European Data Protection Supervisor Your personal information and the EU administration: What are your rights?

European Data Protection Supervisor Your personal information and the EU administration: What are your rights? EDPS factsheet 1

Every day, personal information - also known as personal data - is processed within the EU administration. Recruiting activities, contract tenders, complaints or requests for information, and video surveillance are a few examples. If such information is inaccurate, out of date or disclosed to the wrong person, the damage caused to you may be quite serious. You could be unfairly refused a professional contract, mistaken for somebody else, blamed for unauthorised disclosure of information, or even become a victim of identity theft.

Everyone is entitled to protect their personal information. In fact, data protection is a fundamental right, protected by European law and enshrined in Article 8 of the Charter of Fundamental Rights of the European Union. The Charter contains three main elements:

1) obligations on those processing personal information (for example, EU institutions or bodies),
2) rights of persons whose information is being processed and
3) supervision by an independent authority (in this case, the EDPS).

More specifically, the protection of personal data within the EU institutions and bodies is contained in Regulation (EC) No. 45/2001. This factsheet focuses on the rights of individuals mentioned in point 2) above and on how you can make the best use of your rights under the Regulation.

What are your rights?

You are entitled to know whether an EU institution or body is processing information about you; you must be given, either in advance or as soon as it has been registered, information that includes which body or institution is processing the data, the purpose of the processing operation, the recipients of the information and your rights as the person whose information is being processed.

You are also entitled to check the information related to you which is being processed and obtain, free of charge:

- access to your personal information, for example a copy of the data concerned and to some information concerning the processing, for instance the purpose of the processing, the recipients to whom it is disclosed, etc.;
- the rectification of inaccurate or incomplete personal information;
- the blocking of information under certain circumstances, for example, when the accuracy of it is in question;
- the erasure of the information if its use is unlawful, for example, if the information is no longer relevant, or if sensitive information is processed where this is not allowed;
- the notification to third parties, to whom the information has been disclosed, of any rectification, erasure or blocking.

You are entitled to object at any time, on compelling and legitimate grounds, to the processing of the information related to you.

You also have the right to be informed before your information is disclosed for the first time to third parties or before it is used on their behalf for direct marketing purposes. You are entitled to object to such disclosure or use.

What can I do in the event of a problem?

1. Notify the EU institution or body responsible for processing and ask them to take action.
2. If you obtain no reply or if you are not satisfied with it, contact the data protection officer (DPO) of the institution or body concerned (http://www.edps.europa.eu/edpsweb/edps/Supervision/DPOnetwork).
3. You can also lodge a complaint with the EDPS, who will examine your request and adopt the necessary measures (see EDPS website for details). Your complaint will, in principle, be inadmissible if you have not first contacted the institution concerned in order to redress the situation. A complaint submission form is available on the EDPS website under the Supervision section.
4. You can also bring an action before the Court of Justice of the European Union.

Restriction of your rights

In specific circumstances, your rights may be restricted - but they cannot be withdrawn. This limitation may take place, for a determined period of time and only if necessary, to safeguard:

- the prevention, investigation, detection and prosecution of criminal offences (including disciplinary proceedings and administrative enquiries). This could apply, for example, to investigations carried out by the European Anti-fraud Office (OLAF) or the Commission's Investigation and Disciplinary Office (IDOC);
- an important economic or financial interest of a Member State or of the European Union;
- you or the rights and freedoms of others;
- national security, public security or defence of the Member States.

If a restriction applies, you have to be informed of the reasons for the restriction and of your right to recourse to the EDPS. If it makes the policy for applying the restriction ineffective, you may not be provided with this information straightaway, for instance, if giving the information risks destruction of evidence in an investigation. This is determined on a case-by-case basis.

If you have been denied access to your information and ask the EDPS to investigate your complaint, the EDPS will, following the investigation, inform you whether the information has been correctly processed and, if not, advise you of what instructions he has given the institution or body concerned to correct the processing and also outline to you the next steps.

What does the EDPS do to uphold your data protection rights?

The EDPS is an independent supervisory authority responsible for ensuring that the fundamental right to the protection of personal information is respected by the European institutions and bodies, for example, by supervising the processing (collection, use, transfer, etc.) of personal information by the EU administration, as well as ensuring that data protection safeguards are incorporated in EU legislation and policies, whenever relevant.

- You may ask the EDPS for advice on how to exercise your rights;
- You may ask the EDPS to investigate a complaint: if you think that your data protection rights have been infringed by the EU administration, you can lodge a complaint with the EDPS. If necessary, the EDPS can recommend the EU institution or body concerned to adopt specific measures to protect your rights. The EDPS will inform you of the outcome;

A complaint to the EDPS can only relate to the processing of personal information. The EDPS is not competent to deal with cases of general maladministration, to modify the content of the documents that the complainant wants to challenge or to grant financial compensation for damages. The processing of personal information which is the subject of a complaint must be carried out by one of the EU institutions or bodies.

- The EDPS conducts enquiries and inspections, on his own initiative or on the basis of a complaint, when it is necessary to obtain more information on the processing of personal information;
- The EDPS can order that requests to exercise certain rights in relation to personal information be complied with where such requests have been refused in breach of your rights;
- The EDPS can warn or admonish the European institution or body which is unlawfully or unfairly processing your personal information;
- The EDPS can impose a temporary or definitive ban on processing;
- The EDPS can refer a case to the Court of Justice of the European Union.

To help him investigate a complaint, the EDPS is entitled to obtain all personal data and all information necessary for his enquiries from the EU institution or body concerned. He can also access the premises of any EU institution or body should an on-the-spot investigation be needed.

What is next?

In January 2012, the European Commission made proposals for a thorough revision of the rules on data protection which currently apply to the EU Member States (e.g. Directive 95/46/EC). These proposals include some additional rights, such as the right to be forgotten and to data portability, that seem to be particularly useful in the online environment. The revised rules are currently being debated within the Parliament and the Council. It is likely that this revision will also lead to the amendment of Regulation (EC) No. 45/2001.

Glossary

Personal data: any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. Examples of information about a natural (living) person which can be used to identify that person include names, dates of birth, photographs, e-mail addresses and telephone numbers. Other details such as health data, data used for evaluation purposes and traffic data on the use of the internet are also considered personal data.

Data processing: any operation or set of operations performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

Data controller: the EU institution or body determining the purposes and means of the processing of personal data.

DPO: each institution or body has a data protection officer. It is the duty of the DPO to ensure, in an independent manner, the internal application of the Regulation and that the rights and freedoms of the data subjects are not likely to be adversely affected by the processing operations. A list of data protection officers can be found on the EDPS website: http://www.edps.europa.eu/edpsweb/edps/supervision/dponetwork

EU institutions and bodies/EU administration: all institutions, bodies, offices or agencies operating for the European Union (e.g. European Commission, European Parliament, Council of the European Union, European Central Bank, specialised and decentralised EU agencies).

Sensitive data: includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of data concerning health or sex life. The processing of such information is in principle prohibited, except in specific circumstances.

Right to be Forgotten: the right to have personal data erased and no longer processed, where the data is no longer necessary for the purposes for which the data was collected or processed, where the individual(s) has withdrawn his or her consent for the processing or objects to the processing of personal data concerning him or her, or where the processing of their personal data does not comply with EU rules. This right is particularly relevant when the individual has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet.

Data portability: the right to transfer one's personal data from one automated application, such as a social network, to another without being prevented from doing so by the controller.

Further reading

Articles 13 to 19 of Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data.

See the EDPS website for more information: www.edps.europa.eu

@EU_EDPS

QT3012766ENC doi 10.2804/45126