The processing of personal data in the Union institutions, bodies and agencies is regulated by Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
Scope of the Regulation No. 2018/1725
Art. 2 provides that the Regulation shall apply to the processing of personal data by all Union institutions and bodies.
Processing of personal data
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
The data protection principles
Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 13, not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 13 subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
The Data Controller
‘Controller’ means the Union institution or body or the directorate-general or any other organisational entity which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by a specific Union act, the controller or the specific criteria for its nomination can be provided for by Union law. ‘Union institutions and bodies’ means the Union institutions, bodies, offices and agencies set up by, or on the basis of, the TEU, the TFEU or the Euratom Treaty;
For each processing operation, a Data Controller/Delegated Controller must be identified and prior notice must be given to the Data Protection Officer of the institution.
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
The Data Subject
The Data Subject is the person whose personal data are collected, held or processed by the Data Controller.
The Data Protection Officer (DPO)
Each Union institution or body shall designate a Data Protection Officer. Union institutions and bodies may designate a single data protection officer for several of them, taking into account their organisational structure and size.
The Data Protection Officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks. The Union institutions and bodies shall publish the contact details of the data protection officer and communicate them to the European Data Protection Supervisor. The Union institutions and bodies shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data (email@example.com).
European Data Protection Supervisor (EDPS)
The European Data Protection Supervisor (EDPS) is an independent supervisory authority established in accordance with Regulation (EC) 45/2001, later amended by Regulation 2018/1725. With respect to the processing of personal data, the EDPS is responsible for ensuring that the fundamental rights and freedoms of natural persons, and in particular their right to privacy, are respected by the Union institutions and bodies. The EDPS is also responsible for advising Union institutions and bodies and Data Subjects on all matters concerning the processing of personal data.
Data Subjects' Rights
1. Right to access
2. Right to rectification
3. Right to erasure (right to be forgotten)
4. Right to restriction of processing
5. Right to data portability
6. Right to object
7. Right not to be subject to automated individual decision-making, including profiling
For the safety and security of its buildings, assets, staff and visitors, the European Union Satellite Centre operates a video-surveillance system. The purpose of the video-surveillance system is the reduction and prevention of security incidents. The system helps to ensure the security of the buildings, the safety of staff and visitors, as well as property and information located or stored on the premises, by means of controlling access to the Agency buildings in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
The video surveillance system, which operates through a CCTV camera system, complements other physical security measures, such as access control systems and physical intrusion control systems. It forms part of all the security measures taken within the Agency and helps to prevent, deter, and if necessary, investigate unauthorised physical access, including unauthorised access to secure premises and protected rooms, ICT infrastructure, or operational information. In addition, video surveillance helps to prevent, detect and investigate theft of equipment or assets owned by the Agency, visitors or staff, or threats to the safety of personnel working at the offices (e.g. fire, physical assault).
We use social media to present our work through widely used communications channels.
Each social media channel has its own policy on the way it processes your personal data when you access its site. For example, if you choose to watch one of our videos on YouTube, you will be asked for explicit consent to accept YouTube cookies; if you look at our Twitter activity on Twitter, you will be asked for explicit consent to accept Twitter cookies; the same applies for LinkedIn.
If you have any concerns or questions about their use of your personal data, you should read their privacy policies carefully before using them.