INFORMATION TO BE GIVEN2

Similar documents
Prior Checking Opinion

EDPS - European Data Protection Supervisor CEPD - Contrôleur européen de la protection des données

Brussels, 7 May 2009 (Case ) 1. Procedure

The Committee of Ministers, under the terms of Article 15.b of the Statute of the Council of Europe,

The draft Opinion was sent to the DPO for comments on 24 November These were received on 16 January 2012.

EDPS - European Data Protection Supervisor CEPD - Contrôleur européen de la protection des données

Depending on the circumstances, we may collect, store, and use the following categories of personal information about you:

Pursuant to Convention No. 108 of the Council of Europe for the protection of persons with regard to the automated processing of personal data;

Tourettes Action Data Protection Policy

General Optical Council. Data Protection Policy

Opus2 or an Opus2 Affiliate within the Group (as applicable), shall be the Data Controller in respect of the Personal Data covered in this Notice.

CANDIDATE DATA PROTECTION STANDARDS

GUIDELINES CONCERNING THE PROCESSING OPERATIONS IN THE FIELD OF STAFF RECRUITMENT

Guidelines on the protection of personal data in IT governance and IT management of EU institutions

Data Protection Policy & Procedures

Data Protection Policy

EU General Data Protection Regulation (GDPR)

Data Protection. Policy

GDPR DATA PROCESSING NOTICE FOR FS1 RECRUITMENT UK LTD FOR APPLICANTS AND WORKERS

Template Vacancy Notice

ARTICLE 29 Data Protection Working Party

WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION

Humber Information Sharing Charter

How employers should comply with GDPR

GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges

Personal data: By Personal data we understand all information about identified or identifiable natural ( data subject ) according to GDPR

ARTICLE 29 DATA PROTECTION WORKING PARTY

Brussels, 2 0 SEP, 2017

General Personal Data Protection Policy

COUNCIL OF EUROPE COMMITTEE OF MINISTERS. RECOMMENDATION No. R (89) 2 OF THE COMMITTEE OF MINISTERS TO MEMBER STATES

Data Protection Policy. Data protection. Date: 28/4/2018. Version: 1. Contents

EUROPEAN COMMISSION HEALTH AND CONSUMERS DIRECTORATE-GENERAL

Data Protection Policy

Human Resources. Data Protection Policy IMS HRD 012. Version: 1.00

Policy No: 42. Recruitment & Selection Policy

Guidelines on the management body of market operators and data reporting services providers

General Data Protection Regulation. What should community energy organisations be doing to prepare?

closer look at Definitions The General Data Protection Regulation

Conducting privacy impact assessments code of practice

Data Protection Policy

Structural Assistance Act

Getting Ready for the GDPR

Introduction. Key points of the recent ODPC guidance, and the Article 29 working group guidance

Tallinn, Estonia. Regulation (EU) No 1077/2011 of the European Parliament and of the Council of 25 October 2011, OJ L 286,

Data Protection Policy

PREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER

GDPR Privacy Notice for Staff

Executive Assessment & Coaching Module Overview Center for Creative Leadership. All rights reserved.

CITRIX SYSTEMS, INC. CORPORATE GOVERNANCE GUIDELINES. 1. Separation of the Positions of Chairperson and CEO

Whistleblower policy

This privacy policy (the 'conditions') was last amended in May 2016.

PROCESS APPRAISAL OF CHAIR

General Data Protection Regulation (GDPR) Frequently Asked Questions

Humber Information Sharing Charter

NHS North West Leadership Academy Coaching Hub A guide to using the Mentoring Hub as a mentee

GDPR readiness for start-ups, technology businesses and professional practices Martin Cassey

Whistleblowing policy

Managing personal relationships in the workplace

GENERAL TERMS AND CONDITIONS FOR USING THE JUVENTUS eprocurement PORTAL

Breakthrough Data Protection Policy Approved by Lead Organisation: November 2017 Next Review Date: November 2018

You will note that we require details of two referees, one of which must be your current or most recent employer.

MEMORANDUM OF UNDERSTANDING BETWEEN THE SINGLE RESOLUTION BOARD AND THE EUROPEAN CENTRAL BANK IN RESPECT OF COOPERATION AND INFORMATION EXCHANGE

Terms of Reference (TOR) Provision of consultancy services for payroll verification exercise

DECISIONS. (Text with EEA relevance) Having regard to the Treaty on the Functioning of the European Union, and in particular Article 149 thereof,

FRAMEWORK PARTNERSHIP AGREEMENT WITH HUMANITARIAN ORGANISATIONS

BISHOP WORDSWORTH S SCHOOL REDUNDANCY PROCEDURE

HCCA Professional Code of Ethics

Code of Conduct: Obligation to Stakeholders

Europol Public Information VACANCY NOTICE

WSGR Getting Ready for the GDPR Series

Memorandum of understanding between the Competition and Markets Authority and the Office of Communications concurrent competition powers

360 FEEDBACK SURVEY. Prepared for Organisation Name [NAME] 27 October AIM Research HR

Conducting privacy impact assessments code of practice

Comments on Chapter IV Part I Controller and processor 25/08/2015 Page 1

BRATHAY TRUST WHISTLE BLOWING POLICY & PROCEDURES. This document is live as at date of printing 16/08/2013 Page 1 of 8

Data protection (GDPR) policy

Data protection. The employment practices code

C 227 A of the European Union

St Mark s Church of England Academy Data Protection Policy

STANDARD ON INTERNAL AUDIT (SIA) 7 QUALITY ASSURANCE IN INTERNAL AUDIT *

General Rules of Conduct of Civil Servant. I. General Provisions

PERFORMANCE APPRAISAL SYSTEM

Recruitment and Selection

Whistleblowing Policy and Procedure

Equality Act 2010: Obtaining Information

Policy Document for: Data Protection (GDPR) Approved by Directors: September Due for Review: September Statement of intent

What you need to know. about GDPR. as a Financial Broker. Sponsored by

PRA RULEBOOK: CRR FIRMS NON-CRR FIRMS: INDIVIDUAL ACCOUNTABILITY INSTRUMENT (NO 3) 2015

Oracle Fusion Applications Workforce Development Guide. 11g Release 5 (11.1.5) Part Number E

Whistle-blowing. Policy and Procedure

General Data Protection Regulation (GDPR) A brief guide

EUROPEAN AVIATION SAFETY AGENCY VACANCY NOTICE REF.: EASA/AD/2007/072. Certification Policy Officer (F/M) Temporary Agent (AD 7)

(Legislative acts) DIRECTIVE 2014/55/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 16 April 2014 on electronic invoicing in public procurement

Data Privacy Policy for Employees and Employee Candidates in the European Union

EQUASS 2018 ASSURANCE PROCEDURES

Medical Devices. LATVIA LAWIN Klavins & Slaidins

Information Governance and Records Management Policy March 2014

GDPR Webinar 4: Data Protection Impact Assessments

Breaking the myth How your marketing activities can benefit from the GDPR December 2017

FARMER BROS. CO. CORPORATE GOVERNANCE GUIDELINES (Adopted February 1, 2017)

Transcription:

(To be filled out in the EDPS' office) REGISTER NUMBER: 1306 (To be filled out in the EDPS' office) NOTIFICATION FOR PRIOR CHECKING DATE OF SUBMISSION: 19/05/2015 CASE NUMBER: 2015-0441 INSTITUTION: EUROPEAN COMMISSION (DG COMP) 1 LEGAL BASIS: ARTICLE 27-5 OF THE REGULATION CE N 45/2001( ) INFORMATION TO BE GIVEN2 1/ NAME AND ADDRESS OF THE CONTROLLER Mr Philippe RENAUDIERE SG.DSG1.DP European Commission 1049 Brussels 2/ ORGANISATIONAL PARTS OF THE INSTITUTION OR BODY ENTRUSTED WITH THE PROCESSING OF PERSONAL DATA PERSICHELLI SCOLA Roberta EAC.R.1 European Commission 1049 Brussels The external processor is Deloitte Consulting CVBA, Berkenlaan 8 В, 1831 Diegem, Belgique. Contractor under framework contract EPSO/EAS/2010/116 Lot 4. 3/ NAME OF THE PROCESSING 360 feedback exercise for DG EAC managers 1 OJ L 8, 12.01.2001. 2 Please attach all necessary backup documents

4/ PURPOSE OR PURPOSES OF THE PROCESSING The purpose of the processing is to allow DG EAC managers to obtain anonymous feedback on their management and leadership style and to improve their management and leadership skills. The data will not be used in any form of evaluation (appraisal) process of any of the persons involved. Terminology: - Managers: senior and middle managers who agree on a voluntary basis to take part in the 360 feedback exercise for DG EAC. - Participants: managers participating on a voluntary basis to the 360 feedback exercise for DG EAC. - Raters: all the staff members who agree on a voluntary basis to give feedback to the manager, i.e. collaborators, peers, and superiors. - Collaborators: staff members working or having worked for the participating manager. - Data subject: managers and raters. - External coach: debriefer from the processor. Following the Action Plan in follow-up of the internal audit on HR, the EAC Directors' Board has decided to launch a development programme for the managers of which the 360 feedback exercise is the central element (DB 13/01/2015). This programme will allow managers to obtain anonymous feedback on their management and leadership style and to improve their management and leadership skills. This programme consists of: - The drawing up of a top-level shared vision for management in DG EAC. - The offer to EAC managers of a 360 feedback tool, a questionnaire that combines self-perception input and feedback from raters, to help EAC managers learn about their professional skills and identify strengths and areas for development. - The offer of individual debriefing session with an external coach and the drafting of a development plan. - The offer to EAC managers of a debriefing session with the respective manager and the external coach to discuss development priorities and appropriate learning activities. - The offer to EAC managers of a debriefing session with the respective collaborators and the external coach in view of the learning and development objectives of this process. The 360 tool takes the form of a self-assessment of the management and leadership style of managers and feedback given by raters by answering, on a voluntary basis, an online questionnaire composed of a set of closed questions and open questions for further individual comments to be made. A disclaimer will explicitly make the raters aware of that their comments made under the open questions will be transmitted to the participants as they write them with the risk of potentially being recognised. The contributions of the raters, collected via the web-based questionnaire, will be processed by the processor and will not be transferred to DG EAC. From these contributions, an individual feedback report for each participating manager will be produced on an aggregated basis per group of rater, one for the colleagues, one for the peers and one for the superior. Quantitative feedback given by each participant's own line manager (direct superior) is visible as such to the participant. Otherwise, people providing feedback are not identified in the feedback report received the participating manager or by the coach (for the

feedback session with the participant). Except for the quantitative report of the direct line manager, the reports will not allow the identification of raters and the answers given by each rater; it will only indicate the aggregate contributions and the total number of raters. In the individual report, a table will show the average score of all the participants as shown in the example annexed. To preserve the anonymity of participants, in case the number of participants is too reduced, no individual report will be generated. The individual feedback reports will be transferred by the processor only to the respective managers participating in the exercise. Each manager will therefore remain in full control of the data contained in his/her report. Group feedback reports will be also be produced by the processor in such a way as to preserve the anonymity of the raters. To preserve the anonymity of participants, in case the number of participants is too reduced, no group feedback report be generated. The group feedback reports will be transferred by the processor to the EAC.HR team in charge of the exercise, and will not contain personal data. They will only be retained in anonymous form. Key figures of these anonymous group reports might be made available on the DG EAC Intranet. The participating managers will be offered to discuss key learning and development findings with their external coach. On an entirely voluntary basis, the participating managers might decide to share the/some of results of the exercise with their colleagues and their line manager in view of the learning and development objectives of this process. Around 7 senior managers and 20 EAC middle managers are concerned by the programme. The participation in this exercise is totally voluntary for participating managers and for the raters. Anyone participating in the exercise in either capacity can opt-out at any time, before the launching of the exercise and while the exercise is underway, and request the deletion of their personal data. Moreover, there is no obligation for the participating managers to share the reports with anybody but the external coach. In cases of recent internal mobility participants and/or raters will have the option to receive/give feedback from/on their former colleague (s).info sessions will be organised both for the managers and the raters during which the programme and conditions of the participation of managers and raters will by explained. The processing of personal data falls under article 27 "Prior-Checking by the EDPS" as the processing operations intend to evaluate personal aspects relating to the data subject, including his or her ability, efficiency and conduct. The notification takes into account the recommendations made by the EDPS concerning procedures related to "360 " Leadership feedback report (Case 20090215), self-perception questionnaire "PERFORMANSE" (Cases 2012-0590 and 2013-1290), and the "360 Feedback leadership Circle" (Case 2014-0906).A description of the exercise is attached to this topic. EDPS recommended that: "To preserve the anonymity of participants, the data controller should ensure that, in case the number of participants is too reduced, no group report be generated. Furthermore, group reports should only be retained in anonymous form". is this measures taken into consideration? 5/ DESCRIPTION OF THE CATEGORY OR CATEGORIES OF DATA SUBJECTS - Managers: senior and middle managers who agree on a voluntary basis to take part in the 360 feedback exercise for DG EAC. - Raters: all the staff members who agree on a voluntary basis to give feedback to the manager, i.e. collaborators, peers, and superiors.

6/ DESCRIPTION OF THE DATA OR CATEGORIES OF DATA (including, if applicable, special categories of data (Article 10) and/or origin of data) Data of a personal nature allowing the identification (name, first name, electronic address, position, administrative entity) of the data subject (participant and rater) Information provided by the participants on their own perception of their competencies related to the DG's leadership competency model Information provided by raters on their perception of the participating managers' competencies related to the DG EAC leadership competency model Feedback reports regarding the participating managers mentioning strengths and areas for development (in relation to the DG's established leadership competency model) Recommendations on training and on-the-job development activities matching development needs of participating managers. Only data that are necessary for the processing will be collected. No sensitive data in the sense of Article 10 of the Regulation will be processed. 7/ INFORMATION TO BE GIVEN TO DATA SUBJECTS All persons participating in this activity receive information about the 360 feedback exercise process. The privacy statement (attached to this topic) is sent to all by email at the start of the exercise. The processor was instructed to respect the provisions of the Regulation (EC) 45/2001 and provided specific statements in this regard. 8/ PROCEDURES TO GRANT RIGHTS OF DATA SUBJECTS (Rights of access, to rectify, to block, to erase, to object) The way the data subject can access and rectify their data is explained in the privacy statement attached hereto, above. Also see response in the annex to point 11. 9/ AUTOMATED / MANUAL PROCESSING OPERATION The data for the self-perception questionnaire and the 360 feedback are entered into a restricted-use website to which the participating managers and the raters have a unique, individual and separated access. The information is processed automatically to process the reports. There should not be any personal input from the staff and the peers identifiable at least in the quantitative report case. 10/ STORAGE MEDIA OF DATA Data for the 360 feedback exercise are stored on secure computing facilities provided by the processor, subject to the framework contract and the specific contract signed with DG EAC.

11/ LEGAL BASIS AND LAWFULNESS OF THE PROCESSING OPERATION Legal basis: The Commission decision of 7 May 2002 on Staff Training states: - in Article 1 that learning is both a right and a duty for all persons working in the Commission, regardless of their assigned functions or their place of employment. - in Article 2 that staff training in the Commission shall have as fundamental objective to expand and improve individuals competencies so that each staff member can contribute optimally to achievement of the Institution s goals. - in Article 7 that the Directors General and Heads of Service shall, within their areas of responsibilities, (e) establish a strategic framework within the DG and (f) put mechanisms in place to manage training at DG level in line with central instructions and recommendations. The development programme for DG EAC managers forms part of the Action Plan in follow-up of the internal audit on HR, approved by the EAC Director's Board on 13/01/2015 which includes coaching of managers as one of the priorities for the development of professional and personal competencies. To organise the development programme for DG EAC managers, DG EAC uses a framework service contract (contract number: 30-CE-0428585/00-08 EPSO/EAS/PO/2010/116) which has been signed between the European School of Administration (EUAS) and the processor for the delivery of training coaching/consultancy services for the staff in the European institutions, bodies and agencies. This contract concerns lot 2 - "Training for middle managers (heads of unit)" and includes an article I.9 for data protection. The texts of the decision are detailed in the section 19 complementary information. Lawfulness: Art. 5.d of Regulation 45/2001, the data subjects participating in the development programme give their consent to the processing of personal data. This consent can be revoked at any time, also while the exercise is underway. When this happens, the exercise as regards this specific participant has to be stopped and any personal data collected will be deleted. Article 27 of Regulation 45/2001 will apply. 12/ THE RECIPIENTS OR CATEGORIES OF RECIPIENT TO WHOM THE DATA MIGHT BE DISCLOSED After agreement of the participating managers, their professional email address will be communicated to the processor which will then send by mail the necessary instructions to complete the questionnaire. The unique recipient of the individual report, automatically generated by the processor (combining both self- perception questionnaire and raters' feedback) is the participating manager. When requested by the participating managers, the external coach will receive his/her report in order to provide him/her individual feedback. DG EAC will receive only group reports, without the possibility of identifying any personal data. 13/ RETENTION POLICY OF (CATEGORIES OF) PERSONAL DATA The data collected for the launch and completion of the individual feedback questionnaire are kept by the processor for 3 months after the questionnaire completion and then deleted. Once the

participating manager has obtained the individual feedback report, the report will be deleted automatically by the processor after 3 months. The group reports, containing aggregated information without any possibility to track or identify individual answers, will be kept by EAC HR unit for a period of 2 years. The reason is to allow an analysis of the evolution in case DG EAC decides to repeat the exercise. 13 A/ TIME LIMIT TO BLOCK/ERASE ON JUSTIFIED LEGITIMATE REQUEST FROM THE DATA SUBJECTS (Please, specify the time limits for every category, if applicable) For all requests received by the controller, a response will be given within 15 working days from the day the responsible service receives the correspondence, which may however send a justified holding reply, in the circumstances set out in point 4 on the Code of Good Administrative Conduct. 14/ HISTORICAL, STATISTICAL OR SCIENTIFIC PURPOSES (If you store data for longer periods than mentioned above, please specify, if applicable, why the data must be kept under a form which permits identification) N/A 15/ PROPOSED TRANSFERS OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS N/A 16/ THE PROCESSING OPERATION PRESENTS SPECIFIC RISK WHICH JUSTIFIES PRIOR CHECKING (Please describe) AS FORESEEN IN: Article 27.2.(a) (Processing of data relating to health and to suspected offences, offences, criminal convictions or security measures,) Article 27.2.(b) (Processing operations intended to evaluate personal aspects relating to the data subject,) Article 27.2.(c) (Processing operations allowing linkages not provided for pursuant to national or Community legislation between data processed for different purposes,) Article 27.2.(d) (Processing operations for the purpose of excluding individuals from a right, benefit or contract) Other (general concept in Article 27.1)

17/ COMMENTS All data are processed solely for the purposes of providing feedback. Nobody within the Institutions, offices or agencies have access to any data contained in the individual feedback reports. Participant will be made aware of the above. The data processing will be carried out by the processor, subject to the framework contract and the specific contract signed with DG EAC. PLACE AND DATE: BRUSSELS, BELGIUM, 19/05/2015 DATA PROTECTION OFFICER: PHILIPPE RENAUDIERE INSTITUTION OR BODY: EUROPEAN COMMISSION

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback