FP7 grant agreements, personal data protection, proof of possession of personal data by the Research DGs

Recherche et de l’innovation n'avait pas les informations demandées.

Mr. Orestis BEKAS

Dear Research and Innovation (RTD),

Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:

I. ANNEX I OF FOUR FP7 GRANT AGREEMENTS

The following paragraphs provide details of Annex I “Description of Work” of four (4) FP7 Grant Agreements (hereafter ‘four FP7 GA A.I’) found in the public Internet as of 11/7/2013. The range of pages indicated below is full of personal data.

GA1: Grant Agreement nr.242167, Annex I (amendment I): 01.10.2011, SynSys 'Synaptic Systems: dissecting brain function in health and disease', located at http://www.synsys.eu/wp-content/uploads/..., pages 76-100

GA2: Grant Agreement no 227390, date of preparation of Annex I: 19/3/2009, DEEPFISHMAN 'Management And Monitoring of Deep-see Fisheries And Stocks', located at http://deepfishman.hafro.is/lib/exe/fetc..., pages 78-91

GS3: Grant agreement no 244067, date of preparation of Annex I (latest version): July 6th 2009, EUCLIPSE, 'Project full title: EU Cloud Intercomparison, Process Study & Evaluation Project', located at http://www.euclipse.eu/downloads/DOW_EUC..., pages 54-65

GA4: Grant agreement No FP7-212287, date of preparation: 10th April 2008 (version 1) Annex I, ReCosy 'REDOX PHENOMENA CONTROLLING SYSTEMS', located at http://www.recosy.eu/documentos/ReCosy Annex I.pdf, pages 64-69

II. REQUEST FOR DOCUMENTS

I would be obliged if the Commission services would provide me with full, or partial copies, of the following documents:

#1. The article 25 of Regulation No 45/2001 prior notification(s) applicable to the four FP7 GA A.I.

#2. The documents drawn up by the relevant data controller(s) for the prior notification(s) under #1 above.

#3. The documents drawn up by the DG RTD Data Protection Coordinator for the prior notification(s) under #1 above.

#4. The documents drawn up by the Commission services pursuant to article 27 of Regulation No 45/2001 for the kind of personal data processing operations indicated by the four FP7 GA A.I.

#5. The documents with which the Commission services notified every single data subject referred to in the four FP7 GA A.I pursuant to article 12(1) of Regulation No 45/2001.

#6. Partial copies of the four FP7 GA A.I, which are documents held by the Commission services, in particular the range of pages indicated for each FP7 GA listed under section (I) above, and which are full of personal data.

III. NECESSITY OF PERSONAL DATA TRANSFER

According article 8(b) of Regulation No 45/2001:

Without prejudice to Articles 4, 5, 6 and 10, personal data shall only be transferred to recipients subject to the national law adopted for the implementation of Directive 95/46/EC if the recipient establishes the necessity of having the data transferred and if there is no reason to assume that the data subject's legitimate interests might be prejudiced.

As a mere citizen, it is doubtful that this provision is applicable to the present applicant. Nevertheless, the following paragraphs will establish the necessity of the transfer.

1. The data subjects have, presumably, provided to the respective FP7 coordinator or/and the entire consortium their permission to submit their personal data to the Research family DGs and also publish them to the public Internet. Therefore, requesting already public information about individuals cannot be considered as prejudicial to their interest.

2. The Research family DGs hold documents with the requested personal data. Regardless of the fact that the personal data is available in the public Internet, the Commission services are legally obliged to respect article 8(b) and the EU Courts case law, and most notably the Bavarian Lager Judgment of the Court of Justice. They must consult with the data subjects and seek their express permission prior to the release of the requested documents.

3. The sole purpose of the present application is to illustrate to the general public and to the Commission services the perverse effects of the deliberate infringements of Union law about personal data processing by the Research family DGs. In other words, the application aims at establishing the need of transferring the personal data in order to prove that the Commission services are wholly unlawfully in the possession of the requested personal data in the first place.

4. On the one hand, consultations with the data subjects and a possible refusal of the Commission services to release the requested documents without the consent of the data subjects will automatically prove that the Commission services have been diligent in strictly observing Regulation No 45/2001 and Regulation No 1049/2001 in the context of the present application. On the other hand, the consultations with the data subjects will immediately show that the Research family DGs have been gravely infringing Regulation No 45/2001 during the proposal submission and grant agreement negotiations phases.

5. In my opinion, the Research family DGs are between Schulla and Charibdes with this particular application pursuant to Regulation No 1049/2001, that is to say caught in an impossible situation. However, they face this extremely awkward situation simply because they have disregarded Regulation No 45/2001 ever since its entry into force. The Research family DGs were not, seemingly, prepared to change their approach and working practices to be compliant with Regulation No 45/2001, but instead adopted concealed policies to continue with their ‘good old habits’ that were not unlawful prior to entry into force of Regulation No 45/2001.

IV. OVERRIDING PUBLIC INTEREST, REQUESTS 1 - 5

No exception of article 4 of Regulation No 1049/2001 is applicable, except only the data subject contact details of request #5 that are protected by article 4(1)(b).

An overriding public interest is also manifestly obvious, and for this reason no detailed arguments will be set out.

Yours faithfully,

Mr. Orestis BEKAS

Recherche et de l’innovation

1 Attachment

Dear Mr Bekas,

 

Thank you for your e-mail dated 11 July 2013.  We hereby acknowledge
receipt of your application for access to documents, which was registered
on the same day under reference number GestDem2013/3659.

 

In accordance with Regulation (EC) No 1049/2001 regarding public access to
European Parliament, Council and Commission documents, your application
will be handled within 15 working days. The time limit will expire on 2
August 2013. In case this time limit needs to be extended, you will be
informed in due course.

 

Yours faithfully,

 

Silvia BOJINOVA

Head of Unit

 

[1]Description: cid:image001.png@01CDDFB2.68871B70

European Commission

DG Research & Innovation

R5

 

ORBN 09/151

B-1049 Brussels/Belgium

+32 229-85891

[2][email address]

 

[3]http://ec.europa.eu/research

 

 

References

Visible links
2. mailto:[email address]
3. http://ec.europa.eu/research

Recherche et de l’innovation

2 Attachments

Dear Mr Bekas,

We refer to your email dated 11 July 2013 in which you make a request for
access to documents, registered on the same day under the above mentioned
reference number.

1.      We regret to inform you that no documents were found that would
correspond to the description given in Points 1, 2, 3, 4, 5 of your
application. We are, therefore, unable to handle your application.

In respect of the interest reflected by Point 5 of your application,
please find enclosed the Service Specific Privacy Statement which is
published on the Participant Portal.

2.      As far as the documents requested in Point 6 of your application
are concerned, we note that they have already been published in their full
version on the internet by project participants on the links which you
indicated.

 

Yours faithfully,

Silvia BOJINOVA

Head of Unit

 

[1]Description: cid:image001.png@01CDDFB2.68871B70

European Commission

DG Research & Innovation

R5

 

ORBN 09/151

B-1049 Brussels/Belgium

+32 229-85891

[2][email address]

 

[3]http://ec.europa.eu/research

 

 

References

Visible links
2. mailto:[email address]
3. http://ec.europa.eu/research

Mr. Orestis BEKAS

Dear Research and Innovation (RTD),

A confirmatory application is submitted pursuant to Regulation No 1049/2001 for all the requests of the initial application. It is kindly requested that DG RTD transfer the application to the Secretariat-General.

The following paragraphs kindly and respectfully challenge the substance of the initial reply of DG RTD, in the sense that DG RTD released just a single document that happens to be merely informative and immaterial to the fulfillment of the application.

It is also noted that the initial reply does not bear an Ares reference number, which is wholly unexpected for an initial reply pursuant to Regulation No 1049/2001.

1. REQUEST #1

It concerns the prior notification of article 25 of Regulation No 45/2001 covering the manifest personal data processing of the four FP7 GAs cited in the initial application. These GAs are not exceptional at all; on the contrary, Annex I of the four GAs was drawn up by the in compliance with the FP7 Guides for Negotiations.

The attention of DG RTD is drawn to the DG RTD prior notification DPO-2382, which was ‘in force’ until about late 2012 and thus it was conceivably applicable to the 4 GAs. Parts of DPO-2382 read:

“Processing
1. Name of the processing
Back-office notification: processing of data submitted by proposal Applicants and reviewers Experts in the context of Framework Programmes and other Programmes and Initiatives, managed by the Research General Directorate (DG RTD)
(.....)
• The scope of the back-office manual processing operations performed by EU personnel or contractors on their behalf includes:
• Selection of Experts for proposal evaluation, or project review and monitoring purposes. Note that Experts' data are provided and maintained by Experts themselves.
• Managing Expert Contracts and Payments for services during proposal evaluation, or project review and monitoring. Bank account is provided by experts and verified by RTD.
• Managing the list of Proposals for further processing, including negotiation, and selected proposal lists approval.
• Managing the list of selected Projects, for further processing, including contract preparation, and initial payments.
• Managing the projects and further processing, including deliverables, contract amendments, and intermediate or final payments.
(......)”

It is absolutely clear that DPO-2382 covered, at least partially, request #1. Yet, DG RTD failed to spot it.

The publication of FP7 Guides for Negotiations shows the systematic nature of the personal data processing in the context of concluding and signing FP7 GAs. Article 25(1) of Regulation No 45/2001 reads “The controller shall give prior notice to the Data Protection Officer of any processing operation or set of such operations intended to serve a single purpose or several related purposes”.

A ‘data controller’ within the meaning of Regulation No 45/2001 is not a mere administrative Unit/Division/Department of an Institution, whose failure to comply with the said article 25(1) allows an Institution to escape from its relevant obligations by ‘assigning’ the ‘blame’ to a ‘poor’ Unit and then go on infringing Regulation No 45/2001 as completely nothing has happened. In this particular context, the attention of the Commission services is drawn to section 2.2.2 Controllership of the EDPS opinion in the case 2010-0426 dated 22/2/2012, part of which reads:

“In the initial notification, the Commission (represented by the Head of Unit DDG1.A 2 in DG RELEX) was mentioned as the controller (......) As the FPI is part of the
Commission, it is the Commission that shall be considered as data controller. From a legal perspective, the institution as such is the controller, although the practical implementation might be delegated to a person responsible for the processing. (......) In its reply of 3 August 2011, the Commission highlighted that, even in cases where the Council has reserved for itself implementing powers as regards the lists of individuals and entities whose assets have to be frozen, the Commission should also be considered as a data controller for some processing operations.”

It follows therefore, that either DG RTD or the Commission itself is to be considered as the data controller of the personal data processing operations carried out in the framework of negotiating and concluding FP7 GAs. Given the sheer size of the FP7, the scale of these processing operations far surpasses any other personal data processing operations of the Commission services, except those in the framework of FP7 proposal submission and evaluation. That the data subjects are third parties to the FP7 GAs makes the whole matter far worse in terms of having disregarded legality and infringed the fundamental right of personal data protection.

In the light of the above considerations illustrating the apparent disregard of legality by DG RTD, its initial reply that there is no prior notification must be regarded with the utmost skepticism about its veracity.

It is expected that in handling the confirmatory reply the Commission services will take a ‘fresh’ look on this particular request.

2. REQUEST #2

The data controller designated in all versions of DPO-978 and DPO-2382 (the sole ones of DG RTD concerned the proposal submission, evaluation and negotiations) is the highest ranking official of DG RTD. In view of the considerations set out regarding request #1 above, it is difficult to understand how the data controller failed to draw a short paragraph falling under the scope of request #2.

In view of the disciplinary liabilities of article 49 of Regulation No 45/2001, the designation as the data controller is not a mere ‘convenient’ arrangement to put under his ‘protective umbrella’ the staff of DG RTD carrying out personal data processing operations. Instead, as an illustration of the “tone at the top” it means that the data controller has personally assumed the full responsibility for ensuring strict compliance with Regulation No 45/2001 for all corresponding DG RTD personal data processing operations covered by DPO-978 and DPO-2382. It also specifically includes the responsibility for any failure(s) to (i) document in these two prior notifications personal data processing operations in the framework of FP7 proposal submission-evaluation and conclusion of FP7 GAs and (ii) take the additional and necessary measures for compliance (e.g. EDPS prior checks).

It is expected that in handling the confirmatory reply the Commission services will take a ‘fresh’ look on this particular request.

3. REQUEST #3

The attention of the Commission services is drawn to the provisions of article 14 of the Commission Decision 597/2008 about the statutory duties of the DG RTD Data Protection Coordinator - DPC. In case the DPC failed to draw a short paragraph, this will amount to a gross negligence to fulfill statutory duties, bordering complicity in grave infringements of Regulation No 45/2001 for the entire FP6 and FP7 in so far DG RTD is concerned.

4. REQUEST #4

The FP7 Guides for Negotiations expressly requested FP7 participants negotiating the conclusion of GAs to submit short CVs of their key researchers who would be engaged in the FP7 action. DG RTD evaluated the qualifications and experience of these researchers in the context of evaluating the capacity of FP7 participants to carry out a FP7 action. Evaluation of a data subject conduct and abilities is unquestionably subject to an article 27 EDPS prior check.

The DPO-978 and DPO-2382 data controller, as well as the DPC, ought to have drafted a few short paragraphs about it, to say the least. There is documentary evidence strongly suggesting that the DPC indeed drafted documents, or parts thereof, as part of the DPO-978 and DPO-2382 ‘administrative files’.

It is expected that in handling the confirmatory reply the Commission services will take a ‘fresh’ look on this particular request.

5. REQUEST #5

The released privacy statement is immaterial to this request. Article 12(1) imposes to the data controller an absolute obligation to inform the data subject. Posting a privacy statement in the Participant’s Portal does in no way allow DG RTD to escape from its obligations pursuant to article 12(1). DG RTD should not expect that applicants are that much primitive and are not be able to read and understand the provisions of article 12(1). This applies in particular for applications from which it is apparent that the applicant is familiar with Regulation No 45/2001.

Since DG RTD collected the personal data from third parties and not directly from the data subjects, DG RTD was under an absolute legal obligation to inform the data subjects pursuant to article 12(1) of Regulation No 45/2001. DG RTD has had the full work contact details of the FP7 participants (the address of the FP7 participant and lots of other information is in the Legal Entity File), so it was very straightforward to write a letter to the data subjects whose personal data Annex I of the GAs contains, notifying them about the processing of their personal data.

Article 12(1) is not a mere ‘burden’ than it can light-heartedly be overlooked. On the very contrary, it is an essential procedural safeguard to ‘alert’ a data subject about the processing of his/her personal data, thereby afford the opportunity to verify the correctness of the personal data. In case a FP7 participant submitted an inaccurate “short profile”, it is the notification of article 12(1) that will allow a data subject to become aware of it, and take, if deemed necessary remedial action, including the exercise of the data subject rights as laid down in articles 13 to 19 of Regulation No 45/2001.

In case the Commission services confirm that no documents exist falling under request #5, this will be tantamount to an outright admission of having infringed article 12(1).

6. REQUEST #6

Regulation No 1049/2001 concerns documents held by an Institution like the Commission. Referring an applicant to the website of a third party does in no way release the Institution from its obligations to release the requested documents pursuant to Regulation No 1049/2001.

In fact, article 5(3) of the Commission Decision 937/2001 (OJ L 345/94 of 29/12/2001) stipulates that:

“3. The Directorate-General or department holding the document shall grant the application without consulting the third-party author where:
(a) the document requested has already been disclosed either by its author or under the Regulation or similar provisions
(b) the disclosure, or partial disclosure, of its contents would not obviously affect one of the interests referred to in Article 4 of Regulation (EC) No 1049/2001.
(......)”

Accordingly, instead of referring me to third parties DG RTD ought to have either released the request parts of the 4 GAs or inform me than the exceptions of article 4 are applicable. Consequently, it is nearly certain that DG RTD has infringed article 5(3) by its particular handling of this request.

It is expected that in handling the confirmatory reply the Commission services will take a ‘fresh’ look on this particular request, taking into account the issue of data controllership.

7. LAWFULNESS OF PERSONAL DATA PROCESSING

It is pointed out that in the entire FP6 and FP7 the Research family DGs have unlawfully processed personal data of more than a hundred thousand researchers. This is outlined below.

The analysis is centered on the provisions of article 5 of Regulation No 45/2001 which lays down five criteria for the lawfulness of personal data processing.

7.1. FP6 & FP7 calls for proposals, evaluation and negotiations

The Research DGs act as public authorities in this context. Regarding contracts in which a data subject is a party, or takes preparatory steps to become a party, there is a specific provision about the lawfulness of personal data processing, namely article 5(3) of Regulation No 45/2001. It stipulates that the processing takes place solely at the request of the data subject and not at the pleasure of the Institution.
That the EU legislature enacted this provision conclusively proves that articles 5(1) and 5(2) of that Regulation are not a sufficient legal basis. It easy to understand this, as an Institution takes steps to conclude a contract on its own volition, without in principle an obligation imposed by Union law. It applies a fortiori to the terms of the contract or the call for tenders/proposals, for which the Institution enjoys a broad discretion. In other words, an Institution can avoid personal data processing by drafting suitably the call for tenders or call for proposals.

Consequently, regarding FP6 & FP7 calls for proposals without the express consent of the data subject of article 5(4) the personal data processing meets none of the conditions of article 5. It is therefore wholly unlawful.

In FP6 and FP7 calls for proposals, evaluation and negotiations the researchers are neither parties to the contracts/agreements nor have they given their consent to a Research DG to process their personal data. Therefore, none of the criteria of article 5 is satisfied which automatically and necessarily implies that the personal data processing is outright unlawful.

Seen under this spotlight, a whole new dimension of the DG RTD initial reply emerges. In case the confirmatory application does not release documents, it will show that the gravely unlawful personal data processing in FP6 and FP7 was entwined with a host of highly questionable administrative policies and practices, which call into question the very integrity of the entire DG RTD and the Directorates of the other Research DGs entrusted with the execution of FP6 and FP7.

7.2. Execution of FP6 contracts and FP7 grant agreements

Once they are in force and in the context thereof, regarding its contractual counter-parties a Research DGs does not rely on its prerogatives as a public authority. A FP6 contract and a FP7 grant agreement is a private law contract. In the execution of such research actions the personal data processing without the consent of the data subjects is even more unlawful.

Annex I of FP7 GAs is liberally circulated to the entire consortium, including the external experts assisting the Research DGs in the project reviews. It means that personal data are disclosed to third parties at the request of or directly by a Research DG. The personal data are unlawfully in the possession of a Research DG in the first place.

8. CONCLUSION – CONFIRMATORY APPLICATION

As stated above, the confirmatory application concerns all requests of the initial application. It is anticipated that the Commission services will give due consideration to the arguments set out in the initial and confirmatory applications.

Failure to release the requested documents will necessarily imply the admission of gravely unlawful personal data processing by DG RTD in the entire FP7.

Yours faithfully,

Mr. Orestis BEKAS

Recherche et de l’innovation

L'activité des services de la Commission européenne étant réduite durant
le mois d'août, vos demandes d'accès aux documents seront traitées dans
les meilleurs délais. Toutefois, certains retards peuvent se produire, en
particulier lorsque le traitement des données exige la consultation des
administrations nationales, d’organisations extérieures ou d’autres
services.

*  *  *

Die Tätigkeiten der Dienststellen der Europäischen Kommission sind im
August reduziert; Ihre Anträge auf Zugang zu Dokumenten werden dennoch so
schnell wie möglich bearbeitet. Allerdings können Verzögerungen auftreten,
insbesondere wenn die Berarbeitung der Anträge die Konsultierung der
nationalen Verwaltungen, externer Organisationen oder anderer
Dienststellen erforderlich macht.

* *  *

The activity of European Commission departments is likely to be reduced
during August.  We will handle  your requests for access to documents as
soon as possible.  However, some delays may occur, especially where the
processing of data requires the consultation of national administrations,
external organisations or other services.

 

Recherche et de l’innovation

1 Attachment

Dear Mr Bekas,   

 

Thank you for your e-mail dated 23/08/2013, registered on 13/09/2013.  I
hereby acknowledge receipt of your confirmatory application for access to
documents (ref.: Ares(2013)3041053 – gestdem 2013-3659). 

 

In accordance with Regulation 1049/2001 regarding public access to
European Parliament, Council and Commission documents, you will receive a
response to your request within 15 working days (04/10/2013).

 

Yours sincerely,

 

Paul SIMON
European Commission - Secretariat General
Unit SG.B.5, Transparency

 

 

-----Original Message-----

From: Mr. Orestis BEKAS [[1]mailto:[FOI #665 email]]

Sent: Friday, August 23, 2013 8:58 AM

To: RTD ACCESS DOCUMENTS

Subject: Re: Application for access to documents – Ref GestDem No
2013/3659 --- Ares(2013)2813684

 

Dear Research and Innovation (RTD),

 

A confirmatory application is submitted pursuant to Regulation No
1049/2001 for all the requests of the initial application.  It is kindly
requested that DG RTD transfer the application to the Secretariat-General.

 

The following paragraphs kindly and respectfully challenge the substance
of the initial reply of DG RTD, in the sense that DG RTD released just a
single document that happens to be merely informative and immaterial to
the fulfillment of the application.  

 

It is also noted that the initial reply does not bear an Ares reference
number, which is wholly unexpected for an initial reply pursuant to
Regulation No 1049/2001.

 

1. REQUEST #1

 

It concerns the prior notification of article 25 of Regulation No 45/2001
covering the manifest personal data processing of the four FP7 GAs cited
in the initial application. These GAs are not exceptional at all; on the
contrary, Annex I of the four GAs was drawn up by the in compliance with
the FP7 Guides for Negotiations.

 

The attention of DG RTD is drawn to the DG RTD prior notification
DPO-2382, which was ‘in force’ until about late 2012 and thus it was
conceivably applicable to the 4 GAs. Parts of DPO-2382 read:

 

“Processing

1. Name of the processing

Back-office notification: processing of data submitted by proposal
Applicants and reviewers Experts in the context of Framework Programmes
and other Programmes and Initiatives, managed by the Research General
Directorate (DG RTD)

(.....)

• The scope of the back-office manual processing operations performed by
EU personnel or contractors on their behalf includes:

• Selection of Experts for proposal evaluation, or project review and
monitoring purposes. Note that Experts' data are provided and maintained
by Experts themselves.

• Managing Expert Contracts and Payments for services during proposal
evaluation, or project review and monitoring. Bank account is provided by
experts and verified by RTD.

• Managing the list of Proposals for further processing, including
negotiation, and selected proposal lists approval.

• Managing the list of selected Projects, for further processing,
including contract preparation, and initial payments.

• Managing the projects and further processing, including deliverables,
contract amendments, and intermediate or final payments.

(......)”

 

It is absolutely clear that DPO-2382 covered, at least partially, request
#1. Yet, DG RTD failed to spot it.

 

The publication of FP7 Guides for Negotiations shows the systematic nature
of the personal data processing in the context of concluding and signing
FP7 GAs. Article 25(1) of Regulation No 45/2001 reads “The controller
shall give prior notice to the Data Protection Officer of any processing
operation or set of such operations intended to serve a single purpose or
several related purposes”.

 

A ‘data controller’ within the meaning of Regulation No 45/2001 is not a
mere administrative Unit/Division/Department of an Institution, whose
failure to comply with the said article 25(1) allows an Institution to
escape from its relevant obligations by ‘assigning’ the ‘blame’ to a
‘poor’ Unit and then go on infringing Regulation No 45/2001 as completely
nothing has happened. In this particular context, the attention of the
Commission services is drawn to section 2.2.2 Controllership of the EDPS
opinion in the case 2010-0426 dated 22/2/2012, part of which reads:

 

“In the initial notification, the Commission (represented by the Head of
Unit DDG1.A 2 in DG RELEX) was mentioned as the controller (......) As the
FPI is part of the

Commission, it is the Commission that shall be considered as data
controller. From a legal perspective, the institution as such is the
controller, although the practical implementation might be delegated to a
person responsible for the processing.  (......)   In its reply of 3
August 2011, the Commission highlighted that, even in cases where the
Council has reserved for itself implementing powers as regards the lists
of individuals and entities whose assets have to be frozen, the Commission
should also be considered as a data controller for some processing
operations.”

 

It follows therefore, that either DG RTD or the Commission itself is to be
considered as the data controller of the personal data processing
operations carried out in the framework of negotiating and concluding FP7
GAs. Given the sheer size of the FP7, the scale of these processing
operations far surpasses any other personal data processing operations of
the Commission services, except those in the framework of FP7 proposal
submission and evaluation. That the data subjects are third parties to the
FP7 GAs makes the whole matter far worse in terms of having disregarded
legality and infringed the fundamental right of personal data protection.

 

In the light of the above considerations illustrating the apparent
disregard of legality by DG RTD, its initial reply that there is no prior
notification must be regarded with the utmost skepticism about its
veracity.

 

It is expected that in handling the confirmatory reply the Commission
services will take a ‘fresh’ look on this particular request.

 

2. REQUEST #2

 

The data controller designated in all versions of DPO-978 and DPO-2382
(the sole ones of DG RTD concerned the proposal submission, evaluation and
negotiations) is the highest ranking official of DG RTD. In view of the
considerations set out regarding request #1 above, it is difficult to
understand how the data controller failed to draw a short paragraph
falling under the scope of request #2.

 

In view of the disciplinary liabilities of article 49 of Regulation No
45/2001, the designation as the data controller is not a mere ‘convenient’
arrangement to put under his ‘protective umbrella’ the staff of DG RTD
carrying out personal data processing operations. Instead, as an
illustration of the “tone at the top” it means that the data controller
has personally assumed the full responsibility for ensuring strict
compliance with Regulation No 45/2001 for all corresponding DG RTD
personal data processing operations covered by DPO-978 and DPO-2382. It
also specifically includes the responsibility for any failure(s) to (i)
document in these two prior notifications personal data processing
operations in the framework of FP7 proposal submission-evaluation and
conclusion of FP7 GAs and (ii) take the additional and necessary measures
for compliance (e.g. EDPS prior checks).  

 

It is expected that in handling the confirmatory reply the Commission
services will take a ‘fresh’ look on this particular request.

 

3. REQUEST #3

 

The attention of the Commission services is drawn to the provisions of
article 14 of the Commission Decision 597/2008 about the statutory duties
of the DG RTD Data Protection Coordinator - DPC. In case the DPC failed to
draw a short paragraph, this will amount to a gross negligence to fulfill
statutory duties, bordering complicity in grave infringements of
Regulation No 45/2001 for the entire FP6 and FP7 in so far DG RTD is
concerned.

 

4. REQUEST #4

 

The FP7 Guides for Negotiations expressly requested FP7 participants
negotiating the conclusion of GAs to submit short CVs of their key
researchers who would be engaged in the FP7 action. DG RTD evaluated the
qualifications and experience of these researchers in the context of
evaluating the capacity of FP7 participants to carry out a FP7 action.
Evaluation of a data subject conduct and abilities is unquestionably
subject to an article 27 EDPS prior check.

 

The DPO-978 and DPO-2382 data controller, as well as the DPC, ought to
have drafted a few short paragraphs about it, to say the least. There is
documentary evidence strongly suggesting that the DPC indeed drafted
documents, or parts thereof, as part of the DPO-978 and DPO-2382
‘administrative files’. 

 

It is expected that in handling the confirmatory reply the Commission
services will take a ‘fresh’ look on this particular request.

 

5. REQUEST #5

 

The released privacy statement is immaterial to this request. Article
12(1) imposes to the data controller an absolute obligation to inform the
data subject. Posting a privacy statement in the Participant’s Portal does
in no way allow DG RTD to escape from its obligations pursuant to article
12(1). DG RTD should not expect that applicants are that much primitive
and are not be able to read and understand the provisions of article
12(1). This applies in particular for applications from which it is
apparent that the applicant is familiar with Regulation No 45/2001. 

 

Since DG RTD collected the personal data from third parties and not
directly from the data subjects, DG RTD was under an absolute legal
obligation to inform the data subjects pursuant to article 12(1) of
Regulation No 45/2001. DG RTD has had the full work contact details of the
FP7 participants (the address of the FP7 participant and lots of other
information is in the Legal Entity File), so it was very straightforward
to write a letter to the data subjects whose personal data Annex I of the
GAs contains, notifying them about the processing of their personal data.

 

Article 12(1) is not a mere ‘burden’ than it can light-heartedly be
overlooked. On the very contrary, it is an essential procedural safeguard
to ‘alert’ a data subject about the processing of his/her personal data,
thereby afford the opportunity to verify the correctness of the personal
data. In case a FP7 participant submitted an inaccurate “short profile”,
it is the notification of article 12(1) that will allow a data subject to
become aware of it, and take, if deemed necessary remedial action,
including the exercise of the data subject rights as laid down in articles
13 to 19 of Regulation No 45/2001.

 

In case the Commission services confirm that no documents exist falling
under request #5, this will be tantamount to an outright admission of
having infringed article 12(1). 

 

6. REQUEST #6

 

Regulation No 1049/2001 concerns documents held by an Institution like the
Commission. Referring an applicant to the website of a third party does in
no way release the Institution from its obligations to release the
requested documents pursuant to Regulation No 1049/2001.

 

In fact, article 5(3) of the Commission Decision 937/2001 (OJ L 345/94 of
29/12/2001) stipulates that:

 

“3. The Directorate-General or department holding the document shall grant
the application without consulting the third-party author where:

(a) the document requested has already been disclosed either by its author
or under the Regulation or similar provisions

(b) the disclosure, or partial disclosure, of its contents would not
obviously affect one of the interests referred to in Article 4 of
Regulation (EC) No 1049/2001.

(......)”

 

Accordingly, instead of referring me to third parties DG RTD ought to have
either released the request parts of the 4 GAs or inform me than the
exceptions of article 4 are applicable. Consequently, it is nearly certain
that DG RTD has infringed article 5(3) by its particular handling of this
request.

 

It is expected that in handling the confirmatory reply the Commission
services will take a ‘fresh’ look on this particular request, taking into
account the issue of data controllership.

 

7. LAWFULNESS OF PERSONAL DATA PROCESSING

 

It is pointed out that in the entire FP6 and FP7 the Research family DGs
have unlawfully processed personal data of more than a hundred thousand
researchers. This is outlined below.

 

The analysis is centered on the provisions of article 5 of Regulation No
45/2001 which lays down five criteria for the lawfulness of personal data
processing.

 

7.1. FP6 & FP7 calls for proposals, evaluation and negotiations

 

The Research DGs act as public authorities in this context. Regarding
contracts in which a data subject is a party, or takes preparatory steps
to become a party, there is a specific provision about the lawfulness of
personal data processing, namely article 5(3) of Regulation No 45/2001. It
stipulates that the processing takes place solely at the request of the
data subject and not at the pleasure of the Institution.

That the EU legislature enacted this provision conclusively proves that
articles 5(1) and 5(2) of that Regulation are not a sufficient legal
basis. It easy to understand this, as an Institution takes steps to
conclude a contract on its own volition, without in principle an
obligation imposed by Union law. It applies a fortiori to the terms of the
contract or the call for tenders/proposals, for which the Institution
enjoys a broad discretion. In other words, an Institution can avoid
personal data processing by drafting suitably the call for tenders or call
for proposals.

 

Consequently, regarding FP6 & FP7 calls for proposals without the express
consent of the data subject of article 5(4) the personal data processing
meets none of the conditions of article 5. It is therefore wholly
unlawful.

 

In FP6 and FP7 calls for proposals, evaluation and negotiations the
researchers are neither parties to the contracts/agreements nor have they
given their consent to a Research DG to process their personal data.
Therefore, none of the criteria of article 5 is satisfied which
automatically and necessarily implies that the personal data processing is
outright unlawful.

 

Seen under this spotlight, a whole new dimension of the DG RTD initial
reply emerges. In case the confirmatory application does not release
documents, it will show that the gravely unlawful personal data processing
in FP6 and FP7 was entwined with a host of highly questionable
administrative policies and practices, which call into question the very
integrity of the entire DG RTD and the Directorates of the other Research
DGs entrusted with the execution of FP6 and FP7.

 

7.2. Execution of FP6 contracts and FP7 grant agreements

 

Once they are in force and in the context thereof, regarding its
contractual counter-parties a Research DGs does not rely on its
prerogatives as a public authority. A FP6 contract and a FP7 grant
agreement is a private law contract. In the execution of such research
actions the personal data processing without the consent of the data
subjects is even more unlawful.

 

Annex I of FP7 GAs is liberally circulated to the entire consortium,
including the external experts assisting the Research DGs in the project
reviews. It means that personal data are disclosed to third parties at the
request of or directly by a Research DG. The personal data are unlawfully
in the possession of a Research DG in the first place.

 

8. CONCLUSION – CONFIRMATORY APPLICATION

 

As stated above, the confirmatory application concerns all requests of the
initial application. It is anticipated that the Commission services will
give due consideration to the arguments set out in the initial and
confirmatory applications.

 

Failure to release the requested documents will necessarily imply the
admission of gravely unlawful personal data processing by DG RTD in the
entire FP7.

 

Yours faithfully,

 

Mr. Orestis BEKAS

 

-----Original Message-----

 

Dear Mr Bekas,

 

We refer to your email dated 11 July 2013 in which you make a request for

access to documents, registered on the same day under the above mentioned

reference number.

 

1.      We regret to inform you that no documents were found that would

correspond to the description given in Points 1, 2, 3, 4, 5 of your

application. We are, therefore, unable to handle your application.

 

In respect of the interest reflected by Point 5 of your application,

please find enclosed the Service Specific Privacy Statement which is

published on the Participant Portal.

 

2.      As far as the documents requested in Point 6 of your application

are concerned, we note that they have already been published in their full

version on the internet by project participants on the links which you

indicated.

 

 

 

Yours faithfully,

 

Silvia BOJINOVA

 

Head of Unit

 

 

 

[1]Description: [2]cid:image001.png@01CDDFB2.68871B70

 

European Commission

 

DG Research & Innovation

 

R5

 

 

 

ORBN 09/151

 

B-1049 Brussels/Belgium

 

+32 229-85891

 

[2][email address]

 

 

 

[3][3]http://ec.europa.eu/research

 

 

 

 

 

References

 

Visible links

2. [4]mailto:[email address]

3. [5]http://ec.europa.eu/research

 

-------------------------------------------------------------------

Please use this email address for all replies to this request:

[6][FOI #665 email]

 

This message and all replies from Research and Innovation (RTD) will be
published on the AsktheEU.org website. For more information see our
dedicated page for EU public officials at
[7]http://www.asktheeu.org/en/help/officers

 

 

-------------------------------------------------------------------

References

Visible links
1. mailto:[FOI #665 email]
2. file:///tmp/cid:image001.png@01CDDFB2.68871B70
3. http://ec.europa.eu/research
4. mailto:[email
5. http://ec.europa.eu/research
6. mailto:[FOI #665 email]
7. http://www.asktheeu.org/en/help/officers

cacher les sections citées

Recherche et de l’innovation

2 Attachments

Dear Mr Bekas,
Kindly find herewith a letter concerning your confirmatory application for
access to documents (gestdem 2013-3659).
       
Yours sincerely,
 
Paul SIMON
Unit SG.B.5, Transparency
European Commission
 

Recherche et de l’innovation

2 Attachments

 
Dear Mr Bekas,

Kindly find the answer to your confirmatory application concerning your
request for access to documents pursuant to Regulation (EC) N° 1049/2001
regarding public access to European Parliament, Council and Commission
documents (Gestdem 2013/3659).
Yours sincerely,
Carlos Remis
SG.B.5.
Transparence.
Berl. 05/329.
 
 
 
 
 
 
 

 
 
 

Recherche et de l’innovation

1 Attachment

Dear Sir,
 
Please find attached a letter concerning your confirmatory application for
access to documents (GestDem 2013-3659).
 
 
Kind regards,
 
Priscille Schiltz
European Commission
Secretariat General
Unit B5 "Transparency"
 
 
 

Dear Research and Innovation (RTD),

Please pass this message to the Secretariat-General.

***********

Dear Secretary-General,

Thank you very much for the response to the confirmatory application.

I sincerely hope that your staff will appreciate the significance of stating that the documents under requests #1 - #5 are not held by the Commission services, presumably telling that they were not drawn up at all.

Regarding request #6, the response is not compliant with Regulation 1049/2001, simply because the Secretariat-General did not release the documents the services manifestly hold, but instead referred me to a third party.

Yours faithfully,

Mr. Orestis BEKAS