Extenral financial audits of DG ENTR, personal data protection, DPO-3334.1

Die Anfrage wurde abgelehnt durch Internal Market, Industry, Entrepreneurship and SMEs.

Mr. Aris KOLIMATSIS

Dear Enterprise and Industry (ENTR),

Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:

I refer to the prior notification DPO-3334.1 DG ENTR External Audit and Control, found in 25/6/2013 at http://ec.europa.eu/dpo-register/details.... It is given an annex to this application.

The last paragraph of section 2 reads ‘This processing has been submitted to the EDPS who concluded that Article 27 is not applicable’.

This application concerns the following documents, all of which are directly related to DPO-3324.1 and the stipulations of Regulation No 45/2001 and Commission Decision 597/2008 ‘adopting implementing rules concerning the Data Protection Officer……’:

1. The documents drawn up by the DPO-3334.1 data controller.

2. The documents drawn up by the DG ENTR Data Protection Coordinator about the processing operations of DPO-3334.1

3. The documents drawn up by the European Commission Data Protection Officer about the processing operations of DPO-3334.1, including those he dispatched to the EDPS.

4. The EDPS document with his conclusion that ‘Article 27 is not applicable’

5. Concerning the ‘specific tool allowing the exchange of lists of projects (for an auditee’)….’ the following documents drawn up either by Commission staff (including intra-muros), or the Commission’s external informatics contractors, but NOT by vendors of Information Technology products:

a. The user manuals

b. The technical documentation of the tool, or their equivalents, which include the documents ‘Software Requirements Specifications Document’, the ‘Software Design Document’, the ‘Test Cases Specifications’, the ‘Test Report’ and the ‘System Administration Manual’.

c. The document(s) describing in detail how information from the Information Systems of the Research family DGs is to be accessed or extracted for use in the tool.

d. The internal ‘decision’ about the development and further maintenance of the tool. The term ‘decision’ includes also the implied ‘decision’ of DG ENTR to develop or use the tool.

6. Concerning the ‘specific tool to facilitate searching and visualisation of information about participants in grants and contracts ….’ the following documents drawn up either by Commission staff (including intra-muros), or the Commission’s external informatics contractors, but NOT by vendors of Information Technology products:

a. The user manuals

b. The technical documentation of the tool, or their equivalents, which include the documents ‘Software Requirements Specifications Document’, the ‘Software Design Document’, the ‘Test Cases Specifications’, the ‘Test Report’ and the ‘System Administration Manual’.

c. The document(s) describing in detail how information from the Information Systems of the Research family DGs is to be accessed or extracted for use in the tool.

d. The internal ‘decision’ about the development and further maintenance of the tool. The term ‘decision’ includes also the implied ‘decision’ of DG ENTR to develop or use the tool.

7. The DG ENTR prior notification of article 25 of Regulation No 45/2001 concerning the DG ENTR external financial audits prior to 20/3/2011.

8. DG ENTR drawn up documents bringing to the attention of the Member of the Commission responsible for DG ENTR:

a. That DPO-3334.1 essentially states that no subcontractors had been engaged in DG ENTR external financial audits of FP6 contractors and FP7 beneficiaries, which appears to be in total contradiction with reality. For instance, page 36 of the 2011 DG ENTR Annual Report, table 3.3 states that DG ENTR paid in 2008 – 2011 for ‘Cost of outsourced auditing (in €)’ over 2.2 million Euro.

b. That it is not immediately obvious that the particular passage of the statement of assurance in page 58 of the said annual report ‘Confirm that I am not aware of anything not reported here which could harm the interests of the institution’ is fully in line with what a diligent public administration ought to have ensured in terms of legality. This is even more the case when the matter solely concerns compliance with article TFEU 16(1) and Regulation No 45/2001.

Regarding the requests under (5)(b) and (6)(b) above, the following is noted. In essence, the documents in the quotation marks are expressly prescribed by the Informatics Systems Development Methodologies and Standards of the European Commission. The actual document title may be somewhat different, but a member of the DG DIGIT staff will be able to immediately identify those documents from the list of technical documents drawn up for that tool.

The documents under request (3) concern the Secretariat-General and not DG ENTR.

Since all requested documents concern directly compliance with article TFEU 16(1) and Regulation No 45/2001, there is an overriding public interest for their full release.

Yours faithfully,

Mr. Aris KOLIMATSIS

************ ANNEX *************

DPO-3334.1 DG ENTR External Audit and Control
Directorate-General: Enterprise and Industry
Controller: PRATS Lluis

Publication: 2011-03-21
Processing

1. Name of the processing
DG ENTR External Audit and Control

2. Description
The processing operations are described in the procedure guide of ex-post control which is the result of a sampling methodology of financial transactions.
http://www.cc.cec/budg/dgb/interdg/_doc/...
http://www.cc.cec/budg/dgb/interdg/epc/l...

Research family DGs are using specific IT tools in the context of performing an external financial audit which are described below:
• A specific tool allowing the exchange of lists of projects (for an auditee) between DGs, supporting life-cycle management of individual audit and extrapolation cases and containing a summary of the audit conclusions. No personal data are processed except contract information of Commission staff and auditees.
• A specific tool to facilitate searching and visualisation of information about participants in grants and contracts. This is used by auditors in the selection, preparation and performance of audits. The tool uses information on participants in grants and contracts taken from IT tools for programme management (front-office notified to the DPO under n° DPO-978 and back-office. This information includes details of organisation names, registration numbers, address, audit results, EWS status, phone, fax, email, names of authorised signatories and contact persons, project reference, acronym, funding, budget.

This processing has been submitted to the EDPS who concluded that Article 27 is not applicable.

3. Sub-Contractors

4. Automated / Manual operations
n/a

Beneficiary or contractor undertakes to provide any detailed information, including information in electronic format, requested by the Commission or by any other outside body authorised by the Commission in order to check that the action and the provisions of the agreement/service contract are being properly implemented.

5. Storage
Data are stored in computer systems and/or physical archives accessible only to duly authorized staff (management of IT and physical access rights with respect to the need to know principle).

6. Comments
n/a
Purpose & legal basis

7. Purposes
Checks and financial controls of grant agreements or service contracts aim at verifying beneficiary's or contractor's or subcontractors' or third parties' compliance with all contractual provisions (including financial provisions), in view of checking that the action and the provisions of the grant agreement or contract are being properly implemented and in view of assessing the legality and regularity of the transaction underlying the implementation of the Community budget.

8. Legal basis / Lawfulness
The possibility for the EC to carry out checks and financial controls is foreseen in the model grant agreement or contract signed between the EC and the beneficiary/contractor as required by the Financial Regulation ("FR") applicable to the General Budget of the European Communities (art. 170, 60.4), and its Implementing Rules ("IR") (art. 47.4):
• Art. 170 FR: Each financing agreement or grant agreement or grant decision must expressly provide for the Commission and the Court of Auditors to have the power of audit, on the basis of documents and on the spot, over all contractors and subcontractors who have received Community funds
• Art. 60.4 FR: The authorizing officer by delegation shall put in place, in compliance with the minimum standards adopted by each institution and having due regard to the risks associated with the management environment and the nature of the actions financed, the organizational structure and the internal management and control procedures suited to the performance of his/her duties, including where appropriate ex post verifications. Before an operation is authorized, the operational and financial aspects shall be verified by members of staff other than the one who initiated the operation. The initiation and the ex ante and ex post verification of an operation shall be separate functions
• Art. 47.4 IR: The ex post verifications on documents and, where appropriate, on the spot shall check that operations financed by the budget are correctly implemented and in particular that the criteria referred to in paragraph 3 are complied with. These verifications may be organized on a sample basis using risk analysis
The processing operations on personal data carried out in the context of ex post controls are necessary and lawful under three articles of the Regulation (EC) 45/2001:
• article 5 (a): processing is necessary for the performance of a task carried out in the public interest on the basis of the Treaties establishing the European Communities or other legal instruments adopted on the basis thereof…
• article 5 (b): processing is necessary for compliance with a legal obligation to which the controller is subject
• article 20.1.b): necessary measure to safeguard:
• (a) the prevention, investigation, detection and prosecution of criminal offences;
• (b) an important economic or financial interest of a Member State or of the European Communities, including monetary, budgetary and taxation matters;
• (c) the protection of the data subject or of the rights and freedoms of others;
This processing has been submitted to the EDPS who concluded that Article 27 is not applicable.
Data subjects / fields

9. Data subjects
Contractors and sub-contractors
Beneficiaries of grants
Staff
Experts

10. Data fields
All necessary data to efficiently conduct a control such as:
• Name,
• Function,
• Grade,
• Activities and expertises,
• Professional address,
• Timesheets,
• Salary,
• Accounts,
• Cost accounting,
• Missions,
• Information coming from local IT system used to declare costs as eligible,
• Supporting documents linked to travel costs,
• Minutes from mission and other similar data depending of the nature of the action.

No data fall under article 10.

See point 17)
Rights of D.S.

11. Information
The Privacy Statement attached is available with the Commission's letter initiating the audit or control process

11 01 privacy statement.doc

12. Procedure to grant rights
Functional mailbox to get information and mailbox of the EDPS to lodge a complaint (see Privacy Statement ).

13. Retention
Each external audits and controls Controller is responsible of archiving the documents related to controls. Data are stored until 7 years after the final payment on condition that no contentious issues occurred; in this case, data will be kept until the end the last possible legal procedure.

14. Time limit
The Commission services will respond within 15 working days to any request and if this is considered justified the relevant correction or deletion will be performed within one calendar month.

15. Historical purposes
n/a
Recipients
16. Recipients
Collected personal data could be submitted to Commission services in charge of external audits and controls, without prejudice to a possible transmission to the bodies in charge of a monitoring or inspection task in accordance with Community law (OLAF, Court of Auditor, Ombudsman, EDPS, IDOC, Internal Audit Service of the Commission).

See point 20)
17. Transfer
n/a

Internal Market, Industry, Entrepreneurship and SMEs

1 Attachment

Dear Sir,

 

Thank you for your e-mail dated 25/06/2013.  We hereby acknowledge receipt
of your application for access to documents, which was registered on
25/06/2013 under reference number GestDem 2013/3418.

 

In accordance with Regulation (EC) No 1049/2001 regarding public access to
European Parliament, Council and Commission documents, your application
will be handled within 15 working days. The time limit will expire on
16/07/2013. In case this time limit needs to be extended, you will be
informed in due course.

 

Your request under the point  3. "the documents drawn up by the European
Commission Data Protection Officer about the processing operations of
DPO-3334.1,  including those he dispatched to the EDPS" will be as
requested reattributed to the Secretariat-General.

 

Yours faithfully,

 

Michaela Vavrikova

Legal Officer/Access to documents Coordinator

      [1]cid:image001.png@01CE734F.5C82F520

European Commission

DG Enterprise and Industry

Unit R4 Information Activities

BREY 13/085 | 1049 Brussels

----------------------------

Follow us on Twitter

[2]http://twitter.com/EU_enterprise

----------------------------

 

 

Zitate anzeigen

Internal Market, Industry, Entrepreneurship and SMEs

1 Attachment

Dear Sir,

Thank you for your e-mail dated 25/06/2013.

 

We hereby acknowledge receipt of your application for access to documents
concerning: "the documents drawn up by the European Commission Data
Protection Officer about the processing operations of DPO-3334.1,
 including those he dispatched to the EDPS" will be as requested
reattributed to the Secretariat-General", which was registered on
27/06/2013 under reference number GestDem 2013/3421.

In accordance with Regulation (EC) No 1049/2001 regarding public access to
European Parliament, Council and Commission documents, your application
will be handled within 15 working days.

The time limit will expire on 18/07/2013. In case this time limit needs to
be extended, you will be informed in due course.

Yours faithfully,

 

Carlos Remis

SG.B.5.

Transparence.

Berl. 05/329.

 

 

From: VAVRIKOVA Michaela (ENTR)
Sent: Thursday, June 27, 2013 4:37 PM
To: 'Mr. Aris KOLIMATSIS'
Cc: ENTR ACCES DOCUMENTS; SG DOSSIERS ACCES
Subject: Acknowledgement of receipt- KOLIMATSIS- Gestdem 2013/3418

 

Dear Sir,

 

Thank you for your e-mail dated 25/06/2013.  We hereby acknowledge receipt
of your application for access to documents, which was registered on
25/06/2013 under reference number GestDem 2013/3418.

 

In accordance with Regulation (EC) No 1049/2001 regarding public access to
European Parliament, Council and Commission documents, your application
will be handled within 15 working days. The time limit will expire on
16/07/2013. In case this time limit needs to be extended, you will be
informed in due course.

 

Your request under the point  3. "the documents drawn up by the European
Commission Data Protection Officer about the processing operations of
DPO-3334.1,  including those he dispatched to the EDPS" will be as
requested reattributed to the Secretariat-General.

 

Yours faithfully,

 

Michaela Vavrikova

Legal Officer/Access to documents Coordinator

      [1]cid:image001.png@01CE734F.5C82F520

European Commission

DG Enterprise and Industry

Unit R4 Information Activities

BREY 13/085 | 1049 Brussels

----------------------------

Follow us on Twitter

[2]http://twitter.com/EU_enterprise

----------------------------

 

 

Zitate anzeigen

Internal Market, Industry, Entrepreneurship and SMEs

Dear Mr KOLIMATSIS
 
Thank you for your message addressed to DG ENTR and SEC GEN
This message concerns point 3 of your request:
 
3. The documents drawn up by the European Commission Data     Protection
Officer about the processing operations of DPO-3334.1,
including those he dispatched to the EDPS.
 
Please note that no document have been drawn up by the DPO.
Kind regards
Philippe Renaudière
Data Protection Officer
    
 
 

Mr. Aris KOLIMATSIS

Dear Enterprise and Industry (ENTR),

This is a confirmatory application in accordance with article 8 of Regulation No 1040/2001 regarding the request under (3) of the application 'The documents drawn up by the European Commission Data Protection Officer about the processing operations of DPO-3334.1,
including those he dispatched to the EDPS'.

The present is to be forwarded by DG ENTR to the Secretariat-General, which is responsible for handling the confirmatory applications.

I. PRELIMINARY OBSERVATIONS ABOUT THE REGULARITY OF THE INITIAL REPLY

Supposedly, the email of the Data Protection Officer (hereafter ‘DPO’) dated 5/7/2013 is the initial reply of article 7 of Regulation No 1049/2001, which is the very expression and culmination of an internal process whereby an Institution provides its initial reply to an applicant. However, this email does not bear an Ares reference number, even though it is definitely formal correspondence pursuant to an express stipulation of Union law. This practice is in sharp contrast with the DG CNET practice in application GestDem No 2013/3375, Ares(2013) 2577815, ‘http://www.asktheeu.org/en/request/597/r... copy.pdf’.

II. SECRETARIAT-GENERAL HELD DOCUMENTS FOR DG ENTR DPO-3334.1

According to the reply of the DPO, the SG.DSG1.DP Unit has not drawn up a single paragraph about prior notification of article 25 of Regulation No 45/2011 DG ENTR DPO-3334.1. Yet, this is total contradiction with several provisions of Union law. This is outlined below:

- Article 24(1)(b) essentially stipulates that the Officer is the foremost official of the Commission for the ‘correspondence’ with the EDSP.

- Article 24(1)(d), arguably, requires that the DPO does not willfully and intentionally permits the entry into the register of materially incorrect prior notifications.

- Article 24(1)(f) stipulates that the DPO bears the sole responsibility for ‘notifying the European Data Protection Supervisor of the processing operations likely to present specific risks within the meaning of Article 27’.

- Article 24(1), last sub-paragraph, implies that strict observance of the article 24(1) stipulations is of the essence to ensure that ‘the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations’.

- Article 27(3) stipulates ‘The prior checks shall be carried out by the European Data Protection Supervisor following receipt of a notification from the Data Protection Officer who, in case of doubt as to the need for prior checking, shall consult the European Data Protection Supervisor’.

It is recalled that DG ENTR DPO-3334.1 reads ‘This processing has been submitted to the EDPS who concluded that
Article 27 is not applicable’.

In the light of the foregoing, it must be concluded with absolute certainty that the SG.DSG1.DP Unit must have drawn up at least a few paragraphs in a document that was dispatched to the EDPS. Otherwise, the DPO-3334.1 would not have been submitted to the EDPS, and it is impossible that the EDPS concluded that article 27 is not applicable to DPO-3334.1.

The only alternative, which is in line with the DPO statement ‘Please note that no document have been drawn up by the DPO.’ is to conclude that the statement in DPO-3334.1 ‘This processing has been submitted to the EDPS who concluded that Article 27 is not applicable’ is a willful and intentional false declaration in a prior notification of article 25 of Regulation 45/2001. It is very difficult to see why a false declaration was inserted in DPO-3334.1 in view of the provisions of (i) article 49 of Regulation No 45/2001, (ii) the Staff Regulations, (iii) second indent of article 1(3) of Regulation No 1073/99 ‘dereliction of the obligations of officials and other servants of the Communities liable to result in disciplinary or, as the case may be, criminal proceedings’, and (iv) criminal liabilities according to the Belgian law for willful and intentional false declarations of civil servants.

On other occasions and in reply to enquiries of data subjects about the statement of DG INFSO DPO-3338.1, DG RTD DPO-3398.1 and DG MOVE DPO-3420.1 ‘This processing has been submitted to the EDPS who concluded that Article 27 is not applicable’, the DPO has referred the data subjects to two EDPS opinions concerning respectively of the former DG RELEX and DG REGIO. According to the DPO, the EDPS had concluded for the former DG RELEX and DG REGIO personal data processing operations that in the EDPS’ view ex-post controls and audits were not subject to prior-checking. The DPO had drawn some ‘preliminary conclusions’ from the EDPS findings about the former DG RELEX and DG REGIO regarding the external financial audits of the Research family DGs. Drawing such conclusions by the DPO must have entailed the drawing up of a few paragraphs. For instance, the DPO must have communicated his ‘preliminary conclusions’ to the Research DGs by means of documents. Even if the communication was mainly effected orally, some kind of ‘note to the file’ must have been drawn up. It is not reasonable to assume that the DPO fulfilled his statutory responsibilities without having drawn up a single paragraph.

III. IMPLIED TOTAL REFUSAL TO RELEASE DOCUMENTS DRAWN UP BY THE DATA PROTECTION OFFICER

The considerations of section II above lead to the strictly binary choice:

- C1: Either the DPO has drawn up documents concerning DG ENTR DPO-3334.1, which the Secretariat-General has totally refused to release to the applicant,

or

- C2: The statement of DG ENTR DPO-3334.1 ‘This processing has been submitted to the EDPS who concluded that Article 27 is not applicable’ is a willful, intentional false declaration, for which the DPO, the DPO-3334.1 data controller and the DG ENTR Data Protection Coordinator are jointly liable.

Furthermore, to the extent that the DPO email of 5/7/2013 is an initial answer, it is not compliant with article 7(2) of Regulation No 1049/2001, since the reply did not inform the applicant about his right to lodge a confirmatory application.

IV. CONFIRMATORY APPLICATION

A confirmatory application is hereby respectfully submitted. I trust that the Secretariat-General will have due regard to all the foregoing.

Yours faithfully,

Mr. Aris KOLIMATSIS

Internal Market, Industry, Entrepreneurship and SMEs

1 Attachment

Dear Mr. Kolimatsis,

 

The 25/06/2013, you sent directly to DG ENTR a broad request for access to
documents (see below).

After analysis, DG ENTR concluded that it was not competent for the n° 5
and n° 6 of your request, falling under the competency of DG Research (DG
RTD).

That is why, hereby, I register and acknowledge receipt of that part of
your request for access to documents (ref.: gestdem 2013-3608).

In accordance with Regulation 1049/2001 regarding public access to
European Parliament, Council and Commission documents, you will receive a
response to this request within 15 working days (31/07/2013).

 

Yours sincerely,

 

Paul SIMON
European Commission - Secretariat General
Unit SG.B.5, Transparency

 

Zitate anzeigen

Mr. Aris KOLIMATSIS

Dear Enterprise and Industry (ENTR),

I refer to the email of the Transparency Unit informing me that requests (5) and (6) were transferred from DG ENTR to DG RTD.

Although the reasons for assigning the request to DG RTD are understood by the applicant - DG RTD has always been the lead service in the FP6 and FP7 programmes - for the sake of completeness of the application pursuant to Regulation No 1049/2001 the following observations are made:

1. The statutory responsibility for the factual correctness of DG ENTR DPO-3334.1 lies exclusively with the data controller, the DG ENTR Data Protection Coordinator and the European Commission Data Protection Officer.

2. The application itself concerns DG ENTR DPO-3334.1 and not DG RTD DPO-3398. In case an applicant aimed at obtaining information about the 'tools' of DG RTD DPO-3398, the applicant would have lodged an application referring to DG RTD DPO-3398 and not DG ENTR DPO-3334.1. That the application was framed in terms of DG ENTR DPO-3334.1 shows that the application concerns documents drawn up by DG ENTR.

3. Whatever the arguments about DG RTD assuming the responsibility for the documents under (5) and (6) of the application, it is worth recalling that the very first prior notification of the Research DGs external financial audits is DG INFSO DPO-3338. DG RTD DPO-3398, DG ENTR DPO-3334 and DG MOVE & ENER DPO-3420 are essentially mere copies of DPO-3338, except the names of the Unit and the officials.

4. The 'tools' of DG ENTR DPO-3334 and DG RTD DPO-3398 are nothing more than the DG INFSO Pluto information system and anti-fraud 'strategy'. The 'tools' description of DPO-3338, DPO-3398, DPO-3334 and DPO-3420 is deliberately written in an 'innocuous' and abstract form, in order not to give the slightest hint that the 'innocuous' tools are, in fact, a sophisticated anti-fraud system entailing a vast enterprise of personal data processing in contravention of numerous provisions of Regulation No 45/2001. The factual incorrectness of those four prior notifications about 'no subcontractors' and the EDPS purported 'consultation' concluding that 'article 27 is not applicable' is in itself a sufficient proof about the said numerous contraventions.

5. While a man in the street may not realise that the 'tools' is the 'Pluto disguise', a person who is aware of: (a) the highly intrusive nature of the risk-based audits of the Research DGs, (b) the particular 'undocumented' practices at the filed audit by both the external auditors and the Commission staff to collect copies of hundreds to thousand of pages of documents without some kind of 'statement of contents' of what copies they collected, (c) the contents of a risk-based final audit report, (d) the publications of DG INFSO, OLAF and DG RTD officials about the anti-fraud strategy and the and external financial audits (e.g. http://www.intosaijournal.org/technicala..., https://www.nsf.gov/oig/brussels2011/14m...), and (e) the written reply of the Member of the Commissioner responsible for DG RTD to the Parliament (hearing on 26/11/2012, pages 8-9, http://www.europarl.europa.eu/document/a...), has no difficulty in figuring out the close connection of the 'tools' with Pluto.

6. It is not reasonable for DG ENTR to 'pass the bucket' for the contents of its own DPO-3334.1 to another Directorate-General to provide an 'answer' for the 'tools'. DG ENTR ought to have thought through the implications of (a) blindly copying DG INFSO DPO-3338 in its own DPO-3334.1, and (b) having filed DPO-3334.1 after the Schecke Judgement and several years after its own campaign of external financial audits, which are discussed in several pages of its Annal Activity Reports.

7. The ultimate logical conclusion of the above is that DG CNET Unit R.4 'Compliance' is the most 'appropriate and competent' Directorate-General/Unit to deal with requests (5) and (6).

Notwithstanding the above considerations, I am looking forward to receive the DG RTD initial reply for the documents requested under (5) and (6) of the application.

Yours faithfully,

Mr. Aris KOLIMATSIS

Internal Market, Industry, Entrepreneurship and SMEs

1 Attachment

Dear Sir,

 

We refer to your e-mail  dated 25/06/2013 in which you make a request for
access to documents, registered on 25/06/2013 under the above mentioned
reference number.

 

Your application is currently being handled. However, we will not be in a
position to complete the handling of your application within the time
limit of 15 working days, which expires on 16/07/2013.

 

An extended time limit is needed as your application concerns a large
number of documents and large files have to be examined. The application
also concerns documents held by different Services of the Commission which
have been consulted and we are waiting for their answer.

 

Therefore, we have to extend the time limit with 15 working days in
accordance with Article 7(3) of Regulation (EC) No 1049/2001 regarding
public access to documents. The new time limit expires on 06/08/2013.

 

We apologise for this delay and for any inconvenience this may cause.

 

Yours faithfully,

 

Michaela Vavrikova

Legal Officer/Access to documents Coordinator

   [1]cid:image001.png@01CE821C.2335B2E0

European Commission

DG Enterprise and Industry

Unit R4 Information Activities

BREY 13/085 | 1049 Brussels

----------------------------

Follow us on Twitter

[2]http://twitter.com/EU_enterprise

----------------------------

 

 

Zitate anzeigen

Mr. Aris KOLIMATSIS

Dear Enterprise and Industry (ENTR),

This is a confirmatory application pursuant to article 8 of Regulation (EC) No 1049/2001 (hereafter the ‘Regulation’) with regards to the request under (3) of the application GestDem 2013/3418.

According to Commission Decision 937/2001 the Secretariat-General is responsible to handle it.

I. INITIAL REPLY

For the purposes of being a stand-alone document, the initial reply is given hereunder:

“Dear Mr KOLIMATSIS

Thank you for your message addressed to DG ENTR and SEC GEN
This message concerns point 3 of your request:

3. The documents drawn up by the European Commission Data Protection
Officer about the processing operations of DPO-3334.1, including those he dispatched to the EDPS.

Please note that no document have been drawn up by the DPO.
Kind regards
Philippe Renaudière
Data Protection Officer”

II. OBSERVATIONS ON THE INITIAL REPLY

In view of the provisions of article 10 of the Commission Decision 837/2001 and that it concerns a legal right of citizens enshrined by the Regulation, that the reply does not bear an Ares reference number is highly irregular.

The request reads “3. The documents drawn up by the European Commission Data Protection Officer about the processing operations of DPO-3334.1, including those he dispatched to the EDPS”. It is self-evident that the request has a wide scope and concerns inter alia internal documents drawn up by the EDPS, including emails, note(s) to file, meeting minutes and the like.

Even if the Data Protection Officer (hereafter the ‘DPO’) did not dispatch any document to the EDPS (which immediately means that the purported EDPS consultation is a false statement in a statutory instrument) the DPO, the DG ENTR Data Protection Coordinator and the DPO-3334.1 are jointly liable for the compliance of DPO-3334.1 with Union law, and especially under the Regulation No 45/2001 and the Staff Regulations.

It will be beyond belief if the DPO accepted the insertion into the prior notification DG ENTR DPO-3334.1 of two false statements without the DPO having drawn up a few lines in an email. It would be tantamount to outright complicity to the unlawful acts of the DPO-3334.1 data controller.

In view of the above considerations, the initial reply has to be interpreted as an implied refusal to release the requested documents, without an explanation of what the protected interests are and what the foreseeable risks to those interests are, and also marred by the aforesaid procedural irregularities (i.e. no Ares number).

III. CONFIRMATORY APPLICATION

A confirmatory application is hereby submitted for the request under (3) of GestDem 2013/3418.

Yours faithfully,

Mr. Aris KOLIMATSIS

Internal Market, Industry, Entrepreneurship and SMEs

2 Attachments

 
Dear Mr Kolimatsis,

Kindly find herewith a letter concerning your application for access to
documents (gestdem 2013/3421).
Yours sincerely,
Carlos Remis
SG.B.5.
Transparence.
Berl. 05/329.
 
 
 
 
 
 
 

 
 
 

Mr. Aris KOLIMATSIS

Dear Enterprise and Industry (ENTR),

This note is addressed to the Secretariat-General, so I would be obliged if you would promptly forward it.

Referring to the reply to the confirmatory application, Ares(2013) 2649417 - 12/07/2013, the promptness of the Secretariat-General reply is appreciated.

That reply marks the end of the road of the administrative procedure pursuant to Regulation No 1049/2001 regarding the documents drawn up by the European Commission Data Protection Officer (henceforth the ‘DPO’) for DG ENTR DPO-3334.1.

This note sets out further considerations about the extremely sensitive matters concerning the personal data processing in the external financial audits of the Research family DGs and their interplay with Regulation No 1049/2001. In my view, the Commission services cannot ignore the seriousness of the underlying factual and legal situation.

There are additional requests pursuant to Regulation No 1049/2001 concerning the statement ‘This processing has been submitted to the EDPS who concluded that Article 27 is not applicable’, of which GestDem 2013/3351 for DG RTD DPO-3398, GestDem 2013/3488 for DG ENER & MOVE DPO-3340, and GESTDEM 2013/3823 for DG CNET DPO-3338.2 are the prime examples. Moreover, a request was lodged with the EDPS about this very statement and DPO-3334, DPO-3338, DPO-3398 and DPO-3420, http://www.asktheeu.org/en/request/edps_....

It is self-evident that DG ENTR DPO-3334.1 has two false statements, namely about subcontracting and the purported, yet non-existing, EDPS ‘consolation’. This implies - necessarily and unavoidably - that the DPO-3334.1 data controller is personally liable for the two false statements; he/she has gravely infringed Regulation No 45/2001 and several provisions of Staff Regulations, while it cannot be ruled out that he/she is not criminally liable for a wilful, intentional, and blatant misrepresentation of facts in a statutory instrument. DPO-3334.1 was instrumental in deceiving the public and concealing the other grave breaches of Regulation No 45/2001 by DG ENTR in its external financial audits.

The DG ENTR Data Protection Coordinator and the DPO are also disciplinary liable for a host of infringements of Union law, and arguably criminally liable as accessories to the wrongful acts of the DPO-3334.1 data controller.

The DPO has manifestly infringed several provisions of articles 24 and 25 of Regulation 45/2001, by placing into the register of article 26 of Regulation No 45/2001 a prior notification with two false statements and a non-existing legal basis, and subsequently tolerating its continued presence in the register for nearly two years. By definition, there can be no confidence whatsoever about the veracity of any statement of the DPO about the personal data processing in the context of the FP6 and FP7 programmes.

It is evident from the very wording of the reply to the confirmatory application that the Secretariat-General did not do a search for documents drawn up by the DPO, but instead it solely relied on the word of the DPO. In other words, the Secretariat-General was fully confident in the assurances of an official who is manifestly liable for disciplinary proceedings for the very same subject-matter, and may even be criminally liable.

In my view, the Unit of the Secretariat-General that carried out the underlying work and subsequently drew up the reply to the confirmatory application did a rather superficial job in searching for documents, and essentially created the supposedly factual background on which the reply was based upon.

Turning to the substance of the reply, the mere admission that DPO did not draw up a single line opens in itself a can of worms for the Commission services, since taken in its face value it means that:

- The very official entrusted with ensuring the fundamental right of personal data protection was fully respected by the Commission services did not only dismally failed to discharge his duties, but - on the very contrary - he also actively participated in the grave infringements of that right for at least 100,000 individuals who have never had any legal relationship with the Commission.

- It illustrates to the public that Commission officials are ‘free’ to infringe Union law at will and with total impunity.

- It allows wondering to what extent the Commission services are rife with mismanagement of an astonishing scale.

- It calls into question the extent to which the top management of the Commission services has been diligent in overseeing elementary compliance with Union law.

- It gives rise to a host of other extremely difficult questions, like whether the Commission itself was informed or kept totally in the dark.

Finally, regarding the notion that a request pursuant to Regulation No 1049/2001 is devoid of purpose when no documents are found to be held by the Commission services, this is truly a big novelty which has no basis whatsoever in Regulation No 1049/2001, the relevant EU Courts case law , not even the Commission’s own guide for handling applications, http://www.statewatch.org/news/2009/apr/....

Seen from the perspective of the particular factual and legal background of the present application, it appears to be completely out of place.

Yours faithfully,

Mr. Aris KOLIMATSIS

Internal Market, Industry, Entrepreneurship and SMEs

4 Attachments

Dear Mr Kolimatsis,
 
Please find attached DG Enterprise and Industry reply to your request for
access to documents.
 
 
Kind regards,
 
 
Annalisa La Rovere
Legal assistance/Access to documents
European Commission
DG Enterprise and Industry
Unit R4
BREY 13/73 | 1049 Brussels

----------------------------
Follow us on Twitter
[1]http://twitter.com/EU_enterprise
----------------------------
 
 
 

Zitate anzeigen

Mr. Aris KOLIMATSIS

Dear Enterprise and Industry (ENTR),

This is confirmatory application for all requests of the initial application, except that under #3.

This application is to be transferred to the Secretariat-General to be processed according to article 8 of Regulation No 1049/2001 and the Commission Decision 937/2001.

The paragraphs below analyse the initial reply of DG ENTR and advance arguments for the existence of documents (or parts thereof) that DG ENTR failed to identify and release.

I. IMPLICATIONS OF THE INITIAL ANSWER

This section sets out in an outline fashion the implications from the fact that the prior notification DG ENTR DPO-3334.1 contains two false statements and also that that its legal basis is essentially non-existing.

I.1 DPO-3334.1 TWO FALSE STATEMENTS AND TOTAL LACK OF LEGAL BASIS

By way of the answer of request #3 DG ENTR has admitted that the statement of DPO-3334.1 “This processing has been submitted to the EDPS who concluded that Article 27 is not applicable” is false. The Commission Data Protection Officer (hereafter the ‘DPO’) has not submitted any document about DPO-3334.1 to the EDPS. There can be no doubt that this particular statement is false.

DPO-3334.1 also states “3. Sub-Contractors —”, from which it must be concluded that in so far DPO-3334.1 is concerned DG ENTR has not been relying on sub-contractors (i.e. ‘processor’ or private-contractors ‘data controllers’, both within the meaning of Regulation No 45/2001). This is manifestly false, since approximately for almost three quarters of all DG ENTR external financial audits DG ENTR had been engaging sub-contactors (i.e. private auditors bound to the Commission through the DG RTD framework contracts).

The DPO-3334.1 very legal basis, i.e. “Financial Regulation ("FR") applicable to the General Budget of the European Communities (art. 170, 60.4), and its Implementing Rules ("IR") (art. 47.4)”, is also entirely baseless, because those provisions apply to the Commission’s end of a financial transaction and not to the end of the FP6 contractor or/and FP7 beneficiary.

Finally, DPO-3334.1 was filed in March 2011, that is to say after DG ENTR had carried out hundreds of external financial audits. According to the answer to the request #7, no prior notification covered the external financial audits of DG ENTR prior to March 2011. Therefore, for more than 3 years after the Commission Decision 597/2011 was duly adopted (OJ L 193/7 of 22 July 2008) DG ENTR had been gravely disregarding it, together with numerous additional grave infringements of Regulation No 45/2001 (hereafter ‘the Regulation’).

To conclude, in so far the external financial audits and the fundamental right of personal data protection are concerned DG ENTR has been a factory ‘mass-producing’ infringements of the Regulation and nearly certainly of the national personal data protection legislation.

I.2 INTEGRITY OF DG ENTR IN FP6 & FP7

An administrative department that infringes legality on a massive scale, reaching so low as to file a completely bogus prior notification with two false statements, DG ENTTR itself has gravely compromised its own integrity, honesty and good standing. In so much the FP6 and FP7 are concerned, in principle the public can be sceptical with the truthfulness of any statement of DG ENTR. Furthermore, there can be no confidence whatsoever on the truthfulness of DG ENTR on any matter relating to the external financial audits and compliance with the Regulation.

It is also highly pertinent to point that that both the DPO-3334.1 ‘data controller’ and the signatory of the DG ENTR initial reply is the very same official. It is really difficult to distinguish the truth and ‘gross inaccuracies’ of the very same official between (i) DPO-3334.1 and (ii) the initial reply Ares(2013)2844428 - 06/08/2013. The Commission services should not underestimate the importance of this point.

The false statements of DPO-3334.1 will beg for a long time the question whether DG ENTR was telling blatant lies in DPO-3334.1 only, or it has continued telling lies in a more ‘elegant’ manner in all other directly related matters.

I.3 PRESENT CONFIRMATORY APPLICATION

In view of the above analysis, in absence of corroborating ‘evidence’ or ‘statements’ from other administrative departments, or bodies like the EDPS, there can be no confidence in the veracity of the DG ETNR initial answer for all initial replies other than request #3. There are in full public view via asktheeu.org copies of EDPS letters stating that the EDPS was not consulted, not even informally, for DPO-3334.1 and therefore the initial reply to request #3 is truthful.

In my opinion, the Secretariat-General should take into consideration that (i) the false statements of DG ENTR DPO-3334, DG INFSO DPO-3338, DG RTD DPO-3398, DG MOVE & ENER DPO-3420 and DG MARE DPO-3455, (ii) the active involvement of the DPO for their entry and continuous presence into the article 4(4) public register of prior notifications of the Commission Decision 597/2008, (iii) the anti-fraud policies of the Research DGs that are based on the external financial audits, and (iv) the numerous infringements of the Regulation in FP6 & FP7 call for proposals call into question the very integrity of several administrative departments (but not all) of the Commission, including the Legal Services and the Secretariat-General.

I.4. EXISTENCE OF DOCUMENTS

One of the basic premises of the confirmatory application is that elementary compliance with Union law by an administrative department necessarily entails the drawing up of documents. In the interests of brevity this application does not remind the Secretariat-General several provisions of the Commission Decisions about document management, from which it is obvious the compliance with sound administrative practices and Union law dictate the drawing up of documents.

While the Commission services can always claim that a requested document does not exist, the public is entitled to draw the associated conclusions from any apparent failure to release documents on account of an assertion of their non-existence. Having gravely infringed the Regulation by DG ENTR may be equated to the ‘wounds’. Non-disclosure of documents by DG ENTR claiming their non-existence is the ‘salt’ in the saying ‘rubbing salt to the wounds’.

II. REQUEST #1

A very important point regarding prior notifications of the Regulation is that the ‘data controller’ is not necessarily the official whose name is indicated in a prior notification found in the article 4(4) register of Commission Decision 597/2008. In other words, the DPO-3334.1 data controller is not necessarily the official in the section entitled ‘Controller:’ of DPO-3334.1. Indeed, the EDPS has stated that ultimately the data controller is the Institution that carries out the personal data processing. One of the reasons is that organisational changes may result in the Unit filing a prior notification being merged with or subsumed by another Unit. While the structure of administrative departments may evolve over time, the responsibilities towards fulfilling legal requirements are borne by an Institution and not its organisationally ‘transitory’ Units. In the event of legal action for the personal data processing of DPO-3334.1 before the General Court, the party to the litigation will be the Commission and not the ‘data controller’ indicated in DPO-3334.1. Therefore, even if the DPO-3334.1 ‘Controller: ...’ states that no documents exist, this does not necessarily imply that DG ENTR as a ‘data controller’ has not drawn up a short paragraph about DPO-3334.1.

It is therefore kindly requested that the Secretariat-General consider in handling the confirmatory reply that the DPO-3334.1 ‘data controller’ as being either the entire DG ENTR or the Commission.

As stated above, DPO-3334.1 has had no legal basis whatsoever. In order to solve these insurmountable problems with legality, the DPO-3334.1 data controller entered a completely ‘bogus’ prior notification in the article 4(4) public register. In other words, the data controller created ‘smoke and mirrors’ for DPO-3334.1 when it came to its legal basis.

Notwithstanding the outright infringements of article 49 of Regulation No 45/2001 and a few articles of the Staff Regulations DPO-3334.1 entails, according to the DG ENTR initial reply the data controller took all those grave personal risks without having written a single line of an email or a note to the file. Taking the initial reply its face value, it must be concluded that not only DG ENTR does not observe legality, but its officials are also essentially free to gravely disregard legality without any control whatsoever from the DG ENTR top management. One logical conclusion of all this is that DG ENTR organizational structure is wholly inadequate to manage the FP6 & FP7 programmes entrusted to it.

It is self-evident that DG ENTR has caused to be caught between a rock and a hard place. On the one hand, maintaining that no other documents (except the prior notification itself and the Privacy Statement) were drawn by the DPO-3334.1 data controller leaves wide open the door for an extremely harsh criticism about the management of all Directorates/Units which had been involved in the FP6 & FP7 programmes. On the other hand, releasing further documents drawn up by the data controller will add more nails in the coffin of having gravely infringed legality.

The initial reply has to be considered either (i) as an admission of outright failure to observe legality in external financial audits and also properly manage the parts of the FP6 and FP7 entrusted to DG ENTR (which means that indeed no other documents were drawn up by the data controller), or (ii) there are other documents that were not released.

It is expected that in framework of re-examining the confirmatory application the Secretariat-General will search for documents drawn up by DG ENTR or the Commission services as the DPO-3334.1 ‘data controller’.

III. REQUEST #2

The request is about ‘The documents drawn up by the DG ENTR Data Protection Coordinator’. The initial reply is that the DG ENTR Data Protection Coordinator – DPC did not drawn up a single like about DPO-3334.1, but he merely entered into the register what the data controlled handed over to the DPC about the prior notification. Put differently, the DPC just encoded information.

This ‘position’ is highly contradictory with the roles and responsibilities of Data Protection Coordinators as laid down in article 14 of Decision 597/2008; paragraph 4(a) reads “establish an inventory of processing operations in the Directorate-General, keep it up to date, and help to define an appropriate risk level for each of the processing operations; he shall use the online Inventory Management System for DPCs put in place for those purposes by the DPO on his website on the Commission’s Intranet”. It is evident that the DPC has infringed this stipulation because (i) DPO-3334.1 was entered into the register more than 3 years after the aforesaid Decision entered into force, and (ii) it appears that the DPC dismally failed to spot the certainty of infringing Regulation No 45/2001 in every single DG ENTR external financial audit. The stipulation of paragraph 14(5)(c) of the Decision renders the DPC directly liable for the factual accuracy of DPO-3334.1.

Taking the initial answer at its face value, the only logical conclusion is that DPC infringed numerous provisions of Union law without having written a single line. The considerations about the data controller of section II above and the initial reply of request #1 apply mutatis mutandis to the DPC and the request #2.

IV. REQUEST #4

DG ENTR stated that no document exists. It then went on to provide as additional information the EDPS letter of 27/10/2009, case C 2009-0565, which concerns the former DG RELEX. This EDPS opinion is supposed to be the very EDPS opinion about the DPO-3340.1 statement ‘This processing has been submitted to the EDPS who concluded that Article 27 is not applicable’. The following are noted:

- The DG RELEX EDPS opinion predates DPO-3334.1 by almost one and half year.

- It concerns the Commission’s internal audit operations, since the audits concern DG RELEX Directorate K. The audited accounts concern officials, temporary and auxiliary staff employed at the Commission’s delegations. The data subjects are subject to Staff Regulations.

- At the FP6 contractor – FP7 beneficiary level, the DG RELEX Directorate K audits are equivalent to an internal audit of the contractor/beneficiary by its own audit department. The DG ENTR external financial audits are fundamentally different.

- The DG ENTR external financial audits are solely based on contractual provisions, in a context where the Commission does not exercise its prerogatives as a public authority. Such audits of DG ENTR are worlds apart from the DG RELEX ones.

It must therefore be concluded that the EDPS opinion of case C 2009-0565 is wholly irrelevant to DPO-3334.1.

The initial reply must be understood as an implied decision to totally refuse access without a statement of reasons.

V. REQUEST #5

A prior notification is not just a ‘piece of paper’ where anything can be written with no consequences at all. The request #5 concerns documents expressly referred to in a statutory instrument. Unless the DPO-3334.1 data controller has inserted more ‘bogus’ statements in that prior notification, the tools referred to are to be presumed as existing, in which case the requested documents do indeed exist.

While the initial reply has provided some ‘fragments’ of information (just abbreviations of the IT tools, without even their full titles), no documents were released. DG ENTR has stated that “We do not have any of the requested documents”. This assertion is in itself highly problematic, since it calls into question how the DPO-3334.1 data controller drew the conclusion that those IT tools were ‘useful’ in the personal data processing operations without he himself, or his subordinates, having examined documents about those IT tools. Not possessing copies of the requesting documents is, inter alia, tantamount to grossly substandard administrative practices.

Turning to request #5(d), the released document of the DG RTD Director-General, reference no RTD.A.4/SG A.4/2008/D/586298, is in my view immaterial to the present application, which concerns the DG ENTR ‘decision’ to use those tools. Failure to release the DG ENTR ‘decision’ at issue will be tantamount to another ‘bogus’ element in DPO-3334.1.

As regards the statement that “DG DIGIT has developed those IT tools”, the applicant would like to take issue with the substance of this statement. In case the IT tools were developed by ‘intra-muros’ staff, DG DIGIT has only signed the ESP-DESIS framework contracts from which the Research DGs may have taken intra-muros staff. Even this is questionable, as DG RTD had its own framework contracts that were in force until late 2012. In all cases, the intra-muros staff had been working under the direction and supervision of officials of the Research DGs, which implies that DG DIGIT has in essence nothing to do with them. Pointing an applicant to DG DIGIT document may be misleading.

The fact of the matter is that DG ENTR has refused to release the requested documents by relying on extremely superficial excuses. The initial reply must be understood as an implied decision to totally refuse access without a statement of reasons. It is expected that the Secretariat-General will look all over again the whole request #5.

VI. REQUEST #6

The first two paragraphs of section V above are equally applicable to the request and the DG ENTR initial reply.

Referring an applicant to the website of a software vendor (which was expressly left out of the scope of the initial request) is not compliant with Regulation No 1049/2001 and the Commission Decision 937/2001.

Even if the IBM iBase software is the underlying software platform of the IT tools, iBase is not about external financial audits of FP6 and FP7 and personal data processing, which means some kind of customisation/tailoring of iBase was performed for the purposes of the external financial audits of the Research DGs. Such customisation/tailoring entails the drawing up of several IT-specific documents.

Apparently, DG ENTR is of the opinion that the applicant is completely ignorant of highly technical IT matters, not realising that an applicant can seek assistance from IT experts. There are also huge questions regarding whether IBM iBase is relevant at all to the external financial audits of the Research DGs in the first place. Typical users of such software are law enforcement organisations and private sector entities seeking to establish ‘suspicious’ behaviour (e.g. private security firms). A simple glance at the iBase websites confirms that indeed this is the business of a typical iBase user organisation. Also, within the Commission services iBase was originally used by OLAF only in its ant-fraud information systems. A use of an OLAF IT tool by DG ENTR in the run-of-the-mill external financial audits (taking DPO-3334.1 at its face-value) requires some training and some used manuals, i.e. requested documents. The DG RTD released document in immaterial to the present application, since the application specifically requested the DG ENTR internal decision.

All the above make the iBase ‘story’ of DG ENRT even more worrisome, also adding yet another element of ‘bogusness’ to an already fully-laden with ‘bogus’ statements DPO-3334.1.

The fact of the matter is that DG ENTR has refused to release the requested documents by relying on extremely superficial excuses. The initial reply must be understood as an implied decision to totally refuse access without a statement of reasons. It is expected that the Secretariat-General will look all over again the whole request #6.

V. REQUEST #7

This request is about the DG ENTR prior notification covering the external financial audits prior to March 2011. The initial answer is that no documents exist. The following are noted:

- The last paragraph of article 24(1) of Regulation No 45/2001 reads “That person shall thus ensure that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations”. Read in conjunction with paragraph (d) of this article and also article 25, it follows that by not entering a prior notification covering the external financial audits DG ENTR took the extremely serious risk of adversely affecting the data subject rights of all the persons whose personal data were processed in external financial audits.

- Considering together article 24(1)(c), article 25 of Regulation No 45/2001 and the total absence of a prior notification, the personal data processing is probably unlawful, regardless of the other grave infringements of that Regulation by the audits.

In view of the above analysis, a confirmatory application is submitted for request #7.

VIII. REQUEST #8

The crux of the issue of the present request is whether the Member of the Commission overseeing DG ENTR was briefed about (i) the manifestly false statement of DPO-3334.1 that no subcontractors have been engaged and (ii) that the statement of assurance of the Director-General was itself based on gravely illegal external financial audits that have infringed numerous provisions of Union law, including several articles of Regulation No 45/2001, Commission Decision 597/2008 and article 57(2) of Regulation 1605/2002 (as amended).

In my opinion, there can be no doubt that the DG ENTR management, all the way to the Director-General, has been fully aware of the vast illegalities of the external financial audits and has wilfully and intentionally condoned it.

The DG ENTR assertion that the DPO-3334.1 statement “This point of notification does not state that DG ENTR doesn’t engage subcontractors” is totally divorced from what a reasonable person would understand. For all intends and purposes it is blatant lie in full public view.

The other DG ENTR excuses about call for tenders and contractual clauses are so flimsy that they do not withstand the slightest challenges. For instance, no contractual clause may legally empower private contractors of the Commission (i.e. those with the ‘subcontractors’ of the Research DGs) to process personal data of third parties (i.e. the researchers) in a context of another private law contract (i.e. the FP6 contract or the FP7 grant agreement).

Turning to the DG ENTR annual activity reports, the requested documents are about DG ENTR (as an administrative department) informing the respective Member of the Commission about the grave breaches of Regulation No 45/2001 by DG ENTR in its external financial audits. The initial reply did not state that the requested documents do not exist. It attempted to fudge the issue by providing information that is immaterial to a request pursuant to Regulation No 1049/2001.

Once more, it is noted that the signatory of the DG ENTR initial reply is the same official indicted in the completely ‘bogus’ DPO-3334.1.

In view of the above analysis, a confirmatory application is submitted for request #8.

Yours faithfully,

Mr. Aris KOLIMATSIS

Mr. Aris KOLIMATSIS

Dear Enterprise and Industry (ENTR),

This concerns the status of registering the confirmatory application GestDem 2013/3421, which was lodged via email - visible to be public - on 26 August 2013. The present enquiry is to be transferred to the Secretariat-General, which will handle the confirmatory application according to article 8 of Regulation No 1049/2001 and the Commission Decision 937/2001.

As it appears the Secretariat-General has not notified the applicant about the registration of the confirmatory application. I would therefore appreciate if the Secretariat-General would inform me about the status of handling the confirmatory application.

Yours faithfully,

Mr. Aris KOLIMATSIS

Internal Market, Industry, Entrepreneurship and SMEs

1 Attachment

Dear Mr Kolimatsis,   

 

Thank you for your fax/letter/e-mail dated 26/08/2013, registered
on 13/09/2013.  I hereby acknowledge receipt of your confirmatory
application for access to documents (ref.: Ares(2013)3040910 – gestdem
2013-3418). 

 

In accordance with Regulation 1049/2001 regarding public access to
European Parliament, Council and Commission documents, you will receive a
response to your request within 15 working days (04/10/2013).

 

Yours sincerely,

 

Paul SIMON
European Commission - Secretariat General
Unit SG.B.5, Transparency

_____________________________________________

Zitate anzeigen

Internal Market, Industry, Entrepreneurship and SMEs

2 Attachments

Dear Mr Kolimatsis,
Kindly find herewith a letter concerning your confirmatory application for
access to documents (gestdem 2013-3418).
       
Yours sincerely,
 
Paul SIMON
Unit SG.B.5, Transparency
European Commission
 

Internal Market, Industry, Entrepreneurship and SMEs

2 Attachments

 
Dear Mr Kolimatsis,

Kindly find the answer to your confirmatory application concerning your
request for access to documents pursuant to Regulation (EC) N° 1049/2001
regarding public access to European Parliament, Council and Commission
documents (Gestdem 2013/3418).
Yours sincerely,
Carlos Remis
SG.B.5.
Transparence.
Berl. 05/329.
 
 
 
 
 
 
 

 
 
 

Internal Market, Industry, Entrepreneurship and SMEs

1 Attachment

Dear Sir,
 
Please find attached a letter regarding your confirmatory application for
access to documents (ref. Gestdem 2013-3822).
 
 
Yours sincerely,
Priscille Schiltz
SG B5 - Transparency, 'Access to documents'
 
 

Internal Market, Industry, Entrepreneurship and SMEs

2 Attachments

Dear Mr Kolimatsis,
Kindly find the answer to your confirmatory application concerning your
request for access to documents pursuant to Regulation (EC) N° 1049/2001
regarding public access to European Parliament, Council and Commission
documents (gestdem 2013-3418).
Yours sincerely,
Paul SIMON
Unit SG.B.5, Transparency
European Commission
 

Mr. Aris KOLIMATSIS

Dear Enterprise and Industry (ENTR),

Please forward this email to the Secretariat-General.

-------------------------------------------

Dear Madam/Sir,

I respectfully protest about the substance of the response of 18 November to the confirmatory application, Ares(2013) 3504828. The primary reasons are outlined below.

1. The Secretariat-General did not carry out a search for documents held by the Commission services. Instead it relied on a 'detailed search' of DG ENTR and took the DG ENTR result of the search at its face value.

2. The Secretariat-General has manifestly ignored that the prior notification DG ENTR DPO-3334.1 still states (on 19 November) "This processing has been submitted to the EDPS who concluded that Article 27 is not applicable" and "3. Sub-Contractors — ", both of which are manifestly false. In other words, the Secretariat-General took as truthful the statement of an administrative department that misrepresents basic facts in full public view. This proves that the response of the Secretariat-General is wholly inadequate in in contravention of Regulation 1049/2001 and Commission Decision 937/2001.

3. Request #1: There is a much longer version of the Data Protection Officer ('DPO') questionnaire that the DPO-3334.1 data controller has most likely filled in. The questionnaire template was released by the DPO in GestDem 2013/4985, http://www.asktheeu.org/en/request/857/r.... DG RTD released the DPO filled-in questionnaire regarding DG RTD DPO-3398.1 in GestDem 2013/3351; the DG RTD filled-in questionnaire is annex 1 to the document Ares(2011)475763 - 02/05/2011. It is reasonable to presume that DG ENTR filled in the same questionnaire - a document drawn up by the DPO-3334.1 data controller - that the Secretariat-General ought to fully to release.

4. Request #5: The IT tool in question manifestly exists, and therefore there are some documents falling under (a), (b), (and c). Sooner or later this will come out in full public view. Even if DG ENTR does not hold the requested documents, the Secretariat-General ought to search for them and fully release them.

5. Request #6. Essentially the IT tool is either DG INFSO PLUTO, or DG RTD CHARON, or a modification of either. Even if DG ENTR does not hold the requested documents, the Secretariat-General ought to search for them and fully release them.

In view of the above considerations, the result of the application will be marked as "REFUSED".

As the underlying matter is gravely serious, the applicant will draw the attention of the respective Member of the Commission and of other third parties. In my view, the conduct of DG ENTR cannot be accepted in a Union governed by the rule of law.

Yours faithfully,

Mr. Aris KOLIMATSIS