Processing operation: Processing of signatoriesʼ email addresses collected through the Commission Central Online Collection System.
Data Controller: Joint Controllership between, on one side, the European Commission (Operational Controller Unit SG.A.1 ‘Policy Priorities & Work Programmeʼ) and, on the other side, the representative of the group of organisers of the initiative or, where appropriate, the legal entity created by it.
Record reference: DPR-EC-03486
1. Introduction
The European Citizen’s Initiative (herein also ‘ECIʼ) is a participatory democracy instrument that allows citizens to suggest concrete legal changes in any field where the European Commission (herein the ‘Commissionʼ) has power to propose legislation. The legal framework applicable to this instrument is set out in Regulation (EU) 2019/788 of the European Parliament and of the Council of 17 April 2019 on the European Citizens’ Initiative (herein the ‘ECI Regulationʼ).
In order to submit a European citizensʼ initiative to the Commission as a valid one, its group of organisers needs to collect at least 1 million statements of support from EU citizens, with specific thresholds reached in at least 7 Member States. While supporting a European citizens' initiative as its signatory, you may optionally choose to also provide your email address if you wish to remain informed by the Commission and by the group of organisers of the progress of the initiative concerned.
This privacy statement concerns the processing of your email addresses provided in the above context through the Commission Central Online Collection System (herein ‘COCSʼ), set up and operated by the Commission.
The processing operations on your email addresses are carried out under the joint controllership of, on one side, the Commission, and on the other, the representative of the group of organisers of the initiative concerned or, where appropriate, the legal entity created by such group (herein also ‘initiative organisersʼ). The respective responsibilities and duties of the Commission and the organisers are set out in a transparent manner in a joint controllership agreement. The essential elements of this joint controllership agreement are publicly available under: https://citizens-initiative.europa.eu/how-it-works/data-protection_en
The Commission is committed to protect your personal data and to respect your privacy. The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data. Likewise, the initiative organisers are subject to the rules regarding the personal data processing set out in the General Data Protection Regulation (‘GDPRʼ).
This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controllers with whom you may exercise your rights, the Data Protection Officer(s) and the European Data Protection Supervisor.
2. Why and how do we process your personal data?
The overall purpose of the processing of personal data under the ECI Regulation is to implement Regulation (EU)2019/788 on the European citizensʼ initiative and thereby allow EU citizens to exercise the right granted in Article 11(4) of the Treaty on the European Union to approach the Commission directly with a request inviting it to submit a proposal for a legal act of the Union for the purpose of implementing the Treaties.
In this context your email address is collected to allow the Commission and the initiative organisers to inform you on the progress of the initiative concerned, subject to your explicit consent (‘opt-inʼ).
Additionally, your data can be processed in the context of supporting processing operations, such as handling of data subject requests, sample technical quality checks, operations required in view of the maintenance of the IT system and any such operation which may be prescribed by law.
The personal data processed may be reused for the purpose of procedures before the EU Courts, national courts, the European Ombudsman or the European Court of Auditors.
Your personal data will not be used for an automated decision-making including profiling.
3. On what legal ground(s) do we process your email address?
The processing with regard to this purpose is explicitly foreseen in the ECI Regulation (Article 18(2)). However as providing your email address is not necessary to support an initiative, it is based on your separate and explicit consent, in line with Article 5(1)(d) of Regulation (EU) 2018/1725 (and Article 6(1)(a) of GDPR).
Your email address does not qualify as such as sensitive data for which processing is in principle prohibited by Article 10(1) of Regulation (EU) 2018/1725 (and Article 9(1) of GDPR). However, the interconnection between your data and the supported initiative may reveal information about your health, political, philosophical or religious convictions and beliefs, political affiliations, sex life or sexual orientation, racial or ethnic origin or even trade union membership depending on the subject matter of each initiative. Consequently, the sensitivity of your data may stem from the sensitivity of the topic of the initiative concerned.
In accordance with Article 10(2)(a)of Regulation (EU) 2018/1725 (and Article 9(2)(a) of GDPR), even though your data may be qualified as a special category of data, their processing is still allowed for the following reason: ‘the data subject has given explicit consent to the processing of those personal data for one or more specified purposes (…)ʼ.
4. Which personal data do we collect and further process?
We collect your email address to inform you on the progress of the initiative concerned, subject to your explicit consent.
Moreover in order to allow the efficient processing of the data above we collect some (meta)data relating to the electronic transmission/submission of the email address, notably the language used by your browser, your IP address, time of inputting electronically. These (meta)data are kept for a maximum period of six months. In addition, a unique identifier is automatically generated on the submission of your statement of support. The identifier is destroyed at the end of the retention period of the email address.
5. How long do we keep your personal data?
The standard retention period is 1 month after the withdrawal of an initiative or 12 months after the end of the collection period or the submission of the initiative to the Commission, respectively.
This standard retention period is extended where the Commission sets out, by means of a communication, the actions it intends to take with regard to the European citizensʼ initiative concerned in accordance with Article 15(2) of the ECI Regulation. In such case data shall be destroyed not later than three years after the publication of the said communication.
This is without prejudice to your right to unsubscribe from receiving information on the progress of the initiative concerned at any time.
You can unsubscribe by clicking on the unsubscribe option when you receive an email on the progress of an initiative or by writing an email to SG-ECI-mailing@ec.europa.eu and your e-mail address will be deleted in due time.
6. How do we protect and safeguard your personal data?
All personal data are stored in electronic format on the servers of the Commission. All processing operations are carried out pursuant to Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.
In order to protect your personal data, the Commission has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.
7. Who has access to your personal data and to whom is it disclosed?
Only Commission staff members, authorised specifically based on the ‘need to knowʼ principle have access to your data, when stored in the COCS. Such staff members abide by statutory, and when required, additional confidentiality agreements.
The initiative organisers may use your email address to send you and the other signatories their messages via a dedicated functionality of the COCS, but they have no access to your personal data.
8. What are your rights and how can you exercise them?
You can withdraw your consent to process your email address at any time by notifying any of the joint Data Controllers. The withdrawal will not affect the lawfulness of the processing carried out before you have withdrawn the consent.
Moreover, you have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725 (and Chapter III of GDPR), in particular you have the right to access your personal data and to rectify them in case your personal data are inaccurate or incomplete. In some cases, you have the right to erase your personal data, to restrict the processing of your personal data, to object to the processing and the right to data portability.
You can exercise your rights by contacting any of the joint Data Controllers, or (in particular in case of conflict) the Data Protection Officer(s). If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.
Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under Heading 10 below) in your request.
Any request for access to personal data will be handled within one month upon receipt of the request. Any other request falling under Articles 18-25 of Regulation (EU) 2018/1725 (and Chapter III of GDPR) will be addressed within 15 working days. The period may be extended by two further months where necessary, taking into account the complexity and number of the requests.
9. Contact information
The Data Controllers
If you would like to exercise your rights under Regulation (EU) 2018/1725 and GDPR, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please contact one of the joint Data Controllers.
- As regards the Commission, please use the following contact information of the Operational Data Controller:
European Commission
Secretariat General
Directorate A ‘Strategy, Better Regulation & Corporate Governance’
Unit A.1 ‘Policy Priorities & Work Programme’
B – 1049 Brussels
Tel. +32 2 29 92165
E-mail: SG-ECI-mailing@ec.europa.eu
- As regards the representative of the group of organisers, or, where appropriate, the legal entity created by such group, their contact details can be found in the online ECI Register as well as in the COCS, on the webpages specifically dedicated to the initiative concerned. See: https://citizens-initiative.europa.eu/find-initiative_en.
The Data Protection Officers (DPOs)
- The Data Protection Officer (DPO) of the Commission
You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data.
-The Data Protection Officer (DPO) of the group of organisers (if any)
In case the group of organisers has designated a Data Protection Officer, you may also contact such Data Protection Officer using the contact details which can be consulted in the online ECI Register as well as in the COCS, on the webpages specifically dedicated to the initiative concerned. See: https://citizens-initiative.europa.eu/home_en.
The Data Protection authorities
- The European Data Protection Supervisor (EDPS)
You have the right to lodge a complaint to the European Data Protection Supervisor (edps@edps.europa.eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.
- The national Data Protection authorities
You also have the right to lodge a complaint with a competent national data protection authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that your data is unlawfully processed. The contact details of the national data protection authorities can be consulted at: https://citizens-initiative.europa.eu/find-initiative_en.
10. Where to find further information?
The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to the DPO. You may access the register via the following link: https://ec.europa.eu/info/about-european-commission/service-standards-and-principles/transparency/data-processing-register_en.
This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-03486.
