Some of the procedures that EU institutions put in place pose risks to the data protection rights and freedoms of individuals.
Under the old legal framework (Regulation (EC) 45/2001), EU institutions were obliged to notify us before putting in place risky data processing operations.
In general, our prior checking Opinions were public.
Regulation 2018/1725 builds on the old Regulation and mirrors the General Data Protection Regulation (EU) 2016/679 (GDPR) that applies to most organisations processing personal data in the Member States. Compared to the previous rules, Regulation 2018/1725 aligns documentation obligations more closely to the risks caused by processing personal data. This means for example that the documentation requirements for a EUI’s newsletter subscription will be lower than for a system using ‘intelligent CCTV’ covering publicly accessible space or a database profiling travellers for screening purposes.
Depending on the process at hand, EU institutions processing personal data ('controllers') may not have to go through all the steps below (these steps are described in the Accountability on the ground toolkit):
• Generate basic documentation (called ‘records’) for all processes;
• Check if the process is likely to result in high risks to the people whose data are processed and consult the DPO if it appears to do so;
• If the EU institution needs to do a data protection impact assessment (DPIA), they analyse those risks in more detail and develop specific safeguards/controls to manage them;
• If the results of the DPIA still indicate high residual data protection risks, the EU institution has to file a prior consultation with the EDPS (see Articles 40 and 90 of Regulation 2018/1725 respectively for administrative and operational personal data).
Article 39 of Regulation 2016/794 on Europol provides for an ad hoc prior consultation mechanism for new type of processing of operational data, namely data processed by Europol to support the Member States in preventing and combating serious crime and terrorism. Similarly, Article 72 of Regulation 2017/1939 on the European Public Prosecutor Office (EPPO) provides a specific prior consultation mechanism for the processing of operational data, namely data processed in the context of criminal investigations and prosecutions undertaken by the EPPO. Regulation 2018/1725, including the standard prior consultation mechanism, applies to Europol's and EPPO's processing of administrative data, which includes data on staff and visitors, for example.
Where an EU institution is unsure whether to notify us a data processing operation for prior consultation, their DPO can consult us for advice to confirm.
As for the old prior checking Opinions, in general the prior consultation Opinions are public, but we may delete sensitive elements where necessary, related to security for example. Some opinions, which are by nature sensitive, in particular in the police and justice area, may not be published. For the sake of transparency, these Opinions are summarised in our Annual Report.
Letter of 13 October 2008 in reply to a notification for prior checking concerning the "Recording of emergency calls at the JRC ISPRA site" (Case 2008-492)
Opinion of 9 October 2008 on a notification for prior checking on the Trainee selection procedure and management of trainees at the Joint Research Centre (JRC) (Case 2008-136)
The purpose of the processing is the recruitment of trainees at the JRC by the Human resources Unit (HR) Ispra or the Institute Management Support Unit (MSU) for other JRC sites, namely Petten, Karlsruhe, Sevilla, Geel. During the selection phase, candidates make a request for a traineeship by filling in an application form for a training period at the JRC.
The Institute concerned will rank the applicants according to the needs of the Institute/Directorate. Trainees are chosen by a selection committee. Selected candidates must also provide results of medical tests. For all trainees the site Security Service needs to ascertain the good conduct of the person in question. The Security Service asks for a recent 'Police Record' from the country of usual residence. Requests for security clearance ("Zuverlässigkeitsüberprüfung") are also required for all persons executing job related tasks at the Karlsruhe site.
The EDPS makes several recommendations, in particular regarding the quality of collected data, data retention, medical data, access to files. The EDPS is also requesting detailed information on security measures adopted.
Opinion of 9 October 2008 on a notification for prior checking regarding the recruitment procedure for contract agents at the Joint Research Centre (Case 2008-142)
This prior-check is part of several opinions adopted by the CEPD this day in the field of recruitment at JRC.
The processing concerns the selection and recruitment of JRC's contractual staff referred to in Title IV of the Conditions of Employment of other servants of the European Communities. The main purpose of the processing is the constitution and management of Contract Agent recruitment files. The recruitment files collect all the information needed in order to start, process and finalize the recruitment procedure, which, at different stages, involves DG JRC Institutes/Directorates (Management Support Units –"MSUs"- and scientific staff), the Human Resources Unit of the Resource Management and the candidates concerned.
The EDPS concludes that on a general basis the procedure complies with the principles established in the data protection regulation. However the EDPS did make number of recommendations mainly as concerns data quality, transfer of data, rights of access and rectification, information of the data subject. The EDPS is also requesting detailed information on security measures adopted.
Opinion of 9 October 2008 on the notification for prior checking regarding the "Management of recruitment files for officials at the JRC (transfers and laureates of open competitions)" (Case 2008-140)
The processing concerns the constitution and management of recruitment files for officials (transfers and laureates of open competitions). The recruitment files collect all the information needed in order to start, process and finalize the recruitment procedure, which, at different stages, involve DG JRC Institutes/Directorates (Management Support Units (MSUs) and scientific staff), the other DGs of the Commission in case of transfers, the Human Resources Unit of the Resource Management Directorate and the candidates concerned.
The EDPS made recommendations in particular relating to data quality (in particular replace the collection of certificates of good conduct by other tools that only demonstrate the prior criminal behaviour by carrying out a case by case analysis of the content of the national extracts of the police register, so as to collect only relevant data in the light of the Staff Regulation requirements), data retention period, data transfer, rights of access and rectification (have access to their file, including the assessment notes concerning them drafted by the panel members) and information to data subjects (in particular mention of medical services and security services as recipients).
Opinion of 9 October 2008 on a notification for prior checking on the selection, recruitment and management of grantholders at the Joint Research Centre (JRC) (Case 2008-138)
The Joint Research Centre (JRC) of the European Commission offers grants for doctoral researchers (cat. 20), post-doctoral researchers (cat.30) and senior scientists (cat. 40). The recruitment procedure starts with the publication of a open call on the JRC corporate website. Then, the candidates make a request for a grant by filling in an application form. Applications are collected and evaluated. A contract is signed with the successful candidates.
The EDPS has issued an opinion relating to the processing of personal data in the selection, recruitment and management procedures of grantholders at the Joint Research Centre. The EDPS concludes that on a general basis the procedure complies with the principles established in the data protection regulation. However the EDPS did make number of recommendations mainly as concerns the collection of excessive data, transfer of data, access to evaluation data, information of the data subject as well as the security measures.