Opinion of 7 May 2009 on notifications for prior checking of certain Community agencies concerning the "Staff recruitment procedures" (Case 2009-287)
It is the first time that the EDPS carries out such a challenging exercise in examining 14 notifications, with their cover letters regarding each agency's processing operations, at the same time. The EDPS analysed each agency's practice regarding each principle of data protection stated in the Regulation and evaluated whether each agency followed the EDPS Guidelines or not. In view of the similarities of the procedures, and of some similarities as presented by some agencies in terms of data protection practices, the EDPS decided to examine all notifications in the same context and issue one joint opinion. The EDPS in his joint opinion underlines an agency's practice which does not seem to be in conformity with the principles of the Regulation as well as with the EDPS Guidelines and provides the agency(ies) concerned with a relevant recommendation. Some good practices are also pointed out in the joint opinion.
The data subjects concerned are permanent staff, temporary agents, contract agents, national experts and trainees. The processing operations under examination are subject to prior-checking in conformity with Article 27(2)(b) of Regulation 45/2001, since they involve an evaluation of the applicants’ ability to perform the job functions for which the selection and recruitment procedures have been organized. Some of these processing operations might also involve the processing of data related to health (collection of medical certificate or disability data) as well as to criminal offences (collection of criminal record), which constitutes an additional ground for prior-checking in the light of Article 27(2)(a) of the Regulation.
The procedure towards this joint opinion seems to have been beneficial to the agencies concerned as well, because on one hand it allowed them to compare data protection practices adopted within each agency and on the other hand it made them reconsider their practices in the light of the EDPS recommendations. Indeed, the EDPS notes that most of the agencies seem to have adopted their data protection practices following the EDPS Guidelines and the provisions of Regulation 45/2001.
In analysing the DPOs' remarks on the draft opinion sent to them for comments, the EDPS finds it necessary however to underline that the mere intention or confirmation stated by the DPO of an agency that a specific data protection practice will be applied in conformity with the EDPS Guidelines and recommendations is not sufficient for the implementation of the EDPS recommendations. Instead, concrete measures are required. Consequently, the controller of each agency concerned is now invited to adopt specific and concrete measures in order to implement the EDPS recommendations regarding staff recruitment procedures carried out by each agency. This implies that in the context of the follow-up each agency should send to the EDPS all relevant documents which can show that the EDPS recommendations were actually implemented.