Opinion of 16 December 2013 on a notification for prior-checking regarding OHIM's attestation procedure (ex-C and ex-D categories) (Case 2013-0797)
The mini-prior-check Opinion in case 2013-0797 covers the processing operations related to the OHIM's attestation procedure (ex-C and ex-D categories). As the EDPS issued Guidelines on the evaluation of statutory staff in the context of annual appraisal, probation, promotion or regarding certification and attestation (henceforth: "Guidelines"), the EDPS only addresses the existing data conservation policy which does not seem to be in conformity with the principles of the Regulation and with the Guidelines issued by the EDPS in July 2011. Article 4(1)(e) of the Regulation states that personal data can be kept in a form permitting identification of data subjects for no longer than necessary for the purpose for which they were collected or further processed.
The EDPS observes that conservation of attestation files of unsuccessful applicants for up to five years after the particular exercise can be considered as necessary for the related appeals. At the same time, there seem to be no sufficient evidence as to the necessity of storage of the actual attestation decisions beyond the end of the career at the OHIM. Therefore, the OHIM is invited to reconsider the existing time limit and to provide for precise justifications that will be taken into account in the on-going discussions with the relevant stakeholders.
Opinion of 25 November 2008 on a notification for prior checking concerning "Probationary Period Reports" (Case 2008-432)
OHIM Reporting Officers draft Probationary Period Reports and Management Capacities Assessments which aim to assess the performance of newly recruited officials and temporary/contractual agents as well as the management competences of officials appointed in management positions. The processing is carried out under the responsibility of OHIM Career and Development Sector which is part of the OHIM Human Resources Department.
The Prior Check Opinion gives recommendations to ensure full compliance with Regulation 45/2001, in particular, among others, it suggests that OHIIM (i) sets out an appropriate time-limit for the storage of the personal files; (ii) reminds all recipients of their obligation not to use the data received for any further purpose than the one for which they were transmitted and, (iii) inserts in the "Probation Period Report" data protection information in light of Article 12 of the Regulation as suggested in this Opinion.
Opinion of 18 July 2007 on a notification for prior checking on silent monitoring (Case 2007-128)
Therefore, the purposes of the processing operations referred to in the present notification for prior check, are to assess the quality of the service provided by the Switchboard and by the Information Centre as follows:
The EDPS has issued an opinion on this procedure which concludes that on a general basis the procedure complies with the principles established in the data protection regulation. However, the EDPS did make some recommendations mainly as concerns avoidance of the use of Article 5(c) of the Regulation as the basis for lawfulness regarding the processing operation conducted vis-à-vis the Switchboard. On the contrary, Article 5(a) of the Regulation has to be used in this regard. Furthermore, a method to guarantee the accuracy of the data should be found. This could be done either by recording the monitored calls or by sharing with the data subject the results of the monitoring in an immediate manner (e.g. after each day of the monitoring exercise), in such a way that the results are documented and discussed as soon as possible after the listening.
Opinion of 11 January 2008 on a notification for prior checking on the Call center technology (Case 2007-583)
The EDPS recommendations provided in this opinion aim to ensure the full compliance with the Regulation 45/2001, in particular, as regards the storage periods, the scope of the right of access and the requirements for data transfers to service providers established in non-adequate countries.
Opinion of 2 March 2011 on a notification for Prior Checking regarding "Analytical accounting and performance reports" (Case 2009-0771)
OHIM introduced in October 2009 a tool to measure the productivity of staff, which also serves as a basis for performance appraisals: the Analytical and Accounting Performance Report. In his prior checking opinion, after having underlined that the processing should have been notified to him prior to the start of the processing operations, the EDPS particularly insisted that OHIM adopts a legal basis for the processing. The EDPS further emphasized that OHIM should refrain from using AA&P reports as the sole tool supporting the annual evaluation of staff members. The EDPS reminded OHIM that adequate guarantees should be implemented to ensure the effective exercise by staff of their rights to access and rectify data concerning them. In particular, the EDPS recommended that a specific procedure is set forth as concerns the rights of data subjects to contest and correct the accuracy of data generated automatically.
Opinion of 22 November 2010 on "Empirical analysis of correlations between work system variables and decision-making" notified by the Office for Harmonization in the Internal Market ("OHIM") on 22 July 2010 (case 2010-0468)
This prior checking covers the data protection aspects of an exercise undertaken by OHIM entitled "Empirical analysis of correlations between work system variables and decision-making". It was explained to the EDPS that the analysis could help identify comparable job profiles, and develop best practice of HR management for these profiles. In addition to bringing practical benefits to OHIM as an organization, the project also serves additional scientific purposes, as the analyst carrying out the research plans to publish his findings (after careful editing to protect the privacy of the participants in the exercise) in a PhD thesis.
The EDPS provided a number of recommendations, including on data retention, transfers to third parties and information to data subjects.
As for retention, the EDPS recommended that all personal data from OHIM's servers should be deleted by the end of the conservation period which was foreseen for the end of 2011. As for data retention by he analyst, further efforts may be necessary under national law to ensure that the microdata retained for a longer period of time for potential future research purposes should be limited to what is strictly necessary for such purposes.
As for transfers to third parties, considering deletion of all data from OHIM servers by the end of 2011 and the fact that OHIM has no plans to further transfer the data, this issue is limited to potential transfers of any microdata by the analyst for research purposes. In this respect the EDPS calls the attention of the analyst to assess, under applicable law, what safeguards should be in place to ensure that the data disclosed remains confidential and will only be used for genuine research purposes.
Regarding information to data subjects, the EDPS recommended that additional information should be provided on some remaining items to the participants.