Rules and policies on the protection of personal data

Any personal data collected by the European Environment Agency (EEA) shall be processed pursuant to Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC. 

This means in particular that personal data shall be:

• processed lawfully, fairly and in a transparent manner in relation to the data subject (principle of ‘lawfulness, fairness and transparency’)
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (principle of ‘purpose limitation’)
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (principle of ‘data minimisation’)
• accurate and, where necessary, kept up to date; every reasonable steps must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (principle of ‘accuracy’)
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (principle of ‘storage limitation’)
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (principle of ‘integrity and confidentiality’).

In order to ensure that the objective to protect your personal data is met and that the Agency complies with the above regulation, the Agency has adopted in May 2017 a policy on data protection and privacy of personal data, which is designed to inform all staff members about their obligations to protect the privacy of all individuals and the security of their personal data and on the associated processes and behaviour to follow within the Agency.

In accordance with the provisions in Article 45(3) of Regulation (EU) 2018/1725, the Agency has adopted further implementing rules concerning the data protection officer.