EDPS mapping exercise
Dear European Data Protection Supervisor,
I read your interesting document "Strategy for Union institutions, offices, bodies and agencies to comply with the Schrems II ruling". In the document you require the Commission and the other Institutions to do a mapping exercise.
Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:
a) the mapping exercise that I expect the EDPS should have carried out for itself
If the EDPS did not carry out such mapping exercise also for itself, I would like to know why.
b) If the EDPS uses any of the following tools: Microsoft Office365, Microsoft Teams, Zoom, Cisco Webex, Skype, I request any privacy assessment or similar document (including DPIA) that the EDPS should have done in view of adopting the use of such tools. Kindly note that I do not want generic guidelines. Instead I seek specifically any privacy assessment that relates to the internal use by the EDPS of any of the tools I listed.
For both categories of documents you can redact any personal data and any information that would imperil the security of your IT systems. Please send the documents electronically.
Yours faithfully,
Nicole Maes
Dear European Data Protection Supervisor,
I have not received a reply to my request within the legal deadline, therefore I hereby introduce a confirmatory application.
Yours faithfully,
Nicole Maes
Dear Mrs Maes,
We acknowledge receipt of your request which was registered 25 November
2020. Your case has been registered with case number 2020-1124.
Please note that in our records we have not found any requests addresses
from you to the European Data Protection Supervisor (EDPS). Could you
please provide us with more details.
Be advised, this case will remain open for another 30 days. In case you do
not provide additional information we will close it administratively.
Please note that your personal data will only be processed for the
purposes of replying to your request and in accordance with the privacy
statement set out below. More information on how the EDPS process personal
information can be found on our website.
You have lodged your application via the AsktheEU.org website. Please note
that this is a private website which has no link with any institution of
the European Union. The European Data Protection Supervisor is not
accountable for any technical issues or problems linked to the use of this
system.
Yours sincerely,
[1]cid:image001.png@01D6ADDD.F732FD60 EDPS Secretariat
' (+32) 228 319 00 | Fax +32 2
283 19 50
[2]Email [3][EDPS request email]
European Data Protection Supervisor
Postal address: Rue Wiertz 60,
B-1047 Brussels
Office address: Rue Montoyer 30,
B-1000 Brussels
[4]Twitter [5]@EU_EDPS
[6]Website [7]www.edps.europa.eu
This email
(and any
attachment)
may contain
information
that is
internal or
confidential.
Unauthorised
access, use or
other
processing is
not permitted.
If you are not
the intended
recipient
please inform
the sender by
reply and then
delete all
copies. Emails
are not secure
as they can be
intercepted,
amended, and
infected with
viruses. The
EDPS therefore
cannot
guarantee the
security of
correspondence
by email.
Dear European Data Protection Supervisor,
I sent you an application on 3 November. It looks like you did not receive it. Here it comes again. I am requesting under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, documents which contain the following information:
a) the mapping exercise that the EDPS has carried out following the Schrems II judgment, including any related report detailing the outcome (the EDPS published a strategy document requiring EU institutions to carry out such exercise . I expect that the EDPS must have done one for itself).
b) If the EDPS uses any of the following tools: Microsoft Office365, Microsoft Teams, Zoom, Cisco Webex, Skype, I request any privacy assessment or similar document (including DPIA) done by the EDPS in view of adopting the use of such tools. Kindly note that I do not want generic guidelines. Instead I seek specifically any privacy assessment that relates to the internal use by the EDPS of any of the tools I listed.
For both categories of documents you can redact any personal data and any information that would imperil the security of your IT systems. Please send the documents electronically.
Yours sincerely,
Nicole Maes
Dear Mrs Maes,
We acknowledge receipt of your request which was registered 2 December
2020.
In accordance with Article 7(1) of Regulation (EC) No 1049/2001 regarding
public access to European Parliament, Council and Commission documents,
you are entitled to receive a reply within 15 working days.
Your case has been registered with case number 2020-1124.
Please note that your personal data will only be processed for the
purposes of replying to your request and in accordance with the privacy
statement set out below. More information on how the EDPS process personal
information can be found on our website.
You have lodged your application via the AsktheEU.org website. Please note
that this is a private website which has no link with any institution of
the European Union. The European Data Protection Supervisor is not
accountable for any technical issues or problems linked to the use of this
system.
Yours sincerely,
[1]cid:image001.png@01D6ADDD.F732FD60 EDPS Secretariat
' (+32) 228 319 00 | Fax +32 2
283 19 50
[2]Email [3][EDPS request email]
European Data Protection Supervisor
Postal address: Rue Wiertz 60,
B-1047 Brussels
Office address: Rue Montoyer 30,
B-1000 Brussels
[4]Twitter [5]@EU_EDPS
[6]Website [7]www.edps.europa.eu
This email
(and any
attachment)
may contain
information
that is
internal or
confidential.
Unauthorised
access, use or
other
processing is
not permitted.
If you are not
the intended
recipient
please inform
the sender by
reply and then
delete all
copies. Emails
are not secure
as they can be
intercepted,
amended, and
infected with
viruses. The
EDPS therefore
cannot
guarantee the
security of
correspondence
by email.
Dear European Data Protection Supervisor,
Please pass this on to the person who reviews confirmatory applications.
I am filing the following confirmatory application with regards to my access to documents request 'EDPS mapping exercise'.
I have not received any reply to my question, and your deadline to reply has expired. Therefore in accordance with article 7.4 of the Regulation on public access to documents I introduce a confirmatory application.
A full history of my request and all correspondence is available on the Internet at this address: https://www.asktheeu.org/en/request/edps...
I would appreciate if you could acknowledge receipt of this message.
Yours faithfully,
Nicole Maes
Dear Mr Maes,
We are writing you concerning your access to documents request case number
2020-1124. In accordance with Article 7(1) of Regulation (EC) No 1049/2001
regarding public access to European Parliament, Council and Commission
documents, you are entitled to receive a reply within 15 working days.
However, due to the complexity of the matter, the EDPS will not be in a
position to respond within the original time limit of 15 working days. We
have therefore decided to extend the time limit by 15 working days in
accordance with Article 7(3) of Regulation (EC) 1049/2001. You should
expect to receive a reply from the EDPS by 25 January 2021 at the latest.
Yours sincerely,
EDPS Secretariat
' (+32) 228 319 00 | Fax +32 2 283 19 50
[1]Email [2][EDPS request email]
European Data Protection Supervisor
Postal address: Rue Wiertz 60, B-1047 Brussels
Office address: Rue Montoyer 30, B-1000 Brussels
[3]Twitter [4]@EU_EDPS [5]Website [6]www.edps.europa.eu
References
Visible links
2. mailto:[EDPS request email]
4. http://twitter.com/EU_EDPS
http://twitter.com/EU_EDPS
6. http://www.edps.europa.eu/
http://www.edps.europa.eu/
Dear European Data Protection Supervisor,
Thank you for replying to my confirmatory application.
I take note of the fact that you extended the timeline to reply to my request.
However, I ask you to take into account the following. We are already at the stage of confirmatory application. As you can see, I submitted a confirmatory application on 23 December 2020 due to your lack of reply to my initial application of 2 December 2020.
Therefore, while you wrote that you are extending the deadline in accordance with art. 7(3) of Regulation 1049/2001, in reality you are extending the deadline in accordance to art 8(2) of the same Regulation.
It is important for me to stress out this point, also to make you aware that, if I will not be satisfied by your reply, or if you will not reply at all, the remedies of art 8(3) of the Regulation will be immediately applicable. The reason is that your upcoming reply is going to be the reply to the confirmatory application that I introduced on 23 December.
Yours sincerely,
Nicole Maes
Dear Madam,
Please find attached a letter signed electronically by Mr Leonardo Cervera
for the above mentioned subject.
Kind regards,
[1]cid:image001.png@01D6ADDD.F732FD60 EDPS Secretariat
' (+32) 228 319 00 | Fax +32 2 283
19 50
[2]Email [3][EDPS request email]
European Data Protection Supervisor
Postal address: Rue Wiertz 60,
B-1047 Brussels
Office address: Rue Montoyer 30,
B-1000 Brussels
[4]Twitter [5]@EU_EDPS
[6]Website [7]www.edps.europa.eu
This email
(and any
attachment)
may contain
information
that is
internal or
confidential.
Unauthorised
access, use or
other
processing is
not permitted.
If you are not
the intended
recipient
please inform
the sender by
reply and then
delete all
copies. Emails
are not secure
as they can be
intercepted,
amended, and
infected with
viruses. The
EDPS therefore
cannot
guarantee the
security of
correspondence
by email.
References
Visible links
3. mailto:[EDPS request email]
5. http://twitter.com/EU_EDPS
http://twitter.com/EU_EDPS
7. http://www.edps.europa.eu/
http://www.edps.europa.eu/
Nicole Maes dejó un comentario ()
The Ombudsman replied that I introduced my confirmatory application too early and that could not process my complaint. The Ombudsman is right. I will therefore introduce a confirmatory application now.
Dear European Data Protection Supervisor,
Please pass this on to the person who reviews confirmatory applications.
I am filing the following confirmatory application with regards to my access to documents request 'EDPS mapping exercise'.
Your reference: LCN/SP/TT/ktl/D(2021)0072 C2020-1124
After going through your reply, unfortunately I disagree with your assessment.
My original application had two parts:
1) The mapping exercise that the EDPS has carried out for itself following Schrems II
2) A copy of any privacy assessment (including DPIA) carried out by the EDPS for the use by the EDPS of the following tools: Microsoft Office365, Microsoft Teams, Zoom, Cisco Webex, Skype.
You replied that you cannot disclose the documents “as they are part of ongoing procedure, where the decision is not yet taken by EDPS and thus fall within the exceptions of art. 4(3) of Regulation 1049/2001”.
You then confirm that the EDPS has done a report for the mapping exercise.
I appeal against your initial decision for the reasons below.
First, your assertion that the EDPS has done a report for the mapping exercise is by itself incompatible with your claim that a decision has not been taken by the EDPS. Unless the report of the EDPS mapping exercise has not been finalized yet (which would surprise me, as it should have been finalized by 15 November 2020 according to the strategy document produced by the EDPS itself) it means that the report that yourself confirmed exists must be considered as final, hence it cannot fall under the exception of art. 4(3).
Second, for the second part of my request (the privacy assessments, including DPIA), you do not provide information if any document exists at all. What is the status: did the EDPS do privacy assessments for all the tools I listed, but they cannot be shared because of the exception of art. 4(3) of Regulation 1049/2001? This is what I understood from your reply, but it is not clear. Or did I misunderstood, and the EDPS does not use any of the tools I mentioned? Then the documents would not exist, I assume. I kindly ask you to explicitly clarify this point, and for the future I humbly suggest adopting the good practice of the European Commission which always provides a list of the documents that are identified as falling under the scope of an access to document request, even if the documents are not disclosed. In any case for the present confirmatory application I take as an assumption that the EDPS uses the tools, and therefore the documents should exist.
Third, on the substance of your reply: the exceptions of art. 4(3) of Regulation 1049/2001 cannot apply to the documents that I request. As you certainly know, exceptions must be interpreted and applied strictly. It does not seem you respected this principle this time. In reality, you did not provide any argument or explanation at all on why disclosure would seriously undermine the decision making process of the EDPS. You should have done an individual assessment for every document, and provide an explanation based on risks that are not purely hypothetical. As you also know, the simple fact that the documents might still be preliminary drafts, or their informal character, are not reason enough to invoke art. 4(3). I would also make a point on the fact that you had extended the deadline to reply to my initial application “due to the complexity of the matter”: a complex matter would have required a more elaborated reply from your side.
Finally, even if disclosure would undermine the EDPS decision making process (which I do not believe and you have not demonstrated), there would be an overriding public interest for disclosure.
Regarding the EDPS mapping exercise, you certainly agree that the public has an overriding interest verifying that the EDPS is leading by example. This translates in the need for the public of knowing if the EDPS has carried out any transfer without any transfer tool, or based on a derogation, or any high-risk transfer to the US.
Regarding copy of the privacy assessments: there is an overriding public interest in knowing which IT tools the EDPS is using internally, and in knowing the outcome of any analysis of the EDPS (in the form of DPIA and any other assessment) previous to the adoption of the tools. Citizens and economical operators can expect the European Data Protection Supervisor being the most compliant and most knowledgeable entity in the EU with regards to data protection. Therefore, if the EDPS is using any of the tools (Microsoft Office365, Microsoft Teams, Zoom, Cisco Webex, Skype) the corresponding privacy assessment could inspire as reference and golden standard any other individual and actor in need to do an assessment exercise on the same tools. For such reasons there is an overriding interest in making public the internal privacy assessments of the EDPS.
I would be grateful if you could acknowledge receipt. You can send me any reply (and any document) electronically throug AskTheEU.
A full history of my request and all correspondence is available on the Internet at this address: https://www.asktheeu.org/en/request/edps...
Yours faithfully,
Nicole Maes
Dear Mr Maes,
We acknowledge receipt of your confirmatory application for case file
2020-1124 which was registered 22 January 2021.
In accordance with Article 8(1) of Regulation (EC) No 1049/2001 regarding
public access to European Parliament, Council and Commission documents,
you are entitled to receive a reply within 15 working days from the date
of your request (by 12 February 2021)
Please note that your personal data will only be processed for the
purposes of replying to your request and in accordance with the privacy
statement set out below. More information on how the EDPS process personal
information can be found on our [1]website.
You have lodged your application via the AsktheEU.org website. Please note
that this is a private website which has no link with any institution of
the European Union. The European Data Protection Supervisor is not
accountable for any technical issues or problems linked to the use of this
system.
Yours sincerely,
EDPS Secretariat
' (+32) 228 319 00 | Fax +32 2 283 19 50
[2]Email [3][EDPS request email]
European Data Protection Supervisor
Postal address: Rue Wiertz 60, B-1047 Brussels
Office address: Rue Montoyer 30, B-1000 Brussels
[4]Twitter [5]@EU_EDPS [6]Website [7]www.edps.europa.eu
This email
(and any
attachment)
may contain
information
that is
internal or
confidential.
Unauthorised
access, use or
other
processing is
not permitted.
If you are not
the intended
recipient
please inform
the sender by
reply and then
delete all
copies. Emails
are not secure
as they can be
intercepted,
amended, and
infected with
viruses. The
EDPS therefore
cannot
guarantee the
security of
correspondence
by email.
References
Visible links
1. https://secure.edps.europa.eu/EDPSWEB/we...
3. mailto:[EDPS request email]
5. http://twitter.com/EU_EDPS
http://twitter.com/EU_EDPS
7. http://www.edps.europa.eu/
http://www.edps.europa.eu/
Dear Ms Maes,
I am preparing the reply to your confirmatory application.
I would like to discuss with you some details concerning you request,
before finalising it.
Would it be possible to possible to contact you over the phone?
As you publish publically your communications with EDPS I cannot give you
my private mobile number for direct contact.
I will appreciate if you reply to this email and provide me with a number
to contact you directly.
Thank you in advance
Tsanko Tsankov
Tsanko Tsankov
[1]cid:image001.png@01D69BD0.15A53620 Transparency Officer – EDPS Secretariat
[2]| Tel. (+32) 228 31902 | Fax +32(0)22831950 | MTS
06X038
Email [3][email address]
European Data Protection Supervisor
Postal address: Rue Wiertz 60, B-1047 Brussels
Office address: Rue Montoyer 30, B-1000 Brussels
[4]cid:image002.png@01D6A617.F0ED7200 [5]@EU_EDPS
[6]cid:image003.png@01D69BD0.15A53620 [7]www.edps.europa.eu
This email
(and any
attachment)
may contain
information
that is
internal or
confidential.
Unauthorised
access, use or
other
processing is
not permitted.
If you are not
the intended
recipient
please inform
the sender by
reply and then
delete all
copies. Emails
are not secure
as they can be
intercepted,
amended, and
infected with
viruses. The
EDPS therefore
cannot
guarantee the
security of
correspondence
by email.
References
Visible links
2. file:///tmp/tel:+3222831900
3. mailto:[email address]
4. file:///tmp/http:/
5. http://twitter.com/EU_EDPS
http://twitter.com/EU_EDPS
7. http://www.edps.europa.eu/
http://www.edps.europa.eu/
Dear TSANKOV Tsanko,
I prefer that any communication goes through the current channel (AskTheEU). In this way the correspondence is transparent and can be seen by the public that is following this request. Further to this, written correspondence is preferable because it entails less risk of misunderstandings compared to phone communications. Finally it is also a safeguard for both me and the EDPS having in mind the formal context of a confermatory application.
This said, just drop a line here if there is anything in my application that you want to clarify, I am happy to reply!
Yours sincerely,
Nicole Maes
Dear Madam,
Please find attached a letter signed electronically by Mr Leonardo Cervera
for the above mentioned subject.
Kind regards,
EDPS Secretariat
[1]cid:image001.png@01D6F3C9.BF776FA0
' (+32) 228 319 00 | Fax +32 2 283
19 50
[2]Email [3][EDPS request email]
European Data Protection Supervisor
Postal address: Rue Wiertz 60,
B-1047 Brussels
Office address: Rue Montoyer 30,
B-1000 Brussels
[4]Twitter [5]@EU_EDPS
[6]Website [7]www.edps.europa.eu
This email
(and any
attachment)
may contain
information
that is
internal or
confidential.
Unauthorised
access, use or
other
processing is
not permitted.
If you are not
the intended
recipient
please inform
the sender by
reply and then
delete all
copies. Emails
are not secure
as they can be
intercepted,
amended, and
infected with
viruses. The
EDPS therefore
cannot
guarantee the
security of
correspondence
by email.
References
Visible links
3. mailto:[EDPS request email]
5. http://twitter.com/EU_EDPS
http://twitter.com/EU_EDPS
7. http://www.edps.europa.eu/
http://www.edps.europa.eu/
Nicole Maes dejó un comentario ()
The reply does not comply with Regulation 1049/2001 because the exception is applied wrongly. Therefore I have introduced a complaint with the European Ombudsman.
Dear Ms Maes,
Please find attached a letter and its annexes (6 documents), signed by Mr
Cervera Navas, for the above-mentioned subject.
Kind regards,
[1]cid:image001.png@01D4D8CD.D37C9700 EDPS Secretariat
[2]| Tel. (+32) 228 31900 | Fax +32(0)22831950 | ›
Email [3][EDPS request email]
European Data Protection Supervisor
Postal address: Rue Wiertz 60, B-1047 Brussels
Office address: Rue Montoyer 30, B-1000 Brussels
[4]Twitter [5]@EU_EDPS [6]Website [7]www.edps.europa.eu
This email (and any attachment) may contain information that is internal or confidential. Unauthorised access,
use or other processing is not permitted. If you are not the intended recipient please inform the sender by
reply and then delete all copies. Emails are not secure as they can be intercepted, amended, and infected with
viruses. The EDPS therefore cannot guarantee the security of correspondence by email.
Data Protection Notice
According to Articles 15 and 16 of Regulation (EU) 2018/1725 (the Regulation) on the protection of natural
persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies
and on the free movement of such data, we are processing your personal data, where proportionate and
necessary, for the purpose of answering your request. The legal base for this processing operation is
Regulation (EC) 1049/2001 and Article 52(4) of the Regulation (EU) 2018/1725. Subject to applicable rules
under EU legislation, the personal data relating to you, as provided in your request as well as personal data
that might be collected while processing your request, are used solely for the purpose of replying to your
request. EDPS staff members dealing with the request will have access to the case file containing your
personal data on a need-to-know basis. All access to case files is logged. Your personal data are not
disclosed outside the EDPS. Your personal data will be stored electronically for a maximum of ten years after
the closure of the case, or as long as the EDPS is under a legal obligation to do so. You have the right to
access your personal data held by the EDPS and to relevant information concerning how we use it. You have the
right to rectify your personal data. Under certain conditions, you have the right to ask that we delete your
personal data or restrict its use. We will consider your request, take a decision and communicate it to you.
For more information, please see Articles 14 to 21, 23 and 24 of the Regulation. Please note that in some
cases restrictions under Article 25 of the Regulation may apply. Any request to exercise your rights should be
addressed to the EDPS at [8][EDPS request email]. You may contact the data protection officer of the EDPS
([9][email address]), if you have any remarks or complaints regarding the way we process your personal
data. You have the right to lodge a complaint with the EDPS, as supervisory authority. Any such request should
be addressed to the EDPS at [10][EDPS request email]. You can reach the EDPS in the following ways: E-mail:
[11][EDPS request email]; EDPS postal address: European Data Protection Supervisor, Rue Wiertz 60, B-1047
Brussels, Belgium. For more information, please refer to the extended version of the data protection notice
available on the EDPS website:
[12]https://edps.europa.eu/data-protection/o....
References
Visible links
2. file:///tmp/tel:+3222831900
3. mailto:[EDPS request email]
5. http://twitter.com/EU_EDPS
http://twitter.com/EU_EDPS
7. http://www.edps.europa.eu/
http://www.edps.europa.eu/
8. mailto:[EDPS request email]
9. mailto:[email address]
10. mailto:[EDPS request email]
11. mailto:[EDPS request email]
12. https://edps.europa.eu/data-protection/o...
Nicole Maes dejó un comentario ()
The EDPS replied to my request as if it was a request to an initial application and not a reply to a confirmatory application. But we were already at the confirmatory application stage. Therefore I filed a case at the Ombudsman against their refusal to disclose the documents.