1. Introduction

In addition to processing personal data of individuals who submit complaints, the Ombudsman may, depending on the facts of the case, have to process personal data in relation to other individuals ('third-party data subjects').

Upon receipt of a complaint, the Ombudsman assesses whether the information provided contains any personal data of third parties, that is, any information relating to an identified or identifiable natural person, other than the complainant.

The concept of personal data is very broad[1]. By way of example, it includes information on a person's identity and personal characteristics, statements and opinions, and civil and employment statuses[2].

The present policy concerns the way the Ombudsman gives effect to the duty to inform data subjects about the processing of their personal data in the context of a complaint or an inquiry, where the data have not been obtained from those data subjects. In drafting the present policy, the Ombudsman has taken account of the guidance of the European Data Protection Supervisor ('EDPS')[3].

2. The duty to inform

When a third-party data subject's personal data are included in a complaint or other inquiry-related documents, the Ombudsman has a duty to provide the person in question with certain information[4], namely:

(a) the identity and the contact details of the controller, that is, the Ombudsman[5];

(b) the contact details of the Ombudsman’s Data Protection Officer;

(c) the purpose of the processing operation (for example, handling of a complaint) and the legal basis for the processing (for example, the rules relating to processing of personal data by EU institutions[6] and/or the Ombudsman's Statute[7]);

(d) the categories of data concerned (for example, the identity and the employment status of the person in question);

(e) the recipients of the data[8];

(f) where applicable, that the Ombudsman intends to transfer the personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission or of appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available; and

(g) the following further information, necessary to guarantee fair and transparent processing of the person’s personal data:

(i) the time-limits for storing the relevant data;

(ii) the fact that the person has the right to request access to,  rectification, erasure or restriction of the processing of his/her personal data or the right to object to the processing[9];

(iii) the person's right to have recourse to the EDPS, and

(iv) the origin of the data (including, if applicable, publicly available sources).

3. The policy

A - Outside the mandate complaints

If the Ombudsman finds that a complaint containing personal data of third parties does not fall within her mandate, she informs the complainant accordingly and advises him/her, where possible, about the body that could deal with the complaint. Where the complainant has agreed to a transfer of his or her complaint in case the Ombudsman is unable to deal with it, the Ombudsman forwards the complaint to the competent body (for example, a national Ombudsman).

In such cases, the Ombudsman does not consider the provision of the individual information mentioned in point 2 above to be required because (i) the purpose for which the Ombudsman processes these personal data (assessment on whether the complaint is within the Ombudsman’s mandate and, if not, possible transfer of the complaint to another body) does not require the identification of the third-party data subject by the Ombudsman[10]; and (ii) informing third-party data subjects individually about the fact that the Ombudsman may be processing data relating to them, even if possible, would result in an unnecessary multiplication of personal data and therefore involve a disproportionate effort[11].

Instead, the Ombudsman publishes an information note on her website informing the general public that she may be processing personal data of persons other than the complainant's in the context of her handling of complaints. This note includes a link to this policy and to a statement for the processing of personal data in the context of the Ombudsman's handling of complaints and inquiries. This note, the present policy and the statement are deemed sufficient to provide all relevant information to individuals whose personal data the Ombudsman may be handling[12] and to allow them to request access, rectification, erasure and restriction of the processing of their personal data if they so wish[13].

B - Within the mandate but inadmissible and admissible no grounds complaints

In the above cases, the Ombudsman does not consider the provision of individual information mentioned in point 2 above to be required because informing third-party data subjects individually about the fact that the Ombudsman may be processing data relating to them, even if possible, would result in an unnecessary multiplication of personal data which, having regard to the limited actions involved, namely the absence of any transfer of the complaint outside the Ombudsman's office, would involve a disproportionate effort[14].

The information note published on the Ombudsman's website and the present policy and the statement are deemed sufficient to provide all relevant information to individuals whose personal data the Ombudsman may be handling[15] and to allow them to request access, rectification, erasure and restriction of the processing of their personal data if they so wish[16].

C - Inquiries

In the above cases, the Ombudsman must first decide whether the data relating to third parties is or is not of relevance to the subject matter of the inquiry. One way of doing this is to examine whether the Ombudsman would deal with the inquiry any differently if the third-party data subject had not been mentioned or identified in the inquiry file.

Relevant data could, for example, be that relating to former professional experience of the EU official who is a member of a selection board alleged to have a conflict of interest. Irrelevant data could, for example, be that related to the marital status of that EU official. Further irrelevant data that is likely to be collected during the Ombudsman's investigation in a purely incidental fashion is, for example, that of names of other EU officials mentioned in the relevant institution's decisions and documents collected during the Ombudsman's inquiry.

The decision as to the relevance of that data and the underlying analysis will be set out in the summary which is registered in the relevant case file of the Ombudsman's Case Management System (CMS).

Irrelevant data

In cases where the data is irrelevant to the subject-matter of the inquiry, the Ombudsman does not consider the provision of individual information to the third party to be required because (i) since the data are irrelevant, the purpose for which the Ombudsman processes these personal data (handling of the complaint/inquiry) does not require the identification of the third-party data subjects by the Ombudsman[17]; and (ii) informing such third-party data subjects individually, even if possible, would result in an unnecessary multiplication of personal data and involve disproportionate effort having regard to the fact that the Ombudsman makes no use of the data in question in the context of her inquiry[18]. Manifestly irrelevant data included in the text of the complaint will not be further processed by the Ombudsman[19].

The information note published on the Ombudsman's website, the present policy and the statement are deemed sufficient to provide all relevant information to individuals whose personal data the Ombudsman may be handling[20] and to allow them to request access, rectification, erasure and restriction of the processing of their personal data if they so wish[21].

Relevant data

If the data is relevant, the Ombudsman considers providing the information of point 2 above to the third-party data subject.

However, if the assessment of the complaint allows for the conclusion that the third-party data subject already has the information (when, for example, the EU official alleged to have a conflict of interest has a full copy of the complaint and the supporting documents)[22], or that providing the information is impossible or involves disproportionate effort (when, for example, the person in question has, in the meantime, left the service and cannot be traced)[23], the Ombudsman records the detailed assessment leading to that conclusion in the summary of the case in the CMS and the note published on the Ombudsman's website, together with the present policy and statement, are deemed sufficient to provide the necessary information to individuals whose personal data the Ombudsman may be handling[24] and to allow them to request access, rectification, erasure and restriction of the processing of their personal data if they so wish[25].

In cases where the third-party data subject does not have the information and where  informing him/her is possible and does not involve a disproportionate effort, the Ombudsman examines whether informing the third-party data subject is likely to render impossible or seriously impair the achievement of the objectives of that processing, namely to properly investigate and decide on possible maladministration in the activities of EU institutions, bodies, offices or agencies, following an exercise of a fundamental right (a complaint to the Ombudsman) or on the Ombudsman’s own initiative[26].

This would be the case if, for example, the third-party data subject were in a position to influence the investigation: by hiding important evidence, for instance, or by retaliating against the complainant for his having exercised a fundamental right (to complain to the Ombudsman) with this having an impact on the investigation (with the complainant no longer willing to contribute to the inquiry, for example).

If, following the above analysis, the Ombudsman concludes that the provision of information to the third-party data subject is likely to render impossible or seriously impair the inquiry and the ability of the Ombudsman to reach a decision on the allegations of maladministration, the assessment and the ensuing conclusion will be recorded in the case file in the CMS. The note published on the Ombudsman's website, together with the present policy and statement, are deemed sufficient to provide the necessary information to individuals whose personal data the Ombudsman may be handling in such exceptional cases[27] and to allow them to request access, rectification, erasure and restriction of the processing of their personal data if they so wish[28].

If, on the contrary, the Ombudsman concludes that the provision of information to the third-party data subject is not likely to render impossible or seriously impair the inquiry and the ability of the Ombudsman to reach a decision on the allegations of maladministration, s/he provides the third-party data subject with the information set out in point 2 above as soon as the examination of the complaint is completed and the institution is informed[29].

4. Contributions in response to the Ombudsman's public consultations

The principles set out in this policy apply also to any personal data received in the context of the Ombudsman's public consultations.

 

Emily O'Reilly

Strasbourg, 16/07/2019

 

[1] Article 3(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, OJ 2018 L 295, p. 39: “’personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

[2] For a detailed analysis of the concept of personal data, please consult the opinion 4/2007 of the Article 29 Data Protection Working Party available here: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp136_en.pdf

[3] https://secure.edps.europa.eu/EDPSWEB/

[4] Article 16(1) and (2) of Regulation 2018/1725.

[5] Article 3(8) of Regulation 2018/1725: "’’controller’' means the Union institution or body or the directorate-general or any other organisational entity which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by a specific Union act, the controller or the specific criteria for its nomination can be provided for by Union law”.

[6] Article 5 of Regulation 2018/1725.

[7] Decision of the European Parliament of 9 March 1994 on the regulations and general conditions governing the performance of the Ombudsman's duties (94/262/ECSC, EC, Euratom), OJ 1994 L 113, p. 15, and amended by its decisions of 14 March 2002, OJ 2002 L 92, p. 13, and of 18 June 2008, OJ 2008 L 189, p. 25.

[8] Article 3(13) of Regulation 2018/1725: "'recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing”.

[9] Articles 17 to 20, and 23 of Regulation 2018/1725.

[10] Article 12(1) of Regulation 2018/1725: “If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation”.

[11] Article 16(5)(b) of Regulation 2018/1725: “Paragraphs 1 to 4 shall not apply where and insofar as:... the provision of such information proves impossible or would involve a disproportionate effort...”

[12] Article 16(6) of Regulation 2018/1725: “In the cases referred to in point (b) of paragraph 5 the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available”.

[13] Article 12(2) of Regulation 2018/1725: “Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 17 to 22 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification”. This could be the case for example, when a third-party data subject requests access to his/her personal data processed by the Ombudsman and, after a search in the Ombudsman’s Case Management System (CMS), the Ombudsman informs him/her that his/her data could not be found. However, if the data subject subsequently provides additional information, such as the number of the complaint or the name of the complainant, for example, this may then allow for his/her identification in the Ombudsman’s files and for the Ombudsman to take a decision on the request.

[14] Article 16(5)(b) of Regulation 2018/1725.

[15] Article 16(6) of Regulation 2018/1725.

[16] Article 12(2) of Regulation 2018/1725. See footnote 13 above.

[17] Article 12(1) of Regulation 2018/1725

[18] Article 16(5)(b) of Regulation 2018/1725.

[19] It is possible that data which may not be considered as relevant to the subject matter of an inquiry at its early stages, may however ultimately be used for the purposes of the inquiry and have an impact on its outcome.

[20] Article 16(6) of Regulation 2018/1725.

[21] Article 12(2) of Regulation 2018/1725. See footnote 13 above.

[22] Article 16(5)(a) of Regulation 2018/1725: “Paragraphs 1 to 4 shall not apply where and insofar as:...  the data subject already has the information...”

[23] Article 16(5)(b) of Regulation 2018/1725 : “Paragraphs 1 to 4 shall not apply where and insofar as:... the provision of such information proves impossible or would involve a disproportionate effort...”

[24] Article 16(6) of Regulation 2018/1725.

[25] Article 12(2) of Regulation 2018/1725. See footnote 13 above.

[26] Article 16(5)(b) of Regulation 2018/1725: “Paragraphs 1 to 4 shall not apply where and insofar as: ... the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing...”

[27] Article 16(6) of Regulation 2018/1725.

[28] Article 12(2) of Regulation 2018/1725. See footnote 13 above.

[29] Article 16(3) of Regulation 2018/1725: “The controller shall provide the information referred to in paragraphs 1 and 2:... (c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.”