This privacy statement explains the reason for the processing, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you may exercise in relation to your personal data (the right to access, rectify, block etc.).
The European institutions are committed to protecting and respecting your privacy. The European Commission, when handling requests for access to documents lodged under Regulation (EC) No 1049/2001, collects and further processes personal data, via the GestDem IT application, which is an internal (European Commission) application established specifically for the handling of applications for access to documents under Regulation (EC) No 1049/2001 by staff responsible for this task in the European Commission Directorates-General and services.
Consequently, Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, is applicable.
This statement concerns the handling of initial and confirmatory requests for access to documents lodged under Regulation (EC) No 1049/2001 (notification DPO-1225), undertaken by the unit ‘Transparency, Document Management & Access to Documents’ in the Secretariat-General and by the units competent for dealing with initial requests for access to documents in other Commission departments.
The purpose of the processing operation: the unit ‘Transparency, Document Management & Access to Documents’ in the Secretariat-General (referred to hereafter as ‘Data Controller’) and the units, competent for access to documents, in other Commission departments collect and further process your personal data in order to manage requests for access to documents pursuant to Regulation (EC) No 1049/2001 and to prepare corresponding statistics.
The legal basis for the processing of your personal data is Article 5(1)(a) of Regulation (EU) 2018/1725. The processing is necessary for the performance of a task carried out in the public interest based on Article 15(3) of the Treaty on the Functioning of the European Union and Regulation (EC) No 1049/2001 adopted on the basis thereof.
The personal data collected and further processed are:
The Commission only keeps the personal data for the time necessary to fulfil the purpose of collection or further processing, i.e. no longer than five years after the closure of a case-file.
At the initial stage, a file is considered closed after the initial decision of the Commission has become final (i.e. there was no confirmatory application), unless follow-up is required by an enquiry of the European Ombudsman. In such case, a file is considered closed if the European Ombudsman has closed its enquiry in relation to the complaint without any need for further action on the part of the Commission with regard to the application for access to documents.
At the confirmatory stage, a file is considered closed after the confirmatory decision of the Commission has become final, namely:
A file is not considered closed despite the confirmatory decision being final in case of an enquiry of the European Ombudsman requiring follow-up. In such case, a file is considered closed if the latter has closed its enquiry in relation to the complaint without any need for further action on the part of the Commission with regard to the application for access to documents.
This ‘administrative retention period’ of five years is based on the retention policy of Commission documents and files (and the personal data contained in them), governed by the common Commission-level retention list for European Commission files SEC(2012)713. It is a regulatory document in the form of a retention schedule that establishes the retention periods for different types of Commission files. That list has been notified to the European Data Protection Supervisor.
The ‘administrative retention period’ is the period during which the Commission departments are required to keep a file depending on its usefulness for administrative purposes and the relevant statutory and legal obligations. This period begins to run from the time when the file is closed.
In accordance with the common Commission-level retention list, after the ‘administrative retention period’, files concerning requests for access to documents (and the personal data contained in them) can be transferred to the Historical Archives of the European Commission for historical purposes (for the processing operations concerning the Historical Archives, please see notification DPO-1530.5 ARES-NOMCOM. ARES (Advanced Records System) et NOMCOM (Nomenclature Commune)).
All data in electronic format (e-mails, documents, uploaded batches of data etc.) are stored either on the servers of the European Commission or of its contractors. Their operations abide by the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.
The Commission’s contractors are bound by a specific contractual clause for any processing operations of your personal data on behalf of the Commission, and by the confidentiality obligations deriving from the General Data Protection Regulation.
Access to your personal data is provided to authorised staff of the European Commission according to the ‘need to know’ principle. Such staff abide by statutory, and when required, additional confidentiality agreements.
The information we collect will not be given to any third party, except to the extent and for the purpose we may be required to do so by law.
Pursuant to Regulation (EU) No 2018/1725, you are entitled to access your personal data and to rectify them in case the data are inaccurate or incomplete. You have the rights to (if applicable) request restriction of processing or erasure ('right to be forgotten'), to data portability and to object to the processing of your personal data.
You can exercise your rights by contacting the data controller, or in case of conflict the Data Protection Officer and if necessary the European Data Protection Supervisor using the contact information given at point 8 below.
A request for the erasure of personal data (in case you are an applicant for access to documents), or objection to the processing of your personal data, while your application for access to documents is being handled by the European Commission, means that you renounce your application for access to documents as the European Commission will not be in a position to handle and/or reply to your application for access to documents.
The authorised staff of the European Commission handling requests for access to documents will address any request for access to personal data as soon as the Data Controller receives the request, and at the latest one month after receipt of the request. Any other request mentioned above will be addressed within 15 working days.
If you have comments or questions, any concerns or a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller using the following contact information:
The Data Controller:
The Data Protection Officer (DPO) of the Commission: DATA-PROTECTION-OFFICER@ec.europa.eu.
The European Data Protection Supervisor (EDPS): firstname.lastname@example.org.
The Commission Data Protection Officer publishes the register of all operations processing personal data. You can access the register at the following link: http://ec.europa.eu/dpo-register.
This specific processing has been notified to the DPO with the following reference: DPO-1225.
Relevant legal documents: