LEONARDO CERVERA NAVAS
DIRECTOR
Ms Nicole MAES
by email only:
ask+request-8729-
xxxxxxxx@xxxxxxxx.xxx
Brussels, 14 June 2021
LCN/TT/ktl/D(2021)1340
C 2020-1124
Please use xxxx@xxxx.xxxxxx.xx for all
correspondence
Subject:
Your Confirmatory Request for access to documents under Regulation
(EC) 1049/2001
Dear Ms Maes,
On 2 December 2020, you sent an access to documents request to the European Data
Protection Supervisor (“EDPS”) on the basis of Regulation (EC) 1049/2001, which was
registered on the same day.
Your request concerned the following:
“a) the mapping exercise that the EDPS has carried out following the Schrems II
judgment, including any related report detailing the outcome (the EDPS published a
strategy document requiring EU institutions to carry out such exercise . I expect that
the EDPS must have done one for itself).
b) If the EDPS uses any of the following tools: Microsoft Office365, Microsoft Teams,
Zoom, Cisco Webex, Skype, I request any privacy assessment or similar document
(including DPIA) done by the EDPS in view of adopting the use of such
tools. Kindly
note that I do not want generic guidelines. Instead I seek specifically any privacy
assessment that relates to the internal use by the EDPS of any of the tools I listed.
For both categories of documents you can redact any personal data and any
information that would imperil the security of your IT systems.”.
edps.europa.eu
By letter of 14 January 2020, we informed you that the EDPS could not provide you with
access to the documents related to your request of access to documents linked to EDPS
mapping exercise and DPIA as they fall within the exceptions of art. 4(3) of Regulation
1049/2001.
On 22 January 2021, you submitted a confirmatory application, reiterating your request for
access to the documents listed above, by arguing that (i) “
the report that yourself confirmed
exists must be considered as final; hence it cannot fall under the exception of art. 4(3)”, (ii) EDPS
did not provide the status or information if any other document exists at all, (iii) “
the
exceptions of art. 4(3) of Regulation 1049/2001 cannot apply” as EDPS “
did not provide any
argument or explanation at all on why disclosure would seriously undermine the decision making
process” and (iv) existence of
“overriding public interest for disclosure”.
By letter of 08 February 2021, we informed you that the EDPS confirmed its position and
could not provide you with access to the requested documents, as they are part of ongoing
procedure, where the decision is not yet taken by EDPS and thus fall within the exceptions
of art. 4(3) of Regulation 1049/2001.
On 12 February 2021, the European Ombudsman (“EO”) informed us that following your
complaint before this institution, it had opened an inquiry regarding the EDPS’s decision to
refuse access under Regulation 1049/2001. Following several meetings and exchanges of
communications, by letter from 26 April 2021 the EO informed us that considered “
it
reasonable for the EDPS to conclude that disclosure of the report on the EDPS mapping exercise
is likely to undermine the purpose of the ongoing investigation, as protected by Article 4(2), third
indent, of Regulation 1049/2001. I note - and welcome - that the EDPS committed during the
meeting with my inquiry team to reconsider partial or, if possible, full disclosure of the document
at a later stage.”
With the same letter, the EO proposed
“that the EDPS now reviews its position on the second
part of the complainant’s public access request, taking into account my above observations,
with a view to granting the widest possible public access to the identified documents.”
Having in mind the EDPS’s commitment to transparency and following the proposal from
the EO, the EDPS has decided to review its Confirmatory Response by re-examining
specifically the requested documents in order to assess whether at least partial disclosure is
possible. You will find hereafter the EDPS’s renewed analysis and response to your
confirmatory request dated 22 January 2021.
Pursuant to our renewed analysis of the documents you requested in your initial request of
2 December 2020, the EDPS has concluded the following:
1) The exception of Article 4(2), third indent, of Regulation 1049/2001 (disclosure would
undermine the protection of the purpose of inspections, investigations and audits) still
applies to the documents falling within the scope of the first part of your request. In
particular, disclosure at this point in time of the mapping exercise relating to the
implementation of the Schrems II judgment may endanger the completion of the exercise by
2
hindering cooperation on the part of the supervised European Institutions and bodies subject
to it. We note that the CJEU has clarified that the concept of "investigation" is likely to also
cover the activity aimed at ascertaining facts in order to assess a given situation1. In that
context, the EDPS, using its investigatory powers may gather and analyse information
relating to the implementation of data protection requirements by the supervised institutions
and bodies.
However, we have identified two documents to which we decided to grant you full access:
1. Letter from EDPS to the heads of all Union institutions, bodies and agencies dated 2
October 2020
2. Letter from EPDS to DG ITEC dated 23 October 2020
Moreover, we would like to inform you that we plan updating the public about the
developments of our investigation via our Press Office. Please follow EDPS website for
relevant press releases and information.
2) With regards to the second part of your request - “
privacy assessment or similar document
(including DPIA) done by the EDPS of the following tools: Microsoft Office365, Microsoft
Teams, Zoom, Cisco Webex, Skype” we have identified to following documents falling within
the scope of your request:
DOC ID
DATE
TYPE
NAME
ACCESS
1 COO.6515.100.2.431394
11/07/2019 WORD
ZOOM Assessment
FULL
2 COO.6515.100.2.396786
23/04/2020 EXCEL
VC tools v.1.2
FULL
3 COO.6515.100.2.404299
07/09/2020 EXCEL
VC tools v.1.3
FULL
4 COO.6515.100.4.396865
27/04/2020 WORD
Note to the file
FULL
5 COO.6515.100.2.405488
16/09/2020 WORD
EDPS INSPECTION
NONE
TOOLS v.2
6 COO.6515.100.4.404299
07/09/2020 WORD
EDPS INSPECTION
NONE
TOOLS
The EDPS would like to inform you that it has granted you access to four of the documents
identified (1-4), with the exception of personal data of the staff members involved in the
correspondence, in accordance with Article 4(1)(b) of Regulation 1049/2001.
The documents under part 2 of your request not disclosed by the EDPS (5 and 6) fall within
the exceptions of Article 4(2), third indent, of Regulation 1049/2001 as they contain details of
the working tools and methods utilized during our inspections. In this regard, the disclosure
of the said documents containing information about the EDPS-s internal methodologies
could compromise the effective use of the EDPS’s means of investigation in the future.
Finally, please note that pursuant to Article 8(1) of the Regulation (EC) 1049/2001, you are
entitled to initiate proceedings before the Court of Justice of the European Union against
1 Judgment of the General Court of 4 October 2018 in case T-128/14, Daimler v Commission.
3
this Confirmatory Response of the EDPS, under the conditions laid down in, respectively,
Article 228 and 263 of the Treaty on the Functioning of the European Union.
Yours sincerely,
Cc:
Ms Emily O'REILLY, European Ombudsman
Ms Rosita HICKEY, Director of Inquiries, EO
Annexes: 6 files
Data Protection Notice
According to Articles 15 and 16 of Regulation (EU) 2018/1725 (the Regulation) on the protection
of natural persons with regard to the processing of personal data by the Union institutions,
bodies, offices and agencies and on the free movement of such data, we are processing your
personal data, where proportionate and necessary, for the purpose of answering your request.
The legal base for this processing operation is Regulation (EC) 1049/2001 and Article 52(4) of the
Regulation (EU) 2018/1725. Subject to applicable rules under EU legislation, the personal data
relating to you, as provided in your request as well as personal data that might be collected while
processing your request, are used solely for the purpose of replying to your request. EDPS staff
members dealing with the request will have access to the case file containing your personal data
on a need-to-know basis. All access to case files is logged. Your personal data are not disclosed
outside the EDPS. Your personal data will be stored electronically for a maximum of ten years
after the closure of the case, or as long as the EDPS is under a legal obligation to do so. You have
the right to access your personal data held by the EDPS and to relevant information concerning
how we use it. You have the right to rectify your personal data. Under certain conditions, you
have the right to ask that we delete your personal data or restrict its use. We will consider your
request, take a decision and communicate it to you. For more information, please see Articles 14
to 21, 23 and 24 of the Regulation. Please note that in some cases restrictions under Article 25 of
the Regulation may apply. Any request to exercise your rights should be addressed to the EDPS
4
at xxxx@xxxx.xxxxxx.xx. You may contact the data protection officer of the EDPS (EDPS-
xxx@xxxx.xxxxxx.xx), if you have any remarks or complaints regarding the way we process
your personal data. You have the right to lodge a complaint with the EDPS, as supervisory
authority. Any such request should be addressed to the EDPS at xxxx@xxxx.xxxxxx.xx. You can
reach the EDPS in the following ways: E-mail: xxxx@xxxx.xxxxxx.xx; EDPS postal address:
European Data Protection Supervisor, Rue Wiertz 60, B-1047 Brussels, Belgium. For more
information, please refer to the extended version of the data protection notice available on the
EDPS
website:
https://edps.europa.eu/data-protection/our-work/publications/other-
documents/requests-access-documents_en.
5