OPINION OF THE EUROPEAN DATA PROTECTION SUPERVISOR on the proposal for a Regulation on the marketing and use of explosives precursors.
The EDPS recalls that this proposal addresses the problems of the misuse of certain chemicals, which are widely available to the general public on the market, as precursors to home- made explosives.
- Articles 4 and 5 of the proposal deal with the prohibition of sale to the general public, which is combined with a licensing scheme and requirement to record all licensed transactions.
- Article 6 requires economic operators to report suspicious transactions and thefts.
- Lastly, Article 7 addresses the need for data protection.
The EDPS welcomes that the proposal contains a separate provision (Article 7) on data protection. With that said, this single — and very general — provision foreseen in the proposal is insufficient to adequately address the data protection concerns raised by the proposed measures. In addition, the relevant articles of the proposal (Articles 4, 5 and 6) also fail to describe in sufficient detail the specificities of the data processing operations foreseen.
For these reasons, the EDPS recommends that the proposal should contain further and more specific provisions to adequately address these concerns.
In addition, the EDPS recommends that the Commission guidelines on suspicious transactions and on the technical details of the licenses should include further specific provisions on data processing and data protection. Both guidelines, as well as any possible implementing decision in the area of data protection, should be adopted after consulting the EDPS and — where the implementation at the national level is at stake — the Article 29 Data Protection Working Party.
Article 5 of the Regulation should specify a maximum retention period (prima facie, not exceeding two years) as well as the categories of personal data to be recorded (not exceeding name, license number and items purchased). The collection and conservation of personal data should be limited to what is strictly necessary. The collection of special categories of data should be expressly prohibited.
The role and nature of the contact points should be clarified in Article 6 of the proposal. This provision should also specify a maximum retention period for the data reported on suspicious transactions (prima facie, not exceeding two years) as well as the personal data to be recorded (not exceeding name, license number, items purchased, and reasons giving rise to suspicion). Processing of special categories of data should be expressly prohibited
Further, the guidelines/implementing decision should:
- specify the data that can be collected by the licensing authorities in connection with the license application and clearly limit the purposes for which data can be used. Similar provisions should also apply to the records of suspicious transactions;
- specify that the licensing authority should inform license holders about the fact that their purchases will be recorded and may be subject to reporting if found ‘suspicious’;
- further specify who should have access to the data received (and stored) by the national contact points. Access/disclosures should be limited on a strict need-to-know basis;
- provide for appropriate rights of access to data subjects and clearly set forth and justify any exceptions.
Lastly, the effectiveness of the measures foreseen should be periodically reviewed, at the same time also considering their impact on privacy.