EUROPEAN EXTERNAL ACTION SERVICE
DG Budget and Administration
The Director-General
Brussels, 25 May 2020
eeas.sg.affgen.2 (2020) 2573598
Mr Alexander Fanta
Subject: Your request for access to documents
Our ref: 2020/032
Dear Mr Fanta,
Thank you for your confirmatory application of 27/4/2020, following your request for access to
documents.
I have carefully studied your initial request, dated 29/2/2020, as well as the EEAS reply
2020/032 of 24/4/2020. You initially requested documents related to the "robust instant
messaging solution" that the EEAS has deployed since September 2019, including contracts
with external suppliers. In your confirmatory application, you asked the EEAS to re-examine
your request and specifically requested the Data Protection Impact Assessment for the
classified communication system.
Following your confirmatory request, relevant EEAS Divisions have been contacted and asked
to search for the documents stored in their filing system, based on the description included in
your application.
As our services explained in the initial reply, the messaging solution is an integral part of the
Restreint UE / EU Restricted classified communication system of the EEAS.
While there are specific documents related to the classified communication system, the EEAS
cannot provide further details on its secure communications devices, infrastructure and
networks. The public release of such details would compromise the security, as it would be
exploited by adverse actors to the EU, thereby making the system more exposed to
cyber-attacks. Therefore, given the sensitivity of the information exchanged through this system, any
potential compromise of its security would be detrimental as per Article 4(1)(a) of the Regulation.
Service Européen pour l'Action Extérieure, B-1049 Bruxelles / Europese dienst voor extern optreden, B-1049 Brussel - Belgium.
Telephone: (32-2) 584 11 11.
As regards the assessments made, including data protection elements to evaluate whether a
particular data processing activity, such as the messaging application, is likely to result in a high
risk to the rights and freedoms of natural persons, various analyses have been made relating to
the Restreint UE / EU Restricted classified communication systems. In line with the security
regulations, each classified communication system has to undergo an accreditation procedure,
which includes an evaluation of risks, the elements of which cannot be disclosed.
At the same time, it is to be underlined that, as stated above and in accordance with Article 39
of Regulation (EU) 2018/1725 which concerns data protection impact assessments (DPIA), the
institution has the obligation to carry out a DPIA only when processing is “likely to result in a
high risk to the rights and freedoms of natural persons”. In the case of a messaging system, the
data subjects are the users of the system and the fact that it is a secure messaging solution
decreases the risk to the data subjects instead of increasing it. Therefore, no specific DPIA has
been prepared for the messaging solution, which is an integral part of the Restreint UE / EU
Restricted classified communication system of the EEAS.
Furthermore, it is to be noted that there is no obligation in Regulation (EU) 2018/1725 to prepare
a DPIA about systems created before the entry into force of the aforementioned Regulation.
According to Paragraph 1 of Article 39, a DPIA has to be carried out prior to the processing, and
a review has to be carried out when there is a change in the risk represented by the processing
operation.
If you are not satisfied with this response, you may, in accordance with Article 8 of the
Regulation, institute court proceedings against the European External Action Service or make
a complaint to the Ombudsman, under the conditions laid down in Articles 263 and 228 of the
Treaty on the Functioning of the EU respectively.
Yours sincerely,
Gianmarco Di Vita