You have a complaint against an EU institution or body?

Make a complaint
Make a complaint
HomeData protectionRegister of recordsDPO Record
Available languages: 
  • English

Complaints and own-initiative inquiries dealt with by the European Ombudsman

DPO Record - Date Wednesday | 04 May 2022

European Ombudsman

Complaints and own-initiative inquiries dealt with by the European Ombudsman

Public record of processing activity:

Handling of complaints and own initiative inquiries under Article 228 TEFU, the Statute of the European Ombudsman and the Implementing Provisions. [1]

The Ombudsman processes personal data of individuals for handling complaints and own initiative inquiries. The Office collects and registers personal data in its electronic complaints management system (CMS).

1. Last update of this record: 02/02/2022

2. Reference number: 11/2020

3. Name and contact details of the controller:  European Ombudsman, 1 avenue du Président Robert Schuman, CS 30403, F-67001 Strasbourg Cedex. Contact: Directorate of Inquiries, e-mail: EO@ombudsman.europa.eu

4. Name and contact details of the Data Protection Officer: DPO Ms Francesca Pavesi, deputy DPO: Mr Nicholas Hernanz, dpo-euro-ombudsman@ombudsman.europa.eu]

5. Name and contact details of the processor: not applicable.

6. Name and contact details of the joint controller(s): not applicable. 

7. Purpose(s) of the processing: To deal with cases concerning possible instances of maladministration in EU institutions, offices, bodies and agencies. The personal data are also used to communicate with complainants and to determine whether a complaint is within the Ombudsman’s mandate. Some data are used for statistical purposes (country, nationality, professional category and language).

The legal basis is Article 228 TFEU and the Statute of the European Ombudsman.

8. Description of the categories of data subjects and of the categories of personal data:

Data subjects:

(i) any natural person who submits a complaint to the European Ombudsman.

(ii) officials, agents and other staff working for the EU institutions, bodies, offices and agencies.

(iii) third parties named in complaints or in evidence submitted by complainants or by the institutions, bodies, offices or agencies.

Data categories

Names, postal and email addresses, nationality, languages, telephone numbers, where available, professional category and all other information provided in the context of complaints or gathered in own-initiative inquiries.

As concerns postal addresses: Complainants are not asked to provide postal address when lodging a complaint by electronic means, which is by far the most common way complaints are submitted.

9. Time limit for keeping the data and, where possible, for erasure

The retention periods applicable to the different types of complaints are as follows:

Case files, including documents-related data or data integrated into databases, are subject to a retention period of:

  • Two years for complaints that fall outside the Office’s mandate.
  • Ten years for complaints that fall within the Office’s mandate. This includes complaints in which the Ombudsman opened an inquiry and complaints in which the Ombudsman did not open an inquiry either because they were inadmissible or for lack of grounds. Documents related to complaints which had a significant public importance or which are otherwise considered major cases are later archived, in an anonymised form, for historical purposes. However, exceptionally, personal data may be kept where this is necessary to serve historical or public interests.

Shorter retention periods apply to confidential documents which are part to the case file. In particular, confidential documents shall, generally, be destroyed once the case has been closed and, where a complainant is involved, the period of time for dealing with any request for review has expired.

In exceptional cases, the standard retention period of 10 years shall apply to confidential documents where:

(a) it is clear that the information in question is, or may well be, important for an understanding of the case in the future, including circumstances in which the case has precedence or training value;

(b) retention of the document is likely to serve historical or public interests; or

(c) retention of the document may be relevant in the context of actual or possible future formal procedures.

The retention period runs from the date of registration.

10. Recipients of the data: The Ombudsman’s complaint handling staff and the EU institution, body, office or agency complained against.

The Ombudsman may send documents for translation to the European Parliament’s translation services or to the Translation Centre for the Bodies of the European Union when translations of documents need to be made. Such documents may sometimes contain personal data. The translators work under confidentiality obligations put in place by the above-mentioned EU bodies.

When the Ombudsman learns of facts which might constitute or relate to a criminal offence, s/he shall report to the competent national authorities, the European Public Prosecutor’s Office (EPPO) and/or the European Anti-Fraud Office (OLAF).

Access to data by the European Parliament is controlled and strictly for IT administration and support purposes

In the event of a transfer of a complaint, the data may be sent to another institution at EU or Member State level. In such a case, the data subject’s consent is sought prior to the transfer. Anonymised versions of correspondence and outcomes of inquiries may be published on the Ombudsman’s website.

The data might also be disclosed to any natural or legal person who requests it in accordance with the provisions of Regulation 1049/2001.

11. Are there any transfers of personal data to third countries and/or to International Organisations?: No

12. General description of security measures:

Processing is restricted to staff having access to the case file in the European Ombudsman’s CMS: inquiries officers, the Head of the Case Handling Unit, the Director of inquiries, advisors and experts, Cabinet members and the case-handling assistants.

Electronic confidential documents are stored in an e-safe to which access is restricted, namely to the inquiries officer, the associate inquiries officer (if any), the Head of the Case Handling Unit, the Director of inquiries, the Head of Cabinet, one expert, the assistant to the Director and the assistant to the Head of the Case Handling Unit. To ensure continuity of registration, access is also granted to two further assistants.

Physical confidential documents are normally shredded after having been scanned and put in the e-safe. If they are exceptionally kept, they are stored in locked safes with restricted access.

Inquiries officers are responsible for keeping their working files in order to guarantee the security of personal data contained therein.

Public access may be granted in certain cases, in accordance with the rules on access to documents.

13. Information on how data subjects can exercise their rights of access and rectification, and where applicable, of erasure, restriction and data portability

Data subjects have the right to access their personal data and to rectify them in case their personal data are inaccurate or incomplete. Where applicable, they have the right to erase their personal data and to restrict the processing of their personal data. They have the right to object at any time to the processing of their personal data on grounds relating to their particular situation. Any request to exercise these rights should be addressed to the responsible inquiry officer and/or to the data controller (e-mail: EO@ombudsman.europa.eu).

The European Ombudsman provides information to ‘third-party data subjects’ (data subjects named in complaints or in evidence submitted by complainants or by the institutions, bodies, offices or agencies) in line with the relevant policy.[2]

These rights of the data subjects may be restricted by means of application of the Decision of the European Ombudsman on internal rules concerning restrictions of certain rights of data subjects in relation to processing of personal data by the European Ombudsman.[3]

Privacy statement for the processing of personal data in the context of the Ombudsman’s handling of complaints and inquiries

 

1/ Description of the processing operation

The Ombudsman conducts inquiries concerning potential instances of maladministration in an EU institution, body, office or agency (hereinafter, 'EU institution') and reports on them.

The Ombudsman processes personal data of individuals for handling complaints and own initiative inquiries where it collects and registers personal data in its electronic complaints management system (CMS). The Ombudsman processes personal data of complainants and of third parties that are related to the complaint/ inquiry, either because they are provided by the complainant or collected during the inquiry.  The Ombudsman  might transfer personal data to other EU Institutions or occasionally, to Member State authorities, as described below.

The legal basis for this processing operation is Article 228 of the Treaty on the Functioning of the European Union (TFEU) and the Statute of the European Ombudsman (the 'Statute').

Personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.

2/ What personal information do we collect, for what purpose, and through which technical means?

What

In dealing with complaints and inquiries, the Ombudsman receives and/or collects documents that may contain personal data in relation to:

 i) natural persons making complaints (“complainants”) and

ii) other persons relevant to the complaint/inquiry or other third parties named in complaints or other inquiry-related documents who are irrelevant or merely incidental to the inquiry.

This personal data includes the identification and contact information (name, address, e-mail, telephone, fax), nationality, professional information and any other information about an individual which is related to the inquiry. There may also be special categories of data included in a complaint, such as, for example, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life.[1]

If the Ombudsman decides to carry out a public consultation (general or targeted) in relation to case handling, the contributions s/he receives in response thereto will mostly contain some personal data. Contributors to public consultations (general or targeted) are requested to indicate their prior level of consent regarding disclosure of their data. For further information, please consult the privacy statement regarding the European Ombudsman’s consultations on this website.

Why

The Ombudsman needs to process personal data  to investigate possible instances of maladministration for the objectives of:

(a) finding a solution to the specific issues of the complaint in question,

(b) Identifying  possible systemic issues and make related suggestions whenever appropriate, and

(c), in so doing, ensuring the continuous long-term consolidation of the related relevant knowledge bases that underlie these activities.

In relation specifically to case related public consultations, the purpose is to ensure that the assessment of the issues concerned is as well informed as possible.

The personal data are also used to communicate with complainants and to determine whether a complaint is within the Ombudsman’s mandate. Some data are used for statistical purposes (country, nationality, professional category and language) in an anonymised way to fulfil the reporting requirement in the European Ombudsman’s Statute.

How

The Ombudsman normally collects or receives the personal data in documents, including forms, which are mostly electronic.

In some cases, the data form part of information that is initially received orally at meetings, inspections or hearings. During or immediately following such meetings the relevant information is recorded in documents for the file, mostly electronic but in certain cases also by paper.

3/ Who has access to your information and to whom is it disclosed?

Ombudsman’s staff

The Ombudsman’s staff who are involved in the Office’s case handling have access to the case files and their documents, some of which contain personal data, as well as to the database that contains the said documents and the related data.

EU institutions

Where a complaint is sent to an EU institution in relation to an inquiry, the personal data normally remains visible in the documents. This is also the case when the complainant has asked for confidential treatment of his/her complaint. Such confidentiality does not apply to inquiry related communication between the Ombudsman and the institution, the latter having a right to be fully informed of all the information related to the accusations of which it is the object. However, prior to the sending of the complaint and its possible related documentation, the Ombudsman’s inquiries officer will nevertheless carry out a check to verify whether the transfer of the documents would entail a manifestly unnecessary transfer of personal data.  The redaction of the excessive personal data, as here described,is duly recorded in the case note drawn up for the opening of the inquiry. If a complaint contains excessive personal data, the excessive personal data will be deleted.

If the Ombudsman cannot handle or accept the complaint, s/he may also transfer the complaint to another relevant EU institution or body that may be better placed to deal with the issue raised by the complainant. Examples are the European Commission in relation to complaints about possible infringement of EU law, the European Parliament in relation to political issues, the European Anti-Fraud Office in relation to fraud issues, and the European Data Protection Supervisor.

The Ombudsman may send documents for translation to the European Parliament’s translation services or to the Translation Centre for the Bodies of the European Union when translations of documents need to be made. Such documents may sometimes contain personal data. The translators work under confidentiality obligations put in place by the above-mentioned EU bodies.

Other bodies or organisations

Similarly for other complaints that s/he cannot deal with, the Ombudsman may decide to transfer a complaint, without redaction of the personal data, to national institutions or organisations that may be able to help the complainant. S/he may decide to do so if the complainant has given his/her explicit consent. S/he only makes transfers to such bodies or organisations that are located in the EU.

When the Ombudsman learns of facts which might constitute or relate to a criminal offence, s/he shall report to the competent national authorities, the European Public Prosecutor’s Office (EPPO) and/or the European Anti-Fraud Office (OLAF)[2]. In doing so, s/he will normally send the relevant documents, un-redacted, to the authority concerned.

Individual requests for public access to documents

EU citizens may exercise their fundamental right to request public access to any document held by the Ombudsman, including documents on the case file or documents related thereto. Such requests are handled on the basis of Regulation (EC) No 1049/2001 regarding public access to documents of the EU institutions.

In responding to requests for public access to documents, the personal data of complainants and third parties not including EU staff, are by default redacted prior to public disclosure of documents held by the Ombudsman.

Data subjects’ rights

Data subjects can exercise their right of access, rectification or erasure of their personal data in the context of the complaints handling, by sending a request by email to the controller at the mailbox indicated below.

They have the possibility to request confidential treatment of their complaint or certain parts thereof by indicating such a requirement in the complaint and by providing supporting reasoning or justification.

The Ombudsman complies with data protection rules, including the duty to inform third-party data subjects about the processing of their personal data and those data subjects' right to have access to their personal data and to have errors in that data rectified, or the data restricted or erased, in accordance with those rules. In view of the principle of data minimisation, the complainant is advised to provide only information which is relevant to the subject-matter of the complaint and to avoid unnecessary and irrelevant detail, especially if it includes third parties' personal data.. The Ombudsman will, however, always take into consideration the circumstances of the complainant when complying with her/his data protection obligations, in particular where the complainant is in a vulnerable situation. The Ombudsman will perform a case by case assessment balancing the rights and legitimate interests of the complainant and the third party data subject.

If the complainant decides to submit an anonymous complaint, such a complaint will always be inadmissible.[3] The Ombudsman may, nevertheless, depending of the information set out in such a complaint, decide to pursue the issue through an own-initiative inquiry.

4/ How do we protect and safeguard your personal data?

Within the organisation, the European Ombudsman protects personal data through rules and practical measures.

All staff are informed about their strict confidentiality obligations, and receive related training and updated information on practices and rules.

Each member of the Ombudsman’s staff has a first-level responsibility for keeping her/his working files in such a way as to guarantee the security of the personal data contained therein.

The case related documents and data forms are almost entirely handled electronically, which provides for configurable access rights and reduces the risk of inadvertent circulation of hard copies. As mentioned further above, the Ombudsman’s staff who are involved in the Office’s case handling have access to the case files and their documents.

Any actual or potential complainant may at any time make a reasoned request for a limited access to be applied to his/her complaint file, a request that may, for instance, be relevant if the complainant is a current or former member of the Ombudsman’s staff, other member of EU staff, a member of networks or similar groups with which several staff of the Ombudsman’s Office have, or can be expected to have, contact. The documents and data forms are stored electronically on virtual servers made available to the Ombudsman by the European Parliament. Access to data by the European Parliament is controlled and strictly for IT administration and support purposes.

Physical archives are kept locked in separate archive rooms and, when relevant, safes.

5/ How can you ask us to verify, modify or erase your information?

Data Subjects have the right to access the personal data we hold about themand to ask the Ombudsman to correct, complete, or, if appropriate, erase them[4]. Any request for access to personal data or for rectifying, restricting and/or erasing personal data should be directed to the responsible inquiry officer and/or to the data controller (e-mail: EO@ombudsman.europa.eu).

You may also contact the European Ombudsman’s Data Protection Officer (DPO-Euro-Ombudsman@ombudsman.europa.eu) if you have any question on the processing of your personal data.

Restrictions under Article 25 of Regulation 2018/1725 may apply, see Ombudsman Decision of 9 November 2020[5].

6/ How long do we keep your data?

Case files, including documents related data or data integrated into databases, are subject to a retention period of:

  • Two years for complaints that fall outside the Office’s mandate.
  • Ten years for complaints that fall within the Office’s mandate. This includes complaints in which the Ombudsman opened an inquiry and complaints in which the Ombudsman did not open an inquiry either because they were inadmissible or for lack of grounds. Documents related to complaints which had a significant public importance or which are otherwise considered major cases are later archived, in an anonymised form, for historical purposes. However, exceptionally, personal data may be kept where this is necessary to serve historical or public interests.

Shorter retention periods apply to confidential documents which are part of the case file. In particular, confidential documents shall, generally, be deleted once the case has been closed and, where a complainant is involved, the period of time for dealing with any request for review has expired.

In exceptional cases the standard retention period of 10 years shall apply to confidential documents where:

(a) it is clear that the information in question is, or may well be, important for an understanding of the case in the future, including circumstances in which the case has precedence or training value;

(b) retention of the document is likely to serve historical or public interests; or

(c) retention of the document may be relevant in the context of actual or possible future formal procedures.

Any decisions and actions in relation to the handling of the above mentioned confidential documents are duly recorded on the case file.

7/ Recourse

Data subjects have at any time the right to address a complaint to the European Data Protection Supervisor (edps@edps.europa.eu), if they consider that their rights under Regulation 2018/1725 have been infringed by the Ombudsman.

 

[1] Article 10 of Regulation 2018/1725.

[2] Article 9(2) of the Ombudsman's Statute.

[3] Article 2(2) of the Ombudsman's Statute.

[4] Articles 17 to 20 of Regulation 2018/1725.

[5] Decision of the European Ombudsman of 9 November 2020 on internal rules to restrict certain data subject rights in the processing of personal data, available at https://www.ombudsman.europa.eu/en/document/en/141577.

 

 

[1] Respectively Regulation (EU, Euratom) 2021/1163 OF THE EUROPEAN PARLIAMENT of 24 June 2021 laying down the regulations and general conditions governing the performance of the Ombudsman’s duties (Statute of the European Ombudsman) and repealing Decision 94/262/ECSC, EC, Euratom, OJ L 253, 16.7.2021, p. 1, and Decision of the European Ombudsman adopting Implementing Provisions, OJ C 321, 1.9.2016, p. 1. The Implementing  Provisions are currently under revision.

[2] The Ombudsman's policy on the provision of information to the third-party data subject in a complaint or an inquiry, dated 16 July 2019, available at https://www.ombudsman.europa.eu/en/document/en/70851

[3] Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2020.415.01.0081.01.ENG

 

Download this publication in PDF format (1.06 MB)