The European Data Protection Supervisor (EDPS) gave his opinion on the targeted revision of the Regulation of the European Anti-Fraud Office (OLAF), proposed last May (see EUROPE 12025), on Tuesday 24 July in order to organise its collaboration with the European Public Prosecutor's Office (see EUROPE 12014).
Overall satisfied with the Commission's proposal, the EDPS called for a strict framework for the exchange of information between the two bodies and made several suggestions.
First recommendation: insert in the text a provision to clarify that "each indirect access to information from the European Public Prosecutor's Office case management system shall be carried out only for and to the extent necessary for the exercise of OLAF [...] and validated by internal procedure".
To this end, it recommends that the validation of each OLAF access to the management system of the European Public Prosecutor's Office be recorded. "This would allow for 'case-by-case' monitoring [by the OLAF Data Protection Officer and the EDPS as Supervisory Authority] of the need for OLAF to access the data", he explains.
It also believes that the working arrangements that will govern cooperation between the two bodies should address both the exchange of information and the definition of modus operandi.
With regard to investigations, both external and internal, the EDPS is of the opinion that, when OLAF accesses information, it should target the device that is "least intrusive" to privacy.
Thus, it proposes to delete in the text the provision that allows it to access information, "regardless of the medium on which it is stored" and to specify that access to information by OLAF is will do so in a "technologically neutral" manner while "targeting in the first place and, as a rule, devices with a clear indication of professional use".
More generally, the EDPS considers that, in each case, OLAF must delimit the object and purpose of the inspection "with a degree of precision sufficient to enable the economic operator covered by the investigation to limit its cooperation with OLAF to the specific issue under consideration and thus minimise the impact on privacy and data protection rights of its employees," he explains. (Original version in French by Marion Fontana)