To: Mr Heiko Roth
xxxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxx.xxx
Brussels, 28/02/2022
Subject: Case 2022-04 - Your application for access to documents
Dear Mr Roth,
We refer to your e-mail dated 12/01/2022 in which you make a request for access to documents,
registered on 17/01/2022 under reference number 2022-04.
In accordance with article 7(8) of Regulation 1049/2001, a 15-working day extension of the
initial deadline was submitted to you on 07/02/2022. Thus, the final deadline for replying to
the initial request is 28/02/2022.
You requested access to documents containing the following information:
“1) Indication whether and how the service Confluence of the company Atlassian is
used by the EDPB. According to information from the BfDI (Federal Commissioner for
Data Protection and Freedom of Information), the EDPB currently uses Confluence.
This was the result of an inquiry (in German) via: https://fragdenstaat.de/anfrage/avv-
sdpc-und-tia-fur-die-nutzung-des-dienstes-confluence-durch-die-
dsk/657648/anhang/920_2022ScNAMENAMEeibenanAntNAMEagstelleNAME_gesch
waerzt.pdf
2) If this service is used by the EDPB, for example to conduct meetings of the authority
representatives:
a) I would like to know which authority is the contractual partner of the service
provider Atlassian.
b) Please indicate whether and which transfers according to Art. 44 S. 1, 46
DSGVO are triggered by the use of the Confluence service and what purpose
these transmissions serve.
c) I request all contracts concluded with Atlassian in this regard that are
necessary under data protection law (redacted). At least by name: contract for
commissioned processing according to Art. 28 DSGVO as well as standard data
protection clauses according to Art. 46 DSGVO.
d) I request the provision of the "Transfer Impact Assessment" required
pursuant to clause 14 of the current standard data protection clause sets of the
EU Commission or the "Transfer Impact Assessment" required pursuant to Art.
46 (1) DSGVO in conjunction with the principles from Schrems II with respect
1
to the data transfers that may be associated with the use of the Confluence
service.”
Assessment
We would like to take this opportunity to clarify that the Regulation applicable to the European
Data Protection Board for any processing of personal data as a controller is the one that applies
to all EU institutions, bodies and agencies, namely Regulation 2018/1725,1 and not the General
Data Protection Regulation.
We have identified 21 documents falling within the scope of your request.
You may reuse the documents requested free of charge for non-commercial and commercial
purposes provided that the source is acknowledged and that you do not distort the original meaning
or message of the document/documents. Please note that neither the EDPB, nor its Secretariat
assume liability stemming from the reuse.
To facilitate our assessment and your consultation of the files, the titles of the files have been
adequately numbered. We will refer to the numbers of each single file in our assessment below.
1. Full non-disclosure
Having examined the documents requested under the provisions of Regulation (EC) No
1049/2001 regarding public access to documents, we have come to the conclusion that the
documents mentioned below cannot be disclosed. Their disclosure is prevented by the following
exceptions to the right of access laid down in Article 4 of the Regulation, namely:
Exceptions applicable under Article 4 Regulation 1049/2001:
(a) Exception 4(1)(b) (“Privacy and integrity of the individual”). The following
documents to which you request access contain personal data, in particular names and
contact details of data subjects, as well as other personal information. Pursuant to Article
4(1)(b) of Regulation (EC) No 1049/2001, access to a document has to be refused if its
disclosure would undermine the protection of privacy and the integrity of the individual,
in particular in accordance with EU legislation regarding the protection of personal data.
The applicable legislation in this field is Regulation (EU) 2018/1725 of the European
Parliament and of the Council of 23 October 2018 on the protection of natural persons
with regard to the processing of personal data by the Union institutions, bodies, offices
and agencies and on the free movement of such data, and repealing Regulation (EC) No
45/2001 and Decision No 1247/2002/EC. When access is requested to documents
containing personal data, Regulation 2018/1725 becomes fully applicable2. According to
Article 9(1)(b) of this Regulation, personal data shall only be transferred to recipients if
1
2 Judgment of the Court of Justice of the European Union of 29 June 2010 in Case C-28/08 P,
Commission/The
Bavarian Lager Co. Ltd, ECR 2010 I-06055. This case concerns the previous Regulation (EC) No 45/2001 of the
European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the
processing of personal data by the Community institutions and bodies and on the free movement of such data.
2
they establish the necessity of having the data transferred to them for a specific purpose in
the public interest and the controller considers it proportionate. We consider that, with the
information available, the necessity of disclosing the aforementioned personal data to you
has not been established and/or that it cannot be assumed that such disclosure would not
prejudice the legitimate rights of the persons concerned. Therefore, we are disclosing a
version of the documents requested in which these personal data have been redacted.
Please, note that the personal data redacted concern staff members and other private
persons, whereas the full names of those holding publicly known positions have been kept.
In addition, all metadata containing direct or indirect identifiers that would allow for an
identification of a specific data subject was removed for the entirety of documents assessed
in accordance with the exception mentioned above.
This exception applies to the following documents:
Documents: 11, 12, 13, 14, 15, 16
(b) Exception 4(3), 1st paragraph: The disclosure of these documents would seriously
undermine the decision-making process of the EDPB as they relate to matters where a
decision has not been taken by the Board and contain discussions, views and/or opinions
of the EDPB Secretariat. The disclosure of said discussions, views and/or opinions would
prevent the involved parties of contributing for internal discussions in an unrestrained and
uncensored manner, thus seriously impairing the quality of the discussions and, ultimately,
of the decision-making process of the EDPB, of which the Secretariat is an integral part.
Furthermore, due to ongoing discussions regarding some of these documents and their
content, their disclosure can lead the public to consider them, and the opinions they
contain, as final, which is bound to create confusion about any final views adopted by the
Board and/or its Secretariat as a whole.
This exception applies to the following documents:
Documents: 11, 14, 15, 16
(c) Exception 4(3), 2nd paragraph: These documents contain discussions, views and/or
opinions of the EDPB Secretariat staff members concerning decisions that have already
been taken. Their disclosure would seriously undermine the decision-making process of
the EDPB as it would curtail the staff members “space to think”, as it would prevent them
from freely submitting their uncensored views on the matter, and freely discussing the
issues at stake and provide their legal opinions and advice on specific issues.
This exception applies to the following documents:
Documents: 12, 13
We have considered whether partial access could be granted to the documents requested.
However, the document(s) are either entirely covered by the exception(s), or the expungement of
the information falling under the exception(s) is so significant that it renders the document
irrelevant, which is why they are not provided.
3
Finally, we have examined whether there could be an overriding public interest in disclosing these
documents, but we have not been able to identify such an interest. For these reasons, access to
these documents is denied.
3. Partial disclosure
Having examined the documents requested under the provisions of Regulation (EC) No
1049/2001 regarding public access to documents, alongside the scope of your request, I have come
to the conclusion that full disclosure of the documents cannot be granted. Some parts of the
documents have been redacted as the information either falls outside the scope of your request or
its disclosure is prevented by the following exceptions to the right of access laid down in Article
4 of Regulation 1049/2001:
Documents falling partially outside the scope of the request:
Documents 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 17, 18, 19, 20, 21
Exceptions applicable under Article 4 Regulation 1049/2001:
(a) Exception 4(1)(b) (“Privacy and integrity of the individual”). The following
documents to which you request access contain personal data, in particular names and
contact details of data subjects, as well as other personal information. Pursuant to Article
4(1)(b) of Regulation (EC) No 1049/2001, access to a document has to be refused if its
disclosure would undermine the protection of privacy and the integrity of the individual,
in particular in accordance with EU legislation regarding the protection of personal data.
The applicable legislation in this field is Regulation (EU) 2018/1725 of the European
Parliament and of the Council of 23 October 2018 on the protection of natural persons
with regard to the processing of personal data by the Union institutions, bodies, offices
and agencies and on the free movement of such data, and repealing Regulation (EC) No
45/2001 and Decision No 1247/2002/EC. When access is requested to documents
containing personal data, Regulation 2018/1725 becomes fully applicable3. According to
Article 9(1)(b) of this Regulation, personal data shall only be transferred to recipients if
they establish the necessity of having the data transferred to them for a specific purpose in
the public interest and the controller considers it proportionate. We consider that, with the
information available, the necessity of disclosing the aforementioned personal data to you
has not been established and/or that it cannot be assumed that such disclosure would not
prejudice the legitimate rights of the persons concerned. Therefore, we are disclosing a
version of the documents requested in which these personal data have been redacted.
Please, note that the personal data redacted concern staff members and other private
persons, whereas the full names of those holding publicly known positions have been kept.
3 Judgment of the Court of Justice of the European Union of 29 June 2010 in Case C-28/08 P,
Commission/The
Bavarian Lager Co. Ltd, ECR 2010 I-06055. This case concerns the previous Regulation (EC) No 45/2001 of the
European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the
processing of personal data by the Community institutions and bodies and on the free movement of such data.
4
In addition, all metadata containing direct or indirect identifiers that would allow for an
identification of a specific data subject was removed for the entirety of documents assessed
in accordance with the exception mentioned above.
This exception applies to the following documents:
Documents: 1, 3, 4, 5, 6, 7, 8
5.
Exception 4(3), 2nd paragraph. The redacted sections of these documents contain
discussions, views and/or opinions of the EDPB members and/or of its Secretariat
concerning decisions that have already been taken. Their disclosure would seriously
undermine the decision-making process of the EDPB as it would curtail the Members
“space to think”, since it would prevent them from freely submitting their uncensored
views on the matter, and freely discussing the issues at stake. The disclosure of these
opinions will also have consequences in forthcoming discussions, since specific
discussions/opinions/views of the EDPB are subject to updates and revisions and can thus
be reopened at any time.
Furthermore, one of the documents which you seek to obtain contain information, namely
links, whose disclosure could jeopardise the security of our IT systems. Disclosure of such
information could potentially threaten the security of the IT systems used by the EDPB
and, therefore, it would undermine the decision-making process of the EDPB. This
exception applies to 1 document of the total number of documents identified.
This exception applies to the following documents:
Documents: 6, 9, 10, 18
In the case of documents 9 and 18, these had been previously provided in the context of other
requests for access to documents, which means they were already in the public sphere. We have
reassessed them in order to determine whether the applicable exceptions could be removed, but
considered that they remained applicable.
The exceptions laid down in Articles 4(2) and 4(3) of Regulation 1049/2001 apply unless there is
an overriding public interest in disclosure of the documents. We have not been able to identify
such an interest.
In accordance with Article 7(2) of Regulation 1049/2001, you are entitled to make a confirmatory
application requesting the European Data Protection Board to review this position.
Such a confirmatory application should be addressed within 15 working days upon receipt of this
letter to the following email address: xxxx@xxxx.xxxxxx.xx. Please make reference to the case
number of your request in the subject.
Yours faithfully,
Ventsislav Karadjov
5
Vice-Chair of the EDPB
6