Data Protection Impact Assessment (DPIA) related to the software and services solution developed for the preparatory phase of the European Elections 2019

The request was refused by European Parliament.

Dear European Parliament,

Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:

The Data Protection Impact Assessment (DPIA) related to the software and services solution developed for the preparatory phase of the European Elections 2019. Such a document was indeed under preparation when the following document was published (see point 8): https://www.europarl.europa.eu/data-prot....

Yours faithfully,

Pierre Dewitte

AccesDocs, European Parliament

Our ref.: A(2019)10012 - Acknowledgment of receipt

Dear Mr Dewitte,

The European Parliament hereby acknowledges receipt of your application for access to the Data Protection Impact Assessment (DPIA) related to the software and services solution developed for the preparatory phase of the European Elections 2019. The application was registered on 12 August 2019 under the reference A(2019)10012.

All requests for public access to documents are treated in compliance with Regulation (EC) No 1049/2001 of 30 May 2001 regarding public access to European Parliament, Council and Commission documents.

In accordance with the above-mentioned Regulation, your application will be handled within 15 working days upon registration of your request.
The European Parliament reserves the right to ask for additional information regarding your identity in order to verify compliance with Regulation (UE) 2018/1725 and the European Parliament’s implementing measures.

Your attention is drawn to the fact that you have lodged your application via the AsktheEU.org website, which is a private website not officially related to the European Parliament. Therefore, the European Parliament cannot be held accountable for any technical issues or problems linked to the use of this system.

Kind regards,

TU

TRANSPARENCY UNIT
European Parliament
Directorate General for the Presidency
Directorate for Inter-Institutional Affairs
and Legislative Coordination

Public Register webpage
[email address]

show quoted sections

AccesDocs, European Parliament

1 Attachment

Dear Mr Dewitt,

 

In principle, the time limit reply to your application A(2019)10012 should
expires at the end of Monday 3 September 2019. However, the internal
consultations with the competent services are taking more time than
expected, and exceptionally Parliament will need more time to reply to
you.

 

Therefore, the time limit to reply to your application A(2019)10012 is
hereby extended by 15 working days, in accordance with Article 7(3) of
regulation (EC) No 1049/2001.

 

We thank you for your understanding and apologise for any inconvenience,

 

Kind regards,  

 

 

TU

[1]LOGO_EP TRANSPARENCY UNIT
European Parliament
Directorate General
for the Presidency
Directorate for
Inter-Institutional
Affairs
and Legislative
Coordination

 

[2]Public Register webpage
[3][email address]

 

 

 

 

References

Visible links
2. http://www.europarl.europa.eu/RegWeb/app...
3. mailto:[email address]

AccesDocs, European Parliament

Dear Mr Dewitte,

The decision in reply to you application is being finalized. Can you please forward your address in response to this email or directly to AccesDocs[at]europarl.europa.eu so that the decision can be duly notified to you by certified post.

Where a decision may be appealed, it needs to be notified to the addressee by certified post, as it is the only way to ascertain when the addressee received the decision and when the time limit to appeal starts running.

The European Parliament reserves the right to ask for additional information regarding your identity in order to verify compliance with Regulation (UE) 2018/1725 and the European Parliament’s implementing measures.

Your attention is drawn to the fact that you have lodged your application via the AsktheEU.org website, which is a private website not officially related to the European Parliament. Therefore, the European Parliament cannot be held accountable for any technical issues or problems linked to the use of this system.

We look forward to reading from you,

Kind regards,

TU

TRANSPARENCY UNIT
European Parliament
Directorate General for the Presidency
Directorate for Inter-Institutional Affairs
and Legislative Coordination

Public Register webpage
[email address]

show quoted sections

Dear European Parliament,

Please pass this on to the person who reviews confirmatory applications.

I am filing the following confirmatory application with regards to my access to documents request 'Data Protection Impact Assessment (DPIA) related to the software and services solution developed for the preparatory phase of the European Elections 2019'.

In your reply from September 23rd, you refused to grant access to the documents requested because their publicity would “undermine the protection of the purpose of inspections, investigations and audits” (Art. 4(2) third indent Regulation 1049/2001). Besides, your own assessment has not uncovered any “overriding public interest” that would justify their disclosure. Through this confirmatory application, I would like to challenge that decision on the grounds that:
- The publicity of the documents requested does not necessarily “undermine the protection of the purpose of inspections, investigations and audits” and;
- Even if the Parliament would maintain its position as to the former, there is an “overriding public interest” in the disclosure of the documents requested.

As to the former, it is worth highlighting that accountability has been one of the cornerstones of the data protection reform – be it for regular controllers, law enforcement authorities or EU institutions. This is illustrated by a series of provisions in Regulation 2016/679, Directive 2016/680 and Regulation 2018/1725. The latter instruments is particularly relevant in the present context. While Article 4(2) establishes the general principle of accountability, Art. 26(1) obliges controllers to ensure and demonstrate that the processing operations are performed in accordance with data protection rules. Such an exercise usually takes the form of a Data Protection Impact Assessment (DPIA). While Regulation 2018/1725 does not specifically require the publication of DPIA reports, the European Data Protection Supervisor (EDPS) nonetheless considers such publication to be good practice. In the same vein, the EDPS encourage EU bodies to – at the very least – publish a shortened version of the report by removing technical details on, for instance, the security measures implemented. This, in turn, fosters trust and shows that EU institutions lead by example when it comes to complying with fundamental rights (EDPS, ‘Accountability of the ground Part II: Data Protection Impact Assessments & Prior Consultation’, July 2019; available at: https://edps.europa.eu/sites/edp/files/p..., last accessed 10/10/2019). In light of the above, I strongly believe that the documents requested could be published while also ensuring the confidentiality of the measures the disclosure of which could contradict the objective of the DPIA.

As to the latter, it is important to highlight that the Directorate-General for Communication of the European Parliament (hereinafter, ‘the controller’) has collected and further processed the personal data in a very sensitive context, i.e. the institutional communication strategy for the European Elections 2019. According to both the notification of personal data processing made following Art. 25 Regulation 45/2001 (https://www.europarl.europa.eu/data-prot...), and the privacy policy of the platform at stake (https://europarl.europa.eu/together/en/p...), the personal data include basic information such as the name, surname, email address and country of residence, but also information about the actions undertaken on the platform (e.g. polls answer, calls to actions, RSVP, participation at events, singing up to a newsletter) and the social media activities (e.g. Shares, Likes, Comments, Retweets and Posts). As indicated in the privacy policy, the above-mentioned data can be used, among other purposes, to provide data subjects with information pertinent to their interests (i.e. profiling). It is also crucial to emphasize that the purpose of a DPIA is not only – as specified in your answer from September 23rd – to “assure that personal data held or controlled by the Parliament are securely held”, but also to document the process of identifying and mitigating all the risks to data subjects’ rights and freedom – including but not limited to the relevant security countermeasure. As such, it also encompasses information as to how the controller has implemented all the general principles governing the processing of personal data. In light of the above, I am convinced that there is an “overriding public interest” in the disclosure of the documents requested.

A full history of my request and all correspondence is available on the Internet at this address: https://www.asktheeu.org/en/request/data...

Yours faithfully,

Pierre Dewitte

AccesDocs, European Parliament

1 Attachment

Our reference: A(2019)10012C (to be quoted in future correspondence)

 

 

Dear Mr Dewitte,

 

On the 10 October 2019, Parliament received your confirmatory application
asking our Institution to reconsider its decision not to grant public
access to the Data Protection Impact Assessment (DPIA) related to the
software and services solution developed for the preparatory phase of the
European Elections 2019.

 

In principle, the time limit reply to your application A(2019)10012C
should expires tomorrow. However, the reconsideration process is taking
more time than expected and the legal assessment of the two documents,
identified at initial level, in the light of the arguments you put forward
in your confirmatory application is still ongoing.  This is the first time
our Institution is confronted with a request for public disclosure of a
DPIA and all the implications of a potential publication need to be
carefully evaluated, in close cooperation with the competent services and
the Data Protection Officer. Unfortunately, Parliament will need more time
to take a final position on your request.

 

Therefore, the time limit to reply to your application A(2019)10012C is
hereby extended by 15 working days, in accordance with Article 8(2) of
regulation (EC) No 1049/2001. The new deadline expires on 22/11/2019.

 

We thank you for your understanding and apologise for any inconvenience,

 

Kind regards, 

 

 

TRANSPARENCY UNIT

 
European Parliament
Directorate-General for the Presidency
Directorate for Interinstitutional Affairs and Legislative Coordination
[1][European Parliament request email]
[2]www.europarl.europa.eu/RegistreWeb

 

 

References

Visible links
1. mailto:[European Parliament request email]
2. http://www.europarl.europa.eu/RegistreWeb