EDPS - European Data Protection Supervisor CEPD - Contrôleur européen de la protection des données

Similar documents
EDPS - European Data Protection Supervisor CEPD - Contrôleur européen de la protection des données

General Personal Data Protection Policy

COUNCIL OF EUROPE COMMITTEE OF MINISTERS. RECOMMENDATION No. R (89) 2 OF THE COMMITTEE OF MINISTERS TO MEMBER STATES

RULES GOVERNING THE SECONDMENT OF NATIONAL EXPERTS TO THE EUROPEAN PARLIAMENT BUREAU DECISION 4 MAY 2009

EU GENERAL DATA PROTECTION REGULATION

Data Privacy Policy for Employees and Employee Candidates in the European Union

Data Protection. Policy

St Mark s Church of England Academy Data Protection Policy

The Committee of Ministers, under the terms of Article 15.b of the Statute of the Council of Europe,

Brussels, 16 August 2017

CANDIDATE DATA PROTECTION STANDARDS

Template Vacancy Notice

WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION

General Optical Council. Data Protection Policy

Vacancy for a post of Data Protection Officer (Temporary Agent, AD 5) in the European Asylum Support Office (EASO) REF.

Data Protection Policy

Vacancy for a post of Procurement Officer (Temporary Agent, AD 6) in the European Asylum Support Office (EASO) REF.

DATA PROTECTION POLICY

UK Research and Innovation (UKRI) Data Protection Policy

EUROPE OF NATIONS AND FREEDOM GROUP IN THE EUROPEAN PARLIAMENT NOTICE OF RECRUITMENT IRC

European Data Protection Supervisor (Controleur europeen de la protection des donnees)

Data Protection Policy

AmCham s HR Committee s

Tallinn, Estonia. Regulation (EU) No 1077/2011 of the European Parliament and of the Council of 25 October 2011, OJ L 286,

Policy Document for: Data Protection (GDPR) Approved by Directors: September Due for Review: September Statement of intent

(Announcements) ADMINISTRATIVE PROCEDURES COURT OF AUDITORS VACANCY NOTICE ECA/2018/1. One (1) Director s post Audit. (AD function group, grade 14)

GROUP DATA PROTECTION POLICY

ARTICLE 29 Data Protection Working Party

Vacancy for a post of HR Assistant (Temporary Agent, AST 3) in the European Asylum Support Office (EASO) REF.: EASO/2017/TA/029

EXECUTIVE DIRECTOR OF THE EUROPEAN CHEMICALS AGENCY (ECHA) HELSINKI

KRONOS WORLDWIDE, INC. SAFE HARBOR PRIVACY POLICY Effective December 1, 2009 Amended and Restated as of July 20, 2012

Data Protection Policy

Data Protection Policy

Unfair Dismissals Acts, 1977 to 2001

Data Protection Policy

THE GENERAL DATA PROTECTION REGULATION: A BRIEF OVERVIEW (*)

How employers should comply with GDPR

EUROPEAN UNION. Brussels, 27 March 2013 (OR. en) 2011/0374 (COD) PE-CONS 80/12 CONSOM 164 MI 853 JUSTCIV 382 CODEC 3131 OC 774

Vacancy for a post of Assistant to the Head of Department (Temporary Agent, AST 5) in the European Asylum Support Office (EASO)

Vacancy for a post of HR Officer (Temporary Agent, AD 5) in the European Asylum Support Office (EASO) REF.: EASO/2017/TA/030

Vacancy for a post of Senior Officer Executive Support (Temporary Agent, AD 7) in the European Asylum Support Office (EASO) REF.

Vacancy for a post of Communications Assistant (Contract Agent, FG III) in the European Asylum Support Office (EASO) REF.

Data Protection Policy & Procedures

COMMITTEE OF THE REGIONS

Data protection (GDPR) policy

General Data Protection Regulation

Group of the European People s Party (Christian Democrats) in the European Parliament NOTICE OF RECRUITMENT N 2013/1/AD

Rules governing the 2015 official traineeships scheme of the European Foundation for the Improvement of Living and Working Conditions (Eurofound)

REPORT FORM. TERMINATION OF EMPLOYMENT CONVENTION, 1982 (No. 158)

- 1 - VACANCY NOTICE No CDR/AD14-AD15/6/2016 concerning a post of. DIRECTOR (M/F) at the Directorate for Communication

ARTICLE 29 DATA PROTECTION WORKING PARTY

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Breakthrough Data Protection Policy Approved by Lead Organisation: November 2017 Next Review Date: November 2018

PRIVACY POLICY MAW Men at Work S.p.A. Agenzia per il Lavoro S.p.A

EUROPE OF NATIONS AND FREEDOM GROUP IN THE EUROPEAN PARLIAMENT NOTICE OF RECRUITMENT ICR

Vacancy for two posts of Programme Manager (Contract Agent FG IV) in the Shift2Rail Joint Undertaking. REF.: Shift2Rail/2016/01.

Draft European Parliament & European Commission Agreement. on the establishment of a "Transparency Register"

Humber Information Sharing Charter

Data protection. The employment practices code

LAW ON LABOUR IN KOSOVO

VACANCY NOTICE 06/04/2017 AT NOON, BARCELONA GMT+1

DATA PROTECTION POLICY

EUROPEAN MEDICINES AGENCY

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Human Resources People and Organisational Development. Disciplinary Procedure Manual Staff

EEAS Vacancy Notice Administrator. Administrator co-desk Officer Pakistan ASIAPAC.2. (EU Staff Members: AD5-12/ Candidates from Member States: AD05)

To: The Chief Executives of Education and Training Boards

General Terms and Conditions for Grazing and Meadow Dairy Products of the Grazing Foundation

General Guide to Employment Law Introduction

Supplier Code of Conduct

DIVERSITY AND INCLUSION POLICY

Comments on Chapter IV Part I Controller and processor 25/08/2015 Page 1

Template Vacancy Notice

ROSNEFT OIL COMPANY'S REGULATION ON

Applications are invited for the above Contract Agent post at the European Centre for Disease Prevention and Control (ECDC).

Policy and Procedure on Contracts of Employment

FIXED TERM CONTRACT POLICY. Recruitment and Selection Policy Secondment Policy. Employment Policy. Officer / CSP

EUROPEAN AVIATION SAFETY AGENCY VACANCY NOTICE REF.: EASA/AD/2007/072. Certification Policy Officer (F/M) Temporary Agent (AD 7)

General Data Protection Regulation. The changes in data protection law and what this means for your church.

Recruitment and Selection: Procedure and Guidance

Europol Public Information VACANCY NOTICE

Regulates the way data controllers process personal data

The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry

DIRECTORATE-GENERAL FOR COMMUNICATION DIRECTORATE FOR MEDIA CONDITIONS FOR SUBMITTING A TENDER INVITATION TO TENDER NEGOCIATED PROCEDURE

Administrator Head of Sector Crisis Response INTCEN.3. (EU Staff Members: AD5-AD12/ Candidates from Member States: AD07) Job n.

Group of the European People s Party (Christian Democrats) in the European Parliament NOTICE OF RECRUITMENT N 2013/3/AST

EU General Data Protection Regulation (GDPR)

Discussion Paper on innovative uses of consumer data by financial institutions

The Implementation of UN Economic Sanctions by the European

Data Protection Audit Self-assessment toolkit

Guidelines on the management body of market operators and data reporting services providers

DECISIONS. (Text with EEA relevance) Having regard to the Treaty on the Functioning of the European Union, and in particular Article 149 thereof,

Explanatory Memorandum: The Natural Mineral Water, Spring Water and Bottled Drinking Water (Wales) (Amendment) Regulations 2010

Review date: July 2018 Responsible Manager: Head of Human Resources. Accessible to Students: No. Newcastle College: Group Services:

* Availability of this new posts in Frontex is subject to the final decision on amendment of the budget (establishment plan) of Frontex.

Europol/2017/TA/AD6/307

RIVERSIDE SCHOOL. Capability Procedure for Support Staff

The General Data Protection Regulation An Overview

This privacy policy (the 'conditions') was last amended in May 2016.

ROSTERS OF JUNIOR AND SENIOR EXPERTS Specifications of the Call for expression of interest

Transcription:

EDPS - European Data Protection Supervisor CEPD - Contrôleur européen de la protection des données Opinion on the notification for prior checking received from the Data Protection Officer at the Court of Justice of the European Communities relating to the "SUIVI des traductions" Brussels, 13 January 2006 (Case 2005-212) 1. Procedure 1.1. On 20 July 2004 the European Data Protection Supervisor (EDPS) wrote to the Data Protection Officers (DPOs) asking them to prepare an inventory of data processing that might be subject to prior checking by the EDPS as provided for by Article 27 of Regulation (EC) No 45/2001 (hereinafter referred to as "the Regulation"). The EDPS requested notification of processing operations subject to prior checking, including those begun before the Supervisor was appointed, for which checking could never be regarded as prior, but which would be subject to "ex post facto" checking. 1.2. On the basis of the inventories received from the Data Protection Officers, the EDPS identified priority topics, namely data processing operations in disciplinary, staff evaluation and medical files. 1.3. On 30 November 2004 the EDPS wrote to the DPO at the Court of Justice of the European Communities, asking to be notified of the data processing operations which fell within the scope of the priority topics. 1.4. On 4 August 2005, the EDPS received the notification for prior checking regarding data processing in the context of the use of the "SUIVI des traductions" application. 1.5. Questions were asked on the following dates: 8 September 2005, 19 September 2005 and 15 November 2005. Answers were received on 16 September 2005, 14 November 2005 and 21 December 2005 respectively. 2. Examination of the case 2.1. The facts SUIVI is an Oracle database for the entire management of the workflow of the Translation Directorate. Data on work rates are collected and processed in order to draw up periodical reports on officials and temporary staff in the Directorate, in accordance with Article 43 of the Staff Regulations of Officials of the European Communities, Article 15(2) of the Conditions of employment of other servants of the European Communities, and the Decision of the Court of Justice of 18 October 2000 adopting the general implementing provisions on staff reports (Annex 1). The data are also used to analyse the production capacity of the service, particularly in relation to its workload. Postal address: rue Wiertz 60- B-1047 Brussels Offices: rue Montoyer 63 E-mail: edps@edps.eu.int - Web site: www.edps.eu.int Tel.: 02-283 19 00 - Fax: 02-283 19 50

Those concerned by this processing are the legal/linguistic experts, proofreaders and secretaries in the twenty language units of the Translation Directorate. The various sorts of data which might be used in connection with the productivity of officials and other staff in the Translation Directorate - legal/linguistic experts, proofreaders, and secretaries - are as follows (see Annexes II, III, IV and V). Surname and first name of the person Unit to which he or she belongs Category (LA, B or C) Production (number of pages translated, revised, corrected or typed) by court (Court of Justice or Court of First Instance) Types of document processed Type of processing Original language of translated documents Translation deadlines Production period (see Annexes II and III: for example from 1.1.2004 to 31.12.2004) Weighting (division by 2 of number of revised pages) Working days during a reference period (working days - part-time, corrected by dates of arrival and departure) Effective days during a reference period [working days following deduction of leave and absences (The table relating to days of service (Annex III of the dossier) shows that the cause of absence is specified as follows: annual leave, special or maternity leave, sickness, mission, training, other, public holidays)]. Staff in the Translation Directorate are individually informed of the personal data concerning their work rate in their annual periodical reports. In addition, every official or other member of staff may have manual access to the personal data concerning them in the SUIVI application upon request to the data controller. In practice, this happens regularly in respect of work rate data. It is intended that in future all members of staff will be able to access directly the personal data concerning them in the SUIVI application, via the Intranet. Access will be protected by a password. The technical implications of this direct access via the Intranet are currently being studied. If a data subject considers that his personal work rate data are not correct, he may ask for them to be corrected (e.g., as regards the number of effective days, or the production figure). This correction is made following verification. The information listed in Article 11 of the Regulation will be provided to staff when direct access is established and introduced, and whenever anyone accesses their personal data (pop-up window). The procedure is partly manual and partly automatic. The head of the secretariat or management assistant in each language unit enters data in SUIVI concerning the activities of officials as regards documents handled, on the basis of the worksheet for each translation request (Annex VI).

The secretariat of the Translation Directorate enters in SUIVI the data needed to calculate working days and effective days. Absences for training are entered directly in SUIVI by a secretary in the General Services Division. The surname and first name, date of birth, unit, staff number, post and status under the Staff Regulations can be entered in SUIVI automatically from the personnel management database of the institution. In the case in hand, after each reporting exercise, the heads of unit destroy the tables distributed to them. However, the data sources are kept. After asking an additional question, the EDPS was informed that the period for which data have to be kept in the SUIVI database depending on their purpose is currently under consideration. The new Staff Regulations create new obligations for the administration as regards the evaluation of an official's career: the certification and attestation procedures, and the possibility of promotion for officials who were previously at the end of their career paths. These procedures reflect the progress of officials' careers over what may be long periods, and require all the information on which evaluation is based to be kept, for example to make possible a comparative examination of situations and a complete overview of the service of every official concerned. The internal annual promotions mechanism takes account of an official's entire career in his grade before promotion. This overall view may be a determining factor in the rate at which his career progresses. On the other hand, once an official has been promoted, the retention of the data on which his promotion was based is no longer necessary. To meet these obligations, the administration must have comprehensive data on which to justify the decisions it takes. For this reason, the data controller has emphasised that it is difficult to determine a fixed period for the retention of data. Only experience will show what is the minimum retention period allowing data to be deleted as soon as possible while at the same time ensuring that there is fair and transparent handling of officials' careers, on the basis of all the relevant information. At the end of every promotions exercise, the data concerning those officials who have been promoted may be erased. Access to the data is restricted to those persons who are involved in evaluating officials, namely the Director for translation, the two deputy Directors and the head of the unit concerned. The data are not transferred to third countries or international organisations. Security measures have been taken. 2.2. Legal aspects 2.2.1. Prior checking The management of work rate data constitutes processing of personal data ("any information relating to an identified or identifiable natural person" - Article 2(a)). The data processing is

carried out by an institution in the exercise of activities which fall within the scope of Community law (Article 3(1)), and it is done wholly or partly by automatic means or involves data intended to form part of a filing system (Article 3(2)). It therefore falls within the scope of Regulation (EC) No 45/2001. This case relates to processing activities in the context of use of the SUIVI application. The EDPS has already issued an opinion in case 2004-0279 concerning "SUIVI: Sick leave of Translation Directorate". The area to be evaluated in the present case, as in case 2004-0279, is defined by the purpose of the processing, i.e. the drawing up of a periodical report on officials and other staff of the Translation Directorate in accordance with the Staff Regulations, and the checking of absences on grounds of sickness, respectively. Article 27(1) of Regulation (EC) No 45/2001 imposes prior checking by the EDPS on all "processing operations likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes". Article 27(2) of the Regulation contains a list of processing operations likely to present such risks. This case qualifies for prior checking (Article 27(2)(b)) since it involves "processing operations intended to evaluate personal aspects relating to the data subject, including his or her ability, efficiency and conduct" (Article 27(2)(b) of the Regulation). The processing carried out using SUIVI is "intended" to evaluate the efficiency of officials, even if decisions on reports are not made solely on the basis of the results from SUIVI. In principle, checks by the European Data Protection Supervisor should be conducted prior to the introduction of the data processing operation. In this case, since the European Data Protection Supervisor was appointed after the system was created, the check necessarily has to be ex post facto. However, this does not alter the fact that it would be desirable for the recommendations issued by European Data Protection Supervisor to be implemented. The DPO's notification was received on 4 August 2005. In accordance with Article 27(4), this opinion had to be delivered within two months, i.e. by 5 October 2005. The procedure was interrupted for 100 days. The Supervisor therefore has to deliver his opinion by 13 January 2006. 2.2.2. Legal basis and lawfulness of the processing operation Processing is carried out on the legal basis of Article 43 of the Staff Regulations of Officials of the European Communities (the Staff Regulations), Article 15(2) of the Conditions of employment of other servants of the European Communities (the Conditions of employment), and the Decision of the Court of Justice of 18 October 2000 adopting the general implementing provisions on staff reports (the Decision of the Court). Article 43 of the Staff Regulations states that: "The ability, efficiency and conduct in the service of each official shall be the subject of a periodical report made at least once every two years as provided for by each institution in accordance with Article 110. Each institution shall lay down provisions conferring the right to lodge an appeal within the reporting procedure, which has to be exercised before lodging a complaint as referred to in Article 90(2).

As of grade 4, for officials in function group AST, the report may also contain an opinion as to whether, on the basis of performance, he has the potential to carry out an administrator's function. The report shall be communicated to the official. He shall be entitled to make any comments thereon which he considers relevant." Article 15 of the Conditions of employment states that: " ( ) 2. The provisions of Article 43 of the Staff Regulations, concerning reports, shall apply by analogy" to the staff referred to in Article 2(a), (c) and (d). The Decision of the Court, annexed to the notification, establishes the procedure to be followed in reporting on staff. Alongside the legal basis in relation to the Regulation of the lawfulness the processing must also be considered. Article 5 of the Regulation provides that "Personal data may be processed only if: (a) processing is necessary for the performance of a task carried out in the public interest on the basis of the Treaties establishing the European Communities or other legal instruments adopted on the basis thereof or in the legitimate exercise of official authority vested in the Community institution or body or in a third party to whom the data are disclosed ( )." In the present case, the legislative acts mentioned above relate to the exercise of a task carried out in the public interest, such as the evaluation of the ability, efficiency and conduct of officials and other staff of the European institutions. That being so, the proposed processing is therefore lawful. 2.2.3. Data quality "Personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed" (Article 4(1)(c) of the Regulation). The data processed in the "SUIVI des traductions" application, described in paragraph 2.1 of this opinion, must be considered as fulfilling these conditions for processing, since they do not include data other than those directly connected with the work rate of the data subject. The data must also be "processed fairly and lawfully" (Article 4(1)(a) of the Regulation). Lawfulness has already been considered in paragraph 2.2.2 of this opinion. As for fairness, this relates to the information which must be transmitted to the data subject (see paragraph 2.2.7 below). Finally, the data must be "accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified" (Article 4(1)(d) of the Regulation). The notification for prior checking sent by the DPO of the Court of Justice specifies that if a person considers that his personal work rate data are not correct, he may ask for them to be corrected (for example as regards the number of effective days, or the production figure). This correction is made following verification.

2.2.4. Processing of special categories of data Article 10(1) provides that "the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and of data concerning health or sex life, are prohibited". The table on days of service (Annex III) shows that the cause of absence is specified as follows: annual leave, special or maternity leave, sickness, mission, training, other, public holidays. The term "sickness" implies data on health, and a justification under Article 10(2) of the Regulation must therefore be found to authorise its processing. Article 10(2) reads as follows: "paragraph 1 shall not apply where: ( )(b) processing is necessary for the purposes of complying with the specific rights and obligations of the controller in the field of employment law insofar as it is authorised by the Treaties establishing the European Communities or other legal instruments adopted on the basis thereof ( )". This point has already been covered in case 2004-0279, mentioned in paragraph 2.2.1 above, which noted that "The Directorate has also justified the inclusion of this element in the data base on the grounds that, in a notation exercise or in view of promotion, it enables the persons involved in this exercise to have a more precise picture of the personal circumstances of data subjects and to take this into account when evaluating them or establishing proposals for promotions" (Opinion of 15 November 2005, case 2004-0279, page 5). Paragraph 2.2.2 of this opinion sets out the legal basis for the reporting exercise, and thus the inclusion of this data is justified in the light of Article 10(2)(b) of the Regulation. Nonetheless, the EDPS would like to stress that specific guarantees must be provided to ensure that such data is not used to the detriment of the data subject. For example, the information provided to the data subject must specify the existence of such data and the purpose for which they are to be used. Those who have access to such data must use them strictly for the purpose for which they were collected (see the opinion of 15 November 2005, case 2004-0279, page 5). 2.2.5. Retention of data Personal data must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed ( )" (Article 4(1)(e) of the Regulation). As already indicated in paragraph 2.1, the period for which data will be retained has not yet been determined. The EDPS notes this, and would like to stress how important it is for this period to be determined as soon as possible. Account must be taken of the fact that the purpose of the processing is the reports and promotion of officials and other staff. The data must be retained, in principle, until the evaluation and promotion exercises have taken place, and until the end of the period in which reports and promotions may be contested. A more precise timelimit should be determined as soon as possible on the basis of this practice. After that period the data must be deleted. The data are not kept for historical, statistical or scientific purposes (Article 4(1)(b)).

2.2.6. Processing including the staff number or identification number Article 10(6) of the Regulation provides that the European Data Protection Supervisor shall determine the conditions under which a personal number or other identifier of general application may be processed by an institution. The official's staff number is collected and processed in the context of this procedure, and Article 10(6) therefore applies. However, it should be pointed out that there is no need to examine how the staff number is used in general, but only how it is used in the current case. The use of an identifier is in itself no more that a means - a legitimate one, in this case - to facilitate the work of the personal data controller; however, such use may have significant implications. This is what induced the European legislator to control the use of identifiers in Article 10(6) of the Regulation, which provides for the involvement of the European Data Protection Supervisor. In this case, the use of the staff number may have the result of allowing data processed in different contexts to be linked. The use of identifiers is reasonable since its use is a means to facilitate the processing task. 2.2.7. Provision of information to the data subject The Regulation stipulates that the data subject must be informed when his personal data is processed, and lists points which must be included in the information provided. In the current case, the data are obtained partly from the data subject. Article 11 (Information to be supplied where the data have been obtained from the data subject) and Article 12 (Information to be supplied where the data have not been obtained from the data subject) on the provision of information to the data subject apply in this case. The EDPS has been informed that the rules laid down in Articles 11 and 12 will be fulfilled in future by the various means described in paragraph 2.1. The EDPS would like to stress that this obligation must be complied with as soon as possible, as it is a key element of data protection and therefore one of the principal responsibilities of the data controller, constituting the measures necessary to guarantee fair processing in respect of the data subject. 2.2.8. Right of access and rectification Article 13 of the Regulation provides that there should be a right of access - and lays down the form it should take - at the request of the data subject. Article 14 of the Regulation gives the data subject a right of rectification. In the case in hand, any member of staff may, on request, access his personal data in the SUIVI application. In practice, this happens regularly in respect of work rate data. It is intended that in future all members of staff will be able to access directly the personal data concerning them in the SUIVI application, via the Intranet. If a data subject considers that his personal work rate data are not correct, he may ask for them to be corrected (e.g. as regards the number of effective days, or the production figure). This correction is made following verification. The provisions concerning the right of access and rectification have therefore been complied with.

2.2.9. Automated individual decisions SUIVI processes data concerning work rate in an automated fashion, so that a periodical staff report can be produced. However, report decisions are not based only on the figures produced by SUIVI. Article 7 of the Court's Decision states that before drawing up the report, the reporting officer must consult the official's immediate superior, if they are not one and the same person. He may also consult anyone else he deems appropriate. He must also hold a preliminary interview with the reportee. The Court's Decision also provides various procedural guarantees ensuring the official's right to be heard (see Articles 8, 9, 10, 11 and 12). For example, Article 8 of the Decision stipulates that the reporting officer must draw up the report and forward it to the reportee within 45 days of the end of the reference period. The official has ten working days to initial the report and return it to the reporting officer; he may add any comments he deems to be relevant. Within the same timelimit, the reportee may refer the matter to the appeal assessor under the conditions set out in Article 10. Article 19 of the Regulation provides a guarantee in respect of automated individual decisions, to ensure that the legitimate interests of the data subject are safeguarded. In the case in hand, the decision (in this case the evaluation in the report) is not made solely on the basis of automated processing, since the reporting officer consults the immediate superior of the reportee, and the official has an opportunity to put his point of view. 2.2.10. Security The EDPS considers that the security measures described in the notification are adequate in the light of Article 22 of the Regulation. Conclusion The proposed processing does not appear to violate the provisions of Regulation (EC) No 45/2001, so long as account is taken of the observations set out above. In particular: Specific guarantees must be given to ensure that processing operations involving special categories of data (in this case, data relating to health) are not used to the detriment of the data subject. The period for which data may be retained must be determined. Data must be retained, in principle, until the reporting and promotion exercises have taken place, and until the end of the period in which reports and promotions may be contested. A more precise timelimit should be determined as soon as possible, on the basis of this practice. The data subject must be informed when his personal data are processed, in accordance with Articles 11 and 12 of the Regulation. Done at Brussels, 13 January 2005 Peter HUSTINX European Data Protection Supervisor

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback