Dies ist eine HTML Version eines Anhanges der Informationsfreiheitsanfrage 'EDPS documents, prior notifications DG ENTR DPO-3334.1, DG INFSO DPO-3338.1, DG RTD DPO-3398, DG MOVE-ENER DPO-3420.1, FP6 & FP7 programmes, extenral financial audits'.



 
GIOVANNI BUTTARELLI 
ASSISTANT SUPERVISOR 
 
 
Mr Philippe RENAUDIERE 
Data Protection Officer 
European Commission 
BRU BERL 08/180 
B – 1049 BRUSSELS 
 
Brussels, 27 October 2009 
GB/JL/ktl/ D(2009)1492 C 2009-0565 
 
Subject: Notification for prior checking concerning "ex post
 controls ". 
Dear Mr Renaudiere, 
Having examined the notification concerning the management of ex post controls (ref. EDPS: 
2009-565), we have come to the conclusion that the case is not subject to prior checking by 
the EDPS
.  
 
The processing operation was notified pursuant to Article 27(2)(a) of Regulation (EC) 
No 45/2001 (hereinafter referred to as "the Regulation").  
 
Article 27(1) of the Regulation makes all "processing operations likely to present specific 
risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their 
purposes" 
subject to prior checking.  
 
Specifically, Article 27(2) of the Regulation contains a non-exhaustive list of processing 
likely to present such risks, notably "the processing of data relating to health" (point a).  
The EDPS notes that the processing operation described in the notification is an ex post 
control procedure put in place to enable implementation of the checks required by 
Article 47(3) of the Regulation laying down detailed rules for the implementation of the 
Financial Regulation to issue an opinion on the regularity and legality of the transactions 
verified and the quality of financial management.  The operational units of Directorate K, 
DG RELEX and the Commission delegations at the level of authorising officers by 
subdelegation, persons making financial transactions or their beneficiaries are subject to 
ex post controls. In that context, transactions relating to the remuneration of persons and the 
payment of individual entitlements may be verified.  That implies consulting and checking 
personnel files to ensure the accuracy of entitlements and calculations. Anyone who has 
received a payment or reimbursement falling under the administration's budgetary headings 
may be the subject of an ex post control. Ex post controls may concern, in particular, outgoing 
payments related to medical check-ups, invalidity, etc. In that scenario, the auditors would 
have access to health-related data within the meaning of Regulation (EC) No 45/2001 i.e. 
medical certificates, proof of medical expenditure, invalidity certificates, absence sheets and 
other documents resulting in reimbursement of expenditure generated in the framework of the 
arrangements for medical cover.  
 
Postal address: rue Wiertz 60 - B-1047 Brussels 
Offices: rue Montoyer 63 
E-mail : xxxx@xxxx.xxxxxx.xx - Website: www.edps.europa.eu  
Tel.: 02-283 19 00 - Fax : 02-283 19 50 

 
Article 27(2) of the Regulation primarily concerns processing operations whose main purpose 
is to process data relating to health and to suspected offences, offences, criminal convictions 
or security measures. The purpose of these ex post controls is not the processing of that data. 
In fact, the auditors' familiarisation with this type of data is accidental rather than systematic. 
The main aim of ex post controls is to curtail the risks related to the quality of management 
and control systems, provide recommendations to improve the situation and promote sound 
financial management. 
 
Moreover, if, following an ex post control, investigations can be conducted by the 
Investigation and Disciplinary Office (IDOC), the European Anti-Fraud Office or the national 
authorities, these procedures constitute a particular risk which would justify prior checking by 
the EDPS pursuant to Article 27 of the Regulation.  Nevertheless, the risk is created by the 
investigative procedures themselves and not by the ex post control which is the subject of this 
notification.  The ex post control procedure is general and may not be considered a specific 
investigative task because it does not set out to investigate certain persons or certain 
behaviour.  Instead, its purpose is to examine the systems and the associated risks in general. 
 
If you feel there are other reasons that warrant prior checking by the EDPS we are prepared to 
reconsider our position. Similarly, should there be any change in this processing operation we 
would ask you to consider whether the operation needs to be submitted to the EDPS for prior 
checking.  
 
Yours sincerely,  
 
(Signed) 
 
Giovanni BUTTARELLI 
 
 
 
 
 
2