Privacy and data protection
Privacy and data protection have become increasingly significant in our everyday life, both in the private sphere and at work. The rights to privacy and data protection have long been recognised as fundamental rights, set out in Articles 7 and 8 of the EU Charter of Fundamental Rights. There is a specific legislative act for institutions, bodies, offices and agencies of the European Union (Regulation (EU) 2018/1725) that also applies to the EEAS when processing personal data. The renewed legal framework intends to guarantee a high level of data protection when it comes to collecting and storing personal data for the benefit of Union citizens, EU institution staff and of our external partners all over the world. It entered into force the same year and is harmonised with the principles of the General Data Protection Regulation (the GDPR), which is applicable for Member States' authorities, private sector and civil society organisations.
In the context of its activities such as security, defence and crisis response, public diplomacy, development cooperation as well as human resource management, digital solutions, conference and event organisation, procurements, financial or other administrative procedures and in order to meet its obligations vis-à-vis EU citizens and any individual, the EEAS frequently needs to collect, process and keep personal data, including names, functions, phone numbers, photos, video recordings and many other data. In certain cases, even sensitive information, including health-related data, needs to be handled, including during the Covid-19 pandemic.
What is personal data?
Personal data is information relating to you or any identified or identifiable natural person displayed, handled, stored or accessed in a way that would make an individual directly or indirectly recognisable. Examples include a name, photo, birth date, ID number, phone number or e-mail address, and even characteristics if linked to a person, as well as data about behaviour, travel or shopping habits, and profiles, including on social media platforms.
How does the EEAS process your personal data?
Your personal data is processed in accordance with Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data that entered into force on 11 December 2018 and is aligned with the provisions of Regulation (EU) 2016/679, the GDPR. The EEAS aims at implementing data protection fully in conformity with the standards set out in the revised legislative framework using flexible privacy-friendly tools with appropriate measures achieving compliance.
These rules provide a legal framework and ensure that your data are:
- processed fairly, lawfully and in a transparent manner
- collected for specified, explicit and legitimate purposes and not further processed for any incompatible purpose
- adequate, relevant and limited to what is necessary
- accurate and kept up to date enabling inaccurate or incomplete data to be corrected or erased
- kept for no longer than necessary
- processed securely including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
- not transferred to third parties without adequate safeguards
- processed in a way that you can exercise your rights as a data subject
Each directorate, division and service within the EEAS and all EU Delegations are required to collect, handle and keep data identifying individuals according to the rights and obligations laid down in the data protection legal framework. The EEAS Data Protection Officer is consulted when activities involve such collection, transfer or storage of data. All information of a personal nature provided to the EEAS - namely data which can identify a person directly or indirectly - will be handled with the necessary care.
Data protection in the EU
The EEAS respects the Europe-wide recognised data protection principles for the processing of personal data:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality
These principles are set out in Regulation (EU) 2018/1725 applicable to Union institutions and bodies, as well as in Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR).
The GDPR harmonises data protection requirements across all EU Member States, enforcing rights for data subjects, which apply extraterritorially to any organisation controlling and processing data of natural persons in the European Union.
For more information on the GDPR you can check out: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
A functional mailbox has also been set up for specific questions:
Information is also available on all Delegations' websites, translated into French, Spanish, Portuguese and Russian and is accessible on the EEAS website at this page.
By means of Privacy Statements or Data Protection Notices, the EEAS provides information on the processing of personal data of individuals whose data has been collected, handled and eventually kept for a certain period of time and on how to exercise individual rights.
You have the right, free of charge:
- to be informed of any processing of your personal data:
  - who is in charge of the data processing
  - what the purpose and the legal bases are
  - what type of data are being processed
  - who has access to the collected data
  - how long it is kept
  - what logic is used in any automated decision-making process concerning your data
- to access your data;
- to correct (rectify) them when inaccurate or incomplete;
- to have your data erased in certain circumstances (such as when the processing is unlawful or the data is inaccurate), their processing restricted (for example while they are rectified or when a dispute about the lawfulness is to be decided) and to object to the processing of your personal data based on your specific circumstances.
You can find more details on individual rights in Articles 14-24 and 35 of Regulation (EU) 2018/1725.
Exercising your rights
To exercise your rights, you can contact the data controller in charge of the processing of personal data. The functional mailbox of the data controller entity appears on the privacy statement or data protection notice for each data processing activity.
If you cannot find the contact details of the data controller, you can send an e-mail to the EEAS Data Protection Office.
You may lodge a complaint at any time with the European Data Protection Supervisor (EDPS) who acts as an independent supervisory authority for EU institutions and bodies, offices and agencies devoted to protecting personal data and privacy and promoting good practice on the basis of EU Decision 1247/2002/EC on the regulations and general conditions governing the performance of the European Data Protection Supervisor's duties.
European Data Protection Supervisor (EDPS)
As data protection is a fundamental right in the European Union, it also includes the right to supervision by an independent authority.
The EDPS is responsible for ensuring the protection of personal data by the EU institutions, bodies, offices and agencies. The EDPS:
- supervises and monitors personal data processing activities by the EU administration
- advises on policies and legislation that affect privacy, provides advice to the EU legislator and may appear before the EU Courts
- cooperates with other data protection authorities to ensure consistent data protection
- monitors new technologies with an impact on privacy
Information in the data protection register and privacy statements
The Data Protection Register contains records of personal data processing activities in the EEAS.
The Register provides general information about each record of personal data processing, similarly to the information included in the Privacy Statement or Data Protection Notice:
- purpose of the personal data processing
- controller(s), processor, data protection officer
- type of data processed
- types of people concerned
- how long the data is kept
- to whom the data is disclosed including any transfers
- legal basis
- general security measures
The purpose of the EEAS Data Protection Register is to inform the public about the personal data processing activities. All individuals concerned may exercise their rights recognised by the Regulation (EU) 2018/1725, as described by the information contained in the Register and in the Data Protection Notices, also known as Privacy Statements.
The Register is based on the data processing compliance records submitted by data controllers along with the relevant Privacy Statements and is therefore available only in the language of the record, generally in English. Processing activities that have been prior-checked by the European Data Protection Supervisor under Article 27 of the former data protection Regulation (EC) 45/2001 are available on the webpage about prior-checking opinions of the EDPS.
To be able to comply with the provisions of the revised data protection regulation, the EEAS Register is going through a technical upgrading process. If you are looking for a specific processing activity, you may also contact the EEAS Data Protection Officer.
Tasks and mission of the Data Protection Officer (DPO)
The Data Protection Officer has multiple tasks:
- supporting and consulting data controllers to demonstrate compliance, record their processes and to prepare privacy statements
- monitoring compliance with Regulation (EU) 2018/1725 and ensuring that the principles of data protection are applied correctly in the EEAS
- raising awareness through events and trainings on data protection for staff and citizens
- providing advice (guidance and recommendations on individual rights and data controller obligations), in particular about
  - privacy risk assessment
  - reporting of personal data breaches
  - transfers of personal data
- maintaining the central register of personal data processing activities based on the records prepared by the data controllers
- investigating matters and incidents on request or on own initiative
- being an interface between the EEAS and the European Data Protection Supervisor
Mission Statement of the Data Protection Officer:
The Data Protection Officer ensures the application of the principles of data protection in an independent manner for activities that involve personal data processing by the European External Action Service and the Union Delegations. The EEAS is a European public service that is committed to applying diligent data protection rules in the activities at all levels, both in Headquarters and in the Delegations.
The DPO provides guidance for data controllers to respect data protection obligations and to inform individuals about their rights with respect to the Regulation (EU) 2018/1725 and how the EEAS is processing their personal data.
The EEAS DPO is in charge of supporting and advising all services in Headquarters as well as EU Delegations - the data controllers processing personal data - to comply with the data protection provisions in accordance with Regulation (EU) 2018/1725. When helping to implement the data protection requirements laid down in the pertinent legislation, the DPO takes into account the specific needs of EEAS services, and of EU Delegations.
The objective of the DPO, when providing guidance to data controllers, is to facilitate free movement of information while ensuring the protection of personal data within the EEAS and the legitimate expectation of data subjects that their right to privacy is respected.
The EEAS appoints Data Protection Coordinators and Correspondents (DPC) in the various directorates and divisions of the EEAS Headquarters and in the Union Delegations.
The Data Protection Office comprises and coordinates:
- Data Protection Officer (DPO)
- Data Protection Compliance Coordinator
- DPC Network of data protection coordinators in Headquarters
- DPC Network of data protection correspondents in EU Delegations
EEAS Data Protection Officer (DPO)
You are welcome to contact the EEAS Data Protection Officer via DATA-PROTECTION@eeas.europa.eu
EEAS Data Protection Officer (DPO)
EEAS Building, 9A Rond-Point Schuman
+32 584 6235