EACEA processes personal data on a daily basis. Processing operations include in particular evaluation of applications for a grant or organising events.
The Agency is committed to privacy and to having its services comply with European legislation on the lawful processing of personal data.
Why does data protection matter at EACEA? How does it affect citizens?
In the digital age, the collection and storage of personal information are essential. Data protection is a fundamental right according to the EU Charter of Fundamental Rights which protects personal data in all aspects of life: at home, at work, whilst shopping, when receiving medical treatment, at a police station or on the Internet.
As any other EU institution, agency or body, EACEA is subject to specific legal obligations concerning the protection of personal data and the processing thereof. EU data protection rules aim to protect the fundamental rights and freedoms of natural persons, and in particular the right to data protection, as well as the free flow of data. The obligations are prescribed by Regulation (EU) N° 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC Text with EEA relevance. The Regulation lays down rules on how EU institutions, bodies, offices and agencies should treat the personal data they hold, and upholds the individuals’ fundamental right to protection of their personal data.
What is personal data?
Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, personnel number, a photo, name of a legal representative of a beneficiary an email address, bank details, your posts on social networking websites, your medical information, or your computer's IP address etc, which may be contained in electronic forms or paper versions like application forms, CVs, contracts, mailing lists, billing data, electronic databases, medical files, evaluation reports etc.
Information on data transfers to the United Kingdom
The EU-UK Trade and Cooperation Agreement provides that, for a specified period and upon the condition that the UK’s current data protection regime stays in place, all transfers of personal data between the EU and UK entities will not be considered as transfers to a third country subject to the provisions of Chapter V Regulation 2018/1725. This interim provision applies until 30 June 2021 at the latest. Therefore, until this date, the Agency and its processors are able to carry on transferring data to UK organisations without the need to put in place a transfer tool under Regulation 2018/1725 applicable for international transfers (i.e. adequacy decision, adequate safeguards, derogation).
The Data Protection Officer at EACEA
The Data Protection officer (DPO) ensures and monitors in an independent manner the application in the Agency of the Regulation (EU) n° 2018/1725 on the protection of individuals and bodies and on the free movement of such data. The role and function of the DPO are defined in the following decision:
The Data Protection Officer at EACEA can be contacted using functional mailbox: firstname.lastname@example.org”
What are your rights and how can you exercise them?
Regulation (EU) 2018/1725 provides data subjects with rights. The Controller must reply within one month of the receipt of the data subjects’ request. That period may be extended where necessary.
The more relevant rights are outlined below.
- The right to information
- The right of access
- The right of rectification
- The right of restriction of processing
- The right of erasure (‘right to be forgotten’)
- The right to object
- The right to data portability
- The right not to be subject to automated decision making
- The right to claim compensation for any damage
- The right to lodge a complaint with the European Data Protection Supervisor regarding an alleged breach of the provisions of Regulation (EU) 2018/1725.
In order to exercise your rights regarding personal data, you can either:
- Ask the controller to take measures (Head of Unit, Director of the Agency). You shall find the person to contact in the "Privacy statement" or in the record of the processing concerned.
- Contact the DPO of the Agency (cf. contact details above)
- Lodge a complaint with the EDPS at any time: European Data Protection Supervisor
Rue Wiertz 60 - 1047 Brussels - email@example.com Website: http://www.edps.europa.eu
Restrictions to the exercise of rights
Article 25 of Regulation (EU) 2018/1725 provides that, in matters relating to the operation of EU institutions and bodies, the latter can restrict certain rights of individuals in exceptional circumstances and with the safeguards laid down in that Regulation. Such restrictions are provided for in internal rules adopted by EACEA and published in the Official Journal of the European Union.
The internal rules apply to EACEA in the performance of limited activities, such as administrative inquiries, disciplinary proceedings, preliminary activities related to cases of potential irregularities reported to OLAF, whistleblowing procedures, procedures for cases of harassment, and processing of internal and external complaints. Within this context, and following a case-by-case assessment of the necessity and proportionality of the restrictions, the EACEA may decide to restrict certain rights, such as the right of access, rectification, and erasure of personal data, the right to be informed about the processing of personal data, and the right to restriction of processing. These possible restrictions aim at safeguarding important objectives of general EU and national public interest defined in Article 25 of Regulation (EU) 2018/1725, such as the protection of internal security of Union institutions and bodies, the protection of the data subject or the rights and freedoms of others, the protection of an important economic or financial interest of the Union or of a Member State.
Register of processing operations of personal data at EACEA
The register contains the detailed description of data processing operations carried out at EACEA (Which data are processed? By whom? For what purpose? How long are they kept? Who has access to these data? What can I do in case of conflict? etc.). The content of the register is accessible by any citizen and thus contributes to the transparency and accountability of the data processing operations carried out by EACEA.
The Privacy statement informs grants applicants and beneficiaries whose data is collected by the Agency on the conditions of such processing, such as the purpose of the processing, the legal basis, the rights, etc.
The privacy statement applicable to grants updated following the entry into force of Regulation (EU) 2018/1725 can be found at the following links:
- If the submission deadline of the call for proposals was before June 2020, please find the privacy statement:
- If the submission deadline of the call for proposals was after June 2020, please find the privacy statement on the Funding & tender opportunities Portal (see file Privacy Statement on 'Grant management and registration/validation of participants’)
If you are participating to a call for tenders as a tenderer or as a contractor, please find the privacy statement:
If you are working as an external expert to assist in the evaluation of grant applications, projects and tenders, and to provide opinions and advice in specific cases, the privacy statement and its annexes can be found here
MANAGEMENT OF FINANCIAL TRANSACTIONS IN THE FRAMEWORK OF EU PROGRAMMES (LEGACY)
The privacy statement applicable to the grant management of legacy projects (before the 2021-2027 multiannual financial framework) and the related financial transactions can be found here.
If your project is selected for an audit, please find the privacy statement below:
For matters related to the management of suspicions of irregularities/fraud including analysis and signaling to OLAF. Please find the privacy statement below:
EARLY DETECTION AND EXCLUSION SYSTEM (EDES)
Processing of personal data for the protection of the Union's financial interests by means of detection of risks and imposition of administrative sanctions within the Early Detection and Exclusion System (EDES)
VIDEO-SURVEILLANCE (CCTV) - DIGITAL AND ANALOGUE STORAGE
Processing of personal data for the video surveillance of the buildings occupied by EACEA with the aim of protecting persons entering the buildings, their assets and information.
Do you want to learn more?
You can consult the website of the European Data Protection Supervisor (EDPS).