The Delegation of the European Union to Yemen

Data Protection

10/06/2016 - 15:33

The protection of your privacy, including your personal data, is of great importance to the European External Action Service (EEAS).

The protection of the right to privacy and the protection of personal data – as set out in article 8 of the EU Charter on Fundamental Rights – are important concerns for the European External Action Service (EEAS) as a European public administration.

To meet its obligations to citizens, the EEAS frequently needs to collect, process and retain personal data, such as names, office addresses, phone numbers, photos or other data, including more sensitive information through procurements, calls for tenders or conference invitations.

What is personal data?

Personal data is information relating to you only, which makes you identifiable – your name, photo, phone number, birth date, e mail address, car number plate, etc.

How does the EEAS process your personal data?


The data protection legislation for EU institutions,  bodies, agencies and offices goes through a reform process, including Regulation (EU) 2018/1725 on the processing of personal data, as implemented in the EEAS by its Decision of 8 December 2011. These rules provide a framework and ensure that your data are:

  • processed fairly and lawfully
  • collected for limited and explicit purposes
  • accurate and kept up-to-date
  • kept for no longer than necessary
  • secure
  • not transferred to third parties without adequate precautions
  • processed in accordance to your rights as a data subject.

Each directorate, division and service within the EEAS and all EU Delegations process information identifying individuals according to the Europe-wide recognised data protection principles. The EEAS Data Protection Office must be notified in advance of any operation involving such data collection, transmission, transfer or storage. All data of a personal nature provided to the EEAS - namely data which can identify a person directly or indirectly - will be handled with the necessary care.

The EEAS respects these principles for personal data processing set out in the Regulation (EU) 2018/1725, and its successive legislative act to enter into force before the end of 2018 as well as the Regulation EU 2016/679, the General Data Protection Regulation (also known abbreviated as 'the GDPR') that is applicable for EU Member State public authorities, private sector enterprises and NGOs with an impact on any organisation which processes personal data of individuals who are in the Union:

  • Fairness and Transparency: processed lawfully, fairly and in a transparent way
  • Purpose limitation: collected for specified, explicit and legitimate purposes and not further processed for any incompatible purpose
  • Data minimisation: adequate, relevant and limited to what is necessary for the purpose
  • Accuracy: accurate and, where necessary, kept up to date;  enabling inaccurate or incomplete data to be corrected or erased
  • Storage limitation: kept in a form that allows identification for no longer than necessary
  • Integrity and confidentiality: processed securely including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
  • Transfer to a Third country is permitted only with appropriate safeguards

The GDPR harmonises data protection requirements across all 28 EU Member States, introducing new rights for data subjects, which apply extraterritorially to any organisation controlling and processing data on natural persons in the European Union.

For more information on the GDPR and a functional mailbox has been also set up for specific questions:

Information is also accessible on the EEAS internet and it is available on all Delegations' website, translated into French, Spanish, Portuguese and Russian.

See also: 


The Data Protection (DP) team has a triple role:

  • raising awareness about data protection issues for staff and citizens
  • supporting data controllers to notify and record their processes and to prepare privacy statements
  • providing advice (formal guidance and informal tips, recommendations on rights and obligations).

The Data Protection Office comprises:

  • Data Protection Officer (DPO)
  • DPC Network of data protection coordinators in Headquarters with 20 coordinators at present
  • DPC Network of data protection correspondents in EU Delegations with pilot delegations to be further developed.

The Data Protection Office:

  • ensures that the principles of personal data protection are applied correctly within the EEAS
  • manages the notification system of all personal data processing operations in the EEAS
  • notifies processes of personal data that present risks to individuals to the European Data Protection Supervisor (EDPS) and responds to requests from the EDPS
  • investigates matters and incidents on request or on its own initiative.

The EEAS intends to inform people whose personal data is being processed, i.e. any concerned individual whose data has been collected, processed and eventually kept for a period of time.  By means of Privacy Statements, the EEAS provides information on the processing and on how to exercise individual rights.

The Data Controller, i.e. the service or Union Delegation who is responsible for the personal data processing is obliged to notify the Data Protection Officer. In addition to the notification, a distinct Privacy Statement is elaborated to provide information among others on the purpose, the retention as well as the Controller.

See all Privacy Statements concerning the activities of the EEAS

You have the right to (at no cost to yourself):

  • be informed of any processing of your personal data:
    • who is in charge of it
    • what the purpose and the legal bases are
    • what type of data are being processed
    • who has access to the collected data
    • how long it is kept
    • what logic is used in any automated decision-making process concerning your data.
  • access and correct your data — when inaccurate or incomplete.
  • have your data blocked or erased and object to the processing of personal data in certain circumstances (such as when the processing is unlawful, the data is inaccurate, etc., see articles 15, 16 and 18 of Regulation (EU) 2018/1725 ​).


Exercising your rights

To exercise your rights, you must contact the controller in charge of your data processing. The controller's functional mailbox address appears and on the privacy statement for each data processing.

If you cannot find the controller's contact details, you can email the EEAS Data Protection Office.

You may lodge a complaint at any time with the European Data Protection Supervisor (EDPS) who acts as an independent supervisory authority for all the institutions (see art. 41 to 45 of Regulation (EU) 2018/1725) devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies on the basis of EU Decision 1247/2002/EC on the regulations and general conditions governing the performance of the European Data Protection Supervisor's duties.


  • monitors the EU administration's processing of personal data
  • advises on policies and legislation that affect privacy
  • cooperates with similar authorities to ensure consistent data protection.

European Data Protection Supervisor (EDPS)



The EEAS's Data Protection Register records notified personal data processing operations in the EEAS. It was set up in accordance with articles 24.1 (d), 25 and 26 of Regulation (EU) 2018/1725.

The Register contains basic information about each case of personal data processing, similarly to the information included in the Privacy Statement:

  • purpose
  • name of the controller
  • type of data involved
  • legal basis
  • types of people concerned
  • how long the data will be kept
  • whether the data will be transferred
  • to whom the data is disclosed.

The Register's search function allows you to select processing operations that may concern you. The EEAS Register is under a migration process due to the upcoming successor data protection regulation for European institutions, bodies, agencies and offices. If you look for a specific process, you are invited to contact the EAES DPO.

Processing operations likely to present specific risks to the rights and freedoms of individuals whose data have been collected, processed and retained (data subjects) are included in the register held by the European Data Protection Supervisor (Article 27 of Regulation (EU) 2018/1725).

The purpose of the EEAS Data Protection Register and the EDPS Register is to inform the public about the existence of personal data processing operations. All persons concerned may exercise their rights as recognised by the Regulation on the basis of the information contained in the Register.

The Register is based on the notifications submitted by controllers and is therefore available only in the language of the notification, generally in English or French.



Editorial Sections: