FP6, FP7, ESF audits, personal data protection, prior notifications

Response to this request is long overdue. By law, under all circumstances, European Court of Auditors should have responded by now (details). You can complain by requesting an internal review.

Dear European Court of Auditors,

Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:

I. PRIOR NOTIFICATIONS FOUND IN THE COURT'S REGISTER OF ARTICLE 26 OF REGULATION NO 45/2001

Copies of the following prior notifications of article 25 of Regulation No 45/2001 are kindly requested:

#1. No 38, 19/04/2007, Head of Unit, AUDIT, NR2, Statement of assurance (DAS), -Selecting beneficiaries; -Verification of the declarations and eligibility criteria

#2. No 66, 19/07/2007, Head of Unit, AUDIT, NR5, Reliability of SPS/IACS controls and inspections in EU-15 auditing if the payments have been carried out correctly

#3. No 75, 28/09/2007, Head of Unit, AUDIT, AEI, Audit of salaries, allowances and pensions for staff employed (or formerly employed) by European Institutions Audit of documents which serve as evidence for the grade/step and the entitlement to other allowances, e.g. latest decision on promotion, certificate of marriage, children's schooling certificates.....

#4. No 90, 08/11/2007, Head of Unit, AUDIT, NR4, Statement of assurance

#5. No 92, 08/11/2007, Head of Unit, AUDIT, NR4, Cross compliance

#6. No 107, 05/12/2007, Head of Unit, AUDIT, NR5, The system of milk quotas in the new Member States Auditing quotas allocated

#7. No 114, 04/04/2008, Head of Unit, AUDIT, SPD, DAS audit, In the execution of the DAS transactions for Structural actions and more specifically for the Social fund, personal data is audited in order to verify the requirements of the Regulations. This can take the form of collecting, consulting and/or storage of personal data.

#8. No 132, 05/05/2008, Head of Unit, CEAD, AMS, ASSYST: Time Recording In ASSYST, there is a module for time recording. Each auditor who has access to ASSYST and are planned for in the Annual Work Programme is requested to record their

#9. No 199, 19/02/2009, Head of Unit, AUDIT, IPB, DAS 2008

#10. No 211, 18/06/2009, Head of Unit, AUDIT, NR3, Préenquête sur les bénéficiaires de la PAC Traitement des données des montants reçus par les bénéficiaires de la PAC

#11. No 214, 09/07/2009, Head of Unit, AUDIT, TRE, Performance Audit of the Adequacy and Effectiveness of Selected FP6 Instruments
The audit procedures defined included surveys, testing at project level and reviews of studies and reports. Throughout the audit, data contained in several Commission's databases were used. Furthermore, the audit involved the review of documentation prepared by or containing information about individuals.

#12. No 224, 05/01/2010, Head of Unit, AUDIT, AEI, Audit on performance of OLAF investigations Audit of documents gathered by OLAF in the framework of its investigations.

#13. No 224, 05/01/2010, Head of Unit, AUDIT, AEI, Audit on performance of OLAF investigations Audit of documents gathered by OLAF in the framework of its investigations.

II. OTHER PRIOR NOTIFICATIONS OF ARTICLE 25 OF REGULATION No 45/2001

Copies of the prior notifications of article 25 of Regulation No 45/2001 regarding the following audit activities of the Court are kindly requested:

#14. Annual report covering FY 2009, European Social Fund audit. An example of the Court’s manifest personal data processing is given in page 102, ‘Overdeclaration of staff costs: In the case of an ESF project supporting professional training courses for pupils from secondary schools, the beneficiary incorrectly charged various indirect costs (staff salaries, insurance, fuel, telephone and depreciation) to the project.’

#15.Annual report covering FY 2009, Research Energy and Transport. An example of the Court’s manifest personal data processing is given in page 121 ‘The Court found that the audited beneficiary reported 17 person-months as input to the Commission’.

#16. Annual report covering FY 2010, Research and other Internal Policies. An example of the Court’s manifest personal data processing is given in page 173 ‘Example 6.1 Ineligible costs and incorrectly calculated costs A beneficiary managing an FP6 project claimed overheads using a f lat rate which was based on direct staff costs. Following an ex-post audit carried out in 2007, the beneficiary changed its allocation of overheads methodology without fully and correctly implementing the recommendations made by the ex-post auditors. Errors and inconsistencies, noted during the Court’s audit led to an over-claim of 731 652 euro’.

#17. Annual report covering FY 2011, Employment and social affairs. An example of the Court’s manifest personal data processing is given in page 155 ‘a) Ineligible training participants: ESF funding was provided for training courses to increase the qualifications and knowledge of employees working in the electronics sector. The Court found that many of the participants were employed outside of the electronics sector and were therefore not eligible for such training. The cost declared for the ineligible participants was 29 % of the audited amount’.

#18. Annual report covering FY 2011, Research and other internal policies. An example of the Court’s manifest personal data processing is given in page 193 ‘Example 8.1 — Error identified in a cost claim relating to personnel costs A beneficiary involved in a FP7 project declared 308 000 euro of personnel costs. The Court’s audit revealed that the beneficiary: — underestimated the productive hours worked by its employees; — over-charged hours for several employees involved in the audited project. In total these findings resulted in the over-declaration of 45 000 euro of personnel costs.’

It is noted that the above five prior notifications are statutory documents. In view of the combined provisions of article 24(1) last sub-paragraph ‘That person shall thus ensure that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations’, article 25 and article 24(1)(d) of Regulation No 45/2001, any defect, and a fortiori a non-existence, of any of these five prior notification will be tantamount that the Court has likely not respected ‘the rights and freedoms of the data subjects’.

It is thus expected that the Court will carry out a diligent search to identity and release these five prior notifications.

III. DOCUMENTS DRAWN UP BY THE AUDIT DIRECTORATE

Referring to the auditing activities documented in the annual report of financial years 2009, 2010 and 2011 in the area of ‘research and other internal policies’ (requests #15, #16 and #18 concern that area), copies of the following documents drawn up by the Audit Directorate - or its predecessor(s), if applicable - are requested:

#19. The documents drawn up from 1/1/2004 onwards setting out some kind of an analysis of the lawfulness of processing personal data of third parties to the audited projects or/and Community/Union actions.

#20. The documents draw up from 1/1/2004 onwards setting out some kind of an analysis of the lawfulness of processing personal data in the legal context of a private law contract between a Research family and DG and an FP6 contractor/FP7 beneficiary.

#21. The documents drawn up from 1/1/2004 onwards with which the Audit Directorate requested the advice or opinion of the Data Protection Officer about the Court’s personal data processing in its audits of the FP6 and FP7 programmes.

#22. The documents drawn up from 1/1/2004 onwards with which the Audit Directorate requested the advice or opinion of the Court’s Legal Services about the Court’s personal data processing in its audits of the FP6 and FP7 programmes.

#23. The documents drawn up from 1/1/2004 onwards with which the Audit Directorate requested the advice, instruction or direction of the Court’s Member(s) about the Court’s personal data processing in its audits of the FP6 and FP7 programmes.

IV. DOCUMENTS DRAWN UP THE LEGAL SERVICES AND THE DATA PROTECTION OFFICER

Copies of the following documents are requested:

#24. The documents drawn up by the Legal Services in response to the request under #22 above.

#25. The documents drawn up by the Data Protection Officer in response to the request under #21 above.

#26. Notwithstanding the above requests, any other documents drawn up by the Legal Services regarding the Court’s personal data processing in the context of auditing FP6 and FP7 programmes.

#27. Notwithstanding the above requests, any other documents drawn up by the Data Protection Officer regarding the Court’s personal data processing in the context of auditing FP6 and FP7 programmes.

V. OVERRIDING PUBLIC INTEREST

It is patently obvious that the applicant entertains serious doubts as to what extent the Court has been diligent in observing Regulation No 45/2001 and for the activities described above.

Requests #24 and #26 concern legal opinions and therefore the Court may find appropriate to refuse access. However, the substance of these legal opinions is whether the Court was either negligent or willful or both in risking serious infringements of Regulation No 45/2001 in its audits of financial statements of contractors/beneficiaries in the FP6 and FP7 programmes. Refusing total access will further strengthen the doubts.

In a Union governed by the rule of law, where Institutions are held accountable for the lawfulness of their acts, no exception of article 4 of the Court’s Decision 12/2005 may be relied upon to refuse full access. On the contrary, article 4(8) is fully applicable to shed light into the Court’s observance of Regulation No 45/2001.

At the end of the day, checking the legality of financial transactions presupposes that the checks and audits are themselves lawful. Relying on unlawful audit practices renders the whole audit meaningless.

Yours faithfully,

Zois Zervos

European Court of Auditors

Dear Zois Zervos,
Thank you for your email of 25July 2013, in which you apply for access to
a list of documents as set forth below in your email.

Under the terms of Decision No 12-2005 of the Court of Auditors regarding
public access to Court documents you will receive a reply within 15
working days, that is by the end of business on 15 August 2013.

Kindest regards,

Aidas Palubinskas

From:        Zois Zervos <[FOI #713 email]>
To:        information requests at European Court of Auditors
<[European Court of Auditors request email]>
Date:        25/07/2013 14:53
Subject:        access to information request - FP6, FP7, ESF audits,
personal data protection, prior notifications

--------------------------------------------------------------------------

Dear European Court of Auditors,

Under the right of access to documents in the EU treaties, as developed in
Regulation 1049/2001, I am requesting documents which contain the
following information:

I. PRIOR NOTIFICATIONS FOUND IN THE COURT&#x27;S REGISTER OF ARTICLE 26 OF
REGULATION NO 45/2001

Copies of the following prior notifications of article 25 of Regulation No
45/2001 are kindly requested:

#1. No 38, 19/04/2007, Head of Unit, AUDIT, NR2, Statement of assurance
(DAS), -Selecting beneficiaries; -Verification of the declarations and
eligibility criteria

#2. No 66, 19/07/2007, Head of Unit, AUDIT, NR5, Reliability of SPS/IACS
controls and inspections in EU-15 auditing if the payments have been
carried out correctly

#3. No 75, 28/09/2007, Head of Unit, AUDIT, AEI, Audit of salaries,
allowances and pensions for staff employed (or formerly employed) by
European Institutions Audit of documents which serve as evidence for the
grade/step and the entitlement to other allowances, e.g. latest decision
on promotion, certificate of marriage, children&#x27;s schooling
certificates.....

#4. No 90, 08/11/2007, Head of Unit, AUDIT, NR4, Statement of assurance

#5. No 92, 08/11/2007, Head of Unit, AUDIT, NR4, Cross compliance

#6. No 107, 05/12/2007, Head of Unit, AUDIT, NR5, The system of milk
quotas in the new Member States Auditing quotas allocated

#7. No 114, 04/04/2008, Head of Unit, AUDIT, SPD, DAS audit, In the
execution of the DAS transactions for Structural actions and more
specifically for the Social fund, personal data is audited in order to
verify the requirements of the Regulations. This can take the form of
collecting, consulting and/or storage of personal data.

#8. No 132, 05/05/2008, Head of Unit, CEAD, AMS, ASSYST: Time Recording In
ASSYST, there is a module for time recording. Each auditor who has access
to ASSYST and are planned for in the Annual Work Programme is requested to
record their

#9. No 199, 19/02/2009, Head of Unit, AUDIT, IPB, DAS 2008

#10. No 211, 18/06/2009, Head of Unit, AUDIT, NR3, Préenquête sur les
bénéficiaires de la PAC Traitement des données des montants reçus par les
bénéficiaires de la PAC

#11. No 214, 09/07/2009, Head of Unit, AUDIT, TRE, Performance Audit of
the Adequacy and Effectiveness of Selected FP6 Instruments
The audit procedures defined included surveys, testing at project level
and reviews of studies and reports. Throughout the audit, data contained
in several Commission&#x27;s databases were used. Furthermore, the audit
involved the review of documentation prepared by or containing information
about individuals.

#12. No 224, 05/01/2010, Head of Unit, AUDIT, AEI, Audit on performance of
OLAF investigations Audit of documents gathered by OLAF in the framework
of its investigations.

#13. No 224, 05/01/2010, Head of Unit, AUDIT, AEI, Audit on performance of
OLAF investigations Audit of documents gathered by OLAF in the framework
of its investigations.

II. OTHER PRIOR NOTIFICATIONS OF ARTICLE 25 OF REGULATION No 45/2001

Copies of the prior notifications of article 25 of Regulation No 45/2001
regarding the following audit activities of the Court are kindly
requested:

#14. Annual report covering FY 2009, European Social Fund audit. An
example of the Court’s manifest personal data processing is given in page
102, ‘Overdeclaration of staff costs: In the case of an ESF project
supporting professional training courses for pupils from secondary
schools, the beneficiary incorrectly charged various indirect costs (staff
salaries, insurance, fuel, telephone and depreciation) to the project.’

#15.Annual report covering FY 2009, Research Energy and Transport. An
example of the Court’s manifest personal data processing is given in page
121 ‘The Court found that the audited beneficiary reported 17
person-months as input to the Commission’.

#16. Annual report covering FY 2010, Research and other Internal Policies.
An example of the Court’s manifest personal data processing is given in
page 173 ‘Example 6.1 Ineligible costs and incorrectly calculated costs A
beneficiary managing an FP6 project claimed overheads using a f lat rate
which was based on direct staff costs. Following an ex-post audit carried
out in 2007, the beneficiary changed its allocation of overheads
methodology without fully and correctly implementing the recommendations
made by the ex-post auditors. Errors and inconsistencies, noted during the
Court’s audit led to an over-claim of 731 652 euro’.

#17. Annual report covering FY 2011, Employment and social affairs. An
example of the Court’s manifest personal data processing is given in page
155 ‘a) Ineligible training participants: ESF funding was provided for
training courses to increase the qualifications and knowledge of employees
working in the electronics sector. The Court found that many of the
participants were employed outside of the electronics sector and were
therefore not eligible for such training. The cost declared for the
ineligible participants was 29 % of the audited amount’.

#18. Annual report covering FY 2011, Research and other internal policies.
An example of the Court’s manifest personal data processing is given in
page 193 ‘Example 8.1 — Error identified in a cost claim relating to
personnel costs A beneficiary involved in a FP7 project declared 308 000
euro of personnel costs. The Court’s audit revealed that the beneficiary:
— underestimated the productive hours worked by its employees; —
over-charged hours for several employees involved in the audited project.
In total these findings resulted in the over-declaration of 45 000 euro of
personnel costs.’

It is noted that the above five prior notifications are statutory
documents. In view of the combined provisions of article 24(1) last
sub-paragraph ‘That person shall thus ensure that the rights and freedoms
of the data subjects are unlikely to be adversely affected by the
processing operations’, article 25 and article 24(1)(d) of Regulation No
45/2001, any defect, and a fortiori a non-existence, of any of these five
prior notification will be tantamount that the Court has likely not
respected ‘the rights and freedoms of the data subjects’.

It is thus expected that the Court will carry out a diligent search to
identity and release these five prior notifications.

III. DOCUMENTS DRAWN UP BY THE AUDIT DIRECTORATE

Referring to the auditing activities documented in the annual report of
financial years 2009, 2010 and 2011 in the area of ‘research and other
internal policies’ (requests #15, #16 and #18 concern that area), copies
of the following documents drawn up by the Audit Directorate - or its
predecessor(s), if applicable - are requested:

#19. The documents drawn up from 1/1/2004 onwards setting out some kind of
an analysis of the lawfulness of processing personal data of third parties
to the audited projects or/and Community/Union actions.

#20. The documents draw up from 1/1/2004 onwards setting out some kind of
an analysis of the lawfulness of processing personal data in the legal
context of a private law contract between a Research family and DG and an
FP6 contractor/FP7 beneficiary.

#21. The documents drawn up from 1/1/2004 onwards with which the Audit
Directorate requested the advice or opinion of the Data Protection Officer
about the Court’s personal data processing in its audits of the FP6 and
FP7 programmes.

#22. The documents drawn up from 1/1/2004 onwards with which the Audit
Directorate requested the advice or opinion of the Court’s Legal Services
about the Court’s personal data processing in its audits of the FP6 and
FP7 programmes.

#23. The documents drawn up from 1/1/2004 onwards with which the Audit
Directorate requested the advice, instruction or direction of the Court’s
Member(s) about the Court’s personal data processing in its audits of the
FP6 and FP7 programmes.

IV. DOCUMENTS DRAWN UP THE LEGAL SERVICES AND THE DATA PROTECTION OFFICER

Copies of the following documents are requested:

#24. The documents drawn up by the Legal Services in response to the
request under #22 above.

#25. The documents drawn up by the Data Protection Officer in response to
the request under #21 above.

#26. Notwithstanding the above requests, any other documents drawn up by
the Legal Services regarding the Court’s personal data processing in the
context of auditing FP6 and FP7 programmes.  

#27. Notwithstanding the above requests, any other documents drawn up by
the Data Protection Officer regarding the Court’s personal data processing
in the context of auditing FP6 and FP7 programmes.  

V. OVERRIDING PUBLIC INTEREST

It is patently obvious that the applicant entertains serious doubts as to
what extent the Court has been diligent in observing Regulation No 45/2001
and for the activities described above.  

Requests #24 and #26 concern legal opinions and therefore the Court may
find appropriate to refuse access. However, the substance of these legal
opinions is whether the Court was either negligent or willful or both in
risking serious infringements of Regulation No 45/2001 in its audits of
financial statements of contractors/beneficiaries in the FP6 and FP7
programmes. Refusing total access will further strengthen the doubts.

In a Union governed by the rule of law, where Institutions are held
accountable for the lawfulness of their acts, no exception of article 4 of
the Court’s Decision 12/2005 may be relied upon to refuse full access. On
the contrary, article 4(8) is fully applicable to shed light into the
Court’s observance of Regulation No 45/2001.

At the end of the day, checking the legality of financial transactions
presupposes that the checks and audits are themselves lawful. Relying on
unlawful audit practices renders the whole audit meaningless.

Yours faithfully,

Zois Zervos

-------------------------------------------------------------------

This is a request for access to information under Article 15 of the TFEU
and, where applicable, Regulation 1049/2001 which has been sent via the
AsktheEU.org website.

Please kindly use this email address for all replies to this request:
[FOI #713 email]

If [European Court of Auditors request email] is the wrong address for information requests to
European Court of Auditors, please tell the AsktheEU.org team on email
[email address]

This message and all replies from European Court of Auditors will be
published on the AsktheEU.org website. For more information see our
dedicated page for EU public officials at
[1]http://www.asktheeu.org/en/help/officers

-------------------------------------------------------------------

**********************
Disclaimer: If you have received this message in error, please contact the
sender immediately.

**********************
Avertissement : Si ce message vous a été adressé par erreur, nous vous
prions de vous mettre immédiatement en rapport avec l’expéditeur.

References

Visible links
1. http://www.asktheeu.org/en/help/officers

European Court of Auditors

Dear Zois Zervos,
We would like to inform you that pursuant to Article 6(3) and (4) of
Decision 12-2005 of the Court of Auditors regarding public access to Court
documents, and due to the vacation period, the initial deadline of 15
working days (ending on 16 August 2013) must be exceptionally extended for
another 15 working days.

You will receive a reply by the end of the business day on Friday 6
September 2013.

Kind regards,
ECA Info

From:        Zois Zervos <[FOI #713 email]>
To:        information requests at European Court of Auditors
<[European Court of Auditors request email]>
Date:        25/07/2013 14:53
Subject:        access to information request - FP6, FP7, ESF audits,
personal data protection, prior notifications

--------------------------------------------------------------------------

Dear European Court of Auditors,

Under the right of access to documents in the EU treaties, as developed in
Regulation 1049/2001, I am requesting documents which contain the
following information:

I. PRIOR NOTIFICATIONS FOUND IN THE COURT&#x27;S REGISTER OF ARTICLE 26 OF
REGULATION NO 45/2001

Copies of the following prior notifications of article 25 of Regulation No
45/2001 are kindly requested:

#1. No 38, 19/04/2007, Head of Unit, AUDIT, NR2, Statement of assurance
(DAS), -Selecting beneficiaries; -Verification of the declarations and
eligibility criteria

#2. No 66, 19/07/2007, Head of Unit, AUDIT, NR5, Reliability of SPS/IACS
controls and inspections in EU-15 auditing if the payments have been
carried out correctly

#3. No 75, 28/09/2007, Head of Unit, AUDIT, AEI, Audit of salaries,
allowances and pensions for staff employed (or formerly employed) by
European Institutions Audit of documents which serve as evidence for the
grade/step and the entitlement to other allowances, e.g. latest decision
on promotion, certificate of marriage, children&#x27;s schooling
certificates.....

#4. No 90, 08/11/2007, Head of Unit, AUDIT, NR4, Statement of assurance

#5. No 92, 08/11/2007, Head of Unit, AUDIT, NR4, Cross compliance

#6. No 107, 05/12/2007, Head of Unit, AUDIT, NR5, The system of milk
quotas in the new Member States Auditing quotas allocated

#7. No 114, 04/04/2008, Head of Unit, AUDIT, SPD, DAS audit, In the
execution of the DAS transactions for Structural actions and more
specifically for the Social fund, personal data is audited in order to
verify the requirements of the Regulations. This can take the form of
collecting, consulting and/or storage of personal data.

#8. No 132, 05/05/2008, Head of Unit, CEAD, AMS, ASSYST: Time Recording In
ASSYST, there is a module for time recording. Each auditor who has access
to ASSYST and are planned for in the Annual Work Programme is requested to
record their

#9. No 199, 19/02/2009, Head of Unit, AUDIT, IPB, DAS 2008

#10. No 211, 18/06/2009, Head of Unit, AUDIT, NR3, Préenquête sur les
bénéficiaires de la PAC Traitement des données des montants reçus par les
bénéficiaires de la PAC

#11. No 214, 09/07/2009, Head of Unit, AUDIT, TRE, Performance Audit of
the Adequacy and Effectiveness of Selected FP6 Instruments
The audit procedures defined included surveys, testing at project level
and reviews of studies and reports. Throughout the audit, data contained
in several Commission&#x27;s databases were used. Furthermore, the audit
involved the review of documentation prepared by or containing information
about individuals.

#12. No 224, 05/01/2010, Head of Unit, AUDIT, AEI, Audit on performance of
OLAF investigations Audit of documents gathered by OLAF in the framework
of its investigations.

#13. No 224, 05/01/2010, Head of Unit, AUDIT, AEI, Audit on performance of
OLAF investigations Audit of documents gathered by OLAF in the framework
of its investigations.

II. OTHER PRIOR NOTIFICATIONS OF ARTICLE 25 OF REGULATION No 45/2001

Copies of the prior notifications of article 25 of Regulation No 45/2001
regarding the following audit activities of the Court are kindly
requested:

#14. Annual report covering FY 2009, European Social Fund audit. An
example of the Court’s manifest personal data processing is given in page
102, ‘Overdeclaration of staff costs: In the case of an ESF project
supporting professional training courses for pupils from secondary
schools, the beneficiary incorrectly charged various indirect costs (staff
salaries, insurance, fuel, telephone and depreciation) to the project.’

#15.Annual report covering FY 2009, Research Energy and Transport. An
example of the Court’s manifest personal data processing is given in page
121 ‘The Court found that the audited beneficiary reported 17
person-months as input to the Commission’.

#16. Annual report covering FY 2010, Research and other Internal Policies.
An example of the Court’s manifest personal data processing is given in
page 173 ‘Example 6.1 Ineligible costs and incorrectly calculated costs A
beneficiary managing an FP6 project claimed overheads using a f lat rate
which was based on direct staff costs. Following an ex-post audit carried
out in 2007, the beneficiary changed its allocation of overheads
methodology without fully and correctly implementing the recommendations
made by the ex-post auditors. Errors and inconsistencies, noted during the
Court’s audit led to an over-claim of 731 652 euro’.

#17. Annual report covering FY 2011, Employment and social affairs. An
example of the Court’s manifest personal data processing is given in page
155 ‘a) Ineligible training participants: ESF funding was provided for
training courses to increase the qualifications and knowledge of employees
working in the electronics sector. The Court found that many of the
participants were employed outside of the electronics sector and were
therefore not eligible for such training. The cost declared for the
ineligible participants was 29 % of the audited amount’.

#18. Annual report covering FY 2011, Research and other internal policies.
An example of the Court’s manifest personal data processing is given in
page 193 ‘Example 8.1 — Error identified in a cost claim relating to
personnel costs A beneficiary involved in a FP7 project declared 308 000
euro of personnel costs. The Court’s audit revealed that the beneficiary:
— underestimated the productive hours worked by its employees; —
over-charged hours for several employees involved in the audited project.
In total these findings resulted in the over-declaration of 45 000 euro of
personnel costs.’

It is noted that the above five prior notifications are statutory
documents. In view of the combined provisions of article 24(1) last
sub-paragraph ‘That person shall thus ensure that the rights and freedoms
of the data subjects are unlikely to be adversely affected by the
processing operations’, article 25 and article 24(1)(d) of Regulation No
45/2001, any defect, and a fortiori a non-existence, of any of these five
prior notification will be tantamount that the Court has likely not
respected ‘the rights and freedoms of the data subjects’.

It is thus expected that the Court will carry out a diligent search to
identity and release these five prior notifications.

III. DOCUMENTS DRAWN UP BY THE AUDIT DIRECTORATE

Referring to the auditing activities documented in the annual report of
financial years 2009, 2010 and 2011 in the area of ‘research and other
internal policies’ (requests #15, #16 and #18 concern that area), copies
of the following documents drawn up by the Audit Directorate - or its
predecessor(s), if applicable - are requested:

#19. The documents drawn up from 1/1/2004 onwards setting out some kind of
an analysis of the lawfulness of processing personal data of third parties
to the audited projects or/and Community/Union actions.

#20. The documents draw up from 1/1/2004 onwards setting out some kind of
an analysis of the lawfulness of processing personal data in the legal
context of a private law contract between a Research family and DG and an
FP6 contractor/FP7 beneficiary.

#21. The documents drawn up from 1/1/2004 onwards with which the Audit
Directorate requested the advice or opinion of the Data Protection Officer
about the Court’s personal data processing in its audits of the FP6 and
FP7 programmes.

#22. The documents drawn up from 1/1/2004 onwards with which the Audit
Directorate requested the advice or opinion of the Court’s Legal Services
about the Court’s personal data processing in its audits of the FP6 and
FP7 programmes.

#23. The documents drawn up from 1/1/2004 onwards with which the Audit
Directorate requested the advice, instruction or direction of the Court’s
Member(s) about the Court’s personal data processing in its audits of the
FP6 and FP7 programmes.

IV. DOCUMENTS DRAWN UP THE LEGAL SERVICES AND THE DATA PROTECTION OFFICER

Copies of the following documents are requested:

#24. The documents drawn up by the Legal Services in response to the
request under #22 above.

#25. The documents drawn up by the Data Protection Officer in response to
the request under #21 above.

#26. Notwithstanding the above requests, any other documents drawn up by
the Legal Services regarding the Court’s personal data processing in the
context of auditing FP6 and FP7 programmes.  

#27. Notwithstanding the above requests, any other documents drawn up by
the Data Protection Officer regarding the Court’s personal data processing
in the context of auditing FP6 and FP7 programmes.  

V. OVERRIDING PUBLIC INTEREST

It is patently obvious that the applicant entertains serious doubts as to
what extent the Court has been diligent in observing Regulation No 45/2001
and for the activities described above.  

Requests #24 and #26 concern legal opinions and therefore the Court may
find appropriate to refuse access. However, the substance of these legal
opinions is whether the Court was either negligent or willful or both in
risking serious infringements of Regulation No 45/2001 in its audits of
financial statements of contractors/beneficiaries in the FP6 and FP7
programmes. Refusing total access will further strengthen the doubts.

In a Union governed by the rule of law, where Institutions are held
accountable for the lawfulness of their acts, no exception of article 4 of
the Court’s Decision 12/2005 may be relied upon to refuse full access. On
the contrary, article 4(8) is fully applicable to shed light into the
Court’s observance of Regulation No 45/2001.

At the end of the day, checking the legality of financial transactions
presupposes that the checks and audits are themselves lawful. Relying on
unlawful audit practices renders the whole audit meaningless.

Yours faithfully,

Zois Zervos

-------------------------------------------------------------------

This is a request for access to information under Article 15 of the TFEU
and, where applicable, Regulation 1049/2001 which has been sent via the
AsktheEU.org website.

Please kindly use this email address for all replies to this request:
[FOI #713 email]

If [European Court of Auditors request email] is the wrong address for information requests to
European Court of Auditors, please tell the AsktheEU.org team on email
[email address]

This message and all replies from European Court of Auditors will be
published on the AsktheEU.org website. For more information see our
dedicated page for EU public officials at
[1]http://www.asktheeu.org/en/help/officers

-------------------------------------------------------------------

**********************
Disclaimer: If you have received this message in error, please contact the
sender immediately.

**********************
Avertissement : Si ce message vous a été adressé par erreur, nous vous
prions de vous mettre immédiatement en rapport avec l’expéditeur.

References

Visible links
1. http://www.asktheeu.org/en/help/officers

European Court of Auditors

13 Attachments

Dear Zois Zervos,
please find attached the requested documents no. 1 -11 as no 12 is
identical to 11.

II. For request 14 and 17 it is the DPO notification AUD-114-ESD-DAS.pdf
that is applicable.
For request 15 it is  the DPO notification AUD-090-ETE-DAS.pdf that is
applicable.
For request 16 and 18 it is  the DPO notification The reason why this
notification contains a date in 2012 is due to a reorganisation of the
audit units which triggered an update of the DPO notification from 2008.

III. For the requests 19 - 23 there are no documents drawn up by the DPO
as this was not necessary because the legal basis for the processing is
quite clear and very strong:
Art. 287 of the Treaty of Functioning of the EU

Art. 140 to 142 of the Financial Regulation (Council Regulation (EC,
Euratom) No. 1605/2002 as amended (Art. 159 to 161 of Regulation (EU,
Euratom) No 966/2012 of the European Parliament and of the Council which
apply from 01/01/2013

IV. For the requests 25 & 27 there are no documents drawn up to our
knowledge neither for the requests 24 & 26.

with best regards,

Helena Piron Mäki-Korvela

From:        Zois Zervos <[FOI #713 email]>
To:        information requests at European Court of Auditors
<[European Court of Auditors request email]>
Date:        25/07/2013 14:53
Subject:        access to information request - FP6, FP7, ESF audits,
personal data protection, prior notifications

--------------------------------------------------------------------------

Dear European Court of Auditors,

Under the right of access to documents in the EU treaties, as developed in
Regulation 1049/2001, I am requesting documents which contain the
following information:

I. PRIOR NOTIFICATIONS FOUND IN THE COURT&#x27;S REGISTER OF ARTICLE 26 OF
REGULATION NO 45/2001

Copies of the following prior notifications of article 25 of Regulation No
45/2001 are kindly requested:

#1. No 38, 19/04/2007, Head of Unit, AUDIT, NR2, Statement of assurance
(DAS), -Selecting beneficiaries; -Verification of the declarations and
eligibility criteria

#2. No 66, 19/07/2007, Head of Unit, AUDIT, NR5, Reliability of SPS/IACS
controls and inspections in EU-15 auditing if the payments have been
carried out correctly

#3. No 75, 28/09/2007, Head of Unit, AUDIT, AEI, Audit of salaries,
allowances and pensions for staff employed (or formerly employed) by
European Institutions Audit of documents which serve as evidence for the
grade/step and the entitlement to other allowances, e.g. latest decision
on promotion, certificate of marriage, children&#x27;s schooling
certificates.....

#4. No 90, 08/11/2007, Head of Unit, AUDIT, NR4, Statement of assurance

#5. No 92, 08/11/2007, Head of Unit, AUDIT, NR4, Cross compliance

#6. No 107, 05/12/2007, Head of Unit, AUDIT, NR5, The system of milk
quotas in the new Member States Auditing quotas allocated

#7. No 114, 04/04/2008, Head of Unit, AUDIT, SPD, DAS audit, In the
execution of the DAS transactions for Structural actions and more
specifically for the Social fund, personal data is audited in order to
verify the requirements of the Regulations. This can take the form of
collecting, consulting and/or storage of personal data.

#8. No 132, 05/05/2008, Head of Unit, CEAD, AMS, ASSYST: Time Recording In
ASSYST, there is a module for time recording. Each auditor who has access
to ASSYST and are planned for in the Annual Work Programme is requested to
record their

#9. No 199, 19/02/2009, Head of Unit, AUDIT, IPB, DAS 2008

#10. No 211, 18/06/2009, Head of Unit, AUDIT, NR3, Préenquête sur les
bénéficiaires de la PAC Traitement des données des montants reçus par les
bénéficiaires de la PAC

#11. No 214, 09/07/2009, Head of Unit, AUDIT, TRE, Performance Audit of
the Adequacy and Effectiveness of Selected FP6 Instruments
The audit procedures defined included surveys, testing at project level
and reviews of studies and reports. Throughout the audit, data contained
in several Commission&#x27;s databases were used. Furthermore, the audit
involved the review of documentation prepared by or containing information
about individuals.

#12. No 224, 05/01/2010, Head of Unit, AUDIT, AEI, Audit on performance of
OLAF investigations Audit of documents gathered by OLAF in the framework
of its investigations.

#13. No 224, 05/01/2010, Head of Unit, AUDIT, AEI, Audit on performance of
OLAF investigations Audit of documents gathered by OLAF in the framework
of its investigations.

II. OTHER PRIOR NOTIFICATIONS OF ARTICLE 25 OF REGULATION No 45/2001

Copies of the prior notifications of article 25 of Regulation No 45/2001
regarding the following audit activities of the Court are kindly
requested:

#14. Annual report covering FY 2009, European Social Fund audit. An
example of the Court’s manifest personal data processing is given in page
102, ‘Overdeclaration of staff costs: In the case of an ESF project
supporting professional training courses for pupils from secondary
schools, the beneficiary incorrectly charged various indirect costs (staff
salaries, insurance, fuel, telephone and depreciation) to the project.’

#15.Annual report covering FY 2009, Research Energy and Transport. An
example of the Court’s manifest personal data processing is given in page
121 ‘The Court found that the audited beneficiary reported 17
person-months as input to the Commission’.

#16. Annual report covering FY 2010, Research and other Internal Policies.
An example of the Court’s manifest personal data processing is given in
page 173 ‘Example 6.1 Ineligible costs and incorrectly calculated costs A
beneficiary managing an FP6 project claimed overheads using a f lat rate
which was based on direct staff costs. Following an ex-post audit carried
out in 2007, the beneficiary changed its allocation of overheads
methodology without fully and correctly implementing the recommendations
made by the ex-post auditors. Errors and inconsistencies, noted during the
Court’s audit led to an over-claim of 731 652 euro’.

#17. Annual report covering FY 2011, Employment and social affairs. An
example of the Court’s manifest personal data processing is given in page
155 ‘a) Ineligible training participants: ESF funding was provided for
training courses to increase the qualifications and knowledge of employees
working in the electronics sector. The Court found that many of the
participants were employed outside of the electronics sector and were
therefore not eligible for such training. The cost declared for the
ineligible participants was 29 % of the audited amount’.

#18. Annual report covering FY 2011, Research and other internal policies.
An example of the Court’s manifest personal data processing is given in
page 193 ‘Example 8.1 — Error identified in a cost claim relating to
personnel costs A beneficiary involved in a FP7 project declared 308 000
euro of personnel costs. The Court’s audit revealed that the beneficiary:
— underestimated the productive hours worked by its employees; —
over-charged hours for several employees involved in the audited project.
In total these findings resulted in the over-declaration of 45 000 euro of
personnel costs.’

It is noted that the above five prior notifications are statutory
documents. In view of the combined provisions of article 24(1) last
sub-paragraph ‘That person shall thus ensure that the rights and freedoms
of the data subjects are unlikely to be adversely affected by the
processing operations’, article 25 and article 24(1)(d) of Regulation No
45/2001, any defect, and a fortiori a non-existence, of any of these five
prior notification will be tantamount that the Court has likely not
respected ‘the rights and freedoms of the data subjects’.

It is thus expected that the Court will carry out a diligent search to
identity and release these five prior notifications.

III. DOCUMENTS DRAWN UP BY THE AUDIT DIRECTORATE

Referring to the auditing activities documented in the annual report of
financial years 2009, 2010 and 2011 in the area of ‘research and other
internal policies’ (requests #15, #16 and #18 concern that area), copies
of the following documents drawn up by the Audit Directorate - or its
predecessor(s), if applicable - are requested:

#19. The documents drawn up from 1/1/2004 onwards setting out some kind of
an analysis of the lawfulness of processing personal data of third parties
to the audited projects or/and Community/Union actions.

#20. The documents draw up from 1/1/2004 onwards setting out some kind of
an analysis of the lawfulness of processing personal data in the legal
context of a private law contract between a Research family and DG and an
FP6 contractor/FP7 beneficiary.

#21. The documents drawn up from 1/1/2004 onwards with which the Audit
Directorate requested the advice or opinion of the Data Protection Officer
about the Court’s personal data processing in its audits of the FP6 and
FP7 programmes.

#22. The documents drawn up from 1/1/2004 onwards with which the Audit
Directorate requested the advice or opinion of the Court’s Legal Services
about the Court’s personal data processing in its audits of the FP6 and
FP7 programmes.

#23. The documents drawn up from 1/1/2004 onwards with which the Audit
Directorate requested the advice, instruction or direction of the Court’s
Member(s) about the Court’s personal data processing in its audits of the
FP6 and FP7 programmes.

IV. DOCUMENTS DRAWN UP THE LEGAL SERVICES AND THE DATA PROTECTION OFFICER

Copies of the following documents are requested:

#24. The documents drawn up by the Legal Services in response to the
request under #22 above.

#25. The documents drawn up by the Data Protection Officer in response to
the request under #21 above.

#26. Notwithstanding the above requests, any other documents drawn up by
the Legal Services regarding the Court’s personal data processing in the
context of auditing FP6 and FP7 programmes.  

#27. Notwithstanding the above requests, any other documents drawn up by
the Data Protection Officer regarding the Court’s personal data processing
in the context of auditing FP6 and FP7 programmes.  

V. OVERRIDING PUBLIC INTEREST

It is patently obvious that the applicant entertains serious doubts as to
what extent the Court has been diligent in observing Regulation No 45/2001
and for the activities described above.  

Requests #24 and #26 concern legal opinions and therefore the Court may
find appropriate to refuse access. However, the substance of these legal
opinions is whether the Court was either negligent or willful or both in
risking serious infringements of Regulation No 45/2001 in its audits of
financial statements of contractors/beneficiaries in the FP6 and FP7
programmes. Refusing total access will further strengthen the doubts.

In a Union governed by the rule of law, where Institutions are held
accountable for the lawfulness of their acts, no exception of article 4 of
the Court’s Decision 12/2005 may be relied upon to refuse full access. On
the contrary, article 4(8) is fully applicable to shed light into the
Court’s observance of Regulation No 45/2001.

At the end of the day, checking the legality of financial transactions
presupposes that the checks and audits are themselves lawful. Relying on
unlawful audit practices renders the whole audit meaningless.

Yours faithfully,

Zois Zervos

-------------------------------------------------------------------

This is a request for access to information under Article 15 of the TFEU
and, where applicable, Regulation 1049/2001 which has been sent via the
AsktheEU.org website.

Please kindly use this email address for all replies to this request:
[FOI #713 email]

If [European Court of Auditors request email] is the wrong address for information requests to
European Court of Auditors, please tell the AsktheEU.org team on email
[email address]

This message and all replies from European Court of Auditors will be
published on the AsktheEU.org website. For more information see our
dedicated page for EU public officials at
[1]http://www.asktheeu.org/en/help/officers

-------------------------------------------------------------------

**********************
Disclaimer: If you have received this message in error, please contact the
sender immediately.

**********************
Avertissement : Si ce message vous a été adressé par erreur, nous vous
prions de vous mettre immédiatement en rapport avec l’expéditeur.

References

Visible links
1. http://www.asktheeu.org/en/help/officers

European Court of Auditors

13 Attachments

Dear Zois Zervos,

Regarding your request of 25 July, please find attached the requested
documents no. 1 -11 as no 12 is identical to 11.

For request 14 and 17 it is the DPO notification AUD-114-ESD-DAS.pdf that
is applicable.
For request 15 it is  the DPO notification AUD-090-ETE-DAS.pdf that is
applicable.
For request 16 and 18 it is  the DPO notification The reason why this
notification contains a date in 2012 is due to a reorganisation of the
audit units which triggered an update of the DPO notification from 2008.

For the requests 19 - 23 there are no documents drawn up by the DPO as
this was not necessary because the legal basis for the processing is quite
clear and very strong:
Art. 287 of the Treaty of Functioning of the EU

Art. 140 to 142 of the Financial Regulation (Council Regulation (EC,
Euratom) No. 1605/2002 as amended (Art. 159 to 161 of Regulation (EU,
Euratom) No 966/2012 of the European Parliament and of the Council which
apply from 01/01/2013

IV. For the requests 25 & 27 there are no documents drawn up to our
knowledge neither for the requests 24 & 26.

Kindest regards,

Aidas Palubinskas

From:        Zois Zervos <[FOI #713 email]>
To:        information requests at European Court of Auditors
<[European Court of Auditors request email]>
Date:        25/07/2013 14:53
Subject:        access to information request - FP6, FP7, ESF audits,
personal data protection, prior notifications

--------------------------------------------------------------------------

Dear European Court of Auditors,

Under the right of access to documents in the EU treaties, as developed in
Regulation 1049/2001, I am requesting documents which contain the
following information:

I. PRIOR NOTIFICATIONS FOUND IN THE COURT&#x27;S REGISTER OF ARTICLE 26 OF
REGULATION NO 45/2001

Copies of the following prior notifications of article 25 of Regulation No
45/2001 are kindly requested:

#1. No 38, 19/04/2007, Head of Unit, AUDIT, NR2, Statement of assurance
(DAS), -Selecting beneficiaries; -Verification of the declarations and
eligibility criteria

#2. No 66, 19/07/2007, Head of Unit, AUDIT, NR5, Reliability of SPS/IACS
controls and inspections in EU-15 auditing if the payments have been
carried out correctly

#3. No 75, 28/09/2007, Head of Unit, AUDIT, AEI, Audit of salaries,
allowances and pensions for staff employed (or formerly employed) by
European Institutions Audit of documents which serve as evidence for the
grade/step and the entitlement to other allowances, e.g. latest decision
on promotion, certificate of marriage, children&#x27;s schooling
certificates.....

#4. No 90, 08/11/2007, Head of Unit, AUDIT, NR4, Statement of assurance

#5. No 92, 08/11/2007, Head of Unit, AUDIT, NR4, Cross compliance

#6. No 107, 05/12/2007, Head of Unit, AUDIT, NR5, The system of milk
quotas in the new Member States Auditing quotas allocated

#7. No 114, 04/04/2008, Head of Unit, AUDIT, SPD, DAS audit, In the
execution of the DAS transactions for Structural actions and more
specifically for the Social fund, personal data is audited in order to
verify the requirements of the Regulations. This can take the form of
collecting, consulting and/or storage of personal data.

#8. No 132, 05/05/2008, Head of Unit, CEAD, AMS, ASSYST: Time Recording In
ASSYST, there is a module for time recording. Each auditor who has access
to ASSYST and are planned for in the Annual Work Programme is requested to
record their

#9. No 199, 19/02/2009, Head of Unit, AUDIT, IPB, DAS 2008

#10. No 211, 18/06/2009, Head of Unit, AUDIT, NR3, Préenquête sur les
bénéficiaires de la PAC Traitement des données des montants reçus par les
bénéficiaires de la PAC

#11. No 214, 09/07/2009, Head of Unit, AUDIT, TRE, Performance Audit of
the Adequacy and Effectiveness of Selected FP6 Instruments
The audit procedures defined included surveys, testing at project level
and reviews of studies and reports. Throughout the audit, data contained
in several Commission&#x27;s databases were used. Furthermore, the audit
involved the review of documentation prepared by or containing information
about individuals.

#12. No 224, 05/01/2010, Head of Unit, AUDIT, AEI, Audit on performance of
OLAF investigations Audit of documents gathered by OLAF in the framework
of its investigations.

#13. No 224, 05/01/2010, Head of Unit, AUDIT, AEI, Audit on performance of
OLAF investigations Audit of documents gathered by OLAF in the framework
of its investigations.

II. OTHER PRIOR NOTIFICATIONS OF ARTICLE 25 OF REGULATION No 45/2001

Copies of the prior notifications of article 25 of Regulation No 45/2001
regarding the following audit activities of the Court are kindly
requested:

#14. Annual report covering FY 2009, European Social Fund audit. An
example of the Court’s manifest personal data processing is given in page
102, ‘Overdeclaration of staff costs: In the case of an ESF project
supporting professional training courses for pupils from secondary
schools, the beneficiary incorrectly charged various indirect costs (staff
salaries, insurance, fuel, telephone and depreciation) to the project.’

#15.Annual report covering FY 2009, Research Energy and Transport. An
example of the Court’s manifest personal data processing is given in page
121 ‘The Court found that the audited beneficiary reported 17
person-months as input to the Commission’.

#16. Annual report covering FY 2010, Research and other Internal Policies.
An example of the Court’s manifest personal data processing is given in
page 173 ‘Example 6.1 Ineligible costs and incorrectly calculated costs A
beneficiary managing an FP6 project claimed overheads using a f lat rate
which was based on direct staff costs. Following an ex-post audit carried
out in 2007, the beneficiary changed its allocation of overheads
methodology without fully and correctly implementing the recommendations
made by the ex-post auditors. Errors and inconsistencies, noted during the
Court’s audit led to an over-claim of 731 652 euro’.

#17. Annual report covering FY 2011, Employment and social affairs. An
example of the Court’s manifest personal data processing is given in page
155 ‘a) Ineligible training participants: ESF funding was provided for
training courses to increase the qualifications and knowledge of employees
working in the electronics sector. The Court found that many of the
participants were employed outside of the electronics sector and were
therefore not eligible for such training. The cost declared for the
ineligible participants was 29 % of the audited amount’.

#18. Annual report covering FY 2011, Research and other internal policies.
An example of the Court’s manifest personal data processing is given in
page 193 ‘Example 8.1 — Error identified in a cost claim relating to
personnel costs A beneficiary involved in a FP7 project declared 308 000
euro of personnel costs. The Court’s audit revealed that the beneficiary:
— underestimated the productive hours worked by its employees; —
over-charged hours for several employees involved in the audited project.
In total these findings resulted in the over-declaration of 45 000 euro of
personnel costs.’

It is noted that the above five prior notifications are statutory
documents. In view of the combined provisions of article 24(1) last
sub-paragraph ‘That person shall thus ensure that the rights and freedoms
of the data subjects are unlikely to be adversely affected by the
processing operations’, article 25 and article 24(1)(d) of Regulation No
45/2001, any defect, and a fortiori a non-existence, of any of these five
prior notification will be tantamount that the Court has likely not
respected ‘the rights and freedoms of the data subjects’.

It is thus expected that the Court will carry out a diligent search to
identity and release these five prior notifications.

III. DOCUMENTS DRAWN UP BY THE AUDIT DIRECTORATE

Referring to the auditing activities documented in the annual report of
financial years 2009, 2010 and 2011 in the area of ‘research and other
internal policies’ (requests #15, #16 and #18 concern that area), copies
of the following documents drawn up by the Audit Directorate - or its
predecessor(s), if applicable - are requested:

#19. The documents drawn up from 1/1/2004 onwards setting out some kind of
an analysis of the lawfulness of processing personal data of third parties
to the audited projects or/and Community/Union actions.

#20. The documents draw up from 1/1/2004 onwards setting out some kind of
an analysis of the lawfulness of processing personal data in the legal
context of a private law contract between a Research family and DG and an
FP6 contractor/FP7 beneficiary.

#21. The documents drawn up from 1/1/2004 onwards with which the Audit
Directorate requested the advice or opinion of the Data Protection Officer
about the Court’s personal data processing in its audits of the FP6 and
FP7 programmes.

#22. The documents drawn up from 1/1/2004 onwards with which the Audit
Directorate requested the advice or opinion of the Court’s Legal Services
about the Court’s personal data processing in its audits of the FP6 and
FP7 programmes.

#23. The documents drawn up from 1/1/2004 onwards with which the Audit
Directorate requested the advice, instruction or direction of the Court’s
Member(s) about the Court’s personal data processing in its audits of the
FP6 and FP7 programmes.

IV. DOCUMENTS DRAWN UP THE LEGAL SERVICES AND THE DATA PROTECTION OFFICER

Copies of the following documents are requested:

#24. The documents drawn up by the Legal Services in response to the
request under #22 above.

#25. The documents drawn up by the Data Protection Officer in response to
the request under #21 above.

#26. Notwithstanding the above requests, any other documents drawn up by
the Legal Services regarding the Court’s personal data processing in the
context of auditing FP6 and FP7 programmes.  

#27. Notwithstanding the above requests, any other documents drawn up by
the Data Protection Officer regarding the Court’s personal data processing
in the context of auditing FP6 and FP7 programmes.  

V. OVERRIDING PUBLIC INTEREST

It is patently obvious that the applicant entertains serious doubts as to
what extent the Court has been diligent in observing Regulation No 45/2001
and for the activities described above.  

Requests #24 and #26 concern legal opinions and therefore the Court may
find appropriate to refuse access. However, the substance of these legal
opinions is whether the Court was either negligent or willful or both in
risking serious infringements of Regulation No 45/2001 in its audits of
financial statements of contractors/beneficiaries in the FP6 and FP7
programmes. Refusing total access will further strengthen the doubts.

In a Union governed by the rule of law, where Institutions are held
accountable for the lawfulness of their acts, no exception of article 4 of
the Court’s Decision 12/2005 may be relied upon to refuse full access. On
the contrary, article 4(8) is fully applicable to shed light into the
Court’s observance of Regulation No 45/2001.

At the end of the day, checking the legality of financial transactions
presupposes that the checks and audits are themselves lawful. Relying on
unlawful audit practices renders the whole audit meaningless.

Yours faithfully,

Zois Zervos

-------------------------------------------------------------------

This is a request for access to information under Article 15 of the TFEU
and, where applicable, Regulation 1049/2001 which has been sent via the
AsktheEU.org website.

Please kindly use this email address for all replies to this request:
[FOI #713 email]

If [European Court of Auditors request email] is the wrong address for information requests to
European Court of Auditors, please tell the AsktheEU.org team on email
[email address]

This message and all replies from European Court of Auditors will be
published on the AsktheEU.org website. For more information see our
dedicated page for EU public officials at
[1]http://www.asktheeu.org/en/help/officers

-------------------------------------------------------------------

**********************
Disclaimer: If you have received this message in error, please contact the
sender immediately.

**********************
Avertissement : Si ce message vous a été adressé par erreur, nous vous
prions de vous mettre immédiatement en rapport avec l’expéditeur.

References

Visible links
1. http://www.asktheeu.org/en/help/officers

Dear European Court of Auditors,

This is an application for reconsideration pursuant to article 7 of the Court’s Decision 12/2005 regarding requests under #16, and #19 to #27.

I. OBSERVATIONS

I.1 PRELIMINARY REMARKS

It is worth recalling that article 6 of the Court’s Decision 12/2005 lays down the essential steps of processing initial applications. The Director of Audit and Communications may have informed other officials of the Court about this particular application. It is thus likely means that the initial reply has been approved by more than one official.

As the EU Courts have consistently held for applications according to Regulation No 1049/2001, in handling the initial application the Institution is obliged to undertake a diligent search and inform the applicant about the results of the search, in particular the documents the Institution has indentified. There is no reason to assume that the Court has a lower standard to meet in searching for documents regarding an application pursuant to the Decision 12/2005.

The EU Courts have also consistently held that acts of Institutions are presumed legal. Applying the reasoning of the EU Courts in Judgments about Regulation No 1049/2001, in the framework of an application pursuant to the Decision 12/2005 the Court’s initial reply about the non-existence of documents does not leave, in principle, much room for applying for a reconsideration, which is relevant in cases the Court has refused access, either partially or
totally.

However, the present confirmatory application is very exceptional in several respects, since (i) it concerns the fundamental right of personal data protection, (ii) that the Court has manifestly processed personal data of individuals who were not ‘in receipt of payments from the budget’ as stipulated in article 278(3) TFEU (arguably a misuse of powers), and (iii) that the Court has manifestly failed to observe articles 4, 5, 7, 12(1), 25 and 28(1) of Regulation No 45/2001 in so far data subjects - third parties to the audited legal ‘instruments’ - were concerned. The last failure amounts to a serious infringement of several essential procedural requirements and safeguards expressly provided by Union law.

I.2. SERIOUS INFRINGEMENTS OF REGULATION NO 45/2001 BY THE RESEARCH FAMILY DGs – FALSE DECLARATIONS IN STATUTORY INSTRUMENTS AND IN PLAIN PUBLIC VIEW

It has recently emerged that the article 25 of Regulation No 45/2001 prior notifications DG ENTR DPO-3334.1, DG INFSO DPO-3338.1, DG RTD DPO-3398.1-3 and DG MOVE & ENER DPO-3420.1 have two false declarations, namely the statements:

“This processing has been submitted to the EDPS who concluded that Article 27 is not applicable.

3. Sub-Contractors —”

To convince itself about the false declarations the Court may find interesting to take a glance at the following documents:

1. http://www.asktheeu.org/en/request/677/r... , pages 1-2

2. http://www.asktheeu.org/en/request/587/r...

3. http://www.asktheeu.org/en/request/595/r...

4. http://www.asktheeu.org/en/request/exter..., in particular the initial reply of DG MOVE

What is really interesting is the DG RTD initial reply to the request under #7 of GestDem 2013/3351 (document pointed by link #2 above) “7. The documents setting out an analysis that articles 60.4 FR, 170FR, 47.4IR (first three versions of DPO-3398) and 137.2FR and 180.1.f RAP (DPO-3398.4) is a sufficient and adequate legal basis for the personal data processing of the DG RTD external financial audits”, which is that no such documents exist. This answer alone proves that the external financial audits of the Research DGs have no basis whatsoever in Union law. The contractual obligations of the FP6 model contract and the FP7 model grant agreement do not make the personal data processing for a host of reason, not least because the data subjects are third parties to these private law contracts.

Moreover, that there is no such legal basis should not be surprising at all. Since the researchers – third parties to the audited FP6/FP7 actions – have not given their consent (in fact, they do not even know that their personal data were processed), none of the conditions for the lawfulness of processing of article 5 of Regulation No 45/2001 is satisfied.

This, in turn, might explain why the Research DGs were ‘compelled’ to file completely bogus prior notifications marred by false declarations. Following the Bavarian Lager and Schecke rulings of the Court of Justice, the Research DGs desperately needed a fig leaf with respect to a prior notification covering their external financial audits. The aforesaid prior notifications were indeed the fig leaf.

However, it appears that it escaped the attention of the Research DGs that the fig leaf might grow some thorns in the future with regards to the data controllers. The definition of “Controller” in article 1 of Commission Decision 597/2008 (OJ 2008 L 193/7) renders the individuals designated as data controllers in the prior notifications personally liable for the false declarations. In several jurisdictions, the wilful and intentional misrepresentation of facts by civil servants in documents drawn up pursuant to express legal obligations is a criminal offence.

Needless to say that such conduct by an administrative department of the Commission places those departments in a position for which the lines distinguishing a grossly substandard administrative conduct from some kind of an administrative “fraud” are really blurred.

I.3. DATES OF THE RELEASED PRIOR NOTIFICATIONS

Several of the released prior notifications, such as AUD-066 and AUD-090, are supposed to have been drawn up for the first time in 2007, 2008 and 2009. Yet they contain references to Regulation No 966/2012 as a legal basis. It is evident that the released documents are modified versions of the first version of a prior notification, and that the modification necessarily took place after September 2012.

A prior notification that is modified does not cease to be a document that an Institution holds. In fact, there is a legal obligation to keep copies of every single successive version of a prior notification. There is no other possible interpretation of article 25(3) of Regulation No 45/2001.

Nevertheless, except for AUD-160, for procedural economy a confirmatory application is NOT submitted for the first versions of the prior notifications.

I.4. SUBSTANCE OF AUD-160

This section establishes that AUD-160 is in itself highly problematic and that the underlying personal data processing entails several manifest infringements of Regulation No 45/2001. The numbers cited in the headings hereunder correspond to the numbering of AUD-160.

I.4.A. Legal basis of processing under (6)

The cited legal basis is article 276 TFEU, which is patently obvious that it is
wholly incorrect. The correct article 277(3) TFEU “(...) any natural or legal person in receipt of payments from the budget (...)".

I.4.B. Lawfulness of processing under (7)

This section of AUD-160 quotes verbatim the article 5 of Regulation No 45/2001. However, the legal basis of processing personal data is necessarily found in other provisions of EU law, and not article 5 itself. I find extremely odd than an applicant has to bring to the attention of the Court’s Data Processing Officer that the EU Civil Service Tribunal held in paragraph 128 of the Judgment of the case F-46/09, F v Parliament:

“As a preliminary point, it should be recalled that Article 1 of Regulation No 45/2001 expressly provides that, in accordance with that regulation, the institutions and bodies of the European Union are to protect the fundamental rights and freedoms of natural persons. Consequently, the provisions of that regulation cannot be interpreted as conferring legitimacy on an interference with the right to respect for private life as guaranteed by Article 8 of the ECHR (see Österreichischer Rundfunk and Others, paragraph 91). ”

I.4.C. Data subjects under (9)

The prior notification concerns data subjects as the beneficiaries who received payments from the budget. In other words, the data subjects according to section 9 of AUD-160 are either a FP6 contractor or a FP7 beneficiary who has acceded to the FP6 contract or the FP7 grant agreement.

However, only in truly exceptional cases natural persons are participants in FP6/FP7 actions. The Court cannot be, and is not, ignorant of all this. Therefore, the data subjects of AUD-160 are wholly incorrectly defined. In this respect the prior notification fails to state that for the vast majority of cases, the data subjects are not themselves beneficiaries of payments from the EU budget.

That the Data Protection Officer has failed to spot it is wholly inexplicable.

I.4.D. Informing data subjects under (13)

The Data Protection Officer has completely ignored that the Court is an Institution that is distinct from the Commission. The very fact that the DPO has drawn up a prior notification, and the Court did not rely on the Commission’s ones, must have given him a pause to think that if the Court draws up a prior notification, then the Court ought to have complied with article 12(1) of Regulation No 45/2001 by informing the data subjects when it processed their personal data it obtained from third parties (e.g. the Commission).

The statement under (13) “Through the request for EU subventions form/application by the EU Commission” implies that the Officer has been aware that the Research DGs do not inform the data subjects, but only the legal persons that are the Commission’s counter-parties to a FP6 contract and a FP7 grant agreement. This means that the Officer has been aware that the data subjects are not informed by the Research DGs.

Furthermore, the Officer has not bothered to state what information provided to data subjects the “national audit body, control/payment agency” he has stated in section 14 of AUD-160.

I.4.E. Guaranteeing data subjects rights under (14)

According to the Officer, data subjects are not entitled to exercises the rights afforded in articles 14 – 18 of Regulation, simply because the Court obtained the data from third parties (i.e. the Commission). This is in my view both truly astonishing and extremely disturbing regarding the Court’s attitude in respecting the fundamental right of personal data protection. Some reasons are outlined below.

- The EU legislature provided that articles 14-17 may be restricted only under the conditions laid down in article 20 of Regulation No 45/2001.

- There is no provision of Union law authorising an Institution to refuse the rights of articles 13-19 on account of the personal data being transferred by the Commission or other third parties. If that were the intention of the EU legislature, a clear provision would have been enacted to that effect.

- Whereas the Court has unlawfully absolved itself from its obligation to inform the data subjects pursuant to article 12(1), it has also found that it is entitled to absolve itself from the obligations of articles 14-19. This is like rubbing salt to the wounds.

- Regarding the FP6 & FP7 actions, both the Commission and the Court are in unlawful possession of the personal data in the first place, as none of the conditions of article 5 of Regulation No 45/2001 is satisfied. It is borderline absurd to say that articles 12(1) and 14-19 are not applicable for personal data unlawfully in the possession of the Court.

- Since none of the conditions of article 5 of Regulation are satisfied and several articles of Regulation No 45/2001 were gravely infringed upon, data subjects are entitled to invoke article 18(a) and request that the processing in question no longer involve their data. The Court cannot legally refuse such a request, which in turn means that the restrictions of articles 14-19 are entirely meaningless.

- To contemplate such a light-hearted approach, which in unlawful anyway, the Officer ought to have at least ascertain that the data subjects have been informed as provided by articles 11 and 12(1) of Regulation No 45/2001. Apparently, he has not done so; should he have done it, he would have been immediately aware about the infringements of those articles by the Research DGs.

As a final remark, that an applicant is able to lecture the Court’s Data Protection Officer about such elementary matters does not really inspire confidence on how seriously the Court has taken compliance with Regulation No 45/2001 and legality.

II. CONFIRMATORY APPLICATION

II.1. REQUEST #16

The request concerns the prior notification of article 25 of Regulation No 45/2001 about personal data processing expressly referred to in the Court’s Annual Report of FY 2010. The Court’s reply for request #16 and #18 has a typing mistake in that it has omitted the reference number. The applicant has inferred from the year of the notification (i.e. 2012) in the Court’s answer that the prior notification is AUD-160 RIP-DAS.

The Court’s personal data processing manifestly took place prior to 13/8/2012 (date on which the released AUD-160 was drawn up). According to the Court, the processing in question was covered by a prior notification drawn up in 2008, that is to say AUD-160 of 2008.

The Court has released a prior notification that is wholly immaterial to the request #16, since the released AUD-160 postdates the personal data processing operations in question. It necessarily follows that the Court has refused access to a document which it demonstrably holds and is obliged to release according to Decision 12/2005.

A confirmatory application is respectfully submitted for request #16.

II.2. REQUESTS #19 - #23

The requests concern documents drawn up by “the Audit Directorate - or its predecessor(s), if applicable” from 1/1/2004 onwards. The Court’s initial reply concerns solely documents drawn up by the Data Protection Officer. Furthermore, the Court may have appointed an Officer for the first time later than 1/1/2004. Other officials of the Court’s Audit Directorate or its predecessor(s) might have drawn up documents.

By restricting the search of documents to those drawn up by the Officer only and not the entire Audit Directorate, the Court effectively deprives the applicant the opportunity have access to documents, if they exist, for which he is legally entitled to have access.

Furthermore, the underlying substance of requests #19 - #23 are about the very legality of the Court’s audits with regards to the FP6 and FP7 and the fundamental right of personal data protection. When Regulation No 45/2001 came into force in 2002, it had fundamental consequences to the personal data processing operations by the Institutions. There is no coincidence that the express provisions of personal data processing of Annex II of the FP5 model contract (e.g. article 23.1.a last paragraph) are not found in the FP6 model contract and the FP7 model grant agreement.

It is inconceivable that the Audit Directorate did not take notice of the effects of Regulation No 45/2001 to its audit practices. The Court’s assurances of strict observance to its code of ethics and professional standards and the international audit standards will be seriously undermined if compliance with Regulation No 45/2001 was compromised by negligence.

In its opinion No 1/2006 “on the proposal for a regulation of the European Parliament and of the Council laying down the rules for the participation of undertakings,(...)” the Court stated:

“45. Since the beginning of the European RTD framework programmes, the Community has used private law contracts (or grant agreements) to establish a legal relationship between participants in an indirect action and the Commission (...)

46. In the Court’s view, it should not be the Commission’s role to be directly involved in managing individual indirect actions. Such an interpretation of the Commission’s role significantly contributes to the burdensome ‘red tape’ deplored by many stakeholders in the RTD framework programmes (...)”.

It is clear that the Court itself is very well versed in both the essence and also the important details of the legal aspects of the research programmes, in particular FP5, FP6 and FP7. If the Court was able to make an analysis on the fundamental fact that the legal relationship between the Commission and the participants to FP6 and FP7 actions has always been a private law contract (where the Commission does not exercise its prerogatives as a public authority), it is extremely difficult to see why the Court has seemingly failed to appreciate that personal data processing pursuant to private law contract without the consent of the data subject is outright unlawful. This is exactly what articles FP6.II.29 and FP7.II.22 are, and on which the external financial audits of the Research DGs are solely based upon.

In view of the above considerations, unless and until the Court states that documents do indeed exist for requests #19 - #23 but they were drawn up prior to 1/1/2004, in which case they are not in scope of this application, the applicant, and also the public, will harbour serious suspicions that the Audit Directorate has been recklessly negligent with regards to compliance with Regulation No 45/2001.

A confirmatory application is respectfully submitted for request #19 - #23.

II.3. REQUESTS #24 - #27

In case the Court restricted its search for documents drawn up by the Data Protection Officer, it cannot be excluded that other officials had indeed drawn up documents falling under the scope of the requests. The confirmatory application for requests #24 - #27 is a mere consequence of that regarding requests #19 - #23.

A confirmatory application is respectfully submitted for request #24 - #27.

Yours faithfully,

Zois Zervos

Dear European Court of Auditors,

As it appears from the publicly visible asktheeu.org records, the Court has not registered my application for reconsideration, in spite of ten working days having run from the lodging of the application on 21 September 2013.

A quick glance at the other applications lodged with the Court via asktheueu.org shows that the Court has promptly registered fresh applications, as well as applications for reconsideration.

I would therefore be obliged if the Court would register my application for reconsideration.

Yours faithfully,

Zois Zervos

Dear European Court of Auditors,

I refer to the application for reconsideration of 21/9/2013 and my enquiries of 7/10/2013, http://www.asktheeu.org/en/request/fp6_f.... It seems that the Court has totally ignored them.

On the 21/11/2013 the Court provided the response to two applications for reconsideration, http://www.asktheeu.org/en/request/on_th... and http://www.asktheeu.org/en/request/fp6_f.... The Court explained that the delays in processing those two applications were due to "rather than appearing in the inbox were being bounced into a folder where they were not immediately visible".

It seems that the emails of the present application have also gone astray to the same email folder. On the other hand, it cannot be excluded that the Court provided the response after that applicant notified the Court that he would seek the intervention of the President of the Court and put in cc several national authorities.

In view of the above, in the event the Court does not acknowledge the registration of the application for reconsideration within the next few days, the applicant will submit a request to the President of the Court to intervene, placing all national authorities in cc, and explaining to the President and to the authorities the underlying substance.

Yours faithfully,

Zois Zervos