Skip to main content
European Health and Digital Executive Agency (HaDEA)

Data Protection Notice for ex-post controls by HaDEA

The European Health and Digital Executive Agency (HaDEA) processes your personal data1 in line with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 20182 on the protection of personal data by the European Union's institutions, bodies and agencies and on the free movement of such data. The HaDEA collects your personal information only to the extent necessary to fulfil a precise purpose related to our tasks.

What is the purpose(s) of this processing activity?

The purpose(s) of the ex-post audit is to verify the compliance with the financial and contractual provisions of the grant agreement and to verify the legality and regularity of the transaction, underlying the implementation of the EU budget.

The processing operation of the ex-post audit does not mainly intend to:

  • Process data relating to health and to suspected offenses, criminal convictions or security measures;
  • Evaluate personal aspects relating to the data subject, including his ability, efficiency and conduct;
  • Allow linkages not provided for pursuant to national or EU legislation between data processed for different purposes;
  • Exclude individuals from a right, benefit or contract.

Who is the data controller?

The data controller of the processing operation is HaDEA. For organisational reasons, the role of the data controller is exercised by the Head of Unit C.2 - Financial Support and Control of the European Health and Digital Executive Agency (HaDEA).

The following Data Protection Notice for ex post controls your personal data on our behalf:

Deloitte Réviseurs d’Entreprises Belgium :
PKF LittleJohn LLP –

Which personal data is collected?

All necessary data to efficiently conduct a control and audit may be the following:

  • Identification such as first and last name, staff number, title, function, grade, contact details (phone number, professional address, email address) etc.
  • Data concerning the data subjects’ career such as: professional activities and expertise, CV etc.
  • Financial data such as invoices, salaries, payslips as well as relevant information such as performed hours linked to named staff/ staff number, timesheets, individual hourly rate calculation, employment contracts, accounting records (including Payroll), cost accounting, information coming from local IT system used to declare costs etc.
  • Supporting documents substantiating the expenses of the project such as minutes of meetings/ events, mission reports etc.

Data transmitted by the Beneficiary for the purpose of an audit is an obligation set out in the Grant Agreement.

This list of data requested is indicative, without prejudice for the Agency and its contractors to ask any other relevant information as foreseen under the relevant Articles of the grant agreements. Only personal data, which is necessary for the processing operation in the light of its purpose will be used.

Who has access to the personal data of data subjects and to whom can they be disclosed?

Within the Agency, the following recipients will have access to your personal data:
HaDEA staff in charge of ex-post controls Unit C.2.002 (ex post, internal control and anti-fraud sector), audit correspondents, management, relevant project and financial officers.
Other recipients are: the outsourced audit firms performing the audits on behalf of the Agency.
In addition, other potential recipients are Commission services: collected personal data could be submitted to Commission services in charge of ex-ante or ex-post controls.

On a need to know basis and in compliance with the relevant current legislation, bodies charged with monitoring or inspection tasks in application of EU law (e.g. EC internal audit, Court of Auditors, European Anti-fraud Office (OLAF), the European Ombudsman, the European Data Protection Supervisor, the European Public Prosecutor).

For entities based in the United Kingdom, the transfer take places on the basis of an adequacy decision3. Your personal data will not be transferred to other third countries or international organisations.

Which is the legal basis for processing your personal data?

The legal basis for the processing activities is Article 5 (1) (a) of Regulation (EU) 2018/1725 because processing is necessary for the performance of a task carried out in 3 Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom C(2021) 4800 3 the public interest (or in the exercise of official authority vested in the Union institution or body)4; the processing is necessary for compliance with a legal obligation to which the controller is subject (Article 5(1)(b) of Regulation), as established by Article 72, Article 74 and Article 129.1 of Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012.

How long do we keep your personal data?

Your personal data will be kept for a period of 10 years, as part of Management of grant agreements after the final payment; data will be deleted at the end of this period, provided that no contentious issues (legal proceedings) take place, in which case, data will be kept until the end of the last possible legal procedure.

What are your rights regarding your personal data?

You have the right to access your personal data and to request your personal data to be rectified, if the data is inaccurate or incomplete; where applicable, you have the right to request restriction or to object to processing, to request a copy or erasure of your personal data held by the data controller.

Your request to exercise one of the above rights will be dealt with without undue delay and within one month.

If you have any queries concerning the processing of your personal data or wish to exercise any of the rights described above, you can contact the Head of Sector C.2.002 - Ex-post, Internal Control and Anti-Fraud (entity acting as data controller) via HADEAEXTERNAL- and HaDEA Data Protection Officer (DPO)

You shall have right of recourse at any time to the European Data Protection Supervisor at


Version September 2021


1.Personal data shall mean any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2. Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L295/39 of 21.11.2018).

3. Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom C(2021) 4800

4. Act of establishment: Commission Implementing Decision (EU) 2021/173 of 12 February 2021 establishing the European Climate, Infrastructure and Environment Executive Agency, the European Health and Digital Executive Agency, the European Research Executive Agency, the European Innovation Council and SMEs Executive Agency, the European Research Council Executive Agency, and the European Education and Culture Executive Agency and repealing Implementing Decisions 2013/801/EU, 2013/771/EU, 2013/778/EU, 2013/779/EU, 2013/776/EU and 2013/770/EU and Commission Decision C(2021) 948 final of 12.2.2021 delegating powers to the European Health and Digital Executive Agency with a view to the performance of tasks linked to the implementation of Union programmes in the field of EU4Health, Single Market, Research and Innovation, Digital Europe, Connecting Europe Facility – Digital, comprising, in particular, implementation of appropriations entered in the general budget of the Union