External financial audits of DG ENER and DG MOVE, personal data protection, DPO-3340/1

The request was partially successful.

Mr. Aris KOLIMATSIS

Dear Mobility and Transport (MOVE),

Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:

I refer to the prior notification DPO-3420.1 DG MOVE and DG ENER External Audit and Control, as found on 24/6/2013. It is given as an annex to this application.

The last paragraph of section 2 reads ‘This processing has been submitted to the EDPS who concluded that Article 27 is not applicable’.

This application concerns the following documents, all of which are directly related to DPO-3420.1 and the stipulations of Regulation No 45/2001 and Commission Decision 597/2008 ‘adopting implementing rules concerning the Data Protection Officer……’:

1. The documents drawn up by the DPO-3420.1 data controller.

2. The documents drawn up by the DG MOVE and DG ENER Data Protection Coordinator about the processing operations of DPO-3420.1

3. The documents drawn up by the European Commission Data Protection Officer about the processing operations of DPO-3420.1, including those he dispatched to the EDPS.

4. The EDPS document with his conclusion that ‘Article 27 is not applicable’

5. The DG MOVE and DG ENER prior notification of article 25 of Regulation No 45/2001 concerning the DG ENTR external financial audits prior to 8/9/2011.

6. DG ENER and DG MOVE drawn up documents bringing to the attention of the Members of the Commission responsible for them:

a. That DPO-3420.1 essentially states that no subcontractors had been engaged in DG ENER and DG MOVE external financial audits of FP6 contractors and FP7 beneficiaries, which appears to be in total contradiction with reality. For instance, page 35 of the 2011 DG ENER and DG MOVE Annual Report, table 5 states that DG ENER and DG MOVE paid in 2010 – 2011 for ‘Cost of outsourced auditing (in €)’ nearly 3 million Euro.

b. That it is not immediately obvious that the particular passage of the statement of assurance in page 57 of the said annual report ‘Confirm that I am not aware of anything not reported here which could harm the interests of the institution’ is fully in line with what a diligent public administration ought to have ensured in terms of legality. This is even more the case when the matter solely concerns compliance with article TFEU 16(1) and Regulation No 45/2001.

The documents under request (3) concern the Secretariat-General and not DG ENTR.

Since all requested documents concern directly compliance with article TFEU 16(1) and Regulation No 45/2001, there is an overriding public interest for their full release.

Yours faithfully,

Mr. Aris KOLIMATSIS

************ ANNEX *************

DPO-3420.1 DG MOVE and DG ENER External Audit and Control

Directorate-General: Mobility and Transport

Controller: MERCIOL Jean-Claude

Publication: 2011-09-09
Processing
1. Name of the processing
DG MOVE and DG ENER External Audit and Control
2. Description
The processing operations performed by most DGs are described in the procedure guide of ex-post control which is the result of a sampling methodology of financial transactions.
http://www.cc.cec/budg/dgb/interdg/_doc/...

Research family DGs are using specific IT tools in the context of performing an external financial audit which are described below:
• A specific tool allowing the exchange of lists of projects (for an auditee) between DGs, supporting life-cycle management of individual audit and extrapolation cases and containing a summary of the audit conclusions. No personal data are processed except contact information of Commission staff and auditees.
• A specific tool to facilitate searching and visualisation of information about participants in grants and contracts. This is used by auditors in the selection, preparation and performance of audits. The tool uses information on participants in grants and contracts, taken from IT tools for programme management (front-office notified to the DPO under n° DPO-978 and back-office 1. This information includes details of organisation names, registration numbers, address, audit results, EWS status, phone, fax, email, names of authorised signatories and contact persons, project reference, acronym, funding, budget.
This processing has been submitted to the EDPS who concluded that Article 27 is not applicable.
3. Sub-Contractors

4. Automated / Manual operations
n/a

Beneficiary/contractor undertakes to provide any detailed information, including information in electronic format, requested by the Commission or by any other outside body authorised by the Commission in order to check that the action and the provisions of the agreement/service contract are being properly implemented.
5. Storage
Data are stored in computer systems and/or physical archives accessible only to duly authorized staff (management of IT and physical access rights with respect to the need to know principle).
6. Comments
n/a
Purpose & legal basis
7. Purposes
Checks and financial controls of grant agreements or service contracts aim at verifying beneficiary's or contractor's or subcontractors' or third parties' compliance with all contractual provisions (including financial provisions), in view of checking that the action and the provisions of the grant agreement or contract are being properly implemented and in view of assessing the legality and regularity of the transaction underlying the implementation of the Community budget.
8. Legal basis / Lawfulness
The possibility for the EC to carry out checks and financial controls is foreseen in the model grant agreement or contract signed between the EC and the beneficiary/contractor as required by the Financial Regulation ("FR") applicable to the General Budget of the European Communities (art. 170, 60.4), and its Implementing Rules ("IR") (art. 47.4):
• Art. 170 FR: Each financing agreement or grant agreement or grant decision must expressly provide for the Commission and the Court of Auditors to have the power of audit, on the basis of documents and on the spot, over all contractors and subcontractors who have received Community funds.
• Art. 60.4 FR: The authorizing officer by delegation shall put in place, in compliance with the minimum standards adopted by each institution and having due regard to the risks associated with the management environment and the nature of the actions financed, the organizational structure and the internal management and control procedures suited to the performance of his/her duties, including where appropriate ex post verifications. Before an operation is authorized, the operational and financial aspects shall be verified by members of staff other than the one who initiated the operation. The initiation and the ex ante and ex post verification of an operation shall be separate functions.
• Art. 47.4 IR: The ex post verifications on documents and, where appropriate, on the spot shall check that operations financed by the budget are correctly implemented and in particular that the criteria referred to in paragraph 3 are complied with. These verifications may be organized on a sample basis using risk analysis.

The processing operations on personal data carried out in the context of ex post controls are necessary and lawful under three articles of the Regulation (EC) 45/2001:
• article 5 (a): processing is necessary for the performance of a task carried out in the public interest on the basis of the Treaties establishing the European Communities or other legal instruments adopted on the basis thereof…
• article 5 (b): processing is necessary for compliance with a legal obligation to which the controller is subject
• article 20.1.b): necessary measure to safeguard:
(a) the prevention, investigation, detection and prosecution of criminal offences;
(b) an important economic or financial interest of a Member State or of the European Communities, includingmonetary, budgetary and taxation matters;
(c) the protection of the data subject or of the rights and freedoms of others;
This processing has been submitted to the EDPS who concluded that Article 27 is not applicable.
Data subjects / fields
9. Data subjects
Contractors and sub-contractors
Beneficiaries of grants
Staff
Experts
10. Data fields
All necessary data to efficiently conduct a control such as:
• Name,
• Function,
• Grade,
• Activities and expertises,
• Professional address,
• Timesheets,
• Salary,
• Accounts,
• Cost accounting,
• Missions,
• Information coming from local IT system used to declare costs as eligible,
• Supporting documents linked to travel costs,
• Minutes from mission and other similar data depending of the nature of the action.

No data which fall under article 10.

See point 17)
Rights of D.S.
11. Information
The Privacy Statement attached is available with the Commission's letter initiating the audit or control process
EXTERNAL AUDIT PRIVACY STATEMENT.doc
12. Procedure to grant rights
Functional mailbox to get information and mailbox of the EDPS to lodge a complaint (see Privacy statement ).
13. Retention
Each ex post controller is responsible of archiving the documents related to controls. Data are stored until 10 years after the final payment on condition that no contentious issues occurred; in this case, data will be kept until the end the last possible legal procedure.
14. Time limit
The Commission services will respond within 15 working days to any request and if this is considered justified the relevant correction or deletion will be performed within one calendar month.
15. Historical purposes
n/a
Recipients
16. Recipients
Collected personal data could be submitted to Commission services in charge of ex post controls, without prejudice to a possible transmission to the bodies in charge of a monitoring or inspection task in accordance with Community law (OLAF, Court of Auditor, Ombudsman, EDPS, IDOC, Internal Audit Service of the Commission).

See point 20)
17. Transfer
n/a

Mobility and Transport

Dear Sir,

Thank you for your e-mail dated 28/06/2013.

We hereby acknowledge receipt of your application for access to documents concerning: "the documents drawn up by the European Commission Data Protection Officer about the processing operations of DPO-3420.1, including those he dispatched to the EDPS", which was registered on 02/07/2013 under reference number GestDem 2013/3488

In accordance with Regulation (EC) No 1049/2001 regarding public access to European Parliament, Council and Commission documents, your application will be handled within 15 working days.

The time limit will expire on 23/07/2013. In case this time limit needs to be extended, you will be informed in due course.

Yours faithfully,

Agatino Valastro
European Commission

Directorate General for Mobility and Transport
Unit MOVE A-1
Planning, Communication, Interinstitutional relations.
▪ Postal address: DM 28 - 8/51, B-1049 Brussels
▪ Office address: Rue de Mot 28, B-1040 Brussels
▪ Tel. +32 2 29 52499
▪ Fax. +32 2 2969632
E-mail: [email address]

show quoted sections

Mr. Aris KOLIMATSIS

Dear Mobility and Transport (MOVE),

Thank you very much for the acknowledgement and registration of the initial application.

The very wording of the registration by DG MOVE A-1 pursuant to article 10 (first sub-paragraph) of the Commission Decision 937/2001 suggests, seemingly, that DG MOVE has significantly underestimated the scope of the application.

It must be stressed from the outset that most of the documents of the present application are documents drawn up by DG MOVE and DG ENER. Therefore, the whole tone of the DG MOVE acknowledgment/registration is, in my view, completely out of of line with what Union law stipulates, in terms of what documents DG MOVE and DG ENER officials ought to have drawn up for the purposes of elementary compliance with Regulation No 45/2001.

The following sections establish that DG MOVE & DG ENER are to assume responsibility for the initial reply of all requests save that under (3), and that Union law mandates that the Commission services had had an absolute legal obligation to have drawn up documents falling under the scope of requests (1) to (5) of the initial application.

I. INTERPRETATION OF THE DG MOVE REGISTRATION OF THE INITIAL APPLICATION

Referring to the DG MOVE acknowledgement, in particular ‘the documents drawn up by the European Commission Data Protection Officer about the processing operations of DPO-3420.1, including those he dispatched to the EDPS’, one would reasonably infer that DG MOVE is not to deal at all with the initial application. The consequences for such an interpretation are explained below.

The tasks entrusted to the European Commission Data Protection Officer and the Data Protection Coordinators are laid down in Commission Decision 597/2008 ‘adopting implementing rules concerning the Data Protection Officer….’ (henceforth the ‘DPO Decision’). According to the article 15 §1 of the DPO Decision, the Data Protection Officer is attached to the Secretariat-General. Consequently, by virtue of the said sub-paragraph the Secretariat-General will assume the full responsibility to provide the initial reply to the application.

As it will be elaborated further below, there are documents falling under the scope of the application that are most likely held by DG MOVE only, that it to say they are not held by any other Directorates-General.

Currently, there is no Commission-wide registry of documents. For documents solely held by DG MOVE, it follows therefore that any search by any other Directorate-General will most certainly fail to indentify several documents falling under the scope of any request for DG MOVE-only held documents. The initial reply will necessarily inform the applicant that no documents are held. This is effectively one of the worst kinds of a total refusal for access. Faced with such kind of an initial reply, an applicant will have to ponder if the initial search for documents had been diligent enough. If the applicant’s conclusion is that a confirmatory application is to be lodged, then he/she will have to argue, first, for the existence of documents, and second, that that the several provisions of article 4 of Regulation No 1049/2001 exceptions are either non applicable or partially applicable.

To the extent that the above reasoning is correct – it is reiterated that it is solely based on the very wording of the registration - it can therefore be concluded that the scope of the application was underestimated by DG MOVE.

II. LEGAL FRAMEWORK

This section recalls some highly relevant and most certainly applicable provisions of Union law.

As preliminary observation, compliance of an administrative unit or officials with Union law necessarily entails the drawing up of documents. Even in oral proceedings, the important points are noted down to a ‘Note to the file’. It is worth bearing in mind that while the Commission’s deliberations are confidential, full meeting minutes are drawn up and published.

The publication of a document drawn up by an Institution, or the public’s right to obtain a copy, serves several important purposes, including the demonstration of the Institution’s compliance with legality for the relevant subject-matter.

II.A Regulation No 45/2001

A1. Article 25 lays down the essential provisions about prior notifications such as DPO-3420.1, one of which concerns the data controller.

A2. Article 26 has stipulations about the registry of prior notifications.

A3. Article 27 is concerned with ‘Processing operations likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes shall be subject to prior checking by the European Data Protection Supervisor’. The wording of DPO-3340.1 shows that the Commission services paid due care attention to that provision and consulted the EDPS for his ‘opinion’. Consequently, by way of a document the EDPS must have informed DG MOVE via the Data Protection Officer that DPO.3420.1 was not subject to an Article 27 prior check.

A4. Article 28(1) stipulates that an Institution ‘shall inform the European Data Protection Supervisor when drawing up administrative measures relating to the processing of personal data involving a Community institution’. Recitals 7 and 14 of Regulation No 45/2001 make abundantly clear that is provisions apply to all activities of an Institution. Even though a DG MOVE external financial audit is a mere contractual measure towards the auditee (i.e pursuant to FP6.II.29 & FP7.II.22), it is an administrative measure towards the data subjects who are not parties to the contract, since external financial audits entail by definition the systematic processing of the data elements of section 10 of the DPO-3420. Regarding third parties to the contracts, DG MOVE has always been a Public Authority. A search of the relevant section the EDPS website discloses the Research family DGs have not informed the EDPS about their external financial audits as ‘administrative measures’. If the reasoning under (A4) is not flawed, it is difficult to square (i) that the EDPS has not listed DPO-3420.1 in the ‘Administrative measures’ of his public website and (ii) according to DPO-3420.1 ‘This processing has been submitted to the EDPS who concluded that Article 27 is not applicable’.

A5. Article 49 stipulates ‘Any failure to comply with the obligations pursuant to this Regulation, whether intentionally or through negligence on his or her part, shall make an official or other servant of the European Communities liable to disciplinary action…….’. This provision alone shows that compliance with the Regulation is indeed ‘serious business’.

II.B DPO Decision, Data Protection Coordinator

Article 14 lays down several responsibilities of the Data Protection Coordinators. More specifically:

B1. Article 14(4)(a) stipulates the Coordinator shall ‘establish an inventory of processing operations in the Directorate-General, keep it up to date, and help to define an appropriate risk level for each of the processing operations; he shall use the online Inventory Management System for DPCs put in place for those purposes by the DPO on his website on the Commission’s Intranet’

B2. Article 14(5)(a) stipulates that a Coordinator will mandatorily assist the data controller with their legal obligations.

B3. Article 15(5)(c) prescribes that the Coordinator shall input ‘simplified notifications into the online notification system of the DPO’

II.C Highly interesting features of DPO-3420.1

The prior notification was filed in early September 2011, by which time DG MOVE and DG ENER had carried out hundreds of external financial audits. This immediately raises the question which other prior notification(s) was covering these audits. DG MOVE cannot and should not argue that it was DG RTD DPO-978 or DG RTD DPO-2382 for several reasons, including that (i) the data elements of section 10 of DPO-3420.1 are essentially very different from their counterparts in DPO-978 and DPO-2382, (ii) the DG RTD two DPOs have their own problems (e.g. are silent about ‘profiles’), (iii) the DG RTD DPOs concern administrative procedures and the exercise of public authority, while DPO-3420.1 concerns contractual measures in a framework in which the Commission ‘does not rely on its prerogatives as a public authority’, (iv) the legal basis the DPO-3420.1 cites is completely different from that of the two DG RTD DPOs, and (v) most important of all, calls for proposals and negotiations rely on a fundamentally different legal basis than the DG MOVE external financial audits that are conducted by external contractors pursuant to FP6.II.29 and FP7.II.22.

DPO-3420 reads “3. Sub-Contractors —”. The initial application hinted that the applicant is highly skeptical with that ‘statement’, which, to say the least, appears to be in total contradiction with the practice so far, as well as the DG MOVE declared plans for the future of external audits.

According to the DPO-3420, the legal basis on which the contractual audits are based are the provisions ‘(art. 170, 60.4), and its Implementing Rules ("IR") (art. 47.4’. It is highly debatable to what extent this is the case. Three arguments in support of the utmost skepticism about the cited legal basis are:
1. Article 170 FR is about grants for activities for development and humanitarian aid, which by definition do not concern FP6 and FP7.
2. Both articles 60.4 FR and article 47.4 FR solely concern the internal financial control within an Institution, and under no circumstances they apply to external audits. The former are pursuant to Union law and the latter pursuant to contractual provisions of private law contracts.
3. External financial audits for FP6 and FP7 are expressly provided by articles 18(3) of Regulation 2321/2002 and 19(3) of Regulation No 1906/2006 respectively, which for some inexplicable reasons DG MOVE has ‘overlooked’.

The said article 18(3) provides ‘The Commission, or any representative authorised by it, shall have the right to carry out scientific, technological and financial audits on the participants, in order to ensure that the indirect action is being or has been performed under the conditions claimed and in accordance with the terms of the contract’. It is exceedingly difficult to understand why for the DPO-3420.1 legal basis DG MOVE has relied on seemingly irrelevant provisions of the Financial Regulation, while it has also overlooked article 18(3) that expressly provides for ‘financial audits’ and checks for compliance with the contract.

It is nearly impossible not to conclude that DPO-3420.1 (i) was filed excessively late, (ii) is highly inaccurate, and (iii) has a very shaky legal basis.

III. CONCLUSIONS FOR THE INITIAL APPLICATION GESTDEM 2013/3488

If in an application pursuant to Regulation No 1049/2001 such arguments can be made, it necessarily follows that the DPO-3420.1 data controller and the DG MOVE & DG ENER Data Protection Officer must have drawn up several documents which indisputably are to be fully released.

In view of all the foregoing, the applicant respectfully puts forth that:

1. DG MOVE should assume the full responsibility to provide the initial reply for all requests, save that under (3).

2. In the event that at least one document is not released in the initial reply for every single of those ‘DG MOVE’ five requests, then for a host of reasons several new questions will arise about the very legality of DPO-3340.1 itself, and, far more significantly, for every single external financial audit of DG MOVE and DG ENER.

I will be delighted to provide further information and clarifications to the Commission services.

Yours faithfully,

Mr. Aris KOLIMATSIS

Mobility and Transport

Dear Sir,

Thank you for your e-mail dated 28/06/2013 and 02/07/2013.

We hereby acknowledge receipt of your application for access to documents concerning: "the documents drawn up by the European Commission Data Protection Officer about the processing operations of DPO-3420.1, including those he dispatched to the EDPS", which was registered on 02/07/2013 under reference number GestDem 2013/3488

In accordance with Regulation (EC) No 1049/2001 regarding public access to European Parliament, Council and Commission documents, your application will be handled within 15 working days.

The time limit will expire on 23/07/2013. In case this time limit needs to be extended, you will be informed in due course.

Yours faithfully,

show quoted sections

Mr. Aris KOLIMATSIS

Dear Mobility and Transport (MOVE),

Thank for your email.

It is respectfully put to DG MOVE and DG ENER that it cannot disregard my application, and in doing so essentially 'pass the ball' to the Data Protection Officer for its very own DPO-3340.

1. OBSERVATIONS

Referring to the DG MOVE email dated 5/7/2013, I should admit that in my view it is truly astonishing that DG MOVE has fully disregarded my very detailed and comprehensive email setting out the reasoning why at least two DG MOVE and DG ENER officials have drawn up documents that DG MOVE and ENER is legally obliged to fully release.

The whole tone of the DG MOVE and ENET is, in my view, a prelude to a total DG MOVE and DG ENER total refusal to release documents, or, alternatively, a desperate attempt to avoid the extremely serious admission that DG MOVE and ENER does not hold the requested documents.

2. PLAUSIBLE EXPLANATION OF DG MOVE AND DG ENER DISREGARD OF INITIAL APPLICATION

I am therefore compelled to put to DG MOVE and DG ENER, and to the public via asktheeu.org, the gross inaccuracies of DPO-3340, in spite of the provisions of article 49 of Regulation No 45/2001, the Staff Regulations, and conceivably the laws of Belgium. While DG MOVE and DG ENER may continue to misconstrue my application, it will be obvious what are the motives of DG MOVE and DG ENER.

As it was stated in my initial application, DPO-3420.1 essentially states that no external auditors-subcontractors had been engaged in DG ENER and DG MOVE external financial audits of FP6 contractors and FP7 beneficiaries, which was, and still is, in total contradiction with reality. For instance, page 35 of the 2011 DG ENER and DG MOVE Annual Report, table 5 states that DG ENER and DG MOVE paid in 2010 – 2011 for ‘Cost of outsourced auditing (in €)’ nearly 3 million Euro.

As of today, DPO-3340 essentially states

- DG MOVE & DG ENER has been conducting the audits with its own staff ONLY, and will continue doing so in the future.
- The EDPS was supposedly consulted about DPO-3420 and conclude article 27 is not applicable.

There can be no doubt that the statement ‘3. Sub-Contractors — ’ is manifestly as inaccurate as it gets.

There is also a second, and probably even more offending statement in DPO-3420, namely that about the purported EDPS ‘consultation’.

When an Institution refers to the EDPS a prior notification for an article 27 of Regulation No 45/2001 prior check, and subsequently the EDPS finds that the notification is not subject to a prior check, the EDPS publishes his opinion/decision and refers to such prior notifications dispatched to him for consultation/prior check as a ‘non-prior check’. The EDPS ‘non-prior check’ opinions are published in https://secure.edps.europa.eu/EDPSWEB/ed....

According to the EDPS 2010 and 2011 Annual Activity Reports, the non-prior checks were 8 and 6 respectively. The annex further below gives extracts for the two Annual Reports about the non-prior checks, the 14 the Institution and titles of the non-prior checks. There is no single prior nonfiction from DG MOVE & DG ENER in those 14 prior notifications communicated to the EDPS for some kind of consultation. The only logical conclusion is, therefore, that the DPO-3420 statement ‘This processing has been submitted to the EDPS who concluded that Article 27 is not applicable’ is as inaccurate as it gets.

It is also hugely astonishing that the prior notifications DG ENTR DPO-3334, DG INFSO DPO-3338 and DG RTD DPO-3339 (in middle 2012) have included each the two grossly inaccurate statements of DPO-3340. One has to assume that the gold prize for the astonishingly gross inaccuracies goes to DPO-3338, since it was the first one to be filled in the article 26 of Regulation No 45/2001 register, and the rest ones being mere copies of DPO-3338. Nevertheless, the DPO-3420 data controller and the DG MOVE & DG ENER cannot escape their own liabilities for the DPO-3420 content.

It is not obvious why all those prior notifications contain such factual inaccuracies, especially in consideration of the provisions of article 49 of Regulation No 45/2001 and the Staff Regulations, and conceivably the laws of Belgium.

The next and far more important issue is what other illegal acts DG MOVE and DG ENER has been up to in its external financial audits, since it has been prepared in DPO-3420 to be as inaccurate as it gets.

In view of the above, the only logical conclusion is that DG MOVE and DG ENER wishes to ‘protect’ its officials, at the price of infringing Regulation No 1049/2001 in the harsh light of the full public view.

3. CONCLUSION

I maintain that DG MOVE and DG ENER is legally obliged to furnish an initial reply for the documents it holds, or expressly state that it does not hold documents under requests (1), (2), (4), (5), and (6).

ANNEX: EDPS NON-PRIOR CHECKS IN 2010 AND 2011

I. EDPS Annual Activity Report 2010, Page 28

2.3.5. Notifications not subject to prior checking or withdrawn

Following careful analysis, eight cases were not found to be subject to prior checking in 2010. In these situations (also referred to as ‘non-prior checks’), the EDPS may still make recommendations. Furthermore, three notifications were withdrawn and one was replaced.

II. EDPS Annual Activity Report 2011, Page 26

2.3.5. Notifications not subject to prior checking or withdrawn

Following careful analysis, six cases were found not to be subject to prior checking in 2011. In these situations (also referred to as ‘non-prior checks’), the EDPS may still make recommendations. Furthermore, one notification was withdrawn and one was replaced.

III. Non-prior checks of the EDPS in 2010 and 2011

One visits the link:
https://secure.edps.europa.eu/EDPSWEB/ed...

In the field ‘Year’ one enters ‘2010’ or ‘2011 ’and presses the button ‘Filter’. The results are given below.

----- 2010 -----

1. Transfer of officials to the Committee of the Regions - EESC; Answer of 25 November 2010 to a notification for prior checking in relation to the transfer of officials to the Committee of the Regions (Case 2010-0900)

2. Training policy - EFSA; Answer of 11 November 2010 to a notification of prior checking concerning training policy (Case 2010-0638)

3. European Job Mobility Portal; Answer of 3 September 2010 to a notification of prior checking EURES, the European Job Mobility Portal (Case 2009-012)

4. Local Time Accounting System - Joint Research Center; Answer of 27 July 2010 to a notification for prior checking on the "Local Time Accounting System" at JRC-ITU (Case 2010-0292)

5. ECA Directory and e-Admin - Court of Auditors; Answer of 24 March 2010 to a notification for prior checking concerning "ECA Directory" and "e-Admin" (Cases 2010-102 and 2010-103)

6. Provision of Quality Interpretation - Commission; Answer of 3 March 2010 to a notification for prior checking concerning Provision of Quality Interpretation (Case 2010-0003)

7. Clearance of Audit Trail System - Commission; Answer of 9 February 2010 to a notification of prior checking concerning "Clearance Audit Trail System" (Case 2009-680)

8. Promotion of permanent staff members - CPVO; Answer of 14 January 2010 to a notification of prior checking concerning promotion of permanent staff members (Case 2009-759)

------ 2011 -----

1. Implementation of SYSLOG - Court of Auditors; Answer of 19 October 2011 regarding the notification for prior checking on the implementation of SYSLOG (training management system from the Commission) by the Court of Auditors (Case 2011-0744)

2. Datapool;
Letter of 27 May 2011 regarding the notification for prior checking on "Datapool" at the European Commission - Joint Research Centre (Case 2010-0965)

3. Management of the technical archives of the JRC Ispra site; Answer of 23 March 2011 to a notification of prior checking concerning management of the technical archives of the JRC Ispra site (Case 2010-964)

4. Gestion des formations ΰ la Cour de justice;
Rιponse du 24 fιvrier 2011 ΰ une notification de contrτle prιalable relative au traitement de donnιes ΰ caractθre personnel effectuι dans le cadre de la gestion des formations ΰ la Cour de justice (case 2011-0199)

5. Management of leave, missions and flexitime - EAHC;
Letter of 25 January 2011 to a notification for Prior Checking regarding management of leave, missions and flexitime at the Executive Agency for Health and Consumers (EAHC) (Case 2010-0957)

6. Training Programme - European Network and Information Security Agency (ENISA); Answer of 14 January 2011 to a notification for prior checking in relation to Training Programme of the European Network and Information Security Agency (ENISA) (Case 2010-0932)

Yours faithfully,

Mr. Aris KOLIMATSIS

Mobility and Transport

Dear Sir,

Concerning your request for access to documents "External financial audits of DG ENER and DG MOVE, personal data protection, DPO-3340/1"

Thank you for your e-mails dated 28/06/2013, 02/07/2013 and 05/07/2013.
In principle, all documents of the institutions should be accessible to the public.

The regulation 1049/2001 is indicated in Article 7 (1) "Processing of initial applications".

- Within 15 working days from registration of the application, the institution shall either grant access to the document requested and provide access in accordance with Article 10 within that period or, in a written reply, state the reasons for the total or partial refusal and inform the applicant of his or her right to make a confirmatory application in accordance with paragraph 2 of this Article.

Agatino Valastro
European Commission

Directorate General for Mobility and Transport
Unit MOVE A-1
Planning, Communication, Interinstitutional relations.
▪ Postal address: DM 28 - 8/51, B-1049 Brussels
▪ Office address: Rue de Mot 28, B-1040 Brussels
▪ Tel. +32 2 29 52499
▪ Fax. +32 2 2969632
E-mail: [email address]

show quoted sections

Mobility and Transport

5 Attachments

 
 
 
Dear Mr. Aris Kolimatsis,
Subject:        Your application for access to documents – Ref GestDem No
2013/3488
We refer to your e-mails dated 28/06/2013 and 02/07/2013 in which you make
a request for access to documents, in accordance with only Regulation
1049/2001 regarding public access to European Parliament, Council and
Commission documents, registered on 02/07/2013 under the above mentioned
reference number.
Regarding your request:
"This application concerns the following documents, all of which are
directly related to DPO-3420.1 and the stipulations of Regulation No
45/2001 and Commission Decision 597/2008 ‘adopting implementing rules
concerning the Data Protection Officer"
 
Please find our answer point by point:
1. The documents drawn up by the DPO-3420.1 data controller.
 
This document corresponds to the privacy statement sent by the controller.
This privacy statement is annexed to the notification DPO-3420.1.
 
 
 
2. The documents drawn up by the DG MOVE and DG ENER Data Protection
Coordinator about the processing operations of DPO-3420.1
 
The DG MOVE and DG ENER Data Protection Coordinator is only registering in
the Data protection IT-system the documents such as the one you have
requested under point 1.  Therefore, on the basis of your request, we
inform you that there is not a different document as from the one
requested under point 1.
 
 
3. The documents drawn up by the European Commission Data Protection
Officer about the processing operations of DPO-3420.1, including those he
dispatched to the EDPS.
 
DG MOVE-and DG ENER don't have this document.  We have been informed by
our Secretariat General (SG) that you have already received it on July 5,
2013 with the reply issued by SG to the request under reference: ref.
GESTDEM 2013/3421.
 
 
4. The EDPS document with his conclusion that ‘Article 27 is not
applicable’
We enclose for your perusal, the requested document to this e-mail. 
Please note that this document cannot be reproduced or disseminated for
commercial purposes without prior consent given by the Commission.
 
5. The DG MOVE and DG ENER prior notification of article 25 of Regulation
No 45/2001 concerning the DG ENTR external financial audits prior to
8/9/2011.
 
DG MOVE and DG ENER don't have this document. However, we have been
informed that you sent a similar request to DG Enterprise under reference:
ref. GESTDEM 2013/3418. Directorate General Enterprise will answer to you
on this point when together with its reply to GESTDEM 2013/3418.
 
6. DG ENER and DG MOVE drawn up documents bringing to the attention of the
Members of the Commission responsible for them:
 
a . That DPO-3420.1 essentially states that no subcontractors had been
engaged in DG ENER and DG MOVE external financial audits of FP6
contractors and FP7 beneficiaries, which appears to be in total
contradiction with reality. For instance, page 35 of the 2011 DG ENER and
DG MOVE Annual Report, table 5 states that DG ENER and DG MOVE paid in
2010 – 2011 for ‘Cost of outsourced auditing (in €)’ nearly 3 million
Euro.
 
b. That it is not immediately obvious that the particular passage of the
statement of assurance in page 57 of the said annual report ‘Confirm that
I am not aware of anything not reported here which could harm the
interests of the institution’ is fully in line with what a diligent public
administration ought to have ensured in terms of legality. This is even
more the case when the matter solely concerns compliance with article TFEU
16(1) and Regulation No 45/2001.
 
For your information we enclosed the document "FP7 Ex-post Audit Strategy
2009-2016" which presents the Ex-post control Audit Strategy related to
the Commission’s services, and needs to be seen in the wider context of
the internal control systems which are already in place within each of
them, where the focus remains intentionally very much on ex-post controls
in order to simplify the beneficiaries' burden in providing evidence
before payments are made.
 
 
However, your request for point 6 is too wide and enables us to identify
concrete documents which would correspond to your request.
We therefore invite you, pursuant to Article 6(2) of Regulation (EC) No
1049/2001 regarding public access to documents, to clarify your demand and
reduce its scope.
Only after your clarification DG MOVE will be in a position to answer to
your request.  Nevertheless due to the summer holiday's period, we would
like you to acknowledge that our services will be unlikely able to give
you an answer at least before 15/09/2013.
Otherwise, we are ready to meet you in our premises or by videoconference
as from 15/09/2013 for more explanations. 
Please contact us by email to [1][DG MOVE request email] for
fixing this appointment.
Thank you in advance for your understanding.
Yours faithfully,
MOVE ACCES DOCUMENTS
European Commission
 
European Commission
DG MOVE
Postal address: DM 28, B-1049 Brussels
Office address: Rue de Mot 28, B-1040 Brussels
E-mail: [2][DG MOVE request email]
 
 
 
 
 
 

show quoted sections

Mr. Aris KOLIMATSIS

Dear Mobility and Transport (MOVE),

This is confirmatory application for requests #1, #2, #4 and #5. It also provides further information and clarifications about request #6.

Requests #1, #2, #4 and #5 are to be handled by the Secretariat-General

As a preliminarily observation, the initial reply does not bear an Ares reference number, and at least to the applicant appears to be an irregular one from the formalities perspective. It is even more so as it concerns an initial answer pursuant to Regulation No 1049/2001.

I. DOCUMENT SEARCH AND IMPLICATIONS OF THE INITIAL ANSWER

According to the case law of the EU Courts about Regulation No 1049/2001, during the handling of the initial application the Institution has a duty to carry out a diligent search for documents falling under the scope of the application. Because the acts of Institutions are presumed to be legal, an initial reply specifically informing the applicant about the identified documents must be taken both as a complete answer and also at its face value.

Having due regard to the foregoing paragraph, the following sections set out the consequences of the DG MOVE & ENER initial answer.

II. REQUEST #1

The request is about ‘The documents drawn up by the DPO-3420.1 data controller’. The DG MOVE & ENER answer is that the sole document drawn up by the data controller is the Privacy Statement. In other words, the data controller drew up and the prior notification itself and the Privacy Statement.

This would be sufficient for an ‘ordinary’ prior notification. However, DPO-3420.1 has a host of huge problems, including (i) the false statement about the purported EDPS ‘consultation’ than never took place, (ii) the manifestly false statement that DG ENER & MOVE has not been relying on subcontractors, (iii) that the purported legal basis – “the grant agreement and the stipulations ‘(art. 170, 60.4), and its Implementing Rules ("IR") (art. 47.4)” – is entirely wrong since the FR and IR articles are for the Commission’s internal controls and by definition do not extend to the contractual counter-parties, and (iv) personal data processing in the framework of a private law contract without the consent of the data subject does not meet any of the conditions of article 5 of Regulation No 45/2001 and thus it is outright unlawful.

It follows therefore that DPO-3420.1 has had no legal basis whatsoever. In order to solve these insurmountable problems with legality, the DPO-3340.1 data controller entered a completely ‘bogus’ prior notification in the article 26 of Regulation No 45/2001 register (henceforth the ‘register’), which is also stipulated in article 12 of Commission Decision 597/2008 ‘adopting implementing rules concerning the Data Protection Officer......)’. In other words, the data controller created ‘smoke and mirrors’ for DPO-3420.1 when it came to its legal basis. Yet, as section VII below sets out the DG MOVE & ENER Annual Reports of 2011 and 2012 devote several pages about the external financial audits, which show that such audits have been at the core of the DG MOVE & ENER management controls.

Notwithstanding the outright infringements of article 49 of Regulation No 45/2001 and a few articles of the Staff Regulations DPO-3340.1 entails, according to the DG MOVE & ENER initial reply the data controller took all those grave personal risks without having written a single line of an email or a note to the file. Taking the initial reply its face value, it must be concluded that not only DG ENER & MOVE does not observe legality, but its officials are also essentially free to gravely disregard legality without any control whatsoever from the DG ENER & MOVE top management. One logical conclusion of all this is that DG ENER & MOVE organizational structure is wholly inadequate to manage the FP6 & FP7 programmes entrusted to it.

It is self-evident that DG MOVE & ENER has caused to be caught between a rock and a hard place. On the one hand, maintaining that no other documents (except the prior notification itself and the Privacy Statement) were drawn by the DPO-3340.1 data controller leaves wide open the door for an extremely harsh criticism about the management of all Directorates/Units which had been involved in the FP6 & FP7 programmes. On the other hand, releasing further documents drawn up by the data controller will add more nails in the coffin of having gravely infringed legality.

The initial reply has to be considered either (i) as an admission of outright failure to observe legality in external financial audits and also properly manage the parts of the FP6 and FP7 entrusted to DG MOVE & ENER (which means that indeed no other documents were drawn up by the data controller), or (ii) there are other documents that were not released.

III. REQUEST #2

The request is about ‘The documents drawn up by the DG MOVER & ENER Data Protection Coordinator’. The initial reply is that the DG MOVE & ENER Data Protection Coordinator – DPC did not drawn up a single like about DPO-3340.1, but he merely entered into the register what the data controlled handed over to the DPC about the prior notification. Put differently, the DPC just encoded information.

This ‘position’ is highly contradictory with the roles and responsibilities of Data Protection Coordinators as laid down in article 14 of Decision 597/2008; paragraph 4(a) reads “establish an inventory of processing operations in the Directorate-General, keep it up to date, and help to define an appropriate risk level for each of the processing operations; he shall use the online Inventory Management System for DPCs put in place for those purposes by the DPO on his website on the Commission’s Intranet”. It is evident that the DPC has infringed this stipulation because (i) DPO-3340.1 was entered into the register more than 3 years after the aforesaid Decision entered into force, and (ii) it appears that the DPC dismally failed to spot the certainty of infringing Regulation No 45/2001 in every single DG MOVER & ENER external financial audit. The stipulation of paragraph 14(5)(c) of the Decision renders the DPC directly liable for the factual accuracy of DPO-3340.1.

Taking the initial answer at its face value, the only logical conclusion is that DPC infringed numerous provisions of Union law without having written a single line. The considerations about the data controller of section II above and the initial reply of request #1 apply mutatis mutandis to the DPC and the request #2.

IV. REQUEST #4

DG MOVE & ENER provided as the initial answer the EDPS letter of 27/10/2009, case C 2009-0565, which concerns the former DG RELEX. This EDPS opinion is supposed to be the very EDPS opinion about the DPO-3340.1 statement ‘This processing has been submitted to the EDPS who concluded that Article 27 is not applicable’. The following are noted:

- The DG RELEX EDPS opinion predates DPO-3340.1 by almost two years.

- It concerns the Commission’s internal audit operations, since the audits concern DG RELEX Directorate K. The audited accounts concern officials, temporary and auxiliary staff employed at the Commission’s delegations. The data subjects are subject to Staff Regulations.

- At the FP6 contractor – FP7 beneficiary level, the DG RELEX Directorate K audits are equivalent to an internal audit of the contractor/beneficiary by its own audit department. The DG MOVE & ENER external financial audits are fundamentally different.

- The DG MOVE & ENER external financial audits are solely based on contractual provisions, in a context where the Commission does not exercise its prerogatives as a public authority. Such audits of DG MOVE & ENER are worlds apart from the DG RELEX ones.

It must therefore be concluded that the EDPS opinion of case C 2009-0565 is wholly irrelevant to DPO-3420.1.

The initial answer must be understood as an implied decision to totally refuse access without a statement of reasons.

V. REQUEST #5

This request is about the DG MOVE & ENER prior notification covering the external financial audits prior to September 2011. The initial answer is that no documents exist. Moreover, the initial answer was linked to the answer of DG ENTR to a similar request. The following are noted:

- The last paragraph of article 24(1) of Regulation No 45/2001 reads “That person shall thus ensure that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations”. Read in conjunction with paragraph (d) of this article and also article 25, it follows that by not entering a prior notification covering the external financial audits DG MOVE & ENER took the extremely serious risk of adversely affecting the data subject rights of all the persons whose personal data were processed in external financial audits.

- Considering together article 24(1)(c), article 25 of Regulation No 45/2001 and the total absence of a prior notification, the personal data processing is probably unlawful, regardless of the other grave infringements of that Regulation by the audits.

- According to the 2010 Annual Reports of DG MOVE & DG ENER, each reported 3 and 1 new cases to OLAF respectively in 2010. It seems all 4 concern FP6/FP7 programmes. Consequently, personal data were transferred to OLAF without a prior notification in force. This adds another dimension to the illegalities, as there is a distinct possibility that OLAF might have interviewed suspects (i.e. persons concerned) and witnesses on the basis of gravely unlawful information.

- Linking request #5 with an application concerning DG ENTR is in my opinion an infringement of Regulation No 1049/2001 and also of article 10 fist sub-paragraph of Commission Decision 937/2001 of 5/12/2001.

In view of the above analysis, a confirmatory application is submitted for request #5.

VI. REQUEST #6

VI.1 INTRODUCTION

First of all, the full release of the "FP7 Ex-post Audit Strategy 2009-2016" (without the 3 annexes) is highly appreciated. Indeed, it sets out eloquently the overall context of the strategy. However, there is still the question about the legality of personal data processing of third parties to the FP6 contracts and FP7 grant agreements. Should the audits have refrained from unlawfully processing personal data, then this application would not have been lodged in the first place.

VI.2 FURTHER INFORMATION PURSUANT TO ARTICLE 6(2) OF REGULATION NO 1049/2001

The crux of the issue of the present request is whether the Member of the Commission overseeing DG MOVE & ENER was briefed about (i) the manifestly false statement of DPO-3340.1 that no subcontractors have been engaged and (ii)that the statement of assurance of the Director-General was itself based on gravely illegal external financial audits that have infringed numerous provisions of Union law, including several articles of Regulation No 45/2001, Commission Decision 597/2008 and article 57(2) of Regulation 1605/2002 (as amended).

In my opinion, there can be no doubt that the DG MOVE & ENER management, all the way to the Director-General, has been fully aware of the vast illegalities of the external financial audits and has willfully and intentionally condoned it.

Page 22 of the 2012 Annual Report reads:

“2.3 Information to the Commissioner
The working arrangements between DG MOVE and the Vice-President in charge of Mobility and Transport have been defined and approved in writing. They were published on the internal intranet on 18 January 2011.

A report with information on work programme implementation, financial management, agencies, human resources management and internal control is sent to the Cabinet every six months.

The main elements of this report and assurance declaration, including the reservations envisaged, have been brought to the attention of Vice-President Kallas, responsible for Mobility and Transport.”

The six-month reports contain information on financial management. External financial audits are at the very core of the DG MOVE & ENER financial management. Two questions are whether or not in one of these six-month reports the Vice-President was briefed about (ii) the DPO-3340.1 false statement on sub-contractors and (ii) that the Director-General statement of assurance was based on illegal external financial audits.

Even if the six-month reports are completely silent about these two issues, other more ‘informal’ documents may have briefed a member(s) of the Vice-President about them. Such documents may be emails, note to the file or similar ones. By definition, provided that they exist in the first place such documents are held by DG MOVE & ENER only. It is worth bearing in mind that it cannot be excluded that the Vice-President or his cabinet was briefed orally only and no note has been ever written.

Should no document be released, the public will keep on wondering whether the administrative department (i.e. DG MOVE & ENER) did all this without dully informing the Vice-President, whether or a member(s) of the Vice-President’s cabinet was aware about what was going on. In the former case, the administrative department has a lot of things to explain to the Commission and the public. In the latter case, there may also be a political dimension regarding the external financial audits.

In my opinion, the administrative department is in a tight spot and has to face the consequences of its acts. Not having informed the Vice-President’s cabinet is another dimension of tremendous significance. There is an overriding public interest of shining the harsh light of full public view into this matter.

Unless I am advised to the contrary by DG MOVE & ENER, I will assume that I have clarified my request #6.

VII. EXTRACTS FROM THE DG MOVE & ENER 2011 AND 2012 ANNUAL REPORTS

VII.1. 2011 ANNUAL REPORT

Page 30 – 39 are fully devoted to the external financial audits of DG MOVER & ENER.

Page 18
Ex-post controls
The main type of ex-post control in the DG is financial audit. These are carried out in line the work programme approved by the Director-General.
[.....]
Reporting by the Authorised officers by sub-delegation (AOSD)
Each year each Director prepares their annual report to the Director-General, in which they identify potential weaknesses in internal control and may propose areas for a ‘reservation’ or ‘risk’, as well as reporting on political achievements and progress on programmes and policies. These reports, approved by the responsible Deputy Director- General where appropriate, include input from the Heads of Unit, who are also AOSD for payments and recoveries

VII.2. 2012 ANNUAL REPORT
Pages 27 to 34 are fully devoted to the external financial audits of DG MOVER & ENER.

Part of page 44 reads:
C) Continued control and audit
The DG will carry out an appropriate number of ex-post audits based on cost effectiveness considerations, together with the subsequent recovery actions to ensure a further reduction of the residual error rate. However, it cannot greatly extend its audit campaign without adversely affecting the other objectives of the research programme (attractiveness, reduction of administrative burden, widening, etc.)

Yours faithfully,

Mr. Aris KOLIMATSIS

Mobility and Transport

2 Attachments

Dear Mr Kolimatsis,

 

Kindly find herewith a letter concerning your e-mail to DG MOVE about a
confirmatory application for access to documents (gestdem 2013-3488).

 

Yours sincerely,

 

Paul SIMON
European Commission - Secretariat General
Unit SG.B.5, Transparency

 

 

show quoted sections

Mr. Aris KOLIMATSIS

Dear Mobility and Transport (MOVE),

This provides clarifications are requested by the Secretariat-General letter Ares(2013)2829787 - 05/08/2013. It is to be forwarded to that Directorate-General.

I. INTEGRITY OF DG MOVE & ENER IN FP6 & FP7

It has been established in full public view that the prior notification DG MOVE & ENER DPO-3340.1 contains two false statements and also that that its legal basis is essentially non-existing.

As an administrative department that infringes legality on a massive scale in its external financial audits, reaching so low as to file a completely bogus prior notification with two false statements, DG MOVE & ENER itself has gravely compromised its own integrity, honesty and good standing. In so much the FP6 and FP7 are concerned, in principle the public can be sceptical with the truthfulness of any statement of DG MOVE & ENER. Furthermore, there can be no confidence whatsoever on the truthfulness of DG MOVE & ENER on any matter relating to the external financial audits and compliance with the Regulation.

The false statements of DPO-3340.1 will beg for a long time the question whether DG MOVE & ENER was telling blatant lies in DPO-3340.1 only, or it has continued telling lies in a more ‘elegant’ manner in all other directly related matters.

II. PRESENT CONFIRMATORY APPLICATION

In view of the above short analysis, in the absence of corroborating ‘evidence’ or ‘statements’ from other administrative departments, or bodies like the EDPS, there can be no confidence in the veracity of the DG MOVE & ENER initial answer for all initial replies other than request #3. There are in full public view via asktheeu.org copies of EDPS letters stating that the EDPS was not consulted, not even informally, for DPO-3340.1 and therefore the initial reply to request #3 is truthful.

In my opinion, the Secretariat-General should take into consideration that (i) the false statements of DG ENTR DPO-3334, DG INFSO DPO-3338, DG RTD DPO-3398, DG MOVE & ENER DPO-3420 and DG MARE DPO-3455, (ii) the active involvement of the DPO for their entry and continuous presence into the article 4(4) public register of prior notifications of the Commission Decision 597/2008, (iii) the anti-fraud policies of the Research DGs that are based on the external financial audits, and (iv) the numerous infringements of the Regulation in FP6 & FP7 call for proposals call into question the very integrity of several administrative departments (but not all) of the Commission, including the Legal Services and the Secretariat-General.

III. EXISTENCE OF DOCUMENTS

One of the basic premises of the confirmatory application is that elementary compliance with Union law by an administrative department necessarily entails the drawing up of documents. In the interests of brevity this application does not remind the Secretariat-General several provisions of the Commission Decisions about document management, from which it is obvious the compliance with sound administrative practices and Union law dictate the drawing up of documents.

While the Commission services can always claim that a requested document does not exist, the public is entitled to draw the associated conclusions from any apparent failure to release documents on account of an assertion of their non-existence. Having gravely infringed the Regulation by DG MOVE & ENER may be equated to the ‘wounds’. Non-disclosure of documents by DG MOVE & ENER claiming their non-existence is the ‘salt’ in the saying ‘rubbing salt to the wounds’.

IV. FURTHER CONSIDERATIONS ABOUT REQUEST #1

A very important point regarding prior notifications of the Regulation is that the ‘data controller’ is not necessarily the official whose name is indicated in a prior notification found in the article 4(4) register of Commission Decision 597/2008. In other words, the DPO-3340.1 data controller is not necessarily the official in the section entitled ‘Controller:’ of DPO-3340.1. Indeed, the EDPS has stated that ultimately the data controller is the Institution that carries out the personal data processing. One of the reasons is that organisational changes may result in the Unit filing a prior notification being merged with or subsumed by another Unit. While the structure of administrative departments may evolve over time, the responsibilities towards fulfilling legal requirements are borne by an Institution and not its organisationally Units that are subject to organisational changes like the recent one of DG INFSO to DG CNET. In the event of legal action for the personal data processing of DPO-3340.1 before the General Court, the party to the litigation will be the Commission and not the ‘data controller’ indicated in DPO-3340.1. Therefore, even if the DPO-3340.1 ‘Controller: ...’ states that no documents exist, this does not necessarily imply that DG MOVE & ENER as a ‘data controller’ has not drawn up a short paragraph about DPO-3340.1.

It is therefore kindly requested that the Secretariat-General consider in handling the confirmatory reply that the DPO-3340.1 ‘data controller’ as being either the entire DG MOVE & ENER or the Commission.

It is expected that in framework of re-examining the confirmatory application the Secretariat-General will search for documents drawn up by DG MOVER & ENEAR or the Commission services as the DPO-3340.1 ‘data controller’.

V. CONCLUSIONS

For the reasons set out about above, the truthfulness of the DG MOVE & ENER initial answer cannot be accepted. In my view, DG ENET & MOVE has prima facie not performed a diligent search for documents, and therefore has impliedly refused their release without a statements of reasons. It cannot be a coincidence that the initial answer lacks both an Ares reference number and a signatory.

While at this point in time it is the word of an applicant against the word of an administrative department of the guardian of the Treaties, and while one must also acknowledge that the EU Courts have consistently held that acts of Institutions are to be presumed as legal, the situation regarding this application is a truly extraordinary one. Regarding external financial audits and the fundamental right of personal data protection, DG MOVE & ENER has been in the business of disregarding legality and in doing so it filed false declarations in statutory instruments. This means that the ‘burden of proof’ has been reversed in anything relating to DG ENER & MOVE DPO-3340.1.

The wholly deplorable conduct of DG MOVE & ENER in its external financial audits and DPO-3340.1 has rightly caused the public to regard DG MOVE & ENER as being very economical with the truth, and with a very elastic interpretation of what the fundamental right of personal data protection is about.

The confirmatory application respectfully challenges the truthfulness of the DG ENER & MOVE initial answer concerning the requests at issue, trusting that the Secretariat-General will carry out a diligent search of DG MOVE & ENER documents.

Yours faithfully,

Mr. Aris KOLIMATSIS

Mobility and Transport

L'activité des services de la Commission européenne étant réduite durant
le mois d'août, vos demandes d'accès aux documents seront traitées dans
les meilleurs délais. Toutefois, certains retards peuvent se produire, en
particulier lorsque le traitement des données exige la consultation des
administrations nationales, d’organisations extérieures ou d’autres
services.

*  *  *

Die Tätigkeiten der Dienststellen der Europäischen Kommission sind im
August reduziert; Ihre Anträge auf Zugang zu Dokumenten werden dennoch so
schnell wie möglich bearbeitet. Allerdings können Verzögerungen auftreten,
insbesondere wenn die Berarbeitung der Anträge die Konsultierung der
nationalen Verwaltungen, externer Organisationen oder anderer
Dienststellen erforderlich macht.

* *  *

The activity of European Commission departments is likely to be reduced
during August.  We will handle  your requests for access to documents as
soon as possible.  However, some delays may occur, especially where the
processing of data requires the consultation of national administrations,
external organisations or other services.

Mobility and Transport

1 Attachment

Dear Mr Kolimatsis,   

 

Thank you for your e-mail dated 26/08/2013, registered on 13/09/2013.  I
hereby acknowledge receipt of your confirmatory application for access to
documents (ref.: Ares(2013)3040930 – gestdem 2013-3488). 

 

In accordance with Regulation 1049/2001 regarding public access to
European Parliament, Council and Commission documents, you will receive a
response to your request within 15 working days (04/10/2013).

 

Yours sincerely,

 

Paul SIMON
European Commission - Secretariat General
Unit SG.B.5, Transparency

 

show quoted sections

Mr. Aris KOLIMATSIS

Dear Mobility and Transport (MOVE),

This is to make enquiries about the DG MOVE & ENER initial reply to GESTDEM 2013/3488 requests under 6(a) and 6(b).

In its initial reply of 23 July regarding requests under (1) to (5), pursuant to article 6(2) of Regulation No 1049/2001 DG MOVE requested the provision of additional information from the applicant for request under (6) in order DG MOVE to precisely identify the requested documents.

By way of the email of 24 July the applicant lodged a confirmatory application for requests under (1) to (5) and provided additional information regarding request under (6). More specifically, in section VI. REQUEST #6 of the said email the applicant defined precisely the documents at issue. He went on to put to DG MOVE the consequences of not having drafted such documents.

In its email of 23 July DG MOVE & ENER undertook to provide an initial reply for request under (6) by the 15th of September if the applicant would provide clarifications, which the applicant did indeed provide in the next day. DG MOVE & ENER has not further communicated with the applicant about the request under (6), even though more than two months have elapsed ever since. It must be inferred that the documents at issue are precisely identified.

I would therefore be obliged if DG MOVE & ENER would inform me the status of the initial reply concerning the requests under 6(a) and 6(b).

Yours faithfully,

Mr. Aris KOLIMATSIS

Mobility and Transport

2 Attachments

Dear Mr Kolimatsis,
Kindly find herewith a letter concerning your confirmatory application for
access to documents (gestdem 2013-3488).
       
Yours sincerely,
 
Paul SIMON
Unit SG.B.5, Transparency
European Commission
 

Mr. Aris KOLIMATSIS

Dear Mobility and Transport (MOVE),

This is the second email making enquiries about the DG MOVE initial reply to GESTDEM 2013/3488 as regards requests under 6(a) and 6(b).

On the 27th of September 2013, http://www.asktheeu.org/en/request/exter..., the applicant wrote to DG MOVE making enquiries about the DG MOVE initial reply regarding those two requests. So far, DG MOVE reply has been a loud silence.

I find really disturbing that over three and a half months later than the DG MOVE registration of the initial application, that is to say 2 July, the applicant is compelled to write reminders to DG MOVE in order to point out to DG MOVE that all this has been taking place in the first stage of the Regulation No 1049/2001 administrative procedure. Under such circumstances, DG MOVE is obliged to follow the Regulation and the principle of sound administration. It is therefore necessary to write a nasty reminder drawing DG MOVE's attention to the following.

The DG MOVE DPO-3420.1 data controller is personally liable for the two false statements of the prior notification and that DPO-3420.1 is nothing but an exercise of deceiving the public and the research community in plain public view. By virtue of article 1, second indent, of Commission Decision 597/2008 of 22/7/2008 the DG MOVE official DPO-3420.1 designates as a data controller is personally liable for the false statements in the prior notification (i.e. a statutory document), and their inclusion in the Europa website, register of processing operations of article 4(4) of Decision 597/2008.

In case the DPO-3420.1 data controller had not obtained some kind of indemnification from his superiors about the two false statements and the deceitfulness of the prior notification, then he is deep in a "mess" as far as the personal liabilities of (i) the Staff Regulations, (ii) article 49 of Regulation no 45/2001, and (iii) conceivably even the penal code of Belgium, are concerned. Moreover, in case DG MOVE had neither informed about it nor requested the permission of the Member of the Commission overseeing it, then the top management of the entire administrative department must have been involved in those utterly deplorable acts.

In view of the above, I reiterate that I would be obliged if DG MOVE would inform me the status of the initial reply concerning the requests under 6(a) and 6(b).

Yours faithfully,

Mr. Aris KOLIMATSIS

Mobility and Transport

2 Attachments

 
Dear Mr Kolimatsis,

Kindly find the answer to your confirmatory application concerning your
request for access to documents pursuant to Regulation (EC) N° 1049/2001
regarding public access to European Parliament, Council and Commission
documents (Gestdem 2013/3488).
Yours sincerely,
Carlos Remis
SG.B.5.
Transparence.
Berl. 05/329.
 
 
 
 
 
 
 

 
 
 

Mobility and Transport

1 Attachment

Dear M. Kolimatsis,
 
Thank you for your four E-mails of 24 July and 27 September 2013
[registered on DG MOVE - GESTDEM 2013/3488] , providing with further
details on your initial request for access to documents of 25 June 2013
under items 6(a) and 6(b).   
 
I regret to inform you that after analysis by DG MOVE services of the
additional information you have provided, we have not been able to
identify any other document different from those already provided with our
answer of 23 July 2013. 
 
Therefore, we consider that this request  in accordance with Regulation
(EC) N° 1049/2001 regarding public access to European Parliament, Council
and Commission documents is completed and we will proceed to  close it.
 
 
MOVE ACCESS DOCUMENTS
European Commission
Directorate General for Mobility and Transport

Planning, Communication, Interinstitutional relations.
▪ Postal address: DM 28 - B-1049 Brussels
▪ Office address: Rue de Mot 28, B-1040 Brussels
▪ Fax. +32 2 2969632
E-mail: [DG MOVE request email]
 
 
 
 

Mr. Aris KOLIMATSIS

Dear Mobility and Transport (MOVE),

This is confirmatory application pursuant to Regulation No 1049/2001 for the requests under 6(a) and 6(b). It is to be handled by the Secretariat-General.

**************

Dear Secretariat-General

The confirmatory application regarding requests 6(a) and 6(b) is submitted because the administrative department DG MOVE has manifestly compromised its integrity as regards its external financial audits of FP6 and FP7 projects.

The two false statements of DPO-3420:

"This processing has been submitted to the EDPS who concluded that Article 27 is not applicable.
3. Sub-Contractors
—"

tell a lot about the honesty of the administrative department DG MOVE. In fact, DG MOVE has reached the point of filing on 14/10/2013 a revision of DPO-3340.1, in which the same two false statements are repeated (see annex below and http://ec.europa.eu/dpo-register/details...). Apparently, the DG MOVE services are indifferent in their lies being exposed in full public view and continue with the same "story".

It can therefore be presumed that services of DG MOVE might have not undertaken a diligent search for documents regarding requests 6(a) and 6(b).

In case the confirmatory application discloses that documents under requests 6(a) and 6(b), or parts thereof, were not drawn up, this will amount to an admission that the Member of the Commission overseeing DG MOVE was not informed about the policy of the DG MOVE services to disregard Regulation No 45/2001.

----------- ANNEX: DPO 3320.2 -----------

DPO-3420.2 DG MOVE and DG ENER External Audit and Control

Directorate-General: Mobility and Transport

Controller: ABA GARROTE Paloma

Publication: 2013-10-14
Processing
1. Name of the processing
DG MOVE and DG ENER External Audit and Control
2. Description
The processing operations performed by most DGs are described in the procedure guide of ex-post control which is the result of a sampling methodology of financial transactions.
http://www.cc.cec/budg/dgb/interdg/_doc/...

Research family DGs are using specific IT tools in the context of performing an external financial audit which are described below:
• A specific tool allowing the exchange of lists of projects (for an auditee) between DGs, supporting life-cycle management of individual audit and extrapolation cases and containing a summary of the audit conclusions. No personal data are processed except contact information of Commission staff and auditees.
• A specific tool to facilitate searching and visualisation of information about participants in grants and contracts. This is used by auditors in the selection, preparation and performance of audits. The tool uses information on participants in grants and contracts, taken from IT tools for programme management (front-office notified to the DPO under n° DPO-978 and back-office 1. This information includes details of organisation names, registration numbers, address, audit results, EWS status, phone, fax, email, names of authorised signatories and contact persons, project reference, acronym, funding, budget.
This processing has been submitted to the EDPS who concluded that Article 27 is not applicable.
3. Sub-Contractors

4. Automated / Manual operations
n/a

Beneficiary/contractor undertakes to provide any detailed information, including information in electronic format, requested by the Commission or by any other outside body authorised by the Commission in order to check that the action and the provisions of the agreement/service contract are being properly implemented.
5. Storage
Data are stored in computer systems and/or physical archives accessible only to duly authorized staff (management of IT and physical access rights with respect to the need to know principle).
6. Comments
n/a
Purpose & legal basis
7. Purposes
Checks and financial controls of grant agreements or service contracts aim at verifying beneficiary's or contractor's or subcontractors' or third parties' compliance with all contractual provisions (including financial provisions), in view of checking that the action and the provisions of the grant agreement or contract are being properly implemented and in view of assessing the legality and regularity of the transaction underlying the implementation of the Community budget.
8. Legal basis / Lawfulness
The possibility for the EC to carry out checks and financial controls is foreseen in the model grant agreement or contract signed between the EC and the beneficiary/contractor as required by the Financial Regulation ("FR") applicable to the General Budget of the European Communities (art. 170, 60.4), and its Implementing Rules ("IR") (art. 47.4):
• Art. 170 FR: Each financing agreement or grant agreement or grant decision must expressly provide for the Commission and the Court of Auditors to have the power of audit, on the basis of documents and on the spot, over all contractors and subcontractors who have received Community funds.
• Art. 60.4 FR: The authorizing officer by delegation shall put in place, in compliance with the minimum standards adopted by each institution and having due regard to the risks associated with the management environment and the nature of the actions financed, the organizational structure and the internal management and control procedures suited to the performance of his/her duties, including where appropriate ex post verifications. Before an operation is authorized, the operational and financial aspects shall be verified by members of staff other than the one who initiated the operation. The initiation and the ex ante and ex post verification of an operation shall be separate functions.
• Art. 47.4 IR: The ex post verifications on documents and, where appropriate, on the spot shall check that operations financed by the budget are correctly implemented and in particular that the criteria referred to in paragraph 3 are complied with. These verifications may be organized on a sample basis using risk analysis.

The processing operations on personal data carried out in the context of ex post controls are necessary and lawful under three articles of the Regulation (EC) 45/2001:
• article 5 (a): processing is necessary for the performance of a task carried out in the public interest on the basis of the Treaties establishing the European Communities or other legal instruments adopted on the basis thereof…
• article 5 (b): processing is necessary for compliance with a legal obligation to which the controller is subject
• article 20.1.b): necessary measure to safeguard:
(a) the prevention, investigation, detection and prosecution of criminal offences;
(b) an important economic or financial interest of a Member State or of the European Communities, includingmonetary, budgetary and taxation matters;
(c) the protection of the data subject or of the rights and freedoms of others;
This processing has been submitted to the EDPS who concluded that Article 27 is not applicable.
Data subjects / fields
9. Data subjects
Contractors and sub-contractors
Beneficiaries of grants
Staff
Experts
10. Data fields
All necessary data to efficiently conduct a control such as:
• Name,
• Function,
• Grade,
• Activities and expertises,
• Professional address,
• Timesheets,
• Salary,
• Accounts,
• Cost accounting,
• Missions,
• Information coming from local IT system used to declare costs as eligible,
• Supporting documents linked to travel costs,
• Minutes from mission and other similar data depending of the nature of the action.

No data which fall under article 10.

See point 17)
Rights of D.S.
11. Information
The Privacy Statement attached is available with the Commission's letter initiating the audit or control process
EXTERNAL AUDIT PRIVACY STATEMENT.doc
12. Procedure to grant rights
Functional mailbox to get information and mailbox of the EDPS to lodge a complaint (see Privacy statement ).
13. Retention
Each ex post controller is responsible of archiving the documents related to controls. Data are stored until 10 years after the final payment on condition that no contentious issues occurred; in this case, data will be kept until the end the last possible legal procedure.
14. Time limit
The Commission services will respond within 15 working days to any request and if this is considered justified the relevant correction or deletion will be performed within one calendar month.
15. Historical purposes
n/a
Recipients
16. Recipients
Collected personal data could be submitted to Commission services in charge of ex post controls, without prejudice to a possible transmission to the bodies in charge of a monitoring or inspection task in accordance with Community law (OLAF, Court of Auditor, Ombudsman, EDPS, IDOC, Internal Audit Service of the Commission).

See point 20)
17. Transfer
n/a

Yours faithfully,

Mr. Aris KOLIMATSIS

Mobility and Transport

1 Attachment

Dear Mr Kolimatsis,   

 

Thank you for your e-mail dated 05/11/2013, registered on 06/11/2013.  I
hereby acknowledge receipt of your confirmatory application for access to
documents (ref.: Ares(2013)34223125 – gestdem 2013-3488). 

In accordance with Regulation 1049/2001 regarding public access to
European Parliament, Council and Commission documents, you will receive a
response to your request within 15 working days (27/11/2013).

 

Yours sincerely, 

 

Paul SIMON
European Commission - Secretariat General
Unit SG.B.5, Transparency

 

 

 

show quoted sections

Mobility and Transport

3 Attachments

  • Attachment

    image001.gif

    3K Download

  • Attachment

    Delivery delayed Acknowledgement of receipt Request under Regulation 1049 2001 for access to documents held by the European Commission GESTDEM 2013 3488 KOLIMATSIS.html

    0K Download

  • Attachment

    Delivery delayed Acknowledgement of receipt Request under Regulation 1049 2001 for access to documents held by the European Commission GESTDEM 2013 3488 KOLIMATSIS.delivery status

    0K Download

Dear Mr Kolimatsis,

 

Last week, we tried to send you the message below.

Unfortunately, the website "Ask the EU" encountered problems that made
impossible to reach you (see annex).

I hope that, this time, the sending will function.

Yours sincerely,

 

Paul SIMON
European Commission - Secretariat General
Unit SG.B.5, Transparency

 

From: SG ACCES DOCUMENTS
Sent: Wednesday, November 06, 2013 4:30 PM
To: '[FOI #596 email]'
Subject: Acknowledgement of receipt - Request under Regulation 1049-2001
for access to documents held by the European Commission - GESTDEM
2013-3488 - KOLIMATSIS

 

Dear Mr Kolimatsis,   

 

Thank you for your e-mail dated 05/11/2013, registered on 06/11/2013.  I
hereby acknowledge receipt of your confirmatory application for access to
documents (ref.: Ares(2013)34223125 – gestdem 2013-3488). 

In accordance with Regulation 1049/2001 regarding public access to
European Parliament, Council and Commission documents, you will receive a
response to your request within 15 working days (27/11/2013).

 

Yours sincerely, 

 

Paul SIMON
European Commission - Secretariat General
Unit SG.B.5, Transparency

 

 

 

show quoted sections

Mobility and Transport

2 Attachments

 
Dear Mr Kolimatsis,

Kindly find herewith a letter concerning your confirmatory application for
access to documents (gestdem 2013/3488).
Yours sincerely,
 
Carlos Remis
SG.B.5.
Transparence.
Berl. 05/329.
 
 
 
 

 
 
 

Mobility and Transport

1 Attachment

 

 

Dear Mr Kolimatsis,

 

End June 2013, you contacted DG MOVE/DG ENER to obtain a number of
documents. Within the list of documents, there was a request to provide
you with documents where DG MOVE and DG ENER brought to the attention of
the Members of the Commission that DG ENER and DG MOVE have not engaged
any subcontractor for the external financial audits of FP6 contractors and
FP7 beneficiaries, which appeared to be in contradiction with reality.

 

This is the request we received:

"6. DG ENER and DG MOVE drawn up documents bringing to the attention of
the Members of the Commission responsible for them:

a . That DPO-3420.1 essentially states that no subcontractors had been
engaged in DG ENER and DG MOVE external financial audits of FP6
contractors and FP7 beneficiaries, which appears to be in total
contradiction with reality. For instance, page 35 of the 2011 DG ENER and
DG MOVE Annual Report, table

b. That it is not immediately obvious that the particular passage of the
statement of assurance in page 57 of the said annual report ‘Confirm that
I am not aware of anything not reported here which could harm the
interests of the institution’ is fully in line with what a diligent public
administration ought to have ensured in terms of legality. This is even
more the case when the matter solely concerns compliance with article TFEU
16(1) and Regulation No 45/2001."

 

On 23 July 2013, the Commission stated that the question was so large that
we were not able to identify the document you were looking for, and
provided a document on the ex-post strategy, where the objectives, the
principles and the tools for the audits (including the resources and the
type of audits-in-house and external - for this see point 3.4 of the
document) in Research were established. By the same e-mail, you were also
requested to provide more specific information who could help the
Commission to identify the document you were  looking for, as we were not
able to identify one.

 

The same request was received with your confirmative e-mail and the same
reply was given by our services as there are no documents where  DG
MOVE/DG ENER brought to the attention of the Members of the Commission
that DG ENER and DG MOVE have not engaged any subcontractor for the
external financial audits of FP6 and FP7 programmes. We are not aware that
this document exists.

 

Therefore, in reply to your-mail of 15^th November where under REQUESTS OF
DOCUMENTS, you request that:

 

2. REQUEST FOR DOCUMENTS

 

Copies of the following documents are kindly requested:

 

1. The document(s) with which the DPO-3402.2 controller requested the
permission of her superiors to include blatant misrepresentation of facts
in the prior notification.

 

2. The document(s) of the DPO-3420.2 controller superiors granting their
permission to the said blatant misrepresentation of facts.

 

3. The document(s) with which the administrative department DG MOVE has
notified the Member of the Commission (or his cabinet) about the
continuation of the false statements in DPO-3420.2, even though the
DPO-3420.1 controller had been publicly exposed.

 

We can only reiterate that, these documents do not exist, as no request
for permission to make misrepresentations of facts was made , nor any
department of DG MOVE has notified the Member of the Commission (or his
cabinet) about the continuation of any false statements.

 

 

MOVE ACCES TO DOCUMENTS
European Commission

[1]Description: cid:image001.gif@01CD32BB.D96747B0
Directorate General for Mobility and Transport
Unit MOVE A-1
Planning, Communication, Interinstitutional relations.
▪ Office address: Rue de Mot 28, B-1040 Brussels
▪ Fax. +32 2 2969632
E-mail: MOVE-ACCES-DOCUMENTS[2]@ec.europa.eu

 

 

 

 

 

 

 

 

 

 

 

show quoted sections

Mobility and Transport

1 Attachment

 

 

Dear Mr Kolimatsis,

 

End June 2013, you contacted DG MOVE/DG ENER to obtain a number of
documents. Within the list of documents, there was a request to provide
you with documents where DG MOVE and DG ENER brought to the attention of
the Members of the Commission that DG ENER and DG MOVE have not engaged
any subcontractor for the external financial audits of FP6 contractors and
FP7 beneficiaries, which appeared to be in contradiction with reality.

 

This is the request we received:

"6. DG ENER and DG MOVE drawn up documents bringing to the attention of
the Members of the Commission responsible for them:

a . That DPO-3420.1 essentially states that no subcontractors had been
engaged in DG ENER and DG MOVE external financial audits of FP6
contractors and FP7 beneficiaries, which appears to be in total
contradiction with reality. For instance, page 35 of the 2011 DG ENER and
DG MOVE Annual Report, table

b. That it is not immediately obvious that the particular passage of the
statement of assurance in page 57 of the said annual report ‘Confirm that
I am not aware of anything not reported here which could harm the
interests of the institution’ is fully in line with what a diligent public
administration ought to have ensured in terms of legality. This is even
more the case when the matter solely concerns compliance with article TFEU
16(1) and Regulation No 45/2001."

 

On 23 July 2013, the Commission stated that the question was so large that
we were not able to identify the document you were looking for, and
provided a document on the ex-post strategy, where the objectives, the
principles and the tools for the audits (including the resources and the
type of audits-in-house and external - for this see point 3.4 of the
document) in Research were established. By the same e-mail, you were also
requested to provide more specific information who could help the
Commission to identify the document you were  looking for, as we were not
able to identify one.

 

The same request was received with your confirmative e-mail and the same
reply was given by our services as there are no documents where  DG
MOVE/DG ENER brought to the attention of the Members of the Commission
that DG ENER and DG MOVE have not engaged any subcontractor for the
external financial audits of FP6 and FP7 programmes. We are not aware that
this document exists.

 

Therefore, in reply to your-mail of 15^th November where under REQUESTS OF
DOCUMENTS, you request that:

 

2. REQUEST FOR DOCUMENTS

 

Copies of the following documents are kindly requested:

 

1. The document(s) with which the DPO-3402.2 controller requested the
permission of her superiors to include blatant misrepresentation of facts
in the prior notification.

 

2. The document(s) of the DPO-3420.2 controller superiors granting their
permission to the said blatant misrepresentation of facts.

 

3. The document(s) with which the administrative department DG MOVE has
notified the Member of the Commission (or his cabinet) about the
continuation of the false statements in DPO-3420.2, even though the
DPO-3420.1 controller had been publicly exposed.

 

We can only reiterate that, these documents do not exist, as no request
for permission to make misrepresentations of facts was made , nor any
department of DG MOVE has notified the Member of the Commission (or his
cabinet) about the continuation of any false statements.

 

 

MOVE ACCES TO DOCUMENTS
European Commission

[1]Description: cid:image001.gif@01CD32BB.D96747B0
Directorate General for Mobility and Transport
Unit MOVE A-1
Planning, Communication, Interinstitutional relations.
▪ Office address: Rue de Mot 28, B-1040 Brussels
▪ Fax. +32 2 2969632
E-mail: MOVE-ACCES-DOCUMENTS[2]@ec.europa.eu

 

 

 

 

 

 

 

 

 

 

 

show quoted sections

Mobility and Transport

2 Attachments

Dear Mr Kolimatsis,
 
Please find herewith our answer to your confirmatory application for
access to documents under Regulation (EC) n° 1049/2001 – GESTDEM
2013/3488.
 
Yours sincerely,
 
BLURIOT-PUEBLA Madeleine
Cellule 'Accès aux documents'
 
European Commission
SG/B/5 - Transparence

BERL 05/330
B-1049 Brussels/Belgium
+32 2 296 09 97
[1][email address]
 
 

References

Visible links
1. mailto:[email address]