24
Oct
2007
Certification procedure - Ombudsman
Opinion of 24 October 2007 on the notification for prior checking regarding the certification procedure (Case 2007-414)
Available languages: English, French
Print
Privacy in the EU Institutions
Regulation (EU) 2018/1725 lays down the data protection obligations for the EU institutions, bodies and agencies when they process personal data and develop new policies. This regulation also defines the obligations of the EDPS, including his role as an independent supervisory authority of EU institutions and bodies when they process personal data, and to advise on policies and legislation which affect privacy and cooperate with similar authorities to ensure consistent data protection.
Filters
19
Oct
2007
Mutual assistance exchanges - OLAF
Opinion of 19 October 2007 on a notification for prior checking on mutual assistance exchanges (Case 2007-202)
Available languages: English, French
19
Oct
2007
Mutual assistance exchanges - OLAF
Opinion of 19 October 2007 on a notification for prior checking on mutual assistance exchanges (Case 2007-202)
OLAF assists competent authorities in the Member States of the EU referred to in Council Regulation (EC) 515/97 in preventing, investigating and prosecuting violations of customs or agricultural legislation and to enhance the effectiveness of the cooperation among Member States and between them and the European Commission. For this purpose, competent authorities of Member States communicate and exchange anti-fraud information with each other and with the Commission [OLAF]. Anti-fraud information is also exchanged with Third countries under Mutual Assistance Agreements. These exchanges are made by means of the mailing applications of OLAF Anti-Fraud Information System (AFIS) and are organised via the use of screens, called modules, which are designed to cover a specific type of information regarding a particular area of movement of goods and/or means of transport. Three main categories of stakeholders are involved in the processing operation whose personal data therefore are processed: the persons concerned by the investigation or prosecution, the providers of information to the system and the recipients of the information (both of these latter can be OLAF agents or individuals in Member States authorities). The personal data processed concerns identification data, professional data, financial data, case involvement and criminal record data.
After examining the details of the processing operation, the EDPS made several recommendations, which concern, among others, the data quality principle, transfers of personal data, right of access and rectification and the restriction of those rights and the information that should be supplied to data subjects.
Available languages: English, French
19
Oct
2007
Flexitime at DG INFSO - Commission
Opinion of 19 October 2007 on a notification for prior checking on the implementation of flexitime specific to DG INFSO (Case 2007-218)
Within the general framework of Time management regulated by the "SYSPER 2 Time management system", DG INFSO added to the application of Flexitime an additional and important component in the element of a RFID chip integrated in the personal badge necessary to clock in and out. The inclusion of such a technology into a flexitime system thus reinforces the specific risks already present in the system. Therefore, the EDPS considered the case as such subject to prior checking.
In his analysis, the EDPS concluded that the system does process personal data because the data relate to natural persons who are identifiable, for instance by the use of names, personal numbers. Furthermore, the EDPS analysed closely the necessity test applied to the system and concluded that there was not a specific need to develop a badging system using RFID to implement a flexitime system, as the same purpose (management of working hours) could be reached by other, less intrusive, means. However, the EDPS also accepted that "need" does not mean that it is unavoidable but that it can be considered reasonably necessary in the specific context for fulfilling the purpose aimed at. Therefore, a margin of appreciation is left at the discretion of the administration in deciding to implement this system using RFID. If the safeguards and proportionality are present, it can be considered that such a system fulfils the conditions of need.
In his conclusions, the EDPS required several modifications of the planned system regarding security aspects by introducing an interim solution, as well as concerning the drafting of the privacy statement, some organisational measures and the data subjects concerned.
Available languages: English, French
17
Oct
2007
Financial irregularities - Court of Justice
Opinion of 17 October 2007 on a notification for prior checking concerning the "Financial Irregularities Panel" (Case 2007-433)
The processing operation is designed to enable the Financial Irregularities Panel to give an opinion evaluating whether a financial irregularity has occurred, and if so, how serious it is and what role was played by the persons involved in the events on which its opinion is sought and, where appropriate, what its consequences might be.
The EDPS considers that the proposed processing does not appear to be in breach of the provisions of Regulation (EC) No 45/2001 provided that it must be ensured that the data collected are relevant and adequate for the purpose of the referral to the Panel; that provision must be made to state that, if processing for historical, statistical or scientific use is envisaged in the future, the Panel will ensure that the data are rendered anonymous in compliance with Article 4(1)(e); and that the information notice available on the Intranet contains a clear reference to Article 11(d) (whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply).
Available languages: English, French