New EU funding rules: processing of personal data must be clarified


New EU funding rules: processing of personal data must be clarified

In its Opinion published today, the EDPS fully supports the goals of the proposed amendments to the financial rules on the general budget of the European Union, but strongly recommends specifying the types of personal data to be processed, from where this data is sourced, as well as the means and duration of the processing.  

According to the European Commission’s proposal, the amendments of the financial rules aim to improve the way financial and personal data is processed to prevent, detect, investigate, correct fraud or financial irregularities effectively, when distributing EU funding. Concretely, the Proposal introduces an obligation, for the different bodies implementing the EU budget, to record data about the recipients of EU funding, and to use a single-integrated IT system for data-mining and risk-scoring to analyse this data.

Wojciech Wiewiórowski, EDPS, said: “Whilst processing personal data to ensure the proper management of EU funds may be necessary, the new rules should also include further safeguards to protect individuals concerned against the risks of their data being misused. In addition to these clear and precise rules, the necessary technical and organisational measures should be put in place to protect this data, in compliance with EU data protection law, namely Regulation (EU) 2018/1725 and the General Data Protection Regulation”.

In its Opinion, the EDPS advises the EU legislator to specify explicitly all the categories of financial and personal data that are necessary to process in light of the Financial Regulation’s objectives. The sources from which these categories of data come from should also be identified clearly, especially if this data is to be compared to other categories of data to analyse and draw potential conclusions about an entity’s financial profile, or to assess an entity’s financial risk to determine whether they may be entitled to EU funding. It is also important that measures are put in place to ensure the quality and accuracy of this data, in particular if this data comes from third parties, underlines the EDPS.

The EDPS recommends that the EU legislator clarifies the type of single-integrated IT system that may be utilised for the processing of this data. In particular, new rules should provide a general description of the system, including entities that may make use of the single-integrated IT system for data-mining, risk-scoring, and relevant applicable safeguards. The EDPS also advises further clarifying the type of data processing operations and the logic involved in data-mining and risk-scoring, as envisaged by the Proposal. Any new, or pre-existing, IT system foreseen must include, in its design and development, appropriate and robust safeguards that ensure the protection of this data, according to EU data protection law, highlights the EDPS. To complement these recommendations, the duration of processing of this data must be defined in the EU legislator’s amendments, insists the EDPS.

Background information

The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.

The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.

Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council on to serve a five-year term, beginning on 6 December 2019.

The legislative consultation powers of the EDPS are laid down in Article 42 of Regulation (EU) 2018/1725, which obliges the European Commission to consult the EDPS on all legislative proposals and international agreements that might have an impact on the processing of personal data. Such an obligation also applies to draft implementing and delegated acts. The statutory deadline for issuing an EDPS opinion is 8 weeks.

Available languages: English