Personal data protection at the EUDA

The European Union Drugs Agency (EUDA), which on 2 July 2024 officially succeeded the European Monitoring Centre for Drugs and Drug Addiction (EMCDDA), takes very seriously the protection of data it holds on individuals. It implements Regulation (EU) No 2018/1725 of the European Parliament and of the Council of 23 October 2018 (European Union Data Protection Regulation – EUDPR), which lays down the rules on how all the European Union institutions and bodies, such as the EUDA, shall treat the personal data they hold on individuals.

The protection of natural persons in relation to the processing of personal data is a fundamental right under the Charter of Fundamental Rights of the European Union (Article 8). The Treaty on the Functioning of the European Union (TFEU) provides that everyone has the right to the protection of personal data concerning them (Article 16).

Key concepts

What is personal data?

Any information relating to an identified or identifiable natural person (known as ‘data subjects’ in the EUDPR) is personal data. An identifiable person is someone who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that natural person (Article 3 of EUDPR). The processing of special categories of data, such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning health or sex life, is prohibited, subject to certain exceptions (Article 10 of EUDPR).

What is processing of personal data?

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data protection principles

The processing of personal data must adhere to the following basic principles:

  • Lawfulness, fairness and transparency: Data can only be processed when there are legal grounds for it, and data subjects must be made aware of it.
  • Purpose limitation: Data must be processed for specified, explicit and legitimate purposes.
  • Data minimisation: Data must be adequate, relevant and not excessive.
  • Accuracy: Data must be accurate and kept up to date.
  • Storage limitation: Data must not be kept longer than necessary.
  • Respect for the rights of data subjects: Data must be processed in accordance with the rights of the data subject.
  • Security: Data must be processed securely.
  • Third-party transfer: Data must not be transferred to third parties without adequate precautions.

Data subjects and their rights

  • Transparency: The data controller (see below) must use clear and plain language when informing data subjects about how their personal data will be processed. The information must be clear, concise and transparent, and it must be provided to the data subjects in an easily accessible format.
  • To be informed: Data subjects have the right to be informed, for example, about the fact that their data has been processed, the purpose for which it was processed and the identity of the controller.
  • To access: Data subjects have the right to receive information on whether their personal data are being processed, the purpose of this processing operation, the categories of data concerned and the recipients to whom their data are disclosed, as well as the right to access their personal data.
  • To rectification: If data from data subjects is inaccurate or incomplete, they have the right to rectify it.
  • To restrict the processing: Under certain circumstances, such as if data subjects contest the accuracy of the processed data or if they are not sure if their data are being lawfully processed, they can ask the controller to restrict the data processing.
  • To data portability: Data subjects can obtain the data that the controller holds on them and ask for the transfer of the data from one controller to another. Where technically possible, the controller will transfer the data to the controller indicated by the data subject.
  • To erasure: Data subjects can obtain erasure of their data under certain circumstances.
  • Not to be subject to automated individual decision-making, including profiling: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which results in legal consequences for them or significantly affects them in a similar way.
  • To object: Data subjects can object, on compelling legitimate grounds, to the processing of data relating to them.

Data controllers and data processors

Data controller: The EU institution or body, the Directorate-General, the unit, or any other organisational entity that determines the purposes and means of processing personal data. For each processing operation, a data controller must be identified and prior notice given to the data protection officer. At the EUDA, controllers include the Executive Director and the heads of unit.

Data processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data Protection Officer (DPO)

Each institution has one or more DPOs to ensure the application of data protection principles and rules. The DPO provides advice, makes recommendations on rights and obligations, advises on notifications of risky processing of personal data to the European Data Protection Supervisor (EDPS), and responds to requests from the EDPS. In critical situations, the DPO may investigate matters and incidents upon request or on their own initiative. The DPO of the EUDA is Gonçalo Felgueiras e Sousa.

European Data Protection Supervisor

The EDPS is an independent supervisory authority established under the EUDPR. It ensures that the fundamental rights and freedoms of natural persons, particularly their right to privacy, are respected by the EU institutions and bodies. The EDPS also advises EU institutions and bodies, as well as data subjects, on data protection matters. Data controllers must cooperate with the EDPS, including by providing access to records.

Notifications and records

What is a notification and who is responsible for it?

A notification is a prior notice by the controller to the data protection officer of any processing operation (manual or electronic) involving personal data. Notifications are required if personal data is processed.

What are the records of personal data procedures?

Records are databases containing all procedures on personal data identified by data controllers and consulted with the DPO, including assessments of the procedures and related privacy statements. The main purpose of keeping these records is to ensure and demonstrate compliance with the EUDPR. Records should be publicly available and contain the name and contact details of the controller, the DPO, and, where applicable, the processor and the joint controller. They should also include information on the purpose of the procedure, a description of the categories of data subjects and personal data, the recipients of the data, any transfers to non-EU countries or international organisations, envisaged time limits for data erasure, and a general description of technical and organisational security measures.

The EUDA’s implementing rules

Under the EUDA Regulation, the Management Board of the Agency must establish measures for the application of the EUDPR within six months of the date of its first meeting after 2 July 2024. Once adopted, the new measures will replace the implementing rules of Regulation (EC) 45/2001, adopted by the Agency on 4 July 2008.

External links

Contact the EUDA Data Protection Officer

Data Protection Officer
Tel +351 211 210 231
dpo@euda.europa.eu