
Opinions Prior Check and Prior Consultations

Some of the procedures that EU institutions put in place pose risks to the data protection rights and freedoms of individuals.

Under the old legal framework (Regulation (EC) 45/2001), EU institutions were obliged to notify us before putting in place risky data processing operations.

In general, our prior checking Opinions were public.

Regulation 2018/1725 builds on the old Regulation and mirrors the General Data Protection Regulation (EU) 2016/679 (GDPR) that applies to most organisations processing personal data in the Member States. Compared to the previous rules, Regulation 2018/1725 aligns documentation obligations more closely to the risks caused by processing personal data. This means, for example, that the documentation requirements for an EUI’s newsletter subscription will be lower than for a system using ‘intelligent CCTV’ covering publicly accessible space or a database profiling travellers for screening purposes.

Depending on the process at hand, EU institutions processing personal data ('controllers') may not have to go through all the steps below (these steps are described in the Accountability on the ground toolkit): 
• Generate basic documentation (called ‘records’) for all processes; 
• Check if the process is likely to result in high risks to the people whose data are processed and consult the DPO if it appears to do so; 
• If the EU institution needs to do a data protection impact assessment (DPIA), they analyse those risks in more detail and develop specific safeguards/controls to manage them; 
• If the results of the DPIA still indicate high residual data protection risks, the EU institution has to file a prior consultation with the EDPS (see Articles 40 and 90 of Regulation 2018/1725 respectively for administrative and operational personal data).

Article 39 of Regulation 2016/794 on Europol provides for an ad hoc prior consultation mechanism for new types of processing of operational data, namely data processed by Europol to support the Member States in preventing and combating serious crime and terrorism. Similarly, Article 72 of Regulation 2017/1939 on the European Public Prosecutor's Office (EPPO) provides a specific prior consultation mechanism for the processing of operational data, namely data processed in the context of criminal investigations and prosecutions undertaken by the EPPO. Regulation 2018/1725, including the standard prior consultation mechanism, applies to Europol's and EPPO's processing of administrative data, which includes data on staff and visitors, for example.

Where an EU institution is unsure whether to notify us of a data processing operation for prior consultation, their DPO can consult us for advice to confirm.

As for the old prior checking Opinions, in general the prior consultation Opinions are public, but we may delete sensitive elements where necessary, related to security for example. Some opinions, which are by nature sensitive, in particular in the police and justice area, may not be published. For the sake of transparency, these Opinions are summarised in our Annual Report.


15 Dec 2008

Database ARDOS - Commission

Opinion of 15 December 2008 on a notification for prior checking regarding the database ARDOS (Case 2007-380)

The Security Service of the Joint Research Centre (JRC) at Ispra put in place a processing operation called "nulla osta". The purpose of the "nulla osta" procedure is to ascertain and confirm a selected candidate's good conduct. Information collected through this procedure is stored in a database called ARDOS with all documents requested by and presented to the Security Service of the JRC Ispra. It has to be noted that the "nulla osta" processing operation concerns the candidates of all JRC sites except Karlsruhe.

The EDPS examined the processing operation and in particular the legal basis provided by the JRC Ispra to conduct such an assessment of the candidate's good conduct. The EDPS concluded that the processing operation appears to be in breach of the provisions of Regulation (EC) No 45/2001 unless a clear legal basis is identified, produced or established by the institution. Indeed, the processing operation described by the Security Service goes far beyond a checking of the candidate's good conduct, notably by collecting excessive and non-relevant data (data quality principle).

The EDPS moreover recommended that, in order to ensure compliance with the Regulation, the JRC Ispra should make several amendments to the privacy statement to fully respect the information that should be given to the data subject following Article 12 of the Regulation. The EDPS also insisted on the fact that the retention period foreseen by the institution should be implemented as soon as possible.

Available languages: English, French
15 Dec 2008

"Leadership feedback" - Commission

Opinion of 15 December 2008 on the notification for prior checking regarding the optional "Leadership Feedback" procedure established by the European Administrative School ("EAS") in connection with its management courses (Case 2008-527)

This opinion concerns an optional "Leadership Feedback" procedure established by the EAS in connection with its management courses.

EAS, as part of its mandate, organizes management courses for Commission officials and officials of other European institutions and bodies. In connection with each management course, EAS offers participants an opportunity to receive anonymous feedback about their management skills from other participants.

EAS outsourced the provision of management courses to a private company established in a European Union Member State. This company, in turn, outsourced the organization of the Leadership Feedback procedure to another private company, also established in a European Union Member State. EAS has, itself, no access to any data processed during the procedure. The outsourced processor organizes and manages the feedback procedure. In particular, it makes available to participants a secure website tool to collect feedback, aggregates feedback into reports (while the anonymity of those providing feedback is ensured), and provides each participant with a report regarding the group's feedback on his/her own management skills. Participants, if they so wish, may also complete a questionnaire assessing their own management skills and may also allow access to the feedback information to their trainers.

The recommendations of the EDPS include the following:

The contract between EAS and its direct subcontractor, which already contains a data protection clause, should also include that (i) the subcontractor is obliged to ensure that all its direct and indirect subcontractors will undertake the same obligations in writing and that (ii) the choice of the subcontractor’s direct or indirect subcontractors is subject to the approval of EAS, which can be withheld in case the security of the data or maintenance of other data protection safeguards are not ensured.

In addition to the detailed privacy statement on the EAS website, at least the following minimum information should also be provided among the printed materials in the information package: (i) the feedback procedure is entirely optional and anonymous, (ii) all data are processed solely for the purposes of providing feedback, (iii) data will be deleted within 2 months, and (iv) all data are processed by subcontractors and that EAS or others within the Institutions have no access to any data.

Available languages: English, French
5 Dec 2008

Trainee recruitment - CEDEFOP

Opinion of 5 December 2008 on a notification for prior checking on trainee recruitment (Case 2008-196)

The European Centre for the Development of Vocational Training (Cedefop) put in place a processing operation to recruit trainees. The purpose of the processing operation is to recruit trainees and give them a general idea of the objectives and problems associated with the development of initial and continuing professional training within the framework of European Institutions. The EDPS made several recommendations. Cedefop should establish a shorter conservation period for the unsuccessful applicants and establish a conservation period for the copy of the traineeship certificate. The right of access and rectification to the assessment report or other administrative documents should also be ensured to the trainees, and the new rules on trainee recruitment that will be adopted soon by Cedefop should be in compliance with Regulation 45/2001 and in particular with the recommendations made by the EDPS in his Opinion.

Available languages: English, French