The protection of personal data is a fundamental right enshrined both in the Treaty on the Functioning of the European Union (Article 16) and in the Charter of Fundamental Rights of the EU (Article 8).
Regulation (EU) No 2018/1725 lays down the rules for data protection in the EU institutions, bodies, offices and agencies. In addition to outlining the legal principles regarding the processing of personal data, it sets out the rights of data subjects, the obligations of data controllers and the role of the Data Protection Officer (DPO).
Data subjects (persons whose personal data are processed) have the right to request access to their personal data, free of charge and without constraint. They have the right to request rectification or erasure or restriction of the processing of their personal data. Data subjects also have the right to object to the processing of their personal data.
Where applicable, data subjects have the right to receive their personal data that has been provided to the controller or to have these personal data transmitted directly to another controller (data portability). They also have the right to withdraw consent at any time, in cases where their personal data are processed on this legal basis.
In certain cases, by virtue of article 25 of Regulation (EU) 2018/1725 and of the Internal Rules laid down under EESC Decision No 160/21 A, one or several of the data subjects rights may be restricted for a temporary period of time inter alia, on the grounds of prevention, investigation, detection and prosecution of criminal offences or other applicable grounds (as laid down in the Internal Rules). Any such restriction will be limited in time, proportionate and respect the essence of the above-mentioned rights. It will be lifted as soon as the circumstances justifying the restriction are no longer applicable. Data subjects will receive a more specific data protection notice when this period has passed. As a general rule, data subjects will be informed on the principal reasons for a restriction unless this information would cancel the effect of the restriction as such.
Controllers (organisational entities that determine the purpose and the means of processing personal data) must ensure that personal data are processed only for clearly defined and legitimate purposes and are processed fairly and lawfully and in a secure manner. They are also responsible for ensuring that data are accurate, adequate, relevant and not excessive, and are not kept longer than necessary. Controllers must also inform data subjects how their data are processed and ensure that data are transferred to third parties only after adequate safeguards have been put in place.
In addition, Regulation (EU) No 2018/1725 stipulates that each institution or body must appoint a DPO. The DPO is responsible for informing and advising the controller or the processor and employees who carry out processing of their obligations, and for informing data subjects of their rights and obligations. The DPO must ensure in an independent manner the internal application of the provisions of the Regulation within the institution concerned.
The DPO provides advice where requested as regards the necessity for a notification or a communication of a personal data breach and regarding the need to carry out a data protection impact assessment (including concerning prior consultation of the European Data Protection Supervisor (EDPS)). In addition, the DPO responds to requests from the EDPS and cooperates with the supervising authority, and may make recommendations for the improvement of data protection within the organisation. The DPO may also investigate matters and occurrences directly related to his or her duties, and may be consulted by any individual without going through the official channels on any matter concerning the interpretation or application of the Regulation.
If you have any questions about the processing of your personal data, you may contact the relevant service in charge of the personal data processing as indicated in the privacy statement. You may also contact, at any time, the EESC DPO) and/or the European Data Protection Supervisor (edpsedps [dot] europa [dot] eu).EESC Data Protection Officer
European Economic and Social Committee
Rue Belliard, 99-101, JDE 4030
Tel: +32 2 546 9836
e-mail: EESC data protection