EDPS inspection Europol Encrochat SkyECC #2

Chloé Berthélémy made this access to documents request to European Data Protection Supervisor

Automatic anti-spam measures are in place for this older request. Please let us know if a further response is expected or if you are having trouble responding.

The request was partially successful.

Chloé Berthélémy

Dear European Data Protection Supervisor,

Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:

- The report of the inspection by the European Data Protection Supervisor's (EDPS) inspection on the support provided by the EU's law enforcement agency, Europol, in relation to investigations related to the take down of three large criminal communication networks, Encrochat, SKY ECC and ANOM as referred page 85 of the EDPS Annual Report 2021 here: https://edps.europa.eu/system/files/2022...

- any document summarising the inspection report and containing the main conclusions and recommendations.

Please note I'm requesting access only to anonymised communications and documents without personally identifiable information.

Yours faithfully,
Chloé Berthélémy

==
My address:
Chloé Berthélémy
Rue Belliard 12
1040 Brussels

European Data Protection Supervisor

3 Attachments

Dear requester,

We acknowledge receipt of your request, registered on 27.01.2023. In
accordance with Article 7(1) of Regulation (EU) No 1049/2001 regarding
public access to European Parliament, Council and Commission documents,
you will receive a reply within 15 working days (by 17.02.2023).

Your case number is 2023-0116.

Please note that your personal data will only be processed for the
purposes of replying to your request and in accordance with the privacy
statement set out below. More information on how the EDPS process personal
information can be found on our [1]website.

Yours sincerely,

 

 

  EDPS Secretariat
[2]cid:image001.png@01D4D8CD.D37C9700
[3]| Tel. (+32) 228 31900  |
Fax (+32) 228 31950  |
› Email: [4][EDPS request email]
European Data Protection Supervisor
Postal address: Rue Wiertz 60,
B-1047 Brussels
Office address: Rue Montoyer 30,
B-1000 Brussels
[5]Twitter [6]@EU_EDPS  
[7]Website [8]www.edps.europa.eu

This email
(and any
attachment)
may contain
information
that is
internal or
confidential.
Unauthorised
access, use or
other
processing is
not permitted.
If you are not
the intended
recipient
please inform
the sender by
reply and then
delete all
copies. Emails
are not secure
as they can be
intercepted,
amended, and
infected with
viruses. The
EDPS therefore
cannot
guarantee the
security of
correspondence
by email.

Data Protection Notice

According to Articles 15 and 16 of Regulation (EU) 2018/1725 (the
Regulation), we are processing your personal data in order to reply to
your request. The controller is the European Data Protection Supervisor
(EDPS). The legal basis for this processing operation is Article 5(1)(b)
of the Regulation, since processing is necessary for compliance with a
legal obligation to which the EDPS is subject. The data processed include
your contact details, your request, as well as personal data that might be
collected during the investigation of your request. For the EDPS, case
handlers, administrative staff and hierarchy involved in the request
handling will have access to the case file containing your personal data
on a need-to-know basis. All access to case files is logged. Your data
will only be transferred to other EU institutions and bodies or to third
parties when it is necessary to ensure the appropriate investigation or
follow up of your request. Your data will be stored by the EDPS in
electronic files until the end of the reporting period of the current year
(as a rule, until mid-next year), unless legal proceedings require us to
keep them for a longer period. Afterwards, only a brief anonymous note
will be included in a file in order to keep record of the request.

You have the right of access to your personal data and to relevant
information concerning how we use it. You have the right to rectify your
personal data. Under certain conditions, you have the right to ask that we
delete your personal data or restrict its use. We will consider your
request, take a decision and communicate it to you. For more information,
please see Articles 14 to 21, 23 and 24 of the Regulation. Please note
that in some cases restrictions under Article 25 of the Regulation may
apply. Any request to exercise your rights should be addressed to the EDPS
at [9][EDPS request email]. You may also contact the data protection
officer of the EDPS ([10][email address]), if you have any remarks
or complaints regarding the way we process your personal data. You have
the right to lodge a complaint with the EDPS, as supervisory authority.
Any such request should be addressed to the EDPS at
[11][EDPS request email]. You can reach the EDPS in the following ways:
e-mail: [12][EDPS request email]; EDPS postal address: European Data
Protection Supervisor, Rue Wiertz 60, B-1047 Brussels, Belgium.

 

 

References

Visible links
1. https://secure.edps.europa.eu/EDPSWEB/we...
3. file:///tmp/tel:+3222831900
4. mailto:[EDPS request email]
6. http://twitter.com/EU_EDPS
http://twitter.com/EU_EDPS
8. http://www.edps.europa.eu/
http://www.edps.europa.eu/
9. mailto:[EDPS request email]
10. mailto:[email address]
11. mailto:[EDPS request email]
12. mailto:[EDPS request email]

European Data Protection Supervisor

5 Attachments

Dear Ms Berthélémy,

 

Please find attached a letter (+ annex) to your attention electronically
signed by Leonardo Cervera Navas on the above-mentioned subject.

 

Best regards,

 

 

 

  EDPS Secretariat
[1]cid:image001.png@01D4D8CD.D37C9700
[2]| Tel. (+32) 228 31900  |
Fax (+32) 228 31950  |
› Email: [3][EDPS request email]
European Data Protection Supervisor
Postal address: Rue Wiertz 60,
B-1047 Brussels
Office address: Rue Montoyer 30,
B-1000 Brussels
[4]Twitter [5]@EU_EDPS  
[6]Website [7]www.edps.europa.eu

This email
(and any
attachment)
may contain
information
that is
internal or
confidential.
Unauthorised
access, use or
other
processing is
not permitted.
If you are not
the intended
recipient
please inform
the sender by
reply and then
delete all
copies. Emails
are not secure
as they can be
intercepted,
amended, and
infected with
viruses. The
EDPS therefore
cannot
guarantee the
security of
correspondence
by email.

Data Protection Notice

According to Articles 15 and 16 of Regulation (EU) 2018/1725 (the
Regulation), we are processing your personal data in order to reply to
your request. The controller is the European Data Protection Supervisor
(EDPS). The legal basis for this processing operation is Article 5(1)(b)
of the Regulation, since processing is necessary for compliance with a
legal obligation to which the EDPS is subject. The data processed include
your contact details, your request, as well as personal data that might be
collected during the investigation of your request. For the EDPS, case
handlers, administrative staff and hierarchy involved in the request
handling will have access to the case file containing your personal data
on a need-to-know basis. All access to case files is logged. Your data
will only be transferred to other EU institutions and bodies or to third
parties when it is necessary to ensure the appropriate investigation or
follow up of your request. Your data will be stored by the EDPS in
electronic files until the end of the reporting period of the current year
(as a rule, until mid-next year), unless legal proceedings require us to
keep them for a longer period. Afterwards, only a brief anonymous note
will be included in a file in order to keep record of the request.

You have the right of access to your personal data and to relevant
information concerning how we use it. You have the right to rectify your
personal data. Under certain conditions, you have the right to ask that we
delete your personal data or restrict its use. We will consider your
request, take a decision and communicate it to you. For more information,
please see Articles 14 to 21, 23 and 24 of the Regulation. Please note
that in some cases restrictions under Article 25 of the Regulation may
apply. Any request to exercise your rights should be addressed to the EDPS
at [8][EDPS request email]. You may also contact the data protection
officer of the EDPS ([9][email address]), if you have any remarks
or complaints regarding the way we process your personal data. You have
the right to lodge a complaint with the EDPS, as supervisory authority.
Any such request should be addressed to the EDPS at
[10][EDPS request email]. You can reach the EDPS in the following ways:
e-mail: [11][EDPS request email]; EDPS postal address: European Data
Protection Supervisor, Rue Wiertz 60, B-1047 Brussels, Belgium.

 

 

 

References

Visible links
2. file:///tmp/tel:+3222831900
3. mailto:[EDPS request email]
5. http://twitter.com/EU_EDPS
http://twitter.com/EU_EDPS
7. http://www.edps.europa.eu/
http://www.edps.europa.eu/
8. mailto:[EDPS request email]
9. mailto:[email address]
10. mailto:[EDPS request email]
11. mailto:[EDPS request email]

Chloé Berthélémy

Dear European Data Protection Supervisor,

Please forward this to the person responsible for reviewing confirmatory applications.

Pursuant to Article 7(2) of Regulation (EC) No 1049/2001, I ask the EDPS to review its decision to grant only partial access to the Report on Inspection at Europol (Case Reference
2021-0303), taking into consideration the following:

1. The harm test applicable to Article 4(2), third indent, protection of the purpose of inspections, investigations and audits, has not been sufficiently proven to justify as it was not sufficiently demonstrated how further disclosure of the document would cause a reasonable foreseeable, non-hypothetical harm.
2. The public interest test was not properly considered in the application of Article 4(2) of Regulation 1049/2001.

I hereby argue that:

I. The EDPS has committed an error of assessment in its wide application of Article 4(2) of Regulation 1049/2001, protection of the purpose of inspections, investigations and audits

The sweeping application of the exception to all the recommendations, findings, and actions parts of the inspection report is likely abusive or, at best, erroneous. In particular,
the reasons for invoking a protected interest that would justify the wide and generalised application of the exception are not sufficiently substantiated.

Firstly, it is unclear and not sufficiently argued how and why the further disclosure of certain recommendations, findings, and actions would undermine the independency and outcomes of the audit at this particular stage, given that (1) the fieldwork was finalised in September 2021, (2) the minutes and a specific feedback round integrating Europol’s comments were also finalised in 2021. The EDPS is now at the final stage of monitoring the implementation of its recommendations by Europol. The EDPS did not provide reasonable explanations for how an why the disclosure of all of the recommendations, findings and actions, which are final and the subject neither to further internal discussion nor with the auditee, would undermine the independency and purposes of the audit.

Secondly, it raises the question as to when this particular inspection could be considered closed and no longer at risk of being undermined by the further disclosure of its report. If this would mean up until the auditee has exhaustively implemented the entire set of recommendations, this could potentially take many years before it is available to a public access request, considering the contents of the inspection and the potential long-term changes to be monitored by the EDPS. Furthermore, the report notes that “Europol is entitled within two months as of the reception of the report to suggest a different deadline for the implementation of the recommendations, in case they consider that the provided deadlines cannot be met due to the efforts and investments required”, which leaves the door open for a longer time period of implementation monitoring. As a result, this would harm the public interest in the further disclosure of the report, as described in point II. below. With no clear indication as to the criteria determining the effective closure of the investigation, I argue that the application of Article 4(2) was not sufficiently justified and restricted to what would be strictly necessary.

At this point it is worth recalling that the European Court of Justice has found, in relation to the exceptions listed under Article 4 of Regulation 1049/2001, that: “as such exceptions derogate from the principle of the widest possible public access to documents, they must be interpreted and applied strictly.” (C-266-05)

Thirdly, further partial disclosure of at least some of the redacted material is unlikely to pose anything more than a hypothetical risk to the protected interest. Just because the information relates to a protected interest (the purpose of the audit) does not mean that the EDPS is justified in invoking the protected interest, given the obligation to provide the widest possible access. This is especially the case for the non-disclosure of the list on page 31 of internal Europol documents that were consulted.

Lastly, disclosure of the requested document should not have the effect of undermining the EDPS’s powers of inspection. You state that revealing the recommendations, findings and actions of the report would create “distrust in the auditee in the course of the audit, and hinder collaboration”. This stands in contradiction with the clear powers afforded by EU law to the EDPS vis-à-vis Europol (also featuring in the partially disclosed report in Annex 2):

“The EDPS shall have the power to:
(a) obtain from Europol access to all personal data and to all information necessary for his
or her enquiries;
(b) obtain access to any premises in which Europol carries on its activities when there are
reasonable grounds for presuming that an activity covered by this Regulation is being
carried out there”

It is a legal duty for Europol to fully comply with the EDPS requests in the framework of Article 43 of Regulation 2016/794 and to collaborate with the Supervisor for the purpose of exercising its investigative powers – not a matter of trust that could hypothetically be hampered by a citizen exercising their fundamental right of access to documents. Further partial disclosure of at least some of the redacted material is therefore unlikely to pose anything more than a hypothetical risk to the protected interest.

In the present case, the EDPS has obviously made a very wide interpretation of Article 4(2). In doing so, it has not sufficiently demonstrated the reasonably foreseeable harm to the protected interest to such an extend that it would compensate denying a citizen their fundamental right.

II. There is indeed a public interest in the further disclosure of the requested document

You state that you “have not been able to identify” an overriding public interest in disclosing these parts of the documents.

I am arguing that there is an overriding public interest in the disclosure the contents of the investigation report for the following reasons:
• This request follows a considerable increase in concerns expressed by civil society[1] and citizens with regards to Europol’s expanded personal data collection and processing powers and capacities, including of persons with no link to criminal activity (e.g. innocent people) following the 2022 Europol mandate reform (2022/991);
• The reform has been politically justified by Europol’s operational needs to process data in the framework of large-scale investigative operations like the ones investigated by the EDPS. This is therefore of public interest to know how Europol abode by the then applicable data protection rules and whether or not it is clear that they represented a burden to the realisation of Europol’s tasks in these contexts. It is also of public interest to know what are the recommendations of the EDPS to guarantee compliance as Europol’s involvement in such future similar large-scale operations, according to the European legislators who adopted the reform, will become increasingly regular;
• There is great alarm among civil society following the EDPS own decision of 3 January 2022 admonishing Europol for unlawful processing of personal data by in recent years;
• The audit concerns police operations in the EU which raise a lot of controversy and in which the role and actions of Europol arguably contributed to the general lack of transparency and to the interference with the fundamental rights to a fair trial, effective remedy and privacy.[2] Across Europe, defendants are now challenging evidence and convictions, claiming flawed investigations, violations of cross-border evidence-sharing rules and insufficient disclosure of evidence. The EDPS oversight and investigative work to check compliance with data protection rules is thus of paramount importance in these efforts to evaluate a violation or not of the rule of law and other fundamental rights.

There is a high public interest in:
• knowing if there is a suspicion by the EDPS of breaches of Regulation 2016/79 (as mentioned in the Executive summary, page 4 of the partially disclosed report);
• enabling citizens to independently scrutinise the compliance of Europol with data protection and fundamental rights obligations, even more so given the "unprecedented scale" of the OTFs and the vast amounts of personal data involved as pointed out in the partially disclosed report page 30;
• contributing to increasing Europol’s accountability;
• restoring the legitimacy of Europol that has been seriously eroded following revelations of unlawful conduct by the EDPS through greater transparency vis-a-vis citizens.

I am therefore calling on the EDPS to:
• reconsider its assertion that further disclosure of the requested document would seriously undermine its finalised audit;
• take into account the clear public interest in disclosure; and
• further release parts of the requested document.

Yours sincerely,

Chloé Berthélémy

[1] EDRi, ‘Europol’s new powers will enable Big Data analysis and mass surveillance. We say NO!’, 28 April 2022 https://edri.org/our-work/europols-new-p...
Fair Trials, ‘Europol's expanding mandate: European Parliament must stand against unaccountable and discriminatory policing’, 28 April 2022 https://www.fairtrials.org/articles/news...
[2] https://www.fairtrials.org/app/uploads/2...

European Data Protection Supervisor

3 Attachments

Dear applicant,

 

We acknowledge receipt of your confirmatory application in case file
2023-0116. Your application was registered on 09.03.2023.

 

In accordance with Article 8(1) of Regulation (EU) No 1049/2001 regarding
public access to European Parliament, Council and Commission documents,
you will receive a reply within 15 working days (by 30.03.2023).

 

Yours sincerely,

 

 

 

  EDPS Secretariat
[1]cid:image001.png@01D4D8CD.D37C9700
[2]| Tel. (+32) 228 31900  |
Fax (+32) 228 31950  |
› Email: [3][EDPS request email]
European Data Protection Supervisor
Postal address: Rue Wiertz 60,
B-1047 Brussels
Office address: Rue Montoyer 30,
B-1000 Brussels
[4]Twitter [5]@EU_EDPS  
[6]Website [7]www.edps.europa.eu

This email
(and any
attachment)
may contain
information
that is
internal or
confidential.
Unauthorised
access, use or
other
processing is
not permitted.
If you are not
the intended
recipient
please inform
the sender by
reply and then
delete all
copies. Emails
are not secure
as they can be
intercepted,
amended, and
infected with
viruses. The
EDPS therefore
cannot
guarantee the
security of
correspondence
by email.

Data Protection Notice

According to Articles 15 and 16 of Regulation (EU) 2018/1725 (the
Regulation), we are processing your personal data in order to reply to
your request. The controller is the European Data Protection Supervisor
(EDPS). The legal basis for this processing operation is Article 5(1)(b)
of the Regulation, since processing is necessary for compliance with a
legal obligation to which the EDPS is subject. The data processed include
your contact details, your request, as well as personal data that might be
collected during the investigation of your request. For the EDPS, case
handlers, administrative staff and hierarchy involved in the request
handling will have access to the case file containing your personal data
on a need-to-know basis. All access to case files is logged. Your data
will only be transferred to other EU institutions and bodies or to third
parties when it is necessary to ensure the appropriate investigation or
follow up of your request. Your data will be stored by the EDPS in
electronic files until the end of the reporting period of the current year
(as a rule, until mid-next year), unless legal proceedings require us to
keep them for a longer period. Afterwards, only a brief anonymous note
will be included in a file in order to keep record of the request.

You have the right of access to your personal data and to relevant
information concerning how we use it. You have the right to rectify your
personal data. Under certain conditions, you have the right to ask that we
delete your personal data or restrict its use. We will consider your
request, take a decision and communicate it to you. For more information,
please see Articles 14 to 21, 23 and 24 of the Regulation. Please note
that in some cases restrictions under Article 25 of the Regulation may
apply. Any request to exercise your rights should be addressed to the EDPS
at [8][EDPS request email]. You may also contact the data protection
officer of the EDPS ([9][email address]), if you have any remarks
or complaints regarding the way we process your personal data. You have
the right to lodge a complaint with the EDPS, as supervisory authority.
Any such request should be addressed to the EDPS at
[10][EDPS request email]. You can reach the EDPS in the following ways:
e-mail: [11][EDPS request email]; EDPS postal address: European Data
Protection Supervisor, Rue Wiertz 60, B-1047 Brussels, Belgium.

 

 

References

Visible links
2. file:///tmp/tel:+3222831900
3. mailto:[EDPS request email]
5. http://twitter.com/EU_EDPS
http://twitter.com/EU_EDPS
7. http://www.edps.europa.eu/
http://www.edps.europa.eu/
8. mailto:[EDPS request email]
9. mailto:[email address]
10. mailto:[EDPS request email]
11. mailto:[EDPS request email]

European Data Protection Supervisor

3 Attachments

Dear Ms. Berthélémy,

 

We are writing to you concerning your confirmatory application to our
reply to your access to documents request case number 2023-0116.

 

In accordance with Article 8 (1) of Regulation (EU) No 1049/2001 regarding
public access to European Parliament, Council and Commission documents,
you are entitled to receive a reply within 15 working days.

 

However, the EDPS will not be in a position to respond within the original
time limit of 15 working days. We have therefore decided to extend the
time limit by 15 working days in accordance with Article 8(2) of
Regulation (EU) 1049/2001.

 

You should expect to receive a reply from the EDPS by 25.04.2023 at the
latest.

 

Yours sincerely,

 

 

  EDPS Secretariat
[1]cid:image001.png@01D4D8CD.D37C9700
[2]| Tel. (+32) 228 31900  |
Fax (+32) 228 31950  |
› Email: [3][EDPS request email]
European Data Protection Supervisor
Postal address: Rue Wiertz 60,
B-1047 Brussels
Office address: Rue Montoyer 30,
B-1000 Brussels
[4]Twitter [5]@EU_EDPS  
[6]Website [7]www.edps.europa.eu

This email
(and any
attachment)
may contain
information
that is
internal or
confidential.
Unauthorised
access, use or
other
processing is
not permitted.
If you are not
the intended
recipient
please inform
the sender by
reply and then
delete all
copies. Emails
are not secure
as they can be
intercepted,
amended, and
infected with
viruses. The
EDPS therefore
cannot
guarantee the
security of
correspondence
by email.

Data Protection Notice

According to Articles 15 and 16 of Regulation (EU) 2018/1725 (the
Regulation), we are processing your personal data in order to reply to
your request. The controller is the European Data Protection Supervisor
(EDPS). The legal basis for this processing operation is Article 5(1)(b)
of the Regulation, since processing is necessary for compliance with a
legal obligation to which the EDPS is subject. The data processed include
your contact details, your request, as well as personal data that might be
collected during the investigation of your request. For the EDPS, case
handlers, administrative staff and hierarchy involved in the request
handling will have access to the case file containing your personal data
on a need-to-know basis. All access to case files is logged. Your data
will only be transferred to other EU institutions and bodies or to third
parties when it is necessary to ensure the appropriate investigation or
follow up of your request. Your data will be stored by the EDPS in
electronic files until the end of the reporting period of the current year
(as a rule, until mid-next year), unless legal proceedings require us to
keep them for a longer period. Afterwards, only a brief anonymous note
will be included in a file in order to keep record of the request.

You have the right of access to your personal data and to relevant
information concerning how we use it. You have the right to rectify your
personal data. Under certain conditions, you have the right to ask that we
delete your personal data or restrict its use. We will consider your
request, take a decision and communicate it to you. For more information,
please see Articles 14 to 21, 23 and 24 of the Regulation. Please note
that in some cases restrictions under Article 25 of the Regulation may
apply. Any request to exercise your rights should be addressed to the EDPS
at [8][EDPS request email]. You may also contact the data protection
officer of the EDPS ([9][email address]), if you have any remarks
or complaints regarding the way we process your personal data. You have
the right to lodge a complaint with the EDPS, as supervisory authority.
Any such request should be addressed to the EDPS at
[10][EDPS request email]. You can reach the EDPS in the following ways:
e-mail: [11][EDPS request email]; EDPS postal address: European Data
Protection Supervisor, Rue Wiertz 60, B-1047 Brussels, Belgium.

 

 

 

 

References

Visible links
2. file:///tmp/tel:+3222831900
3. mailto:[EDPS request email]
5. http://twitter.com/EU_EDPS
http://twitter.com/EU_EDPS
7. http://www.edps.europa.eu/
http://www.edps.europa.eu/
8. mailto:[EDPS request email]
9. mailto:[email address]
10. mailto:[EDPS request email]
11. mailto:[EDPS request email]

European Data Protection Supervisor

4 Attachments

Dear Ms Berthélémy,

 

Please find attached a letter to your attention electronically signed by
Leonardo Cervera Navas on the above-mentioned subject.

 

Best regards,

 

 

 

  EDPS Secretariat
[1]cid:image001.png@01D4D8CD.D37C9700
[2]| Tel. (+32) 228 31900  |
Fax (+32) 228 31950  |
› Email: [3][EDPS request email]
European Data Protection Supervisor
Postal address: Rue Wiertz 60,
B-1047 Brussels
Office address: Rue Montoyer 30,
B-1000 Brussels
[4]Twitter [5]@EU_EDPS  
[6]Website [7]www.edps.europa.eu

This email
(and any
attachment)
may contain
information
that is
internal or
confidential.
Unauthorised
access, use or
other
processing is
not permitted.
If you are not
the intended
recipient
please inform
the sender by
reply and then
delete all
copies. Emails
are not secure
as they can be
intercepted,
amended, and
infected with
viruses. The
EDPS therefore
cannot
guarantee the
security of
correspondence
by email.

Data Protection Notice

According to Articles 15 and 16 of Regulation (EU) 2018/1725 (the
Regulation), we are processing your personal data in order to reply to
your request. The controller is the European Data Protection Supervisor
(EDPS). The legal basis for this processing operation is Article 5(1)(b)
of the Regulation, since processing is necessary for compliance with a
legal obligation to which the EDPS is subject. The data processed include
your contact details, your request, as well as personal data that might be
collected during the investigation of your request. For the EDPS, case
handlers, administrative staff and hierarchy involved in the request
handling will have access to the case file containing your personal data
on a need-to-know basis. All access to case files is logged. Your data
will only be transferred to other EU institutions and bodies or to third
parties when it is necessary to ensure the appropriate investigation or
follow up of your request. Your data will be stored by the EDPS in
electronic files until the end of the reporting period of the current year
(as a rule, until mid-next year), unless legal proceedings require us to
keep them for a longer period. Afterwards, only a brief anonymous note
will be included in a file in order to keep record of the request.

You have the right of access to your personal data and to relevant
information concerning how we use it. You have the right to rectify your
personal data. Under certain conditions, you have the right to ask that we
delete your personal data or restrict its use. We will consider your
request, take a decision and communicate it to you. For more information,
please see Articles 14 to 21, 23 and 24 of the Regulation. Please note
that in some cases restrictions under Article 25 of the Regulation may
apply. Any request to exercise your rights should be addressed to the EDPS
at [8][EDPS request email]. You may also contact the data protection
officer of the EDPS ([9][email address]), if you have any remarks
or complaints regarding the way we process your personal data. You have
the right to lodge a complaint with the EDPS, as supervisory authority.
Any such request should be addressed to the EDPS at
[10][EDPS request email]. You can reach the EDPS in the following ways:
e-mail: [11][EDPS request email]; EDPS postal address: European Data
Protection Supervisor, Rue Wiertz 60, B-1047 Brussels, Belgium.

 

 

 

 

References

Visible links
2. file:///tmp/tel:+3222831900
3. mailto:[EDPS request email]
5. http://twitter.com/EU_EDPS
http://twitter.com/EU_EDPS
7. http://www.edps.europa.eu/
http://www.edps.europa.eu/
8. mailto:[EDPS request email]
9. mailto:[email address]
10. mailto:[EDPS request email]
11. mailto:[EDPS request email]

European Data Protection Supervisor

4 Attachments

Dear Ms Berthélémy,

 

Please find attached a letter to your attention electronically signed by
Leonardo Cervera Navas on the above-mentioned subject.

 

Best regards,

 

 

  EDPS Secretariat
[1]cid:image001.png@01D4D8CD.D37C9700
[2]| Tel. (+32) 228 31900  |
Fax (+32) 228 31950  |
› Email: [3][EDPS request email]
European Data Protection Supervisor
Postal address: Rue Wiertz 60,
B-1047 Brussels
Office address: Rue Montoyer 30,
B-1000 Brussels
[4]Twitter [5]@EU_EDPS  
[6]Website [7]www.edps.europa.eu

This email
(and any
attachment)
may contain
information
that is
internal or
confidential.
Unauthorised
access, use or
other
processing is
not permitted.
If you are not
the intended
recipient
please inform
the sender by
reply and then
delete all
copies. Emails
are not secure
as they can be
intercepted,
amended, and
infected with
viruses. The
EDPS therefore
cannot
guarantee the
security of
correspondence
by email.

Data Protection Notice

According to Articles 15 and 16 of Regulation (EU) 2018/1725 (the
Regulation), we are processing your personal data in order to reply to
your request. The controller is the European Data Protection Supervisor
(EDPS). The legal basis for this processing operation is Article 5(1)(b)
of the Regulation, since processing is necessary for compliance with a
legal obligation to which the EDPS is subject. The data processed include
your contact details, your request, as well as personal data that might be
collected during the investigation of your request. For the EDPS, case
handlers, administrative staff and hierarchy involved in the request
handling will have access to the case file containing your personal data
on a need-to-know basis. All access to case files is logged. Your data
will only be transferred to other EU institutions and bodies or to third
parties when it is necessary to ensure the appropriate investigation or
follow up of your request. Your data will be stored by the EDPS in
electronic files until the end of the reporting period of the current year
(as a rule, until mid-next year), unless legal proceedings require us to
keep them for a longer period. Afterwards, only a brief anonymous note
will be included in a file in order to keep record of the request.

You have the right of access to your personal data and to relevant
information concerning how we use it. You have the right to rectify your
personal data. Under certain conditions, you have the right to ask that we
delete your personal data or restrict its use. We will consider your
request, take a decision and communicate it to you. For more information,
please see Articles 14 to 21, 23 and 24 of the Regulation. Please note
that in some cases restrictions under Article 25 of the Regulation may
apply. Any request to exercise your rights should be addressed to the EDPS
at [8][EDPS request email]. You may also contact the data protection
officer of the EDPS ([9][email address]), if you have any remarks
or complaints regarding the way we process your personal data. You have
the right to lodge a complaint with the EDPS, as supervisory authority.
Any such request should be addressed to the EDPS at
[10][EDPS request email]. You can reach the EDPS in the following ways:
e-mail: [11][EDPS request email]; EDPS postal address: European Data
Protection Supervisor, Rue Wiertz 60, B-1047 Brussels, Belgium.

 

 

 

 

References

Visible links
2. file:///tmp/tel:+3222831900
3. mailto:[EDPS request email]
5. http://twitter.com/EU_EDPS
http://twitter.com/EU_EDPS
7. http://www.edps.europa.eu/
http://www.edps.europa.eu/
8. mailto:[EDPS request email]
9. mailto:[email address]
10. mailto:[EDPS request email]
11. mailto:[EDPS request email]

European Data Protection Supervisor

5 Attachments

Dear Ms Berthélémy,

 

Please find attached a letter (+ annex) to your attention electronically
signed by Leonardo Cervera Navas on the above-mentioned subject.

 

Best regards,

 

  EDPS Secretariat
[1]cid:image001.png@01D4D8CD.D37C9700
[2]| Tel. (+32) 228 31900  |
Fax (+32) 228 31950  |
› Email: [3][EDPS request email]
European Data Protection Supervisor
Postal address: Rue Wiertz 60,
B-1047 Brussels
Office address: Rue Montoyer 30,
B-1000 Brussels
[4]Twitter [5]@EU_EDPS  
[6]Website [7]www.edps.europa.eu

This email
(and any
attachment)
may contain
information
that is
internal or
confidential.
Unauthorised
access, use or
other
processing is
not permitted.
If you are not
the intended
recipient
please inform
the sender by
reply and then
delete all
copies. Emails
are not secure
as they can be
intercepted,
amended, and
infected with
viruses. The
EDPS therefore
cannot
guarantee the
security of
correspondence
by email.

Data Protection Notice

According to Articles 15 and 16 of Regulation (EU) 2018/1725 (the
Regulation), we are processing your personal data in order to reply to
your request. The controller is the European Data Protection Supervisor
(EDPS). The legal basis for this processing operation is Article 5(1)(b)
of the Regulation, since processing is necessary for compliance with a
legal obligation to which the EDPS is subject. The data processed include
your contact details, your request, as well as personal data that might be
collected during the investigation of your request. For the EDPS, case
handlers, administrative staff and hierarchy involved in the request
handling will have access to the case file containing your personal data
on a need-to-know basis. All access to case files is logged. Your data
will only be transferred to other EU institutions and bodies or to third
parties when it is necessary to ensure the appropriate investigation or
follow up of your request. Your data will be stored by the EDPS in
electronic files until the end of the reporting period of the current year
(as a rule, until mid-next year), unless legal proceedings require us to
keep them for a longer period. Afterwards, only a brief anonymous note
will be included in a file in order to keep record of the request.

You have the right of access to your personal data and to relevant
information concerning how we use it. You have the right to rectify your
personal data. Under certain conditions, you have the right to ask that we
delete your personal data or restrict its use. We will consider your
request, take a decision and communicate it to you. For more information,
please see Articles 14 to 21, 23 and 24 of the Regulation. Please note
that in some cases restrictions under Article 25 of the Regulation may
apply. Any request to exercise your rights should be addressed to the EDPS
at [8][EDPS request email]. You may also contact the data protection
officer of the EDPS ([9][email address]), if you have any remarks
or complaints regarding the way we process your personal data. You have
the right to lodge a complaint with the EDPS, as supervisory authority.
Any such request should be addressed to the EDPS at
[10][EDPS request email]. You can reach the EDPS in the following ways:
e-mail: [11][EDPS request email]; EDPS postal address: European Data
Protection Supervisor, Rue Wiertz 60, B-1047 Brussels, Belgium.

 

 

 

 

References

Visible links
2. file:///tmp/tel:+3222831900
3. mailto:[EDPS request email]
5. http://twitter.com/EU_EDPS
http://twitter.com/EU_EDPS
7. http://www.edps.europa.eu/
http://www.edps.europa.eu/
8. mailto:[EDPS request email]
9. mailto:[email address]
10. mailto:[EDPS request email]
11. mailto:[EDPS request email]

Chloé Berthélémy

Dear European Data Protection Supervisor,

Thank you for your reply.

Yours sincerely,

Chloé Berthélémy