The processing of personal data in the Community institutions and bodies like the European Environment Agency (EEA) is regulated by Regulation (EC) No 45/2001 - - on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data.

Scope of Regulation No. 45/2001

Article 3.2 provides that the Regulations shall apply to the processing (wholly or partly by automatic means and otherwise as a part of filing system) of personal data by all Community institutions and bodies insofar as such processing is carried out in the exercise of activities all or part of which fall within the scope of Community law.

Processing of personal data

“Processing” means any operation or set of operations performed upon personal data like collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (Article 2(b), Reg. 45/2001).

What is personal data?

"Personal data" is any information relating to identifiable or identified person (a data subject). An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. (Article. 2(a), Reg. 45/2001).

The processing of special categories of data, defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and of data concerning health or sex life, is prohibited, subject to certain exceptions. (Article 10, Reg. 45/2001).

The Data Subject

The Data Subject is the person whose personal data is collected, held or processed.

The Data Controller and the Delegated Controller

The Data Controller means “the Community institution or body, the Directorate-General, the unit or any other organisational entity which alone or jointly with others determines the purposes and means of the processing of personal data” (Article 2(d), Reg. 45/2001).

Principles of  Data Protection

  • Data must be processed fairly and lawfully;
  • It can only be processed for limited and explicit purposes;
  • The data collected must be adequate, relevant and not excessive in relation to the purposes for which it was collected;
  • It must be kept accurate and up-to-date;
  • It should not be kept longer than necessary;
  • It can only be processed in accordance with the Data Subject's rights;
  • It should be stored in a secure way;
  • It shall not be transferred to third parties without adequate precautions (Article 4, Reg. 45/2001).

Rights of the Data Subject

1. Information

The Controller must give the Data Subject the following information about data being processed:
(a) information about the legal basis of the processing operation,
(b) the identity of the controller,
(c) purposes of the operation,
(d) the categories of data concerned,
(e) the recipients or categories of recipients to whom the data are disclosed,
(f) whether the replies to the questions asked are mandatory or voluntary,
(g) the existence of the right to access to the data,
(h) the time limits for storing the data, and
(i) the right to have recourse to the EDPS; 

2. Right of access

The Data Subject has the right to access his/her data. Moreover, s/he can require the Controller to provide him/her with the following information and the Controller shall do so within a maximum of three months from the receipt of the request thereby providing:
(a) confirmation as to whether or not data related to the Data Subject is being processed;
(b) communication of the data undergoing processing and the source of any available information;
(c) confirmation as to the purposes of the operation, the categories of data concerned and the recipients or categories of recipients to whom the data are disclosed,
(d) knowledge of the logic involved in any automated decision process concerning the Data Subject.

3. Rectification

The Data Subject may require the Controller to rectify without delay any inaccurate or incomplete personal data.

4. Blocking

The Data Subject has the right to require the Controller to block the data if
(a) it is no longer necessary for the objective of the operation;
(b) the Data Subject contests the accuracy of the data or
(c) the processing is unlawful. If the processing is unlawful, the Data Subject may also choose to require the Controller to destroy the data.

5. Notification to third parties

The Data Subject has a right to require the Controller to notify the third parties who initially have been disclosed the data about any rectification, blocking or destruction of data.

7. Right to object

The Data Subject may at any time object to the processing of his/her data for compelling legitimate reasons relating to his/her particular situation as noted in Articles 11-19 under the exception of Article 20, Reg. 45/2001).

8. Retention of data

The data shall not be kept for longer than is necessary for the purpose for which it was collected.

The Data Protection Officer (DPO)

Each institution has one or more DPO to ensure the application of the principles of personal data protection in the institution. Each DPO keeps a register of all personal data processing operations in his/her institution. S/he also provides advice and makes recommendations on rights and obligations.

S/he notifies processing of sensitive personal data to the EDPS (see below) and responds to requests from the EDPS. In critical situations s/he may investigate matters and incidents either upon a request or on his/her own initiative.
EEA's DPO can be contacted at

European Data Protection Supervisor (EDPS)

The EDPS is an independent supervisory authority established in accordance with Regulation (EC) 45/2001.

With respect to the processing of personal data, the EDPS is responsible for ensuring that the fundamental rights and freedoms of natural persons, and in particular their right to privacy, are respected by the Community institutions and bodies. The EDPS is also responsible for advising Community institutions and bodies and Data Subjects on all matters concerning the processing of personal data.
Data Subjects have right of recourse at any time to the EDPS.

Site usage information

This website uses Google Analytics, a web analytics service provided by Google, Inc. ('Google'). Google Analytics uses 'cookies', which are text files placed on your computer, to help the web team analyse how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

Cookies do not contain any personal information about you and cannot be used to identify an individual user.

Sign up to receive our reports (print and/or electronic) and quarterly e-newsletter.
Follow us
European Environment Agency (EEA)
Kongens Nytorv 6
1050 Copenhagen K
Phone: +45 3336 7100