Regulation (EC) No 45/2001 of the European Parliament and of the Council (hereinafter Regulation 45/2001) provides a layered approach to guaranteeing data protection in the institutions and bodies: EDA, its controllers, the Data Protection Officer (DPO) and the European Data Protection Supervisor (EDPS) all contribute to the application of the Regulation at the Agency. EDA protects the fundamental rights and freedoms of natural persons and in particular their right to privacy with respect to the processing of personal data (Article 1.1 of Regulation No 45/2001).
Data protection – Definitions & general principles
What is personal data?
Any information about a natural person (i.e. a human being) can be personal data. If an individual is identified by name, or by an identifier, it is likely that the information processed is personal data. An identifier could be an identification number or one or more specific factors specific to the individual's physical, psychological, mental, economic, cultural or social identity.
Personal data may include names, dates of birth, photographs, email addresses or other details such as identity numbers. Sounds recording or images are also personal data, if a person can be identified. The processing of such data needs to be justified by reference to a specific purpose.
Some categories of personal data requires special attention; these are:
- Data revealing racial or ethnic origin;
- Political opinion;
- Religious or philosophical beliefs;
- Trade union membership;
- Data about health and sex life.
Personal data in the form of paper records as well as data processed by electronic means are subject to the Regulation.
Personal data are to be kept for a period no longer than necessary for carrying out the purpose for which they were collected.
What is a processing operation?
Almost anything that can be done to personal data constitutes a processing operation. Collecting, storing, consulting, diffusing data are all examples of kind of processing, as are erasing or destroying data.
Data processing may be justified by either necessity – to carry out a contract or meet a legal obligation – or by the consent of the data subject. The data processed must be up to date, adequate, relevant and not excessive for the purpose of processing which must be determined in advance of collection. Unless a change of purpose explicitly authorised by internal rules, the purpose of processing may not be altered subsequently. As well as ensuring that data are up to date, the data controller must allow data subjects to access their data.
What information shall be given to the data subjects whose personal data are being processed?
The data controller has to give certain information when data are collected. This information includes the identity of the data controller, the purpose of the processing, any recipients of the data, and the existence of the rights of access and of rectification.
The EDA Data Protection Officer keeps a register of processing operations, based on notifications received from data controllers. This register enables data subjects to find out which administrative entity is keeping what information about them.
Transfer of personal data
Under certain conditions, personal data may be transferred to recipients either within or outside the institutions of the European Union. With respect to transfers within or to other Community institutions or bodies, the data must be necessary for the legitimate performance of tasks within the recipient's competence, among other conditions.
Another set of conditions govern transfers to recipients covered by national legislation transposing Directive 95/46/EC: such recipients may be Member State authorities or private bodies. Special conditions apply to recipients not subject to Directive 95/46/EC, namely third countries and international organisations.
Rights and obligations
The data subject enjoys certain rights and the data controller has certain obligations under the Regulation.
What are my rights as a data subject?
The rights granted to data subjects are the cornerstone of the data protection Regulation.
The rights include:
- Access to your personal data, free of charge, and without constraint, within three months;
- Rectification of inaccurate or incomplete personal data;
- Blocking data processing in certain circumstances;
- Erasure of unlawfully processed data;
- The right to object to a processing operation on compelling grounds.
To exercise your rights, address yourself directly to the data controller.
You may also consult the EDA Data Protection Officer for an opinion on processing operations either concerning you or carried out by you. Please refer to the contact details at the end of this site.
What are my obligations as a data controller?
The data controller's primary duty is to identify personal data processing operations he or she carries out and to notify them to the Data Protection Officer. Notification should take place before the operation is undertaken. Operations already in place should be notified as soon as possible.
As mentioned previously, the data controller also has a responsibility to furnish certain information to data subjects. The data controller must also facilitate data subjects' access to their data and their exercising other rights such as rectification and erasure.
The data controller must also ensure that appropriate security measures are in place, and issue appropriate instructions to ensure confidentiality if data are processed by others (for example, by a sub‐contractor).
Furthermore, in the event of a transfer of data, the controller has to check that requirements of the Regulation (such as the necessity of the transfer) have been met.
How to submit a notification?
The notification form is to be found on the data protection page of the EDA's intranet site, together with a guide to fill it in. Please fill it in, sign and date it and send it as a paper version and by email to the address given. The Data Protection Officer will acknowledge the notification.
What remedies do I have?
If you think that your rights have been infringed you may lodge a complaint directly with the European Data Protection Supervisor.
In the absence of a response within six months, it is possible to bring an action, including claims for damages, before the Court of Justice of the European Union.
For more detailed information, please consult the web site of the European Data Protection Supervisor (see 'Further information’).
Further information and contact details
The EDA’s current Data Protection Officer (DPO) is Ms Clarisse Ribeiro. Please do not hesitate to direct any questions or queries concerning data protection to the DPO by email under email@example.com.