What is processing of personal data?
Processing of personal data means any operation or set of operations, whether automated or not, performed upon personal data, such as collection, storage, consultation, use, transmission or destruction.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
Who are the data controller and the data subject?
The data controller is the Community institution or body, Directorate-General, unit or any other organisational entity which alone or jointly with others determines the purposes and means of the processing of personal data. The data subject is the natural person whose personal data are processed by the data controller.
Why are data protection principles important?
Data protection principles determine the basic rules that each controller must observe and implement in practice when processing personal data. According to these principles, personal data must be:
- Fairly and lawfully processed;
- Processed for limited and explicit purposes;
- Adequate, relevant and not excessive;
- Not kept longer than necessary;
- Processed in accordance with the Data Subject's rights;
- Processed in a secure manner;
- Not transferred to third parties without adequate precautions.
Who are the European Data Protection Supervisor and the Data Protection Officers?
The European Data Protection Supervisor is the supervisory authority at European level responsible for ensuring that the fundamental rights and freedoms of natural persons, and in particular their right to privacy, are respected by the Community institutions and bodies. He is appointed for a five-year term by the European Parliament and the Council on the basis of a list drawn up by the Commission.
Website of the EDPS: www.edps.europa.eu
In addition, each institution or body has to appoint one or more Data Protection Officers (DPO). The task of the DPO is to ensure in an independent manner the internal application of the provisions of the Regulation and to advise controllers in the fulfilment of their obligations, thus ensuring that processing operations do not adversely affect the rights and freedoms of data subjects. Data Protection Officers also respond to requests from, and cooperate with, the European Data Protection Supervisor. The list of appointed DPOs can be found on the EDPS website.
What is a notification?
A Notification is a prior notice by the Controller to the DPO of his institution of any processing operation (manual or electronic) in which personal data are involved, giving notice of the existence of the processing operation and its main characteristics.
What is the Register of processing operations?
Each DPO – and therefore each institution – maintains a public Register of the processing operations carried out by that institution. This is a legal obligation under Article 26 of the Regulation. The Register is based on the notifications submitted to the DPO. In the spirit of transparency the Register of the Council DPO is available online.
How do I know if the Council processes my personal data?
If you work for the Council, it is certain that the institution is handling your personal data as necessary for the management of staff and your daily work. If you are not a member of Council staff but maintain contacts with the institution, some of your personal data relating to those contacts could be processed by the Council. In practical terms, the search function of the Council Register based on the categories of data subject will help you to identify the actual processing operations that may concern you.
Who should I contact for information on a given processing operation?
The controller has the best knowledge of the circumstances of processing operations carried out under his authority. Therefore it is recommended that you first contact the controller of the processing operation concerned, who should provide you with the required information and who is obliged to ensure the effective exercise of the rights of data subjects. You may also request the assistance of the DPO and ask him or her to investigate matters or occurrences directly relating to his or her tasks (see also "Legislation").
How do I identify the data controller?
Data controllers are usually the heads of the administrative entity carrying out the processing operation. They can most easily be identified on the basis of the Register, which contains the identity and contact details of the controller for each processing operation. Should difficulties arise, the DPO can also put you in contact with the appropriate controller or obtain the necessary information.
What are my rights as a data subject?
First and foremost, data subjects have the right to be informed of the existence of a processing operation concerning them and its main characteristics. Data subjects also have the right to obtain communication of the data undergoing processing and to obtain rectification from the controller without delay of any inaccurate or incomplete personal data.
In certain circumstances, data subjects may also ask the controller for the exercise of certain more specific rights, such as the blocking or erasure of data.
Section 5 of the Council implementing rules on data protection determines the procedure to be followed for the exercise of those rights. Requests can be submitted using a form made available by the DPO. To obtain the necessary form, please contact the DPO office indicating your language preference.
Independently of that, you may lodge a complaint at any time with the European Data Protection Supervisor. Further information is available on the EDPS website: www.edps.europa.eu