
CHAPTER 1
Article 1 

1. This Decision provides rules and procedures for the application of Regulation (EU) 2018/1725 by the Commission, and sets out implementing rules concerning the Data Protection Officer for the Commission (‘DPO’).
2. This Decision also lays down the rules to be followed by the Commission, in relation to the monitoring, investigative, auditing or consultative tasks of the DPO, to inform data subjects of the processing of their personal data in accordance with Articles 14, 15 and 16 of Regulation (EU) 2018/1725.
3. This Decision also lays down the conditions under which the Commission, in relation to the monitoring, investigative, auditing or consultative tasks of the DPO, may restrict the application of Articles 4, 14 to 17, 19, 20 and 35 of Regulation (EU) 2018/1725, in accordance with Article 25(1)(c), (g) and (h) thereof.
4. This Decision applies to the processing of personal data by the Commission for the purpose of or in relation to the tasks of the DPO referred to in Article 45 of Regulation (EU) 2018/1725, in particular the monitoring, investigative, auditing and consultative tasks of the DPO.
Article 2 
For the purposes of this Decision, the Commission shall be considered to be the controller within the meaning of Article 3(8) of Regulation (EU) 2018/1725.
Article 3 
For the purpose of this Decision, the following definitions apply:

(1) ‘Data Protection Officer’ (DPO) means the person whom the Commission has designated pursuant to Article 43 of Regulation (EU) 2018/1725;
(2) ‘DPO tasks’ means the DPO tasks referred to in Article 45 of Regulation (EU) 2018/1725, in particular the monitoring, investigative, auditing and consultative tasks of the DPO;
(3) ‘Data Protection Coordinator’ (DPC) means the Commission staff member whom a Directorate-General or Service of the Commission appointed to advise and assist that Directorate-General or Service in all aspects of the protection of personal data;
(4) ‘delegated controller’ means the Head of the Directorate-General, Service or Cabinet, which carries out a processing operation on behalf of the Commission in fulfilment of the mission of that Directorate-General, Service or Cabinet;
(5) ‘operational controller’ means the Commission staff member of middle or senior management level, designated by the delegated controller to ensure record keeping for the processing operation and to serve as primary contact point for data subjects in relation to that processing operation;
(6) ‘internal arrangement’ means any arrangement between two or more Directorates-General or Services to determine their respective responsibilities and coordinate the keeping of a record of processing regarding a processing operation which they carry out jointly or where one or more Directorates-General or Services carry out a part of the delegated controller’s processing operation;
(7) ‘informant’ means an individual who brings a matter alleging that a breach of the provisions of Regulation (EU) 2018/1725 has taken place to the attention of the DPO, or requests that the DPO investigate matters and occurrences directly relating to the DPO’s tasks, which that individual brings to the DPO’s notice.
CHAPTER 2
Article 4 
The DPO shall be selected from the staff of the Commission on the basis of his or her professional qualities, including a sound knowledge of the Commission Services, their structure, and their administrative rules and procedures.
Article 5 

1. The DPO shall contribute to creating a culture of protection of personal data within the Commission based on risk assessment and accountability.
2. The DPO shall monitor implementation of Regulation (EU) 2018/1725 in the Commission by, inter alia, annually establishing and carrying out a work programme on inspections and audits.
3. The DPO shall organise and chair regular meetings of DPCs.
4. The DPO shall keep the Commission’s records of processing activities in a central register and shall make it publicly accessible. The DPO shall also keep an internal Commission register of personal data breaches within the meaning of Article 3(16) of Regulation (EU) 2018/1725.
5. In the discharge of his or her functions, the DPO shall cooperate with the data protection officers designated by the other Union institutions and bodies.
6. The DPO shall be considered to be the delegated controller for the purpose of individual decisions concerning the rights of data subjects under Regulation (EU) 2018/1725 in relation to processing operations of the DPO.
Article 6 
In performing the DPO tasks, the DPO:

(a) shall, where necessary for his or her tasks, have access to the data forming the subject matter of processing operations on personal data and to all offices, data processing installations and data carriers;
(b) may request legal opinions from the Legal Service of the Commission;
(c) may, in the event of conflict between the DPO and the delegated controller, operational controller or processor relating to the interpretation or implementation of Regulation (EU) 2018/1725, inform the competent delegated controller and the Secretary-General;
(d) may assign files to the Commission’s Directorates-General or Services concerned for appropriate follow-up;
(e) may perform investigations on request, or upon the DPO’s own initiative, into matters and occurrences directly relating to the DPO tasks in accordance with the procedure set out in Article 11;
(f) may, when making recommendations and rendering advice:

(i) call upon the delegated controller or the processor to comply with a data subject’s request for the exercise of his or her rights pursuant to Regulation (EU) 2018/1725;
(ii) issue warnings to the delegated controller or the processor when a processing operation infringes provisions of Regulation (EU) 2018/1725, and call upon them to bring processing operations into compliance, where appropriate, in a specified manner and within a specified period;
(iii) call upon the delegated controller or the processor to suspend data flows to a recipient in a Member State, to a third country or to an international organisation;
(iv) request the delegated controller or the processor to report within a set deadline to the DPO on the follow-up given to the DPO’s recommendation or advice;
(g) may bring to the attention of the Secretary-General any failure of a delegated controller, an operational controller or a processor to comply with the measures taken pursuant to Article 6(f);
(h) shall be responsible for initial decisions on requests for access to documents held by his or her office under Regulation (EC) No 1049/2001 of the European Parliament and of the Council.
Article 7 

1. The delegated controller shall appoint a DPC and, where appropriate, one or more assistant DPCs in the Directorate-General or Service under his or her responsibility. Two or more delegated controllers may, for reasons of coherence or efficiency, decide to appoint a common DPC or assistant DPC or share the services of an already appointed DPC or assistant DPC. The delegated controllers concerned shall record their agreement to do so in writing.
2. The DPC appointed by a Directorate-General or Service shall also be competent for the Cabinet responsible for that Directorate-General or Service. The DPC appointed for the Secretariat-General shall be competent for the President’s Cabinet as well as for Cabinets for which the Secretariat-General is the only supporting Service. Where a Cabinet is responsible for several Directorates-General or Services, the delegated controllers shall decide which of their respective DPCs are to be competent for that Cabinet.
3. The DPO, the staff of the relevant Directorate-General or Service and the relevant Cabinet shall be informed whenever a new DPC is appointed. Newly appointed DPCs shall complete training to acquire the necessary competences for the role of DPC within six months of appointment. A DPC who has previously held a DPC post in another Directorate-General or Service or has been a staff member of the DPO within two years prior to appointment as DPC shall be exempt from that training requirement.
4. Delegated controllers shall put appropriate arrangements in place in order to ensure that the DPC is involved properly and in a timely manner in all issues which relate to data protection in their Directorate-General or Service and that opinions delivered by the DPC are promptly brought to the attention of the delegated controller at the request of the DPC.
5. DPCs shall be chosen on the basis of their knowledge and experience of the functioning of the respective Directorate-General or Service, motivation for the function, competences relating to data protection, understanding of information systems principles, and communication skills.
6. The function of DPC may be combined with other functions. The delegated controller shall ensure that those functions are compatible with the function of DPC.
7. The DPC function shall be part of the job description of each member of staff appointed as DPC. Reference to their responsibilities and achievements shall be made in the annual appraisal report.
8. The DPC shall act as a contact point between the delegated controller, the operational controller and the processor, and the DPO.
9. DPCs shall have the right to obtain any information in their Directorate-General or Service to the extent that this is necessary for the performance of the tasks of DPC. DPCs shall access personal data only if it is necessary for the performance of their tasks.
10. The DPC shall keep records and provide anonymised statistics of requests from data subjects to the Directorate-General, Service or Cabinet, specifying the number of requests and the number of requests rejected fully or in part. The DPO shall specify the categories of requests of which statistics shall be kept. The DPO may specify which further details are to be provided. The DPC shall keep anonymised statistics of personal data breaches managed by the Directorate-General, Service or Cabinet, specifying the total number of personal data breaches, the number of personal data breaches notified to the EDPS and the number of personal data breaches communicated to data subjects.
11. The DPC shall raise awareness on data protection matters within his or her Directorate-General or Service and shall advise and assist the delegated controllers and operational controllers in complying with their obligations, especially as regards:
(a) implementation of the general principles of Regulation (EU) 2018/1725;
(b) documentation of the processing operations;
(c) submission of the records of delegated controllers’ processing operations to the DPO pursuant to Article 10;
(d) the preparation of privacy statements.
12. DPCs shall participate in the meetings and, where necessary, in working groups of the DPCs.
13. The DPO shall issue additional guidance on the responsibilities and the functions of the DPC.
CHAPTER 3
Article 8 

1. Delegated controllers shall act on behalf of the Commission as controller for the purposes of the application of Regulation (EU) 2018/1725.
2. Delegated controllers and operational controllers:
(a) may consult the DPO, through the DPC, on the conformity of processing operations, in particular in the event of doubt as to conformity;
(b) shall report to the DPO, through the DPC, on the handling of any request received from a data subject for the exercise of his or her rights.
3. The delegated controller shall:
(a) designate an operational controller to assist the delegated controller in ensuring compliance with Regulation (EU) 2018/1725, in particular vis-à-vis data subjects;
(b) ensure that internal arrangements with other Directorates-General or Services are in place, where the delegated controller carries out processing operations jointly with those Directorates-General or Services or where those Directorates-General or Services carry out a part of the delegated controller’s processing operation.
The arrangements referred to in point (b) of the first subparagraph shall determine the respective responsibilities of the parties for compliance with their data protection obligations. In particular, they shall identify the delegated controller determining the purposes and means of the processing operation as well as the operational controller for the processing operation and, where appropriate, which persons and/or entities shall assist the operational controller, inter alia, with information in case of data breaches or in accommodating data subjects’ rights.
4. The operational controller shall:
(a) receive and process all requests from data subjects;
(b) notify the European Data Protection Supervisor (EDPS) in case of personal data breaches;
(c) inform the DPC and the DPO in case of personal data breaches, and notify the data subject, when relevant;
(d) ensure that the DPC is kept aware of all matters relating to data protection, in particular requests from data subjects;
(e) carry out any other task within the scope of this Decision at the request of the delegated controller.
CHAPTER 4
Article 9 
The delegated controller, in cooperation with the DPC, shall inform the DPO when it consults or informs the EDPS in accordance with Regulation (EU) 2018/1725, and in particular pursuant to Articles 40 and 41 of that Regulation. In addition, the delegated controller, operational controller or DPC shall inform the DPO of any other direct interactions with EDPS related to the implementation of Regulation (EU) 2018/1725.
Article 10 

1. The DPO shall ensure that the register of processing operations of the Commission is accessible through the website of the DPO on the Commission’s Intranet and through the website of the DPO on the Europa website.
2. Delegated controllers shall notify the records of their processing operations, through their DPC, to the DPO by using the online notification system of the Commission, accessible through the website of the DPO on the Commission’s Intranet.
Article 11 

1. Requests for an investigation referred to in Article 6(e) shall be addressed to the DPO in writing. Within 15 working days following receipt, the DPO shall send an acknowledgement of receipt to the person who commissioned the investigation and verify whether the request is to be treated as confidential, unless the data subjects concerned give their unambiguous consent for the request to be handled otherwise. In the event of manifest abuse of the right to request an investigation, the DPO shall not be obliged to report to the requester.
2. The DPO shall request a written statement on the matter from the delegated controller who is responsible for the data processing operation in question. The delegated controller shall provide his or her response to the DPO within 15 working days. The DPO may request complementary information from the delegated controller, the processor or other parties, to be provided within 15 working days.
3. The DPO shall report back to the person who commissioned the investigation no later than three months following the receipt of the request. This period may be suspended until the DPO has obtained all necessary information that he or she may have requested.
4. No one shall suffer prejudice on account of a matter brought to the attention of the DPO alleging a breach of the provisions of Regulation (EU) 2018/1725.
Article 12 

1. The DPO shall be attached for administrative purposes to the Secretariat-General. In this context, the DPO shall participate in preparing the Annual Management Plan and the Draft Preliminary Budget of the Secretariat-General.
2. The DPO shall be the reporting officer for the staff of the Data Protection Office. The Deputy Secretary-General shall be the countersigning officer. The DPO shall participate in the management coordination of the Secretariat-General as appropriate.
CHAPTER 5
Article 13 

1. Where the Commission exercises its duties with respect to data subjects’ rights pursuant to Regulation (EU) 2018/1725, it shall consider whether any of the exceptions laid down in that Regulation apply.
2. Subject to Articles 14 to 18 of this Decision, the Commission may restrict the application of Articles 14 to 17, 19, 20 and 35 of Regulation (EU) 2018/1725, as well as the principle of transparency laid down in Article 4(1)(a) of that Regulation insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 17, 19 and 20 of Regulation (EU) 2018/1725, where the exercise of those rights and obligations would jeopardise the purpose of the DPO tasks, inter alia, by revealing its investigative or auditing tools and methods, or would adversely affect the rights and freedoms of other data subjects in accordance with Article 25(1)(c), (g) and (h).
3. Subject to Articles 14 to 18 of this Decision, the Commission may restrict the rights and obligations referred to in paragraph 2 of this Article, in relation to personal data obtained by the DPO from Commission services, or other Union institutions and bodies. The Commission may do so where the exercise of those rights and obligations could be restricted by those Commission services, Union institutions or bodies on the basis of other acts provided for in Article 25 of Regulation (EU) 2018/1725 or in accordance with Chapter IX of that Regulation or in accordance with Regulation (EU) 2016/794 of the European Parliament and of the Council or Council Regulation (EU) 2017/1939.
Before applying restrictions in the circumstances referred to in the first subparagraph, the Commission shall consult the relevant Union institution or bodies unless it is clear to the Commission that the application of a restriction is provided for by one of the acts referred to in that subparagraph.
4. Any restriction of the application of rights and obligations, referred to in paragraph 2 of this Article, shall be necessary and proportionate taking into account the risks to the rights and freedoms of data subjects.
Article 14 

1. The Commission shall publish, on its website, data protection notices that inform all data subjects of the DPO tasks involving processing of their personal data.
2. The Commission shall individually inform, in an appropriate format, any natural person whom it considers a person concerned by the DPO tasks or an informant.
3. Where the Commission restricts, wholly or partly, the provision of the information to data subjects referred to in paragraph 2, the Commission shall record and register the reasons for the restriction, in accordance with Article 17.
Article 15 

1. Where the Commission restricts, wholly or partly, the right of access to personal data by data subjects, the right to erasure, or the right to restriction of processing as referred to in Articles 17, 19 and 20 respectively of Regulation (EU) 2018/1725, it shall inform the data subject concerned, in its reply to the request for access, erasure or restriction of processing of the restriction applied and of the principal reasons therefor, and of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy in the Court of Justice of the European Union.
2. The provision of information concerning the reasons for the restriction referred to in paragraph 1 may be deferred, omitted or denied for as long as it would undermine the purpose of the restriction.
3. The Commission shall record and register the reasons for the restriction in accordance with Article 17.
4. Where the right of access is wholly or partly restricted, the data subject is entitled to exercise his or her right of access through the intermediary of the EDPS, in accordance with Article 25(6), (7) and (8) of Regulation (EU) 2018/1725.
Article 16 
Where the Commission restricts the communication of a personal data breach to the data subject, as referred to in Article 35 of Regulation (EU) 2018/1725, it shall record and register the reasons for the restriction in accordance with Article 17 of this Decision.
Article 17 

1. The Commission shall record the reasons for any restriction applied pursuant to this Decision, including a case-by-case assessment of the necessity and proportionality of the restriction taking into account the relevant elements in Article 25(2) of Regulation (EU) 2018/1725.
To that end, the record shall state how the exercise of the right would jeopardise the purpose of the DPO tasks under this Decision, or of restrictions applied pursuant to Article 13(2) or (3), or would adversely affect the rights and freedoms of other data subjects.
2. The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the EDPS on request.
Article 18 

1. Restrictions referred to in Articles 14, 15 and 16 shall continue to apply as long as the reasons justifying them remain applicable.
2. Where the reasons for a restriction referred to in Article 14 or 16 no longer apply, the Commission shall lift the restriction and provide the reasons for the restriction to the data subject. At the same time, the Commission shall inform the data subject of the possibility of lodging a complaint with the EDPS at any time or of seeking a judicial remedy in the Court of Justice of the European Union.
3. The Commission shall review the application of the restrictions referred to in Articles 14 and 16 every six months from their adoption and in any case at the closure of the relevant DPO activity. Thereafter, the Commission shall monitor the need to maintain any restriction or deferral on an annual basis.
Article 19 

1. Where other Commission services conclude that a data subject’s rights should be restricted pursuant to this Decision, they shall inform the DPO. They shall also provide the DPO with access to the record and any documents containing underlying factual and legal elements.
2. The DPO may request that the delegated controller of the Commission service concerned review the application of the restrictions. The delegated controller of the Commission service concerned shall inform the DPO in writing about the outcome of the requested review.
CHAPTER 6
Article 20 
Decision 2008/597/EC is repealed.
Article 21 
This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Done at Brussels, 3 July 2020.
For the Commission
The President
Ursula VON DER LEYEN