JOAQUIN BAYO DELGADO
ASSISTANT SUPERVISOR
Mr Philippe RENAUDIERE
Data Protection Officer
European Commission
BRU BERL 08/180
B - 1049 BRUSSELS
Brussels, 19 October 2007
JBD/EDK/ktl D(2007)1606
C 2007-0370
Dear Mr Renaudière,
I am writing you about the prior checking notification concerning the "Audit of the European
Regional Development Fund (ERDF), the Cohesion Fund and the Instrument for Structural
Policies for Pre-accession (ISPA)" which you notified to the EDPS on 4 June 2007 under
Article 27(2)(b) of Regulation (EC) No 45/2001 (hereinafter referred to as: "the Regulation").
After an examination of the data processing operations as described in the notification for
prior checking, in the legal basis and on the web site of DG REGIO, and after receiving the
requested information as to the purposes of the audit activities, the EDPS concludes that the
processing operation does not fall under the scope of Article 27 of the Regulation.
DESCRIPTION OF THE PURPOSE OF THE PROCESSING OPERATION
On 2 October 2007, the controller of the processing operation confirmed, at the request of the
EDPS, the final objective and the overall description of the audit performed by the DG in
the following terms:
There is a shared responsibility between Member State/beneficiary countries and the
Commission as to the sound financial management of Community funds at question (ERDF,
Cohesion Fund, ISPA/IPA). Member States/ beneficiary countries should put in place a
system of managing and monitoring the funds received from the Commission, and the
Commission's main responsibility is to verify the adequacy of the management and
control systems put in place by Member States/beneficiary countries. 1
1 The following legal bases describe it in more details: Article 38(2) of Council Regulation (EC) No 1260/1999,
Article 12 of Council Regulation 1164/94, Chapter II of Commission Regulation (EC) No 1386/2002, Paragraph
2 of Article 10 of Council Regulation No 1264/1999, Article 11(3) of Council Regulation No 1266/1999, Article
9(1) and (2) and Annex III and Annex IV of Council Regulation (EC) No 1267/1999, Chapter II of Commission
Regulation (EC) No 438/2001.
Postal address: rue Wiertz 60 - B-1047 Brussels
Offices: rue Montoyer 63
E-mail : xxxx@xxxx.xxxxxx.xx - Website: www.edps.europa.eu
Tel.: 02-283 19 00 - Fax : 02-283 19 50
In order to see whether the management and control systems put in place by Member
States/beneficiary countries are well functioning and adequate, DG REGIO performs
audits and on the spot-checks in cooperation with the administration or auditors of the
respective state. In other words, the audits performed by DG REGIO serve the final
purpose of verifying whether the Member States/ beneficiary countries' management
and control system is adequate, or whether systematic irregularities occur because of
inadequacies in the management and control systems. This also means that specific audits
examine particular beneficiaries (organisations) to see how they spent the funds and that
during an audit certain irregularities committed by the audited organisations can/will be
detected.
An audit by DG REGIO may detect two types of problem:
a) weaknesses in the functioning of the management and control systems, and
b) irregularities committed by a particular fund recipient.
In the first case, an improvement of the system is required as a result of the audit, and the
Member State/beneficiary country may be required to correct expenditure which is considered
at risk of irregularity as a result of the deficiency detected. In the second case, the Member
State/beneficiary country will be required to correct the irregular expenditure.
In both cases if the Member State/beneficiary country fails to make the required corrections,
the Commission has the power to impose financial corrections by formal decision on the basis
of the applicable legislation.
LEGAL ASSESSMENT
Article 27(1) of the Regulation (EC) No 45/2001 subjects to prior checking by the EDPS
"processing operations likely to present specific risks to the rights and freedoms of data
subject by virtue of their nature, their scope or their purposes". Article 27(2) of the
Regulation contains a list of processing operations that are likely to present such risks. Article
27(2)(b) subjects to prior checking those processing operations which intend "to evaluate
personal aspects relating to the data subject, including his or her ability, efficiency and
conduct."
The reasons to consider the processing operation to be subject to prior checking under Article
27(2)(b) of the Regulation given in your email of 1 August 2007 can be summarised in the
following:
First, the purpose of the auditing is to verify the good use of community funds, rather than the
quality of a management system. The processing operation is more directly linked to the
auditees and is more likely to entail concrete consequences for them than in the case of
internal audit.
Second, there is an element of evaluation of personal aspects of the data subjects, basically
the way they have used the Community money.
Third, the auditees are not EU-civil servants (as it is the case with regard to internal audits)
and the possibility of opening an IDOC investigation is not available in the auditing
concerned by the present case.
Concerning the first and second points:
In the light of the above referred confirmation by the controller, the EDPS considers that the
auditing activities by DG REGIO do not fall under the scope of Article 27(2)(b), because
their main purpose is to examine the management and control systems put in place by
Member States/beneficiary countries rather than aiming at assessing the particular
individual conduct of the fund recipients.
The auditing by DG REGIO is a secondary tier of control with the purpose of scrutinizing the
national management and control systems with regard to the funds concerned. The aim of an
audit performed by DG REGIO is more abstract by nature. It is true that in order to reach the
final purpose and the appropriate conclusions of an audit, as a prior element, personal data of
funds recipients are collected, analysed and stored by DG REGIO. This nonetheless does not
mean focused evaluation of individual performances as the purpose of the processing
operation. Furthermore, the final consequences of an audit by DG REGIO concern the
Member State/ beneficiary country, as they may be required to correct the irregular
expenditure. Therefore, the link between the purpose of the audit and the examination of the
data subjects' use of Community fund is less direct.
Concerning the third point:
In principle, follow-up investigations may occur with regard to irregularities committed by
particular funds recipients. It is nevertheless irrelevant for the purpose of Article 27 which is
the competent authority designated to conduct a possible follow-up investigation, whether it is
IDOC or the competent authority of a Member State/ beneficiary country.
The EDPS concludes therefore, that the case is not subject to prior checking under Article
27(2)(b) of the Regulation.
However, if you believe that there are other factors justifying prior checking, we are of course
prepared to review our position.
CONTENT OF PRIVACY STATEMENT
Without prejudice to the above considerations, the EDPS makes further recommendation on
the issue spotted with regard to the information attached to the notification for prior checking.
Whenever an audit mission is announced, through a notification letter sent to a Member
State's Representation, DG REGIO will ask them to deliver to the bodies and organisations to
be audited an annex containing information on the protection of personal data by DG
REGIO's audit units. 2 The Privacy statement, which was annexed to the notification reads as
follows:
"The handling of your letter/mail may involve the recording of your coordinates and
the processing of your personal data. Under Regulation EC 45/2001 on the Protection of
Individuals, you have a right to access, erase and modify your data at any time, by sending us
a message to the following mailbox: region-secretariat-I2@ec.europa.eu
Your data will be used solely in the framework of our unit's work; it will only be accessible by
its members and will not be disclosed outside.
Your data will be kept as long as required for the mission of the unit, and after will be erased
or archived according to our internal rules. You can find all relevant information on the
following Internet site: http://www.edps.eu.int/".
2 Section 7 of the notification for prior checking.
The EDPS welcomes the means that DG REGIO supplies more "personalised" information to
bodies or organisations to be audited via the cooperation of the Member State's Permanent
Representation. This practice ensures transparency and fairness towards the data subjects.
Nevertheless, the EDPS recommends that for reason of fairness towards the data subject,
more specific information is supplied to the data subjects, under Articles 11 and 12 of the
Regulation, in the short Privacy Statement as to the following elements:
- the identity of the controller,
- the categories of personal data collected and processed by DG REGIO in an audit mission,
- the description of the purposes of the processing operation,
- mentioning the categories of recipients (as described in section 12 of the notification for prior checking),
- legal basis of the processing operation for which the data are intended,
- mentioning the particular time limit for storing data,
- right to have recourse to the European Data Protection Supervisor.
The EDPS welcomes the possible inclusion of his website address in the Privacy Statement,
but calls upon the controller to update the information: "You can find further information on
data protection at: http://www.edps.europa.eu."
I would appreciate if you could share this position with the controller and inform us of the
follow up measures taken concerning the information to be supplied to data subjects.
I remain at your disposal should you have any question concerning this matter.
Yours sincerely,
Joaquín BAYO DELGADO