Investigations

Opinion of 26 January 2009 on a notification for prior checking concerning "Threats to European Commission interests in the areas of counter-intelligence and counter-terrorism" (Case 2008-0440)
In the context of threat management in the areas of counter-espionage and counter-terrorism, the European Commission has set up the two separate procedures of security investigations and screening procedures in order to protect its interests and those of the Member States. The EDPS has examined the two procedures and issued recommendations including the following: establishment of a more detailed legal basis covering a broader scope spanning all the possibilities for launching a screening procedure and establishment of a procedure ensuring that data are stored no longer than necessary.  The EDPS also recommended revising the screening section of the privacy statement and pro-actively supplying data subjects of screening with the privacy statement.

Opinion of 12 December 2008 on a notification for prior checking on the conduct of investigations by the Security Office (Case 2008-0410)
 

Opinion of 3 November 2008 on the notification for prior checking on "Traffic violations with official vehicles of the Commission managed by the Infrastructure and Logistics Office - Brussels (OIB)" (Case 2008-395)

Within the European Commission, the Mobility and Supplies Unit, which is responsible for managing the car pool, deals with offences against the highway code committed by the drivers of official Commission vehicles managed by the OIB. The purposes of the processing operation are to examine whether, when traffic violations are committed by the drivers of official Commission vehicles, the immunity granted by the Protocol on Privileges and Immunities can be invoked, and to provide administration and follow-up.

The proposed data processing operation complies with Regulation (CE) No 45/2001, if the Commission:

• reminds anyone who receives or processes data in the context of the procedure for handling penalty notices that the data may not be used for other purposes;
• complies with Articles 8 and 9 as regards the transfer of data to the competent authorities;
• as well as publishing the privacy statement on the internet, sends it to all data subjects concerned by this processing operation at the same time as the document on the procedure for forwarding the penalty notice;
• updates the "Information for the attention of drivers of official Commission vehicles" to make the necessary changes (name of the controller and details of the data recipients).

Opinion of 2 October 2008 on a notification for prior checking on security investigations (Case 2007-736)

The ADMIN/DS/RA section of the Commission is empowered to take measures in response to criminal acts concerning the buildings occupied by the Commission, the people who work in or for various reasons have access to those buildings, and any other acts which may be harmful to the institution. This includes collecting and keeping evidence and taking various investigative steps to gather such evidence, technical reporting, and collecting statements from victims, complainants, witnesses and where appropriate the perpetrators of acts.

The EDPS has examined the processing of personal data in the procedure for security investigations, and has concluded that it does not appear to breach the provisions of Regulation (EC) No 45/2001 so long as certain recommendations are followed, in particular that the department responsible should assess the proportionality of its processing activities on a case‑by‑case basis; that it should provide adequate safeguards during its activities; that it should ensure that transfers of data are legal and necessary; that it should improve the procedures relating to the rights of access to and rectification of data, and should provide the requisite information to the data subjects concerned by the investigations.

Opinion of 31 July 2008 on a notification for prior checking on the Security investigations at Joint Research Centre ISPRA (Case 2007-507)
The Security Service of JRC Ispra C7 performs investigations related to security related incidents such as traffic accidents, vandalism theft, unauthorised access, etc. in the context of which personal data are processed. The outcome of the investigation is reflected in a report describing the occurrence. This prior check analyses whether this data processing is in line with Regulation (EC) No 45/2001. The Opinion concludes by giving some recommendations to data controller towards ensuring full compliance with Regulation (EC) No 45/2001. Among others, the EDPS suggests amending the privacy statement and setting up a procedure to give the privacy statement directly to individuals, confirming the competences of the Security Service of JRC to perform investigations, etc.