Document register | Riigi Tugiteenuste Keskus |
Reference | 11.1-8/24/471-1 |
Registered | 14.02.2024 |
Synchronised | 31.03.2024 |
Type | Incoming letter |
Function | 11.1 Development, certification and supervision of grants |
Series | 11.1-8 EU Structural Funds correspondence |
File | 11.1-8/2024 |
Access restriction | Public |
Access restriction | |
Addressee | European Commission |
Method of arrival/dispatch | European Commission |
Responsible person | Siret Soonsein (Riigi Tugiteenuste Keskus, departments reporting to the Deputy Director General, Grants Development Department, Grants Administration Unit) |
Mr. Aivo Orav
Ambassador, Permanent Representative
Permanent Representation of Estonia to the
EU
Rue Guimard 11/13, 1040, Brussels
Mr. Mart Võrklaev
Minister of Finance
Ministry of Finance
Suur-Ameerika 1, 10122 Tallinn
Commission européenne/Europese Commissie, 1049 Bruxelles/Brussel, BELGIQUE/BELGIË — Tel. +32 22991111
EUROPEAN COMMISSION
DIRECTORATE-GENERAL
ECONOMIC AND FINANCIAL AFFAIRS
Resources and performance management
The Director
Brussels, ECFIN/R4/MV/GG(2024)1266596
Subject: EPM 'System audit on measures implemented to protect the financial
interests of the Union'
Estonian Recovery and Resilience Plan
Ref.: EE-Q1-2024 Fact finding mission on Public Procurement and State Aid (to
be used in all correspondence)
Your Excellency,
I am writing to inform you that the Directorate-General for Economic and Financial Affairs
will carry out a fact finding mission in relation to the Estonian Recovery and Resilience
Plan (hereafter “Plan”). The legal basis for the audit is laid down in the Financial
Regulation, namely in its Articles 74(6) and 129(1) and in the Financing Agreement
under Articles 11(4) and 12(1).
The audit is planned to take place (remotely by video-conference) from 20 February 2024
to 21 February 2024.
The main objective of the audit is to assess the Member State's internal control systems
in their capacity to ensure compliance with EU and national law.
The audit will focus in particular on the following objectives:
• Verify that the authorities entrusted with the implementation of the measures carry out
the Public Procurement (PP) and State Aid (SA) procedures according to the EU and
national law.
• Verify the presence of an effective system to ensure the compliance with national and
EU law, especially regarding PP and SA.
The measure selected to verify Public Procurement (PP) is:
SEQUENTIAL NUMBER (AS IN CID) | NAME OF MEASURE | MILESTONE / TARGET | INDICATORS (QUANTITATIVE / QUALITATIVE) |
EE-C[C]-I[3-4-.3-4-]-T[51] | ACCESS TO DIGITAL PUBLIC SERVICES THROUGH THE VIRTUAL ASSISTANT PLATFORM | target | 1 NUMBER OF PUBLIC DIGITAL SERVICES ACCESSIBLE THROUGH THE VIRTUAL ASSISTANT |
The measure selected to verify State Aid (SA) is:
SEQUENTIAL NUMBER (AS IN CID) | NAME OF MEASURE | MILESTONE / TARGET | INDICATORS (QUANTITATIVE / QUALITATIVE) |
EE-C[B]-I[2-5-.2-5-]-M[34] | PUBLICATION OF CALL FOR PROPOSALS FOR GRANTS | milestone | PUBLICATION OF THE NOTICE FOR CALLS FOR PROPOSALS FOR GRANTS |
The audit work to be carried out online (by video-conference) will consist of:
1) Inspection and review of the relevant documentation (manuals, procedures, checklists,
supporting documentation, working papers, contracts etc.);
2) Interviews with the staff responsible;
3) Checks of PP and SA procedures carried out at the level of Implementing Bodies and
the Audit Authority (or in case of state aid at any other responsible body).
The online audit will be conducted with the authorities responsible (1) for checking
compliance with the applicable SA and PP rules concerning the above indicated selected
measures. Additionally, the Ministry of Finance of the Republic of Estonia as the
Estonian coordinating body and the Estonian Audit Authority will be invited to discuss
how the checks on SA and PP rules are generally organised.
The unit in the European Commission responsible for this audit is ECFIN.R4 and the
responsible auditors are Emese Pásztélyi (+32 229-91945,
[email protected]) and Giulia GALLI, +32 229-88200,
I would be grateful if the Estonian authorities concerned would provide the information
described in Annex III.
Further details regarding this audit, including the detailed agenda, will be communicated
later following the analysis of the information requested above.
The Commission services would like to draw your attention to the fact that data collected
during the audit may include information relating to an identified or identifiable natural
person (‘data subject’). Such information could be stored on the servers of the
Commission. Regulation (EC) No 2018/1725 (OJ L 295, 21.11.2018, p.39) of the
European Parliament and of the Council, applicable to Union institutions, and Regulation
(EU) 2016/679 (OJ L 119, 4.5.2016, p.1), applicable to Member States, protect the right
to privacy of natural persons with respect to the processing of personal data. In order to
inform the data subjects of their rights, you are kindly asked to deliver the enclosed
Information note on Protection of Personal Data collected by DG Economic and
Financial Affairs’ Audit Unit (Annex I) to the bodies or organisations to be audited in
the context of this audit.
(1) The responsible authorities will be defined in the final agenda.
Yours faithfully,
Bernadette Frederick
e-signed
Enclosure: Annex I - Information note on Protection of Personal Data collected by
Directorate-General for Economic and Financial Affairs’ audit unit at the
European Commission
c.c.:
Kaur Siruli, Head of Financial Control Department, Ministry of
Finance of the Republic of Estonia, the RRF audit body
Mart Pechter, Advisor of the Financial Control Department, Ministry
of Finance of the Republic of Estonia, the RRF audit body
Triin Tomingas, Head of Foreign Financing Unit, State Budget
Department, Ministry of Finance of the Republic of Estonia
Siret Soosein, Expert, State Shared Service Centre, RRP coordinator
Katri Targama, Head of the Grants Management Unit, State Shared
Services Centre
Directorate-General for Economic and Financial Affairs
Mark Schelfhout, Head of Unit, ECFIN R.4
Jakob Wegener Friis, Director ECFIN E
Joern Griesse, Head of Unit, ECFIN E.2
Recovery and Resilience Task Force
Maria Teresa Fabregas Fernandez, Director, SG.RECOVER.B
Luca Rossi, Head of Unit, SG.RECOVER.B2
Ave Schank-Lukas, SG.RECOVER.B2 – Tallinn
Joint audit service for Cohesion (DAC)
Franck Sebert, Director, REGIO.EMPL.DAC
European Anti-fraud Office (OLAF):
James Sweeney, Director, OLAF.C – Anti-Fraud Knowledge Centre
Charlotte Arwidi, Head of Unit OLAF.C.1 - Anti-Corruption, Anti-
Fraud Strategy and Analysis
European Court of Auditors
Annex I - Information note on Protection of Personal Data collected by Directorate-
General for Economic and Financial Affairs’ audit unit at the European
Commission
1. Introduction
The European Commission (hereafter ‘the Commission’) is committed to protecting your
personal data and to respecting your privacy. The Commission collects and further processes
personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of
the Council of 23 October 2018 on the protection of natural persons with regard to the
processing of personal data by the Union institutions, bodies, offices and agencies and on
the free movement of such data (repealing Regulation (EC) 45/2001).
This privacy statement explains the reason for the processing of your personal data, the
way we collect, handle and ensure protection of all personal data provided, how that
information is used and what rights you have in relation to your personal data. It also
specifies the contact details of the responsible Data Controller with whom you may
exercise your rights, the Data Protection Officer and the European Data Protection
Supervisor.
This privacy statement concerns the processing operation ‘External audits and controls’,
undertaken by the Commission (DG ECFIN, unit R.4) as presented below.
2. Why and how do we collect your personal data?
Purpose of the processing operation: The Commission collects and uses your personal
data to do any kind of financial control including ex-ante controls, desk checks, financial
verifications and audits of grant agreements or contracts to verify beneficiaries’ or
contractors’, subcontractors’ or third parties’ compliance with all contractual provisions
(including financial provisions), in view of checking that the provisions of the grant
agreements or the contracts are being properly implemented and in view of assessing the
legality and regularity of the transaction underlying the implementation of the general
budget of the Union.
Your personal data will not be used for automated decision-making, including
profiling.
3. On what legal ground(s) do we process your personal data?
The possibility for the Commission to carry out checks and financial controls is foreseen
in the model grant agreement and contract signed between the Commission and the
beneficiary/contractor, as required by the Financial Regulation (‘FR’) applicable to the
General Budget of the European Communities (2).
We process your personal data because:
The processing operations on personal data carried out in the context of audit and control
activities (3) are necessary and lawful under the following articles of the Regulation (EU)
1725/2018:
a) processing is necessary for the performance of a task carried out in the public interest
or in the exercise of official authority vested in the Union institution or body (4);
b) processing is necessary for compliance with a legal obligation to which the controller
is subject (5).
(2) Articles 117-123 FR on internal audits, article 127 on cross-reliance audits, articles 183 and 203 FR on
audits covering grant agreements and articles 254 – 259 FR on external audits by the Court of
Auditors.
4. Which personal data do we collect and further process?
In order to carry out any kind of financial controls, ex-ante and ex-post, the Data
Controller could collect the following categories of personal data:
Mandatory:
• Mandatory contact data: name, company, e-mail address, telephone number;
• Mandatory data for access to finance and contractual obligations. Such data can
be: bank account reference (IBAN and BIC codes), VAT number, passport or ID
number; timesheets, salary slips, accounts, details of the costs, missions, reports,
information coming from local IT system used to declare costs as eligible,
supporting documents linked to travel costs, minutes from mission and other
similar data depending on the nature of the grant/contract, etc.;
• Mandatory information for the evaluation of selection criteria or eligibility
criteria: expertise, technical skills and languages, educational background,
professional experience, including details on current and past employment;
Voluntary:
• Voluntary data: other contact details (mobile telephone number, fax number,
professional postal address, function and department, country of residence);
• Voluntary data that may be collected by the website if there is consent to its
cookies: IP address, language preference, etc.
(3) The audit and control activities are varied across the Commission departments as they can be
conducted at any time during the performance of the programme or project and can concern
beneficiaries, projects, system, transactions, etc. depending on the needs of the contracting authority.
The audit and control activities may be carried out on documents and/or on the spot, and may be
carried out either before or after the final payment to the beneficiary. Audits and controls of documents
may be carried out in any place where the funds in question are managed or used; the geographical
scope is therefore worldwide.
The specific contract should specify what the audit and control is to cover (subject and location).
(4) Article 5 (1) (a) of Regulation (EU) 2018/1725 and, in particular, Articles 317, 319 TFEU and Article
106 (a) of the Euratom Treaty.
(5) In particular Articles 117, 183, 203.4 and 5, and 262 of the FR.
5. How long do we keep your data?
The Data Controller only keeps your personal data for the time necessary to fulfil the
purpose of collection or further processing, namely for 5 years after the audit is closed on
condition that no contentious issues occurred; in this case, data will be kept until the end
of the last possible legal procedure.
6. How do we protect and safeguard your personal data?
All personal data in electronic format (e-mails, documents, databases, uploaded batches
of data, etc.) are stored either on the servers of the European Commission or of its
contractors (processors), if contractors are engaged to assist the controller. All
processing operations are carried out pursuant to the Commission Decision (EU,
Euratom) 2017/46 of 10 January 2017 on the security of communication and information
systems in the Commission.
In order to protect your personal data, the Commission has put in place a number of
technical and organisational measures. Technical measures include appropriate
actions to address online security, risk of data loss, alteration of data or unauthorised
access, taking into consideration the risk presented by the processing and the nature of
the personal data being processed. Organisational measures include restricting access to
the personal data solely to authorised persons with a legitimate need to know for the
purposes of this processing operation.
If the controller uses (a) contractor(s) (processor(s)) to assist the controller, this will be
indicated in the specific privacy statement and the following paragraph will be provided:
The Commission’s contractors are bound by a specific contractual clause for any
processing operations of your data on behalf of the Commission, and by the
confidentiality obligations deriving from the transposition of the General Data Protection
Regulation in the EU Member States (‘GDPR’ Regulation (EU) 2016/679).
7. Who has access to your data and to whom is it disclosed?
Access to your personal data may be provided on a ‘need to know’ basis to Commission
services and staff dealing with the external audit or control (including those
supervising/approving), inclusive of OLAF.
In addition, staff from the Council, European Parliament, European Court of Auditors
may have access to your personal data. Finally, your data may be shared with national
managing, certifying and audit authorities in shared management, beneficiaries/final
recipients and external contractors.
The information we collect will not be given to any third party, except to the extent and
for the purpose we may be required to do so by Union law, including the possible
transmission of personal data to EU bodies or institutions in charge of audit or inspection
in accordance with the EU Treaties.
8. What are your rights and how can you exercise them?
You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of
Regulation (EU) 2018/1725, in particular the right to access, rectify or erase your
personal data and the right to restrict the processing of your personal data. Where
applicable, you also have the right to object to the processing or the right to data
portability.
You have the right to object to the processing of your personal data, which is lawfully
carried out pursuant to Article 5(1)(a) on grounds relating to your particular situation.
You can exercise your rights by contacting the Data Controller, or in case of conflict the
Data Protection Officer. If necessary, you can also address the European Data Protection
Supervisor. Their contact information is given under Heading 9 below.
Where you wish to exercise your rights in the context of one or several specific
processing operations, please provide their description (i.e. their Record reference(s) as
specified under Heading 10 below) in your request.
9. Contact information
- The Data Controller
If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you
have comments, questions or concerns, or if you would like to submit a complaint
regarding the collection and use of your personal data, please feel free to contact the Data
Controller.
European Commission, DG ECFIN, Unit R.4 at [email protected].
- The Data Protection Officer of the European Commission
You may contact the Data Protection Officer ([email protected]) with
regard to issues related to the processing of your personal data under Regulation (EU)
2018/1725.
- The European Data Protection Supervisor (EDPS)
You have the right to have recourse (i.e. you can lodge a complaint) to the European
Data Protection Supervisor,
https://edps.europa.eu/data-protection/our-role-supervisor/complaints_en
or [email protected], if you consider that your rights under
Regulation (EU) 2018/1725 have been infringed as a result of the processing of your
personal data by the Data Controller.
10. Where to find more detailed information?
The Commission Data Protection Officer (DPO) publishes the register of all processing
operations on personal data by the Commission, which have been documented and
notified to him. You may access the register via the following link:
http://ec.europa.eu/dpo-register.
This specific processing operation has been included in the DPO’s public register with
the following Record reference: 04466.1
Annex II - ANNEX I (6) Key requirements of the Member State’s control system
1) In compliance with Article 22(1) of the RRF Regulation, the Member State shall
provide an effective and efficient internal control system, including separation of
functions and reporting and monitoring arrangements. Member States may rely on
their regular national budget management systems.
This includes:
• the nomination of an authority as “coordinator” having the overall responsibility for
monitoring the implementation of the RRP on behalf of the Member State and being
the single point of contact for the Commission;
• that the coordinator has the (i) administrative capacity in terms of human resources
(staff numbers and profiles), institutional experience and expertise, and (ii) the
mandate and authority to exercise all relevant tasks, including reporting and
monitoring responsibilities;
• the identification of the authorities entrusted with the implementation of the RRP
measures;
• the identification of the authority responsible for signing the management declaration
accompanying the payment requests with procedures ensuring that this authority will
get assurance about the satisfactory fulfilment of the milestones and targets set in the
RRP, that the funds were managed in accordance with all applicable rules, in
particular rules on avoidance of conflicts of interests, fraud prevention, corruption
and double funding;
• an appropriate separation between implementation and audit functions.
2) In compliance with Article 22(2)(a) of the RRF Regulation, the Member State shall
conduct an effective implementation of proportionate anti-fraud and anti-corruption
measures, as well as any necessary measure to effectively avoid conflict of interests.
This includes:
• appropriate measures related to the prevention, detection and correction of fraud,
corruption and conflict of interest, as well as avoidance of double funding and to take
legal actions to recover funds that have been misappropriated;
• a fraud risk assessment and the definition of appropriate anti-fraud mitigating
measures.
3) In compliance with Article 22(2)(c) of the RRF Regulation, the Member State shall
maintain appropriate procedures for drawing up the management declaration and
summary of the audits carried out at national level.
This includes:
• an effective procedure for drawing up the Management Declaration, documenting the
summary of audits and keeping the underlying information for audit trail;
• effective procedures to ensure that all cases of fraud, corruption and conflict of
interests are properly reported and corrected through recoveries.
(6) This refers to Annex I of the Financing Agreement between the European Commission and the
Member State in question.
4) To provide the information necessary for Article 22(2)(c)(i) of the RRF Regulation,
the Member State shall ensure appropriate measures, including procedures for
checking the fulfilment of milestones and targets and compliance with horizontal
principles of sound financial management.
This includes:
• appropriate measures through which authorities entrusted with the implementation of
the RRP measures will check the fulfilment of milestones and targets (e.g. desk
reviews, on-the-spot checks);
• appropriate measures through which the authorities entrusted with the
implementation of the RRP measures will check the absence of serious irregularities
(fraud, corruption and conflict of interest) and double funding (e.g. desk reviews, on-
the-spot checks).
5) In compliance with Article 22(1) of the RRF Regulation and to provide the
information necessary for Article 22(2)(c)(ii) of the RRF Regulation, the Member
State shall conduct adequate and independent audits of systems and cases of support
to investments and reforms.
This includes:
• the identification of the body/ies which will carry out the audits of systems and cases
of support to investments and reforms and how its/their functional independence is
ensured;
• the allocation of sufficient resources to this body/ies for the purpose of the RRF;
• the effective tackling by the audit body/ies of the risk of fraud, corruption, conflict of
interest and double funding both through system audits and audits of cases of support
to investments and reforms.
6) In compliance with Article 22(2)(d) and (e) of the RRF Regulation, the Member State
shall maintain an effective system to ensure that all information and documents
necessary for audit trail purposes are held.
This includes:
• effective collection and storage of data on the final recipients of funds;
• access for the Commission, OLAF, ECA and EPPO (where applicable) to the data on
final recipients, contractors, subcontractors and beneficial owners for the purpose of
audit and control.
Annex III – List of information requested for the audit
I would be grateful if the German authorities concerned would provide the information
set out below, in order to ensure a satisfactory preparation of the audit:
1. Documentation of public procurement procedures, especially:
a. Evidence of a competitive process
i. Contract notice and prior information notice, if relevant (OJEU);
ii. Procurement documents including technical specifications;
iii. Record of tenders received;
iv. Evidence of the opening of tenders;
v. Evidence of the selection of tenders including scoring against the set
criteria;
vi. Evidence of the evaluation of tenders including scoring against the set
criteria;
vii. Evaluation report;
viii. Notifications to successful and unsuccessful tenderers;
ix. Formal contract;
x. Contract award notice (OJEU).
b. Evidence of an adequate implementation
i. Proof/acceptance of deliveries;
ii. Evidence that deliveries correspond to the technical specifications;
iii. Justification of contract modifications in specific circumstances, if
relevant.
c. List of all RRF milestones and targets related to the payment request
concerned by PP
d. Checks/Checklist conducted on PP.
2. Documentation on state aid (SA)
a. Guidance documents, procedures, instructions
b. List of RRF measures concerned by SA (notified, pre-notified, existing
GBER, potential SA)
c. Checks/Checklist conducted on SA
d. Any other relevant documentation.
Electronically signed on 13/02/2024 15:24 (UTC+01) in accordance with Article 11 of Commission Decision (EU) 2021/2121
Mr. Aivo Orav
Ambassador, Permanent Representative
Permanent Representation of Estonia to the
EU
Rue Guimard 11/13, 1040, Brussels
Mr. Mart Võrklaev
Minister of Finance
Ministry of Finance
Suur-Ameerika 1, 10122 Tallinn
Commission européenne/Europese Commissie, 1049 Bruxelles/Brussel, BELGIQUE/BELGIË — Tel. +32 22991111
EUROPEAN COMMISSION
DIRECTORATE-GENERAL
ECONOMIC AND FINANCIAL AFFAIRS
Resources and performance management
The Director
Brussels, ECFIN/R4/MV/GG(2024)1266596
Subject: EPM 'System audit on measures implemented to protect the financial
interests of the Union'
Estonian Recovery and Resilience Plan
Ref.: EE-Q1-2024 Fact finding mission on Public Procurement and State Aid (to
be used in all correspondence)
Your Excellency,
I am writing to inform you that Directorate-General for Economic and Financial Affairs
will carry out a fact finding mission in relation to the Estonian Recovery and Resilience
Plan (hereafter “Plan”). The legal basis for the audit is laid down in the Financial
Regulation, namely in its Articles 74(6) and 129(1) and in the Financing Agreement
under Articles 11(4) and 12(1).
The audit is planned to take place (remotely by video-conference) from 20 February 2024
to 21 February 2024.
The main objective of the audit is to assess the Member State's internal control systems
in their capacity to ensure compliance with EU and national law.
The audit will focus in particular on the following objectives:
• Verify that the authorities entrusted with the implementation of the measures carry out
the Public Procurement (PP) and State Aid (SA) procedures according to the EU and
national law.
• Verify the presence of an effective system to ensure the compliance with national and
EU law, especially regarding PP and SA.
The measure selected to verify Public Procurement (PP) is:
SEQUENTIAL
NUMBER (AS IN
CID)
NAME OF MEASURE MILESTONE
/ TARGET
INDICATORS
(QUANTITATIVE / QUALITATIVE)
EE-C[C]-I[3-4-.3-
4-]-T[51]
ACCESS TO DIGITAL PUBLIC
SERVICES THROUGH THE
VIRTUAL ASSISTANT
PLATFORM
target 1 NUMBER OF PUBLIC DIGITAL SERVICES
ACCESSIBLE THROUGH THE VIRTUAL
ASSISTANT
The measure selected to verify State Aid (SA) is:
SEQUENTIAL
NUMBER
(AS IN CID)
NAME OF MEASURE MILESTONE
/ TARGET
INDICATORS
(QUANTITATIVE / QUALITATIVE)
EE-C[B]-I[2-5-.2-
5-]-M[34]
PUBLICATION OF CALL FOR
PROPOSALS FOR GRANTS milestone
PUBLICATION OF THE NOTICE FOR CALLS FOR
PROPOSALS FOR GRANTS
The audit work to be carried out online (by video-conference) will consist of:
1) Inspection and review of the relevant documentation (manuals, procedures, checklists,
supporting documentation, working papers, contracts etc.);
2) Interviews with the staff responsible
3) Checks of PP and SA procedures carried out at the level of Implementing Bodies and
the Audit Authority (or in case of state aid at any other responsible body).
The online audit will be conducted with the authorities responsible (1) for checking
compliance with the applicable SA and PP rules concerning the above indicated selected
measures. Additionally, the Ministry of Finance of the Republic of Estonia as the
Estonian coordinating body and the Estonian Audit Authority will be invited to discuss
how the checks on SA and PP rules are generally organised.
The unit in the European Commission responsible for this audit is ECFIN.R4 and the
responsible auditors are Emese Pásztélyi (+32 229-91945,
[email protected]) and Giulia GALLI, +32 229-88200,
I would be grateful if the Estonian authorities concerned would provide the information
described in Annex III.
Further details regarding this audit, including the detailed agenda will be communicated
later following the analysis of the information requested above.
The Commission services would like to draw your attention to the fact that data collected
during the audit may include information relating to an identified or identifiable natural
person (‘data subject’). Such information could be stored on the servers of the
(1) The responsible authorities will be defined in the final agenda.
Commission. Regulation (EC) No 2018/1725 (OJ L 295, 21.11.2018, p.39) of the
European Parliament and of the Council, applicable to Union institutions, and Regulation
(EU) 2016/679 (OJ L 119, 4.5.2016, p.1), applicable to Member States, protect the right
to privacy of natural persons with respect to the processing of personal data. In order to
inform the data subjects of their rights, you are kindly asked to deliver the enclosed
Information note on Protection of Personal Data collected by DG Economic and
Financial Affairs’ Audit Unit (Annex I) to the bodies or organisations to be audited in
the context of this audit.
Yours faithfully,
Bernadette Frederick
e-signed
Enclosure: Annex I - Information note on Protection of Personal Data collected by
Directorate-General for Economic and Financial Affairs’ audit unit at the
European Commission
c.c.:
Kaur Siruli, Head of Financial Control Department, Ministry of
Finance of the Republic of Estonia, the RRF audit body
Mart Pechter, Advisor of the Financial Control Department, Ministry
of Finance of the Republic of Estonia, the RRF audit body
Triin Tomingas, Head of Foreign Financing Unit, State Budget
Department, Ministry of Finance of the Republic of Estonia
Siret Soosein, Expert, State Shared Service Centre, RRP coordinator
Katri Targama, Head of the Grants Management Unit, State Shared
Services Centre
Directorate-General for Economic and Financial Affairs
Mark Schelfhout, Head of Unit, ECFIN R.4
Jakob Wegener Friis, Director ECFIN E
Joern Griesse, Head of Unit, ECFIN E.2
Recovery and Resilience Task Force
Maria Teresa Fabregas Fernandez, Director, SG.RECOVER.B
Luca Rossi, Head of Unit, SG.RECOVER.B2
Ave Schank-Lukas, SG.RECOVER.B2 – Tallinn
Joint audit service for Cohesion (DAC)
Franck Sebert, Director, REGIO.EMPL.DAC
European Anti-fraud Office (OLAF):
James Sweeney, Director, OLAF.C – Anti-Fraud Knowledge Centre
Charlotte Arwidi, Head of Unit OLAF.C.1 - Anti-Corruption, Anti-
Fraud Strategy and Analysis
European Court of Auditors
Annex I - Information note on Protection of Personal Data collected by Directorate-
General for Economic and Financial Affairs’ audit unit at the European
Commission
1. Introduction
The European Commission (hereafter ‘the Commission’) is committed to protect your
personal data and to respect your privacy. The Commission collects and further processes
personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of
the Council of 23 October 2018 on the protection of natural persons with regard to the
processing of personal data by the Union institutions, bodies, offices and agencies and on
the free movement of such data, is applicable (repealing Regulation (EC) 45/2001).
This privacy statement explains the reason for the processing of your personal data, the
way we collect, handle and ensure protection of all personal data provided, how that
information is used and what rights you have in relation to your personal data. It also
specifies the contact details of the responsible Data Controller with whom you may
exercise your rights, the Data Protection Officer and the European Data Protection
Supervisor.
This privacy statement concerns the processing operation ‘External audits and controls’,
undertaken by the Commission (DG ECFIN, unit R.4) as presented below.
2. Why and how do we collect your personal data?
Purpose of the processing operation: The Commission collects and uses your personal
data to do any kind of financial control including ex-ante controls, desk checks, financial
verifications and audits of grant agreements or contracts to verify beneficiaries’ or
contractors’, subcontractors’ or third parties’ compliance with all contractual provisions
(including financial provisions), in view of checking that the provisions of the grant
agreements or the contracts are being properly implemented and in view of assessing the
legality and regularity of the transaction underlying the implementation of the general
budget of the Union.
Your personal data will not be used for an automated decision-making including
profiling.
3. On what legal ground(s) do we process your personal data?
The possibility for the Commission to carry out checks and financial controls is foreseen
in the model grant agreement and contract signed between the Commission and the
beneficiary/contractor, as required by the Financial Regulation (‘FR’) applicable to the
General Budget of the European Communities (2).
We process your personal data because:
(2) Articles 117-123 FR on internal audits, article 127 on cross-reliance audits, articles 183 and 203 FR on
audits covering grant agreements and articles 254 – 259 FR on external audits by the Court of
Auditors.
The processing operations on personal data carried out in the context of audit and control
activities (3) are necessary and lawful under the following articles of the Regulation (EU)
1725/2018:
a) processing is necessary for the performance of a task carried out in the public interest
or in the exercise of official authority vested in the Union institution or body (4);
b) processing is necessary for compliance with a legal obligation to which the controller
is subject (5).
4. Which personal data do we collect and further process?
In order to carry out any kind of financial controls, ex-ante and ex-post, the Data
Controller could collect the following categories of personal data:
Mandatory:
• Mandatory contact data: name, company, e-mail address, telephone number;
• Mandatory data for access to finance and contractual obligations. Such data can
be: bank account reference (IBAN and BIC codes), VAT number, passport or ID
number; timesheets, salary slips, accounts, details of the costs, missions, reports,
information coming from local IT system used to declare costs as eligible,
supporting documents linked to travel costs, minutes from mission and other
similar data depending on the nature of the grant/contract, etc.;
• Mandatory information for the evaluation of selection criteria or eligibility
criteria: expertise, technical skills and languages, educational background,
professional experience, including details on current and past employment;
Voluntary:
• Voluntary data: other contact details (mobile telephone number, fax number,
professional postal address, function and department, country of residence);
• Voluntary data that may be collected by the website if there is consent to its
cookies: IP address, language preference, etc.
(3) The audit and control activities are varied across the Commission departments as they can be
conducted at any time during the performance of the programme or project and can concern
beneficiaries, projects, system, transactions, etc. depending on the needs of the contracting authority.
The audit and control activities may be carried out on documents and/or on the spot, and may be
carried out either before or after the final payment to the beneficiary. Audits and controls of documents
may be carried out in any place where the funds in question are managed or used; the geographical
scope is therefore worldwide.
The specific contract should specify what the audit and control is to cover (subject and location).
(4) Article 5 (1) (a) of Regulation (EU) 2018/1725 and, in particular, Articles 317, 319 TFEU and Article
106 (a) of the Euratom Treaty.
(5) In particular Articles 117, 183, 203.4 and 5, and 262 of the FR.
5. How long do we keep your data?
The Data Controller only keeps your personal data for the time necessary to fulfil the
purpose of collection or further processing, namely for 5 years after the audit is closed on
condition that no contentious issues occurred; in this case, data will be kept until the end
of the last possible legal procedure.
6. How do we protect and safeguard your personal data?
All personal data in electronic format (e-mails, documents, databases, uploaded batches
of data, etc.) are stored either on the servers of the European Commission or of its
contractors (processors), if contractors are engaged to assist the controller. All
processing operations are carried out pursuant to the Commission Decision (EU,
Euratom) 2017/46 of 10 January 2017 on the security of communication and information
systems in the Commission.
In order to protect your personal data, the Commission has put in place a number of
technical and organisational measures. Technical measures include appropriate
actions to address online security, risk of data loss, alteration of data or unauthorised
access, taking into consideration the risk presented by the processing and the nature of
the personal data being processed. Organisational measures include restricting access to
the personal data solely to authorised persons with a legitimate need to know for the
purposes of this processing operation.
If the controller uses (a) contractor(s) (processor(s)) to assist the controller, this will be
indicated in the specific privacy statement and the following paragraph will be provided:
The Commission’s contractors are bound by a specific contractual clause for any
processing operations of your data on behalf of the Commission, and by the
confidentiality obligations deriving from the transposition of the General Data Protection
Regulation in the EU Member States (‘GDPR’ Regulation (EU) 2016/679).
7. Who has access to your data and to whom is it disclosed?
Access to your personal data may be provided on a ‘need to know’ basis to Commission
services and staff dealing with the external audit or control (including those
supervising/approving), inclusive of OLAF.
In addition, staff from the Council, European Parliament, European Court of Auditors
may have access to your personal data. Finally, your data may be shared with national
managing, certifying and audit authorities in shared management, beneficiaries/final
recipients and external contractors.
The information we collect will not be given to any third party, except to the extent and
for the purpose we may be required to do so by Union law, including the possible
transmission of personal data to EU bodies or institutions in charge of audit or inspection
in accordance with the EU Treaties.
8. What are your rights and how can you exercise them?
You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of
Regulation (EU) 2018/1725, in particular the right to access, rectify or erase your
personal data and the right to restrict the processing of your personal data. Where
applicable, you also have the right to object to the processing or the right to data
portability.
You have the right to object to the processing of your personal data, which is lawfully
carried out pursuant to Article 5(1)(a) on grounds relating to your particular situation.
You can exercise your rights by contacting the Data Controller, or in case of conflict the
Data Protection Officer. If necessary, you can also address the European Data Protection
Supervisor. Their contact information is given under Heading 9 below.
Where you wish to exercise your rights in the context of one or several specific
processing operations, please provide their description (i.e. their Record reference(s) as
specified under Heading 10 below) in your request.
9. Contact information
- The Data Controller
If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you
have comments, questions or concerns, or if you would like to submit a complaint
regarding the collection and use of your personal data, please feel free to contact the Data
Controller.
European Commission, DG ECFIN, Unit R.4 at [email protected].
- The Data Protection Officer of the European Commission
You may contact the Data Protection Officer ([email protected]) with
regard to issues related to the processing of your personal data under Regulation (EU)
2018/1725.
- The European Data Protection Supervisor (EDPS)
You have the right to have recourse (i.e. you can lodge a complaint) to the European
Data Protection Supervisor, https://edps.europa.eu/data-protection/our-role-supervisor/complaints_en
or [email protected], if you consider that your rights under
Regulation (EU) 2018/1725 have been infringed as a result of the processing of your
personal data by the Data Controller.
10. Where to find more detailed information?
The Commission Data Protection Officer (DPO) publishes the register of all processing
operations on personal data by the Commission, which have been documented and
notified to him. You may access the register via the following link:
http://ec.europa.eu/dpo-register.
This specific processing operation has been included in the DPO’s public register with
the following Record reference: 04466.1
Annex II - ANNEX I (6) Key requirements of the Member State’s control system
1) In compliance with Article 22(1) of the RRF Regulation, the Member State shall
provide an effective and efficient internal control system, including separation of
functions and reporting and monitoring arrangements. Member States may rely on
their regular national budget management systems.
This includes:
• the nomination of an authority as “coordinator” having the overall responsibility for
monitoring the implementation of the RRP on behalf of the Member State and being
the single point of contact for the Commission;
• that the coordinator has the (i) administrative capacity in terms of human resources
(staff numbers and profiles), institutional experience and expertise, and (ii) the
mandate and authority to exercise all relevant tasks, including reporting and
monitoring responsibilities;
• the identification of the authorities entrusted with the implementation of the RRP
measures;
• the identification of the authority responsible for signing the management declaration
accompanying the payment requests with procedures ensuring that this authority will
get assurance about the satisfactory fulfilment of the milestones and targets set in the
RRP, that the funds were managed in accordance with all applicable rules, in
particular rules on avoidance of conflicts of interests, fraud prevention, corruption
and double funding;
• an appropriate separation between implementation and audit functions.
2) In compliance with Article 22(2)(a) of the RRF Regulation, the Member State shall
conduct an effective implementation of proportionate anti-fraud and anti-corruption
measures, as well as any necessary measure to effectively avoid conflict of interests.
This includes:
• appropriate measures related to the prevention, detection and correction of fraud,
corruption and conflict of interest, as well as avoidance of double funding and to take
legal actions to recover funds that have been misappropriated;
• a fraud risk assessment and the definition of appropriate anti-fraud mitigating
measures.
3) In compliance with Article 22(2)(c) of the RRF Regulation, the Member State shall
maintain appropriate procedures for drawing up the management declaration and
summary of the audits carried out at national level.
(6) This refers to Annex I of the Financing Agreement between the European Commission and the
Member State in question.
This includes:
• an effective procedure for drawing up the Management Declaration, documenting the
summary of audits and keeping the underlying information for audit trail;
• effective procedures to ensure that all cases of fraud, corruption and conflict of
interests are properly reported and corrected through recoveries.
4) To provide the information necessary for Article 22(2)(c)(i) of the RRF Regulation,
the Member State shall ensure appropriate measures, including procedures for
checking the fulfilment of milestones and targets and compliance with horizontal
principles of sound financial management.
This includes:
• appropriate measures through which authorities entrusted with the implementation of
the RRP measures will check the fulfilment of milestones and targets (e.g. desk
reviews, on-the-spot checks);
• appropriate measures through which the authorities entrusted with the
implementation of the RRP measures will check the absence of serious irregularities
(fraud, corruption and conflict of interest) and double funding (e.g. desk reviews, on-
the-spot checks).
5) In compliance with Article 22(1) of the RRF Regulation and to provide the
information necessary for Article 22(2)(c)(ii) of the RRF Regulation, the Member
State shall conduct adequate and independent audits of systems and cases of support
to investments and reforms.
This includes:
• the identification of the body/ies which will carry out the audits of systems and cases
of support to investments and reforms and how its/their functional independence is
ensured;
• the allocation of sufficient resources to this body/ies for the purpose of the RRF;
• the effective tackling by the audit body/ies of the risk of fraud, corruption, conflict of
interest and double funding both through system audits and audits of cases of support
to investments and reforms.
6) In compliance with Article 22(2)(d) and (e) of the RRF Regulation, the Member State
shall maintain an effective system to ensure that all information and documents
necessary for audit trail purposes are held.
This includes:
• effective collection and storage of data on the final recipients of funds;
• access for the Commission, OLAF, ECA and EPPO (where applicable) to the data on
final recipients, contractors, subcontractors and beneficial owners for the purpose of
audit and control.
Annex III – List of information requested for the audit
I would be grateful if the German authorities concerned would provide the information
set out below, in order to ensure a satisfactory preparation of the audit:
1. Documentation of public procurement procedures, especially:
a. Evidence of a competitive process
i. Contract notice and prior information notice, if relevant (OJEU);
ii. Procurement documents including technical specifications;
iii. Record of tenders received;
iv. Evidence of the opening of tenderers;
v. Evidence of the selection of tenders including scoring against the set
criteria;
vi. Evidence of the evaluation of tenders including scoring against the set
criteria;
vii. Evaluation report;
viii. Notifications to successful and unsuccessful tenderers;
ix. Formal contract;
x. Contract award notice (OJEU).
b. Evidence of an adequate implementation
i. Proof/acceptance of deliveries;
ii. Evidence that deliveries correspond to the technical specifications;
iii. Justification of contract modifications in specific circumstances, if
relevant.
c. List of all RRF milestones and targets related to the payment request
concerned by PP
d. Checks/Checklist conducted on PP.
2. Documentation on state aid (SA)
a. Guidance documents, procedures, instructions
b. List of RRF measures concerned by SA (notified, pre-notified, existing
GBER, potential SA)
c. Checks/Checklist conducted on SA
d. Any other relevant documentation.
Electronically signed on 13/02/2024 15:24 (UTC+01) in accordance with Article 11 of Commission Decision (EU) 2021/2121