SDPC, DPA and TIA for the use of personal data processing software by the EDPS
Dear European Data Protection Supervisor,
Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:
1) Indication of whether, which and for what purpose personal data processing services / software of organizations (e.g., as processor / data importer) located outside the EU/EEA are actually used by the EDPS.
2) Indication of whether, which and for what purpose such personal data processing services of organizations located within the EU/EEA, but with subcontractors outside the EU/EEA, are actually used by the EDPS.
3) Per individual of these services with the aforementioned third country references:
a) I request an indication as to whether and which transfers pursuant to Art. 44 et seq. GDPR are triggered by the use of these services.
b) I ask for all contracts concluded with the providers of these services in this respect, which are necessary under data protection law, or for a missing indication if there are no such contracts. In particular, namely: contract for commissioned processing according to Art. 28 DSGVO as well as standard data protection clauses according to Art. 46 GDPR.
c) I request the provision of the documented "Transfer Impact Assessment" required according to clause 14 of the current standard data protection clause sets of the EU Commission or the documented "Transfer Impact Assessment" required according to Art. 46 (1) GDPR in conjunction with the principles from ECJ judgment "Schrems II" regarding the data transfers associated with the use of such services.
It should be possible to find the above information without major effort, in particular by means of corresponding information and links in the official processing directory pursuant to Art. 30 GDPR.
Yours faithfully,
Heiko Roth
Dear Mr Roth,
We acknowledge receipt of your request, registered on 13.01.2022. In
accordance with Article 7(1) of Regulation (EU) No 1049/2001 regarding
public access to European Parliament, Council and Commission documents,
you will receive a reply within 15 working days (by 03.02.2022).
Your case number is 2022-0081.
Please note that your personal data will only be processed for the
purposes of replying to your request and in accordance with the privacy
statement set out below. More information on how the EDPS process personal
information can be found on our [1]website.
You have lodged your application via the AsktheEU.org website. Please note
that this is a private website which has no link with any institution of
the European Union. The European Data Protection Supervisor is not
accountable for any technical issues or problems linked to the use of this
system.
Yours sincerely,
EDPS Secretariat
[2]cid:image001.png@01D4D8CD.D37C9700
[3]| Tel. (+32) 228 31900 | Fax +32(0)22831950 | ›
Email [4][EDPS request email]
European Data Protection Supervisor
Postal address: Rue Wiertz 60, B-1047 Brussels
Office address: Rue Montoyer 30, B-1000 Brussels
[5]Twitter [6]@EU_EDPS [7]Website [8]www.edps.europa.eu
This email (and any attachment) may contain information that is internal or confidential. Unauthorised access,
use or other processing is not permitted. If you are not the intended recipient please inform the sender by
reply and then delete all copies. Emails are not secure as they can be intercepted, amended, and infected with
viruses. The EDPS therefore cannot guarantee the security of correspondence by email.
According to Articles 15 and 16 of Regulation (EU) 2018/1725 (the Regulation) on the protection of natural
persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies
and on the free movement of such data, we are processing your personal data, where proportionate and
necessary, for the purpose of answering your request. The legal base for this processing operation is
Regulation (EU) 1049/2001 and Article 52(4) of the Regulation (EU) 2018/1725. Subject to applicable rules
under EU legislation, the personal data relating to you, as provided in your request as well as personal data
that might be collected while processing your request, are used solely for the purpose of replying to your
request. EDPS staff members dealing with the request will have access to the case file containing your
personal data on a need-to-know basis. All access to case files is logged. Your personal data are not
disclosed outside the EDPS. Your personal data will be stored electronically for a maximum of ten years after
the closure of the case, or as long as the EDPS is under a legal obligation to do so. You have the right to
access your personal data held by the EDPS and to relevant information concerning how we use it. You have the
right to rectify your personal data. Under certain conditions, you have the right to ask that we delete your
personal data or restrict its use. We will consider your request, take a decision and communicate it to you.
For more information, please see Articles 14 to 21, 23 and 24 of the Regulation. Please note that in some
cases restrictions under Article 25 of the Regulation may apply. Any request to exercise your rights should be
addressed to the EDPS at [9][EDPS request email]. You may contact the data protection officer of the EDPS
([10][email address]), if you have any remarks or complaints regarding the way we process your
personal data. You have the right to lodge a complaint with the EDPS, as supervisory authority. Any such
request should be addressed to the EDPS at [11][EDPS request email]. You can reach the EDPS in the following
ways: E-mail: [12][EDPS request email]; EDPS postal address: European Data Protection Supervisor, Rue Wiertz
60, B-1047 Brussels, Belgium. For more information, please refer to the extended version of the data
protection notice available on the EDPS website:
[13]https://edps.europa.eu/data-protection/o....
References
Visible links
1. https://secure.edps.europa.eu/EDPSWEB/we...
3. file:///tmp/tel:+3222831900
4. mailto:[EDPS request email]
6. http://twitter.com/EU_EDPS
http://twitter.com/EU_EDPS
8. http://www.edps.europa.eu/
http://www.edps.europa.eu/
9. mailto:[EDPS request email]
10. mailto:[email address]
11. mailto:[EDPS request email]
12. mailto:[EDPS request email]
13. https://edps.europa.eu/data-protection/o...
Dear Mr. Roth,
We are writing you concerning your access to documents request case number
2022-0081.
In accordance with Article 7 (1) of Regulation (EU) No 1049/2001 regarding
public access to European Parliament, Council and Commission documents,
you are entitled to receive a reply within 15 working days.
However, due to the amount of documents, the EDPS will not be in a
position to respond within the original time limit of 15 working days. We
have therefore decided to extend the time limit by 15 working days in
accordance with Article 7(3) of Regulation (EU) 1049/2001.
You should expect to receive a reply from the EDPS by 24.02.2022 at the
latest.
Yours sincerely,
EDPS Secretariat
[1]cid:image001.png@01D4D8CD.D37C9700
[2]| Tel. (+32) 228 31900 |
Fax +32(0)22831950 | ›
Email [3][EDPS request email]
European Data Protection Supervisor
Postal address: Rue Wiertz 60,
B-1047 Brussels
Office address: Rue Montoyer 30,
B-1000 Brussels
[4]Twitter [5]@EU_EDPS
[6]Website [7]www.edps.europa.eu
This email
(and any
attachment)
may contain
information
that is
internal or
confidential.
Unauthorised
access, use or
other
processing is
not permitted.
If you are not
the intended
recipient
please inform
the sender by
reply and then
delete all
copies. Emails
are not secure
as they can be
intercepted,
amended, and
infected with
viruses. The
EDPS therefore
cannot
guarantee the
security of
correspondence
by email.
According to Articles 15 and 16 of Regulation (EU) 2018/1725 (the
Regulation) on the protection of natural persons with regard to the
processing of personal data by the Union institutions, bodies, offices and
agencies and on the free movement of such data, we are processing your
personal data, where proportionate and necessary, for the purpose of
answering your request. The legal base for this processing operation is
Regulation (EU) 1049/2001 and Article 52(4) of the Regulation (EU)
2018/1725. Subject to applicable rules under EU legislation, the personal
data relating to you, as provided in your request as well as personal data
that might be collected while processing your request, are used solely for
the purpose of replying to your request. EDPS staff members dealing with
the request will have access to the case file containing your personal
data on a need-to-know basis. All access to case files is logged. Your
personal data are not disclosed outside the EDPS. Your personal data will
be stored electronically for a maximum of ten years after the closure of
the case, or as long as the EDPS is under a legal obligation to do so. You
have the right to access your personal data held by the EDPS and to
relevant information concerning how we use it. You have the right to
rectify your personal data. Under certain conditions, you have the right
to ask that we delete your personal data or restrict its use. We will
consider your request, take a decision and communicate it to you. For more
information, please see Articles 14 to 21, 23 and 24 of the Regulation.
Please note that in some cases restrictions under Article 25 of the
Regulation may apply. Any request to exercise your rights should be
addressed to the EDPS at [8][EDPS request email]. You may contact the data
protection officer of the EDPS ([9][email address]), if you have
any remarks or complaints regarding the way we process your personal data.
You have the right to lodge a complaint with the EDPS, as supervisory
authority. Any such request should be addressed to the EDPS at
[10][EDPS request email]. You can reach the EDPS in the following ways:
E-mail: [11][EDPS request email]; EDPS postal address: European Data
Protection Supervisor, Rue Wiertz 60, B-1047 Brussels, Belgium. For more
information, please refer to the extended version of the data protection
notice available on the EDPS website:
[12]https://edps.europa.eu/data-protection/o...
References
Visible links
2. file:///tmp/tel:+3222831900
3. mailto:[EDPS request email]
5. http://twitter.com/EU_EDPS
http://twitter.com/EU_EDPS
7. http://www.edps.europa.eu/
http://www.edps.europa.eu/
8. mailto:[EDPS request email]
9. mailto:[email address]
10. mailto:[EDPS request email]
11. mailto:[EDPS request email]
12. https://edps.europa.eu/data-protection/o...