European Commission

1. Introduction

The European Commission (hereafter ‘the Commission’) is committed to protect your personal data and to respect your privacy. The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (repealing Regulation (EC) No 45/2001).

This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor.

The information in relation to the processing operation “personal data processing in the context of the administration of access rights to the secondary repository established under Commission Implementing Regulation (EU) 2018/574” undertaken by the European Commission’s Directorate-General for Health and Food Safety (hereinafter DG SANTE) is presented below.

2. Why and how do we process your personal data?

Purpose of the processing operation:

DG SANTE collects and uses your personal information to:

1. create your personal electronic account enabling you to review all or selected parts of the tobacco-traceability data stored in the secondary repository, and use the relevant services provided by the operator of the secondary repository;
2. if applicable, enable you to access selected parts of the tobacco-traceability data through the mobile inspection application downloaded to your mobile device;
3. facilitate your communication with the operator of the secondary repository, by enabling the latter to contact you directly and reply to your requests via the EU secondary user interface.

The operator of the secondary repository, Dentsu Aegis Network (‘Dentsu’), collects your personal data through:

1. an online registration form you need to fill in to finalise the creation of your personal electronic account that allows you to review all or selected parts of the tobacco-traceability data stored in the secondary repository, and use the relevant services provided by the operator of the secondary repository;
2. relevant requests sent to Dentsu either via email when users face difficulties in using the online registration form or via the distribution centre when users are downloading the mobile inspection application enabling them to access selected parts of the tobacco-traceability data.

Once your personal data is collected, it is stored on the servers operated by Dentsu.

Your personal data may be then further processed when Dentsu: a) needs to contact you to answer to your request(s) or send you alerts via email; b) provide specific services through the service desk website.

Your personal data will not be used for an automated decision-making including profiling.

3. On what legal ground(s) do we process your personal data

We process your personal data, because:

processing is necessary for the performance of a task carried out in the public interest. In particular, processing is lawful since it is necessary for the proper functioning of the tobacco products traceability system carried out in the public interest, namely for the tobacco control purposes referred to in Directive 2014/40/EU and Commission Implementing Regulation (EU) 2018/574.

4. Which personal data do we collect and further process?

In order to carry out this processing operation, DG SANTE collects and stores the following categories of personal data:

• Name;
• E-mail address
• Organisation
• Country of residence
• Type of user profile (e.g. National Administrator, Advanced User, Standard User, Field Inspector)
• ID of the mobile device where mobile inspection application is loaded.

The provision of personal data is mandatory to meet a statutory requirement of maintaining the history of users access in line with Article 25(1)(m) of Commission Implementing Regulation (EU) 2018/574. If you do not provide your personal data, you will be denied access rights to the secondary repository.

5. How long do we keep your personal data?

The processing of personal data by Dentsu will cease with the end of the concession contract (SANTE/2018/B2/063) singed between Dentsu and DG SANTE unless this contract is terminated sooner in accordance with its terms.

Upon expiry of this period, Dentsu will, at the choice of DG SANTE, return, without any undue delay in a commonly agreed format, all personal data processed on behalf of DG SANTE and the copies thereof or will effectively delete all personal data unless Union or national law requires a longer storage of personal data.

The overall duration of processing of personal data by Dentsu and potentially its successors appointed by the Commission to operate the secondary repository under future concession contracts will not exceed a five-year retention period following the removal of your access rights to the secondary repository.

6. How do we protect and safeguard your personal data?

All personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are stored on the servers operated by Dentsu in its capacity of the operator of the secondary repository. All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.

Dentsu, acting as the Commission’s contractor is bound by a specific contractual clause for any processing operations of your data on behalf of the Commission, and by the confidentiality obligations deriving from the transposition of the General Data Protection Regulation in the EU Member States (‘GDPR’ Regulation (EU) 2016/679).

In order to protect your personal data, the Commission has put in place a number of technical and organisational measures in place. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.

7. Who has access to your personal data and to whom is it disclosed?

Access to your personal data shall only be allowed to:

1. Authorised Commission staff responsible for carrying out this processing operation. Such staff abide by statutory, and when required, additional confidentiality agreements.
2. Authorised staff of Dentsu for the purposes of operating the EU secondary user interface and mobile inspection application enabling the data subjects to connect and have access to the EU secondary user interface. Dentsu staff’s access to your personal data shall be subject to id and password requirements.
3. Authorised staff of auditors appointed by the Commission. Such staff abide by statutory, and when required, additional confidentiality agreements.

8. What are your rights and how can you exercise them?

You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access, your personal data and to rectify them in case your personal data are inaccurate or incomplete. Where applicable, you have the right to erase your personal data, to restrict the processing of your personal data, to object to the processing, and the right to data portability.

You have the right to object to the processing of your personal data, which is lawfully carried out pursuant to Article 5(1)(a) on grounds relating to your particular situation.

You can exercise your rights by contacting the Data Controller, or in case of conflict the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.

Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description in your request.

9. Contact information

The Data Controller

If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact DG SANTE (SANTE-TT-DP@ec.europa.eu).

The Data Protection Officer (DPO) of the Commission

You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.

The European Data Protection Supervisor (EDPS)

You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor (edps@edps.europa.eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.

10. Where to find more detailed information?

The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him. You may access the register via the following link: http://ec.europa.eu/dpo-register.