IT POLICY UNIT
Mr Alexander FANTA
by email only: ask+request-7711-
TZ/ALS/ / C 2020-0251
Please use firstname.lastname@example.org
Subject: Your request for access to documents under Regulation (EC) 1049/2001
Dear Mr Fanta,
On 26 February 2020 you sent an access to documents request to the EDPS on the basis of
Regulation (EC) 1049/2001, which was registered on the same day. On 12 March 2020, the
EDPS informed you about the extension of the deadline in accordance with Article 7(3) of
Regulation (EC) 1049/2001.
Your request concerns a list of all personal data breach notifications the EDPS received since
12 December 2018, including which EU institutions, bodies and agencies (EUIs) that reported
the breach, the date, the type of breach and a brief summary in each case.
The EDPS has received 128 data breach notifications since 12 December 2018 and the EDPS
holds a register where these notifications are listed. From these 128 cases, 28 of them are closed.
Regarding access to the information about the 100 cases that are open, we regret to inform you
that access is denied in line with Article 4(2) third indent of Regulation (EC) 1049/2001 relating
to the protection of the purpose of inspections, investigations and audits. According to this
provision, access should be refused if the disclosure of a document could possibly undermine
the completion of inspections, investigations or audits.
In order for the EDPS's investigations to be effective and lead to the desired result as regards
the correct application of Regulation (EU) 2018/1725, it is essential that confidentiality of such
investigations in these cases are preserved. Disclosing any information and/or documents
related to these ongoing investigations would unduly interfere with the procedure and may
undermine the rights and interests of the entities concerned. Additionally, disclosure of the
information could possibly undermine the completion of these investigations.
Postal address: rue Wiertz 60 - B-1047 Brussels
Offices: rue Montoyer 30 - B-1000 Brussels
E-mail: email@example.com - Website: www.edps.europa.eu
Tel.: 32 2-283 19 00 - Fax : 32 2-283 19 50
Regarding the 28 closed cases, we have consulted the EUIs that reported the breaches in
accordance with Article 4(4) of Regulation (EC) 1049/2001.
We are pleased to inform you that access is granted to the information included in our register
in line with your request with one exception. This concerns one of Europol’s cases (notified on
11/12/2018), where they are of the opinion that partial access can be granted. Europol considers
Article 4(1)(a) first indent applicable for parts of the description of the case, since disclosure of
this information would undermine the protection of the public interest as regards public
security, such as the proper fulfilment of Europol’s tasks.
Please note that pursuant to Article 7(2) of Regulation 1049/2001, you may make a
confirmatory application asking the EDPS to reconsider his position as regards to the partially
refusal of your request. Such a confirmatory application should be addressed within 15 working
days upon receipt of this letter to the EDPS general e-mail: firstname.lastname@example.org.
Thomas ZERDICK, LL.M.
Head of IT Policy Unit
Data Protection Notice
According to Articles 15 and 16 of Regulation (EU) 2018/1725 on the protection of natural
persons with regard to the processing of personal data by the Union institutions, bodies, offices
and agencies and on the free movement of such data, please be aware that your personal data
will be processed by the EDPS, where proportionate and necessary, for the purpose of
answering your request. The legal base for this processing operation is Regulation (EC)
1049/2001 and Article 52(4) of the Regulation (EU) 2018/1725. Subject to applicable rules
under EU legislation, the personal data relating to you, as provided in your request, are used
solely for the purpose of replying to your request. EDPS staff members dealing with the request
will have access to the case file containing your personal data on a need-to-know basis. Your
personal data are not disclosed outside the EDPS. Your personal data will be stored
electronically for a maximum of ten years after the closure of the case, or as long as the EDPS
is under a legal obligation to do so. You have the right to access your personal data held by the
EDPS and to obtain the rectification thereof, if necessary. Any such request should be
addressed to the EDPS at email@example.com. You may contact the data protection officer
of the EDPS (firstname.lastname@example.org), if you have any remarks or complaints regarding
the way we process your personal data.