Do you know what your Perm Rep knows about you?

Do you know that your personal data is being transferred on regular basis to your national EU Permanent Representation? And not only there. Actually, DG HR has been sending mass quantity of sensitive data of tens of thousands of active Commission staff, 3 times per year to your Member State Perm Reps plus your host country Perm Reps: Belgium or Luxembourg.

According to DG HR you cannot object to these transfers.

The transferred data include:

First and family name, birth date, gender, function group, type of post, job title, office address, DG and unit, office phone number, professional email and information on existence of other nationalities

The administration justifies these massive data transfers on basis of Article 15 of protocol (No 7) on the privileges and Immunities (PPI of the European Union and Article 4(3) of the Treaty on European Union.) (“principle of sincere cooperation”)

However the abovementioned Article 15 of protocol (no 7) says that DG HR can transmit our personal data to national administrations only for the privileges and immunities (e.g. regarding an exemption from national taxes on salaries, or the right to import free of duty a motor car, or avoidance of double taxation, death duties etc.), while this article does not allow to transfer our personal data to national administrations on questions related to cultural and social issues as well as data regarding electoral and military issues. Art 15 of protocol (7) only indicates names, grades and addresses. [*]

[*] We understand this to be professional and not private information, but the protocol is not specific on this point. The text states: “The names, grades and addresses of officials and other servants included in such categories shall be communicated periodically to the governments of the Member States.”

Doesn’t it look like breach of Regulation (EU) No 2018/1725 on the protection of natural persons with regards to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data?

Even if you do not give your consent to the transmission of your personal data to the Perm Rep for purposes related to cultural and social issues…it will still be sent.

Considering that the general purpose of the personal-data transfer is to enable the administrative follow-up that the national administration of the country of origin has to carry out, the HR data controller clearly sends too many categories of personal data such as gender, job title, the address of DG, phone number.

A Generation 2004 member filed a complaint with the European Data Protection Supervisor (EDPS) in December 2022 and since January 2022 the EDPS has been investigating it. This is the same authority that Generation 2004 and the Central Staff Committee asked to investigate the (obligatory) use of messaging groups on private mobiles.

What is the conclusion of the investigation?

Actually nothing as yet, but being pushed now also by the Ombudsman, the EDPS said only that the case was complex on sensitive issues, which might have wide implications as it potentially concerns many staff members.

Interestingly, already in 2014 in an EDPS publication on Data Protection Rules Concerning the Transfer of Personal Data of EU Institutions’ and Bodies’ Staff to Member States’ Governments, the EDPS stated that “Member States request such transfers for reasons that are not related to Protocol No. 7, such as inviting their citizens to social events, Article 5(b) of the Regulation cannot be considered as a valid legal ground for lawfulness.”

Why so much fuss for some data?

First of all, it can be critical for colleagues who are citizens of Member States which violate EU law, human rights and fundamental freedoms. We consider that the Commission should not help such governments to track down colleagues, who might demonstrate against illegal actions or colleagues who could be a focus of interest of these Member States because of their role in the decision-making process, or ones who are working on sensitive files or control financial flows. We consider that such excessive data transfers can put at risk the interests of Commission employees and even expose them to the risk of repressive actions. The Commission already reacted to threats to the staff by removing non-management colleagues from EU institution’s “who is who” in April last year. It would appear that in the case of Member States the protection offered to Commission staff is weaker.

Secondly, we don’t know what happens with transferred data and who has access to it, as use of our data by Member States is not reported to the Commission.

Finally, shouldn’t the Commission, which proposed Regulation (EU) No 2018/1725, be exemplary in its respect?

We consider that possible large-scale breach of Regulation 2018/1725 can be extremely detrimental to the image and reputation of the EU institutions and can result in a high risk to the rights and freedoms of EU employees.

What happens now ?

It seems that the above case confirms what the saying says “The darkest place is under the candlestick”. We at Generation 2004 continue to monitor this situation and, after 2 years and 8 months of investigation, are keen to see the EDPS findings, to make sure that our personal data protection is in line with the existing legal base!

As always, we would love to hear from you. Please do not hesitate to get in touch with us or leave a comment below.

If you appreciate our work, please consider becoming a member of Generation 2004.

Cookie	Duration	Description
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Generation 2004

United against career inequality in the EU institutions

Leave a Reply Cancel reply