Data Protection Impact Assessment| Europass 11 June 2019

1. Data Protection Impact Assessment| Europass 11 June 2019

2. BackgroundIdentifying the need for DPIA Article 35 of the General Data Protection Regulation (GDPR), in particular with reference to Article 39 of Regulation (EU) 2018/1725 New technologiesmay carry high risk to the rights and freedoms of the individual in case of processing on a large scale of special categories of personal data in cases of systematic and extensive evaluation of personal aspects based on automated processing, including profiling

3. Background The new Europass platform’s proposed processing will • Process special category personal datawhich may directly or indirectly be uploaded by the end-user related to • racial or ethnic origin; • political affiliation; • religious or philosophical beliefs; • trade union membership; and • data concerning health or sexual orientation. • May result in significant decisions made through automated means with regard to employment and educational opportunities and initiatives proposed to the end-user • Under no circumstances produce legal or quasi-legal effects

4. PurposesData Protection Impact Assessment • outline proposed processing • identify prospective risks to the data subject propose mitigating measures to prevent the possibility of personal data breaches and breaches to the GDPR affecting the freedoms and rights of the end-user data subject

5. MethodologyData Protection Impact Assessment WHAT detailed questionnaire • WHO • numerous parties involved in the creation of the new Europass platform WHY require detailed descriptions of proposed processing, storage of personal data, envisaged transfers of personal data, technical measures and prospected risks* *Answers are routinely clarified and expanded due to the complexity of the proposed platform.

6. ProgressData Protection Impact Assessment – Completed tasks • The completed tasks include the identification of: • The proposed processing, including collection, expected use, storage, deletion, end-user access and control, location; • Third-party recipients of end-user personal data and processing by third-parties; • The existence of automated decision making and profiling; • Special categories of data subjects; and • Lawful grounds for processing.

7. ProgressData Protection Impact Assessment – Ongoing tasks • The ongoing tasks include: • Identification of the risks associated with the proposed processing; and • Completion of the risk analysis to fully identify all risks and propose adequate prevention measures. • The executive summary of the findings gathered to date includes a description of the risks identified so far and appropriate measures to mitigate them.

8. Risks and ConsequencesIdentifying potential risks and consequences for the new Europass platform Risks Consequences Risk to the rights and freedoms of the end-user may vary in likelihood and severity leading to potential material or non-material damage Wilful attacks on the Europass platform or the data stored within it, resulting in threats to confidentiality and integrity of end-user personal data. Possible breaches of the data subject’s rights involving severe consequences: Human error attributable to end-users and platform administrators may impact the confidentiality, integrity and availability of personal data. • Possibility of identity theft or fraud; Wilful attack resulting in the deliberate alternation of end-user information, as well as the abuse of access privileges which may result in the wilful alteration, destruction or dissemination of end-user personal data. • Dissemination of sensitive personal data contained within uploaded end-user documentation; • Inability to exercise control over personal data; Errors and unintentional failures, which may result in a threat to the confidentiality, availability and integrity of end-user personal data particularly in the context of accidental alteration, deletion and dissemination of end-user personal data. • Loss of confidentiality of personal data; and • Damage to reputation particularly if personal data is altered or edited. • Service risks concerning cloud services and services provided by approved third-parties which may result in less secure interfaces and application programming interfaces regarding the Europass platform and its storage database system. Potential abuse and dissemination of data belonging to vulnerable end-users and minors

9. Implementation of strict access control and confidentiality protocols, limiting the access to end-user personal data only to persons and in situations where it is strictly necessary, for example: • cases of technical maintenance; • system support; and • specific end-user query response. • Use technical measures including two-factor authentication and the entering into confidentiality agreements with processing staff First recommendations Encryption and routine backup of databases containing end-user data Routine review and updating of security measures Adoption of appropriate organisational and technical measures containing or mitigating identified risks at design stage reflecting the data protection by design principle contained within the GDPR Documentation of access

10. First recommendations • Implementation of policies regarding: • IT system security; • retention and purging of personal-data; • personal data breach management and reporting; and • regulation of contractual relationships with third-parties having access to or receiving personal data, particularly where recipients are located in third-countries not subject to adequacy decisions regarding the security of personal data processing. • Europass data will be hosted on infrastructure that is either operated by: • DG DIGIT (and hence meets DG DIGIT's security standards); OR • Third-party infrastructure that has been contracted by DG DIGIT and that meets their security requirements, providing for further guarantees in terms of security of processing and risk reduction also in terms of the physical infrastructure hosting the new Europass databases and operating systems.