Skip to main content
European Citizens' Initiative

Data Protection Guidance - Question 2

Go back to the main page of the Data Protection Guidance for the organisers


Data Protection Guidance - Question 2

Collection on paper forms - what are the obligations of the representative of the group of organisers as sole data controller? 

Applies to Case scenario 2, except as regards the use of the Commission file exchange service

As a representative of the group of organisers, when acting as sole data controller, you must ensure that data are processed in line with the GDPR, applicable national law and the Regulation on the European citizens' initiative and you must be able to demonstrate it.

Among others, you need to:

  • Assess the impact of the processing operations on the data subjects’ rights and freedoms, which includes the assessment on whether the data collected are sensitive prior to the processing (in case signatories’ data are sensitive, you should appoint a Data Protection Officer and carry out a data protection impact assessment.
  • Establish and maintain a record of processing activities.
  • Take appropriate measures to protect personal data against unlawful forms of processing (accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, etc.); These measures may vary depending on whether the collection is carried out on paper or online.
  • Inform the signatories about the processing of their personal data, how their protection is ensured and what rights the signatories may exercise.
  • Ensure the appropriate follow-up to signatories’ questions and requests under the GDPR.
  • Ensure data security while submitting collected statements of support to Member States for verification.
  • Ensure that personal data collected are not used beyond the purpose defined in the Regulation on the European citizens’ initiative.
  • Notify any personal data breach to the competent data protection supervisory authority in principle within 72 hours after having become aware of it and cooperate, on request, with the data protection supervisory authorities.
  • Ensure that all statements of support and any copies are destroyed within the applicable data retention periods.

The above list is given for information purposes only and does not relieve the organisers from fulfilling the obligations directly applicable to them under the GDPR.


Want to learn and collaborate?