*Update 25.09.2025: See related supervisory opinion on case 2023-1231.*
Remember our article of 25 September 2024, where we wrote about dubious and questionable (if not illegal) transfers of our personal data to the permanent representation of Member States by DG HR? One of our members, Rafal Stanecki, took the matter further.
He filed a complaint with the European Data Protection Supervisor (EDPS) against these transfers of an excessive amount of our private data and queried the purposes for which this data had been regularly sent (3 times per year).
On 25 March 2025, after an investigation lasting over 2 years, the EDPS issued a favourable decision for Rafal (Decision 11/2025), confirming that these transfers are a violation of Regulation 2018/1725 by the European Commission and ordering the European Commission to stop transmitting any and all personal data categories beyond the legal minimum (i.e. name, grade and [work][*] address).
A reprimand was also imposed on the Commission for violations of multiple core data-protection principles, including lawfulness, transparency, purpose limitation, data minimisation, and accountability. Further, a follow-up was required: the European Commission was obliged to report back within three months on how it intends to comply with the decision.
Here, in a nutshell, are the key findings of the EDPS decision:
- Unlawful data sharing (‘transmission’): The Commission shared personal data (e.g. gender, job title, [work] phone number) beyond what is legally required under Article 15(2) of the Protocol on Privileges and Immunities (PPI), which allows for the sharing of name, grade, and [work] address only.
- Invalid legal basis: The Commission incorrectly relied on Article 4(3) of the Treaty on European Union (TEU) and Article 18 of the PPI to justify these transmissions. The EDPS ruled that these are not sufficiently precise or clear legal bases under the EU Data Protection Regulation (2018/1725).
- Purpose limitation violation: Transmitting data for purposes such as electoral, military, cultural, or social matters, or for compiling statistics, was deemed incompatible with the intended legal basis.
- Transparency failure: The Commission failed to provide clear and accurate information to the complainant about his right to object to the data processing.
- Data minimisation violation: The EDPS found that unnecessary personal data were transmitted, breaching the principle of limiting data collection to what is necessary.
You might be surprised that violations involving our personal data came from the same institution that was supposed to protect the use and processing of the data of the citizens of the European Union. This is probably what an EU citizen would think. Actually, if it is any comfort, it is DG HR that was the culprit, but since a DG is not a legal entity in its own right, it is the whole Commission that has been sanctioned.
This decision highlights that there are no “sacred cows” and that the EU institutions must not only preach data-protection laws but also strictly adhere to them themselves. This is particularly important with regard to the legal bases for processing and the proportionality and transparency of data-sharing practices where the personal data of their own staff is concerned.
Generation 2004 supported the complaint because Generation 2004 defends you and your rights.
As always, we would love to hear from you. Please do not hesitate to get in touch with us or leave a comment below.
If you appreciate our work, and want to support us, please consider becoming a member of Generation 2004.
————————————–
[*] We use [work] throughout this article since, although this is not specified in the text we reference, it is understood.
