Data Protection under GDPR in EU Aid Operations   (Published: 07.06.2018)


There is a default value that data processes under the GDPR are valid and substantiated and compliant with the Charter of Fundamental Rights (2000 with additions/amendments) provisions of Citizens fundamental rights, security and justice including the Charter of Fundamental Rights as follows:

The Charter of Fundamental Rights brings together in one single text all the rights of the individual, grouping them around several major principles: human dignity, fundamental freedoms, equality, solidarity, citizens’ rights and justice. All citizens have the right to petition Parliament on any matter in a field for which the Union is competent. The European Citizens’ Initiative enables citizens to promote the adoption of laws deemed necessary for the purpose of implementing the Treaties. The Lisbon Treaty introduced several new features to the area of freedom, security and justice, including a more efficient and democratic decision-making procedure, increased powers for the Court of Justice of the EU, and a new role for national parliaments.

The GDPR Premises

As of 25th May the New General Data Protection Regulation (GDPR) entered into force, harmonizing and strengthening all personal regulation including selection and assessment of performance of experts and other personnel across the EU operations through strengthening control of data at national level and through establishment of a European Data Protection Board.  

The GDPR strengthens existing rights, provides for new rights and gives citizens more control over their personal data, including:

  • easier access to their data

  • a new right to data portability

  • a right to erasure (Right to be forgotten)

  • right to know when their personal data has been hacked.

From a contract law viewpoint, the new GDPR regulates bilateral contractual obligations of expert and EU-contractor/sub-contractor, as well as contractor/subcontractor and EU institutions under the EU PRAG and other procurement regulations.  The GDPR recognizes the right of data subjects to lodge a complaint with the supervisory m authority, as well as their right to judicial remedy, compensation and liability.

To ensure proximity for individuals in the decisions that affect them, data subjects will have the right to have a decision of their data protection reviewed by national court.  This is irrespective of the member state in which the data controller concerned is established.    

In addition, the regulation provides for very severe sanctions against controllers or processors who violate data protection rules. Data controllers can face fines up to E20 million of 4%of their global annual turnover.  These administrative sanctions will be imposed by the national data protection authorities. 

Present EU Practice

The new GDPR regulation draws attention to the Institutional relations while protecting personal data being processed and protected under the new regulatory basis.  It, like the existing contractual practices until now between the EC institutions, contractors/sub-contractors and individual experts within the tripartite contracting parties in an aid interventions or EU-funded operations under the EU PRAG/Aid operations regulatory basis.

There is no provision under perjury and penalty with regard to substantiation of validity, reliability and accuracy of data during the processing of the protected data regulated under the GDPR. The EU aid procurement system is a tripartite mechanism, where the three parties (B2B, B2G, and G2G) are not equal in terms of jurisprudence obligations and legal rights.

According to my personal cases and other similar cases with FWC and budget-instrument funded contracts, the appealing individual expert has no rights according the proclaimed EU Charter of Human Rights or PRAG regulations, because an individual has no contract with the EU and such a case falls outside of jurisdiction applicable with the EU institutions.  The GDPR addresses this grey area of human rights protection under the existing EU legislation.  But, the GDPR does not address the issue of whether the subject’s supplied data/controller’s and/or EU/national authorities or third-party data are false or true and how their authentication will be done. 

Lessons Learned

I am very skeptic about this new GDPR framework with a deductive priority focus on G2G regulation in improving data protection in data protection in the EU without consequences under perjury and penalty to all tripartite parties.  Until now, the EU authorities have had no penalties or subject to perjury obligations, because the individual experts are not in direct contractual relationship with the EU institutions what so ever statements, changes, alterations, judgements and additions of original data presented/proclaimed by an individual expert with non-contractual relationship with the EU. 

There are numerous such cases that should be reviewed and assessed before executing and implementing further the GDPR.  In all aid interventions, like also in social media transaction, an expert and individual are and should be also in the future the sole contractor with the institutional setup/service provider.  All the contract should be based on dialogic principle with equal rights, de-facto transparency contract and unification of interests to create more balanced dialogic regimes.  Appeal and alternative options can also be based on cross-border and cross-sector solutions.

Octal Matrix Framework

On this website, one can find lot of methodological material on how to improve development aid through introducing a quality assurance (QA) mechanism for the Agenda 2030 for SDGs implementation at country level.  The past hierarchical PCM/LFM approach for aid interventions is not the best methodological approach to aid interventions where systems thinking and digitizing are more involved. 

Systemic approach with Octal Matrix country framework will provide a more suitable methodological framework for functional review/business processes descriptions at country/sector levels for aid interventions.  The more valid is the methodological approach, the less issues with data content and semantic meaning will appear in aid/donor operations and data protection as well. 


© 2018/Heikki K. Auvinen/Asumer Oy


« Back
News & Commentaries
15.06.2019 Self-defense in independent states More >>
28.04.2019 The Starting Point for New Defense Thinking More >>
22.04.2019 Corruption in Wider Russianness Perspective More >>
31.03.2019 Feedback to Mr. Mark Zuckerberg More >>
16.03.2019 Childhood memory More >>

Archive >>

Asumer Oy, Espoo, Finland   e-mail address:  Telephone + 358 400 638 660



©2019 Heikki K. Auvinen - Development Consultant - Asumer Oy