The protection of the right to privacy and personal data – as set out in article 7 and 8 of the EU Charter on Fundamental Rights – are of great importance to the European External Action Service (EEAS) as a European public administration.
Privacy and data protection have become increasingly important in our daily life, both in private and at work. The rights to privacy and data protection have long been recognised as fundamental rights, and a new regulation Regulation (EU) 2018/1725 applies also to the EEAS when processing personal data. The revised legal framework intends to guarantee a high level of data protection when it comes to collecting and storing personal data for the benefit of EU institutions staff, Union citizens and of our partners in the world. Only 6 months after the entry into force of the General Data Protection Regulation (GDPR) which applies to Member States authorities, NGOs and the private sector, the new legislative act is harmonised with the principles of the GDPR.
To meet its obligations to citizens, the EEAS frequently needs to collect, process and retain personal data, such as names, functions, office addresses, phone numbers, photos or other data, including specific information in relation to individuals in the context of any EEAS activity, including Security, Defence and Crisis response, Public diplomacy, Development cooperation, as well as HR management, IT applications, procurements, conference, meeting and event organisation, budget or other administrative procedures.
Personal data is information relating to you only, which makes you identifiable – your name, photo, phone number, birth date, e-mail address, ID number, and many other personal details.
Your personal data is processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC as of 11 December 2018, aligned with provisions of the General Data Protection Regulation /Reg. (EU) 2016/679/. The EEAS aims at implementing data protection fully in line with the standards set out in the new legal framework using flexible privacy friendly tools with appropriate safeguards.
These rules provide a framework and ensure that your data are:
Each directorate, division and service within the EEAS and all EU Delegations are required to collect, handle and keep data identifying individuals according to the data protection provisions laid down in the data protection legal framework. The EEAS Data Protection Office is consulted when activities involve such data collection, transmission, transfer or storage. All data of a personal nature provided to the EEAS - namely data which can identify a person directly or indirectly - will be handled with the necessary care.
The EEAS respects these principles for personal data processing set out in the Regulation (EU) 2018/1725, as well as the Regulation EU 2016/679, the General Data Protection Regulation (also known abbreviated as 'the GDPR') that is applicable for EU Member State public authorities, private sector enterprises and NGOs with an impact on any organisation which processes personal data of individuals who are in the Union:Fairness and Transparency: processed lawfully, fairly and in a transparent way
The GDPR harmonises data protection requirements across all EU Member States, introducing new rights for data subjects, which apply extraterritorially to any organisation controlling and processing data on natural persons in the European Union.
For more information on the GDPR:
https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en and a functional mailbox has been also set up for specific questions: JUST-GDPR-INFO-REQUESTS@ec.europa.eu
Information is available on all Delegations' website, translated into French, Spanish, Portuguese and Russian and is also accessible on the EEAS internet https://eeas.europa.eu/headquarters/headquarters-homepage/44163_en
The EEAS intends to inform people whose personal data is being processed, i.e. any concerned individual whose data has been collected, processed and eventually kept for a period of time. By means of Privacy Statements, the EEAS provides information on the processing and on how to exercise individual rights.
You have the right – free of charge - to:
Please see articles 14-24 and 35 of Regulation (EU) 2018/1725.
To exercise your rights, you must contact the controller in charge of your data processing. The controller's functional mailbox address appears on the privacy statement for each data processing.
If you cannot find the controller's contact details, you can email the EEAS Data Protection Office.
You may lodge a complaint at any time with the European Data Protection Supervisor (EDPS) who acts as an independent supervisory authority for all the EU devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies on the basis of EU Decision 1247/2002/EC on the regulations and general conditions governing the performance of the European Data Protection Supervisor's duties.
The EEAS's Data Protection Register records personal data processing activities in the EEAS.
The Register contains basic information about each record of personal data processing, similarly to the information included in the Privacy Statement:
To be able to comply with the provisions of new data protection regulation, the EEAS Register goes through a migration process. If you look for a specific processing activity, you may also contact the EEAS DPO.
Processing operations that have been prior-checked by the European Data Protection Supervisor under Article 27 of the former data protection Regulation (EC) 45/2001 are included in the register held by the EDPS.
The purpose of the EEAS Data Protection Register and the EDPS Register is to inform the public about the existence of personal data processing operations. All persons concerned may exercise their rights as recognised by the Regulation on the basis of the information contained in the Register and in Data Protection Notices, also known as Privacy Statements.
The Register is based on the records submitted by data controllers along with the relevant Privacy Statements and is therefore available only in the language of the notification, generally in English.
The Data Protection Officer has multiple tasks:
The Data Protection Office furthermore:
The Data Protection Office comprises:
You are welcome to contact the EEAS Data Protection Officer via DATA-PROTECTION@eeas.europa.eu