Brussels, 11 January 2023
WK 274/2023 INIT
LIMITE
FIN
This is a paper intended for a specific community of recipients. Handling and
further distribution are under the sole responsibility of community members.
MEETING DOCUMENT
From:
General Secretariat of the Council
To:
Budget Committee
N° prev. doc.:
WK 10436/2022
Subject:
Financial Regulation revision (recast proposal): Commission's follow-up of the
EDPS opinion 14/2022
Delegations will find enclosed Commission's follow-up of the European Data Protection Supervisor's
opinion 14/2022 of 7 July 20221 on the proposal for a recast of the Financial Regulation.
WK 274/2023 INIT
ECOFIN.2.A GT/AT/ab
LIMITE
EN
Follow-up of the European Data Protection Supervisor’s opinion 14/2022
of 7 July 20221 on the proposal for a recast of the Financial Regulation
This non-paper provides a preliminary technical assessment of the potential changes to the
wording of the recast of the Financial Regulation2 in order to reflect the recommendations of
the European Data Protection Supervisor (EDPS). The non-paper aims at facilitating the
decision-making process and is without prejudice to the position of the Commission on future
legislative amendments.
Recommendation 1: “to clarify the role of all entities that would be using and accessing
any personal data processed by the single integrated IT system for data-mining and
risk-scoring.”
In chapter 3.2 of the EDPS opinion, EDPS comments that the distinction of roles of the
entities is not sufficient and clear enough. The opinion also presumes that apart from the
Commission, the other entities using the system would be also controllers. However, part 1 of
the Record3 on processing of personal data DPR-EC-00598.3 on Arachne4 (hereinafter
“Record on processing of personal data on Arachne”) mentions that the Commission is the
only controller. Other entities (e.g. Member States) act as the processors. OLAF, ECA and
EPPO act as recipients and they may get access upon their request and on a "case by case"
basis.
Possible steps to take:
Proposal for a modification of recital 27:
“(…)
The Commission should act as a controller and be responsible for the development,
management and supervision of the single integrated IT system for data-mining and risk-
scoring. The Commission, tThe Member States, the persons or entities implementing the
budget pursuant to Article 62(1) of this Regulation, shall act as processors. The processors,
the European Anti-Fraud Office (‘OLAF’), the European Court of Auditors (‘ECA’), the
European Public Prosecutor’s Office (‘EPPO’) and other Union investigative and control
bodies should have the necessary access to those data within the exercise of their respective
competences. The rules related to the recording, storage, transfer and processing of data
should comply with applicable data protection rules.”
Proposal for additions to Article 36(7), third subparagraph:
“The Commission shall be the controller within the meaning of Article 3(8) of Regulation
(EU) 2018/1725 and shall be responsible for the development, management and supervision
of the single integrated IT system for data-mining and risk-scoring, for ensuring the security,
integrity and confidentiality of data, the authentication of the users and for protecting the IT
system against mismanagement and misuse. The Member States, the persons or entities
1 Proposal for a Regulation of the European Parliament and of the Council on the financial rules applicable to the
general budget of the Union (recast) | European Data Protection Supervisor (europa.eu).
2 COM(2022)223 final of 16.5.2022.
3 On the basis of Article 31 of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23
October 2018, each controller is required to keep a record of processing operations. The Data Protection Officer
of the European Commission created a publicly available register of all the processing operations on personal
data carried out by the Commission. Apart from the categories requested in paragraph 1 of Article 31 of
Regulation (EU) 2018/1725, the register must contain information explaining the purpose and conditions of all
processing operations, and shall be accessible to any interested person.
4 DPO Public register (europa.eu).
1
implementing the budget pursuant to Article 62(1) of this Regulation, shall act as processors.
The processors, the European Anti-Fraud Office (‘OLAF’), the European Court of Auditors
(‘ECA’), the European Public Prosecutor’s Office (‘EPPO’) and other Union investigative
and control bodies shall have the necessary access to those data within the exercise of their
respective competences.”
Recommendation 2: “to clarify the type of the IT system to be used, in particular
whether the Commission plans to base the system on the already existing IT system
“Arachne” or to create a completely new IT system.”
Paragraph 4 of the EDPS opinion’s Executive summary points out that the Proposal lacks
clarifications of the IT system to be used. In addition, point 7 of the EDPS opinion further
refers to Case C‑817/19 (paragraphs 183-187) to “
indicate in a sufficiently clear and precise
manner the database concerned”. The case-law in question concerns Directive (EU)
2016/6815, which provides in its Article 6(3)(a) that “…
PIU ‘may’ compare PNR data
against the databases”. The Court concluded that such a wording created lack of clarity
concerning the purpose limitation.
Article 36(6) of the Financial Regulation recast proposal clearly indicates that the created IT
tool is used for the established purposes (our emphasis):
“
For the purposes of point (d) of paragraph 2, the following data shall be recorded and
stored electronically in an open, interoperable and machine-readable format and regularly
made available in the single integrated IT system for data-mining and risk-scoring provided
by the Commission”.
There is no need for further details on the IT data-mining tool with regards to this element of
the EDPS opinion, because the purposes of processing are clearly indicated in Article
36(2)(d). Moreover, identifying with precision which IT tool will be used (i.e. Arachne or
another one) does not seem appropriate, since for any change in the future as regards the name
or the identification of the IT tool a change in the Financial Regulation would be required.
In point 18 of the opinion, EDPS pointed out that the terms “open” and “interoperable” are
not further clarified in the Proposal. The term “interoperable” was introduced by the Inter-
institutional Agreement of 16 December 20206 in its point 32. The term “open” was
introduced within the Common Provisions Regulation7 (Article 49(4) CPR). The recast of the
Financial Regulation should be consistent with the applicable legal framework. Therefore, the
terms “interoperable” and “open” cannot be deleted but may be further clarified.
5 Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of
passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist
offences and serious crime, OJ L 119, 4.5.2016, p. 132–149.
6 Interinstitutional Agreement between the European Parliament, the Council of the European Union and the
European Commission on budgetary discipline, on cooperation in budgetary matters and on sound financial
management, as well as on new own resources, including a roadmap towards the introduction of new own
resources Interinstitutional Agreement of 16 December 2020 between the European Parliament, the Council of
the European Union and the European Commission on budgetary discipline, on cooperation in budgetary matters
and on sound financial management, as well as on new own resources, including a roadmap towards the
introduction of new own resources, OJ L 433I , 22.12.2020, p. 28–46.
7 Regulation (EU) 2021/1060 of the European Parliament and of the Council of 24 June 2021 laying down
common provisions on the European Regional Development Fund, the European Social Fund Plus, the Cohesion
Fund, the Just Transition Fund and the European Maritime, Fisheries and Aquaculture Fund and financial rules
for those and for the Asylum, Migration and Integration Fund, the Internal Security Fund and the Instrument for
Financial Support for Border Management and Visa Policy, OJ L 231, 30.6.2021, p. 159–706.
2
Possible steps to take:
a) a definition of the term “interoperable” by adding a new paragraph 6a within Article 36:
“For the purposes of this Article, “interoperability” shall mean the minimum necessary
collection of data from and communication between various sources in order to have the
data assessed and potential risks evaluated effectively.”
b) an explanation of term “open” by adding a new paragraph 6b within Article 36:
“
For the purposes of this Article, “open” shall mean a file format of data that is made
accessible and readable to authorised users who shall have access only to the data
necessary for and proportionate to the exercise of their respective competences related to
the objectives of point (d) of paragraph 2.
”
Recommendation 3: “to explicitly identify all the categories of data concerned, i.e. which
data will be processed/brought into connection with the identification data mentioned in
Article 36 paragraph 6 of the Proposal, as well as the sources of those data.”
Paragraph 3.3. of the EDPS opinion indicates that an explicit list of data categories, as well as
sources, should be listed. In addition, the judgment in cases C-92/09 and C-93/09, in its
paragraph 32, provides that the publication of personal data may take place only if categories
are clearly defined, no adverse effect to the rights and freedoms of data subjects is established
and there is a proper register of processing operations.
Certain data categories are listed in Article 36(6). A wider list of data categories, as well as
the sources, is included in point 3 of the Record on processing of personal data on Arachne.
The sources are sufficiently addressed in the Record on processing of personal data on
Arachne, however an alignment between the list of data categories listed in Article 36(6) of
the Proposal and point 3 of the Record on processing of personal data on Arachne is
necessary.
Possible steps to take:
a) add the following data categories under a new point (c) of Article 36(6) of the proposal:
“
(c)
address, date of birth, function, information from regulatory and governmental
authorities, including warnings and actions against individuals and companies, money
launderers, human traffickers, fugitives and other criminals, aggregated and proprietary
information from public external trustworthy or contracted sources;”
b) in addition, due to the dynamic nature of the system, it is appropriate to add a new (third8)
subparagraph under Article 36(6) empowering the Commission to update the data by a
delegated act so that the Financial Regulation does not need to be modified with every
small change of the system:
“The Commission is empowered to adopt delegated acts in accordance with Article 274 to
update the personal data categories listed in point (c) of the first subparagraph by
amending, adding or removing any of such categories.”
8 A new second subparagraph is suggested under recommendation 4 below.
3
Recommendation 4: “introduce appropriate safeguards to ensure the quality and
accuracy of data, particularly in case those other data would be collected from third
parties.”
Point 13 of the EDPS opinion raised the introduction of appropriate safeguards in cases when
the data is collected from third parties.
Point 3 of the Record on processing of personal data on Arachne includes detailed
information about what third parties/external sources are used. The data is collected from
trustworthy public data sources, namely from Orbis which collects public data and UBO
(Ultimate Beneficial Owner) and World Compliance Database- Lexi Nexis which collects
data from regulatory and governmental authorities as well as sanction and media lists.
Apart from the fact that the data stem from public sources, the external sources are bound by a
contract or a licence agreement ensuring an adequate quality of public data sources used to
produce ARACHNE database. Last but not least, the Controller makes regular verification of
the data.
Possible steps to take:
Introduce a second subparagraph under Article 36(6), right after the list of categories of
personal data:
“The Commission shall use trustworthy sources and shall regularly audit and review the data
in order to safeguard its quality and accuracy.”
Recommendation 5: “regardless of whether the Commission intends to make use of
existing structures, to include in the Proposal itself a high level description of the IT tool,
including data protection roles and responsibilities and relevant applicable safeguards.”
Paragraph 19 of the EDPS opinion recommends inclusion of a high-level description of the IT
tool.
Possible step to take:
Add a new subparagraph under Article 36(7) of the proposal allowing for an implementing act
as regards technical specifications:
“The Commission shall be empowered to adopt an implementing act setting out the uniform
technical specifications of the IT data mining and risk-scoring tool referred to in point (d) of
paragraph 2, including rules in relation to common structure of the IT system, security of
personal data and interoperability with international standards and/or technological
systems.”
Recommendation 6: “to apply additional safeguards for the non-published types of data.
For instance, pseudonymisation of data should be considered.”
The Commission shall consider pseudonymisation as additional safeguard during the revision
of the Record on processing of personal data DPR-EC-05067.39 on managing award
procedures for procurement, grants and the selection of experts.
9 DPO Public register (europa.eu).
4
Recommendation 7: “to clarify whether electronic recording and storage of data would
be done within the IT system for data-mining and risk-scoring or the IT system would
only have access to data stored elsewhere.”
Point 21 of the EDPS opinion states that the electronic recording and storage of data
mentioned in Article 36(2)(d) does not contain sufficient information in order to understand
whether the data would be stored within the tool itself.
Point 6 of the Privacy statement that is included in part 7 of the Record on processing of
personal data on Arachne indicates that the data is stored on the servers of the European
Commission. In addition, the data is stored in a database on a virtual machine hosted on a
VMware cluster in EC datacenter following the secured standard data storage protocols
defined by DIGIT. The data is stored on VMDK disks, accessed via SCSI protocol of the
Operation System isolated from external access.
Possible steps to take:
The Privacy statement linked to the Record on processing of personal data on Arachne
include all the necessary information. It is not appropriate for the Financial Regulation to
include such a level of technical information.
Recommendation 8: “to clearly define the maximum duration for which the data
referred to in Article 36 of the Proposal may be stored and made available in the single
integrated IT system for data-mining and risk-scoring provided by the Commission.”
Chapter 3.5 and point 22 of the EDPS opinion calls for inclusion of a maximum storage
limitation.
Point 4 of the Record on processing of personal data on Arachne and point 5 of the Privacy
statement includes the maximum storage limitation of 10 years.
The retention periods are followed by the Common Retention List SEC(2019)900/210, which
indicates 10 years as a maximum retention period for:
Protection of the EU financial interest in regard to files of investigation in its part 4.7;
Information on programmes, projects and grants in its part 7; and
Financial management in its part 12.6.
Possible steps to take:
New paragraph 11 to be added to Article 36 of the proposal:
“Data shall be stored for the period necessary and proportionate to fulfil the purpose
determined in point (d) of paragraph 2. The maximum possible storage period shall not
exceed 10 years from the last payment claim for the period submitted to the Commission.”
10 SEC(2019)900/2 - EN (europa.eu).
5
Annex:
Summary table
Title of
Description of
Recital/
Potential
No.
Assessment
recommendation
recommendation
Article
modifications/additions
1
to clarify the role of Chapter 3.2 of the EDPS Part 1 of the Record11 on Recital 27
“(...) The Commission should act as
all entities that would opinion, EDPS comments that processing of personal data DPR-
a controller and be responsible for
be
using
and the distinction of roles of the EC-00598.3 on Arachne12 mentions
the development, management and
accessing
any entities is not sufficient and clear the Commission is the only
supervision of the single integrated
personal
data enough. The opinion also controller. Other entities (e.g.
IT system for data-mining and risk-
processed
by
the presumes that apart from the Member States) act as the
scoring. The Commission, tThe
Member States, the persons or
single integrated IT Commission, the other entities processors. OLAF, ECA and EPPO
entities implementing the budget
system
for
data- using the system would be also act as recipients and they may get
pursuant to Article 62(1) of this
mining
and
risk- controllers.
access upon their request and on a
Regulation, shall act as processors.
scoring
case by case basis.
The processors, the European Anti-
Fraud
Office
(‘OLAF’),
the
European Court of Auditors (‘ECA’),
the European Public Prosecutor’s
Office (‘EPPO’) and other Union
investigative and control bodies
should have the necessary access to
those data within the exercise of their
respective competences. The rules
related to the recording, storage,
transfer and processing of data
should comply with applicable data
protection rules.”
Art.36.7
“The Commission shall be the
controller within the meaning of
11 On the basis of Article 31 of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018, each controller is required to keep a record of
processing operations. The Data Protection Officer of the European Commission created a publicly available register of all the processing operations on personal data carried out
by the Commission. Apart from the categories requested in paragraph 1 of Article 31 of Regulation (EU) 2018/1725, the register must contain information explaining the purpose
and conditions of all processing operations, and shall be accessible to any interested person.
12 DPO Public register (europa.eu).
6
Article 3(8) of Regulation (EU)
2018/1725 and shall be responsible
for the development, management
and supervision of the single
integrated IT system for data-mining
and risk-scoring, for ensuring the
security, integrity and confidentiality
of data, the authentication of the
users and for protecting the IT
system against mismanagement and
misuse. The Member States, the
persons or entities implementing the
budget pursuant to Article 62(1) of
this Regulation, shall act as
processors. The processors, the
European
Anti-Fraud
Office
(‘OLAF’), the European Court of
Auditors (‘ECA’), the European
Public Prosecutor’s Office (‘EPPO’)
and other Union investigative and
control bodies shall have the
necessary access to those data within
the exercise of their respective
competences.”
2
to clarify the type of Paragraph 4 of the EDPS The text of Article 36(6) of the n/a
n/a
the IT system to be opinion’s Executive summary proposal leaves no doubt that the
used, in particular points out that the Proposal lacks created IT tool is used for the
whether
the clarifications of the IT system to established
purposes
(our
Commission plans to be used. In addition, point 7 of emphasis):
base the system on the the EDPS opinion further refers “
For the purposes of point (d) of
7
already existing IT to Case C‑817/19 (paragraphs
paragraph 2, the following data
system “Arachne” or 183-187) to “
indicate in a shall be recorded and stored
to create a completely sufficiently clear and precise electronically
in
an
open,
new IT system
manner
the
database interoperable
and
machine-
concerned”. The case-law in
readable format and regularly
question concerns Directive
made available in the single
(EU)
2016/68113,
which
integrated IT system for data-
provides in its Article 6(3)(a)
mining and risk-scoring provided
that “…
PIU ‘may’ compare by the Commission”.
PNR
data
against
the
databases”.
The
Court There is no need for further details
concluded that such a wording on the IT data-mining tool with
created
lack
of
clarity regards to this element of EDPS
concerning
the
purpose opinion, because the purposes of
limitation.
processing are clearly indicated in
Article
36(2)(d).
Moreover,
identifying with precision which IT
tool will be used (i.e. Arachne or
another one) does not seem
appropriate, since for any change in
the future as regards the name or
the identification of the IT tool a
change in the Financial Regulation
would be required.
2
to clarify the type of In point 18 of the opinion, EDPS The term “interoperable” was New
“For the purposes of this Article,
the IT system to be pointed out that the terms introduced by the Inter-institutional paragraph 6a
“interoperability” means the
used, in particular “open” and “interoperable” are Agreement of 16 December 202014 in Article 36
minimum necessary collection of
13 Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection,
investigation and prosecution of terrorist offences and serious crime, OJ L 119, 4.5.2016, p. 132–149.
14 Interinstitutional Agreement between the European Parliament, the Council of the European Union and the European Commission on budgetary discipline, on cooperation in
budgetary matters and on sound financial management, as well as on new own resources, including a roadmap towards the introduction of new own resources Interinstitutional
Agreement of 16 December 2020 between the European Parliament, the Council of the European Union and the European Commission on budgetary discipline, on cooperation in
8
whether
the not further clarified in the in its point 32. The term “open”
data from and communication
Commission plans to Proposal.
was introduced within the Common
between various sources in order
base the system on the
Provisions
Regulation15,
to have the data assessed and
already existing IT
particularly Article 49(4). The
potential
risks
evaluated
system “Arachne” or
recast of the Financial Regulation
effectively.”
to create a completely
should be consistent with the
new IT system
applicable
legal
framework.
Therefore,
the
terms
“interoperable” and “open” cannot
be deleted but may be further
clarified.
New
“For the purposes of this Article,
paragraph 6b
“open” means a file format of
in Article 36
data that is made accessible and
readable to authorised users who
shall have access only to the data
necessary for and proportionate
to the exercise of their respective
competences related to the
objectives of point (d) of
paragraph 2.”
3
to explicitly identify Paragraph 3.3. of the EDPS Certain data categories are listed in New point (c)
“(c) address, date of birth,
all the categories of opinion indicates that an explicit Article 36(6). A wider list of data under
the
function,
information
from
data concerned, i.e. list of data categories, as well as categories, as well as the sources, is first
regulatory and governmental
which data will be sources should be listed. In included in point 3 of the Record subparagraph
authorities, including warnings
processed/brought
addition, the judgment in cases on processing of personal data on of
Article
and actions against individuals
budgetary matters and on sound financial management, as well as on new own resources, including a roadmap towards the introduction of new own resources, OJ L 433I ,
22.12.2020, p. 28–46.
15 Regulation (EU) 2021/1060 of the European Parliament and of the Council of 24 June 2021 laying down common provisions on the European Regional Development Fund, the
European Social Fund Plus, the Cohesion Fund, the Just Transition Fund and the European Maritime, Fisheries and Aquaculture Fund and financial rules for those and for the
Asylum, Migration and Integration Fund, the Internal Security Fund and the Instrument for Financial Support for Border Management and Visa Policy, OJ L 231, 30.6.2021, p.
159–706.
9
into connection with C-92/09 and C-93/09, in its Arachne.
36(6) and a
and
companies,
money
the identification data paragraph 32, provides that the The
sources
are
sufficiently new
(third)
launderers, human traffickers,
mentioned in Article publication of personal data may addressed in the Record on subparagraph
fugitives and other criminals,
36 paragraph 6 of the take place only if categories are processing of personal data on under
that
aggregated
and
proprietary
Proposal, as well as clearly defined, no adverse Arachne, however an alignment same
information from public external
the sources of those affect to the rights and freedoms between the list of data categories provision
trustworthy
or
contracted
data
of data subjects is established listed in Article 36(6) of the (see also the
sources;
and there is a proper register of Proposal and point 3 of the Record new second
processing operations.
on processing of personal data on subparagraph
“The Commission is empowered
Arachne is necessary.
suggested
to adopt delegated acts in
under
accordance with Article 274 to
recommendat
update
the
personal
data
ion 4 below)
categories listed in point (c) of the
first subparagraph by amending,
adding or removing any of such
categories.”
4
introduce appropriate Point 13 of the EDPS opinion Point 3 of the Record on processing New second
“The Commission shall use
safeguards to ensure raised the introduction of of personal data on Arachne subparagraph
trustworthy sources and shall
the
quality
and appropriate safeguards in cases includes detailed information about under Article
regularly audit and review the
accuracy
of
data, when the data is collected from what third parties/external sources 36(6)
data in order to safeguard its
particularly in case third parties.
are used. The data is collected from
quality and accuracy.”
those
other
data
trustworthy public data sources,
would be collected
namely from Orbis which collects
from third parties
public data and UBO (Ultimate
Beneficial Owner) and World
Compliance Database- Lexi Nexis
which collects data from regulatory
and governmental authorities as
well as sanction and media lists.
Apart from the fact that the data
stem from public sources, the
10
external sources are bound by a
contract or a licence agreement
ensuring an adequate quality of
public data sources used to produce
ARACHNE database. Last but not
least, the Controller makes regular
verification of the data.
5
regardless of whether Paragraph 19 of the EDPS To include a new indent under New
“The Commission shall be
the
Commission opinion requires inclusion of a paragraph 7 of Article 36 of the subparagraph
empowered
to
adopt
an
intends to make use of high-level description of the IT Proposal to be added with the under Article
implementing act setting out the
existing structures, to tool
possibility
to
create
an 36(7)
uniform technical specifications of
include
in
the
implementing act with these
the IT data mining and risk-
Proposal itself a high
regards
scoring tool referred to in point
level description of
(d) of paragraph 2, including
the IT tool, including
rules in relation to common
data protection roles
structure of the IT system, security
and
responsibilities
of
personal
data
and
and
relevant
interoperability with international
applicable safeguards
standards and/or technological
systems.”
6
to apply additional Point 20 of the EDPS opinion The Commission shall consider n/a
n/a
safeguards for the relates to Article 38 of the pseudonymisation as additional
non-published types Proposal
and
concerns
a safeguard during the revision of the
of data. For instance, recommendation
to
apply Record on processing of personal
pseudonymisation of additional safeguards for the data DPR-EC-05067.316.
data
should
be non-published types of data.
considered
7
to clarify whether Point 21 of the EDPS opinion Point 6 of the Privacy statement n/a
n/a
electronic recording states
that
the
electronic that is included in part 7 of the
and storage of data recording and storage of data Record on processing of personal
16 DPO Public register (europa.eu)
11
would be done within mentioned in Article 36(2)(d) data on Arachne indicates that the
the IT system for does not contain sufficient data is stored on the servers of the
data-mining and risk- information
in
order
to European Commission. In addition,
scoring or the IT understand whether the data the data is stored in a database on a
system would only would be stored within the tool virtual machine hosted on a
have access to data itself.
VMware cluster in EC datacenter
stored elsewhere
following the secured standard data
storage protocols defined by
DIGIT. The data is stored on
VMDK disks, accessed via SCSI
protocol of the Operation System
isolated from external access.
It is not appropriate for the
Financial Regulation to include
such
a
level
of
technical
information.
8
to clearly define the Chapter 3.5 and point 22 of the Point 1.5 of the DPIA, point 4 of New
“Data shall be stored for the
maximum
duration EDPS opinion calls for inclusion the Record on processing of paragraph 11
period
necessary
and
for which the data of a maximum storage limitation personal data and point 5 of the under Article
proportionate to fulfil the purpose
referred to in Article
Privacy statement includes the 36
determined in point (d) of
36 of the Proposal
maximum storage limitation of 10
paragraph 2. The maximum
may be stored and
years.
possible storage period shall not
made available in the
exceed 10 years from the last
single integrated IT
The retention periods are followed
payment claim for the period
system
for
data-
by the Common Retention List
submitted to the Commission.”
mining
and
risk-
SEC(2019)900/217,, which indicates
scoring provided by
10 years as a maximum retention
the Commission
periods for:
Protection of the EU financial
interest in regard to files of
17 SEC(2019)900/2 - EN (europa.eu).
12
investigation in its part 4.7;
Information on programmes,
projects and grants in its part 7;
and
Financial management in its
part 12.6.
13
Document Outline
