The European Commission on 30 June 2026 adopted a decision setting internal rules for informing data subjects and restricting their data protection rights when processing personal data for investigations, enforcement, and monitoring under the Foreign Subsidies Regulation (EU) 2022/2560. The decision affects informants, legal representatives, staff of undertakings under investigation, and natural persons whose personal data appears in collected documents, covering identification data, contact details, and other case-related data including special categories and criminal conviction data.
The Commission must publish a data protection notice on its website and individually inform legal representatives, staff, and informants. However, the decision allows the Commission to restrict rights under Articles 14-20 and 35 of Regulation (EU) 2018/1725—such as the right of access, rectification, erasure, and restriction of processing—if exercising those rights would jeopardise investigations, protect the rights of others, or harm cooperation with Member State authorities. Any restriction requires a case-by-case assessment, must be necessary and proportionate, and is reviewed every six months.
Data Protection Coordinators for the Competition and Internal Market Directorates-General must be consulted before imposing restrictions, and the Commission's Data Protection Officer must be informed and may request a review. Restrictions are lifted as soon as the reasons no longer apply, at which point the data subject is informed of the reasons and of their right to complain to the European Data Protection Supervisor.
The decision balances the Commission's investigative powers under the Foreign Subsidies Regulation with data subjects' rights, imposing strict safeguards including mandatory consultation of data protection officials and regular reviews. It impacts undertakings under investigation, their staff and legal representatives, as well as informants, by potentially delaying their access to personal data during investigations. For the Commission, it provides a clear legal framework to process personal data effectively while ensuring compliance with EU data protection law. The European Data Protection Supervisor may scrutinise the application of the rules through complaints or own-initiative inquiries.