Dear Mobility and Transport (MOVE),

Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:

1. INTRODUCTION

I refer to the prior notification of article 25 of Regulation 45/2001 DPO-3420.2, http://ec.europa.eu/dpo-register/details... (last checked on 15 November 2013), a copy of which is given hereunder as Annex.

DPO-3420.2 has the ‘statements’:

A. “This processing has been submitted to the EDPS who concluded that Article 27 is not applicable”

B. “3. Sub-Contractors —“

C. “The possibility for the EC to carry out checks and financial controls is foreseen in the model grant agreement or contract signed between the EC and the beneficiary/contractor as required by the Financial Regulation ("FR") applicable to the General Budget of the European Communities (art. 170, 60.4), and its Implementing Rules ("IR") (art. 47.4) ”

The first two statements are manifestly false. DG MOVE has admitted it by way of its initial response to the application pursuant to Regulation 1049/2001, initial response of GestDem 2013/3488 of 23/7/2013, http://www.asktheeu.org/en/request/exter.... The EDPS opinion C 2009-0565 is wholly irrelevant to the DG MOVE external financial audits.

Articles 170FR & 60.4FR and 47.4IR are also wholly irrelevant to the DPO-3420.2 purported legal basis. DG RTD has stated so in its initial response to GestDem 2013/3351, http://www.asktheeu.org/en/request/587/r..., reply to request under (7).

According to article 1, second indent, of Commission Decision 597/2008 (Official Journal 2008 L 193 p8) the DPO-3420.2 controller (Head of the SRD.1 Unit) is personally liable for its factual accuracy. Consequently, the controller is liable according to
- article 49 of Regulation 45/2001
- article 12
- article 1(4) of Regulation 883/2001 ‘dereliction of duty’

Furthermore, misrepresentation of facts in official documents is most probably an offence.

That the false statement of DPO-3420.1 were exposed in full public view in the application GestDem 2013/3488, and yet the DPO-3420.2 controller went on with the very same misrepresentations of facts is literally beyond belief.

The present application aims at the disclosure of the DG MOVE internal documents shedding some light into how DPO-3340.2 could have ever been drawn up and posted into the public register of article 4(4) of Decision 597/2008, after the ‘exposure’ of DPO-3420.1.

2. REQUEST FOR DOCUMENTS

Copies of the following documents are kindly requested:

1. The document(s) with which the DPO-3402.2 controller requested the permission of her superiors to include blatant misrepresentation of facts in the prior notification.

2. The document(s) of the DPO-3420.2 controller superiors granting their permission to the said blatant misrepresentation of facts.

3. The document(s) with which the administrative department DG MOVE has notified the Member of the Commission (or his cabinet) about the continuation of the false statements in DPO-3420.2, even though the DPO-3420.1 controller had been publicly exposed.

3. OVERRIDING PUBLIC INTEREST

It cannot be accepted that an administrative department like DG MOVE sees no constraint in deceiving the public about the fundamental right of personal data protection.

The public deserves to form an opinion about the personal liabilities of DG MOVE officials, and their systematic disregard of legality.

************* ANNEX **************

DPO-3420.2 DG MOVE and DG ENER External Audit and Control

Directorate-General: Mobility and Transport

Controller: ABA GARROTE Paloma

Publication: 2013-10-14
Processing

1. Name of the processing
DG MOVE and DG ENER External Audit and Control

2. Description
The processing operations performed by most DGs are described in the procedure guide of ex-post control which is the result of a sampling methodology of financial transactions.
http://www.cc.cec/budg/dgb/interdg/_doc/...

Research family DGs are using specific IT tools in the context of performing an external financial audit which are described below:

• A specific tool allowing the exchange of lists of projects (for an auditee) between DGs, supporting life-cycle management of individual audit and extrapolation cases and containing a summary of the audit conclusions. No personal data are processed except contact information of Commission staff and auditees.

• A specific tool to facilitate searching and visualisation of information about participants in grants and contracts. This is used by auditors in the selection, preparation and performance of audits. The tool uses information on participants in grants and contracts, taken from IT tools for programme management (front-office notified to the DPO under n° DPO-978 and back-office 1. This information includes details of organisation names, registration numbers, address, audit results, EWS status, phone, fax, email, names of authorised signatories and contact persons, project reference, acronym, funding, budget.

This processing has been submitted to the EDPS who concluded that Article 27 is not applicable.

3. Sub-Contractors
—
4. Automated / Manual operations
n/a

Beneficiary/contractor undertakes to provide any detailed information, including information in electronic format, requested by the Commission or by any other outside body authorised by the Commission in order to check that the action and the provisions of the agreement/service contract are being properly implemented.

5. Storage
Data are stored in computer systems and/or physical archives accessible only to duly authorized staff (management of IT and physical access rights with respect to the need to know principle).

6. Comments
n/a
Purpose & legal basis

7. Purposes
Checks and financial controls of grant agreements or service contracts aim at verifying beneficiary's or contractor's or subcontractors' or third parties' compliance with all contractual provisions (including financial provisions), in view of checking that the action and the provisions of the grant agreement or contract are being properly implemented and in view of assessing the legality and regularity of the transaction underlying the implementation of the Community budget.

8. Legal basis / Lawfulness
The possibility for the EC to carry out checks and financial controls is foreseen in the model grant agreement or contract signed between the EC and the beneficiary/contractor as required by the Financial Regulation ("FR") applicable to the General Budget of the European Communities (art. 170, 60.4), and its Implementing Rules ("IR") (art. 47.4):

• Art. 170 FR: Each financing agreement or grant agreement or grant decision must expressly provide for the Commission and the Court of Auditors to have the power of audit, on the basis of documents and on the spot, over all contractors and subcontractors who have received Community funds.

• Art. 60.4 FR: The authorizing officer by delegation shall put in place, in compliance with the minimum standards adopted by each institution and having due regard to the risks associated with the management environment and the nature of the actions financed, the organizational structure and the internal management and control procedures suited to the performance of his/her duties, including where appropriate ex post verifications. Before an operation is authorized, the operational and financial aspects shall be verified by members of staff other than the one who initiated the operation. The initiation and the ex ante and ex post verification of an operation shall be separate functions.

• Art. 47.4 IR: The ex post verifications on documents and, where appropriate, on the spot shall check that operations financed by the budget are correctly implemented and in particular that the criteria referred to in paragraph 3 are complied with. These verifications may be organized on a sample basis using risk analysis.

The processing operations on personal data carried out in the context of ex post controls are necessary and lawful under three articles of the Regulation (EC) 45/2001:

• article 5 (a): processing is necessary for the performance of a task carried out in the public interest on the basis of the Treaties establishing the European Communities or other legal instruments adopted on the basis thereof…

• article 5 (b): processing is necessary for compliance with a legal obligation to which the controller is subject

• article 20.1.b): necessary measure to safeguard:
(a) the prevention, investigation, detection and prosecution of criminal offences;
(b) an important economic or financial interest of a Member State or of the European Communities, includingmonetary, budgetary and taxation matters;
(c) the protection of the data subject or of the rights and freedoms of others;

This processing has been submitted to the EDPS who concluded that Article 27 is not applicable.

Data subjects / fields
9. Data subjects
Contractors and sub-contractors
Beneficiaries of grants
Staff
Experts

10. Data fields
All necessary data to efficiently conduct a control such as:
• Name,
• Function,
• Grade,
• Activities and expertises,
• Professional address,
• Timesheets,
• Salary,
• Accounts,
• Cost accounting,
• Missions,
• Information coming from local IT system used to declare costs as eligible,
• Supporting documents linked to travel costs,
• Minutes from mission and other similar data depending of the nature of the action.

No data which fall under article 10.

See point 17)
Rights of D.S.

11. Information
The Privacy Statement attached is available with the Commission's letter initiating the audit or control process
EXTERNAL AUDIT PRIVACY STATEMENT.doc

12. Procedure to grant rights
Functional mailbox to get information and mailbox of the EDPS to lodge a complaint (see Privacy statement ).

13. Retention
Each ex post controller is responsible of archiving the documents related to controls. Data are stored until 10 years after the final payment on condition that no contentious issues occurred; in this case, data will be kept until the end the last possible legal procedure.

14. Time limit
The Commission services will respond within 15 working days to any request and if this is considered justified the relevant correction or deletion will be performed within one calendar month.

15. Historical purposes
n/a

Recipients
16. Recipients
Collected personal data could be submitted to Commission services in charge of ex post controls, without prejudice to a possible transmission to the bodies in charge of a monitoring or inspection task in accordance with Community law (OLAF, Court of Auditor, Ombudsman, EDPS, IDOC, Internal Audit Service of the Commission).

See point 20)

17. Transfer
n/a

*************** END OF ANNEX ***************

Yours faithfully,

Mr. Aris KOLIMATSIS

Dear Mobility and Transport (MOVE),

According to asktheeu.org DG MOVE has not registered the application submitted on 15 November, even though 15 working days have elapsed.

Whereas DG MOVE might have found the application as very tricky, I respectfully submit that both the administrative department and DG MOVE individual officials ought to be far more careful in not repeating in the prior notification DPO-3420.2 the very same false statements DG MOVE has admitted for DPO-3420.1.

DG MOVE must have due regard to article 1, second indent, of Commission Decision 597/2008 according to which the DPO-3420.2 data controller is personally liable for the false statements.

Unless DG MOVE would promptly register the application, I will write to the Commissioner, the EDPS and the Ombudsman about the false statements of DPO-3420 and the insistence of DG MOVE in continuing with its deceitful practices, which apparently attempt to create an air of legitimacy in what in reality have been grave infringements of the fundamental right of personal data protection.

Yours faithfully,

Mr. Aris KOLIMATSIS

Dear Mobility and Transport (MOVE),

This email is a confirmatory application. I would appreciate if you would forward it to the Secretariat-General.

******

Dear Secretariat-General

The present document is a confirmatory application under Regulation 1049/2001. It concerns the initial application
dated 15 November 2013 http://www.asktheeu.org/en/request/prior..., and the DG MOVE initial response of 23 December 2013 http://www.asktheeu.org/en/request/prior....

1. ANALYSIS OF THE INITIAL RESPONSE OF DG MOVE

The second version of the DG MOVE prior notification of article 25 of Regulation 45/2001 DPO-3420.2 is found at the link http://ec.europa.eu/dpo-register/details.... For the sake of completeness it is given as an Annex to this application.

Two differences between the first and the second version of DPO-3420 are (i) the name of the controller ( ABA GARROTE Paloma in the second version) and (ii) the publication date (2013-10-14 in the second version). According to article 1 second indent of the Commission Decision 597/2008 the DPO-3420.2 controller has assumed personal liabilities for any misrepresentation in DPO-3402.2.

In its response of 23 July 2013 to GestDem 2013/3488 http://www.asktheeu.org/en/request/exter...
DG MOVE has, in essence, publicly admitted that the statement of DPO-3420.1 'This processing has been submitted to the EDPS who concluded that Article 27 is not applicable' is outright false. The EDPS was not never consulted for DPO-3420.1, not even informally.

Since approximately 80% of the DG MOVE external financial audits were outsourced to external audit firms under the framework contracts of DG RTD, the statement of DPO-3420.2 '3. Sub-Contractors — ' is also outright false.

DPO-3420.2 is dated 14 October 2013. Consequently, the DPO-3420.2 controller willfully and intentionally kept those two blatant false statements in DPO-3420.2.

The DPO-3420.2 controller could have disguised the two false statements by copying in DPO-3420.2 what DG RTD and DG CNECT have stated in their DPO-3398.4 and DPO-3338.2 in the corresponding sections:

' 2. Description
The processing operations are described in the Commission's FP7 Audit Strategy:
http://cordis.europa.eu/audit-certificat...

3. Sub-Contractors
Any in-house external auditor of DG RTD is a processor ...'

Prior to mid-June 2013, these two DG RTD and DG CNECT prior notifications had had the same two false statements. Apparently, DG RTD and DG CNECT came up with the cunning idea to replace outright lies with obscure statements, which at least disguises the plain false statements.

DG ENTR DPO-3334.1 http://ec.europa.eu/dpo-register/details... suffers from the very same two false statements. However, DG ENTR has maintained the content of DPO-3334.1 unchanged, even though in GestDem 2013/3418 DG MOVE admitted in the initial response (answer to point 4) Ares(2013)2844428 - 06/08/2013 http://www.asktheeu.org/en/request/595/r... the two false statements.

In view of the above, in a comparison of the DG MOVE conduct with that of other three Research DGs DG MOVE comes out as the worst, since it filed a NEW version of DPO-3420 with the very same false statements.

According to the DG MOVE initial reply, the DPO-3420.2 controller was wholly indifferent in being personally liable for such kind of false statements, which have been in plain public view and after all this had been exposed in an application under Regulation 1049/2001. In other words, the controller was willing to compromise her integrity and in plain public view, without some kind of indemnification and instructions from her superiors.

If such kind of an 'explanation' is to be accepted, then the ultimate logical conclusion is that as far DG MOVE is concerned anything is possible as regards an utter disregard of several provisions of the Staff Rules and Regulation 45/2001.

Of course, such an explanation cannot and must not be accepted by the public.

Furthermore, there is the big issue how DG MOVE officials have dared to repeat in DPO-3420.2 the same false statements - which were exposed in plain public view - without bothering to inform the Commissioner. Such king of conduct might suggest that the administrative department feels unrestrained in misleading the public in spite of having been exposed, and without a sense of duty for duly and promptly informing the Commissioner about such serious matters compromising the integrity of the whole administrative department. In turn, this give rise to questions like (i)the extent to which the administrative department has in effect been acting with full autonomy and without being accountable to the Commissioner, and (ii) to what extent the cabinet of the Commissioner oversees the administrative department.

2. CONFIRMATORY APPLICATION

Ever if one were prepared to give DG MOVE the benefit of the doubt, the blatant false statements of DPO-3420.2 cast a long shadow over the integrity of DG MOVE in anything connected with its external financial audits.

For this reason, a confirmatory application is respectfully submitted for all 3 requests.

Yours faithfully,

Mr. Aris KOLIMATSIS

****************

ANNEX: DPO-3420.2 as of 24 January 2014

DPO-3420.2 DG MOVE and DG ENER External Audit and Control

Directorate-General: Mobility and Transport

Controller: ABA GARROTE Paloma

Publication: 2013-10-14
Processing
1. Name of the processing
DG MOVE and DG ENER External Audit and Control
2. Description
The processing operations performed by most DGs are described in the procedure guide of ex-post control which is the result of a sampling methodology of financial transactions.
http://www.cc.cec/budg/dgb/interdg/_doc/...

Research family DGs are using specific IT tools in the context of performing an external financial audit which are described below:
• A specific tool allowing the exchange of lists of projects (for an auditee) between DGs, supporting life-cycle management of individual audit and extrapolation cases and containing a summary of the audit conclusions. No personal data are processed except contact information of Commission staff and auditees.
• A specific tool to facilitate searching and visualisation of information about participants in grants and contracts. This is used by auditors in the selection, preparation and performance of audits. The tool uses information on participants in grants and contracts, taken from IT tools for programme management (front-office notified to the DPO under n° DPO-978 and back-office 1. This information includes details of organisation names, registration numbers, address, audit results, EWS status, phone, fax, email, names of authorised signatories and contact persons, project reference, acronym, funding, budget.
This processing has been submitted to the EDPS who concluded that Article 27 is not applicable.
3. Sub-Contractors
—
4. Automated / Manual operations
n/a

Beneficiary/contractor undertakes to provide any detailed information, including information in electronic format, requested by the Commission or by any other outside body authorised by the Commission in order to check that the action and the provisions of the agreement/service contract are being properly implemented.

5. Storage
Data are stored in computer systems and/or physical archives accessible only to duly authorized staff (management of IT and physical access rights with respect to the need to know principle).

6. Comments
n/a

Purpose & legal basis

7. Purposes
Checks and financial controls of grant agreements or service contracts aim at verifying beneficiary's or contractor's or subcontractors' or third parties' compliance with all contractual provisions (including financial provisions), in view of checking that the action and the provisions of the grant agreement or contract are being properly implemented and in view of assessing the legality and regularity of the transaction underlying the implementation of the Community budget.

8. Legal basis / Lawfulness
The possibility for the EC to carry out checks and financial controls is foreseen in the model grant agreement or contract signed between the EC and the beneficiary/contractor as required by the Financial Regulation ("FR") applicable to the General Budget of the European Communities (art. 170, 60.4), and its Implementing Rules ("IR") (art. 47.4):

• Art. 170 FR: Each financing agreement or grant agreement or grant decision must expressly provide for the Commission and the Court of Auditors to have the power of audit, on the basis of documents and on the spot, over all contractors and subcontractors who have received Community funds.

• Art. 60.4 FR: The authorizing officer by delegation shall put in place, in compliance with the minimum standards adopted by each institution and having due regard to the risks associated with the management environment and the nature of the actions financed, the organizational structure and the internal management and control procedures suited to the performance of his/her duties, including where appropriate ex post verifications. Before an operation is authorized, the operational and financial aspects shall be verified by members of staff other than the one who initiated the operation. The initiation and the ex ante and ex post verification of an operation shall be separate functions.

• Art. 47.4 IR: The ex post verifications on documents and, where appropriate, on the spot shall check that operations financed by the budget are correctly implemented and in particular that the criteria referred to in paragraph 3 are complied with. These verifications may be organized on a sample basis using risk analysis.

The processing operations on personal data carried out in the context of ex post controls are necessary and lawful under three articles of the Regulation (EC) 45/2001:
• article 5 (a): processing is necessary for the performance of a task carried out in the public interest on the basis of the Treaties establishing the European Communities or other legal instruments adopted on the basis thereof…
• article 5 (b): processing is necessary for compliance with a legal obligation to which the controller is subject
• article 20.1.b): necessary measure to safeguard:
(a) the prevention, investigation, detection and prosecution of criminal offences;
(b) an important economic or financial interest of a Member State or of the European Communities, includingmonetary, budgetary and taxation matters;
(c) the protection of the data subject or of the rights and freedoms of others;
This processing has been submitted to the EDPS who concluded that Article 27 is not applicable.
Data subjects / fields

9. Data subjects
Contractors and sub-contractors
Beneficiaries of grants
Staff
Experts

10. Data fields
All necessary data to efficiently conduct a control such as:
• Name,
• Function,
• Grade,
• Activities and expertises,
• Professional address,
• Timesheets,
• Salary,
• Accounts,
• Cost accounting,
• Missions,
• Information coming from local IT system used to declare costs as eligible,
• Supporting documents linked to travel costs,
• Minutes from mission and other similar data depending of the nature of the action.

No data which fall under article 10.

See point 17)

Rights of D.S.

11. Information
The Privacy Statement attached is available with the Commission's letter initiating the audit or control process
EXTERNAL AUDIT PRIVACY STATEMENT.doc

12. Procedure to grant rights
Functional mailbox to get information and mailbox of the EDPS to lodge a complaint (see Privacy statement ).

13. Retention
Each ex post controller is responsible of archiving the documents related to controls. Data are stored until 10 years after the final payment on condition that no contentious issues occurred; in this case, data will be kept until the end the last possible legal procedure.

14. Time limit
The Commission services will respond within 15 working days to any request and if this is considered justified the relevant correction or deletion will be performed within one calendar month.

15. Historical purposes
n/a
Recipients

16. Recipients
Collected personal data could be submitted to Commission services in charge of ex post controls, without prejudice to a possible transmission to the bodies in charge of a monitoring or inspection task in accordance with Community law (OLAF, Court of Auditor, Ombudsman, EDPS, IDOC, Internal Audit Service of the Commission).

See point 20)

17. Transfer
n/a