PROTECTION OF YOUR PERSONAL DATA
2. Why and how do we process your personal data?
- To authenticate you as an authorised user and therefore grant you access to your cases (disputes/complaints/drafts) on the ODR platform through your personal dashboard;
- If you have purchased a good or service online, to complain to and access an alternative dispute resolution body registered on the ODR platform as established by the Regulation (EU) No. 524/2013 on online dispute resolution for consumer disputes.
3. On what legal ground(s) do we process your personal data
4. Which personal data do we collect and further process?
- Your name and first name;
- Your e-mail address;
- The languages that you speak.
- Your name and first name;
- Your contact details: e-mail address, phone number and geographic address (street, street number, postal code, country);
- Language in which you would like to receive the notifications from the ODR platform. These notifications are messages that alert you when there was some progress related to your disputes, such as response from a trader or a closure of the case.
5. How long do we keep your personal data?
6. How do we protect and safeguard your personal data?
7. Who has access to your personal data and to whom is it disclosed?
8. What are your rights and how can you exercise them?
9. Contact information
- The Data Controller
- The Data Protection Officer (DPO) of the Commission
- The European Data Protection Supervisor (EDPS)
10. Where to find more detailed information?
The European Commission (hereafter ‘the Commission’) is committed to protect your personal data and to respect your privacy. The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (repealing Regulation (EC) No 45/2001).
This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor.
This statement is addressed to you if you are a consumer or a consumer representative and you or the consumer you represent fill out a complaint form on the ODR platform. A separate privacy statement for the traders registered on the platform and their representatives is available as well.
The information in relation to processing operation “ODR Platform: Online Dispute Resolution” on the European Online Dispute Resolution Platform for the resolution of consumer disputes related to online purchases undertaken by Unit E3 “Consumer Enforcement and Redress” of the Directorate-General Justice and Consumers is presented below.
Purpose of the processing operation: The Unit E3 “Consumer Enforcement and Redress” within the Consumer Directorate of the Directorate General for Justice and Consumers collects and uses your personal information for two reasons:
Your personal data will not be used for an automated decision-making including profiling.
We process your personal data, because processing is necessary for compliance with a legal obligation to which the controller is subject under the Regulation (EU) No. 524/2013 on online dispute resolution for consumers disputes.
The dispute resolution procedure on the platform is an example of "joint controllership", where the responsibility for ensuring data protection is allocated between the Commission, the ADR entities and ODR advisors as clarified in Article 12 of the ODR Regulation. Where ADR entities and ODR contact points decide to keep some data related to disputes handled on the platform in national files outside of the ODR platform, the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data on the free movement of such data (GDPR) will apply, if such processing takes place outside the platform.
In order to carry out this processing operation, the European Commission collects the following categories of personal data:
This data is processed when you create your account to register on the ODR platform. It is collected and stored in EU Login, which is the authentication system developed by the European Commission for its different IT-systems, including the ODR platform.
When you decide to submit your case to the ODR platform, you are asked to complete an electronic complaint form. The data in this complaint form will be processed directly on the ODR platform. It will be communicated to the respondent party (the trader), and, if you both agree, to an alternative dispute resolution body selected to resolve your dispute.
The personal data collected through the electronic complaint form is determined by Regulation (EU) No 524/2013 on online dispute resolution of consumer disputes:
Personal data may also be contained in the documents that you may decide to attach to your complaint or that you may be invited to provide by the dispute resolution body during the dispute resolution procedure. There may also be personal data in the documents that are provided by the other party of the dispute.
The provision of personal data is mandatory to meet a statutory requirement under Regulation (EU) No 524/2013. If you do not provide your personal data, you will not be able to submit your complaint.
In some countries a trader is allowed to use an alternative dispute resolution body to complain against a consumer. If the national legislation of your country allows such a complaint, the ODR platform will also process, your personal data that the trader has encoded in a complaint form when it complained against you. You will be notified of a complaint against you and will have access to your personal data encoded by the trader on the ODR platform.
The Directorate General for Justice and Consumers only keeps your personal data for the time necessary to fulfil the purpose of collection or further processing, namely as long as your case remains open on the platform, and six months after the closure of your case. Following that period, your data will be automatically deleted by the system.
Your case is closed if you or the trader decide to discontinue the procedure on the platform at any time, if you reached an outcome by the dispute resolution body, or if the dispute resolution body could not accept your complaint.
Your case may also be automatically closed by the system if you submitted a complaint, but it was not possible to agree with the trader on the alternative dispute resolution body within 30 days.
You can save your complaint as a draft. You may choose to share this draft with the trader to try to find the solution bilaterally (direct talks). If you do not share the draft and do not submit a complaint, your draft will be automatically deleted by the system six months after you created it. If you share the draft, the system will give you 90 days to reach a solution, and will delete your data six months after this period, or six months after you have reached the solution, whichever is the earliest.
For the data processed in EU Login, the authentication system used for your registration on the platform, please refer to the EU Login privacy statement:
If you start using the platform and fill in a complaint form as a guest, without creating an EU Login, the system will generate a link and e-mail it to you, so you could access your complaint form. This link is protected by a one-click token, meaning that it can only be used once, but you can always request a new link. Please note that, once the trader responds, you will need to create a EU Login in order to progress on your case.
All personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are stored on the servers of the European Commission All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.
In order to protect your personal data, the Commission has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.
Please note that a dispute resolution body that handles your dispute or a national contact point you ask for assistance may decide to keep the data related to your dispute outside the ODR platform. In this case, the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDRP) will apply. You can always find the contact details of the alternative dispute resolution bodies and the ODR contact points on the ODR platform.
Access to your personal data is provided to the Commission staff responsible for carrying out this processing operation and to authorised staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements. The Commission is only allowed to access this data to monitor the functioning and performance of the ODR platform.
The trader registered on the ODR platform will only have access to your name and contact data you indicated in the complaint form, if you submitted a case against this trader (or in the draft complaint form, if you decided to share this draft with the trader to try and find the solution bilaterally).
The national contact point will only have access to your contact data if you or the trader you have a dispute with asked for the assistance on a particular case (and only to the data you encoded in this particular case).
The alternative dispute resolution entity will only have access to the data in the case this dispute resolution body is handling, following an agreement between a trader and yourself.
You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access your personal data and to rectify them in case your personal data are inaccurate or incomplete. Where applicable, you have the right to erase your personal data, to restrict the processing of your personal data, to object to the processing, and the right to data portability.
You can exercise your rights by contacting the Data Controller, or in case of conflict the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.
Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under Heading 10 below) in your request.
If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller:
Unit E3 “Consumer Enforcement and Redress”, Consumer Directorate, Directorate-General Justice and Consumers
If your dispute has reached the alternative dispute resolution body, and you have a request on the data in your dispute file that you cannot change on the platform, please address the dispute resolution body directly.
You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.
You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor (firstname.lastname@example.org) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.
The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him. You may access the register via the following link: http://ec.europa.eu/dpo-register.
This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-01407