Decision of the European Ombudsman on complaint 224/2004/PB against the European Commission

Strasbourg, 23 March 2005

Dear Mr X.,

On 18 January 2004, you made a complaint to the European Ombudsman concerning alleged breaches of EC Regulation 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies. In your complaint, you requested me not to publish personal data on yourself. I therefore decided to classify your complaint as confidential.

On 18 February 2004, I forwarded the complaint to the President of the European Commission. The Commission sent its opinion on 27 May 2004 and I forwarded it to you with an invitation to make observations, if you so wished. On 31 July 2004, you sent me a communication containing various remarks. That communication clarified that the remarks should not be considered and dealt with as observations on the Commission's opinion.

I am writing now to let you know the results of the inquiries that have been made.

I apologise for the length of time that it has taken to deal with your complaint.

THE COMPLAINT

On 10 June 2003, the complainant asked the Commission's Representation in Denmark for a 'communication' (in Danish 'meddelelse') under Article 31 of the Danish data protection legislation, which implements Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1). The 'communication' requested was the information referred to in Article 12(a) of Directive 95/46, which gives data subjects a right of access to information on data held on them(2).

In his request, the complainant noted that a member of staff of the Commission's Representation had contacted him by telephone on that same day(3). The complainant had asked the staff member concerned how he had obtained possession of his telephone number. He had been informed that the telephone number was in "some correspondence".

On 13 June 2003, the Representation sent the complainant a reply, the relevant part of which contained the following statement (translation by the Ombudsman's services):

"On 10 June 2003, I telephoned you. Your name, address and telephone number has been indicated by you in your complaint to the European Ombudsman(4). This complaint was subsequently sent by the European Ombudsman to the Commission for comments."

The complainant considered that this reply did not fulfil the requirements relating to a 'data communication'. On 14 June 2003, he complained to the Danish Data Protection Authority.

On 1 July 2003, the Commission's Representation sent the complainant another letter. The letter contained the following statement (translation by the Ombudsman's services):

"As an addendum to my letter to you of 13 June 2003, reference 150603, I enclose a printout from our register of incoming and outgoing mail. As you can see, you have been registered as 'Private Person from [town] in Denmark' with the address '[address]'. Your name is registered as '[name]'. Latest updating is today's date (01/07/2003) when the printout was made. The Commission's Representation in Denmark has not previously registered other personal data under your name."

On 21 July 2003, the Danish Data Protection Authority informed the complainant that it considered the Representation to have acted in conformity with the Danish data protection legislation. It referred to the Representation's letter of 1 July 2003 quoted above, of which it enclosed a copy. It also enclosed a copy of the letter that the Representation had sent to it in response to the complainant's complaint to the Danish Data Protection Authority. This letter primarily contained references to the Representation's letter of 1 July 2003 to the complainant. The Danish Data Protection Authority also sent the complainant a copy of the letter to the Representation.

On 4 August 2003, the complainant asked the Data Protection Authority to review its decision. He remarked that the 'data communication' that he had received did not appear to concern data registered under his name at the date when he had made his request for the communication. He noted that he had made his request on 10 June 2003 but that the Representation's communication referred to a subsequent date (i.e. the updating on 1 July 2003). The complainant furthermore remarked that he did not consider that he had been given all the information that he should have received under Article 31 of the Danish data protection legislation. This article provides that the 'data communication' shall contain the following:

1. the data that are being processed;

2. the purposes of the processing;

3. the categories of recipients of the data; and

4. any available information as to the source of such data.

The complainant considered that he had not been given information on 2 - 4.

The Danish Data Protection Authority informed the complainant on 25 August 2003 that it had asked the Commission's Representation (1) to give it information on whether there had been any revision of the personal data registered under the complainant's name since 10 June 2003 (i.e. the date when he made his request for a 'data communication') and (2) to provide the complainant with information on categories 2 - 4 of Article 31 of the Danish data protection legislation referred to above.

On 27 August 2003, the Commission's Representation sent letters to the Danish Data Protection Authority and to the complainant. The relevant part of the letter to the Data Protection Authority contained the following statement (translation by the Ombudsman's services):

"As an addendum to our letter to you of 3 July 2003, reference 150683, I can inform you that a telephone number has previously been included in our register. This telephone number was deleted after I telephoned [the complainant] and was informed in clear terms that he DID NOT want to speak to me and that he DID NOT wish to be contacted by telephone. NO deletions or additions have subsequently been made to the basic information in our register."

In the letter to the complainant, the Representation wrote the following (translation by the Ombudsman's services):

"It is hereby communicated to you that

• in our internal register, incoming and outgoing mail is recorded under the name of the person or organisation with whom/which we are in contact, including name, address and, when relevant, telephone number, fax number and/or email address. The information is contained in the enclosure in the letter dated 3 July 2003 to you, reference 150681(5);

• the purpose of the processing is to ensure a correct management of our incoming and outgoing mail;

• the register is only for internal use by the European Commission, and the data is not passed on;

• the data in our register came from yourself. However, to contact you we searched for a telephone number in the internet service of TDC [ the Danish Public Telephone Company ]. This number, which turned out not to be correct, has been included in our register, but has subsequently been deleted."

On 16 December 2003, the Data Protection Authority informed the complainant that it considered the Representation to have acted in conformity with the Danish data protection legislation. It referred to the letters of 27 August 2003 quoted above, of which it enclosed copies.

In his complaint to the Ombudsman, the complainant alleged that the Representation had breached Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data(6). He considered that the Representation had breached Article 12(7) of the Regulation in collecting information about him from other sources than himself, and that it had breached Article 13(8) by failing to give him easily understandable information about the Representation's processing of his personal data. With regard to the latter, the complainant remarked in particular that the two letters of 27 August 2003 quoted above seemed inconsistent in one respect. He pointed out that the letter to the Danish Data Protection Authority effectively referred to two telephone numbers, i.e. (i) the incorrect number that had been deleted from the Representation's register and (ii) - at least indirectly - the correct number as the letter referred to a telephone call made to him by the Representation. The letter to the complainant only referred to the incorrect telephone number. The complainant concluded that the Representation must have registered two telephone numbers under his name, and not only one as stated in its letter to himself.

In his complaint, the complainant furthermore set out the following claims (translation by the Ombudsman's services):

"1) that it is recognised, that the Commission's Representation in Copenhagen employs a person who lies, and who is in addition so stupid, that he thinks he can get away with telling different versions to the supervisory authority and the citizen.

2) that it is recognised, that the Commission's Representation in Copenhagen has unlawfully collected telephone numbers concerning a private person who did not himself provide these numbers, and without informing that person about it.

3) that the European Ombudsman shows himself to be capable of handling a citizen's complaint against the Commission without being constrained to simply copy the Commission's opinion into his decision, and at any price without having to stay good friends with the Commission."

For the reasons explained in Part 1 of the Decision, below, the Ombudsman did not request that the Commission address these claims. The Ombudsman's request for an opinion on the complaint only referred to the allegations summarised above.

THE INQUIRY

The Commission's opinion

The complaint was forwarded to the Commission, which made the following comments:

1. The Commission takes note of the comments made by the complainant regarding the allegedly unsatisfactory access to, and notification of, his personal data registered by the European Commission Representation in Denmark.

2. The complainant claims that the way in which his case was dealt with by the Representation constitutes an infringement of Article 12 (concerning compilation of personal data from sources other than the data subject) and Article 13 (concerning intelligible notification hereof) of Regulation (EC) No. 45/2001.

3. This case is related to a previous complaint by the complainant to the European Ombudsman (5/2003/PB). The Representation, in its effort to serve the complainant in the best way possible as regards his subsequent request for access to the documents relating to that complaint, had tried to contact him personally by telephone.

4. As background information it should be noted moreover that the complainant’s present complaint has already been submitted to the Danish Data Supervisory Authority with the claim that the Representation has failed to issue an appropriate notification under Section 31 of the Danish Personal Data Act. Although the Danish Data Supervisory Authority might in principle not have been obliged to deal with this complaint concerning data processing within a European Union institution (as opposed to a national authority), it did in fact examine the case and upon a close examination of the Danish legislation (in which the wording concerning notifications is almost identical to that of Regulation (EC) No. 45/2001) decided on 21 July 2003 that it would not take further actions in this matter.

5. As regards the present complaint to the European Ombudsman the Commission wishes to inform the European Ombudsman about the following course of events:

- On 10 June 2003, the European Commission Representation in Copenhagen telephoned the complainant twice in order to clarify which documents were referred to in his letter of 29 May 2003 to the Representation requesting access to documents relating to his complaint 5/2003/PB to the European Ombudsman.

- The first telephone number used as an effort to contact the complainant was acquired by the Representation from a search through the website of the TDC (the Danish national telephone company) on the basis of the name and address which the complainant himself had given to the Representation in an e-mail dated 4 November 2002. The Representation registered this TDC number in the Representation’s register of incoming and outgoing mail (i.e. Adonis). However, it was not the complainant who answered, and the Representation was told that he could not be found at the telephone number in question. Consequently, the Representation concluded that the number was incorrect.

- In its eagerness to find out what files or documents the complainant was requesting access to, the Representation subsequently realised that a letter of 11 February 2003 from the Directorate-General for Press and Communication to the then Head of Representation, Mr J., had a document attached to it, namely complaint 5/2003/PB to the European Ombudsman, in which the complainant himself had indicated his private telephone number. The Representation then made a telephone call to this number and the complainant answered. However, the complainant reacted very angrily to the call and stated that he did not want to be contacted by telephone anymore. So in fact this number was the correct telephone number but it was never registered. Hereafter, and in line with the complainant’s clear instructions, the Representation deleted the above TDC number from the Adonis register. For the same reason the, Representation instead wrote the complainant a letter dated 11 June 2003 listing the possible relevant documents for complaint 5/2003/PB.

- As a consequence of the above telephone calls, the complainant wrote a letter to the Representation on that same day requesting access to the correspondence that had allowed the Representation to obtain his telephone number and demanding an appropriate notification under Section 31 of the Danish Personal Data Act of all the personal data registered concerning him.

- On 13 June 2003, the Representation replied indicating that the name, address and telephone number of the complainant originated from complaint 5/2003/PB which had been passed to the Representation for comments. The Representation did not explicitly comment on which personal data it had registered.

- On 14 June 2003, the complainant submitted a complaint to the Danish Data Protection Authority.

- On 1 July 2003, the Representation sent the complainant an additional copy of the screen page from the Representation’s register of incoming and outgoing mail (i.e. Adonis), which at that time only contained the complainant’s name and address and no telephone numbers.

- On 4 August 2003, the complainant again complained to the Danish Data Supervisory Authority, claiming not to have received a proper notification according to Section 31 of the Danish Data Protection legislation on the exact date of his original request i.e. 10 June 2003, concerning the telephone numbers used by the Representation to contact him.

- On 27 August 2003, and following a request by the Danish Data Supervisory Authority, the Representation sent the complainant a further notification clearly explaining the processing of his personal data in the mail register and the fact that the telephone number searched for by the Representation at the TDC’s Internet service had been registered for a short while in the mail register. On the same day the Representation also wrote to the Danish Data Supervisory Authority again explaining its processing of the complainant’s data and making a clear reference to the fact that a telephone number obtained from the TDC Internet service had previously been registered. The complainant thereafter claimed that the contents of those two letters were inconsistent and made the present complaint to the European Ombudsman.

6. Having examined the letters of 11 June 2003 and 13 June 2003, 1 July 2003 and 27 August 2003 sent from the Representation to the complainant in this case, the Commission believes that this case has been handled in the correct manner and in compliance with Articles 12 and 13 of Council Regulation 45/2001. In particular, it should be noted that Article 13 sets a deadline of three months from the date of the receipt of the request to communicate the details about the personal data registered, which indeed has been respected by the Representation. As for the complainant’s wish to have a copy of his personal data in the mail register on the very day of his request, i.e. on 10 June 2003, it is unfortunately not technically possible to back-date the Adonis mail register. The Representation has therefore instead attempted to explain to the complainant in writing that a TDC telephone number had previously been registered. Moreover, it should be noted that the Representation has attempted to provide the complainant with a good service both by always providing him with what he asked for and by deleting the data which he indicated he did not want registered, thus following the complainant’s own instructions.

7. Finally, considering that the complainant’s complaint concerns the processing of his personal data within an EU-institution, the Commission is of the opinion that this case should be referred to the European Data Protection Supervisor (EDPS).

The complainant's observations

The Commission's opinion was forwarded to the complainant for observations. On 31 July 2004, he sent the Ombudsman a communication containing various remarks. That communication clarified that the remarks should not be considered and dealt with as observations on the Commission's opinion. It was clear, however, that the complainant maintained his complaint.

THE DECISION

1 Introductory remarks

1.1 The present complaint concerns the response of the Commission's Representation in Copenhagen to the complainant's request for information concerning the processing by the Representation of data relating to him. Not being satisfied with the Representation's response, the complainant initially submitted complaints to the Danish Data Protection Authority. The latter obtained replies from the Representation and found that there were no breaches of the relevant legislation. The review of the Danish Data Protection Authority was made on the basis of the Danish data protection legislation, which implements Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(9). In his complaint to the Ombudsman, the complainant referred to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data(10).

1.2 In light of the fact that the relevant data protection provisions in the Danish legislation (implementing Directive 95/46) and Regulation 45/2001 aim to provide the same kind of protection to data subjects, the Ombudsman carefully examined whether it would be appropriate to open an inquiry notwithstanding the inquiries made by the Danish Data Protection Authority. The Ombudsman concluded that an inquiry would be relevant because (1) the differences in the wording of the Representation's letters of 27 August 2003 to the complainant on the one hand and to the Danish Data Protection Authority on the other made it reasonable for the complainant to question whether he had been given easily understandable information, and (2) because the Danish Data Protection Authority appeared not to have inquired into the issue of whether the Representation had unlawfully collected and registered data on the complainant.

1.3 With regard to the Commission's statement that this case should be referred to the European Data Protection Supervisor, the Ombudsman considers that it is certainly useful for the purpose of information-exchange and consistency of interpretation to inform the European Data Protection Supervisor (EDPS) about decisions concerning data protection. In the present case, the EDPS will therefore be informed about the Ombudsman's decision(11). In appropriate circumstances, for example in cases involving complex issues of legal interpretation, the Ombudsman may furthermore consider it useful to consult the European Data Protection Supervisor directly. The circumstances of the present case do however not appear to make such consultation necessary.

1.4 As regards the three claims made by the complainant (quoted above at the end of the summary of the complaint), the Ombudsman considered that the concerns contained in claim one and two could be adequately responded to in his review of the allegations summarised above under 'The Complaint'. The Commission was therefore not requested to address these claims directly in its opinion. As regards the third claim, it reflects concerns as regards the Ombudsman's independence that had already been raised by the complainant in relation to his complaint 5/2003/(PB)BB. The Ombudsman considers that these concerns have been adequately responded to in the framework of that inquiry. In the present inquiry, the letter informing the complainant of the opening of the inquiry has repeated that the European Ombudsman acts with complete independence.

2 Alleged breach of Regulation 45/2001

2.1 The complainant alleged that the Representation had breached Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data(12). He considered that the Representation had breached Article 12 of the Regulation in collecting information about him from other sources than himself, and that it had breached Article 13 by failing to give him understandable information about the Representation's processing of his personal data.

2.2 In its opinion, the Commission rejected the complainant's allegation.

2.3 As regards the complainant's view that the Commission's Representation breached Article 12 of Regulation 45/2001 by collecting information about him from sources other than himself , the Ombudsman notes that the Article provides as follows:

1. Where the data have not been obtained from the data subject, the controller shall at the time of undertaking the recording of personal data or, if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed, provide the data subject with at least the following information, except where he or she already has it:

(a) the identity of the controller;
(b) the purposes of the processing operation;
(c) the categories of data concerned;
(d) the recipients or categories of recipients;
(e) the existence of the right of access to, and the right to rectify, the data concerning him or her;
(f) any further information such as:
(i) the legal basis of the processing operation for which the data are intended,
(ii) the time-limits for storing the data,
(iii) the right to have recourse at any time to the European Data Protection Supervisor,
(iv) the origin of the data, except where the controller cannot disclose this information for reasons of professional secrecy,
insofar as such further information is necessary, having regard to the specific circumstances in which the data are processed, to guarantee fair processing in respect of the data subject.

2. Paragraph 1 shall not apply where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by Community law. In these cases the Community institution or body shall provide for appropriate safeguards after consulting the European Data Protection Supervisor.

2.4 It appears from the facts of the case that the Commission's Representation conducted a search in an online database with a view to contacting the complainant by telephone to obtain clarification of an application for access to documents that he had made on 29 May 2003. The telephone number that it found was registered in the Representation's register under the complainant's name. The telephone number turned out, however, to be incorrect. The Representation then discovered the correct number in a complaint from the complainant that had been forwarded by the European Ombudsman to the European Commission. Having found the correct number, the Representation telephoned the complainant on 10 June 2003. Following the conversation with the complainant, who appears to have expressed a wish not to be contacted by telephone, the Representation deleted the incorrect telephone number from its register. As regards the correct telephone number with which the Representation contacted the complainant on 10 June 2003, it appears that this number was never entered in the Representation's register. This part of the present case therefore only concerns the Representation's handling of the incorrect telephone number.

2.5 It is clear that within the meaning of Regulation 45/2001, the Representation obtained the data (the incorrect telephone number) from a source other than the complainant (the online database) and processed that data (by registering it). The fact that the telephone number subsequently turned out to be wrong does not appear to remove its status as data relating to the complainant, as it was found and registered under his name. In formal terms, therefore, it appears that it was incompatible with Regulation 45/2001 not to inform the complainant in accordance with Article 12 of that regulation. However, it is clear from the Commission's opinion that its Representation telephoned the complainant in his own interest to obtain clarification of an application for documents that he had made shortly beforehand. When the complainant informed the Representation that he did not wish to be contacted by telephone, the Representation duly removed the incorrect telephone number from its register. The Representation therefore appears to have taken reasonable steps to safeguard the complainant's interests. In these circumstances, the Ombudsman considers that it is not necessary to inquire further into this aspect of the complaint. The complainant remains free, however, to contact the European Data Protection Supervisor if he should wish to obtain the latter's assessment(13).

2.6 As regards the complainant's view that the Commission's Representation breached Article 13 of Regulation 45/2001, the Ombudsman notes that the Article provides as follows:

"Right of access
The data subject shall have the right to obtain, without constraint, at any time within three months from the receipt of the request and free of charge from the controller:
(a) confirmation as to whether or not data related to him or her are being processed;
(b) information at least as to the purposes of the processing operation, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed;
(c) communication in an intelligible form of the data undergoing processing and of any available information as to their source;
(d) knowledge of the logic involved in any automated decision process concerning him or her."

2.7 According to the complainant, the Representation failed to give him easily understandable information, and thereby breached Article 13 of Regulation 45/2001. This provision sets out categories of information that must be provided to the data subject concerned, such as what data are processed, their source and possible recipients. The Ombudsman considers that it is good administrative practice to ensure that the information thus provided is correct and easy to understand.

2.8 For the purpose of reviewing the complainant's allegation, the Ombudsman considers that it is appropriate to examine the full correspondence between the complainant and the Representation.

- On 10 June 2003, the Representation telephoned the complainant in relation to a request for public access to documents. On that same day, the complainant asked the Representation to inform him about how it had obtained his telephone number. The Representation informed him, on 13 June 2003, that his telephone number had been "indicated by you in your complaint to the European Ombudsman".

- On 14 June 2003, the complainant asked the Representation for full information on its processing of his personal data. His request was made under the Danish data protection legislation which implements Directive 95/46/EC, and which contains essentially the same requirements as those set out in Article 13 of Regulation 45/2001 quoted above. On 1 July 2003, the Representation informed the complainant as follows: "As an addendum to my letter to you of 13 June 2003, reference 150603, I enclose a printout from our register of incoming and outgoing mail. As you can see, you have been registered as 'Private Person from [town] in Denmark' with the address '[address]'. Your name is registered as '[name]'. Latest updating is today's date (01/07/2003) when the printout was made. The Commission's Representation in Denmark has not previously registered other personal data under your name." (Emphasis added.)

- Subsequently, following the complainant's complaint to the Danish Data Protection Authority, the Representation informed the complainant in its letter of 27 August 2003 that "the data in our register came from yourself. However, to contact you we searched for a telephone number in the internet service of TDC. This number, which turned out not to be correct, has been included in our register, but has subsequently been deleted." (Emphasis added.)

2.9 It emerges from the above that the Commission's Representation failed, in its letter of 13 June 2003, to inform the complainant as to whether the telephone number that it had used to contact him on 10 June 2003 had actually been registered or not. It was only in its opinion submitted in the course of the present inquiry that the Commission clarified that no registration of that telephone number had taken place. It further emerges that when the Representation informed the complainant on 27 August 2003 about the incorrect telephone number that had been registered under his name and that had subsequently been deleted, it failed to give any information about when that number had been registered or when it had been deleted. Furthermore, it is clear from the Representation's letter of 27 August 2003 that its letter of 1 July 2003, in which it had stated that the "Commission's Representation in Denmark has not previously registered other personal data under your name", was incorrect since this letter failed to mention the incorrect telephone number that had been registered. On the basis of these findings, the Ombudsman considers that the Representation failed to give correct and easily understandable information in accordance with Article 13 of Regulation 45/2001. This constitutes an instance of maladministration, and the Ombudsman makes the critical remark set out below.

2.10 As regards the complainant's remarks on the possible inconsistency between the letters that the Representation sent to himself and to the Danish Data Protection Authority on 27 August 2003, the Ombudsman considers that further inquiries into this issue are not necessary in the light of the above findings.

3 Conclusion

On the basis of the Ombudsman's inquiries into this complaint, it is necessary to make the following critical remark:

Article 13 of Regulation 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies sets out categories of information that must be provided to the data subject concerned, such as what data are processed, their source and possible recipients. The Ombudsman considers that it is good administrative practice to ensure that the information thus provided is correct and easy to understand.

In the present case, the Commission's Representation failed, in its letter of 13 June 2003, to inform the complainant as to whether the telephone number that it had used to contact him on 10 June 2003 had actually been registered or not. It was only in its opinion submitted in the course of the present inquiry that the Commission clarified that no registration of that telephone number had taken place. It further emerges that when the Representation informed the complainant on 27 August 2003 about the incorrect telephone number that had been registered under his name and that had subsequently been deleted, it failed to give any information about when that number had been registered or when it had been deleted. Furthermore, it is clear from the Representation's letter of 27 August 2003 that its letter of 1 July 2003, in which it stated that the "Commission's Representation in Denmark has not previously registered other personal data under your name", was incorrect since this letter failed to mention the incorrect telephone number that had been registered. On the basis of these findings, the Ombudsman considers that the Representation failed to give correct and easily understandable information in accordance with Article 13 of Regulation 45/2001. This constitutes an instance of maladministration.

As regards the possibility of proposing a friendly solution(14), the Ombudsman considers that although the Commission failed to provide correct and easily understandable information as foreseen by Article 13 of Regulation 45/2001 when the complainant asked for such information in 2003, the Commission would appear to have submitted this information in its opinion on the present complaint. He further notes that the Commission has explained that for technical reasons it is not possible to provide the complainant with a copy of the data that were originally registered and subsequently deleted. In these circumstances, the Ombudsman takes the view that it is not appropriate to pursue a friendly settlement of the matter.

As regards the Ombudsman's inquiries into the complainant's allegation that there was a breach of Article 12 of Regulation 45/2001, the Ombudsman considers that no further inquiries are necessary.

The Ombudsman therefore closes the case.

The President of the European Commission will also be informed of this decision, as will the European Data Protection Supervisor.

Yours sincerely,

 

P. Nikiforos DIAMANDOUROS

---

(1) Official Journal 1995 L 281 p. 31.

(2) Article 12(a) provides the following:
Right of access
Member States shall guarantee every data subject the right to obtain from the controller:
(a) without constraint at reasonable intervals and without excessive delay or expense:
- confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,
- communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,
- knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15 (1).

(3) It appears from the Commission's opinion (summarised below) that the complainant was contacted in order to obtain clarification of an application for access to documents that he had submitted to the Commission shortly beforehand.

(4) The complainant had previously been in contact with the Commission's Representation concerning the possibility of obtaining advice on Community law. This contact gave rise to complaint 5/2003/(PB)BB to the European Ombudsman.

(5) It appears from the reference number that the letter here referred to is the one sent to the complainant on 1 July 2003 (see above).

(6) Official Journal 2001 L 8 p. 1.

(7) Article 12
Information to be supplied where the data have not been obtained from the data subject
1. Where the data have not been obtained from the data subject, the controller shall at the time of undertaking the recording of personal data or, if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed, provide the data subject with at least the following information, except where he or she already has it:
(a) the identity of the controller;
(b) the purposes of the processing operation;
(c) the categories of data concerned;
(d) the recipients or categories of recipients;
(e) the existence of the right of access to, and the right to rectify, the data concerning him or her;
(f) any further information such as:
(i) the legal basis of the processing operation for which the data are intended,
(ii) the time-limits for storing the data,
(iii) the right to have recourse at any time to the European Data Protection Supervisor,
(iv) the origin of the data, except where the controller cannot disclose this information for reasons of professional secrecy,
insofar as such further information is necessary, having regard to the specific circumstances in which the data are processed, to guarantee fair processing in respect of the data subject.
2. Paragraph 1 shall not apply where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by Community law. In these cases the Community institution or body shall provide for appropriate safeguards after consulting the European Data Protection Supervisor.

(8) Article 13
Right of access
The data subject shall have the right to obtain, without constraint, at any time within three months from the receipt of the request and free of charge from the controller:
(a) confirmation as to whether or not data related to him or her are being processed;
(b) information at least as to the purposes of the processing operation, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed;
(c) communication in an intelligible form of the data undergoing processing and of any available information as to their source;
(d) knowledge of the logic involved in any automated decision process concerning him or her.

(9) Official Journal 1995 L 281 p. 31.

(10) Official Journal 2001 L 8 p. 1.

(11) As the complaint is confidential, the European Data Protection Supervisor will receive an anonymized version of the Ombudsman's decision. That version will also be published on the Ombudsman's homepage.

(12) Official Journal 2001 L 8 p. 1.

(13) European Data Protection Supervisor, rue Wiertz 60, B-1047 Brussels, edps@edps.eu.int.

(14) Article 3(5) of the Ombudsman's Statute provides that "As far as possible, the Ombudsman shall seek a solution with the institution or body concerned to eliminate the instance of maladministration and satisfy the complaint."