
Opinion on the notification for prior checking from the Data Protection Officer of the European Parliament regarding the "Early Warning System (EWS)" dossier

Brussels, 16 July 2007 (Case 2007-147)

1. Procedure

By mail received on 6 March 2007, the Data Protection Officer (DPO) of the European Parliament issued a notification within the meaning of Article 27(3) of Regulation (EC) No 45/2001 to the European Data Protection Supervisor (EDPS) regarding the "Early Warning System" dossier.

Questions were put to the European Parliament's DPO in an e-mail dated 16 March 2007. Replies were given on 2 April 2007. Additional questions were put on 12 April 2007, and answers were sent on 8 May 2007. Further questions were put on 4 June 2007, and answers were sent on 12 June 2007. The DPO was given 7 days in which to comment on the draft EDPS opinion. At the request of the DPO and the controller, a meeting was held on Friday 13 July 2007 to clarify certain points.

2. Facts

The purpose of the processing is to exclude candidates and tenderers from participation in or the awarding of a contract (Articles 93 and 94 of the Financial Regulation, hereinafter FR).

Article 93 (FR) mentions the cases of exclusion within the framework of a procurement procedure:

- bankruptcy (Article 93(1)(a));
- offence concerning professional conduct (Article 93(1)(b));
- being guilty of grave professional misconduct (Article 93(1)(c));
- obligations relating to the payment of social security contributions/taxes not fulfilled (Article 93(1)(d));
- fraud, corruption, involvement in a criminal organisation or any other illegal activities detrimental to the Communities' financial interests (Article 93(1)(e));
- being in serious breach of contract for failure to comply with contractual obligations following another procurement procedure or grant award procedure financed by the Community budget (Article 93(1)(f)).
Article 94 of the FR provides that contracts may not be awarded to candidates or tenderers who, during the procurement procedure, are subject to a conflict of interest (Article 94(a)) or are guilty of misrepresentation (Article 94(b)) in supplying the information required by the contracting authority as a condition of participation in the contract procedure or fail to supply this information.

Article 96 of the FR further provides that administrative or financial penalties may be imposed by the contracting authority on third parties which are in one of the situations of exclusion specified in Articles 93 and 94 of the FR, after they have been given the opportunity to present their observations. These penalties may consist in excluding the third parties concerned from the contracts and grants financed by the budget, for a maximum of five years or in imposing financial penalties on the contractor, in the case referred to in Article 93(1)(f) of the FR, and on the candidates or tenderers, in the cases referred to in Article 94 of the FR, where they are very serious, up to the value of the contract in question.

For all exclusions, an alert is entered into a database, called Early Warning System (hereinafter EWS), established under Article 95 of the FR.

The EWS as such has been significantly modified. Initially the system was established by Article 95 of the Financial Regulation [1], which states that: "each institution shall establish a central database containing details of candidates and tenderers who are in one of the situations described in Articles 93 and 94. The sole purpose of the database shall be to ensure, in compliance with Community rules on the processing of personal data, the correct application of Articles 93 and 94. Each institution shall have access to the databases of the other institutions."

[1] Council Regulation (EC) No 1605/2002 of 25 June 2002.

The EWS was the subject of a very detailed Commission Decision [2]. Some of the institutions have done no more than exchange information using the Commission's EWS database. The European Parliament's services, meanwhile, decided to draw on the Commission's Decision in creating a system of their own, which is currently being set up. Some alerts established by the Commission are simply provided for by the Parliament.

[2] Decision C(2004) 193/3 as modified by Corrigendum C(2004) 517 and last modified by the 2006 internal rules.

However, the system is temporary, since the new Article 95 of Council Regulation (EC, Euratom) No 1995/2006 of 13 December 2006 amending Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities institutes a single EWS database established by the Commission and accessible to all the other institutions (enshrining current majority practice) but also by Member States, third countries and international organisations [3]. That database is to become operational on 1 January 2009, which implies that the system established before the revision of the FR remains in operation. In fact the EP already takes into account, through notified processing, some foreseeable effects of the revision of the FR adopted in December 2006, but the entry into force of these provisions entails that the EP's EWS will be modified as a result.

[3] 95(1) A central database shall be set up and operated by the Commission in compliance with Community rules on the protection of personal data. The database contains details of candidates and tenderers which is in one of the situation referred to in Articles 93, 94, 96 (1)(b) and (2)(a). It shall be common to the institutions, executive agencies and the bodies referred to in Article 185.
95(2) The authorities of the Member States and third countries as well as the bodies, other than those referred to in paragraph 1, participating in the implementation of the budget in accordance with Articles 53 and 54, shall communicate to the competent authorising officer information on candidates and tenderers which are in one of the situations referred to in Article 93(1)(e), where the conduct of the operator concerned was detrimental to the Communities' financial interest. The authorising officer shall receive this information and request the accounting officer to enter it into the database. The authorities and bodies mentioned in the first subparagraph shall have access to the information contained in the database and may take it into account, as appropriate and on their own responsibility for the award of contracts associated with the implementation of the budget.
95(3) Transparent and coherent criteria to ensure proportionate application of the exclusion criteria shall be laid down in the implementing rules. The Commission shall define standardised procedures and technical specifications for the operation of the database.

The data subjects are natural persons (and may also represent legal persons) with whom European Union institutions have entered into contracts (or intended to enter into contracts) and who for the restrictive reasons defined in the Financial Regulation (FR) and its implementing rules are excluded from participating in subsequent contracts for up to five years.

There is no automatic link between the EWS database and the Parliament's supplier files database (FOUR).

The EWS database operated by the Parliament offers three views:

A first group of data is stored with the name EOC (Economic Operator Contractor) and contains the following data: External ID Legal type account group legal form title name first name VAT (optional) origin of the entry category (if from EP, coming from FOUR or TENDERER) street street number postal code city remarks (comments optional)

A second group of data is stored with the EWI (Early Warning Indicator) name and contains the following data: External ID EW indicator Period of applicability (start date expiry date) origin of the entry contact coordinates (name, first name, function, DG/service, phone number) Reference (supporting reference/justification of the warning entry) status (activation/deactivation of the warning entry) validation status of the instance (four eyes control: the person who validates must be someone other than the person who created/updated the instance) Standard systems maintenance information

There is a third group, which is reserved for CFS staff managing the EWS.

The data categories, concerning exclusions alone, are the following: data concerning offences, criminal convictions or security measures; this category deals with names, addresses and company names of excluded companies and the reasons for their exclusion. A link is also made to the relevant Articles of the financial rules (current version), as follows:

- Article 93(1)(a): bankruptcy, being wound up, etc.
- Article 93(1)(b): offence concerning professional conduct
- Article 93(1)(c): grave professional misconduct
- Article 93(1)(d): irregularities concerning tax and/or social security contributions
- Article 93(1)(e): fraud, corruption, etc.
- Article 94(a): conflict of interest
- Article 94(b): misrepresentation
- Article 94(c): reference to Article 93(1)(a) to 93(1)(f)
- Article 96(1)(a): misrepresentation giving rise to penalties
- Article 96(1)(b): serious breach of contract

Data shall be collected from the data subjects and other European institutions. The procedure is as follows:

As regards use of Commission data, at the beginning of each month the Commission (DG Budget) e-mails to the Parliament (to the EP's Central Financial Service, 4 named individuals) an updated list of "excluded" persons, in a PDF-format zip file "secured" by a password. The document can only be opened with a password, which is sent to the EP. The password is not sent automatically, but at the EP's request. In the case of data that come from the Commission services, the Parliament does not open a personal file, but merely records the descriptive data on the data subjects that it receives from the Commission services.

If the EP is interested in a candidate mentioned on the Commission list, a dialogue will begin between the EP, specifically the head of unit of the Central Financial Service (hereinafter CFS), and the responsible person at the Commission's DG Budget, to clarify why the candidate appears on the list. The decision whether or not to select the candidate will be taken following that dialogue.

For transfers of information to the Commission, it must be noted that this situation has not yet arisen. If it happened, the same procedure as described above would be followed, but the other way around.
As regards any exclusion of persons with whom the EP services have contractual relationships, or persons involved in invitation to tender procedures, should such a case arise (none has yet), the managing services will have to inform the data subjects of the fact and involve a representative of the legal service in the procedure. At present, the EP is completing the relevant instructions, working with colleagues from the Legal Service.

Codification used by the Parliament:

The code for the exclusions covered in Articles 93 and 94 of the FR is alert A3. The EWS system only covers exclusion cases corresponding to the Commission's alert W5a (corresponding to the EP's alert A3), the only cases that the EP is obliged to monitor under the terms of the FR, which the Commission services send, in accordance with the FR.

The EP did intend to use the EWS system to follow A2 cases (recovery, Commission alert W4) as well. That project was halted, following the three-yearly review of the FR and its implementing rules, since the new provisions specified that from 1 January 2009 there would only be one central database (see above), managed by the Commission's services. Nevertheless, the EP is waiting till such a case occurs or till new instructions on the matter are received from Commission colleagues to set up that alert indicator.

Provision has also been made for an A1 alert (corresponding to Commission alerts W1, W2 and W3). The EP database is flexible enough to handle the alert indicators that the Commission asks it to create.

There is no equivalent to the Commission's alert W5b [4]. The preceding remark also applies to this case.

[4] Where any natural or legal person, group or entity has been listed in accordance with a Council Regulation (such as Council Regulation (EC) No 881/2002 imposing certain specific restrictive measures directed against certain persons and entities associated with Usama bin Laden, the Al-Qaida network and the Taliban) imposing Common Foreign and Security Policy (CFSP-) related financial restrictions and there is a ban on funds and economic resources being made available to, or used for the benefit of, that person, group or entity. In this case the warning W5b is entered in the EWS.

A set of notes on the EWS system is presented on the Parliament's Central Financial Service intranet site.

Processing is automated. When the new list arrives it is compared with the old list and changes are encoded by the CFS in the EP's internal database. Updates to the EP's EWS database are carried out manually. The database is integrated into the application for budget management by the authorising officers by delegation (via FINORD). When the awarding of a contract is recorded or a budget operation created with a person indicated in the EWS, an automatically generated warning message tells the user that he must get in touch with the DG contact person so that the appropriate measures can be taken. No other information is transmitted to the operator concerned.

Data users in the EP: There are three different user profiles:

- EWM: this profile is reserved for CFS staff [four members of Central Financial Service staff: Head of Unit, Administrator (administrative and financial supervisor), Assistant (administrative and budgetary manager) and Assistant (CFS secretarial coordination)], which is responsible for the administration of the system and for keeping it up to date; these individuals have access to all the data. The EWM manages the system. He can therefore create, change or delete information, activate alert indicators, create or delete profiles, and generate reports. Any exclusion (there have not yet been any) will be introduced by these individuals, on instruction from the services of the authorising officers by delegation (AODs), and only following completion of the adversarial procedure.
- EWC: this profile is reserved for the accountancy services and has not yet been used. It is designed to allow the same application to be used for dealing with the institution's debtors (entitlements established).
- EWV: this profile is reserved for contact persons in the Directorates-General appointed by the authorising officers by delegation (hereinafter AODs). These persons will only have access to active indicators (not historical records). The procedures whereby these persons can access information are currently in development.

All necessary steps have been taken to limit access to the data to circumstances where it is necessary to the service, i.e. where the EP's services wish to sign a contract with one of the persons on the EWS list or have to make a payment order in their favour. In practice, the EP's services should have contractual relationships with persons excluded by the Commission services only exceptionally, since the institutions' core businesses, and therefore their contractual relationships, are very different. No such situation has yet arisen.

As the data in question are highly sensitive, access to the detailed information is restricted to a limited number of persons, appointed by the authorising officers by delegation within the Directorates-General (those persons have access for consultation only) and by the Accountant within the accounting service.

EWC and EWV have access for consultation only. They can see whether there is a warning for the candidate by querying the database. If so, they will see only the information on that candidate. In no case will they be able to see the full list of persons for whom there is a warning.

The information provided takes the form of inclusion in the database, which can happen only following an adversarial procedure with the person concerned. The adversarial procedure is carried out through an exchange of letters between the institution and the person (see Article 96 FR and Article 133a of the implementing rules). The grounds for exclusion and the penalties imposed, as well as a deadline for responding, are set out in the exchange of letters. If the EP becomes aware of a problem at the stage of examination of offers, there may be an exchange of letters requesting additional information on the candidate's situation (see Article 96 FR and Article 133a of the implementing rules).

The rights of the data subjects are set out in Article 95 FR: "1. a central database shall be set up and operated by the Commission in compliance with Community rules on the protection of personal data."

Data access is arranged as follows: Data subjects do not have direct access to the EWS database. However, persons excluded will be informed of their situation following the adversarial exchange that takes place. They will be informed at that point of the data recorded in the database and can have them corrected where appropriate.

The data storage medium is the Parliament's network and the pdf document, archived in a safe.

The data recipients in cases of exclusion decided on by the EP's services are the corresponding Commission services, which make them available to the other Community institutions.

Data are kept for five years following the discharge of the financial year in question. The data received from the Commission in pdf format are kept until the new list is received the following month.

The security measures are as follows: the documents are kept locked up; access is possible only with a user name and passwords. Access level is differentiated by profile. There are three profiles (see above, in the section on users). Thus far only the EWM profile is operational.

3. Legal aspects

3.1. Prior checking

The notification received on 6 March 2007 relates to processing of personal data in the terms of Article 2(b) of Regulation No 45/2001 ("any information relating to an identified or identifiable natural person", Article 2(a)). Actually, the Early Warning System (EWS) includes data relating to natural persons not only in their capacity to represent a legal person, but also in their capacity as individuals liable to be subject to an evaluation under the EWS.

The data processing in question is carried out by an institution in the exercise of activities which fall within the scope of Community law (Article 3(1)).

Processing under the registration procedure for data subjects in the Early Warning System is at least partially automated within the meaning of Article 3(2) of Regulation No 45/2001. This processing is manual, but the content is intended to form part of an automated system, because when the Parliament receives the information from the Commission, it is integrated into the application for budget management of the authorising officers by delegation (via FINORD). When a contract is awarded or when a budget operation with a person indicated in the EWS database is created, a warning message is generated automatically. In addition, in the other direction, although this has yet to occur, after the Parliament has sent information to the Commission, the W5a warnings (concerning third parties excluded under the rules, namely Articles 93, 94 and 96 of the FR) can be seen in the Commission's accounts and are accessible to the other institutions. Furthermore, these data must in some cases be added to the dossier on the third party. This processing is done manually but the content is intended to form part of a filing system. The Regulation therefore applies in accordance with Article 3(2).
Article 27(1) of Regulation No 45/2001 subjects processing operations likely to present specific risks to the rights and freedoms of data subjects to prior checking by the European Data Protection Supervisor. Article 27(2) contains a list of processing operations likely to present such risks including, in Article 27(2)(d), "processing operations for the purpose of excluding individuals from a right, benefit or contract". The recording of a natural person [5] in the EWS entails his exclusion from a contract or from the granting of a subsidy, or the refusal of funds; it therefore comes under Article 27(2)(d) and as such is subject to prior checking by the European Data Protection Supervisor.

[5] As well as legal persons (not covered by Regulation No 45/2001).

Furthermore, the Regulation also makes "processing of data relating to health and to suspected offences, offences, criminal convictions or security measures" (Article 27(2)(a)) subject to prior checking. The EWS, insofar as the exclusions covered in Article 93 of the FR may contain data of that kind, should be subjected to a prior check.

Finally, the Regulation also subjects to prior checking: "processing operations intended to evaluate personal aspects relating to the data subject, including his or her ability, efficiency and conduct" (Article 27(2)(b)). The EWS is clearly linked to an evaluation procedure by the Parliament, particularly as concerns the financial conduct of a person and to this effect must be subjected to prior checking.

The EDPS has already delivered a number of opinions regarding the EWS. The prior checking of the Commission EWS was notified to the EDPS in 2006 and he delivered his opinion [6] on 6 December 2006. He also delivered an opinion [7] on the proposed revision of the FR and its implementing rules. Finally, the EDPS delivered an opinion on the use of the Commission EWS by the Court of Justice [8].

[6] See the EDPS opinion of 6 December 2006, Case 2005-120 (on EDPS web site).
[7] Opinion of the European Data Protection Supervisor on the modified proposal for a Council Regulation amending Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities (COM(2006) 213 final) and the proposal for a Commission Regulation (EC, Euratom) amending Regulation (EC, Euratom) No 2342/2002 laying down detailed rules for the implementation of Council Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities (SEC(2006) 866 final), dated 12 December 2006, on the EDPS web site.
[8] See the EDPS opinion of 22 December 2006, Case 2006-397 (on EDPS web site).

In principle, checks by the EDPS should be performed before the processing operation is implemented. In this case, as the EDPS was appointed after the system was set up, the check necessarily has to be performed ex post. However, this does not alter the fact that the recommendations issued by the EDPS should be implemented.

The official notification was received on 6 March 2007. Further information was requested by e-mails on 16 March 2007. Pursuant to Article 27(4) of Regulation No 45/2001, the two-month period within which the EDPS must deliver an opinion was suspended. Replies were given on 2 April 2007. Additional questions were put on 12 April 2007, and answers were sent on 8 May 2007. Further questions were put on 4 June 2007, and answers were sent on 12 June 2007. The DPO was given 7 days in which to comment on the draft EDPS opinion. At the request of the DPO and the controller, a meeting was held on Friday 13 July 2007 to clarify certain points. The time limit has been suspended from that date to the present. The EDPS should therefore deliver an opinion by 16 July 2007 (15 July being a Sunday) (7 May plus 69 days of suspension).

3.2 Lawfulness of the processing

The lawfulness of the processing must be considered in the light of Article 5(a) of Regulation No 45/2001, which provides that personal data may be processed only if the processing is "necessary for the performance of a task carried out in the public interest on the basis of the Treaties establishing the European Communities or other legal instruments adopted on the basis thereof or in the legitimate exercise of official authority vested in the Community institution".

Article 5(b) provides that personal data may be processed only if the "processing is necessary for compliance with a legal obligation to which the controller is subject".

Furthermore, data concerning offences, criminal convictions or security measures are classified as "special categories of data" under Article 10(5) of the Regulation and therefore grounds must be found in Article 10 in order to allow the data to be processed by the Community institutions (see point 3.3 Special categories of data).

The system set up by the Parliament is necessary to comply with its legal obligations and carry out its mission in the public interest, i.e. to protect the financial and economic interests of the European institutions.

Processing of personal data in the EWS falls within the legitimate exercise of official authority vested in the institutions, as it aims at ensuring circulation of restricted information concerning third parties who could represent a threat to the Communities' financial interests and reputation, should the Commission enter, or if it has already entered a contractual/conventional relationship with them.

The legal basis of the system set up by the Parliament is Articles 93, 94, 95 and 96 of the FR as adopted in 2002 (see footnote 3 on page 2 above) and Articles 133 and 134 of its implementing rules. But note also the legal basis constituted by Article 95 FR as amended on 13 December 2006, entering into force on 1 May 2007, which states that the central database set up by the Commission (see above) is common to the institutions and executive agencies. That central database is to be established by 1 January 2009. As a reminder, this legal obligation arises from these provisions: Articles 93, 94, 95 and 96 of Council Regulation (EC, Euratom) No 1605/2002 of 25 June 2002 on the Financial Regulation applicable to the general budget of the European Communities as amended by Council Regulation (EC, Euratom) No 1995/2006 of 13 December 2006 amending Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities; Articles 133 and 134 of Commission Regulation (EC, Euratom) No 2342/2002 of 23 December 2002 laying down detailed rules for the implementation of Council Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities as amended by Council Regulation (EC, Euratom) No 1995/2006 of 13 December 2006 amending Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities. The legal basis supports the lawfulness of the processing.
3.3 Processing of special categories of data

Among other data, the EWS covers the special categories of data referred to in Article 10(5) of Regulation No 45/2001: "processing of data relating to offences, criminal convictions or security measures may be carried out only if authorised by the Treaties establishing the European Communities or other legal instruments adopted on the basis thereof or, if necessary, by the European Data Protection Supervisor, subject to appropriate specific safeguards". For the alerts used by the Parliament (W5a in the terminology of the Commission Decision on the EWS), data processing is carried out on the basis of the legal instruments referred to (the Financial Regulation and its implementing rules, the Commission Decision on the Early Warning System) and thus complies with Article 10(5) of Regulation (EC) No 45/2001.

3.4 Data quality

Article 4 of Regulation (EC) No 45/2001 sets out a number of obligations regarding the quality of personal data.

Data must be "processed fairly and lawfully" (Article 4(1)(a)). The lawfulness of the processing has already been discussed (see point 3.2 above). As regards fairness, this relates to the information given to the data subjects (see point 3.9 below).

Personal data should be collected for "specified, explicit and legitimate purposes" (Article 4(1)(b)). This provision means that processing of personal data may only be carried out for a specified purpose. It also implies that an approach must be taken that finds the right balance between the need to process personal data and the intrusion it may cause into the private lives of the data subjects. The benefits of the processing of the data must be weighed against any possible adverse impact. While the setting up of the system, designed to protect the financial interests and reputation of the Communities, serves the legitimate interests of the institutions and other bodies, entering a warning against a person may have serious negative effects for the data subject; those data are necessary in terms of the purpose of the data processing. As to the serious effects with regard to the data subject, certain safeguards should be put in place to protect the data subject's legitimate interests. These safeguards should be embodied inter alia in the data subject's right to be informed and to have access to data relating to him (see below 3.9 and 3.8).

The data must be "adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed" (Article 4(1)(c)). The processed data described at the beginning of this opinion should be regarded as satisfying these conditions. The data required, as set out on page 3 of the "Facts" section, are administrative in character. They are necessary for the proper functioning of the various stages of the procedure envisaged by the EWS. The EDPS considers that Article 4(1)(c) of Regulation No 45/2001 is respected.

Article 4(1)(d) of the Regulation stipulates that data must be "accurate and, where necessary, kept up to date".
As regards the warnings used by the Parliament (W5a in the terminology of the EWS Commission Decision), Article 7(2)(b) of the Commission Decision on the EWS provides that "where certifications and evidence obtained by any authorising department in accordance with Article 93(2) FR on the occasion of another award procedure are not consistent with activated W5a warnings, the AOD/AOSD shall immediately inform the AOD/AOSD responsible for the warning, so that deactivation may be requested in accordance with Article 9(3)". This provision leaves scope for the correction of inaccurate or outdated data. However, deactivation does not lead to removal from the system. The EDPS recommended in his opinion on the Commission Decision on the EWS 9 that any trace of a flag which is subsequently removed be made invisible to the common user of the EWS system, and only be kept in a form accessible to a limited number of users for audit reasons. Such audit trails may not be kept for longer than is necessary according to the provisions of the FR (Article 49). Although the precise relationship between a legal person and a natural person is not altogether clear, Article 4(1)(d) of the Regulation implies that any modification of status of a legal person should be reflected in the status of the natural persons linked to that legal person in the EWS. The requirement that data be accurate also demands that any rectification of inaccurate or incomplete data outside the system should be reflected in the EWS. The EDPS also questioned the value of information related to the subcategory W5a10 (exclusion under Article 94 FR: conflict of interest or misrepresentation) which, according to the EWS request form, has to be mentioned and not activated by the system, since mentioning a person in the system under a W5 flag has an immediate legal effect. 
Even if there is no identical classification in the Parliament's A3 warning, the same reasoning applies when the EP makes an exclusion under Article 94 FR. Therefore the value of a non-activated but visible warning must be questioned. This also applies to the way the Parliament manages data relating to W5a10 flags when the Parliament is the source of the information.

9 See footnote 6.

As the Parliament receives the encrypted file from the Commission each month, it is possible to ensure the accuracy of the data as well as ensure that it is kept up to date. Each time the Parliament receives the new list from the Commission, it must update the information in its own files. In the case of data that come from the Commission services, the EP does not open personal files, but merely records the descriptive data on the data subjects that it receives from the Commission services. Therefore it does not open personal files on the persons with whom it has contractual relationships and who could be the subject of Commission warnings.

As regards any exclusion of persons with whom the EP services have contractual relationships, or persons involved in invitation to tender procedures, should such a case arise (none has yet), the managing services will have to inform the data subjects of the fact and involve a representative of the Legal Service in the procedure. The EP's Legal Service is currently completing the relevant instructions.

The EDPS recommends that the EP open a personal file for each person with whom it is in a contractual relationship, so that it can keep all the data on them up to date, particularly as regards the data that make up the EWS database and the associated warnings, whether they come from the Commission, if the Parliament has a contractual relationship with a person for whom a Commission warning exists, or from the EP itself. In particular, in order to ensure that the data are properly updated as required by Article 4(1)(d), the date of the update should be indicated. The Parliament has to update its own files connected to the persons with whom it has contractual relationships, indicating the actual date of correction and not the date when it receives the list from the Commission, as data may have been updated between the monthly lists.
The same applies when the Head of Unit of the Parliament's SFC asks for further information from the contact person at the Commission for a specific case, as the cause of exclusion is not included. The EDPS recommends that the Parliament ensure data quality by updating the personal files that it has to create as soon as it receives new information on the persons with whom it maintains contractual relations. When the Parliament could conclude that a warning is required after the adversarial procedure (this is applicable in the context of Article 93(1)(c) and (f)), updated elements must also be taken into account.

The right of access and rectification as provided for by Article 13 of Regulation No 45/2001 should also serve to guarantee the quality of data. This will be discussed further below (see point 3.8).

3.5. Data storage

Article 4(1)(e) of Regulation (EC) No 45/2001 sets out the principle that data must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed". When the Parliament has to enter a warning, it is the AOD who puts forward the precise duration of the exclusion. In order to ensure equal treatment among third parties in respect of the duration of storage proposed by the Commission, the AOD of the Parliament will take that factor into consideration before presenting a proposal on the matter.

As regards the data in its files on third parties, the policy of the Parliament is to store them for five years following the discharge of the financial year in question. The EDPS considers that data storage period to be compatible with Article 4(1)(e) of the Regulation.

3.6. Compatible use / Change of purpose

Article 4(1)(b) of Regulation (EC) No 45/2001 provides that personal data must be collected for specified, explicit and legitimate purposes and not be further processed in a way incompatible with those purposes. The processing of the EWS itself and the database used for the personal files of third parties serve the same objective. The EDPS does not detect any incompatible use of the data, since both databases fall within the general framework of sound financial management of Community funds. Accordingly, Article 6(1) of Regulation (EC) No 45/2001 is not applicable to the case in point, and Article 4(1)(b) of the Regulation is complied with, given that the purposes are compatible.

3.7. Transfer of data

Transfer of personal data within or between Community institutions or bodies

Article 7(1) of the Regulation provides that "personal data may only be transferred within or to other Community institutions or bodies if the data is necessary for the legitimate performance of the tasks covered by the competence of the recipient." Article 7(1) applies to information exchanges with the Commission. The EDPS considers that these transfers comply with Regulation (EC) No 45/2001 as they are "necessary for the legitimate performance of tasks covered by the competence of the recipient". Furthermore, when in accordance with Article 95 FR as amended on 13 December 2006 (see point 3.2 above) the Commission has established a central database common to the institutions, there will still be data exchanges between the institutions, including the Parliament. But that system is not under examination in this opinion.
The EDPS recommends that the EP refer to his legislative opinion (see footnote 11) and to the forthcoming EDPS opinion on the future prior checking of the Commission EWS when the modified database is set up.

Finally, where Article 2(g) of Regulation (EC) No 45/2001 defines the "recipient" as a "natural or legal person, public authority or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients" is applicable, it is only in cases where those recipients have investigative powers. The exception mentioned in Article 2(g) must be interpreted as an exception to the right to information and not as an exception to the provisions of Articles 7 et seq. of the Regulation as regards data transfers.

As to the transfers provided for in Articles 8 and 9 of Regulation No 45/2001, namely transfers of personal data to recipients, other than Community institutions and bodies, subject to Directive 95/46/EC (Article 8) and transfers of personal data to recipients, other than Community institutions and bodies, which are not subject to Directive 95/46/EC (Article 9), they are not carried out by the Parliament, but by the central system of the Commission 10.

10 On this point, see case 2005 120 (opinion of the EDPS on the EWS of the Commission on the EDPS web site).

3.8. Right of access and rectification

The right of access is the right of the data subject to be informed that personal data relating to him or her is processed by the data controller and to obtain the communication of such data in an intelligible form. As a matter of principle, this right has to be interpreted in the light of how personal data is conceived. The Regulation has in fact adopted a broad concept of personal data. This is based on the need to respect the right of defence, in general; and in the particular field of personal data protection, respect of the rights of access and rectification is directly linked to the data quality principle as described above (point 3.4). Although in most cases leading to a warning in the EWS, the data subjects are aware of the facts leading to such a warning, that does not mean that they should not be granted access to the information contained in the system which relates to them.

According to Article 13 of Regulation No 45/2001, "the data subject shall have the right to obtain, without constraint, at any time within three months from the receipt of the request and free of charge from the controller: [...] information at least as to the purposes of the processing operation, the categories of data concerned, and the recipients [...] to whom the data are disclosed; [and] communication in an intelligible form of the data undergoing processing and of any available information as to their source". Article 14 provides that: "the data subject shall have the right to obtain from the controller the rectification without delay of inaccurate or incomplete personal data".

In its notification, the Parliament considers that the right of access is given to the data subject through the adversarial procedure prior 11 to registration in the Commission database (in cases covered by Article 93(1)(c) and 93(1)(f)).
Furthermore, in all cases of W5a warnings, Article 7(2) of the Commission Decision on the EWS leaves scope for the correction of inaccurate or outdated data by the AOD/AOSD. However, the EDPS considers that this does not provide the data subject with a right of access to the data processed by the Parliament.

At point 3.4 above, the EDPS recommended that the Parliament open a personal file for each person with whom it has a contractual relationship. This is necessary to keep the data up to date. With reference to Articles 13 and 14 of Regulation (EC) No 45/2001, the EDPS recommends that the EP give all data subjects the right of access to personal files concerning them, with the exceptions set out in Article 20. Rules should therefore be designed to grant an unconditional right of access for, at least, the natural persons concerned (see scope of Regulation No 45/2001 in point 3.1 of this opinion).

In cases where a personal evaluation is carried out by the EP, access to the data should be given by the EP itself to data subjects, particularly in order to allow the data subject to exercise his rights of defence. However, if the personal evaluation is carried out not by the Parliament, but by another institution and with the consequence that information is entered in the Commission database, and if the Parliament should have opened a specific file relating to the data subject, the right of access should also be given by the EP, if requested.

11 Exclusions from participation in a contract or grant award procedure in accordance with Article 93(1)(c) and (f) FR, based on the assessment by the AOD/AOSD after an adversarial procedure, shall, without prejudice to Article 9(2), give rise to active registration under W5a for a period of three months (renewable) pending a possible decision by the Authorising Officer (Commission) on exclusion in application of Article 96 FR (Article 7 of the EWS Commission Decision).

The right of access is also applicable when a data subject requests access to files of other persons, where information relating to him or her is included therein (for example: employees of a tenderer). Access should not be refused, subject to possible restrictions in accordance with Article 20(1)(c) ("necessary measure to safeguard the protection of the data subject or of the rights and freedoms of others").

Article 20 of Regulation No 45/2001 provides for restrictions on the right of access in certain cases, inter alia if such restriction constitutes a measure necessary to safeguard "(a) the prevention, investigation, detection and prosecution of criminal offences; (b) an important economic or financial interest of a Member State or of the European Communities, including monetary, budgetary and taxation matters; (c) the protection of data subjects or the rights and freedoms of others; (d) the national security, public security or defence of the Member States; (e) a monitoring, inspection or regulatory task connected, even occasionally, with the exercise of official authority in the cases referred to in (a) and (b)."

In the context of the exception concerning economic or financial interests, the requirement must be specific when applied. It should not be used as a general-purpose exception. The restrictions applicable to the rights of the data subject, mentioned in Article 20 of Regulation No 45/2001, cannot be set up as rules but should remain exceptions.
If one of the restrictions set out in Article 20 is cited, the EP is obliged to take into account and comply with Article 20(3), which reads: "If a restriction provided for by paragraph 1 is imposed, the data subject shall be informed, in accordance with Community law, of the principal reasons on which the application of the restriction is based and of his or her right to have recourse to the European Data Protection Supervisor" and Article 20(5), which reads "Provision of the information referred to under paragraphs 3 and 4 may be deferred for as long as such information would deprive the restriction imposed by paragraph 1 of its effect". Concerning the right to information, this provision should be read along with Articles 11 and 12 of the Regulation (see point 3.9 below). If a restriction is imposed on the right of access, the data subject has a right to request indirect access through recourse to the EDPS (Article 20(4)).

Article 14 of the Regulation provides the data subject with a right to rectify inaccurate or incomplete data. Given the sensitivity, in most cases, of these investigations, this right is of key importance to ensure the quality of the data used, which, in this specific case, is connected to the right of defence. Any restriction under Article 20 of the Regulation has to be applied in the light of the remarks on the right of access in the paragraphs above. The EDPS recommends providing a right of rectification where the Parliament is responsible for entering the warning in the system, as well as in the context of the forthcoming EWS due to come into effect on 1 January 2009.

3.9. Information to the data subject

Article 11 of Regulation (EC) No 45/2001 specifies that the controller must provide information to the data subject except where he or she already has it.
This information covers at least the identity of the controller, the purposes of the processing operation for which the data are intended, the recipients or categories of recipients, whether replies to questions are obligatory or not, as well as the possible consequence of a failure to reply and the existence of a right of access to, and right to rectify the data concerning him. Further information may also have to be provided, such as the legal basis of the processing operation, the time-limits for storing the data and the right to have recourse at any time to the EDPS. Where personal data are directly obtained from the data subject (which is the case for the Commission, through its Legal Entity File (FEL); the equivalent at the EP is called the supplier file (FOUR)), the information should be provided at the time the data are obtained. Since data are collected inter alia directly from data subjects, Article 11 applies.

The provisions of Article 12 (Information to be supplied where the data have not been obtained from the data subject) are also applicable, due to the fact that the EP can collect information for itself or from the Commission. In such cases, the information must be provided to the data subject at the time of recording of the data or no later than the point when data are disclosed to a third party, unless the person concerned already has this information.

Article 20 of Regulation (EC) No 45/2001 lays down certain limits on the obligation to inform, under certain conditions (see above preceding page).

A distinction must be made here as concerns general information on the EWS and specific information to be given to data subjects who are the subjects of a warning. General information on the EWS has been provided on the Europa website since 16 August 2006. However, the EDPS emphasised, in his opinion on the Commission decision on the EWS, that most of the information related to the processing of personal data is not provided. Since the EDPS recommendation on that point, all the information referred to in Articles 11 and 12 has been provided by the Commission on the relevant Europa web pages.

In order to comply with Regulation No 45/2001, the EDPS recommends that general information on the mere existence of the EWS must be provided to all persons (third parties) for whom a personal file might be opened in the Parliament.
That information should include the items listed in Articles 11 and 12 of the Regulation and should be given at the time when the data in the personal files of third parties is being obtained. In addition, the EDPS considers that notes such as those that present the system on the CFS intranet site are a source of confusion and that, as regards Article 4(1)(c) of the Regulation and the adequacy required, all references to A1 and A2 warnings should be deleted, if the EP does not want to provide for those warnings.

Article 149(3) provides that, in the case of contracts awarded by the Community institutions on their own account, under Article 105 of the Financial Regulation, the contracting authority shall inform all unsuccessful third parties, simultaneously and individually, as soon as possible after the award decision and within the following week at the latest, by mail and fax or email, that their application or tender has not been accepted; specifying in each case the reasons why the tender or application has not been accepted. The EDPS welcomes this paragraph 3, although, if the reason is inclusion in the EWS, it only gives information a posteriori. This does not, however, allow the data subject to exercise his right of defence before the exclusion in the specific case, although it does give information for future cases. The EDPS therefore recommends that it be made a rule that the data subject has to be informed when a warning is entered against him in the EWS.

In the light of these considerations, if the EP restricts the right of information in specific cases on the basis of Article 20(1)(b), that restriction must be the exception rather than the rule (see above).