Brussels, 29 November 2007 (Case ) 1. Procedure

Similar documents
Brussels, 3 May 2006 (Case ) 1. Procedure

Brussels, 16 May 2006 (Case ) 1. Procedure

Opinion on a notification for Prior Checking received from the Data Protection Officer of the European Ombudsman on verification of telephone bills

Selection procedure at the European Ombudsman's Secretariat

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

Brussels, 16 July 2007 (Case ) 1. Procedure

on the proposal for a Regulation of the European Parliament and of the Council concerning customs enforcement of intellectual property rights

Opinion on a notification for Prior Checking received from the OLAF Data Protection Officer regarding the Customs File Identification Database (FIDE)

Opinion on a notification for Prior Checking received from the Data Protection Officer of the European Commission regarding the database ARDOS

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

EDPS - European Data Protection Supervisor CEPD - Contrôleur européen de la protection des données

SUBSIDIARY LEGISLATION DATA PROTECTION (PROCESSING OF PERSONAL DATA IN THE POLICE SECTOR) REGULATIONS

Art. I Right to Access to Personal Data

DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. of 24 October 1995

ARTICLE 29 Data Protection Working Party

INFORMATION TO BE GIVEN 2

European Data Protection Supervisor Your personal information and the EU administration: What are your rights?

Opinion of the European Data Protection Supervisor

ARTICLE 29 Data Protection Working Party

PROJET DE LOI ENTITLED. The Data Protection (Bailiwick of Guernsey) Law, 2017 ARRANGEMENT OF SECTIONS PART I PRELIMINARY

EDPS Opinion on the proposal for a recast of Brussels IIa Regulation

NOTIFICATION FOR PRIOR CHECKING INFORMATION TO BE GIVEN(2)

The EDPS has limited the comments below to the provisions of the Proposal that are particularly relevant from a data protection perspective.

COMP Article 1. Article 1 Subject matter and objectives

ARTICLE 29 DATA PROTECTION WORKING PARTY

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Having regard to the Treaty establishing the European Community, and in particular its Article 286,

EUROPEAN DATA PROTECTION SUPERVISOR DECISION OF 28 APRIL 2009 LAYING DOWN RULES ON THE SECONDMENT OF NATIONAL EXPERTS TO THE EDPS

Data Protection Policy. Malta Gaming Authority

closer look at Rights & remedies

Privacy policy. 1.1 We are committed to safeguarding the privacy of our website visitors.

General Rules on the Processing of Personal Data SCHEDULE 1 DATA TRANSFER AGREEMENT (Data Controller to Data Controller transfers)...

Address: PL 52 (Ketunpolku 1), Kajaani

Act CXII of on the Right of Informational Self-Determination and on Freedom of Information 1 CHAPTER I GENERAL PROVISIONS. 1.

(1) General information

16 March Purpose & Introduction

PROCEDURE RIGHTS OF THE DATA SUBJECT PURSUANT TO THE ARTICLES 15 TO 23 OF THE REGULATION 679/2016

PE-CONS 71/1/15 REV 1 EN

EXECUTIVE SUMMARY. 3 P a g e

5418/16 AV/NT/vm DGD 2

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

Charities & Not-for-Profits Overview of Data Protection Law

RESTREINT UE/EU RESTRICTED

EUROPEAN EXTERNAL ACTION SERVICE

Data Protection Bill [HL]

Reports of Cases. JUDGMENT OF THE COURT (Second Chamber) 20 December 2017 *

THE PROCESSING OF PERSONAL DATA (PROTECTION OF INDIVIDUALS) LAW 138 (I) 2001 PART I GENERAL PROVISIONS

6153/1/18 REV 1 VH/np 1 DGD2

Aalto Summer continuing education

Information leaflet about processing of personal data for Newsletter Recipients (hereinafter Data Subject)

DECISION No 263/12 A LAYING DOWN RULES ON THE SECONDMENT OF NATIONAL EXPERTS TO THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE

Case C-553/07. College van burgemeester en wethouders van Rotterdam. M.E.E. Rijkeboer. (Reference for a preliminary ruling from the Raad van State)

DATA PROTECTION (JERSEY) LAW 2018

Number 5 of Vehicle Registration Data (Automated Searching and Exchange) Act 2018

Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

STATOIL BINDING CORPORATE RULES - PUBLIC DOCUMENT

Opinion 07/2016. EDPS Opinion on the First reform package on the Common European Asylum System (Eurodac, EASO and Dublin regulations)

The Act on Processing of Personal Data

Council of the European Union Brussels, 11 January 2017 (OR. fr)

The legal framework and guidance on data protection under the. Cross-border ehealth Information Services (CBeHIS) T6.2 JAseHN draft v.2 (20.10.

Official Journal of the European Union. (Acts whose publication is obligatory)

General Data Protection Regulation

Personal Data Protection Act

SCHEDULE Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Tentative Translation ELECTRONIC TRANSACTIONS ACT, B.E (2001) 1

DATA PROTECTION (JERSEY) LAW 2005

9091/17 VH/np 1 DGD 2C

SCHNEIDER GROUP OOO POLICY OF THE COMPANY REGARDING TO THE PERSONAL DATA PROCESSING

Information about the Processing of Personal Data (Article 13, 14 GDPR)

SCHEDULE 1 DATA TRANSFER AGREEMENT (Data Controller to Data Controller transfers)... 16

Data Protection Act 1998 Policy

Mission of Montenegro to the European Union

EN Official Journal of the European Communities. (Acts whose publication is obligatory) COUNCIL REGULATION (EC) No 1206/2001.

CHAPTER [INSERT] DATA PROTECTION BILL Acts [insert] ARRANGEMENT OF SECTIONS PART I PART II

EUROPEAN PARLIAMENT COMMITTEE ON CIVIL LIBERTIES, JUSTICE AND HOME AFFAIRS

the Commisslone Mazionale per le Sodeta e la Borsa in ItaJy and the Public Company Accounting Oversight Board In the United States

Having regard to the Treaty establishing the European Community, and in particular Article 235 thereof,

Application for a visa for a long stay in Belgium This application form is free

LIBE Committee Inquiry on electronic mass surveillance of EU citizens. Public Hearing, Strasbourg, 7 October 2013 Contribution of Peter Hustinx (EDPS)

PROTECTION OF PERSONAL INFORMATION ACT NO. 4 OF 2013

***I DRAFT REPORT. EN United in diversity EN 2012/0010(COD)

COUNCIL OF THE EUROPEAN UNION. Brussels, 7 July 2005 (28.07) (OR. nl) 10900/05 LIMITE CRIMORG 65 ENFOPOL 85 MIGR 30

CONSULTATIVE COMMITTEE OF THE CONVENTION FOR THE PROTECTION OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING OF PERSONAL DATA

DECISION OF THE EEA JOINT COMMITTEE No 76/2009. of 30 June 2009

EUROPEAN DATA PROTECTION SUPERVISOR

ASSEMBLEIA DA REPÚBLICA [PORTUGUESE PARLIAMENT]

Implementing Regulations to the Convention on the Grant of European Patents

EDPS respomse to the Commission public consultation on lowering tfiie fingerprinting âge for children in the visa procédure from 12 years to 6 years

EDPS Newsletter NO 25 JULY 2010

LAW OF THE REPUBLIC OF ARMENIA ON PROTECTION OF PERSONAL DATA CHAPTER 1 GENERAL PROVISIONS

European College of Business and Management Data Protection Policy

Data Protection Act 1998

DATA PROCESSING AGREEMENT

Council of the European Union Brussels, 24 October 2017 (OR. en)

(2002/309/EC, Euratom)

ARTICLE 29 Data Protection Working Party

REGULATION (EC) No 767/2008 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. of 9 July 2008

PERSONAL DATA PROCESSING AGREEMENT

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY WORKING PARTY ON POLICE AND JUSTICE

Transcription:

Opinion on the notification for prior checking received from the Data Protection Officer of the Council concerning administrative management in the event of strikes and equivalent action: deductions from salaries and requisitions Brussels, 29 November 2007 (Case 2004-249) 1. Procedure Notification within the meaning of Article 27(3) of Regulation No 45/2001 concerning administrative management in the event of strikes and equivalent action: deductions from salaries and requisitions was given by the Data Protection Officer (hereinafter referred to as the "DPO") of the Council of the European Union (hereinafter referred to as "the Council") by letter received on 1 October 2007. The DPO was given seven days to make comments. 2. The facts The arrangements concerning the right to strike at the Council are governed by a Staff Note (43/2003) dated 2 April 2003 on measures to be applied in the event of strikes and equivalent action and by a record of agreement following consultation dated 24 May 2004 (draft agreement between the Deputy Secretary-General and the Trade Union or Professional Organisations (OSP) of the General Secretariat on the arrangements to be applied in the event of a concerted work stoppage by the staff of the General Secretariat of the Council). The principle that was adopted is that the trade unions or professional organisations must give the appointing authority five days' notice of the strike, that such notice enables negotiations between the various parties to be held, that the strike cannot prevent Council meetings from being held and finally that no payment can be made for days on strike. For the purposes of non-payment, attendance or absence on strike days must be monitored. Staff must sign a declaration on strike action. The declaration must be countersigned by the hierarchical superior. The data subjects for the processing of data relating to strike participation are officials and other servants. The purpose of the data processing operation is to establish a reliable list of strike participants in order to apply a salary deduction to them and to ensure the requisition of the staff necessary for the operation of certain essential services. The categories of data shall be as follows: full name/personnel number/post/presence or absence and reasons for and conditions of presence or absence. The data subjects were informed by Staff Note No 43/03 setting out the administrative measures to be applied in the event of strikes. If necessary, officials will be informed by the Postal address: rue Wiertz 60 - B-1047 Brussels Offices: rue Montoyer 63 E-mail : edps@edps.europa.eu - Website: www.edps.europa.eu Tel.: 02-283 19 00 - Fax : 02-283 19 50

publication of a Staff Note setting out the measures that will apply in the event of a strike, the procedure and the forms for verifying participation in the strike. The procedures guaranteeing the rights of the data subjects (right of access, rectification, blocking, erasure and right to object) are those provided for in Section 5 of the Council Decision of 13 September 2004: 2004/644/EC (OJ L 296, 21.9.2004, p.20). The automated and manual processing operations are the following: the officials in charge of each department make lists of officials who took part in the strike after checking the attendance lists supplied and forward their lists to the Leave Department. After checking the lists received, the Leave Department keys them into the electronic system in order to draw up the final list to be forwarded to the Salaries Department for action. Given the time necessary, deductions from salaries are not made until the second month following forwarding. The officials or servants concerned are able to react and supply supporting documents in order to request changes. The processes are therefore partially automated. With regard to drawing up paper lists, only the final result is keyed into the appropriate data-processing systems by the Salaries Department in order to make deductions from the salaries of those who took part in a strike. The recipients or categories of recipients to whom the data might be disclosed are as follows: DGA1/A (Human Resources), Leave Department and Salaries Department. The departments involved in the processing form part of DG A 1B (Personnel Administration). With regard to the policy concerning the retention and storage of personal data (or categories of data), they are kept until they are no longer of use for administrative purposes to the Council General Secretariat and audit institutions. The data gathered by the Leave Department are destroyed (paper lists - lists of participants, declarations of participation, requisition forms) or erased (electronic medium) two years after the date of the strike. This period should be sufficient for covering the duration of any proceedings (Article 90 of the Staff Regulations). Salary deductions are not carried out until the second month following the forwarding of data by the persons in charge. Rectification is possible even after two months have elapsed if supporting documents are submitted. No processing is carried out for historical, scientific or statistical purposes. The security measures are as follows: normal security procedure in force in the departments concerned with regard to keeping paper documents and the relevant computer applications. The list of absences and the relevant forms are filed in a locked cupboard in the Leave Department during the data retention period. The data are accessible only to members of the department who have the necessary password/login for connection to the application itself. 3. Legal aspects 3.1. Prior checking The management of data on strike participation constitutes processing of personal data ("any information relating to an identified or identifiable natural person" Article 2(a) of Regulation EC No 45/2001). The data processing in question is carried out by an institution in the exercise of activities which fall within the scope of Community law.

The processing of data concerning participation in a strike is both automated (keyed into the electronic system in order to draw up the final list) and manual (drawing up of attendance lists) but the data will be included in a data file. The processing is therefore partly automated (Article 3(2) of the Regulation). The processing therefore falls within the scope of Regulation (EC) No 45/2001. Article 27(1) of Regulation (EC) No 45/2001 makes processing operations that present specific risks to the rights and freedoms of data subjects (which is the case for participation in a strike) subject to prior checking by the European Data Protection Supervisor (hereinafter referred to as the EDPS). Article 27(2) contains a list of processing operations likely to present such risks. Article 27(2)(d) classifies as operations likely to present such risks "processing operations for the purpose of excluding individuals from a right, benefit or contract". Management of data concerning participation in a strike is an operation for the processing of personal data covered by Article 27(2)(d), and as such is subject to prior checking by the EDPS. Article 27(2)(d) applies insofar as participation in a strike automatically involves a salary deduction and potential requisitions in accordance with the principle established by Staff Note No 43/2003 of 2 April 2003. In principle, checks by the EDPS should be performed before the processing operation is implemented. In this case, as the EDPS was appointed after the system was set up, the check necessarily has to be performed ex post. This does not alter the fact that the recommendations issued by the EDPS should be implemented. The formal notification was received through the post on 1 October 2007. The DPO was given seven days to make comments. Comments were sent on 26 November 2007, involving a suspension of 4 days. In accordance with Article 27(4), the EDPS will therefore deliver his opinion by 6 December 2007 at the latest (2 December + 4 suspension days). 3.2. Lawfulness of processing The lawfulness of processing must be examined in the light of Article 5(a) of Regulation (EC) No 45/2001, which stipulates that "Personal data may be processed only if: (a) processing is necessary for the performance of a task carried out in the public interest on the basis of the Treaties establishing the European Communities or other legal instruments adopted on the basis thereof or in the legitimate exercise of official authority vested in the Community institution". In the present case, the general administrative management of participation in a strike is carried out in the public interest insofar as good management of the strike (and, in particular, of requisitions) allows efficient functioning of the institution and protects the Community's financial interests. The data processing is carried out on the basis of legislative acts (Staff Note and agreement following consultation between the Council and the OSP). The processing operation is therefore lawful. The processing is carried out on this basis and on the basis of Article 207 of the EC Treaty (the Council shall adopt its rules of procedure). This legal basis is valid and supports the lawfulness of the processing.

Finally, data relating to trade union membership are among the data which Article 10 of the Regulation refers to as "special categories of data". 3.3. The processing of special categories of data If the strike were to be called by a single trade union, the persons likely to follow the strike could be regarded as being members of that trade union. The processing proposed could indirectly imply trade union membership. The processing of personal data revealing trade union membership is prohibited (Article 10(1) of Regulation (EC) No 45/2001). However, in the case under examination the general management of participation in a strike is covered by Article 10(2)(b), which authorises processing necessary "[to comply] with the specific rights and obligations of the controller in the field of employment law". Article 10 of Regulation (EC) No 45/2001 on the processing of special categories of data is duly complied with. 3.4. Data Quality "Personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed" (Article 4(1)(c) of the Regulation). The data processed in the context of strike participation, set out above, may be deemed to be "adequate, relevant and not excessive" and to comply with Article 4(1)(c) of the Regulation. Moreover, the data must be "processed fairly and lawfully" (Article 4(1)(a) of the Regulation). Lawfulness has already been considered in section 3.2 of this opinion. As for fairness, this relates to the information which must be transmitted to the data subject (see section 3.10 below). Finally, the data must be "accurate and, where necessary, kept up-to-date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified" (Article 4(1)(d) of the Regulation). The system described provides reasonable assurance as regards the accuracy of the data. The data subject is made aware of his or her right of access to and right to rectify data, in order to ensure that the file remains as comprehensive as possible. These rights are the second means of ensuring data quality. See point 3.9 below on the dual rights of access and rectification. 3.5. Data storage Personal data must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. ( )" (Article 4(1)(e) of the Regulation). Data are kept until they are of no further administrative use to the Council General Secretariat and audit institutions. The data gathered by the Leave Department are destroyed (paper lists - lists of participants, declarations of participation, requisition forms) or erased (electronic medium) two years after the date of the strike. This period should be sufficient for covering the duration of any proceedings (Article 90 of the Staff Regulations).

It should be noted moreover that records will remain in the pay files for the entire period for which pay application data are retained. Those records are therefore likely to be kept for a period of 7 years pursuant to Article 49(d) of the detailed rules for the implementation of the Financial Regulation. This duration is covered by the indication in this case "until they are of no further use for administrative purposes to the Council General Secretariat and audit institutions". The EDPS considers that the various time limits are reasonable in the light of the purpose of the administrative management of participation in a strike. The generation of statistics is excluded. Article 4(1) is not applicable in this case. 3.6. Change of purpose / compatible use Data are retrieved from or entered into the staff databases (Leave Department, Salaries Department). The processing being reviewed involves no general change to the specified purpose of staff databases, management of participation in a strike being only a very small part of that purpose. Accordingly, Article 6(1) of Regulation (EC) No 45/2001 does not apply in this instance and the conditions of Article 4(1)(b) of the Regulation are fulfilled. 3.7. Transfer of data The processing operation should also be scrutinised in the light of Article 7(1) of the Regulation. The processing covered by Article 7(1) is the transfer of personal data within or to other Community institutions or bodies "if the data are necessary for the legitimate performance of tasks covered by the competence of the recipient". The conditions in Article 7(1) are fulfilled, since the data are transferred within the institution (DGA1/Leave Department and Salaries Department). The purpose of such transfers is to implement the financial consequences of participation in a strike. Article 7(3) of Regulation (EC) No 45/2001 provides that "the recipient shall process the personal data only for the purposes for which they were transmitted". It must be explicitly guaranteed that any person receiving and processing data in the context of the strike management procedure is informed that he may not use it for any other purpose. To comply with Article 7(3) of the Regulation, the EDPS recommends that staff of DG 1B (Personnel Administration) of the Personnel and Administration DG be informed of this obligation. 3.8. Processing including the personnel or identifying number The Council uses personnel numbers in the context of the proposed processing for the purpose of analysis. This use of an identifier is, in itself, no more than a means (and a legitimate one in this case) of facilitating the task of the personal data controller. However, such use may have significant consequences. That is why the European legislator decided to regulate the use of identifying numbers under Article 10(6) of the Regulation, which makes provision for action by the EDPS. Here, it is not a case of establishing the conditions under which the Council may process the identifying number, but rather of drawing attention to this point in the Regulation. In the present case, the Council's use of an identifying number is reasonable as it is used for the purposes of identifying the person and keeping track of the file, thereby facilitating

processing. The EDPS considers that this number may be used in the context of the administrative management by the Council of strike participation. 3.9. Right of access and rectification Article 13 of Regulation (EC) No 45/2001 establishes a right of access and the arrangements for exercising it upon request by the data subject. Article 14 of Regulation (EC) No 45/2001 allows the data subject the right of rectification. The procedures guaranteeing the rights of the persons concerned (right of access, rectification, blocking, erasure and right to object) are those provided for in Section 5 of the Council Decision of 13 September 2004: 2004/644/EC (OJ L 296, 21.9.2004, p.20). They fulfil the conditions of Articles 13 and 14 of the Regulation, which are therefore duly complied with. 3.10. Information to be given to the data subject Regulation (EC) No 45/2001 provides that the data subject must be informed where his or her personal data are processed and lists a series of specific items of information that must be provided. In the present case, some of the data are collected directly from the data subject and other data from other persons. The provisions of Article 11 (Information to be supplied where the data have been obtained from the data subject) on information to be given to the data subject apply in this case. In signing the declaration on strike action, the data subjects themselves provide the data. The provisions of Article 12 (Information to be supplied where the data have not been obtained from the data subject) on information to be given to the data subject also apply in this case because information is obtained from the various parties involved in the process (hierarchical superiors). It will be recalled that in this case the persons concerned were informed by Staff Note No 43/03 setting out the administrative measures to be taken in the event of a strike. If necessary, officials will be informed by the publication of a Staff Note setting out the measures that will apply in the event of a strike, the procedure and the forms for verifying participation in the strike. Annex 2 to Staff Note No 43/03 fails to mention the possibility of an appeal to the EDPS at any time (instead of the additional information section). The EDPS recommends that Annex 2 be supplemented accordingly. 3.11. Security In accordance with Article 22 of Regulation (EC) No 45/2001 on security of processing, "the controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected". After a careful examination, the security measures seem appropriate and in conformity with Article 22 of the Regulation.

Conclusion The proposed processing operation does not appear to infringe the provisions of Regulation (EC) No 45/2001, subject to the comments made above. This implies, in particular, that the Council should: inform the recipients of the processing of the obligation set out in Article 7(3) of the Regulation, namely, "The recipient shall process the personal data only for the purposes for which they were transmitted;" supplement Annex 2 of Staff Note No 43/03 by mentioning the possibility of an appeal to the European Data Protection Supervisor at any time. Done at Brussels, 29 November 2007 (Signed) Peter HUSTINX European Data Protection Supervisor

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback