Privacy in the EU Institutions

Opinion of 3 August 2007 on a notification for prior checking on the modification of the data processing operations concerning "gestion du temps" and "medical records" (Case 2007-373)

In his opinion, the EDPS expressed that the EIB would be in breach of certain provisions of the Regulation (lawfulness of the processing, data quality principle, processing of special categories of data) unless it ensures that staff members are requested to provide their freely given, unambiguous consent to the OHC physician's access to data regarding their uncertified medical leave. When requesting consent, it must be ensured that the staff member clearly understands that consent can be withheld or subsequently withdrawn at any time, without any justification, and with no adverse consequences. It must also be made clear that providing this information will only serve the purposes of prevention.

Opinion of 31 July 2007 on a notification for prior checking on Trainee Recruitment (Case 2007-208)

In his Opinion the EDPS has recommended various actions in order to ensure that the data processing fully complies with Regulation (EC) No 45/2001.  In particular, among others, the EDPS has recommended certain periods for retaining different types of data about the trainee that the data controller must adopt and that the trainee is kept informed of these periods.  He has also recommended that it would be good practice to ensure that recipients are reminded when they receive the personal data of candidates that they should not use the data for any further purposes beyond that of trainee recruitment.

Opinion of 31 July 2007 on a notification for prior checking on the recruitment of translation trainees (Case 2007-324)

In his Opinion the EDPS has recommended various actions in order to ensure that the data processing fully complies with Regulation (EC) No 45/2001.  In particular, among others, the EDPS has recommended certain periods for retaining different types of data about the trainee that the data controller must adopt and that the trainee is kept informed of these periods.  He has also recommended that it would be good practice to ensure that recipients are reminded when they receive the personal data of candidates that they should not use the data for any further purposes beyond that of recruitment of translation trainees.

Opinion of 27 July 2007 on a notification for prior checking on the "Management of crèches and childcare facilities" (Case 2007-148)

This dossier deals with the management of "crèches and after-school childcare services in Brussels", undertaken by the Commission's Crèche and Childcare Service. The persons concerned are the children of the staff of the European institutions, those children's parents and persons authorised to collect and drop off children.

Processing is the subject of a prior check since, as part of assessing and selecting children to be admitted to crèches and childcare services based on the criteria set out in internal regulations, the collection of health and administrative data constitutes information on the state of health of the person concerned and their personality.

One recommendation by the EDPS is that if, in future, a waiting list is drawn up for the childcare services, the Commission should guarantee that the medical record is collected only after the child has been admitted to the outdoor or after-school childcare facilities. A further recommendation is that, instead of inquiring about civil status, the Commission should ask whether the family is a one or two-parent family (one or both parents has/have responsibility for the child) or should, at least, inform the parents that data collection on their marital status is not relevant/necessary for the purpose of data processing. It was stressed that the Commission should guarantee protection of the rights of the persons concerned in this kind of processing by means of a clause to be added to the service contract concluded with the company which runs the two private crèches. The EDPS has also recommended that the contract concluded with the childcare company explicitly include provisions on the roles of the controller and the sub-contractor respectively and include provisions on the requirements governing the confidentiality and security of the processing.

Opinion of 27 July 2007 on a notification for prior checking related to Administration of the Accidents and Occupational Disease Insurance (Case 2007-157)

The EDPS has issued an opinion on the management of the scheme which concludes that on a general basis the scheme complies with the principles established in the data protection regulation.  However the EDPS did make some recommendations mainly as concerns raising awareness among non-medical PMO.3 staff regarding medical secrecy, the need to make more visible the privacy statement in the appropriate web site so that EU staff members are properly informed of the processing of their personal data. The EDPS also suggested that the web site for the scheme should ask EU staff members to send medical reports in sealed envelopes marked with the terms 'confidential' and/or 'to be opened by addressee only' and that guidelines should be issued by PMO 3 in order to ensure that inadequate, irrelevant and non excessive information is not provided in medical reports.