Transparency and accountability
In R. 2018/1725, the principle of transparency requires that any information and communications relating to the processing of personal data is accessible and easy to understand, and that clear and plain language is used. This principle concerns, in particular, information to individuals on the identity of the controller,31 the purposes of fair and transparent processing, and citizens’ rights to obtain confirmation and communication on personal data concerning them. Individuals should be made aware of risks, rules, safeguards, and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing.
The principle of transparency means - among other things - that EU institutions and their services need to publish clear, user-friendly information on their reasons for processing personal data, and help individuals to access this information. According to Article 31(1) of R. 2018/1725, controllers need to maintain a record of processing activities under their responsibility. The record is considered an internal tool to help implement R. 2018/1725, as it supports the analysis of the implications of any data processing, whether existing or planned. It facilitates the factual assessment of the risk of the processing activities performed by a controller on individuals’ rights, and the identification and implementation of appropriate security measures to safeguard personal data - both key components of the principle of accountability34 contained in R. 2018/1725.
The record must be in writing (including in electronic form), clear and intelligible, and must contain specific information about every processing activity carried out. It must include the name and contact data of the controller, and if necessary state other organizations with whom the controller has established common purposes and means of the processing; and clearly indicate the Data Protection Officer and the purposes for which the EU institutions process personal information.35 When the EU institutions share data with a foreign country or an international organization outside the EU, they have to clearly refer to their agreements or memoranda of understanding in the record. The EU institutions need to describe the technology, applications, and software used for data processing in their general description of the technical and organizational measures taken in order to secure personal data. They also need to clearly state when they outsource processing activities to third-party providers (processors) while remaining fully responsible as controllers. The record can contain any additional information that is considered of importance by the Data Protection Officer of the activities carried out, for example, an indication of the legal basis for data processing. For the European Data Protection Supervisor, records represent prerequisites for compliance and effective accountability measures. Records help the Data Protection Officers to perform their tasks of monitoring compliance, informing, and advising the controller or the processor.
Data Protection Officers are certainly key players in data protection in the EU institutions. They assist the controller in all issues related to the protection of personal data, supervise the activities, and collaborate with the records’ creators. The Data Protection Officers inform and advise the controllers and their assistants of their obligations under R. 2018/1725, and inform individuals of their rights. They also monitor compliance by ensuring the correct internal application of the Regulation and by handling queries and complaints. They should also provide advice as regards the data protection impact assessment and cooperate with the supervisory authority. The EU institutions have, however, an advantage over public authorities and private bodies of the member states, which must now appoint a Data Protection Officer under the GDPR. Indeed, while the appointment of a Data Protection Officer has not been considered compulsory by national entities prior to the GDPR, it has been a legal requirement for all EU institutions, regardless of their size and core activities, for over 17 years.
Archiving purposes and data minimization
One of the most interesting aspects of R. 2018/1725 for information managers concerns the concept of “archiving purposes in the public interest.” Recital 25 does not fully explain the meaning of this concept, but states that it “should be considered compatible lawful processing operations.” Article 13 is dedicated to “processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.” The first paragraph of this article lays down rules that are common both for processing of personal data “for archiving purposes in the public interest” and for “scientific or historical research purposes or statistical purposes.” These processing activities are subject to appropriate safeguards to protect the rights and freedoms of individuals. The safeguards need to ensure that technical and organizational measures are in place and that they respect the principle of data minimization, i.e. they must ensure that a controller collects only the strict minimum amount of personal data necessary to fulfil the purpose of the processing. The measures may also include pseudonymization39 or other means, which do not or no longer allow for the identification of individuals.
The European Data Protection Supervisor, however, warns controllers against the interpretation of this concept as a blanket permission to store everything for an extended period of time for archiving, scientific research, and historical or statistical purposes. Instead:
In each case, [the controller] must have an appropriate legal basis for the processing and assess the necessity and proportionality of any data storage. In addition, [the controller] must also think of safeguards you can apply - e.g. aggregating personal data kept/disclosed for research purposes, banning reidentification in the conditions for granting access for research purposes.
Although not a new concept, data minimization needs some reflection. This principle was already established in Regulation 45/2001, which indicated that personal data should be collected and processed only if it is really necessary, and should be “kept in a form which permits identification of individuals for no longer than is necessary for the purpose for which the data was collected.”42 If interpreted in a strict sense, this principle could have led to the destruction of records containing personal data. Instead, EU lawmakers have acknowledged that “personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes,” under the condition that it “safeguard[s] the rights and freedoms of the data subject.”43
The principle of data minimization and the obligation of taking appropriate safeguards in order to protect individuals’ rights are therefore common to both “processing for archiving purposes in the public interest” and processing for “scientific or historical research purposes or statistical purposes,” with differences according to the area of application. Pseudonymization of records is, for example, commonly applied as an appropriate measure in health research, where it is important to preserve the correlation of different health data regarding patients, but their identity is irrelevant. In another case, an EU institution that holds records in the public interest has to preserve the integrity of its records selected for permanent preservation, whether the records are sensitive (e.g., medical records44) or not with regards to the individuals’ interest.
Information managers are accustomed to enforcing the principle of data minimization when they select records that contain personal data for permanent preservation through the application of retention schedules. They furthermore enforce laws concerning access to records within the framework of public access to documents legislation45 and in conformity with archival policies,46 and are bound by ethical codes for the non-disclosure of personal data.47 In ensuring that access to records is managed appropriately and that correct organizational and technical safeguards are in place, EU institutions comply with article 80 of R. 2018/1725, which gives the right to individuals to access the data that concern them.48