Opinion on the notification of a prior check received from the Data Protection Officer of the Council of the European Union on the Holiday Camps case.

Brussels, 22 February 2012 (Case 2011-0950)

1. Procedure

On 7 October 2011, a consultation within the meaning of Article 27(3) of Regulation (EC) No 45/2001 ("the Regulation") was conducted by the Data Protection Officer ("the DPO") of the Council of the European Union ("the Council") concerning the processing of personal data under the holiday camps programme.

On 20 October 2011, the EDPS replied that, due to the very nature of health data processed concerning a handicapped child, this processing must be submitted for prior checking by the EDPS within the meaning of Article 27(2)(a) of the Regulation.

On 31 October 2011, the DPO sent the EDPS the notification form together with the related documents. The EDPS considers this date to be the date of receipt of the notification, in the light of Article 27(4) of the Regulation.

In the course of this notification, questions were put to the Council's DPO by e-mail on 2 December 2011 and replies were received on 3 January 2012. Supplementary questions were asked on 13 January 2012 and replies were furnished on 2 February 2012. The draft opinion was sent to the Council's DPO for comments on 17 February 2012. Comments were provided on 21 February 2012.

2. The facts

The processing of data in the context of the holiday camp programme was set up by the Staff Committee of the Council. The Staff Committee is an organisational entity integrated in the Council, which carries out the processing in question as part of its functions listed in Article 9(3) of the Staff Regulations.

In contributing in part to the reimbursement of the costs of the holiday camps, the Staff Committee encourages parents to make use of the cultural, linguistic and/or sporting events organised during school holidays. This opportunity helps the parents to reconcile their working and family lives, as the children have more days' holiday than their parents.

The purpose

The purpose of the processing is to calculate the reimbursement of expenses associated with the holiday camps according to the administrative and family situation of the data subjects (in particular their dependent children, including handicapped children and orphans).

Postal address: rue Wiertz 60 - B-1047 Brussels. Offices: rue Montoyer 63. E-mail: edps@edps.europa.eu - Website: www.edps.europa.eu. Tel.: 32-2-283 19 00 - Fax: 32-2-283 19 50

Legal basis

The notification makes reference to the following:

- Article 9 of the Staff Regulations;
- the general budget of the European Union for each financial year, namely Section II for the Council, Chapter 13 on other expenditure relating to persons working in the institution and Article 1313 relating to welfare expenditure; and
- the regulations on holiday camps, adopted at the 9th plenary meeting of the Staff Committee on 4 May 2011.

Data subjects

The notification indicates the following data subjects:

- officials and other servants of the Council;
- retired officials;
- their family members; and
- orphan children benefiting from a Council pension.

Handicapped children are not specifically mentioned as data subjects, as they are included in the categories of officials, servants, their family members or retired officials. However, orphan children are listed as a separate category of data subjects, as they relate to another category, that of the family members of a deceased official or servant.

Data compiled in the course of processing

According to the regulations on holiday camps, all the dependent children of officials/servants are entitled to apply for reimbursements provided that they do not exceed the amount of income calculated at a weighted rate with a deduction related to the number of dependent, orphan or handicapped children, and that they satisfy the criteria established in the regulations, namely the date of submission, the age of the child as of the starting date of the event, etc.

Interested persons must submit the following data to the Staff Committee Bureau:

- an application form for reimbursement, with their signature:
  o surname, forename, office, telephone number, number of dependent children and IBAN of the official/servant;
  o surname, forename and date of birth of the orphan child or the handicapped child;
  o the name and address of the organisation;
  o length of stay and the number of days with or without accommodation;
  o total price or other currency;
- in the case of an orphan child, evidence of the orphan's pension paid by the Council;
- in the case of a handicapped child, evidence of the double allowance;
- a pay slip;
- a dependent children certificate;
- an official school calendar from the dependent child's school;
- a certificate of attendance filled in by the organisation; and
- proof of payment.

Nature of the processing

Processing is partially automated; electronic files are used to calculate the reimbursement.

The data collected and stored in hard copy format are as follows: the full application, a copy of the calculations, the treasurer's payment document with the reference of the bank statement showing the Staff Committee payment.

The data in electronic format relate to the following data which are stored in the Pléiades database [1]: surname and forename of the beneficiary, telephone number, administrative address, weighted income, number of dependent children, surnames and forenames of the children included in the application, their birth dates, the bank account, and particulars of the organisation where the camp has been held.

Recipients

A single person is in charge of entering the data and verifying and preparing the calculations. The file is then forwarded for checking to the secretary of the Staff Committee and to the treasurer for payment. In the following year, the auditors carry out a check on the file that was forwarded to the treasurer for payment.

Right of access, rectification, blocking and erasure

According to the notification, data subjects have the right to access the data provided in the course of their application for reimbursement, and may request the correction, blocking or erasure of the data, stating the reason for the request. The maximum time taken for the requested correction, blocking or erasure of the data is three working days, on the understanding that this period starts to run only from the date on which the Staff Committee reaches a final decision.

Applicants for reimbursement may, at any time before reimbursement, withdraw their application and the data provided will be deleted as soon as possible, but within a maximum of three working days following the withdrawal of the reimbursement request.

Right to information

On the second page, "IMPORTANT REMINDER", of annex 1 to the regulations on holiday camps, headed "Claim form for reimbursement", the following information is given:

- the identity of the data controller;
- the purpose of the data processing;
- the recipients of the data;
- the obligation to furnish the documents listed;
- the existence of the right of access to, and the right to rectify, the data subjects' data;
- the right to have recourse at any time to the EDPS.

Retention of data

Hard copy documents are kept for a period of seven years, in the light of Financial Regulation No 2342/2002. This period is established by reference to the date on which the European Parliament grants discharge for the budget. Computer files are stored for two years, or up to the time at which the child concerned ceases to be eligible.

[1] This database contains background information on the application and automatically calculates the reimbursement to be made against the claim.

No data are retained if the data subjects are not granted a reimbursement. Instead the data are returned to the applicant.

Storage and security measures

Access to the Pléiades database is protected by an individual password. The room in which the hard copy and electronic files are stored is fitted with a magnetic card lock.

3. Legal aspects

3.1 Prior checking

The applicability of the Regulation: The data processing being analysed consists of the processing of personal data ("any information relating to an identified or identifiable natural person", according to Article 2(a) of the Regulation). The data are processed by an institution of the European Union ("the EU"), the Council, in the exercise of activities within the field of application of EU [2] law. Processing is automated in part, and thus the Regulation is applicable.

Reasons for prior check: Article 27(1) of the Regulation states that "Processing operations likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes shall be subject to prior checking by the European Data Protection Supervisor." Article 27(2) lists the processing operations likely to present such risks, such as "the processing of data relating to health..." (Article 27(2)(a)).

For a handicapped child to be granted reimbursement of the holiday camp costs, the official or servant concerned must provide a certificate of the handicap and proof of the double allowance. Health data will therefore be processed as part of the processing. Due to the sensitive nature of the data, the processing may present special risks relating to the rights and freedoms of handicapped children and their parents. This is why a prior check must be conducted on this processing, based on Article 27(2)(a) of the Regulation.

In principle, the check by the EDPS is carried out prior to processing being set up. The EDPS regrets that he has been unable to give his opinion before the start of the processing. By default, therefore, the check necessarily becomes a posteriori. This does not in any way make it less desirable to implement the recommendations presented by the EDPS.

Official notification is considered to have been received on 31 October 2011. In accordance with Article 27(4) of the Regulation, the period of two months in which the EDPS is required to deliver his or her opinion has been suspended. Due therefore to the 53 days suspension, the EDPS will deliver his opinion by 27 February 2012 at the latest (49 days suspension + 4 days for comments).

[2] The concepts of "institutions and Community bodies" and "Community law" could no longer be used after the Lisbon Treaty came into force on 1 December 2009. Article 3 of the Regulation must therefore be read in the light of that Treaty.

3.2 Lawfulness of processing

According to Article 5 of the Regulation, data may be processed only on one of the conditions specified.

Of the five conditions listed in Article 5 of the Regulation, the processing in this instance satisfies the conditions stated by Article 5(a), to the effect that data may be processed if "processing is necessary for the performance of a task carried out in the public interest on the basis of the Treaties establishing the European Communities or in the legitimate exercise of official authority vested in the Community institution".

In the present case, the legal basis for the processing is Article 9 of the Staff Regulations and the regulation on holiday camps, adopted at the 9th plenary meeting of the Staff Committee of 4 May 2011.

The necessity of processing is also mentioned in paragraph 27 of the preamble to the Regulation, which states that "Processing of personal data for the performance of tasks carried out in the public interest by the Community institutions and bodies includes the processing of personal data necessary for the management and functioning of those institutions and bodies." In this instance, the processing of personal data on health is necessary in order to establish a list of the data subjects eligible for reimbursement of the costs of holiday camps. This processing is therefore necessary for the proper management and functioning of the Council.

The processing proposed is therefore lawful.

3.3 The processing of special categories of data

Article 10(1) of the Regulation states that the processing of personal data on health is prohibited, except where it is justified by the reasons referred to in Articles 10(2) and 10(3) of the Regulation.

This processing as envisaged in the Staff Regulations and the regulations on holiday camps is seen as necessary to enable the Council to comply with its specific rights and obligations in the field of employment law, as provided for by Article 10(2)(b). The Council, as the employer and with its responsibility for data processing, needs to receive the data so that it can reimburse the data subjects according to the terms of the regulations on holiday camps in the context of the Staff Regulations. This being so, the processing is justified pursuant to Article 10(2)(b).

The EDPS considers, moreover, that Article 10(2)(e) of the Regulation is also applicable to this processing. The Staff Committee may be considered to be a non-profit-seeking body which constitutes an entity integrated in the Council. This entity is not subject to national data protection law (but it is subject to the Staff Regulations). In its function of staff representation it may be considered, without prejudice to the specific competences of the trade unions, as pursuing a trade-union aim. Lastly, the processing carried out relates solely to the Council officials or servants having regular contact with the Committee in connection with its purposes [3]. This is why the processing of data on the health of the handicapped children, namely the certification of their handicap and proof of the double allowance with a view to reimbursement, may also be justified pursuant to Article 10(2)(e).

The Staff Committee's Bureau collects a certificate of handicap, but no information on the nature of the handicap is revealed in this certificate. The child concerned will, however, be identified as having a handicap, which may be considered as information on health. Because of this, and in order to establish appropriate guarantees, the EDPS recommends that, in line with the provision of Article 10(3) of the Regulation, the processing manager be bound by an obligation of professional secrecy equivalent to that of a health professional, by means of a note or a declaration to be signed.

3.4 Data quality

Pursuant to Article 4(1)(c) of the Regulation, personal data must be "adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed". It should therefore be verified that the data are relevant in relation to the purpose for which they are being processed.

The EDPS considers that the data as described in this opinion satisfy these conditions regarding the purposes of the processing as explained above.

Furthermore, Article 4(1)(d) of the Regulation provides that data must be "accurate and, where necessary, kept up to date". According to this Article, "every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified".

In the present case, the procedure set up means that the system can in itself reasonably be regarded as guaranteeing data quality. Furthermore, the rights of access and rectification are available to the data subject, in order to make the file as comprehensive as possible. These rights constitute the second means of ensuring that data concerning the data subjects are accurate and updated (see Section 3.7 on the right of access).

In addition, the data must be "processed fairly and lawfully" (Article 4(1)(a)). The lawfulness of the processing has already been discussed in section 3.2 of this opinion. As for fairness, this is linked with the information that must be forwarded to the data subject (see Section 3.8 on the right to information).

3.5 Retention of data

The general principle stated in the Regulation is that the data must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed" (Article 4(1)(e) of the Regulation).

The EDPS notes that the retention periods adopted by the Council for hard copy documents and electronic files respectively are considered necessary and reasonable, having regard to the purpose of the processing, and that therefore they comply with Article 4(1)(e) of the Regulation.

In addition, the EDPS finds it satisfactory that the Council does not retain any data if the data subject is refused any reimbursement.

[3] According to Article 9.3 of the Staff Regulations, "The Committee shall participate in the management and supervision of social welfare bodies set up by the institution in the interests of its staff. It may, with the consent of the institution, set up such welfare services."

3.6 Transfer of data

Articles 7, 8 and 9 of the Regulation lay down certain obligations that apply where personal data are transferred to third parties. The rules differ depending on whether the transfer is within or between EU institutions or bodies (Article 7), to recipients subject to Directive 95/46/EC (Article 8), or to other types of recipients (Article 9).

In this instance, the recipients are within the Council. To comply with the provision of Article 7(1), the Council must ensure both that the recipients have the appropriate competence and that the transfer is necessary.

Each recipient in question, namely the secretary to the Staff Committee, the treasurer responsible for payment, and the auditors, has a specific competence and the data transferred to each one is seen as necessary for the lawful performance of the duties coming within their respective area of competence. The EDPS therefore considers that these transfers meet the requirements of Article 7(1) of the Regulation. It will be a matter of verifying the lawfulness of the transfer on a case by case basis.

The EDPS points out, however, that only the data necessary for the performance of their duties must be transferred. This is why the EDPS recommends that the Council remind all recipients, by means of a note, that they are processing the data only for the purposes for which they have been transmitted, as provided for by Article 7(3) of the Regulation.

3.7 Right of access and rectification

Article 13 of the Regulation states the principle of the right of access to the data and the procedures therefor at the request of the data subject. Article 14 of the Regulation provides for the data subject's right of rectification.

The note headed "IMPORTANT - REMINDER" addressed to the data subjects indicates that they have the right of access to their data in the context of reimbursement and the right to request rectification of the data.

The EDPS considers that the rights of access and rectification have been provided for and that they should be respected in practice in accordance with Articles 13 and 14 respectively.

3.8 Information to be given to the data subject

Articles 11 and 12 of the Regulation relate to the information to be given to data subjects in order to ensure transparency in the processing of personal data. These articles list a series of compulsory and optional items of information. The optional items are applicable insofar as, having regard to the specific circumstances of the processing operation, they are required to guarantee fair processing in respect of the data subject.

In this instance, all the data required are supplied to the Staff Committee directly by the data subject, and therefore Article 11 of the Regulation is applicable.

The information note headed "IMPORTANT - REMINDER" contains most of the information listed in Article 11 of the Regulation. Nevertheless, the EDPS recommends that the Council specify in the note the time limits for storing the data. The note should also inform the data subjects that in the event of non-reimbursement their data will be returned to them.

3.9 Security measures

In accordance with Article 22 of Regulation No 45/2001/EC on security of processing, "the controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected".

Having regard to all the security measures adopted to ensure an appropriate level of security for the processing in this instance carried out in particular by administrative managers within the Council, the EDPS has no reason to believe that the Council has not complied with the security measures required by Article 22 of the Regulation.

Conclusion

The processing proposed does not appear to involve any infringement of the provisions of Regulation (EC) No 45/2001 provided that the comments made above are taken into account. This means in particular that the Council should:

- ensure that the processing manager is bound by an obligation of professional secrecy equivalent to that of a health professional, by means of a note or a declaration to be signed;
- remind all the recipients, by means of a note, that they are processing the data only for the purposes for which they have been transmitted;
- state in the information note the time limits for storing the data collected both in hard copy and in electronic format. The note should also inform the data subjects that in the event of non-reimbursement their data will be returned to them.

Done in Brussels on 22 February 2012

(signed)

Giovanni BUTTARELLI
Assistant European Data Protection Supervisor