DPO-3036.8 DG DEVCO Meetings/ Workshops/ Information day/ Events/Seminars/ including Experts meetings, Lists and Mailing-Lists
DG International Cooperation and Development
1. Name of the processing
DG DEVCO Meetings/ Workshops/ Information day/ Events/Seminars/ including Experts meetings, Lists and Mailing-Lists
The coordination, organization and management of meetings, workshops, info days, events, seminars, etc... (called "meetings") by the DG.
- to send e-mails, invitation letters; collect names, postal/e-mail addresses, phone/fax numbers, by electronic/manual means; publish participants lists and distribute it to participants and organizers;
- to publish minutes/reports/notices/proceedings/news, photographs/pictures, live webstreaming and/or audio and video recording of speakers and participants, presentations of speakers, including on internet/intranet, in the context of the meetings and in the framework of European Commission activities;
- to collect and manage lists and mailing-lists for meetings, news and publications;
Four different ways to manage the meetings are taken into consideration in this notification and within the model privacy statement:
- Meeting organised by DG staff internally (including or not reimbursement of travel expenses & payment of daily allowances)
- Meeting organised by DG staff by using the SCIC services
- Meeting organised by both DG staff and an external company
- Meeting of DG Expert Groups (formal or informal Groups which are part of the SecGen Registry publicly available on Europa).
The Comitology meetings, under the responsibility of the SG, are covered by the corporate notification DPO-2456
4. Automated / Manual operations
Filing system (on paper) in the DG in ad hoc files within Unit(s) organising each "meeting".
Collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, evaluation, use, disclosure by transmission, dissemination or otherwise making available, including on the internet/intranet, alignment or combination, blocking, erasure or destruction.
Where needed, list of participants (including name/surname/personnel n° or identity/passport n°/date of birth) is sent by e-mail to the Security Office of the Commission for access control purposes by security guards to Commission's premises (under the responsibility of DG ADMIN/DS -see Notification DPO-508)
Where needed, personal data of experts/observers are published in the Register of Expert Groups (http://ec.europa.eu/secretariat_general/regexp/) for as long as the membership upholds and/or until removal from the public site is requested, in view of the transparency policy of the European Institutions and the need to inform the public of the identity and qualifications of the experts advising the Institution. This Register is under the responsibility of SecGen - see Notification DPO-2194).
Where needed, personal data are collected by an external company to build a network of researchers in the development domain. These data will be stored in a data-base. Afterwards, this DB will be filled, on a volontary basis, by researchers wanting to join this network/community. In the future, for maintenance purpose, the data subjects will be asked by DG DEVCO to check and/or update their records on a regular basis.
Where needed, personal data are collected for financial and contractual relations and processed through the IT systems under the responsibility of DG BUDG (see Notification DPO-372 & DPO-300).
Where needed or requested, post-editing of raw recordings of sound and images may be done.
Paper; Electronic data bases, Excel spreadsheets, photographs/pictures, audio and video supports on electronic databases and repositories stored on internal or external servers.
In addition, if it is envisaged that images of participants will be recorded or published, the possibility to opt-out needs to be offered. In these cases, and according to available resources, the organizer could offer those participants an alternative room where to follow meeting and debates by means of live webstreaming displayed on a screen. Clear indication and information to hostesses will be provided for to correctly guide participants.
In case of unavailable resources, those participants can locally follow live meeting and debates at the webstreaming Internet address indicated on the subscription form by the organizer.
The publication of internal events images is covered at DG level by the Model-notifications "Intranet" .
As processing of lists and mailing-lists is almost equivalent than for meetings, it is covered by this notification.
Purpose & legal basis
Organisation and management of meetings with or without outside participants, including management of:
lists for contacts, invitations, participants, presentations, photographs/pictures, live webstreaming and/or audio and video recording, reporting, distribution of reports, feedback on reports, meeting follow-up or evaluation, follow-up meetings, follow-up actions, lists and mailing-lists for invitation, news and publication, including on intranet/internet.
8. Legal basis / Lawfulness
The processing operations on personal data linked to the organisation and management of meetings/workshops/events/etc. is necessary for the management and functioning of the Commission, as mandated by the treaties, and more specifically articles 5, 7 and 211 - 219 of the EC Treaty.
The processing operations on personal data for the organisation and management of Meetings/ workshops/ information days/ events/ seminars with or without outside participants are necessary and lawful under article 5 (a) of Regulation (EC) 45/2001.
Articles 20 "Exemptions and restrictions" and 27 "Prior checking (by the EDPS)" are not applicable.
Data subjects / fields
9. Data subjects
All the persons invited and participating to the "meeting" are subject to this notification.
10. Data fields
Only data necessary for the organisation and management of the meeting, such as Gender (needed for the right title)/ name/surname/profession/ postal & e-mail addresses/phone number/fax number...
Live webstreaming and/or audio and video recording of speakers and participants, presentations of speakers could be published in the context of the meeting (in this case, an opt-out is provided for in the on-line registration form as explained in Model privacy statement attached to Question 11).
For access control purpose by security guards to the Commission's premises (under responsibility of DG ADMIN/DS -see Notification DPO-508): identity/passort n°/date of birth
For purpose of reimbursement of travel expenses/allowances: information about the form of transport use & hotel, and banking information (under the responsibility of DG BUDG - see Notification DPO-372 & DPO-300).
No data fields which fall under article 10.
Rights of D.S.
The attached Model Privacy Statements will be adapted as appropriate related to the meeting:
1. PS for on-line registration
2. PS (short version) to be used for invitations by letter or e-mail of meetings
3. The attached model Note to be adressed by the Controller to all Directors/Head of Units describe the objectives and the scope of this notification covering all these activities of the DG.
It explains how to take a profit of this unique notification by only adapting the provided Model Privacy Statements for any meeting organized by a Unit. It reminds the main principles to comply with Regulation 45/2001 when processing personal data.
4. PS for contact lists
5. PS for personal data stored into a data base, managed by an external company and stored on an external site. This privacy statement will be sent to data subjects when asking them either to be included into the database during the building phase of the DB or them to check/update their personal data in the future.
12. Procedure to grant rights
Personal data is kept as long as follow-up actions to the meeting are necessary with the regard to the purpose(s) of the processing of personal data as well as for the meeting and its related management. All personal data will be deleted from databases 1 year after the last action in relation to the meeting. Reports containing personal data will be archived according to the Commission's legal framework.
Nevertheless, where needed, after this delay, personal data will be part of a list of contact details shared internally amongst the European Commission services for the purpose of contacting data subjects in the future in the context of the Commission's activities. If data subjects do not agree with this, they may contact the Controller by using the Contact Information as mentioned in the Privacy statement.
The Privacy statement informing data subjects that they may contact the Controller if they do not wish to be part of the list of contacts anymore, will be published each time when organising "meetings" and collecting personal data.
14. Time limit
The organizer assesses the arguments of the data subject as soon as the DG staff organising the meeting reads an e-mail message requesting blocking/erasing data for legitimate reasons.
At the latest 3 working days after the reception of the e-mail, the request is answered respectively executed.
15. Historical purposes
For communication and educational purposes of interpreters, some recordings of webcasts could be used longer by the SCIC services for a limited number of persons.
This processing is described in a specific notification to the DPO.
Participants of the meetings and a wider public if it is provided that personal data are published on Internet, without prejudice to a possible transmission to the bodies in charge of a monitoring or inspection task in accordance with Community legislation.
For transparency purpose, personal data of experts/observers which are members of a Commission's Experts Group are published on Europa in the Register of Expert Groups (http://ec.europa.eu/secretariat_general/regexp/) for as long as the membership upholds and/or until removal from the public site is requested. This Register is under the responsibility of SecGen (see Notification DPO-2194).
For communication and educational purposes of interpreters, some recordings of webcasts could be used by the SCIC services. This processing is described in a specific notification to the DPO.
Participants, citizens, inspection staff, interpreters
If personal data are published on a publicly available website (e.g. Europa), this means that they are accessible worldwide. Following the opinion of the EDPS, this does not constitute a transfer of personal data under art. 9 of Regulation 45/2001.
Anyhow, in these cases, the participants have to be aware of such a publication and the opportunity has to be given to them to opt-out on legitimate grounds which are assessed by the organizer.
Therefore the specific privacy statement attached to question 15 provides for the possibility of opting out.
If a report including the presence list is shared between participants and organisations represented in the meeting, in order to keep the network of the participants operational, and as it is a Commission document, it underlies also Regulation (EC) 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents.