
Privacy in the EU Institutions

Regulation (EU) 2018/1725 lays down the data protection obligations for the EU institutions, bodies and agencies when they process personal data and develop new policies. This regulation also defines the obligations of the EDPS, including his role as an independent supervisory authority of EU institutions and bodies when they process personal data, his duty to advise on policies and legislation which affect privacy, and his cooperation with similar authorities to ensure consistent data protection.






Family leave - EMEA

Opinion of 14 April 2008 on a notification for prior checking concerning the "Family leave / Compel personnel database / Electronic document management system (EDMS)" (Case 2007-498)
Health-related personal data of family members are being processed in connection with family leave that can be granted upon application in case of medically certified serious illness or handicap of certain family relatives.
The respective medical certificates are being validated by the EMEA Personnel & Budget Sector staff and/or may be reviewed by a UK-based external medical contractor.
The EDPS recommendations provided in this opinion aim to ensure the full compliance of the processing with Regulation 45/2001 and concern, in particular, data transfers, the modalities of exercise of rights of access and rectification, as well as the information to be provided to the data subjects.

Available languages: English, French

Annual appraisal procedure - CPVO

Opinion of 14 April 2008 on a notification for prior checking on the annual appraisal procedure (Case 2007-403)
The Community Plant Variety Office conducts an appraisal procedure every calendar year for each CPVO staff member concerned. The procedure is aimed at evaluating the staff member's efficiency, abilities and conduct in service and at identifying training needs, and it is used as a career development tool, which justifies the submission of the procedure to prior checking by the EDPS under Article 27(2)(b) of Regulation 45/2001. The EDPS recommendations to be implemented by the CPVO include, inter alia:
i) Adopt rules on retention of evaluation reports;
ii) Ensure that recipients are made aware that they shall process personal data only for the purposes they were transmitted for;
iii) Ensure that more specific and accurate information is provided to data subjects regarding the data transfer, the rights of data subjects, the right of recourse to the EDPS and the data retention. The "CPVO appraisal guide" should therefore be amended.

Available languages: English, French

Identity and access control system - OLAF

Opinion of 7 April 2008 on a notification for prior checking on identity and access control system (Case 2007-635)
The Identity and Access Control System is part of the security infrastructure that protects OLAF premises and IT systems. The purpose of the data processing is to ensure that only authorised persons have access to OLAF's premises. The system is designed to control the identity and permit or deny access of persons entering and exiting OLAF's premises outside working hours and special secure zones. To do so, OLAF uses a smartcard and fingerprint authentication. Users' biometric data are stored only on the smartcard, which cannot be used for any other purpose. For the EDPS, the processing operation is not in breach of Regulation 45/2001 if OLAF takes into account the following recommendations, for instance regarding a reassessment of the concerned data subjects submitted to enrolment; the development of fallback procedures; the setting of a shorter conservation period of data after the first year of operation of the new system; the amendment of the privacy statement and the reconsideration of the technological taking into consideration the choice of the best available techniques and discussions on future security systems.

Available languages: English, French

Coordination cases - OLAF

Opinion of 7 April 2008 on a notification for prior checking on coordination cases (Case 2007-699)
OLAF engages in processing of personal data when it opens a Coordination case. These are cases that could be the subject of OLAF external investigations, but where OLAF’s role is to contribute to investigations being carried out by other national or Community services by, among other things, facilitating the gathering and exchange of information and ensuring operational synergy among the relevant national and Community services. The main investigative input is provided by other authorities. OLAF's role includes facilitating contacts and encouraging the responsible authorities to work together. The type of personal information processed by OLAF in these cases includes identification, professional data and information concerning activities related to matters which are the subject of coordination.

The EDPS has issued an opinion on the processing of personal data in the context of OLAF's Coordination cases. The Opinion concludes that on a general basis the data processing complies with the principles established in the data protection Regulation. However, the EDPS did make some recommendations. Among others, the EDPS asked OLAF to ensure that individuals whose data are processed by OLAF are informed of the data processing that takes place in the context of Coordination cases. It also suggested some amendments to the privacy statement and asked OLAF to conduct a preliminary evaluation of the necessity of the 20-year conservation period vis-à-vis the purpose of such conservation.

Available languages: English, French

Part time requests - European Medicines Agency

Opinion of 1 April 2008 on a notification for prior checking on part time requests (Case 2007-500)
The European Medicines Agency (EMEA) manages part-time applications of the staff. The data processing operations are both automated and manual. A staff member fills in a form which is collected in hard copies and subsequently the data of each staff member are entered in the COMPEL Database. Data subjects include temporary and contractual agents at the EMEA. In exceptional circumstances, the family members of staff can also be concerned.

The EDPS has issued an opinion concerning part time requests in EMEA. The EDPS concludes that on a general basis the procedure complies with the principles established in the data protection regulation. However, the EDPS did make some recommendations, mainly as concerns the need to modify the "Personal Data Access Request Form", to amend the information provided in the data protection declaration, and to remind all EMEA internal recipients of their obligation not to use the data for any further purpose beyond the purposes communicated to the data subjects.

Available languages: English, French