
EDPS: privacy in the EU proposal for electronic invoicing in public procurement?

November 18, 2013  |  Electronic Invoicing, Europe, Government

The EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. The EDPS does so by monitoring the EU administration’s processing of personal data, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.

The EDPS has been reading through the latest proposal for a directive on electronic invoicing in public procurement. Based on that, they came up with some interesting privacy conclusions and recommendations:

Conclusions

“While the main objective of the Proposal is not the processing of personal data, processing e-invoices under the Proposal may nevertheless require the processing of certain amount of personal data. Therefore, data protection is a relevant consideration for e-invoicing.

4. First, certain elements (data fields) of the e-invoices may contain personal data. The contracting entities can be either legal or natural persons. Where the contracting entities are natural persons, their data will be considered personal data. This will also be the case where the official title of the legal person identifies one or more natural persons.

5. Further, in cases where the contracting entities need to evidence that they have provided certain services (e.g. medical, social or educational services) to a number of defined individuals, the information that they may need to submit to the contracting authority will contain personal data regarding these individuals. This may sometimes also include sensitive data, for example, in the health and social sector the information may include the type of medical/psychological treatment or social services provided, which are linked (or can be linked), to the names of the individuals to whom these treatments/services were provided.

6. Finally, if and when the data contained in the e-invoices will be used for further purposes that ultimately aim linking the data to specific individuals (such as corporate officers, shareholders or employees of a company) – for example, to investigate a specific incident of tax fraud – the initially seemingly innocuous and non-personal data on the invoices will also be considered personal data.

7. In all these cases, personal data will require appropriate protection, and the national rules transposing Directive 95/46/EC become applicable.”

Recommendations

The ‘Opinion of the European Data Protection Supervisor on the Commission Proposal for a Directive of the European Parliament and the Council on electronic invoicing in public procurement, 11 November 2013’ makes the following recommendations:

  • “including a substantive provision to clarify that the Proposal is not meant to provide for general derogations from data protection principles and that relevant personal data protection legislation (i.e. national rules implementing Directive 95/46/EC) remain fully applicable in the context of e-invoicing;
  • amending Article 3(2) of the Proposal to ensure that the European standards to be adopted will follow a ‘privacy by design’ approach and ensure that data protection requirements are taken into account, and that the standards will respect, in particular, the principles of proportionality, data minimisation and purpose limitation;
  • should it be the intention of the legislator to provide for the publication of personal data for purposes of transparency and accountability, including explicit substantive provisions that would specify what kind of personal data may be made public and for what purpose(s); alternatively, including a reference to EU or national law, which should, in turn, provide appropriate safeguards.”

 

 

