Public register of prior notifications, previous versions, Regulation No 45/2001

Secretaría General de la Comisión Europea no tenía la información solicitada.

Dear Secretariat General (SG),

Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:

The application is concerned with the practice of the European Commission Data Protection Officer – DPO not to make available in the public register of prior notifications http://ec.europa.eu/dpo-register/search.... previous versions of prior notifications.

To place the application in a proper context, the first section sets out the basis legal framework and the second one discusses the current practices of the DPO.

I. LEGAL FRAMEWORK

I.A Regulation (EC) No 45/2001

Article 24
Appointment and tasks of the Data Protection Officer 1. Each Community institution and Community body shall appoint at least one person as data protection officer. That person shall have the task of:
(......)

(d) keeping a register of the processing operations carried out by the controller, containing the items of information referred to in Article 25(2);

Article 25 ‘Notification to the Data Protection Officer’

(.......)
3. Any change affecting information referred to in paragraph 2 shall be notified promptly to the Data Protection Officer.

Article 26 ‘Register’
A register of processing operations notified in accordance with Article 25 shall be kept by each Data Protection Officer.

The registers shall contain at least the information referred to in Article 25(2)(a) to (g). The registers may be inspected by any person directly or indirectly through the European Data Processing Supervisor.

I.B Commission Decision of 3/6/2008 adopting implementing rules concerning the Data Protection Officer (.....), 2008/597/EC

Article 4(4):
The DPO shall make the register of processing operations, provided for in Article 26 of the Regulation, available on the internal and external websites of the Commission.

Article 12 ‘Register’
The electronic register of processing operations of the Commission mentioned in Article 4(4) hereof shall be accessible through the website of the DPO on the Intranet of the Commission for all staff of Community institutions and bodies and on the Europa website for any person having access to the Internet. Extracts of the register can be requested by any person not having access to the Internet in writing to the DPO, who shall reply within 10 working days.

II. PAST AND CURRENT DPO PRACTICES ABOUT THE REGISTER OF ARTICLE 26

In the end of 2011 it was possible to directly access from the register located in the Europa website http://ec.europa.eu/dpo-register/search.... the current and previous versions of a prior notification.

Sometime in 2012 the DPO modified the functionality of the article 12 electronic register, and thereafter it has not been possible to have access via the Europa website to previous versions of a prior notification.

By reading together the provisions quoted in section I above, it is obvious that the public register must contain the ‘processing operations notified in accordance with Article 25’, which implies that it must contain the previous versions of every single prior notification.

Notwithstanding the legal obligation to keep in the public register all previous all versions of a prior notification, the current practice of the DPO has the undesirable effect of frustrating the legal right of citizens of having unimpeded access to the public register.

A first example of the negative effects of the DPO practice of removing from the public register access to the previous versions of prior notifications is GestDem 2013/3351, http://www.asktheeu.org/en/request/perso.... Presumably, the applicant was compelled to submit a request pursuant to Regulation No 1049/2001 to obtain copies of DG RTD DPO-3398.1, DPO-3398.2, and DPO-3398.3. Fifteen working days after the registration of the application, DG RTD has not released the previous versions of DPO-3398. Should the applicant had lodged a request to the DPO pursuant to the aforesaid article 12, the DPO would have been obliged to release the previous versions in 10 working days. As things stand as of 15/7/2013, DG RTD will release the DPO-3398 previous versions after 30 working days.

A second example is the DG MARE DPO-3455.1. A version downloaded in early 2013 is given in the annex part of this document. The last sentence of section 8 of DPO-3455.1 of early 2013 reads:

“This processing has been submitted to the EDPS who concluded that Article 27 is not applicable”

This statement is no longer found in DPO-3455.1 as of July 2013. The raises several important questions, and gives rise to concerns that a few data controllers and the DPO have been ‘fiddling’ with some prior notifications without due regard that they are statutory instruments.

As a final remark, the practice of removing older versions from the public register has the additional negative consequence of imposing additional administrative burden to the Commission services, in so far they have to deal with requests pursuant to Regulation No 1049/2001 or article 12 of Decision 2008/597/EC for older versions of prior notifications by launching each time a separate administrative procedure. Put differently, the current practice is an antithesis to sound administration.

III. REQUEST FOR DOCUMENTS

The requests hereunder concern documents drawn up by the Secretariat-General and the DPO.

1. The documents setting out how prior notifications entered in the article 26 register are checked for factual accuracy.

2. The documents setting out the rationale for not making available in the public register the previous versions of prior notifications, even though this is provided in Union law.

3. The document(s), if any, with which the DPO informed his superiors about his ‘implied’ decision sometime in 2012 to remove from the public register the already existing functionality of making available previous versions of the prior notifications.

4. The document(s), if any, with which the superiors of the DPO agreed with the DPO practice of not making available the previous versions of the prior notifications in the public register.

IV. OVERRIDING PUBLIC INTEREST

The requested documents are directly concerned with the fundamental right of personal data protection and the current practices of the DPO that, apparently, are not compliant with the provisions listed in section I above. The overriding public interest for a full release is manifestly evident.

***********************

ANNEX: DG MARE DPO-3455.1 AS OF EARLY 2013

Content of DPO-3455.1 in the ling http://ec.europa.eu/dpo-register/details...

European Commission
Data Protection Officer

DPO-3455.1 DG MARE-External Audit and Control

Directorate-General: Maritime Affairs and Fisheries

Controller: JOHNSTON Mark

Publication: 2011-09-16

Processing

1. Name of the processing
DG MARE-External Audit and Control

2. Description
The ex-post controls are organised on a regular basis in order to provide assurance to the authorising officer on the proper use of EU funds by the beneficiaries and thereby ensure the protection of financial interests of the European Union.
During these controls the auditors may need to see, collect and process various personal data in order to justify the costs declared.

These data may include (non exhaustive list):

• Salaries of the persons concerned;
• Time sheets of the same people;
• Any other document that identifies the time of work done and the actual earnings of these people;
• Travel documents;
• Documents relating to outsourcing.
This information is only used as proof of eligibility of the operations and is classified as supporting documents (eg. If the European Court of Auditors would review the work of the auditors of the Commission).

Article 27 of Reg 45/2001 does not apply.

3. Sub-Contractors

4. Automated / Manual operations
n/a

Beneficiarry undertakes to provide any detailed information, including information in electronic format, requested by the Commission or by any other outside body authorised by the Commission in order to check that the action and the provisions of the agreement/decision/programme are being properly implemented.

5. Storage
Personal data in paper format is stored in the financial unit of the DG. Data are stored in coputer system and /or phisical archives accessible only to duly authorized staff.

6. Comments
n/a

Purpose & legal basis

7. Purposes
Checks and financial controls are carried out in view of assessing the legality and regularity of the transaction underlying the implementation of the Community budget

8. Legal basis / Lawfulness
The possibility for the EC to carry out checks and financial controls is foreseen in the model grant agreement or contract signed between the EC and the beneficiary/contractor as required by the Financial Regulation ("FR") applicable to the General Budget of the European Communities (art. 170, 60.4), and its Implementing Rules ("IR") (art. 47.4).

Relevant legislation in the area of fisheries.

Legal basis for audits on the expenditure related to the common organisation of the markets incl. outermost regions:

• In accordance with Article 36(1) of the of Regulation 1290/2005 of 21 June 2005, Member States shall make available to the Commission all information necessary for the smooth operation of the EAGF and shall take all appropriate measures to facilitate the checks which the Commission deems appropriate in connection with the management of Community financing, including on-the-spot checks.

• Pursuant to Article 37(1)(a) and (b) of the same regulation, the Commission may organise on-the-spot checks with a view to verifying in particular compliance of administrative practices with Community rules and the existence of requisite supporting documents.

• Article 44 of the same regulation clarifies that Member States and the Commission shall take all necessary steps to ensure the confidentiality of the information communicated or obtained under inspection

Legal basis for audits on expenditure related to collection and management of the basic fisheries data and measure in the area of control and enforcement of CFP:

• Article 28 of Council Regulation n°861/2006 of 22 May 2006 establishing Community financial measures for the implementation of common fisheries policy and in the area of the Law of the Sea provides that officials of the Commission, or their representatives, may carry out on-the-spot audits on actions financed by this Regulation at any time for a period up to three years after the final payment made by the Commission

The processing operations on personal data carried out in the context of external audits and controls are necessary and lawful under three articles of the Regulation (EC) 45/2001:

• article 5 (a): processing is necessary for the performance of a task carried out in the public interest
on the basis of the Treaties establishing the European Communities or other legal instruments adopted
on the basis thereof…
• article 5 (b): processing is necessary for compliance with a legal obligation to which the controller is subject
• article 20.1.b): necessary measure to safeguard:
(a) the prevention, investigation, detection and prosecution of criminal offences;
(b) an important economic or financial interest of a Member State or of the European Communities, including monetary, budgetary and taxation matters;
(c) the protection of the data subject or of the rights and freedoms of others;

This processing has been submitted to the EDPS who concluded that Article 27 is not applicable.

Data subjects / fields

9. Data subjects
Any person/administration involved in the implementation of an action/programme financed by the EU budget

Contractors and sub-contractors
Beneficiaries of grants
Staff
Experts

10. Data fields
All necessary data to efficiently conduct a control such as:

• Name,
• Function,
• Grade,
• Activities and expertises,
• Professional address,
• Timesheets,
• Salary,
• Accounts,
• Cost accounting,
• Missions,
• Information coming from local IT system used to declare costs as eligible,
• Supporting documents linked to travel costs,
• Minutes from mission and other similar data depending of the nature of the action.
No data which fall under article 10.

See point 17)

Rights of D.S.

11. Information
The Privacy Statement is attached to the Commission's letter initiating the control process.

(See model letter and annex to the letter in copy)

attachments:
-08a_1stNotificationLetter_Announcing the Mission_NEW0911.rtf
-external_audit_model_privacystatement_Mare.doc

12. Procedure to grant rights
Functional mailbox to get information and mailbox of the EDPS to lodge a complaint (see Privacy statement ).

13. Retention
Each external auditors is responsible of archiving the documents related to these audits. Data are stored until 10 years after the final payment on condition that no contentious issues occurred; in this case, data will be kept until the end the last possible legal procedure.

14. Time limit
The Commission services will respond within 15 working days to any request and if this is considered justified the relevant correction or deletion will be performed within one calendar month.

15. Historical purposes

Recipients

16. Recipients
Collected personal data could be submitted to Commission services in charge of external audits and controls, without prejudice to a possible transmission to the bodies in charge of a monitoring or inspection task in accordance with Community law (OLAF, Court of Auditor, Ombudsman, EDPS, IDOC, Internal Audit Service of the Commission).

See point 20)

17. Transfer
n/a

Yours faithfully,

Mr. Akis NASTAS

Secretaría General de la Comisión Europea

Dear Sir:

Thank you for your email dated 15 July 2013, registered today under the reference Gestdem 2013/3713.

I hereby acknowledge receipt of your request for access to documents.

In accordance with Regulation 1049/2001 regarding public access to European Parliament, Council and Commission documents, you will receive a response to your request within 15 working days. The time limit will expire on 06 August 2013. In case this time limit needs to be extended, you will be informed in due course.

Yours sincerely,

Priscille Schiltz
European Commission
SG B5 – Transparency
'Access to documents'
B-1049 Brussels/Belgium

mostrar partes citadas

Dear Secretariat General (SG),

I refer to application GestDem 2013/3713 and the email of the Transparency Unit dated 16/7/2013 with which the Unit informed me about the registration of the application.

The time-limit for the initial reply was set on the 6th of August 2013. Even though more than 20 working days have elapsed since that date, the Commission services have been silent about the initial application.

I would therefore be obliged if the Commission services would inform me about the status of the initial reply.

Yours faithfully,

Mr. Akis NASTAS

Secretaría General de la Comisión Europea

Dear Sir,
 
 
The Secretariat general of the Commission has asked me to reply to your
request for documents registered under the above mentioned reference
(GestDem 2013/3713) which concerns documents drawn up by the
Secretariat-General and the DPO.
 
     1. The documents setting out how prior notifications entered in the
     article 26 register are checked for factual accuracy.
 
Such documents do not exist
 
     2. The documents setting out the rationale for not making available
     in the public register the previous versions of prior
     notifications, even though this is provided in Union law.
 
Such documents do not exist
 
     3. The document(s), if any, with which the DPO informed his
     superiors about his ‘implied’ decision sometime in 2012 to remove
     from the public register the already existing functionality of
     making available previous versions of the prior notifications.
 
Such documents do not exist
 
     4. The document(s), if any, with which the superiors of the DPO
     agreed with the DPO practice of not making available the previous
     versions of the prior notifications in the public register.
 
Such documents do not exist
 
 
Kind regards
 
Philippe Renaudière
Data Protection Officir
 
 

Dear Secretariat General (SG),

Pursuant to article 7(2) of Regulation No 1049/2001, this is confirmatory application for requests #2 to #4. According to article 4 of the Commission Decision 937/2001 (OJ 2001 L 345/94, 29/12/2001) it is to be handled by the Secretariat-General.

1. JUSTIFICATION OF THE CONFIRMATORY APPLICATION

The article 25 of Regulation No 45/2001 prior notifications DG ENTR DPO-3333.1, DG INFSO DPO-3338.1, DG RTD DPO-3398.1 and DG MOVE DPO-3420.1 contain the following two false declarations:

"- This processing has been submitted to the EDPS who concluded that article 27 is not applicable

- 3. Subcontractors -"

In their respective initial replies

1. DG ENTR GESTDEM 2013/3418, http://www.asktheeu.org/en/request/exten...

2. DG MOVE GESTDEM 2013/3488, http://www.asktheeu.org/en/request/exter...

3. DG RTD GESTDEM 2013/3351, http://www.asktheeu.org/en/request/perso...

each respective Directorate-General admitted that the purported EDPS 'consultation' never took place. The EDPS has also confirmed that the corresponding DG INFSO statement is also false (see the EDPS document C 2012 0457, http://www.asktheeu.org/en/request/677/r...).

According to the Commission Decision 597/2008 (OJ 2008 L 193/7 of 22/7/2008) and articles 24 and 26 of Regulation No 45/2001 the Data Protection Officer (DPO) has several responsibilities, including correspondence with the EDPS. The DPO was therefore fully aware about the false statement of the purported, but non-existing, EDPS 'consultation'.

Instead of being the 'guardian' of the data subjects rights as stipulated in article 24(1) of Regulation No 45/2001, the DPO actively participated in the deception scheme of the Research DGs concerning the above four prior notifications. The false declarations in statutory documents makes the whole matter extremely serious.

In doing all this, the DPO completely destroyed his credibility. For this reason, any statement of the DPO about the non-existence of documents, whereas both the relevant EU law and also the principle of sound administration indicate that the DPO ought to have drawn up such documents, cannot be taken as truthful.

In conclusion, the truthfulness of the DPO initial reply is called into question by the DPO's own conduct.

2. REQUEST #2

The initial application argued that both the EU law on personal data protection and the principle of sound administration dictate that older versions of prior notifications are to be directly accessible to the public. The DPO's 'decision' to remove the functionality of the public register of prior notification to display earlier versions is both arbitrary and likely unlawful.

Furthermore, the public register of prior notifications is technically implemented by a Cold-Fusion application. An internal database of the DPO stores more information about a prior notification than that 'published' in the register prior notification. To filter out the information of the internal database and display a prior notification in the public register, specific Cold-Fusion code has been developed. It is extremely unlikely that the DPO, or the staff of his Unit, are competent in Cold-Fusion programming. This line of reasoning suggests that the DPO Unit gave specific instructions to the Cold-Fusion programmers who have implemented the Cold-Fusion applications displaying to the public the prior notifications. The issuance of such instructions to these programmers in order to remove the display of older versions of the prior notifications and the associated workflow entails the drawing up of documents, even in the form of a short email. All this means that it is nearly certain that some kind of a DPO 'decision' was communicated in writing to the Cold-Fusion programmers. Such a 'decision' falls within the scope of request #2.

It is expected that the Secretariat-General will take a second look at the whole matter in considering request #2 of the confirmatory application.

3. REQUEST #3

Given the complete operational independence of the DPO (e.g. article 3(3) of Decision 597/2008), his superiors are not those in the hierarchy of the Secretariat-General, but a Member of the Commission, or the whole College.

It cannot be accepted that the DPO removed from the Europa website register of article 4(4) of Decision 597/2008 the earlier versions of prior notifications (statutory documents) in contravention of EU law without consulting a Member of the Commission.

If indeed the DPO did not bother to duly inform a Member of the Commission about it, then on top of actively participating in deception schemes the DPO has further been infringing the EU law governing the personal data protection by the European Commission.

In case the DPO did not consult with a Member of the Commission about this matter, this would immediately call into question the very integrity of the DPO and his diligence in observing legality.

It is expected that the Secretariat-General will take a second look at the whole matter in considering request #3 of the confirmatory application.

4. REQUEST #4

The confirmatory application about request #4 is a simple consequence of request #3.

Yours faithfully,

Mr. Akis NASTAS

Secretaría General de la Comisión Europea

1 Adjuntos

Dear Mr Nastas,   

 

Thank you for your e-mail dated 29/09/2013, registered on 16/16/2013.  I
hereby acknowledge receipt of your confirmatory application for access to
documents (ref.: Ares(2013)3251888 – gestdem 2013-3713). 

In accordance with Regulation 1049/2001 regarding public access to
European Parliament, Council and Commission documents, you will receive a
response to your request within 15 working days (07/11/2013).

 

Yours sincerely,

Paul SIMON
European Commission - Secretariat General
Unit SG.B.5, Transparency

 

--Original Message-----

From: Mr. Akis NASTAS [[1]mailto:[FOI #680 email]]

Sent: Sunday, September 29, 2013 5:53 PM

To: RENAUDIERE Philippe (SG)

Subject: Re: GestDem 2013/3713

 

Dear Secretariat General (SG),

 

Pursuant to article 7(2) of Regulation No 1049/2001,  this is confirmatory
application for requests #2 to #4. According to article 4 of the
Commission Decision 937/2001 (OJ 2001 L 345/94, 29/12/2001) it is to be
handled by the Secretariat-General.

 

1. JUSTIFICATION OF THE CONFIRMATORY APPLICATION

 

The article 25 of Regulation No 45/2001 prior notifications DG ENTR
DPO-3333.1, DG INFSO DPO-3338.1, DG RTD DPO-3398.1 and DG MOVE DPO-3420.1
contain the following two false declarations:

 

"- This processing has been submitted to the EDPS who concluded that
article 27 is not applicable

 

- 3. Subcontractors -"

 

In their respective initial replies

 

1. DG ENTR GESTDEM 2013/3418,
[2]http://www.asktheeu.org/en/request/exten...

 

2. DG MOVE GESTDEM 2013/3488,
[3]http://www.asktheeu.org/en/request/exter...

 

3. DG RTD GESTDEM  2013/3351,
[4]http://www.asktheeu.org/en/request/perso...

 

each respective Directorate-General admitted that the purported EDPS
'consultation' never took place. The EDPS has also confirmed that the
corresponding DG INFSO statement is also false (see the EDPS document C
2012 0457,
[5]http://www.asktheeu.org/en/request/677/r...

 

According to the Commission Decision 597/2008 (OJ 2008 L 193/7 of
22/7/2008) and articles 24 and 26 of Regulation No 45/2001 the Data
Protection Officer (DPO) has several responsibilities, including
correspondence with the EDPS. The DPO was therefore fully aware about the
false statement of the purported, but non-existing, EDPS 'consultation'.

 

Instead of being the 'guardian' of the data subjects rights as stipulated
in article 24(1) of Regulation No 45/2001, the DPO actively participated
in the deception scheme of the Research DGs concerning the above four
prior notifications. The false declarations in statutory documents makes
the whole matter extremely serious.

 

In doing all this, the DPO completely destroyed his credibility. For this
reason, any statement of the DPO about the non-existence of documents,
whereas both the relevant EU law and also the principle of sound
administration indicate that the DPO ought to have drawn up such
documents, cannot be taken as truthful.

 

In conclusion, the truthfulness of the DPO initial reply is called into
question by the DPO's own conduct.

 

2. REQUEST #2

 

The initial application argued that both the EU law on personal data
protection and the principle of sound administration dictate that older
versions of prior notifications are to be directly accessible to the
public. The DPO's 'decision' to remove the functionality of the public
register of prior notification to display earlier versions is both
arbitrary and likely unlawful.

 

Furthermore, the public register of prior notifications is technically
implemented by a Cold-Fusion application. An internal database of the DPO
stores more information about a prior notification than that 'published'
in the register prior notification. To filter out the information of the
internal database and display a prior notification in the public register,
specific Cold-Fusion code has been developed. It is extremely unlikely
that the DPO, or the staff of his Unit, are competent in Cold-Fusion
programming. This line of reasoning suggests that the DPO Unit gave
specific instructions to the Cold-Fusion programmers who have implemented
the Cold-Fusion applications displaying to the public the prior
notifications. The issuance of such instructions to these programmers in
order to remove the display of older versions of the prior notifications
and the associated workflow entails the drawing up of documents, even in
the form of a short email. All this means that it is nearly certain that
some kind of a DPO 'decision' was communicated in writing to the
Cold-Fusion programmers. Such a 'decision' falls within the scope of
request #2.

 

It is expected that the Secretariat-General will take a second look at the
whole matter in considering request #2 of the confirmatory application.

 

3. REQUEST #3

 

Given the complete operational independence of the DPO (e.g. article 3(3)
of Decision 597/2008), his superiors are not those in the hierarchy of the
Secretariat-General, but a Member of the Commission, or the whole
College. 

 

It cannot be accepted that the DPO removed from the Europa website
register of article 4(4) of Decision 597/2008 the earlier versions of
prior notifications (statutory documents) in contravention of EU law
without consulting a Member of the Commission.

 

If indeed the DPO did not bother to duly inform a Member of the Commission
about it, then on top of actively participating in deception schemes the
DPO has further been infringing the EU law governing the personal data
protection by the European Commission.

 

In case the DPO did not consult with a Member of the Commission about this
matter, this would immediately call into question the very integrity of
the DPO and his diligence in observing legality.

 

It is expected that the Secretariat-General will take a second look at the
whole matter in considering request #3 of the confirmatory application.

 

4. REQUEST #4

 

The confirmatory application about request #4 is a simple consequence of
request #3.

 

Yours faithfully,

 

Mr. Akis NASTAS

 

mostrar partes citadas

Secretaría General de la Comisión Europea

5 Adjuntos

  • Attachment

    Picture Device Independent Bitmap 1.jpg

    1K Download

  • Attachment

    Picture Device Independent Bitmap 2.jpg

    1K Download

  • Attachment

    NASTAS 2013 3713.pdf

    66K Download View as HTML

  • Attachment

    Delivery delayed Confirmatory application for access to documents pursuant to Regulation 1049 2001 GESTDEM 2013 3713 NASTAS.html

    0K Download

  • Attachment

    Delivery delayed Confirmatory application for access to documents pursuant to Regulation 1049 2001 GESTDEM 2013 3713 NASTAS.delivery status

    0K Download

Dear Mr Nastas,
 
Last week, we tried to send you the message below.
Unfortunately, the website "Ask the EU" encountered problems that made
impossible to reach you ( ).
I hope that, this time, the sending will function.
Yours sincerely,
 
Paul SIMON
European Commission - Secretariat General
Unit SG.B.5, Transparency
 
 
 
_____________________________________________
From: SG ACCES DOCUMENTS
Sent: Wednesday, November 06, 2013 10:44 AM
To: '[FOI #680 email]'
Subject: Confirmatory application for access to documents pursuant to
Regulation 1049-2001 - GESTDEM 2013-3713 - NASTAS
 
 
Dear Mr Nastas,
Kindly find herewith a letter concerning your confirmatory application for
access to documents (gestdem 2013-3713).
       
Yours sincerely,
 
Paul SIMON
Unit SG.B.5, Transparency
European Commission
 

Secretaría General de la Comisión Europea

2 Adjuntos

 
Dear Mr Nastas,

Kindly find herewith a letter concerning your confirmatory application for
access to documents (gestdem 2013/3713).
Yours sincerely,
 
Carlos Remis
SG.B.5.
Transparence.
Berl. 05/329.
 
 
 
 

 
 
 

Secretaría General de la Comisión Europea

2 Adjuntos

 
Dear Mr Nastas,

Kindly find the answer to your confirmatory application concerning your
request for access to documents pursuant to Regulation (EC) N° 1049/2001
regarding public access to European Parliament, Council and Commission
documents (Gestdem 2013/3713).
Yours sincerely,
Carlos Remis
SG.B.5.
Transparence.
Berl. 05/329.