OPINION of the European Data Protection Supervisor (EDPS) on the proposal for a Regulation establishing a single digital gateway and on the ‘once-only’ principle.
In this opinion, formulated at the request of the Commission and the Parliament, the EDPS welcomed the Commission’s proposal to modernise administrative services and appreciated the fact that the latter is concerned about the impact of the proposal on the protection of personal data.
As a reminder, the proposal aims to facilitate citizens' and businesses' cross-border activities by offering them user-friendly access, through a single digital gateway, to information, procedures and assistance and problem-solving services they need for exercising their internal market rights.
It is among one of the first EU instruments that explicitly refers to and implements the ‘once-only’ principle and implements it.
The EDPS takes this opportunity to give an introductory overview of the key issues related to the ‘once-only’ principle in general. These issues concern, in particular, the legal basis for the processing; the purpose limitation; data subject rights. Of the three gateway services listed above, this opinion focused on ‘access to procedures’ and in particular, the provisions relating to the ‘cross-border exchange of evidence between competent authorities’.
The EDPS stressed that in order to ensure successful implementation of EU-wide ‘once-only’, and enable lawful cross-border exchange of data, once-only must be implemented in line with relevant data protection principles.
With regard to the proposal itself, the EDPS supported the following points:
Legal basis of the processing, the EDPS recommended that one or more recitals be added to clarify that:
- the proposal itself does not provide a legal basis for exchanging evidence, and that any exchange of evidence must have an appropriate legal basis;
- the proposal itself does not provide a legal basis for the use of the technical system for exchanging information for purposes other than those provided for in the four directives listed or otherwise foreseen under applicable EU or national law;
- the proposal is not intended to restrict the principle of purpose limitation under the General Data Protection Regulation (GDPR);
- that users have the right to object to the processing of their personal data in the technical system, pursuant to the GDPR.
Explicit request of the user before any transfer of evidence between competent authorities: the EDPS recommended that the proposal clarifies (preferably in a substantive provision):
- what makes the request ‘explicit’ and how specific the request must be;
- whether the request can be submitted via the technical system;
- what are the consequences if the user chooses not to make an ‘explicit request’, and whether such request can be withdrawn.
Preview of the data to be exchanged: the proposal should clarify:
- the choices for the user who avails herself of the possibility to ‘preview’ the data to be exchanged;
- that the user is offered a possibility of preview in a timely manner before the evidence is made accessible to the recipient; and can withdraw the request for the exchange of the evidence.
Lastly, as regards the amendments to the Regulation on administrative cooperation through the Internal Market Information System (IMI), the EDPS recommended adding the GDPR to the Annex of the IMI Regulation to allow the potential use of IMI for the purposes of data protection.