E-Ten extenral finanical audits by audit firms, personal data protection

Die Antwort auf diese Anfrage ist lange im Rückstand. Nach gesetzlicher Vorschrift sollte Generaldirektion Kommunikationsnetze, Inhalte und Technologien Ihnen inzwischen unter allen Umständen geantwortet haben. (Details). Sie können sich beschweren, indem sie Interne Prüfung beantragen .

Dear Communications Networks, Content and Technology (CNECT),

Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:

The requested documents concern external financial audits of E-Ten contractors whose legal seat is in Luxembourg, and for which the DG INFSO – DG CNECT letter notifying the audit was drawn up in the period 1/1/2012 to 31/7/2012, and the audit was outsourced to an audit firm.

The requested documents are:

1. The DG INFSO – DG CNECT letters notifying the external financial audits to the E-Ten participants

2. All annexes to the letters under (1), including the Privacy Statement

3. The DG INFSO – DG CNECT documents notifying the audit firm(s) about the conduct of the external financial audits

4. The correspondence between DG CNECT and the audit firm about the organisation of the on-the-spot audits

5. The letters drawn up by the audit firms and held by DG CNECT, with which the audit firms dispatched preliminary, draft and final audit reports to the auditees.

6. The DG CNECT letters dispatching to the auditees final reports of the audit firms, or expressly approving the final audit reports of the audit firms.

7. The documents drawn up by the Commission services setting out the instructions of DG INFSO – DG CNECT to the respective audit firms to process personal data of third parties in relation to the auditees, that is to say employees and service providers the auditees charged to the E-Ten audited projects. Such documents may be Audit Manuals, or Audit Handbooks, or similar documents, which DG INFSO – DG CNECT was aware, or ought to be aware, that the audit firms were holding, while also the audit firms had reasonably presumed that DG INFSO – DG CNECT expected that such instructions were to be followed.

8. The notification of audit firms to the respective national supervising authorities pursuant to the national law provisions transposing article 18(1) or Directive 95/46/EC. Such notification is the equivalent of an article 25 of Regulation No 45/2001 prior notification of a Community Institution or body.

9. Notwithstanding request #7, the documents laying down the controller’s instructions to the audit firms as provided for by article 23(2)(a) “the processor shall act only on instructions from the controller;”. It is clarified that the request does not concern the documents with the “contractual obligations” but the controller’s “instructions”.

10. Inasmuch the preliminary, draft and final audit reports have personal data of third parties to the audited E-Ten projects, the documents drawn up by the audit firms pursuant to the national law provisions transposing article 11(1) of Directive 95/46/EC into national law. Those provisions are similar to article 12(1) of Regulation No 45/2001.

11. Inasmuch the final audit reports has personal data of third parties to the audited E-Ten projects, the documents DG CNECT drew up pursuant to article 12(1) of Regulation No 45/2001 (e.g. on the occasion of storing electronically the audit report in an IT system providing full-text indexing and retrieval facilities).

12. Regarding the personal data processed by the audit firms in the context of the on-the-spot auditing activities, the documents DG CNECT drew up in order to verify and validate that the audit firms have been compliant with the national data personal protection legislation.

13. Notwithstanding request #12, the documents DG CNECT drew up in order to verify and validate that the audit firms have been compliant with the national data personal protection legislation in activities other than the on-the-spot auditing activities.

14. Insofar the audit firms were processors within the meaning of Regulation No 45/2001, the documents DG CNECT drew up in order to verify and validate that the audit firms have been compliant with Regulation No 45/2001.

15. The documents DG CNECT drew up in order to verify and validate that its own personal data processing - e.g. final audit report stored in the DG CNECT information systems enabling (a) ad-hoc retrieval of textual information, (b) full-text indexing and retrieval, (c) data-mining of the kind of “Pluto” - has been compliant with Regulation No 45/2001.

*********

OBSERVATIONS

In GestDem 2013/3956 DG CNECT released a letter notifying to a Luxembourg-based FP6 & FP7 contractor an external financial audit, http://www.asktheeu.org/en/request/714/r..., page 3. It is expected that it will do likewise in this application.

The requested letters and correspondence do not contain commercially-sensitive information, so article 4(2) first indent is not applicable.

The requested notification of article 18(1) of Directive 95/46/EC is a document accessible to public, so should DG CNECT hold it, DG CNECT is obliged to release it.

Requests #11 and #12 concern documents containing personal data, because the documents are addressed to data subjects. Provided that DG CNECT redacts the parts containing the personal data, the other parts of the documents are to be fully released.

Requests #7 and #9 are subject to an overriding public interest for their full release. There are two reasons for this: First, they concern the fundamental right of personal data protection. Second, they concern instructions of DG CNECT to audit firms to process personal data, in a contact where the audit firm and DG CNECT are solely bound by a private law contract having an arbitration clause before the Courts of a Member State. In such a particular legal context, the public is entitled to scrutinise how personal data of third parties to the audited E-Ten projects were processed by the audit firms at the instructions of DG CNECT.

Yours faithfully,

Mr. Sifis RAPTIS

Generaldirektion Kommunikationsnetze, Inhalte und Technologien

1 Attachment

Dear Mr Raptis ,

 

Thank you for your e-mail dated 19/10/2013 registered on 21/10/2013. I
hereby acknowledge receipt of your request for access to documents (ref.:
gestdem 2013-5208).

 

In accordance with Regulation 1049/2001 regarding public access to
European Parliament, Council and Commission documents, you will receive a
response to your request within 15 working days (12/11/2013).

 

Yours sincerely,

 

Paul SIMON
European Commission - Secretariat General
Unit SG.B.5, Transparency

 

Zitate anzeigen

Dear Communications Networks, Content and Technology (CNECT),

This is to make enquiries about the status of the initial response, which according to the email acknowledging the registration of the application was scheduled to be sent by 12/11/2013.

Even if the time-limit were to be extended by 15 days, this time-second limit has also expired.

I would therefor be obliged if DG CNECT would provide me with the initial response without further delays.

Yours faithfully,

Mr. Sifis RAPTIS

Dear Communications Networks, Content and Technology (CNECT),

This is a reminder that DG CNECT has not yet provided an initial reply to the application GestDem No 2013/5208, even though that 37 working days have elapsed since its registration. That DG CNECT has not extended the 15-day limit at all makes the delay even more surprising.

From the public Internet one can readily identify a Luxembourg-based company that has participated in several E-Ten projects. I will be glad to inform the DG CNECT R.4 Unit with the name of one company, although the Unit should be able to identify that particular company since it has oversaw the audit. In addition, since it appears that the R.4 Unit has not engaged a Luxembourg-based audit firm for external financial audits of E-Ten projects, I suggest that the R.4 Unit searches for audits conducted by U.K. audit firms.

I would therefore expect that DG CNECT will provide the overdue initial response without further delays.

Yours faithfully,

Mr. Sifis RAPTIS

EC ARES NOREPLY, Generaldirektion Kommunikationsnetze, Inhalte und Technologien

6 Attachments

Dear Sir,

Please find attached document Ares(2014)37783 regarding "Your application for access to documents – Ref GestDem No 2013/ 5208 under Regulation 1049/2011 regarding public access to European Parliament, Council and Commission documents" sent by Mr Madelin Robert on 10/01/2014.

Kind regards.

-------------------------------------------------------------------------------------------------------------
Note: This e-mail was automatically generated by the European Commission's central mail registration system.
Replies by e-mail must be addressed to the original sender Madelin Robert (mailto:[email address]).
Remarque : Cet e-mail a été généré automatiquement par le système d'enregistrement central du courrier de la Commission européenne.
Toute réponse éventuelle par e-mail doit être adressée à l'expéditeur en personne, à savoir Madelin Robert (mailto:[email address]).

Dear Communications Networks, Content and Technology (CNECT),

Pursuant to article 7(2) of Regulation (EC) No 1049/2001 (hereafter ‘the Regulation’) a confirmatory application is respectfully submitted.

According to the Commission Decision 937/2001 published in the OJ L 345/94 of 29/12/2001 the Secretariat-General will assume the responsibility to handle it and therefore it is to be transferred to it.

I. RELIANCE ON ARTICLE 4(2) FIRST INDENT OF REGULATION 1049/2001 TO REFUSE ACCESS

DG CNECT relied on article 4(2) third indent of Regulation to refuse to disclose the identities of the auditees.

For instance, in request #1 (letters notifying the audit to the beneficiary) DG CNECT redacted the parts of the document disclosing the identity of the auditee, quoting the relevant provision but without explaining at all how the disclosure of the auditee’s identity would entail the risk of undermining the legitimate commercial interests of the auditee.

Clearly, DG CNECT did not provide a statement of reasons in so far article 4(2) first indent is applicable to any of the 15 requests. The DG CNECT ‘cunning procedural device’ of quoting the text of an exception of article 4 of Regulation 1049/2001 and then be TOTALLY SILENT on the reasonably foreseeable risk of undermining the protected interest would immediately render Regulation 1049/2001 entirely meaningless.

It must be concluded that in the requests for which DG CNECT relied on article 4(2) first indent to refuse access, it did so without a statement of reasons.

II. HIGHLY INCONSISTENT POSITION AS REGARDS TRANSPARENCY AND THE PROTECTION OF COMMERCIAL INTERESTS

DG CNECT has published exact figures of the funding of each single FP7 beneficiary in the Digital Agenda for Europe http://ec.europa.eu/digital-agenda/en/do..., Excel file https://ec.europa.eu/digital-agenda/site....

The Financial Transparency System (‘FTS’) of DG BUDGET http://ec.europa.eu/budget/fts/index_en.... provides financial details - frequently down to the level of a single specific contract – of legal entities that receive funds from the EU budget directly managed by the Commission. For instance, there are 20 entries in the FTS for payments in 2012 by DG INFSO to the Luxembourg-registered economic operator with the VAT number LU16853659. As DG CNECT is fully aware, one of the audits at issue in this application concerns that economic operator.

In GestDem 2013/3956 the Secretariat-General granted access to 2 DG INFSO letters notifying FP6 & FP7 participants about two financial audits http://www.asktheeu.org/en/request/714/r.... The auditee of the letter whose identity was revealed in the document Ares(2011) 258273 - 09/03/2011 is the Luxembourg-registered economic operator whose VAT number is LU16853659. The FTS shows that in 2012 DG INFSO paid that operator (in a consortium) the total amount of € 1,371,753; details for 13 specific contracts are also given.

In view of the above considerations and the Commission’s transparency policy, there is no justification whatsoever to rely on article 4(2) third indent to withhold the identities of auditees.

III. EXAMINATION OF REPLY TO INDIVIDUAL REQUESTS

1. Request #1
As argued above, the identity of the auditee is to be disclosed, since no exception of article 4 of Regulation 1049/2001 is applicable.

2. Request #2
DG CNECT redacted the few rows of the table in the last page of Annex 2 (Annex A of the amendment to the specific contract) corresponding to the E-Ten audits in question, even though no exception is applicable. Whereas rows not relevant to this application may be redacted, the relevant rows are to be disclosed in the reply to confirmatory application.

3. Requests #4 & #6
As argued above, the identity of the auditee is to be disclosed in Annexs 3, 3A, and 4, since no exception of article 4 of Regulation 1049/2001 is applicable.

4. Request #7
The application indicated that type of documents falling under request #7 were of the kind ‘Audit Manuals or Audit Handbooks’. Yet, although DG CNECT copy-pasted in the initial reply a whole page from another unidentified document that is related to ‘standard public procurement procedures following the provisions of the Financial Regulation and Regulation 45/2001’, it did not disclose any document at all.

This particular reply is not compatible at all with Regulation 1049/2001. It amounts to a total refusal to grant access with no statement of reasons, which is the worst kind of a reply.

4. Request #8
The DG CNECT reply that no document is held and the explanation about it – ‘the processing of personal data by EU institutions and bodies is not governed by the national legislation of the respective Member State, but by Regulation 45/2001’ – seems to suggest that Directive 95/46/EC is not applicable to the field audit. Regulation No 45/2001 applies to the processing of personal data is so far the processing takes place within the Institutions, and to processors - provided that all applicable provisions of Regulation No 45/2001 have been fully complied with as regards the processors.

The tenor of the entire initial reply is that DG CNECT did NOT provide audit firms with any instructions to process personal data of third parties at the field audit. This can only mean that the audit firms did so on their own initiative, and in the absence of any such direction by DG CNECT. Consequently, the audit firms determined and carried out at the field audit the personal data processing solely on their own initiative, which implies that the audit firms were controllers within the meaning of Directive 95/46/EC and Regulation No 45/2001. The final conclusion is that Directive 95/46/EC was applicable at the field audit.

Furthermore, that Directive 95/46/EC is not applicable at the field audit is a truly astonishing novelty, since:

(i) There is no provision of Union law to this effect in audits of E-Ten contractors. This is to be contrasted with the provisions of Regulation 1/2003 empowering duly authorised Commission inspectors to raid the premises of economic operators in investigations for anti-competitive conduct and copy documents pertaining to the investigation.

(ii) Regulation 766/2006 concerning the Customs Information Systems shows that in the field audit Directive 95/46/EC applies. In particular, article 12 reads:

12. Article 34(3) shall be replaced by the following:
"3. To ensure the correct application of the data protection provisions of this Regulation, the Member States and the Commission shall regard the CIS as a personal data-processing system which is subject to:
- national provisions implementing Directive 95/46/EC,
- Regulation (EC) No 45/2001, and
- any more stringent provisions of this Regulation.";

In view of the seriousness of the matter as regards legality in the event that no documents are held, it is suggested that the Secretariat-General review the DG CNECT initial reply.

5. Request #9
If no documents are held, this automatically implies that DG CNECT infringed article 23(2)(a) of Regulation No 45/2001. It is suggested that the Secretariat-General review the DG CNECT initial reply.

6. Request #10
If no documents are held, this automatically implies that DG CNECT was recklessly negligent by not verifying the compliance of its contractors-audit firms with compliance with the national personal data protection legislation. It is suggested that the Secretariat-General review the DG CNECT initial reply.

7. Request #11
Storing audit reports in IT systems like Pluto that does a full-text indexing of audit reports is personal data processing within the meaning of Regulation 45/2001. Furthermore, reliance on an audit report by DG CNECT to demand reimbursement of unduly claimed/paid personnel costs is a second instance of personal data processing of third parties to the audited projects, who have not given their express consent. In these circumstances, such kind of processing is outright illegal.

The DG CNECT ‘excuses’ about ‘It is the beneficiary's obligation to inform its employees and subcontractors about the audit to take place and also about the data protection provisions foreseen in the Privacy Statement’ are outright absurd, since it amounts to the transferring of an express obligation of an Institution under Union law to a third party. Such kind of ‘excuses’ might be ‘swallowed’ by un-informed auditees (e.g. an SME), but they are entirely unconvincing even to first-year students of law. It is respectfully put to the DG CNECT officials who drafted the initial reply that causing the DG CNECT Director-General to offer such kind of explanations amounts to some kind of an affront to the Director-General.

8. Requests #12 - #15
The arguments set out in section (6) above apply to these 3 requests.

IV. CONFIRMATORY APPLICATION

It concerns requests all 15 requests, except #3 and #5.

Yours faithfully,

Mr. Sifis RAPTIS

Generaldirektion Kommunikationsnetze, Inhalte und Technologien

Dear Sir,

Thank you for your email dated 31/01/2014.

We hereby acknowledge receipt of your confirmatory application for access to documents, which was registered on 31/01/2014 under reference number GestDem 2013/5208 – Ares(2014) 229164.

In accordance with Regulation (EC) No 1049/2001 regarding public access to European Parliament, Council and Commission documents, your application will be handled within 15 working days.

The time limit will expire on 21/02/2014. In case this time limit needs to be extended, you will be informed in due course.

Yours faithfully,

Carlos Remis
SG.B.4
Transparence.
Berl. 05/329.

Zitate anzeigen

Generaldirektion Kommunikationsnetze, Inhalte und Technologien

2 Attachments

 
Dear Mr Raptis,

Kindly find the answer to your confirmatory application concerning your
request for access to documents pursuant to Regulation (EC) N° 1049/2001
regarding public access to European Parliament, Council and Commission
documents (Gestdem 2013/5208).
Yours sincerely,

Carlos Remis
SG.B.4.
Transparence.
Berl. 05/329.