1.   The rules of procedure on the processing and protection of personal data at Eurojust (hereinafter ‘rules of procedure’) implement the data protection provisions of the Eurojust Regulation and Regulation (EC) No 2018/1725.

2.   They shall apply to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

3.   The rules of procedure shall apply to all personal data processed by Eurojust, including those personal data contained in information drawn up or received by it and in its possession, concerning matters relating to the policies, activities and decisions falling within the framework of its competence.

1.   These rules of procedure apply to both operational and administrative personal data processed by Eurojust.

2.   Operational data shall be processed in accordance with Title II.

3.   Administrative data shall be processed in accordance with Title III.

1.   Requests for the exercise of data subject rights shall be dealt with by the National Member(s) concerned with the request, who shall provide a copy of the request to the Data Protection Officer for its registration.

2.   The National Member(s) concerned shall consult the competent authorities of the Member States on the decision to be taken in response to a request.

3.   The Data Protection Officer shall, should the case so require, carry out additional checks in the Case Management System and inform the National Member(s) concerned if any additional relevant information has been found through these checks. The National Member(s) concerned shall take into account the information provided by the Data Protection Officer and, when appropriate, reconsider the initial decision.

4.   The legal and factual reasons on which the decision is taken by the National Member(s) shall be documented in the Temporary Work File concerning the request in the Case Management System and shall be made available to the EDPS on request.

5.   The Data Protection Officer shall communicate the decision taken by the National Member(s) concerned on behalf of Eurojust to the data subject, and shall inform the data subject of the possibility to lodge a complaint with the EDPS if he or she is not satisfied with the decision or to seek a judicial remedy before the Court of Justice.

6.   In the cases where the request has been received through a national supervisory authority, Eurojust shall inform this authority of a decision communicated by the Data Protection Officer to the data subject.

1.   The case management system shall automatically allocate a unique reference number (identifier) to each new temporary work file opened.

2.   When a National Member responsible for the management of a temporary work file as defined in Article 24(1) of the Eurojust Regulation gives access to a temporary work file or a part of it to one or more involved National Member(s), the case management system shall ensure that the authorised users under the profile of that national desk under the responsibility of the National Member have access to the relevant parts of the file but that they can not modify the data introduced by the original author. The authorised users can, however, add any relevant information to the new parts of the temporary work files. Likewise, information contained in the index can be read by all authorised users of the system but can only be modified by its original author.

3.   The Data Protection Officer shall be automatically informed by the case management system of the creation of each new work file that contains personal data.

4.   The case management system shall ensure that only operational personal data referred in paragraph 1(a) to (i), (k) and (m) and (2) of Annex II of the Eurojust Regulation can be recorded by the National Member concerned, who has opened a temporary work file, in the index in accordance with Articles 23(4) and 24(3) of the Eurojust Regulation.

5.   When, in accordance with Article 23(6) of the Eurojust Regulation, National Members wish to temporarily store and analyse personal data for the purpose of determining whether such data are relevant to Eurojust’s tasks, they shall create a draft temporary work file which shall remain only accessible to them and those authorised by them within their desk’s profile. After three months the draft temporary work file should either be converted into a temporary work file in the case management system or shall be automatically deleted by the system. The system shall provide an alert to the National Member concerned before such time has elapsed to remind him/her of the need to take a decision regarding the draft file.

6.   The National Member(s) concerned shall ensure that the information contained in the index is sufficient to comply with the tasks of Eurojust as defined in Article 2 of the Eurojust Regulation.

1.   Eurojust shall take appropriate technical measures to ensure that the Data Protection Officer is automatically informed of the exceptional cases in which recourse is made to Article 27(4) of the Eurojust Regulation. The case management system shall ensure that such data cannot be included in the index referred to in Article 23(1) and 23(4) of the Eurojust Regulation.

2.   When such data refer to witnesses or victims within the meaning of Article 27(2) of the Eurojust Regulation the case management system shall not record this information unless the national members concerned decide otherwise. The decision to process such data shall be documented.

1.   Eurojust shall take appropriate technical measures to ensure that the Data Protection Officer is automatically informed of the exceptional cases in which, for a limited period of time, recourse is made to Article 27(3) of the Eurojust Regulation. The case management system shall mark such data in a way that will remind the person who has introduced the data in the system of the obligation to keep these data for a limited period of time.

2.   When such data refer to witnesses or victims within the meaning of Article 27(2) of the Eurojust Regulation, the case management system shall not record this information unless the national members concerned decide otherwise. The decision to process such data shall be documented.

1.   Each National Member of Eurojust shall document and inform the Data Protection Officer regarding the access policy he or she has authorised in line with Article 34 of the Eurojust Regulation within his or her national desk regarding operational personal data.

2.   National Members may, on a case by case basis, decide to give a specific authorisation to access to a temporary work file or to parts of it to a person who is not an Eurojust staff member but who is working on behalf of Eurojust and belongs to a specific category of postholders who has beforehand been authorised by the Administrative Director of Eurojust in line with Article 24(2) of the Eurojust Regulation to be granted access to the Case Management System.

3.   National Members shall ensure that appropriate organisational arrangements are made and complied with within their desks and that proper use is made of the technical and organisational measures, including following the required training, put at their disposal by Eurojust.

4.   In accordance with Article 34 of the Eurojust Regulation, the College may authorise other Eurojust staff to have access to operational personal data where necessary for the performance of the tasks of Eurojust.

1.   The Eurojust Case Management System as defined in Article 23 of the Eurojust Regulation shall serve as the record of all processing activities mentioned in Article 35 of the Eurojust Regulation in as far as operational personal data is concerned.

2.   The Eurojust Case Management System shall contain a full record of transmission and receipt of operational personal data making it possible to establish any transmission of operational personal data and the identification of the national authority, organisation or third country or international organisation which transmitted or received such information to/from Eurojust.

1.   A decision on the transfer of personal data to third countries or international organisations in accordance with the Article 58(1) of the Eurojust Regulation shall be taken by the College of Eurojust at the request of the National Member(s) concerned, following an assessment carried out by the Data Protection Officer.

2.   The assessment referred to in paragraph 1 shall be provided by the Data Protection Officer within ten working days. When necessary for reasons of urgency, indicated by the National Member(s) concerned, the assessment shall be provided as soon as possible. In particularly complex cases, the Data Protection Officer may agree a longer timeframe for completing the assessment with the National Member(s) concerned.

3.   The assessment by the Data Protection Officer shall in particular address the issues referred to in Recitals 51 and 52 of the Eurojust Regulation. Where, in the course of carrying out the assessment of the appropriateness of the safeguards in the specific case, the Data Protection Officer has reservations, he/she may consult the EDPS before issuing an assessment on a specific transfer

1.   Eurojust shall put in place appropriate technical measures to ensure that the time limits for the storage of operational personal data defined in Article 29 of the Eurojust Regulation are observed and that, when no justified decision is taken on the continued storage of operational personal data at the time of the review, those data shall be automatically deleted.

2.   The case management system shall in particular ensure that a review of the need to store data in a temporary work file is carried out every three years after they were entered. Such a review must be properly documented in the system, including the motivation for a decision taken on the continued storage of operational personal data, and it shall be automatically communicated to the Data Protection Officer. The results of such a decision, or lack of it, shall apply to the case as a whole, as defined in Article 29(2) of the Eurojust Regulation.

3.   The case management system shall particularly mark the data recorded for a limited period of time in accordance with Article 27(3) as well as the data mentioned in Article 27(4) of the Eurojust Regulation. If any operational personal data referred to in Article 27(4) are stored for a period exceeding five years the Case Management System will generate an alert to ensure that such information is automatically provided to the EDPS.

4.   In exceptional cases, where a National Member considers that operational personal data are further needed for archiving purposes in the public interest or statistical purposes as referred to in Article 29(7)(e) of the Eurojust Regulation, the College shall decide, after having heard the opinion of the Data Protection Officer, about the necessity to retain the data, in this particular case, for that specific purpose. The EDPS shall be informed when recourse is made to this procedure.

1.   Requests for the exercise of rights shall be addressed directly to the Administrative Director of Eurojust or to the Data Protection Officer. The Data Protection Officer shall be provided in any case with a copy of the request for its registration.

2.   If necessary, the Data Protection Officer shall assist the data subject and shall make available specific forms that can be used by the individuals to make their requests.

3.   The Administrative Director shall, on the basis of the information provided by the administrative entity directly involved in the processing of the personal data and of the advice of the Data Protection Officer, take a decision regarding the specific case.

4.   The Data Protection Officer shall communicate the decision taken by the Administrative Director to the data subject and shall inform the data subject of the possibility to lodge a complaint with the EDPS if he or she is not satisfied with the decision rendered by Eurojust.

5.   The request shall be dealt with in full within a month from the date of receipt. That period may be extended by another two months where necessary taking into account the number and complexity of the request. The Administrative Director shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. The data subject may lodge a complaint with the EDPS if Eurojust has not rendered a decision on the basis of his or her request within this time limit.

1.   Each individual processing operation of administrative personal data taking place at Eurojust shall, in the light of its defined purpose and in full compliance with Article 4(1)(d) and Article 31(1)(f) of Regulation (EC) No 2018/1725, have a clear and defined time limit for storage in order to ensure that the data are only kept for no longer than is necessary for the purposes for which the administrative personal data are processed. Such time limit shall be established for each category of data processed and documented in the record of processing activities.

2.   Eurojust shall keep administrative personal data in accordance with paragraph 1, for as long as necessary and in any case no longer than the periods indicated for each category of processing activities in the table appended as an annex to these rules.

3.   The Executive Board, acting on a proposal from the Administrative Director, may determine shorter retention periods than the ones included in the annex to these rules.

1.   These rules shall be reviewed regularly to assess if any amendment is necessary. Any amendment to the rules of procedure shall follow the same procedure established for their approval in the Eurojust Regulation.

2.   The EDPS shall bring to the attention of the College any suggestions or recommendations regarding amendments to the rules of procedure.