1. Last update of this record: 24/04/2024

2. Reference number: 03/2020

Ares registration number: Ares(2024)4403408

3. Name and contact details of the controller:

European Ombudsman (EO), 1 avenue du Président Robert Schuman, CS 30403, 67001 Strasbourg Cedex

Responsible department: Department for administration- Budget and Finance Team

E-mail: EOMissions@ombudsman.europa.eu

4. Name and contact details of the Data Protection Officer:

Ms Francesca PAVESI- Deputy DPO: Mr Nicholas HERNANZ

Email: Dpo-Euro-Ombudsman@ombudsman.europa.eu

Dpo-Euro-Ombudsman@ombudsman.europa.eu

5. Name and contact details of the processor:

• Directorate-General for Digital Services (DIGIT)
• AMEX Global Business Travel, as processor of the EC-PMO (AMEX: privacy statement: http://privacy.amexgbt.com/gdpr)
• CIGNA healthcare, as processor of the EC-PMO (CIGNA privacy statement)

6. Name and contact details of the joint controller(s):

European Commission’s Pay Master Office (PMO), which is the system owner of the on-line application “MIPS+”, used by the EO staff members to introduce their missions and authorised travels and obtain the reimbursement of resulting expenses.

Contact email: pmo-missions@ec.europa.eu

7. Purpose(s) of the processing:

The purpose is to manage and monitor the missions and authorised travels in accordance with the Guide to missions and authorised travel adopted by the European Ombudsman on 29.11.2018 (Decision of the European Ombudsman on the general provisions for implementing Articles 11, 12 and 13 of Annex VII to the Staff Regulations of Officials (mission expenses) and on authorised travels).

Short description of the processing:

All transactions are supported by the application MIPS+ (https://webgate.ec.europa.eu/MIPS+plus) owned and managed by the EC-PMO

The information in relation to processing operation “Management of missions and authorised travel, including the online tool MIPS+ (Missions Processing System), OBT (Online Booking Tool) and the Travel Agency(ies), Mission Insurance and Professional Credit Card contracts”

The workflow for the management of a mission/authorised travel in MIPS+ is as follows:

• Creation of the mission order by the staff member;
• Confirmation and signature of the actors of the workflow and approval of the authorising officer;
• The calendar on Sysper indicates the dates during which the staff member is on mission and the object of the latter;
• Introduction of the declaration of the mission expenses by the staff member having gone on mission/authorised travel within 3 months from the return date;
• The supporting documents concerning the declaration of mission expenses are scanned and downloaded in MIPS+;
• Verification and signature of the actors of the workflow and approval of the authorizing officSending of the electronic file to the PMO for calculation via MIPS+;
• Calculation of the mission costs: during the liquidation phase during which the PMO reviews the supporting electronic documents, the staff member having gone on mission/authorised travel must keep the original paper documents to provide the PMO upon request (electronic copy not readable, random control, etc.), until costs are reimbursed.
• Ex-ante control by the PMO;

An alert message informs each officer in working travel that he / she has been selected as part of this check and is requested to submit to PMO 2 the original supporting documentation for this assignment. The documents sent to the PMO will be kept and archived by the PMO. If the file is non-compliant, the interested officer is contacted individually by the PMO 2

• Sending of a payment request by MIPS+ in the ABAC budget application of the EO;
• Verification and payment by the Budget and Finance Team.

8. Description of the categories of data subjects and of the categories of personal data

- Categories of data subjects:

All staff members from the EO Office: officials, temporary and contract agents, seconded national experts and trainees.

- Categories of data: all the data is processed in MIPS+

• Identification data of the staff member on mission/authorised travel: title, surname, first name, personnel number, post (Unit), place of employment, office address, office telephone number, office e-mail address;
• information concerning the mission/authorised travel itself: place(s) of the mission and transit, date of departure and arrival, means of transport,
• name and place of the hotel, hotel invoices, start and end times of the professional commitments, possible combined holidays, possible request
• for anticipating budget for expenses, the budget line on which the mission will be paid, the MIPS+ mission number and the confirmation number created when the authorising officer signs for agreement.

Other details may be provided in certain circumstances by persons going on mission/authorised travel, if they wish to receive more personalised service, mainly through their traveller profile (a travel agencies’ tool englobing information which is necessary and/or useful for the management of commands; this information is formatted and/or structured by the agencies themselves): a mobile telephone number; their nationality, the date and place of issue of their passport and its expiry date; the passport and credit card number; the details of a person who may be asked to make reservations on their behalf; any preferences as regards the conditions of the trip which they might wish to be automatically taken into consideration, seat + meal)

9. Time limit for keeping the data and, where possible, for erasure:

All mission/authorised travel expenses are digitised in MIPS+. The retention period for the digitised documents is 7 years.

The retention period for originals that have been part of a conformity check sampling[1] (recall of the original documents kept by the staff member having gone on mission/authorised travel) is 7 years.

The information received by the travel agency with which the PMO has a contract shall be kept in accordance with the duration laid down in the contractual provisions in force.

Once the legal deadline has expired, the file is deleted.

10. Recipients of the data:

The staff members of the Budget and Finance Team responsible for missions (GEMI, financial initiators and ex-ante controllers) and dealing with ABAC, the Head of the Budget and Finance Team , the  Director for Administration, the Head of team of the staff member on mission/authorised travel, the Secretary General and the EO as authorising Officer.

- PMO (see workflow described above)

- the following service providers: the travel agency, transport firms, hotels, car hire companies, credit card companies, insurance companies and any other entity which the EO (or the data subject) may come into contact with during the organisation of the missions/authorised travel.

11. Are there any transfers of personal data to third countries and/or to International Organisations?

In some cases, personal data may be transferred to a third country. Indeed, the travel agency may have to transmit data concerning the staff member on mission/ authorised travel to a country outside the EU. This transfer is based on Article 48 of Regulation (EC) No 2018/1725 (appropriate safeguards). Such appropriate safeguards shall consist of binding corporate rules, codes of conduct or certification mechanisms pursuant to points (b), (e) and (f) of Article 46(2) of Regulation (EU) 2016/679

12. General description of security measures:

All personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are stored either on the servers of the European Commission. All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.

The Commission’s contractors are bound by a specific contractual clause for any processing operations of your data on behalf of the Commission, and by the confidentiality obligations deriving from the transposition of the General Data Protection Regulation in the EU Member States (‘GDPR’ Regulation (EU) 2016/679).

13. Information on how data subjects can exercise their rights of access and rectification, and where applicable, of erasure, restriction and data portability:

Data subjects have the right to access their personal data and to rectify them in case their personal data are inaccurate or incomplete. Where applicable, they have the right to erase their personal data and to restrict the processing of their personal data. They have the right to object to the processing of their personal data on grounds relating to their particular situation, at any time. They may ask the EO information concerning the processing of their personal data by e-mail within one month. They may also contact the Data Protection Officer any time: dpo-eo-ombudsman@ombudsman.europa.eu

If they wish to complain about the Ombudsman’s handling of their personal data, they may contact the European Data Protection Supervisor: www.edps.europa.eu]

Furthermore, if they wish to obtain specific details pertaining to a mission/authorised travel, they can contact the PMO officer responsible for handling the mission/authorised travel indicated on the mission statement or the functional mailbox: PMO-MISSIONS@ec.europa.eu

Privacy Statement relating to the management of missions and authorised travel in the European Ombudsman’s Office

This privacy statement explains the reason for the processing, the way the European Ombudsman (EO) collects, handles and ensures protection of all personal data provided, how that information is used and what rights the data subjects may exercise in relation to their data.

The controller is the EO. The joint controller is the European Commission’s Paymaster Office (PMO), which is the system owner of the on-line application “MIPS”, used by the EO staff members to introduce their missions and authorised travels and obtain the reimbursement. The processors are (i) the European Commission’s Directorate-General for Digital Services (DIGIT); (ii) AMEX Global Business Travel, as processor of the EC-PMO and (iii) CIGNA healthcare, as processor of the EC-PMO.

1. What personal data will the EO process?

We process the following data of all staff members from the EO Office (officials, temporary and contract agents, seconded national experts and trainees) who request reimbursement of missions and authorised travels’ related expenses:

- Identification data of the staff member on mission/authorised travel: title, surname, first name, personnel number, post (Unit), place of employment, office address, office telephone number, office e-mail address;

- Information concerning the mission/authorised travel itself:

· place(s) of the mission and transit, date of departure and arrival, means of transport, name and place of the hotel, hotel invoices, start and end times of the professional commitments, possible combined holidays,

· possible request for anticipating budget for expenses, the budget line on which the mission will be paid, the MIPS mission/authorised travel number and the confirmation number generated at the time of signature of the mission order/travel authorisation for approval by the authorising officer.

- Other details may be provided in certain circumstances by persons going on mission/authorised travel, if they wish to receive more personalised service, mainly through their traveller profile (a travel agencies’ tool englobing information which is necessary and/or useful for the management of commands.

2. Why does the EO process this personal data?

The purpose is to manage and monitor the missions and authorised travels in accordance with the Guide to missions and authorised travel adopted by the European Ombudsman on 29.11.2018.

3. What are the legal bases and necessity for processing this data?

Processing is necessary for the performance of a task carried out in the public interest (Article 5(1)(a) of Regulation 2018/1725) and for compliance with a legal obligation to which the controller is subject (article 5(1) (b) of Regulation 2018/1725).

The processing of the data is based on Article 71 of the Staff Regulations, Articles 11 to 13 of Annex VII to the Staff Regulations and the Guide to missions 6 and authorised travels adopted by the European Ombudsman on 29.11.2018 (Decision of the European Ombudsman on General Implementing Provisions on Articles 11-12 -13 Annex VII of the SR).

4. Who is responsible for processing the data?

Data is processed by the Director for Administration, Finances and Budget team.

5. Who will be recipients of the data?

The recipients of the personal data are

• the staff members from the Budget and Finance Team responsible for missions and dealing with database ABAC, the Head of Budget and Finance Team, the Director for Administration, the Head of team of the staff member going on mission/authorised travel, the Secretary General, the European Ombudsman as authorising Officer;
• PMO and the service providers used by the EO staff members for the organisation of the missions/authorised travel, such as the travel agency, transport firms, hotels, car hire companies, credit card companies, insurance companies

6. How long will the data be kept?

All mission/authorised travel expenses are digitised in MIPS. The retention period for the digitised documents is 7 years for audit purposes and budgetary discharge. The retention period for originals that have been part of a conformity check sampling (recall of the original documents kept by the staff member having gone on mission/authorised travel) is 7 years.

Once the legal deadline has expired, the files are deleted.

7. How do we protect your data?

All personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are stored either on the servers of the European Commission. All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.

The Commission’s contractors are bound by a specific contractual clause for any processing operations of your data on behalf of the Commission, and by the confidentiality obligations deriving from the transposition of the General Data Protection Regulation in the EU Member States (‘GDPR’ Regulation (EU) 2016/679).

8. What are your rights and how can you exercise them?

You have the right of access to your own personal data and to relevant information concerning how the EO uses it.

You have also a right to request rectification of any incomplete or inaccurate data concerning you. You can rectify identification data at any time. You have a right to object to the use of your data by the EO on grounds relating to your particular situation, at any time. Under certain conditions, you have the right to ask that the EO deletes your personal data or restrict its use.

The EO will reply to your requests as soon as possible and within one month at the latest.

9. Who to contact in case of queries or complaints concerning data protection issues?

At any time, you may send data protection related questions concerning the management of the mission/authorised travel to the European Ombudsman, at the following email address:

European Ombudsman

1 avenue du Président Robert Schuman

CS 30403

F-67001 Strasbourg Cedex

EOMissions@ombudsman.europa.eu

You also may use the following link: http://intracomm.ec.testa.eu/mips or the functional mailbox: PMO-MISSIONS@ec.europa.eu

You also may contact the Data Protection Officer of the European Ombudsman at the following address: DPO-Euro-Ombudsman@ombudsman.europa.eu

You may lodge a complaint with the European Data Protection Supervisor at any time at the following address: EDPS@edps.europa.eu

 

[1] According to the EC record: DPR-EC-00990.3 : « Les pièces transmises au PMO sont conservées et archivées dans les locaux d’archivage de l’Office. Une fois la mission payée, le chargé de mission peut détruire les documents originaux papier sauf s'il souhaite contester le décompte, en ce cas les documents originaux seront nécessaires pour introduire une réclamation au titre de l'article 90(2) du Statut. Une fois le délai réglementaire expiré, le dossier papier et numérique est détruit. Les dossiers numérisés et papier ne seront détruits par la DIGIT que sur demande expresse du PMO ».