European Institute for Gender Equality (EIGE) is highly committed to best practices in protecting personal data. Data protection is a fundamental right, protected not only by national legislation, but also by European Law.
What is personal data?
Any information relating to an identified or identifiable person is considered to be a personal data (for a full definition see Article 3) of the Regulation (EU) 2018/1725. It is important to note that, where the ability to identify an individual depends partly on the data held and partly on other information (not necessarily data), the data held will still be “personal data”.
The categories of personal data are broadly drawn so that, for example, personal data are considered to be telephone numbers, addresses, financial information, photographs, satellite images, car registrations, ID numbers, e-mail addresses, health records, etc. Personal data can be contained in computer files (e.g. in databases, on the Internet or other closed networks) or in paper records.
The main players
Data Subject refers to individuals who are within the European Union whose data is processed. This encompasses all natural persons, who can be distinguished as persons with rights in regards to the processing of their personal data.
Data Controller is the institution or organisational entity that determines the purpose(s) and mean(s) of the processing. Alone or jointly with others, data controller shall ensure and be able to demonstrate that the processing is performed according to the Regulation (Article 26).
Data Processor is a natural or legal person, public authority or other bodies and organisations that process personal data on behalf of the controller.
Data Protection Officer (DPO) is the official responsible for ensuring, in an independent manner, the internal application of the provisions of Data Protection Regulation. DPO informs data subjects on their rights and obligations; advises where requested on the notification or communication of a personal data breach (Art. 34 and 35) or the data protection impact assessment (Art. 39) and monitors it; responds, cooperates with and consults the EDPS (Art. 40); and may make recommendations to the controller and processor. EIGE’s DPO can be contacted via e-mail at: email@example.com.
European Data Protection Supervisor (EDPS) is an independent supervisory authority responsible for monitoring and ensuring the application of data protection rules by European Union institutions and bodies, including the Agency.
Collection of personal data by EIGE
A number of EIGE’s activities involve the collection and processing of personal data, for instance as part of the recruitment procedures, or collection of data for salaries or reimbursements, contractual arrangements with suppliers or organization of events, etc.
It shall be noted that collecting and processing of personal data and its subsequent utilization is done lawfully, fairly and in a transparent manner in relation to the data subject (Art. 4 paragraph 1a).
Purpose of the collection
Whenever personal data are requested, it is essential that the data subject knows for what purposes the data is being collected. According to the Article 4 Paragraph 1b of the Regulation, personal data "shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 13, not be considered to be incompatible with the initial purposes."
Moreover, personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
According to Article 31 of Regulation (EU) 2018/1725, EIGE has a legal obligation to keep a register of all personal data processing operations which have been notified to the Data Protection Officer (DPO). The register aims at ensuring transparency to the public and it is accessible to any interested person.
Rights of data subjects
When personal data are requested, data subjects have the rights:
- to be informed of the processing operations (Articles 15 and 16);
- to access, rectify, erase the data (Articles 17-19);
- to restrict the processing and to be notified regarding rectification or erasure of personal data or restrictions of processing (Articles 20-21);
- to data portability (Article 22);
- to object an automated individual decision-making (Article 24);
- to lodge a complaint with the European Data Protection Supervisor, to receive to an effective judicial remedy, to receive compensation for any infringement of this Regulation (Articles 63-65).
Principles of data processing
- Processing shall be lawful only if and to the extent that at least one of the following applies (Article 5):
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- The Data Controller (the institution or organisational entity that determines the purpose(s) and mean(s) of the processing) must ensure that all provisions of the Regulation (EU) 2018/1725 are complied with.
- Processing is based on consent. The processing of personal data by the Agency is not only governed by the Regulation 2018/1725, but also by specific legal instruments, such as implementing rules, internal rules and information is provided to you via the means of a privacy notice.
- Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection, as the context of their processing could create significant risks to the fundamental rights and freedoms. Such personal data should not be processed unless the specific conditions set out in this Regulation are met. In addition to the specific requirements for processing of sensitive data, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing.
- Access to personal data is provided to authorised staff of EIGE who is responsible for carrying out the processing operation and according to the ‘need to know’ principle. Such staff abide by statutory, and when required, additional confidentiality agreements. The Agency will not make personal data available to the public, unless the party concerned has given his or her express statement of consent.
Personal data that appear in the documents requested may be disclosed to the public following an assessment under Regulation (EC) No 1049/2001, read in conjunction with Article 9 of Regulation (EU) 2018/1725. If you reside outside the EU and the European Commission grants you access to documents, personal data included in these documents will only be disclosed to you if such transfer fulfils the conditions of Chapter V of the Regulation (EU) 2018/1725 on international transfers of personal data. Data subjects have the right to be informed about the recipients of the data (if any), and whether the personal data is intended to be transferred to a third country or international organisation.
- Charter of Fundamental Rights of the EU - Article 8(1)
- European Convention for the Protection of Human Rights and Fundamental Freedoms – Article 8
- Treaty establishing the European Community - Article 286
EIGE, as an EU agency, collects and further processes personal data in accordance with the provisions of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, L295, 21.11.2018.
This regulation aims to protect the liberties and fundamental rights of individuals and in particular their right to privacy with respect to the processing of personal data about them.
It only applies within the institutions and bodies set up by, or on the basis of, the Treaties establishing the European Communities. The legal basis for data protection concerning the general public is not ruled by this Regulation.
This Regulation applies to the processing of personal data by all Union institutions and bodies, insofar as such processing is carried out in the exercise of activities all or part of which fall within the scope of Community law (Article 2.2.).
The United Kingdom's withdrawal from the European Union and data protection
The United Kingdom (UK) formally left the European Union (EU) on 31 January 2020 and became a third country. A transition period began on 1 February 2020, which is due to end on 31 December 2020. After the end of the transition period, the UK will continue to apply EU data protection rules to the current “stock of personal data”, until the EU, through an adequacy decision, establishes that the UK’s data protection rules provide safeguards which are essentially equivalent to those in the EU.
EIGE will continue to operate in accordance with the timelines set by its rules and regulations throughout the BREXIT process.
Who should you contact for more information about the processing of your personal data by the Institute?
If you feel that your personal data are being misused by EIGE, or their processing is otherwise not compliant with Regulation (EU) 2018/1725, you should first notify the Data Controller for the processing in question and ask him or her to take action.
You may also contact the Institute's DPO at firstname.lastname@example.org to inform him or her of any issues related to the processing of your data.
If you consider that the processing of your personal data is infringing Regulation (EU) 2018/1725, you may also lodge a complaint with the EDPS. The EDPS is empowered to hear and investigate complaints and to conduct inquiries, including on his or her own initiative. If a breach of data protection rules is found to have occurred, the EDPS may exercise the powers assigned to him under Article 58 of Regulation (EU) 2018/1725.
Any personal data you submit to the Institute in the context of the EIGE website will be processed in accordance with Regulation (EU) 2018/1725 of 23 October 2018.
In this regard, the EIGE informs you through a privacy notice linked to the specific processing operation.
Although you can browse through EIGE's web pages without giving any information about yourself, in certain cases, personal information is required in order to provide the e-services you request.
The European Union's family of institutional websites, within the 'europa.eu' domain, provides links to third party sites. Since we do not control them, we encourage you to review their privacy policies.