Privacy statement for the processing of personal data in the context of the Ombudsman’s handling of complaints and inquiries
Document - Date Wednesday | 04 May 2022
1/ Description of the processing operation
The Ombudsman conducts inquiries concerning potential instances of maladministration in an EU institution, body, office or agency (hereinafter, 'EU institution') and reports on them.
The Ombudsman processes personal data of individuals for handling complaints and own initiative inquiries where it collects and registers personal data in its electronic complaints management system (CMS). The Ombudsman processes personal data of complainants and of third parties that are related to the complaint/ inquiry, either because they are provided by the complainant or collected during the inquiry. The Ombudsman might transfer personal data to other EU Institutions or occasionally, to Member State authorities, as described below.
The legal basis for this processing operation is Article 228 of the Treaty on the Functioning of the European Union (TFEU) and the Statute of the European Ombudsman (the 'Statute').
Personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.
2/ What personal information do we collect, for what purpose, and through which technical means?
In dealing with complaints and inquiries, the Ombudsman receives and/or collects documents that may contain personal data in relation to:
- i) natural persons making complaints (“complainants”) and
- ii) other persons relevant to the complaint/inquiry or other third parties named in complaints or other inquiry-related documents who are irrelevant or merely incidental to the inquiry.
This personal data includes the identification and contact information (name, address, e-mail, telephone, fax), nationality, professional information and any other information about an individual which is related to the inquiry. There may also be special categories of data included in a complaint, such as, for example, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life.
If the Ombudsman decides to carry out a public consultation (general or targeted) in relation to case handling, the contributions s/he receives in response thereto will mostly contain some personal data. Contributors to public consultations (general or targeted) are requested to indicate their prior level of consent regarding disclosure of their data. For further information, please consult the privacy statement regarding the European Ombudsman’s consultations on this website.
The Ombudsman needs to process personal data to investigate possible instances of maladministration for the objectives of:
- (a) finding a solution to the specific issues of the complaint in question,
- (b) Identifying possible systemic issues and make related suggestions whenever appropriate, and
- (c), in so doing, ensuring the continuous long-term consolidation of the related relevant knowledge bases that underlie these activities.
In relation specifically to case related public consultations, the purpose is to ensure that the assessment of the issues concerned is as well informed as possible.
The personal data are also used to communicate with complainants and to determine whether a complaint is within the Ombudsman’s mandate. Some data are used for statistical purposes (country, nationality, professional category and language) in an anonymised way to fulfil the reporting requirement in the European Ombudsman’s Statute.
The Ombudsman normally collects or receives the personal data in documents, including forms, which are mostly electronic.
In some cases, the data form part of information that is initially received orally at meetings, inspections or hearings. During or immediately following such meetings the relevant information is recorded in documents for the file, mostly electronic but in certain cases also by paper.
3/ Who has access to your information and to whom is it disclosed?
The Ombudsman’s staff who are involved in the Office’s case handling have access to the case files and their documents, some of which contain personal data, as well as to the database that contains the said documents and the related data.
Where a complaint is sent to an EU institution in relation to an inquiry, the personal data normally remains visible in the documents. This is also the case when the complainant has asked for confidential treatment of his/her complaint. Such confidentiality does not apply to inquiry related communication between the Ombudsman and the institution, the latter having a right to be fully informed of all the information related to the accusations of which it is the object. However, prior to the sending of the complaint and its possible related documentation, the Ombudsman’s inquiries officer will nevertheless carry out a check to verify whether the transfer of the documents would entail a manifestly unnecessary transfer of personal data. The redaction of the excessive personal data, as here described,is duly recorded in the case note drawn up for the opening of the inquiry. If a complaint contains excessive personal data, the excessive personal data will be deleted.
If the Ombudsman cannot handle or accept the complaint, s/he may also transfer the complaint to another relevant EU institution or body that may be better placed to deal with the issue raised by the complainant. Examples are the European Commission in relation to complaints about possible infringement of EU law, the European Parliament in relation to political issues, the European Anti-Fraud Office in relation to fraud issues, and the European Data Protection Supervisor.
The Ombudsman may send documents for translation to the European Parliament’s translation services or to the Translation Centre for the Bodies of the European Union when translations of documents need to be made. Such documents may sometimes contain personal data. The translators work under confidentiality obligations put in place by the above-mentioned EU bodies.
Other bodies or organisations
Similarly for other complaints that s/he cannot deal with, the Ombudsman may decide to transfer a complaint, without redaction of the personal data, to national institutions or organisations that may be able to help the complainant. S/he may decide to do so if the complainant has given his/her explicit consent. S/he only makes transfers to such bodies or organisations that are located in the EU.
When the Ombudsman learns of facts which might constitute or relate to a criminal offence, s/he shall report to the competent national authorities, the European Public Prosecutor’s Office (EPPO) and/or the European Anti-Fraud Office (OLAF). In doing so, s/he will normally send the relevant documents, un-redacted, to the authority concerned.
Individual requests for public access to documents
EU citizens may exercise their fundamental right to request public access to any document held by the Ombudsman, including documents on the case file or documents related thereto. Such requests are handled on the basis of Regulation (EC) No 1049/2001 regarding public access to documents of the EU institutions.
In responding to requests for public access to documents, the personal data of complainants and third parties not including EU staff, are by default redacted prior to public disclosure of documents held by the Ombudsman.
Data subjects’ rights
Data subjects can exercise their right of access, rectification or erasure of their personal data in the context of the complaints handling, by sending a request by email to the controller at the mailbox indicated below.
They have the possibility to request confidential treatment of their complaint or certain parts thereof by indicating such a requirement in the complaint and by providing supporting reasoning or justification.
The Ombudsman complies with data protection rules, including the duty to inform third-party data subjects about the processing of their personal data and those data subjects' right to have access to their personal data and to have errors in that data rectified, or the data restricted or erased, in accordance with those rules. In view of the principle of data minimisation, the complainant is advised to provide only information which is relevant to the subject-matter of the complaint and to avoid unnecessary and irrelevant detail, especially if it includes third parties' personal data.. The Ombudsman will, however, always take into consideration the circumstances of the complainant when complying with her/his data protection obligations, in particular where the complainant is in a vulnerable situation. The Ombudsman will perform a case by case assessment balancing the rights and legitimate interests of the complainant and the third party data subject.
If the complainant decides to submit an anonymous complaint, such a complaint will always be inadmissible. The Ombudsman may, nevertheless, depending of the information set out in such a complaint, decide to pursue the issue through an own-initiative inquiry.
4/ How do we protect and safeguard your personal data?
Within the organisation, the European Ombudsman protects personal data through rules and practical measures.
All staff are informed about their strict confidentiality obligations, and receive related training and updated information on practices and rules.
Each member of the Ombudsman’s staff has a first-level responsibility for keeping her/his working files in such a way as to guarantee the security of the personal data contained therein.
The case related documents and data forms are almost entirely handled electronically, which provides for configurable access rights and reduces the risk of inadvertent circulation of hard copies. As mentioned further above, the Ombudsman’s staff who are involved in the Office’s case handling have access to the case files and their documents.
Any actual or potential complainant may at any time make a reasoned request for a limited access to be applied to his/her complaint file, a request that may, for instance, be relevant if the complainant is a current or former member of the Ombudsman’s staff, other member of EU staff, a member of networks or similar groups with which several staff of the Ombudsman’s Office have, or can be expected to have, contact. The documents and data forms are stored electronically on virtual servers made available to the Ombudsman by the European Parliament. Access to data by the European Parliament is controlled and strictly for IT administration and support purposes.
Physical archives are kept locked in separate archive rooms and, when relevant, safes.
5/ How can you ask us to verify, modify or erase your information?
Data Subjects have the right to access the personal data we hold about themand to ask the Ombudsman to correct, complete, or, if appropriate, erase them. Any request for access to personal data or for rectifying, restricting and/or erasing personal data should be directed to the responsible inquiry officer and/or to the data controller (e-mail: EO@ombudsman.europa.eu).
You may also contact the European Ombudsman’s Data Protection Officer (DPO-Euro-Ombudsman@ombudsman.europa.eu) if you have any question on the processing of your personal data.
Restrictions under Article 25 of Regulation 2018/1725 may apply, see Ombudsman Decision of 9 November 2020.
6/ How long do we keep your data?
Case files, including documents related data or data integrated into databases, are subject to a retention period of:
- Two years for complaints that fall outside the Office’s mandate.
- Ten years for complaints that fall within the Office’s mandate. This includes complaints in which the Ombudsman opened an inquiry and complaints in which the Ombudsman did not open an inquiry either because they were inadmissible or for lack of grounds. Documents related to complaints which had a significant public importance or which are otherwise considered major cases are later archived, in an anonymised form, for historical purposes. However, exceptionally, personal data may be kept where this is necessary to serve historical or public interests.
Shorter retention periods apply to confidential documents which are part of the case file. In particular, confidential documents shall, generally, be deleted once the case has been closed and, where a complainant is involved, the period of time for dealing with any request for review has expired.
In exceptional cases the standard retention period of 10 years shall apply to confidential documents where:
- (a) it is clear that the information in question is, or may well be, important for an understanding of the case in the future, including circumstances in which the case has precedence or training value;
- (b) retention of the document is likely to serve historical or public interests; or
- (c) retention of the document may be relevant in the context of actual or possible future formal procedures.
Any decisions and actions in relation to the handling of the above mentioned confidential documents are duly recorded on the case file.
Data subjects have at any time the right to address a complaint to the European Data Protection Supervisor (firstname.lastname@example.org), if they consider that their rights under Regulation 2018/1725 have been infringed by the Ombudsman.
 Article 10 of Regulation 2018/1725.
 Article 9(2) of the Ombudsman's Statute.
 Article 2(2) of the Ombudsman's Statute.
 Articles 17 to 20 of Regulation 2018/1725.
 Decision of the European Ombudsman of 9 November 2020 on internal rules to restrict certain data subject rights in the processing of personal data, available at https://www.ombudsman.europa.eu/en/document/en/141577.