This is an HTML version of an attachment to the Freedom of Information request 'Data Protection Coordinators of DG INFSO & DG CNECT'.



 
Ref. Ares(2014)66853 - 14/01/2014
EUROPEAN COMMISSION 
Directorate-General for Communications Networks, Content and Technology 
 
 
  The Director-General 
 
Brussels,  
DG CONNECT/RM/AMF/pef   
Mr. Akis Nastas 
 
 
Email: ask+request-852-
xxxxxxxx@xxxxxxxx.xxx  
 
Subject: 
Your application for access to documents – Ref GestDem No 
2013/4667 under Regulation 1049/2011 regarding public access to 
European Parliament, Council and Commission documents 
Dear Sir, 
We refer to your email dated 19 September 2013 wherein you make a request for access 
to documents, registered by us on 19 September 2013 with the above-mentioned 
reference number. 
We understand that your request might be in relation with the processing of personal data 
by the Community institutions and bodies (Regulation (EC) N° 45/2000 of 18.12.2000 on 
the protection of individuals with regard to the processing of personal data by the 
Community institutions and bodies and on the free movement of such data (JO L 8 of 
12.02.2001).  Please note that you are entitled to ask clarifications and make requests 
only with respect to the processing of your own personal data. If this is the case, we must 
draw your attention to the fact that this is an issue which, in substance, cannot be 
addressed and dealt with within the scope of Regulation 1049/2001. This Regulation only 
relates to the public access of documents which are in the possession of the institution 
which are the subject of such specific application. If, as a data subject, you wish to 
activate a remedy procedure related to the processing of your personal data by the 
Commission, we need to refer you to the remedies foreseen by article 32 of Regulation 
(EC) 45/2001 (OJ L8/6 of 12.1.2001) according to which "every data subject may lodge 
a complaint with the European Data protection Supervisor if he or she considers that his 
or her rights under article 286 of the Treaty have been infringed as a result of the 
processing of his or her personal data by a community institution or body
".  
The regulation also states that "the Court of Justice shall have jurisdiction to hear all 
disputes which relate to the provision of this regulation
".  
These means of redress would be the appropriate routes to take and they are fully 
available to you as a data subject. 
 
 
Commission européenne/Europese Commissie, 1049 Bruxelles/Brussel, BELGIQUE/BELGIË - Tel. +32 22991111 
Office: BU25 06/183 - Tel. direct line +32 229-87412 - Fax +32 229-20125 
 
Email: xxxxxx.xxxxxxxxxxxxxxxxx@xx.xxxxxx.xx 

 
1.  The  internal  administrative  'act'  or  'decision'  or  equivalent  appointing  the 
aforesaid two DG INFSO - DG CNECT officials as DG INFSO - DG CNECT Data 
Protection Coordinators 
Please be informed that we have identified two documents corresponding to your request. 
You will find enclosed the documents requested. (Annexes 1 and 1b).  
Please be aware that Ms Anne Troye was the Data Protection Coordinator in DG CNECT 
(as appointed by Mr Robert Madelin in his note of June 26th  2012) between June 2012 
and December 2013. Ms Angela Marcos Figueruelo is the Deputy Data Protection 
Coordinator, and her appointment was communicated to the Data Protection Officer by 
Ms Anne Troye on February 18th, 2013. Please note that the appointment of a Deputy 
Data Protection Coordinator in a DG is facultative, and his/her appointment does not 
need to be done at Director General level.  
Please also note that the document that was released on 19 September 2013 pursuant to 
the application GestDem 2013/3773 (Notification DPO-3338.1) is generated by the DPO 
Register and always indicates the names of the current Data Protection Coordinators, not 
the name of the person appointed as DPC at the time of the registration of the 
notification. 
 
2. The document(s) with which DG INFSO - DG CNECT notified the Commission 
Data  Protection  Officer  about  the  appointment  of  these  two  officials  as  Data 
Protection Coordinators. 
Please refer to our answer under point 1 above. 
 
3.  The  internal  administrative  'act'  or  'decision'  or  equivalent  appointing  as  DG 
INFSO  -  DG  CNECT  Data  Protection  Coordinator  the  predecessor(s)  DPC(s). 
 
Please be informed that we have identified one document corresponding to your request. 
You will find enclosed the document requested. (Annex 2) 
 
4.  The  internal  document(s)  notifying  the  predecessor  DPC(s)  the  release  from 

his/her duties as DG INFSO - DG CNECT Data Protection Coordinator. 
We regret to inform you that no document(s) were found that correspond to the 
description given in your application. We are, therefore, unable to handle your 
application. 
 
5.  The  document(s)  drawn  up  by  the  DG  INFSO  -  DG  CNECT  Data  Protection 
Coordinators,  other  than  DPO-3338.1  itself  and  the  attached  Privacy  Statement, 
about the personal data processing operations in the context of the financial audits 
(both external and desk controls) of DG INFSO - DG CNECT and the compliance 
with Regulation No 45/2001.  
You will find enclosed the document(s) requested (Annexes 3 and 3a). 


 
You can also find the latest version of Notification DPO-3338.2 in the Public Register of 
the DPO by following this link http://ec.europa.eu/dpo-register/details.htm?id=33543 
 
Please be informed that the previous versions of the notification covering the system 
allowing DG CONNECT (former INFSO) to monitor the correct execution of the 
projects under its responsibility, albeit less detailed that the current one (DPO-3338.2, see 
attachment 3b), comply with Article 25 of Regulation 45/2001.  
 
6. In view of the provisions of article 14(5) of Commission Decision 597/2008 (OJ 
2008  L  193/7)  and  that  'statements'  of  DPO-3338.1  "This  processing  has  been 
submitted to the EDPS who concluded that Article 27 is not applicable." and "3. 
Processors  -"  are  entirely  divorced  from  reality,  the  document  (including  emails, 
notes to file or equivalent) with which (i) the aforesaid two officials DPCs requested 
the permission of their superiors for the inclusion of false statements in a statutory 
instrument, and (ii) the granting of the permission or the issuance of instructions to 
those  two  DPCs  to  proceed  with  the  entry  into  the  article  26  of  Regulation  No 
45/2001  register  of  a  prior  notification  containing  a  willful  and  intentional 
misrepresentation of facts. 
We regret to inform you that no document(s) were found that correspond to the 
description given in your application. We are, therefore, unable to handle your 
application. 
However, please be informed that ex-post controls and audits do not require a prior 
checking by the EDPS. The statement in the Notification DPO-3338-1 is following from 
the fact that the EDPS had previously been consulted in a similar case and concluded that 
ex-post controls and audits were not subject to prior checks.  
We would like to draw your attention to the fact that the EDPS himself has consistently 
taken the position that audits and ex-post controls do not require a prior check. Should 
the EDPS review his position regarding the need to submit some types of ex-post 
controls or audits to a prior check, the Commission would comply with such instruction 
and with any recommendation the EDPS would issue.  
With respect to Article 27 of Regulation 45/2001, Article 27.2 (a) of the Regulation 
primarily concerns "processing operations whose main purpose is to process data 
relating to health and to suspected offences, offences, criminal convictions or security 
measures
". The purpose of these audits and ex- post controls is not the processing of that 
data. In fact, the auditors' familiarisation with this type of data is accidental rather than 
systematic. The main aim of ex post controls is to curtail the risks related to the quality of 
management and control systems, provide recommendations to improve the situation and 
promote sound financial management. 
Article 27.2 (b) refers to "processing operations intended to evaluate personal aspects 
relating to the data subject, including his or her ability, efficiency and conduct
". This is 
by no means the purpose of audits and ex-post controls, which focus on the correctness 
of financial records on the basis of objective facts and documents. 


 
Article 27.2 (c) refers to " processing operations allowing linkages not provided for 
pursuant to national or Community legislation between data processed for different 
purposes 
" Audits and ex-post controls make use of information and document specified 
in the contractual documentation. 
Article 27.2 (d) refers to "processing operations for the purpose of excluding individuals 
from a right, benefit or contract
". Once again, the purpose is the verification of the 
correct execution of a contract. The sole possible consequence of such verification is the 
triggering of some existing contractual provisions. 
 
7. In view of the provisions of article 14(5) of Commission Decision 597/2008 and 
that 'statements' of DPO-3338.1 "This processing has been submitted to the EDPS 
who concluded that Article 27 is not applicable." and "3. Processors -" are entirely 
divorced from reality, and in case DPO-3338.1 was filed prior to the appointment of 
the aforementioned officials as DPCs, the document (including emails, notes to file 
or  equivalent)  with  which  (i)  the  predecessor  DPCs  requested  the  permission  of 
his/her superiors for the inclusion of false statements in a statutory instrument, and 
(ii) the granting of the permission or the issuance of instructions to the predecessor 
DPC to proceed with the entry into the article 26 of Regulation No 45/2001 register 
of a prior notification with willful and intentional misrepresentation of facts. 
Please refer to our answers under points 1 and 6 above. 
 
In accordance with Article 7(2) of Regulation 1049/2001, you are entitled to make a 
confirmatory application requesting the Commission to review the position above. 
 
Such a confirmatory application should be addressed within 15 working days upon 
receipt of this letter to the Secretary-General of the Commission at the following address: 
 
European Commission 
Secretary-General 
Transparency Unit SG-B-4 
BERL 5/327 
B-1049 Bruxelles 
or by email to: xxxxxxxxxx@xx.xxxxxx.xx 
 
Yours sincerely, 
 
(eSigned) 
Robert Madelin 
 
Enclosure: 
- Annex 1 and 1A: Appointments of Ms Anne Troye and Ms Angela       
Marcos Figueruelo as DPC and Deputy DPC. 
- Annex 2: Appointment of Ms Isabelle Van Beers as DPC  
- Annex 3 and 3A: Notification(s) used up to 31/1/2011