Navigation path

Privacy statement

  1. Introduction
  2. Why do we process your personal data?
  3. Which personal data do we collect and process?
  4. How long do we keep your personal data?
  5. How do we protect your personal data?
  6. Who has access to your personal data and to whom are they disclosed?
  7. What are your rights and how can you exercise them?
  8. Contact information
  9. Where to find information that is more detailed?
  1. Introduction

  2. This privacy statement explains the reason for the processing, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you may exercise in relation to your personal data (the right to access, rectify, block etc.).

    The European institutions are committed to protecting and respecting your privacy. The European Commission, when handling requests for access to documents lodged under Regulation (EC) No 1049/2001, collects and further processes personal data, via the GestDem IT application, which is an internal (European Commission) application established specifically for the handling of applications for access to documents under Regulation (EC) No 1049/2001 by staff responsible for this task in the European Commission Directorates-General and services.

    Consequently, Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, is applicable.

    This statement concerns the handling of initial and confirmatory requests for access to documents lodged under Regulation (EC) No 1049/2001 (notification DPO-1225), undertaken by the unit ‘Transparency, Document Management & Access to Documents’ in the Secretariat-General and by the units competent for dealing with initial requests for access to documents in other Commission departments.

  3. Why do we process your personal data?

  4. The purpose of the processing operation: the unit ‘Transparency, Document Management & Access to Documents’ in the Secretariat-General (referred to hereafter as ‘Data Controller’) and the units, competent for access to documents, in other Commission departments collect and further process your personal data in order to manage requests for access to documents pursuant to Regulation (EC) No 1049/2001 and to prepare corresponding statistics.

    The legal basis for the processing of your personal data is Article 5(1)(a) of Regulation (EU) 2018/1725. The processing is necessary for the performance of a task carried out in the public interest based on Article 15(3) of the Treaty on the Functioning of the European Union and Regulation (EC) No 1049/2001 adopted on the basis thereof.

  5. Which personal data do we collect and process?

  6. The personal data collected and further processed are:

    1. Personal data, provided by the applicant via the online form:
      • Compulsory data: Name, specific contact details (e-mail and postal address, country of residence), subject of the request (it may contain personal data in case it relates to an identified or identifiable natural person);
      • Non-compulsory data: other contact details (telephone and telefax numbers), category and organisation;
    2. Personal data, which the applicant provided in his/her application, submitted in another electronic or paper format;
    3. Personal data contained in the documents requested if released under Regulation (EC) No 1049/2001, as well as in the reply to the application and in related correspondence with the applicant.
  7. How long do we keep your personal data?

  8. The Commission only keeps the personal data for the time necessary to fulfil the purpose of collection or further processing, i.e. no longer than five years after the closure of a case-file.

    At the initial stage, a file is considered closed after the initial decision of the Commission has become final (i.e. there was no confirmatory application), unless follow-up is required by an enquiry of the European Ombudsman. In such case, a file is considered closed if the European Ombudsman has closed its enquiry in relation to the complaint without any need for further action on the part of the Commission with regard to the application for access to documents.

    At the confirmatory stage, a file is considered closed after the confirmatory decision of the Commission has become final, namely:

    • the deadline for bringing proceedings before the EU Court has elapsed; or
    • the EU Court confirmed the confirmatory decision; or
    • the European Commission completed the follow-up requested by the EU Court in its Judgment.

    A file is not considered closed despite the confirmatory decision being final in case of an enquiry of the European Ombudsman requiring follow-up. In such case, a file is considered closed if the latter has closed its enquiry in relation to the complaint without any need for further action on the part of the Commission with regard to the application for access to documents.

    This ‘administrative retention period’ of five years is based on the retention policy of Commission documents and files (and the personal data contained in them), governed by the common Commission-level retention list for European Commission files SEC(2012)713. It is a regulatory document in the form of a retention schedule that establishes the retention periods for different types of Commission files. That list has been notified to the European Data Protection Supervisor.

    The ‘administrative retention period’ is the period during which the Commission departments are required to keep a file depending on its usefulness for administrative purposes and the relevant statutory and legal obligations. This period begins to run from the time when the file is closed.

    In accordance with the common Commission-level retention list, after the ‘administrative retention period’, files concerning requests for access to documents (and the personal data contained in them) can be transferred to the Historical Archives of the European Commission for historical purposes (for the processing operations concerning the Historical Archives, please see notification DPO-1530.5 ARES-NOMCOM. ARES (Advanced Records System) et NOMCOM (Nomenclature Commune)).

  9. How do we protect your personal data?

  10. All data in electronic format (e-mails, documents, uploaded batches of data etc.) are stored either on the servers of the European Commission or of its contractors. Their operations abide by the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.

    The Commission’s contractors are bound by a specific contractual clause for any processing operations of your personal data on behalf of the Commission, and by the confidentiality obligations deriving from the General Data Protection Regulation.

  11. Who has access to your personal data and to whom are they disclosed?

  12. Access to your personal data is provided to authorised staff of the European Commission according to the ‘need to know’ principle. Such staff abide by statutory, and when required, additional confidentiality agreements.

    The information we collect will not be given to any third party, except to the extent and for the purpose we may be required to do so by law.

  13. What are your rights and how can you exercise them?

  14. Pursuant to Regulation (EU) No 2018/1725, you are entitled to access your personal data and to rectify them in case the data are inaccurate or incomplete. You have the rights to (if applicable) request restriction of processing or erasure ('right to be forgotten'), to data portability and to object to the processing of your personal data.

    You can exercise your rights by contacting the data controller, or in case of conflict the Data Protection Officer and if necessary the European Data Protection Supervisor using the contact information given at point 8 below.

    A request for the erasure of personal data (in case you are an applicant for access to documents), or objection to the processing of your personal data, while your application for access to documents is being handled by the European Commission, means that you renounce your application for access to documents as the European Commission will not be in a position to handle and/or reply to your application for access to documents.

    The authorised staff of the European Commission handling requests for access to documents will address any request for access to personal data as soon as the Data Controller receives the request, and at the latest one month after receipt of the request. Any other request mentioned above will be addressed within 15 working days.

  15. Contact information

  16. If you have comments or questions, any concerns or a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller using the following contact information:

    The Data Controller:

    • Secretariat-General
    • Unit C.1 – Transparency, Document Management & Access to Documents
    • E-mail: Sg-acc-doc@ec.europa.eu

    The Data Protection Officer (DPO) of the Commission: DATA-PROTECTION-OFFICER@ec.europa.eu.

    The European Data Protection Supervisor (EDPS): edps@edps.europa.eu.

  17. Where to find information that is more detailed?

  18. The Commission Data Protection Officer publishes the register of all operations processing personal data. You can access the register at the following link: http://ec.europa.eu/dpo-register.

    This specific processing has been notified to the DPO with the following reference: DPO-1225.

    Relevant legal documents: