Opinion of the European Data Protection Supervisor.
The proposals on the Financial Regulation and the Implementation Rules set out new obligations on the Commission concerning the award of contracts and grants to third parties in the context of management of Community funds. Taking into account that the proposals set forth rules to be followed in order to ensure the protection of the Communities' financial interests, it is essential that in doing so, the data protection and privacy rights of the persons concerned are properly guaranteed when personal data are processed.
The EDPS welcomes to have been consulted on these proposals, which foresee a sound and more transparent financial management of the Community funds. He also welcomes this occasion to highlight a number of specific aspects of data protection relating to their implementation, especially in the context of the Early Warning System.
1) On the substance, the EDPS recommends the following:
- the insertion in the Implementing Rules of references to a proactive approach (prior information and feedback information) which should be widely applied by all the concerned institutions, authorities and bodies in the light of the transparency principle;
- specific safeguards in the light of data protection principles must be implemented when a central database is established;
- the Implementing Rules should clarify, in Article 134a, the notions of candidates and tenderers as well as the categories of entities which are affected by the database;
- a precise timeframe regarding the updating of information contained in the database should be put in place in the Implementing Rules;
- to avoid inconsistency, a system of selection of authorizing officers must be put in place among Member States, authorities and bodies; their access to information, as well as the amount of data which can be accessed according to Article 95(2) should be defined in complementary administrative rules;
- in the context of transfers of personal data from the central database, those transfers are structural and therefore the need for safeguards such as contractual clauses should be laid down in the Implementing Rules;
- when data are received from third countries and international organisations, it will be important to define the data which are covered and the warranties attached to their quality, and the need for these safeguards should thus be included in the Implementing Rules;
- the wording of Article 134a(1) (3) of the Implementing Rules should be reviewed so as to refer to the institutions, executive agencies, authorities and bodies referred to in Articles 95(1) and (2) of the Financial Regulation;
- regarding the right of access of candidates and tenderers, a reference to Article 13 of Regulation 45/2001 should be included;
2) As to procedure, the EDPS:
- recommends that an explicit reference to this Opinion is made in the preamble of the Proposal;
- reminds that, as the processing operations foreseen will introduce substantial changes in the management of the database and thus will fall under Article 27 of Regulation 45/2001, the EDPS must prior check the system before it is implemented.