Privacy in the EU Institutions

Opinion of 20 May 2009 on the notification for prior checking regarding the management of safety at work at the Joint Research Centre's Institute for Health and Consumer Protection in Ispra (Case 2008-541)

The Notification and the EDPS Opinion concern a dedicated filing system: "Management of Safety at Work" used by the Institute. Personal data with an implication for safety at work are collected and stored in this filing system and consulted when needed. The purpose of the processing is to comply with the employer's obligations on safety at work under Italian laws. The processing operation covers all employees of the Institute.

With regard to data quality and proportionality, the EDPS recommended that the Institute should reconsider whether the safety officer indeed needs direct access to general training data in SYSLOG Formation, as well as training data on languages and e-learning, in addition to training information directly relevant to safety at work. On rights of access, the EDPS recommended that the Institution should establish a minimum set of safeguards to ensure that access requests will be addressed in a timely manner and without restraints. With regard to information to data subjects, the EDPS recommended that notice with respect to certain items under Articles 11 and 12 of the Regulation should be provided in a more specific manner.

Opinion of 19 May 2009 on the notification for prior checking regarding the prevention of harassment (Case 2008-477)

The Advisory Committee on Harassment and its Prevention at the Workplace functions in the European Parliament with the multiple purpose of promoting a peaceful and productive working environment, preventing and/or stopping harassment of staff (officials and other servants) of the European Parliament (EP), playing a role of conciliation and mediation, training and information and playing an active role within the EP's existing health promotion network. The ACPH combats psychological and sexual harassment on the basis of complaints. In the framework of its activities, the ACPH can process various personal data, including sensitive data, related to a particular individual.

After careful analysis of the data processing activities, the EDPS advised to improve different aspects of the processing, inter alia, regarding the confidentiality of handling personal data, reconsidering the retention period and drawing up a privacy notice and provide personalised information to the person concerned.

Opinion of 19 May 2009 on the notification for prior checking regarding the processing of personal data in DG ENTR Entreprise Data Warehouse (Case 2008-487)

The DG ENTR Data Warehouse (EDW) is a system in charge of retrieving data from multiple data sources (ABAC, COMREF, SYSLOG and DG ENTR's in-house financial data). The main goal is to provide managers with powerful reports presenting metrics of performance, like the 'Scoreboard' report, at destination of the Head of Units, Directors and Director General.

The EDPS examined the processing in the light of the legal requirements of Regulation (EC) 45/2001 and concluded that there was no breach of the Regulation provided certain recommendations are taken into account and notably:

• The Data Warehouse should be limited to the use of data specified in the current notification and require further authorisation if other databases where to be added as database sources;
• The data minimization principles, the accuracy of data and the necessity to transfer them should be assessed and evaluated;
• DG ENTR should implement specific security measures relating to the planned system's specifications.

Opinion of 18 May 2009 on a notification for prior checking regarding trainee applications and recruitment (Case 2008-730)
The prior check concerned the processing of personal data in the collection of trainee selection and recruitment. The EDPS examined the processing in the light of the legal requirements of Regulation (EC) 45/2001 and concluded that there was no breach of the Regulation provided certain recommendations are taken into account and notably as concerns requests made to the medical service in case of requests for a disability allowance by the trainees. The Personnel and Budget Sector should limit its request to the medical service to disability related data which is strictly necessary for making a decision about the needs of the trainee and the amount of the additional grant to be supplied to disabled trainees and persons in charge of handling that data in the Personnel sector should be made aware that they are processing sensitive information and they should respect the confidentiality requirement.