Opinions Prior Check and Prior Consultations

Some of the procedures that EU institutions put in place pose risks to the data protection rights and freedoms of individuals.

Under the old legal framework (Regulation (EC) 45/2001), EU institutions were obliged to notify us before putting in place risky data processing operations.

In general, our prior checking Opinions were public.

Regulation 2018/1725 builds on the old Regulation and mirrors the General Data Protection Regulation (EU) 2016/679 (GDPR) that applies to most organisations processing personal data in the Member States. Compared to the previous rules, Regulation 2018/1725 aligns documentation obligations more closely to the risks caused by processing personal data. This means for example that the documentation requirements for a EUI’s newsletter subscription will be lower than for a system using ‘intelligent CCTV’ covering publicly accessible space or a database profiling travellers for screening purposes.

Depending on the process at hand, EU institutions processing personal data ('controllers') may not have to go through all the steps below (these steps are described in the Accountability on the ground toolkit):
• Generate basic documentation (called ‘records’) for all processes;
• Check if the process is likely to result in high risks to the people whose data are processed and consult the DPO if it appears to do so;
• If the EU institution needs to do a data protection impact assessment (DPIA), they analyse those risks in more detail and develop specific safeguards/controls to manage them;
• If the results of the DPIA still indicate high residual data protection risks, the EU institution has to file a prior consultation with the EDPS (see Articles 40 and 90 of Regulation 2018/1725 respectively for administrative and operational personal data).

Article 39 of Regulation 2016/794 on Europol provides for an ad hoc prior consultation mechanism for new type of processing of operational data, namely data processed by Europol to support the Member States in preventing and combating serious crime and terrorism. Similarly, Article 72 of Regulation 2017/1939 on the European Public Prosecutor Office (EPPO) provides a specific prior consultation mechanism for the processing of operational data, namely data processed in the context of criminal investigations and prosecutions undertaken by the EPPO. Regulation 2018/1725, including the standard prior consultation mechanism, applies to Europol's and EPPO's processing of administrative data, which includes data on staff and visitors, for example.

Where an EU institution is unsure whether to notify us a data processing operation for prior consultation, their DPO can consult us for advice to confirm.

As for the old prior checking Opinions, in general the prior consultation Opinions are public, but we may delete sensitive elements where necessary, related to security for example. Some opinions, which are by nature sensitive, in particular in the police and justice area, may not be published. For the sake of transparency, these Opinions are summarised in our Annual Report.

Filters

Filter by Publication Year

Filter by Topics/Tags

Filter by Institution

Nov

2007

Opinions Prior Check and Prior Consultations

Intelligence databases - OLAF

Opinion of 21 November 2007 on a notification for prior checking on information and intelligence data pool and intelligence databases (Joint cases 2007-27 and 2007-28)

Information and Intelligence Data Pool” is the description given to all data held within the remit of Operational Intelligence Unit C4 in OLAF, including the Intelligence Databases.

Operational Information and Intelligence support are essential aspects of OLAF’s mandate to fight fraud, corruption, and any other illegal activity affecting the financial interests of the European Community, and serious matters relating to the discharge of professional duties - as established in Article 1 of Regulation (EC) n° 1073/1999 and Commission Decision 1999/352/EC Article 2 (5).

The purpose of the processing under analysis is then to further OLAF intelligence/analysis and operational activity. It also aims to support specific case requests, operations and investigations with a view to ensuring the optimum accuracy and relevance of information received, disseminated and otherwise processed for intelligence, financial, administrative, disciplinary and judicial use. This support may be provided throughout the various stages of OLAF investigation and operational activities, over all sectors and is recorded within the CMS (Case Management System) where applicable.

OLAF’s operational intelligence role also includes supporting the control, intelligence and enforcement activities in Member States, for OLAF partners and Operational DGs. Chapter 2.4.3 of the OLAF Manual further explains the role of OLAF's operational intelligence.

In his prior checking Opinion, the EDPS issued the main following recommendations:

to acknowledge in the intelligence files when any restriction based on Article 20 of the Regulation is operated;
to respect the confidentiality of the identity of whistleblowers during OLAF intelligence activities and in the later stages when appropriate;
to provide the information (Article 12 of the Regulation) to the data subjects whose names appear in the documentation under analysis, but who are not persons concerned, witnesses, whistleblowers or informants, unless such activity would be impossible or would involve a disproportionate effort, in which case the obligation to provide directly the information could only be replaced by the indirect provision through the privacy statement published on the OLAF website. The same principle should be applied when intelligence activities are conducted independently of an investigation;
to supplement the publication on the website with personalised information notices addressed to individuals (unless such activity would be impossible or would involve a disproportionate effort). The EDPS therefore calls upon OLAF to develop practices in providing personalised information to the individuals concerned to the degree it is appropriate in the context of intelligence activities and inform the EDPS about such guidelines.

Available languages: English

Topics

Privacy in the EU Institutions

Investigations

Nov

2007

Opinions Prior Check and Prior Consultations

Recruitment of temporary agents - OLAF

Opinion of 14 November 2007 on a notification for prior checking regarding OLAF's selection and recruitment of its temporary agents (Case 2007-6)

Available languages: English, French

Topics

Privacy in the EU Institutions

Recruitment

Nov

2007

Opinions Prior Check and Prior Consultations

Evaluation of the members of the linguistic team - OHIM

Opinion of 12 Novembre 2007 on a notification for prior checking on the evaluation of the members of the linguistic team (Case 2007-475)

Members of the Linguistic Team of the Office for Harmonisation in the Internal Market (OHIM) are subject to evaluation of their translation or revision work by means of two processing operations of personal data aiming at making, on the one hand, a qualitative assessment, and on the other hand, a quantitative assessment. Those processing operations pursue the same purpose of evaluating both the team's performance and the individuals' work.

The EDPS has issued an opinion on the evaluation of the members of the linguistic team. The EDPS concludes that on a general basis the procedure complies with the principles established in the data protection regulation. However the EDPS did make some recommendations mainly as concerns the information of the persons concerned and the security measures. In particular, the EDPS suggested that the controller must inform the evaluated staff and provide them with the Data Protection Statement at the time of undertaking the evaluation procedure. Concerning the security measures, the EDPS recommended implementing measures to ensure an appropriate level of security in case of transfer of data.

Available languages: English, French

Topics

Privacy in the EU Institutions

Staff Evaluation

Nov

2007

Opinions Prior Check and Prior Consultations

Processing of personal data by social services - Court of Auditors

Opinion of 8 November 2007 on a notification for prior checking on processing of personal data by the social services (Case 2007-302)

The Social Service of the Court of Auditors is provided by a professionally qualified social worker who is responsible for the provision of social financial assistance and psychosocial support. Types of assistance include home help, assistance for disabled officials or disabled dependents of officials, loans and aid granted on social grounds (special assistance in extreme circumstances). The social worker also offers psychosocial support to officials and their families, retired officials, and the surviving family members of deceased officials. The social worker also provides practical assistance chiefly in the form of information as to the availability of resources and services in specific areas.

As a rule, the relevant data are compiled by the social worker in an interview with the applicant. In certain cases, the applicant is requested to complete certain forms. If need be, medical approval is sought from the Medical Service or from the JSIS's medical officer. A decision, drawn up by the social worker, is submitted to the Appointing Authority (Head of Division, Human Resources) for signature and the beneficiary is informed of the decision.

When the social worker meets with the client, personal and private data are compiled in a personal record, which is only accessible to the social worker. The social worker is bound by professional secrecy and that all conversations will be confidential. The social worker may make personal notes concerning the client's situation as a memory aid and for future reference. Any documentation in the file supplied by the applicant remains the property of the applicant and, on request, may be returned to the persons concerned.

The EDPS opinion concluded that the processing proposed does not seem to involve any infringement of Regulation (EC) No 45/2001, as long certain recommendations are taken into account and notably that the Court of Auditors assesses the period of conservation of short term assistance; that the Court of Auditors ensures, in compliance with Article 4(1)(e) that the data stored in Excel tables for statistical and record-keeping purposes are kept in an anonymous form or with the identity of the data subject encrypted; and that further information must be provided to data subjects in accordance with Articles 11 and 12.

Available languages: English, French

Topics

Privacy in the EU Institutions

Working Conditions

Oct

2007

Opinions Prior Check and Prior Consultations

National experts - EMEA

Opinion of 26 October 2007 on a notification for prior checking regarding national expert's expression of interest (Case 2007-423)

The European Medicines Agency (EMEA) collects expressions of interest from national experts to be seconded to the institution. The processing in this framework implies operations such as collection, organisation, storage, consultation and distribution of CVs in order to set up a reserve list of potential candidates. A curriculum vitae must be attached to the applications. The applications received are used for selecting suitable candidates.

On the facts, the collection and further processing of personal data of job applicants is carried out in the legitimate exercise of EMEA's activities and authority. An EMEA Executive Director's Decision laying down the rules on the secondment of national experts constitutes the legal basis of the processing operation.

After examination of EMEA's notification EDPS concludes there is no reason to believe that there is a breach of the provisions of Regulation 45/2001. However, EDPS recommends EMEA should:

if candidates include data which are irrelevant and excessive in relation with the purposes of the processing, EMEA has to make sure that they are deleted in the most appropriate way.
publish the Executive Director's Decision on the adoption of implementing rules relating to the protection of individuals with regard to the processing of personal and the free movement of such data of 12 June 2007 on its website,
adopt and publish a specific policy statement concerning this processing operation which should refer to all the provisions of Article 11.

Available languages: English, French

Topics

Privacy in the EU Institutions

Procurements, Grants, Experts

Access to documents
Administrative and Human Resources
AI Supervision by EDPS
AI Supervision by EDPS
Article 7 - right to private life
Binding Corporate Rules
Biometrics
Money laundering
C-ITS
Case Management System
ECHR
CJEU
Communication
Computer Forensics
Council of Europe
Data retention
COVID-19
Data Breach
Right of Information
EU Passengers Name Record
Europol
Finance
IT at Work
IT
Tracking
Management of the EDPS
mHealth
PETs
Physical Security
Public Events
Regulation 2018/1725
Safe Harbour
SIS
SIS SCG
Staff Committee
Supervision by EDPS
Surveys
Article 8 - right to data protection
Right of Access
Blockchain
Encryption
Standard Contractual Clauses
Clinical Trials
Convention 108
Tax cooperation
ECtHR
Cybersecurity
Investigations
eCall
ECRIS
PNR
OECD
Profiling
VIS
VIS SCG
Adequacy Decision
Anti-fraud
Cloud Computing
EDPB - 29WP
Cybercrime Convention
Counter-terrorism
Drones
Right to Rectification
Eurodac
Eurodac SCG
Tax evasion
Privacy Shield
Mobile Devices & Apps
CIS
CIS SCG
Umbrella Agreement
Right to Erasure
Financial markets
United Nations
Recruitment
IMI
Open Data
Right to Restriction of Processing
Staff Evaluation
IMI SCG
TTIP
Working Conditions
Smart Meters
Data Portability
EES
Procurements, Grants, Experts
Right to Object
Social Networks
Automated Individual Decision-Making
Health Data in the Workplace
Anti-harassment
Data Protection Officer
Conflicts of Interest
Security & Access to Premises
Net Neutrality
Encryption
Artificial Intelligence
Ethics
Robotics
Charter of Fundamental Rights
General Data Protection Regulation
Police Directive
ePrivacy Directive
Regulation 45/2001
Rights of the Individual
Necessity & Proportionality
Privacy by Design
Interoperability
Privacy by Default
Accountability
International Agreements
International Standards
International Cooperation
Case-law and litigation
Transfers of data
Supervision coordination
Large-Scale IT Systems
Information Security
Digital Clearinghouse 2.0
Internet of Things
Personal Information Management System
IPEN
eGovernment
Borders, Asylum, Migration
Common Foreign and Security Policy
Competition
Consumers
Finance & Economy
Health
Internal Market
Digital Single Market
Judicial Cooperation
Police Cooperation
Electronic Communications, Information Society
Research & Science
Transport
Privacy in the EU Institutions
Transparency
Whistleblowing
Surveillance
Security
Technologies

Agency for the Cooperation of Energy Regulators (ACER)
Body of European Regulators for Electronic Communications (BEREC)
Clean Sky Joint Undertaking (CSJU)
Committee of the Regions (CoR)
Community Plant Variety Office (CPVO)
Consumers, Health and Food Executive Agency (CHAFEA)
Council of the European Union
Court of Justice of the European Union (CJEU)
ECSEL Joint Undertaking (ECSEL)
eu-LISA
European Agency for Safety and Health at Work (EU-OSHA)
European Anti-Fraud Office (OLAF)
European Asylum Support Office (EASO)
European Aviation Safety Agency (EASA)
European Banking Authority (EBA)
European Border and Coast Guard Agency (FRONTEX)
European Central Bank (ECB)
European Centre for Desease Prevention and Control (ECDC)
European Centre for the Development of Vocational Training (Cedefop)
European Chemicals Agency (ECHA)
European Climate, Infrastructure and Environment Executive Agency (CINEA)
European Commission
European Court of Auditors (ECA)
European Data Protection Board (EDPB)
European Data Protection Supervisor (EDPS)
European Defence Agency (EDA)
European Economic and Social Committee (EESC)
European Education and Culture Executive Agency (EACEA)
European Environment Agency (EEA)
European External Action Service (EEAS)
European Fisheries Control Agency (EFCA)
European Food Safety Authority (EFSA)
European Foundation for the Improvement of Living and Working Conditions (Eurofound)
European GNSS Agency (GSA)
European Health and Digital Executive Agency (HaDEA)
European Innovation Council and SMEs Executive Agency (EISMEA)
European Institute for Gender Equality (EIGE)
European Institute of Innovation and Technology (EIT)
European Insurance and Occupations Pensions Authority (EIOPA)
European Investment Bank (EIB)
European Investment Fund (EIF)
European Labour Authority (ELA)
European Maritime Safety Agency (EMSA)
European Medicines Agency (EMA)
European Ombudsman (Ombudsman)
European Parliament
European Personnel Selection Office (EPSO)
European Police College (CEPOL)
European Police Office (EUROPOL)
European Public Prosecutor's Office (EPPO)
European Research Council Executive Agency (ERCEA)
European Research Executive Agency (REA)
European Securities and Markets Authority (ESMA)
European Systemic Risk Board (ESRB)
European Training Foundation (ETF)
European Union Agency for Fundamental Rights (FRA)
European Union Agency for Network and Information Security (ENISA)
European Union Agency for Railways (ERA)
European Union Drugs Agency
European Union Institute for Security Studies (EUISS)
European Union Intellectual Property Office (EUIPO)
European Union Satellite Centre (EUSC)
Fuel Cells & Hydrogen Joint Undertaking (FCHJU)
Fusion for Energy (F4E)
Innovative Medicines Initiative Joint Undertaking (IMI JU)
Joint Research Centre (JRC)
Office for Harmonisation in the Internal Market (OHIM)
Other
SESAR Joint Undertaking (SESAR JU)
Single Resolution Board (SRB)
The European Union's Judicial Cooperation Unit (EUROJUST)
Translation Centre for the Bodies of the European Union (CdT)