The protection of the right to privacy and the protection of personal data – as set out in article 8 of the EU Charter on Fundamental Rights – are important concerns for the European External Action Service (EEAS) as a European public administration.
To meet its obligations to citizens, the EEAS frequently needs to collect, process and retain personal data, such as names, office addresses, phone numbers, photos or other data, including more sensitive information through procurements, calls for tenders or conference invitations.
Personal data is information relating to you only, which makes you identifiable – your name, photo, phone number, birth date, e-mail address, car number plate, etc.
The data protection legislation for EU institutions, bodies, agencies and offices is going through a reform process, including Regulation (EU) 2018/1725 on the processing of personal data, as implemented in the EEAS by its Decision of 8 December 2011. These rules provide a framework and ensure that your data are:
Each directorate, division and service within the EEAS and all EU Delegations process information identifying individuals according to the Europe-wide recognised data protection principles. The EEAS Data Protection Office must be notified in advance of any operation involving such data collection, transmission, transfer or storage. All data of a personal nature provided to the EEAS - namely data which can identify a person directly or indirectly - will be handled with the necessary care.
The EEAS respects these principles for personal data processing set out in Regulation (EU) 2018/1725, and its successive legislative act to enter into force before the end of 2018, as well as Regulation (EU) 2016/679, the General Data Protection Regulation (abbreviated as 'the GDPR'), which is applicable to EU Member State public authorities, private sector enterprises and NGOs, with an impact on any organisation which processes personal data of individuals who are in the Union:
The GDPR harmonises data protection requirements across all 28 EU Member States, introducing new rights for data subjects, which apply extraterritorially to any organisation controlling and processing data on natural persons in the European Union.
For more information on the GDPR, see https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en. A functional mailbox has also been set up for specific questions: JUST-GDPR-INFO-REQUESTS@ec.europa.eu
Information is also accessible on the EEAS internet https://eeas.europa.eu/headquarters/headquarters-homepage/44163_en and it is available on all Delegations' websites, translated into French, Spanish, Portuguese and Russian.
The Data Protection (DP) team has a triple role:
The Data Protection Office comprises:
The Data Protection Office:
The EEAS intends to inform people whose personal data is being processed, i.e. any concerned individual whose data has been collected, processed and eventually kept for a period of time. By means of Privacy Statements, the EEAS provides information on the processing and on how to exercise individual rights.
The Data Controller, i.e. the service or Union Delegation that is responsible for the personal data processing, is obliged to notify the Data Protection Officer. In addition to the notification, a distinct Privacy Statement is drawn up to provide information on, among other things, the purpose, the retention and the Controller.
You have the right to (at no cost to yourself):
Exercising your rights
To exercise your rights, you must contact the controller in charge of your data processing. The controller's functional mailbox address appears on the privacy statement for each data processing.
If you cannot find the controller's contact details, you can email the EEAS Data Protection Office.
You may lodge a complaint at any time with the European Data Protection Supervisor (EDPS) who acts as an independent supervisory authority for all the institutions (see art. 41 to 45 of Regulation (EU) 2018/1725) devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies on the basis of EU Decision 1247/2002/EC on the regulations and general conditions governing the performance of the European Data Protection Supervisor's duties.
European Data Protection Supervisor (EDPS)
The EEAS's Data Protection Register records notified personal data processing operations in the EEAS. It was set up in accordance with articles 24.1 (d), 25 and 26 of Regulation (EU) 2018/1725.
The Register contains basic information about each case of personal data processing, similarly to the information included in the Privacy Statement:
The Register's search function allows you to select processing operations that may concern you. The EEAS Register is under a migration process due to the upcoming successor data protection regulation for European institutions, bodies, agencies and offices. If you are looking for a specific process, you are invited to contact the EEAS DPO.
Processing operations likely to present specific risks to the rights and freedoms of individuals whose data have been collected, processed and retained (data subjects) are included in the register held by the European Data Protection Supervisor (Article 27 of Regulation (EU) 2018/1725).
The purpose of the EEAS Data Protection Register and the EDPS Register is to inform the public about the existence of personal data processing operations. All persons concerned may exercise their rights as recognised by the Regulation on the basis of the information contained in the Register.
The Register is based on the notifications submitted by controllers and is therefore available only in the language of the notification, generally in English or French.