DPO-3398.3 - RTD : External audit and control
General information
Creation : 13/04/2011
Keywords :
Last updated : 15/05/2013
Corporate : No
Registration : 30/11/2011
Language : English
Status : Archived
Model : No Model
Deleted : No
EDPS opinion (prior check) : No
DG.Unit : RTD.M
Target Population : Auxiliary agents, Beneficiaries, Contractors, Contractual agents, Detached officials, Local agents, National detached experts, Officials, Officials on probation, Retired officials and agents, Special advisers, Temporary agents, Trainees
Controller : BISCONTIN Franco
Delegate :
DPC : BOURGEOIS Thierry, PENEVA Pavlina
DPC Notes :
Processing
1. Name of the processing
External audit and control
2. Description
The processing operations are described in the ex-post control procedure guide, which is based on a sampling
methodology for financial transactions.
http://www.cc.cec/budg/dgb/interdg/_doc/epc/lib/legalframework/doc_080926_expostdefinitionandfaq_fr.pdf
http://www.cc.cec/budg/dgb/interdg/epc/library_en.html
Specific IT tools used in the context of performing an external financial audit are described below:
• A specific tool allowing the exchange of lists of projects (for an auditee) between DGs, supporting life-cycle
management of individual audit and extrapolation cases and containing a summary of the audit conclusions.
No personal data are processed except contact information of Commission staff and auditees.
• A specific tool to facilitate searching and visualisation of information about participants in grants and
contracts. This is used by auditors in the selection, preparation and performance of audits. The tool uses
information on participants in grants and contracts, taken from IT tools for programme management notified to
the DPO under n° DPO-978 (front-end) and DPO-2382 (back-office). This information includes details of
organisation names, registration numbers, address, audit results, EWS status, phone, fax, email, names of
authorised signatories and contact persons, project reference, acronym, funding, budget.
This processing has been submitted to the EDPS who concluded that Article 27 is not applicable.
3. Processors
External auditors of DG RTD.
List of attachments
• BUDG clause-data-protection-en.doc
DPO-3398.3
Page 1 of 5
23/07/2013
4. Automated / Manual operations
Beneficiary/contractor undertakes to provide any detailed information, including information in electronic
format, requested by the Commission or by any other outside body authorised by the Commission in order to
check that the action and the provisions of the agreement/service contract are being properly implemented.
5. Storage
Data are stored in computer systems and/or physical archives accessible only to duly authorized staff (IT and
physical access rights are managed according to the need-to-know principle).
6. Comments
N. A.
Purpose & legal basis
7. Purposes
Checks and financial controls of grant agreements or service contracts aim to verify the compliance of
beneficiaries, contractors, subcontractors or third parties with all contractual provisions (including financial
provisions), in order to check that the action and the provisions of the grant agreement or contract are being
properly implemented and to assess the legality and regularity of the transaction underlying the
implementation of the Community budget.
8. Legal basis and Lawfulness
The possibility for the EC to carry out checks and financial controls is provided for in the model grant agreement
or contract signed between the EC and the beneficiary/contractor, as required by the Financial Regulation
("FR") applicable to the General Budget of the European Communities (art. 170, 60.4), and its Implementing
Rules ("IR") (art. 47.4):
· Art. 170 FR: Each financing agreement or grant agreement or grant decision must expressly provide for the
Commission and the Court of Auditors to have the power of audit, on the basis of documents and on the spot,
over all contractors and subcontractors who have received Community funds.
· Art. 60.4 FR: The authorizing officer by delegation shall put in place, in compliance with the minimum
standards adopted by each institution and having due regard to the risks associated with the management
environment and the nature of the actions financed, the organizational structure and the internal management
and control procedures suited to the performance of his/her duties, including where appropriate ex post
verifications. Before an operation is authorized, the operational and financial aspects shall be verified by
members of staff other than the one who initiated the operation. The initiation and the ex ante and ex post
verification of an operation shall be separate functions.
· Art. 47.4 IR: The ex post verifications on documents and, where appropriate, on the spot shall check that
operations financed by the budget are correctly implemented and in particular that the criteria referred to in
paragraph 3 are complied with. These verifications may be organized on a sample basis using risk analysis.
The processing operations on personal data carried out in the context of ex post controls are necessary and
lawful under three articles of the Regulation (EC) 45/2001:
· article 5 (a): processing is necessary for the performance of a task carried out in the public interest on the
basis of the Treaties establishing the European Communities or other legal instruments adopted on the basis
thereof…
· article 5 (b): processing is necessary for compliance with a legal obligation to which the controller is subject
· article 20.1.b): necessary measure to safeguard:
· (a) the prevention, investigation, detection and prosecution of criminal offences;
· (b) an important economic or financial interest of a Member State or of the European Communities,
including monetary, budgetary and taxation matters;
· (c) the protection of the data subject or of the rights and freedoms of others;
This processing has been submitted to the EDPS who concluded that Article 27 is not applicable.
Data subjects and Data Fields
9. Data subjects
* Contractors and sub-contractors;
* Beneficiaries of grants;
* Staff;
* Experts.
10. Data fields / Category
All data necessary to efficiently conduct a control, such as:
· Name,
· Function,
· Grade,
· Activities and areas of expertise,
· Professional address,
· Timesheets,
· Salary,
· Accounts,
· Cost accounting,
· Missions,
· Information from the local IT system used to declare costs as eligible,
· Supporting documents linked to travel costs,
· Mission minutes and other similar data, depending on the nature of the action.
No data falling under Article 10.
Rights of Data Subject
11. Mandatory Information
The Privacy Statement attached is available with the Commission's letter initiating the control process.
List of attachments
• Ex-post audits notification v1.7.doc
12. Procedure to grant rights
Functional mailbox to get information and mailbox of the EDPS to lodge a complaint (see Privacy Statement):
xxxxxxxxxxxxxxxxxxxxxxxxxx@xx.xxxxxx.xx
13. Retention
Each ex post controller is responsible for archiving the documents related to controls. Data are stored until 10
years after the final payment, provided that no contentious issues occurred; otherwise, data are kept until the
end of the last possible legal procedure.
14. Time limit
The Commission services will respond within 15 working days to any request and if this is considered justified
the relevant correction or deletion will be performed within one calendar month.
15. Historical purposes
N. A.
Recipients
16. Recipients
Collected personal data may be transmitted to the Commission services in charge of ex post controls, without
prejudice to a possible transmission to the bodies in charge of a monitoring or inspection task in accordance
with Community law (OLAF, Court of Auditors, Ombudsman, EDPS, IDOC, Internal Audit Service of the
Commission).
17. Transfer out of EU/EEA
N. A.
Security measures
18. Technical and organizational measures
Access to personal information stored in IT systems or physical archives used in the context of external audits
and controls is limited to Commission staff who are mandated within the unit.
Files are stored in locked cupboards. Data communicated to OLAF or IDOC are kept in a safe under the authority
of the Head of unit.
IT data are stored on a common repository with restricted access, granted only to duly authorized staff on a
need-to-know basis.
Communication is internal only.
19. Complementary information
The attached Audit Process Handbook is a procedural manual describing how ex-post controls are to be
carried out. At each stage of the audit process the assessments are made by auditors or management. IT tools
are used to support this process but no automated decision making is used. During the selection, preparation
and performance of audit and desk controls information on the participation of beneficiaries is retrieved from IT
systems such as those notified under DPO-978 (front-end) and DPO-2382 (back-office) or the tools described
in point 7 above. This information is used as one input to the assessments made by the management of the
External Audit Service and by the auditor as to whether the beneficiary should be audited and the risks related
to the audit. The performance of an audit includes the collection of further information directly from the
beneficiary at its premises, and meetings with the beneficiary to discuss the findings and ensure that the
information has been correctly interpreted. This is followed by a contradictory procedure in which the
beneficiary is able to submit its comments on the draft version of the audit report. These comments are
considered by the auditor in producing the final audit report.
Audit cases which lead to indication or suspicion of fraudulent behaviour are treated as ‘Sensitive Cases’ and
are referred to an Audit Steering Committee. The Audit Steering Committee and the head of the External Audit
Service decide if the file should be transferred to OLAF following the respective procedure of the DG.
The auditor, supported by the Audit Steering Committee, is responsible for indicating and communicating,
together with the results of an audit, whether the audited organisation should be flagged in the Early Warning
System, following the respective procedure of the DG.
The DG RTD specific guidance note on grant applicants/beneficiaries flagged in the Early Warning System is
attached.
List of attachments
• Audit Process Handbook RTD.pdf
• EWS Procedure RTD.pdf
• Note from Controller to Processors.pdf