Tag Archives: Regulation 45/2001

CJEU case to follow: purpose limitation, processing sensitive data, non-material damage

A new case received by the General Court of the CJEU was published in the Official Journal of the EU in February, Case T-881/16 HJ v EMA.

A British citizen seeks to engage the non-contractual liability of the European Medicines Agency for breaching data protection law. The applicant claims that “the documents in his personal file, which were made public and accessible to any member of staff of the European Medicines Agency for a period of time, were not processed fairly and lawfully but were processed for purposes other than those for which they were collected without that change in purpose having been expressly authorised by the applicant”.

Further, the applicant claims that “the dissemination of that sensitive data consequently called into question the applicant’s integrity, causing him real and certain non-material harm”.

The applicant asks the Court to “order the defendant to pay the applicant the symbolic sum of EUR 1 by way of compensation for the non-material harm suffered”.

Even if in the published summary there is no mention of the applicable law, it is clear that Regulation 45/2001 is relevant in this case – the data protection regulation applicable to EU institutions and bodies (EMA is an EU body). The rules of Regulation 45/2001 are fairly similar to those of Directive 95/46.

(Thanks dr. Mihaela Mazilu-Babel for bringing this case to my attention)

***

Find what you’re reading useful? Please consider supporting pdpecho.

 

 

Advertisements

Peter Hustinx expressed “serious concerns” in a letter to EU officials regarding the appointment of the new EDPS

The mandate of Peter Hustinx as European Data Protection Supervisor will end on January 16. Mr. Hustinx will thus finish his second five year term as EDPS, leaving behind a strong legacy. The question is: who will further take care of this legacy?

In a letter sent to EU officials and published on January 7, Mr. Hustinx expresses “serious concerns about the procedure for the selection and appointment of a new European Data Protection Supervisor and Assistant Supervisor”, because “at this stage, it is highly unlikely that the appointment of a new Supervisor and Assistant Supervisor will take place either before or shortly after this date (January 16)”.

According to Article 42(1) of Regulation 45/2001, “The European Parliament and the Council shall appoint by common accord the European Data Protection Supervisor for a term of five years, on the basis of a list drawn up by the Commission following a public call for candidates“.

Article 42(2) of the Regulation states that “The European Data Protection Supervisor shall be chosen from persons whose independence is beyond doubt and who are acknowledged as having the experience and skills required to perform the duties of European Data Protection Supervisor, for example because they belong or have belonged to the supervisory authorities referred to in Article 28 of Directive 95/46/EC“.

According to Pcworld.com, although the call for candidates went out last year, Commission spokesman Antony Gravili said that “the selection panel concluded that none of the candidates had the qualities that are needed for the job.”

Mr. Hustinx considers that this fact “opens the perspective of a period of uncertainty as to when the new team of Supervisors will be appointed”. 

He continues with the view that “This uncertainty and the possibly long delays that may be involved, as well as their different consequences, are likely to harm the effectiveness and the authority of the EDPS over the coming months. The EU is presently in a critical period for the fundamental rights of privacy and data protection, and a strong mandate is required to provide the authority to ensure that these fundamental rights are fully taken into account at EU level. In this respect, I would recall that the operation of a fully effective independent control authority is an essential feature of that right, as set out in Article 8 of the Charter and Article 16 of the Treaty”.

In this context, Mr. Hustinx sent the letter to Mr. Maros Sefcovic, vice-president of the European Commission, Mr. Juan Fernando Aguilar, Chairman of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs and to Ambassador Theodors N. Sotiropoulos, Permanent Representative of Greece (as Greece recently took over the 6 months presidency of the European Council), asking them “to take all the steps necessary to ensure that a new Supervisor and Assistant Supervisor will be appointed as soon as possible”.

 

See also

IAPP’s Angelique Carson published an informative piece about Mr. Hustinx’s legacy in December on privacyassociation.org, which I invite you to read HERE.