
Article 1 

1. This Decision lays down the rules to be followed by the European Anti-Fraud Office (‘the Office’) to inform data subjects of the processing of their data in accordance with Articles 14, 15 and 16 of Regulation (EU) 2018/1725.
It also lays down the conditions under which the Office may restrict the application of Articles 4, 14 to 20 and 35 of Regulation (EU) 2018/1725, in accordance with Article 25 of that Regulation.
2. This Decision applies to the processing of personal data by the Office for the purpose of or in relation to the activities carried out in order to fulfil the Office's tasks referred to in Article 2 of Decision 1999/352/EC, ECSC, Euratom and Regulation (EU, Euratom) No 883/2013.
3. This Decision applies to the processing of personal data by Commission services and executive agencies in so far as they process personal data contained in information which they are required to transmit to the Office pursuant to Article 8(1) of Regulation (EU, Euratom) No 883/2013 or personal data already processed by the Office for the purpose of or in relation to the activities referred to in paragraph 2 of this Article.
Article 2 

1. Where the Office exercises its duties with respect to the data subjects' rights pursuant to Regulation (EU) 2018/1725, it shall consider whether any of the exceptions laid down in that Regulation apply.
2. Subject to Articles 3 to 6 of this Decision, the Office may restrict the application of Articles 14 to 20 and 35 of Regulation (EU) 2018/1725, as well as its Article 4 in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 20 and 35 of Regulation (EU) 2018/1725 where the exercise of those rights and obligations would jeopardise the purpose of the Office's investigative activities, including by revealing its investigative tools and methods, or would adversely affect the rights and freedoms of others.
3. Subject to Articles 3 to 6 of this Decision, the Office may restrict the rights and obligations referred to in paragraph 2 of this Article in relation to personal data obtained from Commission services or other Union institutions, bodies, agencies and offices, competent authorities of Member States or third countries or from international organisations, in the following circumstances:
(a) where the exercise of those rights and obligations could be restricted by Commission services or other Union institutions, bodies, agencies and offices on the basis of other acts provided for in Article 25 of Regulation (EU) 2018/1725 or in accordance with Chapter IX of that Regulation or with the founding acts of other Union institutions, bodies, agencies and offices;
(b) where the exercise of those rights and obligations could be restricted by competent authorities of Member States on the basis of acts referred to in Article 23 of Regulation (EU) 2016/679 of the European Parliament and of the Council, or under national measures transposing Articles 13(3), 15(3) or 16(3) of Directive (EU) 2016/680 of the European Parliament and of the Council;
(c) where the exercise of those rights and obligations could jeopardise the Office's cooperation with third countries or international organisations in the conduct of its tasks.
Before applying restrictions in the circumstances referred to in points (a) and (b) of the first subparagraph, the Office shall consult the relevant Commission services, Union institutions, bodies, agencies, offices or the competent authorities of Member States unless it is clear to the Office that the application of a restriction is provided for by one of the acts referred to in those points.
Point (c) of the first subparagraph shall not apply where the interest of the Union to cooperate with third countries or international organisations is overridden by the interests or fundamental rights and freedoms of the data subjects.
4. Where Commission services and executive agencies process personal data in instances referred to in Article 1(3), they may, where necessary, apply restrictions in accordance with this Decision. To that end, they shall consult the Office, unless it is clear to the Commission service or executive agency concerned that the application of a restriction is justified under this Decision.
Article 3 

1. The Office shall publish on its website data protection notices that inform all data subjects of its activities involving processing of their personal data.
2. The Office shall individually inform all data subjects whom it considers to be persons concerned, witnesses or informants within the meaning of Regulation (EU, Euratom) No 883/2013.
3. Where the Office restricts, wholly or partly, the provision of information to the data subjects referred to in paragraph 2, it shall record the reasons for the restriction, including an assessment of the necessity and proportionality of the restriction.
To that end, the record shall state how the provision of the information would jeopardise the purpose of the Office's investigative activities, or of restrictions applied pursuant to Article 2(3), or would adversely affect the rights and freedoms of others.
The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request.
4. The restriction referred to in paragraph 3 shall continue to apply as long as the reasons justifying it remain applicable.
Where the reasons for the restriction no longer apply, the Office shall provide the information concerned and the reasons for the restriction to the data subject. At the same time, the Office shall inform the data subject of the possibility of lodging a complaint with the European Data Protection Supervisor at any time or of seeking a judicial remedy in the Court of Justice of the European Union.
The Office shall review the application of the restriction every six months from its adoption and at the closure of the relevant investigation. Thereafter, the controller shall monitor the need to maintain any restriction on an annual basis.
Article 4 

1. Where data subjects request access to their personal data processed in the context of one or more specific cases or to a particular processing operation, in accordance with Article 17 of Regulation (EU) 2018/1725, the Office shall limit its assessment of the request to such personal data only.
2. Where the Office restricts, wholly or partly, the right of access, referred to in Article 17 of Regulation (EU) 2018/1725, it shall take the following steps:
(a) it shall inform the data subject concerned, in its reply to the request, of the restriction applied and of the principal reasons thereof, and of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy in the Court of Justice of the European Union;
(b) it shall record the reasons for the restriction, including an assessment of the necessity and proportionality of the restriction; to that end, the record shall state how providing access would jeopardise the purpose of the Office's investigative activities or of restrictions applied pursuant to Article 2(3), or would adversely affect the rights and freedoms of other data subjects.
The provision of information referred to in point (a) may be deferred, omitted or denied in accordance with Article 25(8) of Regulation (EU) 2018/1725.
3. The record referred to in point (b) of paragraph 2 and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request. Article 25(7) of Regulation (EU) 2018/1725 shall apply.
Article 5 
Where the Office restricts, wholly or partly, the application of the right to rectification, erasure or restriction of processing, referred to in Articles 18, 19(1) and 20(1) of Regulation (EU) 2018/1725, it shall take the steps set out in Article 4(2) of this Decision and register the record in accordance with Article 4(3) thereof.
Article 6 
Where the Office restricts the communication of a personal data breach to the data subject, referred to in Article 35 of Regulation (EU) 2018/1725, it shall record and register the reasons for the restriction in accordance with Article 3(3) of this Decision. Article 3(4) of this Decision shall apply.
Article 7 

1. The Data Protection Officer of the Office (‘the Office DPO’), shall be informed, without undue delay, whenever data subjects' rights are restricted in accordance with this Decision. The Office DPO shall be provided with access to the record and any documents containing underlying factual and legal elements.
The Office DPO may request a review of the restrictions. The Office DPO shall be informed in writing of the outcome of the requested review.
2. Where Commission services and executive agencies process personal data in instances referred to in Article 1(3), the Data Protection Officer of the Commission (‘the Commission DPO’) or, where applicable, the Data Protection Officer of the executive agency concerned (‘the Agency DPO’), shall be informed, without undue delay, whenever data subjects' rights are restricted in accordance with this Decision. Upon request, the Commission DPO or, where applicable, the Agency DPO shall be provided with access to the record and any documents containing underlying factual and legal elements.
The Commission DPO or, where applicable, the Agency DPO, may request a review of the restrictions. The Commission DPO or the Agency DPO shall be informed in writing about the outcome of the requested review.
3. All information exchanges with the DPO throughout the procedure shall be recorded in the appropriate form.
Article 8 
This Decision shall enter into force on the day of its publication in the Official Journal of the European Union.
It shall apply from 11 December 2018.
Done at Brussels, 11 December 2018.
For the Commission
The President
Jean-Claude JUNCKER