
2004/644/EC: Council Decision of 13 September 2004 adopting implementing rules concerning Regulation (EC) No 45/2001 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Commu


Published: 2004-09-13


21.9.2004   EN   Official Journal of the European Union   L 296/16


COUNCIL DECISION

of 13 September 2004

adopting implementing rules concerning Regulation (EC) No 45/2001 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data

(2004/644/EC)

THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty establishing the European Community, and in particular Article 286 thereof,

Having regard to Regulation (EC) No 45/2001 of the European Parliament and of the Council (1), and in particular Article 24(8) thereof,

Whereas:

(1) Regulation (EC) No 45/2001, hereinafter referred to as the ‘Regulation’, sets out the principles and rules applicable to all Community institutions and bodies and provides for the appointment by each Community institution and Community body of the Data Protection Officer.

(2) Article 24(8) of the Regulation requires that further implementing rules concerning the Data Protection Officer shall be adopted by each Community institution or body in accordance with the provisions in the Annex thereto. The implementing rules shall in particular concern the tasks, duties and powers of the Data Protection Officer.

(3) The implementing rules also specify the procedures for the exercise of rights of the data subjects, as well as for the fulfilment of obligations of all relevant actors within the Community institutions or bodies relating to the processing of personal data.

(4) The implementing rules of the Regulation are without prejudice to Regulation (EC) No 1049/2001 (2), to Decision 2004/338/EC, Euratom (3), and in particular Annex II thereto, to Decision 2001/264/EC (4), and in particular Section VI of Part II of the Annex thereto, as well as to Decision of the Secretary-General of the Council/High Representative for Common Foreign and Security Policy of 25 June 2001 (5),

HAS DECIDED AS FOLLOWS:

SECTION 1

GENERAL PROVISIONS

Article 1

Subject matter and scope

This Decision lays down further implementing rules concerning Regulation (EC) No 45/2001 of the European Parliament and of the Council (hereinafter referred to as the Regulation) as regards the Council of the European Union.

Article 2

Definitions

For the purpose of this Decision and without prejudice to the definitions provided by the Regulation:

a) ‘controller’ shall mean the institution, the Directorate-General, the Directorate, the Division, the Unit or any other organisational entity which alone or jointly with others determines the purposes and means of the processing of personal data, as identified in the notification to be sent to the Data Protection Officer (hereafter referred to as the DPO) in accordance with Article 25 of the Regulation;

b) ‘contact person’ shall mean the administrative assistant(s) of the Directorate-General or otherwise any staff member designated in consultation with the DPO by his/her Directorate-General as its representative to deal in close cooperation with the DPO with data protection issues;

c) ‘GSC staff’ shall mean all General Secretariat of the Council (hereafter referred to as ‘GSC’) officials and any other person covered by the Staff Regulations of officials of the European Communities and the Conditions of Employment of other servants of the European Communities laid down in Regulation (EEC, Euratom, ECSC) No 259/68 (6) (hereinafter referred to as the Staff Regulations) or working for the GSC on a contractual basis (trainees, consultants, contractors, officials seconded by Member States).

SECTION 2

THE DATA PROTECTION OFFICER

Article 3

Appointment and status of the Data Protection Officer

1.   The Deputy Secretary-General of the Council appoints the DPO and registers him with the European Data Protection Supervisor (hereafter referred to as EDPS). The DPO is directly attached to the Deputy Secretary-General of the Council.

2.   The term of office of the DPO shall be three years and is renewable twice.

3.   With respect to the performance of his/her duties, the DPO shall act in an independent manner and in cooperation with the EDPS. In particular, the DPO may not receive any instructions from the Appointing Authority of the GSC or from anyone else regarding the internal application of the provisions of the Regulation or his/her cooperation with the EDPS.

4.   The evaluation of the performance of the DPO's tasks and duties shall take place after prior consultation of the EDPS. The DPO may be dismissed from his/her post only with the consent of the EDPS, if he/she no longer fulfils the conditions required for the performance of his/her duties.

5.   Without prejudice to the procedure foreseen for his/her appointment, the DPO shall be informed of all contacts with external parties relating to the application of the Regulation, notably with regard to interaction with the EDPS.

6.   Without prejudice to the relevant provisions of the Regulation, the DPO and his/her staff shall be subject to the rules and regulations applicable to officials and other servants of the European Communities.

Article 4

Tasks

The DPO shall:

(a) ensure that controllers and data subjects are informed of their rights and obligations pursuant to the Regulation. In the discharge of this task, he/she shall in particular establish information and notification forms, consult interested parties and raise the general awareness of data protection issues;

(b) respond to requests from the EDPS and, within the sphere of his/her competence, cooperate with the EDPS at the latter's request or on his/her own initiative;

(c) ensure in an independent manner the internal application of the provisions of the Regulation in the GSC;

(d) keep a Register of the processing operations carried out by the controllers and grant access to it to any person directly or indirectly through the EDPS;

(e) notify the EDPS of the processing operations likely to present specific risks referred to in Article 27(2) of the Regulation;

(f) thus, ensure that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations.

Article 5

Duties

1.   In addition to the general tasks to be fulfilled, the DPO shall:

(a) act as an advisor to the Appointing Authority of the GSC and to controllers on matters concerning the application of data protection provisions. The DPO may be consulted by the Appointing Authority, the controllers concerned, the Staff Committee and by any individual, without going through the official channels, on any matter concerning the interpretation or application of the Regulation;

(b) on his/her own initiative or on the initiative of the Appointing Authority, the controllers, the Staff Committee or any individual, investigate matters and occurrences directly relating to his or her tasks and which come to his/her notice, and report back to the Appointing Authority or the person who commissioned the investigation. If deemed appropriate, all other parties concerned should be informed accordingly. If the complainant is an individual, or in case the complainant acts on behalf of an individual, the DPO must, to the extent possible, ensure confidentiality of the request, unless the Data Subject concerned gives his/her unambiguous consent to treat the request otherwise;

(c) cooperate in the discharge of his/her functions with the Data Protection Officers of other Community institutions and bodies, in particular by exchanging experience and best practices;

(d) represent the GSC in all data protection related issues; without prejudice to Decision 2004/338/EC, Euratom, this may include the DPO's participation in relevant committees or fora at international level;

(e) submit an annual report on his/her activities to the Deputy Secretary-General of the Council and make it available to staff.

2.   Without prejudice to Articles 4(b), 5(1)(b), (c) and 15, the DPO and his or her staff shall not divulge information or documents which they obtain in the course of their duties.

Article 6

Powers

In performing his or her tasks and duties the DPO:

(a) shall have access at all times to the data forming the subject-matter of processing operations and to all offices, data-processing installations and data carriers;

(b) may request legal opinions from the Council Legal Service;

(c) may call on Information Technologies external experts’ services upon prior agreement of the authorising officer in compliance with Council Regulation (EC, Euratom) No 1605/2002 of 25 June 2002 on the Financial Regulation applicable to the general budget of the European Communities (7) and its implementing Rules;

(d) may without prejudice to the EDPS's duties and powers, propose to the GSC administrative measures and issue general recommendations on the appropriate application of the Regulation;

(e) may make, in specific cases, any other recommendation for the practical improvement of data protection to the GSC and/or to all other parties concerned;

(f) may bring to the attention of the Appointing Authority of the GSC any failure of a staff member to comply with the obligations under the Regulation and suggest an administrative investigation being launched in view of the possible application of Article 49 of the Regulation.

Article 7

Resources

The DPO shall be provided with adequate staff and resources necessary to carry out his or her duties.

SECTION 3

RIGHTS AND OBLIGATIONS OF ACTORS IN THE FIELD OF DATA PROTECTION

Article 8

Appointing Authority

1.   In case of a complaint within the meaning of Article 90 of the Staff Regulations relating to a violation of the Regulation, the Appointing Authority shall consult the DPO, who should deliver his/her opinion in writing no later than 15 days after receipt of the request. If, after the end of this period, the DPO has not provided his/her opinion to the Appointing Authority, it is no longer required. The Appointing Authority shall not be bound by the DPO's opinion.

2.   The DPO shall be informed whenever an issue is under consideration which has, or might have, data protection implications.

Article 9

Controllers

1.   The controllers are responsible for ensuring that all processing operations under their control comply with the Regulation.

2.   In particular, the controllers shall:

(a) give prior notice to the DPO of any processing operation or set of such operations intended to serve a single purpose or several related purposes, as well as of any substantial change of an existing processing operation. For processing operations carried out prior to the entry into force of the Regulation on 1 February 2001, the controller shall notify it without delay;

(b) assist the DPO and the EDPS in performing their respective duties, in particular by giving information in reply to their requests within 30 days, at the latest;

(c) implement appropriate technical and organisational measures and give adequate instructions to GSC staff to ensure both the confidentiality of the processing and a level of security appropriate to the risks represented by the processing;

(d) where appropriate, consult the DPO on the conformity of processing operations with the Regulation, and in particular when they have reason to believe that certain processing operations are incompatible with Articles 4 to 10 of the Regulation. They may also consult the DPO and/or the Information Technologies security experts in Directorate-General A, the Security Office and Security of Information (Infosec) Office on issues relating to the confidentiality of the processing operations and on the security measures taken pursuant to Article 22 of the Regulation.

Article 10

Contact persons

1.   Without prejudice to the responsibilities of the DPO, the contact person shall:

(a) assist his/her Directorate-General or Unit in keeping an inventory of all existing processing of personal data;

(b) assist his/her Directorate-General or Unit in identifying the respective controllers;

(c) have the right to obtain from the controllers and from staff adequate and necessary information required for the accomplishment of his/her administrative tasks within his/her Directorate-General or Unit. This shall not include the right of access to personal data processed under the responsibility of the controller.

2.   Without prejudice to the responsibilities of the controllers, the contact persons shall:

(a) assist the controllers in complying with their obligations;

(b) where appropriate, facilitate communication between the DPO and the controllers.

Article 11

GSC staff

1.   In particular, all GSC staff shall contribute to the application of the confidentiality and security rules for the processing of personal data as provided for in Articles 21 and 22 of the Regulation. No member of the GSC staff with access to personal data shall process them other than on instructions from the controller, unless required to do so by national or Community law.

2.   Any member of GSC staff may lodge a complaint with the EDPS regarding an alleged breach of the provisions of the Regulation governing the processing of personal data, without acting through official channels, as specified by the Rules set by the EDPS.

Article 12

Data subjects

1.   Further to the data subjects’ right to be appropriately informed about any processing of personal data relating to themselves, in accordance with Articles 11 and 12 of the Regulation, the data subjects may approach the controller concerned to exercise their rights according to Articles 13 to 19 of the Regulation, as specified in Section 5 of this Decision.

2.   Without prejudice to any judicial remedy, every data subject may lodge a complaint with the EDPS if he/she considers that his/her rights under the Regulation have been infringed as a result of the processing of his/her personal data by the Council, as specified by the Rules set by the EDPS.

3.   No one shall suffer prejudice on account of a complaint lodged with the EDPS or of a matter brought to the attention of the DPO alleging a breach of the provisions of the Regulation.

SECTION 4

REGISTER OF NOTIFIED PROCESSING OPERATIONS

Article 13

Notification procedure

1.   The Controller shall notify to the DPO any processing operation of personal data on the basis of a notification form made accessible on the GSC's Intranet site (Data Protection). The notification shall be transmitted to the DPO electronically. A confirmatory notification shall be sent to the DPO by note within 10 working days. Upon receipt of the confirmatory notification, the DPO shall publish it in the Register.

2.   The notification shall include all information specified in Article 25(2) of the Regulation. Any change affecting this information shall be notified promptly to the DPO.

3.   Further rules and procedures regarding the notification procedure to be followed by the controllers shall form part of the general recommendations issued by the DPO.

Article 14

The content and the purpose of the Register

1.   The DPO shall keep a Register of processing operations performed upon personal data, which shall be set up on the basis of the notifications received from the controllers.

2.   The Register shall contain at least the information referred to in Article 25(2)(a) to (g) of the Regulation. However, the information entered in the Register by the DPO may exceptionally be limited when it is necessary to safeguard the security of a specific processing operation.

3.   The Register shall serve as an index of the personal data processing operations conducted at the Council. It shall provide information to data subjects and facilitate the exercise of their rights set out in Articles 13 to 19 of the Regulation.

Article 15

Access to the Register

1.   Appropriate measures shall be taken by the DPO to ensure that any person has access to the Register, either directly or indirectly through the EDPS. In particular, the DPO shall provide information and assistance to interested persons on how and where applications for access to the Register can be made.

2.   Except where on-line access is granted, applications for access to the Register are made in any written form, including electronically, in one of the languages referred to in Article 314 of the Treaty and in a sufficiently precise manner to enable the DPO to identify the concerned processing operations. An acknowledgement of receipt shall be sent to the applicant without delay.

3.   If an application is not sufficiently precise, the DPO shall ask the applicant to clarify the application and shall assist the applicant in doing so. In the event of an application relating to a very large number of processing operations, the DPO may confer with the applicant informally, with a view to finding a fair solution.

4.   Any person may request from the DPO a copy of the information which is available in the Register on any notified processing operation.

SECTION 5

PROCEDURE FOR DATA SUBJECTS TO EXERCISE THEIR RIGHTS

Article 16

General provisions

1.   The data subjects’ rights specified in this Section can only be exercised by the individuals concerned or, in exceptional cases, on behalf of the individuals with proper authorisation. Requests shall be addressed in writing to the controller concerned with a copy to the DPO. If necessary, the DPO shall assist the data subject in identifying the controller concerned. The DPO shall make specific forms available. Controllers shall grant the request only if the form has been filled in completely and the complainant's identity has been verified properly. The exercise by data subjects of their rights shall be free of charge.

2.   The controller shall send to the applicant an acknowledgement of receipt within five working days from the registration of the application. Unless otherwise provided, the controller shall reply to the request at the latest within fifteen working days from the registration of the request and shall either give satisfaction or state in writing the reasons for the total or partial refusal, in particular in cases where the applicant is not considered as data subject.

3.   In case of irregularities or obvious misuse by the data subject in exercising his/her rights and where the processing is alleged to be unlawful by the data subject, the controller must consult the DPO on the request and/or refer the data subject to the DPO, who will decide on the eligibility of the request and the appropriate follow-up to be given.

4.   Any person concerned may consult the DPO with regard to the exercise of his/her rights in a specific case. Without prejudice to any judicial remedy, every data subject may lodge a complaint with the EDPS, if he/she considers that his/her rights under the Regulation have been infringed as a result of the processing of his/her personal data.

Article 17

Right of access

The data subject shall have the right to obtain from the controller, without constraint, at any time within three months from the receipt of the request, the information referred to in points (a) to (d) of Article 13 of the Regulation, either by consulting these data on the spot, or by receiving a copy, including, where appropriate, a copy in an electronic form, according to the applicant's preference.

Article 18

Right of rectification

Each data subject’s request for the rectification of inaccurate or incomplete personal data shall specify the data concerned as well as the rectification to be made. It shall be dealt with by the controller without delay.

Article 19

Right of blocking

The controller shall treat any request for the blocking of data under Article 15 of the Regulation without delay. The request shall specify the data concerned as well as the reasons for blocking them. The controller shall inform the data subject who made the request before the data are unblocked.

Article 20

Right of erasure

The data subject may request the controller to erase data without delay in case of unlawful processing, particularly where the provisions of Articles 4 to 10 of the Regulation have been infringed. The request shall specify the data concerned and shall provide the reasons or evidence of the unlawfulness of the processing. In automated filing systems, erasure shall in principle be ensured by all appropriate technical means, excluding the possibility of any further processing of the erased data. If erasure is not possible for technical reasons, the controller, after consultation of the DPO and of the interested person, shall proceed to the immediate blocking of such data.

Article 21

Notification to third parties

In case of any rectification, blocking or erasure following a request made by the data subject, he/she may obtain from the controller the notification to third parties to whom his/her personal data have been disclosed, unless this proves impossible or involves a disproportionate effort.

Article 22

Right to object

The data subject may object to the processing of data relating to him/her and to the disclosure or use of his/her personal data, in conformity with Article 18 of the Regulation. The request shall specify the data concerned and shall provide the reasons justifying the request. Where the objection is justified, the processing in question shall no longer involve those data.

Article 23

Automated individual decisions

The data subject is entitled not to be the subject of automated individual decisions as intended by Article 19 of the Regulation, unless the decision is explicitly authorised pursuant to national or Community legislation, or by an EDPS decision safeguarding the data subject's legitimate interests. In either case, the data subject shall have the opportunity to make known his or her point of view in advance and to consult the DPO.

Article 24

Exceptions and restrictions

1.   To the extent that legitimate reasons as specified in Article 20 of the Regulation clearly justify it, the controller may restrict the rights referred to in Articles 17 to 21 of this Decision. Except in case of absolute necessity, the controller shall first consult the DPO, whose opinion shall not bind the Institution. The controller shall reply to requests relating to the application of exceptions or restrictions to the exercise of rights without delay and shall substantiate this decision.

2.   Any person concerned may request the EDPS to apply Article 47(1)(c) of the Regulation.

SECTION 6

INVESTIGATION PROCEDURE

Article 25

Practical modalities

1.   Requests for an investigation shall be addressed to the DPO in writing by using a specific form made available by him/her. In the case of obvious misuse of the right to request an investigation, for example where the same individual has made an identical request only recently, the DPO is not obliged to report back to the requester.

2.   Within 15 days upon receipt, the DPO shall send acknowledgement of receipt to the Appointing Authority or the person who commissioned the investigation and verify whether the request is to be treated as confidential.

3.   The DPO shall request from the controller who is responsible for the data processing operation in question a written statement on the issue. The controller shall provide his/her response to the DPO within 15 days. The DPO may wish to receive complementary information from other parties, such as the Security Office and Security of Information (Infosec) Office of the GSC. If appropriate, he/she may request an opinion on the issue from the Council Legal Service. The DPO shall be provided with the information or opinion within 30 days.

4.   The DPO shall report back to the Appointing Authority or the person who made the request no later than three months following its receipt.

SECTION 7

FINAL PROVISIONS

Article 26

Effect

This Decision shall take effect on the day following that of its publication in the Official Journal of the European Union.

Done at Brussels, 13 September 2004.

For the Council

The President

B. R. BOT


(1)  OJ L 8, 12.1.2001, p. 1.

(2)  Regulation (EC) 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Community documents (OJ L 145, 31.5.2001, p. 43).

(3)  Council Decision 2004/338/EC, Euratom of 22 March 2004 adopting the Council's Rules of Procedure (OJ L 106, 15.4.2004, p. 22).

(4)  Council Decision 2001/264/EC of 19 March 2001 adopting the Council's security regulations (OJ L 101, 11.4.2001, p. 1). Decision as amended by Decision 2004/194/EC (OJ L 63, 28.2.2004, p. 48).

(5)  Decision of the Secretary-General of the Council/High Representative for Common Foreign and Security Policy of 25 June 2001 on a code of good administrative behaviour for the General Secretariat of the Council of the European Union and its staff in their professional relations with the public (OJ C 189, 5.7.2001, p. 1).

(6)  OJ L 56, 4.3.1968, p. 1. Regulation as last amended by Regulation (EC, Euratom) No 723/2004 (OJ L 124, 27.4.2004, p. 1).

(7)  OJ L 248, 16.9.2002, p. 1.