Data Protection

The protection of the right to privacy and the protection of personal data – as set out in article 8 of the EU Charter on Fundamental Rights – are important concerns for the European External Action Service (EEAS) as a European public administration.

To meet its obligations to citizens, the EEAS frequently needs to collect, process and retain personal data, such as names, office addresses, phone numbers, photos or other data, including more sensitive information through procurements, calls for tenders or conference invitations.

What is personal data?

Personal data is information relating to you only, which makes you identifiable – your name, photo, phone number, birth date, e mail address, car number plate, etc.

How does the EEAS process your personal data?

EU Regulation 45/2001 on the processing of personal data, as implemented in the EEAS by its Decision of 8 December 2011 ensure that your data are:

  • processed fairly and lawfully
  • collected for limited and explicit purposes
  • accurate and kept up-to-date
  • kept for no longer than necessary
  • secure
  • not transferred to third parties without adequate precautions
  • processed in accordance to your rights as a data subject.

These rules apply to all departments within the EEAS and all EU Delegations that process information identifying individuals. The EEAS Data Protection Office must be notified in advance of any operation involving such data collection, consultation, transmission or organisation. All data of a personal nature provided to the EEAS - namely data which can identify a person directly or indirectly - will be handled with the necessary care.

The EEAS respects the 7 principles for personal data processing set out in the EU Directive 95/46/EC and in the EU Regulation 45/2001

1. Notice – people whose data is being collected, processed and kept should be informed
2. Purpose – data collected should be used only for the stated purpose(s) and for no other
3. Consent – personal data should not be disclosed or shared with third parties without the consent of the person concerned
4. Security – once collected, personal data should be kept safe and secure from potential abuse, theft, or loss
5. Disclosure – people whose personal data is being collected should be told which party or parties are doing this
6. Access – people should granted access to their personal data and allowed to correct any inaccuracies
7. Accountability – people should be able to hold personal data collectors accountable for following all these principles.

See also: EEAS Data Protection – detailed overview pdf - 111 KB [111 KB]

Data Protection Team

The Data Protection (DP) team has a triple role:

  • raising awareness about data protection issues for staff and citizens
  • providing notifications and privacy statements
  • providing advice (formal advice and informal tips, recommendations on rights and obligations).

The Data Protection team comprises:

  • Data Protection Officer (DPO)
  • DP Assistant and DP Coordinator & Correspondent (DPC) Networks Coordinator
  • DPC Network of data protection coordinators in Headquarters with 20 coordinators at present
  • DPC Network of data protection correspondents in EU Delegations with pilot delegations to be further developed.

The Data Protection Office:

  • ensures that the principles of personal data protection are applied correctly within the EEAS
  • keeps a register of all personal data processing operations in the EEAS
  • notifies risky processing of personal data to the European Data Protection Supervisor (EDPS) and responds to requests from the EDPS
  • investigates matters and incidents on request or on its own initiative.


Data Protection - What are your rights?

The EEAS intends to inform people whose personal data is being processed, i.e. any concerned individual whose data has been collected, processed and eventually retained by means of a Privacy Statement, so that they may exercise their rights.

The Controller, i.e. the department or delegation who is responsible for the personal data processing is obliged to notify the Data Protection Officer. In addition to the notification, a distinct Privacy Statement is elaborated to provide information among others on the purpose, the retention as well as the Controller.

The following generic Privacy Statements are available:

The following specific Privacy Statements are available:

For further specific processing operations, see the Privacy Statement provided by the department or delegation concerned.

You have the right to (at no cost to yourself):

  • be informed of any processing of your personal data:
    • who is in charge of it
    • what the purpose is
    • what types of data are being processed
    • who is receiving the collected data
    • what logic is used in any automated decision-making process concerning your data.
  • access and rectify your data — when inaccurate or incomplete.
  • have your data blocked or erased and object to the processing of personal data in certain circumstances (such as when the processing is unlawful, the data is inaccurate, etc., see articles 15, 16 and 18 of Regulation 45/2001 ).
  • be informed before your data are disclosed for the first time to third parties and to object to such disclosure.

Exercising your rights

To exercise your rights, you must contact the controller in charge of your data processing. The controller's functional mailbox address appears on the notification and on the privacy statement associated with each case of data processing, and also in the register of notifications.

If you cannot find the controller's contact details, you can email the EEAS Data Protection Office.

You may lodge a complaint at any time with the European Data Protection Supervisor (EDPS) who acts as an independent supervisory authority for all the institutions (see art. 41 to 45 of Regulation 45/2001 ) devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies on the basis of EU Decision 1247/2002/EC on the regulations and general conditions governing the performance of the European Data Protection Supervisor's duties.


  • monitors the EU administration's processing of personal data
  • advises on policies and legislation that affect privacy
  • cooperates with similar authorities to ensure consistent data protection.

The Register

The EEAS's Data Protection Register records all notified personal data processing operations in the EEAS. It was set up in accordance with articles 24.1 (d), 25 and 26 of Regulation 45/2001 .

The Register contains basic information about each case of personal data processing, for example:

• purpose
• name of the controller
• type of data involved
• legal basis
• types of people concerned
• how long the data will be kept
• whether the data will be transferred
• to whom the data is disclosed.

The Register's search function allows you to select processing operations that may concern you.

Processing operations likely to present specific risks to the rights and freedoms of individuals whose data have been collected, processed and retained (data subjects) are included in the register held by the European Data Protection Supervisor (Article 27 of Regulation 45/2001 ).

The purpose of the EEAS Register and the EDPS Register is to inform the public about the existence of personal data processing operations. All persons concerned may exercise their rights as recognised by the Regulation on the basis of the information contained in the Register.

The Register is based on the notifications submitted by controllers and is therefore available only in the language of the notification, generally English or French.

EEAS Data Protection Office


European Data Protection Supervisor (EDPS)



  • Print
  • resize text to normal
  • Increase font size by 150 percent
  • Increase font size by 200 percent