FP6 & FP7 calls for proposals and negotiations, personal data processing, DG RTD DPO-978 & DPO-2382

La demande est partiellement réussie.

Mr. Tasos Ntetsikas

Dear European Data Protection Supervisor,

Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:

This application concerns the Research family DGs of the Commission (hereafter “Research DGs”), and in particular the FP6 & FP7 call for proposals and the ensuing negotiations aiming at concluding a contract. DG RTD has always been the lead service.

A. PRELIMINARY OBSERVATIONS ON CALL FP6 & FP7 CALLS FOR PROPOSALS

The following paragraphs set out some observations that are highly relevant to the present application.

Firstly, the calls and negotiations are operational procedures pursuant to Community/Union law, which means the Research DGs have been operating as Public Authorities.

Secondly, calls for proposals are very similar to public calls for tenders of the Institutions. There is considerable body of EU case law about actions for annulment of tender awards. The EU Courts have consistently held that in call for tenders the Institutions enjoy a wide margin of discretion in drawn up the tender specifications, provided that the general legal principles are observed, such as open access to market, fairness, non-discriminatory treatment of tenderers and genuine competition. It must thus be conclude that in organising calls for proposals the Research family DGs enjoy a similar margin of discretion.

Thirdly, article 5(c) of Regulation No 45/2001 specifically stipulates “Personal data may be processed only if: [….] (c) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. That the EU legislature enacted a specific legal provision for contracts only signals its underlying reasoning and intention that articles 5(a) and 5(b) are not, by definition, a sufficient basis to process personal data in contracts.

Fourthly, in view of the foregoing considerations, it must be concluded that personal data processing in the context of FP6 and FP7 calls for proposals and negotiations is lawful only if article 5(d) of Regulation No 45/2001 is satisfied, that is to say “the data subject has unambiguously given his or her consent”.

Fifthly, the single prior notification about call for proposals is DG RTD DPO-978. Versions DPO-978.1 to DPO-978.5 had been totally silent about “profiles”, that is to say CVs. It is absolutely certain that the Research DGs have not even attempted to obtain the consent of the data subjects whose personal data were recorded in FP6 & FP7 proposals submitted for evolution following calls for proposals. It is easy to confirm this, simply by taking a quick glance in the numerous FP6 and FP7 Applicants Guides, save calls for proposals for research work of a specific individual such as Marie Curie. For instance, the Guide for Applicants, FP7-ICT-2011-C FET-Open Scheme, Page 56/69 reads:

“2.2 Individual participants
For each participant in the proposed project, provide a brief description of the legal entity, the main tasks they have been attributed, and the previous experience relevant to those tasks.
Provide also a short profile of the individuals who will be undertaking the work”

Finally, it can thus be concluded with absolute certainty that there are, rightly, extremely serious doubts regarding the compliance with Regulation No 45/2001 of the vast majority of the FP6 and FP7 calls for proposals.

B. PRELIMINARY OBSERVATIONS ON CALL FP6 & FP7 NEGOTIATIONS GUIDES

In an FP7 Negotiations Guide it is stated:
“Provide also a short profile of the personnel who will be undertaking the work. If the named key persons do not in fact take part in the work, or are substituted by other persons without the knowledge of the Commission, this could be seen as beneficiaries not fulfilling their obligations towards the technical quality of the work. This could lead to a more in-depth review of the project”

In my opinion this is truly astonishing. The Commission services state, essentially, a thinly veiled threat to FP7 prospective beneficiaries that any change of key personnel without notifying the Commission services may be regarded as a breach of contract, that is to say an “irregularity”. Even though Annex II of the FP7 grant agreement does not contain that particular provision, all this begs the question why it has been inserted in the Negotiations Guide in the first place.

In substance, this “position” of the Research DGs in the Guides amounts the introduction to the FP7 grant agreements the obligation to notify to the Research DGs about internal matters of the beneficiary, which also amounts to a double intrusion into the private affairs of a legal person (beneficiary) and a natural person (key researcher). For all intends and purposes, researchers are third parties to the FP7 grant agreement.

Until late 2012, the DG RTD prior notification about FP6 and FP7 negotiations is DPO-2382, which was first filed in October 2007. It means that every single FP6 DG RTD negotiation was not covered by an article 25 prior notification. It appears that DG RTD “retired” DPO-2382 sometime in late 2012, maintaining that DPO-978.6 has “taken over” the DPO-2382 data processing operations. However, neither DPO-978.1 – DPO-978.5 nor DPO-2382 mentioned the slightest about “profiles” of key researchers. Expectedly, they were silent about the “veiled” threat.

C. PRELIMINARY CONCLUSIONS

The aggregate funding of FP6 and FP7 is in the order of 65 billion Euro. A rough and conservative estimation of the total number of “profiles” submitted in all FP6 & FP7 calls for proposals suggests a figure in the order of a few hundreds of thousands (100,000), which is a staggering figure.

In my opinion, there are extremely serious doubts whether in FP6 & FP7 calls for proposals the Research family DGs have observed Regulation No 45/2001. If anything, the above reasoning suggests that the Research DGs have flagrantly disregarded it.

Turning to the duties of the EDPS, it is reasonable to expect that the EDPS holds documents about the above matters, either drafted by its own staff or submitted by the Commission services.

D. REQUEST FOR DOCUMENTS

The present application is submitted pursuant to article 42 of the Charter of the Fundamental Rights of the European Union. It concerns the following documents:

1. Internal EDPS documents about FP6 & FP7 calls for proposals.

2. Internal EDPS documents about FP6 & FP7 negotiations aiming at concluding contracts and agreements.

3. Documents the Commission services dispatched to the EDPS about FP6 & FP7 calls for proposals.

4. Documents the Commission services dispatched to the EDPS about FP6 and FP7 negotiations aiming at concluding contracts and agreements.

5. Notwithstanding requests (1) – (4) above, correspondence between the EDPS and the Commission services about FP6 and FP7 calls for proposals and negotiations.

6. Notwithstanding requests (1) – (5) above, meeting minutes for meetings held between the EDPS and the Commission services about the FP6 and FP7 programmes, irrespective of the particular topics discussed at the meetings.

7. Notwithstanding requests (1) – (6) above, any internal EDPS document about visits of the EPDS to the Commission services about the FP6 and FP7 programme, irrespective of the particular topics discussed at the visits.

As the documents concern the fundamental right of privacy, the documents are to be fully released, with the identities of the of the EDPS and Commission staff redacted.

Yours faithfully,

Mr. Tasos Ntetsikas

European Data Protection Supervisor, Contrôleur européen de la protection des données

Subject : Acknowledgement of receipt

 

Dear Sir,

 

We acknowledge receipt of your request which was registered on 28 June
2013.

 

In accordance with Article 7(1) of Regulation (EC) No 1049/2001 regarding
public access to European Parliament, Council and Commission documents,
you will receive a reply within 15 working days (by 18/07/2013).

 

Your case has been registered with case number 2013-0733 .

 

Sincerely, 
 

  EDPS Secretariat

Tel. +32 2 283 19 00 | Fax +32 2 283 19 50

[1]Email [2][EDPS request email]

European Data Protection Supervisor
Postal address: Rue Wiertz 60, B-1047 Brussels
Office address: Rue Montoyer 30, B-1040 Brussels

[3]Twitter [4]@EU_EDPS   [5]Website [6]www.edps.europa.eu

This email (and any attachment) may contain information that is internal
or confidential. Unauthorised access, use or other processing is not
permitted. If you are not the intended recipient please inform the sender
by reply and then delete all copies. Emails are not secure as they can be
intercepted, amended, and infected with viruses. The EDPS therefore cannot
guarantee the security of correspondence by email.

 

References

Visible links
2. mailto:[EDPS request email]
mailto:[EDPS request email]
4. http://twitter.com/EU_EDPS
http://twitter.com/EU_EDPS
6. http://www.edps.europa.eu/
http://www.edps.europa.eu/

European Data Protection Supervisor, Contrôleur européen de la protection des données

7 Attachments

Dear Mr Ntetsikas,

 

Please find attached a scanned version of a letter together with 2
annexes.

 

Yours sincerely,

 

 

 [1]https://secure.edps.europa.eu/EDPSWEB/we... EDPS Secretariat 

Tel. +32 2 283 19 00 | Fax +32 2 283 19 50

 

[2]https://secure.edps.europa.eu/EDPSWEB/we... request email]

European Data Protection Supervisor
Postal address: Rue Wiertz 60, B-1047 Brussels
Office address: Rue Montoyer 30, B-1000 Brussels

[4]https://secure.edps.europa.eu/EDPSWEB/we...   [6]https://secure.edps.europa.eu/EDPSWEB/we...

 

This email (and any attachment) may contain information that is internal
or confidential. Unauthorised access, use or other processing is not
permitted. If you are not the intended recipient please inform the sender
by reply and then delete all copies. Emails are not secure as they can be
intercepted, amended, and infected with viruses. The EDPS therefore cannot
guarantee the security of correspondence by email.

 

 

 

References

Visible links
3. mailto:[EDPS request email]
5. http://twitter.com/EU_EDPS
http://twitter.com/EU_EDPS
7. http://www.edps.europa.eu/
http://www.edps.europa.eu/