EDPS Guidelines on conflicts of interest: data protection strengthens good public administration
The European Data Protection Supervisor (EDPS) encourages EU institutions and bodies (EU institutions) to balance transparency in the interests of the public and the data protection rights of individuals when managing the declarations of the conflicts of interest of people working for them. This balancing exercise can strengthen their efforts to foster the trust of the public as well as those who work for them.
Of the EDPS Guidelines on the collection and publication of Personal Data with regard to the management of conflicts of interest in EU institutions and bodies, Giovanni Buttarelli, Supervisor, said: "By taking data protection fully into account, EU institutions can ensure openness and transparency and better manage declarations of interests in a fair way, demonstrating the independence of those working for them as well as exercising a duty of care towards them".
The EU institutions collect declarations of interests for certain categories of individuals whose positions require a high level of impartiality in the performance of their duties - such as MEPS, Commissioners, other senior management and holders of political and sensitive posts.
The EU institutions may also need to monitor any potential conflict of interest for those who do not occupy senior posts but who nevertheless make or influence decisions affecting the public or involving the expenditure of public money.
There is clearly a legitimate public interest in knowing that any potential conflicts are monitored, to ensure that the decisions and actions of officials, experts or others working for the EU institutions, are not influenced by their private interests. Therefore, there is a legitimate interest in publishing certain declarations of interest to foster trust in the EU institutions.
EU institutions should carefully consider what information needs to be made public. This will include whether those concerned have decision- making roles or influence and the extent to which such disclosure would impact on their private lives.
While the EDPS Guidelines have been developed for the EU institutions and bodies, they may offer valuable general guidance on fundamental rights for others, for example, public sector bodies and international organisations.
Background information
Privacy and data protection are fundamental rights in the EU. Under the Data Protection Regulation (EC) No 45/2001, one of the duties of the EDPS is to advise the European Commission, the European Parliament and the Council on proposals for new legislation and a wide range of other issues that have an impact on data protection. Furthermore, EU institutions and bodies processing personal data presenting specific risks to the rights and freedoms of individuals ('data subjects') are subject to prior-checking by the EDPS. If in the opinion of the EDPS, the notified processing may involve a breach of any provision of the Regulation, he shall make proposals to avoid such a breach.
The Staff Regulations is the official document describing the rules, principles and working conditions of the European civil service. The Staff Regulations as well as other legislative instruments and ethics rules provide for the independence, impartiality, objectivity and loyalty of staff members and other persons working for the EU institutions. EU institutions have set up procedures such as the management of conflicts of interest to comply with these legal obligations.
Conflicts of interest: According to the Staff Regulations, a conflict of interest arises if in the performance of their duties for the EU institutions, a person deals with a matter in which s/he, directly or indirectly, has a personal interest that impairs their independence, and in particular, family and financial interests.
Personal information or data: Any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, e‑mail addresses and telephone numbers. Other details such as health data, data used for evaluation purposes and traffic data on the use of telephone, email or internet are also considered personal data.
Privacy: The right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
EU institutions and bodies/EU administration: All institutions, bodies, offices or agencies operating for the European Union (e.g. European Commission, European Parliament, Council of the European Union, European Central Bank, specialised and decentralised EU agencies).
Accountability: Under the accountability principle, EU institutions and bodies should put in place all those internal mechanisms and control systems that are required to ensure compliance with their data protection obligations and should be able to demonstrate such compliance to supervisory authorities such as the EDPS.
Processing of personal data: According to Article 2(b) of Regulation (EC) No 45/2001, processing of personal data refers to "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction."
Personal data may be processed in many activities which relate to the professional life of a data subject. Examples from within the EU institutions and bodies include: the procedures relating to staff appraisals and to the billing of an office phone number, lists of participants at a meeting, the handling of disciplinary and medical files, as well as compiling and making available on-line a list of officials and their respective field of responsibilities.
Personal data relating to other natural persons than staff may also be processed. Such examples may concern visitors, contractors, petitioners, etc.