Article 286 of the Treaty requires that Community acts on the protection of individuals with regard to the processing of personal data and the free movement of data shall apply to the institutions and bodies set up by, or on the basis of, this Treaty.
Regulation 45/2001 on the protection of individuals' data by the Community institutions and bodies was adopted in order to comply with the Treaty, to provide individuals with legally enforceable rights, to specify the data processing obligations of the Data Controllers and to create an independent supervisory authority.
The main purpose of Regulation 45/2001 is to protect individuals' rights when Community institutions or bodies process their personal data.
Some definitions relating to the protection of personal data and related subjects as well as information on the implementation of personal data protection at the Court are to be found below:
The data protection principles
Anyone processing personal data should be aware of the basic principles, according to which it must be:
Fairly and lawfully processed;
Processed for limited and explicit purposes;
Adequate, relevant and not excessive;
Not kept longer than necessary;
Processed in accordance with the Data Subject's rights;
Not transferred to third parties without adequate precautions.
What is personal data?
Personal data means any information relating to an identified or identifiable natural person ("Data Subject").
An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
The processing of special categories of data, defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and of data concerning health or sex life, is prohibited, subject to certain exceptions (see Article 10 of Regulation 45/2001).
The Data Controller and the Data Subject
a. The Data Controller means the Community institution or body, the Directorate-General, the unit or any other organisational entity which alone or jointly with others determines the purposes and means of the processing of personal data.
b. For the Court, the Secretary General, the Directors and the Heads of Division are the Data Controllers.
c. For each processing operation, a Data Controller must be identified and prior notice must be given to the Data Protection Officer of the institution.
d. The Data Subject is the person whose personal data are collected, held or processed by the Data Controller.
If the Data Controller does not execute the processing of personal data himself, this processing operation is carried out by a Processor on behalf of the Data Controller. He has to provide sufficient guarantees in respect of the technical and organisational security measures required and to ensure compliance with those measures. The Processor can be a natural or legal person, public authority, agency or any other body, acting on instruction, and only on instruction, from the Data Controller. Data Controller and Processor need to be bound by a contract or legal act for the carrying out of the processing operations of personal data.
The Contact person (Delegated Controller)
The Contact person (Delegated Controller) is "appointed" by the Data Controller and acts on the Data Controller's instructions. Its task is to prepare the notifications to be sent to the DPO by the responsible Data Controller (after validation) and to liaise with the DPO where there is a need.
The Data Protection Officer
Each institution has one or more DPOs to ensure in an independent way the application of the principles of personal data protection in the institution. Each DPO keeps a register of all personal data processing operations in his/her institution. He/she also provides advice and makes recommendations on rights and obligations. He/she notifies risky processing of personal data to the EDPS (see below) and responds to requests from the EDPS. He/she may investigate matters and incidents on request or on his/her own initiative.
What is a Notification and who is responsible for it?
A Notification is a prior notice by the Data Controller to the DPO of any processing operation (manual or electronic) in which personal data is involved. It is only needed if personal data is processed.
What is the Register of the DPO?
The Register is a database containing all Notifications on the processing of personal data sent to the DPO by Data Controllers. Article 26 of Regulation 45/2001 requires the DPO to keep a Register on processing operations of personal data and requires that this Register may be inspected by any person.
What is a Filing System?
Regulation 45/2001 applies in all cases where personal data which form part of a filing system or are intended to form part of a filing system are processed. Filing system shall mean any structured set of personal data accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
It does not matter where the system is located. It can be located at the Court's level, but also at institutional, national, regional, local or even at "private" level (within an audited firm).
What is processing?
Processing is any operation or set of operations performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, consultation, use, etc.
What is lawful processing?
Article 5 of the Regulation states that the processing of personal data must be either necessary or consensual. Personal data may be processed only if:
a. processing is necessary for the performance of a task carried out in the public interest on the basis of Community legislation or in the legitimate exercise of Community official authority, or
b. processing is necessary for compliance with a legal obligation to which the Data Controller is subject, or
c. processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract, or
d. the Data Subject has unambiguously given his or her consent (meaning any freely given specific and informed indication of the Data Subject's wishes signifying agreement to personal data relating to him or her being processed) or
e. processing is necessary in order to protect the vital interests of the Data Subject.
The Data Controller is responsible for ensuring that personal data is processed fairly and lawfully.
Whenever the Court's services process personal data contained in a filing system (manual or electronic), wherever this system is located, whatever kind of personal data are contained therein and for whatever purpose the processing is made, this is to be considered as a processing of personal data within the meaning of Regulation 45/2001. Regulation 45/2001 also applies in cases where personal data, which are intended to form part of a filing system, are processed by the Court's services.
The processing has to be notified to the DPO using the notification system installed at the Court.
Rights of the Data Subject
The Data Controller must give the Data Subject the following information about data being processed:
1. confirmation as to whether or not data related to him or her are being processed;
2. information about the purposes of the processing operation, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed;
3. communication of the data undergoing processing and of any available information as to their source;
4. knowledge of the logic involved in any automated decision process concerning him or her.
The Data Subject has the right to access his data and to require the Data Controller to rectify without delay any inaccurate or incomplete personal data.
The Data Subject has the right to require the Data Controller to erase data if the processing is unlawful.
European Data Protection Supervisor (EDPS)
The EDPS is an independent supervisory authority established in accordance with Regulation 45/2001. With respect to the processing of personal data, the EDPS is responsible for ensuring that the fundamental rights and freedoms of natural persons, and in particular their right to privacy, are respected by the Community institutions and bodies. The EDPS is also responsible for advising Community institutions and bodies and Data Subjects on all matters concerning the processing of personal data.
Data Controllers are obliged to co-operate with the EDPS, in particular by granting access to information.