Processing of personal data in the context of the Cooperation Mechanism under Regulation (EU) 2019/452 of the European Parliament and of the Council of 19 March 2019 establishing a framework for the screening of foreign direct investments into the Union.
Subject matter of processing
The European Commission and the EU Member States may process personal data in the context of the exchange of information necessary for the screening of foreign direct investments and for ensuring the effectiveness of the cooperation provided for in Regulation (EU) 2019/452.
Responsibilities and roles of the Parties
The European Commission ensures and is responsible for:
- Deciding on the means, requirements, purpose of processing;
- Recording of the processing;
- Ensuring that the personal data undergoing processing are adequate, accurate, relevant and limited to what is necessary for the purpose;
- Deciding to restrict the application of or derogate from data subject rights, where necessary and proportionate;
- Notifying any personal data breaches within IT systems used for the cooperation mechanism to the European Data Protection Supervisor (EDPS);
- Transferring data subjects’ requests to the relevant EU Member States designated authorities if a subject asks questions about its personal data subject to the cooperation mechanism;
- Erasing, when necessary upon a request from an EU Member States designated authority, personal data to which the Commission has access within IT systems;
- Defining, implementing and providing the technical means to ensure availability and smooth functioning of IT systems that will be used for the cooperation mechanism and exchanges between the contact points;
- Performing, when necessary, analysis that may relate to the personal data stored in IT systems;
- Using only processors that meet the requirements of Regulation (EU) 2018/1725 and governing the latter’s processing by a contract or legal act;
- Defining and implementing, where necessary, with the approval of the EU Member States designated authorities, any system developments that may have an effect on the type of or the way personal data is processed;
- Carrying out a prior consultation with the European Data Protection Supervisor, where needed;
- Ensuring that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Cooperating with the European Data Protection Supervisor, on request, in the performance of his or her tasks.
The EU Member States ensure and are responsible for:
- Deciding on the means, requirements, purpose of processing;
- Recording of the processing;
- Ensuring that the personal data undergoing processing are adequate, accurate, relevant and limited to what is necessary for the purpose;
- Validating personal data submitted under the cooperation mechanism;
- Communicating with data subjects to clarify any technical errors or lack of clarity in the initial registration;
- Communicating any personal data breaches within their processing of personal data under the cooperation mechanism to the competent supervisory authorities of the Member State, in accordance with Articles 33 and 34 of the Regulation (EU) No 2016/679;
- Ensuring that their staff, who have access to personal data within the cooperation mechanism, are adequately trained to ensure that they perform their tasks in compliance with the rules applicable to the protection of personal data;
- Providing opinions to the Commission on any developments that may have an effect on the type of or the way personal data is processed;
- Handling of data subjects’ requests;
- Deciding to restrict the application of or derogate from data subject rights, where necessary and proportionate;
- Using only processors that meet the requirements of Regulation (EU) 2018/1725 and Regulation (EU) 2016/679, respectively, and governing the latter’s processing by a contract or legal act;
- Identifying and assessing the lawfulness, necessity and proportionality of transmissions of personal data;
- Establishing and keeping up to date the list of all recipients of personal data (in the EU Member States);
- Carrying out a prior consultation with the national data protection supervisory authority, where needed;
- Ensuring that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Cooperating with the national data protection supervisory authority, on request, in the performance of his or her tasks.
Contact point in Malta for data subjects
Functional mailbox: data-screening-mt@nfdismalta.com.