This version of this Decision was derived from EUR-Lex on IP completion day (31 December 2020 11:00 p.m.). It has not been amended by the UK since then.

Commission Decision (EU) 2020/969

of 3 July 2020

laying down implementing rules concerning the Data Protection Officer, restrictions of data subjects’ rights and the application of Regulation (EU) 2018/1725 of the European Parliament and of the Council, and repealing Commission Decision 2008/597/EC

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 249(1) thereof,

Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC(1), and in particular Article 45(3) thereof,

Whereas:

(1) In order to ensure the proper functioning of the office of the Commission’s data protection officer (‘DPO’), it is necessary to determine in detail the tasks, duties and powers of the DPO.

(2) Regulation (EU) 2018/1725 assigns clear responsibilities to data controllers, in particular vis-à-vis the data subjects. With a view to ensuring that the Commission, as a controller, operates in a uniform and transparent manner with regard to its responsibilities, rules should be set out on how to identify who in the Commission service or services is responsible for a processing operation which is carried out on behalf of the Commission. In this respect, it is appropriate to introduce the notion of delegated controller in order to indicate precisely the responsibilities of the entities of the Commission, in particular as regards individual decisions concerning data subjects’ rights. In addition, it is appropriate to introduce the notion of operational controller who, under the responsibility of the delegated controller, is designated to ensure compliance in practice, and to process requests from data subjects with regard to a processing operation. The appointment of an operational controller does not prevent the use in practice of a contact point, for example in the form of a functional mailbox to be made available for data subjects’ requests.

(3) In certain cases, several Commission services may jointly carry out a processing operation in order to fulfil their mission. In such cases, they should ensure that internal arrangements are in place in order to determine in a transparent manner their respective responsibilities under Regulation (EU) 2018/1725, in particular responsibilities vis-à-vis the data subjects, notification to the European Data Protection Supervisor (‘EDPS’) and record keeping.

(4) In order to facilitate the exercise of the responsibilities of the delegated controllers, each Commission service should appoint a Data Protection Coordinator (‘DPC’). The DPC should participate in the network of data protection coordinators in the Commission in order to ensure coherent implementation and interpretation of Regulation (EU) 2018/1725 in the Commission, and to discuss subjects of common interest.

(5) With a view to the task of the DPO to assign responsibilities pursuant to Article 45(1)(b) of Regulation (EU) 2018/1725, the DPO should issue additional guidance on the function of the DPC.

(6) The Commission processes several categories of personal data for the purpose of the monitoring, investigative, auditing and consultative activities of the DPO. In particular, the Commission processes identification data, contact data, professional data and case involvement data. Those data are retained for five years after the activities are closed in accordance with the Common Commission-Level Retention List(2).

(7) In certain circumstances, it is necessary to reconcile the rights of data subjects pursuant to Regulation (EU) 2018/1725 with the need for the Commission to perform the monitoring, investigative, auditing or consultative tasks of the DPO, and the need for confidentiality of exchanges of information with other Commission services, as well as with full respect for fundamental rights and freedoms of other data subjects. To that effect, Article 25(1) of Regulation (EU) 2018/1725 provides the Commission with the possibility to restrict the application of Articles 14 to 17, 19, 20 and 35, as well as the principle of transparency laid down in Article 4(1)(a), insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 17, 19 and 20 of that Regulation.

(8) In order to ensure the confidentiality and effectiveness of the monitoring, investigative, auditing or consultative tasks of the DPO while respecting the standards of protection of personal data under Regulation (EU) 2018/1725, it is necessary to adopt internal rules under which the DPO may restrict data subjects’ rights in line with Article 25 of Regulation (EU) 2018/1725.

(9) The internal rules should apply to all data processing operations carried out by the Commission in the performance of the monitoring, investigative, auditing or consultative tasks of the DPO. They should apply to processing operations carried out prior to the opening of an investigation or audit, during the course of an investigation or audit, and during the monitoring of the follow-up to their outcome. Those rules should also apply to processing operations which form part of the tasks linked to the investigative or auditing function of the DPO, such as complaint processes conducted by the DPO. The rules should also apply to the monitoring of the DPO and the consultations of the DPO, when the DPO provides assistance and cooperation to the Commission services outside of its administrative investigations and audits.

(10) In order to comply with Articles 14, 15 and 16 of Regulation (EU) 2018/1725, the Commission should inform all individuals of the monitoring, investigative, auditing or consultative tasks of the DPO that involve processing of their personal data and of their rights pursuant to Regulation (EU) 2018/1725. The Commission should inform those individuals in a transparent and coherent manner, in the form of the data protection notices published on Commission website, as well as inform each data subject concerned by a monitoring, investigative, auditing or consultative activity of the DPO.

(11) In certain circumstances, the Commission may have to restrict the provision of information to data subjects and the application of other rights of data subjects. It may do so in order to protect the monitoring, investigative, auditing or consultative tasks of the DPO, related investigations and proceedings of other Commission services, the tools and methods of DPO investigations and audits, as well as the rights of other persons related to the tasks of the DPO.

(12) In some cases, providing particular information to the data subjects or revealing the existence of a monitoring, investigative, auditing or consultative activity of the DPO could render impossible or seriously impair the purpose of the processing operation and the capability of the DPO to conduct such activity.

(13) Furthermore, the Commission should protect the identity of informants, who should not suffer negative repercussions as a consequence of their cooperation with the DPO.

(14) For those reasons, the Commission may need to apply the grounds for restrictions referred to in Article 25(1)(c), (g) and (h) of Regulation (EU) 2018/1725 to data processing operations carried out in the framework of the monitoring, investigative, auditing or consultative tasks of the DPO set out in Article 45 of that Regulation.

(15) In addition, in order to maintain effective cooperation, the Commission may need to apply restrictions to data subjects’ rights to protect information containing personal data originating from other Commission services, Union institutions or bodies. To that effect, the DPO should consult those services, institutions or bodies on the relevant grounds for and the necessity and proportionality of the restrictions.

(16) In the framework of the monitoring, investigative, auditing or consultative tasks of the DPO, the DPO exchanges information, including personal data, with other Commission services. Therefore, all Commission services processing personal data, which are processed by the DPO in the performance of his or her tasks, should apply the rules set out in this Decision with a view to protecting the processing operations carried out by the DPO. In such circumstances, the Commission services concerned should therefore consult the DPO on the relevant grounds for the restrictions and their necessity and proportionality in order to ensure their coherent application.

(17) The DPO – and, where relevant, other Commission services – should handle all restrictions in a transparent manner and register each application of restrictions in the corresponding record system.

(18) Pursuant to Article 25(8) of Regulation (EU) 2018/1725, the controllers may defer or refrain from providing information on the reasons for the application of a restriction to the data subject if this would in any way compromise the purpose of the restriction. In particular, where a restriction to the rights provided for in Articles 16 and 35 is applied, the notification of such a restriction would compromise the purpose of the restriction. In order to ensure that the data subject’s right to be informed in accordance with Articles 16 and 35 of Regulation (EU) 2018/1725 is restricted only as long as the reasons for the deferral last, the Commission should regularly review its position.

(19) Where a restriction of other data subjects’ rights is applied, the DPO should assess, on a case-by-case basis, whether the communication of the restriction would compromise its purpose.

(20) The DPO should carry out an independent review of the application of restrictions based on this Decision, by other Commission services, with a view to ensuring compliance with this Decision.

(21) Any restriction applied on the basis of this Decision should be necessary and proportionate taking into account the risks to the rights and freedoms of data subjects.

(22) The European Data Protection Supervisor was informed and consulted in accordance with Article 41(1) and (2) of Regulation (EU) 2018/1725 and delivered an opinion on 16 September 2019.

(23) Commission Decision 2008/597/EC(3) lays down implementing rules concerning the Data Protection Officer pursuant to Regulation (EC) No 45/2001 of the European Parliament and of the Council(4). Regulation (EU) 2018/1725 repealed Regulation (EC) No 45/2001 with effect from 11 December 2019. In order to ensure that only one set of implementing rules apply to the Data Protection Officer, Decision 2008/597/EC should also be repealed,

HAS ADOPTED THIS DECISION:

(2) SEC(2019)900/2.

(3) Commission Decision 2008/597/EC of 3 June 2008 adopting implementing rules concerning the Data Protection Officer pursuant to Article 24(8) of Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 193, 22.7.2008, p. 7).

(4) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).
