Privacy statement (ex-post control)
1. Context and Controller
As the Agency collects and further processes personal data in the context of ex-post controls, it is subject to Regulation (EC) 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Union institutions and bodies and on the free movement of such data.
Ex-post controls comprise performance of financial audits and other checks on the compliance of implementation of the specific actions (projects) co-financed by the TEN-T programme through individual financing decisions.
Ex-post controls aim at verifying whether the costs declared in the financial statements have been properly incurred and are eligible costs, as defined under the decision granting financial aid for TEN-T projects. These ex-post controls are either carried out directly by staff of the TEN-T Executive Agency or the European Commission ("own-resource-audits") or outsourced to external audit firms. During these controls documents that may contain personal information (such as salary slips, time-recording systems, presence sheets, credit assessment reports, etc) may be collected by the controllers as evidence of the eligibility of claims from the Union budget (such as: claims for co-financing of staff costs, travel expenses etc.). If collected, such information will be processed by the Agency and by the European Commission in the exercise of its duties to ensure the regular use of the Union budget in accordance with the Financial Regulation (Council Regulation (EC, Euratom) N° 1605/2002 of 25 June 2002, as amended) and Implementing Rules (Commission Regulation (EC, Euratom) N° 2342/2002 of 23 December 2002, as amended by Commission Regulations N° 1261/2005, N° 1248/2006 and N° 478/2007), applicable to the general budget of the European Communities.
In order to carry out efficient ex-post controls and to detect anomalies, relevant Agency staff make use of information available on the Internet (open source data mining). In accordance with international professional audit standards the Agency has developed an audit policy which includes a risk-analysis component in view of fraud prevention and stronger detection capabilities.
Processing operations are under the responsibility of the Head of the Resources Unit, acting as Controller.
2. What personal information do we collect, for what purpose, under which legal bases and through which technical means?
Types of personal data
Personal data collected and further processed are all relevant data that may be requested by the Agency with a view to verifying that the co-financed action is properly managed in accordance with provisions of the project financing decision. The indicative list of data requested is given in the annex to the letter initiating the ex-post control, without prejudice for the Agency to ask any other relevant information as foreseen under the relevant Article of the financing decision.
Ex-post controls of TEN-T projects aim at verifying beneficiary's or subcontractors' or third parties' compliance with all provisions of the financing decision (including financial provisions), in view of checking that the co-financed project is properly implemented and in view of assessing the legality and regularity of the transaction underlying the implementation of the European Union budget.
The possibility for the Agency and the European Commission to carry out ex-post controls is foreseen in the model financing decision adopted by the EC, as required by the Financial Regulation applicable to the General Budget of the European Communities (art. 170, 60.4), and its Implementing Rules (art. 47.4).
For the preparation of audit file and audit selection: use of data already existing in the Agency's or Commission's secured applications accessible only to relevant staff.
During the audit procedure, personal data are collected when relevant either by e-mail or on paper or as electronic files and stored in computer systems accessible only to relevant staff.
Data collected from open sources including information available from internet sources is kept under the same conditions as set out above. All data are kept under the responsibility of the Controller mentioned under point 1.
3. Who has access to your personal data and to whom is it disclosed?
For the purpose detailed above, access to your personal data is given to the staff of the Agency in charge of ex-post controls, without prejudice to a possible transmission to the authorising officer responsible of the project and to the bodies in charge of a monitoring or inspection task in accordance with Union law (European Commission, OLAF, Court of Auditors, Ombudsman, EDPS, IDOC, Internal Audit Service of the Commission).
4. How do we protect and safeguard your information?
The collected personal data and all related information are stored after closure of the desk control or audit on the premises and on local servers of the Agency. The Agency's premises and operations of all servers abide by the European Commission's security decisions and provisions established by the Security Directorate of the European Commission.
5. How can you verify, modify or delete your information?
In case you wish to verify which personal data that relate to you are stored by the responsible Controller, have it modified, corrected, or deleted, please make use of the contact information mentioned below, by explicitly describing your request.
6. How long do we keep your personal data?
Data are stored until 7 years after the closure of the ex-post control on condition that no contentious occurred; in this case, data will be kept until the end of the last possible legal procedure.
7. Contact information
For any questions related to your rights, feel free to contact the Controller, by using the following contact information, and by explicitly specifying your request: TENEA-EXT-AUDIT@ec.europa.eu
You have right of recourse at any time to the Data Protection Officer of the Agency (TENEA-DPO@ec.europa.eu) or in case of conflict with the Controller or data protection officer concerning the processing of your personal data, you have the right to submit a complaint at any time to the directly to the European Data Protection Supervisor.