Processing operation: Activities and events linked to AccessibleEU
Data Controller: European Commission, Directorate-General for Justice and Consumer Unit 4 Disability
Record reference: DPR-EC-31928.1
Table of Contents
- Introduction
- Why and how do we process your personal data?
- On what legal ground(s) do we process your personal data?
- Which personal data do we collect and further process?
- How long do we keep your data?
- How do we protect and safeguard your personal data?
- Who has access to your data and to whom is it disclosed?
- What are your rights and how can you exercise them?
- Contact information
- Where to find more detailed information?
Introduction
The European Commission (hereafter ‘the Commission’) is committed to protect your personal data and to respect your privacy. The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (repealing Regulation (EC) No 45/2001).
This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor.
The information in relation to processing operation “Activities and events linked to AccessibleEU” undertaken by the European Commission, Directorate-General for Justice and Consumers is detailed below. Particularly, the processing activities informed according to this Privacy notice are related to the development of the functions within AccessibleEU and the Consortium, which has been established to carry out the service of support the creation. The following organisations are members of the referred Consortium:
- ONCE Foundation.
- European Association of Service providers for Persons with Disabilities (‘EASPD’).
- European Network for Accessible Tourism (‘ENAT’).
- Spanish Association for Standardization (‘UNE’).
- Johannes Kepler Universität Linz.
- Subcontractors providing support to the foregoing, such as the national experts assigned to the 27 EU countries.
- Process expert organizations, i.e. Deloitte, BCD Meetings and Events and UNISYS.
Why and how do we collect your personal data?
The European Commission collects and uses your personal data for the following purposes:
- Sending of the Newsletter.
- Sending of surveys.
- Event management and organization.
These processing activities will be performed under the responsibility of the European Commission as Data Controller, regarding the collection and processing of personal data.
As for the collection of the personal data, the European Commission will obtain the personal data through the following means:
Applicant forms collected via the ‘Accessible EU’ center website (https://accessible-eu-centre.ec.europa.eu/index_en)
On what legal ground(s) do we process your personal data?
Processing activities based on the data subject's consent
We process your personal data because you have given your consent –representing your organisation– to the processing of your personal data for the purpose of becoming a member of AccessibleEU community of practice, entailing the purposes described in the previous section.
Given that the legal basis for this processing activity is the consent of the data subject, he/she may withdraw his/her consent, in a free and accessible way, at any time, through the means indicated in Section 9. Nevertheless, such withdrawal of the consent will not affect to the validity and lawfulness of the processing activities carried out until that moment.
Notwithstanding the foregoing, the personal data obtained by the Data Controller for this purpose could have been provided by a Consortium member (identified in Section 1) according to the information provided by such organization and to the legal basis identified and applied by the mentioned Consortium member. In that case, the processing activity to be performed by the Data Controller will be carried out under the same purposes as described above, in order to register and include the data subject in the Community of Practice.
For the development of this processing activity, the following categories of personal data will be processed: identification data (name, surname, nationality), contact data (email address and profiles on LinkedIn and Twitter) and labor data (areas of expertise).
Provided that the data subject provides his/her authorization, the Data Controller will periodically send a Newsletter and lighter updates containing information about AccessibleEU, its activities, the events organized by the European Institutions or third parties collaborating with the Controller and information concerning activities of the European Commission related to accessibility. Such communications could also include invitations for the data subject to be part of the Community of Practice.
As indicated before, the data subject may withdraw his/her consent, in a free and accessible way, at any time, through the means indicated in Section 9. Nevertheless, such withdrawal of the consent will not affect to the validity and lawfulness of the processing activities carried out until that moment.
For the development of this processing activity, the following categories of personal data will be processed: identification data (name, surname), contact data (email address).
In the event that the data subject expressly authorizes it, his/her personal data will be transferred to the third parties that are member of the Consortium created by the European Commission (identified in Section 1), to allow them to develop their activities referred for implementing and enforcing accessibility rules with experts and professionals from all areas of accessibility, to share good practices across sectors, to inspire policy development at national and EU level, as well as to develop tools and standards aiming to facilitate implementation of EU law.
The mentioned transfer will also be performed to permit such third parties to send their own communications about their activities related to the implementing and enforcing of accessibility.
The mentioned consent will be requested and obtained through the different forms implemented in the webpage (e.g.: for the participation in specific events organized by the Controller).
For the development of this processing activity, the following categories of personal data will be processed and transferred: identification data (name, surname), contact data (email address, telephone number), data related to accessibility needs, nationality.
The data subjects who have previously accepted the reception of communications and the newsletter of AccessibleEU and the data subjects defined as privileged contacts (described in section 3.2.c) will receive invitations to events, briefings and similar meetings organized by such Controller or by the members of the Consortium.
These invitations may be sent by any means, including telematic means such as email.
Likewise, this processing activity will include the management of the access of the guests to the events and the registration of their attendance. This activity will only be performed when the data subject requests for the participation and assistance to a specific event, providing his/her consent to process the necessary personal data to allow his/her attendance and participation.
In addition, in the event that the data subject has requested for his/her participation in an event organized by any third party (Consortium), the data subject’s personal data will be transferred to such organizers in order to properly manage and allow the participation in the referred event.
For the development of this processing activity, the following categories of personal data will be processed: identification data (name, surname), contact data (email address, telephone number), data related to accessibility needs, nationality.
In the event that the data subject expressly authorizes it, the Controller will process the personal data of the data subjects whose personal data have been collected through the organization of events, the acceptance of the newsletter and the privileged contacts with the purpose of sending them periodic surveys related to AccessibleEU functioning, initiatives, or any other matter related to the improvement and enforce of accessibility.
According to the answers extracted from these surveys, the Controller may make decisions that are necessary to improve the conditions to protect and enforce the accessibility and the interests of people with disabilities. Nevertheless, the results obtained from the surveys will be processed in an anonymous way. Therefore, no personal data related to the responses provided by the data subjects will be processed.
For the development of this processing activity, the following categories of personal data will be processed: identification data (name, surname) and contact data (email address), data related to accessibility needs. The results of the survey will only show anonymized information.
Which personal data do we collect and further process?
The personal data processed for each of the processing activities are listed in the previous Section.
How long do we keep your data?
The European Commission only keeps your personal data for the time necessary to fulfil the purpose of collection or further processing, namely until:
- you select to opt out from any communication from AccessibleEU or indicate your wish for your organisation to be represented by a different contact person or to be wholly removed from any/all of the activities of AccessibleEU. You can write to the functional mailbox accessibleeu
fundaciononce [dot] es (accessibleeu[at]fundaciononce[dot]es). Appropriate action shall be taken within one week of receiving the request. - The end of the contract period for the support services of AccessibleEU in December 2026.
How do we protect and safeguard your personal data?
All personal data in electronic format are stored on the servers of the European Commission. All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.
The Commission’s contractors are bound by a specific contractual clause for any processing operations of personal data on behalf of the Commission, and by the confidentiality obligations deriving from the transposition of the General Data Protection Regulation in the EU Member States (‘GDPR’ Regulation (EU) 2016/679). Access to the personal data is only given on a need to know basis.
In order to protect your personal data, the Commission has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.
Who has access to your data and to whom is it disclosed?
Access to your personal data is provided to the Commission staff responsible for carrying out this processing operation and to authorised staff according to the “need to know” principle.
Such staff abide by statutory, and when required, additional confidentiality agreements.
The controller will transmit your personal data to its contractor (processor) based on a contract pursuant to Article 29 of Regulation (EU) 2018/1725.
The personal data of the data subjects may be communicated to the following recipients:
- Administrations, Authorities and/or other Public Bodies, including Courts and Tribunals, always in accordance with the provisions of current regulations on the protection of personal data.
- Police Forces or similar organisms, in order to comply with obligations and always within the functions that such authorities have entrusted by Law.
- Third parties involved in the activities lead or promoted by the Data Controller.
- Consortium members, as identified in Section 1, whether the data subject has authorized such transfer.
- Where the data subject has requested for his/her participation in a specific event, his/her personal data will be transferred to the third party that organizes it.
- In addition, the companies that support the Data Controller in the fulfillment and management of its activity, may also be recipients of the information, as data processors.
The information we collect will not be given to any other third party, except to the extent and for the purpose we may be required to do so by law.
What are your rights and how can you exercise them?
You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access your personal data and to rectify them in case your personal data are inaccurate or incomplete. Where applicable, you have the right to erase your personal data, to restrict the processing of your personal data, to object to the processing, and the right to data portability.
You have consented to provide your personal data to the European Commission for the present processing operation. You can withdraw your consent at any time by notifying the Data Controller. The withdrawal will not affect the lawfulness of the processing carried out before you have withdrawn the consent.
You can exercise your rights by contacting the Data Controller or, in case of conflict, the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.
Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under Heading 10 below) in your request.
Contact information
- The Data Controller
If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller, European Commission, Directorate-General for Justice and Consumers JUST-D4ec [dot] europa [dot] eu (JUST-D4[at]ec[dot]europa[dot]eu)
- The Data Protection Officer of the European Commission
You may contact the Data Protection Officer (data-protection-officerec [dot] europa [dot] eu (data-protection-officer[at]ec[dot]europa[dot]eu)) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.
- The European Data Protection Supervisor (EDPS)
You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor, https://edps.europa.eu:data-protection/our-role-supervisor/complaints_en or edpsedps [dot] europa [dot] eu (edps[at]edps[dot]europa[dot]eu), if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.
Where to find more detailed information?
The European Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him. You may access the register via the following link: http://ec.europa.eu/dpo-register.
This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-31928.1