EUROPEAN COMMISSION
Brussels, 06.06.2018
C(2018)3739 final
Mr Dimitar Dimitrov
Rue du Trône 51
1050 Ixelles
Belgium
DECISION OF THE SECRETARY-GENERAL ON BEHALF OF THE COMMISSION PURSUANT TO
ARTICLE 4 OF THE IMPLEMENTING RULES TO REGULATION (EC) NO 1049/20011
Subject:
Your confirmatory application for access to documents under
Regulation (EC) No 1049/2001 - Gestdem 2018/1580
Dear Mr Dimitrov,
I am writing in reference to your e-mail of 3 May 2018, registered on 4 May 2018, by which
you lodge a confirmatory application in accordance with Article 7(2) of Regulation
1049/2001 regarding public access to European Parliament, Council and Commission
documents2 (hereafter: ‘Regulation 1049/2001’).
1. SCOPE OF YOUR APPLICATION
Through your initial application of 15 March 2018, addressed to the Directorate-General for
Communications Networks, Content and Technology, you requested access to ‘[a] copy of
the inbox and outbox correspondence of [X3] related to Article 13 of the Copyright in the
Digital Single Market Directive’.
In its initial reply of 2 May 2018, the Directorate-General for Communications Networks,
Content and Technology stated that it was not in a position to handle your application. It
also informed you that the e-mail correspondence of staff members of the European
1
Official Journal L 345 of 29.12.2001, p. 94.
2
Official Journal L 145, 31.05.2001 p.43
3
In your initial application, you refer to the identified individual (a staff member of the European
Commission not occupying any senior management position). The name of that individual has been
replaced by ‘X’ in this decision.
Commission européenne/Europese Commissie, 1049 Bruxelles/Brussel, BELGIQUE/BELGIË - Tel. +32 229 91111
http://ec.europa.eu/dgs/secretariat_general/
E-mail: xxxxxxxxxx@xx.xxxxxx.xx
Commission is protected by privacy rules. The European Commission has access to
electronic correspondence of its staff held in their individual Commission
e-mail accounts only in specific, exceptional circumstances and under strict conditions
linked to security or investigation procedures.
Consequently, the European Commission may not access and perform any search operation
on an individual e-mail account of one of its staff members in the context of handling an
application for access to documents submitted under Regulation 1049/2001.
Through your confirmatory application, you request a review of this position.
2. ASSESSMENT AND CONCLUSIONS UNDER REGULATION 1049/2001
When assessing a confirmatory application for access to documents submitted pursuant to
Regulation 1049/2001, the Secretariat-General conducts a fresh review of the reply given by
the Directorate-General concerned at the initial stage.
Following my review, I regret to inform you that I have to confirm the decision of the
Directorate-General for Communications Networks, Content and Technology, according to
which the European Commission is not in a position to handle your application.
The detailed reasons are set out below.
2.1
Applicability of Regulation 45/2001 and the exception protecting the privacy
and integrity of the individual
Article 4(1)(b) of Regulation 1049/2001 provides that ‘[t]he institutions shall refuse access
to a document where disclosure would undermine the protection of […] privacy and the
integrity of the individual, in particular in accordance with Community legislation regarding
the protection of personal data’.
In your confirmatory application, you argue that ‘[t]he Commission is withholding
information without actual justification, as e-mails are information subject to Regulation
1049/2001 and any privacy concern can be addressed within the process and does not
exclude the information from being processed in the first place.’
It is correct that e-mail messages can, if they are not short-lived and contain important
information which requires an action or follow-up by the Commission, fall under the
definition of a document under Regulation 1049/2001. Therefore, as you rightly point out,
they cannot automatically be excluded from the scope of that Regulation. However, your
initial application concerns a specific category of e-mail messages, namely those sent and/or
received by a specifically identified staff member of the European Commission not holding
any senior management position.
2
As such e-mails originate from, or were sent to, a specifically identified natural person, the
list and content thereof constitute personal data within the meaning of Regulation 45/20014.
According to the definition provided for in Article 2(a) of that Regulation, personal data is
‘any information relating to an identified or identifiable natural person […]’. Indeed, the list
and content of the e-mail messages in question would reveal information about the
exchanges engaged in by the individual concerned, and would therefore qualify as ‘personal
data’.
Consequently, in order to handle your application, it would be necessary to carry out a series
of processing operations on personal data.
Firstly, the e-mails would have to be retrieved from the staff member’s e-mail account on
the exchange server of the European Commission, or other underlying IT systems. Such an
operation (retrieval of e-mails relating to a concretely identified staff member) would
constitute processing of personal data in the meaning of Article 2(b) of Regulation
45/20015.
In line with the provisions of Articles 4 and 5 of the said Regulation, every processing
operation needs to comply with the requirement of legitimacy and lawfulness. To this end
Article 5 of Regulation 45/2001 establishes a limited set of criteria allowing for considering
a processing operation as lawful.
As explained by the Directorate-General for Communications Networks, Content and
Technology in its initial reply, the range of situations where the European Commission
could lawfully access electronic correspondence of its staff members held in their individual
Commission e-mail accounts or other IT systems, is limited. In practice, as clarified in the
initial reply, this applies only to security or investigation procedures, as only in such cases
the requirement of lawfulness, as provided for in the above-mentioned Article 5 of
Regulation 45/2001 can be considered as fulfilled.
Secondly, even if the documents requested were to be retrieved and identified, granting
access thereto would constitute another processing operation on personal data, namely, its
transfer (through the disclosure of the documents) to the applicant within the meaning of
Article 8(b) of Regulation 45/2001.
In accordance with the
Bavarian Lager ruling6, when a request is made for access to
documents containing personal data, Regulation 45/2001 becomes fully applicable.
4 Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the
protection of individuals with regard to the processing of personal data by the Community institutions
and bodies and on the free movement of such data Official Journal L 8, 12.1.2001, p. 1–22.
5
According the definition in Article 2(b) of Regulation 45/2001 ‘processing of personal data’ shall mean
any operation or set of operations which is performed upon personal data, whether or not by automatic
means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or
combination, blocking, erasure or destruction.
6
Judgment of the Court (Grand Chamber) of 29 June 2010 in Case C-28/08 P,
European Commission v the
Bavarian Lager Co. Ltd, (ECLI:EU:C:2010:378), paragraph 63
.
3
According to Article 8(b) of that Regulation, personal data shall only be transferred to
recipients if the recipient establishes the necessity of having the data transferred and if there
is no reason to assume that the data subject's legitimate interests might be prejudiced. Those
two conditions are cumulative7.
Only if both conditions are fulfilled and the transfer constitutes lawful processing in
accordance with the requirements of Article 5 of Regulation 45/2001, can the processing
(transfer) of personal data occur.
In that context, whoever requests such a transfer must first establish that it is necessary. If it
is demonstrated to be necessary, it is then for the Institution concerned to determine that
there is no reason to assume that that transfer might prejudice the legitimate interests of the
data subject8. This has been confirmed in the recent judgment in the
ClientEarth case9. I
refer also to the
Strack case, where the Court of Justice ruled that the Institution does not
have to examine by itself the existence of a need for transferring personal data10.
Neither in your initial, nor in your confirmatory application, have you established the
necessity of disclosing the personal data requested.
Therefore, even if the documents requested were to be retrieved and identified (which, as
explained above, the Commission is not in a position to do), the transfer of personal data
through their public disclosure could not be considered as fulfilling the requirements of
Regulation 45/2001. In consequence, the use of the exception under Article 4(1)(b) of
Regulation 1049/2001 would be justified, as there would be no need to publicly disclose the
personal data included therein, and it could not be assumed that the legitimate rights of the
data subjects concerned would not be prejudiced by such disclosure.
3. PARTIAL ACCESS
Even if the documents requested were to be retrieved and identified, it would not be
possible to grant partial access thereto by providing an anonymised version with the name
and surname of the staff members in question redacted.
Indeed, your application relates to the e-mail correspondence of a concretely identified staff
member. The very identification of documents as falling under the scope of your application
would already reveal personal data about the said staff member, as it would give an
indication of the number of e-mails received and sent, and the dates and times at which
these exchanges occurred.
Consequently, public disclosure of even anonymised documents would involve processing
operation which could not be considered as fulfilling the requirement of lawfulness, as
explained above.
7
Ibid, paragraphs 77-78.
8
Ibid.
9
Judgment of the Court of Justice of 16 July 2015 in Case C-615/13 P,
ClientEarth v EFSA,
(ECLI:EU:C:2015:219), paragraph 47.
10
Judgment of the Court of Justice of 2 October 2014 in Case C-127/13 P,
Strack v Commission,
(ECLI:EU:C:2014:2250), paragraph 106.
4
Therefore, even such partial access would undermine the privacy and integrity of the staff
member concerned protected by Article 4(1)(b) of Regulation 1049/2001.
4. OVERRIDING PUBLIC INTEREST IN DISCLOSURE
The exception laid down in Article 4(1)(b) of Regulation 1049/2001 is absolute exception,
and its applicability does not need to be balanced against overriding public interest in
disclosure.
5. MEANS OF REDRESS
I would like to draw your attention to the means of redress that are available against this
decision, that is, judicial proceedings and complaints to the Ombudsman under the
conditions specified respectively in Articles 263 and 228 of the Treaty on the Functioning of
the European Union.
Yours sincerely,
For the Commission
Martin SELMAYR
Secretary-General
5
Document Outline