Summary
All EU institutions have the legal obligation to keep a central register of records of activities processing personal data (Article 31 of Regulation 2018/1725).
For more information or to see more EUDA personal data protection records, please visit the EUDA data protection records page.
Data protection record
| Nr. | Item | Response |
|---|---|---|
| 1. | Last update of this record | 30 March 2026 |
| 2. | Reference number: | DPO-019 |
| 3. | Name and contact details of controller | Controller: EUDA, Praça Europa 1, 1249-289 Lisboa, Portugal Contact: Mr Dante Storti; Head of ADM unit: EUDA-HR@EUDA.europa.eu |
| 4. | Name and contact details of DPO | Gonçalo Felgueiras e Sousa, EUDA: dpo@euda.europa.eu |
| 5. | Name and contact details of joint controller (where applicable) | N.A. |
| 6. | Name and contact details of processor (where applicable) | N.A. |
| 7. | Purpose of the processing | Exclusively within personnel administration: time management of staff, including annual leave entitlements and special leave including travelling time, parental leave, part-time work, registration of teleworking, mission, sick leave and compensation at the EUDA. |
| 8. | Description of categories of persons whose data EUDA processes and list of data categories | Categories of persons: EUDA staff Data categories: a) name, personnel number; b) working time, annual leave and special leave, including maternity leave, parental leave, part-time work, registration of absences due to mission, sick leave and compensation. |
| 9. | Time limit for keeping the data | Electronic and, if applicable, printed data will be stored in the EUDA’s files as follows: In the case of carry-over of days of annual leave from one year to the next, data will be kept not beyond the year after the one of the carry over. Data related to sick leave and teleworking will be kept for a period of three years. Data related to some special categories of special leave (i.e. family, maternity or parental leave) will be kept up to seven years after the budgetary discharge. All working time related data will be deleted once a year in correspondence with the end of the month of January of the following year. Flexitime related data of staff members whose employment relationship with the EUDA comes to an end will be immediately deleted. After the mentioned period, only data related to a macroscopic vision of the time management of staff (number of days of absences from work, total number of sick leave days taken, etc.) will be kept for statistical reasons and will be kept anonymous. |
| 10. | Recipients of the data | The recipients of the data are: a) the EUDA hierarchical superior for approval – who can appoint a delegate for approving requests for short periods of time; b) EUDA staff working for the Human Resources Management Sector (HRMS); and c) the external company doctor. The sick leave certificates shall be submitted directly to the external company doctor and will be processed in strict confidentiality and exclusively for the purpose for which they were submitted. The medical certificates are then stored in the digital platform of the external company with whom the EUDA has a framework contract. The Human resources staff and the hierarchical superiors will in no case have access to the medical data. For medical advice, medical data may be transferred to the external company doctor assisting the EUDA on medical issues. Only in the case of transfer to another European institution, the relevant information on the rights and entitlements of the staff concerned will be transmitted to the institution concerned. |
| 11. | Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards? | No. |
| 12. | General description of security measures, where possible. | The data collected is stored in an electronic database on designated EUDA equipment. The data collected can only be accessed by designated EUDA staff working for the HRMS. The data is stored in the HRMS’s offices in locked cabinets. The management of leave and absences of the EUDA staff is done through the web application ‘EUDA Time Management Tool’. This tool, with all its components, is exclusively installed on EUDA servers in the EUDA internal network, and can only be accessed by authenticated users that are EUDA staff members, and only with the access rights according to their role in the organisation, which are set one by one by the HR personnel responsible. |
| 13. | For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the data protection notice: | See the Data protection notice below. |
Data protection notice
1. Introduction / Why do we process your personal data?
This data protection notice explains how the EUDA processes your personal data for the purposes of the time management of staff, including annual leave entitlements and special leave including travelling time, parental leave, part-time work, registration of teleworking, mission, sick leave and compensation at the EUDA. Data cannot be used for purposes of performance appraisal, promotion, or assessing contract renewal, and the use of the data shall not lead to dismissal, exclusion from contract renewals, promotion, or training opportunities, exclusion when tasks are allocated or team leaders and managers are selected, or to other similar prejudices to staff members. This does not mean that staff members who are unable to account for a productive use of their time cannot be dismissed or excluded when tasks are distributed. However, these decisions must be made based on information other than data collected for time management purposes.
2. Who is responsible for the processing of your personal data (the controller) and under which legal grounds is it processed?
The EUDA, Praça Europa 1, 1249-289 Lisboa, Portugal, is the controller of your personal data for the purposes described above. The data controller[1] is the Head of the Administration, who may be contacted through the following e-mail address: EUDA-HR@euda.europa.eu.
The legal bases of the processing are the Staff Regulations and the Conditions of Employment of Other Servants of the European Communities laid down by Council Regulation (EEC, EURATOM, ECSC) No. 259/68, in particular Articles 55, 57, 58 and 61 of the Staff Regulations and Articles 16 and 91 of the CEOS. Further legal bases are the European Commission Decisions on General implementing provisions on leave (C(2013) 9051) adopted by MB on 2 April 2014, on working time (C(2014) 2502) adopted by MB on 1 March 2015, on teleworking (C(2015) 9151) adopted by MB on 13 December 2017, on family leave and parental leave (C(2010) 7494) adopted by MB on 18 May 2011, on absences as a result of sickness or accident (C(2004) 1597) adopted on 27 February 2007, on leave on personal grounds and unpaid leave (C(2015) 5320) adopted by MB on 9 September 2015 and on outside activities and assignments (C(2018) 4048) adopted by MB on 12 December 2018.
Any data collected or information provided in the framework described under point 1 above will be processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
3. What personal data do we collect and further process?
The following personal data are processed: a) family name, name, and personnel number; b) working time, annual leave and special leave taken, including maternity leave, parental leave, part-time work, registration of absences because of mission, sick leave and compensation.
4. Who has access to your personal data and to whom is it disclosed?
Your personal data may be disclosed to the following: a) the external company doctor; b) the hierarchical superior for approval – who can appoint a delegate for approving requests for short periods of time; and c) EUDA staff working for the Human Resources Management Sector (HRMS).
The sick leave certificates shall be submitted directly to the external company doctor and will be processed in strict confidentiality and exclusively for the purpose for which they were submitted. The medical certificates are then stored in the digital platform of the external company with whom the EUDA has a framework contract. The HRMS staff and the hierarchical superiors will in no case have access to the medical data. For medical advice, medical data may be transferred to the external company doctor assisting the EUDA on medical issues. Only in the case of transfer to another European institution, the relevant information on the rights and entitlements of the staff concerned will be transmitted to the institution concerned.
5. Are your personal data subject to any international transfers?
No personal data are subject to international transfers.
6. For how long do we keep your personal data?
In the case of carry-over of days of annual leave from one year to the next, data will be kept not beyond the year after the one of the carry over. Data related to sick leave and teleworking will be kept for a period of three years. Data related to some special categories of special leave (i.e. family, maternity or parental leave) will be kept up to seven years after the budgetary discharge. All working time related data will be deleted once a year in correspondence with the end of the month of January of the following year. Flexitime related data of staff members whose employment relationship with the EUDA comes to an end will be immediately deleted.
After the mentioned periods, only data related to a macroscopic vision of the time management of staff (number of days of absences from work, total number of sick leave days taken, etc.) will be kept for statistical reasons and will be kept anonymous.
7. How do we protect your personal data?
The data is stored in the HRMS’s offices in locked cabinets. The management of leave and absences of the EUDA staff is done through the web application ‘EUDA Time Management Tool’. This tool, with all its components, is exclusively installed on EUDA servers in the EUDA internal network, and can only be accessed by authenticated users that are EUDA staff members, and only with the access rights according to their role in the organisation, which are set one by one by the HRMS personnel responsible.
8. What are your rights regarding your personal data?
How can you verify, modify or delete your personal data?
As the individual to whom the personal data relate, you can exercise the following rights, all recognised under Regulation (EU) 2018/1725 (point 2 above):
1. access your personal data under its Article 17;
2. rectify your personal data under its Article 18;
3. erase your personal data under its Article 19; or
4. restrict the processing concerning yourself under its Article 20.
For this, you need to contact the EUDA’s HRMS in writing (EUDA-HR@euda.europa.eu).
9. How long do you have to wait to receive our reply to your data subject rights’ request?
After receiving your request, we have one month to provide information on action taken on your request. We may extend this period by two further months, taking into account the complexity and number of the requests. In those cases, we will inform you of the extension and its reasons within one month of receipt of your request.
10. Who can you contact to ask questions or exercise your rights?
In case of any difficulties or questions relating to the processing of your personal data, you may contact the DPO of the EUDA, Gonçalo Felgueiras e Sousa, at the following address: dpo@euda.europa.eu
11. Who can you lodge a complaint with about the processing of your personal data?
We encourage you to always contact us, as data controllers, first as described under point 10 above to raise your questions or concerns. In any case, if you believe that your rights under Regulation (EU) 2018/1725 have been infringed, you remain entitled to send a complaint to the EDPS, as a supervisory authority, using the following contact information:
European Data Protection Supervisor (EDPS)
Rue Wiertz 60 B-1047 Brussels,
Belgium
[1] Article 3 (8) of Regulation (EU) 2018/1725 defines controller as: ‘the Union institution or body or the directorate-general or any other organisational entity which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by a specific Union act, the controller or the specific criteria for its nomination can be provided for by Union law.’