New EU funding rules: processing of personal data must be clarified

In its Opinion published today, the EDPS fully supports the goals of the proposed amendments to the financial rules on the general budget of the European Union, but strongly recommends specifying the types of personal data to be processed, from where this data is sourced, as well as the means and duration of the processing.

According to the European Commission’s proposal, the amendments of the financial rules aim to improve the way financial and personal data is processed to prevent, detect, investigate, correct fraud or financial irregularities effectively, when distributing EU funding. Concretely, the Proposal introduces an obligation, for the different bodies implementing the EU budget, to record data about the recipients of EU funding, and to use a single-integrated IT system for data-mining and risk-scoring to analyse this data.

Wojciech Wiewiórowski, EDPS, said: “Whilst processing personal data to ensure the proper management of EU funds may be necessary, the new rules should also include further safeguards to protect individuals concerned against the risks of their data being misused. In addition to these clear and precise rules, the necessary technical and organisational measures should be put in place to protect this data, in compliance with EU data protection law, namely Regulation (EU) 2018/1725 and the General Data Protection Regulation”.

In its Opinion, the EDPS advises the EU legislator to specify explicitly all the categories of financial and personal data that are necessary to process in light of the Financial Regulation’s objectives. The sources from which these categories of data come should also be identified clearly, especially if this data is to be compared to other categories of data to analyse and draw potential conclusions about an entity’s financial profile, or to assess an entity’s financial risk to determine whether they may be entitled to EU funding. It is also important that measures are put in place to ensure the quality and accuracy of this data, in particular if this data comes from third parties, underlines the EDPS.

The EDPS recommends that the EU legislator clarifies the type of single-integrated IT system that may be utilised for the processing of this data. In particular, new rules should provide a general description of the system, including entities that may make use of the single-integrated IT system for data-mining, risk-scoring, and relevant applicable safeguards. The EDPS also advises further clarifying the type of data processing operations and the logic involved in data-mining and risk-scoring, as envisaged by the Proposal. Any new, or pre-existing, IT system foreseen must include, in its design and development, appropriate and robust safeguards that ensure the protection of this data, according to EU data protection law, highlights the EDPS. To complement these recommendations, the duration of processing of this data must be defined in the EU legislator’s amendments, insists the EDPS.