Making privacy and cybersecurity accessible in companies
with simple, practical explanations, AI assisted
Observatory edited by Dr. V. Spataro



europol 2024-10-25 · Doc 98963

EDPS versus EUROPOL: limiting the duration of processing

abstract:



The clash continues. The EDPS gives directions, Europol does not follow.

Recall that in Italy the DNA database of persons convicted of serious crimes (and probably the database of images) has a duration of 40 years.

However, the database is used to search probabilistically for relatives, starting from DNA of unknown persons found at the crime scene, even though experts say the method is not reliable and even though in at least two cases the main suspect had an ironclad alibi, so that attention moved on, as a matter of course, to the second name on the probability list.

Source: EDPS
Link: https://www.edps.europa.eu/system/files/2024-10/24








text:

EDPS issues the Supervisory opinion on the draft Europol Management Board Decision laying down rules to determine time limits for the storage of administrative personal data.

...

4. CONCLUSION

As indicated above, in order to ensure compliance of the processing with the EUDPR, the
EDPS deems necessary that Europol:

1. Recommendation 1: include as part of the retention schedule annexed to the draft
Management Board Decision the criteria and elements (including possible legal
obligations) justifying each retention period.

2. Recommendation 2: carry out a review of the respective records of processing
operations in order to verify the accuracy of the information in the records regarding
the retention periods set.

3. Recommendation 9: amend the Annex of the draft Decision in order to set what is
the starting date or the action/event that determines the starting date at which each
retention period starts to run.

4. Recommendation 10: clarify what is the set starting date or the activity/event
determining the starting date of the retention period set up for data processing
activities related to the management of public relations, marketing, press and media and
any other related processing activities. In addition, Europol should explain why they
have decided to keep personal data related to those processing activities for such
period.

5. Recommendation 11: clarify what is the set starting date or the activity/event
determining the starting date of the retention period set up for data processing
activities related to handling of data subject’s access requests.

6. Recommendation 12: make a distinction between the different processing activities
related to the monitoring of compliance with Europol data protection legislation, adapt
the respective retention periods and to clarify what is their set starting date or
activity/event determining their starting date.

7. Recommendation 15: clarify what is the set starting date or the activity/event
determining the starting date of the retention period set up for data processing
activities related to business continuity management.

8. Recommendation 18: clarify what is the set starting date or the activity/event
determining the starting date of the retention period set up for data processing
activities related to the organisation and management of Europol events, translation
services and any other related processing activities.

9. Recommendation 19: make an assessment of the need to retain the files related to
the Internal Audit Capability for seven years and clarify what is the set starting date
or the activity/event determining the starting date of the retention period.

10. Recommendation 20: clarify what is the specific legal instrument that Europol is
referring to in order to keep the files related to the implementation of the budget of
Europol according to legal obligations for such period.

11. Recommendation 21: provide information on when the retention period set up for
data processing activities related to the functioning of the Europol Liaison Bureaux starts
and what criteria have been used to determine it.

12. Recommendation 22: make the relevant distinctions between the different
categories of day-to-day management related processing activities according to the
purpose for which the relevant personal data are processed.

13. Recommendation 23: provide further clarification on when the retention period
starts for data processing activities related to the management of procurement
procedures and contract administration, and what criteria have been used to determine
it, including legal requirements and / or contractual obligations.

14. Recommendation 24: carry out a renewed assessment on the necessity to keep the
files related to the security and safety services for such period, and clarify what is the set
starting date or the activity/event determining the starting date of the retention
period.

15. Recommendation 26: clarify what is the set starting date or the activity/event
determining the starting date of the retention period set up for the data processing
related to the implementation of the EU Staff Regulation.

16. Recommendation 28: clarify what is the set starting date or the activity/event
determining the starting date of the retention period set up for the data processing
activities related to the IT governance and IT management of Europol.

17. Recommendation 29: provide more details in regards to the scope of the activities
related to the functioning of, and performed by, the Europol Medical Centre to which
this retention period is referring. In addition, to provide further information on when
the proposed retention period starts and what criteria have been used to determine
it.

18. Recommendation 30: clarify since when the retention period set up for data
processing activities related to subsisting rights and obligations of staff members would
apply.

19. Recommendation 31: make the relevant distinction between the different
categories of staff members and adapt the respective retention periods set up for data
processing activities related to subsisting rights and obligations of staff members, taking
into consideration that their subsisting rights and obligations may differ.

20. Recommendation 33: reconsider the specific retention period of one hundred years
set up for data processing activities related to subsisting rights and obligations of staff
members.

Moreover, the EDPS recommends that Europol:

21. Recommendation 3: confirm that information systems are properly updated to
ensure that retention periods are implemented accordingly, in a secure and verifiable
manner.

22. Recommendation 4: amend Article 3.3 of the draft Decision to explicitly mention
that the storage of personal data for longer periods for such purposes is in accordance
with Article 13 of the EUDPR (‘safeguards relating to the processing for archiving
purposes in the public interest, scientific or historical research purposes or statistical
purposes’).

23. Recommendation 5: amend Article 3.4 of the draft Decision to indicate that Europol
should document its assessment on the criteria followed to determine the retention
periods for each category of data processed.

24. Recommendation 6: amend the Article 5.3 of the draft Decision to mention that the
controller’s documentation includes an analysis of the criteria taken into
consideration for the assessment of the necessity of the continued storage of
administrative personal data.

25. Recommendation 7: amend the Article 5.3 of the draft Decision to specify how
regularly the controller should carry out the review of the need for continued storage
of administrative personal data.

26. Recommendation 8: amend the Article 5.3 of the draft Decision to make clear that
controllers shall be aware of and responsible for the correct management of the
established retention periods.

27. Recommendation 13: specify the categories of personal data processed in the
corresponding records of the processing activities related to the monitoring of
compliance with Europol data protection legislation.

28. Recommendation 14: implement a specific administrative procedure for deleting
special categories of personal data for processing activities related to the monitoring
of compliance with Europol data protection legislation before the end of the standard
retention period of five years.

29. Recommendation 16: assess the specific processing activities related to business
continuity management to understand whether any of them could require a shorter
retention period.

30. Recommendation 17: provide the justification of the assessment on the necessity
to keep the files related to data processing activities related to the organisation and
management of Europol events, translation services for such period.

31. Recommendation 25: set the retention period for processing activities related to the
implementation of the EU Staff Regulation for seven years.

32. Recommendation 27: carry out a further assessment of the evidence, including any
legal obligations of the controller, justifying the retention period set up for the data
processing activities related to the IT governance and IT management of Europol and any
other related processing activities.

33. Recommendation 32: put in place technical and organisational measures to, where
necessary and appropriate, extend retention periods related to data processing
activities related to subsisting rights and obligations of staff members in exceptional
circumstances to safeguard the subsisting rights of the staff members. Moreover, to
implement the necessary procedure to assess on a regular basis whether they must
delete the personal data for which Europol decided to extend the retention period, or
whether the circumstances that justified such extended retention periods still exist.

In light of the accountability principle, the EDPS expects Europol to implement the above
recommendations accordingly and has decided to close the case.

Done in Brussels, October 2024 [e-signed]

WOJCIECH RAFAŁ WIEWIÓROWSKI


Text of 2024-10-25. Source: EDPS



