Privacy in the EU Institutions

Opinion of 21 January 2009 on a notification for prior checking concerning the report on probation period (Case 2008-604)

The European Parliament has implemented a data processing to evaluate newly recruited officials, temporary and contract agents during the initial period of their employment, which serves as a basis for the confirmation, dismissal or possible extension of the probation period of that person.

Amongst its recommendations, the EDPS in particular asked that the European Parliament ensures that no sensitive data relating to health is processed, that recipients of the data are reminded to use the data only for the purpose for which they were transmitted, and that data subjects are informed about the data retention periods and their rights of access and rectification which can be done by adding the necessary information in the Vade-mecum to newcomers and in the probation report form.

Opinion of 21 January 2009 on a notification for prior checking on the assessment of staff's capacity to work in a third language before first promotion (Case 2008-690)

The European Parliament has implemented a data processing to evaluate the capacity of officials and contractual agents in function group IV to work in a third language. Officials must demonstrate the capacity to work in a third language to be eligible for a first promotion, and contractual agents must prove their ability to work in a third language before the renewal of their contract for an indefinite period.

The EDPS recommends that appropriate data retention periods are defined for the conservation of these assessments, that a procedure is implemented ensuring the exercise by individuals of their right to access and rectify their assessment (in particular access and rectification to the tests organized by EPSO), that specific information concerning the processing of individuals' data for the purpose of the assessment of the capacity to work in a third language is provided to the persons concerned. The EDPS also outlines that the staff processing personal data should be reminded of their duty of confidentiality towards such data.

Opinion of 16 January 2009 on a notification for prior checking on the management of Central and Local Training SYSLOG Formation (Case 2008-481)

SYSLOG is the administrative management tool for training at the European Commission in three fields: informatics, language and general. It is managed by DG ADMIN. However, some data processing also takes place within each Directorate-General by its training manager (COFO) and informatics training manager (REFOI).

The EDPD considers that the data processing is in line with Regulation 45/2001 but advises DG ADMIN among others to: (1) Set up reasonable time limits for dealing with requests from data subjects exercising their right of access and, (2) Set up procedures to provide the privacy policy to staff members working for agencies/bodies with no access to SYSLOG.

Opinion of 16 January 2009 on the notification for prior checking regarding the "Invalidity Committee procedure" (Case 2008-626)

The Council of the European Union has established a procedure defining the arrangements for referrals to and the functioning of an invalidity committee responsible for evaluating the invalidity of an official, temporary member of staff or contract member of staff, the opinion of which will be used as a basis for a decision on whether the person concerned should be granted invalidity or resume work.

The EDPS recommends, inter alia, that the administrative departments dealing with social medicine be reminded that they are subject to professional secrecy, and that health-related data be disclosed only to persons authorised to receive such data and who are subject to professional secrecy. The EDPS also recommends that the information note be revised to include information on data recipients and on whether replies to questions are obligatory or voluntary and the possible consequences if the individual refuses to produce medical certificates.

Opinion of 15 January 2009 on the notification of prior checking concerning the "management of the crèche of the General Secretariat of the Council and billing" case (Case 2007-441).

The processing operation concerns, firstly, the procedure for enrolment and admission, as the case may be, of children to the GSC crèche through the examination of administrative and financial data provided by the persons having legal responsibility for the child. It is also designed to monitor the child's presence at the facilities, particularly with a view to monitoring attendance, controlling access of persons dropping off children and reimbursing crèche expenses.
It follows that the processing operation in this case is intended to evaluate the personal and family circumstances of parents and their children in the light of the eligibility criteria for admission. The processing operation also concerns data relating to health.
In its recommendations, the EDPS stressed, inter alia, that the GSC should:

• remove the requirement to submit a medical form from Article II of the crèche rules and clarify Article VIII so that it is understood that there will be no medical examination until after the child has obtained a place at the crèche;
• refer in the crèche rules to the existence of a waiting list;
• ensure that the administrative arrangement with the OIB specifies that the processor can act only on instructions from the controller, and that it sets out the security measures applicable to the data to which the OIB has access.