Article 16 of the Treaty on the Functioning of the European Union (ex-Article 286 of the Treaty of the European Community) specifies that "Everyone has the right to the protection of personal data concerning them", and requires legislation to be drawn up to protect individuals as regards the processing of personal data and the free movement of data. This legislation applies to the EU institutions and bodies set up by, or based on, the Treaty.
Regulation 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, was drawn up in order to comply with the Treaty and provide individuals with legally enforceable rights, to specify Data Controllers' data processing obligations, and to create an independent supervisory authority.
The objectives of Regulation 2018/1725 are to protect natural persons when as regards the processing of personal data by the Union institutions, bodies, offices and agencies and the free movement of personal data between them or to other recipients established in the Union. Some definitions concerning the protection of personal data and related subjects, together with information on personal data protection at the Court, are provided below:
Data protection principles
The controller shall be responsible and be able to demonstrate compliance "accountability". Anyone processing personal data should be aware of certain basic principles, which require such data to be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject;
- processed for specified, explicit and legitimate purposes "purpose limitation";
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed "data minimisation";
- accurate and, where necessary, kept up to date "accuracy";
- not kept longer than necessary "storage limitation";
- processed in a manner that ensures appropriate security "integrity and confidentiality;
- not transferred to third parties without adequate precautions;
- processed in accordance with the Data Subject's rights".
What is 'personal data'?
Personal data means any information relating to an identified or identifiable natural person ('the Data Subject').
An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online ID or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
The processing of special categories of data, defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning an individual's health or sexual orientation, is prohibited, subject to certain exceptions (see Article 10 of Regulation 2018/1725).
Data Controller and Data Subject
The Data Controller is the EU institution or body, Directorate-General, unit or any other organisational entity which, alone or jointly with others, determines the purposes and means of processing personal data.
The Court's Data Controllers are the Members, the Secretary-General, the Directors and the Principal Managers.
For each processing operation, a Data Controller must be identified and prior notice must be given to the institution's Data Protection Officer.
The Data Subject is the person whose personal data are collected, held or processed by the Data Controller.
If Data Controllers do not process personal data themselves, processing is carried out by a Processor on their behalf. The Processor must provide sufficient guarantees in respect of the technical and organisational security measures required, and ensure compliance with those measures. The Processor can be a natural or legal person, a public authority, an agency or any other body, acting on instructions – and only on instructions – from the Data Controller. Both the Data Controller and the Processor shall be bound by a contract or legal act governing the processing of personal data.
Contact Person (Delegated Controller)
The Contact Person (or 'Delegated Controller') is appointed by the Data Controller and acts on the latter's instructions. Their task is to prepare the notifications to be sent to the DPO by the responsible Data Controller (after validation), and to liaise with the DPO where necessary.
Data Protection Officer
Each institution has one or more DPOs to ensure in an independent manner that the principles of personal data protection are applied in the institution. Each DPO keeps a register of all personal data processing operations in their institution. They also provide advice and make recommendations on rights and obligations. They notify the EDPS if the processing of personal data entails an element of risk (see below), and respond to the EDPS's requests. They may investigate matters and incidents on request or on their own initiative.
Since June 2021, the ECA's DPO has been Elena Mapelle.
What is notification ("record of processing activities") and who is responsible for it?
Notification is prior notice which the Data Controller gives to the DPO in respect of any (manual or electronic) processing operation where personal data are involved. It is only required if personal data are processed.
What is the DPO Register?
The Register is a database containing all notifications which the Data Controllers send to the DPO regarding the processing of personal data. Article 31 of Regulation 2018/1725 requires the DPO to keep a Register of processing activities, and requires the Register to be publicly accessible.
What is a filing system?
Regulation 2018/1725 applies in all cases where personal data which form part of a filing system or are intended to form part of a filing system are processed. 'Filing system' shall mean any structured set of personal data accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
It does not matter where the system is located. It can be located at Court level, but also at institutional, national, regional, local or even 'private' level (at an audited firm).
What is processing?
Processing is any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, storage, consultation, use, disclosure by transmission, erasure, destruction, etc.
What is lawful processing?
Article 5 of the Regulation states that the processing of personal data must be either necessary or by consent. Personal data may be processed only if:
- processing is necessary for the performance of a task carried out in the public interest on the basis of EU legislation or in the exercise of official EU authority;
- processing is necessary for compliance with a legal obligation to which the Data Controller is subject;
- processing is necessary for the performance of a contract to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract;
- the Data Subject has unambiguously given consent (meaning any freely given specific and informed indication of the Data Subjects' wishes signifying agreement to their personal data being processed);
- processing is necessary in order to protect the vital interests of the Data Subject.
The Data Controller is responsible for ensuring that personal data are processed fairly and lawfully.
Whenever a Court department processes personal data contained in a (manual or electronic) filing system, wherever this system is located, whatever kind of personal data are contained therein and for whatever purpose the processing takes place, this is to be considered as an instance of processing of personal data within the meaning of Regulation 2018/1725. Regulation 2018/1725 also applies in cases where personal data which are intended to form part of a filing system are processed by a Court department.
The DPO must be notified of such processing using the notification system (record of processing activities) in operation at the Court.
Information to be given to the Data Subject prior to the collection of personal data (Article 15 of Regulation 2018/1725) and Data Subject's rights in respect of personal data process (Articles 17 to 24 of Regulation 2018/1725)
The Data Controller must give the Data Subject the following information about the data being processed:
- The identity and the contact details of the controller
- The contact details of the DPO
- The purposes of the processing for which the personal data are intended as well as the legal basis for the processing
- The recipients or categories of recipients of the personal data, if any
- Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation […] and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 48, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
- The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- The existence of the right to access personal data and to have them rectified without undue delay if it is inaccurate or incomplete.
- Under certain conditions, right to ask to erase personal data or to restrict their processing.
- Where applicable, right to object to the processing of personal data, at any time, on grounds relating to a particular situation, and the right to data portability.
- The existence of the right to withdraw consent (where processing if based on consent)
- The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects him or her
- The right to lodge a complaint to the EDPS
- Whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract, and if it is an obligation to provide the personal data and of the possible consequences of failure to provide such data
- Whether the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, provision with information on the other purpose and any relevant information (retention period, rights, etc...)
- The right to request to communicate, insofar as possible, any changes to personal data to other parties to whom data have been disclosed
Requests must be dealt with without undue delay and in any event within one month of receipt. This period may be extended by two further months where necessary.
European Data Protection Supervisor (EDPS)
EDPS is an independent supervisory authority established in accordance with Regulation 2018/1725. With respect to the processing of personal data, the EDPS is responsible for ensuring that the fundamental rights and freedoms of natural persons, in particular their right to privacy, are respected by the EU institutions and bodies. The EDPS is also responsible for advising EU institutions and bodies and Data Subjects on all matters concerning the processing of personal data.
Data Controllers are required to cooperate with the EDPS, in particular by granting access to information.