Infringement of the Regulation 45/2001. Part III.
This month E-Crime Expert is presenting relevant Case law and rulings regarding data protection rights, law applicability and enforcement.
The purpose of this new series is to show actually how the relevant law should be applied in order to properly balance the right to free access of public information, free flow of information and the right to Privacy and Personal Data protection.
The series will balance both the applicability of Data Protection law in the private and public sector, focusing mostly on the Directive 95/46/EC (private sector) and Regulation 45/2001/EC (rights to data protection of individuals working with/for EU Institutions and bodies).
Findings: continued from the previous post.
3) Continued: The Article 6 of Regulation No 45/2001, states that a change in the purpose of the collected data is permitted if expressly provided by the internal rules of the institution. In this case the change in the purpose for which the applicant’s medical data were collected in 2006 and 2007 by the Commission is under no internal rule of either the Commission or the Parliament. The transfer of such data between the institutions involved is based on only a simple practice, but not on internal rules of those institutions In addition, the EDPS argued at the hearing that Article 27 of Regulation No 45/2001 requires a prior check notification if the Parliament seeks the transfer of medical data regarding a job applicant, notification that has never been issued.
However, as rightly pointed out by the EDPS in its intervention statement, the previous Court’s findings do not establish that the disputed transfer of the applicant’s medical data it would comply with the provisions of Regulation No. 45/2001. Indeed, the transfer must be “necessary” for the legitimate performance of tasks of the institution. In this dispute, it must first be established that the transfer was essential for assessing the fitness of the applicant by the Office of the Parliament. Secondly, the Article 7 of the Regulation expressly provides that it applies “without prejudice to Articles 4, 5, 6 and 10” of the same text.
The Article 4, paragraph 1 of this Regulation, requires that personal data must be processed fairly and lawfully, collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes. In addition, Article 6 of that Regulation provides that personal data can not be processed for purposes other than those for which it was collected if the change of purpose is not expressly permitted by the internal rules of the EU institution.
In this case, as correctly contended by the applicant and EDPS, it is undisputed that the medical data collected by the Commission regarding the applicant, as part of the recruitment medical examinations under the provisions of Article 83 of the CEOS, had as exclusive purpose to determine whether the applicant was at the time of his recruitment, physically fit to perform his duties in the Commission services.
It should also be noted, that further processing of medical data necessary to establish the ability of the applicant to perform his employment functions with the Parliament (in December 2008), has another purpose than that for which the data were originally collected in 2006 (by the Commission). The Parliament can not properly rely on the assumption that the medical examinations carried out by all institutions would be based on the same legal basis, nor that they would be conducted in the same manner and be based on the same criteria of competence.
Moreover, the data subject did not give his consent for his data (medical record) to be processed for a different purpose than originaly collected, and neither transferred.
In this case, the various illegalities committed by the Parliament, especially the right to respect for private life and the Regulation No 45/2001 breaches, are sufficient enough to justify the award of compensation for the applicant’s suffering and humiliation.
4) The applicant is not entirely morally compensated by the cancellation of the contested decision. A fair assessment of the damage, especially in view of the seriousness of the illegality and their consequences, could indicate a moral compensation of 20,000 euros.
The Parliament is ordered to pay the applicant the sum of 25,000 euros in respect of pecuniary and moral injury suffered, all including interest.
1. annuls the decision of 19 December 2008 whereby the European Parliament withdrew the offer of employment made to V;
2. orders the European Parliament to pay V the sum of EUR 25 000;
3. dismisses the action for the remainder;
4. orders the European Parliament to pay the applicant’s costs and to bear its own costs;
5. orders the European Data Protection Supervisor, as intervener, to bear its own costs.
Any questions can be submitted to: email@example.com
Additional information can be found at: www.e-crimeexppert.com
What do you think about the findings? Do the findings properly protect the rights to data protection and privacy? Did you know about this Case law? Do you know any other Case law that you would like to share?
Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.
- @k3rstin Hi Kerstin. Im fine thank you. Still in Brussels. Can we collaborate on any project/assignment? Best regards, Dan. 1 year ago
- 6 Essential Tips on How to Prevent Online Shopping Fraud wp.me/p1N1s0-jD 3 years ago
- Cyberbullying wp.me/p1N1s0-jz 3 years ago
- 10 Ways to Prevent Your Identity From Being Stolen wp.me/p1N1s0-jv 3 years ago
- Infographic-Privacy and Security on Facebook wp.me/p1N1s0-jp 3 years ago