Data protection at the EMCDDA

The EMCDDA takes personal data protection very seriously. Any information relating to an identified or identifiable natural person, as well as its processing, whether automated or not (collection, storage, consultation, use, transmission, destruction, etc.), is subject to strict protection rules and procedures, as outlined below.

Some definitions relating to the protection of personal data and related subjects, as well as information on the implementation of personal data protection at the EMCDDA, are to be found below. Legal definitions are to be found in Article 3 of Regulation (EU) No 2018/1725 of the European Parliament and of the Council of 23 October 2018.

Data protection principles

Anyone processing personal data should be aware of the basic principles, according to which the data must be:

  • fairly and lawfully processed;
  • processed for limited and explicit purposes;
  • adequate, relevant and not excessive;
  • accurate;
  • not kept longer than necessary;
  • processed in accordance with the data subject's rights;
  • secure;
  • not transferred to third parties without adequate precautions.

Key concepts

What is personal data?

Personal data means any information relating to an identified or identifiable natural person or ‘data subject’.

An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

The processing of special categories of data, defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and of data concerning health or sex life, is prohibited, subject to certain exceptions (see Article 10 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018).

Data controller and the data subject

  • The data controller means the EU institution or body, the Directorate-General, the unit or any other organisational entity which alone or jointly with others determines the purposes and means of the processing of personal data.
  • For each processing operation, a data controller must be identified and prior notice must be given to the data protection officer of the institution.
  • The data subject is the person whose personal data are collected, held or processed by the data controller.
  • How to identify the controller? At the EMCDDA, controllers are the Director, the heads of unit and the medical advisor.

Data Protection Officer (DPO)

Each institution has one or more DPOs to ensure the application of the principles of personal data protection in the institution. The DPO also provides advice and makes recommendations on rights and obligations. He/she advises on notifications of risky processing of personal data to the EDPS (see below) and responds to requests from the EDPS. In critical situations he/she may investigate matters and incidents on request or on his/her own initiative.

What is a notification and who is responsible for it?

A notification is a prior notice by the controller to the data protection officer of any processing operation (manual or electronic) in which personal data is involved. It is only needed if personal data is processed.

What are the records of the personal data procedures?

The records are databases containing all procedures on personal data identified by the data controllers and consulted with the data protection officer, including the assessment of the procedures and the related privacy statements. The main purpose of keeping these records is to ensure compliance, and to be able to demonstrate this compliance, with Regulation 2018/1725 of the European Parliament and of the Council of 23 October 2018. The records should be publicly available and should contain the name and contact details of the controller, the data protection officer and, where applicable, the processor and the joint controller. They should also contain information on the purpose of the procedure; a description of the categories of data subjects and the categories of personal data; the categories of the recipients to whom the personal data have been or will be disclosed; where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards; where possible, the envisaged time limits for erasure of the different categories of data; and where possible, a general description of the technical and organisational security measures.

What is lawful processing?

Article 4 of the Regulation states the principles relating to the processing of personal data, which shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner which is incompatible with those purposes. Personal data shall also be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. They shall also be accurate and, where necessary, kept up to date. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are stored. They shall be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The data controller is responsible for ensuring that personal data is processed fairly and lawfully.

Rights of the data subject

The controller must give the data subject the following information about data being processed:

  • confirmation as to whether or not data related to him or her are being processed;
  • information about the purposes of the processing operation, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed;
  • communication of the data undergoing processing and of any available information as to their source;
  • knowledge of the logic involved in any automated decision process concerning him or her.

The data subject has the right to access his or her data and to require the controller to rectify without delay any inaccurate or incomplete personal data. The data subject has the right to require the controller to erase data if the processing is unlawful.

European Data Protection Supervisor (EDPS)

The EDPS is an independent supervisory authority established in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018. With respect to the processing of personal data, the EDPS is responsible for ensuring that the fundamental rights and freedoms of natural persons, and in particular their right to privacy, are respected by the EU institutions and bodies. The EDPS is also responsible for advising EU institutions and bodies and data subjects on all matters concerning the processing of personal data.
Data controllers are obliged to cooperate with the EDPS, in particular by granting access to the records.

Basic data protection rules

Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

The purpose of the Regulation is to protect the freedoms and fundamental rights of individuals with regard to processing of personal data carried out by EU institutions and bodies.

It determines the principles to be respected by EU institutions (lawfulness, fairness, purpose, proportionality and security), the obligations of the persons processing personal data (data controllers) and the rights of individuals whose personal data are processed (data subjects), in particular those working for the institutions. The Regulation provides for the appointment of a data protection officer in each institution and also for the appointment of the European Data Protection Supervisor at European level.

EMCDDA implementing rules

The Management Board of the EMCDDA adopted on 4 July 2008 further implementing rules of Regulation (EC) No 45/2001. They deal mainly with the duties of the data protection officer. These implementing rules shall be updated as soon as possible to take into account Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018.

Contact the EMCDDA Data Protection Officer

Data Protection Officer
Tel +351 211 210 231