Commission Decision (EU) 2025/628 of 31 March 2025 laying down internal rules for the provision of information to data subjects and the restrictions of certain data subject rights in the processing of personal data by the Commission for supervision, investigation, enforcement and monitoring pursuant to Regulation (EU) 2022/2065
Digital services in the internal market (DSA): rules for the processing of personal data
Commission regulation published in the Official Journal of the EU on 1.4.2025
Background
(from the Commission decision)
(1) The Commission conducts investigations for the purpose of enforcing the rules laid down in Regulation (EU) 2022/2065 with respect to providers of very large online platforms and very large online search engines. To that end, it exercises powers of supervision, investigation, enforcement and monitoring conferred on the Commission by Regulation (EU) 2022/2065.
(2) The tasks of the Commission under Regulation (EU) 2022/2065 are carried out by the Directorate-General responsible for Communications Networks, Content and Technology of the Commission.
(3) In the context of exercising its supervision, investigation, enforcement, and monitoring tasks pursuant to Regulation (EU) 2022/2065, the Commission processes information. That information may include personal data of natural persons, such as individual staff of the undertaking (for example, the head of the compliance function, the single point of contact), suspects, victims, whistleblowers, informants, and witnesses as well as other natural persons whose personal data is contained in documents obtained in connection with the exercise of its supervision, investigation, enforcement and monitoring tasks by the Commission pursuant to Regulation (EU) 2022/2065.
(4) Personal data processing, within the meaning of Article 3(3) of Regulation (EU) 2018/1725, carried out in the course of investigation and enforcement activities under Regulation (EU) 2022/2065, might take place even before the Commission formally initiates proceedings pursuant to Article 66 of Regulation (EU) 2022/2065, might continue throughout the conduct of the investigation, and might continue even after the formal closure of the investigation (for example, for compliance monitoring or screening activities, assessing the need for initiating new investigative activities or legal proceedings).
(5) To fulfil its tasks under Regulation (EU) 2022/2065, the Commission processes several categories of personal data, such as identification data, contact details, case involvement data, case related data and any other information deemed necessary. Although unlikely, the categories of personal data processed might also include special categories of personal data as referred to in Article 10(1) of Regulation (EU) 2018/1725 if any of the reasons listed in Article 10(2) or (3) of that Regulation apply as well as personal data relating to criminal convictions and offences as referred to in Article 11 of Regulation (EU) 2018/1725. While carrying out its tasks under Regulation (EU) 2022/2065, the Commission is bound to respect the rights of natural persons in relation to the processing of personal data recognised by Article 8(1) of the Charter of Fundamental Rights of the European Union and by Article 16(1) of the Treaty on the Functioning of the European Union, as well as the rights provided for in Regulation (EU) 2018/1725. At the same time, the Commission, in the context of its activities under Regulation (EU) 2022/2065, is required to comply with strict rules of confidentiality and professional secrecy referred to in Article 84 of that Regulation.
(6) In certain circumstances, it is necessary to reconcile the rights of data subjects under Regulation (EU) 2018/1725 with the effective exercise of Commission’s tasks of supervision, investigation, enforcement and monitoring under Regulation (EU) 2022/2065, while ensuring full respect for the fundamental rights and freedoms of other data subjects. To that effect, Article 25(1) of Regulation (EU) 2018/1725 provides the Commission with the possibility to restrict, under certain conditions, the application of Articles 14 to 22, 35 and 36 of Regulation (EU) 2018/1725, as well its Article 4, insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 22 of Regulation (EU) 2018/1725.
(7) In certain circumstances, it is necessary to reconcile the rights of data subjects with the need to safeguard the objectives of the supervision, investigation, enforcement, and monitoring conducted under Regulation (EU) 2022/2065 as an important objective of general public interest of the Union pursuant to Article 25(1), point (c), of Regulation (EU) 2018/1725. The Commission might apply restrictions where, for instance, exercising those rights would seriously affect its capacity to conduct the investigation in an effective manner, thus hampering its objective. In such cases, there is a risk of evidence being destroyed or interfering with key actors (for example, witnesses) during an investigation.
(8) In certain circumstances, it is necessary to balance the rights of data subjects against the fundamental rights and freedoms of other persons concerned, such as victims or witnesses. In such a case, the Commission might decide to restrict access to the identity, statements, and other personal data of such persons in order to protect their rights and freedoms pursuant to Article 25(1), point (h), of Regulation (EU) 2018/1725. The Commission might decide to do so, in particular to protect those persons against possible retaliation.
(9) It is necessary to protect confidential information concerning an informant, whistleblower, or any other natural person who has reported information to the Commission in the context of the exercise of its supervision, investigation, enforcement and monitoring tasks pursuant to Regulation (EU) 2022/2065. The Commission should restrict access to the identity, statements and other personal data of such persons in order to protect the rights and freedoms of all concerned pursuant to Article 25(1), point (h), of Regulation (EU) 2018/1725. Only if the reporting person so authorises, the Commission may reveal their identity. If required by law or a judicial authority, the Commission should reveal their identity. In cases where data subjects submit a request to access their personal data, they should be given access to such personal data including that provided by a reporting person. In order to protect their confidentiality, the Commission should not provide the data subject with the name of the reporting person as well as any other information that would allow their direct or indirect identification.
(10) In addition, in order to ensure the effective application of Regulation (EU) 2022/2065, in particular with regard to the cooperation between the Commission and the Member States, the Commission might restrict the application of data subjects’ rights and thus safeguard an important objective of general public interest of the Union or of a Member State, as referred to in Article 25(1), point (c), of Regulation (EU) 2018/1725. The Commission might do so in a situation where the purpose of such a restriction by a Member State authority would be jeopardised were the Commission not to apply an equivalent restriction in respect of the same personal data. Furthermore, in order to ensure an effective application of Regulation (EU) 2022/2065, the Commission might apply restrictions to safeguard the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security in line with Article 25(1), point (b), of Regulation (EU) 2018/1725. In the application of restrictions based on Article 25(1), point (c), of Regulation (EU) 2018/1725, the Commission should consult the Member State of the important objective of the general public interest concerned on the relevant potential grounds for imposing restrictions and the necessity and proportionality of those restrictions, unless this would jeopardise the activities of the Commission. Pursuant to Article 25(1), point (g), of Regulation (EU) 2018/1725, the Commission might decide to restrict the application of data subjects’ rights to safeguard a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases mentioned above, and as referred to in Articles 25(1), points (b) and (c), of Regulation (EU) 2018/1725.
(11) The Commission should apply restrictions only when they respect the fundamental rights and freedoms laid down in the Charter, are strictly necessary and proportionate in a democratic society. The Commission should provide a justification for those restrictions.
(12) Article 25(6) of Regulation (EU) 2018/1725 requires the controller to inform data subjects of the principal reasons on which the application of the restriction is based and of their right to lodge a complaint with the European Data Protection Supervisor.
(13) Pursuant to Article 25(8) of Regulation (EU) 2018/1725, the Commission may defer, omit, or deny the provision of information relating to the principal reasons on which the application of a restriction is based to the data subject if providing that information would in any way cancel the effect of the restriction. The Commission should assess on a case-by-case basis whether the communication of the restriction would cancel its effect.
(14) The Commission should lift the restriction as soon as the conditions that justify the restriction no longer apply and assess those conditions on a regular basis.
(15) In order to comply with Articles 14, 15 and 16 of Regulation (EU) 2018/1725, the Commission should inform all data subjects of its activities involving the processing of their personal data and of their rights, in a transparent and coherent manner, by means of a data protection notice published on the Commission’s website. The Commission should individually inform, by appropriate means, whistleblowers, informants, witnesses and, where relevant for the case, individual staff of the undertaking (for example, the head of the compliance function, the single point of contact), about the processing of their personal data.
(16) Article 16(5) of Regulation (EU) 2018/1725 provides for exceptions to data subjects’ right to information. If those exceptions apply, the Commission does not need to apply a restriction to the right to information under this Decision. Exceptions under Article 16(5), point (b), of Regulation (EU) 2018/1725 are to apply where the provision of information referred to in Article 16(1) to (4) of that Regulation would prove impossible, would involve a disproportionate effort, or would be likely to render impossible or seriously impair the achievement of the objectives of that processing. In cases of data subjects not relevant to the investigation whose personal data is contained in documents collected as part of the supervision, investigation, enforcement, and monitoring pursuant to Regulation (EU) 2022/2065, other than those data subjects individually informed, the provision of such information could prove impossible or could involve a disproportionate effort. This might be the case where the Commission obtains personal data in the context of a whistleblower report or during its monitoring actions to ensure the effective implementation of and compliance with Regulation (EU) 2022/2065. Exceptions under Article 16(5), point (b), of Regulation (EU) 2018/1725 may also be applied when providing such information to suspects and victims related to a case could likely render impossible or seriously impair the achievement of the objectives of that processing.
(17) In application of the principles of transparency, fairness and accountability, the Commission should handle all exceptions and restrictions in a transparent manner and keep a record of its application of those exceptions and restrictions.
(18) To guarantee the protection of the rights and freedoms of data subjects and in accordance with Article 44(1) of Regulation (EU) 2018/1725, the Commission should involve the Data Protection Coordinator of the Directorate-General for Communications Networks, Content and Technology and the Data Protection Officer of the Commission throughout the process of applying restrictions and document that consultation. In particular, the Data Protection Coordinator should be consulted in due time on any restrictions that may be applied and verify their compliance with this Decision.
(19) The Data Protection Officer of the Commission should carry out an independent review of the application of restrictions, with a view to ensuring compliance with this Decision.
(20) The European Data Protection Supervisor has been consulted and delivered his opinion on 22 October 2024,