EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Document 52023XX0713(01)

Activity Report of the Controller of procedural guarantees for 2022


OJ C 248, 13.7.2023, p. 1–14 (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)



Official Journal of the European Union

C 248/1


(2023/C 248/01)


Today more than ever it is vital to protect and preserve human rights in Europe and to ensure that every individual can live a life of dignity.

Fundamental rights include procedural guarantees: e.g., the right to be heard, the presumption of innocence, the rights of defence, the right to independent, impartial, fair, and effective judicial protection for a reasonable time, and the principles of legality and proportionality.

These rights and principles are inherent to the constitutional orders of Member States, the instruments of the Council of Europe and the European Union (EU), the Charter of Fundamental Rights of the EU and the case-law of the courts.

Against this background, it has been an honour and an immense responsibility for me to take up office as the Controller of procedural guarantees for investigations conducted by the European Anti-Fraud Office (OLAF).

The Controller deals with complaints regarding possible breaches by OLAF of fundamental rights, procedural guarantees, and rules applicable to OLAF investigations.

The challenge is even greater because I am the first to hold the post of Controller, it having been created quite recently (under the new Articles 9a and 9b of the OLAF Regulation, adopted on 23 December 2020).

The year 2022 was thus an important landmark in strengthening the protection of procedural guarantees. It marked a milestone not only for OLAF but for the EU institutions in general, and in particular for the persons concerned by OLAF investigations. Whether they are individuals or legal entities, persons concerned can now, where necessary, seek help from the Controller — someone whose specific role it is to protect their fundamental rights and procedural guarantees, and examine and resolve their complaints in a fully independent and timely manner.

Having served as a judge for 9 years at the European Court of Human Rights in Strasbourg, and as a professor of European law and a current member of the Supreme Court of Estonia, I have always devoted myself to upholding fundamental rights, democracy, and the rule of law.

As Controller I consider it paramount to nurture a fundamental rights culture based on citizen-friendly means of resolving complaints. Properly and efficiently protecting the financial interest of the EU is to the benefit of Member States and EU taxpayers; at the same time, it is essential that OLAF investigations into possible fraud are conducted in full compliance with the protection of fundamental rights and procedural guarantees.

I also see it as the Controller’s mission to prevent possible violations of procedural guarantees and to improve the rules and practices applicable to OLAF investigations. I hope that through the annual report on my activities, I can raise awareness of the kind of general problems and systemic issues that will need to be addressed by OLAF to avoid possible future complaints and increase the knowledge and awareness of anyone concerned about their rights. This will also contribute to strengthening public confidence and trust in OLAF and the EU.

Taking office as the first Controller meant starting from scratch and putting in place new working methods, arrangements, and practices. One of the first things that had to be done was to draft and adopt Implementing Provisions for the handling of complaints as required by Article 9b(11) of the OLAF Regulation. I see the Implementing Provisions as a living document that will evolve in time. In 2022 I also had to deal with the many complaints that had been lodged well before my appointment, and to examine them within the strict deadlines laid down by the OLAF Regulation.

I am happy to report that all the above challenges were met successfully and promptly. I would like to acknowledge the invaluable administrative and legal support I received from the excellent Secretariat of the Supervisory Committee of OLAF.

This first annual report sets out details of the efforts made, and results achieved in the initial dynamic phase of application of the complaints mechanism provided for by Article 9b of the OLAF Regulation.

Of course, this is just the beginning. There is a long way to go to make the Controller not only a well-established function within the overall antifraud architecture of the EU, but one that further reinforces OLAF’s transparency and, most of all, its accountability.

Let this annual report be a visiting card presenting the work of the Controller and showing the importance of compliance with procedural guarantees.

Yours sincerely,


The Controller

Table of contents

Foreword 1


The Controller in brief 4


Setting up the new complaints mechanism 4


Implementing Provisions 4


Access to information 5


A dynamic start on complaints resolution 5


Overview of complaints in 2022 5


How the Controller examines complaints 8


First step: assessing admissibility 10


The time-limits set out by the OLAF Regulation 10


Complaints relating to the protection of personal data 11


Next step: an adversarial procedure 11


Results achieved 12


Cases closed 12


Proposing solutions 13


Relations with stakeholders 13


Administrative and legal support 14


Communicating with the Controller 14

1.   The Controller in brief

The Controller of procedural guarantees is a function established by amended Regulation (EU, Euratom) No 883/2013 (the ‘OLAF Regulation’) for the purpose of protecting the procedural guarantees and fundamental rights of the persons concerned by investigations carried out by the European Anti-Fraud Office (OLAF).

A person concerned is any natural person or economic operator suspected of having committed fraud, corruption or any other illegal activity affecting the financial interests of the Union and who is, therefore, subject to investigation by OLAF. Complaints submitted by persons other than persons concerned, including witnesses and informants, fall outside the Controller’s mandate.

The Controller examines complaints submitted by persons concerned regarding OLAF’s compliance with procedural guarantees and the rules applicable to investigations, in particular procedural requirements and fundamental rights. Her role is not to substitute her own assessment for that of OLAF on how to conduct an investigation, how to assess evidence and what conclusions to reach. When assessing complaints, the Controller pays particular attention to the Charter of Fundamental Rights of the European Union (1), the general principles of EU law and the relevant case-law of the European Courts.

The Controller carries out her tasks in complete independence and does not take instructions from anyone in the performance of her duties. Given that persons concerned cannot, in principle, seek judicial recourse against OLAF’s acts or omissions during the course of an investigation, the fact that they can now turn to the Controller becomes of great importance. Complainants can contact the Controller within the prescribed deadlines to seek an independent and thorough examination of their grievances. If the Controller finds that no breach has occurred, the Controller’s assessment serves as reassurance that OLAF has acted in conformity with the rules. Conversely, if she finds that OLAF has breached procedural guarantees or the rules governing investigations, she will invite it to take action to put things right. That said, the Controller can only issue a recommendation to OLAF — she cannot impose on it a concrete course of action, nor can she interfere with the ongoing OLAF investigation.

On 3 May 2022, the European Commission appointed Dr Julia Laffranque as the first Controller for a non-renewable term of 5 years. Dr Laffranque, a judge at the Supreme Court of Estonia and a former judge at the European Court of Human Rights, took up office in September 2022.

The Secretariat of the Supervisory Committee (‘Secretariat’) provides the Controller with all necessary administrative and legal support.

2.   Setting up the new complaints mechanism

One of the first priorities of the Controller was to put in place all the necessary legal and administrative arrangements to ensure that the complaints mechanism provided for by Article 9b of the OLAF Regulation is fully operational and to facilitate citizen-friendly and optimal complaints resolution in line with the principles of good administration. With the support of the Secretariat, the Controller anticipated issues related to documents management, compliance with data protection rules and communication with complainants. Two specific issues should be highlighted as they were of particular importance for setting up the new complaints mechanism: (a) the adoption of Implementing Provisions; and (b) access to case-related information.

2.1.    Implementing Provisions

While the OLAF Regulation provides the general framework for the creation and operation of a new complaints mechanism, it does not lay down detailed rules for the handling of complaints. Instead, Article 9b(11) empowers the Controller to adopt Implementing Provisions for the handling of complaints.

On 16 November 2022, the Controller, after consulting both OLAF and the Supervisory Committee (2), adopted Implementing Provisions (3). The Implementing Provisions were translated into all EU official languages and published in the Official Journal. They are available on the Controller’s webpage (4).

The Implementing Provisions include detailed rules regarding the lodging of a complaint, the exchange of information between the parties, the organisation of hearings, the different actions taken to solve the complaint, and the relations of the Controller with OLAF and the Supervisory Committee. The Implementing Provisions also provide clarification of a number of issues not explicitly addressed by the Regulation, such as what happens in cases where there are parallel legal proceedings or when a complaint raises issues relating to the protection of personal data.

These rules are a first attempt to anticipate the immediate needs of the newly created function. Their aim is twofold: (i) to provide complainants with transparency and legal certainty about the complaints mechanism and the procedures that the Controller follows; and (ii) to establish a procedure that enables the Controller to be efficient and effective while adopting a result-driven approach to complaints. As the practice of the Controller evolves, these rules may be reviewed in order to reflect the experience gained and to address issues arising from the complaint mechanism itself.

2.2.    Access to information

The OLAF Regulation provides that the Controller should have access to all information necessary to fulfil their duties. It also provides that OLAF must communicate to the Controller all information necessary for the Controller to assess whether the complaint is justified, and all information necessary to resolve the complaint and enable the Controller to issue a recommendation.

From an early stage, the Director-General of OLAF expressed his intention to facilitate the work of the Controller and to grant her and the relevant staff members of the Secretariat electronic access to the case files of the investigations subject to complaints for a limited period of time, corresponding in principle to the maximum duration for the handling of complaints. The solution provided by OLAF gives the Controller privileged, targeted access and allows her and the Secretariat to fulfil their tasks. Details will be set out in future working arrangements to be agreed and signed between the Controller and the Director-General of OLAF.

For the Controller, privileged access to the OLAF case file is of paramount importance for reassuring complainants that she was able to look thoroughly into the case file, even in cases where part of the relevant information is confidential and cannot be disclosed to them (5).

3.   A dynamic start on complaints resolution

The opportunity for persons concerned to submit complaints to Controller became a reality with the entry into force of the revised OLAF Regulation. However, by the time all the necessary institutional and administrative arrangements were in place and the Controller took up her duties, a significant number of complaints (13) were already pending. The Controller took care to deal with these complaints quickly in a thorough and professional manner. The result was more than satisfactory. The Controller made an initial assessment of all the complaints within the prescribed time limit. By the end of the year, she had concluded the examination of 6 complaints and issued an invitation to OLAF to resolve part of a complaint. In this very short period of less than 4 months, the Controller had the opportunity to deal with interesting legal questions and start laying the ground for some principles relating to the complaints mechanism.

3.1.    Overview of complaints in 2022

In 2022 the Controller received 14 complaints: 13 forwarded to the Controller by OLAF, and 1 submitted directly to her. The complainants, both individuals and legal entities (Figure 1), were persons concerned in OLAF internal (6) and external investigations (7) (Figure 3). The majority of complaints were submitted in English (Figure 2) by lawyers acting on behalf of the persons concerned (Figure 1).

Figure 1

Who submitted complaints?

Image 1

Figure 2

Languages in which complaints were submitted

Image 2

Figure 3

Types of OLAF investigations complained against

Image 3

For the most part, the complainants invoked breaches of their procedural guarantees under Article 9 of the OLAF Regulation and their fundamental rights under the Charter of Fundamental Rights (Figure 4). In particular, they complained about (i) the right to be heard and the effective exercise of their right to submit observations regarding facts concerning them (Article 9(4) of the OLAF Regulation); and (ii) the right to have their affairs handled within a reasonable time (Article 41 of the Charter of Fundamental Rights). Complainants also put forward allegations about their right to be informed (Article 9(3) of the OLAF Regulation) and allegations of breaches of the principles of fairness and impartiality (Figure 5). Complainants complained to a lesser extent about the rules applicable to OLAF investigations (8) (Figure 6).

Figure 4

Subject matter of the complaints

Image 4

Figure 5

Analysis of the different allegations regarding procedural guarantees

Image 5

Figure 6

Analysis of allegations regarding the rules applicable to investigations

Image 6

3.2.    How the Controller examines complaints

The Controller deals with complaints in a fair, independent, and impartial manner. The procedure, in line with the OLAF Regulation and the Implementing Provisions, comprises, in essence, two stages: (i) assessment of admissibility; and (ii) scrutiny of the substance and, if possible, proposal of solutions.

The following flowchart gives an outline of the lifecycle of a complaint before the Controller.

Image 7

3.3.    First step: assessing admissibility

The Controller needs to conduct the preliminary assessment of complaints within 10 working days of the date of receipt in order to decide on admissibility. The conditions are set out in paragraphs 1 and 2 of Article 9b of the OLAF Regulation, and Article 5 of the Implementing Provisions. In 2022 the Controller assessed the admissibility of all pending complaints within the prescribed time limit. All three inadmissible complaints failed to comply with the deadlines set in Article 9b(2) (9). Out of the 11 admissible complaints, 3 were partially admissible, as they included allegations that were submitted belatedly or concerned data protection issues (Figures 7 and 8). In all instances where complaints or allegations were found to be inadmissible, the Controller explained her decision to the complainant.

Figure 7


Image 8

*including partial admissible complaints

Figure 8

Grounds for inadmissibility (including 2 partially admissible complaints)

Image 9

3.3.1.   The time-limits set out by the OLAF Regulation

One of the first and recurrent issues that the Controller had to deal with concerned the deadlines for lodging a complaint. The Controller adopted an approach that seeks to respect both the wording and purpose of the relevant provisions of the OLAF Regulation. Article 9b(2) provides that complaints must be lodged within one month of the complainant becoming aware of the relevant facts constituting an alleged infringement of the procedural guarantees or rules referred to in paragraph 1 of that Article, and states that in any event, complaints must be lodged no more than 1 month after the closure of the investigation.

The Controller understands that the reason the Regulation provides for these short deadlines is to preserve the effectiveness of the Controller’s role while respecting OLAF’s investigative activities. In other words, the Controller needs to be informed about alleged breaches when she can still act and propose effective and meaningful solutions that could be implemented by OLAF without compromising the outcome of ongoing investigations or the progress of any follow-up procedure that has been opened at national or EU level to implement the recommendations issued by OLAF. From the complainant’s side, it is equally important to seek redress at an early stage and avoid exacerbating the impact of a potential breach. These are the reasons why a person concerned needs to lodge a complaint shortly after they become aware of the facts leading to a specific infringement. For instance, if an economic operator wants to complain about alleged irregularities during an on-the-spot check at its premises, it should contact the Controller within 1 month after the end of this investigative activity.

When it comes to closed investigations, the OLAF Regulation sets an additional stricter and clear condition of admissibility: complaints must be submitted no more than 1 month after the closure of the investigation, regardless of when the complainant becomes aware of the relevant facts. The Controller considers that this additional condition for closed investigations is there to preserve not only the effectiveness of any follow-up procedure at national or EU level, but also the effectiveness of her own recommendations and suggestions for solutions to the specific complaints. The Controller cannot propose any useful solution for cases that have left OLAF’s sphere of control and for which there may be ongoing procedures before national or other EU authorities. In such cases, the Controller considers that persons concerned can raise their grievances before these authorities and make use of the available (judicial or administrative) remedies.

3.3.2.   Complaints relating to the protection of personal data

OLAF’s daily work involves the processing of large amounts of personal data, including sensitive data. OLAF may also conduct investigative activities that could be perceived as intrusive for the protection of personal data, such as digital forensic operations. It is therefore not surprising that complainants raised allegations pertaining to their right to the protection of their personal data, as guaranteed by Article 8 of the EU Charter of Fundamental Rights and Regulation (EU) 2018/1725 (‘EU Data Protection Regulation’) (10).

Although the Controller’s mandate includes checking OLAF’s compliance with fundamental rights, the EU has an independent supervisory authority, the European Data Protection Supervisor (EDPS), that has a number of responsibilities concerning the rights to privacy and data protection. Article 52 of the EU Data Protection Regulation provides that the EDPS is responsible for monitoring and ensuring the application of this Regulation and of any other Union act relating to the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data by an EU institution or body. Since the EU has created a specialised body to guarantee the fundamental right to the protection of personal data, it is for that body, i.e., the EDPS, rather than the Controller to deal with complaints concerning alleged breaches of data protection rules. Under those rules, any person can lodge a complaint with the EDPS within 2 years of the date they became aware of the facts on which the complaint is based. In the interest of transparency, the Controller included a corresponding provision in the Implementing Provisions to reflect this division of competences (11).

While the Controller will not deal with allegations that concerned purely the interpretation and application of the EU Data Protection Regulation, she will consider aspects relating to privacy and data protection when assessing OLAF’s overall compliance with procedural guarantees.

3.4.    Next step: an adversarial procedure

After completing the preliminary assessment, the Controller invited OLAF to provide its views on the 11 complaints declared admissible. In a number of cases the Controller requested additional information from OLAF or complimentary translation of OLAF’s replies into the language of the complaint. The Controller then sent OLAF’s replies to the complainants and invited them to comment on OLAF’s views.

As a matter of principle, the Controller endeavours to give the fullest possible effect to the principle of adversarial proceedings. Thus, both OLAF and the complainants were given the opportunity to state their case and submit supporting documentation. In principle, they were also informed of each other’s submissions and could comment on them. That said, in three duly justified cases the Controller decided to derogate from this principle and allow the confidential treatment of information submitted by OLAF in line with Article 7(2) of the Implementing Provisions.

In particular, the Controller applied this provision to complaints concerning the duration of investigations. In these cases, to assess whether the duration of the investigations was reasonable, the Controller had to receive from OLAF specific, comprehensive, and detailed information about the investigative activities carried out and the various legal and factual elements that had an impact on the duration of the investigations. At the same time, as the complaints concerned ongoing OLAF investigations, the Controller was conscious that OLAF’s views could not be simply transmitted to the complainants as this could compromise the confidentiality and efficiency of the relevant investigations. In particular, it would risk revealing OLAF’s working methods or preventing it from collecting the necessary evidence or even jeopardising the overall investigative strategy in a given investigation.

In those cases, the Controller therefore agreed with OLAF that the latter would provide (i) a non-confidential version of OLAF’s replies to be sent to the complainant so that the latter can understand the reasons underpinning OLAF’s conduct and thus be in a position to challenge OLAF’s reply and provide counter-arguments; and (ii) a confidential, more detailed version to further explain the reasons put forward by OLAF in the non-confidential version. This balanced solution allowed the Controller to conduct a thorough assessment of all relevant cases while complying with her obligation to ensure the confidentiality of OLAF investigations. Although complainants are not entitled to receive all pieces of information, they can be confident that the Controller carries out an independent and thorough examination of the case, especially in light of her privileged access to the case file.

3.5.    Results achieved

In 2022, out of the 11 admissible complaints, the Controller assessed the merits of 4 (Figure 9) and closed 3 of them, having found no breach of the complainants’ procedural guarantees and rights. In the fourth case, she found that OLAF had breached the complainant’s right to be informed under Article 9(3) of the OLAF Regulation. She thus invited OLAF to resolve this part of the complaint. Of the remaining 7 pending admissible complaints, 5 were at an advanced stage and were concluded in early 2023.

Figure 9

Admissible complaints in 2022

Image 10

3.5.1.   Cases closed

In 2022, the Controller concluded the examination of 6 out of the 14 complaints received: 3 were declared inadmissible and 3 were closed, after receiving OLAF’s and the complainant’s views on the matters under examination (Figure 10). Two of these cases concerned the duration of the investigations subject to the complaints. The third case concerned the digital forensic acquisition of data and the application of the OLAF Guidelines on Digital Forensic Procedures. In all 3 cases, the Controller reached the conclusion that OLAF had acted in accordance with the rules in force and did not breach the complainants’ procedural guarantees.

Figure 10

Cases closed in 2022

Image 11

3.5.2.   Proposing solutions

The Controller issued her first invitation to OLAF to resolve a complaint. The case concerned the right to be informed pursuant to Article 9(3) of the OLAF Regulation. The Controller found that there had been a breach of the complainant’s right to be promptly informed, because the email that OLAF had sent to inform the complainant that they were a person concerned never reached them. The Controller referred to established case-law to point out that when it comes to important notifications, OLAF should have a procedure in place to ensure they are actually received by the intended recipients.

However, since the complainant was ultimately informed of their status as person concerned and of their corresponding rights, the Controller could only invite OLAF to improve its practice and prevent such situations from occurring in the future. Thus, she invited OLAF to take all necessary steps to ensure that means of communication used in the future enable persons concerned to become aware of the information under Article 9(3) of the OLAF Regulation.

In January 2023, in his response to the Controller, the Director-General of OLAF acknowledged the need to improve OLAF’s practices and to ensure that similar problems did not occur in the future. To the Controller’s satisfaction, OLAF’s Director-General made an unconditional commitment to take action to resolve the issue, and on 13 February 2023 he adopted ‘Instructions on the means of notification to be used in correspondence with persons concerned’. These instructions are mandatory for OLAF staff.

4.   Relations with stakeholders

During the first months of her mandate, the Controller sought to establish fruitful working relations based on mutual trust and good cooperation with her main interlocutor, the Director-General of OLAF. On 25 October 2022, the Controller met with Mr Ville Itälä. They had a preliminary discussion on working methods and agreed on the need to adopt formal working arrangements.

On 15 November 2022, the Controller was invited to the plenary meeting of the Supervisory Committee, where she thanked the members of the Committee for the productive exchanges in the framework of the adoption of her Implementing Provisions. They also discussed issues of common interest.

In 2023, the Controller will endeavour to uphold good relations with the various parties operating in the EU antifraud, integrity and accountability landscape and to meet further stakeholders.

Image 12

Courtesy meeting with the Director-General of OLAF, Mr Ville Itälä

5.   Administrative and legal support

With a view to the efficient use of resources, the OLAF Regulation entrusted to the Secretariat of the Supervisory Committee the tasks of providing legal and administrative support to the Controller. This choice is further justified by the complementarity of the missions and the common goal pursued by the Controller and the Supervisory Committee. The presence of the Secretariat ensures continuity, undisrupted communication, and smooth cooperation with both the complainants and OLAF. A dedicated team of highly qualified staff within the Secretariat, acting under the direction of its Head, provided valuable advice and assistance to the Controller while respecting professional secrecy and confidentiality.

6.   Communicating with the Controller

By email:

By post:

Controller of Procedural Guarantees/Secretariat of the Supervisory Committee of OLAF

Rue Joseph II, 30

1049 Bruxelles/Brussel



(1)  OJ C 326, 26.10.2012, p. 391.

(2)  Article 9b(11) requires the Controller to formally consult the Supervisory Committee before adopting implementing provisions. The Controller also consulted OLAF, although she was not legally required to do, so in the spirit of mutual trust and good cooperation.

(3)  Decision of the Controller of procedural guarantees adopting implementing provisions for the handling of complaints 2022/C 494/07 (OJ C 494, 28.12.2022, p. 17).


(5)  See point 3.4 below.

(6)  Article 4 of the OLAF Regulation.

(7)  Article 3 of the OLAF Regulation.

(8)  These include rules on how OLAF conducts its various investigative activities. They are contained in various texts, including the OLAF Regulation, the Council Regulation (Euratom, EC) No 2185/96 of 11 November 1996 concerning on-the-spot checks and inspections carried out by the Commission in order to protect the European Communities’ financial interests against fraud and other irregularities (OJ L 292, 15.11.1996, p. 2), the Guidelines on investigations for OLAF staff (GIPs), and the Guidelines on Digital Forensic Procedures for OLAF Staff.

(9)  The time-limits set out in Article 9b(2) are explained in par. 3.3.1.

(10)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

(11)  Article 5(3) of the Implementing Provisions provides ‘The Controller shall also declare inadmissible any complaint raising issues that fall under the competence of the European Data Protection Supervisor (EDPS), that is complaints relating to the application of Regulation 2018/1725 (EU, Euratom) and the respect of the fundamental right to the protection of personal data’.