The protection of your privacy, including your personal data, is of great importance to the European External Action Service (EEAS).
The protection of the right to privacy and personal data – as set out in Articles 7 and 8 of the EU Charter on Fundamental Rights – is of great importance to the European External Action Service (EEAS) as a European public administration.
Privacy and data protection have become increasingly important in our daily life, both in private and at work. The rights to privacy and data protection have long been recognised as fundamental rights, and a new regulation, Regulation (EU) 2018/1725, also applies to the EEAS when processing personal data. The revised legal framework intends to guarantee a high level of data protection when it comes to collecting and storing personal data for the benefit of EU institutions' staff, Union citizens and our partners in the world. Only 6 months after the entry into force of the General Data Protection Regulation (GDPR), which applies to Member States' authorities, NGOs and the private sector, the new legislative act is harmonised with the principles of the GDPR.
To meet its obligations to citizens, the EEAS frequently needs to collect, process and retain personal data, such as names, functions, office addresses, phone numbers, photos or other data, including specific information in relation to individuals in the context of any EEAS activity, including Security, Defence and Crisis response, Public diplomacy, Development cooperation, as well as HR management, IT applications, procurements, conference, meeting and event organisation, budget or other administrative procedures.
What is personal data?
Personal data is information relating to you only, which makes you identifiable – your name, photo, phone number, birth date, e-mail address, ID number, and many other personal details.
How does the EEAS process your personal data?
Your personal data is processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC as of 11 December 2018, aligned with provisions of the General Data Protection Regulation (Regulation (EU) 2016/679). The EEAS aims at implementing data protection fully in line with the standards set out in the new legal framework, using flexible, privacy-friendly tools with appropriate safeguards.
These rules provide a framework and ensure that your data are:
- processed fairly, lawfully and in a transparent manner
- collected for limited and explicit purposes
- accurate and kept up-to-date
- kept for no longer than necessary
- not transferred to third parties without adequate precautions
- processed respecting your rights as a data subject
Each directorate, division and service within the EEAS and all EU Delegations are required to collect, handle and keep data identifying individuals according to the data protection provisions laid down in the data protection legal framework. The EEAS Data Protection Office is consulted when activities involve such data collection, transmission, transfer or storage. All data of a personal nature provided to the EEAS – namely data which can identify a person directly or indirectly – will be handled with the necessary care.
The EEAS respects these principles for personal data processing set out in Regulation (EU) 2018/1725, as well as in Regulation (EU) 2016/679, the General Data Protection Regulation (abbreviated as ‘the GDPR’), which is applicable to EU Member State public authorities, private sector enterprises and NGOs, with an impact on any organisation which processes personal data of individuals who are in the Union:
- Fairness and Transparency: processed lawfully, fairly and in a transparent way
- Purpose limitation: collected for specified, explicit and legitimate purposes and not further processed for any incompatible purpose
- Data minimisation: adequate, relevant and limited to what is necessary for the purpose
- Accuracy: accurate and, where necessary, kept up to date; enabling inaccurate or incomplete data to be corrected or erased
- Storage limitation: kept in a form that allows identification for no longer than necessary
- Integrity and confidentiality: processed securely including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
- Transfer to a Third country is permitted only with appropriate safeguards
The GDPR harmonises data protection requirements across all EU Member States, introducing new rights for data subjects, which apply extraterritorially to any organisation controlling and processing data on natural persons in the European Union.
For more information on the GDPR:
https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
A functional mailbox has also been set up for specific questions: JUST-GDPR-INFO-REQUESTS@ec.europa.eu
Information is available on all Delegations’ websites, translated into French, Spanish, Portuguese and Russian, and is also accessible on the EEAS website: https://eeas.europa.eu/headquarters/headquarters-homepage/44163_en
The EEAS intends to inform people whose personal data is being processed, i.e. any concerned individual whose data has been collected, processed and eventually kept for a period of time. By means of Privacy Statements, the EEAS provides information on the processing and on how to exercise individual rights.
You have the right – free of charge – to:
- be informed of any processing of your personal data:
  - who is in charge of it
  - what the purpose and the legal bases are
  - what type of data are being processed
  - who has access to the collected data
  - how long it is kept
  - what logic is used in any automated decision-making process concerning your data
- access and correct your data, when inaccurate or incomplete
- have your data restricted or erased and object to the processing of personal data in certain circumstances (such as when the processing is unlawful or the data is inaccurate)
Please see articles 14-24 and 35 of Regulation (EU) 2018/1725.
Exercising your rights
To exercise your rights, you must contact the controller in charge of your data processing. The controller’s functional mailbox address appears on the privacy statement for each data processing.
If you cannot find the controller’s contact details, you can email the EEAS Data Protection Office.
You may lodge a complaint at any time with the European Data Protection Supervisor (EDPS) who acts as an independent supervisory authority for all the EU devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies on the basis of EU Decision 1247/2002/EC on the regulations and general conditions governing the performance of the European Data Protection Supervisor’s duties.
European Data Protection Supervisor (EDPS)
- monitors the EU administration’s processing of personal data
- advises on policies and legislation that affect privacy
- cooperates with similar authorities to ensure consistent data protection.
Information in the Data Protection Register and Privacy Statements
The EEAS’s Data Protection Register records personal data processing activities in the EEAS.
The Register contains basic information about each record of personal data processing, similarly to the information included in the Privacy Statement:
- controller, processor, data protection officer
- type of data involved
- legal basis
- types of people concerned
- how long the data will be kept
- to whom the data is disclosed including any transfers
To be able to comply with the provisions of the new data protection regulation, the EEAS Register is going through a migration process. If you are looking for a specific processing activity, you may also contact the EEAS DPO.
Processing operations that have been prior-checked by the European Data Protection Supervisor under Article 27 of the former data protection Regulation (EC) 45/2001 are included in the register held by the EDPS.
The purpose of the EEAS Data Protection Register and the EDPS Register is to inform the public about the existence of personal data processing operations. All persons concerned may exercise their rights as recognised by the Regulation on the basis of the information contained in the Register and in Data Protection Notices, also known as Privacy Statements.
The Register is based on the records submitted by data controllers along with the relevant Privacy Statements and is therefore available only in the language of the notification, generally in English.
EEAS Data Protection Officer (DPO)
The Data Protection Officer has multiple tasks:
- raising awareness about data protection issues for staff and citizens
- supporting data controllers to record their processes and to prepare privacy statements
- providing advice (formal guidance and informal tips, recommendations on rights and obligations)
- monitoring compliance with Regulation (EU) 2018/1725
- providing advice where requested as regards the necessity for a notification or a communication of a personal data breach as well as related to a data protection impact assessment
- acting as a liaison officer between the EEAS and the European Data Protection Supervisor, providing advice where requested as regards the need for prior consultation, and responding to requests from the European Data Protection Supervisor
The Data Protection Office furthermore:
- ensures that the principles of personal data protection are applied correctly within the EEAS
- manages the notification system of all personal data processing operations in the EEAS
- notifies processes of personal data that present risks to individuals to the European Data Protection Supervisor (EDPS) and responds to requests from the EDPS
- investigates matters and incidents on request or on its own initiative.
The Data Protection Office comprises:
- Data Protection Officer (DPO)
- DPC Network of data protection coordinators in Headquarters
- DPC Network of data protection correspondents in EU Delegations
You are welcome to contact the EEAS Data Protection Officer via DATA-PROTECTION@eeas.europa.eu