Data protection

The OLAF report 2019
8. Data protection
The protection of personal data has always been a
high priority for OLAF, which has worked hard since
its creation to meet the requirements set out in EU
law, including recommendations of the European
Data Protection Supervisor (EDPS). The decisions and
recommendations of the EDPS have a significant impact
on how OLAF carries out its investigative activities,
such as on-the-spot checks or the forensic examination
of digital media. OLAF appoints its own data protection
officer (DPO), who provides advice and assists OLAF
in applying high data protection standards. Since the
entry into force of the new Data Protection Regulation
for EU institutions (13), in December 2018, OLAF has
committed to lead by example.
The Commission Decision laying down internal rules
concerning the processing of personal data by OLAF
(14) ensures compliance with the fundamental right
() Regulation (EU) /  of the European Parliament and of
the Council of  October  on the protec tion of natural
persons with regard to the processing of personal data by the
Union institutions, bodies, oces and agencies and o n the
free movement of such data, and repealing Regulation (EC) No
/ and Decision No //EC, OJ L , ..,
p. –.
() Commission Decision (EU) /  of  December 
laying down internal rules concerning the processing of
personal data by the European Anti-Fraud Oce (OLA F) in
relation to the provision of information to data subjects and
the restriction of certain of their rights in accordance with
Article  of Regulation (EU) /  of the European
Parliament and of the Council, OJ L , .., p. .
to protection of personal data as set out in Article
8 of the Charter, while enabling OLAF to secure the
confidentiality of its investigations as well as ensuring
the protection of the rights and freedoms of persons
concerned, witnesses and informants.
The decision lays out the conditions under which OLAF
informs data subjects of any activity involving processing
of their personal data and handles their rights of
access, rectification, erasure, restriction of processing
and communication of a personal data breach. The
involvement of OLAF’s DPO (or, where applicable, the
Commission DPO or the agency DPO) throughout the
whole procedure ensures an indep endent review of
the applied restrictions. In addition , the codification
of OLAF’s established practices and procedures in the
decision ensures a high degree of legal certainty for all
data subjects, thus also complying with the quality of
law requirements developed by the case law.
The procedures and IT tools needed to ensure the
implementation of the Commission’s decision were
successfully implemented in 2019. OLAF also adopted
rules on reporting possible data breaches and provided
training to staff to increase awareness .
In 2019, OLAF received and handled six requests for
access to personal data as well as two requests for
erasure, concerning 17 investigations and rep orted
cases under the IMS. OLAF handled four requests
within one month each; searches and verifications for
two further replies required more time, but remained
within the time frame required in the regulation. Two
further replies required just over three months.

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT