Compliance of the Court with Regulation No 45/2001, FP6 & FP7 Financial Audits , Personal Data Protection

Ihre Anfrage war teilweise erfolgreich.

Mr. Orestis BEKAS

Dear European Court of Auditors,

Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:

I refer to the audits of the Court of the FP6 & FP7 projects. The Court has audited the Research family DGs and has relied on the personal data in the possession of those DGs to check the compliance of the underlying transactions with legality. In other words, the Court has processed personal data originating from the contractual financial audits of those DGs pursuant to articles FP6.II.29 and FP7.II.22.

Approximately 80% of all external financial audits of the Research family DGs have been conducted by external auditors pursuant to a private law contract between the DG RTD and the external auditors. It follows therefore that for 80% of the said audits, the personal data of employees or service providers of the auditees end up in the possession of a Research family DG solely pursuant to two private law contracts. There can be no doubt that the Research family DGs end up with personal data of third parties to the audited FP6 contracts or FP7 grant agreements, as the case may be.

There are huge questions about how exactly personal data acquired by the Commission services in such a solely contractual context, and which also concern third parties to the research contracts, is lawfully in the possessed by the Commission services. An analysis of article 25 of Regulation No 45/2001 immediately discloses that none of the conditions of article 5 of the said Regulation is even remotely satisfied, unless the data subject has expressly stated his/her consent. It is absolutely certain that the data subject has not given its consent, as the personal data are collected in the field audit from the auditee (a legal person in the vast majority of audits) and not from the data subject. Furthermore, the data subject is not even aware about it.

The above reasoning calls immediately to question to what extent the Court of Auditors has lawfully processed personal data in its audits of the Research family DGs. As the Court itself has stated in its opinion 1/2006, in the FP4, FP5 and FP6 Programmes the relationship between the contractor-beneficiary and the Commission is a ‘private law contract’. Equally, the FP7 grant agreement is a ‘private law contract’. It cannot be accepted that the Court has ‘overlooked’ article 5 of Regulation No 45/2001 and its implications about the lawfulness of the personal data in the possession of the Research family DGs.

Since the Court is primarily concerned with verifying the legality of the underlying transactions, prior to any processing by itself of the personal data in the possession of the Research DGs, the Court has had an absolute obligation to satisfy itself that the latter DGs were indeed in a fully lawful possession. To this end, the Court has had an absolute obligation to verify that the data subjects had provided their express consent.

There are also huge issues about the article 25 prior notifications of Regulation No 45/2001 about the external financial audits of the Research family DGs. The very first one, DG INFSO DPO-3338.1 was filed as late as 2/2/2011, i.e. when more than approximately 1,500 audits had been carried out.

The prior notifications DPO-3334.1, DPO-3338.1, DPO-3398, DPO-3420.1 and DPO-3455.1 have the ‘statements’ “This processing has been submitted to the EDPS who concluded that Article 27 is not applicable. 3. Sub-Contractors —”. These statements are manifestly extremely inaccurate, to say the least simply because:

1. The Annual Activity Reports of the Research family DGs state that approximately 80% of the audits were outsource.

2. The EDPS calls prior notifications referred to him for article 27 consultations as a ‘non-prior check’. In accordance to Regulation No 45/2001, the EDPS publishes his opinion about every single ‘non-prior check’ in his website. A rudimentary ‘check’ of the EDPS website discloses that DPO-3334.1, DPO-3338.1, DPO-3398, DPO-3420.1 and DPO-3455.1 were never submitted to the EDPS for any type of ‘consultations’. It is thus evident that the statement “This processing has been submitted to the EDPS who concluded that Article 27 is not applicable” is in total contradiction with the contents of the EDPS public website.

It cannot be accepted that the Court was not diligent enough to realise that up to 2/2/2011 there was no prior notification at all about the external financial audits in question and that those filed afterwards have had highly inaccurate statements, with the ‘no subcontractors’ as blatantly inaccurate. This inaccuracy alone ought to have raised red alerts to the Court, since the Court supposedly verifies the legality of the transactions.

It is worth recalling that legality is far more than the protection of financial interests. After all, democracy, the rule of law, fundamental rights, education, and publicly-funded art do not come without a price tag. Arguably, the taxpayers’ financial interests take a hit, as taxation is raised to pay for elections, the Parliament, the Courts and so on. Dispensing with such ‘expensive’ Institutions would certainly lower taxation, thus positively impacting the taxpayer’s financial interests.

Furthermore, the Court itself costs the taxpayer money. The very fact that the Treaties provide for the Court proves that legality is above the financial interests. It appears that the Court has somewhat ‘forgotten’ such fundamental considerations in its audits of the Research family DGs when it came to compliance with Regulation No 45/2001.

For the purposes of this application, the abbreviation ‘PDTPRCPC’ stands for ‘Personal Data of Third Parties to Research Contracts Processed by the Court originating from the external financial audits of the Research family DGs pursuant to articles FP6.II.29 and FP7.II.22’.

Copies of the following documents drawn up by the Court are kindly applied for:

1. The documents setting out the lawfulness of the PDTPRCPC.

2. The article 25 of Regulation 45/2001 prior notification(s) about the PDTPRCPC.

3. The documents drawn up by the Data Protection Officer about the PDTPRCPC.

4. Since the Court has processed personal data it did not itself obtain/collect from the data subjects but from a third party (i.e. Commission services), copies of any 20 letters the Court dispatched to data subjects pursuant to article 12(1) or Regulation No 45/2001 for the personal data the Court processed from 1/1/2019 to 31/12/2011.

5. The documents setting our an analysis of the compliance with article 7 of Regulation No 45/2001 regarding the PDTPRCPC.

****** OVERRIDING PUBLIC INTEREST *******

First, it is worth recalling that:

1. The Schecke Judgement has made absolutely clear the fundamental importance of personal data protection in the European Union, Joined Cases C-92/09 and C-93/09.

2. The Bavarian Lager Judgement, as well as the Commission’s refusal to disclose personal data without the express consent of a data subject, has illustrated (i) that strict compliance with the Regulation No 45/2001 is of the essence, and (ii) the Commission services are in general very diligent in observing the said Regulation.

3. The Commission referred Austria to Court of Justice for lack of independence of data protection authority, Case C‑614/10.

4. The Commission referred Germany to the Court of Justice for lack of independence of the data protection supervisory authority, Case C-518/07.

Due to the extremely sensitive nature of the subject-matter of the application, it is manifestly evident that there is an overriding public interest for the full release of very single document held by the Court and applied for above.

Yours faithfully,

Mr. Orestis BEKAS

Der Europäische Rechnungshof

Dear Orestis Bekas,

Thank you for your email of 4 July 2013, in which you request copies of
the folowing documents:

     
    1. The documents setting out the lawfulness of the PDTPRCPC (Personal
Data of Third Parties to Research Contracts Processed by the Court
originating from the external financial audits of the Research family DGs
pursuant to articles FP6.II.29 and FP7.II.22’.).
   
    2. The article 25 of Regulation 45/2001 prior notification(s) about
the PDTPRCPC.
   
    3. The documents drawn up by the Data Protection Officer about the
PDTPRCPC.
   
    4. Copies of any 20 letters the Court dispatched to data subjects
pursuant to article 12(1) or Regulation No 45/2001 for the personal data
the Court processed from 1/1/2019 to 31/12/2011.
   
    5. The documents setting our an analysis of the compliance with
article 7 of Regulation No 45/2001 regarding the PDTPRCPC.

Under the terms of Decision No 12-2005 of the Court of Auditors regarding
public access to Court documents you will receive a reply within 15
working days, that is by the end of business on Wednesday 24 July 2013.

Kindest regards,

ECA Info

From:        "Mr. Orestis BEKAS" <[FOI #628 email]>
To:        information requests at European Court of Auditors
<[European Court of Auditors request email]>
Date:        04/07/2013 11:48
Subject:        access to information request - Compliance of the Court
with Regulation No 45/2001, FP6 & FP7 Financial Audits , Personal Data
Protection

--------------------------------------------------------------------------

     Dear European Court of Auditors,
   
    Under the right of access to documents in the EU treaties, as
    developed in Regulation 1049/2001, I am requesting documents which
    contain the following information:
   
    I refer to the audits of the Court of the FP6 & FP7 projects. The
    Court has audited the Research family DGs and has relied on the
    personal data in the possession of those DGs to check the
    compliance of the underlying transactions with legality. In other
    words, the Court has processed personal data originating from the
    contractual financial audits of those DGs pursuant to articles
    FP6.II.29 and FP7.II.22.
   
    Approximately 80% of all external financial audits of the Research
    family DGs have been conducted by external auditors pursuant to a
    private law contract between the DG RTD and the external auditors.
    It follows therefore that for 80% of the said audits, the personal
    data of employees or service providers of the auditees end up in
    the possession of a Research family DG solely pursuant to two
    private law contracts. There can be no doubt that the Research
    family DGs end up with personal data of third parties to the
    audited FP6 contracts or FP7 grant agreements, as the case may be.
   
    There are huge questions about how exactly personal data acquired
    by the Commission services in such a solely contractual context,
    and which also concern third parties to the research contracts, is
    lawfully in the possessed by the Commission services. An analysis
    of article 25 of Regulation No 45/2001 immediately discloses that
    none of the conditions of article 5 of the said Regulation is even
    remotely satisfied, unless the data subject has expressly stated
    his/her consent. It is absolutely certain that the data subject has
    not given its consent, as the personal data are collected in the
    field audit from the auditee (a legal person in the vast majority
    of audits) and not from the data subject. Furthermore, the data
    subject is not even aware about it.
   
    The above reasoning calls immediately to question to what extent
    the Court of Auditors has lawfully processed personal data in its
    audits of the Research family DGs. As the Court itself has stated
    in its opinion 1/2006, in the FP4, FP5 and FP6 Programmes the
    relationship between the contractor-beneficiary and the Commission
    is a ‘private law contract’. Equally, the FP7 grant agreement is a
    ‘private law contract’. It cannot be accepted that the Court has
    ‘overlooked’ article 5 of Regulation No 45/2001 and its
    implications about the lawfulness of the personal data in the
    possession of the Research family DGs.
   
    Since the Court is primarily concerned with verifying the legality
    of the underlying transactions, prior to any processing by itself
    of the personal data in the possession of the Research DGs, the
    Court has had an absolute obligation to satisfy itself that the
    latter DGs were indeed in a fully lawful possession. To this end,
    the Court has had an absolute obligation to verify that the data
    subjects had provided their express consent.
   
    There are also huge issues about the article 25 prior notifications
    of Regulation No 45/2001 about the external financial audits of the
    Research family DGs. The very first one, DG INFSO DPO-3338.1 was
    filed as late as 2/2/2011, i.e. when more than approximately 1,500
    audits had been carried out.
   
    The prior notifications DPO-3334.1, DPO-3338.1, DPO-3398,
    DPO-3420.1 and DPO-3455.1 have the ‘statements’ “This processing
    has been submitted to the EDPS who concluded that Article 27 is not
    applicable. 3. Sub-Contractors —”. These statements are manifestly
    extremely inaccurate, to say the least simply because:
   
    1. The Annual Activity Reports of the Research family DGs state
    that approximately 80% of the audits were outsource.
   
    2. The EDPS calls prior notifications referred to him for article
    27 consultations as a ‘non-prior check’. In accordance to
    Regulation No 45/2001, the EDPS publishes his opinion about every
    single ‘non-prior check’ in his website. A rudimentary ‘check’ of
    the EDPS website discloses that DPO-3334.1, DPO-3338.1, DPO-3398,
    DPO-3420.1 and DPO-3455.1 were never submitted to the EDPS for any
    type of ‘consultations’. It is thus evident that the statement
    “This processing has been submitted to the EDPS who concluded that
    Article 27 is not applicable” is in total contradiction with the
    contents of the EDPS public website.
   
    It cannot be accepted that the Court was not diligent enough to
    realise that up to 2/2/2011 there was no prior notification at all
    about the external financial audits in question and that those
    filed afterwards have had highly inaccurate statements, with the
    ‘no subcontractors’ as blatantly inaccurate. This inaccuracy alone
    ought to have raised red alerts to the Court, since the Court
    supposedly verifies the legality of the transactions.
   
    It is worth recalling that legality is far more than the protection
    of financial interests. After all, democracy, the rule of law,
    fundamental rights, education, and publicly-funded art do not come
    without a price tag. Arguably, the taxpayers’ financial interests
    take a hit, as taxation is raised to pay for elections, the
    Parliament, the Courts and so on. Dispensing with such ‘expensive’
    Institutions would certainly lower taxation, thus positively
    impacting the taxpayer’s financial interests.
   
    Furthermore, the Court itself costs the taxpayer money. The very
    fact that the Treaties provide for the Court proves that legality
    is above the financial interests. It appears that the Court has
    somewhat ‘forgotten’ such fundamental considerations in its audits
    of the Research family DGs when it came to compliance with
    Regulation No 45/2001.
   
    For the purposes of this application, the abbreviation ‘PDTPRCPC’
    stands for ‘Personal Data of Third Parties to Research Contracts
    Processed by the Court originating from the external financial
    audits of the Research family DGs pursuant to articles FP6.II.29
    and FP7.II.22’.
   
    Copies of the following documents drawn up by the Court are kindly
    applied for:
   
    1. The documents setting out the lawfulness of the PDTPRCPC.
   
    2. The article 25 of Regulation 45/2001 prior notification(s) about
    the PDTPRCPC.
   
    3. The documents drawn up by the Data Protection Officer about the
    PDTPRCPC.
   
    4. Since the Court has processed personal data it did not itself
    obtain/collect from the data subjects but from a third party (i.e.
    Commission services), copies of any 20 letters the Court dispatched
    to data subjects pursuant to article 12(1) or Regulation No 45/2001
    for the personal data the Court processed from 1/1/2019 to
    31/12/2011.
   
    5. The documents setting our an analysis of the compliance with
    article 7 of Regulation No 45/2001 regarding the PDTPRCPC.
   
    ****** OVERRIDING PUBLIC INTEREST *******
   
    First, it is worth recalling that:
   
    1. The Schecke Judgement has made absolutely clear the fundamental
    importance of personal data protection in the European Union,
    Joined Cases C-92/09 and C-93/09.
   
    2. The Bavarian Lager Judgement, as well as the Commission’s
    refusal to disclose personal data without the express consent of a
    data subject, has illustrated (i) that strict compliance with the
    Regulation No 45/2001 is of the essence, and (ii) the Commission
    services are in general very diligent in observing the said
    Regulation.
   
    3. The Commission referred Austria to Court of Justice for lack of
    independence of data protection authority, Case C‑614/10.
   
    4. The Commission referred Germany to the Court of Justice for lack
    of independence of the data protection supervisory authority, Case
    C-518/07.
   
    Due to the extremely sensitive nature of the subject-matter of the
    application, it is manifestly evident that there is an overriding
    public interest for the full release of very single document held
    by the Court and applied for above.
   
    Yours faithfully,
   
    Mr. Orestis BEKAS
   
    -------------------------------------------------------------------
   
    This is a request for access to information under Article 15 of the
    TFEU and, where applicable, Regulation 1049/2001 which has been
    sent via the AsktheEU.org website.
   
    Please kindly use this email address for all replies to this
    request: [FOI #628 email]
   
    If [European Court of Auditors request email] is the wrong address for information
    requests to European Court of Auditors, please tell the
    AsktheEU.org team on email [email address]
   
    This message and all replies from European Court of Auditors will
    be published on the AsktheEU.org website. For more information see
    our dedicated page for EU public officials at
    [1]http://www.asktheeu.org/en/help/officers
   
   
   
    -------------------------------------------------------------------

**********************
Disclaimer: If you have received this message in error, please contact the
sender immediately.

**********************
Avertissement : Si ce message vous a été adressé par erreur, nous vous
prions de vous mettre immédiatement en rapport avec l’expéditeur.

References

Visible links
1. http://www.asktheeu.org/en/help/officers

Der Europäische Rechnungshof

Dear Orestis Bekas,

We would like to inform you that - pursuant  to Article 6(3) and (4) of
Decision 12-2005 of the Court of Auditors regarding public access to Court
documents - and due to the vacation period, the initial deadline of 15
working days (ending on 25 July 2013) was exceptionnally extended for
another 15 working days.

You will receive a reply by the end of the business day on 16 August 2013.

Kind regards,
ECA Info

From:        "Mr. Orestis BEKAS" <[FOI #628 email]>
To:        information requests at European Court of Auditors
<[European Court of Auditors request email]>
Date:        04/07/2013 11:48
Subject:        access to information request - Compliance of the Court
with Regulation No 45/2001, FP6 & FP7 Financial Audits , Personal Data
Protection

--------------------------------------------------------------------------

     Dear European Court of Auditors,
   
    Under the right of access to documents in the EU treaties, as
    developed in Regulation 1049/2001, I am requesting documents which
    contain the following information:
   
    I refer to the audits of the Court of the FP6 & FP7 projects. The
    Court has audited the Research family DGs and has relied on the
    personal data in the possession of those DGs to check the
    compliance of the underlying transactions with legality. In other
    words, the Court has processed personal data originating from the
    contractual financial audits of those DGs pursuant to articles
    FP6.II.29 and FP7.II.22.
   
    Approximately 80% of all external financial audits of the Research
    family DGs have been conducted by external auditors pursuant to a
    private law contract between the DG RTD and the external auditors.
    It follows therefore that for 80% of the said audits, the personal
    data of employees or service providers of the auditees end up in
    the possession of a Research family DG solely pursuant to two
    private law contracts. There can be no doubt that the Research
    family DGs end up with personal data of third parties to the
    audited FP6 contracts or FP7 grant agreements, as the case may be.
   
    There are huge questions about how exactly personal data acquired
    by the Commission services in such a solely contractual context,
    and which also concern third parties to the research contracts, is
    lawfully in the possessed by the Commission services. An analysis
    of article 25 of Regulation No 45/2001 immediately discloses that
    none of the conditions of article 5 of the said Regulation is even
    remotely satisfied, unless the data subject has expressly stated
    his/her consent. It is absolutely certain that the data subject has
    not given its consent, as the personal data are collected in the
    field audit from the auditee (a legal person in the vast majority
    of audits) and not from the data subject. Furthermore, the data
    subject is not even aware about it.
   
    The above reasoning calls immediately to question to what extent
    the Court of Auditors has lawfully processed personal data in its
    audits of the Research family DGs. As the Court itself has stated
    in its opinion 1/2006, in the FP4, FP5 and FP6 Programmes the
    relationship between the contractor-beneficiary and the Commission
    is a ‘private law contract’. Equally, the FP7 grant agreement is a
    ‘private law contract’. It cannot be accepted that the Court has
    ‘overlooked’ article 5 of Regulation No 45/2001 and its
    implications about the lawfulness of the personal data in the
    possession of the Research family DGs.
   
    Since the Court is primarily concerned with verifying the legality
    of the underlying transactions, prior to any processing by itself
    of the personal data in the possession of the Research DGs, the
    Court has had an absolute obligation to satisfy itself that the
    latter DGs were indeed in a fully lawful possession. To this end,
    the Court has had an absolute obligation to verify that the data
    subjects had provided their express consent.
   
    There are also huge issues about the article 25 prior notifications
    of Regulation No 45/2001 about the external financial audits of the
    Research family DGs. The very first one, DG INFSO DPO-3338.1 was
    filed as late as 2/2/2011, i.e. when more than approximately 1,500
    audits had been carried out.
   
    The prior notifications DPO-3334.1, DPO-3338.1, DPO-3398,
    DPO-3420.1 and DPO-3455.1 have the ‘statements’ “This processing
    has been submitted to the EDPS who concluded that Article 27 is not
    applicable. 3. Sub-Contractors —”. These statements are manifestly
    extremely inaccurate, to say the least simply because:
   
    1. The Annual Activity Reports of the Research family DGs state
    that approximately 80% of the audits were outsource.
   
    2. The EDPS calls prior notifications referred to him for article
    27 consultations as a ‘non-prior check’. In accordance to
    Regulation No 45/2001, the EDPS publishes his opinion about every
    single ‘non-prior check’ in his website. A rudimentary ‘check’ of
    the EDPS website discloses that DPO-3334.1, DPO-3338.1, DPO-3398,
    DPO-3420.1 and DPO-3455.1 were never submitted to the EDPS for any
    type of ‘consultations’. It is thus evident that the statement
    “This processing has been submitted to the EDPS who concluded that
    Article 27 is not applicable” is in total contradiction with the
    contents of the EDPS public website.
   
    It cannot be accepted that the Court was not diligent enough to
    realise that up to 2/2/2011 there was no prior notification at all
    about the external financial audits in question and that those
    filed afterwards have had highly inaccurate statements, with the
    ‘no subcontractors’ as blatantly inaccurate. This inaccuracy alone
    ought to have raised red alerts to the Court, since the Court
    supposedly verifies the legality of the transactions.
   
    It is worth recalling that legality is far more than the protection
    of financial interests. After all, democracy, the rule of law,
    fundamental rights, education, and publicly-funded art do not come
    without a price tag. Arguably, the taxpayers’ financial interests
    take a hit, as taxation is raised to pay for elections, the
    Parliament, the Courts and so on. Dispensing with such ‘expensive’
    Institutions would certainly lower taxation, thus positively
    impacting the taxpayer’s financial interests.
   
    Furthermore, the Court itself costs the taxpayer money. The very
    fact that the Treaties provide for the Court proves that legality
    is above the financial interests. It appears that the Court has
    somewhat ‘forgotten’ such fundamental considerations in its audits
    of the Research family DGs when it came to compliance with
    Regulation No 45/2001.
   
    For the purposes of this application, the abbreviation ‘PDTPRCPC’
    stands for ‘Personal Data of Third Parties to Research Contracts
    Processed by the Court originating from the external financial
    audits of the Research family DGs pursuant to articles FP6.II.29
    and FP7.II.22’.
   
    Copies of the following documents drawn up by the Court are kindly
    applied for:
   
    1. The documents setting out the lawfulness of the PDTPRCPC.
   
    2. The article 25 of Regulation 45/2001 prior notification(s) about
    the PDTPRCPC.
   
    3. The documents drawn up by the Data Protection Officer about the
    PDTPRCPC.
   
    4. Since the Court has processed personal data it did not itself
    obtain/collect from the data subjects but from a third party (i.e.
    Commission services), copies of any 20 letters the Court dispatched
    to data subjects pursuant to article 12(1) or Regulation No 45/2001
    for the personal data the Court processed from 1/1/2019 to
    31/12/2011.
   
    5. The documents setting our an analysis of the compliance with
    article 7 of Regulation No 45/2001 regarding the PDTPRCPC.
   
    ****** OVERRIDING PUBLIC INTEREST *******
   
    First, it is worth recalling that:
   
    1. The Schecke Judgement has made absolutely clear the fundamental
    importance of personal data protection in the European Union,
    Joined Cases C-92/09 and C-93/09.
   
    2. The Bavarian Lager Judgement, as well as the Commission’s
    refusal to disclose personal data without the express consent of a
    data subject, has illustrated (i) that strict compliance with the
    Regulation No 45/2001 is of the essence, and (ii) the Commission
    services are in general very diligent in observing the said
    Regulation.
   
    3. The Commission referred Austria to Court of Justice for lack of
    independence of data protection authority, Case C‑614/10.
   
    4. The Commission referred Germany to the Court of Justice for lack
    of independence of the data protection supervisory authority, Case
    C-518/07.
   
    Due to the extremely sensitive nature of the subject-matter of the
    application, it is manifestly evident that there is an overriding
    public interest for the full release of very single document held
    by the Court and applied for above.
   
    Yours faithfully,
   
    Mr. Orestis BEKAS
   
    -------------------------------------------------------------------
   
    This is a request for access to information under Article 15 of the
    TFEU and, where applicable, Regulation 1049/2001 which has been
    sent via the AsktheEU.org website.
   
    Please kindly use this email address for all replies to this
    request: [FOI #628 email]
   
    If [European Court of Auditors request email] is the wrong address for information
    requests to European Court of Auditors, please tell the
    AsktheEU.org team on email [email address]
   
    This message and all replies from European Court of Auditors will
    be published on the AsktheEU.org website. For more information see
    our dedicated page for EU public officials at
    [1]http://www.asktheeu.org/en/help/officers
   
   
   
    -------------------------------------------------------------------

**********************
Disclaimer: If you have received this message in error, please contact the
sender immediately.

**********************
Avertissement : Si ce message vous a été adressé par erreur, nous vous
prions de vous mettre immédiatement en rapport avec l’expéditeur.

References

Visible links
1. http://www.asktheeu.org/en/help/officers

Der Europäische Rechnungshof

Dear Mr Bekas,

I sent to you a reply to your access to information request, but got
mistaken.

Please forgive me. I am going to send to you shortly the correct reply, as
appropriate.

Please ignore my previous message, as it does not concern your case.

I apologise for any inconvenience caused,

sincerely yours,
_______________________________________________
Helena PIRON MÄKI-KORVELA
EUROPEAN COURT OF AUDITORS
12, rue Alcide De Gasperi - 1615 Luxembourg - LUXEMBOURG
Office K1 5.01  - Tel. +352 4398-45314  - Fax +352 4398-46314
Mobile +352 621-552 314
Twitter @EUAuditorsECA - YouTube EUAuditorsECA
[1]http://www.eca.europa.eu

**********************
Disclaimer: If you have received this message in error, please contact the
sender immediately.

**********************
Avertissement : Si ce message vous a été adressé par erreur, nous vous
prions de vous mettre immédiatement en rapport avec l’expéditeur.

References

Visible links
1. http://www.eca.europa.eu/

Der Europäische Rechnungshof

3 Attachments

Dear Mr Bekas,

hereby the ECA's reply to your access to information request of 4 July:

sincerely yours,

Helena Piron Mäki-Korvela

From:        "Mr. Orestis BEKAS" <[FOI #628 email]>
To:        information requests at European Court of Auditors
<[European Court of Auditors request email]>
Date:        04/07/2013 11:48
Subject:        access to information request - Compliance of the Court
with Regulation No 45/2001, FP6 & FP7 Financial Audits , Personal Data
Protection

--------------------------------------------------------------------------

     Dear European Court of Auditors,
   
    Under the right of access to documents in the EU treaties, as
    developed in Regulation 1049/2001, I am requesting documents which
    contain the following information:
   
    I refer to the audits of the Court of the FP6 & FP7 projects. The
    Court has audited the Research family DGs and has relied on the
    personal data in the possession of those DGs to check the
    compliance of the underlying transactions with legality. In other
    words, the Court has processed personal data originating from the
    contractual financial audits of those DGs pursuant to articles
    FP6.II.29 and FP7.II.22.
   
    Approximately 80% of all external financial audits of the Research
    family DGs have been conducted by external auditors pursuant to a
    private law contract between the DG RTD and the external auditors.
    It follows therefore that for 80% of the said audits, the personal
    data of employees or service providers of the auditees end up in
    the possession of a Research family DG solely pursuant to two
    private law contracts. There can be no doubt that the Research
    family DGs end up with personal data of third parties to the
    audited FP6 contracts or FP7 grant agreements, as the case may be.
   
    There are huge questions about how exactly personal data acquired
    by the Commission services in such a solely contractual context,
    and which also concern third parties to the research contracts, is
    lawfully in the possessed by the Commission services. An analysis
    of article 25 of Regulation No 45/2001 immediately discloses that
    none of the conditions of article 5 of the said Regulation is even
    remotely satisfied, unless the data subject has expressly stated
    his/her consent. It is absolutely certain that the data subject has
    not given its consent, as the personal data are collected in the
    field audit from the auditee (a legal person in the vast majority
    of audits) and not from the data subject. Furthermore, the data
    subject is not even aware about it.
   
    The above reasoning calls immediately to question to what extent
    the Court of Auditors has lawfully processed personal data in its
    audits of the Research family DGs. As the Court itself has stated
    in its opinion 1/2006, in the FP4, FP5 and FP6 Programmes the
    relationship between the contractor-beneficiary and the Commission
    is a ‘private law contract’. Equally, the FP7 grant agreement is a
    ‘private law contract’. It cannot be accepted that the Court has
    ‘overlooked’ article 5 of Regulation No 45/2001 and its
    implications about the lawfulness of the personal data in the
    possession of the Research family DGs.
   
    Since the Court is primarily concerned with verifying the legality
    of the underlying transactions, prior to any processing by itself
    of the personal data in the possession of the Research DGs, the
    Court has had an absolute obligation to satisfy itself that the
    latter DGs were indeed in a fully lawful possession. To this end,
    the Court has had an absolute obligation to verify that the data
    subjects had provided their express consent.
   
    There are also huge issues about the article 25 prior notifications
    of Regulation No 45/2001 about the external financial audits of the
    Research family DGs. The very first one, DG INFSO DPO-3338.1 was
    filed as late as 2/2/2011, i.e. when more than approximately 1,500
    audits had been carried out.
   
    The prior notifications DPO-3334.1, DPO-3338.1, DPO-3398,
    DPO-3420.1 and DPO-3455.1 have the ‘statements’ “This processing
    has been submitted to the EDPS who concluded that Article 27 is not
    applicable. 3. Sub-Contractors —”. These statements are manifestly
    extremely inaccurate, to say the least simply because:
   
    1. The Annual Activity Reports of the Research family DGs state
    that approximately 80% of the audits were outsource.
   
    2. The EDPS calls prior notifications referred to him for article
    27 consultations as a ‘non-prior check’. In accordance to
    Regulation No 45/2001, the EDPS publishes his opinion about every
    single ‘non-prior check’ in his website. A rudimentary ‘check’ of
    the EDPS website discloses that DPO-3334.1, DPO-3338.1, DPO-3398,
    DPO-3420.1 and DPO-3455.1 were never submitted to the EDPS for any
    type of ‘consultations’. It is thus evident that the statement
    “This processing has been submitted to the EDPS who concluded that
    Article 27 is not applicable” is in total contradiction with the
    contents of the EDPS public website.
   
    It cannot be accepted that the Court was not diligent enough to
    realise that up to 2/2/2011 there was no prior notification at all
    about the external financial audits in question and that those
    filed afterwards have had highly inaccurate statements, with the
    ‘no subcontractors’ as blatantly inaccurate. This inaccuracy alone
    ought to have raised red alerts to the Court, since the Court
    supposedly verifies the legality of the transactions.
   
    It is worth recalling that legality is far more than the protection
    of financial interests. After all, democracy, the rule of law,
    fundamental rights, education, and publicly-funded art do not come
    without a price tag. Arguably, the taxpayers’ financial interests
    take a hit, as taxation is raised to pay for elections, the
    Parliament, the Courts and so on. Dispensing with such ‘expensive’
    Institutions would certainly lower taxation, thus positively
    impacting the taxpayer’s financial interests.
   
    Furthermore, the Court itself costs the taxpayer money. The very
    fact that the Treaties provide for the Court proves that legality
    is above the financial interests. It appears that the Court has
    somewhat ‘forgotten’ such fundamental considerations in its audits
    of the Research family DGs when it came to compliance with
    Regulation No 45/2001.
   
    For the purposes of this application, the abbreviation ‘PDTPRCPC’
    stands for ‘Personal Data of Third Parties to Research Contracts
    Processed by the Court originating from the external financial
    audits of the Research family DGs pursuant to articles FP6.II.29
    and FP7.II.22’.
   
    Copies of the following documents drawn up by the Court are kindly
    applied for:
   
    1. The documents setting out the lawfulness of the PDTPRCPC.
   
    2. The article 25 of Regulation 45/2001 prior notification(s) about
    the PDTPRCPC.
   
    3. The documents drawn up by the Data Protection Officer about the
    PDTPRCPC.
   
    4. Since the Court has processed personal data it did not itself
    obtain/collect from the data subjects but from a third party (i.e.
    Commission services), copies of any 20 letters the Court dispatched
    to data subjects pursuant to article 12(1) or Regulation No 45/2001
    for the personal data the Court processed from 1/1/2019 to
    31/12/2011.
   
    5. The documents setting our an analysis of the compliance with
    article 7 of Regulation No 45/2001 regarding the PDTPRCPC.
   
    ****** OVERRIDING PUBLIC INTEREST *******
   
    First, it is worth recalling that:
   
    1. The Schecke Judgement has made absolutely clear the fundamental
    importance of personal data protection in the European Union,
    Joined Cases C-92/09 and C-93/09.
   
    2. The Bavarian Lager Judgement, as well as the Commission’s
    refusal to disclose personal data without the express consent of a
    data subject, has illustrated (i) that strict compliance with the
    Regulation No 45/2001 is of the essence, and (ii) the Commission
    services are in general very diligent in observing the said
    Regulation.
   
    3. The Commission referred Austria to Court of Justice for lack of
    independence of data protection authority, Case C‑614/10.
   
    4. The Commission referred Germany to the Court of Justice for lack
    of independence of the data protection supervisory authority, Case
    C-518/07.
   
    Due to the extremely sensitive nature of the subject-matter of the
    application, it is manifestly evident that there is an overriding
    public interest for the full release of very single document held
    by the Court and applied for above.
   
    Yours faithfully,
   
    Mr. Orestis BEKAS
   
    -------------------------------------------------------------------
   
    This is a request for access to information under Article 15 of the
    TFEU and, where applicable, Regulation 1049/2001 which has been
    sent via the AsktheEU.org website.
   
    Please kindly use this email address for all replies to this
    request: [FOI #628 email]
   
    If [European Court of Auditors request email] is the wrong address for information
    requests to European Court of Auditors, please tell the
    AsktheEU.org team on email [email address]
   
    This message and all replies from European Court of Auditors will
    be published on the AsktheEU.org website. For more information see
    our dedicated page for EU public officials at
    [1]http://www.asktheeu.org/en/help/officers
   
   
   
    -------------------------------------------------------------------

**********************
Disclaimer: If you have received this message in error, please contact the
sender immediately.

**********************
Avertissement : Si ce message vous a été adressé par erreur, nous vous
prions de vous mettre immédiatement en rapport avec l’expéditeur.

References

Visible links
1. http://www.asktheeu.org/en/help/officers