This is the HTML version of a file attached to the access to information request 'Personal data breaches'.


THOMAS ZERDICK
IT POLICY UNIT
Mr Patrick BREYER
by email only: ask+request-7801-xxxxxxxx@xxxxxxxx.xxx
Brussels, 30 April 2020
TZ/SP/ / C 2020-0335
Please use xxxx@xxxx.xxxxxx.xx for all correspondence
Subject: Your request for access to documents under Regulation (EC) 1049/2001
Dear Mr Breyer,
On 19 March 2020, you sent an access to documents request to the EDPS on the basis of 
Regulation (EC) 1049/2001, which was registered on the same day. On 23 March 2020, the 
EDPS informed you about the extension of the deadline in accordance with Article 7(3) of
Regulation (EC) 1049/2001.
You request “access to the personal data breaches notifications received in 2019. I agree to 
you removing/anonymizing the names of natural persons.”
The EDPS received 95 data breach notifications in 2019. Of these cases, 25 are
closed.
1. Open cases
Regarding access to the data breach notifications on cases that are open, we regret to inform 
you that access is denied in line with Article 4(2) third indent of Regulation (EC) 1049/2001 
relating to the protection of the purpose of inspections, investigations and audits. According 
to this provision, access should be refused if the disclosure of a document could possibly
undermine the completion of inspections, investigations or audits.
In order for the EDPS's investigations to be effective and lead to the desired result as regards 
the correct application of Regulation (EU) 2018/1725, it is essential that confidentiality of such 
investigations in these cases is preserved. Disclosing any information and/or documents
related to ongoing investigations would unduly interfere with the procedure and may
undermine the rights and interests of the entities concerned. Additionally, disclosure of the 
information could possibly undermine the completion of these investigations.
Postal address: rue Wiertz 60 - B-1047 Brussels
Offices: rue Montoyer 30 - B-1000 Brussels
E-mail: xxxx@xxxx.xxxxxx.xx - Website: www.edps.europa.eu
Tel.: 32 2-283 19 00 - Fax : 32 2-283 19 50

2. Closed cases
Regarding the 25 closed cases, the EDPS has consulted the EUIs that reported the breaches in 
accordance with Article 4(4) of Regulation (EC) 1049/2001. 
We are pleased to inform you that partial access is granted in line with your request with the 
exception of access to personal data in line with Article 4(1)(b) of Regulation (EC) 1049/2001 
to some of these notifications, stemming from the following EUIs:
- European Chemicals Agency (ECHA): 1 document
- European Medicines Agency (EMA): 1 document
- European Commission - DG SANTE: 2 documents
- Innovation and Networks Executive Agency (INEA): 1 document
- European Commission - Paymaster's Office (PMO): 4 documents
- European Food Safety Authority (EFSA): 1 document
- Research Executive Agency (REA): 1 document
- European Commission - DG HR: 2 documents
- European Commission - DG JUST: 1 document
- European Union Intellectual Property Office (EUIPO): 2 documents
- European Asylum Support Office (EASO): 1 document
- Education, Audiovisual and Culture Executive Agency (EACA): 7 documents
If you would like to request access to the redacted personal data, please provide the EDPS with
a legitimate justification or compelling argument to demonstrate the necessity for the
personal data to be disclosed (see below for information about the confirmatory application).
In addition, with the exception of personal data in line with Article 4(1)(b) of Regulation (EC)
1049/2001, partial access is granted to some of these notifications, stemming from the
following EUIs based on the following specific reasons:
- Council of the European Union: except the first sentence under D18 based on 4.1.a)
  first indent of Regulation 1049/2001: disclosure would undermine the protection of
  public interest as regards public security. (2 documents)
- EUROPOL: except the name of the company based on Article 4(2) of the Management
  Board Decision laying down the rules for applying Regulation 1049/2001 with regard
  to Europol documents as the disclosure would undermine the commercial interests of
  a legal person. (2 documents)
- European Global Navigation Satellite System Agency (GSA): the disclosure of the
  information indicated in some sections would undermine the commercial interests of
  the GSA contractor (i.e. the data processor) which committed the data breach
  (exception under Article 4(2) Regulation (EC) 1049/2001). (1 document)
- European Commission - DG DEVCO: some parts have been withheld on the basis of the
  exception pursuant to the third indent of Article 4(1)(a) of Regulation (EC) No
  1049/2001 (protection of the public interest as regards international relations). Some
  other parts have been blanked out not to undermine the protection of the purpose of
  the Commission’s investigation provided for in the third indent of Article 4(2) of
  Regulation (EC) No 1049/2001. (2 documents)
- European Union Agency for Fundamental Rights (FRA): some parts have been withheld
  because the document has to be considered as containing opinions for internal use, as
  part of deliberations and preliminary consultations within the Agency in the sense of
  Article 4(3), second subparagraph of Regulation (EC) No 1049/2001. (1 document)
- Executive Agency for Small and Medium-sized Enterprises (EASME): some parts have
  been withheld because the disclosure would undermine the protection of commercial
  interests of a legal person, including intellectual property (exceptions based on Article
  4(2) first indent of Regulation 1049/2001). Some other parts have also been withheld
  because the document has to be considered as containing opinions for internal use, as
  part of deliberations and preliminary consultations within the Agency in the sense of
  Article 4(3), second subparagraph of Regulation (EC) No 1049/2001. (5 documents)

1 In accordance with Article 8(b) of Regulation 45/2001 (current Article 9 of Regulation 2018/1725) as interpreted
by the Court of Justice in Case C-28/08 P Bavarian Lager.

Please be informed that transmission of the documents above to you may have to be done in 
parts, given the volume of some of the documents.
Please note that pursuant to Article 7(2) of Regulation 1049/2001, you may make a
confirmatory application asking the EDPS to reconsider his position as regards the refusal
and partial refusal of your request. Such a confirmatory application should be addressed
within 15 working days upon receipt of this letter to the EDPS general e-mail:
xxxx@xxxx.xxxxxx.xx.
Yours sincerely,
[electronically signed]
Thomas ZERDICK, LL.M.
Head of IT Policy Unit
Annex: Data breach notifications to which partial access is given (zip file)
Data Protection Notice
According to Articles 15 and 16 of Regulation (EU) 2018/1725 on the protection of natural persons with 
regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on 
the free movement of such data, please be aware that your personal data will be processed by the 
EDPS, where proportionate and necessary, for the purpose of answering your request. The legal base 
for this processing operation is Regulation (EC) 1049/2001 and Article 52(4) of the Regulation (EU) 
2018/1725. Subject to applicable rules under EU legislation, the personal data relating to you, as
provided in your request, are used solely for the purpose of replying to your request. EDPS staff
members dealing with the request will have access to the case file containing your personal data on a 
need-to-know basis. Your personal data are not disclosed outside the EDPS. Your personal data will be 
stored electronically for a maximum of ten years after the closure of the case, or as long as the EDPS is 
under a legal obligation to do so. You have the right to access your personal data held by the EDPS and 
to obtain the rectification thereof, if necessary. Any such request should be addressed to the EDPS at 
xxxx@xxxx.xxxxxx.xx. You may contact the data protection officer of the EDPS
(EDPS-xxx@xxxx.xxxxxx.xx), if you have any remarks or complaints regarding the way we process your
personal data.
