Data Protection at the EUI
NOTICE: In light of the new rules applicable to EU Member States (Regulation (EU) 2016/679, GDPR) as well as the recent adoption of the new rules applicable to Union institutions, bodies, offices and agencies (Regulation (EU) 2018/1725), the EUI is currently revising its internal rules on data protection (currently President’s Decision 40/2013). This revision focuses in particular on further improving the following aspects of data protection at the EUI:
- Legal remedies in case of infringements of data subjects’ rights;
- Rules on data breaches;
- Protection of sensitive personal data in case of transfer to third parties.
The updated policy will shortly be adopted.
The internal regulation of the European University Institute (EUI) regarding Data Protection (see President’s Decision No. 40 of 27 August 2013 regarding Data Protection at the EUI - Data Protection Policy) is drafted in accordance with the principles contained in the Convention establishing the EUI, signed on 19 April 1972, and with the Protocol on Privileges and Immunities annexed to it.
The EUI takes also inspiration for its action in the field of data protection from the general principles contained in the European Convention on Human Rights, the Charter of the Fundamental Rights of the European Union and the relevant European Union legislation (particularly Regulation (EC) No 45/2001 with regard to the processing of personal data by the Community institutions and bodies and Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data).
Article 8: Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
What follows is a summary of the main aspects of the data protection policy at the EUI.
Definitions & Actors Involved
What are personal data?
- any information relating to an identified or identifiable natural person (data subject).
Who is an identifiable natural person?
- One who can be identified, directly or indirectly, in particular by reference to an indentification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
What is processing of personal data?
Certainly, a broad concept!
- Any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
What do we mean by the “data subject’s consent”?
- The data subject's consent shall mean any freely given specific and informed indication of his or her wishes by which the data subject signifies his or her agreement to personal data relating to him or her being processed.
Who are the main actors in data processing and which are their roles?
The Secretary General has overall responsibility for the implementation of the Data Protection Policy, including the appointment of controllers.
- Controller: the EUI or the Service or Unit or Department or any other organisational entity who alone or jointly with others determines the purposes and means of the processing of personal data on behalf of the EUI.
Who can in practice be a Controller within the EUI?
The Secretary General, the Director of Service/Head of Unit or Department of the EUI
Responsibilities of controllers:
- Fair and lawful processing of data
- Management of data inside their units and implementation of data quality requirements
- Notification to the Data Protection Officer (DPO) of any new processing operation unless it falls under the usual administrative and/or academic practise such as organisation of conferences or processing and assessment of scientific works.
- Identification of persons in charge of processing (“processors”) and notification to them about scope of processing operation they have to accomplish.
- Inform & Allow Data Subjects to exercise their rights.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected.
- Processor: natural or legal person within the EUI structure who processes personal data on behalf of the Controller.
- External Processor: natural or legal person, public authority, agency or any other body (e.g. organisational entity of an event, Settlements Office of the Joint Sickness Insurance Scheme) which is external to the EUI and processes personal data on behalf of the EUI.
What are the other actors involved (apart from the data subject)?
- Recipient: a natural or legal person to whom data are disclosed
- Data Protection Officer (DPO): EUI staff member nominated to ensure in an independent way respect for data protection principles within the EUI. The DPO’s main tasks, apart from an advisory function, consist in the provision of information and raising awareness, monitoring of compliance and assisting in the handling of complaints.
- Data Protection Committee (DPC): interservice and interdepartamental EUI Committee mandated to monitor application of the provisions of the Data Protection Policy and related policy instruments, to provide advice or make recommendations for improvement and to review complaints submitted to the Controller regarding a breach of data protection principles.
Composition of the Data Protection Committee
- The Internal Auditor: Anca Busila (alternate: Dieter Schlenker, Historical Archives of the EU)
- A Professor from the Law Department nominated for a period of 3 years by the Executive Committee upon the proposal of the Head of the Law Department: Giorgio Monti (alternate: Hans Micklitz)
- The Dean of Graduate Studies: Martin Scheinin (alternate: Anton Hemerijck, Director of Graduate Studies, Department of Political and Social Sciences)
- A member of staff nominated by the Staff Committee for a period of 3 years: Camilla Salvi, Language Centre (alternate: Lorenzo Ortiz Jimenez (Library).
- A researcher nominated by the Researcher Representatives for a period of 2 years:Theo Fournier (alternate: Felix Christian Corell)
- A staff member with knowledge of data protection: Mario Viola de Azevedo Cunha, RSCAS (alternate: Antoaneta Tasheva, Internal Audit Office)
Purposes of processing personal data
The Institute can process personal data for institutional purposes only (e.g. educational activities, administrative and accounting activities, security purposes, activities of academic and scientific research) and shall not store or process data for commercial purposes; mailing commercial advertising material or performing market research is therefore excluded.
Principles of data processing
- How should the EUI process personal data?
Personal data must be:
- Processed fairly and lawfully
- Collected for specified, explicit and legitimate institutional purposes (purpose binding principle)
- Adequate, relevant and not excessive in relation to the purpose (proportionality)
- Stored not longer than necessary (proportionality)
- Processed under the responsibility and liability of the controller
- What are the rules on lawful data processing?
Personal data may be processed only if:
- Unambiguous Consent of the data subject has been given
- Necessary for the performance of an institutional task of the EUI or task carried out in the public interest or in the legitimate exercise of official authority
- Necessary for compliance with legal obligation of the controller
- Necessary for the performance of a contract
- Necessary to protect the vital interests of the data subject or of a third party
Special rules apply to special categories of “sensitive” personal data
- What are these types of “sensitive data”?
- Those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life.
Processing of those data is prohibited.
- Explicit Consent by the Data Subject
- Compliance with rights and obligations of the controller in field of employment law
- Protection of vital interests of the data subject or of another person
- Data manifestly made public or legal claims
- Legitimate activities of non-profit organisation, under the conditions set out in the President's Decision 40/2013.
- Purposes of preventive medicine, medical diagnosis, management of health-care services, provision of care or treatment.
NB: the consent is considered implicit when the data subject provides data for administrative procedures established by the Institute. Processing by the Institute of special categories of data, as described above, when they are not necessary for complying with the specific rights and obligations of the Controller in the field of employment law would require the explicit consent of the data subject.
What are the principles for carrying out a processing operation by a processor?
- Acting only on instructions of the controller
- Compliance with the Data Protection Rules of the EUI
- Respect for confidentiality and security according to the EUI’s Data Security Policy
When the processing operation is carried out by way of an external processor, the above principles shall be stipulated also in the binding contract or legal act.
What are the principles for processing for research purposes?
- Data collected by the EUI for research purposes can be processed only for the scientific objectives for which they were collected.
- Such data may be publicly disclosed only if:
- the data subject has given consent or
- the publication of personal data is necessary to present research findings or to facilitate research; or
- the data subject has made the data public.
No distribution or only limited when required by overriding interests or fundamental rights of the data subject.
Data subject rights & Data Protection Complaints
The data subject has the right to:
- Be informed from the controller about the carrying out and the “context” of the processing operation (e.g. identity of controller, categories of data being processed, legal basis, purpose, source, time-limits for storing the data, recipients of data etc.)
- Rectification of inaccurate or incomplete personal data
- Erasure of data of which processing by the EUI is unlawful
- Block the processing of data of which he/she contests the accuracy until accuracy is checked.
If the data subject believes that there has been a breach of the data protection principles of the President's Decision No 40 of 27 August 2013, he/she can address a complaint to the Controller with simultaneous notification to the DPO at the following e-mail address: [email protected]
If the reply is not satisfactory, or it is not given within 30 Institute working days, the data subject can appeal to the Data Protection Committee under the terms and conditions outlined in the President’s Decision 40/2013.
The Institute assures the confidentiality & security of the processing of personal data, for both paper or electronic files.
In that respect, all staff involved (employed within the EUI or contracted by the EUI) and acting as processors on behalf of the EUI are bound by the duty of confidentiality and shall not process them except on instructions from the controller.
They are also made aware of the security procedures they must follow when handling personal data.
How is the security of personal data safeguarded?
- Through adequate technical and organisational measures (having regard to the state of the art and the cost of their implementation)
What is the purpose?
- To ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data processed.
- To prevent any unauthorized disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing.
The Decision contains specific provisions in relation to the measures and risks specifically of the processing of personal data by automated means.
Transfer of data
Personal data can be transferred, for institutional purposes, between the EUI and third parties such as Member States, public authorities, institutions, companies ONLY when all parties of the transfer have in place adequate safeguards for the protection of privacy compatible with Directive 95/46/EC.
Requirements for data transfer:
- the data are necessary for the legitimate performance of tasks covered by the competence of the recipient
- the data are necessary for the performance of a task carried out in the public interest or subject to the exercise of public authority or
- the data need to be transferred (burden of proof upon the recipient) and there is no reason to assume that the data subject’s legitimate interests might be prejudiced.
- Transfer of personal data to third parties such as the European Commission, the Settlements Offices of the Joint Sickness Insurance Scheme common to the institutions of the European Union (JSIS), Van Breda International, the Institute's medical advisers, the Institute's diagnostic laboratory falls within the standard institutional practices of the EUI.
Disclaimer: The summary above is provided for information purposes only and in no way replaces or substitutes the relevant regulatory documents of the EUI.