- EN English
Decision on how the European Anti-Fraud Office (OLAF) dealt with a request for public access to final reports and recommendations related to investigations into misconduct by EU staff that were closed in 2023 (case 2773/2025/MIG)
Decision
Case 2773/2025/MIG - Opened on Wednesday | 08 October 2025 - Decision on Tuesday | 16 December 2025 - Institution concerned European Anti-Fraud Office ( No maladministration found ) - Country Ireland
Complaint submitted
08/09/2025Analysis of the complaint
29/09/2025Inquiry ongoing
08/10/2025Inquiry outcome
16/12/2025
The case concerned the refusal by the European Anti-Fraud Office (OLAF) to give sufficiently wide public access to the OLAF final reports and recommendations related to two investigations into misconduct by EU staff members. In refusing access to parts of those documents, OLAF relied on two exceptions under the EU legislation on public access to documents, arguing that disclosure would undermine the need to protect the privacy and integrity of the individuals mentioned in the documents, including the persons concerned by the OLAF investigations, as well as the need to protect the commercial interests of the companies and legal persons named in the documents.
The Ombudsman found that the complainant had not established a need for disclosure of the personal data at issue in the public interest, as required by the EU legislation on data protection. Following an inspection of the documents at issue, the Ombudsman also considered the redactions of commercial information to be reasonable and that there was no overriding public interest in disclosure in this regard. The Ombudsman therefore concluded that OLAF’s decision to refuse public access to parts of the documents at issue was justified. Welcoming OLAF’s decision to disclose significant details about the two investigations concerned, the Ombudsman closed the inquiry finding no maladministration.
Background to the complaint
1. One of the tasks of the European Anti-Fraud Office (OLAF) is to conduct independent administrative investigations into serious misconduct by staff and members of the EU institutions. Following its investigations, OLAF can make recommendations for actions to be taken by the EU institution concerned, including ‘disciplinary recommendations’ aimed at sanctioning any wrongdoing by staff and members of EU institutions.[1] OLAF informs the public about its investigations concerning EU institutions, for example, in its annual reports.[2]
2. The complainant, a journalist, wanted to know more about OLAF’s findings in relation to two investigations into misconduct by EU staff that it had concluded in 2023 and highlighted in its 2023 annual report.[3] Therefore, in June 2025, the complainant made a request[4] for public access to documents to OLAF, asking for disclosure of the OLAF final reports and recommendations related to these two investigations.
3. In July 2025, OLAF granted wide partial access to five documents related to the investigations at issue, that is, two OLAF final reports and three recommendations. In refusing access to parts of those documents, OLAF relied on the need to protect personal data and, in relation to one investigation, the need to protect commercial interests.[5]
4. The complainant requested a review of OLAF’s position that parts of the documents had to be withheld (he made a ‘confirmatory application’).
5. In September 2025, OLAF confirmed its position that the redacted parts of the documents cannot be disclosed.
6. Dissatisfied, the complainant turned to the Ombudsman, challenging the redaction of personal data other than email addresses, personal identification numbers and phone numbers as well as those redactions made to protect commercial interests.
The inquiry
7. The Ombudsman opened an inquiry into OLAF’s refusal to give public access to the relevant redacted parts of the two OLAF final reports and the three recommendations at issue.
8. During the inquiry, the Ombudsman inquiry team inspected these documents.
Arguments presented
9. When requesting public access, the complainant noted that the two OLAF investigations at issue had already been completed. In addition, he considered that, because “gross misconduct”, including fraud, had been found, the “public interest in transparency, accountability, and institutional integrity outweighs any possible remaining grounds for withholding [the documents at issue].”
10. In his confirmatory application, the complainant added that, due to the nature of the misconduct found, there is a legitimate right of the public to know the names of the EU institutions, bodies, offices and agencies (IBOAs) that failed to prevent this. The complainant also contended that the names of those EU IBOAs could not reasonably be considered personal data[6] and that disclosure of this information was necessary to enable the public to assess the accountability of the EU IBOAs concerned and the need for institutional reform.
11. The complainant also suggested that it is the standard practice of other EU IBOAs to disclose OLAF final reports and recommendations once the related OLAF investigation has been closed.
12. Further, the complainant contended that transparency is particularly important in cases involving public funds or misconduct[7], and that transparency and data protection must be balanced.[8]
13. Finally, the complainant argued that the companies at issue were “used as vehicles for laundering money and fabricating tenders”. Therefore, their names should be disclosed to enable public scrutiny.
14. OLAF stated that the documents at issue contain information related to individuals, such as their names, initials, and contact details, gender-specific pronouns or role descriptors, unique functions, responsibilities, or positions within specific institutions or geographical areas, references of contracts or procurement procedures, and contextual clues or operational details.
15. OLAF stated that this information, possibly in combination with publicly available information, would make the individuals at issue identifiable, meaning that it constitutes personal data. Therefore, given that the complainant had not put forward a necessity for disclosure in the public interest, this information could not be disclosed.
16. As regards the protection of commercial interests, OLAF argued that it had to withhold information such as the names of companies, procurement or contract reference numbers, call for tender details, project titles and specific descriptions of commercial arrangements. In light of the nature of the documents, OLAF considered that disclosure of this information would give rise to reputational harm or negative public perception of the companies concerned.
17. OLAF also stated that it had not identified an overriding public interest in disclosure and that the arguments put forward by the complainant were too general in this regard.
18. In its confirmatory decision, OLAF added that, while institutional affiliations alone are not inherently personal data, disclosure of the EU IBOAs concerned could lead to the identification of individuals due to their specific role and the small size of the institutions concerned as well as the timeframe of events. OLAF considered it particularly likely that persons familiar with the professional environment would be able to identify individuals based on this information.
19. OLAF also stated that the investigations at issue did not concern systemic or institutional failings but wrongdoing by individuals, which, it said, is illustrated by the fact that no administrative recommendations were issued.
20. Finally, OLAF stated that the identification of the persons concerned could damage their reputation and infringe their right to the presumption of innocence, which is particularly important given that its findings are not binding and that different conclusions might be reached in the context of the follow-up by other authorities. Therefore, OLAF concluded that, even if there were a necessity, disclosure would jeopardise the legitimate interests of the individuals concerned.
The Ombudsman's assessment
21. EU citizens and residents have the right to access the documents that the EU institutions hold.[9] While transparency is the rule, the EU institutions may refuse to give public access, if disclosure would reasonably undermine certain interests protected by the EU legislation on public access to documents (Regulation 1049/2001).[10] This includes private interests such as the protection of personal data and the protection of commercial interests.
22. The concept of ‘personal data’[11] is very broad. It covers any information related to an identified or identifiable person. The information does not need to be linked to a person’s private life. Information concerning a person’s professional activity can also constitute personal data, namely if it allows, “directly or indirectly”, for the identification of the individual concerned. According to EU case-law[12], “[t]he use by the EU legislature of the word ‘indirectly’ suggests that, in order to treat information as personal data, it is not necessary that that information alone allows the [individual concerned] to be identified.” Rather, it is sufficient if that information, in combination with other information from the same or from different sources, allows for the identification of the individual in question. In addition, it is not necessary that the public at large can deduce the individual’s identity on that basis. It is enough if one person, for example, someone working in the same field as the individual in question and familiar with their professional background, can identify them.[13]
23. It was therefore reasonable for OLAF to consider that not only the names and contact details of individuals contained in the documents at issue constitute personal data, but also other information that would make the individuals concerned identifiable, on its own or in combination, including with publicly available information. This includes the individuals’ gender, their position and tasks, information on specific tenders and contracts and, in light of the small size of the institutions at issue and the detailed information that OLAF disclosed about the two investigations, the names of those institutions.
24. Based on the inspection of the documents, the Ombudsman confirms that the information that OLAF redacted to protect the privacy and integrity of individuals can reasonably be considered personal data.
25. Any disclosure of personal data must fulfil the conditions for transfer of personal data set out in the EU legislation on data protection[14]. According to these rules, EU institutions must follow a three-stage analysis in considering whether they can grant public access[15] and they must conduct this assessment in each case individually. First, they must assess whether the applicant established a specific need for disclosure of the personal data that is in the public interest. For such a ‘necessity’ to be established, it must be demonstrated that disclosure of the personal data is the most appropriate means among other possible measures to achieve the objective pursued.[16] Second, if a ‘necessity’ exists, EU institutions must assess whether disclosure of the personal data in question might undermine the legitimate interests of the individual(s) concerned. Third, if this is the case, they must establish that, in light of the objective pursued by the applicant, disclosure would be proportionate nevertheless.
26. As regards the need for disclosure, the complainant argued in essence that wider access to the documents at issue should be provided given the seriousness of the OLAF findings. This would ensure transparency, accountability and public trust. The complainant also contended that the public interest in disclosure should set aside the right of the persons concerned to have their personal data protected.
27. While the Ombudsman considers that the objective pursued by the complainant is legitimate, she is not convinced that disclosure of the identity of the persons concerned (who were found to have breached the Staff Regulations[17]), directly or indirectly, would be necessary to achieve it. Specifically, it should be noted that OLAF has granted significant public access to the OLAF final reports and recommendations at issue and the redactions made do not render the documents illegible. Rather, the access granted allows the reader to understand the content of the documents, such as the allegations at issue and OLAF’s findings and recommendations and, thus, allows for public scrutiny. OLAF could disclose this detailed information precisely because the individuals concerned remained unidentified.
28. In addition, staff members who breach their obligations under the EU Staff Regulations[18] do not forfeit their right to privacy.[19] Such misconduct is addressed by the relevant administrative procedures, including investigations by OLAF and possible disciplinary measures. These procedures have been applied here and there is nothing to suggest that they were flawed in any way.
29. In light of all this, the Ombudsman finds that the complainant did not establish a necessity for disclosure of the personal data at issue. Therefore, the assessment of the second and third stages of the test described above is unnecessary and the redaction of personal data was justified.
30. As regards one of the two OLAF investigations at issue, OLAF also redacted information to protect the commercial interests of the companies mentioned in the documents. This included, for example, the names of the companies, details about tenders such as project titles, and contract reference numbers.
31. The complainant did not challenge that disclosure of this information could undermine the reputation and business relationships of the companies concerned. However, he considered that there is an overriding public interest in disclosure with respect to those companies that were involved in the wrongdoing, namely, to allow for public scrutiny.
32. The inspection of the documents showed that the relevant redactions are limited.
33. In addition, it is not clear that disclosure of the names of companies that were found to have been involved in wrongdoing would enable further public scrutiny. OLAF has already disclosed detailed information about its findings and the related recommendations made. If the complainant is interested in whether there has been an appropriate follow-up to OLAF’s recommendations, he could seek this information from OLAF. The Ombudsman can therefore not identify the existence of an overriding public interest in disclosure.
34. Besides this, the Ombudsman considers that disclosure of the redacted commercial information could render the individuals mentioned in the documents identifiable. This information should therefore be regarded as personal data for the disclosure of which it a necessity must be established.
35. The Ombudsman thus concludes that the redactions that OLAF made based on the need to protect commercial interests were justified.
36. Finally, the Ombudsman notes that, by providing significant information about the two investigations at issue, OLAF recognised the importance of accountability and transparency of its work. The Ombudsman has recently welcomed this positive development in OLAF’s approach to public access to final reports and recommendations related to closed investigations in parallel inquiries into the matter[20] and encourages OLAF to maintain this open approach.
Conclusion
Based on the inquiry, the Ombudsman closes this case with the following conclusion:
There was no maladministration by the European Anti-Fraud Office in refusing to give public access to parts of the documents at issue.
The complainant and OLAF will be informed of this decision.
Teresa Anjinho
European Ombudsman
Strasbourg, 16/12/2025
[1] For more information, visit: https://anti-fraud.ec.europa.eu/about-us/what-we-do_en.
[2] See, for example, the OLAF report 2024: https://ec.europa.eu/olaf-report/2024/investigative-activities/investigative-mandate/investigating-within-the-eu-institutions_en.html.
[3] See the OLAF report 20023: https://ec.europa.eu/olaf-report/2023/investigative-activities/investigative-mandate/investigating-within-the-eu-institutions_en.html. The two investigations at issue concerned “kickback and fraud linked to IT-related procurements by an EU agency staff member” (OC/2017/1293) and “abuse of diplomatic privileges by EU Delegation staff in South East Asia” (OC/2020/0423).
[4] Under Regulation 1049/2001 regarding public access to European Parliament, Commission and Council documents: http://data.europa.eu/eli/reg/2001/1049/oj.
[5] In accordance with Articles 4(1)(b) and 4(2), first indent of Regulation 1049/2001,
[6] In his complaint, the complainant referred to the Judgment of the Court of 20 December 2017, Nowak v DPC, C-434/16 (preliminary ruling): https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1827490.
[7] The complainant referred to the Judgment of the Court of 11 May 2017, Sweden v Commission, C-562/14 P: https://curia.europa.eu/juris/document/document.jsf?text=&docid=190582&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1827490.
[8] The complainant referred to the Judgment of the Court of 29 June 2010, Bavarian Lager, C-28/08: https://curia.europa.eu/juris/document/document.jsf?text=&docid=84752&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1827490.
[9] Article 15 of the Treaty on the Functioning of the European Union: http://data.europa.eu/eli/treaty/tfeu_2012/oj.
[10] Article 4 of Regulation 1049/2001.
[11] Article 3(1) of Regulation 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data: http://data.europa.eu/eli/reg/2018/1725/oj.
[12] See Judgment of the Court of 7 March 2024, OC v Commission, C-479/22 P, paragraphs 46f.: https://curia.europa.eu/juris/document/document.jsf?text=&docid=283526&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=26709.
[13] Ibid, paragraph 60.
[14] Regulation 2018/1725, see footnote 11 above.
[15] Article 9(1)(b) of Regulation 2018/1725.
[16] See, for example, Judgment of the General Court of 18 June 2025, Zver v European Commission, T-235/24, paragraph 66: https://curia.europa.eu/juris/document/document.jsf?text=&docid=301286&pageIndex=0&doclang=FR&mode=lst&dir=&occ=first&part=1&cid=601186.
[17] Regulation No 31 (EEC), 11 (EAEC), laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Economic Community and the European Atomic Energy Community: http://data.europa.eu/eli/reg/1962/31(1)/2014-05-01
[18] See footnote 17 above.
[19] See, for example, also the European Ombudsman’s decision on the European Committee of the Regions’ (CoR) refusal to give full public access to documents related to its follow-up to an investigation by the European Anti-Fraud Office (OLAF) (case 1686/2024/MIG): https://www.ombudsman.europa.eu/en/decision/en/199244.
[20] See Decision on the European Anti-Fraud Office’s (OLAF) refusal to grant public access to documents in relation to closed investigations (cases 2327/2024/ACB, 2328/2024/ACB, 2329/2024/OAM, and 203/2025/NH): https://www.ombudsman.europa.eu/en/decision/en/217043.