Decision of the European Data Protection Board

on Records management

Adopted on 20 September 2023

Adopted
Table of contents
1 Purpose
2 Definitions
3 Scope
4 Roles and responsibilities
4.1 The EDPB, represented by its Chair
4.2 EDPB Chair and Deputy Chairs
4.3 All EDPB staff
4.4 EDPB members’ representatives and staff
4.5 Records manager
4.6 Document management officer
5 Principles governing Records Management
5.1 Records management systems
5.2 Capture and filing of records
5.3 Storage and Preservation
5.4 Retention, transfer and elimination
5.5 Access to records
5.6 Records Management and Personal Data
5.7 Information security

The European Data Protection Board

Having regard to Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27
April 2016 on the protection of natural persons with regard to the processing of personal data and on
the free movement of such data (General Data Protection Regulation) 1 ,
Having regard to Regulation (EU) No 2018/1725 of the European Parliament and of the Council of 23
October 2018 on the protection of individuals with regard to the processing of personal data by the
Community institutions and bodies and on the free movement of such data 2 , (hereinafter Reg.
2018/1725)
Having regard to Regulation (EEC, EURATOM) No 354/83 concerning the opening to the public of the
historical archives of the European Economic Community and the European Atomic Energy
Community, and amended by Council Regulation (EC, EURATOM) No 1700/2003 and Council
Regulation (EU) 2015/496 of 17 March 2015 3 ,
Having regard to Regulation (EC) No 1049/2001 regarding public access to European Parliament,
Council and Commission documents 4 ,
Having regard to Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council
of 18 July 2018 on the financial rules applicable to the general budget of the Union 5 ,
Having regard to Article 24 of ‘The European Code of Good Administrative Behaviour’ 6 ,
Whereas:

(1) The European Data Protection Board, as a European body, is subject to legal requirements for
implementing and keeping adequate records of its functions and activities and confirms its
commitment to capturing and managing records with appropriate evidential characteristics in
accordance with the requirements of this legal and regulatory framework.

(2) The European Data Protection Board acknowledges that uniform record-keeping practices are
fundamental to ensure transparency and good administrative behaviour; enhance business continuity;
and facilitate access to knowledge.
(3) All European Data Protection Board records shall be systematically and efficiently managed
throughout their entire lifecycle, i.e. from their capture up to their destruction or permanent archiving.
With this aim in mind, the European Data Protection Board has made an agreement with the European
Commission for the use of their HAN (Hermes, Ares, NomCom) document management system. The
European Commission acts as a data processor in accordance with Article 3 Reg. 2018/1725, under
instructions from the EDPB, which acts as the controller of personal data in its records.
(4) Selected records shall be deposited in the historical archives at the Historical Archives of the
European Union at the European University Institute (EUI) in Florence (hereafter ‘European Union’s
historical archives’). The EUI acts as a data processor in accordance with Article 3 Reg. 2018/1725,
under instructions from the EDPB, which acts as the controller of personal data contained in its
historical archives, deposited at the EUI.
(5) This decision aims to provide the basis for consistent, sustainable and efficient records
management by defining the method for the management of both paper and electronic records as a
source of evidence and information. The decision may be complemented by implementing rules on
specific topics.

1 OJ L 119, 4.5.2016, p. 1–88.
2 OJ L 295, 21.11.2018, p. 39.
3 OJ L 043, 15.2.1983, p.1
4 OJ L 145, 31.5.2001, p. 43–48.
5 OJ L 193, 30.7.2018, p. 1–222.
6 Approved by European Parliament resolution of 6 September 2001.

HAS DECIDED THE FOLLOWING:

1 PURPOSE
1. The EDPB is a body of the European Union with legal personality (Article 68.1 GDPR), composed of its
members (Article 68.3 GDPR). The EDPB is supported by the EDPB Secretariat, which is provided to the
EDPB by the EDPS (Article 75.1 GDPR). A Memorandum of understanding, signed by the EDPB and the
EDPS, defines the relationship between both bodies in relation to the EDPB Secretariat 7 . Managing the
records of the EDPB is one of the functions fulfilled by the EDPB Secretariat. The records of the EDPB
Secretariat, attesting to the fulfilment of its tasks, are inextricably linked with the records of the EDPB.

2 DEFINITIONS
2. For the purpose of this decision, the following definitions shall apply:
(1) ‘European Data Protection Board’ (hereinafter referred to as ‘EDPB’ or the ‘Board’) shall mean the
body defined in Articles 68 to 76 of Regulation 2016/679 (hereinafter referred to as the ‘GDPR’) and
include its Secretariat; where this decision refers to the EDPB, this shall include the EDPB Secretariat;
(2) ‘EDPB members’ shall mean members of the EEA data protection authorities that compose the
Board, and the European Data Protection Supervisor;
(3) ‘EDPB staff’ shall mean staff of the Secretariat responsible, on behalf of the EDPB and its
Secretariat, for the performance of the activities of the Board that involve records management;
(4) ‘EDPB members’ representatives and staff’ shall mean individuals appointed or employed by EDPB
members who participate in activities of the Board on behalf of that member.
(5) ‘Author’ shall mean the individual, group or organisation which produces a record.
(6) ‘Authenticity’ shall mean that a record must be what it claims to be.
(7) ‘Capture’ shall mean the insertion of a document into an official electronic repository by
combining a unique identifier and metadata.
(8) ‘(Case) file’ shall mean an aggregation of records organised in line with the EDPB’s activities, for
reasons of proof, justification or information and to guarantee efficiency in the work; the group of
records making up the file is organised in such a way as to form a coherent and relevant unit in terms
of the activities conducted by the EDPB, including its Secretariat.

7 In light of Article 75 GDPR and the memorandum of understanding between the EDPS and the EDPB signed on
25 May 2018 (https://edpb.europa.eu/our-work-tools/our-documents/memorandum-understanding/memorandum-understanding_en),
files related to financial management and human resources
are managed by the EDPS. Records belonging in these files are excluded from the scope of this Decision. EDPB
staff is obliged to assist the EDPS with their obligation to capture records on these matters.

(9) ‘Context’ shall mean the organisational, functional, and operational circumstances surrounding
a record’s creation, receipt, storage, or use, and its relationship to other records.
(10) ‘Filing plan’ shall mean the logical and hierarchical organisation of files into a tree of topics based
on an analysis of the business functions and activities of the EDPB. It provides a common and standard
framework enabling files to be intellectually organised and linked to the context in which they were
drawn up, on the basis of the functions, activities and working processes.
(11) ‘(Historical) archives’ shall mean:
a. Those records that are appraised as having continuing value. Traditionally the term
has been used to describe records no longer required for current use, which have been
selected for permanent preservation. Also referred to as permanent records.
b. An organisation (or part of an organisation) responsible for appraising, acquiring,
preserving and making available archival material.
(12) ‘Integrity’ shall mean a record must be complete and unaltered.
(13) ‘Metadata’ shall mean any information describing the context, content and structure of records
and their management over time for the purposes of, inter alia, retrieval, accessibility and reuse.
(14) ‘Preservation’ shall mean processes and operations involved in ensuring the technical and
intellectual survival of authentic records through time.
(15) ‘Record’ shall mean any structured information created or received by the EDPB and set aside by
means of registration, protected against intentional or accidental alterations and retained as evidence
and information of EDPB/EDPB Secretariat activities in pursuance of institutional and legal obligations
or in the transaction of its business. Where this decision refers to EDPB records, it should be
understood to also refer to EDPB Secretariat records.
(16) ‘Reliability’ shall mean that a record must be a full and accurate representation of the business
transactions, activities, or facts to which it attests.
(17) ‘Registration’ shall mean capturing a record into a register, establishing that it is complete and
properly constituted from an administrative and/or legal standpoint.
(18) ‘Retention list’ shall mean a description of the administrative retention period for records as well
as the action to be taken following its expiry. The administrative retention period sets out the minimum
period for retaining records and files - in the custody of the EDPB - according to their legal, business
and accountability requirements. After the lapse of specified retention periods, the document
authorises, on a continuing basis, the destruction of those records and files identified as having no
further (archival) value. Further, this document identifies records that shall be transferred to the
historical archives, either in their entirety or following a further assessment. The retention plan is
based on the assessment of the business, legal administrative, financial and historical value of records
and files.

3. For the purpose of this decision, the terms ‘personal data’, ‘controller’ and ‘processor’ shall be
understood within the meaning of Article 3 of Reg. 2018/1725.
4. For the purpose of this decision, the term ‘document’ shall be understood in the meaning of Regulation
(EC) 1049/2001 of 30 May 2001 regarding public access to European Parliament, Council and
Commission documents.

3 SCOPE
5. This decision applies to EDPB records, irrespective of their form, medium (e.g. written on paper or
stored in electronic form or as a sound, visual or audiovisual recording), age and location. EDPB records
may arise from EDPB related activities undertaken by the EDPB Chair, the EDPB Deputy Chairs, the
EDPB members’ representatives and staff as well as EDPB staff in their professional capacity. EDPB
records may be created or received through EDPB or non EDPB devices, or through online
communication tools, including social media.

6. This decision covers drafts insofar as they are of significant long-term value, of academic interest,
necessary to protect essential interests of the EDPB or the European Union, or if the content of the
draft in question is likely to be of significant use to the EDPB's future work. Drafts with consolidated
input which are circulated to EDPB Members for discussion in EDPB plenary meetings or expert
subgroup meetings, are in principle considered as EDPB records covered by this decision. Other drafts
are presumed not to fulfil the aforementioned criteria and thus not covered by this decision, unless
decided otherwise by the records manager.
7. Not covered by this decision are

• documents used and kept for reference and information only;

• private and personal documents which were not created or received in pursuance of the
EDPB’s institutional or legal obligations or in the transaction of business of the EDPB or EDPB
Secretariat;

• documents legitimately belonging to the separate spaces of the Staff Committee;

• records related to financial management and human resources which belong in files managed
by the EDPS.

8. Some records, received by the EDPB, are at the same time records of EDPB members. Where needed
and appropriate, implementing rules shall set out how such records are managed.

4 ROLES AND RESPONSIBILITIES


4.1 The EDPB, represented by its Chair
9. The EDPB, represented by its Chair and supported by the EDPB Secretariat, has the overall
responsibility to:
• support the application of this records management decision throughout the organisation;
• validate the specific retention list of the EDPB;
• propose updates to this records management decision to the EDPB;
• validate exceptions to the application of the specific retention list for specific files or
records, in particular to destroy personal data entirely or redact it from records to be
preserved.

10. The EDPB, represented by its Chair, may set out implementing rules, after consulting the records
manager and the EDPB DPO.

11. Where the implementing rules concern EDPB records originating from EDPB members or their staff,
the EDPB Chair will consult the EDPB members prior to issuing the implementing rules in question.

4.2 EDPB Chair and Deputy Chairs


12. The EDPB Chair and Deputy Chairs shall ensure that any EDPB records drawn up or received by them
are made available to the EDPB Secretariat for capture and further management.

4.3 All EDPB staff


13. All EDPB staff shall:
• distinguish records from non-records and personal documents in accordance with available
records management guidance;
• capture and manage EDPB records they are responsible for, including EDPB records created
or received on personal devices or personal tools;
• act in accordance with the applicable guidance in order to protect records in their custody
from unauthorised access or improper use; and
• hand over all relevant records to his or her successor in a timely manner when transferring
responsibility for any function, project, product, transaction or activity.

4.4 EDPB members’ representatives and staff


14. The EDPB members’ representatives and staff shall ensure that any EDPB records drawn up or received
by them are made available to the EDPB Secretariat for capture and further management.
15. Records containing 'special categories of data' in the meaning of Article 10(1) Reg. 2018/1725 / Article
9(1) GDPR shall be marked as such when they are made available to the EDPB Secretariat.
16. Records which are confidential or contain confidential information under national law, shall be marked
as such when they are made available to the EDPB Secretariat.
17. Where implementing rules determine that specified records shall be treated differently, records in
scope of these rules shall be marked as such when they are made available to the EDPB Secretariat.

4.5 Records manager


18. The records manager shall:
• maintain the filing plan;
• promote and support compliance with the records management decision;
• regularly conduct an appraisal of records and files managed by the EDPB and propose
modifications to the specific retention list accordingly;
• assist the EDPB, represented by its Chair, in developing implementing rules;
• apply and lift ‘legal holds’ on files and propose exemptions from elimination prescribed by
the specific retention list.

4.6 Document management officer
19. The document management officer shall oversee the creation of case files and ensure EDPB staff
correctly apply the records management decision when using the records management system.

5 PRINCIPLES GOVERNING RECORDS MANAGEMENT


20. All records created by EDPB staff, experts or consultants carrying out EDPB business-related activities
are the property of the EDPB and all records received are in the custody of the EDPB Secretariat. All of
these records must be handled in accordance with established records management practices.
21. To ensure its integrity, authenticity, reliability and accessibility, a record should be accompanied by
relevant metadata documenting its context.
22. In accordance with Article 23.1 EDPB Rules of Procedure, the working language of the EDPB is English.
This is applicable to records management, meaning that metadata and titles of files and records shall
be in English.

5.1 Records management systems


23. The management of EDPB records is ensured through the use of trustworthy record-keeping systems
designed to capture, maintain and retrieve records while ensuring their continued integrity and
authenticity.
24. A records management system does not only register records, but more broadly captures them to
clearly and reliably identify them, ensure their traceability and make them available to other users
through filing or other means of aggregation of records throughout their life cycle.
25. A record-keeping system must also support the disposal of records in accordance with the retention
list.

5.2 Capture and filing of records


26. Records shall be captured if they contain important information which is not short-lived or if they may
involve action or follow-up by the EDPB.
27. To ensure that records are complete and accurate and the information they contain is reliable and
authentic, records shall:

• contain clear information on their business context (e.g. metadata such as date, title, author,
product information);

• be captured according to the business process they support and document (e.g. a specific
procedure or a project) by the identified owner of the activity;

• be captured in a format / medium compatible with standard office applications available at
the EDPB;

• be filed in corporate record-keeping systems managed and monitored by their respective
application managers; and

• be grouped together in a (case) file with records that relate to the same business activity /
transaction / project / product.

28. A filing plan exists to ensure a uniform and consistent approach to filing across the EDPB.
29. Where appropriate, records shall be marked, in particular where they

• contain 'special categories of data' in the meaning of Article 10(1) REG. 2018/1725 / Article
9(1) GDPR;

• are confidential or contain confidential information;

• are in scope of implementing rules determining these records shall be treated differently.

5.3 Storage and Preservation


30. The captured records shall not be altered. They may be removed or replaced by subsequent versions
until the file they belong to is closed.

31. The content of records and their relevant metadata must be readable throughout their period of
storage by any person authorised to have access to them.

5.4 Retention, transfer and elimination


32. The administrative retention period for the various categories of files and, in certain cases, records, is
set out in the specific retention lists of the EDPB, drawn up on the basis of the organisational context,
the existing legislation, accountability requirements and the risk associated with keeping or disposing
of records at any particular point in time. Records shall be retained by the EDPB for the duration of the
administrative retention period and then transferred to the European Union’s historical archives or
eliminated in accordance with the EDPB retention list. A set of metadata on records and files shall be
retained in the original electronic repository as evidence of such records and files and their transfer or
elimination.

33. The records manager shall regularly conduct an appraisal of records and files managed by the EDPB to
assess whether they shall be transferred to the European Union’s historical archives or eliminated.

34. To ensure in accordance with this decision that records are retained for as long as they are needed and
that records authorised for elimination are destroyed safely and securely, records shall be eliminated:
• with the assurance that they are no longer required, no work is outstanding and no litigation,
audit or access request is current or pending and
• after written approval and authorisation of the respective Head of Unit or sector responsible
for the activity with a possibility to delegate this task.

35. Where all or part of a closed file is needed in the event of litigation, an investigation or a complaint to
the European Ombudsman, action following expiry of the administrative retention period is suspended
until the case has been dealt with (‘legal hold’). Once this suspension (‘legal hold’) is lifted, the action
scheduled following expiration of the administrative retention period can be carried out.
36. In some situations, external circumstances may justify exemption from an elimination prescribed by
the retention list. Such circumstances could include the uncovering of past maladministration, an
extraordinary public interest in the information or in the records concerned, or other factors that could
make it necessary to preserve the files, at least temporarily.

5.5 Access to records
37. Access to EDPB records shall be regulated. Restrictions on access are applied to external third parties
and the general public. 8 Decisions on granting access shall reflect the legal and other rights of the
EDPB, its stakeholders and any other counterparts that might be affected by its actions.

5.6 Records Management and Personal Data


38. The records management decision shall support the compliance with Regulation (EU) 2018/1725 and
help to protect personal data and the privacy of individuals. In particular, regarding the management
of records which contain personal data, it shall be ensured that they are processed only for the purpose
for which they were originally collected, for other compatible purposes or for archiving purposes in
the public interest.
39. Personal data shall be kept for no longer than is necessary for the purposes for which they were
originally collected, for other compatible purposes or for archiving purposes in the public interest. For
this reason, the retention period of records containing personal data should be set based on a careful
evaluation of how long it is strictly necessary to retain the personal data in order to fulfil its purposes.
Records containing personal data may be retained for a longer period without applying a data
protection retention period in case they are anonymised, i.e. kept in a form which no longer permits
the identification of the concerned individuals.

40. The EDPB, represented by its Chair, may decide, where appropriate, to reduce retention periods
established by the records management decision to ensure compliance with the above-mentioned
legislation. In particular, the EDPB may decide to destroy personal data entirely or redact it from
records to be preserved.

5.7 Information security


41. Records, files, information systems and archives, including their networks and means of transmission,
shall be protected by appropriate security measures.

***

This decision becomes applicable on 20/09/2023.

For the European Data Protection Board


The Chair

(Anu Talus)

8 See in particular Regulation (EC) No 1049/2001 regarding public access to European Parliament, Council and
Commission documents.
