You have a complaint against an EU institution or body?

Available languages:
  • ENEnglish

Decision in case 2063/2014/PMC concerning the European Commission's processing of personal data

The complaint concerned the Commission's allegedly unlawful processing of the complainant's personal data, in particular that the Commission had transferred his personal data to a third party without his consent.

The Ombudsman found that the Commission's transfer of the complainant's personal data to a third party constituted maladministration. Given that the protection of personal data is a fundamental right provided for in the Charter of Fundamental Rights of the EU, and due to the fact that the Commission's approach in this case was very intrusive, the maladministration was particularly serious.

The Ombudsman concluded that the Commission had resolved an issue of an incorrect data entry in a database. The Ombudsman informed the complainant that the European Data Protection Supervisor would be better placed to deal with the specific question of whether some of the Commission's actions breached EU rules on data protection.

The background to the complaint

1. In September 2013, a German citizen requested access to certain documents held by the European Anti-Fraud Office ('OLAF') and by the European Commission in accordance with EU rules on public access to documents[1]. However, OLAF and the Commission had doubts about his identity. OLAF and the Commission therefore temporarily suspended their handling of the access requests, because in order to have a right of access to documents you have to be a natural or legal person residing in, or being the citizen of, an EU Member State.

2. The fact that OLAF and the Commission had temporarily suspended their handling of the access requests led the requester to complain to the Ombudsman (cases 2309/2013/JAS and 2310/2013/JAS against OLAF and the Commission[2]). In the course of the Ombudsman's inquiries into those complaints, the complainant learned that the Commission or OLAF had contacted what they thought to be his employer, a German university, to verify that he was a real person and to establish his profession[3].

3. The complainant was dissatisfied with the Commission or OLAF having contacted a university for which he had never said that he worked and he complained to the Ombudsman also about this issue. He made one complaint - the present against the Commission and a similar complaint against OLAF[4].

The inquiry

4. The Ombudsman opened an inquiry into the allegation that the Commission had unlawfully processed the complainant's personal data.

5. In the course of the inquiry, the Ombudsman received the opinion of the Commission on the complaint and, subsequently, the comments of the complainant in response to the Commission's opinion. In conducting the inquiry, the Ombudsman has taken into account the arguments and opinions put forward by the parties.

Allegation of unlawful processing of the complainant's personal data

Arguments presented to the Ombudsman

6. In support of his allegation, the complainant argued that the Commission had a) incorrectly registered information about his professional activity, b) transferred his personal data to a third party without his consent, and c) retained personal data in its database for a disproportionate period of time.

7. In its opinion, the Commission stated that information about one's profession is not a condition for exercising the right of access to documents. The Commission asked for this information purely for statistical purposes. It will make it optional to provide this kind of information in the future.

8. The inaccurate information about the complainant's professional links with the German university had been put into the database for access requests by OLAF, probably due to a clerical error. The Commission stated that OLAF regrets any inconvenience caused to the complainant and that OLAF has corrected the data.

9. However, the Commission wishes to reserve the right to check the identity and address of an applicant seeking public access to documents. The Commission says it makes these checks, using publicly available information, in order to determine whether applicants are natural persons residing in, or being the citizen of, an EU Member State.

10. Regarding the allegedly disproportionate data retention period, the Commission argued that it stores personal data in line with EU data protection rules. It is justified to keep personal data of applicants after having finished the handling of an access request in order to ensure legal and procedural consistency. The Commission needs to know if it has dealt with previous access requests from the same applicant or requests concerning the same or similar documents to determine if these documents could be considered already to be "in the public domain". Also, decisions refusing to grant access to documents could be brought to the Ombudsman or to the Court of Justice. Personal information about applicants is necessary for the Commission to deal with requests correctly and in full knowledge of all circumstances, such as when deciding whether to contact applicants informally to find a fair solution in case an application is for a very long document or for a very large number of documents[5].

11. In his observations, the complainant expressed his disappointment with the Commission not having apologised for having incorrectly registered his profession in its database.

12. The complainant forwarded to the Ombudsman a letter to him from the Commission, in which the Commission stated that it had revealed his name to the university[6].

13. The complainant maintained that it is justified for the Commission to keep personal data only until the deadlines for going to Court or to the Ombudsman have passed. In support of his view, he attached a decision of the European Data Protection Supervisor (EDPS) finding that OLAF's practice of retaining personal data in its investigation database for 15 years was disproportionate.

The Ombudsman's assessment

14. It is likely that the incorrect information about the complainant working for a German university was put into the database as a result of a clerical mistake by OLAF. Given that OLAF has regretted the mistake and corrected the data, the Ombudsman considers this aspect of the complainant's allegation to have been resolved. It is not clear to the Ombudsman why the Commission should apologise for a mistake made by OLAF.

15. The Ombudsman welcomes the fact that the public access to documents request form on the Commission's website no longer has the professional activities' field as a compulsory one[7].

16. The Commission has neither denied, nor confirmed, that it transferred the complainant's personal data, that is, his name, to the German university where it thought he was working. In fact, the Commission did not address this matter at all in its opinion, even though the complainant had raised this argument in support of his allegation. However, the Commission's letter of 4 February 2014 to the complainant leaves no doubt as regards the question of whether the Commission had contacted the university and disclosed the complainant's name to it. The letter - which predates the Commission's opinion to the Ombudsman - explicitly says that "concerning your professional activity, you indicated to OLAF that you were working for the Institute of International and European Law of [a German university]. However, this Institute does not exist under the said name. Following our [i.e. the Commission's] request, the university noted that it did not have any employee with the name ['Mr X']"[8], that is, with the complainant's name.

17. The Commission’s contact with the German university was not something provided for in its own internal rules on data protection issues (its notification to its Data Protection Officer as regards the processing of personal data in the context of its handling of public access to document requests[9]). These internal rules do not provide for the transmission of personal data to third parties[10].

18. In its opinion, it merely referred to its alleged right to carry out identity and address verification using publicly available information.

19. The Ombudsman considers that the Commission's insistence on confirming an applicant's identity is not based on any concrete provision nor does it promote any of the objectives of EU rules on public access to documents.

20. In addition, contacting what the Commission believes to be a person's employer goes beyond consulting publicly available information, to which the Commission refers in its opinion. Arguably, such an action could have negative effects for an applicant by raising suspicions on the part of his or her employer as to the reason for an EU institution seeking to confirm the applicant's identity, thus constituting a serious interference with his or her personal life.

21. Therefore, by disclosing the complainant's name to the university, without a valid justification, the Commission committed maladministration. Given that the protection of personal data is a fundamental right[11], and due to the intrusive nature of the Commission's action, the maladministration is particularly serious in this case.

22. Having found maladministration, it is not necessary for the Ombudsman to deal with the issue of whether the Commission breached specifically the EU rules on data protection[12]. If the complainant wishes to pursue this particular aspect further, he remains free to complain to the European Data Protection Supervisor, who has specialist expertise and responsibility in the field of data protection.

23. Regarding the allegedly disproportionate data retention period of personal data in the Commission's access to documents database, the Ombudsman notes that the decision of the European Data Protection Supervisor referred to by the complainant concerns OLAF and not the Commission. The Commission's access to documents database also has another purpose than that of OLAF. While the Commission's database holds personal data in relation to public access to documents requests only, OLAF's database holds information about its investigations.

24. The Commission's notification to its Data Protection Officer as regards the processing of personal data in the context of its handling of public access to document requests states that personal data of applicants are stored for no longer than five years, and are normally deleted thereafter[13]. The retention period can thus be extended in certain cases.

25. Both the notification to the Commission's Data Protection Officer - as well as the Commission's opinion in this case - explain that this retention period is necessary because decisions granting no or only partial access may be brought to Court or to the Ombudsman. In the Ombudsman's view, a retention period of five years is proportionate to the aims pursued, given that proceedings before the EU Courts can last a number of years. The Commission's letter of 4 February 2014 to the complainant refers, among other things, to an access to documents request made by the complainant in 2007[14]. It is thus clear that, in 2014, the Commission was still storing personal data of the complainant that he had submitted six or seven years before. Accordingly, in the complainant's case, the Commission had retained his personal data for longer than five years.

26. The Commission has not provided any justification as to why it had not deleted the complainant's personal data relating to an access to documents request made in 2007. Given that the question of whether the Commission should have provided a justification for having kept the complainant's personal data from 2007 was not explicitly covered by the present inquiry, the Ombudsman does not find it appropriate to determine whether the Commission held the complainant's personal data for a disproportionate amount of time and in breach of its notification.

27. The Ombudsman again informs the complainant of the possibility to complain to the European Data Protection Supervisor, should he wish to have a specialist decision on whether the Commission's data retention period specifically violates EU rules on data protection. She therefore considers that no further inquiries are justified into this aspect of the complaint.

28. The maladministration on the part of the Commission cannot now be remedied and the complainant did not put forward any claim wishing the Commission to take any particular action. The Ombudsman will therefore close this aspect of the complaint with a critical remark to the Commission.

Conclusion

On the basis of the inquiry into this complaint, the Ombudsman closes it with the following findings:

By rectifying the incorrectly registered information about the complainant's professional activity in the relevant database, this aspect of the complainant's grievance has been resolved.

Regarding the retention period for personal data in the Commission's database, the Ombudsman considers that no further inquiries are justified.

Critical remark

By transferring the complainant's personal data to a third party without a valid justification, the Commission committed maladministration. Given that the protection of personal data is a fundamental right provided for in the Charter of Fundamental Rights of the EU, and due to the fact that the Commission's action in this case was very intrusive, the maladministration is particularly serious.

The complainant and the Commission will be informed of this decision.

Emily O'Reilly

Strasbourg, 12/07/2016

 

[1] Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents OJL 145/43 of 31.5.2001;

[2] OLAF's and the Commission's decisions to stop the handling of the access requests were thus dealt with separately and do not therefore fall within the scope of the present inquiry.

[3] The Commission requested this data from applicants in order to process their requests for public access to documents.

[4] Dealt with separately under case reference 139/2015/PMC.

[5] See, in this respect, Article 6(3) of Regulation 1049/2001.

[6] This letter was also sent by the Commission to the complainant in the context of the Ombudsman's inquiry into the complaint 2310/2013/JAS.

[7] https://ec.europa.eu/transparency/regdoc/index.cfm?fuseaction=fmb&&CFID=6076842&CFTOKEN=2e4472e118d31678-CA79D075-9960-F842-29FFB98461CB0B5B

[8] The Commission's letter is written in German.

[9] See notification 'DPO-1225.2 GestDem' on the processing of personal data in relation to the Commission's public access to documents database, available online: http://ec.europa.eu/dpo-register/details.htm?id=35247

[10] See, in this respect, Point 16.

[11] Article 8 the Charter of Fundamental Rights of the European Union.

[12] Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ L 8/1 of 12.1.2001

[13] Point 13.

[14] Gestdem 2007/4845.