European Data Protection Supervisor

Administrative inquiries in the EU institutions

Friday, 18 November, 2016

All EU staff are obliged to abide by their Staff Regulations, which outline the rules, principles and working conditions expected from them. But what happens if an EU staff member breaks these rules?

A breach of the rules might be intentional or simply negligent. Examples include psychological or sexual harassment, a staff member carrying out external activities without permission during office hours, a conflict of interest, or suspicion that a staff member is recording more hours on his timesheet than he is actually working. However, though the Staff Regulations help us to identify when someone has broken the rules, they remain silent on how the EU institutions should deal with these cases.

In the absence of specific guidance in the Staff Regulations, the EDPS has developed Guidelines on the processing of personal information in administrative inquiries and disciplinary proceedings. The Guidelines provide advice to the EU institutions on how to prepare and implement appropriate procedures in administrative inquiries or disciplinary proceedings and ensure that the processing of personal data complies with EU data protection rules.

In producing the Guidelines, we consulted with the European Commission’s Investigation and Disciplinary Office (IDOC) and with the network of data protection officers (DPOs). Their input was invaluable. In particular, IDOC provided us with information on the practical aspects of an administrative inquiry, helping us to ensure that our Guidelines are applicable in practice. We also consulted with the Data Protection Officer of the European Central Bank (ECB) and the Data Protection Officer of the Consumers, Health, Agriculture and Food Executive Agency (CHAFEA), whose concrete contributions were valuable to the Guidelines. DPOs should be on board at the early stage of an inquiry process, helping the EU institutions to implement data protection rules. The Guidelines put specific emphasis on their role as an advisor, particularly concerning the choice of the means of investigation or when restrictions of the rights of those involved are envisaged.

To launch an administrative inquiry into a breach of the Staff Regulations, an EU institution must adopt a specific legal instrument. This might be a legally binding decision, policy or implementing rules. These act as a legal basis for launching an inquiry, setting out the process involved and giving those implicated in the inquiry the necessary information about their rights.

Data protection rules, which specify the different ways in which it is possible to collect potential evidence for the investigation, must also be clarified. They should be reflected in a Manual, including specific guidance, which could be included in the specific legal instrument. The hearing of the person under investigation and of witnesses and the victim is usually a proportionate option, as it is the least intrusive and the most transparent means to conduct an inquiry. Should a hearing be impossible, the investigators should assess the level of intrusion into the individuals' privacy and use the least invasive means. This balancing exercise should be documented and should take into consideration the seriousness of the misconduct.

An adequate legal basis for conducting administrative inquiries and disciplinary proceedings in the EU institutions is essential if we are to ensure that personal data are treated with the necessary care and respect. For example, in the course of an inquiry, investigators may be required to collect sensitive information, such as that relating to health, to offences, to criminal convictions or to security measures taken against a particular individual. The processing of such data is subject to authorisation according to the Regulation. This is an additional reason why an EU institution should adopt a legal instrument before launching an inquiry.

Furthermore, the principle of data minimisation should be applied throughout the whole process. Only personal data that are adequate, relevant and necessary to the purpose of the particular case should be collected, and they should not be further processed without specific authorisation foreseen in the Regulation.

Informing all individuals involved about the processing of their personal data and their rights is of paramount importance. Though in some cases informing the person under investigation at an early stage of the inquiry or proceeding may be detrimental to the investigation, the EU institution should inform this person of the principal reasons why it is necessary to restrict their right to be informed, as well as their right of recourse to the EDPS. In some cases, the EU institution might decide to defer the provision of such information to the person. It is fundamental that the EU institution have solid evidence that providing the information might harm the investigation, and it should be able to provide evidence demonstrating detailed reasons for taking such a decision. These reasons should be documented before the decision to apply any restriction is taken.

The EDPS Guidelines aim to fill the gap in the Staff Regulations, by providing the EU institutions with an adequate framework by which to conduct administrative inquiries and disciplinary proceedings. Most importantly, they ensure that EU institutions and their investigators are able to prepare and implement their procedures in a way that ensures that the processing of personal data is lawful, fair and transparent and complies with their data protection obligations.