Factsheet of the European Data Protection Supervisor
Data protection goes digital
Technology has transformed our lives in many positive ways. In the digital era we live
in, the internet, big data, artificial intelligence, and other technological developments
play a significant role in our daily activities.
Yet we must ensure that technological developments do not dictate our values.
We should be able to reap the benefits of new technologies while still enjoying our
fundamental rights. This includes the fundamental right to data protection.
The EU’s new data protection rules, applicable from 2018, are future-oriented. They
aim to ensure effective protection of personal data in the digital era.
The General Data Protection Regulation (GDPR) applies to all businesses and
organisations operating in the EU. It sets the standard for data protection worldwide,
by ensuring the protection of personal data in the digital world.
New data protection rules for the EU institutions have also been introduced, to
ensure that the standard of data protection within the EU institutions and bodies is
in line with the standard of data protection provided for in the GDPR. These rules
reflect the same values, providing EU citizens with the reassurance that they can
enjoy the same strengthened rights when dealing with the EU institutions as they
do when dealing with other companies, organisations or public bodies under the
GDPR.
Data protection in the EU institutions: What are your rights?
The very nature of the EU project requires the processing of personal data by
the EU institutions in many fields of work. This might include processing personal
data in the fight against serious organised crime and terrorism at EU level, in the
distribution of EU funds or in the management of large scale IT systems, like the
Visa Information System.
The EU institutions are also employers. They therefore process personal data as
part of the recruitment process and handle medical information on their staff,
for example.
Processing large amounts of data on a daily basis comes with big responsibility.
For this reason, it is important that the EU institutions lead by example in
applying the new EU data protection rules.
If your personal data is collected, held or processed in any other way, you are
referred to under data protection law as a data subject. This entitles you to
certain rights relating to the processing of your personal data.
The EU institutions must process your personal data fairly, lawfully and only
for legitimate purposes. This general right is complemented by several specific
rights:
- Right to transparency
The data controller must use clear
and plain language when informing
you about how your personal data
will be processed. The information
must be clear, concise and
transparent, and it must be provided
to you in an easily accessible format.
- Right to access
You have the right to receive
information from an EU institution on
whether your personal data is being
processed by them, the purpose
of this processing operation, the
categories of data concerned and
the recipients to whom your data
are disclosed, as well as the right to
access this personal data, processed
by the EU institution.
- Right to erasure / Right to be forgotten
If your personal data is no longer
needed by the EU institution, if you
withdraw your consent or if the
processing operation is unlawful, you
have the right to erase your data.
- Right to restrict the processing
Under certain circumstances, such
as if you contest the accuracy of the
processed data or if you are not sure
if your data is lawfully processed, you
can ask the controller to restrict the
data processing.
- Right to data portability
This right allows you to obtain the
data that the controller holds on you
and to transfer it from one controller
to another. Where technically
possible, the controller has to do the
work for you.
- Right to be informed
You have the right to be informed,
for example, about the fact that
your data has been processed, the
purpose for which it was processed
and the identity of the controller.
- Right to rectification
If your data is inaccurate or
incomplete, you have the right to
rectify it.
- Right not to be subject to automated individual decision-making, including profiling
You have the right not to be
subject to a decision based solely
on automated processing, including
profiling, which results in legal
consequences for you or significantly
affects you in a similar way.
- Right to object
You can object, on compelling
legitimate grounds, to the processing
of data relating to you.
Personal data: means any information relating to an identifiable (directly or indirectly) natural
person. An identifiable natural person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification number, location data, an
online identifier or to one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person.
Examples: name, e-mail address, annual appraisal file, medical health records, but also indirectly
identifying information such as personnel number, IP address, connection logs, fax number,
biometrics, etc.
Data controller: means the institution or body that determines the purposes and means of
the processing of personal data. In particular, the controller has the duties of ensuring the quality
of data and, in the case of the EU institutions and bodies, of notifying the processing operation
to the data protection officer (DPO). In addition, the data controller is also responsible for the
security measures protecting the data. The controller is also the entity that receives requests
from data subjects to exercise their rights. The controller must cooperate with the DPO, and may
consult him or her for an opinion on any data protection related question.
Processing: refers to any operation or set of operations performed on personal data or on sets
of personal data, whether or not by automated means, such as collection, recording, organisation,
structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination, restriction, erasure or
destruction.
Examples: recruitment procedure, grant award procedure, list of external experts, managing
an event, publication of pictures, creating a collaborative online platform for citizens or staff
members.
Processing also occurs in situations where European institutions provide Member States with
a technical tool or solution to facilitate information exchange, while retaining access to the
personal data concerned or keeping a register of connection logs relating to the platform.
This factsheet is issued by the European Data Protection Supervisor
(EDPS) - an independent EU authority established in 2004 to:
• monitor the processing of personal data by EU institutions and bodies;
• give advice on data protection legislation;
• cooperate with similar authorities to ensure consistent data
protection.
Source: EDPS,
https://edps.europa.eu/sites/edp/files/publication/18-12-11_factsheet1_your_rights_in_digital_era_en...