Name: Commission Decision (EU) 2018/1927 of 5 December 2018 laying down internal rules concerning the processing of personal data by the European Commission in the field of competition in relation to the provision of information to data subjects and the restriction of certain rights
 Type: Decision
 Subject Matter: information technology and data processing;  EU institutions and European civil service;  rights and freedoms;  competition
 Date Published: 2018-12-10

 10.12.2018 EN Official Journal of the European Union L 313/39 COMMISSION DECISION (EU) 2018/1927 of 5 December 2018 laying down internal rules concerning the processing of personal data by the European Commission in the field of competition in relation to the provision of information to data subjects and the restriction of certain rights THE EUROPEAN COMMISSION, Having regard to the Treaty on the Functioning of the European Union, and in particular Article 249(1) thereof, Whereas: (1) The Commission conducts administrative investigations for the purpose of enforcing the competition rules in accordance with the Treaty and secondary legislation as well as international agreements adopted for that purpose. (1) To that end, it exercises powers of investigation and enforcement (including related operational activities) in the fields of antitrust, merger control and State aid control conferred on the Commission by the relevant Union acts. (2) Commission investigations and enforcement activities in the field of competition target undertakings or Member States which are subject to the competition rules of the Treaty, and not natural persons as such. Nevertheless, during competition investigations, personal data within the meaning of Article 3(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (2) are inevitably processed within the meaning of Article 3(3) of Regulation (EU) 2018/1725. The Commission needs to process such personal data in order to fulfil the tasks assigned to it as the public authority enforcing Union competition rules. Investigation in the field of antitrust, merger control and State aid control, and enforcement of competition rules constitute monitoring, inspection or regulatory functions connected to the exercise of official authority in the cases referred to in Article 25(1)(c) and (g) of Regulation (EU) 2018/1725. Those activities serve the promotion and protection of a competitive internal market, thereby safeguarding an important economic and financial interest of the Union and of the Member States. (3) For the purpose of its investigation and enforcement activities in the fields of antitrust, merger control and State aid control, the Commission processes personal data acquired or received from legal persons, natural persons, Member States and other entities (such as National Competition Authorities, regulatory bodies and other public bodies and authorities), competition authorities of third countries and international bodies and organisations. During competition investigations and enforcement activities, whether acting on its own initiative or on the basis of received input, the Commission may also process personal data acquired or received from publicly available sources (for example, in the context of market monitoring or screening activities), from anonymous sources (for example, whistle-blowers/informants) or identified sources (for example, complainants) that require protection of their identity. (4) The Commission may, in turn, transmit personal data to legal or natural persons (for example, in the context of the access to file procedure), to National Competition Authorities and other authorities and bodies in the context of bilateral or multilateral cooperation with Member States or third country authorities and organisations, as necessary and appropriate to exercise its powers, to safeguard the rights of defence of parties subject to Commission proceedings and to ensure the efficient and effective application of Union competition rules. (5) Personal data processing activities, within the meaning of Article 3(3) of Regulation (EU) 2018/1725, carried out in the course of investigation and enforcement activities in the field of competition, may take place even before the Commission formally initiates proceedings, continue throughout the handling of the investigation and may continue even after the formal closure of the investigation (for example, for the purposes of market or compliance monitoring or screening activities, assessing the need for initiating new investigative activities, legal proceedings, etc.). (6) The personal data processed by the Commission are, for example, identification data, contact data, professional data and data related to or brought in connection with the subject matter of the investigation or procedure. The personal data are stored in a secured electronic environment to prevent unlawful access or transfer of data to persons who do not have a need to know. The personal data are retained in the services of the Commission in charge of the investigation for the time necessary for the investigation, for assessing the need to initiate new investigative activities, during the administrative procedure, and throughout any subsequent judicial review proceedings, and the administrative retention period that follows the definitive closure of the file. At the end of the retention period, the case related information including personal data is transferred to the historical archives of the Commission (3). (7) While carrying out its tasks, the Commission is bound to respect the rights of natural persons in relation to the processing of personal data recognised by Article 8(1) of the Charter of Fundamental Rights of the European Union and by Article 16(1) of the Treaty. At the same time, the Commission is responsible for enforcing competition rules, which requires the Commission to conduct investigations in a timely manner, while respecting rules of confidentiality and professional secrecy (4) as well as the rights of defence of parties subject to its investigations, (5) and the rights of individuals that require protection of their identity. (8) In certain circumstances, it is necessary to reconcile the rights of data subjects pursuant to Regulation (EU) 2018/1725 with the needs of investigations and enforcement activities, as well as with full respect for fundamental rights and freedoms of other data subjects. To that effect, Article 25 of Regulation (EU) 2018/1725 provides the Commission with the possibility to restrict the application of Articles 14 to 22 and 35, as well as Article 4 thereof, insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 22 of that Regulation. (9) These internal rules should cover all processing operations carried out by the Commission in the performance of its powers of investigation, whether acting on its own initiative or on the basis of received input, and enforcement and related operational activities in the fields of antitrust, merger control and State aid control whenever the exercise of data subjects' rights may jeopardise the conduct of investigations or enforcement activities. These rules should apply to processing operations carried out prior to the formal initiation of proceedings, during the handling of investigations as well as after the formal closure of investigations, including processing in the context of bilateral or multilateral cooperation with National Competition Authorities, Member States or third country authorities and organisations. (10) In order to comply with Articles 14, 15 and 16 of Regulation (EU) 2018/1725, the Commission should inform all individuals of its activities involving processing of their personal data and of their rights in a transparent and coherent manner in the form of the data protection notices published on the Commission's website. (11) Without prejudice to Articles 14(5) and 16(5) of Regulation (EU) 2018/1725, the Commission is also able on the basis of Article 25 of that Regulation to restrict the provision of information to data subjects and the application of other rights of data subjects in order to protect its own competition investigations and enforcement of competition rules, investigations and proceedings of competition authorities of the Member States, the investigation tools and methods, as well as the rights of other persons related to its investigations. (12) In addition, in order to maintain effective cooperation it may be necessary for the Commission to restrict the application of data subjects' rights in order to protect processing operations of other Union institutions, bodies, offices and agencies or of Member States' authorities. To that effect, the Commission should consult those services, institutions, bodies, offices, agencies, and authorities on the relevant grounds for imposing restrictions and the necessity and proportionality of the restrictions. (13) The Commission may also have to restrict the provision of information to data subjects and the application of other rights of data subjects in relation to personal data received from third countries or international organisations, in order to cooperate with those countries or organisation and thus safeguard an important objective of general public interest of the Union. However, in some circumstances the interest or fundamental rights of the data subject may override the interest of international cooperation. (14) The Commission has therefore identified the grounds listed in Article 25(1)(c), (g) and (h) of Regulation (EU) 2018/1725 as grounds for restrictions under Article 25 of the Regulation that may be necessary to apply to data processing operations carried out in the framework of the Commission's investigative and enforcement activities in the area of competition, encompassing antitrust, merger control and State aid control. (15) The Commission should handle all restrictions in a transparent manner and register each application of restrictions in the corresponding record system. (16) Pursuant to Article 25(8) of Regulation (EU) 2018/1725, controllers may defer or refrain from providing information on the reasons for the application of a restriction to the data subject if providing that information would in any way compromise the purpose of the restriction. This is, in particular, the case of restrictions to the rights provided for in Articles 16 and 35 of Regulation (EU) 2018/1725. In order to ensure that the data subject's rights under Articles 16 and 35 of Regulation (EU) 2018/1725 are restricted only as long as the reasons for the restriction last, the Commission should review its position regularly and at the closure of the relevant investigation. (17) Where a restriction of other rights of data subjects is applied, the controller should assess on a case-by-case basis whether the communication of the restriction would compromise its purpose. The controller is the service in charge of the competition policy within the Commission. (18) The Data Protection Officer of the Commission should carry out an independent review of the application of restrictions, with a view to ensuring compliance with this Decision. (19) This Decision is adopted for the purposes of Article 25 of Regulation (EU) 2018/1725 and should enter into force at the same time as that Regulation in order to ensure legal certainty. (20) The European Data Protection Supervisor has been consulted. HAS ADOPTED THIS DECISION: Article 1 Subject-matter and scope 1. This Decision lays down the rules to be followed by the Commission to inform data subjects of the processing of their data in accordance with Articles 14, 15 and 16 of Regulation (EU) 2018/1725, in the framework of its activities in the field of competition. It also lays down the conditions under which the Commission may restrict the application of Articles 4, 14 to 17, 19, 20 and 35 of Regulation (EU) 2018/1725, in accordance with Article 25 thereof. 2. This Decision applies to the processing of personal data by the Commission for the purpose of or in relation to the activities carried out in order to fulfil its tasks pursuant to Articles 101 to 109 of the Treaty. Article 2 Applicable exceptions and restrictions 1. Where the Commission exercises its duties with respect to the data subjects' rights pursuant to Regulation (EU) 2018/1725, it shall consider whether any of the exceptions laid down in that Regulation apply. 2. Subject to Articles 3 to 7 of this Decision, the Commission may restrict the application of Articles 14 to 17, 19, 20 and 35 of Regulation (EU) 2018/1725, as well as the principle of transparency laid down in Article 4(1)(a) in so far as its provisions correspond to the right and obligations provided for in Articles 14 to 17, 19, 20 and 35 of the Regulation (EU) 2018/1725 where the exercise of those rights and obligations would jeopardise the purpose of the Commission's investigative and enforcement activities, including by revealing its investigative tools and methods, or would adversely affect the rights and freedoms of other data subjects. 3. Subject to Articles 3 to 7, the Commission may restrict the rights and obligations referred to in paragraph 2 of this Article in relation to personal data obtained from other Union institutions, bodies, agencies and offices, competent authorities of Member States or third countries or from international organisations, in the following circumstances: (a) where the exercise of those rights and obligations could be restricted by other Union institutions, bodies, agencies and offices on the basis of other acts provided for in Article 25 of Regulation (EU) 2018/1725 or in accordance with Chapter IX of that Regulation or in accordance with Regulation (EU) 2016/794 of the European Parliament and of the Council (6) or Council Regulation (EU) 2017/1939 (7); (b) where the exercise of those rights and obligations could be restricted by competent authorities of Member States on the basis of acts referred to in Article 23 of Regulation (EU) 2016/679 of the European Parliament and of the Council (8), or under national measures transposing Articles 13(3), 15(3) or 16(3) of Directive (EU) 2016/680 of the European Parliament and of the Council (9); (c) where the exercise of those rights and obligations could jeopardise the Commission's cooperation with third countries or international organisations in the conduct of competition investigations or enforcement of competition decisions. Before applying restrictions in the circumstances referred to in points (a) and (b) of the first subparagraph, the Commission shall consult the relevant Union institutions, bodies, agencies, offices or competent authorities of the Member States unless it is clear to the Commission that the application of a restriction is provided for by one of the acts referred to in those points. Point (c) of the first subparagraph shall not apply where the interest of the Commission to cooperate with third countries or international organisation is overridden by the interests or fundamental rights and freedom of the data subjects. 4. Paragraphs 1, 2 and 3 are without prejudice to the application of other Commission decisions laying down internal rules concerning the provision of information to data subjects and the restriction of certain rights under Article 25 of Regulation (EU) 2018/1725 and to Article 23 of the Rules of Procedure of the Commission. Article 3 Provision of information to data subjects 1. The Commission shall publish on its website data protection notices that inform all data subjects of its activities involving processing of their personal data. 2. Without prejudice to Articles 14(5) and 16(5) of Regulation (EU) 2018/1725, where the Commission restricts, wholly or partly, the provision of information to data subjects, whose data are processed for purposes of competition investigation or enforcement (including related operational activities) it shall record and register the reasons for the restriction in accordance with Article 6. Article 4 Right of access by data subject, right of erasure and to restriction of processing 1. Where the Commission restricts, wholly or partly, the right of access to data by data subjects, the right of erasure, or the right to restriction of processing as referred to in Articles 17, 19 and 20 respectively of Regulation (EU) 2018/1725 it shall inform the data subject concerned, in its reply to the request for access, erasure or restriction of processing, of the restriction applied and of the principal reasons thereof, and of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy in the Court of Justice of the European Union. 2. The provision of information concerning the reasons for the restriction referred to in paragraph 1 may be omitted for as long as it would undermine the purpose of the restriction. 3. The Commission shall record and register the reasons for the restriction in accordance with Article 6. 4. Where the right of access is wholly or partly restricted, the data subject shall exercise his or her right of access through the intermediary of the European Data Protection Supervisor, in accordance with paragraphs 6, 7 and 8 of Article 25 of the Regulation (EU) 2018/1725. Article 5 Communication of personal data breaches to data subjects Where the Commission restricts the communication of a personal data breach to the data subject, as referred to in Article 35 of Regulation (EU) 2018/1725, it shall record and register the reasons for the restriction in accordance with Article 6 of this Decision. Article 6 Recording and registering of restrictions 1. The Commission shall record the reasons for any restriction applied pursuant to this Decision, including an assessment of the necessity and proportionality of the restriction. 2. To that end, the record shall state how the exercise of the right would jeopardise the purpose of the Commission's investigation and enforcement activities, or of restrictions applied pursuant to Article 2(2) or (3), or would adversely affect the rights and freedoms of other data subjects. 3. The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request. Article 7 Duration of restrictions 1. Restrictions referred to in Articles 3, 4 and 5 shall continue to apply as long as the reasons justifying them remain applicable. 2. Where the reasons for a restriction referred to in Article 3 or 5 no longer apply, the Commission shall lift the restriction and provide the reasons for the restriction to the data subject. At the same time, the Commission shall inform the data subject of the possibility of lodging a complaint with the European Data Protection Supervisor at any time or of seeking a judicial remedy in the Court of Justice of the European Union. 3. The Commission shall review the application of the restrictions referred to in Articles 3 and 5 every year and at the closure of the relevant investigation. Article 8 Review by the Data Protection Officer 1. The Data Protection Officer shall be informed, without undue delay, whenever data subjects' rights are restricted in accordance with this Decision. Upon request, the Data Protection Officer shall be provided with access to the record and any documents containing underlying factual and legal elements. 2. The Data Protection Officer may request a review of the restriction. The Data Protection Officer shall be informed about the outcome of the requested review. Article 9 Entry into force This Decision shall enter into force on the date of entry into force of Regulation (EU) 2018/1725. Done at Brussels, 5 December 2018. For the Commission The President Jean-Claude JUNCKER (1) See in particular for antitrust Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty (OJ L 1, 4.1.2003, p. 1), for merger control Council Regulation (EC) No 139/2004 of 20 January 2004 on the control of concentrations between undertakings (the EC Merger Regulation) (OJ L 24, 29.1.2004, p. 1) and for State aid Council Regulation (EU) 2015/1589 of 13 July 2015 laying down detailed rules for the application of Article 108 of the Treaty on the Functioning of the European Union (OJ L 248, 24.9.2015, p. 9). (2) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39). Processing within the meaning of Article 3(3) of Regulation (EU) 2018/1725 also includes a situation where the Commission receives personal data voluntarily submitted to it. (3) Retention of files in the Commission is regulated by the Common retention list, a regulatory document (the last version is SEC(2012)713) in the form of a retention schedule that establishes the retention periods for the different types of Commission files. (4) See, in particular, Article 339 of the Treaty, as well as Article 28 of Regulation (EC) No 1/2003; Article 15(4) of Commission Regulation (EC) No 773/2004 of 7 April 2004 relating to the conduct of proceedings by the Commission pursuant to Articles 81 and 82 of the EC Treaty (OJ L 123, 27.4.2004, p. 18); Article 17 of Regulation (EC) No 139/2004 and Article 18 of Commission Regulation (EC) No 802/2004 of 21 April 2004 implementing Council Regulation (EC) No 139/2004 on the control of concentrations between undertakings (OJ L 133, 30.4.2004, p. 1); Articles 30 and 31 of Regulation (EU) 2015/1589; required declarations on confidential information in State aid notification forms as annexes to Regulation (EC) No 794/2004 in its amended form. (5) Implementation of the rights of data subjects under the Regulation (EU) 2018/1725 and compliance with the obligations of data controllers under that Regulation does not affect the Commission's handling of the rights of defence of parties subject to the competition proceedings. The integrity and authenticity of evidence on file collected in the course of competition investigations can therefore not be compromised by modifying documents received or collected in conformity with the applicable procedural rules in the competition field. (6) Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53). (7) Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor's Office (the EPPO) (OJ L 283, 31.10.2017, p. 1). (8) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1). (9) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).