Procedures related to fraud investigations - EIB

Opinion of 14 October 2010 on a notification for Prior Checking on procedures related to fraud investigations in the EIB Group (Case 2009-0459)

The European Data Protection Supervisor issued a prior check opinion regarding the data processing operations that take place in the context of procedures related to fraud investigations at the European Investment Bank (EIB). The purpose of the processing operation is precisely to investigate credible allegations of fraudulent practices in EIB-financed operations.

The Bank’s Fraud Investigation Division of the EIB (IG/IN) investigates allegations of prohibited practices in accordance with the EIB Anti Fraud procedures. In order to conduct investigations the IG/IN has full access to all relevant personnel information, documents and data, including electronic data within the EIB however no interception of communications and conversations is permitted.

At the term of the investigation, the Head of IG/IN will determine if a complaint or allegation has been substantiated and will refer the case to the relevant authorities within and/or outside the EIB for appropriate action. If, after reasonable investigation, IG/IN determines that a complaint or allegation has not been substantiated, it shall document the findings in a note to the file and close the case.

After closely examining the case, the EDPS made a number of recommendations.  Amongst other things, the EDPS requested that the EIB examine the legal basis of the investigations by the EIB; recommended the adoption of a formal protocol for the conduction of computer forensics investigations by the EIB; recommended the harmonization of the conservation periods; and recommended to provide information to data subjects in compliance with Regulation (EC) 45/2001.