European Data Protection Supervisor

Anti-fraud procedures


What you should know about anti-fraud procedures

Anti-fraud procedures help an organisation analyse information about potential fraud and financial irregularities to assess whether there are grounds to transmit the information to the relevant authorities for investigation; for EU institutions and bodies, this authority is the European Anti-Fraud Office (OLAF).

At EU level, anti-fraud procedures exist to protect the financial interests of the European Union. The EU budget finances a wide range of programmes and projects across the EU and beyond. If these funds are not correctly used, European taxpayers' money may go to waste. EU staff members have an obligation to report possible cases of fraud, corruption, other illegal activity or professional conduct which may constitute a serious failure to comply with the obligations of EU staff members.  
 

What are the main data protection issues?

Data quality - It is important not to process more personal data (also referred to as personal information) than necessary. How? By collecting only relevant information, and no more than necessary, in the first place.

Right of information - In conjunction with the investigating authority, the people implicated in an anti-fraud procedure (informants, the accused, etc.) should receive information on how and why their personal information will be processed as soon as practically possible. It is not enough to provide a general privacy notice on the organisation's website.

Right of access - Ordinarily, people have a right to access the personal information being processed about them. However, in anti-fraud cases, the organisation will have to balance the interests of both the informants and the person(s) concerned before deciding when and how much access can be given. 

Retention period - Organisations must often keep personal information on file for certain purposes (HR, legal, and so on). However, it is against the law to keep such information indefinitely, so organisations must make sure that information relating to anti-fraud cases is not kept on their files for longer than the period of time that the investigating authority keeps it on theirs.

Data security - Special care must be taken to ensure the security of the personal data that is collected, processed and stored. Given that the information processed in anti-fraud cases is sensitive, leaks or unauthorised disclosure of it may have severe consequences for both informants and the persons accused. Appropriate technical and organisational measures must be taken to secure the data to reflect this risk.
 

More information

The following non-exhaustive list is a selection of documents for further reading on anti-fraud:

EDPS prior check Opinion on the procedure on handling internally and reporting potential fraud and irregularities at the ERCEA (European Research Council Executive Agency) (case 2015-0061)

EDPS prior check Opinion on processing of data in the context of the EIB's Exclusion Procedures (case 2014-1110)

To know more about what happens after files are sent to the investigating authority (OLAF):

EDPS prior check Opinion on OLAF investigations (case 2011-1127 and 2011-1129-1132)
 

Related topics:

Whistleblowing procedures

Administrative Inquiries & Disciplinary Proceedings