The processing of personal data in the Community institutions and bodies, such as agencies, is regulated by Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data.
Scope of the Regulation No. 45/2001
Art. 3.2 provides that the Regulation shall apply to the processing (wholly or partly by automatic means, and otherwise as part of a filing system) of personal data by all Community institutions and bodies insofar as such processing is carried out in the exercise of activities all or part of which fall within the scope of Community law.
Processing of personal data
“Processing” means any operation or set of operations performed upon personal data, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (art. 2(b), Reg. 45/2001).
What is personal data?
“Personal data” is any information relating to an identified or identifiable person (a data subject). An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity (art. 2(a), Reg. 45/2001).
The processing of special categories of data, defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and of data concerning health or sex life, is prohibited, subject to certain exceptions (art. 10, Reg. 45/2001).
The Data Subject
The Data Subject is the person whose personal data are collected, held or processed.
The Data Controller and the Delegated Controller
The Data Controller means “the Community institution or body, the Directorate-General, the unit or any other organisational entity which alone or jointly with others determines the purposes and means of the processing of personal data” (art. 2(d), Reg. 45/2001). In practice, in EMSA the Controller will most often be the Head of Unit responsible for the operations, unless he/she nominates, for practical reasons, a Head of Section to be a Delegated Controller in relation to the operations carried out in his/her section.
The data protection principles
• Data must be processed fairly and lawfully;
• It can only be processed for limited and explicit purposes;
• The data collected must be adequate, relevant and not excessive in relation to the purposes for which it was collected;
• It must be kept accurate and up-to-date;
• It should not be kept longer than necessary;
• It can only be processed in accordance with the Data Subject's rights;
• It should be stored in a secure way;
• It shall not be transferred to third parties without adequate precautions.
(art. 4, Reg. 45/2001)
Rights of the Data Subject
The Controller must give the Data Subject the following information about data being processed:
(a) information about the legal basis of the processing operation,
(b) the identity of the controller,
(c) purposes of the operation,
(d) the categories of data concerned,
(e) the recipients or categories of recipients to whom the data are disclosed,
(f) whether the replies to the questions asked are mandatory or voluntary,
(g) the existence of the right of access to the data,
(h) the time limits for storing the data, and
(i) the right to have recourse to the EDPS.
2. Right of access
The Data Subject has the right to access his or her data. Moreover, he or she can require the Controller to provide the following information, and the Controller shall do so within a maximum of three months from receipt of the request:
(a) confirmation as to whether or not data related to the Data Subject are being processed;
(b) communication of the data undergoing processing and of any available information as to their source;
(c) confirmation as to the purposes of the operation, the categories of data concerned and the recipients or categories of recipients to whom the data are disclosed;
(d) knowledge of the logic involved in any automated decision process concerning him or her.
The Data Subject may require the Controller to rectify without delay any inaccurate or incomplete personal data.
The Data Subject has the right to require the Controller to block the data if they are no longer necessary for the objective of the operation, if the Data Subject contests the accuracy of the data or if the processing is unlawful.
If the processing is unlawful, the Data Subject may also choose to require the Controller to erase the data.
6. Notification to third parties
The Data Subject has a right to require the Controller to notify the third parties to whom the data were initially disclosed of their rectification, blocking or erasure.
7. Right to object
The Data Subject may at any time object, on compelling legitimate reasons relating to his/her particular situation, to the processing of data relating to him/her.
(art. 11-19, subject to the exceptions of art. 20, Reg. 45/2001)
The Data Protection Officer (DPO)
Each institution has one or more DPOs to ensure the application of the principles of personal data protection in the institution. Each DPO keeps a register of all personal data processing operations in his/her institution. He/she also provides advice and makes recommendations on rights and obligations. He/she notifies processing of sensitive personal data to the EDPS (see below) and responds to requests from the EDPS. In critical situations he/she may investigate matters and incidents on request or on his/her own initiative.
In big institutions (e.g. the European Commission) there are also DPCs (data protection coordinators).
The DPO in EMSA can be contacted at
European Data Protection Supervisor (EDPS)
The EDPS is an independent supervisory authority established in accordance with Regulation (EC) 45/2001. With respect to the processing of personal data, the EDPS is responsible for ensuring that the fundamental rights and freedoms of natural persons, and in particular their right to privacy, are respected by the Community institutions and bodies. The EDPS is also responsible for advising Community institutions and bodies and Data Subjects on all matters concerning the processing of personal data. Data Subjects have a right of recourse at any time to the EDPS.