- Bulgarian (bg)
- Czech (cs)
- Danish (da)
- German (de)
- Greek (el)
- English (en)
- Spanish (es)
- Estonian (et)
- Finnish (fi)
- French (fr)
- Hungarian (hu)
- Icelandic (is)
- Italian (it)
- Lithuanian (lt)
- Latvian (lv)
- Maltese (mt)
- Dutch (nl)
- Norwegian (no)
- Polish (pl)
- Portuguese (pt)
- Romanian (ro)
- Slovak (sk)
- Slovenian (sl)
- Swedish (sv)
- Turkish (tr)
The processing of personal data in the Community institutions and bodies like the European Environment Agency (EEA) is regulated by Regulation (EC) No 45/2001 - http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32001R0045:EN:NOT - on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data.
- See also: "Data protection at a glance" guide
Scope of Regulation No. 45/2001
Article 3.2 provides that the Regulations shall apply to the processing (wholly or partly by automatic means and otherwise as a part of filing system) of personal data by all Community institutions and bodies insofar as such processing is carried out in the exercise of activities all or part of which fall within the scope of Community law.
Processing of personal data
“Processing” means any operation or set of operations performed upon personal data like collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (Article 2(b), Reg. 45/2001).
What is personal data?
"Personal data" is any information relating to identifiable or identified person (a data subject). An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. (Article. 2(a), Reg. 45/2001).
The processing of special categories of data, defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and of data concerning health or sex life, is prohibited, subject to certain exceptions. (Article 10, Reg. 45/2001).
The Data Subject
The Data Subject is the person whose personal data is collected, held or processed.
The Data Controller and the Delegated Controller
The Data Controller means “the Community institution or body, the Directorate-General, the unit or any other organisational entity which alone or jointly with others determines the purposes and means of the processing of personal data” (Article 2(d), Reg. 45/2001).
Principles of Data Protection
- Data must be processed fairly and lawfully;
- It can only be processed for limited and explicit purposes;
- The data collected must be adequate, relevant and not excessive in relation to the purposes for which it was collected;
- It must be kept accurate and up-to-date;
- It should not be kept longer than necessary;
- It can only be processed in accordance with the Data Subject's rights;
- It should be stored in a secure way;
- It shall not be transferred to third parties without adequate precautions (Article 4, Reg. 45/2001).
Rights of the Data Subject
The Controller must give the Data Subject the following information about data being processed:
(a) information about the legal basis of the processing operation,
(b) the identity of the controller,
(c) purposes of the operation,
(d) the categories of data concerned,
(e) the recipients or categories of recipients to whom the data are disclosed,
(f) whether the replies to the questions asked are mandatory or voluntary,
(g) the existence of the right to access to the data,
(h) the time limits for storing the data, and
(i) the right to have recourse to the EDPS;
2. Right of access
Data Subject has the right to access his/her data. Moreover, s/he can
require the Controller to provide him/her with the following information
and the Controller shall do so within a maximum of three months from
the receipt of the request thereby providing:
(a) confirmation as to whether or not data related to the Data Subject is being processed;
(b) communication of the data undergoing processing and the source of any available information;
(c) confirmation as to the purposes of the operation, the categories of data concerned and the recipients or categories of recipients to whom the data are disclosed,
(d) knowledge of the logic involved in any automated decision process concerning the Data Subject.
The Data Subject may require the Controller to rectify without delay any inaccurate or incomplete personal data.
The Data Subject has the right to require the Controller to block the data if
(a) it is no longer necessary for the objective of the operation;
(b) the Data Subject contests the accuracy of the data or
(c) the processing is unlawful. If the processing is unlawful, the Data Subject may also choose to require the Controller to destroy the data.
5. Notification to third parties
The Data Subject has a right to require the Controller to notify the third parties who initially have been disclosed the data about any rectification, blocking or destruction of data.
7. Right to object
The Data Subject may at any time object to the processing of his/her data for compelling legitimate reasons relating to his/her particular situation as noted in Articles 11-19 under the exception of Article 20, Reg. 45/2001).
8. Retention of data
The data shall not be kept for longer than is necessary for the purpose for which it was collected.
The Data Protection Officer (DPO)
institution has one or more DPO to ensure the application of the
principles of personal data protection in the institution. Each DPO
keeps a register of all personal data processing operations in his/her
institution. S/he also provides advice and makes recommendations on
rights and obligations.
S/he notifies processing of sensitive personal data to the EDPS (see below) and responds to requests from the EDPS. In critical situations s/he may investigate matters and incidents either upon a request or on his/her own initiative.
EEA's DPO can be contacted at firstname.lastname@example.org
European Data Protection Supervisor (EDPS)
The EDPS is an independent supervisory authority established in accordance with Regulation (EC) 45/2001.
With respect to the processing of personal data, the EDPS is responsible for ensuring that the fundamental rights and freedoms of natural persons, and in particular their right to privacy, are respected by the Community institutions and bodies. The EDPS is also responsible for advising Community institutions and bodies and Data Subjects on all matters concerning the processing of personal data.
Data Subjects have right of recourse at any time to the EDPS.
Site usage information
For references, please go to www.eea.europa.eu/soer or scan the QR code.
This briefing is part of the EEA's report The European Environment - State and Outlook 2015. The EEA is an official agency of the EU, tasked with providing information on Europe’s environment.
PDF generated on 22 May 2015, 07:38 PM