European Data Protection Supervisor
European Data Protection Supervisor

Search

Search

Publication Invoicing for private use of services GSMs - OLAF

Wednesday, 25 April, 2007
25
Apr
2007

Answer to a notification for prior checking on invoicing for private use of services GSMs (Case 2007-204)

Publication Time management system - OLAF

Friday, 6 July, 2007
6
Jul
2007

Answer to a notification for prior checking concerning the time management system (Case 2007-300)

Publication Investigations by the OLAF Data Protection Officer - OLAF

Monday, 21 May, 2007
21
May
2007

Answer to a notification for prior checking concerning the investigations by the OLAF Data Protection Officer (Case 2007-214)

Publication FIDE database - OLAF

Friday, 4 May, 2007
4
May
2007

Answer to a notification for prior checking on the FIDE database (Customs Files Identification Database) (Case 2007-178)

Publication Analysis and transfer of information related to fraud to OLAF

Thursday, 14 March, 2013
14
Mar
2013

Opinion of 14 March 2013 on a notification for Prior Checking received from the Data Protection Officer of EACI regarding the "Analysis and transfer of information related to fraud to OLAF" (Case 2012-0652)

Publication Investigative function - OLAF

Thursday, 19 July, 2007
19
Jul
2007

Opinion of 19 July 2007 on a notification for prior checking on regular monitoring of the implementation of the investigative function (Case 2007-73)

The purpose of the processing activity under analysis is to reinforce OLAF's independence by regular monitoring of the implementation of the investigative function. At the Request of the Director or on its own initiative, the committee shall deliver opinions to the Director concerning the activities of the Office, without however interfering with the conduct of investigations in progress, as required by Article 11 of Regulation 1073/99. The Supervisory Committee (SC) is neither part of OLAF, nor part of an institution. It is a committee set up by the Commission under Community law (Article 4 of Commission Decision 1999/352/EC, ECSC, Euratom and Article 11 of Regulation 1073/99). Just as any other consultative committee established by the Commission, the SC must be considered, for the purposes of Regulation 45/2001, as an emanation of the Commission and thus bound by the Regulation.
 
The EDPS has issued an opinion on this procedure which concludes that on a general basis the procedure complies with the principles established in the data protection regulation. However, the EDPS did make some recommendations mainly as concerns the respect for the data quality principle. Indeed, a methodology should be established describing the different steps to be followed in the access' requests, previous to the access to the whole CMS (Case Management System) file. Furthermore, access to the CMS files (on-going, closed and non-cases) may only take place on a case-by-case basis. When such access is requested, a note should be included in the CMS file specifying the reasons that justify the provision of access.

Publication Intelligence databases - OLAF

Wednesday, 21 November, 2007
21
Nov
2007

Opinion of 21 November 2007 on a notification for prior checking on information and intelligence data pool and intelligence databases (Joint cases 2007-27 and 2007-28)

Information and Intelligence Data Pool” is the description given to all data held within the remit of Operational Intelligence Unit C4 in OLAF, including the Intelligence Databases.

Operational Information and Intelligence support are essential aspects of OLAF’s mandate to fight fraud, corruption, and any other illegal activity affecting the financial interests of the European Community, and serious matters relating to the discharge of professional duties - as established in Article 1 of Regulation (EC) n° 1073/1999 and Commission Decision 1999/352/EC Article 2 (5).

The purpose of the processing under analysis is then to further OLAF intelligence/analysis and operational activity. It also aims to support specific case requests, operations and investigations with a view to ensuring the optimum accuracy and relevance of information received, disseminated and otherwise processed for intelligence, financial, administrative, disciplinary and judicial use. This support may be provided throughout the various stages of OLAF investigation and operational activities, over all sectors and is recorded within the CMS (Case Management System) where applicable.

OLAF’s operational intelligence role also includes supporting the control, intelligence and enforcement activities in Member States, for OLAF partners and Operational DGs. Chapter 2.4.3 of the OLAF Manual further explains the role of OLAF's operational intelligence.

In his prior checking Opinion, the EDPS issued the main following recommendations:

  • to acknowledge in the intelligence files when any restriction based on Article 20 of the Regulation is operated;
  • to respect the confidentiality of the identity of whistleblowers during OLAF intelligence activities and in the later stages when appropriate;
  • to provide the information (Article 12 of the Regulation) to the data subjects whose names appear in the documentation under analysis, but who are not persons concerned, witnesses, whistleblowers or informants, unless such activity would be impossible or would involve a disproportionate effort, in which case the obligation to provide directly the information could only be replaced by the indirect provision through the privacy statement published on the OLAF website. The same principle should be applied when intelligence activities are conducted independently of an investigation;
  • to supplement the publication on the website with personalised information notices addressed to individuals (unless such activity would be impossible or would involve a disproportionate effort). The EDPS therefore calls upon OLAF to develop practices in providing personalised information to the individuals concerned to the degree it is appropriate in the context of intelligence activities and inform the EDPS about such guidelines.

Publication Follow-up data processing operations - OLAF

Monday, 26 March, 2007
26
Mar
2007

Opinion of 26 March 2007 on "follow-up" data processing operations (disciplinary, administrative, judicial, financial) (Cases 2006-544, 2006-545, 2006-546, 2006-547)
The four data processing operations concern the processing of personal data that takes place within the third stage of OLAF investigations, the so called "follow-up phase".  In this phase, OLAF's follow-up team carries out various activities entailing the processing of persona data which are designed to ensure that the competent Community and/or national authorities have executed the measures recommended by OLAF. The nature of the measures may be administrative, disciplinary, financial or  judicial. 

 
The EDPS has issued an opinion on these data processing operations which concludes that on a general basis they comply with the principles established in the data protection regulation. However the EDPS did make some recommendations mainly as concerns the accuracy of the data, data transfers and the right of information. The EDPS also recommended taking into account his recommendations when updating the OLAF Manual.

Publication Processing of personal data related to OLAF cases - TEN-T EA

Thursday, 30 October, 2014
30
Oct
2014

Opinion on Prior checking notification of the processing of personal data related to OLAF cases (Case 2013-0757)

Publication Interventions of the Chambre d’écoute in the Framework of the Reorganization of OLAF’s Organigram

Friday, 16 December, 2011
16
Dec
2011

Opinion of 16 December 2011 on the notification for prior checking regarding Interventions of the Chambre d’écoute in the Framework of the Reorganization of OLAF’s Organigram (case 2011-1021)

Publication Free phone service - OLAF

Wednesday, 6 June, 2007
6
Jun
2007

Opinion of 6 June 2007 on a notification for prior checking on a free phone service (Case 2007-74)

OLAF has put this tool at the public's disposal, enabling individuals to provide information that may be useful in the fight against fraud, corruption and other illegal activities affecting the financial interests of the Community. Anyone, EU staff as well as citizens, can use the Free Phone Service to report such types of unlawful behaviour.
After listening to the voice messages and deleting those that are deemed fully improper and pointless, OLAF investigators summarise the remaining messages in a "free phone screening form". This form indicates whether or not the messages are relevant to OLAF's work or to that of other authorities, such as member states or European Commission services. Based on this assessment, OLAF will deem them irrelevant, investigate them further and potentially open an investigation, or send them to other authorities if the case is relevant for them.
The OLAF Free Phone Service is subject to prior checking as it deals with data which may relate to suspected offences, criminal convictions or security measures. In his opinion, the EDPS concluded that OLAF has substantially followed all the principles of the Regulation. Nevertheless some recommendations were made, including:
  • ensuring the deletion of voice messages with information deemed irrelevant. This should not be recorded in writing or, if so, should be deleted immediately after confirmation of their irrelevance.
  • ensuring the right to information to those who have been named by callers who use the Free Phone Service, subject to the application of the exceptions provided for in the Regulation.
  • setting up a voice recording so that, upon calling the Free Phone Service, a short version of the privacy statement is provided or, alternatively, publishing it on OLAF's website.

Publication Complaints under Article 90a of the Staff Regulations - OLAF

Monday, 16 July, 2012
16
Jul
2012

Opinion of 16 July 2012 on the notification for prior checking from the Data Protection Officer of the European Anti-Fraud Office (OLAF) regarding the processing of personal data in relation to complaints under Article 90a of the Staff Regulations (Case 2012-0274)

Publication Monitoring cases - OLAF

Wednesday, 11 July, 2007
11
Jul
2007

Opinion of 11 July 2007 on a notification for prior checking on monitoring cases (Case 2006-548)

OLAF engages in processing of personal data when it opens a Monitoring case. These are cases where OLAF would be competent to conduct an external investigation, but where a Member State or other authority is in a better position to do so.  OLAF main action in such cases consists in monitoring the activities of the national authorities or EU institutions that are responsible for a case in order to ensure that the appropriate judicial or administrative actions are taken to protect the Community's financial interests.  The type of personal information processed by OLAF in these cases includes identification, professional data and information concerning activities related to matters which are the subject of monitoring.  
 

The EDPS has issued an opinion on the processing of personal data in the context of OLAF's Monitoring cases. The Opinion concludes that on a general basis the data processing complies with the principles established in the data protection Regulation. However the EDPS did make some recommendations. Among others, the EDPS asked OLAF to ensure that individuals whose data are processed by OLAF are informed of the data processing that takes place in the context of Monitoring cases. It also suggested some amendments to the privacy statement and asked OLAF to conduct a preliminary evaluation of the necessity of the 20 years conservation period vis-à-vis the purpose of such conservation.

Publication Fraud notification service - OLAF

Tuesday, 18 December, 2007
18
Dec
2007

Opinion of 18 December 2007 on a notification for prior checking on the fraud notification service (Case 2007-481)

The Fraud Notification Service is a web based information system that OLAF has put at the public's disposal in order to facilitate the collection of information to use in the fight against fraud, corruption and other illegal activities affecting the financial interests of the Community.  Members of the public can provide the information by completing a questionnaire and they can register to have two-way communications with OLAF. The messages are reviewed automatically and also by review officers. Upon review of the information, OLAF decides whether the matter merits initiation of the assessment stage, or should be classified as a prima facie non-case. If an assessment is initiated, then the matter will be assigned a CMS number and the investigator will place all information received through the system in the CMS file.
 
In his opinion, the EDPS concluded that OLAF should implement certain recommendations, including: 
  • ensuring the deletion of pointless messages as well as avoiding asking questions that would lead informants to disclose information that is irrelevant for the purposes of detecting fraud and corruption affecting the financial interests of the Community.
  • ensuring the right to information, access and rectification to those who have been named by the users of the Fraud Notification Service, subject to the application of the exceptions provided for in the Regulation.
  • ensuring that the conservation period of irrelevant information is kept as short as possible and in any event for no longer than one year.
  • inserting a link in the privacy policy at the webpage through which visitors who want to use the Fraud Notification Service must necessarily go through or alternatively in a very prominent way, immediately after or before the information on the Fraud Notification Service.

Publication Customs File Identification Database - OLAF

Wednesday, 17 December, 2014
17
Dec
2014

Opinion on a notification for prior checking received from the Data Protection Officer of the European Anti-Fraud Office (OLAF) regarding the Customs File Identification Database (FIDE) (Case 2013-1003)

Publication Identity and access control system - OLAF

Monday, 7 April, 2008
7
Apr
2008

Opinion of 7 April 2008 on a notification for prior checking on identity and access control system (Case 2007-635)
The Identity and Access Control System is part of the security infrastructure that protects OLAF premises and IT systems. The purpose of the data processing is to ensure that only authorised persons have access to OLAF's premises.  The system is designed to control the identity and permit or deny access of persons entering and exiting from OLAF's premises outside working hours and special secure zones. To do so, OLAF uses a smartcard and the use of fingerprints authentication. Users' biometrics data are stored only on the smartcard which cannot be used for any other purpose. For the EDPS, the processing operation is not in breach of Regulation 45/2001 if OLAF takes into account the following recommendations, for instance regarding a reassessment of the concerned data subjects submitted to enrolment; the development of fallback procedures; the setting of a shorter conservation period of data after the first year of operation of the new system; the amendment of the privacy statement and the reconsideration of the technological taking into consideration the choice of the best available techniques and discussions on future security systems.

Publication Custom Information System - OLAF

Tuesday, 24 July, 2007
24
Jul
2007

Opinion of 24 July 2007 on a notification for prior checking on the Custom Information System (Case 2007-177)
The CIS is a database containing personal information managed by OLAF which is accessible by each Member State and by OLAF. It is used to assist national authorities in preventing, investigating and prosecuting operations which are in breach of customs or agricultural provisions. 

 
In his Opinion the EDPS has recommended various actions in order to ensure that the data processing fully complies with Regulation (EC) No 45/2001.  In particular, among others, the EDPS has recommended that the data controller issues guidelines addressed to OLAF agents with access to CIS describing the application of the quality principle in CIS.  He has also recommended that OLAF agents use the possibility for extending the retention of the information only when there is a real necessity to keep the data. As far as the obligation to inform individuals is concerned, the EDPS has asked OLAF to ensure that individuals are personally informed of their data being uploaded in CIS when such data have been uploaded by OLAF.  When data concerning an individual in a Member State is uploaded by OLAF, and used in an OLAF investigation/case or a mutual assistance exchange, the data subject may be informed in the context of the case or the mutual assistance exchange.

Publication Human resources needs analysis - OLAF

Wednesday, 23 July, 2014
23
Jul
2014

Opinion on a notification for Prior Checking received from the Data Protection Officer of OLAF regarding their "human resource needs analysis" (Case 2014-0012)

Publication Antifraud Transit Information System - OLAF

Wednesday, 18 May, 2016
18
May
2016

Prior Checking Opinion on Antifraud Transit Information System (ATIS) at the European Anti-Fraud Office (OLAF) (Case 2013-1296)

Publication Investigative procedures - OLAF

Friday, 3 February, 2012
3
Feb
2012

Opinion of 3 February 2012 on the notifications for prior checking regarding new OLAF investigative procedures (internal investigations, external investigations, dismissed cases and incoming information of no investigative interest, coordination cases and implementation of OLAF recommendations), European Anti-Fraud Office (OLAF) (Cases 2011-1127, 2011-1129, 2011-1130, 2011-1131, 2011-1132)

Pages