This is an HTML version of an attachment to the freedom of information request 'DG INFSO S.5 Unit extenral financial audits of FP5 contractors, personal data protection'.


Ref. Ares(2013)3079939 - 19/09/2013
 
 
 
 
DPO-3338.1 - CNECT : DG INFSO External Audit and Control 
General information 
 
 Creation : 12/01/2011
 Keywords :
 Last updated : 13/03/2012
 Corporate : No
 Registration : 02/02/2011
 Language : English
 Status : Archived
 Model : No Model
 Deleted : No
 EDPS opinion (prior check) : No
 DG.Unit : CNECT.S.5
 Target Population :
 Controller : DEZEURE Freddy
 DPC Notes :
 Delegate :
 DPC : MARCOS FIGUERUELO Angela, TROYE Anne
 
 
Processing 
 1 . Name of the processing 
 DG INFSO External Audit and Control 
 
 2 . Description 

 The processing operations performed by most DGs are described in the procedure guide of ex-post control 
which is the result of a sampling methodology of financial transactions. 
http://www.cc.cec/budg/dgb/interdg/_doc/epc/lib/legalframework/doc_080926_expostdefinitionandfaq_fr.pdf
http://www.cc.cec/budg/dgb/interdg/epc/library_en.html 
 
Research family DGs use specific IT tools when performing external financial audits; these tools are
described below:
 
• A specific tool allowing the exchange of lists of projects (for an auditee) between DGs, supporting life-cycle 
management of individual audit and extrapolation cases and containing a summary of the audit conclusions. No 
personal data are processed except contact information of Commission staff and auditees. 
 
• A specific tool to facilitate searching and visualisation of information about participants in grants and 
contracts. This is used by auditors in the selection, preparation and performance of audits. The tool uses 
information on participants in grants and contracts, taken from IT tools for programme management (front-office
notified to the DPO under n° DPO-978 and back-office n° DPO-1260). This information includes details of
organisation names, registration numbers, address, audit results, EWS status, phone, fax, email, names of 
authorised signatories and contact persons, project reference, acronym, funding, budget. 
 
This processing has been submitted to the EDPS who concluded that Article 27 is not applicable. 
 
 3 . Processors 
 - 
 
 4 . Automated / Manual operations 
 n/a 
 
 
 
Beneficiary/contractor undertakes to provide any detailed information, including information in electronic 
format, requested by the Commission or by any other outside body authorised by the Commission in order to 
check that the action and the provisions of the agreement/service contract are being properly implemented. 
 
 5 . Storage 
 Data are stored in computer systems and/or physical archives accessible only to duly authorized staff 
(management of IT and physical access rights with respect to the need to know principle). 
 

 6 . Comments 
 n/a 
 
 
Purpose & legal basis 
 7 . Purposes 
 Checks and financial controls of grant agreements or service contracts aim at verifying beneficiary's or 
contractor's or subcontractors' or third parties' compliance with all contractual provisions (including
financial provisions), in view of checking that the action and the provisions of the grant agreement or contract 
are being properly implemented and in view of assessing the legality and regularity of the transaction 
underlying the implementation of the Community budget. 
 
 8 . Legal basis and Lawfulness 
 The possibility for the EC to carry out checks and financial controls is foreseen in the model grant agreement or 
contract signed between the EC and the beneficiary/contractor as required by the Financial Regulation ("FR") 
applicable to the General Budget of the European Communities (art. 170, 60.4), and its Implementing Rules 
("IR") (art. 47.4): 
• Art. 170 FR: Each financing agreement or grant agreement or grant decision must expressly provide for the 
Commission and the Court of Auditors to have the power of audit, on the basis of documents and on the spot, 
over all contractors and subcontractors who have received Community funds 
• Art. 60.4 FR: The authorizing officer by delegation shall put in place, in compliance with the minimum 
standards adopted by each institution and having due regard to the risks associated with the management 
environment and the nature of the actions financed, the organizational structure and the internal management 
and control procedures suited to the performance of his/her duties, including where appropriate ex post 
verifications. Before an operation is authorized, the operational and financial aspects shall be verified by 
members of staff other than the one who initiated the operation. The initiation and the ex ante and ex post 
verification of an operation shall be separate functions 
• Art. 47.4 IR: The ex post verifications on documents and, where appropriate, on the spot shall check that 
operations financed by the budget are correctly implemented and in particular that the criteria referred to in 
paragraph 3 are complied with. These verifications may be organized on a sample basis using risk analysis 
 
 
 
The processing operations on personal data carried out in the context of external audits and controls are 
necessary and lawful under three articles of the Regulation (EC) 45/2001: 
• article 5 (a): processing is necessary for the performance of a task carried out in the public interest on the 
basis of the Treaties establishing the European Communities or other legal instruments adopted on the basis 
thereof… 
• article 5 (b): processing is necessary for compliance with a legal obligation to which the controller is subject 

• article 20.1.b): necessary measure to safeguard: 
(a) the prevention, investigation, detection and prosecution of criminal offences; 
(b) an important economic or financial interest of a Member State or of the European 
Communities, including monetary, budgetary and taxation matters; 
(c) the protection of the data subject or of the rights and freedoms of others; 
 
This processing has been submitted to the EDPS who concluded that Article 27 is not applicable. 
 
 
Data subjects and Data Fields 
 9 . Data subjects 
 Contractors and sub-contractors 
Beneficiaries of grants 
Staff 
Experts 
 
 10 . Data fields / Category 

 All necessary data to efficiently conduct a control such as: 
• Name, 
• Function, 
• Grade, 
• Activities and expertise,
• Professional address, 
• Timesheets, 
• Salary, 
• Accounts, 
• Cost accounting, 
• Missions, 
• Information coming from local IT system used to declare costs as eligible, 
• Supporting documents linked to travel costs, 
• Minutes from mission and other similar data depending on the nature of the action.
 
No data which fall under article 10. 
 
 
 
See point 17) 
 
 
Rights of Data Subject 
 11 . Mandatory Information 
 The Privacy Statement attached is available with the Commission's letter initiating the audit or control process 
===> could you please personalize the attached model Privacy statement 
 
 List of attachments 
 • 2011-01 INFSO SSPS (clean).doc 
 
 
 12 . Procedure to grant rights 
 Functional mailbox to get information and mailbox of the EDPS to lodge a complaint (see Privacy statement ). 
 

 13 . Retention  
 Each external audits and controls Controller is responsible for archiving the documents related to these
operations. Data are stored until 10 years after the final payment, on condition that no contentious matter has occurred; in
that case, data will be kept until the end of the last possible legal procedure.
 
 14 . Time limit 
 The Commission services will respond within 15 working days to any request and if this is considered justified 
the relevant correction or deletion will be performed within one calendar month. 
 
 15 . Historical purposes 
 n/a 
 
 
Recipients 
 16 . Recipients 
 Collected personal data could be submitted to Commission services in charge of external audits and controls, 
without prejudice to a possible transmission to the bodies in charge of a monitoring or inspection task in 
accordance with Community law (OLAF, Court of Auditors, Ombudsman, EDPS, IDOC, Internal Audit Service of the
Commission). 
 
 
 
See point 20) 
 
 17 . Transfer out of EU/EEA
 n/a