The public register of data processing activities of the European Fisheries Control Agency is available here.
Below you will find the essentials about the processing of personal data of individuals carried out by the Agency to fulfil its tasks.
The processing of personal data of individuals by EFCA is regulated by Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of personal data by the EU institutions and bodies.
- Information on data processing operations carried out at EFCA
- What are personal data?
- What is processing?
- Who is responsible for the processing of personal data at the Agency?
- What principles should be complied with by the Agency when processing personal data?
- What are your rights as data subject?
- Who should you contact for more information about the processing of personal data by the Agency?
- Who is the European Data Protection Supervisor and how can he help you?
- How are personal data of users of the Agency's website and e-services processed?
Information on specific data processing operations carried out at EFCA
All EU institutions have the legal obligation to keep a central register of records of activities processing personal data (Article 31 of Regulation 2018/1725). The register of the European Fisheries Control Agency, including the relevant privacy statements, is published on its webpage (see above).
Each record contains:
- name and contact details of the controller, the DPO and, where applicable, the processor and the joint controller;
- the purposes of the processing;
- description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed;
- where applicable, transfers of personal data to a third country or an international organisation and the documentation of suitable safeguards;
- the envisaged time limits for erasure of the different categories of data;
- a general description of the technical and organisational security measures to protect those personal data.
What are personal data?
'Personal data' are any information relating to an identified or identifiable person. An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
The data subject is the person whose personal data are collected, held or processed.
What is processing?
'Processing' of personal data means any operation or set of operations that is performed upon personal data, whether or not by automatic means, such as collection, recording, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, deletion or destruction.
Examples of data processing operations concerning the Agency's stakeholders and other people involved or interested in the activities of the Agency include:
- publication of the declarations of interests of Administrative Board members;
- evaluation of tenders submitted in response to a procurement procedure managed by the Agency;
- conclusion of contracts with the Agency.
Examples of data processing operations concerning members of staff and other people working with the Agency include:
- procedures relating to staff appraisal and reclassification;
- leave management.
Who is responsible for the processing of personal data at the Agency?
The processing of personal data by the Agency is under the responsibility of a designated person or organisational entity within the Agency acting as the data controller.
The data controller is responsible for ensuring, in particular, that technical and organisational measures are undertaken so as to protect the personal data with an appropriate level of security. The data controller remains legally responsible if someone who works for him or her breaches the data protection rules.
The data controller is also the person or entity to which a request from a data subject to exercise his or her rights should be addressed.
Data subjects are informed of the identity of the data controller responsible for the processing of their personal data at the time of the collection or recording of the data by the Agency, unless exceptions to the right of information apply.
What principles should be complied with by the Agency when processing personal data?
The following principles must be complied with by data controllers at the Agency when processing personal data:
- Personal data must be processed fairly and lawfully, and only to the extent necessary to fulfil a specific and legitimate purpose. Re-use of the data for further, incompatible purposes is not permitted;
- The data collected must be adequate, relevant and not excessive in relation to the purposes of the processing;
- They must be kept accurate and up to date;
- They should be kept no longer than necessary;
- They can only be processed in accordance with the data subject's rights;
- They should be stored securely;
- They should not be transferred to third parties without adequate safeguards.
What are your rights as data subject?
Right of information
Everyone has the right to know that their personal data are being processed and for which purpose.
The data controller must respect the right of information of the data subject, irrespective of whether the personal data have been obtained from the data subject or not. The information to be provided relates to:
- the identity of the data controller;
- the purposes of the processing;
- the recipients of the data;
- the existence of the right of access to and the right to rectify the data, as well as the legal basis for the processing;
- the time-limits for storing the data;
- the right to have recourse to the European Data Protection Supervisor.
In the context of the Agency's processing operations, this right is often fulfilled by the provision of a specific privacy statement to the data subject.
The right of information is subject to certain exceptions, such as in those cases where the data subject already has the above-mentioned information, or where the provision of the information would involve a disproportionate effort.
Right of access
The right of access is the right for any data subject to obtain from the data controller:
- confirmation as to whether or not data related to him or her are being processed;
- information on the purposes of processing and the recipients to whom the data have been disclosed;
- communication in an intelligible form of the data undergoing processing and of any available information on their source;
- knowledge of the logic involved in any automated decision processes concerning him or her.
Right of rectification
The data subject has the right to contact the data controller to obtain the rectification, without delay, of inaccurate or incomplete data.
The right of rectification is an essential complement to the right of access and is important to maintain a high level of data quality.
The data subject has the right to obtain blocking of data from the data controller where:
- their accuracy is contested by the data subject;
- the data are no longer needed to achieve the purposes of the processing;
- the processing is unlawful and the data subject opposes the erasure of the data and demands their blocking instead.
Blocking means the freezing of data by the data controller at a given moment and for a specific period of time.
Blocked personal data can only be processed, with the exception of their storage, for purposes of proof, or with the data subject's consent, or for the protection of the rights of a third party.
Right to object
Any data subject has the right to object at any time to the processing of data relating to him or her, except in certain cases, such as where the processing is based on a legal obligation of the data controller.
Where there is a justified objection based on legitimate grounds relating to the particular situation of the data subject, the processing in question may no longer involve those data.
Internal rules on exceptional restrictions have been laid down by the EFCA Administrative Board through its Decision No 20-W-3 of 22 April 2020. In such cases, the DPO shall be involved throughout the entire procedure.
Who should you contact for more information about the processing of personal data by the Agency?
Each European Union institution or body has a data protection officer (DPO) who ensures, in an independent manner, the internal application of Regulation (EU) 2018/1725 and keeps a register of all personal data processing operations carried out by data controllers in that institution.
The DPO also provides advice and makes recommendations on rights and obligations of data controllers and data subjects. In critical situations, he or she may investigate matters and incidents either upon a request of a data subject or on his or her own initiative.
The Agency's DPO can be contacted at EFCA-DPO@efca.europa.eu.
Who is the European Data Protection Supervisor and how can he help you?
The European Data Protection Supervisor (EDPS) is an independent supervisory authority responsible for monitoring and ensuring the application of data protection rules by European Union institutions and bodies, including the Agency.
If you feel that your personal data are being misused by the Agency, or that their processing by the Agency is otherwise not compliant with Regulation (EU) 2018/1725, you should first notify the data controller for the processing in question and ask him or her to take action.
You may also contact the Agency's DPO at EFCA-DPO@efca.europa.eu to inform him or her of any issues related to the processing of your data.
If the problem cannot be solved this way, you may lodge a complaint with the EDPS. The EDPS is empowered to hear and investigate complaints and to conduct inquiries, including on his or her own initiative. If a breach of data protection rules is found to have occurred, the EDPS may exercise the powers assigned to him or her under Article 58 of Regulation (EU) 2018/1725.
How are personal data of users of the Agency's website and e-services processed?
You can browse the Agency's website without giving any information about yourself. However, in some cases, personal information is required in order to provide the e-services you request, and will be processed in accordance with data protection law.
An e-service on this website is a service or resource made available on the internet in order to improve the communication between citizens and businesses, on the one hand, and the Agency on the other hand.
Three types of e-services are or may be offered by the Agency:
- information services that provide users with easy and effective access to information, thus increasing transparency and understanding of the Agency's activities;
- interactive communication services that allow better contact with the Agency's target publics, thus facilitating consultations and feedback mechanisms, in order to contribute to the shaping of the Agency's policies, activities and services;
- transaction services that allow access to all basic forms of transactions with the Agency, such as procurement, financial operations, recruitment and event enrolment.