This is an HTML version of an attachment to the access to information request 'Data Breach Notifications'.


THOMAS ZERDICK
IT POLICY UNIT
Mr Alexander FANTA
by email only: ask+request-7711-xxxxxxxx@xxxxxxxx.xxx

Brussels,
TZ/ALS/ / C 2020-0251
Please use xxxx@xxxx.xxxxxx.xx for all correspondence
Subject: Your request for access to documents under Regulation (EC) 1049/2001
Dear Mr Fanta,
On 26 February 2020 you sent an access to documents request to the EDPS on the basis of 
Regulation (EC) 1049/2001, which was registered on the same day. On 12 March 2020, the 
EDPS informed you about the extension of the deadline in accordance with Article 7(3) of
Regulation (EC) 1049/2001.
Your request concerns a list of all personal data breach notifications the EDPS received since 
12 December 2018, including which EU institutions, bodies and agencies (EUIs) reported
the breach, the date, the type of breach and a brief summary in each case.
The EDPS has received 128 data breach notifications since 12 December 2018 and the EDPS
holds a register where these notifications are listed. Of these 128 cases, 28 are closed.
Open cases
Regarding access to the information about the 100 cases that are open, we regret to inform you 
that access is denied in line with Article 4(2) third indent of Regulation (EC) 1049/2001 relating 
to the protection of the purpose of inspections, investigations and audits. According to this
provision, access should be refused if the disclosure of a document could possibly undermine 
the completion of inspections, investigations or audits.
In order for the EDPS's investigations to be effective and lead to the desired result as regards
the correct application of Regulation (EU) 2018/1725, it is essential that confidentiality of such
investigations in these cases is preserved. Disclosing any information and/or documents
related to these ongoing investigations would unduly interfere with the procedure and may
undermine the rights and interests of the entities concerned. Additionally, disclosure of the
information could possibly undermine the completion of these investigations.
Postal address: rue Wiertz 60 - B-1047 Brussels
Offices: rue Montoyer 30 - B-1000 Brussels
E-mail: xxxx@xxxx.xxxxxx.xx - Website: www.edps.europa.eu
Tel.: 32 2-283 19 00 - Fax : 32 2-283 19 50

Closed cases
Regarding the 28 closed cases, we have consulted the EUIs that reported the breaches in
accordance with Article 4(4) of Regulation (EC) 1049/2001. 
We are pleased to inform you that access is granted to the information included in our register
in line with your request with one exception. This concerns one of Europol’s cases (notified on 
11/12/2018), where they are of the opinion that partial access can be granted. Europol considers
Article 4(1)(a) first indent applicable for parts of the description of the case, since disclosure of 
this information would undermine the protection of the public interest as regards public
security, such as the proper fulfilment of Europol’s tasks.
Please note that pursuant to Article 7(2) of Regulation 1049/2001, you may make a
confirmatory application asking the EDPS to reconsider his position as regards the partial
refusal of your request. Such a confirmatory application should be addressed within 15 working
days upon receipt of this letter to the EDPS general e-mail: xxxx@xxxx.xxxxxx.xx.
Yours sincerely,
[electronically signed]
Thomas ZERDICK, LL.M.
Head of IT Policy Unit
Data Protection Notice
According to Articles 15 and 16 of Regulation (EU) 2018/1725 on the protection of natural 
persons with regard to the processing of personal data by the Union institutions, bodies, offices 
and agencies and on the free movement of such data, please be aware that your personal data 
will be processed by the EDPS, where proportionate and necessary, for the purpose of
answering your request. The legal base for this processing operation is Regulation (EC)
1049/2001 and Article 52(4) of the Regulation (EU) 2018/1725. Subject to applicable rules
under EU legislation, the personal data relating to you, as provided in your request, are used
solely for the purpose of replying to your request. EDPS staff members dealing with the request
will have access to the case file containing your personal data on a need-to-know basis. Your
personal data are not disclosed outside the EDPS. Your personal data will be stored
electronically for a maximum of ten years after the closure of the case, or as long as the EDPS
is under a legal obligation to do so. You have the right to access your personal data held by the
EDPS and to obtain the rectification thereof, if necessary. Any such request should be
addressed to the EDPS at xxxx@xxxx.xxxxxx.xx. You may contact the data protection officer
of the EDPS (xxxxxxxx@xxxx.xxxxxx.xx), if you have any remarks or complaints regarding 
the way we process your personal data.
