The EMCDDA takes personal data protection very seriously. Any information relating to an identified or identifiable natural person, as well as its processing, whether automated or not (collection, storage, consultation, use, transmission, destruction etc.), is subject to the strict protection rules and procedures outlined below.
Some definitions relating to the protection of personal data and related subjects as well as information on the implementation of personal data protection at the EMCDDA are to be found below. Legal definitions are to be found in the text of the Regulation (EC) No 45/2001 in Article 2.
The data protection principles
Anyone processing personal data should be aware of the basic principles, according to which it must be:
- fairly and lawfully processed;
- processed for limited and explicit purposes;
- adequate, relevant and not excessive;
- not kept longer than necessary;
- processed in accordance with the Data Subject's rights;
- not transferred to third parties without adequate precautions.
What is personal data?
Personal data means any information relating to an identified or identifiable natural person or ‘Data Subject’.
An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
The processing of special categories of data, defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and of data concerning health or sex life, is prohibited, subject to certain exceptions (see Article 10 of Regulation (EC) No 45/2001).
The Data Controller and the Data Subject
- The Data Controller means the Community institution or body, the Directorate-General, the unit or any other organisational entity which alone or jointly with others determines the purposes and means of the processing of personal data.
- For each processing operation, a Data Controller must be identified and prior notice must be given to the Data Protection Officer of the institution.
- The Data Subject is the person whose personal data are collected, held or processed by the Data Controller.
- How to identify the Controller? At the EMCDDA, Controllers are the Heads of Unit.
The Data Protection Officer (DPO)
Each institution has one or more DPOs to ensure the application of the principles of personal data protection in the institution. Each DPO keeps a register of all personal data processing operations in his/her institution. He/she also provides advice and makes recommendations on rights and obligations. He/she notifies risky processing of personal data to the EDPS (see below) and responds to requests from the EDPS. In critical situations he/she may investigate matters and incidents on request or on his/her own initiative.
What is a Notification and who is responsible for it?
A Notification is a prior notice by the Controller to the Data Protection Officer of any processing operation (manual or electronic) in which personal data is involved. It is only needed if personal data is processed.
What is the Register of the Data Protection Officer?
The Register is a database containing all Notifications on the processing of personal data sent to the Data Protection Officer by Controllers. Article 26 of Regulation (EC) No 45/2001 requires the Data Protection Officer to keep a Register of processing operations involving personal data and requires that this Register be open to inspection by any person.
What is lawful processing?
Article 5 of the Regulation states that the processing of personal data must be either necessary or consensual. Personal data may be processed only if:
- processing is necessary for the performance of a task carried out in the public interest on the basis of Community legislation or in the legitimate exercise of Community official authority; or
- processing is necessary for compliance with a legal obligation to which the Controller is subject; or
- processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract; or
- the Data Subject has unambiguously given his or her consent (meaning any freely given specific and informed indication of the Data Subject’s wishes signifying agreement to personal data relating to him or her being processed); or
- processing is necessary in order to protect the vital interests of the Data Subject.
The Data Controller is responsible for ensuring that personal data is processed fairly and lawfully.
Rights of the Data Subject
The Controller must give the Data Subject the following information about data being processed:
- confirmation as to whether or not data related to him or her are being processed;
- information about the purposes of the processing operation, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed;
- communication of the data undergoing processing and of any available information as to their source;
- knowledge of the logic involved in any automated decision process concerning him or her.
The Data Subject has the right to access his or her data and to require the Controller to rectify without delay any inaccurate or incomplete personal data. The Data Subject also has the right to require the Controller to erase data if the processing is unlawful.
European Data Protection Supervisor (EDPS)
The EDPS is an independent supervisory authority established in accordance with Regulation (EC) No 45/2001. With respect to the processing of personal data, the EDPS is responsible for ensuring that the fundamental rights and freedoms of natural persons, and in particular their right to privacy, are respected by the Community institutions and bodies. The EDPS is also responsible for advising Community institutions and bodies and Data Subjects on all matters concerning the processing of personal data.
Data Controllers are obliged to cooperate with the EDPS, in particular by granting access to information.
Basic data protection rules
‘Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data’.
The purpose of the Regulation is to protect the freedoms and fundamental rights of individuals with regard to processing of personal data carried out by EU institutions and bodies.
It determines the principles to be respected by EU institutions (lawfulness, fairness, purpose, proportionality and security), the obligations of the persons processing personal data (data controllers) and the rights of individuals whose personal data are processed (data subjects), in particular those working for the institutions. The Regulation provides for the appointment of a Data Protection Officer (DPO) in each institution and also for the appointment of the European Data Protection Supervisor (EDPS) at European level.
EMCDDA implementing rules
The Management Board of the EMCDDA adopted on 4 July 2008 further implementing rules of Regulation (EC) No 45/2001. They deal mainly with the duties of the Data Protection Officer.
Data Protection Officer
Tel +351 211210287