This is an HTML version of an attachment to the access to information request 'EDPS documents, prior notifications DG ENTR DPO-3334.1, DG INFSO DPO-3338.1, DG RTD DPO-3398, DG MOVE-ENER DPO-3420.1, FP6 & FP7 programmes, extenral financial audits'.


EDPS - European Data Protection Supervisor 
  CEPD - Contrôleur européen de la protection des données 
 
 
 
Opinion on the notification for prior checking received regarding the "Manager 
Desktop" file of the European Investment Bank 
 
Brussels, 12 July 2005 (Case 2004-307) 
 
 
Procedure 
 
On 20 July 2004 the European Data Protection Supervisor (EDPS) sent a letter to the 
Data Protection Officers asking them to contribute to the preparation of an inventory of 
data processing that might be subject to prior checking by the EDPS as provided for by 
Article 27 of Regulation (EC) No 45/2001. The EDPS requested notification of all 
processing operations subject to prior checking, including those that commenced before 
the Supervisor was appointed and for which checking could never be regarded as prior, 
but which would be subject to "ex post" checking. 
 
On 13 September 2004 the European Investment Bank's Data Protection Officer presented 
the list of cases that required prior checking ex-post, in particular those concerning the 
evaluation of aspects of the data subject (ability, efficiency, conduct). 
 
The European Data Protection Supervisor identified certain priority topics and selected a 
number of processing operations subject to prior checking ex-post that required 
notification. Staff evaluation is among them. 
 
Notification within the meaning of Article 27(3) of Regulation (EC) No 45/2001 was 
given by Mr Jean-Philippe MINNAERT, Data Protection Officer of the European 
Investment Bank (hereinafter EIB) by letter dated 21 April 2005.  
 
Information was requested in e-mails dated 2 and 11 May 2005. On 20 May 2005, the 
Manager Desktop database was demonstrated at the premises of the EIB in Brussels. 
 
Further information was requested by e-mail on 9 June 2005 and received on 27 June 
2005. 
 
Facts 
 
The Manager Desktop programme allows hierarchical superiors on-line access to 
professional data that they need in order to manage staff under their responsibility, with 
the exception of any personal data such as address, place of birth, family circumstances or 
data relating to dependants. 
 
Each hierarchical superior (Director-General, Director, Head of Division, Head of 
External Office, Head of Unit or persons delegated by them) may consult only the data 
relating to the staff members under their responsibility. 
 
 

The following data are accessible:
 
•  linguistic knowledge; 
•  career profile at the bank (reasons for change of grade or step are indicated: merit, 
promotion, new posting, reclassification, reorganisation); 
•  diplomas; 
•  basic salary; 
•  résumé of courses followed since recruitment; 
•  official telephone calls. 
 
Furthermore, the Job History Summary screen also shows: 
 
•  date of birth; 
•  nationality; 
•  the type of employment contract (for an indefinite or definite period, with, in the 
latter case, expiry date of the contract); 
•  basic salary. 
 
The database also makes it possible to see the data contained in the REVIEW ALL 
APPLICANTS folder. This heading enables the manager to see the candidates for a post; 
the data given after selecting this heading are professional qualifications, experience inside 
and outside the EIB, foreign languages, continuous training followed and the candidate's 
motivation. 
 
Origin and retention of data 
 
Personal files are kept on paper only. The data mentioned above comes from personal 
files. Three persons (IT specialists) from the Directorate for Human Resources encode the 
data taken from the personal files for the purpose of inserting them into the Manager 
Desktop application. 
 
According to information received after the EDPS was notified of the processing 
operation, the data contained in the Manager Desktop application are erased when the staff 
member ceases to be employed. 
 
The data subjects are informed as follows: 
 
The data subjects were informed when the data was collected at the time of recruitment, 
with the staff member's agreement, in order to enable the EIB to analyse the applications. 
 
Initial information on the functioning of the system was provided by means of oral 
presentations on its functionality in February 2002, and in an explanatory note dated 27 
February 2002 from the HR Directorate. 
 
Since then, a presentation of the system has been given systematically to new colleagues 
in the framework of information sessions given on induction. All staff can access notes 
and reference documents concerning manager desktop via the Internet. 
 
An explicit warning as to the confidential nature of the data accessible via manager 
desktop, together with a reference in the form of a hyperlink to Regulation (EC) N° 
45/2001 of 18 December 2000, is given on the PSFT RH application home page. 
 
 

Lastly, staff members can individually access all their own personal data contained in 
manager desktop via the free service PSFT <My HR> (in addition to the data of a private 
nature mentioned in 4 above which are not included in the manager desktop). 
 
Access to data 
 
The number of persons with access to information is very limited. Hierarchical superiors 
may consult only the data relating to staff under their responsibility. 
 
Access to such data is protected by three passwords: one to enter the system, a personal 
password to enter the RH domain, followed by a third password that only Managers 
possess (this password is changed every three months). Each staff member has the right to 
access and, if necessary, correct his or her personal data. This can be done via "Self-
service Employee" or by submitting a reasoned request to RH (e.g. career data prior to 
taking up a post, diplomas). 
 
Managers have access to data on members of their team for as long as they remain in post 
(except where access is suspended by RH). 
 
Managers who change posts no longer have access to the data corresponding to their 
former function, except where they have been promoted within the same department. 
 
Data on persons who have left the EIB are no longer accessible to managers. 
 
Official telephone calls 
 
Telephone calls can be made at the EIB by dialling the prefixes 0 or 10. Calls with the 
prefix 0 are official and are paid for by the EIB. 
 
Calls using the prefix 10 are private, are paid for by staff members and are not known to 
the Managers. 
 
The data indicated on the lists of official calls are as follows: date, time, number called, 
duration, cost, total monthly cost of calls. The Bank's human resources intranet enables 
every staff member to consult the list of telephone calls he or she has made and to approve 
("approved" box) or modify the classification (official or private) of the numbers listed. 
The list of official calls is updated at the end of each month. 
 
While mobile phones can also be used for both official and private calls, such official calls 
made from mobile phones are not recorded on the list that can be accessed by the manager 
via the Manager desktop application. 
 
Thus, the list of official calls contained in the Manager Desktop enables managers to see 
the cost of telephone calls made by their staff for official reasons. The telephone call 
database is updated once a month. The list of official calls shows the manager what is 
charged to his management budget. Telephone data are erased each month when the list is 
updated. 
 
 
 
 
 
 

Legal aspects 
 
1. Prior checking 
 
The notification received by e-mail on 21 April 2005 signifies the processing of personal 
data ("any information relating to an identified or identifiable natural person" - Art. 2(a)), 
and therefore comes within the scope of Regulation (EC) N° 45/2001. 
 
Article 27(1) of Regulation No 45/2001 makes "processing operations likely to present 
specific risks to the rights and freedoms of data subjects by virtue of their nature, their 
scope or their purposes" subject to prior checking by the European Data Protection 
Supervisor. This is the case here, since official telephone calls are checked. 
 
Processing is also subject to the provisions of Article 27(2)(b): "The following processing 
operations are likely to present such risks: processing operations intended to evaluate 
personal aspects relating to the data subject, including his or her ability, efficiency and 
conduct", which is the case here. 
 
The Manager Desktop database can be seen as a tool for collecting data for use, in 
particular, in determining which persons correspond to a desired profile or choosing 
persons on the basis of their abilities when allocating a project or dossier. The reasons for 
changes in grade or step throughout an employee's career are also indicated and clearly 
show that the information obtained is used for the purpose of evaluation. In these respects, 
Manager Desktop falls within the scope of Article 27(2)(b) of Regulation (EC) No 
45/2001.  
 
Furthermore, the listing of official telephone calls raises the problem of data protection in 
the context of internal telecommunications networks. The processing of traffic data 
presents particular problems of such importance that Chapter IV of the Regulation 
provides for specific arrangements and special guarantees (Articles 34 to 40 of Regulation 
No 45/2001). Checks on telephone calls can also represent a way of evaluating official 
telephone use and the appropriateness of that use. This has direct consequences both for 
telecommunications budget management (Article 37(2) of the Regulation) and for 
evaluating personal aspects (Article 27(2)(b)). 
 
The EIB Data Protection Officer's notification was received on 21 April 2005. Various 
information was provided in e-mails dated 2 and 11 May 2005. 
 
On 12 May 2005 (22nd day) an appointment was made for a demonstration of the EIB's 
Manager Desktop database. Pursuant to Article 27(4) of Regulation (EC) No 45/2001, the 
two-month period within which the European Data Protection Supervisor has to deliver 
his opinion was suspended, to allow time for this demonstration to take place. 
 
On 20 May 2005 the Manager Desktop database was demonstrated at the EIB's office in 
Brussels. By e-mail dated 20 May 2005 and following the appointment at the EIB, many 
questions were asked. The period therefore continued to be suspended since then. Replies 
were given by e-mail on 26 May 2005. 
 
Other information was requested in an e-mail dated 9 June 2005. Some of the replies were 
provided on a CD-ROM received on 20 June 2005. The period continued to be suspended. 
The most recent information was provided by telephone on 27 June 2005. 
 
 

The European Data Protection Supervisor will therefore deliver his opinion by 21 July 
2005 at the latest, as laid down in Article 27(4) of the Regulation. 
 
In principle, checks by the European Data Protection Supervisor should be carried out 
prior to introduction of the data processing operation. In this case, as the European Data 
Protection Supervisor was appointed after the system was set up, the check necessarily has 
to be performed ex-post. However, this does not alter the fact that it would be desirable for 
the recommendations issued by the European Data Protection Supervisor to be 
introduced.  
 
2. Legal basis and lawfulness of the processing operation 
 
Under its Statute, the European Investment Bank enjoys autonomy of decision-making 
within the Community institutional system. Pursuant to Article 29 of the Bank's Rules of 
Procedure, the Administrative Board adopts regulations concerning staff. The staff 
regulations lay down the general conditions of employment of staff. 
 
The legal basis for this processing operation derives from the regulations governing the 
institution's relations with its staff and from the administrative provisions and information 
notes intended for all staff. The legal basis is therefore admissible in the sense that the 
database is required for the purpose of better personnel management. 
 
Analysis of the legal basis in relation to Regulation (EC) No 45/2001 and analysis of the 
lawfulness of the processing operation are complementary. Article 5(a) of Regulation (EC) 
No 45/2001 stipulates that "processing is necessary for the performance of a task carried 
out in the public interest on the basis of the Treaties establishing the European 
Communities … or in the legitimate exercise of official authority vested in the Community 
institution".  
Management of the European Investment Bank's official data on the Bank's 
staff comes under the legitimate exercise of official authority vested in the institution and 
is useful for the management of personnel services. Thus the processing operation is 
lawful. 
 
Reference to Article 5(c) in the staff note ("the processing is necessary for the 
performance of a contract to which the data subject is party or in order to take pre-contractual 
measures at the request of the data subject") does not seem relevant in that it is the 
legitimate exercise of official authority vested in the institution that is inherent in the 
process, not the performance of the contract. 
 
The listing of official telephone calls raises the problem of the legal basis in a much 
broader sense. The retention of traffic data and the establishment of average costs is 
clearly covered by the definition of "processing" given in Article 2(b) of the Regulation. 
The system makes it possible to link the various internal telephone numbers to information 
on the user. In this specific case, the total amount charged to an internal telephone number 
is associated with a user. The data must therefore be described as "personal data" within 
the meaning of Article 2(a). 
 
One objective was identified in the information provided subsequently: to enable the 
manager to see what is charged to his management budget. Furthermore, we are told that 
"Manager Desktop has this facility because we regard it as having a professional purpose 
and it avoids having to create another computer tool solely for this function". This is 
acceptable only in the context of IT effectiveness, and then solely provided the staff are 
informed of it (see point 8 below). 
 

 
The lawfulness of the processing of such data is covered by the legitimate exercise of 
official authority vested in the EIB as an institution by virtue of which it must effectively 
manage the use of the telecommunications tools in its offices (Article 5(a)). This first 
point is borne out by the provisions of Article 37(2), which imply that such processing is 
lawful if carried out "for the purpose of telecommunications budget and traffic 
management…". 
 
3. Data quality
 
Data must be "adequate, relevant and not excessive" (Article 4(1)(c) of Regulation (EC) 
No 45/2001) in relation to the purposes for which they are collected. The processed data 
described at the beginning of this opinion must be regarded as meeting these descriptions 
as regards processing, with the following exceptions. 
 
Data relating to official telephone calls must be examined in the light of the 
proportionality rule contained in Regulation (EC) No 45/2001. Some data appear 
excessive in relation to this rule, and it would seem sufficient to mention only the number 
and the cost. Other details are not necessary. 
 
Indication of the basic salary seems pointless, which is why the European Data Protection 
Supervisor recommends its removal. In fact, without a specific explanation as to why the 
data are there, the manager does not need them. Even if they are public knowledge, their 
presence is excessive from the viewpoint of the purpose of processing and therefore does 
not meet the requirements of Article 4(1)(c). 
 
Furthermore, data must be processed fairly and lawfully (Article 4(1)(a) of Regulation 
(EC) No 45/2001). The lawfulness has already been examined. Given the sensitivity of the 
subject, fairness warrants considerable attention. It is linked to the information that has to 
be forwarded to the data subject (see point 8 below). 
 
Lastly, the data must be "accurate and, where necessary, kept up to date; every 
reasonable step must be taken to ensure that data which are inaccurate or incomplete, 
having regard to the purposes for which they were collected or for which they are further 
processed, are erased or rectified" (Article 4(1)(d) of the Regulation). The information 
sheet on the Manager Desktop process clearly mentions the right of rectification available 
to staff and the means of exercising it. In this instance Article 4(1)(d) of the Regulation is 
duly complied with. 
 
4. Data retention 
 
Article 4(1)(e) of Regulation (EC) No 45/2001 posits the principle that data must be "kept 
in a form which permits identification of data subjects for no longer than is necessary for 
the purposes for which the data were collected or for which they are further processed". 
 
As far as the retention of the data themselves is concerned, the data contained in the 
Manager Desktop application are erased when the staff member ceases to be employed. 
While the data in a personal file are in fact retained throughout a staff member's career, 
including retirement, the same cannot be said for data contained in the Manager Desktop 
database. The criteria which apply to personal files cannot be applied to the Manager 
Desktop application. That is why the criterion of erasure when the staff member ceases to 
be employed is relevant. 
 

 
The possibility of storing data for historical, statistical or scientific reasons is not 
mentioned in the notification. Should it prove necessary to keep data for historical, 
statistical or scientific use, the data should be stored anonymously. In the context of 
storing data for historical, statistical or scientific reasons, the European Data Protection 
Supervisor recommends rendering the data anonymous when the staff member ceases to 
be employed.  
 
With respect to the retention of data on telephone calls, we are told that data are erased on 
a monthly basis, following the update of the list (once a month). The conditions set out in 
Article 37(2) are fulfilled (6 months). Furthermore, given that there is no need here for 
prior checking of the system which manages the list of official calls and that the data are 
erased rapidly, everything is in accordance with the provisions of Regulation (EC) No 
45/2001. 
 
5. Change of purpose, compatible use 
 
Most data have been extracted from staff databases. The processing operation being 
reviewed involves no general change of the specified purpose of staff databases and is not 
incompatible with that purpose. Accordingly, Article 6(1) of Regulation (EC) No 45/2001 
is not applicable to the case in point and the conditions of Article 4(1)(b) of the Regulation 
are fulfilled. 
 
6. Transfer of data 
 
There is no transfer in the sense that Manager Desktop is in a way an electronic copy of 
certain data from the personal files. Besides, some parts of that file are subject to prior 
checking. On the other hand, traffic data are transferred by the persons handling billing, 
traffic or budget management in the directorate responsible for equipment and telephones. 
 
The processing operation should also be scrutinised in the light of Article 7(1) of 
Regulation (EC) No 45/2001. This processing is the transfer of personal data within or to 
other Community institutions or bodies "if the data are necessary for the legitimate 
performance of tasks covered by the competence of the recipient". 
 
As this is an internal transfer within the institution, the conditions of Article 7(1) are indeed 
fulfilled since the data collected are necessary for carrying out the processing and, 
furthermore, are necessary for the legitimate performance of tasks covered by the 
competence of the recipient.
 
 
7. Processing including the personnel number or identifying number
 
The European Investment Bank uses the staff number. While the use of an identifier is, in 
itself, no more than a means (and a legitimate one in this case) of facilitating the task of 
the personal data controller, its effects may nevertheless be significant. This was why the 
European legislator decided to regulate the use of identifying numbers under Article 10(6) 
of the Regulation, which makes provision for action by the European Supervisor. In this 
case, the use of the personnel number may allow the linkage of data processed in different 
contexts. Here, it is not a case of establishing the conditions under which the European 
Investment Bank may process the personnel number, but rather of drawing attention to 
this point in the Regulation. In this instance, the European Investment Bank's use of the 
personnel number is reasonable because it is a means of facilitating the processing task. 
 

 
8. Information for data subjects 

The notification states that the data subjects, in this instance the staff of the European 
Investment Bank, are informed by means of administrative arrangements, the Human 
Resources intranet page and internal memoranda. 
 
The provisions of Article 12 on information for the data subject apply in this case. The 
provisions set out in subparagraphs (a) (identity of the controller), (b) (purposes of the 
processing operation), (c) (categories of data concerned), (d) (recipients or categories of 
recipients) and (e) ("the existence of the right of access to, and the right to rectify, the data 
concerning him or her") are indeed complied with. 
 
There is no reference to data on official telephone calls. The information note and the staff 
note have to be amended accordingly. Nor is there any reference to the basic salary (although 
these data are included with the others). They are not mentioned in the notification to the 
controller either. The lawfulness of the processing operation must be stated in the 
information note and in the staff note. That is why the European Data Protection 
Supervisor is asking that the two notes be rectified accordingly. 
 
However, there is no mention in either the notification or its annexes of the information 
referred to in subparagraph (f) of the same Article, which is not compulsory (legal basis 
for the processing operation, time-limits for storing the data, right to have recourse at 
any time to the European Data Protection Supervisor). Such information ensures fair 
processing. These aspects should be made known to the person to be informed. 
 
In view of these considerations, the European Data Protection Supervisor would like the 
information referred to in Article 12(1)(f) of the Regulation to be mentioned in every 
information medium (staff notes, information notes, intranet Human Resources page, etc.) 
and through any other appropriate means. 
 
9. Right of access and of rectification
 
Article 13 of Regulation (EC) No 45/2001 makes provision, and sets out the rules, for 
right of access at the request of the data subject. Article 14 of Regulation (EC) No 45/2001 
allows the data subject a right to rectification. The notification mentions the possibility of 
access to and rectification of the file by a staff member, as does the information note. 
 
In this instance Article 13 of Regulation (EC) No 45/2001 as well as Article 14 have 
indeed been complied with. 
 
Regarding the "approved" box, given that there is no prior checking of the system that 
manages the telephone calls and that, moreover, it is established that they are solely 
official calls, the European Data Protection Supervisor is merely commenting on the 
appropriateness of such a box in the context of the Manager Desktop application. It is a 
tool that ensures the quality of the data and allows the data subject to exercise his/her right 
to rectification. 
 
10.  Security
 
In accordance with Article 22 of Regulation (EC) No 45/2001 on security of processing, 
"the controller shall implement appropriate technical and organisational measures to 
ensure a level of security appropriate to the risks represented by the processing and the 
nature of the personal data to be protected." 
 
In view of the security measures presented, the European Data Protection Supervisor 
deems them to be adequate and in accordance with Article 22 of Regulation (EC) No 
45/2001. 
 
 
Conclusion 
 
The proposed processing operation does not appear to infringe the provisions of 
Regulation (EC) No 45/2001, subject to the comments made above. This implies in 
particular, that the European Investment Bank should: 
 
•  mention only the data required in view of the principle of proportionality referred to in 
Article 4(1)(c). It would appear sufficient to mention only the number and the cost. 
No other data is necessary; 
 
•  remove the reference to the basic salary, as this information does not appear to be 
relevant in the light of the purpose of the processing operation; 
 
•  render the data anonymous when the professional relationship ceases, where they are 
stored for historical, statistical or scientific reasons; 
 
•  mention in the information note and in the staff note the fact that official telephone 
calls and the basic salary (where the latter is included among the others) are data that 
appear in the Manager Desktop database. The lawfulness of the processing operation 
must be reflected in the information note and in the staff note. The information note 
and the staff note must be amended accordingly; 
 
•  mention the information referred to in Article 12(1)(f) of the Regulation (legal basis of 
the processing operation, time-limits for storing the data, right to have recourse at any 
time to the European Data Protection Supervisor) in every information medium (staff 
notes, information notes, intranet Human Resources page, etc.) and through any other 
appropriate means. 
 
 
 
Brussels, 12 July 2005 
 
 
 
The European Data Protection Supervisor 
 
Peter HUSTINX 
 
 
 