Data protection

Data Protection guidance for the organisers of European citizens' initiatives

Key principles

When collecting statements of support for their initiative, organisers process signatories' personal data on a potentially large scale. The representative of the group of organisers (or the legal entity specifically created to manage the initiative, if any) is responsible for processing these personal data and is the so-called data controller.

Where the collection and/or transfer of the collected statements of support is carried out through the central online collection system, the European Commission steps in to alleviate the responsibility of the organisers by acting as a joint data controller for these processing operations.

In case the required number of statements of support has been collected by the group of organisers, these statements are then submitted to the competent national authorities for verification and certification. The national authorities are considered to be data controllers as regards these processing operations.

The data controller has to comply, and ensure compliance, with the data protection obligations and rules of the General Data Protection Regulation (GDPR).

Key terms

Take a look at the glossary related to data protection in the context of the European citizens’ initiative.

Which processing operations are the organisers expected to carry out under the ECI Regulation?

• Processing of signatories’ statements of support:

In order to support an initiative, a signatories need to complete a statement of support form, providing a set of their personal data. In case of statements of support signed online using eID, these data are imported from a national eID system.

If an initiative successfully collects the required number of statements of support, these statements are submitted to Member States for verification and certification. Personal data collected in the  statements of support cannot be used for any other purpose, such as support for initiatives other than the one for which the data have been given, or transferring of the collected data to any other organisation.

• Processing of signatories’ email addresses:

Optional collection of email addresses of those signatories who wish to be further informed on the progress of the initiative they have signed is also allowed.

Email addresses may not be collected as part of the statement of support forms, but they may be collected simultaneously, provided the signatories are informed that their right to support an initiative is not conditional on giving their consent to collecting their email address.

These email addresses can only be used to inform signatories who so wish on the progress of the initiative they have signed. They cannot be used for other purposes, such as providing signatories with commercial offers or information on a different initiative. They are not subject to Member States’ verification.

• Processing of personal data of initiative sponsors:

Moreover, the Regulation on the European citizens’ initiative provides some rules regarding the processing of initiative sponsors' data

Articles 17, 18, 19(1) and 19(3) of the Regulation on the European citizens’ initiative specify how these data can be processed.

Data controllership: case scenarios for collection and transfer of statements of support

There are 2 broad case scenarios:

Case scenario 1

• collection of statements of support is carried out via the Commission central online collection system (joint controllership between the Commission and the representative of the group of organisers)
• submission of statements of support to Member States’ competent authorities for verification is operated using the Commission’s file exchange service (joint controllership between the Commission and the representative of the group of organisers).

Case scenario 2

• collection of statements of support is carried out using paper forms (sole controllership of the representative of the group of organisers)
• submission of statements of support to Member States’ competent authorities for verification is operated either by the group of organisers’ own means (sole controllership of the representative of the group of organisers) OR using the Commission’s file exchange service (joint controllership between the Commission and the representative of the group of organisers).

Please note:

• The organisers may choose to collect statements of support on paper and online or by using only one of these collection methods
• In order to collect statements of support online, the organisers must use the central online collection system.
• If the organisers collect statements of support online using the central online collection system and in parallel on paper, different rules may apply to these different collection methods.

Questions and answers on data protection for the organisers

1. Central online collection system – what are the obligations of the Commission and the representative of the group of organisers as joint controllers?
2. Collection on paper forms - what are the obligations of the representative of the group of organisers as sole data controller?
3. ‘Sensitive data’ - when do the signatories’ data qualify as a special category of data?
4. Security – what steps should you take when collecting signatories’ data on paper?
5. Security – what are the requirements when paper statements of support are collected by voluntary or contracted campaigners?
6. When and how should you carry out a data protection impact assessment?
7. How should you prepare a data processing record?
8. What is the role of a Data Protection Officer (DPO)?
9. What information should you give to citizens when collecting their data?
10. What should you do when handling data processing-related requests from signatories?
11. What should you do in case of a personal data breach?
12. What is your liability as data controller?
13. Submission of the collected statements of support to Member States for verification - who is data controller?
14. Submission of the collected statements of support to Member States for verification – what are the security recommendations?
15. Submission of the collected statements of support to Member States for verification – what are the roles and responsibilities when using the Commission file exchange service?
16. What are the data retention time limits?
17. Which national supervisory authority should you contact for issues relating to the processing of personal data?
18. Support and funding – what should you be aware of when processing personal data?

Questions and answers on data protection for signatories

See the specific section under FAQ

What are the rules to comply with when processing personal data?

• The Regulation on the European citizens' initiative and its specific provisions on data protection (see Article 19)
• For the representative: the General Data Protection Regulation (GDPR) and the relevant national provisions
• For the European Commission: the Regulation on the protection of natural persons with regard to the processing of personal data by the EU institutions (EUDPR).

Contacts at national level

• The contact details of the national authorities responsible for verifying and certifying statements of support are available here.
• The contact details of the national data protection authorities are available here.

Privacy policy of the European Commission in the context of the European citizens’ initiative

The privacy statements used for the various processing operations carried out by the European Commission in the context of implementation of the European citizens’ initiative instrument are published on the dedicated privacy policy website.