The European Commission is committed to protect your personal data and to respect your privacy. The European Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (repealing Regulation (EC) No 45/2001).
This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor.
This privacy statement concerns the processing of personal data by the European Commission when handling initial and confirmatory requests for access to documents lodged under Regulation (EC) No 1049/2001, undertaken by the unit ‘Transparency, Document Management & Access to Documents’ in the Secretariat-General (corporate Data Controller on behalf of the European Commission) and by the units responsible for dealing with initial requests for access to documents in the competent Commission department or service (de facto Data Controller on behalf of the European Commission).
2. Why and how do we process your personal data?
The European Commission collects and uses your personal data in order to handle requests for access to documents lodged under Regulation (EC) No 1049/2001 within the prescribed legal deadlines and to establish an annual statistical report as required by Article 17(1) of the latter regulation. Furthermore, certain processing of personal data contained in the documents to be disclosed is necessary to provide public access to a register of documents, as required by Article 11 of the latter regulation. The personal data may be processed for the purpose of following up on an inquiry by the European Ombudsman, the European Court of Auditors or in case of EU Court of Justice court proceedings.
Your personal data will not be used for an automated decision-making including profiling.
You can submit your requests for access to documents of the European Commission in two ways, which will have an impact on the way we process your personal data.
2.1. Submitting the requests via the online portal
The European Commission ‘Request a Commission document’ online portal ‘(hereafter: ‘the portal’) allows you to submit requests for access to documents of the European Commission under Regulation (EC) No 1049/2001.
In order to submit a request via this portal, it is necessary to have an ‘EU Login’ account, which is an authentication service for a wide range of European Commission information systems and services.
If the applicant already has an EU login account, they can log in with existing credentials. If the applicant does not have an EU login account, they will be prompted to create it when clicking on ‘Submit a request’ or ‘Create an account’ button on the home page of the portal.
When creating the EU login account the applicant indicates their name, surname and e-mail address. The applicant manages name and surname via the EU login account. For further information on the processing of your personal data specific to ‘EU Login’, please refer to the privacy notice of ‘EU Login’ and the corresponding processing operation ‘Identity & Access Management Service (IAMS)' (reference number in the public DPO register: DPR-EC-03187).
When the user logs in with their EU login account on the portal for the first time, the portal automatically creates a linked account (hereafter: ‘access-to-document account’). The access-to-document account reuses the name, surname and e-mail address from EU login account but allows the applicant to add and manage additional personal data such as the profile of the applicant, phone number, postal address, country, legal representative and organisation. The applicant manages these data via the access-to-document account management space (available when clicking on ‘Logged in’ button on the top of any page on the portal).
Modifications done in EU Login account concerning name and surname are automatically reflected on the access-to-document account.
2.1.1. Submitting initial requests via the portal
When submitting the first initial request via the portal, in addition to name, surname and e-mail address (linked to the EU login account), the applicant is requested to indicate their country of residence, unless they already specified it in their access-to-document account. This is required because under the Data Protection Regulation (EU) 2018/1725, different sets of obligations apply whether the personal data contained in the document requested are transmitted to an applicant residing in an EU/EEA country or not. The applicant can modify this information at any moment on the access-to-document account management page on the portal.
The applicant does not need to indicate the postal address when submitting the request via the portal since the Commission sends its reply electronically via the portal (accessible under ‘Reply to initial request’ tab), with all the necessary legal guarantees concerning the date of notification of the reply.
The postal address is required if the applicant explicitly requests to receive the reply to an initial request not only electronically via the portal but also via post (i.e. in paper form).
2.1.2. Submitting confirmatory requests for initial requests submitted via the online portal
The applicant can ask for a review of the Commission reply to the initial request by submitting a confirmatory request for access to documents, in accordance with Article 7(2) of Regulation (EC) No 1049/2001.
For initial requests submitted via the portal, the applicant can do this either:
a) via the ‘Ask for a review’ button on the relevant request page on the portal;
b) via e-mail or mail. E-mail and postal address to which the applicant can send a confirmatory request are indicated in the Commission reply to the initial request.
In both cases, the applicant does not need to indicate their postal address since the Commission sends the reply to the confirmatory request electronically via the portal (under the tab ‘Reply to confirmatory request), with all the legal guarantees as of the date of notification of the reply.
If the applicant explicitly requests to receive the reply to confirmatory request not only electronically via the portal but also by post (i.e. in paper form) they need to provide their postal address otherwise the reply will only be sent electronically.
If the applicant explicitly requests that they do not wish to receive the reply to the confirmatory request via portal but only via other means, the postal address is required and the Commission does not start handling the confirmatory request until it is provided.
2.2. Submitting the request via e-mail or mail
If the applicant submits the request via e-mail or mail they need to indicate their name, surname, e-mail address (only for requests sent via e-mail) and postal address. If the applicant does not indicate their postal address, the Commission will not start handling the request. The postal request is required for a number of reasons:
- Firstly, to obtain legal certainty as regards the date you received the Commission reply to your request which may include sending the reply via post or other means that provide the necessary legal guarantees regarding the date of notification of the reply.
- Secondly, to know whether you are resident in the EU/EEA, and, if not, in which third country you are residing, so that data protection rules are correctly applied to any personal data that may be contained in documents to which you request access. The Data Protection Regulation (EU) 2018/1725 provides for different rules depending on whether the recipient of personal data is established in the EU/EEA or elsewhere. As the vast majority of the documents requested contain personal data, the European Commission cannot ensure the correct application of the data protection rules without knowing the postal address;
- Thirdly, to apply correctly Regulation (EC) No 1049/2001. Article 4(1)(b) of that Regulation refers to the protection of the privacy and integrity of the individual and has to be applied in line with the Data Protection Regulation;
For requests submitted in this way, the Commission will send the reply to an initial request in a manner that guarantees legal certainty concerning the date of notification of the reply (e.g. by post).
If the request was submitted via e-mail or mail, the applicant can submit the confirmatory request in accordance with Article 7(2) of Regulation (EC) No 1049/2001 via e-mail or mail. The e-mail and postal address to which the confirmatory request can be sent are indicated in the Commission reply to the initial request.
The Commission will send the reply to a confirmatory request in a manner that guarantees legal certainty as of the date of notification of the reply (e.g. by post).
3. On what legal ground(s) do we process your personal data?
The European Commission processes your personal data, because:
- processing is necessary for the performance of a task carried out in the public interest (Article 5(1)(a) of Regulation (EU) 2018/1725); and
- processing is necessary for compliance with a legal obligation to which the European Commission is subject (Article 5(1)(b) of Regulation (EU) 2018/1725).
Furthermore, the processing of non-compulsory personal data you provide in your request for access to documents (see section 4 below) or in the portal is based on your consent (Article 5(1)(d) of Regulation (EU) 2018/1725).
The processing pursuant to Articles 5(1)(a) and (b) needs to be based on Union law, namely Article 15(3) of the Treaty on the Functioning of the European Union and Regulation (EC) No 1049/2001.
4. Which personal data do we collect and process?
The personal data collected and further processed are:
a) Personal data provided by the applicant when submitting the request:
i. Mandatory personal data:
- name and surname
- e-mail (for requests submitted via portal or e-mail)
- country of residence (for requests submitted via portal, see 2.1.)
- postal address (for request submitted via e-mail or mail, see 2.2.
ii. Optional personal data: phone number, postal address (only for requests submitted via portal see 2.1.), organisation, legal representative, profile of the applicant.
b) Personal data of the applicant and other individuals contained in the request, as well as in any other correspondence exchanged between the applicant and Commission (reply to the request, deadline extension letter, clarification request etc.)
c) Personal data contained in the documents requested if released under Regulation (EC) No 1049/2001
d) ) contact data of third-party representatives for third-party consultations
e) When there are reasonable doubts concerning the identity of the natural person making the request, the European Commission may ask the applicant to provide a copy of an identification document (for example, a passport or identity card) in order to verify his/her identity, in the following exceptional circumstances:
- where the documents concerned by the request contain the applicant’s own personal data and the applicant is granted individual access to such documents;
- where there are legitimate reasons to consider that the right to access stemming from Regulation (EC) No 1049/2001 is being abused by that particular applicant.
The identification document should contain the applicant’s name and, if applicable, his/her postal address, while any other data such as a photograph or any personal characteristics may be blacked out.
5. How long do we keep your personal data?
The European Commission only keeps your personal data for the time necessary to fulfil the purpose of collection or further processing, as set out below.
5.1. Personal data contained in documents, files and related metadata stored in HAN
All documents/correspondence (hereafter ‘documents’) exchanged between the Commission and the applicant, independently of the manner in which the applicant submits the requests, is registered in the Commission’s corporate document management system Hermes-Ares-NomCom (herafter ‘HAN’). This includes, for example, the initial request, acknowledgment of receipt, deadline extension letter, Commission reply to the initial request or closing letter, confirmatory request etc. HAN stores:
- Documents (including personal data). Documents related to the same case are grouped in the same folder called a ‘file’;
- Mandatory metadata accompanying documents and files (such as the author, addressee, title of the document/correspondence etc).
5.1.1. Document and files
As mentioned above, files are folders grouping documents related to the same case. The ‘administrative retention period’ is the period during which the European Commission departments are required to keep a file depending on its usefulness for administrative purposes and the relevant statutory and legal obligations. This period begins to run from the time when the file is closed.
At the initial stage, a file is considered closed when the Commission sends the reply to the initial request or a closing letter to the applicant, unless the applicant has submitted a confirmatory application within 15 working days after the notification of the reply to the initial request (in such case, see confirmatory stage below).
At the confirmatory stage, a file is considered closed when the Commission notifies the reply to the confirmatory request or a closing letter to the applicant. If the applicant brought an action for annulment before the EU Court of Justice or submitted a complaint with the Ombudsman, the file is reopened. In that case, the confirmatory file is definitively closed either when:
- the EU Court upholds the confirmatory decision; or
- the Ombudsman closed the inquiry in relation of the complaint without any need for further action on the side of the Commission, or
- the European Commission completes the follow-up requested by the EU Court in its judgment or the Ombudsman
This ‘administrative retention period’ of five years is based on the retention policy for European Commission files (and documents and the personal data contained in them), governed by the common Commission-level retention list for European Commission files SEC(2019)900. It is a regulatory document in the form of a retention schedule that establishes the retention periods for different types of European Commission files. That list has been notified to the European Data Protection Supervisor.
Under the current practice, for reasons of document management and for archiving purposes in the public interest, after the five-years ‘administrative retention period’ expires, the initial and confirmatory files (and the personal data contained in them) are transferred to the Historical Archives of the European Commission for historical purposes. For further information regarding the processing for the European Commission’s Historical Archives, please refer to the processing operation 'Management and long-term preservation of the European Commission's Archives’ (registered in the public DPO register under reference number DPR-EC-00837).
5.1.2. Metadata accompanying documents and files
Personal data in mandatory metadata in relation to any document stored in HAN are kept indefinitely. For further information on processing specific to the Commission’s document management system please refer to the processing operation ‘Management and (short- and medium-term) preservation of Commission documents` (reference number in the public DPO register: DPR-EC-00536).
5.3. Applicant’s personal data in the EU login account and access-to-document account
The EU login account and access to document account (see section 2.1.) stay active unless deleted by the applicant. In order to see what happens when you delete your account, see section 8.2.
5.2. Applicant’s personal data in the EASE IT System
IT system ‘Electronic Access to European Commission Documents’ (hereafter ‘EASE’) is used for handling requests for access to Commission documents. Apart from the case-related information (e.g. deadline, language of request etc.), it also stores applicant’s personal data such as name, surname, e-mail address, postal address, country, phone number, legal representative, organisation and profile. Depending on the manner in which the applicant submits the requests, different personal data of the applicant are provided and stored (see section 2 and 4 for more details).
Your personal data from the EASE system are deleted once the five-year administrative retention period of the corresponding file expires and the file is transferred to the Historical Archives (see section 5.1.1.). If the applicant has multiple files linked to their profile (e.g. if they use portal account to submit multiple requests), the applicant’s personal data from the EASE IT system are deleted as of the expiry of the five year administrative retention period of the file with the latest closing date.
5.3. Applicant’s personal data in the identification documents
The use of information contained in an identification document of an applicant (see section 4 above) is strictly limited: the data will only be used to verify the identity of the applicant and will not be stored for longer than necessary for this purpose.
6. How do we protect your personal data?
All data in electronic format (e-mails, documents, uploaded batches of data etc.) are stored either on the servers of the European Commission or of its contractors. Their operations abide by the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.
The European Commission’s contractors are bound by a specific contractual clause for any processing operations of your personal data on behalf of the European Commission, and by the confidentiality obligations deriving from the transposition of the General Data Protection Regulation in the EU Member States.
In order to protect your personal data, the European Commission has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.
7. Who has access to your personal data and to whom are they disclosed?
Access to your personal data is provided to authorised staff of the European Commission responsible for carrying out the processing operation and according to the ‘need to know’ principle. Such staff abide by statutory, and when required, additional confidentiality agreements.
Personal data that appear in the documents requested may be disclosed to the public following an assessment under Regulation (EC) No 1049/2001, read in conjunction with Article 9 of Regulation (EU) 2018/1725. If you reside outside the EU and the European Commission grants you access to documents, personal data included in these documents will only be disclosed to you if such transfer fulfils the conditions of Chapter V of the Regulation (EU) 2018/1725 on transfers of personal data to third countries or international organisations.
In addition to transmitting to the applicant the disclosed documents, the Commission also publishes them on the dedicated ‘Request a Commission document’ online portal.
The personal information we collect on the applicants who request access to documents will not be given to any third party, except:
- to the extent and for the purpose we may be required to do so by law; and
- for the purpose of dispatching access-to-documents decisions of the European Commission by registered mail via the processor DHL International (established in Belgium) (for further information, see corresponding processing operation Traitement du courrier’ of the European Commission’s Office for Infrastructure and Logistics in Brussels, registered in the public DPO register under reference number DPR-EC-00884..
Pursuant to point (13) of Article 3 of Regulation (EU) 2018/1725, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients. The further processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Decisions of the European Commission pursuant to Regulation (EC) No 1049/2001 on confirmatory applications are adopted through Decide (the information system supporting the Commission decision-making process) and are made available on the European Commission’s (non-public) VISTA system. For information concerning the processing of personal data through the Decide and VISTA systems, please see the respective records of processing operations ‘DPR-EC-00107 Decide (information system supporting the Commission decision-making process’ and ‘DPR-EC-00914 VISTA system’.
8. What are your rights and how can you exercise them?
You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access your personal data and to rectify them in case your personal data are inaccurate or incomplete. Under certain conditions, you have the right to erase your personal data, to restrict the processing of your personal data, to object to the processing of your personal data and the right to data portability. You have the right to object to the processing of your personal data, which is lawfully carried out pursuant to Article 5(1)(a) on grounds relating to your particular situation.
Insofar the processing of your personal data is based on your consent (namely concerning non-mandatory personal data as described under sections 3 and 4 above) you can withdraw your consent at any time by notifying the Data Controller. The withdrawal will not affect the lawfulness of the processing carried out before you have withdrawn the consent.
You can exercise your rights by contacting the Data Controller, or in case of conflict the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under section 'Contact information' below.
Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under section 10 ‘Where to find information that is more detailed’ below) in your request.
Your request as a data subject will be handled within one month. The period may be extended by two further months where necessary, taking into account the complexity and number of the requests.
If you use the portal to submit requests (see section 2.1.) you have the following additional possibilities regarding your personal data:
8.1. Modifying personal data contained in accounts
In case you submitted a request via the portal account (see point 2.1), you can modify your personal data yourself at any time. As explained in section 2:
- you can manage and edit your name and surname in the EU Login account. Modifications done in EU Login account concerning name and surname are automatically reflected on the access-to-document account;
- you can manage your other personal data (postal address, country, phone number, organisation, legal representative, profile) in the ‘access-to-document’ account.
8.2. Deletion of accounts
If the applicant is using the portal to submit the request (see point 2.1), they have a possibility to delete their EU login or access-to-document account at any moment (see section 2.1. for more information about both accounts).
The applicant deletes the access-to-document account by clicking on ‘Delete my account’ button on the account management page on the portal.
The applicant deletes the EU login account on the EU login account management page.
Deleting ‘access to document’ account does not automatically delete EU login account, which has to be done separately as this account can be used for a wide range of European Commission information systems.
If you use EU Login for other information systems than access to documents, you should not delete your EU Login account as it will not only automatically delete the ‘access to document’ account (this feature is not yet available) but might also prevent you from further using other European Commission information systems.
Since the deletion of either of these two accounts entails the same consequences for applicant’s personal data processed under this processing operation, the following part refers only to ‘the account’, irrelevantly of which of these two accounts the applicant deletes.
If the applicant deletes the account before the Commission has sent a reply to the request(s), the system will send a closing letter for all ongoing cases and the Commission will not send its reply to such request(s), in line with Terms and Conditions which the applicant accepts when submitting each initial request via the portal.
Concerning the applicant’s personal data contained in HAN (see section 5.1 above) and EASE IT system (see section 5.2 above), the following three scenarios are possible when the applicant deletes the account:
- The applicant deletes their account while no request has been submitted yet:
- personal data are deleted from the EASE IT tool;
- Since no request has been submitted yet, there are no files (and therefore no personal data of the applicant) in HAN;
The applicant has submitted one or more requests but has not received a Commission reply to any request at the moment of the deletion of the account:
- personal data are deleted from the EASE IT tool;
- concerning the files and metadata stored in HAN, they continue to be handled in line with the Commission retention policy (as explained in section 5.1.)
The applicant has received the Commission reply to at least one of their requests at the moment of the deletion of the account:
- personal data are not deleted from the EASE IT system. They are deleted after the expiry of the five years administrative retention period of the corresponding file (as explained in section 5.2.);
- concerning the files and metadata stored in HAN, they continue to be handled in line with the Commission retention policy (as explained in section 5.1.)
9. Contact information
- The (corporate) Data Controller:
If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the corporate Data Controller
- Unit C.1 – Transparency, Document Management & Access to Document
- E-mail: Sgfirstname.lastname@example.org
- The Data Protection Officer (DPO) of the European Commission:
You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.
- The European Data Protection Supervisor (EDPS):
You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor (email@example.com) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.
10. Where to find information that is more detailed?
The Data Protection Officer of the European Commission publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him. You may access the register at the following link: http://ec.europa.eu/dpo-register.
This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-00793.