Opinion of the European Data Protection Supervisor on the legal proposals for the common agricultural policy after 2013.
On 12 October 2011, the Commission adopted a package of seven proposals on the common agricultural policy (CAP) after 2013 that were sent to the EDPS for consultation on the same day.
The Proposals aim at providing a framework for (1) viable food production, (2) sustainable management of natural resources and climate action, and (3) balanced territorial development. To this end, they establish several support schemes for farmers as well as other measures to stimulate agricultural and rural development.
In the course of these programmes, personal data — mainly relating to aid beneficiaries but also to third parties — are processed at various stages (processing of aid applications, ensuring the transparency of payments, control and fight against fraud, etc.) While the bulk of the processing is carried out by and under the responsibility of the Member States, the Commission is able to access most of these data. Beneficiaries and in some instances third parties (-e.g. for the purpose of fraud checks — have to provide information to the designated competent authorities.)
The EDPS welcomes that references to the applicability of Directive 95/46/EC and Regulation (EC) No 45/2001 are included in the preambles of the proposed Regulation on direct payments, the proposed Regulation establishing a common organisation of the markets in agricultural products, the proposed Regulation on rural development and the proposed “horizontal” Regulation.
The goal of this Opinion is not to analyse the whole set of proposals, but to offer input and guidance for designing the processing of personal data necessary for the administration of the CAP in a way that respects the fundamental rights to privacy and data protection.
To this end, the present Opinion is structured in two parts: a first, more general part includes analysis and recommendations relevant for most of the proposals. This mostly refers to comments on delegated and implementing powers for the Commission. A second part then discusses specific provisions contained in several of the proposals and gives recommendations to address the issues identified therein.
Delegated and implementing acts: in general, it is observed that many questions central to data protection are not included in the present proposals, but will be regulated by implementing or delegated acts. This applies, for example, to measures to be adopted regarding the monitoring of aid, the establishment of IT systems, transfers of information to third countries and on-the-spot checks.
However, The EDPS considers that the central aspects of the processing envisaged in the proposals and the necessary data protection safeguards cannot be regarded as ‘non-essential elements’, as required by Article 290 of the Treaty on the Functioning of the EU. Therefore, at least the following elements should be regulated in the main legislative texts in order to increase legal certainty:
· the specific purpose of every processing operation should be explicitly stated. This is especially relevant as regards publication of personal data and transfers to third countries;
· the categories of data to be processed should be specified;
· access rights should be clarified, in particular as regards access to data by the Commission. In this regard, it should be specified that the Commission may only process personal data where necessary, e.g. for control purposes;
· maximum retention periods should be laid down, as in some cases only minimum retention periods are mentioned in the proposals;
· the rights of data subjects should be specified, especially as regards the right of information; while beneficiaries might be aware of their data being processed, third parties should also be adequately informed that their data could be used for control purposes;
· the scope and the purpose of transfers to third countries should also be limited to what is necessary end should be fixed in an appropriate manner in the proposals.
Once these elements are specified in the main legislative proposals, delegated or implementing acts might be used to implement in more detail these specific safeguards. The EDPS expects to be consulted in this regard.
Rights of data subjects: the rights of data subjects should be specified, especially as regards the right of information and the right of access. This is especially relevant as regards the horizontal regulation, according to which commercial documents of beneficiaries, but also of suppliers, customers, carriers and other third parties can be checked. While beneficiaries might be aware of their data being processed, third parties should also be adequately informed that their data could be used for control purposes (e.g. by a privacy notice to be given at the moment of collection and information provided on all relevant websites and documents). The obligation to inform data subjects, including third parties, should be included in the proposals.
Security measures: in addition, security measures should be provided at least by implementing or delegated acts, especially as regards computerised databases and systems. The principles of accountability and Privacy by Design should also be taken into account.
Prior check: lastly, taking into account that in some cases data relating to (suspected) offences may be processed (e.g. related to fraud), a prior check by the competent national DPAs or the EDPS may be needed.