European Data Protection Supervisor (EDPS) Ms Petra Candellier Head of Complaints and Litigation

 

Strasbourg, 12/02/2021

Complaint 274/2021/TE

Subject of case: The European Data Protection Supervisor's refusal to grant public access to documents related to a report concerning the Schrems II judgment

Dear Ms Candellier,

The Ombudsman has received a complaint from Ms X against the European Data Protection Supervisor (EDPS). She has asked me to deal with the case on her behalf.

The complainant asked the EDPS for access to:

a) the mapping exercise identifying which on-going contracts, procurement procedures and other types of cooperation involve transfers of data that the EDPS carried out for itself, in the context of its ‘Strategy for Union institutions, offices, bodies and agencies to comply with the Schrems II ruling’;^[1]

b) a copy of any privacy assessment, including data protection impact assessments, carried out by the EDPS for the use by the EDPS of the following tools: Microsoft Office365, Microsoft Teams, Zoom, Cisco Webex, Skype.

The EDPS refused public access, arguing that the requested documents are an integral and inseparable part of a larger ongoing decision-making process and that revealing the documents at this stage would seriously undermine the trust and spirit of cooperation among EU institutions and would jeopardise the outcome of the process. The EDPS further noted that it cannot confirm the existence or number of any other documents, besides a report on the mapping exercise, that may fall within the scope of the request “as they are part of ongoing procedures and thus their status or number is still pending”.

We have decided to open an inquiry into the complaint against the EDPS’s decision to refuse access under Regulation 1049/2001 to the report on the mapping exercise and its position that it cannot confirm the existence or number of any other documents that may fall within the scope of the request.

Regulation 1049/2001 states that applications for access should be handled promptly. It is in line with this principle that the Ombudsman also seeks to deal with cases such as this as quickly as possible.

As a first step, I consider it necessary to review the documents at issue in the complainant’s request. I would therefore be grateful if the EDPS could provide us with a copy of the report on the mapping exercise that it carried out, preferably in electronic format (through encrypted e-mail^[2]), by Friday, 19 February 2021.

The documents subject to the public access request will be treated confidentially, along with any other material the EDPS chooses to share with us that it marks confidential. Documents of this kind will be handled and stored in line with this confidential status and will be deleted from the European Ombudsman’s files shortly after the inquiry has ended.

The EDPS’s position has been set out in its confirmatory reply of 8 February 2021. However, should the EDPS wish to provide additional views, to be taken into account by the European Ombudsman during this inquiry, I would be grateful if they could be provided to me within fifteen working days from the receipt of this letter, that is, 5 March 2021.

In addition, we consider it would be helpful to schedule a meeting between the EDPS and the Ombudsman’s inquiry team at which we can discuss this case. Could you please take contact with my colleague, Ms Tanja Ehnert to arrange the details of this meeting, ideally to take place before 26 February 2021.

Yours sincerely,

Rosita Hickey
Director of Inquiries

 

[1] https://edps.europa.eu/sites/edp/files/publication/2020-10-29_edps_strategy_schremsii_en_0.pdf

[2] Encrypted emails can be sent to Mr Gaël Lambert, Information Technology Officer at the European Ombudsman