This is an HTML version of an attachment to the access to information request 'EDPS documents, prior notifications DG ENTR DPO-3334.1, DG INFSO DPO-3338.1, DG RTD DPO-3398, DG MOVE-ENER DPO-3420.1, FP6 & FP7 programmes, extenral financial audits'.


 
 
JOAQUIN BAYO DELGADO 
ASSISTANT SUPERVISOR 
 
 
Mr Philippe RENAUDIERE 
Data Protection Officer 
European Commission  
 BRU BERL 08/180 
B - 1049 BRUSSELS 
 
 
 
Brussels, 19 October 2007 
 
JBD/EDK/ktl D(2007)1606   C 2007-0370 
 
 
 
Dear Mr Renaudière, 
 
I am writing to you about the prior checking notification concerning the "Audit of the European 
Regional Development Fund (ERDF), the Cohesion Fund and the Instrument for Structural 
Policies for Pre-accession (ISPA)" which you notified to the EDPS on 4 June 2007 under 
Article 27(2)(b) of Regulation (EC) No 45/2001 (hereinafter referred to as: "the Regulation").  
 
After an examination of the data processing operations as described in the notification for 
prior checking, in the legal basis and on the web site of DG REGIO, and after receiving the 
requested information as to the purposes of the audit activities, the EDPS concludes that the 
processing operation does not fall under the scope of Article 27 of the Regulation.
  
 
DESCRIPTION OF THE PURPOSE OF THE PROCESSING OPERATION 
 
On 2 October 2007, the controller of the processing operation confirmed, at the request of the 
EDPS, the final objective and the overall description of the audit performed by the DG  in 
the following terms: 
 
There is a shared responsibility between Member State/beneficiary countries and the 
Commission as to the sound financial management of Community funds at question (ERDF, 
Cohesion Fund, ISPA/IPA). Member States/ beneficiary countries should put in place a 
system of managing and monitoring the funds received from the Commission, and the 
Commission's main responsibility is to verify the adequacy of the management and 
control systems put in place by Member States/beneficiary countries.1 

1 The following legal bases describe it in more details: Article 38(2) of Council Regulation (EC) No 1260/1999, 
Article 12 of Council Regulation 1164/94, Chapter II of Commission Regulation (EC) No 1386/2002, Paragraph 
2 of Article 10 of Council Regulation No 1264/1999, Article 11(3) of Council Regulation No 1266/1999, Article 
9(1) and (2) and Annex III and Annex IV of Council Regulation (EC) No 1267/1999, Chapter II of Commission 
Regulation (EC) No 438/2001. 
Postal address: rue Wiertz 60 - B-1047 Brussels 
Offices: rue Montoyer 63 
E-mail : xxxx@xxxx.xxxxxx.xx - Website: www.edps.europa.eu  
Tel.: 02-283 19 00 - Fax : 02-283 19 50 

 
 
In order to see whether the management and control systems put in place by Member 
States/beneficiary countries are well functioning and adequate,  DG REGIO performs 
audits and on the spot-checks in cooperation with the administration or auditors of the 
respective state. In other words, the audits performed by DG REGIO serve the final 
purpose of verifying whether the Member States/ beneficiary countries' management 
and control system is adequate, or whether systematic irregularities occur because of 
inadequacies in the management and control systems. This also means that specific audits 
examine particular beneficiaries (organisations) to see how they spent the funds and that 
during an audit certain irregularities committed by the audited organisations can/will be 
detected. 
 
An audit by DG REGIO may detect two types of problem:
a)  weaknesses in the functioning of the management and control systems, and 
b) irregularities committed by a particular fund recipient.  
 
In the first case, an improvement of the system is required as a result of the audit, and the 
Member State/beneficiary country may be required to correct expenditure which is considered 
at risk of irregularity as a result of the deficiency detected. In the second case, the Member 
State/beneficiary country will be required to correct the irregular expenditure. 
 
In both cases if the Member State/beneficiary country fails to make the required corrections, 
the Commission has the power to impose financial corrections by formal decision on the basis 
of the applicable legislation.  
 
LEGAL ASSESSMENT  
 
Article 27(1) of the Regulation (EC) No 45/2001 subjects to prior checking by the EDPS 
"processing operations likely to present specific risks to the rights and freedoms of data 
subject by virtue of their nature, their scope or their purposes".  Article 27(2) of the 
Regulation contains a list of processing operations that are likely to present such risks. Article 
27(2)(b) subjects to prior checking those processing operations which intend "to evaluate 
personal aspects relating to the data subject, including his or her ability, efficiency and 
conduct."
   
 
The reasons to consider the processing operation to be subject to prior checking under Article 
27(2)(b) of the Regulation given in your email of 1 August 2007  can be summarised in the 
following:  
First, the purpose of the auditing is to verify the good use of community funds, rather than the 
quality of a management system. The processing operation is more directly linked to the 
auditees and is more likely to entail concrete consequences for them than in the case of 
internal audit. 
Second, there is an element of evaluation of personal aspects of the data subjects, basically 
the way they have used the Community money. 
Third, the auditees are not EU-civil servants (as it is the case with regard to internal audits) 
and the possibility of opening an IDOC investigation is not available in the auditing 
concerned by the present case. 
 
Concerning the first and second points: 
                                                                                                                                                         
 
 
In the light of the above referred confirmation by the controller, the EDPS considers that the 
auditing activities by DG REGIO do not fall under the scope of Article 27(2)(b), because 
their main purpose is to examine the management and control systems put in place by 
Member States/beneficiary countries rather than aiming at assessing the particular 
individual conduct of the fund recipients.  
 
The auditing by DG REGIO is a secondary tier of control with the purpose of scrutinizing the 
national management and control systems with regard to the funds concerned. The aim of an 
audit performed by DG REGIO is more abstract by nature. It is true that in order to reach the 
final purpose and the appropriate conclusions of an audit, as a prior element, personal data of 
funds recipients are collected, analysed and stored by DG REGIO. This nonetheless does not 
mean focused evaluation of individual performances as the purpose of the processing 
operation. Furthermore, the final consequences of an audit by DG REGIO concern the 
Member State/ beneficiary country, as they may be required to correct the irregular 
expenditure. Therefore, the link between the purpose of the audit and the examination of the 
data subjects' use of Community fund is less direct. 
 
Concerning the third point: 
In principle, follow-up investigations may occur with regard to irregularities committed by 
particular funds recipients. It is nevertheless irrelevant for the purpose of Article 27 which is 
the competent authority designated to conduct a possible follow-up investigation, whether it is 
IDOC or the competent authority of a Member State/ beneficiary country. 
 
The EDPS concludes therefore, that the case is not subject to prior checking under Article 
27(2)(b) of the Regulation. 
 
However, if you believe that there are other factors justifying prior checking, we are of course 
prepared to review our position.  
 
 
CONTENT OF PRIVACY STATEMENT 
 
Without prejudice to the above considerations, the EDPS makes further recommendation on 
the issue spotted with regard to the information attached to the notification for prior checking.  
 
Whenever an audit mission is announced, through a notification letter sent to a Member 
State's Representation, DG REGIO will ask them to deliver to the bodies and organisations to 
be audited an annex containing information on the protection of personal data by DG 
REGIO's audit units.2 The Privacy statement, which was annexed to the notification reads as 
follows: "The handling of your letter/mail may involve the recording of your coordinates and 
the processing of your personal data. Under Regulation EC 45/2001 on the Protection of 
Individuals, you have a right to access, erase and modify your data at any time, by sending us 
a message to the following mailbox: region-secretariat-I2@ec.europa.eu 
Your data will be used solely in the framework of our unit's work; it will only be accessible by 
its members and will not be disclosed outside.  
Your data will be kept as long as required for the mission of the unit, and after will be erased 
or archived according to our internal rules. You can find all relevant information on the 
following Internet site: http://www.edps.eu.int/".
  
 
                                                 
2 Section 7 of the notification for prior checking. 
 

 
The EDPS welcomes the means that DG REGIO supplies more "personalised" information to 
bodies or organisations to be audited via the cooperation of the Member State's Permanent 
Representation. This practice ensures transparency and fairness towards the data subjects. 
 
Nevertheless, the EDPS recommends that for reason of fairness towards the data subject, 
more specific information is supplied to the data subjects, under Articles 11 and 12 of the 
Regulation, in the short Privacy Statement as to the following elements: 
 
- the identity of the controller, 
- the categories of  personal data collected and processed by DG REGIO in an audit mission, 
- the description of the purposes of the processing operation, 
- mentioning the categories of recipients (as described in section 12 of the notification for prior 
checking),  
- legal basis of the processing operation for which the data are intended, 
- mentioning the particular time limit for storing data, 
- right to have recourse to the European Data Protection Supervisor. 
 
The EDPS welcomes the possible inclusion of his website address in the Privacy Statement, 
but calls upon the controller to update the information: "You can find further information on 
data protection at: http://www.edps.europa.eu."  
 
I would appreciate if you could share this position with the controller and inform us of the 
follow up measures taken concerning the information to be supplied to data subjects.  
 
I remain at your disposal should you have any question concerning this matter. 
 
Yours sincerely, 
 
 
 
 
 
 
 
 
Joaquín BAYO DELGADO 
 
 
 
 
 
 