The protection of the right to privacy and personal data – as set out in article 7 and 8 of the EU Charter on Fundamental Rights – are of great importance to the European External Action Service (EEAS) as a European public administration.

Privacy and data protection have become increasingly important in our daily life, both in private and at work. The rights to privacy and data protection have long been recognised as fundamental rights, and a new regulation Regulation (EU) 2018/1725 applies also to the EEAS when processing personal data. The revised legal framework intends to guarantee a high level of data protection when it comes to collecting and storing personal data for the benefit of EU institutions staff, Union citizens and of our partners in the world. Only 6 months after the entry into force of the General Data Protection Regulation (GDPR) which applies to Member States authorities, NGOs and the private sector, the new legislative act is harmonised with the principles of the GDPR.

To meet its obligations to citizens, the EEAS frequently needs to collect, process and retain personal data, such as names, functions, office addresses, phone numbers, photos or other data, including specific information in relation to individuals in the context of any EEAS activity, including Security, Defence and Crisis response, Public diplomacy, Development cooperation, as well as HR management, IT applications, procurements, conference, meeting and event organisation, budget or other administrative procedures.

What is personal data?

Personal data is information relating to you only, which makes you identifiable – your name, photo, phone number, birth date, e-mail address, ID number, and many other personal details.

How does the EEAS process your personal data?

Your personal data is processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC as of 11 December 2018, aligned with provisions of the General Data Protection Regulation /Reg. (EU) 2016/679/. The EEAS aims at implementing data protection fully in line with the standards set out in the new legal framework using flexible privacy friendly tools with appropriate safeguards.

These rules provide a framework and ensure that your data are:

• processed fairly, lawfully and in a transparent manner
• collected for limited and explicit purposes
• accurate and kept up-to-date
• kept for no longer than necessary
• secure
• not transferred to third parties without adequate precautions
• processed respecting your rights as a data subject

Each directorate, division and service within the EEAS and all EU Delegations are required to collect, handle and keep data identifying individuals according to the data protection provisions laid down in the data protection legal framework. The EEAS Data Protection Office is consulted when activities involve such data collection, transmission, transfer or storage. All data of a personal nature provided to the EEAS - namely data which can identify a person directly or indirectly - will be handled with the necessary care.

/file/eeasdataprotectionoverview-newregulationdec2018revjpg_freeas_data_protection_overview_-_new_regulation_dec_2018rev.jpg

The EEAS respects these principles for personal data processing set out in the Regulation (EU) 2018/1725, as well as the Regulation EU 2016/679, the General Data Protection Regulation (also known abbreviated as 'the GDPR') that is applicable for EU Member State public authorities, private sector enterprises and NGOs with an impact on any organisation which processes personal data of individuals who are in the Union:Fairness and Transparency: processed lawfully, fairly and in a transparent way

• Purpose limitation: collected for specified, explicit and legitimate purposes and not further processed for any incompatible purpose
• Data minimisation: adequate, relevant and limited to what is necessary for the purpose
• Accuracy: accurate and, where necessary, kept up to date;  enabling inaccurate or incomplete data to be corrected or erased
• Storage limitation: kept in a form that allows identification for no longer than necessary
• Integrity and confidentiality: processed securely including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
• Transfer to a Third country is permitted only with appropriate safeguards

The GDPR harmonises data protection requirements across all EU Member States, introducing new rights for data subjects, which apply extraterritorially to any organisation controlling and processing data on natural persons in the European Union.

For more information on the GDPR: 

https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en and a functional mailbox has been also set up for specific questions: JUST-GDPR-INFO-REQUESTS@ec.europa.eu

Information is available on all Delegations' website, translated into French, Spanish, Portuguese and Russian and is also accessible on the EEAS internet https://eeas.europa.eu/headquarters/headquarters-homepage/44163_en