Processing operation: Promoting and facilitating the European Citizens’ Initiative (ECI) through an Online Collaborative Platform (the European Citizens’ Initiative Forum)

Data Controller: European Commission

Operational Data Controller: Unit SG.DSG1.A.1 'Policy Priorities & Work Programme'

Record reference: DPR-EC-00828

1. Introduction

This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor.

The European Commission (hereafter ‘the Commission’) is committed to protect your personal data and to respect your privacy. The Commission collects and further processes personal data in conformity with  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (repealing Regulation (EC) No 45/2001).

This privacy statement concerns the processing operations of the European Citizens’ Initiative (ECI) Online Collaborative Platform ('Platform') undertaken by Unit SG.DSG1.A.1. 'Policy Priorities & Work Programme'.

The operation of the Platform is outsourced by the Commission to an external contractor ('Platform Operator'). The contractor is EUROPEAN CITIZEN ACTION SERVICE, a non- profit organisation registered under the laws of Belgium, having its registered office at Avenue de la Toison d’or, 77, B-1060 Brussels, Belgium. On behalf of the Commission, the Platform Operator acts as data processor with regard to the Registered Users' personal data.

2. Why and how do we process your personal data?

Purpose of the processing operation:

The Platform offers support on preparing European citizens' initiatives and stimulates debate around them and also around the instrument as such and its implementation [1].

The Platform serves the current and potential ECI organisers, experts, civil society stakeholders, the Commission and other institutions and more generally all citizens interested in the ECI.

It is meant to help (potential) organisers interested in starting an ECI to find partners in Europe to form the required group of organisers, formulate the content of their initiative together with more experienced participants, prepare campaigns, learn how to raise funds and run a campaign and exchange experiences and best practices with other organisers. The Platform also allows all interested citizens to participate in, and to follow the discussions concerning both the initiatives at their different stages and those relating to the horizontal aspects of the functioning of the ECI instrument.

The main features of the Platform are:

  • a News & Discussion Forum i.e. online discussion and blog articles on ECI topics with a view to fostering interaction between members of the ECI community, information and best practice exchange, partner identification, etc.

  • a learning space offering guidance materials on relevant aspects on an ECI lifecycle, and

  • a Helpdesk, offering an enquiries and direct support mechanism.

We collect and use your personal information to allow your connection and further interaction with the Platform and its other registered Users, and to facilitate community building, collaboration and exchange among the Users. In particular, your name, and your photo if any, will appear next to inputs which you may provide on the Platform and the other Users will be able to consult the information in your Profile (with the exception of your email address). You may also appear in results of the search performed by the other Users based on "country of residence" and "area of interest" criteria. 

We collect and further process your personal information in the following way:

  • Some of your data are processed by means of automated operations. In particular:

    • upon your first connection with the Platform, once you ask to register as Platform Registered User (by clicking the relevant field in the web form), your first name, family name and e-mail address are automatically imported to the User Profile from the 'EU Login' application (where Registered Users need first to be registered and logged in) [2]

    • once registered, your name, and your photo, if any, will be automatically published next to any contribution you publish on the Platform;

  • You manually complete, save and edit the personal data and other information in your User Profile (with the exception of data imported from 'EU Login');

  • The communication of your email address to another Registered User requires your specific authorisation;

  • Other operations concerning your data are performed manually (in electronic form) by the Platform Operator. The following operations are concerned in particular:

    • handling of your data protection related requests (notably the requests to delete a User Profile sent by email).

The personal data processed may be reused for the purpose of procedures before the EU Courts, national courts, the European Ombudsman or the European Court of Auditors.

Your personal data will not be used for an automated decision-making including profiling.

3. On what legal ground(s) do we process your personal data

The Platform is implemented based on Article 4(2) of Regulation 2019/788 on the European citizens’ initiative.

If you are an external user, the processing of the data you are requested to provide as mandatory ones is lawful in accordance with Article 5(1)(a) and (b) of Regulation (EU) 2018/1725, which refers to a situation where 'processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body' and '(…) for compliance with a legal obligation to which the controller is subject'.

The processing of additional data which you may provide optionally is based on your consent, and it is therefore lawful in accordance with Article 5(1)(d) of Regulation (EU) 2018/1725, which refers to a situation where 'the data subject has given consent to the processing of his or her personal data for one or more specific purposes'.

Taken alone, your processed data do not fall in one of the categories for which processing is prohibited by Article 10(1) of Regulation (EU) 2018/1725 ('special categories of personal data') unless any of the reasons under Article 10(2) of Regulation (EU) 2018/1725 applies. However, the fact of engaging in the Platform activities in view of organising a specific initiative may reveal your political opinions. Sensitivity of your personal data may thus stem from the political sensitiveness of the initiative concerned.

Depending of the subject matter and sensitivity of your initiative your processed personal data may be thus considered as data revealing political opinions.

In this case the processing is not prohibited, as it is based on your explicit consent to the processing of those personal data for specified purposes, in line with Article 10(2)(a).

If you are a Platform Administrator, your data are processed on the contractual basis as referred to in Article 5(1)(c) ('Platform Operator') and Article 5(1)(a) and (b) (Commission staff in charge of the ECI or the Platform’s IT tool) of Regulation 2018/1725.

4. Which personal data do we collect and further process?

In order to connect with the Platform as a Registered User (including Platform Administrators) you need first to register via the European Commission 'EU Login' Authentication Service.

Your data provided on this occasion is subject to the privacy statement of the European Commission Identity & Access Management Service (IAMS)[3].

When you are registered and identified via 'EU Login' Authentication Service, upon your first connection with the Platform, a User Profile will be created for you in the Platform database, where your first name, family name and email address will be automatically imported from the database managed by the IAMS.

You will be further invited to provide the following personal data/information in order to complete your User Profile (optional):

  • nationality

  • preferred language

  • country of residence

  • age group

  • gender

  • interest area

  • profession/role

  • background and motivation to use the Platform

  • photo

Your contributions and comments on the Platform as well as the exchanges with the helpdesk may also contain personal data or be considered as such.

5. How long do we keep your personal data?

We only keep your personal data for the time necessary to fulfil the purpose of collection or further processing. The following time limits shall apply:

  1. Information you have provided as part of your registration at the EU Login Authentication Service

Time limits of the retention of data in the EU Login Authentication Service are defined in the privacy statement of the European Commission's Identity Management Service [4].

  1. Data you have provided as part of your User Profile (as Registered User including Platform Administrator)

Personal data contained in your User Profile, including contributions and comments on the Platform as well as the exchanges with the helpdesk, will be kept (on the site) as long as you remain active, you have not deleted data in your Profile by yourself and you have not requested the Platform Administrator to remove your User Profile from the Platform.

After two years of continuous inactivity, your User Profile will be deleted automatically without the need to submit a specific request to do so.

To ensure the consistency of the Platform and the coherence of its content, your contributions and comments as well as the exchanges with the helpdesk will be kept on the Platform in an anonymised version in case of an eventual deletion of your User Profile (at your request or automatically after two years of not being active on the Platform). 

6. How do we protect and safeguard your personal data?

In order to protect your personal data, the Commission has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.

All personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are stored either on the servers of the European Commission or of its contractors (and subcontractors).

The Platform database is securely hosted in the Commission Data Centre Hosting Service. Patches and updates are regularly installed by the IT team to keep the servers protected against intrusion and malicious access. All processing operations carried out using the communication and information systems of the European Commission are subject to the Commission IT Security Decision (EU, Euratom) 2017/46 of 10 January 2017.

7. Who has access to your personal data and to whom is it disclosed?

Access to your personal data is provided to the Commission and the Platform Operator staff members responsible for carrying out this processing operation. Access is limited based on the 'need to know' principle and the staff members concerned abide by statutory (in case of Commission), and contractual (processor) confidentiality agreements.

Your first name and family name, as well as your photo if any, will be displayed next to any content you publish on the Platform and thus will be visible to the general public.

The data and information contained in your User Profile (with the exception of your email address) will be visible to all the Registered Users.

The full content of your User Profile including your email address will be visible to the Platform Administrators.

Your email address being part of your User Profile will be only communicated to the other individual Registered Users, if you explicitly agree to communicate these data via a dedicated functionality of the Platform:

  • In case another Registered User wants to contact you individually he can fill in a contact form provided on the Platform by providing your name and the content of the message to be sent. You will then receive the message from this User at the email address used by your EU Login account. The email address of the User who contacted you will appear if you reply to his message. Sending him a reply will provide him with your email address.

  • Conversely, in case you want to contact individually another Platform User you will need to use the same Platform functionality and provide thereby the User concerned with your e-mail address.

The information we collect will not be given to any third party, except to the extent and for the purpose we may be required to do so by law.

8. What are your rights and how can you exercise them?

You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access your personal data and to rectify them in case your personal data is inaccurate or incomplete. You have the right to request to erase your personal data, to restrict the processing of your personal data and to object to the processing.

The processing of optional personal data you provided in your User Profile is based on your consent. You can withdraw your consent at any time by deleting the respective information in your User Profile or by contacting the Data Controller. The withdrawal will not affect the lawfulness of the processing carried out before you have withdrawn the consent.

You can exercise your rights by contacting the Data Controller and/or the Data Processor (Platform Operator), or in case of conflict the Data Protection Officer and if necessary the European Data Protection Supervisor, using the contact information given under Heading 9 below.

As regards the information you have provided as part of your registration at the EU Login Authentication Service, please consult the specific privacy statement of the European Commission's Identity Management Service [4].

Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under Heading 9 below) in your request.

Any request for access to personal data will be handled within one month upon receipt of the request. Any other request mentioned above will be addressed within 15 working days.

You can also directly exercise your rights as regards the information you have provided as part of your Registered User Profile: you can check, modify, update and delete the information in your User Profile online by yourself directly (with the exception of the information imported from the EU Login Authentication Service).

9. Contact information

If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please contact:

  • The  operational Data Controller:

European Commission

Secretariat General

Directorate A 'Strategy, Better Regulation & Corporate Governance'

Unit A.1 'Policy Priorities & Work Programme '
B – 1049 Brussels, Belgium

Tel. +32 2 29 92165

Fax. +32 2 29 66655

E-mail: SG-ECI-mailing@ec.europa.eu

  • The Data Processor (ECI Platform Operator):

EUROPEAN CITIZEN ACTION SERVICE,

Avenue de la Toison d’or, 77

B-1060 Brussels, Belgium

Email: ECIforum@ecas.org

  • The Data Protection Officer (DPO) of the Commission

You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.

  • The European Data Protection Supervisor (EDPS)

You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor (edps@edps.europa.eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.

10. Where to find more detailed information?

The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him. You may access the register via the following link: http://ec.europa.eu/dpo-register.

This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-00828.

General information on personal data protection in the context of the ECI implementation can be found at: https://europa.eu/citizens-initiative/how-it-works/data-protection

[1] For more information on the European Citizens’ Initiative, see https://europa.eu/citizens-initiative

[2] See data processing notification DPO-839.4 Identity & Access Management Service (IAMS) at http://ec.europa.eu/dpo-register and the corresponding specific 'EU Login' Privacy Statement .

[3]    See data processing notification DPO-839.4 Identity & Access Management Service (IAMS) at http://ec.europa.eu/dpo-register and the corresponding specific privacy statement. Please consult this specific privacy statement for the relevant information corresponding to points 4-9 of the present privacy statement.

[4] https://intragate.ec.europa.eu/cas/privacyStatement.html