Your personal information and the EU administration: What are your rights? European Data Protection Supervisor EDPS factsheet 1

Post on 16-Jul-2020


Every day, personal information - also known as personal data - is processed within the EU administration. Recruiting activities, contract tenders, complaints or requests for information, video surveillance are a few examples.

If such information is inaccurate, out of date or disclosed to the wrong person, the damage caused to you may be quite serious. You could be unfairly refused a professional contract, mistaken for somebody else, blamed for unauthorised disclosure of information, or even become a victim of identity theft.

Everyone is entitled to protect their personal information. In fact, data protection is a fundamental right, protected by European law and enshrined in Article 8 of the Charter of Fundamental Rights of the European Union. The Charter contains three main elements: 1) obligations on those processing personal information (for example, EU institutions or bodies), 2) rights of persons whose information is being processed and 3) supervision by an independent authority (in this case, the EDPS). More specifically, the protection of personal data within the EU institutions and bodies is contained in Regulation (EC) No. 45/2001. This factsheet focuses on the rights of individuals mentioned in point 2) above and on how you can make the best use of your rights under the Regulation.

What are your rights?

You are entitled to know whether an EU institution or body is processing information about you; you must be given, either in advance or as soon as it has been registered, information that includes which body or institution is processing the data, the purpose of the processing operation, the recipients of the information and your rights as the person whose information is being processed.

You are also entitled to check the information related to you which is being processed and obtain, free of charge:

– access to your personal information, for example a copy of the data concerned and to some information concerning the processing, for instance the purpose of the processing, the recipients to whom it is disclosed, etc.

– the rectification of inaccurate or incomplete personal information;

– the blocking of information under certain circumstances, for example, when the accuracy of it is in question;

– the erasure of the information if its use is unlawful, for example, if the information is no longer relevant, or if sensitive information is processed where this is not allowed;

– the notification to third parties, to whom the information has been disclosed, of any rectification, erasure or blocking;

You are entitled to object at any time, on compelling and legitimate grounds, to the processing of the information related to you.

You also have the right to be informed before your information is disclosed for the first time to third parties — or before it is used on their behalf — for direct marketing purposes. You are entitled to object to such disclosure or use.

What can I do in the event of a problem?

1. Notify the EU institution or body responsible for processing and ask them to take action.

2. If you obtain no reply or if you are not satisfied with it, contact the data protection officer (DPO) of the institution or body concerned (http://www.edps.europa.eu/EDPSWEB/edps/Supervision/DPOnetwork).

3. You can also lodge a complaint with the EDPS, who will examine your request and adopt the necessary measures (see EDPS website for details).

Your complaint will, in principle, be inadmissible if you have not first contacted the institution concerned in order to redress the situation. A complaint submission form is available on the EDPS website under the Supervision section.

4. You can also bring an action before the Court of Justice of the European Union.

Restriction of your rights

In specific circumstances, your rights may be restricted - but they cannot be withdrawn. This limitation may take place, for a determined period of time and only if necessary, to safeguard:

• the prevention, investigation, detection and prosecution of criminal offences (including disciplinary proceedings and administrative enquiries). This could apply, for example, to investigations carried out by the European Anti-fraud Office (OLAF) or the Commission’s Investigation and Disciplinary Office (IDOC);

• an important economic or financial interest of a Member State or of the European Union;

• you or the rights and freedoms of others;

• national security, public security or defence of the Member States.

If a restriction applies, you have to be informed of the reasons for the restriction and of your right to recourse to the EDPS. If it makes the policy for applying the restriction ineffective, you may not be provided with this information straight away, for instance, if giving the information risks destruction of evidence in an investigation. This is determined on a case-by-case basis.

If you have been denied access to your information and ask the EDPS to investigate your complaint, the EDPS will, following the investigation, inform you whether the information has been correctly processed and, if not, advise you of what instructions he has given the institution or body concerned to correct the processing and also outline to you the next steps.

What does the EDPS do to uphold your data protection rights?

The EDPS is an independent supervisory authority responsible for ensuring that the fundamental right to the protection of personal information is respected by the European institutions and bodies, for example, by supervising the processing (collection, use, transfer, etc.) of personal information by the EU administration, as well as ensuring that data protection safeguards are incorporated in EU legislation and policies, whenever relevant.

• You may ask the EDPS for advice on how to exercise your rights;

• You may ask the EDPS to investigate a complaint: if you think that your data protection rights have been infringed by the EU administration, you can lodge a complaint with the EDPS. If necessary, the EDPS can recommend the EU institution or body concerned to adopt specific measures to protect your rights. The EDPS will inform you of the outcome;

• The EDPS conducts enquiries and inspections, on his own initiative or on the basis of a complaint, when it is necessary to obtain more information on the processing of personal information;

• The EDPS can order that requests to exercise certain rights in relation to personal information be complied with where such requests have been refused in breach of your rights;

• The EDPS can warn or admonish the European institution or body which is unlawfully or unfairly processing your personal information;

• The EDPS can impose a temporary or definitive ban on processing;

• The EDPS can refer a case to the Court of Justice of the European Union.

To help him investigate a complaint, the EDPS is entitled to obtain all personal data and all information necessary for his enquiries from the EU institution or body concerned. He can also access the premises of any EU institution or body should an on-the-spot investigation be needed.

What is next?

In January 2012, the European Commission made proposals for a thorough revision of the rules on data protection which currently apply to the EU Member States (e.g. Directive 95/46/EC). These proposals include some additional rights, such as the “right to be forgotten” and to “data portability”, that seem to be particularly useful in the online environment. The revised rules are currently being debated within the Parliament and the Council. It is likely that this revision will also lead to the amendment of Regulation (EC) No. 45/2001.

A complaint to the EDPS can only relate to the processing of personal information. The EDPS is not competent to deal with cases of general maladministration, to modify the content of the documents that the complainant wants to challenge or to grant financial compensation for damages. The processing of personal information which is the subject of a complaint must be carried out by one of the EU institutions or bodies.

Further reading

• Articles 13 to 19 of Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data

• See the EDPS website for more information: www.edps.europa.eu

• @EU_EDPS.

Glossary

• Personal data: any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. Examples of information about a natural (living) person which can be used to identify that person include names, dates of birth, photographs, e-mail addresses and telephone numbers. Other details such as health data, data used for evaluation purposes and traffic data on the use of the internet are also considered personal data.

• Data processing: any operation or set of operations performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

• Data controller: The EU institution or body determining the purposes and means of the processing of personal data.

• DPO: Each institution or body has a data protection officer. It is the duty of the DPO to ensure, in an independent manner, the internal application of the Regulation and that the rights and freedoms of the data subjects are not likely to be adversely affected by the processing operations. A list of data protection officers can be found on the EDPS website: http://www.edps.europa.eu/EDPSWEB/edps/Supervision/DPOnetwork

• EU institutions and bodies/EU administration: all institutions, bodies, offices or agencies operating for the European Union (e.g. European Commission, European Parliament, Council of the European Union, European Central Bank, specialised and decentralised EU agencies).

• Sensitive data: includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of data concerning health or sex life. The processing of such information is in principle prohibited, except in specific circumstances.

• Right to be Forgotten: the right to have personal data erased and no longer processed, where the data is no longer necessary for the purposes for which the data was collected or processed, where the individual(s) has withdrawn his or her consent for the processing or objects to the processing of personal data concerning him or her, or where the processing of their personal data does not comply with EU rules. This right is particularly relevant when the individual has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet.

• Data portability: the right to transfer one’s personal data from one automated application, such as a social network, to another without being prevented from doing so by the controller.

QT3012766ENC doi:10.2804/45126