
Article 1 

1. This Decision lays down the rules to be followed by the Commission to inform data subjects of the processing of their data in accordance with Articles 14, 15 and 16 of Regulation (EU) 2018/1725 when carrying out all of its tasks pursuant to Decision (EU, Euratom) 2015/443.It also lays down the conditions under which the Commission may restrict the application of Articles 4, 14 to 17, 19, 20 and 35 of Regulation (EU) 2018/1725, in accordance with Article 25(1) (c), (d) and (h) of that Regulation.
2. This Decision applies to the processing of personal data by the Commission for the purpose of or in relation to the activities carried out in order to ensure security of persons, assets and information in the Commission pursuant to Decision (EU, Euratom) 2015/443.
Article 2 

1. Where the Commission exercises its duties with respect to data subjects' rights under Regulation (EU) 2018/1725, it shall consider whether any of the exceptions laid down in that Regulation apply.
2. Subject to Articles 3 to 7 of this Decision, the Commission may restrict the application of Articles 14 to 17, 19, 20 and 35 of Regulation (EU) 2018/1725 as well as the principle of transparency laid down in Article 4(1)(a) of that Regulation in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 17, 19 and 20 of Regulation (EU) 2018/1725, where the exercise of those rights and obligations would jeopardise the internal security of Union institutions, bodies, offices or agencies including of their electronic communications networks, inter alia by revealing its investigative tools and methods in the context of security inquiries, or would adversely affect the rights and freedoms of other data subjects.
3. Subject to Articles 3 to 7, the Commission may restrict the rights and obligations referred to in paragraph 2 of this Article in relation to personal data obtained from other Union institutions, bodies, agencies and offices, competent authorities of Member States or third countries or from international organisations, in the following circumstances:
(a) where the exercise of those rights and obligations could be restricted by other Union institutions, bodies, agencies and offices on the basis of other acts provided for in Article 25 of Regulation (EU) 2018/1725 or in accordance with Chapter IX of that Regulation or in accordance with Regulation (EU) 2016/794 of the European Parliament and of the Council or Council Regulation (EU) 2017/1939;
(b) where the exercise of those rights and obligations could be restricted by competent authorities of Member States on the basis of acts referred to in Article 23 of Regulation (EU) 2016/679 of the European Parliament and of the Council, or under national measures transposing Articles 13(3), 15(3) or 16(3) of Directive (EU) 2016/680 of the European Parliament and of the Council;
(c) where the exercise of those rights and obligations could jeopardise the Commission's cooperation with third countries or international organisations regarding information exchanges on potential counter-intelligence and counter-terrorist threats and in the conduct of its security inquiries.Before applying restrictions in the circumstances referred to in points (a) and (b) of the first subparagraph, the Commission shall consult the relevant Union institutions, bodies, agencies, offices or competent authorities of the Member States, unless it is clear to the Commission that the application of a restriction is provided for by one of the acts referred to in those points or such consultation would jeopardise the purpose of its activities under Decision (EU, Euratom) 2015/443.Point (c) of the first subparagraph of this paragraph shall not apply where the interest of the Commission to cooperate with third countries or international organisations is overridden by the interests or fundamental rights and freedoms of the data subjects.
4. Paragraphs 1, 2 and 3 are without prejudice to the application of other Commission decisions laying down internal rules concerning the provision of information to data subjects and the restriction of certain rights under Article 25 of Regulation (EU) 2018/1725 and to Article 23 of the Rules of Procedure of the Commission.
Article 3 

1. The Commission shall publish on its website data protection notices that inform all data subjects of its activities involving processing of their personal data which it carries out in order to fulfil its tasks pursuant to Decision (EU, Euratom) 2015/443.
2. The Commission shall individually inform witnesses and the persons concerned by a security inquiry of the processing of their personal data in an appropriate format. It shall also individually inform persons whose data are processed in the context of security measures taken under Article 7(5) and Article 12(1) (d) and (e) of Decision (EU, Euratom) 2015/443, namely in searches of Commission premises and communication and information systems and equipment.
3. Where the Commission restricts, wholly or partly, the provision of the information to data subjects referred to in paragraph 2 of this Article, it shall record and register the reasons for the restriction in accordance with Article 6 of this decision.
Article 4 

1. Where the Commission restricts, wholly or partly, the right of access to data by data subjects, the right of erasure or the right to restriction of processing as referred to in Articles 17, 19 and 20 respectively of Regulation (EU) 2018/1725, it shall inform the data subject concerned, in its reply to the request for access, erasure or restriction of processing, of the restriction applied and of the principal reasons thereof, and of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy in the Court of Justice of the European Union.
2. The provision of information concerning the reasons for the restriction referred to in paragraph 1 of this Article may be deferred, omitted or denied for as long as it would undermine the purpose of the restriction.
3. The Commission shall record and register the reasons for the restriction in accordance with Article 6 of this decision.
4. Where the right of access is wholly or partly restricted, the data subject may exercise his or her right of access through the intermediary of the European Data Protection Supervisor, in accordance with Article 25(6), (7) and (8) of Regulation (EU) 2018/1725.
Article 5 
Where the Commission restricts the communication of a personal data breach to the data subject, as referred to in Article 35 of Regulation (EU) 2018/1725, it shall record and register the reasons for the restriction in accordance with Article 6 of this Decision.
Article 6 

1. The Commission shall record the reasons for any restriction applied pursuant to this Decision, including an assessment of the necessity and proportionality of the restriction taking into account the relevant elements in Article 25(2) of Regulation (EU) 2018/1725.To that end, the record shall state how the exercise of the right would jeopardise the purpose of the Commission's tasks under Decision (EU, Euratom) 2015/443, or of restrictions applied pursuant to Article 2(2) or (3), or would adversely affect the rights and freedoms of other data subjects.
2. The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor on request.
Article 7 

1. Restrictions referred to in Articles 3, 4 and 5 of this decision shall continue to apply as long as the reasons justifying them remain applicable.
2. Where the reasons for a restriction referred to in Article 3 or 5 of this decision no longer apply, the Commission shall lift the restriction and provide the reasons for the restriction to the data subject. At the same time, the Commission shall inform the data subject of the possibility of lodging a complaint with the European Data Protection Supervisor at any time or of seeking a judicial remedy in the Court of Justice of the European Union.
3. The Commission shall review the application of the restrictions referred to in Articles 4 and 6 every six months from their application and at the closure of the relevant investigation. Thereafter, the Commission shall monitor the need to maintain any restriction/deferral on an annual basis.
Article 8 

1. The Data Protection Officer of the Commission shall be informed, without undue delay, whenever data subjects' rights are restricted in accordance with this Decision. Upon request, the Data Protection Officer shall be provided with access to the record and any documents containing underlying factual and legal elements.
2. The Data Protection Officer of the Commission may request a review of the restrictions. The Data Protection Officer shall be informed about the outcome of the requested review.
3. The information exchanges with the Data Protection Officer throughout the procedure shall be recorded in the appropriate form.
Article 9 
This Decision shall enter into force on the third day following that of its publication in the Official Journal of the European Union.
Done at Brussels, 7 February 2019.
For the Commission
The President
Jean-Claude JUNCKER