EDPS comments on DG Connect's public consultation on specific aspects of transparency, traffic management and switching in an open internet
Opinion on the Commission Recommendation on preparations for the roll-out of smart metering systems
See also the text of the Commission recommendation on preparations for the roll-out of smart metering systems
Opinion on the proposal for a decision of the European Parliament and of the Council on serious cross-border threats to health
Opinion on the Commission proposal for a Directive of the European Parliament and of the Council amending Directive 2005/36/EC on the recognition of professional qualifications and Regulation [...] on administrative cooperation through the Internal Market Information System, OJ C 137/01 12.05.2012, p1
See also the text of the proposal for a Directive of the European Parliament and of the Council amending the Directive 2005/36/EC on the recognition of professional qualifications and Regulation [...] on administrative cooperation through the Internal Market Information System
The objective of the Proposal is to modernize and amend the existing text of Directive 2005/36/EC (the Professional Qualifications Directive). From the data protection perspective, the two key aspects of the Proposal are (i) the introduction of an alert system and (ii) the introduction on a voluntary basis of a European Professional Card . The processing of personal data in both cases is foreseen to take place via the Internal Market Information System (IMI).
The EDPS welcomes the efforts made in the Proposal to address data protection concerns. The EDPS also welcomes the fact that the use of an existing information system, IMI, is proposed for the administrative cooperation, which already offers, at the practical level, a number of data protection safeguards. Nevertheless, important concerns remain, mainly relating to the alert system, which must remain proportionate.
The EDPS recommends, in particular, that:
- the Proposal should specify unambiguously in which concrete cases alerts can be sent, more clearly define what personal data can be included in alerts, and limit the processing to the minimum that is necessary, taking into account proportionality and balancing of rights and interests;
- in this respect, the Proposal should unambiguously specify that alerts can only be sent after a decision has been made by a competent authority or a court in a Member State prohibiting an individual to pursue his or her professional activities in its territory;
- specify that the content of the alert must not contain more specific information regarding the circumstances and reasons for the prohibition;
- clarify and limit to the minimum strictly necessary, the period for which alerts are retained; and
- ensure that alerts are only sent to competent authorities in Member States and that these authorities shall keep alert information received confidential and not further distribute or publish it, unless the data were made public in accordance with the law of the sending Member State.
With regard to the European Professional Card and the related ‘IMI-file’, the EDPS recommends further clarifications on the conditions under which information concerning disciplinary action or criminal sanctions or any other serious specific circumstances must be included in the file, and the content of the information to be included, and also recommends clear limitation on the retention periods.
Further, the EDPS recommends that in the long term, if and when the use of Professional Cards and IMI will become widespread, the Commission undertake a review of whether the Article 56a alert systems are still necessary and whether they cannot be replaced by a more limited, and thus, from the data protection point of view, less intrusive, system.
Finally, the EDPS further recommends that the EDPS and Article 29 Working Party where national data protection authorities are also represented be consulted before the adoption of delegated acts referred to in Article 56a(5) and of any other delegated acts adopted under Article 58 which may have an impact on data protection. A data protection impact assessment should precede such consultation.