Proposal for a regulation
Article 67 a (new)
Article 67 a
Amendments to the Regulation on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (EU) 2017/XXX

A new chapter XXX is added:

PROCESSING OF OPERATIONAL PERSONAL DATA

Article XXX
By way of derogation from Articles 4, 6, 7, 8, 10, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 35, 41, 43, 49, 50 and 51, the provisions of this Chapter shall apply to processing of operational data by Union agencies established on the basis of Chapters 4 and 5 of Title V of Part Three of the TFEU.

Article XXX
Principles relating to processing of personal data
Personal data shall be:
(a) processed lawfully and fairly ('lawfulness and fairness');
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes provided that the Union agencies and missions provide appropriate safeguards for the rights and freedoms of data subjects ('purpose limitation');
(c) adequate, relevant, and not excessive in relation to the purposes for which they are processed ('data minimisation');
(d) accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes provided that the agencies or missions provide appropriate safeguards for the rights and freedoms of data subjects, in particular by the implementation of the appropriate technical and organisational measures required by this Regulation ('storage limitation');
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

Article XXX
Lawfulness of processing
1. Processing shall be lawful only if and to the extent that processing is necessary for the performance of a task carried out by Union agencies and missions and that it is based on Union law.
2. Union law specifying and complementing this Regulation as regards the processing within the scope of this Chapter shall specify the objectives of processing, the personal data to be processed and the purposes of the processing.

Article XXX
Distinction between different categories of data subjects
Union agencies shall make a clear distinction between personal data of different categories of data subjects, such as:
(a) persons with regard to whom there are serious grounds for believing that they have committed or are about to commit a criminal offence;
(b) persons convicted of a criminal offence;
(c) victims of a criminal offence or persons with regard to whom certain facts give rise to reasons for believing that they could be the victim of a criminal offence; and
(d) other parties to a criminal offence, such as persons who might be called on to testify in investigations in connection with criminal offences or subsequent criminal proceedings, persons who can provide information on criminal offences, or contacts or associates of one of the persons referred to in points (a) and (b).

Article XXX
Distinction between personal data and verification of quality of personal data
1. Union agencies and missions shall distinguish personal data based on facts from personal data based on personal assessments.
2. Union agencies and missions shall process personal data in such a way that it can be established which authority provided the data or where the data has been retrieved from.
3. Union agencies and missions shall ensure that personal data which are inaccurate, incomplete or no longer up to date are not transmitted or made available. To that end, Union agencies and missions shall verify the quality of personal data before they are transmitted or made available. As far as possible, in all transmissions of personal data, Union agencies and missions shall add necessary information enabling the recipient to assess the degree of accuracy, completeness and reliability of personal data, and the extent to which they are up to date.
4. If it emerges that incorrect personal data have been transmitted or personal data have been unlawfully transmitted, the recipient shall be notified without delay. In such a case, the personal data shall be rectified or erased or processing shall be restricted.

Article XXX
Specific processing conditions
1. When Union agencies and missions provide for specific conditions for processing, they shall inform the recipient of such personal data of those conditions and the requirement to comply with them.
2. Union agencies and missions shall comply with specific processing conditions for processing provided by a national authority in accordance with Article 9 (3) and (4) of Directive (EU) 2016/680.

Article XXX
Transmission of personal data to other Union institutions and bodies
1. Union agencies and missions shall only transmit personal data to other Union institutions and bodies if the data are necessary for the legitimate performance of tasks covered by the competence of other Union institutions and bodies.
2. Where personal data are transmitted following a request from the other Union institution or body, both the controller and the recipient shall bear the responsibility for the legitimacy of this transfer.
3. Union agencies and missions shall be required to verify the competence of the other Union institution or body and to make a provisional evaluation of the necessity for the transmission. If doubts arise as to this necessity, Union agencies and missions shall seek further information from the recipient.
4. Other Union institutions and bodies shall ensure that the necessity for the transmission can be subsequently verified.
5. Other Union institutions and bodies shall process the personal data only for the purposes for which they were transmitted.

Article XXX
Processing of special categories of personal data
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, personal data concerning health or personal data concerning a natural person's sex life or sexual orientation shall be allowed only where strictly necessary for the performance of tasks of Union agencies and missions, subject to appropriate safeguards for the rights and freedoms of the data subject and only if they supplement other operational personal data already processed by Union agencies and missions.
2. The data protection officer shall be informed immediately of recourse to this Article.

Article XXX
Automated individual decision-making, including profiling
The data subject shall have the right not to be subject to a decision of Union agencies and missions based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her.

Article XXX
Information to be made available or given to the data subject
1. Union agencies and missions shall make available to the data subject at least the following information:
(a) the identity and the contact details of the Union agency or mission;
(b) the contact details of the data protection officer;
(c) the purposes of the processing for which the personal data are intended;
(d) the right to lodge a complaint with the European Data Protection Supervisor and its contact details;
(e) the existence of the right to request from Union agencies and missions access to and rectification or erasure of personal data and restriction of processing of the personal data concerning the data subject.
2. In addition to the information referred to in paragraph 1, Union agencies and missions shall give to the data subject, in specific cases, the following further information to enable the exercise of his or her rights:
(a) the legal basis for the processing;
(b) the period for which the personal data will be stored, or, where that is not possible, the criteria used to determine that period;
(c) the categories of recipients of the personal data, including in third countries or international organisations;
(d) where necessary, further information, in particular where the personal data are collected without the knowledge of the data subject.
3. Union agencies and missions may delay, restrict or omit the provision of the information to the data subject pursuant to paragraph 2 to the extent that, and for as long as, such a measure is provided for by a legal act adopted on the basis of the Treaties and constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and the legitimate interests of the natural person concerned, in order to:
(a) avoid obstructing official or legal inquiries, investigations or procedures;
(b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
(c) protect public security of the Member States;
(d) protect national security of the Member States;
(e) protect the rights and freedoms of others.

Article XXX
Right of access by the data subject
The data subject shall have the right to obtain from Union agencies and missions confirmation as to whether or not personal data concerning that subject are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of and legal basis for the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data have been disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from Union agencies and missions rectification or erasure of personal data or restriction of processing of personal data concerning the data subject;
(f) the right to lodge a complaint with the European Data Protection Supervisor and his or her contact details;
(g) communication of the personal data undergoing processing and of any available information as to their origin.

Article XXX
Limitations to the right of access
1. Union agencies and missions may restrict, wholly or partly, the data subject's right of access to the extent that, and for as long as, such a partial or complete restriction is provided for by a legal act adopted on the basis of the Treaties and constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the natural person concerned, in order to:
(a) avoid obstructing official or legal inquiries, investigations or procedures;
(b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
(c) protect public security of the Member States;
(d) protect national security of the Member States;
(e) protect the rights and freedoms of others.
2. In the cases referred to in paragraph 1, Union agencies and missions shall inform the data subject, without undue delay, in writing of any refusal or restriction of access and of the reasons for the refusal or the restriction. Such information may be omitted where the provision thereof would undermine a purpose under paragraph 1. Union agencies and missions shall inform the data subject of the possibility of lodging a complaint with the European Data Protection Supervisor or seeking a judicial remedy in the Court of Justice of the European Union.
3. Union agencies and missions shall document the factual or legal reasons on which the decision is based. That information shall be made available to the European Data Protection Supervisor on request.

Article XXX
Right to rectification or erasure of personal data and restriction of processing
1. The data subject shall have the right to obtain from Union agencies and missions without undue delay the rectification of inaccurate personal data relating to that subject. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
2. Union agencies and missions shall erase personal data without undue delay and the data subject shall have the right to obtain from Union agencies and missions the erasure of personal data concerning that subject without undue delay where processing infringes Articles 52b, 52c or 52h, or where personal data must be erased in order to comply with a legal obligation to which Union agencies and missions are subject.
3. Instead of erasure, Union agencies and missions shall restrict processing where:
(a) the accuracy of the personal data is contested by the data subject and their accuracy or inaccuracy cannot be ascertained; or
(b) the personal data must be maintained for the purposes of evidence.
Where processing is restricted pursuant to point (a) of the first subparagraph, Union agencies and missions shall inform the data subject before lifting the restriction of processing. Restricted data shall be processed only for the purpose that prevented their erasure.
4. Union agencies and missions shall inform the data subject in writing of any refusal of rectification or erasure of personal data or restriction of processing and of the reasons for the refusal. Union agencies and missions may restrict, wholly or partly, the obligation to provide such information to the extent that such a restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the natural person concerned in order to:
(a) avoid obstructing official or legal inquiries, investigations or procedures;
(b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
(c) protect public security of the Member States;
(d) protect national security of the Member States;
(e) protect the rights and freedoms of others.
5. Union agencies and missions shall inform the data subject of the possibility of lodging a complaint with the European Data Protection Supervisor or seeking a judicial remedy from the Court of Justice of the European Union.
6. Union agencies and missions shall communicate the rectification of inaccurate personal data to the competent authority from which the inaccurate personal data originate.
7. Union agencies and missions shall, where personal data has been rectified or erased or processing has been restricted pursuant to paragraphs 1, 2 and 3, notify the recipients and inform them that they have to rectify or erase the personal data or restrict processing of the personal data under their responsibility.

Article XXX
Exercise of rights by the data subject and verification by the European Data Protection Supervisor
1. In the cases referred to in Articles 52i(3), 52k and 52m(4), the rights of the data subject may also be exercised through the European Data Protection Supervisor.
2. Union agencies and missions shall inform the data subject of the possibility of exercising his or her rights through the European Data Protection Supervisor pursuant to paragraph 1.
3. Where the right referred to in paragraph 1 is exercised, the European Data Protection Supervisor shall at least inform the data subject that all necessary verifications or a review by it have taken place. The European Data Protection Supervisor shall also inform the data subject of his or her right to seek a judicial remedy in the Court of Justice of the European Union.

Article XXX
Logging
1. Union agencies and missions shall keep logs for any of the following processing operations in automated processing systems: collection, alteration, consultation, disclosure including transfers, combination and erasure. The logs of consultation and disclosure shall make it possible to establish the justification for, and the date and time of, such operations, the identification of the person who consulted or disclosed personal data, and, as far as possible, the identity of the recipients of such personal data.
2. The logs shall be used solely for verification of the lawfulness of processing, self-monitoring, ensuring the integrity and security of the personal data, and for criminal proceedings. Such logs shall be deleted after three years, unless they are required for on-going control.
3. Union agencies or missions shall make the logs available to their data protection officer and to the European Data Protection Supervisor on request.

Article XXX
Transfers subject to appropriate safeguards
1. In the absence of an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 or Article 36 of Directive (EU) 2016/680, Union agencies and missions may transfer personal data to a third country or an international organisation where:
(a) appropriate safeguards with regard to the protection of personal data are provided for in a legally binding instrument; or
(b) Union agencies and missions have assessed all the circumstances surrounding the transfer of personal data and conclude that appropriate safeguards exist with regard to the protection of personal data.
2. Union agencies and missions shall seek authorisation from the European Data Protection Supervisor when transferring personal data under point (b) of paragraph 1.
3. When a transfer is based on point (b) of paragraph 1, such a transfer shall be documented and the documentation shall be made available to the European Data Protection Supervisor on request, including the date and time of the transfer, information about the receiving competent authority, the justification for the transfer and the personal data transferred.

Article XXX
Derogations for specific situations
1. In the absence of an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 or Article 36 of Directive (EU) 2016/680, or of appropriate safeguards pursuant to Article 52p, Union agencies and missions may, on a case-by-case basis, transfer personal data to a third country or an international organisation only on the condition that the transfer is proportionate and necessary:
(a) in order to protect the vital interests of the data subject or another person;
(b) to safeguard legitimate interests of the data subject;
(c) for the prevention of an immediate and serious threat to public security of a Member State or a third country; or
(d) in individual cases for the performance of the tasks of Union agencies and missions, unless they determine that fundamental rights and freedoms of the data subject concerned override the public interest in the transfer.
2. Union agencies shall seek authorisation from the European Data Protection Supervisor when transferring personal data under point (b) of paragraph 1.
3. Where a transfer is based on paragraph 1, such a transfer shall be documented and the documentation shall be made available to the European Data Protection Supervisor on request, including the date and time of the transfer, and information about the receiving competent authority, about the justification for the transfer and about the personal data transferred.