Protection of personal data at the General Secretariat of the Council

At the General Secretariat of the Council of the European Union (GSC) we are strongly committed to protecting the personal data of all individuals who come in contact with us.

For the EU at large, the data protection rules are set out in what is commonly known as the General data protection regulation (GDPR). However, as far as the EU institutions, including the Council, are concerned, a 'sister regulation' applies to the protection of the personal data of individuals in their dealings with those institutions. Regulation (EU) 2018/1725 and the GDPR offer individuals the same level of protection and rights. For that reason, those two regulations are interpreted and applied, as far as possible, in the same manner.

• Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC
• Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the EU institutions, bodies, offices and agencies and on the free movement of such data, and repealing regulation (EC) No 45/2001 and decision No 1247/2002/EC

Regulation (EU) 2018/1725

EU regulation 2018/1725, on the protection of personal data by the EU institutions, bodies, offices and agencies

The purpose of the regulation is to protect the freedoms and fundamental rights of individuals with regard to the processing of personal data by the EU institutions and bodies.

It determines the principles and obligations which the EU institutions must observe and fulfil when processing personal data. According to those principles, the EU institutions must ensure that personal data are:

• processed only for clearly defined and legitimate purposes
• accurate, adequate, relevant and not excessive
• processed fairly and lawfully and in a secure manner
• processed in a transparent manner by informing the individuals concerned and respecting their rights
• not kept for any longer than necessary
• processed and documented in a way that can demonstrate compliance with the data protection rules
• not transferred to third parties without adequate precautions

It defines the obligations of the entities processing personal data (data controllers and/or processors) and the rights of individuals whose personal data are processed (data subjects).

The regulation also provides for an independent supervisory authority, the European data protection supervisor (EDPS), and for the appointment of a data protection officer (DPO) in each EU institution, agency and body.

Role of the European data protection supervisor

The European data protection supervisor (EDPS) is the supervisory authority of the European institutions and agencies. 

It is responsible for ensuring that the fundamental rights and freedoms of natural persons, and in particular their right to privacy, are respected by the EU institutions. It does so by:

• monitoring and enforcing the application of the regulation
• promoting public awareness
• providing information to data subjects about the exercise of their rights
• handling complaints by data subjects
• conducting investigations in relation to data protection issues
• advising the EU institutions and, as of lately
• issuing fines for failures to comply with the regulation

Individuals have the right to lodge a complaint with the EDPS at any time, although it is recommended first to contact the department in the Council responsible for handling the personal data concerned and/or the Council's data protection officer.

The EDPS can be contacted via email.

• European data protection supervisor (email)
• European data protection supervisor

Role of the data protection officer of the Council Secretariat

The role of the data protection officer (DPO) is to ensure in an independent manner the correct application of the data protection rules within the General Secretariat of the Council (GSC).

Thus he/she contributes to the protection of the rights and freedoms of individuals whose personal data are processed by the GSC. To this end, with the support of the data protection unit, the DPO:

• develops general awareness of data protection obligations
• provides advice to staff and services on data protection
• signals lack of compliance with the applicable rules

In addition, the DPO can guide and support the controllers in their obligations to implement the data protection principles and rules by offering his/her advice. Apart from the general advisory role, the DPO can voluntarily or on request lead investigations into data protection-related matters. The DPO also responds to requests from, and cooperates with, the European data protection supervisor.

You may contact the data protection officer for advice or for requests to investigate a particular matter, access to personal data or any occurrence directly related to his/her tasks.

The DPO can be contacted directly by email.

• Data protection officer (email)

What personal data is processed at the Council Secretariat?

Although most of the personal data processed by the GSC relate to its staff, a substantial quantity of personal data is also handled in relation to all the people who use the house in relation to the activities of the Council and the European Council (ministers, delegates, officials of other institutions, journalists, visitors).

The personal data of citizens are for the most part processed only when those citizens enter into contact with the General Secretariat of the Council, for example if they request a document, subscribe to our email services, visit the Council buildings. 

What is the data protection register?

The register is a database containing records with information about each type of personal data processing operation carried out by the GSC.

The information in the record comprises the name of the processing operation, its legal basis, its purpose, the data subjects and categories of data, the retention period, the recipients of the personal data or a general description of technical and organisational measures.

Practical information about the protection of your personal data

How can you find out if the GSC is processing your personal data?

The GSC register of personal data processing operations will help you find what types of data processing operations may be applicable to you.

Alternatively, the contact details of each data controller are indicated in the register. If you need more information about a particular data processing operation, you should contact the data controller with a copy to the data protection officer.

In case of doubt, you can also contact the DPO to find out more information about your personal data.

What are your rights as a data subject? 

As a data subject (i.e. an individual whose personal data are processed by the GSC) you have the right to:

• be informed of the existence of a data processing operation concerning you and its main characteristics
• have access to your personal data being processed at the GSC
• obtain from the controller, without delay, rectification of any inaccurate or incomplete personal data
• lodge a complaint with the EDPS
• withdraw consent at any time, where the processing activity is based on your consent.

In certain circumstances you may ask the data controller to exercise your specific rights, such as:

• blocking the processing of your personal data
• erasing your personal data
• objecting to the processing of your personal data

You can request access to your personal data by sending an email to the data controller with a copy to the DPO. Their contact details are in the records. There is no specific requirement to word your request in a certain way.

However, for practical reasons it is advisable to provide a description of the processing operation which may concern your personal data and to provide a copy of an identification document to confirm your identity (ID card or passport).

This document should contain an identification number, country of issue, period of validity, your name, address and date of birth. Any other data contained in the copy of the identification document, such as a photo or any personal characteristics, may be blacked out.

Video surveillance on the premises of the Council Secretariat

For the safety and security of our staff, visitors, buildings, assets and information, and for logistical reasons, some parts of GSC premises are equipped with a video protection system.

The GSC's policy on the use of video systems describes the safeguards taken to protect the personal data, privacy and other fundamental rights and legitimate interests of individuals viewed by video protection cameras on GSC premises.

The policy fully complies with the requirements of the data protection regulation and with the European data protection supervisor's video surveillance guidelines. 

• GSC policy on the use of video systems
• EDPS video surveillance guidelines

For access to your personal data collected as a result of video camera use on our premises, please address your requests by email to the director of safety and security with the data protection officer in copy.

• Director of safety and security (email)
• Data protection officer (email)

Please note: You must attach a recent good quality photograph of yourself as well as a copy of your identity card/passport to your request.