Frequently Asked Questions (F.A.Q.)
Frequently Asked Questions (F.A.Q.) The following information aims to clarify the concepts of personal data protection and the application of personal data principles. The legally binding text is
Regulation (EU) 2018/1725.
What is ‘personal data’?
Personal data means any information relating to a living identified or identifiable natural person (‘the Data Subject’).
Examples of personal data are:
- surname, first name, picture, staff number, date of birth, etc.
- behaviour or actions by an individual: websites visited, metadata in a document about the author/modifier of the document, tasks performed, opening a door controlled by an access check with access registration, sending of e-mails, etc.
- evaluation or assessment: documenting how a task is carried out (e.g. excellent, good, average, bad, insufficient), evaluation report, audit working papers containing an assessment of a person or function, etc.
- documentation/report: witness statement in an administrative investigation, denunciation letter about a potential fraud, etc.
An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online ID or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
The following are prohibited, subject to certain exceptions (see Article 10 of Regulation 2018/1725):
- the processing of special categories of data, defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership; and
- the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning an individual’s health or sexual orientation.
What is processing?
Processing is any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, storage, consultation, use, disclosure by transmission, erasure, destruction, etc.
What is a Processor?
If Data Controllers do not process personal data themselves, processing is carried out by a Processor on their behalf. The Processor must provide sufficient guarantees in respect of the technical and organisational security measures required, and ensure compliance with those measures. The Processor can be a natural or legal person, a public authority, an agency or any other body, acting on instructions – and only on instructions – from the Data Controller. Both the Data Controller and the Processor shall be bound by a contract or legal act governing the processing of personal data.
What is lawful processing?
Article 5 of the Regulation states that the processing of personal data must be either necessary or by consent. Personal data may be processed only if:
(a) processing is necessary for the performance of a task carried out in the public interest on the basis of EU legislation or in the exercise of official EU authority;
(b) processing is necessary for compliance with a legal obligation to which the Data Controller is subject;
(c) processing is necessary for the performance of a contract to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract;
(d) the Data Subject has unambiguously given consent (meaning any freely given specific and informed indication of the Data Subject’s wishes signifying agreement to their personal data being processed);
(e) processing is necessary in order to protect the vital interests of the Data Subject.
The Data Controller is responsible for ensuring that personal data is processed fairly and lawfully.
When is Regulation 2018/1725 applicable when processing Personal Data?
Regulation 2018/1725 applies in all cases where personal data that forms part of a filing system, or is intended to form part of a filing system, is processed, where personal data is processed wholly or partly by automatic means, or wholly or partly by manual means.
It does not matter where the system is located. It may be located at Court level, but also at institutional, national, regional, local or even ‘private’ level (at an audited firm).
What is automatic treatment?
When data is collected, calculated, destroyed, copied, etc. without the intervention of a human being. For example, firewall log files containing the web sites visited and indicating the date, time, the category to which the web site belongs, if the visit was allowed or not, and for troubleshooting support, if the visit was successful or not.
What is a filing system?
A filing system is any structured set of data that can be accessed according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
For example, a file containing all holiday requests sorted by individual or entity.
Who are the Data Controller and the Data Subject?
The Data Controller is the EU institution or body, Director-General, Secretary General, Director, Principal Manager or any other function which, alone or jointly with others, determines the purposes and means of processing personal data.
The Court’s Data Controllers are the Members, the Secretary-General, the Directors and the Principal Managers.
For each processing operation, a Data Controller must be identified and prior notice must be given to the institution’s Data Protection Officer.
The Data Subject is the natural person whose personal data is collected and processed.
Who are the European Data Protection Supervisor and the Data Protection Officers?
The European Data Protection Supervisor (EDPS) (www.edps.europa.eu) is the independent supervisory authority at European level responsible for ensuring that the fundamental rights and freedoms of natural persons, and in particular their right to privacy, are respected by the EU institutions and bodies. They are also responsible for monitoring and ensuring the application of the data protection legislation by EU Institutions, and for advising the Institutions and Data Subjects on all matters concerning the processing of personal data. They are appointed for a five-year term, by the European Parliament and the Council, from a shortlist drawn up by the Commission.
Data Controllers are required to cooperate with the EDPS, in particular by granting access to information.
Each institution has one or more Data Protection Officers (DPO) to ensure in an independent manner that the principles of personal data protection are applied in the institution. Each DPO keeps a register of all personal data processing operations in their institution. They also provide advice and make recommendations on rights and obligations. They notify ‘risky’ processing of personal data to the EDPS (see below) and respond to the EDPS’ requests. They may investigate matters and incidents upon request or on their own initiative.
What are the data protection principles?
The data protection principles determine the basic rules that each Controller must observe and implement in practice when processing personal data. The Controller shall be responsible and be able to demonstrate compliance “accountability”. Anyone processing personal data should be aware of certain basic principles, which require such data to be:
- processed lawfully, fairly and in a transparent manner in relation to the Data Subject (“lawfulness, fairness and transparency”);
- processed for specified, explicit and legitimate purposes (“purpose limitation”);
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (“data minimisation”);
- accurate and, where necessary, kept up to date (“accuracy”);
- not kept longer than necessary (“storage limitation”);
- processed in a manner that ensures appropriate security (“integrity and confidentiality”);
- not transferred to third parties without adequate precautions;
- processed in accordance with the Data Subject's rights.
What is a Notification (“RECORD of processing activities”)?
A Notification is a prior communication from the Controller to the DPO of the institution informing them of any processing activity (manual or automatic) involving personal data, giving notice of the existence of the processing operation and its main characteristics. The Controller fills in a “Record” that documents the process, who is involved and how collection and processing take place, how rights are guaranteed for the persons concerned, a risk evaluation of the process, the security measures taken and the evaluation results from the DPO.
What is the Register of Records of processing activities?
Under Article 31 of the Regulation, each Controller is obliged to keep a record of all processing operations under its responsibility. To avoid keeping several registers, the ECA’s DPO is responsible for keeping a central register of records of processing operations carried out by the ECA. The Register is based on the records submitted to the DPO and is publicly accessible on the ECA’s website and Intranet under the heading “Access Register” on the DPO’s pages.
Whom should I contact for information on a given processing operation?
The Controller has the best knowledge of the circumstances of processing operations carried out under their authority. Therefore, it is recommended that you first contact the Controller of the processing operation concerned, who is obliged to ensure that Data Subjects can effectively exercise their rights and should provide you with the required information. You may also request assistance from the DPO and ask them to investigate matters or occurrences directly relating to their tasks (see also "Legislation").
How do I identify the Data Controller?
Data Controllers are usually the Member responsible for an audit, or the heads of the administrative entity carrying out the processing operation. The Register is the easiest way to identify the Controller, as it contains the function or title of the Controller for each processing operation. Should any difficulties arise, the DPO can also put you in contact with the appropriate Controller or obtain the necessary information.
What are my rights as a Data Subject?
First and foremost, Data Subjects have the right to be informed of the existence of a processing operation concerning them, and its main characteristics. Data Subjects also have the right to obtain communication of the data undergoing processing and to obtain rectification by the Controller of any inaccurate or incomplete personal data without delay. In certain circumstances, Data Subjects may also exercise more specific rights, such as asking the Controller to block or erase data.
Certain rights can be restricted for very specific reasons like the prevention, investigation and detection of a potential fraud. The rights that can be restricted are also limited, for example the right to be informed that an investigation has been opened against one or more persons with the objective of preserving the documents and information and other assets for use as proof during the investigation. The full list of reasons for restrictions and the rights that can be restricted are listed in Article 25 of
the Regulation. Decision 042/2021 of the Court specifies which reasons and rights have been retained for which process.
The Data Protection Officer can be contacted for any further questions on the processing of personal data at the ECA on +352 4398 47777, by e-mail at
ECA-Data-Protection@eca.europa.eu or at the following address:
European Court of Auditors
Data Protection Officer
12 rue Alcide de Gasperi
What is a "Privacy Statement"?
It is information statement explaining the processing of personal data to the persons from whom personal data will be collected directly or were obtained (indirectly collected) by ECA for further processing, e.g. the users of a web site.
Why is a "Privacy Statement" needed?
It is needed to inform the persons concerned, of the processing of their personal data and of their rights relating to this processing. In the case of a survey, even if it is run on an anonymous way (normally only their e-mail address, to be able to invite them to participate in the survey), a Privacy Statement is needed to inform the participants of the Data Controller /DPO/EDPS contact details, retention period, from whom their data was obtained, etc..
I am a successful candidate in a selection procedure. Do I have the right not to be mentioned in the publically available reserve list?
Yes, simply e-mail EPSO asking them to remove you from the publically available reserve list before publication.
If the ECA organises the selection procedure you also can ask the HR Service not to publish your name on the publically available list.
Is there a privacy-friendly search engine I can use?
Yes, there are several, such as
searX.me. You can even make them your browser’s default search engine or add them to your ‘Favorites’ bar for easy access!