Personal data protection of DG RTD external financial audits, DPO-3398

The response to this request is long overdue. By law, Directorate-General for Research and Innovation should have replied to you by now under all circumstances. (Details). You can complain by requesting an internal review.

Dear Research and Innovation (RTD),

Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:

I. CONTEXT OF THE REQUEST

The prior notification DPO-3398.4 is registered at http://ec.europa.eu/dpo-register/details... (checked on 20/6/2013)

Parts of DPO-3398.4 read:

4. Automated / Manual operations
………………
Contractors (Processors) might use other IT tools, developed in-house or of the shelf…..
………………

8. Legal basis / Lawfulness
………………….
As in the context of previous audits and ex-post controls the EDPS already concluded that Art. 27 was not applicable, this processing does not require a prior checking.
……
16. Recipients
Collected personal data could be submitted to Commission services in charge of ex-post controls, without prejudice to a possible transmission to the bodies in charge of a monitoring or inspection task in accordance with Community law (OLAF, Court of Auditors, Ombudsman, EDPS, IDOC, Internal Audit Service of the Commission).

II. DEFINITIONS

The following terms are defined:
‘tool’ refers to any single of the ‘IT tools’ of DPO-3398.4 section 4;
‘EDPS opinion’ refers to any document drawn up by the EDPS regarding any version of DPO-3398;

The term document in the requests hereunder is to be understood as any kind of written material, regardless of its particular form, be it a formal note, an email, or an entry in an information system (e.g. a data base record or a web page).

III. REQUESTS

The present application concerns the following documents regarding all versions of DPO-3398, as detailed below:

1. All versions of DPO-3398 entered in the internal website of article 4(4) of Commission Decision 597/2008.

2. Versions 1, 2, and 3 of DPO-3398 that were registered for some time in the public register of article 26 of Regulation No 45/2001.

3. The documents the DG RTD Data Protection Coordinator has drawn up for every single version of DPO-3398.

4. The documents the DPO-3398 data controller has drawn up for every single version of DPO-3398.

5. Every single ‘EDPS opinion’ about DPO-3398.

6. Document(s) DG RTD dispatched to the Legal Services, if any, requesting an opinion about the lawfulness of the DPO-3398 personal data processing operations.

7. The documents setting out an analysis that articles 60.4 FR, 170FR, 47.4IR (first three versions of DPO-3398) and 137.2FR and 180.1.f RAP (DPO-3398.4) is a sufficient and adequate legal basis for the personal data processing of the DG RTD external financial audits.

8. Since by definition ‘Activities and expertise, and CV’ are ‘intended to evaluate personal aspects relating to the data subject’, the DG RTD documents setting out a reasoning why article 27(2)(b) of Regulation No 45/2001 was not applicable to DPO-3398.

9. The ‘forerunner’ prior notification(s) regarding the DG RTD external financial audits prior to the first entry of DPO-3398.1 in the register (i.e. prior to April 2011).

10. The documents the DG RTD Data Protection Coordinator had drawn up about the ‘forerunner’ prior notification(s) being compliant with article 25 of Regulation No 45/2001 regarding the external financial audits.

11. The documents the data controller(s) of the ‘forerunner’ prior notification(s) had drawn up about their ‘coverage’ of the external financial audits.

12. The documents setting out the end-user functionalities of every single ‘tool’.

13. The technical documents comprising the system specifications, system design, and system testing of every single ‘tool’. Such documents are core Information Systems technical documents.

14. The ‘internal administrative act’ having the nature of an ‘internal decision’, or equivalent, to develop every single ‘tool’.

15. The document(s) DG RTD has drawn up pursuant to article 23(1) of Regulation No 45/2001 for every single ‘Processor’ that had conducted an external financial audit.

16. The documents DG RTD has drawn up pursuant to article 23(2)(b) with the instructions to ‘Processors’ and dispatched to them.

17. The document(s) drawn up by DG RTD pursuant to article 23(3) for every single ‘Processor’ that had conducted an external financial audit.

18. Since towards data subjects the organisation of external financial audits is an ‘administrative measure’, the documents DG RTD had drawn up pursuant to article 28(1) of Regulation No 45/2001.

19. The documents setting out the lawfulness of personal data transfer from DG RTD to the Ombudsman.

20. The documents setting out the lawfulness of personal data transfer from DG RTD to the EDPS.

21. The documents laying down the ‘internal rules’ of article 6(1) of Regulation No 45/2001 authorising the change of use of personal data by way of transferring personal data from DG RTD to IDOC.

IV. OVERRIDING PUBLIC INTEREST

Since all requests concern rights enshrined in Regulation No 45/2001, this provision is patently obvious.

Yours faithfully,

Mr. Kostas VITSOS

Directorate-General for Research and Innovation

1 Attachment

Dear Mr Vitsos,

 

Thank you for your email dated 21 June 2013.  We hereby acknowledge
receipt of your application for access to documents, which was registered
on 24 June 2013 under reference number GestDem 2013/3351.

 

In accordance with Regulation (EC) No 1049/2001 regarding public access to
European Parliament, Council and Commission documents, your application
will be handled within 15 working days. The time limit will expire on 15
July 2013. In case this time limit needs to be extended, you will be
informed in due course.

 

Yours sincerely,

 

Silvia BOJINOVA

Head of Unit

 

European Commission
DG Research & Innovation
R5
ORBN 09/151
B-1049 Brussels/Belgium
+32 229-85891
[email address]
http://ec.europa.eu/research

Directorate-General for Research and Innovation

1 Attachment

Dear Mr Vitsos,

We refer to your email dated 21 June 2013 in which you make a request for
access to documents, registered on 24 June 2013 under the above mentioned
reference number.

Your application is currently being handled. However, we will not be in a
position to complete the handling of your application within the time
limit of 15 working days, which expires on 15 July 2013.

An extended time limit is needed as your application concerns a very large
number of documents, which in order to be retrieved require large files to
be examined by different Services.

Therefore, we have to extend the time limit by 15 working days in
accordance with Article 7(3) of Regulation (EC) No 1049/2001 regarding
public access to documents. The new time limit expires on 5 August 2013.

We apologise for this delay and for any inconvenience this may cause.

Yours faithfully,

 

Silvia BOJINOVA

Head of Unit

 


Dear Research and Innovation (RTD),

Thank you for your email dated 9 July 2013.

I must make clear from the outset that in my view DG RTD is to be regarded as an administrative department of the European Commission, fundamentally different from the Institution itself and the very Guardian of the Treaties. The reason for that sharp distinction is the recent emergence in full public view, in particular in asktheeu.org, of the 'inaccuracies' of DG RTD DPO-3398.1 and the whole 'shadowy realm' of the external financial audits of the Research family DGs.

European citizens have a very high regard for the Institution of the European Commission and its fundamental role to the Union. The record of DG COMP as the foremost anti-trust authority in the world doubly underscores that when it comes to its role as a regulator, the Commission itself is the golden standard against which all other authorities are to be compared.

Having due regard to the above points, I would like to take issue with the undue delay of fully releasing the documents under #1, #2, #3, #4, #5, #7, #8, #9, #10, #11 and #21 of the application.

I must confess that it is extremely odd that an applicant has to lecture DG RTD about, on the one hand, the statutory obligations of its officials pursuant to article 16(1) TFEU, Regulation No 45/2001 and Commission Decision of 3/6/2008 2008/597/EC 'adopting implementing rules concerning the Data Protection Officer....', and on the other hand, the transparency principle embodied in Regulation No 1049/2001 and sound administration (swift release of documents).

Every single document concerning requests #1 to #5 and #7 - #11 is indissociably linked with a statutory duty of Commission officials stipulated by Union law on personal data protection. Not having drawn up these documents will automatically and at a minimum amount to a reckless disregard of duty by the DG RTD data controller(s), the DG RTD Data Protection Coordinator, and the Commission Data Protection Officer. It will also amount to a serious infringement by the said Officer of article 24(1) last sub-paragraph of Regulation 45/2001 "That person shall thus ensure that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations".

Turning to request #2 'Versions 1, 2, and 3 of DPO-3398 that were registered for some time in the public register of article 26 of Regulation No 45/2001', it is simply beyond belief that statutory documents posted in the Europa Website for several months - hence available for downloading by the public - are not released within 15 working days from the registration of an application pursuant to Regulation No 1049/2001.

Regarding request #21 (‘internal rules’ of article 6(1) of Regulation No 45/2001 authorising the change of use of personal data by way of transferring personal data from DG RTD to IDOC), the requested documents must, presumably, have been drawn up. Including in a statutory instrument (i.e. DPO-3398.4, http://ec.europa.eu/dpo-register/details...) IDOC as a recipient of personal data of individuals, who are neither DG RTD staff nor parties to FP7 grant agreements, and whose personal data collected by a DG RTD contractor (the external auditor) pursuant to article FP7.II.22 from another contractor of DG RTD (the auditee) is, simply, borderline absurd. If for more than 2 years DG RTD makes such 'statements' in a statutory instrument, then such 'statements' must be supported by substantive arguments, that is to say the requested 'internal rules'.

Finally, for documents drawn up by DG RTD staff only (e.g. requests #2, #3, #4) no other Directorates-General need be involved in the examination of the files.

Having due regard to the foregoing considerations, I respectfully maintain that DG RTD is legally obliged to fully release the documents under #1, #2, #3, #4, #5, #7, #8, #9, #10, #11 and #21 without undue delay.

Yours faithfully,

Kostas VITSOS

Directorate-General for Research and Innovation

1 Attachment

Dear Mr Vitsos,

 

We refer to your request for access to documents registered under the
above mentioned Gestdem reference number on 24/06/2013.

We would like hereby to assure you that your application is currently
being handled. We very much regret that we could not meet our earlier
deadline but we need some additional time for the finalization of the
handling of your application given the fact that the activities of our
department are reduced during the month of August. 

At the same time we would like to reassure you that we are doing our best
to provide you with our reply as soon as it is ready and approved. We
truly apologise for this unexpected additional delay and for any
inconvenience this may cause.

We thank you very much in advance for your patience and kind
understanding.

Faithfully yours,

Silvia BOJINOVA

Head of Unit

 


Directorate-General for Research and Innovation

3 Attachments

 

Dear Mr Vitsos,

We refer to your e-mail dated 12/07/2013 in which you make a request for
access to documents, registered on the same day under the above mentioned
Gestdem reference number.

Please find enclosed the reply of Directorate-General for Research &
Innovation, together with its annexes.

Yours faithfully,

Silvia BOJINOVA

Head of Unit

 


Dear Research and Innovation (RTD),

The present document is a confirmatory application pursuant to article 7 of Regulation No 1049/2001. It is kindly requested that DG RTD transfer it to the Secretariat-General which is responsible to handle it according to the Commission Decision 837/2001.

The confirmatory application concerns requests #2, #3, #12, #13, #14 - #21.

The first section hereunder discusses that the external financial audits in which the Research DGs gravely infringed article 16(1) TFEU and Regulation No 45/2001 had had several extremely negative consequences. One is the creation of friction with the research community, and the conveyance of the message that the Research DGs care primarily about compliance with bureaucratic rules so that they are not criticised by the Court of Auditors (the infamous 2% tolerance margin of the Court). The second one is that the direct financial cost of the gravely illegal external financial audits is in the order of 250 million Euro in the period 2007-2013.

The second section establishes that the false declarations in DPO-3398 and its entirely bogus and deceitful nature have destroyed for good the public’s confidence in the honesty and integrity of the entire DG RTD as an administrative department.

The remaining sections hereunder analyse the DG RTD initial reply and argue that documents do indeed exist (or DG RTD ought to have drawn them up) that DG RTD failed to identify and release.

1. CONTEXT OF THE APPLICATION WITH RESPECT TO FP6 & FP7

The application concerns the external financial audits of DG RTD (hereafter the ‘RTD audits’) and the fundamental right of personal data protection that is enshrined in article 16(1) TFEU. The FP6 and FP7 external financial audits have generated a great deal of tension and friction with the European Research community. Two indications proving the elevated tension are:

- The statement by the Secretary General of the European Association of Research and Technology Organisations “Commission’s ex-post FP6 Audit Campaign doing more Damage to EU Research Policy than Good to the EU Budget”, end of page 6, http://www.earto.eu/fileadmin/content/03...

- The "Trust Researchers" initiative, which was launched in reaction to the extensive external financial audits campaign of the Research DGs and the creation of mistrust between researchers and the Research DGs. The initiative collected more than 13,500 signatures in 2010 in favour of a more trust-oriented funding philosophy; see page 14 of the position paper http://ec.europa.eu/research/horizon2020...

The audits did not only divert precious time of researchers to unnecessary bureaucratic paperwork at the expense of research results, but they also have had a very significant cost in terms of remuneration of external audit firms and the costs of the Commission staff. On page 7 of the SEC(2010) 641 document ‘Developing the tolerable risk of error concept for the research, energy and transport policy area’ it is stated: “As per the above methodology established by the Commission, the cost of control in the research, energy and transport policy group totalled around €267m annually”. According to that study, the costs of an external financial audit by Commission staff and contractual external auditors are 122 and 64 thousand Euro respectively.

According to the FP7 audit awareness leaflet, ftp://ftp.cordis.europa.eu/pub/fp6/docs/awareness-leaflet_en.pdf, there were 1230 FP6 audits in total. From the FP7 audit histogram of the leaflet in the period 2009-2013 the total number of FP7 audits is approximately 2,100. Assuming a ratio of audits 20% by Commission staff at € 122,000 each and 80% by contractors at a cost of € 64,000 each the total cost of FP6 and FP7 audits is 261 million Euro. It is evident that the costs are very significant.

2. OVERALL ASSESSMENT OF THE DG RTD INITIAL REPLY AGAINST THE CREDIBILITY AND INTEGRITY OF DG RTD – LIABILITY OF OFFICIALS

The DG RTD has stated that there are no documents for requests #5 and #7. Since there is no EDPS document about DPO-3398, it must be concluded that the DPO-3398 statement “This processing has been submitted to the EDPS who concluded that article 27 is not applicable” is A FALSE DECLARATION.

Turning to the initial reply to request #7 and the non-existence of documents, since there are no documents about “articles 60.4 FR, 170FR, 47.4IR (first three versions of DPO-3398) and 137.2FR and 180.1.f RAP (DPO-3398.4) is a sufficient and adequate legal basis for the personal data processing of the DG RTD external financial audits” and that article 170 FR manifestly does not concern research funding, it must be concluded that there is no legal basis whatsoever about the personal data processing of DG RTD in the context of the RTD audits.

That there is no legal basis should not be a surprise. Two obvious reasons are:

- Personal data processing pursuant to a private law contract (the FP6 contract and the FP7 grant agreement) without the consent of the data subjects (the researchers charged to audited projects) is outright illegal, since none of the criteria of article 5 of Regulation No 45/2001 is fulfilled. In the vast majority of the RTD audits the data subjects are third parties to the contracts, and therefore articles FP6.II.29 and FP7.II.22 are irrelevant in so far as the data subject rights are concerned; put differently, the contractual terms cannot and do not affect the data subject rights and compliance with Regulation No 45/2001.

- By definition, a prior notification like DPO-3398 containing false declarations is a deceitful one. If there were a proper legal basis for the RTD external financial audits and the associated personal data processing, no public administration would have dared to include false declarations in a statutory instrument. The mere inclusion of false declarations means that the legal basis is absolutely non-existing.

The second manifestly FALSE DECLARATION of DPO-3398 is that no processors are engaged in the personal data processing operations. This flies in the face of reality, since external auditors-contractors have carried out approximately 80% of the RTD audits. It is evident that this particular FALSE DECLARATION is also a BLATANT LIE.

According to article 2(d) of Regulation No 45/2001 a data controller is, at a minimum, an organizational unit. DPO-3398 states a DG RTD Directorate as a data controller. In all Annual Reports ever since 2007 DG RTD has devoted several pages to the RTD audits. It must thus be inferred that, within the meaning of Regulation No 45/2001, the DPO-3398 data controller is the entire DG RTD.

According to article 1 second indent of Commission Decision 597/2008 of 22/7/2008 (O.J. L 193/7) the data controller is “the official responsible for the organisational unit that has determined the purposes and the means of the processing of personal data”. Consequently, the DPO-3398 data controller within the meaning of that Decision is the DG RTD Director designated in DPO-3398 (hereafter ‘the Director’).

It follows from the above two definitions of the data controllers that both the entire DG RTD as well as the aforesaid Director are both liable for the DPO-3398 false declarations. The aforesaid article 1 second indent has not prejudiced the definition of data controller of Regulation No 45/2001.

In several jurisdictions where strict observance of the rule of law is the norm, deliberate misrepresentation of facts by officials in documents provided for by the statute is an offence. There can be no question that the Director is personally liable for the false declarations of DPO-3398 with respect to the Belgian law (place of DG RTD seat). He is also personally liable for infringements of the Staff Regulations, article 49 of Regulation No 45/2001, and article 1(3) second indent of Regulation No 1073/99 “dereliction of the obligations of officials”. The Commission did enact the aforesaid article 1 second indent precisely for holding senior officials accountable as data controllers. Put differently, in doing so the Commission was stating its policy of not tolerating infringements of Regulation No 45/2001 by thinly distributing responsibility across whole Directorates and Directorates-General, in which case officials might be able to evade their personal liabilities by pleading that the responsibility was shared between numerous officials.

That the Director has the benefit of ‘diplomatic immunity’ makes his offence all the more grave, since it gives rise to the suspicion that DG RTD named a Director as a data controller precisely in order to avoid the liabilities of having committed an offence, which, conceivably, was under the jurisdiction of the Member States. In any event, the diplomatic immunity will not save the Director from the condemnation of the public opinion.

DG RTD, as an administrative department and the lead service of FP6, FP7 and Horizon 2020, is also liable for the false declarations of DPO-3398. An administrative department that dares the drawing up of official documents in plain public view with FALSE DECLARATIONS about the fundamental right of personal data protection has completely destroyed - for many years to come - its credibility and integrity.

In the light of the preceding considerations of this section, the truthfulness of the DG RTD initial reply cannot be taken for granted. It cannot be excluded a priori that DG RTD has not been economical with the truth with its initial replies to other than #5 and #7 requests for documents.

Further analysis of the deceitful nature of DPO-3398, beyond the two FALSE DECLARATIONS, is provided further below.

3. REQUEST #2

The request concerns the version of DPO-3398 found in the public register of article 26 of Regulation No 45/2001, which is also provided by article 4(4) of Commission Decision 597/2001. In other words, it is about the versions of DPO-3398 that the public was able to download from the Europa website.

3.1. DPO-3398 IS A “FLUID” DOCUMENT

Annexes 1 to 3 give copies of the first three versions of DPO-3398, as downloaded from Europa website in the autumn of 2011, section of the Data Protection Officer, links http://ec.europa.eu/dataprotectionoffice..., where x takes the value of 1, 2 and 3 for each successive version. Since a third party provided the applicant with those copies of DPO-3398, the applicant is not in a position to categorically confirm their authenticity. Nevertheless, the applicant has no reason to doubt that they are genuine and authentic copies.

It is striking that the 3 versions of DPO-3398 downloaded in 2011 are not identical to the released ones, both in content and in structure. The most important difference is that in autumn 2011 DPO-3398 did indeed state that three different types of processors were used, namely RTD Units M1 & M2 and “Contractors of the RTD framework contracts for external audits”. The four versions of DPO-3398 released with the initial reply state “3 . Processors N.A N.A|N.A N.A|N.A N.A”, the only interpretation of which is ‘not applicable’, which further implies that DG RTD has not been using as processors external contractors-auditors.

The version of DPO-3398.4 at the link http://ec.europa.eu/dpo-register/details... states “3. Sub-Contractors Any in-house external auditor of DG RTD is a processor.”, which is different from what is stated in the released DPO-3398.4.

It can be concluded that each single version of DG RTD DPO-3398 is a fluid document, whose contents in one fundamental aspect change over time. This indicates that when it comes to prior notifications of article 25 of Regulation No 45/2001, DG RTD has a very elastic interpretation of the “truth”. It is self-evident what that implies for observance of legality.

3.2. REPOSITORY OF THE RELEASED DPO-3398

In addition, the released first three versions of DPO-3398 have fields for entries designated as ‘Delegate’, ‘DPC’, ‘DPC Notes’. Consequently, it must be inferred that DG RTD released the four versions of DPO-3398 ‘entered in the internal website of article 4(4) of Commission Decision 597/2008’. Put differently, the released versions of DPO-3398 were stored in a document repository different from the public register of article 4(4) of Commission Decision 597/2008.

3.3. CONCLUSIONS

The inescapable conclusion of the considerations of the above two sub-sections is that DG RTD has not released the versions of DPO-3398 under request #2. The DG RTD initial reply is an implied total refusal to release the requested documents without a statement of reasons.

It is expected that the Secretariat-General will diligently search for the requested documents under request #2 and inform the applicant accordingly.

4. REQUEST #3

The request is about the documents the DG RTD Data Protection Coordinator has drawn up regarding the matters directly relating to DPO-3398.

Article 14 of the Decision 597/2008 provides for several statutory responsibilities of the Data Protection Coordinator (hereafter ‘the DPC’). According to the DG RTD version of the ‘story’, in April 2011 the DPC collaborated with the Director in the preparatory work of entering DPO-3398 in the notification system of DPO – no other DG RTD prior notification was relevant at that time – without the DPC wondering how a mainstream activity of DG RTD had been going on for four years without a prior notification. It is not reasonable to have confidence in that the DG RTD DPC did not draw up a short paragraph about the RTD audits. If this is indeed the case, it must be concluded that the DG RTD DPC recklessly disregarded his statutory duties. This, in turn, will give rise to all kinds of further questions about the extent of elementary compliance of DG RTD with legality and his own personal liabilities according to article 49 of Regulation No 45/2001 and the Staff Regulations.

Moreover, the applicant understands that the DG RTD DPC has drawn up documents about DPO-3398, copies of which were handed over to the DPO.

In view (i) of the DG RTD’s total loss of credibility and (ii) the evidence suggesting that the DG RTD DPC drafted documents were referred to in some versions of DG RTD prior notifications, the applicant respectfully puts to the Commission services that DG RTD has not carried out a diligent search for documents.

5. REQUESTS #12 & #13

The requests are about the documentation of the IT tools expressly referred to in DPO-3398.4.

5.1. FAILURE TO IDENTIFY DOCUMENTS

DG RTD has failed to identify any documents, stating “Nevertheless, we do not have any internal documents corresponding to your request”. DG RTD referred the applicant to DG DIGIT to request documentation about the SAR-WIKI, SAR-PAA and SAR-EAR IT tools. In sections 2.5.1 to 2.5.3 DG RTD has provided brief information about the IT tools. It must therefore be inferred that the term ‘internal documents’ definitely refers to documents held by DG RTD only.

The following observations are made:

- It is extremely difficult to understand how DG RTD has been able to provide the applicant with some very high level information about the IT tools, in the absence of a single line in a document held by DG RTD about these IT tools.

- It is absolutely impossible to ‘swallow’ the ‘story’ that a senior official (the Director) entered in a statutory document information about “specific IT tools are used by the Commission in the context of performing an external financial audit including:” without the entire administrative department (i.e. DG RTD) holding a single document with two lines about each of those IT tools.

- Section 5 ‘Storage’ of the released DPO-3398.4 reads “Data are stored in computer systems and/or physical archives accessible only to duly authorized staff (management of IT and physical access rights with respect to the need to know principle)”. By definition, the IT access rights providing access control on a ‘need to know principle’ entail the customisation of the IT tools to the specific circumstances of DG RTD (e.g. the two Units carrying out audits, as opposed to a single Unit in DG INFSO, DG ENTR and DG MOVE).

The only logical conclusion from the above is that DG RTD holds indeed documents about the SAR-WIKI, SAR-PAA and SAR-EAR IT tools, which for its own reasons does not wish to release, even though no exception of article 4 of Regulation No 1049/2001 is applicable.

5.2. SPECIFIC CONSIDERATIONS ABOUT USING SAR-WIKI, SAR-PAA and SAR-EAR BY DG RTD

The following paragraphs outline why the development of SAR-WIKI, SAR-PAA and SAR-EAR by DG DIGIT (or any other administrative department) entailed the drawing up of documents handed over to DG RTD, and also the active participation of DG RTD in some stages of the development of the IT tools.

- Even if DG DIGIT developed these 3 IT tools, which is highly doubtful, DG DIGIT elicited the user requirements of the tools from staff of the Research DGs, with DG RTD playing the leading role. Prior to any extensive software design work and subsequently code development, DG DIGIT and the Research DGs would have agreed upon the functional specifications of the IT tools. This entails the drawing up of at least one document and subsequently the express approval by DG RTD of the substance of the functional specifications. DG RTD cannot claim that no functional specifications document was not drawn up and not brought to its attention.

- Any customised IT tool development entails end-user acceptance testing. DG DIGIT would have drawn up test specifications documents, which would have been handed over to DG RTD. Typically, end-users participate, or at a minimum oversee, the execution of such tests. DG RTD cannot claim that no test documents were not drawn up and not brought to its attention.

- The total number of staff of the Research DGs exclusively working in the external financial audits is in the order of 100. It is reasonable to expect that 30-50 officials have been using those 3 IT tools. The DG RTD ‘story’ is that 3 IT tools developed by DG DIGIT for sharing audit results do not have end-user manuals and that the staff of the Research DGs have had no need for such manuals. Such a ‘story’ defies both common sense and the documented methodologies and practices of DG DIGIT about development and end-user support of IT tools and systems. Indirectly, the DG RTD replies imply a negative criticism of the DG DIGIT professionalism and competence in core IT services. In my view, DG RTD should be very careful in this respect.

We will now turn to the aspect of system administration of these 3 IT tools, which is typically performed by IT specialists (e.g. database administrators).

The very sharing of audit results across the Research DGs implies either a central IT system where all audit results are stored/deposited or the exchange of data and documents between the IT systems of different DGs. In both cases, the audit data and documents are stored in a database such as Oracle and Documentum, which are the Commission’s mainstream databases and document management systems. Databases and document management systems need system administration, which entails, inter alia, monitoring storage space utilization and backups. Such tasks are executed by database administrators. For each different IT system such as SAR-WIKI, SAR-PAA and SAR-EAR there is some kind of system administration manual. Due to the specific nature of sharing of audit results, it is likely that the administration is not performed by DG DIGIT staff but the IT staff of the Research DGs.

The above considerations strongly suggest that there are system administration manuals for the 3 IT tools, which DG RTD failed to release.

5.3 NATURE OF THE IT TOOLS OF DPO-3398.4

Section 3.5 ‘IT tools’ of the document ‘FP7 Ex-post Audit Strategy 2009-2016’ released in the application GestDem 2013-3488, http://www.asktheeu.org/en/request/596/r..., reads:

“A number of collaborative IT tools are currently in place which reinforce co-ordination efforts across the Commission services and with JUs, in particular in the areas of extrapolation (SAR-EAR) and planning co-ordination (SAR-PAA). The SAR-Wiki, introduced in 2008, is now widely used for sharing audit results, and it will continue to be useful during the FP7 audit campaign. A number of local IT tools already in place will remain and support the practical implementation of this Strategy.”

The abbreviation ‘SAR’ stands for ‘sharing of audit results’, which means that the 3 IT tools are all for the sharing of audit results between the Research DGs.

The first bulleted item of section 4. Automated / Manual operations of DPO-3398.4 reads:

“A specific tool to facilitate searching and visualisation of information about participants in grants and contracts. This is used by auditors in the selection, preparation and performance of audits. The tool uses information on participants in grants and contracts, on experts, taken from IT tools for programme management notified to the DPO under n° DPO-978. This information includes details of organisation names, registration numbers, address, audit results, EWS status, phone, fax, email, names of authorised signatories and contact persons, project reference, acronym, funding, budget”.

It is obvious that to a large extent this single IT tool is not about sharing of audit results, but about “selection, preparation and performance of audits”. For the purposes of this application we will refer to that IT tool as the ‘data mining & visualization tool’.

As a preliminary observation, the sharing of audit results is necessarily preceded by the completion of the audit, at least the draft audit report. It is evident that SAR-WIKI, SAR-PAA and SAR-EAR are irrelevant to the data mining & visualization tool, since the latter tool is used prior to the sharing of the audit results using the former tools.

In fact, the data mining & visualization tool is the implementation within DG RTD of the DG INFSO PLUTO information system, the first public reference of which is found in slide 13 of a presentation made on 13/10/2009 by a senior OLAF official, http://ec.europa.eu/dgs/internal_audit/p.... The DG INFSO Pluto is the very subject of the released document under request #14, note of the then DG RTD Director-General to the Director-General of OLAF, document D586928 of 6/1/2009. Pluto has been the subject of at least two joint DG-INFSO & OLAF publications/presentations, both of which are the subject of the application Gestdem 2013/3681, http://www.asktheeu.org/en/request/prese..., for which the DG CONNECT initial reply is still pending as of 3/10/2013.

The DG RTD initial reply in section 2.5.1 refers to the first IT tool of DPO-3398.4 “A specific tool allowing the exchange of lists of projects [...]No personal data are processed except contact information of Commission staff and auditees”. Since only contact information is exchanged with that tool, it must be concluded that most of the personal data listed in DPO-3398 section 10 ‘Data fields / Category’ – for instance, Timesheets, Salary, Employment contracts – are not processed by that tool. Since the third IT tool of DPO-3398.4 section ‘4. Automated / Manual operations’ is about plagiarism, it must be concluded that personal data such as timesheets and employment contracts are processed either by the data mining & visualization tool or by other IT tools not referred to in DPO-3398.4 and in sections 2.5.1 to 2.5.3 of the initial reply.

5.4. IBM iBase

In section 2.5.2 of the initial reply DG RTD referred the applicant to a link in the IBM corporation public website with information about its iBase product.

As a preliminary observation, this particular reply is incompatible with Regulation No 1049/2001 which concerns documents held by Institutions and not documents held by legal persons incorporated outside the EU.

In fact, the data mining & visualization tool is indeed based on IBM iBase. However, the functionality alluded to by the short description in DPO-3398.4 cannot be implemented without any specific customization of iBase to the particular circumstances of DG RTD and its external financial audits. In fact, both OLAF and DG INFSO/CONNECT have developed customised applications, with iBase being the underlying platform. Such developments invariably entail the drawing up of several highly complex IT documents (specifications, design, acceptance testing, user manuals), typically drafted by the IT staff of the Commission services and the intra-muros personnel (i.e. IT experts supplied by private contractors via IT Services Framework Contracts like the ESP DESIS II Lot 1A contracts of DG DIGIT).

The initial reply about IBM iBase is just a semi-transparent fig leaf of excuses, in an attempt to save face.

In my view, by providing grossly inadequate replies for matters directly relating to IT tools the Research DGs are taking an extremely risky road. Standard IT methodologies and practices at the Commission provide for the drafting of several documents for each information system. External contractors and intra-muros staff have direct access to those documents. It will be very difficult, if not impossible, to refuse full access for such documents pursuant to Regulation No 1049/2001.

DG TAXUD provides literally tens of thousands of documentation for its IT applications in its Call for Tenders (in DVDs), with TAXUD/2011/AO-13 (CCN2DEV) and TAXUD/2013/AO-01 (CUST-DEV3) being two recent examples. It would be extremely difficult for the Research DGs to argue that the IT tools of their external audit departments are subject to the exceptions of article 4 of Regulation No 1049/2001, while at the same time DG TAXUD releases all documentation, including all the application source code.

Moreover, the false declarations in DG ENTR DPO-3334.1, DG INFSO DPO-3338.1, DG RTD DPO-3398.1 and DG MOVE DPO-3420 and the manifest disregard of Regulation No 45/2001 in all external financial audits make all documentation about the IT tools of the external audit units of the Research DGs subject to an overriding public interest. In sum, the Research DGs will not avoid the full release of the IT documents about such tools, if applications pursuant to Regulation No 1049/2001 were to be lodged.

5.5. TOOL FOR PLAGIARISM

In section 2.5.3 of the initial reply DG RTD referred the applicant to documents indicated by a link to the website of a third party. As stated above, such a reply is not compatible with Regulation No 1049/2001.

The plagiarism tool(s) are expressly referred to in annual reports of the Research DGs as early as 2009. DG RTD alone is responsible for some 22 billion Euro of subsidies in FP7, which correspond to costs of over 30 billion Euro.

In so far as checking for plagiarism with open source tools is concerned, the DG RTD initial reply seems to suggest that for the purposes of checking plagiarism in documents resulting from a R&D effort in the order of 30 billion Euro, all one has to do is download the open source tool indicated by DG RTD, throw the documents-to-be-checked-for-plagiarism in a database, and finally ‘press a button’ and presto the tool will be ready to carry out a full plagiarism check. In providing its replies DG RTD seems to regard applicants as being toddlers, with no idea at all about IT and information management.

That a paid-for-service plagiarism tool is used is not indicated in DPO-3398.4 at all. In case DG RTD transfers information about authors (i.e. personal data) to the paid-for-service provider, then this is a transfer of personal data to third parties at the sole initiation of DG RTD. This is an outright infringement of several provisions of Regulation No 45/2001. In case DG RTD were to remove from the documents transferred to the paid-for-service provider the personal data of the document authors, this would require the development of a sophisticated software application, together with the need for operator intervention in cases where the system flagged a document as problematic. The development of the sophisticated application would require the use of other IT tools and the associated documentation, which according to the DG RTD initial reply do not exist.

The applicant sympathises with the impossible situation of DG RTD in this particular application. DG RTD has tried to give some kind of plausible excuses for the non-existence of documents. Yet, the situation is so hopeless that sometimes it is like trying to put a band aid on a small wound (initial reply) and in doing so infecting the wound with some nasty bacteria (replies prompt a host of new questions).

5.6. CONCLUSIONS

In view of all the foregoing in sections 5.1 to 5.5 above, the applicant maintains that DG RTD did not carry out a search for documents. Furthermore, the applicant has established that there are several existing documents for request #12, for which the Commission services are legally obliged to diligently search and subsequently fully release.

6. REQUEST #14

The request is about the internal administrative decisions of DG RTD to use the IT tools expressly referred to in DPO-3398.4.

According to the initial reply, the sole document identified is the note of the DG RTD Director-General D586928 of 6/1/2009. Although that note has some elements of some kind of an ‘internal’ administrative decision about adopting the DG INFSO Pluto for use within DG RTD, the note is merely the necessary consequence of another preceding ‘internal’ DG RTD administrative decision to use the DG INFSO Pluto within DG RTD in the first place, with the latter decision necessarily predating 6/1/2009. It defies plain common sense and logic to assert that there was no ‘internal’ administrative decision of DG RTD to use Pluto, and that the note of 6/1/2009 is the sole such ‘decision’. Further support is lent to this argument by the released note itself, in which it is stated that DG RTD A.4 staff participated in a presentation on 13/10/2008. It is virtually certain that between 13/10/2008 and 6/1/2009 internal deliberations took place within DG RTD that culminated in the adoption of an ‘internal’ administrative decision to use the DG INFSO Pluto within DG RTD. In so far as the adoption of DG INFSO Pluto by DG RTD is concerned, it is the latter decision that is the object of request #14.

The same arguments apply to the SAR-WIKI, SAR-PAA and SAR-EAR tools and the plagiarism tool. For the former 3 IT tools, even if the ‘story’ about DG DIGIT being the administrative department that developed them is true, one would expect that DG RTD would have addressed to DG DIGIT a note broadly similar to that of 6/1/2009 on the basis of an internal DG RTD decision predating the note to DG DIGIT.

In view of all the foregoing in this section, the applicant maintains that DG RTD did not carry out a search for documents.

7. REQUEST #15, #16 & #17

The requests concern the documents DG RTD (or on a secondary basis the Commission services) ought to have drawn up pursuant to article 23 of Regulation No 45/2001 about processors.

7.1 OBJECTION FOR WITHHOLDING THE IDENTITIES OF THE EXTERNAL CONTRACTORS-AUDITORS

DG RTD unlawfully redacted the parts of the released 3 contract amendments disclosing the identification of the three external contractors-auditors (legal persons). The reasons of the unlawfulness are outlined below.

- The DG RTD initial reply invoked article 4(2) first indent (protection of the commercial interests) without explaining what are the reasonably foreseeable risks of undermining the protected interest. Therefore, the initial reply completely lacks a statement of reasons concerning the partial release.

- DG RTD failed to duly take into account that the three legal persons are fully identified in (i) the contract award notice published in the Supplement of the Official Journal, (ii) the list DG RTD has published with total amounts paid in framework contracts in each of the years 2008 to 2011, (iii) details about amounts paid are given in the DG BUDGET financial transparency system, http://ec.europa.eu/budget/fts/index_en.....

- DG failed to expressly consider the overriding public interest.

7.2. FAILURE TO SEARCH FOR DOCUMENTS FOR TENS OF PROCESSORS AND INFORM THE APPLICANT

If it were to be assumed that DG RTD has been observing Regulation No 45/2001, the mere fact that DG RTD released just three documents under requests #15 - #17 necessarily implies that prior to the entry into force of the contract amendments the Research DGs, with DG RTD as the lead service, had not instructed processors (within the meaning of Regulation No 45/2001) to process personal data in the context of financial audits.

This of course is not the case, as the Research DGs have expressly instructed their external contractors-auditors to process personal data. There are literally tens of independent ways to prove the extensive use of tens of processors prior to mid-2011. For the purposes of brevity two will be outlined below.

1. The DG INFSO letter of 29/4/2009 118637, http://www.asktheeu.org/en/request/714/r..., notifies an FP6 contractor of the conduct of an external financial audit by an external-auditor contractor. This particular auditor had signed a framework contract with DG RTD (probably in 2006) and most definitely it is not one of the three DG RTD contractors for which DG RTD released the contract amendments. Furthermore, the former contractor had been outsourcing the majority of the audits to subcontractors established in more than 20 Member States. The audit with ID 09-BA-74-025 indicated in the aforesaid letter was conducted by one of those subcontractors. The final audit report was drawn up by the subcontractor and not by the signatory of the framework contract with DG RTD. It is self-evident that the said subcontractor has been a processor. Moreover, the said subcontractor has carried out tens of such audits. The audit ID 11-BA134-013 by the subcontractor is another example; DG INFSO expressly approved the final audit report of the subcontractor by way of the letter D(2012) 570941 of 10/5/2012.

2. The object of DG RTD call for tenders OJ S 2005 161-160289 was the conclusion of a series of framework contracts for the conduct of external financial audits by the Research DGs. DG RTD awarded the framework contract to the auditor indicated in the aforesaid DG INFSO letter of 29/4/2009. Annex 2 of the Standard Audit Report of the said framework contract ‘ANALYSIS OF DIRECT PERSONNEL COSTS AND INDIRECT COSTS’ has a column with headings ‘Direct personnel, costs rate, Indirect costs rate, Hours, Total Direct Personnel Costs’. There is a row in that table for every single individual charged to the audited project. This is an express instruction to external auditors to process personal data of third parties to the contractual relationship between the Research DGs and the FP6 contractor – auditee. Pages 30 to 32 of the final audit report of audit ID 11-BA134-013 (drawn up on 15/3/2012 as shown in page 7 of the final audit report) are full of personal data in a table format very similar to the aforesaid Annex 2.

The above line of reasoning puts to the Commission services that the combined provisions of article 23 of Regulation No 45/2001 and article 10 of Commission Decision 597/2008 have placed on DG RTD an absolute duty to sign a written agreement with every single external contractor-auditor that had conducted a field audit and subsequently drew up the draft and final audit reports. Such documents are to be fully released with the reply to the confirmatory application.

If such agreements do not exist, in my view the Commission services are to be frank about it and explicitly inform the applicant in the reply to the confirmatory application.

7.3 FAILURE TO RELEASE WRITTEN AGREEMENTS BETWEEN ORGANISATIONAL UNITS

Article 10 of Commission Decision 597/2008 stipulates “[....] A written agreement between organisational units of the Commission shall be considered equivalent to a legally binding act within the meaning of Article 23(2) of the Regulation [....]”. The released - 02/05/2011 is essentially instructions of a Director to his subordinates, in so far as it concerns the two Units of DG RTD.

In my view, this is not a written agreement within the meaning of the article 10 because:

- By definition, an agreement concerns at least two parties. Nowhere in the released note Ares(2011)475763 is it stated, even impliedly, that the addressees of the note have given their consent. Conceivably, they may have objected to some of the terms of the note and annexes thereto.

- A note essentially instructing subordinates is not an agreement. It is some kind of ‘decision’ or ‘directions’ that the addressees have to follow according to the Staff Regulations.

Whereas the note Ares(2011) 475763 and annexes thereto is very informative, and the applicant has appreciated that DG RTD has fully released it, the applicant puts to the Commission services that the note neither falls within the scope of requests #15 - #17, nor does it amount to a written agreement within the meaning of aforesaid article 10.

In conclusion, in so far as there have been DG RTD Units acting as processors in the external financial audits, the released note Ares(2011)475763 and annexes thereto is immaterial to requests #15 - #17.

7.4. FAILURE TO RELEASE DOCUMENTS CONCERNING ARTICLE 23(1) OF REGULATION NO 45/2001

Article 23(1) stipulates “Where a processing operation is carried out on its behalf, the controller shall choose a processor providing sufficient guarantees in respect of the technical and organisational security measures required by Article 22 and ensure compliance with those measures”.

The released contract amendments have absolutely nothing about the ‘choosing’ aspect of ‘a processor providing sufficient guarantees in respect of the technical and organisational security measures’. This is expected to have taken place at the stage of publishing the call for tenders (by expressly requesting in the technical specifications for the provision of relevant information and evidence by tenderers) and in the tender evaluation procedure. Any diligent tender evaluation committee would have noted down its assessment about compliance of an evaluated tender with Articles 21 – 23 of Regulation No 45/2001.

Furthermore, the contract amendments merely state the contractual obligations of the external contractors-auditors and not the controller’s instructions to the processors.

The applicant therefore maintains that DG RTD did not carry out a diligent search for documents.

7.5 FAILURE TO RELEASE DOCUMENTS CONCERNING ARTICLE 23(2) OF REGULATION NO 45/2001

The second paragraph of the released contract amendment reads “Where the Contractor requires the processing of personal data, the Contractor may act only under the supervision of the data controller [....]”. Yet, article 23(2) of Regulation 45/2001 stipulates:

“The carrying out of a processing operation by way of a processor shall be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
(a) the processor shall act only on instructions from the controller;
(b) the obligations set out in Articles 21 and 22 shall also be incumbent on the processor unless, by virtue of Article 16 or Article 17(3), second indent, of Directive 95/46/EC, the processor is already subject to obligations with regard to confidentiality and security laid down in the national law of one of the Member States”.

The contractual term concerns “Where the Contractor requires” and it is only about ‘supervision’ and not about the ‘instructions’ of the data controller. The Commission services cannot and should not equate ‘supervision’ with ‘instructions’. It is self-evident that DG RTD has not released documents with the ‘instructions’ to the controllers. By definition, those ‘instructions’ include every single document with templates of audit reports, including those for risk-based and targeted audits.

In my view, article 23(2)(b) places the obligation to the Research DGs to have requested from every single external processor established in a Member State a copy of the notification stipulated in article 18(1) of Directive 95/16/EC, which is the equivalent of the prior notification of the article 25 of Regulation No 45/2001. Furthermore, for processors established in non EU Member States that have carried out audits in their respective countries (there were actions before the General Court about external financial audits from FP6 participants established in Israel and Switzerland), the Research DGs have had the obligation to draw up documents establishing the processors’ compliance with articles 21 and 22 of Regulation No 45/2001.

7.6. AUDIT PROCESS HANDBOOK

Annex 1 of the released DG RTD note Ares(2011)475763 includes as an attachment the Word document “Audit Process Handbook”. It is virtually certain that Annex 1 is one of the key documents with respect to the DPO-3398 notification by the data controller to the DPO. It is therefore in the possession of the DPO. The mere inclusion of the Audit Process Manual in the DPO-3398 ‘extended’ description proves that the Handbook contains the data controller’s instructions to its processors about personal data processing. It is also very probable that the Handbook, or equivalent documents, were handed over to the external contractors-auditors.

The attention of the Commission services is drawn to the fact that the FP6 Audit Manual - Guidelines to on-the-spot financial audits on FP6 Contracts - expressly instructs processors to process personal data in external financial audits. A mere indicative example is the extract from page 16 of the Guidelines: “[....] Time sheets and alternative evidence Contractors must be in a position to justify the allocation of personnel costs to the audited project, and as a result the existence of time sheets or any other time recording system is necessary”.

In view of the data controller definition in article 2(d) of Regulation No 45/2001 and the high priority DG RTD has attached to audits (several pages in its Annual Reports), the Handbook also falls within the scope of request #1. This is so because the Handbook is directly concerned with the provisions of article 25 of Regulation No 45/2001, in particular paragraphs (2)(b) (purposes of processing), and (2)(h) for the field audits in the non-EU Member States.

Furthermore, the Audit Process Handbook falls within the ambit of article 9(1)(b) and 9(1)(c) of Commission Decision 597/2008. This is precisely the reason the DPO-3398 data controller provided the DPO with a copy of the Handbook, in particular as attachment to the DPO’s standard questionnaire about prior notifications.

In view of the whole content of the confirmatory application, I sincerely hope that the Commission services will not refuse total access to the Handbook by relying on the extremely spurious and feeble arguments they have recently advanced for justifying the partial release of the FP6 & FP7 Audit Manuals, namely the protection of the Union’s financial policy according to article 4(1) fourth indent, and article 4(2) third indent (purposes of audits).

It is self-evident that there is an overriding public interest to uncover the DG RTD policy of contravening article 16(1) TFEU and numerous provisions of Regulation No 45/2001 that have culminated in the false declarations of DPO-3398. Therefore, the Audit Process Handbook is to be fully released.

In conclusion, the present confirmatory application expressly concerns the full release of the Audit Process Handbook.

7.7. CONCLUSIONS

There have been at least 20 distinct processors of DG RTD, other than those 3 for which DG RTD released the contract amendments. In view of all the foregoing in section 7, the applicant maintains that DG RTD did not carry out a search for documents.

The applicant draws the attention of the Commission services that any implied refusal to fully release all the documents falling under the scope of requests #15 - #17 will immediately amount to the admission of tens of infringements of article 23 of Regulation No 45/2001 by the Research DGs, which have been going on for the last six years for over 2,300 individual external financial audits.

8. REQUEST # 19 & #20

The requests concern the documents providing some kind of justification about what DPO-3398 suggests regarding a ‘systematic’ transfer of personal data from DG RTD (processed in the context of external financial audits) to the EDPS and the Ombudsman, seemingly on the DG RTD initiative.

According to the initial reply “DG RTD does not own such documents”. As a preliminary observation, the use of the verb ‘own’ is ambiguous for an initial reply pursuant to Regulation No 1049/2001, since the Regulation concerns documents ‘held’ by an Institution and not ‘owned’ by an Institution. Furthermore, third-party documents held by an Institution are not, in principle, ‘owned’ by the Institution, unless and until the document owner transfers the ownership to the Institution.

There is a very substantial issue with the Ombudsman and the EDPS being declared as recipients of personal data that DG RTD has been processing in the context of external financial audits. DPO-3398 and the attached Privacy Statement clearly indicate that DG RTD will systematically transfer, on its own initiative and where necessary, personal data to those two Bodies. Such kind of transfer is unlawful (infringement of article 8), since except in the cases of the exceptions of article 20 of Regulation No 45/2001, an Institution may not, in principle, transfer on its own initiative personal data to other Institutions and Bodies. This is one of the main outcomes of the case F 46-09 V v European Parliament. It is also noteworthy that the DPO-3398 data controller did not list the Court of Justice as a recipient, which is odd given that the Commission services must have submitted as evidence numerous final audit reports of the Research DGs.

If the DPO-3398 data controller had even informally consulted the EDPS, the latter would have advised the data controller that the EDPS and the Ombudsman inquiries and the associated likely transfer of personal data by an Institution to those Bodies is subject to article 2(g) of Regulation No 45/2001 “however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients”. It means that there was no need to list the EDPS and the Ombudsman as recipients of personal data. Therefore, the DG RTD references to article 7(1) in the initial reply stem from a misinterpretation of the combined provisions of articles 2(g) and 7(1) of Regulation 45/2001, since in carrying out an inquiry and requesting personal data being transferred from a Research DG, the EDPS and the Ombudsman are not recipients within the meaning of the Regulation. Consequently, article 7(1) is not applicable to such transfers.

Additional support that article 7 is not applicable to personal data transfers to the Ombudsman is lent by the express requirement that the Ombudsman notify the Institution concerned about unlawful acts of the officials unearthed by the Ombudsman investigations of complaints for maladministration. Conceivably, an Ombudsman investigation of a complaint by a citizen may unearth illegal acts of a Commission official, including contravention of article 339 TFEU. Such a contravention may be self-evident in a final audit report drawn up by an external audit Unit of a Research DG, in which the head of the audit Unit has disclosed to the auditee personal data of an individual that the Unit collected from other, distinct external financial audits. In such a case, the Ombudsman would be legally obliged to notify the President of the Commission. The Ombudsman’s possession of the final audit report signed by the said head of Unit may constitute the transfer of personal data of the head of Unit to the Ombudsman. Since this transfer would have taken place in the context of a lawful inquiry, article 7 would not be applicable to the Ombudsman.

The above legal analysis culminates in the conclusion that, contrary to the implied ‘excuses’ of DG RTD, the inclusion of the EDPS and the Ombudsman as potentially ‘regular’ recipients of personal data of the same category like OLAF is highly questionable. There is a strictly binary choice: Either the data controller has drawn up such documents justifying the EDPS and the Ombudsman being recipients (or at the very least that he relied on other documents drawn up by the Commission services) or this ‘statement’ is yet another piece in the collection of misrepresentations and false declarations of DPO-3398 and the attached Privacy Statement.

9. REQUEST #21

The request concerns the internal rules according to which DG RTD was ‘authorised’ to transfer personal data to the Commission’s disciplinary body – IDOC.

The substance of the DG RTD initial reply under section 2.9.1 is based on a manifest misreading of articles 6 and 7 of Regulation No 45/2001. Notwithstanding that the personal data processing is gravely unlawful in every single external financial audit of DG RTD, including IDOC as a recipient of personal data that DG RTD processed in an external financial audit is literally preposterous. This is shortly explained below.

The sole task of IDOC is disciplinary investigations of Commission officials and servants. By definition, IDOC has no competence whatsoever with respect to individuals not in the service of the Commission. The external financial audits invariably process personal data of such individuals – third parties to the audited contracts. It is self-evident that such personal data have nothing to do with IDOC’s mandate and tasks. Even if the Commission services were to advance the bizarre argument that listing IDOC only covers audits of the JRC, this would be a non-starter as the JRC is the same legal person as the Commission and therefore it is legally impossible to audit an administrative department pursuant to article FP6.II.29 and FP7.II.22. Such audit would be tantamount to the auditor and the auditee being the very same legal person; in such a case the audit must be conducted by the DG IAS.

Since the tasks of IDOC have nothing to do with the tasks of an external financial audit, any transfer of personal data of third parties from DG RTD to IDOC is manifestly a change of purpose within the meaning of article 6(1) of Regulation No 45/2001. There is a strictly binary choice: Either there is a document(s) with the ‘internal rules’ about transferring personal data from DG RTD to IDOC or the inclusion of IDOC as a recipient is yet another piece in the collection of misrepresentations and false declarations of DPO-3398.

10. CONCLUSIONS

In the foregoing sections the applicant has argued that there are several documents that DG RTD ought to have drawn up if DG RTD had tried to ensure a rudimentary compliance with Regulation No 45/2001.

In view of the false declarations of DPO-3398, DG RTD has destroyed for good the public’s confidence in its honesty and integrity.

The Commission services are obliged to carry out a diligent search for documents, taking due account of the applicant’s arguments herein, and release the documents falling under the scope of the application. There is an overriding public interest in fully releasing all documents at issue.

Should it be useful, I would be glad to provide the Commission services with additional information about the manifest processing of personal data in all external financial audits that has taken place in contravention of Regulation No 45/2001.

**** ANNEX 1: DPO-3398.1 AS DOWNLOADED IN AUTUMN 2011 FROM EUROPA *****

Notification to the Data Protection Officer DPO-3398 version 1
1) Date of submission:
26-May-11
2) Name and First Name of the Controller:
BISCONTIN Franco
4) Directorate, Unit or Service to which the Controller is attached:
M
5) Directorate General to which the Controller is attached:
Research
This notification is a sub-notification of:
6) Name of Processing:
External audit and control
7) Description of Processing: Attention: Please describe in the answer to this question if you process personal data falling under article 27 "Prior-Checking (by the EDPS - European Data Protection Supervisor)"
The processing operations are described in the procedure guide of ex-post control which is the result of a sampling methodology of financial transactions.
http://www.cc.cec/budg/dgb/interdg/_doc/...
http://www.cc.cec/budg/dgb/interdg/epc/l...
Specific IT tools used in the context of performing an external financial audit are described below:
• A specific tool allowing the exchange of lists of projects (for an auditee) between DGs, supporting life-cycle management of individual audit and extrapolation cases and containing a summary of the audit conclusions. No personal data are
processed except contact information of Commission staff and auditees.
• A specific tool to facilitate searching and visualisation of information about participants in grants and contracts. This is used by auditors in the selection, preparation and performance of audits. The tool uses information on participants in
grants and contracts, taken from IT tools for programme management notified to the DPO under n° DPO-978 (front-end) and DPO-2382 (back-office),. This information includes details of organisation names, registration numbers, address,
audit results, EWS status, phone, fax, email, names of authorised signatories and contact persons, project reference, acronym, funding, budget.
11) Legal basis of Processing:
The possibility for the EC to carry out checks and financial controls is foreseen in the model grant agreement or contract signed between the EC and the beneficiary/contractor as required by the Financial Regulation ("FR") applicable to the
General Budget of the European Communities (art. 170, 60.4), and its Implementing Rules ("IR") (art. 47.4):
• Art. 170 FR: Each financing agreement or grant agreement or grant decision must expressly provide for the Commission and the Court of Auditors to have the power of audit, on the basis of documents and on the spot, over all contractors
and subcontractors who have received Community funds.
• Art. 60.4 FR: The authorizing officer by delegation shall put in place, in compliance with the minimum standards adopted by each institution and having due regard to the risks associated with the management environment and the nature of
the actions financed, the organizational structure and the internal management and control procedures suited to the performance of his/her duties, including where appropriate ex post verifications. Before an operation is authorized, the
operational and financial aspects shall be verified by members of staff other than the one who initiated the operation. The initiation and the ex ante and ex post verification of an operation shall be separate functions.
• Art. 47.4 IR: The ex post verifications on documents and, where appropriate, on the spot shall check that operations financed by the budget are correctly implemented and in particular that the criteria referred to in paragraph 3 are
complied with. These verifications may be organized on a sample basis using risk analysis.
12) Lawfulness of Processing: Answering this question please also verify and indicate if your processing has to comply with articles 20 "Exemptions and restrictions" and 27 "Prior checking (by the EDPS)"
The processing operations on personal data carried out in the context of ex post controls are necessary and lawful under three articles of the Regulation (EC) 45/2001:
• article 5 (a): processing is necessary for the performance of a task carried out in the public interest on the basis of the Treaties establishing the European Communities or other legal instruments adopted on the basis thereof…
• article 5 (b): processing is necessary for compliance with a legal obligation to which the controller is subject
• article 20.1.b): necessary measure to safeguard:
• (a) the prevention, investigation, detection and prosecution of criminal offences;
• (b) an important economic or financial interest of a Member State or of the European Communities, including monetary, budgetary and taxation matters;
• (c) the protection of the data subject or of the rights and freedoms of others;
This processing has been submitted to the EDPS who concluded that Article 27 is not applicable.
13) Purpose(s) of Processing:
Checks and financial controls of grant agreements or service contracts aim at verifying beneficiary's or contractor's or subcontractors' or third parties' compliance with all contractual provisions (including financial provisions), in view of
checking that the action and the provisions of the grant agreement or contract are being properly implemented and in view of assessing the legality and regularity of the transaction underlying the implementation of the Community budget.
14) Data Subject(s) concerned:
Contractors and sub-contractors
Beneficiaries of grants
Staff
Experts
15) Information to the data subjects:
1 Attachment(s)
a) Which kind of communication(s) have you foreseen to inform the Data Subjects as described in articles 11 - 12 under 'Information to be given to the Data Subject'
The Privacy Statement attached is available with the Commission's letter initiating the control process.
b) Which procedure(s) did you put in place to enable Data Subjects to exert their rights: access, verify, correct, etc., their Personal Data as described in articles 13 - 19 under 'Rights of the Data
Subject' :
Functional mailbox to get information and mailbox of the EDPS to lodge a complaint (see Privacy Statement):
[email address]
16) Category(ies) of Data Subjects:
See point 14)
17) Data field(s) of Data Subjects: Attention: Please indicate and describe in the answer to this question also data fields which fall under article 10
All necessary data to efficiently conduct a control such as:
• Name,
• Function,
• Grade,
• Activities and expertises,
• Professional address,
• Timesheets,
• Salary,
• Accounts,
• Cost accounting,
• Missions,
• Information coming from local IT system used to declare costs as eligible,
• Supporting documents linked to travel costs,
• Minutes from mission and other similar data depending of the nature of the action.
No data which fall under article 10.
18) Category(ies) of data fields of Data Subjects: Attention: Please indicate and describe in the answer to this question also categories of data fields which fall under article 10
See point 17).
20) Recipient(s) of the Processing:
Collected personal data could be submitted to Commission services in charge of ex post controls, without prejudice to a possible transmission to the bodies in charge of a monitoring or inspection task in accordance with Community law (OLAF,
Court of Auditor, Ombudsman, EDPS, IDOC, Internal Audit Service of the Commission).
21) Category(ies) of recipients:
See point 20).
22 a) Retention policy of (categories of) personal data
Each ex post controller is responsible of archiving the documents related to controls. Data are stored until 10 years after the final payment on condition that no contentious issues occurred; in this case, data will be kept until the end the last
possible legal procedure.
22 b) Time limit to block/erase data on justified legitimate request from the data subjects
The Commission services will respond within 15 working days to any request and if this is considered justified the relevant correction or deletion will be performed within one calendar month.
22 c) Historical, statistical or scientific purposes - If you store data for longer periods than mentioned above, please specify, if applicable, why the data must be kept under a form which permits identification
N.A.
25) External Company or Directorate, Unit or Service to which the Processor is attached:
1. M.1
2. M.2
3. .
.
26) External Company or Directorate General to which the Processor is attached:
1. RTD
2. RTD
3. Contractors of the RTD framework contracts for external audits.
27) Legal foundation of transfer: Only transfers to third party countries not subject to Directive 95/46/EC (Article 9) should be considered for this question. Please treat transfers to other community institutions
and bodies and to member states under question 20.
N.A.
28) Category(ies) of Personal Data or Personal Data to be transferred:
N.A.

**** ANNEX 2: DPO-3398.2 AS DOWNLOADED IN AUTUMN 2011 FROM EUROPA *****

Notification to the Data Protection Officer DPO-3398 version 2
1) Date of submission:
16-Jun-11
2) Name and First Name of the Controller:
BISCONTIN Franco
4) Directorate, Unit or Service to which the Controller is attached:
M
5) Directorate General to which the Controller is attached:
Research
This notification is a sub-notification of:
6) Name of Processing:
External audit and control
7) Description of Processing: Attention: Please describe in the answer to this question if you process personal data falling under article 27 "Prior-Checking (by the EDPS - European Data Protection Supervisor)"
The processing operations are described in the procedure guide of ex-post control which is the result of a sampling methodology of financial transactions.
http://www.cc.cec/budg/dgb/interdg/_doc/...
http://www.cc.cec/budg/dgb/interdg/epc/l...
Specific IT tools used in the context of performing an external financial audit are described below:
• A specific tool allowing the exchange of lists of projects (for an auditee) between DGs, supporting life-cycle management of individual audit and extrapolation cases and containing a summary of the audit conclusions. No personal data are
processed except contact information of Commission staff and auditees.
• A specific tool to facilitate searching and visualisation of information about participants in grants and contracts. This is used by auditors in the selection, preparation and performance of audits. The tool uses information on participants in
grants and contracts, taken from IT tools for programme management notified to the DPO under n° DPO-978 (front-end) and DPO-2382 (back-office),. This information includes details of organisation names, registration numbers, address,
audit results, EWS status, phone, fax, email, names of authorised signatories and contact persons, project reference, acronym, funding, budget.
11) Legal basis of Processing:
The possibility for the EC to carry out checks and financial controls is foreseen in the model grant agreement or contract signed between the EC and the beneficiary/contractor as required by the Financial Regulation ("FR") applicable to the
General Budget of the European Communities (art. 170, 60.4), and its Implementing Rules ("IR") (art. 47.4):
• Art. 170 FR: Each financing agreement or grant agreement or grant decision must expressly provide for the Commission and the Court of Auditors to have the power of audit, on the basis of documents and on the spot, over all contractors
and subcontractors who have received Community funds.
• Art. 60.4 FR: The authorizing officer by delegation shall put in place, in compliance with the minimum standards adopted by each institution and having due regard to the risks associated with the management environment and the nature of
the actions financed, the organizational structure and the internal management and control procedures suited to the performance of his/her duties, including where appropriate ex post verifications. Before an operation is authorized, the
operational and financial aspects shall be verified by members of staff other than the one who initiated the operation. The initiation and the ex ante and ex post verification of an operation shall be separate functions.
• Art. 47.4 IR: The ex post verifications on documents and, where appropriate, on the spot shall check that operations financed by the budget are correctly implemented and in particular that the criteria referred to in paragraph 3 are
complied with. These verifications may be organized on a sample basis using risk analysis.
12) Lawfulness of Processing: Answering this question please also verify and indicate if your processing has to comply with articles 20 "Exemptions and restrictions" and 27 "Prior checking (by the EDPS)"
The processing operations on personal data carried out in the context of ex post controls are necessary and lawful under three articles of the Regulation (EC) 45/2001:
• article 5 (a): processing is necessary for the performance of a task carried out in the public interest on the basis of the Treaties establishing the European Communities or other legal instruments adopted on the basis thereof…
• article 5 (b): processing is necessary for compliance with a legal obligation to which the controller is subject
• article 20.1.b): necessary measure to safeguard:
• (a) the prevention, investigation, detection and prosecution of criminal offences;
• (b) an important economic or financial interest of a Member State or of the European Communities, including monetary, budgetary and taxation matters;
• (c) the protection of the data subject or of the rights and freedoms of others;
This processing has been submitted to the EDPS who concluded that Article 27 is not applicable.
13) Purpose(s) of Processing:
Checks and financial controls of grant agreements or service contracts aim at verifying beneficiary's or contractor's or subcontractors' or third parties' compliance with all contractual provisions (including financial provisions), in view of
checking that the action and the provisions of the grant agreement or contract are being properly implemented and in view of assessing the legality and regularity of the transaction underlying the implementation of the Community budget.
14) Data Subject(s) concerned:
Contractors and sub-contractors
Beneficiaries of grants
Staff
Experts
15) Information to the data subjects:
1 Attachment(s)
a) Which kind of communication(s) have you foreseen to inform the Data Subjects as described in articles 11 - 12 under 'Information to be given to the Data Subject'
The Privacy Statement attached is available with the Commission's letter initiating the control process.
b) Which procedure(s) did you put in place to enable Data Subjects to exert their rights: access, verify, correct, etc., their Personal Data as described in articles 13 - 19 under 'Rights of the Data
Subject' :
Functional mailbox to get information and mailbox of the EDPS to lodge a complaint (see Privacy Statement):
[email address]
16) Category(ies) of Data Subjects:
See point 14)
17) Data field(s) of Data Subjects: Attention: Please indicate and describe in the answer to this question also data fields which fall under article 10
All necessary data to efficiently conduct a control such as:
• Name,
• Function,
• Grade,
• Activities and expertises,
• Professional address,
• Timesheets,
• Salary,
• Accounts,
• Cost accounting,
• Missions,
• Information coming from local IT system used to declare costs as eligible,
• Supporting documents linked to travel costs,
• Minutes from mission and other similar data depending of the nature of the action.
No data which fall under article 10.
18) Category(ies) of data fields of Data Subjects: Attention: Please indicate and describe in the answer to this question also categories of data fields which fall under article 10
See point 17).
20) Recipient(s) of the Processing:
Collected personal data could be submitted to Commission services in charge of ex post controls, without prejudice to a possible transmission to the bodies in charge of a monitoring or inspection task in accordance with Community law (OLAF,
Court of Auditor, Ombudsman, EDPS, IDOC, Internal Audit Service of the Commission).
21) Category(ies) of recipients:
See point 20).
22 a) Retention policy of (categories of) personal data
Each ex post controller is responsible of archiving the documents related to controls. Data are stored until 10 years after the final payment on condition that no contentious issues occurred; in this case, data will be kept until the end the last
possible legal procedure.
22 b) Time limit to block/erase data on justified legitimate request from the data subjects
The Commission services will respond within 15 working days to any request and if this is considered justified the relevant correction or deletion will be performed within one calendar month.
22 c) Historical, statistical or scientific purposes - If you store data for longer periods than mentioned above, please specify, if applicable, why the data must be kept under a form which permits identification
N.A.
25) External Company or Directorate, Unit or Service to which the Processor is attached:
1. M.1
2. M.2
3. .
.
26) External Company or Directorate General to which the Processor is attached:
1. RTD
2. RTD
3. Contractors of the RTD framework contracts for external audits.
27) Legal foundation of transfer: Only transfers to third party countries not subject to Directive 95/46/EC (Article 9) should be considered for this question. Please treat transfers to other community institutions
and bodies and to member states under question 20.
N.A.
28) Category(ies) of Personal Data or Personal Data to be transferred:
Notification
N/A

**** ANNEX 3: DPO-3398.3 AS DOWNLOADED IN AUTUMN 2011 FROM EUROPA *****

Notification to the Data Protection Officer DPO-3398 version 3
1) Date of submission:
30-Nov-11
2) Name and First Name of the Controller:
BISCONTIN Franco
4) Directorate, Unit or Service to which the Controller is attached:
M
5) Directorate General to which the Controller is attached:
Research
This notification is a sub-notification of:
6) Name of Processing:
External audit and control
7) Description of Processing: Attention: Please describe in the answer to this question if you process personal data falling under article 27 "Prior-Checking (by the EDPS - European Data Protection Supervisor)"
The processing operations are described in the procedure guide of ex-post control which is the result of a sampling methodology of financial transactions.
http://www.cc.cec/budg/dgb/interdg/_doc/...
http://www.cc.cec/budg/dgb/interdg/epc/l...
Specific IT tools used in the context of performing an external financial audit are described below:
• A specific tool allowing the exchange of lists of projects (for an auditee) between DGs, supporting life-cycle management of individual audit and extrapolation cases and containing a summary of the audit conclusions. No personal data are
processed except contact information of Commission staff and auditees.
• A specific tool to facilitate searching and visualisation of information about participants in grants and contracts. This is used by auditors in the selection, preparation and performance of audits. The tool uses information on participants in
grants and contracts, taken from IT tools for programme management notified to the DPO under n° DPO-978 (front-end) and DPO-2382 (back-office),. This information includes details of organisation names, registration numbers, address,
audit results, EWS status, phone, fax, email, names of authorised signatories and contact persons, project reference, acronym, funding, budget.
11) Legal basis of Processing:
The possibility for the EC to carry out checks and financial controls is foreseen in the model grant agreement or contract signed between the EC and the beneficiary/contractor as required by the Financial Regulation ("FR") applicable to the
General Budget of the European Communities (art. 170, 60.4), and its Implementing Rules ("IR") (art. 47.4):
• Art. 170 FR: Each financing agreement or grant agreement or grant decision must expressly provide for the Commission and the Court of Auditors to have the power of audit, on the basis of documents and on the spot, over all contractors
and subcontractors who have received Community funds.
• Art. 60.4 FR: The authorizing officer by delegation shall put in place, in compliance with the minimum standards adopted by each institution and having due regard to the risks associated with the management environment and the nature of
the actions financed, the organizational structure and the internal management and control procedures suited to the performance of his/her duties, including where appropriate ex post verifications. Before an operation is authorized, the
operational and financial aspects shall be verified by members of staff other than the one who initiated the operation. The initiation and the ex ante and ex post verification of an operation shall be separate functions.
• Art. 47.4 IR: The ex post verifications on documents and, where appropriate, on the spot shall check that operations financed by the budget are correctly implemented and in particular that the criteria referred to in paragraph 3 are
complied with. These verifications may be organized on a sample basis using risk analysis.
12) Lawfulness of Processing: Answering this question please also verify and indicate if your processing has to comply with articles 20 "Exemptions and restrictions" and 27 "Prior checking (by the EDPS)"
The processing operations on personal data carried out in the context of ex post controls are necessary and lawful under three articles of the Regulation (EC) 45/2001:
• article 5 (a): processing is necessary for the performance of a task carried out in the public interest on the basis of the Treaties establishing the European Communities or other legal instruments adopted on the basis thereof…
• article 5 (b): processing is necessary for compliance with a legal obligation to which the controller is subject
• article 20.1.b): necessary measure to safeguard:
• (a) the prevention, investigation, detection and prosecution of criminal offences;
• (b) an important economic or financial interest of a Member State or of the European Communities, including monetary, budgetary and taxation matters;
• (c) the protection of the data subject or of the rights and freedoms of others;
This processing has been submitted to the EDPS who concluded that Article 27 is not applicable.
13) Purpose(s) of Processing:
Checks and financial controls of grant agreements or service contracts aim at verifying beneficiary's or contractor's or subcontractors' or third parties' compliance with all contractual provisions (including financial provisions), in view of
checking that the action and the provisions of the grant agreement or contract are being properly implemented and in view of assessing the legality and regularity of the transaction underlying the implementation of the Community budget.
14) Data Subject(s) concerned:
Contractors and sub-contractors
Beneficiaries of grants
Staff
Experts
15) Information to the data subjects:
1 Attachment(s)
a) Which kind of communication(s) have you foreseen to inform the Data Subjects as described in articles 11 - 12 under 'Information to be given to the Data Subject
The Privacy Statement attached is available with the Commission's letter initiating the control process.
b) Which procedure(s) did you put in place to enable Data Subjects to exert their rights: access, verify, correct, etc., their Personal Data as described in articles 13 - 19 under 'Rights of the Data
Subject' :
Functional mailbox to get information and mailbox of the EDPS to lodge a complaint (see Privacy Statement):
[email address]
16) Category(ies) of Data Subjects:
See point 14)
17) Data field(s) of Data Subjects: Attention: Please indicate and describe in the answer to this question also data fields which fall under article 10
All necessary data to efficiently conduct a control such as:
• Name,
• Function,
• Grade,
• Activities and expertises,
• Professional address,
• Timesheets,
• Salary,
• Accounts,
• Cost accounting,
• Missions,
• Information coming from local IT system used to declare costs as eligible,
• Supporting documents linked to travel costs,
• Minutes from mission and other similar data depending of the nature of the action.
No data which fall under article 10.
18) Category(ies) of data fields of Data Subjects: Attention: Please indicate and describe in the answer to this question also categories of data fields which fall under article 10
See point 17).
20) Recipient(s) of the Processing:
Collected personal data could be submitted to Commission services in charge of ex post controls, without prejudice to a possible transmission to the bodies in charge of a monitoring or inspection task in accordance with Community law (OLAF,
Court of Auditor, Ombudsman, EDPS, IDOC, Internal Audit Service of the Commission).
21) Category(ies) of recipients:
See point 20).
22 a) Retention policy of (categories of) personal data
Each ex post controller is responsible of archiving the documents related to controls. Data are stored until 10 years after the final payment on condition that no contentious issues occurred; in this case, data will be kept until the end the last
possible legal procedure.
22 b) Time limit to block/erase data on justified legitimate request from the data subjects
The Commission services will respond within 15 working days to any request and if this is considered justified the relevant correction or deletion will be performed within one calendar month.
22 c) Historical, statistical or scientific purposes - If you store data for longer periods than mentioned above, please specify, if applicable, why the data must be kept under a form which permits identification
N.A.
25) External Company or Directorate, Unit or Service to which the Processor is attached:
1. M.1
2. M.2
3. .
.
26) External Company or Directorate General to which the Processor is attached:
1. RTD
2. RTD
3. Contractors of the RTD framework contracts for external audits.
27) Legal foundation of transfer: Only transfers to third party countries not subject to Directive 95/46/EC (Article 9) should be considered for this question. Please treat transfers to other community institutions
and bodies and to member states under question 20.
N.A.
28) Category(ies) of Personal Data or Personal Data to be transferred:
Notification
N/A

**********************************

Yours faithfully,

Kostas VITSOS

Directorate-General for Research and Innovation

1 Attachment

Dear Mr Vitsos,   

 

Thank you for your e-mail dated 04/10/2013, registered on 10/10/2013.  I
hereby acknowledge receipt of your confirmatory application for access to
documents (ref.: Ares(2013)3219316 – gestdem 2013-3351). 

 

In accordance with Regulation 1049/2001 regarding public access to
European Parliament, Council and Commission documents, you will receive a
response to your request within 15 working days (31/10/2013).

 

Yours sincerely,

 

Paul SIMON
European Commission - Secretariat General
Unit SG.B.5, Transparency

 


Directorate-General for Research and Innovation

2 Attachments

Dear Mr Vitsos,
Kindly find herewith a letter concerning your confirmatory application for
access to documents (gestdem 2013-3351).
       
Yours sincerely,
 
Paul SIMON
Unit SG.B.5, Transparency
European Commission
 

Directorate-General for Research and Innovation

2 Attachments

 
Dear Mr Vitsos,

Kindly find herewith a letter concerning your confirmatory application for
access to documents (gestdem 2013/3351).
Yours sincerely,
Carlos Remis
SG.B.5.
Transparence.
Berl. 05/329.

Dear Research and Innovation (RTD),

Please forward this email to the Secretariat-General.

************

Dear Secretariat-General,

This is to kindly make enquiries about the status of the response to the confirmatory application, and more importantly draw the attention of the Secretariat-General to information recently disclosed proving the existence of documents.

DG IAS has recently released under Regulation 1049/2001, GestDem No 2013/5195, the report entitled "Final Audit Report on DG RTD's Control Strategy for on-the-spot controls and fraud prevention and detection", http://www.asktheeu.org/en/request/912/r.... There are several references to the Charon IT tool. Very notably, page 25 of the DG IAS report states:

"Action 1 states that the new advanced data search tool CHARON would be used as a basis for the risk based selection of audits and as a preparation of such audits. CHARON is used firstly to analyse information to identify projects, beneficiaries or individuals with a potential risk of irregularities or fraud, for possible audit. However, in practice the use of CHARON in this regard is still in the early stages. Secondly, CHARON is used to further analyse projects, beneficiaries or individuals for which suspicions have already been raised (e.g. in the framework of an OLAF investigation), either to decide on the need to launch an audit, or to prepare the audits. Here the use of CHARON is more advanced"

It is manifestly evident that Charon concerns personal data processing for the DG RTD risk-based audits. Consequently, all documents concerning Charon (requests #12, #13, #14) are to be fully released.

In the light of the DG IAS revelations about Charon, it is patently obvious that in its initial reply for requests #12 - #14 DG RTD has manifestly and intentionally made serious misrepresentations. In my view, this is an extremely serious matter, which is yet another nail in the coffin of the integrity of the administrative department DG RTD.

DG RTD should be under no illusion that its conduct will not be subjected to further close scrutiny.

Yours faithfully,

Kostas VITSOS

Dear Research and Innovation (RTD),

Please forward this email to the Secretariat-General.

************

Dear Secretariat-General,

I refer to the email of 11/12/2013, http://www.asktheeu.org/en/request/perso..., kindly making enquiries about the status of the response to the confirmatory application, which according to asktheeu.org has so far remained unanswered.

This email further elaborates on how the substance of the requested documents fits into the big picture of the disregard by the Research DGs of the fundamental right of the personal data protection in FP6 and FP7.

The instant application concerns the aforementioned right in the context of the external financial audits of DG RTD. More than six and a half months after the registration of the application the Commission services have not fully released the documents falling under the scope of the application. The DG RTD reply to requests #13 and #13 is totally divorced from reality; the mere existence of the CHARON IT tool, which manifestly and directly concerns the DG RTD external financial audits, means that DG RTD ought to have fully released all relevant documents. Instead, DG RTD claimed that the IT tools of requests #12 and #13 were developed by DG DIGIT.

The more documents the Commission services release pursuant to Regulation No 1049/2001 about FP6 and FP7, the more disturbing evidence emerges about the grave disregard of Regulation 45/2001 by the Research DGs. Two examples are discussed below.

Firstly, on 23/12/2013 another applicant submitted a confirmatory application pursuant to Regulation 1049/2001 to the EDPS, http://www.asktheeu.org/en/request/fp6_f.... In section II.2 'Request #6' that applicant stated 'it emerges that the O2 Unit of DG INFSO had collected copies of documents with personal data to third parties, such as time-sheets, contracts and invoices. This is a proof of the illegal practices of DG INFSO to collect from the auditees documents with personal data of third parties'. This appears to be yet another solid piece of evidence proving the grave disregard of Regulation 45/2001 by another Research DG, namely DG INFSO.

Secondly, in the initial response to the application Gestdem 2013/3350 of 6/12/2013, http://www.asktheeu.org/en/request/585/r..., DG RTD totally refused access to internal documents about the Commission's Horizon 2020 proposal COM(2011) 810. In view of article 25 of COM(2011) 810 and the total refusal to grant access in that initial reply, the whole tone of handling the instant application strongly suggests that the Research DG, the Secretariat-General, and the Legal Services, are to share among themselves - as administrative departments distinct from the Commissioners - the responsibilities of the grave and deliberate disregard of Regulation 45/2001 in FP6 and FP7.

Turning to the big picture, in the last six months there have been nearly two dozen applications pursuant to Regulation 1049/2001 submitted via asktheeu.org that are directly concerned with different facets of the compliance with Regulation 45/2001 and Directive 95/46/EC of FP6 and FP7. From the released documents further evidence has emerged about the illegal policies. The long delays in providing final answers in such kind of applications, together with the numerous refusals to fully disclose documents directly concerned with the fundamental right of personal data protection, show that the Commission services are in a very tight spot.

Very often, to refuse access the Commission services had relied on the exception of article 4(2) third indent of Regulation 1049/2001 'purposes of audits'. Despite the conclusively convincing arguments of applicants that the external financial audits of the Research DGs are mere contractual measures in the context of a private law contract (where the Commission does not rely on its prerogatives as a public authority), the services have 'borrowed' the legitimacy conferred by the word 'audit' to refuse access. They have ignored the settled case-law of the EU Courts, according to which an act or a measure of an Institution is not characterised by its form (or expression in words) but by its substance only. Consequently, there can be no doubt that the aforementioned audits are NOT protected by that exception.

The undersigned expects that the Secretariat-General and the Legal Services will duly take into account the entire body of arguments in support of the full release of the requested documents, including the above considerations.

Finally, I would appreciate it if the Transparency Unit would inform me of the status of the reply to the confirmatory application.

Yours faithfully,

Kostas VITSOS

Dear Research and Innovation (RTD),

This email concerns the confirmatory application GestDem 2013/3351. It is to be forwarded to the Transparency Unit.

*********

Dear official of the Transparency Unit,

I refer to:

- the acknowledgement of the registration of the confirmatory application GestDem 2013/3351 of 10/10/2013 http://www.asktheeu.org/en/request/perso...

- the holding of the reply of 19/11/2013 http://www.asktheeu.org/en/request/587/r...,

- the unanswered enquiry of 11/12/2013 http://www.asktheeu.org/en/request/perso...

- the unanswered enquiry of 12/1/2014 http://www.asktheeu.org/en/request/perso....

It is reasonable to think that four months after the registration of the confirmatory application and two unanswered enquiries on, the conduct of the Commission services is far from justified.

I would therefore appreciate it if you promptly inform me of the status of the reply.

Yours faithfully,

Kostas VITSOS

Directorate-General for Research and Innovation

2 Attachments

 
Dear Mr Vitsos,

Kindly find the answer to your confirmatory application concerning your
request for access to documents pursuant to Regulation (EC) N° 1049/2001
regarding public access to European Parliament, Council and Commission
documents (Gestdem 2013/3351).
Yours sincerely,

Carlos Remis
SG.B.4.
Transparence.
Berl. 05/329.