Data protection at Eurojust: a robust, effective and tailor-made regime Diana ALONSO BLAS, LL.M. Head of the DP Service/Data Protection Officer Data Protection is crucial for Eurojust • Eurojust needs to receive, store and further process personal data to deal with the cases referred by national authorities • Eurojust deals with personal data on persons subject of a criminal investigation or prosecution, witnesses and victims + persons having been convicted under revised Decision • Data Protection is a one factor that can strongly influence the successful performance of the organisation and the trust that other organisations puts on us. The Data Protection Regime of Eurojust : Robust, effective and tailored-made Eurojust Decision contains detailed provisions on data protection (Articles 14-25) Art.14: Processing of personal data Art.15: Restrictions on the processing of personal data Art.16: CMS, index and temporary work files Art. 16a: Functioning of temporary work files and index Article 16b: Access to the CMS at national level Art.17: Data Protection Officer Art.18: Authorised access to personal data Art.19: Right of access to personal data Art.20: Correction and deletion of personal data Art.21: Time limits for the storage of personal data Art.22: Data Security Art.23: Joint Supervisory Body Art.24:Liability for unauthorised or incorrect processing of data Art.25: Confidentiality New Eurojust Decision of 16 December 2008 reinforces the DP system, defining more precisely provisions and introducing some principles of DP RoP in the text . Other European instruments: Eurojust - Treaty of the EU (Article 6) - ECHR (Article 8) - CoE Convention 108 - Charter EU (Articles 7-8) - Article 16 Treaty of Lisbon Rules of Procedure on the processing and protection of personal data (adopted unanimously by College of Eurojust in October 2004 and by Council in February 2005) Title I: Definitions Title II: Scope of application and structure Title III: Principles of general application to Eurojust Title IV: Rules for case-related processing operations Title V: Rules for non-case-related processing operations Additional Rules of the Rules of Procedure to non-case-related operations (Decision of College of June 2006) Main features of the Eurojust DP regime •The Eurojust DP regime complies with all the same general principles of other EU instruments but: -It is adapted to the specific nature of the activities of EJ (in line with declaration 21 of TFEU) -It is very detailed and precise, offering therefore great legal certainty to data subjects; - EJ rules contain additional safeguards for victims and witnesses with strict conditions and time limits for processing of such data; - It has defined rules on possible access to the information; - A system of data retention with regular review of compliance; - Obligations to keep the data updated, relevant and not excessive. •All those rules have been technically implemented in CMS - a good example of “privacy by design”. •Legal certainty is key in this field. Specific rules offer more protection! Main features of Eurojust DP regime II •Rights of the individuals – specificity of the activities (ongoing investigations or prosecutions) •Every request is dealt on a case by case basis and takes into account all interests at stake and makes efforts to provide information whenever possible. •In a recent Court case, the General Court has praised the way EJ was dealing with data subject requests (judgment of 25 November 2010 in case T-277/10AJ K v Eurojust): The General Court of the European Union evaluated very positively the fact that Eurojust had provided the individual information as to the fact that no personal data on him had been processed. The Court found that Eurojust not only duly met the requirements of Article 19(7) of the Eurojust Decision but even exceeded them, since it provided a detailed answer to the applicant’s allegations revealing that no personal data concerning him was processed by Eurojust. •This is also an example of the fact that data subjects are not deprived of their rights to have judicial review of the decisions taken by EJ. System of supervision •Internal control: DPO (article 17 EJ Decision). Independence. -Tasks: ensuring compliance and lawfulness in independent manner - Access to all data and all premises - Issues annual survey on compliance for College and JSB - Procedure in case of non-compliance -Eurojust postholders can address enquiries, information requests, claims and complaints to DPO. No one shall suffer prejudice! DP service is there to advise controllers regarding processing of personal data issues •External control: Joint Supervisory Body (Art. 23): Members are judges or equal level of independence. JSB monitors the correct application of the rules on DP and carries out frequent inspections. Need for specific and effective supervision •EJ has a robust DP system in place, tailor made to the mandate and tasks of EJ and closely monitored by DPO and JSB. •The Lisbon treaty refers to independent DP authorities (plural). •The supervision of processing operations carried out by judicial authorities cooperating in ongoing judicial investigations or prosecutions is often excluded at national level from the scope of the DPAs and, at EU level, the EDPS is also not competent to supervise the ECJ acting in its judicial capacity. •The proposed Directive excludes as well these activities generally from its scope. •At Eurojust such activities are not excluded from supervision. On the contrary, they are fully monitored by the JSB while respecting the specificity of the judicial powers. Specialised supervision •EJ’s present system of specialised supervision works well: - necessary expertise (judges and DPAs combination, fully independent); - effective: 3 elected members, meeting regularly (4-5 times a year) at EJ; - costs about forty thousands euros a year (all in); - in appeal cases appointees of involved MS are called in to join. It offers a quick and not cumbersome appeal procedure for individuals; - carries out on the spot supervision: frequent inspections with direct involvement of national DPAs (3 days x five persons inspections); - full transparency: webpage with regular updates, appeal decisions and reports published and distributed and so forth; - decisions of JSB are final and binding on Eurojust: quasi judicial nature. •Data processed by EJ comes from MS and go back to MS. So it makes sense that national DPAs must be involved in supervision and this is ensured by the JSB appointees. Thanks for your attention! Questions? Comments? Diana ALONSO BLAS, LL.M. Data Protection Officer/ Head of the DP service Eurojust Maanweg 174 NL-2516 AB The Hague Tel: +31 70 412 5510 Fax: + 31 70 412 5505 dalonsoblas@eurojust.europa.eu www.eurojust.europa.eu