Data protection at the EUDA website

The European Union Drugs Agency (EUDA), which on 2 July 2024 officially succeeded the European Monitoring Centre for Drugs and Drug Addiction (EMCDDA), takes very seriously the protection of data it holds on individuals. It implements Regulation (EU) No 2018/1725 of the European Parliament and of the Council of 23 October 2018 (European Union Data Protection Regulation – EUDPR), which lays down the rules on how all the European Union institutions and bodies, such as the EUDA, shall treat the personal data they hold on individuals.

The protection of natural persons in relation to the processing of personal data is a fundamental right under the Charter of Fundamental Rights of the European Union (Article 8). The Treaty on the Functioning of the European Union (TFEU) provides that everyone has the right to the protection of personal data concerning him or her (Article 16).

Key concepts

What is personal data?

Any information relating to an identified or identifiable natural person (known as ‘data subjects’ in the EUDPR). An identifiable person is someone who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to her/his physical, physiological, mental, economic, cultural, or social identity (Article 3 of EUDPR). The processing of special categories of data, such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life, is prohibited, subject to certain exceptions (Article 10 of EUDPR).

What is processing of personal data?

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data protection principles

The processing of personal data must adhere to the following basic principles:

  • Lawfulness, Fairness and Transparency: data can only be processed when there is a legal ground for it, and data subjects must be made aware of it.
  • Purpose limitation: data must be processed for specified, explicit, and legitimate purposes.
  • Data minimization: data must be adequate, relevant, and not excessive.
  • Accuracy: data must be accurate and kept up to date.
  • Storage limitation: data must not be kept longer than necessary.
  • Respect for data subject's rights: data must be processed in accordance with the data subject's rights.
  • Security: data must be processed securely.
  • Third-party transfer: data must not be transferred to third parties without adequate precautions.

Data Subjects and their rights

  • Transparency: the data controller (see below) must use clear and plain language when informing data subjects about how their personal data will be processed. The information must be clear, concise and transparent, and it must be provided to the data subjects in an easily accessible format.
  • To be informed: data subjects have the right to be informed, for example, about the fact that their data has been processed, the purpose for which it was processed and the identity of the controller.
  • To access: data subjects have the right to receive information on whether their personal data is being processed, the purpose of this processing operation, the categories of data concerned and the recipients to whom their data are disclosed, as well as the right to access this personal data.
  • To rectification: if data from data subjects is inaccurate or incomplete, they have the right to rectify it.
  • To restrict the processing: under certain circumstances, such as if data subjects contest the accuracy of the processed data or if they are not sure whether their data is lawfully processed, they can ask the controller to restrict the data processing.
  • To data portability: data subjects can obtain the data that the controller holds on them and ask for the transfer of the data from one controller to another. Where technically possible, the controller has to do the work for the data subject.
  • To erasure: data subjects can obtain erasure of their data under certain circumstances.
  • Not to be subject to automated individual decision-making, including profiling: data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which results in legal consequences for them or significantly affects them in a similar way.
  • To object: data subjects can object, on compelling legitimate grounds, to the processing of data relating to them.

Data Controllers and data processors

Data controller: The EU institution or body, the Directorate-General, the unit, or any other organizational entity that determines the purposes and means of processing personal data. For each processing operation, a data controller must be identified and prior notice given to the data protection officer. At the EUDA, controllers include the Director and the heads of unit.

Data processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data Protection Officer (DPO)

Each institution has one or more DPOs to ensure the application of data protection principles and rules. The DPO provides advice, makes recommendations on rights and obligations, advises on notifications of risky processing of personal data to the EDPS, and responds to requests from the EDPS. In critical situations, the DPO may investigate matters and incidents on request or on their own initiative. The DPO of the EUDA is Gonçalo Felgueiras e Sousa.

European Data Protection Supervisor (EDPS)

The EDPS is an independent supervisory authority established under the EUDPR. It ensures that the fundamental rights and freedoms of natural persons, particularly their right to privacy, are respected by the EU institutions and bodies. The EDPS also advises EU institutions, bodies, as well as data subjects on data protection matters. Data controllers must cooperate with the EDPS, including granting access to records.

Notifications and records

What is a notification and who is responsible for it?

A notification is a prior notice by the controller to the data protection officer of any processing operation (manual or electronic) involving personal data. Notifications are required if personal data is processed.

What are the Records of Personal Data Procedures?

Records are databases containing all procedures on personal data identified by data controllers and consulted with the DPO, including assessments of the procedures and related privacy statements. The main purpose of keeping these records is to ensure and demonstrate compliance with the EUDPR. Records should be publicly available and contain the name and contact details of the controller, the data protection officer, and, where applicable, the processor and the joint controller. They should also include information on the purpose of the procedure, a description of the categories of data subjects and personal data, the recipients of the data, any transfers to third countries or international organizations, envisaged time limits for data erasure, and a general description of technical and organizational security measures.

EUDA implementing rules

The Regulation on the EUDA determines that the Management Board of the Agency has to establish measures for the application of the EUDPR within six months of the date of its first meeting after 2 July 2024. Once adopted, the new measures will replace the implementing rules of Regulation (EC) 45/2001, adopted by the Agency on 4 July 2008.

Contact the EUDA Data Protection Officer

Data Protection Officer
Tel +351 211 210 231
dpo@euda.europa.eu