4.5.2007

EN

Official Journal of the European Union

L 116/64

---

DECISION OF THE EUROPEAN CENTRAL BANK

of 17 April 2007

adopting implementing rules concerning data protection at the European Central Bank

(ECB/2007/1)

(2007/279/EC)

THE EXECUTIVE BOARD OF THE EUROPEAN CENTRAL BANK,

Having regard to the Treaty establishing the European Community, and in particular Article 286 thereof,

Having regard to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (1), and in particular Article 24(8) thereof,

Whereas:

(1)	Regulation (EC) No 45/2001 lays down the data protection principles and rules applicable to all Community institutions and bodies and provides for a Data Protection Officer (DPO) to be appointed by each Community institution and body.

(2)	Pursuant to Article 24(8) of Regulation (EC) No 45/2001, each Community institution or body must adopt further implementing rules concerning the DPO in accordance with the provisions in the Annex to that Regulation,

HAS DECIDED AS FOLLOWS:

SECTION 1

GENERAL PROVISIONS

Article 1

Subject matter and scope

1.   This Decision lays down the general rules implementing Regulation (EC) No 45/2001 as regards the European Central Bank (ECB). In particular, it supplements the provisions in Regulation (EC) No 45/2001 relating to the DPO’s appointment and status, as well as to their tasks, duties and powers.

2.   This Decision also clarifies the roles, tasks and duties of controllers and data protection coordinators and implements the rules pursuant to which data subjects may exercise their rights.

Article 2

Definitions

For the purposes of this Decision, and without prejudice to the definitions in Regulation (EC) No 45/2001, the following definitions shall apply:

(a)	‘controller’ means a manager responsible for an organisational unit that determines the purposes and means of the processing of personal data;

(b)	‘data protection coordinator’ means a staff member who assists a controller in fulfilling the latter’s data protection obligations. This person shall be a specialist in record management.

SECTION 2

THE DATA PROTECTION OFFICER

Article 3

Appointment, status and organisational matters

1.   The Executive Board shall:

(a)	appoint the DPO from amongst ECB staff who are sufficiently senior to meet the requirements of Article 24 of Regulation (EC) No 45/2001;

(b)	set a term of office for the DPO of between two and five years; and

(c)	register the DPO with the European Data Protection Supervisor (EDPS).

2.   The Executive Board shall ensure that the DPO can carry out DPO tasks and duties in an independent manner. Without prejudice to such independence:

(a)	the DPO shall be subject to the ECB’s conditions of employment;

(b)	for administrative purposes the DPO shall be allocated to one of the ECB’s business areas; and

(c)	the DPO’s appraisers shall consult the EDPS before appraising the DPO’s performance of DPO tasks and duties.

3.   The relevant controller shall ensure that the DPO is kept informed without delay:

(a)	when an issue arises that has, or might have, data protection implications; and

(b)	in respect of all contacts with external parties relating to the application of Regulation (EC) No 45/2001, notably any interaction with the EDPS.

4.   The Executive Board may appoint a Deputy DPO, to whom paragraphs 1 and 2 shall apply. The Deputy DPO shall support the DPO in carrying out DPO tasks and duties and deputise in the event of the DPO’s absence.

5.   Any staff providing support to the DPO in relation to data protection issues shall act solely on the DPO’s instructions.

Article 4

Data Protection Officer’s tasks and duties

When carrying out the tasks specified in Article 24 of Regulation (EC) No 45/2001 and in the Annex to that Regulation, the DPO shall perform the following duties, taking into account input from relevant ECB business areas where necessary:

(a)

advise the Executive Board, the controllers and the data protection coordinators on matters concerning the application of data protection provisions at the ECB. The DPO may be consulted by the Executive Board, any of the controllers concerned, the Staff Committee or any individual on any matter concerning the interpretation or application of Regulation (EC) No 45/2001;

(b)

on the DPO’s own initiative or on the request of the Executive Board, a controller, the Staff Committee or any individual, investigate matters and occurrences directly relating to DPO tasks and duties that come to the DPO’s notice, and report back to the person who commissioned the investigation. The DPO shall consider issues and facts impartially and with due regard to the data subject’s rights. If the DPO deems it appropriate, the DPO shall inform all other parties concerned accordingly. If the requester is an individual, or if the requester acts on behalf of an individual, the DPO shall, to the extent possible, ensure that the request remains confidential, unless the data subject concerned gives their unambiguous consent to treat the request otherwise;

(c)	cooperate with the DPOs of other Community institutions and bodies, in particular by exchanging experience and sharing know-how and representing the ECB in all discussions — excluding court cases — relating to data protection issues; and

(d)	submit an annual work programme and an annual report on DPO activities to the Executive Board and the EDPS.

Article 5

Data Protection Officer’s powers

The DPO may:

(a)	request an opinion from any ECB business area on any matter relating to DPO tasks and duties;

(b)	issue an opinion on the lawfulness of actual or proposed processing operations or on any issue concerning the notification of processing operations;

(c)	bring to the Executive Board’s attention any failure of a staff member to comply with Regulation (EC) No 45/2001; and

(d)	carry out the other tasks specified in the Annex to Regulation (EC) No 45/2001.

SECTION 3

CONTROLLERS AND DATA PROTECTION COORDINATORS

Article 6

Tasks and duties of controllers and data protection coordinators

1.   The controllers shall ensure that all processing operations involving personal data that are performed within their area of responsibility comply with Regulation (EC) No 45/2001.

2.   When fulfilling their obligation to assist the DPO and the EDPS in the performance of their duties, the controllers shall provide full information to them, grant access to personal data and respond to questions within 20 working days of receipt of the request.

3.   Without prejudice to the controllers’ responsibilities:

(a)

The data protection coordinators shall assist the controllers in fulfilling their obligations, either at the controllers’ request or on their own initiative. When doing so, the data protection coordinators shall liaise with the controllers’ staff, who shall provide them with all necessary information. This may, at the relevant controller’s discretion, include accessing personal data processed under that controller’s responsibility.

(b)

The data protection coordinators shall assist the DPO in: (i) identifying the relevant controllers of processing operations relating to personal data; (ii) promulgating the DPO’s advice and supporting the controllers under the DPO’s guidance; (iii) other aspects of the DPO’s work programme as agreed between the DPO and the coordinators’ management.

Article 7

Notification procedure

1.   Before introducing new processing operations relating to personal data, the relevant controller shall notify the DPO thereof using the on-line interface accessible through the DPO website on the ECB’s intranet. Any processing operation that is subject to prior checking pursuant to Article 27(3) of Regulation (EC) No 45/2001 shall be notified sufficiently well in advance of introduction to allow for prior checking by the EDPS.

2.   The controllers shall immediately inform the DPO of any change affecting the information contained in a notification already submitted to the DPO.

SECTION 4

DATA SUBJECTS’ RIGHTS

Article 8

Register

The register kept by the DPO pursuant to Article 26 of Regulation (EC) No 45/2001 shall serve as an index of all processing operations relating to personal data conducted at the ECB. Data subjects may make use of the information contained in the register to exercise their rights under Articles 13 to 19 of Regulation (EC) No 45/2001.

Article 9

Exercise of data subjects’ rights

1.   Further to their right to be appropriately informed about any processing of their personal data, data subjects may approach the relevant controller to exercise their rights pursuant to Articles 13 to 19 of Regulation (EC) No 45/2001, as specified below.

(a)	These rights may only be exercised by the data subject or their duly authorised representative. Such persons may exercise any of these rights free of charge.

(b)

Requests to exercise these rights shall be addressed in writing to the relevant controller. The controller shall only grant the request if the requester’s identity and, if relevant, their entitlement to represent the data subject have been appropriately verified. The controller shall without delay inform the data subject in writing of whether or not the request has been accepted. If the request has been rejected, the controller shall include the grounds for the rejection.

(c)	The controller shall, at any time within three calendar months of receipt of the request, grant access pursuant to Article 13 of Regulation (EC) No 45/2001 by enabling the data subject to consult these data on-site or to receive a copy thereof, according to the applicant’s preference.

(d)

Data subjects may contact the DPO in the event that the controller does not respect either of the time limits in paragraphs (b) or (c). In the event of obvious abuse by a data subject in exercising their rights, the controller may refer the data subject to the DPO. If the case is referred to the DPO, the DPO will decide on the merits of the request and the appropriate follow-up. In the event of disagreement between the data subject and the controller, both parties shall have the right to consult the DPO.

2.   ECB staff members may consult the DPO before lodging a complaint with the EDPS pursuant to Article 33 of Regulation (EC) No 45/2001.

Article 10

Exemptions and restrictions

1.   Provided that the DPO has been consulted in advance, the controller may restrict the rights referred to in Articles 13 to 17 of Regulation (EC) No 45/2001 on the grounds, and in accordance with the conditions, set out in Article 20 of Regulation (EC) No 45/2001.

2.   Any affected person may ask the EDPS to apply Article 47(1)(c) of Regulation (EC) No 45/2001.

Article 11

Investigation procedure

1.   Any request for an investigation under Article 4(b) shall be addressed to the DPO in writing.

2.   The DPO shall send an acknowledgement of receipt to the requester within 20 working days of receipt of the request.

3.   The DPO may investigate the matter on-site and request a written statement from the controller. The controller shall provide their response to the DPO within 20 working days of the controller’s receipt of the DPO’s request. The DPO may ask for additional information or assistance from any ECB business area. The business area shall provide such additional information or assistance within 20 working days of the DPO’s request.

4.   The DPO shall report back to the requester within three calendar months of receipt of the request.

Article 12

Remedies

In addition to the remedies laid down in Article 32 of Regulation (EC) No 45/2001, which are available to all data subjects, the remedies laid down in the ECB’s Conditions of Employment shall be available to data subjects who are ECB staff members.

SECTION 5

ENTRY INTO FORCE

Article 13

Final provision

This Decision shall enter into force on the 20th day following its publication in the Official Journal of the European Union.

---

(1)  OJ L 8, 12.1.2001, p. 1.

---