
Deliberation No. 2014-447 of November 13, 2014 Giving an Opinion on a Draft Decree Relating to the Implementation of an Administration Teleservice Called "My Approach European Social Fund" (Request for Opinion No. 1788645 V1)

Original Language Title: Délibération n° 2014-447 du 13 novembre 2014 portant avis sur un projet d'arrêté relatif à la mise en œuvre d'un téléservice de l'administration dénommé « Ma démarche Fonds social européen » (demande d'avis n° 1788645 V1)


Text information




JORF 0007 of January 9, 2015
text #71




Deliberation No. 2014-447 of 13 November 2014 giving an opinion on a draft order for the implementation of an administration teleservice named "My approach European Social Fund" (request for opinion No. 1788645 V1)

NOR: CNIX1500038X ELI: Not available


The National Commission on Informatics and Liberties,
Having received from the Minister of Labour, Employment, Vocational Training and Social Dialogue a request for an opinion on a draft order authorising the automated processing of personal data relating to the dematerialised service of the management tools of the European Social Fund for the period 2014-2020;
Having regard to Council of Europe Convention 108 for the protection of individuals with regard to the automatic processing of personal data;
Having regard to Regulation (EU) No 1303/2013 of the European Parliament and of the Council of 17 December 2013 laying down common provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund, the European Agricultural Fund for Rural Development and the European Maritime and Fisheries Fund, laying down general provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund and the European Maritime and Fisheries Fund, and repealing Council Regulation (EC) No 1083/2006;
Having regard to Regulation (EU) No 1304/2013 of the European Parliament and of the Council of 17 December 2013 on the European Social Fund and repealing Council Regulation (EC) No 1081/2006;
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
Having regard to Law No. 78-17 of 6 January 1978, as amended, relating to computers, files and freedoms, including its Article 27-II (4°);
Having regard to Decree No. 2005-1309 of 20 October 2005, as amended, for the application of Law No. 78-17 of 6 January 1978 relating to computers, files and freedoms;
Having regard to Decree No. 2014-580 of 3 June 2014 relating to the management of all or part of the European funds for the period 2014-2020;
Having regard to the file and its supplements;


On the proposal of Ms Laurence DUMONT, Commissioner, and after hearing the observations of Mr. Jean-Alexandre SILVY, Commissioner of the Government,
Issues the following opinion:
The National Commission on Informatics and Liberties has received from the Minister of Labour, Employment, Vocational Training and Social Dialogue a request for an opinion on a draft order authorising the computerised processing of personal data relating to the dematerialised service of the management tools of the European Social Fund (ESF).
Each Member State shall establish, in partnership with the European Commission, one or more operational programmes of ESF funding for the seven-year programming
. The CNIL gave its opinion, by Deliberation No. 2012-265 of 19 July 2012, on the electronic administration teleservice named "My ESF approach", set up under the responsibility of the General Delegation for Employment and Vocational Training (DGEFP) for monitoring the management of the ESF in the framework of the 2007-2013 programming period.
This draft decree is intended to authorise the changes to the processing envisaged to meet the new requirements of the European regulation for the 2014-2020 programming period, which is characterised by the implementation of a results-oriented policy and the willingness to measure the performance and progress made with ESF intervention.
To this end, the European regulation requires a strengthening of monitoring and evaluation systems, which in particular requires the continuous and individual monitoring of programme participants and obliges Member States to use a dematerialised system to process the information necessary for monitoring, evaluation, financial management, verifications and audits (Regulation No 1303/2013, Art. 125, paragraph 2, point d), which has so far operated, in France, on a voluntary basis.
These new regulatory obligations have led the DGEFP to change the information system "My ESF approach", which is henceforth intended to include identity and follow-up data on participants, the final beneficiaries of ESF funds, and to be used from now on by project promoters and a number of management bodies (the State, the "delegated management authorities" The
considers that the processing operations implemented give access to an administration teleservice under the conditions referred to in Article 27-II (4°) of the amended Act of 6 January 1978, which makes subject to authorisation by ministerial order, issued after a reasoned and published opinion of the Commission, the processing carried out by the State or legal persons governed by public law "for the purposes of making available to the users of the administration one or more teleservices of the electronic administration, if such processing involves data including the registration number of persons in the national identification directory or any other identifier of natural persons".
The Commission notes that, pending the implementation of the teleservice, as amended, and to the extent that European legislation took effect on 1 January 2014, a "paper" questionnaire has been made available to project holders by the DGEFP, to enable them to collect data on the participants. These questionnaires are temporarily stored under their responsibility and will feed the information system when it is available.
On the purpose of processing
The teleservice "My ESF approach" aims to dematerialise the submission of ESF grant applications, the study of their admissibility and their appraisal by the managing bodies.
The same applies to the submission of the implementation reports on the expenditure incurred by the promoters, which are subject to "service controls" by the managing service for a reliable reporting of data to the European Commission.
It is for each management authority to submit an annual implementation report to the European Commission by electronic means, expenditure evidence and structured data for each investment priority.
The provisions laid down in Article 1 of the draft order concerning the above-mentioned purposes have not been amended.
However, Article 1 of the draft decree has been supplemented with the following purposes:


"-speed up the processing of the payment of the European Social Fund to beneficiaries;
-enable detailed and reliable monitoring of the implementation of the programme, as well as the evaluation of its effectiveness, efficiency and impact through, inter alia, surveys of participants in accordance with the obligations of the regulations mentioned above."


These changes are intended to take into account the main developments in programming 2014-2020.
The acceleration of the processing of ESF payments to beneficiaries, now included among the purposes of the teleservice, reflects the goal of mandatory dematerialisation of procedures.
The "detailed and reliable" monitoring of the implementation of the programme, as well as "the evaluation of its effectiveness, efficiency and impact", aim to ascertain the actual impact of the projects financed by the ESF on the specific situation of participants, as well as the impact of the programmes in terms of reducing social exclusion and the fight against poverty, in particular with regard to disadvantaged populations.
To this end, personal data relating to each participant will be collected by the promoters when the participant enters a project funded by the ESF and when the participant leaves it.
A follow-up of participants shall also be carried out six months after the end of their participation, in the context of surveys carried out under the responsibility of the DGEFP, on representative samples of participants.
The Commission considers that these purposes are specific, explicit and legitimate.
On the nature of the data processed
Article 2 of the project lists the categories of personal data that will be processed through the teleservice "My ESF approach".
Data will be collected using indicators. A common set of indicators, listed in the Annex to Regulation No 1304/2013, has been defined in order to produce reliable and robust statistics which can easily be aggregated at the French and European level. Other programme-specific indicators have also been defined in the context of the project piloting by the DGEFP.
The Commission has taken note that the data listed in the draft decree constitute a closed list (in the form "yes/no"), and not categories of data likely to give rise to more detailed data collection.
The personal data that are processed in the teleservice are for participants and carriers of
Commission notes that the list of data referred to in Article 2-II has not been amended.
It points out, however, that only the data strictly necessary for the attestation of the competences of the staff assigned to projects financed by the European Commission, as well as the expenses incurred to pay them, must be collected. It also recalls the obligation to inform the persons concerned in accordance with the conditions laid down in Article 32 of the amended law of 6 January 1978.
As regards the participants, Article 2-I of the draft provides for the processing of data relating to:


-the identification of natural persons (surname, given name, sex, date and commune of birth, including, where applicable, the indication of birth abroad provided by code 99999);
-their contact details (address, telephone, e-mail address);
-their working life (status in the labour market [employment or training], level of degree);
-their family situation (household or single-parent, dependent children);
-their disability;
-their difficulties (indication of the benefit of social minima; housing difficulties);
-the indication of a parent born abroad;
-individual data relating to participants (list of participants, diplomas, CV, training contracts, training certificates, remuneration of participants, attendance sheets, proof of absence, elements of connecting the public to the operation, supporting documents to identify the type of exit).


On the relevance of the data relating to the identity and contact details of the persons
The DGEFP indicated that the identity data and the contact details will be strictly necessary for:


-the tracking of participants by project holders, who are responsible for querying them about their situation as a result of the operations they have received;
-the control of operations for which the middle managers have responsibility (control of eligibility for action, results of actions);
-the cohort follow-up of samples of individuals, which it will be up to the DGEFP to perform.


These data will also be likely to be used for control purposes in the context of audits conducted by the European Commission and the Interministerial Committee for the Coordination of Controls (CICC).
The Commission takes note that the NIR is not entered as such in the teleservice "My ESF approach" and cannot be used as a query criterion, transmitted to third-party organisations, exploited or used as an identifier.
As far as the mailing address is concerned, the department indicated that this data is necessary for the follow-up of participants by project promoters, who must be able to contact them by any means. It is also necessary for proof of the eligibility of persons for the benefit of certain schemes, subject to their geographical affiliation to a priority area (in relation to city policy) or to a region. This eligibility will be automatically verified by the information system using integrated repositories, in order to limit the risk of error. The Commission takes note of this.
On the relevance of the other data relating to the characteristics of the participants
The Commission notes that, according to Article 3 of Regulation No 1304/2013 on the ESF, it "intervenes in favour of persons, in particular disadvantaged persons such as the long-term unemployed, persons with disabilities, migrants, ethnic minorities, marginalised communities and persons of all ages who are victims of poverty and social exclusion", in particular the Roma (recital 16).
In order to ensure that the funds are used for the benefit of those populations identified as priorities, the Regulation recommends, under the common indicators on ESF investments, the collection of data relating, in particular, to the following participants: "migrants, participants of foreign origin, minorities (including marginalised communities such as Roma)".
The Commission notes that this indicator will be filled in using the reference to the municipality of birth, entered as code 99999 in case of birth abroad, and the answer to the closed question concerning the "indication of a parent born abroad", the first, according to the ministry, making it possible to characterise the migrant participants, the second, the participants of origin
The DGEFP has indicated that it has adopted the UN definition of migrants, stated that there was no statistical definition of persons of foreign origin, and accepted the statistical risk attached to the criteria. It also indicated that it chose not to collect information on minorities because of the lack of a national definition of minorities and their collection having been found to be contrary to French
. The EU has characterised these same populations with regard to data which are intended to be aggregated at European level, the DGEFP indicated that it was not informed.
It also stated that it has chosen to fill in the common indicator "other disadvantaged persons" prescribed by the above Regulation, intended to target participants such as former prisoners, people who use drugs or alcohol, persons in situations of extreme poverty, using objective criteria derived from the benefit of minima The
takes note of the fact that the participants will be free not to answer the two questions "Are you homeless or facing the exclusion of your home?" and "Is one of your parents born abroad?" by checking the box "Does not wish to answer/do not know".
The Commission takes note of the fact that, by this mechanism, the administration is responsible for not proceeding with the collection of sensitive data within the meaning of Article 8 of the law of 6 January 1978 amended, relating in particular to the racial or ethnic origins of the participants, while laying down criteria which can be used to meet those defined by the Community authorities.
It takes note that a joint note by the Association of the Regions of France (ARF) and the DGEFP is being prepared to inform the European Commission of the interpretation of the above indicators by the French management authorities.
On the relevance of the recording of supporting documents in the information system
The DGEFP indicated that the information relating to the characteristics of the participants will be entered by the promoters on a declarative basis and will not give rise to the registration of supporting documents in the teleservice. The Commission takes note of this.
On the other hand, it indicated that the registration of the documents necessary for the assessment of the eligibility of project participants was inherent in the dematerialisation of the procedures and that, in the context of certain projects financed by the ESF, the European Commission now required supporting documents for the results of the actions carried out.
The Commission requests that the processing of supporting documents be strictly limited to checking the eligibility of participants in the projects, as well as the results of actions to the extent that these documents are required by the European Commission. It takes note of the department's commitments to modify the draft order in this sense.
It takes note, finally, that the paper questionnaires sent by the DGEFP and filled in by the promoters pending the opening of the teleservice are in full compliance with the provisions of the draft decree, and requests that these paper documents be deleted after the data have been entered into "My ESF approach".
On the data retention period
Article 5 of the draft decree provides that "The information referred to in Article 2 of this Order shall be retained for a period of nineteen years from 1 January 2014. This period shall be extended, where appropriate, by the suspension of a period following a judicial proceeding or a reasoned request by the Commission."
As with the 2007-2013 programming period, the national ESF programme of the European Union's cohesion policy is scheduled for seven years. Its closure comes at best two years after the end of the programming period. In addition, the European Commission is in a position to carry out checks on the use of the funds allocated for ten years from the end of the programme.
The personal data are thus kept for a maximum of 19 years, starting from the beginning of the programme.
The Commission finds that the retention period adopted does not exceed what is necessary for the purposes pursued.
It requires that the identifying characteristics relating to the persons concerned, which are processed for legal purposes, be kept for the time and to the extent strictly necessary for these purposes, under physical and logical conditions such as to guarantee their confidentiality, and then deleted.
However, when asked about the fate of the data after the retention period, the DGEFP indicated that the data would be anonymized. The Commission notes the Ministry's commitments to amend the draft decree on this point.
It notes that the DGEFP envisages, in the long term, the provision of data previously anonymized.
In this regard, the Commission recalls that the anonymization of the data thus made available will have to be effective. It will therefore be necessary to demonstrate the conformity of the solution and of the anonymization techniques implemented with the three criteria defined by Opinion No. 05/2014 of the G29, and to forward this demonstration to the Commission.
If one of the three criteria is not met, it will then be necessary to carry out a study of the risk of re-identification showing that the possible residual risks are sufficiently low not to infringe the privacy of the data subjects.
The demonstration of conformity or the study of the risk of re-identification, and where applicable the solution, will need to be reviewed regularly to take account of developments in anonymization and re-identification techniques.
On the recipients of the data
Article 4 of the project provides that "The data referred to in Article 2 shall be available to the officials of the bodies responsible for managing the European Social Fund and national and European services responsible for monitoring the proper use of the European Social Fund, due to their responsibilities and the need to know."
The personal data processed will be accessible to the authorised staff of the managers of the European Social Fund (management authorities, delegated management authorities and intermediary bodies), on the one hand, and the authorities and services responsible for monitoring the proper use of the Social Fund at national and Community level, on the other
The Commission notes that these rights will be limited to the personal data strictly necessary for their intervention, within the limits of their functions and geographic scope of intervention, and that rigorous management of data access (read and write) clearances has been implemented according to the responsibilities of the users of the system.
It reports The European Commission will only be the recipient of data The
considers that these addressees have a legitimate interest in accessing the data of the teleservice referred to as "My ESF approach".
It points out that, in any case, access to the data must be carried out in accordance with the law of 6 January 1978 amended and the doctrine of the

. Concerned will be informed, in accordance with Article 32 of the law of 6 January 1978, as amended, orally by the promoters, as well as by means of a mention on the remote service website.
The Commission considers that only clear, complete and explicit information is likely to enable the participants to exercise their rights fully. It considers that, in order to be satisfactory, the oral information given to them by the authorised personnel of the promoters must be accompanied by the provision of an information notice in accordance with the provisions of Article 32 of the Law of 6 January 1978, as amended.
This notice shall be provided in a manner adapted to their condition and shall, in particular, contain information on the modalities for the implementation of the follow-up, with the possibility of opposing the surveys conducted by the DGEFP on representative samples of participants.
The information referred to in Article 32 shall also appear on the questionnaires completed by the promoters, as well as on the forms which the participants will have to complete in order to participate in a training
. Participants should, in particular, be informed of the possibility of not answering questions whose collection does not comply with a legal obligation to which the controller is subject.
The Commission also considers that it is important to make project leaders aware of these issues and take note of the
addition, it points out that the staff of the promoters must be duly informed of the processing of data concerning them within the framework of the information system "My ESF approach", in accordance with the provisions of Article 32.
On the rights of access, rectification and opposition of persons
The rights of access and rectification shall be exercised with the DGEFP by means of postal mail accompanied by a copy of a credential.
The Commission requests that the procedures for the implementation of all the rights granted to persons by the law of January 6, 1978, as amended, be clearly specified in the information notice and takes note that an audit procedure In
circumstances, the Commission considers that the rights of access, rectification and opposition are implemented in accordance with the provisions of the law of 6 January 1978 as amended.
Data and traceability of actions
The Commission considers that, taking into account the issues raised by the information system adopted in terms of data protection, in particular its national scope and the stigmatizing nature of the data, which concern vulnerable populations, special attention must be paid to the confidentiality and security of the data.
It points out that the controller must take all necessary technical and organisational precautions to preserve the security of the data and, in particular, to prevent them from being distorted or damaged or accessed by unauthorised third parties.
It also recalls that the teleservice "My ESF approach" must comply with the General Security Framework (RGS), that the approval of the teleservice under the RGS must be issued by the administrative authority, and that this decision must be accessible from the login page of the teleservice.
In this regard, the Commission takes note of the compliance procedures set up by the controller, and that a regular audit of the teleservice "My ESF approach" will be carried out and the RGS study will be updated on an annual basis.
As regards the transmission of personal data via the Internet, the Commission notes that the data transmitted will be encrypted using the "HTTPS" protocol. The Commission points out that this measure should be reviewed on a regular basis in order to remain state of the art.
In terms of user authentication, the Commission notes that its recommendations have been implemented by the Department, in particular for the management of clearances and access to the necessary data only.
As regards used storage media, the Commission takes note that the latter will be destroyed by specialised
. Traceability metrics, a log of application connections will detect any intrusion attempts and trace all data creation or modification operations. These logs will be kept for six months, in accordance with the recommendations of the Commission.
Security measures for the teleservice "My ESF approach"
Committee notes, on the other hand, that it has little information on the security conditions implemented at the local level by the promoters to whom the RGS is not
It takes note, however, that project carriers will be able to access aggregated data about their participants for steering purposes, but will not be able to retrieve individual data from the teleservice "My ESF approach".
The Commission believes that it is important to make project holders aware of the need for confidentiality, which is linked to the data collected in the framework of ESF management. In this regard, it notes the Department's commitment that the security policy currently being developed for managers will be extended to project holders. This security policy will include recommendations for good data management practices, whether they are collected in hard copy pending the opening of the portal, or on electronic media.
In this respect, the Commission considers that promoters who do not have to collect the information necessary for the management of the ESF in the context of their current missions will have to be subject to the obligation to use the portal to collect the data and, if that is impossible, will have to delete the data they hold as soon as they have been registered in the portal "My ESF approach".
In these circumstances, the security measures put in place comply with the security requirement laid down in Article 34 of the law of 6 January 1978, as amended
The updating of security measures in relation to the regular reassessment of risks.
On responsibility for the processing operations and the formalities to be carried out
The Commission points out that, as the managing authority, the DGEFP is responsible for the processing carried out as part of participant follow-up.
It is responsible for compliance with data protection rules by the implementing departments (including its own agents, delegated management authorities, intermediary bodies, and sub-contractors such as external consultants for the six-month insertion surveys), as well as by project promoters who collect data exclusively by means of the teleservice "My ESF approach".
The Committee observes, in this respect, that the regional councils, also management authorities for their own account, will be subject to the same obligations, including declarations to the CNIL
Are not responsible for the processing of information that they enter only in the management application made available to them by the managing authority, but must inform the persons concerned, on behalf of the managing authority, under the conditions of Article 32 of the Act of January 6, 1978, as amended.
However, if they transfer to the competent management authority information which they already hold for processing carried out under their own responsibility, they will be subject to the obligation to make an amending declaration concerning the existence of a new recipient of the data, and will need to inform interested parties.


The President,

I. Falque-Pierrotin

