Go back to the main page of the Data Protection Guidance for the organisers
Central Online Collection System (COCS)
A secured IT system set up and operated by the European Commission under the explicit provision of Regulation on the European citizens' initiative (Article 10). It allows for the collection (including by webforms and by eID) of statements of support, their storage and secured submission to Member States for verification, as well as the collection and further processing of signatories' email addresses.
Data controller
A natural or legal person or other body responsible for the personal data processing and that determines the purpose and means thereof. See also ‘Joint controllers’.
Data Protection Impact Assessment (DPIA)
An assessment of the impact of the envisaged processing operations on the rights and freedoms of data subjects. See Regulation (EU) 2018/1725, Article 39 and Regulation (EU) 2016/679, Article 35.
Data subject
A natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, etc.
See also ‘Personal data’ and ‘Sensitive data’.
‘EU Data Protection Regulation’ (EUDPR)
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.
File exchange service
An IT solution provided by the Commission to allow secure submission of statements of support to Member States for their verification and certification, operated using the existing Commission IT system S-CircaBC. This term is also used on this site with regard to the submission of statements of support collected on paper (instead of the term ‘central online collection system’ used in Article 10(1)(5) of Regulation on the European citizens' initiative).
General Data Protection Regulation (GDPR)
Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Joint controllers
Where two or more controllers jointly determine the purpose and means of processing. A transparent arrangement is needed to determine their respective responsibilities regarding personal data processing. The essence of the arrangement shall be made available to the data subject. In the context of the European Citizens’ Initiative, this relates in particular to the Central Online Collection System.
Legal entity
In the context of the European Citizens’ Initiative, a legal entity can be created for the purpose of managing the initiative. In such case, this legal entity shall be considered as a group of organisers or its members. It shall also replace the representative in its role of data controller.
Organisers (Group of)
Natural persons responsible for the preparation and management of a European citizens’ initiative throughout its lifecycle. The Regulation on the European citizens' initiative provides that different data processing operations are managed by the group of organisers (notably: collection, submission for verification and destruction). When carried out by the group of organisers as a whole or its concrete members other than the representative, these data processing operations are deemed performed under the control of the representative.
Personal data
Any information relating to an identified or identifiable natural person (‘data subject’).
Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Representative
A member (leader) of the group of organisers of a citizens’ initiative, holding the function of data controller or joint data controller with regard to all data processing operations carried out with regard to personal data processed by the group of organisers
Where this guidance refers to the representative of the group of organisers as data controller, it is to be understood as referring to a legal entity managing the initiative in case such entity has been created.
Sensitive data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning a natural person’s sex life or sexual orientation. Also referred to as 'special categories of personal data'. Read more
Signatory
A citizen of the Union who has supported a given initiative by completing a statement of support form for that initiative; signatories are the main group of data subjects concerned by this guidance.
Statement of support
A declaration by which a signatory supports a European citizens’ initiative, which can be either filled in and signed on paper, filled in online using a webform or signed online with an eID. In the first two cases, statements of support need to follow a model provided for in Regulation on the European citizens' initiative. In all cases, they contain a set of signatory’s personal data.
DISCLAIMER
The present guidance is intended to contribute to a better understanding of EU data protection requirements applying to processing operations provided for under Regulation (EU) 2019/788 on the European Citizens’ Initiative (ECI Regulation). Only the texts of the Regulation on the European citizens' initiative, the General Data Protection Regulation (GDPR) and the Regulation on the protection of natural persons with regard to the processing of personal data by the EU institutions (EUDPR) have legal value. This guidance cannot replace the applicable legal framework, including, where applicable, binding contracts such as joint controllership agreements.
This guidance provides practical information to organisers of citizens' initiatives and should not be seen as giving rise to any enforceable right or legitimate expectation. In particular, this guidance is without prejudice to the responsibility of the representative of the group of organisers, as data controller, pursuant to Article 5(2) of the GDPR, to comply and ensure compliance with the obligations and rules of the GDPR.
The binding interpretation of EU legislation is the exclusive competence of the Court of Justice of the European Union. The views expressed in this guidance are without prejudice to the position that the Commission might take before the Court of Justice.
As this guidance reflects the state of the art at the time of its drafting, it should be regarded as a 'living tool' open for improvement and its content may be subject to modifications without notice.