The EDPS: competences and processing of personal data in EU funds Expert hearing on data protection legislation Hielke Hijmans Head of Sector Policy and Consultation European Data Protection Supervisor
Overview Legal framework Supervision Consultation Cooperation
Legal Framework Article 16 TFEU Directive 95/46/EC + 2002/58/EC Right to Data Protection Establishment of an independent supervisory authority Directive 95/46/EC + 2002/58/EC Adoption of Regulation (EC) N° 45/2001 Entry into force January 2001 Data protection legal framework under revision
Supervision Task of EDPS is to monitor and ensure that the provisions of Regulation (EC) No 45/2001, as well as other Community acts on the protection of fundamental rights and freedoms, are complied with when EU institutions and bodies process personal data; Prior checks of processing operations in the EU Institutions: Biometric databases, Recruitments, medical files, exclusion databases etc Inspections and audits
Consultation Task of the EDPS to advise the EU institutions and bodies on all matters relating to the processing of personal data; this includes consultation on proposals for legislation and monitoring new developments that have an impact on the protection of personal data Opinions on data protection framework, Financial Regulation, European statistics. Evaluation of FP7 research projects
Cooperation Task of EDPS to cooperate with national supervisory authorities and supervisory bodies in the ‘third pillar’ of the EU with a view to improving consistency in the protection of personal data Observer in Expert Groups Article 29 Data Protection Working Party: Opinion No 4/2007 on the concept of personal data (2008)
Personal data in ESF Requirement: Justification of transfer: Commission Regulation 1828/2006: legal obligations on Member States to collect data on participants in ESF supported activities (gender, age, participant belongs to a minority or vulnerable group, etc) Justification of transfer: Transfer from EU institutions to authorities in Member States is covered by Regulation 45/2001 (Art 8). Not applicable here. Analogy cannot be used here General transfer of personal data within the EU is covered by Directive 95/46 Article 7) c): processing is necessary for compliance with a legal obligation to which the controller is subject
Sensitive Data (I) ESF legal framework foresees collection of sensitive data by Member States. Principle of Directive 95/46 = prohibition Art 8: Processing of personal data revealing racial or ethnic origin, religious or philosophical beliefs […], and the processing of data concerning health or sex life is prohibited
Sensitive data (II) Exceptions? Art 8 lists possible exceptions: Art 8, 2) explicit consent, data made public by data subject, required by employment law, vital interest of the data subject → not applicable here
Sensitive data (III) Other ground? Art 8) 4): Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions in addition to those laid down in paragraph 2 either by national law or by decision of the supervisory authority. → Would require further amendments of current national legislation
Micro data Defined by Eurostat as confidential data which contain information about individual statistical units. Eurostat: access to anonymised microdata available at Eurostat only for scientific purposes. EDPS adopted two consultative Opinions on Community statistics on health data and on European Statistics: Discrepancy of concepts: Statistical anonymity may still allow indirect identification of data subjects Microdata are the data which are more likely to contain personal data. Commission set up ESAC (European Statistical Advisory Committee) to discuss, among others, access to statistical data by researchers. EDPS is a member of ESAC
Other problems National implementations: Databases of data submitted to notifications, prior control by DPAs The list of sensitive data is implemented differently, depending on the Member States’ interpretation.