Flexitime at JRC-ITU Karlsruhe - Commission
Answer to a notification for prior checking regarding "ZEUS - Flexitime at the JRC-ITU Karlsruhe" (Case 2008-486)
Regulation (EU) 2018/1725 lays down the data protection obligations for the EU institutions, bodies and agencies when they process personal data and develop new policies. This regulation also defines the obligations of the EDPS, including his role as an independent supervisory authority of EU institutions and bodies when they process personal data, and to advise on policies and legislation which affect privacy and cooperate with similar authorities to ensure consistent data protection.
Opinion of 11 November 2008 on the notification for prior checking regarding the expert database (Case 2008-455)
The Notification concerns EFSA’s Expert Database. This database contains professional data of external scientific experts who may be called upon to carry out advisory work for EFSA (and for national authorities in Member States with a similar mandate to EFSA). The Notification also covers EFSA's procedure to select external scientific experts from the database for its specific scientific projects.
The EDPS, in general, was satisfied with the data protection safeguards provided by EFSA. To further improve EFSA's data protection compliance, he recommended that the end-users' attention should be specifically called to the limited nature of the validity check that EFSA carries out, suggesting that they use the database as a pool of applications, rather than as a pool of experts whose skills and reliability have already been carefully checked by EFSA in each case.
To ensure the accuracy and up-to-datedness of the profiles kept in the database, he further recommended that automatic reminders should be sent to experts who failed to update their profiles (or confirm their old profiles) with a warning that failure to respond (after a number of reminders) would entail the automatic deletion of their profiles. EFSA was also requested to provide for an appropriate conservation period for processing data during the selection procedure for specific assignments.
With respect to rights of access, the EDPS recommended that EFSA should provide procedural safeguards to ensure that access rights are granted in a timely manner and without undue constraints (including access to certain internal documents). These may include a time-limit established for response to the request by EFSA, and the obligation for the controller to request the advice of the DPO in case of doubt whether a request can be granted. Finally, as regards information to data subjects, the EDPS noted that certain additional information needed to be provided.
Opinion of 11 November 2008 on a notification for prior checking on the procedure in the event of absence owing to illness or accident (Cases 2008-271 and 2008-283)
At the Council, absences owing to illnesses are managed by a specific Medical Absences Management Department, responsible for officials, temporary staff, contract staff and detached national and military experts working at the Council. Various data processing operations are carried out by this department, for the purpose of ensuring compliance with all statutory and other regulations concerning absence owing to illness or accident and to prevent unjustified medical absences (obtaining medical certificates, checking medical absences, etc.).
The EDPS has examined the processing of personal data in the context of the management of absences owing to illness and has concluded that it does not appear to involve any infringement of the provisions of Regulation (EC) No 45/2001 provided that certain recommendations are followed, and in particular that the department responsible for the processing changes the data retention period, puts in place a procedure to be followed in respect of applications for access to or rectification of data and informs data subjects in accordance with Articles 11 and 12 of the Regulation.
Opinion of 10 November 2008 on a notification for prior checking related to Internet monitoring (Case 2008-284)
The Court of Auditors engages in the monitoring of its Internet infrastructure for the following purposes: (i) to ensure the functionality of the network and avoid security breaches, and (ii) to verify whether the Court's users employ the Internet in accordance with the allowed uses laid down in the Internet Security Policy.
The EDPS has issued an opinion on the Court of Auditors' Internet monitoring practices which assesses the extent to which such monitoring complies with Regulation 45/2001. The EDPS concludes that the intended data processing activities give rise to doubts about their compatibility with the necessity and proportionality principles laid down in Regulation 45/2001. To address this problem, the EDPS recommends, among others, the following:
(i) In the absence of an adequate suspicion, to abstain from monitoring URLs of visited Web sites unless there is a justified reason for such an activity, namely, in case of extremely long URLs, and dangerous sites as specified in SANS, CERT, and similar publications; (ii) To consider using other indicators (volume of data downloaded, time spent, and other offline indicators) to discover abuse.
The Opinion contains other recommendations regarding other aspects of the data processing (provision of information, security, transfers of information, etc.).
Opinion of 7 November 2008 on the notification for prior checking regarding the Internal Promotion of Officials and Regrading of Temporary Agents (Case 2008-095)