FP6 & FP7 Programmes, Personal Data Protection - Compliance with Regulation 45/2001, Commission Policy

The request was successful.

Mr. Orestis BEKAS

Dear Secretariat General (SG),

Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:

I. COMMISSION’S POLICIES RELATING TO PERSONAL DATA PROTECTION IN FP6 & FP7 PROGRAMMES

Article 2 ‘Scope’, of the Commission Decision of 3/6/2008 ‘adopting implementing rules concerning the Data Protection Officer pursuant to Article 24(8) of Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data’, 2008/597/EC, stipulates:
‘This Decision defines the rules and procedures for implementation of the function of Data Protection Officer (hereinafter referred to as the ‘DPO’) within the Commission pursuant to Article 24(8) of the Regulation. It shall not apply to the activities of the Commission when defining policies relating to the protection of individuals with regard to the processing of personal data. ’

Copies of the following documents are kindly applied for:

1. The documents setting out the Commission’s policy regarding the FP7 call for proposals in relation to the processing of personal data by the Research DGs, including the requirement in most Guide to Applicants to include a ‘short profile’ (i.e. a short CV) of the key researchers.

2. The documents setting out the Commission’s policy in relation to the personal data processing in the context of the FP7 negotiations aiming at the conclusion and signing of the FP7 grant agreement, including the requirement in most FP7 Negotiations Guide to submit a ‘short profile’ (i.e. a short CV) of the key researchers.

3. The documents setting out the Commission’s policy on the personal data processing in the context of the execution of the FP7 grant agreements and the processing of personal data by the Research DGs by way of the typical inclusion in the Annex I of the FP7 grant agreement of tens of ‘short profiles’ of key researchers.

4. Referring to the “Guide to Financial Issues relating to FP7 Indirect Actions” (first was issued in 2007) and the ‘recommendations’ about the structure and content of researcher’s time-sheets (e.g. page 57 of the Guide dated 18/3/2013), the documents setting out the Commission’s policy on the personal data processing in relation to the personal data processing those FP7 Guides ‘encourage’ FP7 beneficiaries to undertake.

5. Referring to the various ‘recommendations’ of the Research family DGs about what checks an auditor is supposed to carry out in issuing a certificate of financial statements according to article 34(2) of Regulation No 1906/2006, and in particular the need of the auditor to process personal data in the context of a private law contract (the FP7 grant agreement), the documents setting out the Commission’s policy on the personal data processing in such a context and the compliance of both the contractor-beneficiary and the auditor with the national personal data protection legislation. It is worth recalling that the U.K. Data Protection Act 1998, as amended, expressly excludes a data controller’s contractual obligation to process personal data as a lawful mandate to process such data.

6. The documents setting out the Commission’s policy on the personal data processing in relation to the compliance with article 12(1) of Regulation No 45/2001 in the context of (i) FP7 calls for proposals, (ii) FP7 negotiations, (iii) external financial audits pursuant to article 29 of Annex II of the FP6 model grant agreement, (iv) external financial audits pursuant to articles FP6.II.29 and FP7.II.22.

7. Regarding contractual disputes before the Courts of the European Union between the Commission and FP4/FP5/FP6/FP7 contractors-beneficiaries, the documents setting out the Commission’s policy on the personal data processing in relation to the submission by the Legal Services of personal data obtained by the Commission services in the context of external financial audits, and the Commission’s reliance on such personal data to argue its case against a contractor-beneficiary. Thisconcerns in particular compliance with article 7 of Regulation No 45/2001 and the fact the transfer of personal data is carried out exclusively at the ‘pleasure’ of the Legal Services.

8. Regarding the field audits of FP6 contractors and FP7 beneficiaries on the territory of a Member State pursuant to article FP6.II.29 and FP7.II.22 and those conducted solely by Commission officials and servants, the documents setting out the Commission’s policy with respect to the compliance with the national personal data protection legislation.

9. Regarding the field audits of FP6 contractors and FP7 beneficiaries on the territory of a Member State pursuant to article FP6.II.29 and FP7.II.22 and conducted by external contractors of the Research family DGs and pursuant to a private law contract between the external auditor and the Research family DGs, the documents setting out the Commission’s policy with respect to the compliance with the national personal data protection legislation. Such compliance is essential in view of national legislation like the aforementioned U.K. Data Protection Act 1998.

10. Regarding the article 25 of Regulation No 45/2001 prior notifications concerning the FP6 & FP7 programmes, the documents setting out the Commission’s policy in relation to (i) a late filing of a prior notification to the article 26 register (e.g. more than 2 year overdue), (ii) inaccuracies in prior notifications, such as the statements in DPO-3334.1, DPO-3338.1, DPO-3398.1, DPO-3420.1 and DPO-3455.1 “This processing has been submitted to the EDPS who concluded that Article 27 is not applicable. 3. Sub-Contractors —”, (iii) reliance on EDPS opinions about audits pursuant to Union law (i.e. audits of structural funds and audits of expenditure concerning officials, servants and auxiliary staff of the Commission’s delegations) to draw conclusions that article 27 of Regulation No 45/2001 is not applicable to the external financial audits pursuant to article FP6.II.29 and FP.II.22 (e.g current DPO-3338.2).

11. Regarding the article 28(1) of Regulation No 45/2001 and in view that the external financial audits pursuant to article FP6.II.29 and FP.II.22 are, arguably, administrative measures towards data subjects (not parties to the FP6 contract and FP7 grant agreement), the documents setting out the Commission’s policy with respect to the compliance with article 28(1) in the FP6 and FP7 external financial audits.

12. Regarding the OLAF external investigations of FP6 contractors or FP7 beneficiaries pursuant to articles FP6.II.29.6 and FP.II.22.8, the documents setting out the Commission’s policy with respect to the compliance of such “investigations” – contractual measures with Regulation No 45/2001, given the seemingly contractual provision nature of those two terms.

13. Regarding the OLAF external investigations of FP6 contractors or FP7 beneficiaries pursuant to Regulation No 2185/96 and in view of that OLAF is not a distinct legal person from the Commission itself, the documents setting out the Commission’s policy with respect to the compliance of such Union law ‘external investigations’ with Regulation No 45/2001. It is pointed out that this particular situation is a very unusual one, as the whole relationship between the contractor-beneficiary is a private law contract (FP6 contract and FP7 grant agreement) and it is not immediately obvious which particular provision of ‘Community law’ the contractor-beneficiary is supposed to have infringed to the detriment of the Union’s financial interests.

14. Regarding the practice of DG INFSO to check for ‘double booking’ of a researcher’s time in two distinct contractors-beneficiaries (two or more distinct external financial audits) and the divulging of such ‘double booking’ to at least one of them in order to rely on it to conclude about the ‘unreliability of the time recording system’ of the contractor-beneficiary (e.g. DG INFSO final audit report dispatched as annex to the letter Ares(2013)73917 - 22/01/2013, http://www.asktheeu.org/en/request/fp7_a...), the documents setting out the Commission’s policy with respect to such practices in the personal data processing by the Research family DGs. Ostensibly, the ‘double booking’ disclosure is justified by the Commission services on the grounds of ‘protecting the Commission’s financial interest’, even though it is not immediately obvious (i) which contractual provision has been breached by the wholly uninformed and unsuspecting two contractors-beneficiaries, (ii) which provision of Union law has been infringed by either the wholly uninformed and unsuspecting two contractors-beneficiaries or even the ‘double booker’, (iii) whether such ‘double booking’ disclosure is in compliance with article 339 TFEU and article 7(2) of Regulation No 45/2001.

15. Regarding the practice of the Research family DGs to collect in several external financial audits pursuant to FP6.II.29 and FP.II.22 copies of documents with personal data (e.g. signed time-sheets, employment or service contracts, pay-slips, bank transfer records) that end up in the offices of the Research family DGs in Brussels, the documents setting out the Commission’s policy with respect to such practices which necessarily entail personal data processing.

16. Regarding the practice of the Research family DGs to collect in several external financial audits pursuant to FP6.II.29 and FP.II.22 copies of documents with personal data (e.g. signed time-sheets, employment or service contracts, pay-slips, bank transfer records), the documents setting out the Commission’s policy with respect to the compliance of such practices with the national personal data protection legislation.

17. Referring to the Commission-organised conference on 13/10/2009 ‘Finding the frontier for internal audit’, the presentation entitled ‘The EU Model’ (http://ec.europa.eu/dgs/internal_audit/p...), slide 13 ‘«Pluto» is an intelligence database storing all information about the 15,000 beneficiaries and 5,000 research projects funded by DG Infso. Pluto allows for a visual analysis of relationships between the various entities it contains (beneficiaries, projects, persons, addresses, telephones). With this analysis, risky areas of the contractual environment are identified facilitating the auditing and investigative work. At the end of the day, it will still be the job of auditors and investigators to demonstrate the fraud, but their task is made easier as far as locating the possible wherabouts is concerned’, the documents setting out the Commission’s policy with respect to the compliance of the DG INFSO Pluto ‘system’ with the Union law governing personal data processing by Institutions.

18. Referring to the documents containing personal data in the possession of the Research family DGs that were obtained from the external financial audits pursuant to FP6.II.29 and FP7.II.22 (‘the PDCD’ for Personal Data Containing Documents), and the disclosure of the personal data to the European Court of Auditors in the context of Court’s audits of FP6 and FP7 programmes (either by making the PDCD directly available to the Court’s official while at the Commission’s premises, or by dispatching copies of PDCDs to the Court) the documents setting out the Commission’s policy with respect to the compliance with Regulation No 45/2001 of the disclosure or transfer of such personal data to another Institution. This request concerns inter alia the Commission’s policy of compliance with article 7 of Regulation No 45/2001, in view of the fact that the very source of the personal data has been a contractual measure carried out on the territory of a Member State (i.e. the field audit pursuant to article FP6.II.29 and FP7.II.22) and then in the case of field audits conducted by external auditors such personal data were transferred to a Research family DG pursuant to another private law contract, i.e. that between the external auditor and the Research family DGs.

19. The documents setting out the Commission’s overall policy with respect to personal data processing pursuant to a private law contract, i.e. the FP6 contract and the FP7 grant agreement.

20. Referring to the personal data processing by the Research family DGs in the context of the entire FP6 and FP7 programmes (calls for proposals, negotiations, execution of project, external financial audits), the documents setting out the Commission’s policy with respect to handling requests for personal data pursuant to article 13 of Regulation No 45/2001.

Since the requested documents concern the Commission’s policy regarding the fundamental right of personal data protection, it is expected that they will be autonomous Decisions of the Commission, having been adopted either by the written procedure or by the empowerment procedure. It will be rather unexpected if those Decisions have been adopted by delegating powers to senior Commission officials.

II. OVERRIDING PUBLIC INTEREST

First, it is worth recalling that:

1. The Commission is the Guardian of the Treaties.

2. The Schecke Judgement has made absolutely clear the fundamental importance of personal data protection in the European Union, Joined Cases C-92/09 and C-93/09.

3. The Bavarian Lager Judgement, as well as the Commission’s refusal to disclose personal data without the express consent of a data subject, has illustrated (i) that strict compliance with the Regulation No 45/2001 is of the essence, and (ii) the Commission services are in general very diligent in observing the said Regulation.

4. The Commission referred Austria to Court of Justice for lack of independence of the data protection authority, Case C‑614/10.

5. The Commission referred Germany to the Court of Justice for lack of independence of the data protection supervisory authority, Case C-518/07.

Due to the extremely sensitive nature of the subject-matter of the application, it is manifestly evident that there is an overriding public interest for the full release of very single document held by the Commission relating to any of the above requests.

Yours faithfully,

Mr. Orestis BEKAS

Mr. Orestis BEKAS

Dear Secretariat General (SG),

I am contacting you to make enquiries about the statues of registering the application lodged with the Transparency Unit on the 4th of July 2013.

The public records of asktheeu.org show that the Unit has not registered the application, in spite of five working days having run since its dispatch.

I would therefore appreciate if the Unit would register the application without undue delay.

Yours faithfully,

Mr. Orestis BEKAS

Secretariat General of the European Commission

1 Attachment

  • Attachment

    Picture Device Independent Bitmap 1.jpg

    1K Download

Dear Mr. Bekas,
 
We hereby acknowledge receipt of your requests for access to documents
dated 04/07/2013 and 11/07/2013.
 
As your requests cover a large number of documents, we are currently
analysing them in order to establish which DGs are responsible for the
requested documents.
 
We will contact you next week after the meeting with the different DGs.
 
Yours faithfully,
 
 
BLURIOT-PUEBLA Madeleine
Cellule 'Accès aux documents'
 
European Commission
SG/B/5 - Transparence

BERL 05/330
B-1049 Brussels/Belgium
+32 2 296 09 97
[1][email address]
 
 
 

show quoted sections

Secretariat General of the European Commission

1 Attachment

  • Attachment

    Picture Device Independent Bitmap 1.jpg

    1K Download

Dear Mr. Bekas,
 
We refer to your e-mail dated 04/07/2013.  We hereby acknowledge receipt
of your application for access to documents registered on 18/07/2013 under
reference numbers GESTDEM 2013/3822 (DG RTD), GESTDEM 2013/3823 (DG
CONNECT) and GESTDEM 2013/3824 (OLAF).
 
In accordance with Regulation (EC) No 1049/2001 regarding public access to
European Parliament, Council and Commission documents, your application
will be handled within 15 working days. The time limit will expire on
08/08/2013.  In case this time limit needs to be extended, you will be
informed in due course.
 
Yours faithfully,
 
BLURIOT-PUEBLA Madeleine
Cellule 'Accès aux documents'
 
European Commission
SG/B/5 - Transparence

BERL 05/330
B-1049 Brussels/Belgium
+32 2 296 09 97
[1][email address]
 
 
 

show quoted sections

Mr. Orestis BEKAS

Dear Secretariat General (SG),

Thank you for registering my application.

I would like to draw the attention of the Transparency Unit that request under (7) concerns the production before the EU Courts by the Legal Services of documents and personal data obtained by the Research family DGs in external financial audits. The decisive feature is the submission before the EU Courts by the Legal Services of personal data obtained in what appears to be questionable circumstances.

It is respectful suggested that the Legal Services assume the responsibility of the initial answer.

Yours faithfully,

Mr. Orestis BEKAS

Secretariat General of the European Commission

2 Attachments

Dear Mr Bekas,

 

Please find herewith a note from our head of unit Mr Wasmeier for your
information.

 

Best regards,

 

 

  [1]cid:image001.png@01CE1437.0F722A20

European Commission

DG OLAF

Unit C.4- Legal advice

 

 

 

References

Visible links

Mr. Orestis BEKAS

Dear Secretariat General (SG),

This note is a reply to the OLAF letter Ares(2013)2794632 - 31/07/2013. It is to be forwarded to OLAF for handling the requests under #12 and #13 of the application GESTDEM 2013/3824.

1. OBSERVATIONS ON OLAF’S REQUEST FOR MAKING THE APPLICATION SUFFICIENTLY PRECISE

According to the very wording of initial application, its overall context is defined by article 2 ‘Scope’, of the Commission Decision of 3/6/2008 2008/597/EC. The paragraph below request #20 of the application clarifies that in the applicant’s view the requested documents, which set out Commission policy on the fundamental right of personal data protection, are probably autonomous Commission Decisions adopted by the written procedure and less likely than Decisions adopted by delegating powers.

For the particular case of requests #12 and #13, and in view of OLAF’s complete operational independence and article 8(4) of Regulation No 1073/1999, it is reasonable to expect the documents were drawn up at the request of and under the authority of the Director of the Office.

1.1. PUBLIC REGISTER OF COMMISSION DOCUMENTS

It is logical to expect that there are not that many Commission Decisions concerning OLAF’s personal data processing operations. A search of the public register of Commission’s documents for ‘C – Documents relating to official instruments for which the Commission ha(…)’, Department responsible ‘OLAF’ indicates that there are in total 22 and 119 Decisions classified as ‘final’ and ‘all versions’ respectively. Three examples are given below:

- C(2006)5986/1, 01/12/2006, ‘Commission Regulation (EC) No 1848/2006 of 14 December 2006 concerning irregularities and the recovery of sums wrongly paid in connection with the financing of the common agricultural policy and the organisation of an information system in this field and repealing Council Regulation (EEC) No 595/91’

- C(2005)5859/1, 20/12/2005, ‘Commission Regulation (EC) No 2168/2005 of 23 December 2005 amending Regulation (EC) No 1831/94 concerning irregularities and the recovery of sums wrongly paid in connection with the financing of the Cohesion Fund and the organisation of an information system in this field’

- C(2005)4768/1, 02/12/2005, ‘Commission Regulation (EC) No 2035/2005 amending Commission Regulation EC 1681/94 concerning irregularities and the recovery of sums wrongly paid in connection with the financing of the strucutral policies and the organisaiton of an information system in this field’

According to the titles of these 119 OLAF Decisions, none appears to concern either the Commission’s policy on personal data protection or external investigations of the Research family DGs FP4/FP5/FP6/FP7 per se. However, since the full text of the Decision is not publicly available, it is quite likely that the main body of one or more Decisions deals with either of those two areas.

1.2 REGULATIONS NO 1073/99 & 2195/96

Article 8(4) of Regulation No 1073/99 reads ‘The Director of the Office and the members of the
Supervisory Committee referred to in Article 11 shall ensure that this Article and Articles 286 and 287 of the Treaty are applied’.

Article 8(4)of Regulation No 2185/96 reads ‘The Commission shall ensure that, when implementing this Regulation, its inspectors comply with Community and national provisions on the protection of personal data, in particular those laid down in Directive 95/46/EC of the European Parliament and of the Council’.

It is thus self-evident that the EU legislature intended that the operational independence of OLAF goes in tandem with strict compliance with Regulation No 45/2001 and the national legislation of personal data protection.

1.3 ARTICLE 27 OF REGULATION (EC) NO 45/2001 PRIOR CHECKS

OLAF has submitted to the EDPS tens of personal data processing operations for an article 27 prior check. The total number of pages of the EDPS opinions on these prior checks is approximately in order of 500 pages.

This means that the OLAF Data Protection Officer – ODPO is well versed in ensuring compliance with Regulation No 45/2001.

According to the 2007 prior checks of OLAF’s external investigations and the corresponding EDSP’ opinions, it is not immediately evident that OLAF had dully notified the EDPS about personal data processing operations in the context of investigations of FP6 contractors and FP7 beneficiaries.

1.4. OLAF’S EXTERNAL INVESTIGATIONS OF FP6 CONTRACTORS AND FP7 BENEFICIARIES

The Order of the General Court in the Case T-435/09 dismissing an application for interim measures refers in para. 6 to an OLAF on-the-spot check to an FP6 beneficiary.

The OLAF press release OLAF No 11/07 of 4/5/2011 is entitled ‘Italian authorities investigate suspected fraud network in EU-funded research projects’. The press release concerns inter alia the OLAF investigation OF/2007/0267, CMS Title ‘I/UF/UK/Computer science projects’. Several OLAF on-the-spot checks were conducted for that case. For instance, OLAF document ref. no ‘V 012563 02/12/2008’ in an ‘Investigation Authority’ duly signed by a senior OLAF official. The cited legal basis is:
“- Art. 3 of Regulation 1073/1999,
- Art. 9(2) of Regulation 2988/95,
- Reg.2185/1996,
- Art. 16 Commission Reg. 996/1999 (5th Framework Programme),
- Art. 18 and art. 20 Reg 2321/2002 (6th Framework Programme),
- Art. 5 Decision 1982/2006/EC (7th Framework Programme)
- Art. 12 Council Reg. 2236/1995 (trans~European networks)”

On the basis of that investigation, DG INFSO drew up a final audit report ref. no ’ 08-INFS-030/031/033’. As OLAF is fully aware, dozens of citizens are in lawful possession of several such documents.

In my view, a first analysis of the above legal basis does not lend any support to any conclusion, even tentative, that the above provisions duly authorise OLAF to carry out investigations to participants in FP6 and FP7 actions (eTEN is not considered). This is outlined below:

- Article 3 of Regulation 1073/99 essentially refers to Regulations No 2185/96 and 2188/95.

- The entire Regulation No 2188/95 concerns infringements of Community law; there is no provisions whatsoever about infringements of private law contracts.

- Article 16 of Commission Regulation 996/1999 is about financial controls by the Commission itself or its ‘authorised representatives’ (contractors-auditors), and by no means authorise on-the-spot checks of FP5 contractors pursuant to Community law.

- Articles 18 of Regulation 2321/2002 is about ‘Scientific, technological and financial monitoring and audits’ and thus irrelevant to OLAF’s on-the-spot checks. Similarly article 20 of the same Regulation is about ‘effective checks and by deterrent measures’, which are essentially the audits, the liquidated damages and the termination of participation. It cannot be interpreted as duly authorising on-the-spot checks, since it would have violated the foreseeability cardinal principle of the EU legislation.

- Although article 5 of Decision 1982/2006 appears at first sight to apply the provisions of Regulation No 2185/96 to FP7 contractual infringements, Regulation No 2188/95 places a stumbling block since it concerns infringements of Community law.

Moreover, the OLAF’s investigations pursuant to Union law of FP6 and FP7 participants in on-going or terminated actions is diametrically opposed with the case law of the Courts of the Union and the Commission’s pleas in law before those Courts; in particular in FP6 contracts and FP7 grant agreements the Commission does not rely on its prerogatives as a public authority. This is natural since they are private law contracts. The contractual provisions FP6.II.29.6 and FP7.II.22.8 provide for OLAF’s on-the-spot checks, but those are mere provisions of a private law contract and completely different from provisions of Community law such as article 12(4) of Council Regulation No 2236/1995.

Consequently and in so far the cited legal basis is concerned, that particular OLAF on-the-spot inspection in December 2008 appears to be without a legal basis for the FP6 and FP7 projects.

This, in turn, calls into question the legality of OLAF’s personal data processing in the context of on-the-spot checks and inspections of FP6 contractors and FP7 beneficiaries, because none of the conditions of article 5 of Regulation No 45/2001 is satisfied. OLAF cannot claim that article 20 ‘Exemptions and restrictions’ of Regulation No 45/2001 is applicable when article 5 is not satisfied.

1.5 CONCLUSIONS

It appears that:

- The EU legislature has expressly required that OLAF strictly complies with the Union/Community legislation about personal data processing. OLAF’s operations in the Member States must strictly comply with the national personal data protection legislation.

- The Director of the Office is personally responsible for ensuring that article 16(1) TFEU and Regulation No 45/2001 are strictly observed.

- On the basis of the titles of Commission Decisions in the register of Commission Documents, it seems that no Decision has been adopted by the Commission about its policy as regards personal data processing in the context of OLAF’s external investigations of FP6 contractors and FP7 beneficiaries.

- In one particular on-the-spot check of a FP6 contractor & FP7 beneficiary, the cited legal basis appears not to duly authorise pursuant to Community law the intervention of a public authority into the private affairs of a legal person. That calls into question inter alia the legality of the associated personal data processing.

2. PROPOSAL FOR A PRECISE IDENTIFICATION OF DOCUMENTS

As a preliminary observation, in case the requested documents were not drawn up, not even a few passages, this will call into question the very legality of OLAF’s personal data processing in the context of external investigations of FP6 contractors and FP7 beneficiaries.

A whole operational Unit of OLAF is responsible for investigations concerning centrally managed expenditure; approximately 50% of such expenditure concerned the Research family DGs programmes. OLAF has been conducting interviews of persons concerned (i.e. suspects for criminal offences to the detriment of the Union’s financial interests) in its Brussels offices regarding the role of individuals in FP6 programmes and FP7 grant agreements. By definition, such interviews entail personal data processing. The leaked OLAF Supervisory Committee report on the former Member of the Commission Dalli investigation stated that there is no legal basis for OLAF’s interview of a person concerned in an external investigation (e.g. interview of Mr. Zammit). Interviews of such ‘suspects’ in OLAF’s Brussels offices rob ‘suspects’ the protection national legislation affords to ‘suspects’. In other words, it is doubly unlawful.

In view of all of the above, it is respectfully put that OLAF cannot pretend that my request is not sufficiently precise. The very fact that this application was lodged means that the applicant entertains serious doubts about the legality of the external investigations of FP6 contractors and FP7 beneficiaries. The ‘authors’ of the requested documents are either a Member of the Commission or the Director of the Office, in the sense that they delegated the drawing up of the documents to other officials but they retained and authority and responsibility of their contents. In case not even a few paragraphs were drawn up, this will not only call into question the legality of the particular personal data processing operations but it will also probably amount to an extremely serious disregard of duty by OLAF officials, in the sense that they have had a duty to bring the matter to the attention of OLAF’s top management and the Supervisory Committee.

The OLAF officials handling the underlying matters are very well known. It is therefore suggested that the Legal Services Unit make enquiries with (order is of no importance):

- Its own legal officers
- The OLAF Data Protection Officer (she has written a note summarising the Courts of the Union case law on personal data protection, so she is well versed into personal data protection)
- Data controller(s) of prior notifications covering the external investigations
- Head of Unit of Investigations for centrally managed expenditure

According to article 49 of Regulation No 45/2001, some of them may be personally liable for any infringement of Regulation No 45/2001 in the context of external investigations of FP6 contractors and FP7 beneficiaries. It will be wholly unexpected if they have disregarded that provision.

In case the above enquiries are not fruitful, I will be glad to elaborate on OLAF’s concrete operational measures in external investigations of FP6 contractors and FP7 beneficiaries quoting several pages of its reports dispatched to Judicial authorities, hoping that this will prompt some of the above officials to assist the Legal Services in precisely identifying the documents.

3. FURTHER REMARKS

The applications GESTDEM 2013/3822 (DG RTD), GESTDEM 2013/3823 (DG CNET) and GESTDEM 2013/3824 (OLAF) are about the Commission’s policy in complying with Regulation No 45/2001 in FP6 and FP7 programmes. It is obvious that the application seeks copies of documents according to which the administrative departments were duly authorised to process personal data.

OLAF should bear in mind that nobody will find particularly relevant requesting DG COMP the documents setting out the Commission policy regarding personal data processing in anti-trust investigations, with the motivation being that an applicant has some doubts. The DG COMP prior notifications are crystal-cleat; moreover, its record as a regulator and its strict observance of legality is second to none.

In my view, this is not the case for the Research family DGs and OLAF’s external investigations of FP6 contractors and FP7 beneficiaries and their staff. The false declarations in the DG INFSO prior notification DPO-3338.1 are a prime example of how disregard for legality leads to the need of committing further illegalities to create deceptions. The OLAF A.3 Unit has been too closely associated with the former DG INFSO S.5 Unit, This may generate some interest in obtaining copies of documents about the legal basis of operational measures of the OLAF A.3 Unit.

OLAF may find interesting to read the confirmatory application of GESTDEM 2013/3375 dated 31/7/2013, which concerns the DG INFSO Anti-fraud polity and its wider context, http://www.asktheeu.org/en/request/dg_cn.... I am confident that OLAF A.3 will understand what the applicant is saying between the lines.

Yours faithfully,

Mr. Orestis BEKAS

Secretariat General of the European Commission

1 Attachment

Dear Mr Bekas,

 

We would like to assure you that your application is currently being
processed. However, we regret to inform you that, as your application
concerns a very large number of documents, their handling cannot be
carried out within the normal time limits set out in Article 7 of
Regulation (EC) N° 1049/2001.

 

Yet, the Regulation also provides for a possibility to confer with
applicants in order to find a fair solution when an application concerns a
very large number of documents. Article 6(3) provides that "in the event
of an application relating to a very long document or to very large number
of documents, the institution concerned may confer with the applicant
informally, with a view to finding a fair solution".

 

Based on this provision, we would kindly ask you whether you would agree
that we extend the deadline for handling your above mentioned application
until 30/09/2013.  Needless to say, we will try to finalise the handling
of your application for access to documents as fast as possible.

 

If you have any questions concerning this proposal, you can contact us by
email to: [1][email address]

 

Yours faithfully,

 

Silvia BOJINOVA

Head of Unit

 

[2]Description: Description: Description: Description: Description:
Description: cid:image001.png@01CDF26F.EF7D9990

European Commission

DG Research & Innovation

R5

 

ORBN 09/151

B-1049 Brussels/Belgium

+32 229-85891

[3][email address]

 

[4]http://ec.europa.eu/research

 

 

 

References

Visible links
1. mailto:[email address]
3. mailto:[email address]
4. http://ec.europa.eu/research

Secretariat General of the European Commission

2 Attachments

Dear Mr Bekas,

 

Please find attached the reply to your request for access to documents.

 

Yours sincerely,

 

 

 

Diana TILOUCHE
 
European Commission
Legal Service

BERL 1/111
B-1049 Brussels/Belgium
+32 2-299 57 49
[1][email address]

 

References

Visible links
1. mailto:[email address]

Dear Secretariat General (SG),

Referring to GestDem 2013/3822 (DG RTD) this is a reply to the DG RTD email dated 7 August 2013. It is to be forwarded to DG RTD.

As a preliminary observation, the Commission's policy on the fundamental right of personal data protection enshrined in article 16 TFEU and Regulation No 45/2001 is likely to be set forth in Decisions adopted by the Commission's Rule of Procedure, namely the oral and written procedures. It will be very surprising if such Decisions were adopted by the delegation procedure, that is to say by senior officials. In all cases, regardless of the particular procedure with which the Decisions were duly adopted, the number of documents is small, probably less than ten.

Having said the above, the DG RTD proposal to extend the time-limit to the 30th of September is accepted.

Yours faithfully,

Mr. Orestis BEKAS

Dear Secretariat General (SG),

This is to make enquiries for the status of the GestDem 2013/3824 initial reply for which OLAF has assumed responsibilities. It is to be forwarded to OLAF.

By way of the letter Ares(2013)2794632 31/7/2013 OLAF requested further information from the applicant in order to precisely identify the requested documents. By way of an email dated 1/8/2013 the applicant provided to OLAF a great deal of information about the legal context of the requested documents, and thereby, hopefully, precisely identifying the requested documents.

OLAF should bear in mind that the leaked Supervisory Committee Report on the former Commissioner Dalli internal investigation has identified (i) infringements of article 12(1) of Regulation No 45/2001 (OLAF has not informed the data subjects who are third parties to the OLAF investigation and (ii) that there is no legal mandate to interview persons concerned (i.e. suspects) in external investigations. Consequently, it is clear that OLAF has a very spotty record is so much the fundamental right of personal data processing is concerned in external investigations.

Regarding the application GestDem 2013/3824, in a nutshell:

- Request #12 concerns compliance with Regulation No 45/2001 of OLAF checks pursuant to the contractual provisions of article 29.6 of the FP6 model contract and article 22.8 of the FP7 model grant agreement. Such provisions are not there by accident to 'scare' the FP6 contractors and FP7 beneficiaries. There are there for an express purpose. In case OLAF has not carried out such checks, there has been no reason to draft documents concerning request #12, in which case OLAF can simply inform the applicant about it.

- Request #13 concerns compliance with Regulation No 45/2001 of OLAF's external investigations of FP6 contractors and FP7 beneficiaries pursuant to Regulations No 2185/96 and 2988/95. In so far personal data processing is concerned, the email of 1/8/2013 has put to OLAF that its legal mandate for such external investigations is far from clear. If an applicant advances such arguments in full public view for the external investigations at issue, it is inconceivable that OLAF has not drafted a few paragraphs about those matters. This means that documents, or parts thereof, must exist and are to be released.

I would appreciate if OLAF would inform me the status of providing the initial reply

Yours faithfully,

Mr. Orestis BEKAS

Dear Secretariat General (SG),

Referring to GestDem 2013/3823 (DG CONNECT), this is to make enquiries about the status of the DG CNET initial reply. This message is to be forwarded to DG CNET.

Apparently, DG CNET has been handling the requests under points 14 & 17 of the initial application. Even though more than 30 working days have elapsed since the registration of the application, DG CNET has been totally silent about it.

I would be obliged if DG CNET would inform me about the time-frame of providing an initial reply.

Yours faithfully,

Mr. Orestis BEKAS

Secretariat General of the European Commission

25 Attachments

Dear Mr Bekas,
 
We refer to your email dated 04/07/2013 in which you make a request for
access to documents, registered on 18/07/2013 under the above mentioned
reference number.
 
We regret to inform you that no documents were found that would correspond
to the description given in points 5; 7; 8; 9; 10(i),(ii); 11; and 16 to
19 of your application. We are, therefore, unable to handle your
application in respect of these points.
 
As far as points 1 to 4 and points 15 are concerned, please find attached
the following corresponding documents:
 
Please also kindly note in relation to CVs, that specific instructions
have been circulated in 2011 by the Controller/DG to Processors within the
scope of the update of notification DPO-2978 on public procurement
procedures. The model was intended to address as well calls for proposals,
except for the Research family which had already its very specific ad hoc
notifications- 978 and former 2382 for RTD, namely:
 
Moreover, more specifically in relation to points 1,2 and 3, please find
attached below a Note of 10 June 2009 and its Annex 4.
 
 
As far as points 6(i), (ii) and 20 are concerned, please find attached
below DPO-978 and DPO-2382 in their successive versions. 
 
 
                              
 
Furthermore, in relation to point 6(iii), please find attached in addition
to the above documents, the successive versions of DPO-3398 as from 2011
onwards.
 
 
 
In respect of point 10(iii), please, find attached the following
corresponding documents:
 
 
Please note that these documents cannot be reproduced or disseminated for
commercial purposes without prior consent given by the Commission.
 
Yours faithfully,
 
 
Silvia BOJINOVA
Head of Unit
 
European Commission
DG Research & Innovation
R5
 
ORBN 09/151
B-1049 Brussels/Belgium
+32 229-85891
[1][email address]
 
[2]http://ec.europa.eu/research
 
 

References

Visible links
1. mailto:[email address]
2. http://ec.europa.eu/research

EC ARES NOREPLY, Secretariat General of the European Commission

1 Attachment

Dear Sir,

Please find attached document Ares(2013)3180822 concerning "Your application for access to documents – Ref GestDem No 2013/3823 under Regulation 1049/2011 regarding public access to European Parliament, Council and Commission documents – partial reply" sent by Mr. Roberto Viola on behalf of Mr. Robert Madelin on 03/10/2013.

Kind regards.

-------------------------------------------------------------------------------------------------------------
Note: This e-mail was automatically generated by the European Commission's central mail registration system.
Replies by e-mail must be addressed to the original sender Madelin Robert (mailto:[email address]).
Remarque : Cet e-mail a été généré automatiquement par le système d'enregistrement central du courrier de la Commission européenne.
Toute réponse éventuelle par e-mail doit être adressée à l'expéditeur en personne, à savoir Madelin Robert (mailto:[email address]).

Dear Secretariat General (SG),

A confirmatory application is hereby submitted pursuant to Regulation No 1049/2001 for all the requests of DG RTD GestDem 2013-3822.

The confirmatory application does not concern requests #7, #12, #13, #14 and #17 of the initial application, because they were handled by the Legal Services, DG CNECT and OLAF under GestDem 2013-3866, 3822, and 3824 respectively.

1. GLOBAL ASSESSMENT OF THE DG RTD INITIAL REPLY

This chapter analyses some general features of the initial reply, as well as the prior notification DPO-3398.

It is stressed from the outset that all requested documents, if they were drawn up in the first place, are autonomous Commission Decisions adopted by the written procedure, or by a delegation of powers to senior officials of the Commission services, or by some kind of an implied ‘internal administrative decision’ of the top echelons DG RTD.

The confirmatory application delves into the legal provisions of Regulation No 45/2001, EDPS opinions and other prior notifications. This is necessary, because an detailed analysis of the DG RTD initial reply is required in order to establish, first, that DG RTD has not been completely frank with the outcome of its search for documents, and second, that DG RTD has released for several requests irrelevant documents, instead of frankly stating that the requested documents are not held.

1.1. Released prior notification DPO-3398, versions 1-3

DG RTD released the prior notification DPO-3398 of article 25 of Regulation No 45/2001 as some kind of a document falling under the scope of the application. The DG RTD prior notification DPO-3398.1 to DPO-3398.1 is a mere transposition of the DG INFSO prior notification DPO-3338.1. According to the European Data Protection Supervisor - EDPS note to the file of case 2012-0758 of 24/1/2013 (under points 3.a. 3.b and 3.c), available for downloading at http://www.asktheeu.org/en/request/677/r..., the DG INFSO prior notification contains (i) a misleading statement about a purported - but non existing - EDPS ‘consultation’, (ii) “does not mention that subcontractors are used” and (iii) “refers to the wrong legal basis”. The EDPS conclusions about DG INFSO DPO-3338.1 apply equally to DG RTD DPO-3398.1. It is so because DPO-3398.1 to DPO-3398.3 are mere transpositions of DPO-3338.1 into the DG RTD organisational structure, with most of the wording about the processing operations and the legal basis being the same.

DG RTD has effectively admitted all this in its initial reply to GestDem 2013-3351, available for download at http://www.asktheeu.org/en/request/587/r....

In the note of case 2012-0758 the EDPS has put the DG INFSO DPO-3338.1 fundamental problems very mildly. The correct assessment of the statements of DPO-3338.1 – and of DPO-3398.1 to DPO-3398.3 - is that they are wilful and intentional false statements intended to deceive the public. According to the stipulations of article 1 second intend of Commission Decision 597/2008 – the Decision was prominently referred to in the present initial application – the DPO-3398.1 data controller is personally liable for the false statements of the prior notification, and also that in substance it is fake and deceitful statutory document posted into the Europa website. In December 2011 DPO-3398.3 was posted at http://ec.europa.eu/dataprotectionoffice... and in summer 2012 http://ec.europa.eu/dpo-register/details....

The fundamental importance of posting such kind of a prior notification to Europe is not to be underestimated. No matter how the DG RTD tries to downplay it, an administrative department of the Institution that is the guardian of the Treaties has had for more than two years posted in the website of the Institution a deceitful statutory document about the fundamental right of personal data protection. That activities covered by that statutory document lie at the core of the external financial audits - for which DG RTD had been devoting between five to ten pages in every single Annual Activity report - makes the deceit all the more grave. Therefore, this kind of “acts” by an administrative department call into question the ethics and the moral fabric of the top echelons of that department.

That DG RTD ‘adopted’ some kind of a ‘decision’ to release versions 1 to 3 of DPO-3398 as documents falling under the scope of this application, whereas in the initial reply GestDem 2013-3351 DG RTD essentially admitted its deceitful purpose, gives rise to extremely serious concerns about the frankness of the DG RTD initial reply.

In the applicant’s view, this particular ‘decision’ of GestDem 3822-2013 warrants a confirmatory application, since the Secretariat-General will review the DG RTD initial ‘position’.

1.2. Reply is not a signed letter bearing an Ares reference number

The initial reply is not a signed letter bearing an Ares reference number. This might have been acceptable, if DG RTD had indeed informed the applicant in a comprehensive and frank manner about the outcome of a search for documents; in case no documents were held because they were not drawn up in the first place, DG RTD ought to explicitly state so. Such type ofconsiderations become all the more important for documents that DG RTD had a legal obligation to draw up. All the requested documents are about the “Commission’s policy” on personal data processing in FP6 and FP7, which DG RTD has manifestly been processing.

There is also a stark contrast of the DG RTD initial reply with the reply of Legal Services to request #7 and the DG CNECT initial reply to request #14 and #17, in that they both are letters singed under the authority of the respective Directors-General and bear proper Ares reference numbers.

In the light of the considerations of section 1.1 above and from a formal perspective, in the applicant’s view the DG RTD initial reply is inadequate as a document stating the position of an administrative department at the end of the first stage of a two-stage administrative procedure.

1.3. Released documents for public procurement

DG RTD stated “Please also kindly note in relation to CVs, that specific instructions (.....) on public procurement (.....) its very specific ad hoc
notifications- 978 and former 2382 for RTD, namely:”

As a point of minor importance, it appears that the paragraph is incomplete since nothing follows the “namely:”.

Turning to the substance of the reply, there is a very substantial issue with regards the notion that personal data processing in the context of public procurement can be equated with such processing in FP6 and FP7. To simplify matters, the discussion will be confined to the Financial Regulation No 1605/2002, as amended, because the entire FP6 and most of FP7 are governed by it. Two fundamental differences between public procurement and FP6-FP7 are given below:

1. The public procurement calls for tenders and contracts are governed by the articles of tile V “Procurement” of the Financial Regulation. The FP6 and FP7 calls for proposals and grant agreements are governed by article VI “Grants”.

2. Contracts concluded from tenders contain an arbitration clause according to which the Courts of the seat of the Authorising Officer have exclusive jurisdiction about contractual disputes. In the vast majority of contracts this is the Courts of Brussels and Luxembourg. The corresponding clause of FP6 contracts and FP7 grant agreements provides arbitration before the EU General Court.

Since the prior notification DPO-3398.3 has based its legal basis (section 8) in articles “(art. 170, 60.4), and its Implementing Rules ("IR") (art. 47.4):” it follows that DG RTD is fully competent to appreciate the fundamental differences between titles V and VI of the Financial Regulation. Therefore, insofar the initial reply has released documents about the DG RTD public procurement instead of FP6 and FP&, those documents are wholly irrelevant with respect to the requested ones.

In my view, DG RTD seriously underestimates the intelligence of applicants, and, arguably, in mixing public procurement with FP6 & FP7 grants DG RTD attempts “to pool wool over the applicant’s eyes”. It is therefore appropriate to conclude that the DG RTD initial reply warrants a review by the Secretariat-General.

1.4. Initial reply lacks clarity in two specific points

As stated above, the fourth paragraph “Please also kindly note in relation to CVs (.....)” is incomplete, in the sense that the author intended to refer to the released documents in subsequent lines, i.e. following “namely:”. The same is the case of the third paragraph (“corresponding documents:”).

1.5. Ambiguity about the outcome of searching for documents

The initial reply stated “We regret to inform you that no documents were found that would correspond to the description given in points 5; 7; 8; 9; 10(i),(ii); 11; and 16 to 19 of your application.”.

In view of the remarks of sections 1.1 and 1.2 above, the applicant suggests that DG RTD might have not undertaken a diligent search for documents.

1.6. Concluding remark

In the light of all the foregoing considerations, a confirmatory is absolutely necessary such that the Secretariat-General reviews the initial reply of DG RTD.

2. ANALYSIS OF REPLIES TO INDIVIDUAL REQUESTS

This chapter analyses DG RTD initial reply in terms of the ‘grouping’ of requests by DG RTD.

2.1. Initial reply regarding request 10.iii

The request concerns the “Commission’s policy” about “reliance on EDPS opinions about audits pursuant to Union law (i.e. audits of structural funds and audits of expenditure concerning officials, servants and auxiliary staff of the Commission’s delegations) to draw conclusions that article 27 of Regulation No 45/2001 is not applicable to the external financial audits pursuant to article FP6.II.29 and FP.II.22 (e.g. current DPO-3338.2).”.

The prior notification DG RTD DPO-3398.2 includes the statement “As in the context of previous audits and ex-post controls the EDPS already concluded that Art. 27 was not applicable, this processing does not require a prior checking.”

It is recalled that in the aforementioned EDPS note to file, case 2012-0758, under point 3.c it is stated: “In fact, while similar processing operations were submitted to the EOPS for prior checking, with the result that they were not subject to prior checking, this specific processing operation was not submitted for prior checking. The Commission DPO has acknowledged this.”.

Insofar the applicant understands from the text of the initial reply, DG RTD has released the following two EDPS opinions regarding request 10.iii:

1. Case C 2007-0370 on the prior check about DG REGIO audits in the Member States.

2. Case C 2009-0565, which is about “to enable implementation of the checks required by Article 47(3) of the Regulation laying down detailed rules for the implementation of the Financial Regulation to issue an opinion on the regularity and legality of the transactions verified and the quality of financial management. The operational units of Directorate K, DG RELEX”

The following paragraphs analyse the initial reply.

Regarding the EDPS documents being impliedly regarded as equivalent to “Commission policy” on personal data protection the following are noted:

- It appears that DG RTD has not released a Commission document wherein the Commission services have ‘adopted’ some kind of a ‘decision’ to rely on those EDPS opinion for other prior notifications.

- Yet, it must be pointed out that releasing EDPS documents in the place of documents drawn up by the Commission services and impliedly stating that the EDPS opinions are to be construed as Commission-drafted documents is bordering the absurd.

- It must be concluded that DG RTD has failed to properly inform the applicant what has been the outcome of its searches for documents about the “Commission policy”.

Turning to the substance of the DG RTD reply, it must be observed that the former DG RELEX auditing activities concern internal auditing activities within the Commission services. The data subjects are officials subject to the Staff Regulations. The DG REGIO prior notification corresponding to the EDPS opinion in case C 2007-0370 is DPO-3226; the legal basis stated in section 8 of DPO-3226 lists several Regulations expressly authorising DG REGIO to audit recipients of Community funds. Furthermore, the data elements of DPO-3226 are far fewer than those of DPO-3398 (e.g. no time sheets, employment contracts and pay slips). At the time the beneficiaries-data subjects of the subsidies were applying for Community funds via some kind of applications-declarations lodged with the Member State Authorities, Community law expressly provided for audits; it means that those beneficiaries were fully aware that a limited set of personal data might be processed in the event of an audit. This is miles away from the DG RTD external financial audits, which are conducted pursuant to stipulations of a private law contract.

In conclusion, the data subjects of DG RTD DPO-3398.2 (and DG CNECT DPO-3338.2) are third parties to the audited FP7 grant agreements. In terms of statutory provisions, there is an abyss separating, on the one hand officials subject to Staff Regulations (i.e. DG RELEX) and direct recipients-beneficiaries of Community aid (e.g. DG REGIO), and on the other hand the third parties to private law contracts (i.e. the FP7 GA).

It must therefore be concluded that insofar reliance on the EDPS ‘opinions’ is concerned, from the blatant lies of the first three version of DPO-3398 DG RTD switched in DPO-3398.2 to a well-camouflaged deceit, which nevertheless amounted to relying on totally irrelevant EDPS opinions. Irrespective of the camouflage, the DPO-3398.2 statement about relying on other the EDPS opinions is also deceitful. The difference between the first three version of DPO-3398 and DPO-3398.4 is that the former stated blatant lies, whereas the uncovering of the DPO-3398.4 deceit requires delving into a legal analysis.

The failure to properly reply to request 10.iii is essentially a refusal to state that no documents are held. Apparently, DG RTD does not want to admit it, and opted to overlook it.

The applicant maintains that DG RTD did not comply with its obligations under Regulation No 1049/2001 and therefore a confirmatory application regarding request 10.iii is necessary.

2.2. Initial reply to requests #1, #4 and #15

The initial reply in question is the third paragraph, which is very ambiguous about which particular one of the released documents are supposed to correspond to those three requests. The applicant, who evidently is not a novice in the matters of Regulation No 45/2001, has failed to identify, save the released prior notifications DPO-978, DPO-2382 and DPO-3398, which of the released documents can be understood, even remotely, as a “Commission policy” - in the widest meaning of the term – as regards the personal data processing in FP6 & FP7.

The applicant has understood the DG RTD initial reply for those three requests as extremely ambiguous, being probably an attempt either to conceal documents or to avoid the frank answer that there are no documents setting out “Commission policy” in the respective relevant fields of FP6 and FP7.

The applicant maintains that DG RTD did not comply with its obligations under Regulation No 1049/2001 for requests #1, #4 and #15, and therefore a confirmatory application regarding those three requests is necessary.

2.2. Initial reply to requests #1 - #3

The reply reads “Moreover, more specifically in relation to points 1,2 and 3, please find attached below a Note of 10 June 2009 and its Annex 4.”.

The released Note RTD R6/TB/I(2009) 11291 is about public procurement. As stated in section 1.3 above, that note it irrelevant to FP6 and FP7. Moreover, being drawn up in 2009 it does not cover the FP6 calls for proposal and negotiations.

The applicant maintains that DG RTD did not comply with its obligations under Regulation No 1049/2001 for requests #1- #3, and therefore a confirmatory application regarding those three requests is necessary.

2.3. Requests 6.i, 6.ii and 20

The initial reply reads “As far as points 6(i), (ii) and 20 are concerned, please find attached below DPO-978 and DPO-2382 in their successive versions”.

As a first remark, those two prior notifications are totally silent about personal data of third parties to a FP6-FP7 proposal and the negotiations subsequent conclusion of a FP6 contract and FP7 grant agreement. It is fundamental to appreciate that in that particular context DG RTD has been processing personal data of third parties. DG RTD collects the third party personal data from another third party (broadly speaking from the employers of the data subjects and not directly from the data subjects), while DG RTD has invariably been disregarding it legal obligation to inform the data subjects pursuant to article 12(1) of Regulation No 45/2001. Therefore, DPO-978 and DPO-2382 being silent about data subjects, who are third parties, are irrelevant to the requested documents.

There is also a serious degree of attempting to mislead the applicant with the DG RTD initial reply, for which the applicant feels somewhat insulted, simply because DG RTD appears to regard the applicant as a moron. This is briefly explained below.

1. Prior notifications are drawn up pursuant to article 25 of Regulation No 45/2001. Even a man in the street realises that the documents drawn up pursuant to article 12(1) are profoundly different than a prior notification.
The provisions of article 12(1) concern data subject rights, whereas a prior notification is about an obligation of a data controller, i.e. an Institution. Whereas both are documents drawn up by an Institution, under no circumstance a prior notification does it come close to a document pursuant to article 12(1).

2. Even if article 25 of Regulation No 45/2001 is not complied with, the data controller has an absolute obligation to comply with article 12(1). Mingling the obligations of article 12(1) with article 25 is totally out of the question.

3. The first versions of DPO-978 and DPO-2382 were filed 6/2/2006 and in 26/10/2007. It means that about 90% of the entire FP6 was not covered by those two prior notifications.

4. In his numerous prior checks, the EDPS has never stated – not even implied – that the data subjects right of article 12(1) have anything to do with a prior notification.

5. In leaked OLAF Supervisory Committee – which consists of eminent legal professionals and one of its mandate is to ensure that OLAF complies with article 286 EC, now article 16 TFEU - report on the former Commissioner Dalli case, https://docs.google.com/file/d/0B7Swai6S..., under point (40) in page 17, the Committee stated that under Regulation No 45/2001 OLAF has an absolute obligation to inform third parties unrelated to its investigations about the processing of their personal data. The Committee did not find that the OLAF prior notifications – which unlike DPO-978, DPO-2382 and DPO-3398 were submitted for an EDPS prior check - absolved OLAF from its obligations pursuant to article 12(1).

The substance of this particular request is the following: DG RTD has manifestly failed to comply with article 12(1) of Regulation No 45/2001 for about one, or several, hundred thousand data subjects. The object of the request is the release of documents laying down the “Commission policy” to infringe the data subjects’ rights of article 12(1) for one hundred thousand data subjects. The Commission services are expected to be frank about whether documents about the adoption of such a “Commission policy” were ever drawn up. It is not acceptable to provide evasive replies to an application pursuant to Regulation No 1049/2001 in order to avoid stating that no documents are held.

The applicant maintains that DG RTD did not comply with its obligations under Regulation No 1049/2001 for requests #6.1, #6.ii and #20, and therefore a confirmatory application regarding those three requests is necessary.

2.4. Request 6.iii

According to the initial reply, the successive versions of the prior notifications DPO-3398 are to be understood as the sole documents laying down the Commission’s policy regarding compliance with article 12(1) of Regulation No 45/2001.

It cannot be accepted that the released first three versions of DPO-3398 lay down a “Commission policy” in the proper sense of the word “policy” for host of reasons, including the two false statements of the prior notification:

- “3. Processors N.A N.A|N.A N.A|N.A N.A”

- “This processing has been submitted to the EDPS who concluded that Article 27 is not applicable”

Turning to DPO-3338.4, the following are noted:

1. For the reasons set out above about the DG REGIO and the former DG RELEX prior notifications the statement “As in the context of previous audits and ex-post controls the EDPS already concluded that Art. 27 was not applicable, this processing does not require a prior checking.” is essentially deceitful. If one were prepared to give the benefit of the doubt, the corresponding statement of the predecessor versions of DPO-3398 being a blatant lie dispels any doubts.

2. The legal basis of DPO-3398.4 is non-existing. The FP7 grant agreement remains to be a private law contract. Regulation No 966/2012 does not provide as a matter of EU law a mandate to the Commission to process personal data of third parties to the grant agreements. The very wording of the DPO-3398.4, section 8 ‘Legal basis and Lawfulness’, states “Each grant decision or agreement shall provide expressly (...)” and “The grant agreement shall at least lay down the following (...)”. The term ‘grant agreement’ is there. The fact of the matter is that FP7 grant agreement remains to be a private law contract after the entry into force of Regulation No 966/2012.

3. The DG RTD initial reply to request #7 of GestDem 2013-3351, http://www.asktheeu.org/en/request/587/r..., is a loud admission that all versions of DPO-3398 have no legal basis.

In conclusion, DPO-3398 is not a document laying down the “Commission’s policy” as regards the personal data processing in relation to the compliance with article 12(1) of Regulation No 45/2001 in the context of external financial audits pursuant to article 29 of Annex II of the FP6 model grant agreement and external financial audits pursuant to articles FP6.II.29 and FP7.II.22, in the sense that it is not a “policy” duly adopted by the written procedure according to the Commission’s rules of procedure.

DPO-3398 might be a “Commission policy” regarding items (iii) and (iv) duly adopted by the delegation or sub-delegation procedure according to the Commission’s rules of procedure. If this indeed is the case, there must be one or more Commission decisions adopted by the written procedure duly authorising the DG RTD Director-General to adopt decisions by delegation and further authorising him to sub-delegate the adoption of a “Commission policy” for the matters in question.

In the applicant’s view, due to the grave infringements of numerous provisions of Union law regarding the personal data processing of the DG RTD external financial audits, such a “Commission policy” – even if it were assumed that it was indeed adopted, which is in itself extremely doubtful – has never existed in the Community’s legal order. In other words, it has always been legally non-existent.

DG RTD ought to be frank, and not attempt to “pool wool over the applicant’s eye” with respect to request 6.iii and 6.iv.

The applicant maintains that DG RTD did not comply with its obligations under Regulation No 1049/2001 for requests #6.iii and #6.iv, and therefore a confirmatory application regarding those requests is necessary.

3. OBJECT OF THE APPLICATION AND RAMIFICATIONS

It is worth stating that ultimately the applicant seeks the release of documents enabling the scrutiny of the policies of the Research DGs as regards the fundamental right of personal data protection.

All requests concern the "Commission policy", because the focus of this particular scrutiny is whether the Research DGs administrative "acts" and contractual "measures" entailing the personal data processing in FP6 and FP7 were duly authorised by the Institution, or whether the administrative departments adopted those administrative "acts" and contractual "measures" without bothering to duly request and obtain the Institution's authorisation. In the former case, there are fundamental political questions that the College will have to answer. In the latter case, the administrative departments will have a lot of explaining to do to the College and the public.

The underlying questions are also directly related to the provisions of article 25 of the Commission's Horizon 2020 proposal for a Regulation of the Parliament and the Council COM(2010) 810.

4. CONFIRMATORY APPLICATION

The confirmatory application concerns requests #1 to #6, #8 to #11, #15, #16, 18# to #20, for which DG RTD provided the initial reply.

Yours faithfully,

Mr. Orestis BEKAS

Secretariat General of the European Commission

1 Attachment

Dear Mr Bekas,   

 

Thank you for your e-mail dated 19/10/2013, registered on 21/10/2013.  I
hereby acknowledge receipt of your confirmatory application for access to
documents (ref.: Ares(2013)3300340 – gestdem 2013-3822). 

 

In accordance with Regulation 1049/2001 regarding public access to
European Parliament, Council and Commission documents, you will receive a
response to your request within 15 working days (12/11/2013).

 

Yours sincerely,

 

Paul SIMON
European Commission - Secretariat General
Unit SG.B.5, Transparency

 

show quoted sections

Dear Secretariat General (SG),

This is an email concerning OLAF's handling of requests under (12) and (13), GestDem 2013/3824. I would appreciate if the Secretariat-General would forward it to OLAF.

**************

Dear OLAF,

The is a reminder about GestDem 2013/3824 (OLAF), and specifically requests under (12) and (13) of the initial application, for which OLAF has not provided an initial reply, in spite of nearly four months having elapsed since its registration.

It is recalled that:

- By way of the letter Ares(2013)2794632 - 31/07/2013 OLAF requested the applicant for more information enabling the precise identification of the requested documents.

- The applicant provided the additional information on 1 August, http://www.asktheeu.org/en/request/fp6_f....

- On 3 October DG CNECT informed the applicant, Ares(2013) 3180822, that “Please be informed that you will receive an answer to the remaining request from DG RTD and OLAF”.

- According to asktheeu.org, OLAF has not provided an initial reply to requests under (12) and (13).

The applicant draws the attention of OLAF to Annex II “Correlation table” of Regulation 883/2013. It is obvious that in Regulation 1073/99 there was no provision equivalent to:

-Article 3(2) of Regulation 883/2013, from which it follows that OLAF was not duly empowered to investigate pursuant to Regulations 1073/99, 2195/96 and 2188/95 FP6 contractors and FP7 beneficiaries.

-Article (9) or Regulation 883/2013, from which it follows that OLAF was not duly empowered to interview persons concerned (i.e. suspects) in external investigations.

Consequently, requests (12) & (13) concern the extent to which OLAF might have infringed Regulation 45/2001 in every single external investigation of FP5-FP6 contractors and FP7 beneficiaries, in the sense that OLAF – as a functionally independent administrative department – had disregarded the Commission’s policy of respecting Regulation 45/2001.

It is also worth recalling that the two requests do not fall under the scope of Article 2(1) and (2) of Decision 1999/352/EC, which implies that a confirmatory application would be handled by the Secretariat-General.

I would therefore appreciate if OLAF would promptly provide me with the reply of the first stage of the administrative procedure of Regulation 1049/2001.

Yours faithfully,

Mr. Orestis BEKAS

Secretariat General of the European Commission

2 Attachments

Dear Mr Bekas,
Kindly find the answer to your confirmatory application concerning your
request for access to documents pursuant to Regulation (EC) N° 1049/2001
regarding public access to European Parliament, Council and Commission
documents (gestdem 2013-3822).
Yours sincerely,
Paul SIMON
Unit SG.B.5, Transparency
European Commission
 

Dear Secretariat General (SG),

Thank you for providing me with the response to the confirmatory application, which is the end of the road of the administrative procedure.

I would like to take this opportunity to make the following observations.

1. With the prior notification DPO-3398.1 DG RTD has been misrepresenting facts and deceiving the public. The whole administrative department DG RTD is liable for DPO-3398.1.

2. The DPO-3398.1 data controller within the meaning of article 1 of Commission Decision 597/2008(a Director) is personally liable for the misrepresentations and deceit of DPO-3398.1.

3. The prior notification DPO-978 does not cover the personal data processing of third parties, that is to say the short profiles of the researchers.

4. The confirmatory application response means that the Research DGs, as administrative departments, have adopted a policy of massively infringing Regulation 45/2001, reaching so low as to draw up deceitful prior notifications of article 25 of Regulation 45/2001. The illegal policy and conduct was, presumably, not officially disclosed to the Commission (the College). This will probably give rise to further several questions.

5. That the Secretariat-General did not carry out a search for documents itself, but instead relied on RG RTD - an administrative department that is manifestly in the business of deceiving the public in so far its compliance with Regulation 45/2001 is concerned - means that the Secretariat-General took the word of an administrative department that has every interest to conceal documents. Consequently, it cannot be excluded that a document does indeed exist, it is held by the Secretariat-General, the DG RTD had misplaced or even lost it, and was not released because the Secretariat-General did not bother to search for documents.

6. The public will no doubt take note of all this.

7. The Commission services should not be surprised if in the future data subjects will rely on responses to confirmatory applications like this one in support of claims for damages against the Commission due to infringements of Regulation 45/2001.

Yours faithfully,

Mr. Orestis BEKAS

Dear Secretariat General (SG),

This is the confirmatory application of GestDem 2013/3824, which concerns requests under (12) and (13) of the initial application, for which OLAF had assumed the responsibility to provide the initial reply.

I. OLAF’S SILENCE

By the letter Ares (2013)2794632 - 31/07/2013 OLAF requested the provision of additional information enabling the precise identification of the documents.

By email of 1 August - http://www.asktheeu.org/en/request/fp6_f... - I provided OLAF with the additional information.

By the letter Ares(2013) 3180822 – 3/10/2013 DG CNECT informed me “Please be informed that you will receive an answer to the remaining request from DG RTD and OLAF”.

On 14 November I made enquiries about the status of the OLAF initial reply, http://www.asktheeu.org/en/request/fp6_f....

As indicated by asktheeu.org and except the DG CNECT provision of information two months ago, OLAF has been silent since 31 July. It must thus be inferred that OLAF has decided to ignore my application. This necessarily means OLAF has totally refused access, with the additional factor of not bothering to provide me with some sort of statements of reasons.

II. OVERRIDING PUBLIC INTEREST

In my previous emails addressed to OLAF I advanced several arguments for an overriding public interest. The following paragraphs discuss that citizens have rightly doubts about the legality of OLAF’s external investigations of research projects prior to 1 October 2013 when Regulation 883/2013 entered into force.

First, another applicant lodged on 28 November 2013 a confirmatory application to OLAF, http://www.asktheeu.org/en/request/exter.... In section “I.3. Request #7 – Authorisation of Commission officials, participation of DG INFSO officials” that applicant called into question “the fairness and objectivity of OLAF’s investigations – including OLAF’s obligation to seek both inculpatory and exculpatory evidence”.

Second, the OLAF Supervisory Committee Opinion 2/2012 amounts to a scathing attack to several aspects of the legality of the investigation OF/2012/0617, https://docs.google.com/file/d/0B7Swai6S.... In particular, the Committee’s recommendations set out in the paragraphs enclosed in a box immediately following paragraphs 34, 38 and 40 show a systematic disregard by OLAF of several provisions of Regulation 45/2001.

Third, in the confirmatory application GestDem 2013/3681, http://www.asktheeu.org/en/request/prese..., a third applicant has questioned the close association of OLAF with the S.5 Unit of the former DG INFSO. More specifically, in a section entitled “2. REQUESTS #9 & #10, PERMISSION TO PUBLISH PRESENTATION “RISK-BASED AUDITS”, http://www.asktheeu.org/en/request/prese..., that third applicant has argued that an DG INFSO official – thus also the OLAF co-author of the publication – have infringed article 339 TFEU and article 8(2) of Regulation 45/2001.

Forth, the very recently published summary in the Official Journal of the action before the General Court T-483/13, Oikonomopoulos v Commission, and the Order of the President of the General Court of 27 November 2013 dismissing the application for interim measures show that a person concerned has challenged in a wholesale fashion the legality of OLAF’s external investigations of research projects. Although the published Order shows that – in as much the application for interim measures is concerned – the applicant has not relied on Regulation 45/2001 to challenge the legality of OLAF’s investigations, nevertheless the published summary shows that the applicant claims “misuse of powers” and infringement of article 8 of Regulation 45/2001.

Turning to the underlying substance regarding Regulation 45/2001 and OLAF’s external investigations of research projects, either the Commission had adopted some sort of a policy that OLAF were obliged to follow, or OLAF felt it was entitled to carry out such kind of external investigations unfettered by Regulation 45/2001 and national laws on personal data protection.

The above points illustrate that there is an overriding public interest for the full release of the requested documents. The Commission services ought to be forthright and timely inform the undersigned whether the requested documents are held, and in the event that they are held to fully release them.

Finally, the applicant is in total agreement with what was stated by another applicant in the confirmatory application of 29 November 2013, http://www.asktheeu.org/en/request/custo... :

“The application does not fall within the ambit of articles 2(1) and (2) of Commission Decision 1999/352, and consequently according to article 10 of the Commission Decision 937/2001 the Secretariat-General has the sole responsibility to provide the response to the confirmatory application.”

Consequently, the undersigned expects that the Secretariat-General will provide the response to the present confirmatory application.

Yours faithfully,

Mr. Orestis BEKAS

Secretariat General of the European Commission

1 Attachment

Dear Mr Bekas,

 

Your confirmatory request below has been forwarded to OLAF on 04/12/2013
for useful follow-up.

Sincerely yours,

 

Paul SIMON
European Commission - Secretariat General
Unit SG.B.5, Transparency

 

show quoted sections

Dear Secretariat General (SG),

As it appears from the email of 5 December, the Transparency Unit has disregarded my remark (last two paragraphs of the confirmatory application of 2 December) that according to article 10 of Commission Decision 937/2001 the confirmatory application is to be handled by the Secretariat-General.

Whereas an applicant is not in a position to dictate how an Institution acts internally within the administrative procedure of Regulation 1049/2001, nevertheless the above-mentioned Decision is binding on the Secretariat-General and OLAF.

Due regard it to be had that OLAF's handling of the initial application is tantamount to either a refusal to disclose documents without a statement of reasons or an attempt to avoid to state that such documents were not drawn up.

That OLAF has been functionally independent does not mean that the Director-General may disregard Regulation 45/2001 or Commission Decisions on personal data processing. This all the more so in view of article 8(4) of Regulation 1073/99 (repealed on 1/10/2013).

I would therefore maintain that the confirmatory application is to be handled by the Secretariat-General.

Yours faithfully,

Mr. Orestis BEKAS

Secretariat General of the European Commission

1 Attachment

Dear Mr Bekas,
 
We refer to your request for access to documents of 4 July 2013.  The
Secretariat General of the European Commission, which received your
request, has asked OLAF to respond to points 12 and 13.  We wish to inform
you that we are in the process of preparing a response to these points.
 However, in view of the complexity of the case, we will need 15
additional working days to provide you with our response.
 
Thank you for your understanding in this matter.
 
Yours sincerely,
 
 
On Behalf Of WASMEIER Martin (OLAF)
 
European Commission
DG OLAF
Unit C.4- Legal advice
 
 
 
 

Secretariat General of the European Commission

1 Attachment

Dear Mr Bekas,

 

Article 4 of the Commission Decision 937/2001 stipulates: "However, where
the confirmatory application concerns documents concerning OLAF activities
referred to in Article 2(1) and (2) of Decision 1999/352/EC, ECSC,
Euratom, the decisionmaking power is delegated to the Director of OLAF.".

Article 10 to which you refer to, concerns only the role of the
Secretariat General as a coordinator in matters concerning access to
documents.

So, I can only confirm you that we transferred your confirmatory request
to OLAF, as a responsible service, and will do again for a right
follow-up.

Yours sincerely,

 

Paul SIMON
European Commission - Secretariat General
Unit SG.B.5, Transparency

 

show quoted sections

Dear Secretariat General (SG),

Thank you for letting my know that despite my arguments the Secretariat-General has transferred the confirmatory application to OLAF.

I would like to respectfully take issue with that decision of the Secretariat-General.

Applicants expect that the Commission services, including OLAF, will strictly respect Union law. This includes Commission Decision 937/2001.

The public rightly believes that the Secretariat-General, together with the Legal Services, is the foremost expert in the Union about compliance with Regulation 1049/2001, Decision 937/2001 and the relevant case-law of the Courts of the Union.

When applicant insists that a confirmatory application like the present one is to be handled by the Secretariat-General, invoking article 10 of Decision 937/2001 and further stating "The application does not fall within the ambit of articles 2(1) and (2) of Commission Decision 1999/352, and consequently according to article 10 of the Commission Decision 937/2001 the Secretariat-General has the sole responsibility to provide the response to the confirmatory application”, in essence he advances the argument that the subject matter of the application "does not fall within the ambit of articles 2(1) and (2) of Commission Decision 1999/352" and consequently the confirmatory application is to be handled by the Secretariat-General.

Whereas the undersigned did not invoke article 4 of Decision 937/2001, which the Secretariat-General did invoke in its email of 11 December, the reasoning, and thus the conclusion, is the same: The confirmatory application does not fall under the ambit of articles 2(1) and (2) of Commission Decision 1999/352, and OLAF is not to handle the confirmatory application.

The Secretariat-General cannot credibly insist that documents setting out a Commission POLICY about OLAF's protection of personal data falls within the mandate of the OLAF Director-General. Article 8(4) of the repealed Regulation 1073/99 imposed the obligation to the Director to ensure that OLAF complies with the personal data protection Union law; this is about operational matters only. Until autumn 2013, no Regulation had empowered the Director to define a POLICY on personal data protection within the meaning of POLICY in the Commission Decision 597/2001.

The OLAF Supervisory Committee Opinion 2/2012, which is now a public document, https://docs.google.com/file/d/0B7Swai6S..., has criticised OLAF in its conduct of the OF/2012/0617 investigation for several infringements of Regulation 45/2001. The public is entitled to scrutinise whether OLAF had been complying with Regulation 45/2001 and the Commission POLICY on personal data protection.

The Secretariat-General should also bear in mind that essentially the same application may be submitted as a fresh one, but framed in slightly different terms. In that event, it may become inevitable that the application will be handled by the Secretariat-General.

How the Commission services handle a confirmatory application is a purely internal arrangement. Nevertheless, non-compliance with article 4 of Decision 937/2001 is a significant matter.

In the light of the above, I respectfully maintain that the DECISION of the Secretariat-General to transfer the confirmatory application to OLAF is non-compliant with Decision 937/2001.

Yours faithfully,

Mr. Orestis BEKAS

Secretariat General of the European Commission

1 Attachment

 

Dear Mr. Bekas,

 

We refer to your e-mail dated 02/12/2013 requesting access to certain
information.  Your application is currently being handled. However, in
view of the difficulty in identifying the documents requested, we will not
be in a position to complete the handling of your application within this
week.  An extended time limit is needed in order to supply you with an
answer.  Therefore we need to extend the time limit to 20/01/2014.

 

We apologize for this delay and for any inconvenience this may cause.

 

Yours faithfully,

 

 

  

European Commission

DG OLAF

Unit C.4- Legal advice

 

 

 

 

 

 

show quoted sections

Dear Secretariat General (SG),

This message concerns GESTDEM 2013/3824 and is to be passed on to OLAF.

******

Dear Member of the OLAF Unit C.4- Legal advice

This is make enquiries about the status the initial response to GESTDEM 2013/3824.

It is worth noting the chronology of the events of GESTDEM 2013/3824, that it to say the first stage of the administrative procedure of Regulation 1049/2001.

The application was attributed to OLAF on 19 July
http://www.asktheeu.org/en/request/fp6_f....

On 31/7/2013 OLAF OLAF requested the applicant for more information enabling the precise identification of the requested documents, letter Ares(2013)2794632 http://www.asktheeu.org/en/request/627/r....

On 1/8/2013 I provided information to OLAF enabling the precise identification of the documents at issue http://www.asktheeu.org/en/request/fp6_f....

On 3 October in the third last paragraph of the letter Ares(2013)3180822 DG CNECT informed me that OLAF would provide soon the initial response to this application
http://www.asktheeu.org/en/request/627/r...

On 14/11/2013 I made enquiries with OLAF, also pointing out some legal consequences of Annex II “Correlation table” of Regulation 883/2013 vis-a-vis GESTDEM 2013/3824 http://www.asktheeu.org/en/request/fp6_f...

On 2/12/2013 I made further enquiries with OLAF, noting OLAF's silence, and further advancing arguments for an overriding public interest.

On 6/12/2013 I protested to the Secretariat-General that the application was attributed to OLAF because the Commission had not empowered the OLAF Director-General to adopt Decisions on a POLICY as regards the personal data processing http://www.asktheeu.org/en/request/fp6_f....

On 6/12/2013 OLAF informed me that 15 working days were needed to provide the initial response.

On 12 and 13 December I protested again that the application was attributed to OLAF.

On 13/1/2014 OLAF Unit C.4 informed that the it would provide me with a reply on 20 January.

The asktheeu.org website shows that OLAF has not provided the response.

It is respectfully submitted that such excessively protractive conduct in an application under Regulation 1049/2001 is simply not acceptable. It is even more so since the documents at issue concern the fundamental right of personal data protection and COMMISSION POLICY on that fundamental right.

In view of the foregoing, I would expect that OLAF would promptly provide me with the long overdue initial reply to GESTDEM 2013/3824.

Yours faithfully,

Mr. Orestis BEKAS

Secretariat General of the European Commission

1 Attachment

Dear Mr Bekas,

 

Please find herewith a letter from our Director Ms Sanz Redrado for your
information.

 

Best regards,

 

 

EUROPEAN COMMISSION
EUROPEAN ANTI-FRAUD OFFICE (OLAF)
Directorate  C: Investigation Support
Unit  C.4 – Legal Advice
Rue Joseph II, 30 • B-1000 Brussels (Belgium)

[1]http://ec.europa.eu/anti_fraud

Our policy regarding personal data protection can be viewed on
[2]http://ec.europa.eu/anti_fraud/about-us/...

 

 

References

Visible links
1. http://ec.europa.eu/anti_fraud
2. http://ec.europa.eu/anti_fraud/about-us/...