Privatsphäre in den EU-Organen

OLAF assists competent authorities in the Member States of the EU referred to in Council Regulation (EC) 515/97 in preventing, investigating and prosecuting violations of customs or agricultural legislation and to enhance the effectiveness of the cooperation among Member States and between them and the European Commission. For this purpose, competent authorities of Member States communicate and exchange anti-fraud information with each other and with the Commission [OLAF]. Anti-fraud information is also exchanged with Third countries under Mutual Assistance Agreements. These exchanges are made by means of the mailing applications of OLAF Anti-Fraud Information System (AFIS) and are organised via the use of screens, called modules, which are designed to cover a specific type of information regarding a particular area of movement of goods and/or means of transport. Three main categories of stakeholders are involved in the processing operation whose personal data therefore are processed: the persons concerned by the investigation or prosecution, the providers of information to the system and the recipients of the information (both of these latter can be OLAF agents or individuals in Member States authorities). The personal data processed concerns identification data, professional data, financial data, case involvement and criminal record data.

 

Within the general framework of Time management regulated by the "SYSPER 2 Time management system", DG INFSO added to the application of Flexitime an additional and important component in the element of a RFID chip integrated in the personal badge necessary to clock in and out. The inclusion of such a technology into a flexitime system thus reinforces the specific risks already present in the system. Therefore, the EDPS considered the case as such subject to prior checking.

 

In his analysis, the EDPS concluded that the system does process personal data because the data relate to natural persons who are identifiable, for instance by the use of names, personal numbers. Furthermore, the EDPS analysed closely the necessity test applied to the system and concluded that there was not a specific need to develop a badging system using RFID to implement a flexitime system, as the same purpose (management of working hours) could be reached by other, less intrusive, means.  However, the EDPS also accepted that "need" does not mean that it is unavoidable but that it can be considered reasonably necessary in the specific context for fulfilling the purpose aimed at. Therefore, a margin of appreciation is left at the discretion of the administration in deciding to implement this system using RFID. If the safeguards and proportionality are present, it can be considered that such a system fulfils the conditions of need.