This is the second part of a three part post. In this part Aidan O’Neill considers EU secondary legislation on access to documents.
Data protection and EU Institutions
Regulation (EC) No 45/2001 was made by the EU legislature under reference Article 286 EC (what is now Article 16(2) TFEU, the provisions of which are outlined above). Those protected under the regulations are those identified or identifiable individuals whose personal data are processed by EU institutions or bodies in any context whatsoever. The regulation’s provisions do not apply to wholly anonymised data. But it is not limited, for example, simply to those who are employed by the EU.
“Personal data” for the purposes of the Regulation is any information held on an individual; the Regulation does not apply to information held on a company or other legal person. (See Case T‑198/03 Bank Austria Creditanstalt v Commission  ECR II‑1429 at paragraph 95) Particularly sensitive personal data is that which may disclose details of an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, health or sex life; the lawful processing of such information has to be either expressly consented to or otherwise shown to be specifically necessary for a legitimate purpose (Article 10(2), which may include for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services and be subject to the rules on medical confidentiality (Article 10(3).
Read more on Inforrm.