Nos avis portent principalement sur des propositions législatives et sont adressés au législateur de l'UE (le Parlement européen, le Conseil et la Commission européenne), dans le but de signaler les principales préoccupations en matière de protection des données ainsi que nos recommandations.
Ces avis sont rendus en réponse aux demandes de la Commission, qui est légalement tenue de demander notre avis sur toute proposition législative ou projet d'actes d'exécution ou délégués, ainsi que sur les recommandations et propositions au Conseil dans le cadre d'accords internationaux conformément à l'article 42(1) du règlement (UE) 2018/1725 lorsqu'il y a un impact sur la protection des données personnelles.
Nous émettons également des avis d'initiative dans le cadre de notre rôle de conseil sur toutes les questions relatives au traitement de données personnelles.
Avis sur l'initiative de la République française en vue de l'adoption d'une décision du Conseil sur l'emploi de l'informatique dans le domaine des douanes, JO C 229, 23.09.2009, p. 12
Given his current role as the supervisory authority for the central part of the First Pillar part of the CIS, the EDPS is particularly interested in the Initiative and the new developments in the Council relating to its content.The EDPS emphasises the need for ensuring a coherent and comprehensive approach to align the First and Third Pillar parts of the system.
The EDPS notes that the Proposal involves various aspects relating to fundamental rights, in particular the protection of personal data as well as the right to information and other data subject's rights.
The EDPS is particularly interested in the new developments concerning the Third Pillar part of the CIS, given that he already exercises supervisory tasks over the central part of the First Pillar part, in accordance with the new Regulation 766/2008 amending Council Regulation 515/97 on mutual assistance between administrative authorities of the Member States and cooperation (...) to ensure the correct application of the law on customs and agricultural matters.
Avis sur les propositions de règelement et de directive en ce qui concerne la pharmacovigilance, JO C 229, 23.09.2009, p. 19
The EDPS takes the view that the lack of a proper assessment of the data protection implications of pharmacovigilance constitutes one of the weaknesses of the current legal framework set out by Regulation (EC) No 726/2004 and Directive 2001/83/EC. The current amendment of Regulation (EC) No 726/2004 and Directive 2001/83/EC should be seen as an opportunity to introduce data protection as a full-fledged and important element of pharmacovigilance.
A general issue to be addressed thereby is the actual necessity of processing personal health data at all stages of the pharmacovigilance process. As explained in this Opinion, the EDPS seriously doubts this need and urges the legislator to reassess it at the different levels of the process. It is clear that the purpose of pharmacovigilance can in many cases be achieved by sharing information on adverse effects which is anonymous in the meaning of the data protection legislation. Duplication of reporting can be avoided through the application of well structured data reporting procedures already at national level.
Avis sur la recommandation pour un règlement du Conseil modifiant le règlement (CE) n° 2533/98 du 23 novembre 1998 concernant la collecte d'informations statistiques par la Banque centrale européenne, JO C 192, 15.08.2009, p. 1
On 23 November 1998, the Council of the European Union adopted Regulation (EC) No 2533/98 concerning the collection of statistical information by the European Central Bank (ECB). In order to maintain this Regulation as an effective instrument to carry out the statistical information collection tasks of the European System of Central Banks, the Governing Council of the European Central Bank adopted a Recommendation for a Council Regulation amending Regulation No 2533/98.
The Opinion analyses the Recommendation and gives some further reflexion on the relation between statistical confidentiality and data protection.
More specifically the EDPS:
welcomes that the proposed amendments contain a specific reference to the data protection legal framework;
underlines the need for further clarification of some concepts common to data protection and statistics;
considers that the purpose limitation principle should be ensured in the widening of scope of the Regulation;
stresses the need to assess the necessity of processing payment statistics which may contain personal information about natural persons;
advocates for further collaboration between the European Statistical System and the ECB in view of ensuring the respect of the data quality principle as well as the data minimization principle;
suggests that access to statistical information for research purposes should be provided in such a way that the reporting agent cannot be identified, either directly or indirectly, when account is taken of all relevant means that might reasonably be used by a third party.
Avis sur la proposition de directive relative aux normes de qualité et de sécurité des organes humains destinés à la transplantation, JO C192, 15.08.2009, p. 6
The proposal provides for national quality programmes to advance organs donation and transplantation, including a traceability mechanism to ensure that all organs can be traced from donation to reception and vice versa. The proposed procedure involves the collection and circulation of health data, which are regarded as sensitive and therefore fall under the stricter rules of EU data protection legislation.
The EDPS welcomes the attention given in the proposal to the data protection needs arising both for the donors and the recipient of organs, especially as concerns the requirement for keeping their identities confidential. He however recommends to further emphasize the need for reinforced protection of the donors' and recipients' personal data throughout the organs traceability chain established within the proposal. This can be achieved with the application of strong organisational and technical security measures, both in the national donors and recipients databases, as well as in the cross-border exchange of organs.
Basic principles for national security measures may include the following:
adoption of a specific information security policy;
definition of a confidentiality and access control policy, together with data confidentiality guarantees for the persons involved in the processing;
addressing security mechanisms in the national databases, based on the concept of "privacy by design" (i.e. application of data protection requirements as early as possible in the life cycle of new technological developments);
ensuring regular monitoring and independent audits of the security policies in place.
With regard to the cross-border exchange of organs, the need for harmonizing information security policies among Member States should be further stressed. In addition, special attention should be paid to the possibilities of indirect identification of donors and recipients' data (pseudonymisation). The EDPS also recommends specific consultation with the national data protection authority when organs are exchanged with third countries.
Avis sur la proposition de règlement du Conseil instituant un régime communautaire de contrôle afin d'assurer le respect des règles de la politique commune de la pêche, JO C 151, 03.07.2009, p. 11
There are different reasons why data protection provisions in the context of this proposal are relevant. First, the proposal foresees the processing of various data, which in certain cases, can be considered as personal data. Moreover, the proposal also foresees transfers of these data and exchanges of information, both between Member States and with the Commission or the Community Fisheries Control Agency. The EDPS also notes that the proposal foresees the use of aggregated data in certain circumstances. All these aspects require respecting the data protection legal framework.
The EDPS welcomes that reference to privacy and data protection is made within the current proposal. However, some amendments are needed in order to provide clear requirements, both for the Member States and for the Commission to address the data protection aspects of the system.
