Ref. Ares(2014)66853 - 14/01/2014
EUROPEAN COMMISSION
Directorate-General for Communications Networks, Content and Technology
The Director-General
Brussels,
DG CONNECT/RM/AMF/pef
Mr. Akis Nastas
Email: ask+request-852-
xxxxxxxx@xxxxxxxx.xxx
Subject:
Your application for access to documents – Ref GestDem No
2013/4667 under Regulation 1049/2011 regarding public access to
European Parliament, Council and Commission documents
Dear Sir,
We refer to your email dated 19 September 2013 wherein you make a request for access
to documents, registered by us on 19 September 2013 with the above-mentioned
reference number.
We understand that your request might be in relation with the processing of personal data
by the Community institutions and bodies (Regulation (EC) N° 45/2000 of 18.12.2000 on
the protection of individuals with regard to the processing of personal data by the
Community institutions and bodies and on the free movement of such data (JO L 8 of
12.02.2001). Please note that you are entitled to ask clarifications and make requests
only with respect to the processing of your own personal data. If this is the case, we must
draw your attention to the fact that this is an issue which, in substance, cannot be
addressed and dealt with within the scope of Regulation 1049/2001. This Regulation only
relates to the public access of documents which are in the possession of the institution
which are the subject of such specific application. If, as a data subject, you wish to
activate a remedy procedure related to the processing of your personal data by the
Commission, we need to refer you to the remedies foreseen by article 32 of Regulation
(EC) 45/2001 (OJ L8/6 of 12.1.2001) according to which "
every data subject may lodge
a complaint with the European Data protection Supervisor if he or she considers that his
or her rights under article 286 of the Treaty have been infringed as a result of the
processing of his or her personal data by a community institution or body".
The regulation also states that "
the Court of Justice shall have jurisdiction to hear all
disputes which relate to the provision of this regulation".
These means of redress would be the appropriate routes to take and they are fully
available to you as a data subject.
Commission européenne/Europese Commissie, 1049 Bruxelles/Brussel, BELGIQUE/BELGIË - Tel. +32 22991111
Office: BU25 06/183 - Tel. direct line +32 229-87412 - Fax +32 229-20125
Email: xxxxxx.xxxxxxxxxxxxxxxxx@xx.xxxxxx.xx
1. The internal administrative 'act' or 'decision' or equivalent appointing the
aforesaid two DG INFSO - DG CNECT officials as DG INFSO - DG CNECT Data
Protection Coordinators
Please be informed that we have identified two documents corresponding to your request.
You will find enclosed the documents requested.
(Annexes 1 and 1b).
Please be aware that Ms Anne Troye was the Data Protection Coordinator in DG CNECT
(as appointed by Mr Robert Madelin in his note of June 26th 2012) between June 2012
and December 2013. Ms Angela Marcos Figueruelo is the Deputy Data Protection
Coordinator, and her appointment was communicated to the Data Protection Officer by
Ms Anne Troye on February 18th, 2013. Please note that the appointment of a Deputy
Data Protection Coordinator in a DG is facultative, and his/her appointment does not
need to be done at Director General level.
Please also note that the document that was released on 19 September 2013 pursuant to
the application GestDem 2013/3773 (Notification DPO-3338.1) is generated by the DPO
Register and always indicates the names of the current Data Protection Coordinators, not
the name of the person appointed as DPC at the time of the registration of the
notification.
2. The document(s) with which DG INFSO - DG CNECT notified the Commission
Data Protection Officer about the appointment of these two officials as Data
Protection Coordinators.
Please refer to our answer under point 1 above.
3. The internal administrative 'act' or 'decision' or equivalent appointing as DG
INFSO - DG CNECT Data Protection Coordinator the predecessor(s) DPC(s).
Please be informed that we have identified one document corresponding to your request.
You will find enclosed the document requested.
(Annex 2)
4. The internal document(s) notifying the predecessor DPC(s) the release from
his/her duties as DG INFSO - DG CNECT Data Protection Coordinator.
We regret to inform you that no document(s) were found that correspond to the
description given in your application. We are, therefore, unable to handle your
application.
5. The document(s) drawn up by the DG INFSO - DG CNECT Data Protection
Coordinators, other than DPO-3338.1 itself and the attached Privacy Statement,
about the personal data processing operations in the context of the financial audits
(both external and desk controls) of DG INFSO - DG CNECT and the compliance
with Regulation No 45/2001.
You will find enclosed the document(s) requested
(Annexes 3 and 3a).
2
You can also find the latest version of Notification DPO-3338.2 in the Public Register of
the DPO by following this link
http://ec.europa.eu/dpo-register/details.htm?id=33543
Please be informed that the previous versions of the notification covering the system
allowing DG CONNECT (former INFSO) to monitor the correct execution of the
projects under its responsibility, albeit less detailed that the current one (DPO-3338.2, see
attachment 3b), comply with Article 25 of Regulation 45/2001.
6. In view of the provisions of article 14(5) of Commission Decision 597/2008 (OJ
2008 L 193/7) and that 'statements' of DPO-3338.1 "This processing has been
submitted to the EDPS who concluded that Article 27 is not applicable." and "3.
Processors -" are entirely divorced from reality, the document (including emails,
notes to file or equivalent) with which (i) the aforesaid two officials DPCs requested
the permission of their superiors for the inclusion of false statements in a statutory
instrument, and (ii) the granting of the permission or the issuance of instructions to
those two DPCs to proceed with the entry into the article 26 of Regulation No
45/2001 register of a prior notification containing a willful and intentional
misrepresentation of facts.
We regret to inform you that no document(s) were found that correspond to the
description given in your application. We are, therefore, unable to handle your
application.
However, please be informed that ex-post controls and audits do not require a prior
checking by the EDPS. The statement in the Notification DPO-3338-1 is following from
the fact that the EDPS had previously been consulted in a similar case and concluded that
ex-post controls and audits were not subject to prior checks.
We would like to draw your attention to the fact that the EDPS himself has consistently
taken the position that audits and ex-post controls do not require a prior check. Should
the EDPS review his position regarding the need to submit some types of ex-post
controls or audits to a prior check, the Commission would comply with such instruction
and with any recommendation the EDPS would issue.
With respect to Article 27 of Regulation 45/2001, Article 27.2 (a) of the Regulation
primarily concerns "
processing operations whose main purpose is to process data
relating to health and to suspected offences, offences, criminal convictions or security
measures". The purpose of these audits and ex- post controls is not the processing of that
data. In fact, the auditors' familiarisation with this type of data is accidental rather than
systematic. The main aim of ex post controls is to curtail the risks related to the quality of
management and control systems, provide recommendations to improve the situation and
promote sound financial management.
Article 27.2 (b) refers to "
processing operations intended to evaluate personal aspects
relating to the data subject, including his or her ability, efficiency and conduct". This is
by no means the purpose of audits and ex-post controls, which focus on the correctness
of financial records on the basis of objective facts and documents.
3
Article 27.2 (c) refers to "
processing operations allowing linkages not provided for
pursuant to national or Community legislation between data processed for different
purposes " Audits and ex-post controls make use of information and document specified
in the contractual documentation.
Article 27.2 (d) refers to "
processing operations for the purpose of excluding individuals
from a right, benefit or contract". Once again, the purpose is the verification of the
correct execution of a contract. The sole possible consequence of such verification is the
triggering of some existing contractual provisions.
7. In view of the provisions of article 14(5) of Commission Decision 597/2008 and
that 'statements' of DPO-3338.1 "This processing has been submitted to the EDPS
who concluded that Article 27 is not applicable." and "3. Processors -" are entirely
divorced from reality, and in case DPO-3338.1 was filed prior to the appointment of
the aforementioned officials as DPCs, the document (including emails, notes to file
or equivalent) with which (i) the predecessor DPCs requested the permission of
his/her superiors for the inclusion of false statements in a statutory instrument, and
(ii) the granting of the permission or the issuance of instructions to the predecessor
DPC to proceed with the entry into the article 26 of Regulation No 45/2001 register
of a prior notification with willful and intentional misrepresentation of facts.
Please refer to our answers under points 1 and 6 above.
In accordance with Article 7(2) of Regulation 1049/2001, you are entitled to make a
confirmatory application requesting the Commission to review the position above.
Such a confirmatory application should be addressed within 15 working days upon
receipt of this letter to the Secretary-General of the Commission at the following address:
European Commission
Secretary-General
Transparency Unit SG-B-4
BERL 5/327
B-1049 Bruxelles
or by email to: xxxxxxxxxx@xx.xxxxxx.xx
Yours sincerely,
(eSigned)
Robert Madelin
Enclosure:
- Annex 1 and 1A: Appointments of Ms Anne Troye and Ms Angela
Marcos Figueruelo as DPC and Deputy DPC.
- Annex 2: Appointment of Ms Isabelle Van Beers as DPC
- Annex 3 and 3A: Notification(s) used up to 31/1/2011
4