Data protection

• Pages: 48-48

48

The OLAF report 2019

8. Data protection

The protection of personal data has always been a

high priority for OLAF, which has worked hard since

its creation to meet the requirements set out in EU

law, including recommendations of the European

Data Protection Supervisor (EDPS). The decisions and

recommendations of the EDPS have a significant impact

on how OLAF carries out its investigative activities,

such as on-the-spot checks or the forensic examination

of digital media. OLAF appoints its own data protection

officer (DPO), who provides advice and assists OLAF

in applying high data protection standards. Since the

entry into force of the new Data Protection Regulation

for EU institutions (13), in December 2018, OLAF has

committed to lead by example.

The Commission Decision laying down internal rules

concerning the processing of personal data by OLAF

(14) ensures compliance with the fundamental right

() Regulation (EU) /  of the European Parliament and of

the Council of  October  on the protec tion of natural

persons with regard to the processing of personal data by the

Union institutions, bodies, oces and agencies and o n the

free movement of such data, and repealing Regulation (EC) No

/ and Decision No //EC, OJ L , ..,

p. –.

() Commission Decision (EU) /  of  December 

laying down internal rules concerning the processing of

personal data by the European Anti-Fraud Oce (OLA F) in

relation to the provision of information to data subjects and

the restriction of certain of their rights in accordance with

Article  of Regulation (EU) /  of the European

Parliament and of the Council, OJ L , .., p. .

to protection of personal data as set out in Article

8 of the Charter, while enabling OLAF to secure the

confidentiality of its investigations as well as ensuring

the protection of the rights and freedoms of persons

concerned, witnesses and informants.

The decision lays out the conditions under which OLAF

informs data subjects of any activity involving processing

of their personal data and handles their rights of

access, rectification, erasure, restriction of processing

and communication of a personal data breach. The

involvement of OLAF’s DPO (or, where applicable, the

Commission DPO or the agency DPO) throughout the

whole procedure ensures an indep endent review of

the applied restrictions. In addition , the codification

of OLAF’s established practices and procedures in the

decision ensures a high degree of legal certainty for all

data subjects, thus also complying with the quality of

law requirements developed by the case law.

The procedures and IT tools needed to ensure the

implementation of the Commission’s decision were

successfully implemented in 2019. OLAF also adopted

rules on reporting possible data breaches and provided

training to staff to increase awareness .

In 2019, OLAF received and handled six requests for

access to personal data as well as two requests for

erasure, concerning 17 investigations and rep orted

cases under the IMS. OLAF handled four requests

within one month each; searches and verifications for

two further replies required more time, but remained

within the time frame required in the regulation. Two

further replies required just over three months.