Compliance of the Court with Regulation No 45/2001, FP6 & FP7 Financial Audits , Personal Data Protection
Dear European Court of Auditors,
Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:
I refer to the audits of the Court of the FP6 & FP7 projects. The Court has audited the Research family DGs and has relied on the personal data in the possession of those DGs to check the compliance of the underlying transactions with legality. In other words, the Court has processed personal data originating from the contractual financial audits of those DGs pursuant to articles FP6.II.29 and FP7.II.22.
Approximately 80% of all external financial audits of the Research family DGs have been conducted by external auditors pursuant to a private law contract between the DG RTD and the external auditors. It follows therefore that for 80% of the said audits, the personal data of employees or service providers of the auditees end up in the possession of a Research family DG solely pursuant to two private law contracts. There can be no doubt that the Research family DGs end up with personal data of third parties to the audited FP6 contracts or FP7 grant agreements, as the case may be.
There are huge questions about how exactly personal data acquired by the Commission services in such a solely contractual context, and which also concern third parties to the research contracts, is lawfully in the possessed by the Commission services. An analysis of article 25 of Regulation No 45/2001 immediately discloses that none of the conditions of article 5 of the said Regulation is even remotely satisfied, unless the data subject has expressly stated his/her consent. It is absolutely certain that the data subject has not given its consent, as the personal data are collected in the field audit from the auditee (a legal person in the vast majority of audits) and not from the data subject. Furthermore, the data subject is not even aware about it.
The above reasoning calls immediately to question to what extent the Court of Auditors has lawfully processed personal data in its audits of the Research family DGs. As the Court itself has stated in its opinion 1/2006, in the FP4, FP5 and FP6 Programmes the relationship between the contractor-beneficiary and the Commission is a ‘private law contract’. Equally, the FP7 grant agreement is a ‘private law contract’. It cannot be accepted that the Court has ‘overlooked’ article 5 of Regulation No 45/2001 and its implications about the lawfulness of the personal data in the possession of the Research family DGs.
Since the Court is primarily concerned with verifying the legality of the underlying transactions, prior to any processing by itself of the personal data in the possession of the Research DGs, the Court has had an absolute obligation to satisfy itself that the latter DGs were indeed in a fully lawful possession. To this end, the Court has had an absolute obligation to verify that the data subjects had provided their express consent.
There are also huge issues about the article 25 prior notifications of Regulation No 45/2001 about the external financial audits of the Research family DGs. The very first one, DG INFSO DPO-3338.1 was filed as late as 2/2/2011, i.e. when more than approximately 1,500 audits had been carried out.
The prior notifications DPO-3334.1, DPO-3338.1, DPO-3398, DPO-3420.1 and DPO-3455.1 have the ‘statements’ “This processing has been submitted to the EDPS who concluded that Article 27 is not applicable. 3. Sub-Contractors —”. These statements are manifestly extremely inaccurate, to say the least simply because:
1. The Annual Activity Reports of the Research family DGs state that approximately 80% of the audits were outsource.
2. The EDPS calls prior notifications referred to him for article 27 consultations as a ‘non-prior check’. In accordance to Regulation No 45/2001, the EDPS publishes his opinion about every single ‘non-prior check’ in his website. A rudimentary ‘check’ of the EDPS website discloses that DPO-3334.1, DPO-3338.1, DPO-3398, DPO-3420.1 and DPO-3455.1 were never submitted to the EDPS for any type of ‘consultations’. It is thus evident that the statement “This processing has been submitted to the EDPS who concluded that Article 27 is not applicable” is in total contradiction with the contents of the EDPS public website.
It cannot be accepted that the Court was not diligent enough to realise that up to 2/2/2011 there was no prior notification at all about the external financial audits in question and that those filed afterwards have had highly inaccurate statements, with the ‘no subcontractors’ as blatantly inaccurate. This inaccuracy alone ought to have raised red alerts to the Court, since the Court supposedly verifies the legality of the transactions.
It is worth recalling that legality is far more than the protection of financial interests. After all, democracy, the rule of law, fundamental rights, education, and publicly-funded art do not come without a price tag. Arguably, the taxpayers’ financial interests take a hit, as taxation is raised to pay for elections, the Parliament, the Courts and so on. Dispensing with such ‘expensive’ Institutions would certainly lower taxation, thus positively impacting the taxpayer’s financial interests.
Furthermore, the Court itself costs the taxpayer money. The very fact that the Treaties provide for the Court proves that legality is above the financial interests. It appears that the Court has somewhat ‘forgotten’ such fundamental considerations in its audits of the Research family DGs when it came to compliance with Regulation No 45/2001.
For the purposes of this application, the abbreviation ‘PDTPRCPC’ stands for ‘Personal Data of Third Parties to Research Contracts Processed by the Court originating from the external financial audits of the Research family DGs pursuant to articles FP6.II.29 and FP7.II.22’.
Copies of the following documents drawn up by the Court are kindly applied for:
1. The documents setting out the lawfulness of the PDTPRCPC.
2. The article 25 of Regulation 45/2001 prior notification(s) about the PDTPRCPC.
3. The documents drawn up by the Data Protection Officer about the PDTPRCPC.
4. Since the Court has processed personal data it did not itself obtain/collect from the data subjects but from a third party (i.e. Commission services), copies of any 20 letters the Court dispatched to data subjects pursuant to article 12(1) or Regulation No 45/2001 for the personal data the Court processed from 1/1/2019 to 31/12/2011.
5. The documents setting our an analysis of the compliance with article 7 of Regulation No 45/2001 regarding the PDTPRCPC.
****** OVERRIDING PUBLIC INTEREST *******
First, it is worth recalling that:
1. The Schecke Judgement has made absolutely clear the fundamental importance of personal data protection in the European Union, Joined Cases C-92/09 and C-93/09.
2. The Bavarian Lager Judgement, as well as the Commission’s refusal to disclose personal data without the express consent of a data subject, has illustrated (i) that strict compliance with the Regulation No 45/2001 is of the essence, and (ii) the Commission services are in general very diligent in observing the said Regulation.
3. The Commission referred Austria to Court of Justice for lack of independence of data protection authority, Case C‑614/10.
4. The Commission referred Germany to the Court of Justice for lack of independence of the data protection supervisory authority, Case C-518/07.
Due to the extremely sensitive nature of the subject-matter of the application, it is manifestly evident that there is an overriding public interest for the full release of very single document held by the Court and applied for above.
Yours faithfully,
Mr. Orestis BEKAS
Dear Orestis Bekas,
Thank you for your email of 4 July 2013, in which you request copies of
the folowing documents:
1. The documents setting out the lawfulness of the PDTPRCPC (Personal
Data of Third Parties to Research Contracts Processed by the Court
originating from the external financial audits of the Research family DGs
pursuant to articles FP6.II.29 and FP7.II.22’.).
2. The article 25 of Regulation 45/2001 prior notification(s) about
the PDTPRCPC.
3. The documents drawn up by the Data Protection Officer about the
PDTPRCPC.
4. Copies of any 20 letters the Court dispatched to data subjects
pursuant to article 12(1) or Regulation No 45/2001 for the personal data
the Court processed from 1/1/2019 to 31/12/2011.
5. The documents setting our an analysis of the compliance with
article 7 of Regulation No 45/2001 regarding the PDTPRCPC.
Under the terms of Decision No 12-2005 of the Court of Auditors regarding
public access to Court documents you will receive a reply within 15
working days, that is by the end of business on Wednesday 24 July 2013.
Kindest regards,
ECA Info
From: "Mr. Orestis BEKAS" <[FOI #628 email]>
To: information requests at European Court of Auditors
<[European Court of Auditors request email]>
Date: 04/07/2013 11:48
Subject: access to information request - Compliance of the Court
with Regulation No 45/2001, FP6 & FP7 Financial Audits , Personal Data
Protection
--------------------------------------------------------------------------
Dear European Court of Auditors,
Under the right of access to documents in the EU treaties, as
developed in Regulation 1049/2001, I am requesting documents which
contain the following information:
I refer to the audits of the Court of the FP6 & FP7 projects. The
Court has audited the Research family DGs and has relied on the
personal data in the possession of those DGs to check the
compliance of the underlying transactions with legality. In other
words, the Court has processed personal data originating from the
contractual financial audits of those DGs pursuant to articles
FP6.II.29 and FP7.II.22.
Approximately 80% of all external financial audits of the Research
family DGs have been conducted by external auditors pursuant to a
private law contract between the DG RTD and the external auditors.
It follows therefore that for 80% of the said audits, the personal
data of employees or service providers of the auditees end up in
the possession of a Research family DG solely pursuant to two
private law contracts. There can be no doubt that the Research
family DGs end up with personal data of third parties to the
audited FP6 contracts or FP7 grant agreements, as the case may be.
There are huge questions about how exactly personal data acquired
by the Commission services in such a solely contractual context,
and which also concern third parties to the research contracts, is
lawfully in the possessed by the Commission services. An analysis
of article 25 of Regulation No 45/2001 immediately discloses that
none of the conditions of article 5 of the said Regulation is even
remotely satisfied, unless the data subject has expressly stated
his/her consent. It is absolutely certain that the data subject has
not given its consent, as the personal data are collected in the
field audit from the auditee (a legal person in the vast majority
of audits) and not from the data subject. Furthermore, the data
subject is not even aware about it.
The above reasoning calls immediately to question to what extent
the Court of Auditors has lawfully processed personal data in its
audits of the Research family DGs. As the Court itself has stated
in its opinion 1/2006, in the FP4, FP5 and FP6 Programmes the
relationship between the contractor-beneficiary and the Commission
is a ‘private law contract’. Equally, the FP7 grant agreement is a
‘private law contract’. It cannot be accepted that the Court has
‘overlooked’ article 5 of Regulation No 45/2001 and its
implications about the lawfulness of the personal data in the
possession of the Research family DGs.
Since the Court is primarily concerned with verifying the legality
of the underlying transactions, prior to any processing by itself
of the personal data in the possession of the Research DGs, the
Court has had an absolute obligation to satisfy itself that the
latter DGs were indeed in a fully lawful possession. To this end,
the Court has had an absolute obligation to verify that the data
subjects had provided their express consent.
There are also huge issues about the article 25 prior notifications
of Regulation No 45/2001 about the external financial audits of the
Research family DGs. The very first one, DG INFSO DPO-3338.1 was
filed as late as 2/2/2011, i.e. when more than approximately 1,500
audits had been carried out.
The prior notifications DPO-3334.1, DPO-3338.1, DPO-3398,
DPO-3420.1 and DPO-3455.1 have the ‘statements’ “This processing
has been submitted to the EDPS who concluded that Article 27 is not
applicable. 3. Sub-Contractors —”. These statements are manifestly
extremely inaccurate, to say the least simply because:
1. The Annual Activity Reports of the Research family DGs state
that approximately 80% of the audits were outsource.
2. The EDPS calls prior notifications referred to him for article
27 consultations as a ‘non-prior check’. In accordance to
Regulation No 45/2001, the EDPS publishes his opinion about every
single ‘non-prior check’ in his website. A rudimentary ‘check’ of
the EDPS website discloses that DPO-3334.1, DPO-3338.1, DPO-3398,
DPO-3420.1 and DPO-3455.1 were never submitted to the EDPS for any
type of ‘consultations’. It is thus evident that the statement
“This processing has been submitted to the EDPS who concluded that
Article 27 is not applicable” is in total contradiction with the
contents of the EDPS public website.
It cannot be accepted that the Court was not diligent enough to
realise that up to 2/2/2011 there was no prior notification at all
about the external financial audits in question and that those
filed afterwards have had highly inaccurate statements, with the
‘no subcontractors’ as blatantly inaccurate. This inaccuracy alone
ought to have raised red alerts to the Court, since the Court
supposedly verifies the legality of the transactions.
It is worth recalling that legality is far more than the protection
of financial interests. After all, democracy, the rule of law,
fundamental rights, education, and publicly-funded art do not come
without a price tag. Arguably, the taxpayers’ financial interests
take a hit, as taxation is raised to pay for elections, the
Parliament, the Courts and so on. Dispensing with such ‘expensive’
Institutions would certainly lower taxation, thus positively
impacting the taxpayer’s financial interests.
Furthermore, the Court itself costs the taxpayer money. The very
fact that the Treaties provide for the Court proves that legality
is above the financial interests. It appears that the Court has
somewhat ‘forgotten’ such fundamental considerations in its audits
of the Research family DGs when it came to compliance with
Regulation No 45/2001.
For the purposes of this application, the abbreviation ‘PDTPRCPC’
stands for ‘Personal Data of Third Parties to Research Contracts
Processed by the Court originating from the external financial
audits of the Research family DGs pursuant to articles FP6.II.29
and FP7.II.22’.
Copies of the following documents drawn up by the Court are kindly
applied for:
1. The documents setting out the lawfulness of the PDTPRCPC.
2. The article 25 of Regulation 45/2001 prior notification(s) about
the PDTPRCPC.
3. The documents drawn up by the Data Protection Officer about the
PDTPRCPC.
4. Since the Court has processed personal data it did not itself
obtain/collect from the data subjects but from a third party (i.e.
Commission services), copies of any 20 letters the Court dispatched
to data subjects pursuant to article 12(1) or Regulation No 45/2001
for the personal data the Court processed from 1/1/2019 to
31/12/2011.
5. The documents setting our an analysis of the compliance with
article 7 of Regulation No 45/2001 regarding the PDTPRCPC.
****** OVERRIDING PUBLIC INTEREST *******
First, it is worth recalling that:
1. The Schecke Judgement has made absolutely clear the fundamental
importance of personal data protection in the European Union,
Joined Cases C-92/09 and C-93/09.
2. The Bavarian Lager Judgement, as well as the Commission’s
refusal to disclose personal data without the express consent of a
data subject, has illustrated (i) that strict compliance with the
Regulation No 45/2001 is of the essence, and (ii) the Commission
services are in general very diligent in observing the said
Regulation.
3. The Commission referred Austria to Court of Justice for lack of
independence of data protection authority, Case C‑614/10.
4. The Commission referred Germany to the Court of Justice for lack
of independence of the data protection supervisory authority, Case
C-518/07.
Due to the extremely sensitive nature of the subject-matter of the
application, it is manifestly evident that there is an overriding
public interest for the full release of very single document held
by the Court and applied for above.
Yours faithfully,
Mr. Orestis BEKAS
-------------------------------------------------------------------
This is a request for access to information under Article 15 of the
TFEU and, where applicable, Regulation 1049/2001 which has been
sent via the AsktheEU.org website.
Please kindly use this email address for all replies to this
request: [FOI #628 email]
If [European Court of Auditors request email] is the wrong address for information
requests to European Court of Auditors, please tell the
AsktheEU.org team on email [email address]
This message and all replies from European Court of Auditors will
be published on the AsktheEU.org website. For more information see
our dedicated page for EU public officials at
[1]http://www.asktheeu.org/en/help/officers
-------------------------------------------------------------------
**********************
Disclaimer: If you have received this message in error, please contact the
sender immediately.
**********************
Avertissement : Si ce message vous a été adressé par erreur, nous vous
prions de vous mettre immédiatement en rapport avec l’expéditeur.
References
Visible links
1. http://www.asktheeu.org/en/help/officers
Dear Orestis Bekas,
We would like to inform you that - pursuant to Article 6(3) and (4) of
Decision 12-2005 of the Court of Auditors regarding public access to Court
documents - and due to the vacation period, the initial deadline of 15
working days (ending on 25 July 2013) was exceptionnally extended for
another 15 working days.
You will receive a reply by the end of the business day on 16 August 2013.
Kind regards,
ECA Info
From: "Mr. Orestis BEKAS" <[FOI #628 email]>
To: information requests at European Court of Auditors
<[European Court of Auditors request email]>
Date: 04/07/2013 11:48
Subject: access to information request - Compliance of the Court
with Regulation No 45/2001, FP6 & FP7 Financial Audits , Personal Data
Protection
--------------------------------------------------------------------------
Dear European Court of Auditors,
Under the right of access to documents in the EU treaties, as
developed in Regulation 1049/2001, I am requesting documents which
contain the following information:
I refer to the audits of the Court of the FP6 & FP7 projects. The
Court has audited the Research family DGs and has relied on the
personal data in the possession of those DGs to check the
compliance of the underlying transactions with legality. In other
words, the Court has processed personal data originating from the
contractual financial audits of those DGs pursuant to articles
FP6.II.29 and FP7.II.22.
Approximately 80% of all external financial audits of the Research
family DGs have been conducted by external auditors pursuant to a
private law contract between the DG RTD and the external auditors.
It follows therefore that for 80% of the said audits, the personal
data of employees or service providers of the auditees end up in
the possession of a Research family DG solely pursuant to two
private law contracts. There can be no doubt that the Research
family DGs end up with personal data of third parties to the
audited FP6 contracts or FP7 grant agreements, as the case may be.
There are huge questions about how exactly personal data acquired
by the Commission services in such a solely contractual context,
and which also concern third parties to the research contracts, is
lawfully in the possessed by the Commission services. An analysis
of article 25 of Regulation No 45/2001 immediately discloses that
none of the conditions of article 5 of the said Regulation is even
remotely satisfied, unless the data subject has expressly stated
his/her consent. It is absolutely certain that the data subject has
not given its consent, as the personal data are collected in the
field audit from the auditee (a legal person in the vast majority
of audits) and not from the data subject. Furthermore, the data
subject is not even aware about it.
The above reasoning calls immediately to question to what extent
the Court of Auditors has lawfully processed personal data in its
audits of the Research family DGs. As the Court itself has stated
in its opinion 1/2006, in the FP4, FP5 and FP6 Programmes the
relationship between the contractor-beneficiary and the Commission
is a ‘private law contract’. Equally, the FP7 grant agreement is a
‘private law contract’. It cannot be accepted that the Court has
‘overlooked’ article 5 of Regulation No 45/2001 and its
implications about the lawfulness of the personal data in the
possession of the Research family DGs.
Since the Court is primarily concerned with verifying the legality
of the underlying transactions, prior to any processing by itself
of the personal data in the possession of the Research DGs, the
Court has had an absolute obligation to satisfy itself that the
latter DGs were indeed in a fully lawful possession. To this end,
the Court has had an absolute obligation to verify that the data
subjects had provided their express consent.
There are also huge issues about the article 25 prior notifications
of Regulation No 45/2001 about the external financial audits of the
Research family DGs. The very first one, DG INFSO DPO-3338.1 was
filed as late as 2/2/2011, i.e. when more than approximately 1,500
audits had been carried out.
The prior notifications DPO-3334.1, DPO-3338.1, DPO-3398,
DPO-3420.1 and DPO-3455.1 have the ‘statements’ “This processing
has been submitted to the EDPS who concluded that Article 27 is not
applicable. 3. Sub-Contractors —”. These statements are manifestly
extremely inaccurate, to say the least simply because:
1. The Annual Activity Reports of the Research family DGs state
that approximately 80% of the audits were outsource.
2. The EDPS calls prior notifications referred to him for article
27 consultations as a ‘non-prior check’. In accordance to
Regulation No 45/2001, the EDPS publishes his opinion about every
single ‘non-prior check’ in his website. A rudimentary ‘check’ of
the EDPS website discloses that DPO-3334.1, DPO-3338.1, DPO-3398,
DPO-3420.1 and DPO-3455.1 were never submitted to the EDPS for any
type of ‘consultations’. It is thus evident that the statement
“This processing has been submitted to the EDPS who concluded that
Article 27 is not applicable” is in total contradiction with the
contents of the EDPS public website.
It cannot be accepted that the Court was not diligent enough to
realise that up to 2/2/2011 there was no prior notification at all
about the external financial audits in question and that those
filed afterwards have had highly inaccurate statements, with the
‘no subcontractors’ as blatantly inaccurate. This inaccuracy alone
ought to have raised red alerts to the Court, since the Court
supposedly verifies the legality of the transactions.
It is worth recalling that legality is far more than the protection
of financial interests. After all, democracy, the rule of law,
fundamental rights, education, and publicly-funded art do not come
without a price tag. Arguably, the taxpayers’ financial interests
take a hit, as taxation is raised to pay for elections, the
Parliament, the Courts and so on. Dispensing with such ‘expensive’
Institutions would certainly lower taxation, thus positively
impacting the taxpayer’s financial interests.
Furthermore, the Court itself costs the taxpayer money. The very
fact that the Treaties provide for the Court proves that legality
is above the financial interests. It appears that the Court has
somewhat ‘forgotten’ such fundamental considerations in its audits
of the Research family DGs when it came to compliance with
Regulation No 45/2001.
For the purposes of this application, the abbreviation ‘PDTPRCPC’
stands for ‘Personal Data of Third Parties to Research Contracts
Processed by the Court originating from the external financial
audits of the Research family DGs pursuant to articles FP6.II.29
and FP7.II.22’.
Copies of the following documents drawn up by the Court are kindly
applied for:
1. The documents setting out the lawfulness of the PDTPRCPC.
2. The article 25 of Regulation 45/2001 prior notification(s) about
the PDTPRCPC.
3. The documents drawn up by the Data Protection Officer about the
PDTPRCPC.
4. Since the Court has processed personal data it did not itself
obtain/collect from the data subjects but from a third party (i.e.
Commission services), copies of any 20 letters the Court dispatched
to data subjects pursuant to article 12(1) or Regulation No 45/2001
for the personal data the Court processed from 1/1/2019 to
31/12/2011.
5. The documents setting our an analysis of the compliance with
article 7 of Regulation No 45/2001 regarding the PDTPRCPC.
****** OVERRIDING PUBLIC INTEREST *******
First, it is worth recalling that:
1. The Schecke Judgement has made absolutely clear the fundamental
importance of personal data protection in the European Union,
Joined Cases C-92/09 and C-93/09.
2. The Bavarian Lager Judgement, as well as the Commission’s
refusal to disclose personal data without the express consent of a
data subject, has illustrated (i) that strict compliance with the
Regulation No 45/2001 is of the essence, and (ii) the Commission
services are in general very diligent in observing the said
Regulation.
3. The Commission referred Austria to Court of Justice for lack of
independence of data protection authority, Case C‑614/10.
4. The Commission referred Germany to the Court of Justice for lack
of independence of the data protection supervisory authority, Case
C-518/07.
Due to the extremely sensitive nature of the subject-matter of the
application, it is manifestly evident that there is an overriding
public interest for the full release of very single document held
by the Court and applied for above.
Yours faithfully,
Mr. Orestis BEKAS
-------------------------------------------------------------------
This is a request for access to information under Article 15 of the
TFEU and, where applicable, Regulation 1049/2001 which has been
sent via the AsktheEU.org website.
Please kindly use this email address for all replies to this
request: [FOI #628 email]
If [European Court of Auditors request email] is the wrong address for information
requests to European Court of Auditors, please tell the
AsktheEU.org team on email [email address]
This message and all replies from European Court of Auditors will
be published on the AsktheEU.org website. For more information see
our dedicated page for EU public officials at
[1]http://www.asktheeu.org/en/help/officers
-------------------------------------------------------------------
**********************
Disclaimer: If you have received this message in error, please contact the
sender immediately.
**********************
Avertissement : Si ce message vous a été adressé par erreur, nous vous
prions de vous mettre immédiatement en rapport avec l’expéditeur.
References
Visible links
1. http://www.asktheeu.org/en/help/officers
Dear Mr Bekas,
I sent to you a reply to your access to information request, but got
mistaken.
Please forgive me. I am going to send to you shortly the correct reply, as
appropriate.
Please ignore my previous message, as it does not concern your case.
I apologise for any inconvenience caused,
sincerely yours,
_______________________________________________
Helena PIRON MÄKI-KORVELA
EUROPEAN COURT OF AUDITORS
12, rue Alcide De Gasperi - 1615 Luxembourg - LUXEMBOURG
Office K1 5.01 - Tel. +352 4398-45314 - Fax +352 4398-46314
Mobile +352 621-552 314
Twitter @EUAuditorsECA - YouTube EUAuditorsECA
[1]http://www.eca.europa.eu
**********************
Disclaimer: If you have received this message in error, please contact the
sender immediately.
**********************
Avertissement : Si ce message vous a été adressé par erreur, nous vous
prions de vous mettre immédiatement en rapport avec l’expéditeur.
References
Visible links
1. http://www.eca.europa.eu/
Dear Mr Bekas,
hereby the ECA's reply to your access to information request of 4 July:
sincerely yours,
Helena Piron Mäki-Korvela
From: "Mr. Orestis BEKAS" <[FOI #628 email]>
To: information requests at European Court of Auditors
<[European Court of Auditors request email]>
Date: 04/07/2013 11:48
Subject: access to information request - Compliance of the Court
with Regulation No 45/2001, FP6 & FP7 Financial Audits , Personal Data
Protection
--------------------------------------------------------------------------
Dear European Court of Auditors,
Under the right of access to documents in the EU treaties, as
developed in Regulation 1049/2001, I am requesting documents which
contain the following information:
I refer to the audits of the Court of the FP6 & FP7 projects. The
Court has audited the Research family DGs and has relied on the
personal data in the possession of those DGs to check the
compliance of the underlying transactions with legality. In other
words, the Court has processed personal data originating from the
contractual financial audits of those DGs pursuant to articles
FP6.II.29 and FP7.II.22.
Approximately 80% of all external financial audits of the Research
family DGs have been conducted by external auditors pursuant to a
private law contract between the DG RTD and the external auditors.
It follows therefore that for 80% of the said audits, the personal
data of employees or service providers of the auditees end up in
the possession of a Research family DG solely pursuant to two
private law contracts. There can be no doubt that the Research
family DGs end up with personal data of third parties to the
audited FP6 contracts or FP7 grant agreements, as the case may be.
There are huge questions about how exactly personal data acquired
by the Commission services in such a solely contractual context,
and which also concern third parties to the research contracts, is
lawfully in the possessed by the Commission services. An analysis
of article 25 of Regulation No 45/2001 immediately discloses that
none of the conditions of article 5 of the said Regulation is even
remotely satisfied, unless the data subject has expressly stated
his/her consent. It is absolutely certain that the data subject has
not given its consent, as the personal data are collected in the
field audit from the auditee (a legal person in the vast majority
of audits) and not from the data subject. Furthermore, the data
subject is not even aware about it.
The above reasoning calls immediately to question to what extent
the Court of Auditors has lawfully processed personal data in its
audits of the Research family DGs. As the Court itself has stated
in its opinion 1/2006, in the FP4, FP5 and FP6 Programmes the
relationship between the contractor-beneficiary and the Commission
is a ‘private law contract’. Equally, the FP7 grant agreement is a
‘private law contract’. It cannot be accepted that the Court has
‘overlooked’ article 5 of Regulation No 45/2001 and its
implications about the lawfulness of the personal data in the
possession of the Research family DGs.
Since the Court is primarily concerned with verifying the legality
of the underlying transactions, prior to any processing by itself
of the personal data in the possession of the Research DGs, the
Court has had an absolute obligation to satisfy itself that the
latter DGs were indeed in a fully lawful possession. To this end,
the Court has had an absolute obligation to verify that the data
subjects had provided their express consent.
There are also huge issues about the article 25 prior notifications
of Regulation No 45/2001 about the external financial audits of the
Research family DGs. The very first one, DG INFSO DPO-3338.1 was
filed as late as 2/2/2011, i.e. when more than approximately 1,500
audits had been carried out.
The prior notifications DPO-3334.1, DPO-3338.1, DPO-3398,
DPO-3420.1 and DPO-3455.1 have the ‘statements’ “This processing
has been submitted to the EDPS who concluded that Article 27 is not
applicable. 3. Sub-Contractors —”. These statements are manifestly
extremely inaccurate, to say the least simply because:
1. The Annual Activity Reports of the Research family DGs state
that approximately 80% of the audits were outsource.
2. The EDPS calls prior notifications referred to him for article
27 consultations as a ‘non-prior check’. In accordance to
Regulation No 45/2001, the EDPS publishes his opinion about every
single ‘non-prior check’ in his website. A rudimentary ‘check’ of
the EDPS website discloses that DPO-3334.1, DPO-3338.1, DPO-3398,
DPO-3420.1 and DPO-3455.1 were never submitted to the EDPS for any
type of ‘consultations’. It is thus evident that the statement
“This processing has been submitted to the EDPS who concluded that
Article 27 is not applicable” is in total contradiction with the
contents of the EDPS public website.
It cannot be accepted that the Court was not diligent enough to
realise that up to 2/2/2011 there was no prior notification at all
about the external financial audits in question and that those
filed afterwards have had highly inaccurate statements, with the
‘no subcontractors’ as blatantly inaccurate. This inaccuracy alone
ought to have raised red alerts to the Court, since the Court
supposedly verifies the legality of the transactions.
It is worth recalling that legality is far more than the protection
of financial interests. After all, democracy, the rule of law,
fundamental rights, education, and publicly-funded art do not come
without a price tag. Arguably, the taxpayers’ financial interests
take a hit, as taxation is raised to pay for elections, the
Parliament, the Courts and so on. Dispensing with such ‘expensive’
Institutions would certainly lower taxation, thus positively
impacting the taxpayer’s financial interests.
Furthermore, the Court itself costs the taxpayer money. The very
fact that the Treaties provide for the Court proves that legality
is above the financial interests. It appears that the Court has
somewhat ‘forgotten’ such fundamental considerations in its audits
of the Research family DGs when it came to compliance with
Regulation No 45/2001.
For the purposes of this application, the abbreviation ‘PDTPRCPC’
stands for ‘Personal Data of Third Parties to Research Contracts
Processed by the Court originating from the external financial
audits of the Research family DGs pursuant to articles FP6.II.29
and FP7.II.22’.
Copies of the following documents drawn up by the Court are kindly
applied for:
1. The documents setting out the lawfulness of the PDTPRCPC.
2. The article 25 of Regulation 45/2001 prior notification(s) about
the PDTPRCPC.
3. The documents drawn up by the Data Protection Officer about the
PDTPRCPC.
4. Since the Court has processed personal data it did not itself
obtain/collect from the data subjects but from a third party (i.e.
Commission services), copies of any 20 letters the Court dispatched
to data subjects pursuant to article 12(1) or Regulation No 45/2001
for the personal data the Court processed from 1/1/2019 to
31/12/2011.
5. The documents setting our an analysis of the compliance with
article 7 of Regulation No 45/2001 regarding the PDTPRCPC.
****** OVERRIDING PUBLIC INTEREST *******
First, it is worth recalling that:
1. The Schecke Judgement has made absolutely clear the fundamental
importance of personal data protection in the European Union,
Joined Cases C-92/09 and C-93/09.
2. The Bavarian Lager Judgement, as well as the Commission’s
refusal to disclose personal data without the express consent of a
data subject, has illustrated (i) that strict compliance with the
Regulation No 45/2001 is of the essence, and (ii) the Commission
services are in general very diligent in observing the said
Regulation.
3. The Commission referred Austria to Court of Justice for lack of
independence of data protection authority, Case C‑614/10.
4. The Commission referred Germany to the Court of Justice for lack
of independence of the data protection supervisory authority, Case
C-518/07.
Due to the extremely sensitive nature of the subject-matter of the
application, it is manifestly evident that there is an overriding
public interest for the full release of very single document held
by the Court and applied for above.
Yours faithfully,
Mr. Orestis BEKAS
-------------------------------------------------------------------
This is a request for access to information under Article 15 of the
TFEU and, where applicable, Regulation 1049/2001 which has been
sent via the AsktheEU.org website.
Please kindly use this email address for all replies to this
request: [FOI #628 email]
If [European Court of Auditors request email] is the wrong address for information
requests to European Court of Auditors, please tell the
AsktheEU.org team on email [email address]
This message and all replies from European Court of Auditors will
be published on the AsktheEU.org website. For more information see
our dedicated page for EU public officials at
[1]http://www.asktheeu.org/en/help/officers
-------------------------------------------------------------------
**********************
Disclaimer: If you have received this message in error, please contact the
sender immediately.
**********************
Avertissement : Si ce message vous a été adressé par erreur, nous vous
prions de vous mettre immédiatement en rapport avec l’expéditeur.
References
Visible links
1. http://www.asktheeu.org/en/help/officers