Skip to main content
European Union flag
English
European Citizens' Initiative

Privacy policy concerning signatories' personal data collected using the central online collection system

Processing operation: Processing of signatoriesʼ data collected as part of statements of support through the Commission Central Online Collection System

Data Controller: Joint Controllership between, on one side, the European Commission (Operational Data Controller Unit SG.A.1 ‘Policy Priorities & Work Programmeʼ) and, on the other side, the representative of the group of organisers of the initiative or, where appropriate, the legal entity created by it

Record reference: DPR-EC-03486

1. Introduction

The European Citizen’s Initiative (herein also ‘ECIʼ) is a participatory democracy instrument that allows citizens to suggest concrete legal changes in any field where the European Commission (herein also the ‘Commissionʼ) has power to propose legislation. The legal framework applicable to this instrument is set out in Regulation (EU) 2019/788 of the European Parliament and of the Council of 17 April 2019 on the European Citizens’ Initiative (herein also the ‘ECI Regulationʼ).

To support a citizens' initiative you need to provide a series of personal data as part of a statement of support for the initiative. The group of organisers of an ECI needs to collect at least 1 million statements of support (herein also ‘SoSʼ) from EU citizens, with specific thresholds reached in at least 7 countries, and have these statements of support validated and certified by the Member States, in order to submit the initiative to the Commission as a valid one.

This privacy statement concerns the processing of your personal data collected as part of statement of support with regard to a European citizensʼ initiative through the Central Online Collection System (herein ‘COCSʼ), set up and operated by the Commission.

The processing operations on your data are carried out under the joint controllership of, on one side, the Commission, and on the other, the representative of the group of organisers of the initiative concerned or, where appropriate, the legal entity created by such group (herein also ‘initiative organisersʼ). Moreover, in case your data provided in a statement of support have been submitted for verification and certification to the competent authorities of a responsible Member State, these authorities become data controllers with regard to the processing they perform.

The respective responsibilities and duties of the Commission and the organisers are set out in a transparent manner in a joint controllership agreement. The essential elements of this joint controllership agreement are publicly available under: https://citizens-initiative.europa.eu/how-it-works/data-protection_en

The Commission is committed to protect your personal data and to respect your privacy. The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data. Likewise, the initiative organisers and the Member Statesʼ authorities are subject to the rules regarding the personal data processing set out in the General Data Protection Regulation (‘GDPRʼ).

This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controllers with whom you may exercise your rights, the Data Protection Officer(s) and the European Data Protection Supervisor.

This privacy statement builds on and supplements the text of the privacy statement set out in Annex III of the ECI Regulation which is an integral part thereof (see Heading 10 below).

NB. This privacy statement does not cover the processing of your personal data provided in a statement of support on paper. The collection and further processing of your data (until their transfer to Member States for verification) is carried out in such case under the exclusive data controllership of the representative of the group of organisers. This data controller is then in charge of providing you, at the time of collection of your data, with the relevant privacy statement which shall include at least the substantial elements of the standard privacy statement set out in Annex III of the ECI Regulation. In case the subsequent transfer of thus collected statements of support to Member States for verification is operated by the Commission using its file exchange service under a joint data controllership with the Representative, the Commission will have no access to your data and will not be in a position to provide you with an additional privacy statement. This privacy statement only provides relevant information as regards the data retention time limits applicable in such case.

2. Why and how do we process your personal data?

The overall purpose of the processing of your data referred to in this privacy statement is to implement Regulation (EU)2019/788 on the European citizensʼ initiative and thereby allow EU citizens to exercise the right granted in Article 11(4) of the Treaty on the European Union to approach the Commission directly with a request inviting to submit a proposal for a legal act of the Union for the purpose of implementing the Treaties.

Your data may be subject to the following main processing operations:

  • Collection of your statement of support, using the online form or the eID, and its subsequent storage in the COCS,
  • Submission of your statement of support to Member States for verification,
  • Verification and certification of your Statement of Support by the Member State of your nationality (this processing operation is carried out under the controllership of the competent Member State authority).

Therefore, the following more specific purposes can be distinguished:

  • To allow you to support European citizensʼ initiatives online,
  • To ensure a secure transfer of your statement of support to the competent Member State for verification,
  • To allow the competent Member State authorities (data controllers for this processing operation) to verify your statement of support, in order to further allow the Commission to confirm the validity of a European citizens' initiative you have supported, when submitted for examination.

Additionally, your data can be processed in the context of supporting operations, such as handling of data subject requests, sample technical quality checks, operations required in view of the maintenance of the IT system and any such operation which may be prescribed by law.

The personal data processed may be reused for the purpose of procedures before the EU Courts, national courts, the European Ombudsman or the European Court of Auditors.

Your personal data will not be used for an automated decision-making including profiling.

3. On what legal ground(s) do we process your personal data?

We process your data provided as part of a statement of support in order to allow you to express your support for a European citizensʼ initiative. The processing of your data serves to advance the cause of a concrete initiative, in order to ultimately bring the issues expressed therein to the attention of the institutions of the Union. While the European citizensʼ initiative thus enhances the democratic functioning of the Union, the processing serves the public interest in line with Article 5(1)(a) of Regulation (EU) 2018/1725 (and Article 6(1)(e) of GDPR).

Moreover, for the Commission, the ECI Regulation provides in Article 10 a legal obligation to set up and operate the COCS to allow the online collection of statements of support and in Article 12(3) the obligation to submit to Member States for verification the statements of support collected through the COCS, in case the required number of statements of support has been reached (see also Article 12(2)). By enabling the processing carried out through COCS (including the transfer) the Commission thus fulfils a legal obligation and therefore the processing is also lawful on the basis of Article 5(1)(b) of Regulation (EU) 2018/1725 (and Article 6(1)(c) of GDPR).

The data you provide as part of a statement of support do not qualify as such as sensitive data for which processing is in principle prohibited by Article 10(1) of Regulation (EU) 2018/1725 (and Article 9(1) of GDPR). However, the interconnection between your data and the supported initiative may reveal information about your health, political, philosophical or religious convictions and beliefs, political affiliations, sex life or sexual orientation, racial or ethnic origin or even trade union membership depending on the subject matter of each initiative. Consequently, the sensitivity of your data may stem from the sensitivity of the topic of the initiative concerned.

In accordance with Article 10(2)(g) of Regulation (EU) 2018/1725 (and Article 9(2)(g) of GDPR) even though your data may be qualified as a special category of data, their processing is still allowed, for the following reason: ‘the processing is necessary for reasons of substantial public interest, on the basis of Union law (…) which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subjectʼ.

In this respect, Recital (12) of the ECI Regulation clarifies that: ‘While personal data processed in application of this Regulation might include sensitive data, given the nature of the European citizensʼ initiative as an instrument of participatory democracy, it is justified to require the provision of personal data to support an initiative and to process such data as far as it is necessary in order to allow statements of support to be verified in accordance with national law and practiceʼ.

4. Which personal data do we collect and further process?

For the purpose of registering your support for a citizens' initiative we collect different possible sets of data, depending on the mode of support you chose and your nationality.

If you fill in the statement of support form online, one of the two possible sets of data is collected as defined in Annex III to the ECI Regulation:

Set A:

  • nationality,
  • full first names,
  • family names,
  • residence (street, number, postal code, city, country),
  • date of birth.

Set B:

  • nationality,
  • full first names,
  • family names,
  • personal identification number/personal identification document number,
  • type of personal identification number or document.

According to Article 9(4) of the ECI Regulation, Member States can choose whether they want to use data sets A or B. On 1 January 2020 (time of entry into application of the ECI Regulation) Set A has been chosen by 9 Member States (DE, DK, EL, FI, FR, IE, LU, NL, SK), while Set B has been chosen by 18 Member States (AT, BE, BG, CY, CZ, ET, ES, HR, HU, IT, MT, LT, LV, PL, PT, RO, SE and SI).

Member States can change this choice in the future, without it being reflected in this privacy statement.

If you support an ECI using your eID, your personal data are imported from the national eID system following the authentication you perform. Data concerned are defined under the eIDAS Regulation (Regulation (EU) No 910/2014), as follows:

  • current family name(s),
  • current first name(s),
  • date of birth,
  • unique identifier.

Additionally the data of nationality is collected in such case, based on your choice of the relevant national eID system where you authenticate yourself.

Moreover in order to allow the efficient processing, we collect some (meta)data relating to the electronic transmission/submission of the SoS, notably your IP address, connection data, time of inputting electronically the form on COCS. These (meta)data are kept for a maximum period of six months. In addition, a unique statement of support identifier is automatically generated for each SoS submitted. The identifier is destroyed at the end of the collection period. If the data subject has also provided an email address, the identifier is destroyed at the end of the retention period of the email address.

5. How long do we keep your personal data?

The standard retention period is of 21 months from the beginning of the collection period.

The standard retention period is shortened in the following cases:

  • it expires one month after the submission of the Initiative to the Commission in accordance with Article 13 of the ECI Regulation, and
  • it expires one month after the withdrawal, if the Initiative is withdrawn after the beginning of the collection period, referred to in Article 7 of the ECI Regulation

The standard retention period is extended if necessary for the purpose of legal or administrative proceedings relating to the initiative concerned. In such case data shall be destroyed not later than one month after the date of conclusion of the said proceedings by a final decision.

In the context of COVID-19 pandemic, standard data retention periods set up in Article 19(5) of the ECI Regulation were extended for initiatives which have their data collection period extended based on Regulation (EU) 2020/1042 - a maximum period of extensions is of 12 months.

The above described data retention periods also apply:

  • to the storage in the Commission file exchange service of statements of support collected on paper uploaded therein by the ECI organisers in view of their transfer to Member States for verification, and,
  • to Member States in case they verify the collected statements of support.

6. How do we protect and safeguard your personal data?

All personal data are stored in electronic format on the servers of the Commission. All processing operations are carried out pursuant to Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.

In order to protect your personal data, the Commission has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.

7. Who has access to your personal data and to whom is it disclosed?

Only Commission staff members, authorised specifically based on the ‘need to knowʼ principle have access to your data, when stored in the COCS. Such staff members abide by statutory, and when required, additional confidentiality agreements.

In case the required number of statements of support has been collected with regard to the initiative concerned, the Commission (on the organisers’ request) submits them to the competent authorities of the responsible Member States for verification and certification in line with Article 12(2) and 12(3) of the ECI Regulation.

8. What are your rights and how can you exercise them?

You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725 (and Chapter III of GDPR), in particular you have the right to access your personal data and to rectify them in case your personal data are inaccurate or incomplete. In some cases, you have the right to erase your personal data, to restrict the processing of your personal data and to object to the processing.

Insofar as the right to object to the processing of your personal data is concerned, the exercise of that right must be based on grounds relating to your particular situation.

You can exercise your rights by contacting any of the joint Data Controllers, or (in particular in case of conflict) the Data Protection Officer(s). If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.

Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under Heading 10 below) in your request.

Any request for access to personal data will be handled within one month from receipt of the request. Any other request falling under Articles 18-25 of Regulation (EU) 2018/1725 (and Chapter III of GDPR) will be addressed within 15 working days. The period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

9. Contact information

The Data Controllers

If you would like to exercise your rights under Regulation (EU) 2018/1725 and GDPR, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please contact one of the joint Data Controllers.

- As regards the Commission, please use the following contact information of the Operational Data Controller:

European Commission

Secretariat-General

Directorate A ‘Strategy, Better Regulation & Corporate Governance’

Unit A.1 ‘Policy Priorities & Work Programme’

B – 1049 Brussels

Tel. +32 2 29 92165

E-mail: SG-ECI-mailing@ec.europa.eu

- As regards the representative of the group of organisers, or, where appropriate, the legal entity created by such group, their contact details can be found in the online ECI Register as well in the COCS, on the webpages specifically dedicated to the initiative concerned. See: https://citizens-initiative.europa.eu/find-initiative_en.

In case your data provided in a statement of support have been submitted for verification and certification to the competent authorities of a responsible Member State, these authorities become data controllers with regard to the processing they perform. You can address them your comments, questions or requests concerning the processing of your data using the contact details which can be consulted at: https://citizens-initiative.europa.eu/how-it-works/data-protection_en.

The Data Protection Officers (DPOs)

- The Data Protection Officer (DPO) of the Commission

You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data.

- The Data Protection Officer (DPO) of the group of organisers (if any)

In case the group of organisers has designated a Data Protection Officer, you may also contact such Data Protection Officer using the contact details which can be consulted in the online ECI Register as well as in the COCS, on the webpages specifically dedicated to the initiative concerned. See: https://citizens-initiative.europa.eu/find-initiative_en.

The Data Protection authorities

- The European Data Protection Supervisor (EDPS)

You have the right to lodge a complaint to the European Data Protection Supervisor (edps@edps.europa.eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.

- The national Data Protection authorities

You also have the right to lodge a complaint with a competent national data protection authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that your data is unlawfully processed. The contact details of the national data protection authorities can be consulted at: https://citizens-initiative.europa.eu/how-it-works/data-protection_en.

10. Where to find further information?

The ECI Regulation sets out in its Annex III the core elements of the privacy statement for the statements of support collected online via the Central Online Collection System as follows:

‘In accordance with Regulation (EU) 2018/1725 and Regulation (EU) 2016/679 (the General Data Protection Regulation) your personal data provided on this form will only be used for the support of the initiative and made available to the competent national authorities for the purpose of verification and certification. You are entitled to request from the European Commission and from the representative of the group of organisers of the initiative or, where appropriate, the legal entity created by it, access to, rectification of, erasure and restriction of processing of your personal data. Your data will be stored by the European Commission for a maximum retention period of one month after the submission of the initiative to the European Commission or 21 months after the beginning of the collection period, whichever is the earlier. It might be retained beyond these time limits in the case of administrative or legal proceedings, for a maximum of one month after the date of conclusion of these proceedings. Without prejudice to any other administrative or judicial remedy, you have the right to lodge at any time a complaint with the European Data Protection Supervisor or with a data protection authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that your data is unlawfully processed. The European Commission and the representative of the group of organisers of the initiative or, where appropriate, the legal entity created by it, are joint controllers within the meaning of Regulation (EU) 2018/1725 and the General Data Protection Regulation and can be contacted using the details provided on this form. The contact details of the data protection officer of the group of organisers (if any) are available at the web address of this initiative in the European Commission's register, as provided in point 4 of this form. The contact details of the data protection officer of the European Commission, of the national authority which will receive and process your personal data, of the European Data Protection Supervisor and of the national data protection authorities can be consulted at: http://ec.citizens-initiative.europa.eu/public/data-protection’.

The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to the DPO. You may access the register via the following link: http://ec.europa.eu/dpo-register.

This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-03486.

Want to learn and collaborate?
Join the Forum