Print

EDPS-DPOs meetings

EDPS-DPOs meetings

27
Feb
2014

Data Security Breaches

In October 2013, the EDPS was notified of a data security breach involving unauthorised access to an EU Agency database which is operated by an external contractor. This database contained the names and email addresses of approximately 70 individuals. The Agency asked the EDPS for advice on how best to handle this breach, and has now implemented all our suggested remedial measures. These included carrying out a full investigation with the contractor, implementing amendments to the contract, and notifying affected data subjects.

Some EU institutions may already have their own rules in place about reporting security breaches to the relevant internal departments. Whilst we welcome this type of proactive approach, we are presently unable to provide a direct or definitive instruction on any obligations to notify security breaches to the controller or the EDPS, under current data protection law. However, the contractual changes that the Agency has implemented in this particular case indicate a positive and practical approach to data breach management, by obligating contractors to promptly notify any such breaches to the controller. This will enable the Agency to deal with any future incident in a timely and effective manner.

3
Feb
2014

Information note on transfers of staff data to Member States

Some Member States governments (e.g. via Permanent Representations, Embassies or directly their Ministries of Foreign Affairs) request personal data (name, grade, contact information...) of their nationals working for the institutions, bodies and agencies. In doing so, some refer to a specific legal basis, others simply ask without giving further reasons. Following several consultations on this matter, the EDPS has compiled a small note explaining to MS governments how and for which purposes such requests can be made. Please feel free to use and forward this note if you receive such requests. It is meant to explain this matter to colleagues in the national administrations, so it repeats the relevant provisions of Regulation (EC) 45/2001.

Please note that while we initially had proposed to send a letter to all MS governments explaining the issue, in the end, we decided not to do so. The main reason was that only about ten MS seem to regularly ask for this information, so there seemed to be no need to point out this possibility to all the others.

Langues disponibles: anglais