Opinion of the European Data Protection Supervisor on the Proposal
for a Regulation of the European Parliament and of the Council laying down
the procedure for implementing Regulation (EC) No 883/2004 on the
coordination of social security systems.
The EDPS
welcomes this proposal to the extent that it aims at favouring the free
movement of citizens and improving the standard of living and conditions of
employment of EU citizens moving within the Union. Indeed, coordination of
social security systems could not exist without the processing and the
transmission of different kinds of personal data, in many cases of a
sensitive nature. However, it is also essential that this increased exchange
of personal data between national administrations of Member States, while
providing better conditions for free movement of people, also ensures a high
level of protection of personal data, thereby guaranteeing one of the EU
fundamental rights.
The Proposal
will rely on the harmonised data protection framework laid down by Community
provisions on protection of personal data, and in particular by Directive
95/46/EC and national implementing laws. The EDPS is glad that the
applicability of this data protection framework is recalled by both the basic
Regulation 883/2004 and by the Proposal. However, specific issues relating to
the application of data protection principles in the framework of
coordination of social security systems should be further and explicitly
addressed.
- Purpose
limitation principle: the EDPS considers
that the Proposal respects the basic data protection provisions on
purpose limitation. Furthermore, the EDPS notes that the prohibition to
use personal data for purposes other than social security is not
explicitly laid down in the Proposal but arises from the applicable data
protection legislation, which would allow for exceptions to this general
principle only in specific circumstances and under strict conditions. In
this context, the legislator might consider whether to specifically
refer in the Proposal to the conditions under which social security data
may be processed for a different purpose.
- Proportionality
in data processed: competent bodies and
storage periods, the EDPS highlights that in such a complex system,
whereby personal data are processed and further transmitted through an
asymmetric network of bodies, special attention should be paid to ensure
that personal data are processed by the competent authorities, for a
proportionate period of time, and that duplications of databases are
avoided. In this context, further clarifications on the modalities of
transmitting and storing the data could be added to the Proposal.
- Legal
grounds for processing personal data: the
EDPS, without entering into the details of the various specific
mechanisms laid down by the Proposal, recommends the EU legislator to
ensure that each and every proposed mechanism of processing and
transmission of personal data is clearly based on a specific legal
obligation directly laid down by the Proposal or on other legitimate
grounds for processing pursuant to Articles 7 and 8 of the Directive.
- Information
to insured persons: the EDPS recommends
adding an explicit reference in the Proposal to the need to provide
concerned persons with specific and adequate information on processing
of their personal data.
- Data
subjects' rights: the EDPS warmly welcomes
Article 3.2 of the Proposal and suggests supplementing this provision
with a broader reference to all data subjects' rights, including the
right to and the safeguards concerning automated individual
decisions. Furthermore, the EDPS invites the legislator to facilitate
the effective exercise of data subjects' rights in a trans-border
context by providing that the competent authority which is in direct
contact with the insured person should act as a one-stop shop not only
with regard to social security benefits, but also with regard to all
data processed in connection with those benefits.
- Security
measures: the EDPS recommends that the
‘common secure framework’ for the transmission of data laid down by
Article 4 of the Proposal duly take into account relevant recommendations
on data protection and security of processing. In this context, expert
advisers in data protection and security should be duly involved in the
relevant works of the competent Administrative Commission.