GIOVANNI BUTTARELLI
ASSISTANT SUPERVISOR
Mr Philippe RENAUDIERE
Data Protection Officer
European Commission
BRU BERL 08/180
B – 1049 BRUSSELS
Brussels, 27 October 2009
GB/JL/ktl/ D(2009)1492
C 2009-0565
Subject: Notification for prior checking concerning "ex post controls".
Dear Mr Renaudiere,
Having examined the notification concerning the management of ex post controls (ref. EDPS:
2009-565), we have come to the conclusion that the case is not subject to prior checking by
the EDPS.
The processing operation was notified pursuant to Article 27(2)(a) of Regulation (EC)
No 45/2001 (hereinafter referred to as "the Regulation").
Article 27(1) of the Regulation makes all "processing operations likely to present specific
risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their
purposes" subject to prior checking.
Specifically, Article 27(2) of the Regulation contains a non-exhaustive list of processing
likely to present such risks, notably "the processing of data relating to health" (point a).
The EDPS notes that the processing operation described in the notification is an
ex post control procedure put in place to enable implementation of the checks required by
Article 47(3) of the Regulation laying down detailed rules for the implementation of the
Financial Regulation to issue an opinion on the regularity and legality of the transactions
verified and the quality of financial management. The operational units of Directorate K,
DG RELEX and the Commission delegations at the level of authorising officers by
subdelegation, persons making financial transactions or their beneficiaries are subject to
ex post controls. In that context, transactions relating to the remuneration of persons and the
payment of individual entitlements may be verified. That implies consulting and checking
personnel files to ensure the accuracy of entitlements and calculations. Anyone who has
received a payment or reimbursement falling under the administration's budgetary headings
may be the subject of an ex post control. Ex post controls may concern, in particular, outgoing
payments related to medical check-ups, invalidity, etc. In that scenario, the auditors would
have access to health-related data within the meaning of Regulation (EC) No 45/2001 i.e.
medical certificates, proof of medical expenditure, invalidity certificates, absence sheets and
other documents resulting in reimbursement of expenditure generated in the framework of the
arrangements for medical cover.
Postal address: rue Wiertz 60 - B-1047 Brussels
Offices: rue Montoyer 63
E-mail : xxxx@xxxx.xxxxxx.xx - Website: www.edps.europa.eu
Tel.: 02-283 19 00 - Fax : 02-283 19 50
Article 27(2) of the Regulation primarily concerns processing operations whose main purpose
is to process data relating to health and to suspected offences, offences, criminal convictions
or security measures. The purpose of these ex post controls is not the processing of that data.
In fact, the auditors' familiarisation with this type of data is accidental rather than systematic.
The main aim of ex post controls is to curtail the risks related to the quality of management
and control systems, provide recommendations to improve the situation and promote sound
financial management.
Moreover, if, following an ex post control, investigations can be conducted by the
Investigation and Disciplinary Office (IDOC), the European Anti-Fraud Office or the national
authorities, these procedures constitute a particular risk which would justify prior checking by
the EDPS pursuant to Article 27 of the Regulation. Nevertheless, the risk is created by the
investigative procedures themselves and not by the ex post control which is the subject of this
notification. The ex post control procedure is general and may not be considered a specific
investigative task because it does not set out to investigate certain persons or certain
behaviour. Instead, its purpose is to examine the systems and the associated risks in general.
If you feel there are other reasons that warrant prior checking by the EDPS we are prepared to
reconsider our position. Similarly, should there be any change in this processing operation we
would ask you to consider whether the operation needs to be submitted to the EDPS for prior
checking.
Yours sincerely,
(Signed)
Giovanni BUTTARELLI