The protection of the right to privacy and the protection of personal data – as set out in article 8 of the EU Charter on Fundamental Rights – are important concerns for the European External Action Service (EEAS) as a European public administration.
To meet its obligations to citizens, the EEAS frequently needs to collect, process and retain personal data, such as names, office addresses, phone numbers, photos or other data, including more sensitive information through procurements, calls for tenders or conference invitations.
Personal data is information relating to you only, which makes you identifiable – your name, photo, phone number, birth date, e mail address, car number plate, etc.
These rules apply to all departments within the EEAS and all EU Delegations that process information identifying individuals. The EEAS Data Protection Office must be notified in advance of any operation involving such data collection, consultation, transmission or organisation. All data of a personal nature provided to the EEAS - namely data which can identify a person directly or indirectly - will be handled with the necessary care.
1. Notice – people whose data is being collected, processed and kept should be informed
2. Purpose – data collected should be used only for the stated purpose(s) and for no other
3. Consent – personal data should not be disclosed or shared with third parties without the consent of the person concerned
4. Security – once collected, personal data should be kept safe and secure from potential abuse, theft, or loss
5. Disclosure – people whose personal data is being collected should be told which party or parties are doing this
6. Access – people should granted access to their personal data and allowed to correct any inaccuracies
7. Accountability – people should be able to hold personal data collectors accountable for following all these principles.
See also: EEAS Data Protection – detailed overview [111 KB]
The Data Protection (DP) team has a triple role:
The Data Protection team comprises:
The Data Protection Office:
The EEAS intends to inform people whose personal data is being processed, i.e. any concerned individual whose data has been collected, processed and eventually retained by means of a Privacy Statement, so that they may exercise their rights.
The Controller, i.e. the department or delegation who is responsible for the personal data processing is obliged to notify the Data Protection Officer. In addition to the notification, a distinct Privacy Statement is elaborated to provide information among others on the purpose, the retention as well as the Controller.
The following generic Privacy Statements are available:
The following specific Privacy Statements are available:
For further specific processing operations, see the Privacy Statement provided by the department or delegation concerned.
You have the right to (at no cost to yourself):
To exercise your rights, you must contact the controller in charge of your data processing. The controller's functional mailbox address appears on the notification and on the privacy statement associated with each case of data processing, and also in the
If you cannot find the controller's contact details, you can email the EEAS Data Protection Office.
You may lodge a complaint at any time with the European Data Protection Supervisor (EDPS) who acts as an independent supervisory authority for all the institutions (see art. 41 to 45 of Regulation 45/2001 ) devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies on the basis of EU Decision 1247/2002/EC on the regulations and general conditions governing the performance of the European Data Protection Supervisor's duties.
The EEAS's Data Protection Register records all notified personal data processing operations in the EEAS. It was set up in accordance with articles 24.1 (d), 25 and 26 of Regulation 45/2001 .
The Register contains basic information about each case of personal data processing, for example:
• name of the controller
• type of data involved
• legal basis
• types of people concerned
• how long the data will be kept
• whether the data will be transferred
• to whom the data is disclosed.
The Register's search function allows you to select processing operations that may concern you.
Processing operations likely to present specific risks to the rights and freedoms of individuals whose data have been collected, processed and retained (data subjects) are included in the register held by the European Data Protection Supervisor (Article 27 of Regulation 45/2001 ).
The purpose of the EEAS Register and the EDPS Register is to inform the public about the existence of personal data processing operations. All persons concerned may exercise as recognised by the Regulation on the basis of the information contained in the Register.
The Register is based on the notifications submitted by controllers and is therefore available only in the language of the notification, generally English or French.