Data protection at Eurojust

Data protection at Eurojust:
a robust, effective and tailor-made regime
Diana ALONSO BLAS, LL.M.
Head of the DP Service/Data Protection Officer
Data Protection is crucial for Eurojust
• Eurojust needs to receive, store and further process
personal data to deal with the cases referred by
national authorities
• Eurojust deals with personal data on persons who are the
subject of a criminal investigation or prosecution, witnesses
and victims, plus persons who have been convicted, under the
revised Decision
• Data Protection is a factor that can strongly
influence the successful performance of the
organisation and the trust that other organisations
place in us.
The Data Protection Regime of Eurojust:
Robust, effective and tailor-made
Eurojust Decision contains detailed
provisions on data protection
(Articles 14-25)
Art.14: Processing of personal data
Art.15: Restrictions on the processing of
personal data
Art.16: CMS, index and temporary work files
Art.16a: Functioning of temporary work files
and index
Art.16b: Access to the CMS at national
level
Art.17: Data Protection Officer
Art.18: Authorised access to personal data
Art.19: Right of access to personal data
Art.20: Correction and deletion of personal
data
Art.21: Time limits for the storage of
personal data
Art.22: Data Security
Art.23: Joint Supervisory Body
Art.24: Liability for unauthorised or incorrect
processing of data
Art.25: Confidentiality
The new Eurojust Decision of 16 December
2008 reinforces the DP system, defining
provisions more precisely and introducing
some principles of the DP RoP in the text.
Other European instruments:
Eurojust
- Treaty of the EU (Article 6)
- ECHR (Article 8)
- CoE Convention 108
- Charter EU (Articles 7-8)
- Article 16 Treaty of Lisbon
Rules of Procedure on the processing and protection of
personal data (adopted unanimously by College of
Eurojust in October 2004 and by Council in February
2005)
Title I: Definitions
Title II: Scope of application and structure
Title III: Principles of general application to Eurojust
Title IV: Rules for case-related processing operations
Title V: Rules for non-case-related processing operations
Additional Rules of the Rules of
Procedure to non-case-related operations
(Decision of College of June 2006)
Main features of the Eurojust DP regime
•The Eurojust DP regime complies with all the same general principles
as other EU instruments, but:
- It is adapted to the specific nature of the activities of EJ (in line with
declaration 21 of TFEU);
- It is very detailed and precise, therefore offering great legal certainty
to data subjects;
- EJ rules contain additional safeguards for victims and witnesses, with
strict conditions and time limits for processing of such data;
- It has defined rules on possible access to the information;
- It has a system of data retention with regular review of compliance;
- It imposes obligations to keep the data updated, relevant and not excessive.
•All those rules have been technically implemented in CMS - a good
example of “privacy by design”.
•Legal certainty is key in this field. Specific rules offer more
protection!
Main features of Eurojust DP regime II
•Rights of the individuals – specificity of the activities (ongoing
investigations or prosecutions)
•Every request is dealt with on a case-by-case basis, taking into account
all interests at stake and making efforts to provide information
whenever possible.
•In a recent Court case, the General Court has praised the way EJ was
dealing with data subject requests (judgment of 25 November 2010 in
case T-277/10 AJ K v Eurojust):
The General Court of the European Union evaluated very positively the
fact that Eurojust had provided the individual information as to the
fact that no personal data on him had been processed. The Court
found that Eurojust not only duly met the requirements of Article
19(7) of the Eurojust Decision but even exceeded them, since it
provided a detailed answer to the applicant’s allegations revealing that
no personal data concerning him was processed by Eurojust.
•This is also an example of the fact that data subjects are not deprived
of their rights to have judicial review of the decisions taken by EJ.
System of supervision
•Internal control: DPO (Article 17 EJ Decision).
Independence.
- Tasks: ensuring compliance and lawfulness in an independent
manner
- Access to all data and all premises
- Issues annual survey on compliance for College and JSB
- Procedure in case of non-compliance
- Eurojust postholders can address enquiries, information requests,
claims and complaints to DPO. No one shall suffer prejudice!
The DP service is there to advise controllers on issues regarding
the processing of personal data
•External control: Joint Supervisory Body (Art. 23): Members are
judges or persons with an equal level of independence. JSB monitors
the correct application of the rules on DP and carries out frequent
inspections.
Need for specific and effective
supervision
•EJ has a robust DP system in place, tailor made to the
mandate and tasks of EJ and closely monitored by DPO and
JSB.
•The Lisbon treaty refers to independent DP authorities (plural).
•The supervision of processing operations carried out by judicial
authorities cooperating in ongoing judicial investigations or
prosecutions is often excluded at national level from the scope
of the DPAs and, at EU level, the EDPS is also not competent to
supervise the ECJ acting in its judicial capacity.
•The proposed Directive excludes as well these activities
generally from its scope.
•At Eurojust such activities are not excluded from supervision.
On the contrary, they are fully monitored by the JSB while
respecting the specificity of the judicial powers.
Specialised supervision
•EJ’s present system of specialised supervision works well:
- necessary expertise (judges and DPAs combination, fully independent);
- effective: 3 elected members, meeting regularly (4-5 times a year) at
EJ;
- costs about forty thousand euros a year (all in);
- in appeal cases appointees of involved MS are called in to join. It offers
a quick and not cumbersome appeal procedure for individuals;
- carries out on the spot supervision: frequent inspections with direct
involvement of national DPAs (3 days x five persons inspections);
- full transparency: webpage with regular updates, appeal decisions and
reports published and distributed and so forth;
- decisions of JSB are final and binding on Eurojust: quasi judicial nature.
•Data processed by EJ comes from MS and goes back to MS. So it makes
sense that national DPAs must be involved in supervision and this is
ensured by the JSB appointees.
Thanks for your attention!
Questions? Comments?
Diana ALONSO BLAS, LL.M.
Data Protection Officer/
Head of the DP service
Eurojust
Maanweg 174
NL-2516 AB The Hague
Tel: +31 70 412 5510
Fax: +31 70 412 5505
dalonsoblas@eurojust.europa.eu
www.eurojust.europa.eu