Dear Sir or Madam,
Below I present information from the European Commission on the protection of personal data in Twinning.
KPK
The General Data Protection Regulation – Regulation (EU) 2016/679 (GDPR) has modified the rules on data protection in the EU. However, it does not apply to EU institutions and bodies. A separate legal instrument Regulation (EU) 2018/1725 (IDPR) – in force as from 11 December 2018 (repealing Regulation (EC) No 45/2001), governs personal data processing operations by EU institutions and bodies. The objective of the IDPR is to align the rules applicable to EU institutions and bodies with the GDPR and adapt them to the specificities of the EU institutions.
Twinning is a European Union instrument for institutional cooperation between Public Administrations of EU Member States and of partner or beneficiary countries. Twinning projects bring together public sector expertise from EU Member States and beneficiary countries with the aim of achieving concrete mandatory operational results through peer-to-peer activities. To set up Twinning projects, the European Union relies on the co-operation and administrative experience of EU Member States, which mobilise public expertise both from public administrations and from semi-public bodies.
In this context, the question that arises concerns the instances where “transfers of personal data” might occur in the course of cooperation with third countries.
It shall be highlighted that in the absence of a formal definition of “transfer of personal data” in either the IDPR or the GDPR, reference should be made to the guidance provided in the European Data Protection Supervisor position paper, according to which the term would normally imply “communication, disclosure or otherwise making available of personal data, conducted with the knowledge or intention of a sender subject to the regulation that the recipient(s) will have access to it”.
With regard to Twinning projects, processing of personal data of the EU MS experts encompasses two steps: (1) preliminary and preparatory activities that involve, inter alia, training activities and (2) selection/award and grant implementation. Processing of personal data corresponding to each of the two steps of the Twinning procedures is covered by two separate records1, which explain in detail the processing of personal data while information to data subjects is provided in the related Privacy Statements2.
Twinning projects being financed by grants awarded in the framework of EU external aid programmes are managed according to one of the procedures set out in Article 58 of the Financial Regulation3.
Where the Commission implements actions in direct management, contracts are awarded and managed directly by its departments either at headquarters or in EU Delegations. The relevant EU service then becomes the contracting authority in charge of procedures and of signing and managing the contracts. In those instances, the Commission acts as the data controller and carries out personal data processing operations necessary for the implementation of the actions. The transfer of information to third countries follows the safeguards foreseen by IDPR. Articles 1.3 and 1.4 of the General Conditions to the Twinning contract specify the data protection requirements.
In indirect management, the Commission delegates the implementation of an action including the award and management of contracts to a third country or to the bodies it has designated. When third countries (beneficiaries or partner countries) are entrusted with budget implementation, they shall respect the principles of sound financial management, transparency and non-discrimination and guarantee the protection of the financial interests of the Union. Requirements that follow directly from the EU’s legislative framework, such as data protection rules, are not applicable to them; however, they have to be taken into account for the implementation of EU-funded actions. The Financial Regulation stipulates that third countries entrusted with budget implementation have to ensure “a level of protection of personal data equivalent to that of Article 5 of the Financial Regulation5”. In this respect, the contractual obligations in the financing agreements have been reinforced with the requirements set by Article 4 of IDPR (see Annex I – Financing agreement). Furthermore, article 7.3.16 of the Special Conditions of the Twinning contracts signed after September 2019 adapts the articles 1.3 and 1.4 of the General Conditions from Direct to Indirect Management.
Given that the transfer of personal data takes place in the context of preliminary activities and processing of contracts with partner or beneficiary countries, the associated risk appears rather limited. On the one hand, the data subjects voluntarily provide the personal data required being fully aware that processing will take place for the evaluation of their application and for the conclusion of a contract (which is equivalent to consent). On the other hand, the degree of risk is not significant as personal data are treated solely in the framework of the preparatory and grant award procedures, which are covered by the relevant provisions of the financing agreement with the partner or beneficiary countries. Indeed, the financing agreement with the partner or beneficiary countries lays down the terms and conditions on which the financial assistance will be made available and establishes for the Commission and the partner and beneficiary countries mutual rights and obligations, among which, requirements on data protection. The partner or beneficiary countries are bound by clauses on the protection of personal data and by an obligation of confidentiality pursuant to Articles 1(7) and 22 of the financing agreement general conditions.
In line with the provisions of the IDPR, the lawfulness of processing of personal data in the context of external action with partner or beneficiary countries stems from Article 5.1, in particular: