Statement for the processing of personal data in the context of the Ombudsman’s handling of complaints and inquiries
Document - Date Thursday | 27 May 2021
1/ Description of the processing operation
The Ombudsman conducts inquiries concerning potential instances of maladministration in an EU institution, body, office or agency (hereinafter, 'EU institution') and reports on them. The processing of personal data in relation to complaints or inquiries consists of registration and transfer of personal data relating to the complainant and to third parties, when provided or collected during the inquiry.
The legal basis for this processing operation is Article 228 of the Treaty on the Functioning of the European Union (TFEU) and the Statute of the European Ombudsman (the 'Statute').
Your personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.
2/ What personal information do we collect, for what purpose, and through which technical means?
In dealing with complaints and inquiries, the Ombudsman receives and/or collects documents that may contain personal data in relation to i) natural persons making complaints (“complainants”) and ii) other persons relevant to the complaint/inquiry or other third parties named in complaints or other inquiry-related documents who are irrelevant or merely incidental to the inquiry. This personal data includes the identification and contact information (name, address, e-mail, telephone, fax), nationality, professional information and any other information about an individual which is related to the inquiry. There may also be special categories of data included in a complaint, such as, for example, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life.
If the Ombudsman decides to carry out a public consultation in relation to case handling, the contributions s/he receives in response thereto will mostly contain some personal data. Contributors to public consultations are requested to indicate their prior level of consent regarding disclosure of their data. For further information, please consult the privacy statement regarding the European Ombudsman’s consultations.
The purpose of the processing by the Ombudsman is to investigate possible instances of maladministration for the objectives of (a) possibly finding a solution to the specific issues of the complaint in question, (b) identify possible systemic issues and make related suggestions whenever appropriate, and (c), in so doing, ensure the continuous long term consolidation of the related relevant knowledge bases that underly these activities.
In relation specifically to case related public consultations, the purpose is to ensure that the assessment of the issues concerned is as well informed as possible.
The contact information data will also be used for the purpose of correspondence and for the purpose of drawing up basic anonymised statistical data, the latter for the purpose of management and to fulfil the reporting requirement in the European Ombudsman’s Statute.
The Ombudsman normally collects or receives the personal data in text documents, including forms, which are mostly electronic.
In some cases, the data form part of information that is initially received orally at meetings, inspections or hearings. During or immediately following such meetings the relevant information is recorded in documents for the file, mostly electronic but in certain cases also by paper.
3/ Who has access to your information and to whom is it disclosed?
The Ombudsman’s staff who are involved in the Office’s case handling have access to the case files and their documents, some of which contain personal data, as well as to the database that contains the said documents and the related data.
Where a complaint is sent to an EU institution in relation to an inquiry, the personal data normally remains visible in the documents sent to the institution. This is also the case when the complainant has asked for confidential treatment of his/her complaint. Such confidentiality does not apply to inquiry related communication between the Ombudsman and the institution, the latter having a right to be fully informed of all the information related to the accusations of which it is the object. However, prior to the sending of the complaint and its possible related documentation, the Ombudsman’s inquiries officer will nevertheless carry out a check to verify whether the transfer of the documents would entail a manifestly unnecessary transfer of personal data. The non-sending of data/documents as here described is duly recorded in the case note drawn up for the opening of the inquiry. If a complaint contains excessive personal data, the excessive personal data will be deleted.
If the Ombudsman cannot handle or accept the complaint, s/he may also transfer the complaint to another relevant EU institution or body that may be better placed to deal with the issue raised by the complainant. Examples are the European Commission in relation to complaints about possible infringement of EU law, the European Parliament in relation to political issues, the European Anti-Fraud Office in relation to fraud issues, and the European Data Protection Supervisor (cf. 2007 Memorandum of Understanding).
The Ombudsman frequently sends documents for translation to the European Parliament’s translation services or to the Translation Centre for the Bodies of the European Union when translations of documents need to be made. Such documents will sometimes contain personal data. The translators work under confidentiality obligations put in place by the above-mentioned EU bodies.
Other bodies or organisations
Similarly for other complaints that s/he cannot deal with, the Ombudsman may decide to transfer a complaint, without redaction of the personal data, to national institutions or organisations that may be able to help the complainant. S/he may decide to do so if the complainant has given his/her explicit consent. S/he only makes transfers to such bodies or organisations that are located in the EU.
When the Ombudsman learns of facts which s/he deems to be relevant from a criminal and/or disciplinary point of view, she may decide to inform the competent national authorities. In doing so, s/he will normally send the relevant documents, unredacted, to the authority concerned.
Individual requests for public access to documents
EU citizens may exercise their fundamental right to request public access to any document held by the Ombudsman, including documents on the case file or documents related thereto. Such requests are handled on the basis of Regulation 1049/2001 regarding public access to documents of the EU institutions.
In responding to requests for public access to documents, the personal data of complainants and third parties not including EU staff, are by default redacted prior to public disclosure of documents held by the Ombudsman.
Data subjects’ rights
The Ombudsman complies with data protection rules, including the duty to inform third-party data subjects about the processing of their personal data and those data subjects' right to have access to their personal data and to have errors in that data rectified, or the data restricted or erased, in accordance with those rules. Therefore, when completing the complaint form, the complainant is advised to provide only information which is relevant to the subject-matter of the complaint and to avoid unnecessary and irrelevant detail, especially if it includes third parties' personal data. This is because full confidentiality cannot be guaranteed if a third party's personal data are mentioned in the complaint, for instance if reference is made in the complaint to the behaviour or characteristics of the third party. The Ombudsman will, however, always take into consideration the circumstances of the complainant when complying with her/his data protection obligations, in particular where the complainant is in a vulnerable situation. The Ombudsman will perform a case by case assessment balancing the rights and legitimate interests of the complainant and the third party data subject.
If the complainant decides to submit an anonymous complaint, such a complaint will always be inadmissible. The Ombudsman may, nevertheless, depending of the information set out in such a complaint, decide to pursue the issue through an own-initiative inquiry.
4/ How do we protect and safeguard your personal data?
Within the organisation, the European Ombudsman protects personal data through rules and practical measures.
All staff are informed about their strict confidentiality obligations, and receive related training and updated information on practices and rules.
Each member of the Ombudsman’s staff has a first-level responsibility for keeping her/his working files in such a way as to guarantee the security of the personal data contained therein.
The case related documents and data forms are almost entirely handled electronically, which provides for configurable access rights and reduces the risk of inadvertent circulation of hard copies. As mentioned further above, the Ombudsman’s staff who are involved in the Office’s case handling have access to the case files and their documents. Any actual or potential complainant may at any time make a reasoned request for a limited access to be applied to his/her complaint file, a request that may, for instance, be relevant if the complainant is a current or former member of the Ombudsman’s staff, other member of EU staff, a member of networks or similar groups with which several staff of the Ombudsman’s Office have, or can be expected to have, contact. The documents and data forms are stored electronically on virtual servers made available to the Ombudsman by the European Parliament. Access to data by the European Parliament is controlled and strictly for IT administration and support purposes.
Physical archives are kept locked in separate archive rooms and, when relevant, safes.
5/ How can you ask us to verify, modify or erase your information?
You have the right to access the personal data we hold about you and to ask the Ombudsman to correct, complete, or, if appropriate, erase them. Any request for access to your personal data or for rectifying, restricting and/or erasing your personal data should be directed to the responsible inquiries officer or to the Ombudsman's Data Protection Officer.
6/ How long do we keep your data?
Case files, including documents related data or data integrated into databases, are subject to a retention period of:
- Two years for complaints that fall outside the Office’s mandate.
- Ten years for complaints that fall within the Office’s mandate. This includes complaints in which the Ombudsman opened an inquiry and complaints in which the Ombudsman did not open an inquiry either because they were inadmissible or for lack of grounds. Documents related to complaints which had a significant public importance or which are otherwise considered major cases are later archived, in an anonymised form, for historical purposes. However, exceptionally, personal data may be kept where this is necessary to serve historical or public interests.
Shorter retention periods apply to confidential documents which are part of the case file. In particular, confidential documents shall, generally, be deleted once the case has been closed and, where a complainant is involved, the period of time for dealing with any request for review has expired.
In exceptional cases the standard retention period of 10 years shall apply to confidential documents where:
(a) it is clear that the information in question is, or may well be, important for an understanding of the case in the future, including circumstances in which the case has precedence or training value;
(b) retention of the document is likely to serve historical or public interests; or
(c) retention of the document may be relevant in the context of actual or possible future formal procedures.
Any decisions and actions in relation to the handling of the above mentioned confidential documents are duly recorded on the case file.
You have at any time the right to address yourself to the European Data Protection Supervisor (email@example.com), if you consider that your rights under Regulation 2018/1725 have been infringed as a result of the processing of your personal data by the Ombudsman.
 Decision of the European Parliament on the regulations and general conditions governing the performance of the Ombudsman's duties adopted by Parliament on 9 March 1994 (OJ L 113, 4.5.1994, p. 15) and amended by its decisions of 14 March 2002 (OJ L 92, 9.4.2002, p. 13) and 18 June 2008 (OJ L 189, 17.7.2008, p. 25).
 Article 10 of Regulation 2018/1725.
 Article 4(2) of the Ombudsman's Statute.
 Article 2(3) of the Ombudsman's Statute.
 Articles 17 to 20 of Regulation 2018/1725.
 Decision of the European Ombudsman of 9 November 2020 on internal rules to restrict certain data subject rights in the processing of personal data, available at https://www.ombudsman.europa.eu/en/document/en/141577.