SDPC, DPA and TIA for the use of personal data processing software by the European Parliament
Dear European Parliament,
Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:
1) Indication of whether, which and for what purpose personal data processing services / software of organizations (e.g., as processor / data importer) located outside the EU/EEA are used acutally by the European Parliament.
2) Indication of whether, which and for what purpose such personal data processing services of organizations located within the EU/EEA, but with subcontractors outside the EU/EEA, are actually used by the European Parliament.
3) Per individual of these services with the aforementioned third country references:
a) I request an indication as to whether and which transfers pursuant to Art. 44 et seq. GDPR are triggered by the use of these services.
b) I ask for all contracts concluded with the providers of these services in this respect, which are necessary under data protection law, or for a missing indication if there are no such contracts. In particular, namely: contract for commissioned processing according to Art. 28 DSGVO as well as standard data protection clauses according to Art. 46 GDPR.
c) I request the provision of the documented "Transfer Impact Assessment" required according to clause 14 of the current standard data protection clause sets of the EU Commission or the documented "Transfer Impact Assessment" required according to Art. 46 (1) GDPR in conjunction with the principles from ECJ judgment "Schrems II" regarding the data transfers associated with the use of such services.
It should be possible to find the above information without major effort, in particular by means of corresponding information and links in the official processing directory pursuant to Art. 30 GDPR.
Yours faithfully,
Heiko Roth
Our reference: 2022-002
Dear Mr Roth,
The European Parliament hereby acknowledges receipt of your message, which
was registered on January 13^th, 2022.
All applications for public access to documents are treated in compliance
with Regulation (EC) No 1049/2001 of 30 May 2001 regarding public access
to European Parliament, Council and Commission documents.
In accordance with the above-mentioned Regulation, your application will
be handled within 15 working days upon registration of your request.
Your personal data will be processed in accordance with Regulation (EU)
2018/1725 of 23 October 2018 on the protection of natural persons with
regard to the processing of personal data by the Union institutions,
bodies, offices and agencies and on the free movement of such data. A
detailed privacy statement is available [1]here.
The European Parliament reserves the right to ask for additional
information regarding your identity in order to verify compliance with
Regulation (EC) No 1049/2001 and the European Parliament’s implementing
measures.
Your attention is drawn to the fact that you have lodged your application
via the AsktheEU.org website, which is a private website not officially
related to the European Parliament. Therefore, the European Parliament
cannot be held accountable for any technical issues or problems linked to
the use of this system.
In addition, please note that any personal data that you provide by using
AsktheEU.org website may be disclosed to the general public and visible on
this private website. The European Parliament cannot be held responsible
for such disclosure. Should you need to communicate directly to Parliament
any personal data and would like to avoid public disclosure, you may do so
from your private email address by using the following functional mailbox
address: AccesDocs(at)europarl.europa.eu
Best regards,
TRANSPARENCY UNIT
European Parliament
Directorate-General for the Presidency
Directorate for Interinstitutional Affairs and Legislative Coordination
[2][European Parliament request email]
[3]www.europarl.europa.eu/RegistreWeb
References
Visible links
1. https://www.europarl.europa.eu/RegistreW...
2. mailto:[European Parliament request email]
3. http://www.europarl.europa.eu/RegistreWeb
Our reference: 2022-002
Dear Mr Roth,
The time limit for replying to your application under Regulation (EC) No
1049/2001 of January 13^th concerning public access to documents expires
on February 3^rd.
However, our consultations are taking more time than expected so that
Parliament exceptionally needs to extend the time limit provided for in
Article 7(1) of Regulation (EC) No 1049/2001 by a further 15 working days,
in accordance with Article 7(3) of that Regulation, in order to reply to
your application.
Please accept our apologies for any inconvenience. We thank you for your
understanding.
Kind regards,
TRANSPARENCY UNIT
European Parliament
Directorate-General for the Presidency
Directorate for Interinstitutional Affairs and Legislative Coordination
[1][European Parliament request email]
[2]www.europarl.europa.eu/RegistreWeb
References
Visible links
1. mailto:[European Parliament request email]
2. http://www.europarl.europa.eu/RegistreWeb
Our reference: 2022-002
Dear Mr Roth,
your application for public access to documents, submitted under
Regulation (EC) No 1049/2001, was registered on 13 January 2022.
As a preliminary remark, Parliament draws your attention to the fact that
the scope of Regulation (EC) No 1049/2001, as defined in its Article 2(3),
extends only to existing documents held by an institution, whereas it does
not cover the broader concept of information. Information may be
distinguished from a document, in particular, as far as it is defined as a
data element that may appear in one or multiple documents.
Regarding points (1) and (2) of your application, we inform you that we do
not hold a document containing the requested information, i.e. a list of
actually used processing operations that entail a direct or indirect
transfer of personal data to third countries. This is because the relevant
database, [1]Parliament's register of processing records, can only be
searched by a certain number of criteria which do not include the location
or the country of processing. This reflects the purpose of the register,
which, in light of Article 31 of [2]Regulation (EU) 2018/1725, is not
geared towards research but intended as a source of information for data
subjects seeking to understand how their data are processed.
However, you may obtain the information you have requested by consulting
the above-mentioned register of processing records (a user guide for
searching the register is available [3]here).
Given the above, point (3) of your application no longer refers to a
sufficiently clear and specific set of documents. However, we encourage
you to consult the above-mentioned register of processing records in order
to identify one or more individual processing operations with regard to
which you would like to request access to certain underlying documents.
On this basis Parliament considers your request handled and the file
closed. Please do not hesitate to submit a new request should you identify
specific Parliament documents for which you would like to request public
access.
Kind regards,
[4]cid:image001.png@01D58B31.E2CF1C20 TRANSPARENCY UNIT
European Parliament
Directorate-General for the
Presidency
Directorate for Interinstitutional
Affairs and Legislative Coordination
[5][email address]
[6]www.europarl.europa.eu/RegistreWeb
References
Visible links
1. https://www.europarl.europa.eu/data-prot...
2. https://eur-lex.europa.eu/legal-content/...
3. https://www.europarl.europa.eu/data-prot...
5. mailto:[email address]
6. http://www.europarl.europa.eu/RegistreWeb