate search and navigation through the available information.
• Internal organisation
The EDPS strategic review will continue through 2012, with an external consultation of stakeholders by means of online surveys, interviews, focus groups and workshops. Immediate results of the review launched in 2011 led to decisions to develop a more strategic approach to supervision and consultation activities and to create a new IT policy sector in 2012. Once the review has been concluded and the results analysed, the EDPS will finalise his mid-term strategy and draw up the performance measuring tools (KPI) necessary to evaluate key elements of that strategy.
• Resource management
The work of developing a customised Case Management System at the EDPS will continue in 2012. IT applications in the field of human resources on the basis of Service Level Agreements will also be developed further, especially with the implementation of Sysper II, which will be completed in 2012, and with the introduction of MIPS.
Annex A — Legal framework
The European Data Protection Supervisor was established by Regulation (EC) No 45/2001 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. The Regulation was based on Article 286 of the EC Treaty, now replaced by Article 16 of the Treaty on the Functioning of the European Union (TFEU). The Regulation also laid down appropriate rules for the institutions and bodies in line with the then existing EU legislation on data protection. It entered into force in 2001 (21).
Since the entry into force of the Lisbon Treaty on 1 December 2009, Article 16 TFEU must be considered as the legal basis for the EDPS. Article 16 underlines the importance of the protection of personal data in a more general way. Both Article 16 TFEU and Article 8 of the EU Charter of Fundamental Rights, which is now legally binding, provide that compliance with data protection rules should be subject to control by an independent authority. At the EU level, this authority is the EDPS.
Other EU acts on data protection are Directive 95/46/EC, which lays down a general framework for data protection law in the Member States, Directive 2002/58/EC on privacy and electronic communications (as amended by Directive 2009/136) and Council framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters. These three instruments can be considered as the outcome of a legal development which started in the early 1970s in the Council of Europe.
Background
Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms provides for a right to respect for private and family life, subject to restrictions allowed only under certain conditions. However, in 1981 it was considered necessary to adopt a separate convention on data protection, in order to develop a positive and structural approach to the protection of fundamental rights and freedoms, which may be affected by the processing of personal data in a modern society. The convention, also known as Convention 108, has been ratified by more than 40 Member States of the Council of Europe, including all EU Member States.
(21) OJ L 8, 12.1.2001, p. 1.
Directive 95/46/EC was based on the principles of Convention 108, but specified and developed them in many ways. It aimed to provide a high level of protection and a free flow of personal data in the EU. When the Commission made the proposal for this directive in the early 1990s, it stated that Community institutions and bodies should be covered by similar legal safeguards, thus enabling them to take part in a free flow of personal data, subject to equivalent rules of protection. However, until the adoption of Article 286 TEC, a legal basis for such an arrangement was lacking.
The Treaty of Lisbon enhances the protection of fundamental rights in different ways. Respect for private and family life and protection of personal data are treated as separate fundamental rights in Articles 7 and 8 of the Charter that has become legally binding, both for the institutions and bodies, and for the EU Member States when they apply Union law. Data protection is also dealt with as a horizontal subject in Article 16 TFEU. This clearly indicates that data protection is regarded as a basic ingredient of ‘good governance’. Independent supervision is an essential element of this protection.
Regulation (EC) No 45/2001
Taking a closer look at the Regulation, it should be noted first that according to Article 3(1) thereof it applies to the ‘processing of personal data by Community institutions and bodies insofar as such processing is carried out in the exercise of activities all or part of which are within the scope of Community law’. However, since the entry into force of the Lisbon Treaty and the abolition of the pillar structure – as a result of which references to ‘Community institutions’ and ‘Community law’ have become outdated – the Regulation in principle covers all EU institutions and bodies, except to the extent that other EU acts specifically provide otherwise. The precise implications of these changes are still being examined and may require further clarification.
The definitions and the substance of the Regulation closely follow the approach of Directive 95/46/EC. It could be said that Regulation (EC) No 45/2001 is the implementation of that directive at European level. This means that the Regulation deals with general principles like fair and lawful processing, proportionality and compatible use, special categories of sensitive data, information to be given to the data subject, rights of the data subject, obligations of controllers — addressing special circumstances at EU level where appropriate — and with supervision, enforcement and remedies. A separate chapter deals with the protection of personal data and privacy in the context of internal telecommunication networks. This chapter is the implementation at European level of the former Directive 97/66/EC on privacy and communications.
An interesting feature of the Regulation is the obligation for EU institutions and bodies to appoint at least one person as Data Protection Officer (DPO). These officers have the task of ensuring the internal application of the provisions of the Regulation, including the proper notification of processing operations, in an independent manner. All institutions and most bodies now have these officers, and in some cases already for many years. This means that important work has been done to implement the Regulation, even in the absence of a supervisory body. These officers may also be in a better position to advise or to intervene at an early stage and to help to develop good practice. Since the DPO has the formal duty to cooperate with the EDPS, this is a very important and highly appreciated network to work with and to develop further (see Section 2.2).
Tasks and powers of EDPS
The tasks and powers of the EDPS are clearly described in Articles 41, 46 and 47 of the Regulation (see Annex B) both in general and in specific terms. Article 41 lays down the general mission of the EDPS — to ensure that the fundamental rights and freedoms of natural persons, and in particular their privacy, with regard to the processing of personal data are respected by EU institutions and bodies. Moreover, it sets out some broad lines for specific elements of this mission. These general responsibilities are developed and specified in Articles 46 and 47 with a detailed list of duties and powers.
This presentation of responsibilities, duties and powers follows in essence the same pattern as those for national supervisory bodies: hearing and investigating complaints, conducting other inquiries, informing controllers and data subjects, carrying out prior checks when processing operations present specific risks, etc. The Regulation gives the EDPS the power to obtain access to relevant information and relevant premises, where this is necessary for inquiries. He can also impose sanctions and refer a case to the Court of Justice. These supervisory activities are discussed at greater length in Chapter 2 of this report.
Some tasks are of a special nature. The task of advising the Commission and other institutions about new legislation — emphasised in Article 28(2) by a formal obligation for the Commission to consult the EDPS when it adopts a legislative proposal relating to the protection of personal data — also relates to draft directives and other measures that are designed to apply at national level or to be implemented in national law. This is a strategic task that allows the EDPS to have a look at privacy implications at an early stage and to discuss any possible alternatives, also in the former ‘third pillar’ (police and judicial cooperation in criminal matters). Monitoring relevant developments which may have an impact on the protection of personal data and intervening in cases before the Court of Justice are also important tasks. These consultative activities of the EDPS are more widely discussed in Chapter 3 of this report.
The duty to cooperate with national supervisory authorities and supervisory bodies in the former ‘third pillar’ has a similar impact. As a member of the Article 29 Data Protection Working Party, established to advise the European Commission and to develop harmonised policies, the EDPS has the opportunity to contribute at that level. Cooperation with supervisory bodies in the former ‘third pillar’ allows him to observe developments in that context and to contribute to a more coherent and consistent framework for the protection of personal data, regardless of the ‘pillar’ or the specific context involved. This cooperation is further dealt with in Chapter 4 of this report.
Annex B — Extract from Regulation (EC) No 45/2001
Article 41 — European Data Protection Supervisor
1. An independent supervisory authority is hereby established referred to as the European Data Protection Supervisor.
2. With respect to the processing of personal data, the European Data Protection Supervisor shall be responsible for ensuring that the fundamental rights and freedoms of natural persons, and in particular their right to privacy, are respected by the Community institutions and bodies.
The European Data Protection Supervisor shall be responsible for monitoring and ensuring the application of the provisions of this regulation and any other Community act relating to the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data by a Community institution or body, and for advising Community institutions and bodies and data subjects on all matters concerning the processing of personal data. To these ends he or she shall fulfil the duties provided for in Article 46 and exercise the powers granted in Article 47.
Article 46 — Duties
The European Data Protection Supervisor shall:
(a) hear and investigate complaints, and inform the data subject of the outcome within a reasonable period;
(b) conduct inquiries either on his or her own initiative or on the basis of a complaint, and inform the data subjects of the outcome within a reasonable period;
(c) monitor and ensure the application of the provisions of this regulation and any other Community act relating to the protection of natural persons with regard to the processing of personal data by a Community institution or body with the exception of the Court of Justice of the European Communities acting in its judicial capacity;
(d) advise all Community institutions and bodies, either on his or her own initiative or in response to a consultation, on all matters concerning the processing of personal data, in particular before they draw up internal rules relating to the protection of fundamental rights and freedoms with regard to the processing of personal data;
(e) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies;
(f) cooperate with the national supervisory authorities referred to in Article 28 of Directive 95/46/EC in the countries to which that directive applies to the extent necessary for the performance of their respective duties, in particular by exchanging all useful information, requesting such authority or body to exercise its powers or responding to a request from such authority or body;
ii) also cooperate with the supervisory data protection bodies established under Title VI of the Treaty on European Union particularly with a view to improving consistency in applying the rules and procedures with which they are respectively responsible for ensuring compliance;
(g) participate in the activities of the working party on the protection of individuals with regard to the processing of personal data set up by Article 29 of Directive 95/46/EC;
(h) determine, give reasons for and make public the exemptions, safeguards, authorisations and conditions mentioned in Article 10(2)(b), (4), (5) and (6), in Article 12(2), in Article 19 and in Article 37(2);
(i) keep a register of processing operations notified to him or her by virtue of Article 27(2) and registered in accordance with Article 27(5), and provide means of access to the registers kept by the data protection officers under Article 26;
(j) carry out a prior check of processing notified to him or her;
(k) establish his or her rules of procedure.
Article 47 — Powers
1. The European Data Protection Supervisor may:
(a) give advice to data subjects in the exercise of their rights;
(b) refer the matter to the controller in the event of an alleged breach of the provisions governing the processing of personal data, and, where appropriate, make proposals for remedying that breach and for improving the protection of the data subjects;
(c) order that requests to exercise certain rights in relation to data be complied with where such requests have been refused in breach of Articles 13 to 19;
(d) warn or admonish the controller;
(e) order the rectification, blocking, erasure or destruction of all data when they have been processed in breach of the provisions governing the processing of personal data and the notification of such actions to third parties to whom the data have been disclosed;
(f) impose a temporary or definitive ban on processing;
(g) refer the matter to the Community institution or body concerned and, if necessary, to the European Parliament, the Council and the Commission;
(h) refer the matter to the Court of Justice of the European Communities under the conditions provided for in the Treaty;
(i) intervene in actions brought before the Court of Justice of the European Communities.
2. The European Data Protection Supervisor shall have the power:
(a) to obtain from a controller or Community institution or body access to all personal data and to all information necessary for his or her enquiries;
(b) to obtain access to any premises in which a controller or Community institution or body carries on its activities when there are reasonable grounds for presuming that an activity covered by this regulation is being carried out there.
Annex C — List of abbreviations
ACTA Anti-Counterfeiting Trade Agreement
CIS Customs Information System
CoA Court of Auditors
CoR Committee of the Regions
CPAS Comité de Préparation pour les Affaires Sociales
DAS Declaration of Assurance
DG INFSO Directorate General for the Information Society and Media
DG MARKT Internal Market and Services Directorate General
DIGIT Directorate General Informatics
DPA Data Protection Authority
DPC Data Protection Coordinator
DPO Data Protection Officer
EAS European Administrative School
EASA European Aviation Safety Agency
EC European Communities
ECB European Central Bank
ECDC European Centre for Disease Prevention and Control
ECJ European Court of Justice
EDPS European Data Protection Supervisor
EEA European Environment Agency
EFSA European Food Safety Authority
EIB European Investment Bank
EIO European Investigation Order
ENISA European Network and Information Security Agency
ECHR European Convention on Human Rights
EPO European Protection Order
EPSO European Personnel Selection Office
ERCEA European Research Council Executive Agency
EU European Union
EWRS Early Warning Response System
FRA European Union Agency for Fundamental Rights
HR Human resources
IAS Internal Auditing Service
ICT Information and Communication Technology
IMI Internal Market Information System
IOM International Organisation for Migration
ISS Internal Security Strategy
IT Information technology
JRC Joint Research Centre
JRO Joint return operation
JSA Joint Supervisory Authority
JSB Joint Supervisory Body
JSIMC Joint Sickness Insurance Management Committee
LIBE European Parliament’s Committee on Civil Liberties, Justice and Home Affairs
LISO Local Information Security Officer
LSO Local Security Officer
OHIM Office for Harmonization in the Internal Market
OLAF European Anti-fraud Office
PNR Passenger Name Record
RFID Radio Frequency Identification
SIS Schengen Information System
SNE Seconded national expert
SOC Service and Operational Centre
s-TESTA Secure Trans-European Services for Telematics between Administrations
SWIFT Society for Worldwide Interbank Financial Telecommunication
TFTP Terrorist Finance Tracking Programme
TFTS Terrorist Finance Tracking System
TFUE Treaty on the Functioning of the European Union
TURBINE TrUsted Revocable Biometrics IdeNtitiEs
UNHCR United Nations High Commissioner for Refugees
VIS Visa information system
WCO World Customs Organization
WP29 Article 29 Data Protection Working Party
WPPJ Working Party on Police and Justice
Annex D — List of Data Protection Officers
• ORGANISATION • NAME • E-MAIL
European Parliament (EP) Jonathan STEELE [email protected]
Council of the European Union (Consilium) Carmen LOPEZ RUIZ [email protected]
European Commission (EC) Philippe RENAUDIÈRE [email protected]
Court of Justice of the European Union (CURIA) Valerio Agostino PLACCO [email protected]
European Court of Auditors (ECA) Johan VAN DAMME [email protected]
European Economic and Social Committee (EESC) Maria ARSENE [email protected]
Committee of the Regions (CoR) Rastislav SPÁC [email protected]
European Investment Bank (EIB) Jean-Philippe MINNAERT [email protected]
European External Action Service (EEAS) Ingrid HVASS [email protected]
European Ombudsman Loïc JULIEN [email protected]
European Data Protection Supervisor (EDPS) Sylvie PICARD [email protected]
European Central Bank (ECB) Frederik MALFRÈRE [email protected]
European Anti-Fraud Office (OLAF) Laraine LAUDATI [email protected]
Translation Centre for the Bodies of the European Union (CdT) Edina TELESSY [email protected]
Office for Harmonisation in the Internal Market (OHIM) Ignacio DE MEDRANO CABALLERO
European Union Fundamental Rights Agency (FRA) Nikolaos FIKATAS [email protected]
European Medicines Agency (EMEA) Alessandro SPINA [email protected]
Community Plant Variety Office (CPVO) Véronique DOREAU [email protected]
European Training Foundation (ETF) Tiziana CICCARONE [email protected]
European Network and Information Security Agency (ENISA) Ulrike LECHNER [email protected]
European Foundation for the Improvement of Living and Working Conditions (Eurofound) Markus GRIMMEISEN [email protected]
European Monitoring Centre for Drugs and Drug Addiction (EMCDDA) Ignacio Vázquez MOLINÍ [email protected]
European Food Safety Authority (EFSA) Claus RÉUNIS [email protected]
European Maritime Safety Agency (EMSA) Malgorzata NESTEROWICZ [email protected]
European Centre for the Development of Vocational Training (Cedefop) Spyros ANTONIOU [email protected]
Education, Audiovisual and Culture Executive Agency (EACEA) Hubert MONET [email protected]
European Agency for Safety and Health at Work (OSHA) Eusebio RIAL GONZALES [email protected]
Community Fisheries Control Agency (CFCA) Rieke ARNDT [email protected]
European Union Satellite Center (EUSC) Jean-Baptiste TAUPIN [email protected]
European Institute for Gender Equality (EIGE) Ramunas LUNSKUS [email protected]
European GNSS Supervisory Authority (GSA) Triinu VOLMER [email protected]
European Railway Agency (ERA) Zografia PYLORIDOU [email protected]
Executive Agency for Health and Consumers (EAHC) Beata HARTWIG [email protected]
European Centre for Disease Prevention and Control (ECDC) Rebecca TROTT [email protected]
European Environment Agency (EEA) Olivier CORNU [email protected]
European Investment Fund (EIF) Jobst NEUSS [email protected]
European Agency for the Management of Operational Cooperation at the External Border (Frontex) Sakari VUORENSOLA [email protected]
European Aviation Safety Agency (EASA) Francesca PAVESI [email protected]
Executive Agency for Competitiveness and Innovation (EACI) Elena FIERRO SEDANO [email protected]
Trans-European Transport Network Executive Agency (TEN-T EA) Zsófia SZILVÁSSY [email protected]
European Banking Authority (EBA) Joseph MIFSUD [email protected]
European Chemicals Agency (ECHA) Alain LEFÈBVRE [email protected]
European Research Council Executive Agency (ERCEA) Nadine KOLLOCZEK [email protected]
Research Executive Agency (REA) Evangelos TSAVALOPOULOS [email protected]
European Systemic Risk Board (ESRB) Frederik MALFRÈRE [email protected]
Fusion for Energy
Radoslav HANAK [email protected]
SESAR Joint Undertaking
Daniella PAVKOVIC [email protected]
ARTEMIS Joint Undertaking
Anne SALAÜN [email protected]
Clean Sky Joint Undertaking
Silvia POLIDORI [email protected]
Innovative Medicines Initiative (IMI)
Estefania RIBEIRO [email protected]
Fuel Cells & Hydrogen Joint Undertaking
Nicolas BRAHY [email protected]
European Insurance and Occupational Pensions Authority (EIOPA)
Catherine COUCKE [email protected]
Collège européen de police (CEPOL)
Leelo KILG [email protected]
European Institute of Innovation and Technology (EIT)
Roberta MAGGIO [email protected]
European Defence Agency (EDA)
Alain-Pierre LOUIS [email protected]
ENIAC Joint Undertaking
Marc JEUNIAUX [email protected]
Annex E — List of prior check opinions
Procurement procedures - CFCA
Opinion of 21 December 2011 on the notification for prior checking concerning procurement procedures at the Community Fisheries Control Agency (Case 2011-0890)
Video-surveillance system - ECA
Letter of 20 December 2011 on the notification for prior checking regarding the video-surveillance system at the European Court of Auditors (ECA) (Case 2011-0989)
360° feedback survey for managers
Opinion of 20 December 2011 on a notification for prior checking regarding the “360° feedback survey for managers” at the Committee of the Regions (Case 2011-0926)
Staff Evaluation Procedures - Eurofound
Opinion of 19 December 2011 on the notification for prior checking regarding probationary reports, staff appraisals and promotions at the European Foundation for Improvement of Living and Working Conditions (Case 2011-0628)
Interventions of the Chambre d’écoute in the Framework of the Reorganization of OLAF’s Organigram
Opinion of 16 December 2011 on the notification for prior checking regarding Interventions of the Chambre d’écoute in the Framework of the Reorganization of OLAF’s Organigram (case 2011-1021)
Procedure concerning invalidity committees - Court of Justice
Opinion of 15 December 2011 on the notification for prior checking concerning the file “Procedure concerning invalidity committees” (Case 2011-0655)
Staff evaluation procedures - European Chemicals Agency
Opinion of 15 December 2011 on the notification for prior checking regarding staff evaluation procedures at the European Chemicals Agency (ECHA) (Case 2011-0945)
Staff appraisals - ACER
Opinion of 15 December 2011 on the notification for prior checking concerning Probationary Reports and Staff appraisals including appraisal of Director at the Agency for the cooperation of Energy Regulators (ACER) (Case 2011-0953)
Probationary reports, staff appraisals, reclassification - ERCEA
Opinion of 15 December 2011 on the notification for prior checking concerning the annual appraisal and probation, reclassification and assessment of the ability to work in a third language at the European Research Council Executive Agency (Case 2011-0955/0956/0963)
Staff evaluation procedures - Trans-European Transport Network Executive Agency
Joint Opinion of 14 December 2011 on the notifications for prior checking regarding staff evaluation procedures at the Trans-European Transport Network Executive Agency (TEN-T EA) (case 2011-0990)
Procedure for early retirement without reduction of pension rights - CPVO
Opinion of 13 December 2011 on the notification for prior checking on the procedure for early retirement without reduction of pension rights at the Community Plant Variety Office (CPVO) (Case 2011-0304)
Transmission of inspection reports - CFCA
Joint opinion of 30 November 2011 on two notifications for Prior Checking concerning the “Transmission of inspection reports related to the bluefin tuna joint deployment plan (BFT JDP) and transmission of inspection reports (NAFO/NEAFC)”, Community Fisheries Control Agency (CFCA) (Cases 2011-0615 and 2011-0636)
Procurement procedures and related procurement contracts - CPVO
Opinion of 30 November 2011 on the notification for prior checking concerning procurement procedures and related procurement contracts at the Community Plant Variety Office (Case 2011-0740)
E-recruitment for the Graduate Recruitment and Development Programme - EIB
Letter of 24 November 2011 on notification for prior checking regarding “E-recruitment for the Graduate Recruitment and Development Programme” at the European Investment Bank (Case 2009-0761)
Selection of experts - ERA
Opinion of 22 November 2011 on the notifications for prior checking concerning the Calls for applications to establish lists of prospective independent experts to assist the work of the Working Parties/Groups/Task Forces of the European Railway Agency in the fields of Railway Safety and Railway Interoperability (Joint Cases 2011-0667/0668)
Evaluation and grants management - ERCEA
Opinion of 21 November 2011 on the notification for prior checking concerning proposals evaluation and grants management at the European Research Council Executive Agency (ERCEA) (Case 2011-0845)
Recruitment of staff and selection and recruitment of trainees - Fuel Cells Hydrogen Joint Undertaking
Opinion of 15 November 2011 on the notifications for prior checking concerning selection and recruitment of staff and selection and recruitment of trainees, Fuel Cells Hydrogen Joint Undertaking (FCH JU) (Cases 2011-0833/0834)
Selection procedures for contract agents - European Commission
Letter of 11 November 2011 on the notification for prior checking concerning selection procedures for contract agents in the services of the European Commission (Case 2011-0820)
Video-surveillance system - ECHA
Letter of 25 October 2011 on notification for prior checking on the video-surveillance system at the European Chemicals Agency (ECHA) (Case 2011-0012)
“Return to Work” policy - EU-OSHA
Opinion of 24 October 2011 on a notification for prior checking regarding the policy “Return to Work” at the European Agency for Safety and Health at Work (EU-OSHA) (Case 2011-0752)
Selection of confidential counsellors and anti-harassment policy
Opinion of 21 October 2011 on notifications for prior checking concerning the “anti-harassment policy” and “the selection of confidential counsellors” at certain EU agencies (Case 2011-0483)
Recruitment of staff - Court of Justice
Letter of 21 October 2011 on the notification for prior checking of the data processing operations relating to the “recruitment of staff” at the Court of Justice of the European Union (Case 2011-0388)
Probation at the CPVO
Opinion of 19 October 2011 on a notification for prior checking concerning assessment and reporting on probationary period at the Community Plant Variety Office (Case 2011-0298)
Virtual Operational Cooperation Unit, the Mutual Assistance Broker, and the Customs Information System - OLAF
Joint opinion of 17 October 2011 on notifications for prior checking regarding the Virtual Operational Cooperation Unit, the Mutual Assistance Broker, and the Customs Information System (Joint cases 2010-0797/0798/0799)
Selection of participants to (internal/external) learning and development actions - EC
Opinion of 17 October 2011 on the notification for prior checking concerning “Selection of participants to (internal/external) learning and development actions” (Case 2011-0627)
Internal mobility of staff members - EACEA
Opinion of 17 October 2011 on the notification for prior checking concerning “internal mobility of EACEA’s staff members” (Case 2011-0672)
Electronic CV
Opinion of 4 October 2011 on the notification for prior checking from the Data Protection Officer of the European Parliament concerning Electronic CV (Case 2011-0568)
Selection procedure for the position of Member of the Management Board - EFSA
Opinion of 3 October 2011 on a notification for prior checking regarding the “Selection procedure for the position of Member of the Management Board of the European Food Safety Authority (EFSA)” (Case 2011-0575)
Selection and recruitment of SNEs, trainees and temporary staff - Eurofound
Opinion of 27 September 2011 on a notification for prior checking on the selection and recruitment of SNEs, trainees and temporary staff (Cases 2011-0645/0646/0647)
PMO - establishment of individual output indicators
Opinion of 23 September 2011 on the notification for prior checking concerning the establishment of individual output indicators (Case 2011-0368)
DG INFSO Staff Competencies and Aspirations Mapping Database
Opinion of 23 September 2011 on a notification for prior checking concerning DG INFSO Staff Competencies and Aspirations Mapping Database (Case 2011-0614)
“IDEAS-Exclusion of Experts by Applicants” project - ERCEA
Opinion of 21 September 2011 on a notification for prior checking regarding the project “IDEAS-Exclusion of Experts by Applicants” of the European Research Council Executive Agency (ERCEA) (Case 2010-0661)
Establishment and payment of salaries and allowances
Opinion of 19 September 2011 on the processing of personal data by the services of the European Foundation for the Improvement of Living and Working Conditions (Eurofound) for the “establishment and payment of salaries and allowances” (Case 2011-0644)
Administrative inquiries and disciplinary proceedings - Court of Justice
Opinion of 12 September 2011 on the updated notification concerning administrative inquiries and disciplinary proceedings within the Court of Justice of the EU (Case 2011-0806)
Further development of DG Translation managers
Opinion of 9 September 2011 on the notification for prior checking concerning Feedback for further development of DG Translation managers (Case 2011-0511)
Selection and recruitment of SNEs at Fusion for Energy
Opinion of 9 September 2011 on the notifications for prior checking on the processing operations related to the selection and recruitment of SNEs at Fusion for Energy (F4E) (Case 2011-0340)
Seconded National Experts
Letter of 9 September 2011 on the notification for prior checking on processing of data in connection with ‘Seconded National Experts’ (SNEs) (Case 2011-0557)
Commission Physical Access Control System (PACS)
Opinion of 8 September 2011 on the “Commission Physical Access Control System (PACS): PSG Projet de Sécurisation Globale” (Case 2010-0427)
Selection procedure for temporary agents
Opinion of 29 July 2011 on a notification for prior checking on the processing operations related to the selection procedure for temporary agents organised by the European Commission (EC) for “posts other than supervision and advice without EPSO concours” (Case 2011-0559)
Electronic Exchange of Social Security Information system
Opinion of 28 July 2011 on a notification for prior checking on the Electronic Exchange of Social Security Information system (“EESSI”) (Case 2011-0016)
Requests for a part-time work - CPVO
Opinion of 28 July 2011 on a notification for prior checking regarding requests for a part-time work at the Community Plant Variety Office (Case 2011-0299)
Mobility Procedure
Opinion of 27 July 2011 on the notification for prior checking relating to the ‘Mobility Procedure’ (Case 2011-0648)
Executive Committee and the Technical Advisory Panel of the Fusion for Energy
Opinion of 26 July 2011 on the notifications for prior checking from the Data Protection Officer of Fusion for Energy concerning the calls for expression of interest for external experts to be appointed to the Executive Committee and the Technical Advisory Panel of the Fusion for Energy (Joint Cases 2011-0363/0364)
Fingerprint recognition study of children below the age of 12 years
Opinion of 25 July 2011 on a notification for prior checking related to the “Fingerprint recognition study of children below the age of 12 years” (Case 2011-0209)
Management of the European Parliament’s Crèches in Brussels
Opinion of 25 July 2011 on the notification for prior checking on the “Management of the European Parliament’s Crèches in Brussels” (Case 2010-0385)
Access Control System
Opinion of 15 July 2011 on a notification for prior checking on Access Control System at JRC Ispra Site (Case 2010-0902)
Processing of administrative inquiries and disciplinary proceedings - EASA
Letter of 13 July 2011 on the notification for prior checking concerning the processing of administrative inquiries and disciplinary proceedings (the AI&DP) at the European Aviation Safety Agency (EASA) in the light of the EDPS Guidelines on AI&DP (Case 2011-0558)
Sickness Leave at OHIM
Opinion of 12 July 2011 on the notification for prior checking concerning Control and Management of Sickness Leave at the Office for Harmonisation of the Internal Market (Case 2010-0263)
Interim staff - Committee of the Regions
Letter of 30 June 2011 on the notification for prior checking concerning data processing operations relating to interim staff at the Committee of the Regions (Case 2010-0796)
Processing of administrative inquiries and disciplinary proceedings
Opinion of 22 June 2011 on notifications for prior checking regarding the “processing of administrative inquiries and disciplinary proceedings” in certain EU agencies (Case 2010-0752)
Quality Management System and ex-post quality checks - OHIM
Opinion of 9 June 2011 on the notification for prior checking regarding Quality Management System and ex-post quality checks for Harmonization at the Office for Harmonization for the Internal Market (“OHIM”) (Case 2010-0869)
Selection of trainees - CPVO
Letter of 1 June 2011 on a notification for prior checking on the processing of data in connection with the selection of trainees at the CPVO (Case 2011-0214)
Selection procedure of SNEs - JRC
Opinion of 30 May 2011 on the notification for prior checking regarding the “Selection procedure of SNEs at JRC” (Case 2008-0141)
Staff Appraisal at CEDEFOP
Opinion of 24 May 2011 on the notification for prior checking concerning Staff Appraisal at the European Centre for the Development of Vocational Training (Case 2010-0620)
Certification procedure - CPVO
Opinion of 19 May 2011 on the notification for prior checking concerning the certification procedure at the Community Plant Variety Office (Case 2011-0055)
Consumer Protection Co-operation System (CPCS)
Opinion of 4 May 2011 on the notification for prior checking concerning the Consumer Protection Co-operation System (“CPCS”) (Case 2009-0019)
Procurement procedures - EACEA
Opinion of 29 April 2011 on the notification for prior checking concerning procurement procedures at the Education Audiovisual and Culture Executive Agency (EACEA) (Case 2011-0135)
Grant and procurement award procedures including call for expression of interest - EEA
Opinion of 18 April 2011 on the notification for prior checking concerning ‘Grant and procurement award procedures including call for expression of interest’ at the European Environment Agency (Case 2011-0103)
Selection of the members of the European Systemic Risk Board Advisory Scientific Committee - ECB
Opinion of 13 April 2011 on a notification for prior checking regarding the “Selection of the members of the European Systemic Risk Board Advisory Scientific Committee” at the European Central Bank (Case 2011-0101)
“Anti-harassment policy and the setting up of an interagency network of confidential counsellors” and “the selection of confidential counsellors”
Opinion of 11 April 2011 on notifications for prior checking concerning the “anti-harassment policy and the setting up of an interagency network of confidential counsellors” and “the selection of confidential counsellors” (Case 2011-0151)
Selection and recruitment of officials, temporary and contracts agent - F4E
Letter of 7 April 2011 on a notification for prior checking concerning selection and recruitment of officials, temporary and contracts agent at the Fusion for Energy (F4E) (Case 2010-0454)
“Management of leave” and “Management of Leave on Personal Grounds and Unpaid Leave” - CPVO
Joint opinion of 28 March 2011 on two notifications for prior checking concerning “Management of leave” and “Management of Leave on Personal Grounds and Unpaid Leave” at the Community Plant Variety Office (CPVO) (Cases 2010-0073/0075)
Selection and Appointment of members of EFSA’s Scientific Committee and Panels - EFSA
Opinion of 21 March 2011 on the notification for prior checking regarding the “Selection and Appointment of members of EFSA’s Scientific Committee and Panels” (Case 2010-0980)
Management of Recruitment Files for Temporary Agents - JRC
Opinion of 9 March 2011 on a notification for prior checking regarding the Management of Recruitment Files for Temporary Agents at the Joint Research Centre (JRC) (Case 2008-0143)
Analytical accounting and performance reports - OHIM
Opinion of 2 March 2011 on a notification for prior checking regarding “Analytical accounting and performance reports” (Case 2009-0771)
Processing of data in connection with the selection and recruitment of trainees - ERA
Letter of 2 March 2011 on the notification for prior checking concerning the processing of data in connection with the selection and recruitment of trainees at the ERA (Case 2010-0313)
CRIS-Follow up of experts availability in FWC assignment - EC
Opinion of 23 February 2011 on a notification for prior checking regarding “CRIS-Follow up of experts availability in FWC assignment” (Case 2010-0465)
Processing of health data in the workplace
Opinion of 11 February 2011 on notifications for prior checking concerning the “processing of health data in the workplace” (Case 2010-0071)
Processing operations “Listening Points/Informal procedures” - EMA
Opinion of 7 February 2011 on a notification for prior checking regarding the processing operations “Listening Points/Informal procedures” (management of cases of psychological or sexual harassment) (Case 2010-0598)
Evaluation of the EMCDDA Director
Opinion of 26 January 2011 on the notification for prior checking concerning Probationary Period, Management Probationary Period and Annual Performance Appraisal of the Director of the European Monitoring Centre for Drugs and Drug Addiction (case 2010-0895)
Annex F — List of opinions and formal comments on legislative proposals
Opinions on legislative proposals
Common Agricultural Policy after 2013
Opinion of 14 December 2011 on the legal proposals for the Common Agricultural Policy after 2013
Use and transfer of Passenger Name Records to the United States Department of Homeland Security
Opinion of 9 December 2011 on the Proposal for a Council Decision on the conclusion of the Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records to the United States Department of Homeland Security
Internal Market Information System (‘IMI’)
Opinion of 22 November 2011 on the Commission Proposal for a Regulation of the European Parliament and of the Council on administrative cooperation through the Internal Market Information System (‘IMI’)
Community control system for ensuring compliance with the rules of the Common Fisheries Policy
Opinion of 28 October 2011 on the Commission Implementing Regulation (EU) No 404/2011 of 8 April 2011 laying down detailed rules for the implementation of Council Regulation (EC) No 1224/2009 establishing a Community control system for ensuring compliance with the rules of the Common Fisheries Policy
Legislative package on the victims of crime
Opinion of 17 October 2011 on the legislative package on the victims of crime, including a proposal for a Directive establishing minimum standards on the rights, support and protection of the victims of crime and a proposal for a Regulation on mutual recognition of protection measures in civil matters
European Account Preservation Order
Opinion of 13 October 2011 on a proposal for a Regulation of the European Parliament and of the Council creating a European Account Preservation Order to facilitate cross-border debt recovery in civil and commercial matters
Customs enforcement of intellectual property rights
Opinion of 12 October 2011 on the proposal for a Regulation of the European Parliament and of the Council concerning customs enforcement of intellectual property rights
Net neutrality
Opinion of 7 October 2011 on net neutrality, traffic management and the protection of privacy and personal data
Recording equipment in road transport
Opinion of 5 October 2011 on the proposal for a Regulation of the European Parliament and of the Council amending Council Regulation (EEC) No 3821/85 on recording equipment in road transport and amending Regulation (EC) No 561/2006 of the European Parliament and the Council
European statistics on safety from crime
Opinion of 19 September 2011 on the Proposal for a Regulation of the European Parliament and of the Council on European statistics on safety from crime
Credit agreements relating to residential property
Opinion of 25 July 2011 on the proposal for a Directive of the European Parliament and of the Council on credit agreements relating to residential property
PNR - Australia
Opinion of 15 July 2011 on the Proposal for a Council Decision on the conclusion of an Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service
Migration
Opinion of 7 July 2011 on the Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions on migration
Technical requirements for credit transfers and direct debits in euros
Opinion of 23 June 2011 on the Proposal for a Regulation of the European Parliament and of the Council establishing technical requirements for credit transfers and direct debits in euros and amending Regulation (EC) No 924/2009
Energy market integrity and transparency
Opinion of 21 June 2011 on the Proposal for a Regulation of the European Parliament and of the Council on energy market integrity and transparency
Investigations conducted by the European Anti-Fraud Office (OLAF)
Opinion of 1 June 2011 on the Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 1073/1999 concerning investigations conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (EURATOM) No 1074/1999
Evaluation report from the Commission to the Council and the European Parliament on the Data Retention Directive (Directive 2006/24/EC)
Opinion of 31 May 2011 on the Evaluation report from the Commission to the Council and the European Parliament on the Data Retention Directive (Directive 2006/24/EC)
Interconnection of central, commercial and companies registers
Opinion of 6 May 2011 on the Proposal for a Directive of the European Parliament and of the Council amending Directives 89/666/EEC, 2005/56/EC and 2009/101/EC as regards the interconnection of central, commercial and companies registers
Consumer Protection Cooperation System (“CPCS”)
Opinion of 5 May 2011 on the Consumer Protection Cooperation System (“CPCS”) and on Commission Recommendation 2011/136/EU on guidelines for the implementation of data protection rules in the CPCS
OTC derivatives, central counterparties and trade repositories
Opinion of 19 April 2011 on the proposal for a Regulation of the European Parliament and of the Council on OTC derivatives, central counterparties and trade repositories
Financial rules applicable to the annual budget of the Union
Opinion of 15 April 2011 on the proposal for a Regulation of the European Parliament and of the Council on the financial rules applicable to the annual budget of the Union
Passenger Name Record
Opinion of 25 March 2011 on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
Turbine (TrUsted Revocable Biometric IdeNtitiEs)
Opinion of 1 February 2011 on a research project funded by the European Union under the Seventh Framework Programme (FP7) for Research and Technology Development - Turbine (TrUsted Revocable Biometric IdeNtitiEs)
Comprehensive approach on personal data protection in the European Union
Opinion of 14 January 2011 on the Communication from the Commission on “A comprehensive approach on personal data protection in the European Union”
Formal comments on legislative proposals
Amended proposal on OLAF Regulation No 1073/1999
Letter of 19 December 2011 concerning a new Article and recital in the amended proposal on OLAF Regulation No 1073/1999
Rights and Citizenship Programme
Letter of 19 December 2011 on the Proposal for a Regulation of the European Parliament and of the Council establishing for the period 2014 to 2020 the Rights and Citizenship Programme
Implementation of the harmonised EU-wide in-vehicle emergency call (“eCall”)
EDPS comments of 12 December 2011 on the Commission Recommendation and the accompanying impact assessment on the implementation of the harmonised EU-wide in-vehicle emergency call (“eCall”)
EDPS comments on various legislative proposals concerning certain restrictive measures with regard to Afghanistan, Syria and Burma/Myanmar
Letter of 9 December 2011 to the President of the Council of the European Union on various legislative proposals concerning certain restrictive measures with regard to Afghanistan, Syria and Burma/Myanmar
EDPS comments on a proposal for a Directive on energy efficiency
Letter of 27 October 2011 to Mr Günther H. Oettinger, Commissioner for Energy on a proposal for a Directive of the European Parliament and of the Council on energy efficiency and repealing Directives 2004/8/EC and 2006/32/EC
Terrorist Finance Tracking System (TFTS)
Comments on the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions of 13 July 2011: “A European terrorist finance tracking system: Available options”
Towards an EU Criminal Policy: Ensuring the effective implementation of EU policies through criminal law
EDPS comments of 24 October 2011 on the Communication of European Commission ‘Towards an EU Criminal Policy: Ensuring the effective implementation of EU policies through criminal law’
Common basic standards on civil aviation security
Comments of 17 October 2011 on the draft proposals for a Commission Regulation and for a Commission implementing Regulation on common basic standards on civil aviation security as regards the use of security scanners at EU airports
EDPS comments on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters
Letter of 20 September 2011 to Ms Viviane Reding, Vice-President of the European Commission on a proposal for a Regulation of the European Parliament and of the Council on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters
EDPS comments on the Anti-Corruption Package
EDPS letter of 6 July 2011 on the Commission’s Communication “Fighting Corruption in the EU” and the Commission Decision establishing an EU Anti-corruption reporting mechanism for periodic assessment
Intellectual Property Rights Directive
EDPS response of 8 April 2011 to the Commission’s Consultation on its Report on the application of Intellectual Property Rights Directive
Various legislative proposals concerning certain restrictive measures, with regard to Iran, in the Republic of Guinea-Bissau, in Côte d’Ivoire, in Belarus, in Tunisia, in Libya and in Egypt
EDPS letter of 16 March 2011 concerning various legislative proposals concerning certain restrictive measures, with regard to Iran, in the Republic of Guinea-Bissau, in Côte d’Ivoire, in Belarus, in Tunisia, in Libya and in Egypt.
Annex G — Speeches by the Supervisor and Assistant Supervisor in 2011
The Supervisor and the Assistant Supervisor continued in 2011 to invest substantial time and effort in explaining their mission and raising awareness of data protection in general, as well as a number of specific issues in speeches and similar contributions for different institutions and in various Member States throughout the year.
European Parliament
12 January: Supervisor, JURI Committee, WG on Administrative Law (Brussels)
26 January: Supervisor, JURI Committee about sensitive data on Internet (Brussels)
14 March: Assistant Supervisor, ITRE Committee on draft Regulation on ENISA (Brussels)
31 March: Supervisor, ETICA - Ethics and Governance of Future and Emerging ICTs (Brussels) (*)
13 April: Supervisor, LIBE Committee on Public access to documents (Brussels) (*)
27 April: Supervisor, JURI Conference on Administrative Law (Leon)
15 June: Supervisor and Assistant Supervisor, LIBE Committee on Annual Report 2010 (Brussels) (**)
4 October: Supervisor, LIBE Committee on Cyber Attacks against Information Systems (Brussels) (*)
10 November: Supervisor, LIBE Committee on EU Charter of Fundamental Rights (Brussels) (*)
Council
17 January: Supervisor, WP on Data Protection and Information Exchange (Brussels)
27 January: Supervisor, Polish Permanent Representation on Data Protection Day (Brussels)
1 March: Assistant Supervisor, WP on ENISA Regulation (Brussels) (*)
4 May: Assistant Supervisor, WP on Data Protection and Information Exchange (Brussels) (*)
16 June: Supervisor and Assistant Supervisor, International DP Conference (Budapest) (*)
23 June: Assistant Supervisor, WP on General Matters on EU PNR (Brussels)
21 September: Supervisor, International Data Protection Conference (Warsaw)
18 November: Assistant Supervisor, Ministerial Conference on e-Government (Poznan) (*)
23 November: Assistant Supervisor, WP on Statistics on Safety for Crime (Brussels) (*)
European Commission
28 January: Supervisor, Joint High Level Meeting on Data Protection (Brussels) (*)
22 June: Supervisor, Conference on Data Retention (Brussels)
22 June: Assistant Supervisor, European Group of Ethics (EGE) (Brussels)
15 September: Supervisor, Secretary-General and Directors-General
28 September: Assistant Supervisor, EC-Etsi on Standards in the Cloud (*)
20 October: Assistant Supervisor, Sixth Security Symposium (Brussels) (*)
Other EU institutions and bodies
11 January: Assistant Supervisor, European Economic and Social Committee (Brussels)
28 January: Supervisor and Assistant Supervisor, Data Protection Day (Brussels) (**)
7 February: Supervisor, European Administrative School, Erasmus (Brussels)
9 February: Assistant Supervisor, European Economic and Social Committee (Brussels) (*)
28 March: Supervisor, European Administrative School, Erasmus (Brussels)
8 June: Assistant Supervisor, Data Protection Officers Workshop (Brussels)
13 October: Supervisor, Heads of European Agencies (Helsinki)
20 October: Assistant Supervisor, European Administrative School, Erasmus (Brussels)
International Conferences
27 January: Supervisor, Computers, Privacy & Data Protection (Brussels)
27 January: Assistant Supervisor, Computers, Privacy & Data Protection (Brussels) (*)
10 March: Supervisor, IAPP Global Privacy Summit (Washington DC)
5 April: Supervisor and Assistant Supervisor, European Data Protection Authorities (Brussels)
12 July: Supervisor, Privacy Laws & Business (Cambridge)
1 November: Supervisor and Assistant Supervisor, Privacy and Data Protection Commissioners (Mexico City)
21 November: Assistant Supervisor, Council of Europe on Rights of the Child 2012-2015 (Monaco) (*)
30 November: Supervisor, IAPP Europe (Paris)
2 December: Assistant Supervisor, UN-ISPAC and CNPDS on Cybercrime (Courmayeur) (*)
6 December: Supervisor, EU Data Protection & Privacy (Brussels)
Other events
19 January: Supervisor, Boltzmann Institute for Human Rights (Vienna)
26 January: Supervisor, GSM Association (Brussels)
3 February: Assistant Supervisor, FIDE Forum on Data Protection in the EU (Madrid)
10 February: Supervisor, European Policy Centre (Brussels)
11 February: Supervisor, University of Leuven, Faculty of Law (Leuven)
17 February: Supervisor, Centre for European Policy Studies (Brussels)
21 February: Supervisor, Senate of Dutch Parliament (The Hague)
23 February: Supervisor, Internet Society/INET Conference (Frankfurt) (**)
24 February: Supervisor, Data Protection Conference (Edinburgh)
24 February: Assistant Supervisor, CRID Workshop on Cloud Computing (Brussels)
2 March: Supervisor, IT Security and e-Privacy (Copenhagen)
21 March: Assistant Supervisor, Justice and Protection of Citizens (Brussels)
23 March: Supervisor, Workshop Privacy Principles (Copenhagen)
24 March: Supervisor, Saxony Office Expert Seminar on e-Justice (Brussels) (*)
29 March: Assistant Supervisor, EUROISPA Digital Roundtable (Brussels)
30 March: Supervisor, Hearing Italian Chamber of Deputies (Rome) (*)
8 April: Assistant Supervisor, IT Cassation Court on Penal Law and Internet (Rome)
14 April: Supervisor, Computers & Data Protection Forum (Copenhagen)
3 May: Supervisor, Council of Europe on Public Access (Brussels)
5 May: Supervisor, C-PET on EU-US relations (Washington DC)
6 May: Supervisor, RISE Conference on Biometrics (Washington DC)
9 May: Assistant Supervisor, Rome University on Fundamental Rights in the EU (Rome)
12 May: Supervisor, Clyde & Co Seminar on Data Protection (London)
12 May: Assistant Supervisor, European Banking Forum (Brussels)
17 May: Supervisor, European Data Protection Day (Berlin)
20 May: Assistant Supervisor, AIDP on Privacy in the Workplace (Cagliari)
25 May: Assistant Supervisor, Accountability Phase III (Madrid)
26 May: Assistant Supervisor, ISMS Forum on Cross Border Data Flows (Madrid)
26 May: Supervisor, Biometrics Institute Australia (Sydney) (*) and (**)
27 May: Supervisor, Data Protection Intensive (London)
8 June: Assistant Supervisor, PSC Europe Forum Conference on Videosurveillance (Brussels) (*)
15 June: Supervisor, European Biometrics Seminar (Brussels)
28 June: Supervisor, Internet of Things (Brussels)
5-6 July: Assistant Supervisor, Consent Social Networking Summit (Göttingen) (*)
7 July: Supervisor, University of Edinburgh, School of Law (*)
19 September: Supervisor, FD Blueprint on Data Protection Review (Brussels)
20 September: Supervisor, Media Law and Data Protection (London)
27 September: Supervisor, 10th Anniversary EPOF (Brussels)
28 September: Supervisor, RIM Information Security (Berlin)
29 September: Supervisor, Centre for European Reform (Brussels)
4 October: Supervisor, Lisbon Council Digital Agenda Summit (Brussels)
28 October: Supervisor, Data Protection in Criminal Process (Madrid)
9 November: Supervisor, NAID-ARMA Conference (London)
18 November: Assistant Supervisor, Lobbying, Transparency and EU institutions (Brussels)
25 November: Supervisor, Privacy Impact Assessment Conference (Berlin)
10 December: Supervisor, Felix Meritis, Bescherming Burgerrechten (Amsterdam)
(*) Text available on the EDPS website
(**) Video available on the EDPS website
Annex H — Composition of EDPS Secretariat
The EDPS and Assistant EDPS with most of their staff.
Director, Head of Secretariat: Christopher DOCKSEY
• Supervision and Enforcement
Sophie LOUVEAUX, Acting Head of Unit
Pierre VERNHES, Legal Adviser
Laurent BESLAY (*), Coordinator for Security and Technology
Jaroslaw LOTARSKI, Coordinator for Complaints
Maria Verónica PEREZ ASINARI, Coordinator for Consultations
Athena BOURKA, Seconded National Expert
Bart DE SCHUITENEER, Technology Officer, Local Security Officer/LISO
Raffaele DI GIOVANNI BEZZI, Legal Officer
Elisabeth DUHR, Seconded National Expert
Delphine HAROU, Legal Officer
John-Pierre LAMB (*), Seconded National Expert
Ute KALLENBERGER, Legal Officer
Xanthi KAPSOSIDERI, Legal Officer
Luisa PALLA, Supervision and Enforcement Assistant
Dario ROSSI, Supervision and Enforcement Assistant, Accounting Correspondent, External Data Warehouse Manager (EDWM)
Galina SAMARAS, Supervision and Enforcement Assistant
Tereza STRUNCOVA, Legal Officer
Michaël VANFLETEREN, Legal Officer
• Policy and Consultation
Hielke HIJMANS, Head of Unit
Bénédicte HAVELANGE (*), Coordinator for Large Scale IT Systems and Border Policy
Herke KRANENBORG, Coordinator for Court Proceedings
Anne-Christine LACOSTE, Coordinator for cooperation with DPAs
Rosa BARCELO (*), Legal Officer
Zsuzsanna BELENYESSY, Legal Officer
Gabriel Cristian BLAJ, Legal Officer
Alba BOSCH MOLINE, Legal Officer
Isabelle CHATELIER, Legal Officer
Katarzyna CUADRAT-GRZYBOWSKA, Legal Officer
Priscilla DE LOCHT, Legal Officer / Contract Agent
Per JOHANSSON, Legal Officer
Owe LANGFELDT, Legal Officer / Interim
Roberto LATTANZI (*), Seconded National Expert
Parminder MUDHAR, Policy and Consultation Assistant
Alfonso SCIROCCO (*), Data Protection Officer, Quality Management
Vera POZZATO, Legal Officer
Luis VELASCO, Technology Officer
• Operations, Planning and Support
Andrea BEACH, Head of Sector
Marta CORDOBA-HERNANDEZ, Administrative Assistant
Christine HUC (*), Administrative Assistant
Kim DAUPHIN, Administrative Assistant
Milan KUTRA, Administrative Assistant
Kim Thien LÊ, Administrative Assistant
Ewa THOMSON, Administrative Assistant
• Information and Communication
Nathalie VANDELLE (*), Head of Sector
Olivier ROSSIGNOL, Acting Head of Sector
Agnieszka NYKA, Information and Communication Assistant
Benoît PIRONET, Web Developer, Contractor
• Human Resources, Budget and Administration
Leonardo CERVERA NAVAS, Head of Unit
Isabelle DELATTRE, Finance and Accounting Assistant
Anne LEVÊCQUE, Human Resources Assistant, GECO
Vittorio MASTROJENI, Human Resources Officer
Julia MALDONADO MOLERO, Contract Agent
Daniela OTTAVI, Finance and Accounting Assistant
Aida PASCU, Administration Assistant, Assistant LSO
Sylvie PICARD, Data Protection Officer, COFO - ICC
Anne-Françoise REYNDERS, Administration Assistant
Maria SANCHEZ LOPEZ, Finance and Accounting Officer
(*) Staff members who left the EDPS in the course of 2011
The European Data Protection Supervisor
Annual Report 2011
Luxembourg: Publications Office of the European Union
2012 — 117 pp. — 21 × 29.7 cm
ISBN 978-92-95073-28-9 doi:10.2804/35928