Security

Opinion of 29 April 2009 on a notification for prior checking on Voice Logging at the Joint Research Centre Institute for Energy (JRC-IE) in Petten (Case 2008-014)

This case concerned the recording of incoming and outgoing calls as well as records the calling telephone number, the called telephone number, date, time and length of the conversation at the JRC-IE in Petten the purpose of being able to check the content of the calls to the lines concerned in the event of an operational incident, emergencies and to be able to evaluate emergency training exercises at a later stage. These calls may also furnish evidence for investigations into potential threats to the institution.

The EDPS opinion particularly examines the lawfulness of the processing operation as the recording of calls is a violation to the principle of confidentiality of communications. The EDPS acknowledged that the processing was lawful as based on mandatory national legislation applicable in the field of nuclear facilities. The EDPS also made recommendations on the information to the persons concerned notably to external persons calling the switchboard and who must be informed that the communication will be recorded for security purposes at the start of the call.

Answer to a notification for prior checking on site management and security (Case 2009-036)

Second opinion on the review of Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ C 128, 06.06.2009, p. 28

Opinion of 15 December 2008 on a notification for prior checking regarding the database ARDOS (Case 2007-380)

The Security Service of the Joint Research Centre (JRC) at Ispra put in place a processing operation called "nulla osta". The purpose of the "nulla osta" procedure is to ascertain and confirm a selected candidate's good conduct. Information collected through this procedure is stored in a database called ARDOS with all documents requested by and presented to the Security Service of the JRC Ispra. It has to be noted that the "nulla osta" processing operation concern the candidates of all JRC sites except Karlsruhe.

The EDPS examined the processing operation and in particular the legal basis provided by the JRC Ispra to conduct such assessment of the candidate's good conduct. The EDPS concluded that the processing operation appears to be in breach of the provisions of Regulation (EC) No 45/2001 unless a clear legal basis is identified, produced or established by the institution. Indeed the processing operation described by the Security Service goes far beyond a checking of the candidate's good conduct, notably by collecting excessive and non relevant data (data quality principle).

The EDPS moreover recommended that in order to ensure compliance with the Regulation, the JRC Ispra should made several amendments to the privacy statement to fully respect the information that should be given to the data subject following Article 12 of the Regulation. The EDPS also insisted on the fact that the retention period foreseen by the institution should be implemented as soon as possible.