Security & Access to Premises

15 May 2008

2007 Annual Report - Enhanced data protection needs to be delivered in practice

The report runs through the main features of the EDPS activities in 2007, notably with regard to his supervisory and consultative tasks.
The report highlights a considerable increase in the number of prior-checks relating to processing operations of personal data in Community institutions and bodies. The EDPS also gave further effect to his advisory role on new EU legislative proposals having an impact on data protection with the publication of 12 opinions. 
2007 saw the signing of the Lisbon Treaty that provides for an enhanced protection of personal data and whose impact for data protection will be closely monitored.

You can obtain a paper version of this Annual Report on EU Bookshop.

Full text of the Annual Report:
Available languages: German, English, Spanish, French, Italian, Polish
Summary:
Available languages: Bulgarian, Czech, Danish, German, Estonian, Greek, English, Spanish, French, Irish, Italian, Latvian, Lithuanian, Hungarian, Maltese, Dutch, Polish, Portuguese, Romanian, Slovak, Slovenian, Finnish, Swedish

7 April 2008

Identity and access control system - OLAF

Opinion of 7 April 2008 on a notification for prior checking on identity and access control system (Case 2007-635)
The Identity and Access Control System is part of the security infrastructure that protects OLAF premises and IT systems. The purpose of the data processing is to ensure that only authorised persons have access to OLAF's premises. The system is designed to control the identity and permit or deny access of persons entering and exiting from OLAF's premises outside working hours and special secure zones. To do so, OLAF uses a smartcard and fingerprint authentication. Users' biometric data are stored only on the smartcard, which cannot be used for any other purpose. For the EDPS, the processing operation is not in breach of Regulation 45/2001 if OLAF takes into account the following recommendations, for instance regarding: a reassessment of the concerned data subjects submitted to enrolment; the development of fallback procedures; the setting of a shorter conservation period of data after the first year of operation of the new system; the amendment of the privacy statement; and the reconsideration of the technology, taking into consideration the choice of the best available techniques and discussions on future security systems.

Available languages: English, French

14 February 2008

Control system by an iris scan - European Central Bank

Opinion of 14 February 2008 on a notification for prior checking related to the extension of a pre-existing access control system by an iris scan technology for high secure business areas (Case 2007-501)

The ECB has set up an access control system which, among other things, scans the iris of ECB staff members and external individuals accessing highly secured areas within the ECB. The data generated by the access control system are also used to reconstruct events during security-related incidents.

The EDPS recommendations to be implemented by the ECB include, inter alia:
  • Enact a legal instrument providing the legal basis for the processing operations that take place in order to set up an access control system based on the use of biometrics (iris scan);
  • Reconsider the decision taken in terms of technological choices through an impact assessment, including a viable timetable to implement changes in technology, i.e. in the current iris scan system. In a first phase, consider introducing a "one to one" search mode by including an additional identification, for example, using ECB standard access badges together with the upgraded IrisAccess 4000. At a later stage, consider changing to a "one to one" search mode where biometric data would be stored in chips rather than in a central database;
  • Shorten the deadline for the storage of audit trail data which reveals whether an individual accessed or tried to access the areas controlled by the system; 
  • Amend the privacy statement as recommended in the Opinion.
Available languages: English