Privacy in the EU Institutions

Opinion of 7 April 2008 on a notification for prior checking on identity and access control system (Case 2007-635)
The Identity and Access Control System is part of the security infrastructure that protects OLAF premises and IT systems. The purpose of the data processing is to ensure that only authorised persons have access to OLAF's premises.  The system is designed to control the identity and permit or deny access of persons entering and exiting from OLAF's premises outside working hours and special secure zones. To do so, OLAF uses a smartcard and the use of fingerprints authentication. Users' biometrics data are stored only on the smartcard which cannot be used for any other purpose. For the EDPS, the processing operation is not in breach of Regulation 45/2001 if OLAF takes into account the following recommendations, for instance regarding a reassessment of the concerned data subjects submitted to enrolment; the development of fallback procedures; the setting of a shorter conservation period of data after the first year of operation of the new system; the amendment of the privacy statement and the reconsideration of the technological taking into consideration the choice of the best available techniques and discussions on future security systems.

Opinion of 7 April 2008 on a notification for prior checking on coordination cases (Case 2007-699)
OLAF engages in processing of personal data when it opens a Coordination case. These are cases that could be the subject of OLAF external investigations, but where OLAF’s role is to contribute to investigations being carried out by other national or Community services by, among other things, facilitating the gathering and exchange of information and ensuring operational synergy among the relevant national and Community services. The main investigative input is provided by other authorities. OLAF's role includes facilitating contacts and encouraging the responsible authorities to work together. The type of personal information processed by OLAF in these cases includes identification, professional data and information concerning activities related to matters which are the subject of coordination.

The EDPS has issued an opinion on the processing of personal data in the context of OLAF's Coordination cases. The Opinion concludes that on a general basis the data processing complies with the principles established in the data protection Regulation. However the EDPS did make some recommendations. Among others, the EDPS asked OLAF to ensure that individuals whose data are processed by OLAF are informed of the data processing that takes place in the context of Coordination cases. It also suggested some amendments to the privacy statement and asked OLAF to conduct a preliminary evaluation of the necessity of the 20 years conservation period vis-à-vis the purpose of such conservation.

Opinion of 1 April 2008 on a notification for prior checking on part time requests (Case 2007-500)
The European Medicines Agency (EMEA) manages part-time applications of the staff. The data processing operations are both automated and manual. A staff member fills in a form which is collected in hard copies and subsequently the data of each staff member are entered in the COMPEL Database. Data subjects include temporary and contractual agents at the EMEA. In exceptional circumstances, the family members of staff can also be concerned.

The EDPS has issued an opinion concerning part time requests in EMEA. The EDPS concludes that on a general basis the procedure complies with the principles established in the data protection regulation. However the EDPS did make some recommendations mainly as concerns the need to modify the "Personal Data Access Request Form", to amend the information provided in the data protection declaration as well as to remind all EMEA internal recipients of their obligation not to use the data for any further purpose beyond the purposes communicated to the data subjects.

Answer to a notification for prior checking on the staff management at JRC-ITU in Karlsruhe (Case 2008-151)