Your personal information and the EU administration:
What are your rights?
European Data Protection Supervisor
EDPS factsheet 1
Every day, personal information - also known as personal data - is processed within the EU administration. Recruiting activities, contract tenders, complaints or requests for information, video surveillance are a few examples.
If such information is inaccurate, out of date or disclosed to the wrong person, the damage caused to you may be quite serious. You could be unfairly refused a professional contract, mistaken for somebody else, blamed for unauthorised disclosure of information, or even become a victim of identity theft.
Everyone is entitled to protect their personal information. In fact, data protection is a fundamental right, protected by European law and enshrined in Article 8 of the Charter of Fundamental Rights of the European Union. The Charter contains three main elements: 1) obligations on those processing personal information (for example, EU institutions or bodies), 2) rights of persons whose information is being processed and 3) supervision by an independent authority (in this case, the EDPS). More specifically, the protection of personal data within the EU institutions and bodies is contained in Regulation (EC) No. 45/2001. This factsheet focuses on the rights of individuals mentioned in point 2) above and on how you can make the best use of your rights under the Regulation.
What are your rights?
You are entitled to know whether an EU institution or body is processing information about you; you must be given, either in advance or as soon as it has been registered, information that includes which body or institution is processing the data, the purpose of the processing operation, the recipients of the information and your rights as the person whose information is being processed.
You are also entitled to check the information related to you which is being processed and obtain, free of charge:
– access to your personal information, for example a copy of the data concerned and to some information concerning the processing, for instance the purpose of the processing, the recipients to whom it is disclosed, etc.;
– the rectification of inaccurate or incomplete personal information;
– the blocking of information under certain circumstances, for example, when the accuracy of it is in question;
– the erasure of the information if its use is unlawful, for example, if the information is no longer relevant, or if sensitive information is processed where this is not allowed;
– the notification to third parties, to whom the information has been disclosed, of any rectification, erasure or blocking.
You are entitled to object at any time, on compelling and legitimate grounds, to the processing of the information related to you.
You also have the right to be informed before your information is disclosed for the first time to third parties - or before it is used on their behalf - for direct marketing purposes. You are entitled to object to such disclosure or use.
What can I do in the event of a problem?
1. Notify the EU institution or body responsible for processing and ask them to take action.
2. If you obtain no reply or if you are not satisfied with it, contact the data protection officer (DPO) of the institution or body concerned (http://www.edps.europa.eu/EDPSWEB/edps/Supervision/DPOnetwork).
3. You can also lodge a complaint with the EDPS, who will examine your request and adopt the necessary measures (see EDPS website for details).
Your complaint will, in principle, be inadmissible if you have not first contacted the institution concerned in order to redress the situation. A complaint submission form is available on the EDPS website under the Supervision section.
4. You can also bring an action before the Court of Justice of the European Union.
Restriction of your rights
In specific circumstances, your rights may be restricted - but they cannot be withdrawn. This limitation may take place, for a determined period of time and only if necessary, to safeguard:
• the prevention, investigation, detection and prosecution of criminal offences (including disciplinary proceedings and administrative enquiries). This could apply, for example, to investigations carried out by the European Anti-fraud Office (OLAF) or the Commission’s Investigation and Disciplinary Office (IDOC);
• an important economic or financial interest of a Member State or of the European Union;
• you or the rights and freedoms of others;
• national security, public security or defence of the Member States.
If a restriction applies, you have to be informed of the reasons for the restriction and of your right to recourse to the EDPS. If it makes the policy for applying the restriction ineffective, you may not be provided with this information straight away, for instance, if giving the information risks destruction of evidence in an investigation. This is determined on a case-by-case basis.
If you have been denied access to your information and ask the EDPS to investigate your complaint, the EDPS will, following the investigation, inform you whether the information has been correctly processed and, if not, advise you of what instructions he has given the institution or body concerned to correct the processing and also outline to you the next steps.
What does the EDPS do to uphold your data protection rights?
The EDPS is an independent supervisory authority responsible for ensuring that the fundamental right to the protection of personal information is respected by the European institutions and bodies, for example, by supervising the processing (collection, use, transfer, etc.) of personal information by the EU administration, as well as ensuring that data protection safeguards are incorporated in EU legislation and policies, whenever relevant.
• You may ask the EDPS for advice on how to exercise your rights;
• You may ask the EDPS to investigate a complaint: if you think that your data protection rights have been infringed by the EU administration, you can lodge a complaint with the EDPS. If necessary, the EDPS can recommend the EU institution or body concerned to adopt specific measures to protect your rights. The EDPS will inform you of the outcome;
• The EDPS conducts enquiries and inspections, on his own initiative or on the basis of a complaint, when it is necessary to obtain more information on the processing of personal information;
• The EDPS can order that requests to exercise certain rights in relation to personal information be complied with where such requests have been refused in breach of your rights;
• The EDPS can warn or admonish the European institution or body which is unlawfully or unfairly processing your personal information;
• The EDPS can impose a temporary or definitive ban on processing;
• The EDPS can refer a case to the Court of Justice of the European Union.
To help him investigate a complaint, the EDPS is entitled to obtain all personal data and all information necessary for his enquiries from the EU institution or body concerned. He can also access the premises of any EU institution or body should an on-the-spot investigation be needed.
What is next?
In January 2012, the European Commission made proposals for a thorough revision of the rules on data protection which currently apply to the EU Member States (e.g. Directive 95/46/EC). These proposals include some additional rights, such as the “right to be forgotten” and to “data portability”, that seem to be particularly useful in the online environment. The revised rules are currently being debated within the Parliament and the Council. It is likely that this revision will also lead to the amendment of Regulation (EC) No. 45/2001.
A complaint to the EDPS can only relate to the processing of personal information. The EDPS is not competent to deal with cases of general maladministration, to modify the content of the documents that the complainant wants to challenge or to grant financial compensation for damages. The processing of personal information which is the subject of a complaint must be carried out by one of the EU institutions or bodies.
Further reading
• Articles 13 to 19 of Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data
• See the EDPS website for more information: www.edps.europa.eu
• @EU_EDPS.
Glossary
• Personal data: any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. Examples of information about a natural (living) person which can be used to identify that person include names, dates of birth, photographs, e-mail addresses and telephone numbers. Other details such as health data, data used for evaluation purposes and traffic data on the use of the internet are also considered personal data.
• Data processing: any operation or set of operations performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
• Data controller: The EU institution or body determining the purposes and means of the processing of personal data.
• DPO: Each institution or body has a data protection officer. It is the duty of the DPO to ensure in an independent manner the internal application of the Regulation and that the rights and freedoms of the data subjects are not likely to be adversely affected by the processing operations. A list of data protection officers can be found on the EDPS website. http://www.edps.europa.eu/EDPSWEB/edps/Supervision/DPOnetwork
• EU institutions and bodies/EU administration: all institutions, bodies, offices or agencies operating for the European Union (e.g. European Commission, European Parliament, Council of the European Union, European Central Bank, specialised and decentralised EU agencies).
• Sensitive data: includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of data concerning health or sex life. The processing of such information is in principle prohibited, except in specific circumstances.
• Right to be Forgotten: the right to have personal data erased and no longer processed, where the data is no longer necessary for the purposes for which the data was collected or processed, where the individual(s) has withdrawn his or her consent for the processing or objects to the processing of personal data concerning him or her, or where the processing of their personal data does not comply with EU rules. This right is particularly relevant, when the individual has given their consent as a child, when not being fully aware of the risks involved by the processing and later wants to remove such personal data especially on the internet.
• Data portability: the right to transfer one’s personal data from one automated application, such as a social network, to another without being prevented from doing so by the controller.
QT3012766ENC doi:10.2804/45126