When collecting statements of support for their initiative, organisers process signatories' personal data on a potentially large scale. The representative of the group of organisers (or the legal entity specifically created to manage the initiative, if any) is responsible for processing these personal data and is the so-called data controller.
Where the collection and/or transfer of the collected statements of support is carried out through the central online collection system, the European Commission steps in to alleviate the responsibility of the organisers by acting as a joint data controller for these processing operations.
In case the required number of statements of support has been collected by the group of organisers, these statements are then submitted to the competent national authorities for verification and certification. The national authorities are considered to be data controllers as regards these processing operations.
What are the rules to comply with when processing personal data?
For the representative: the General Data Protection Regulation (GDPR) and the relevant national provisions
For the European Commission: the Regulation on data protection obligations for EU institutions
More generally: the Regulation on the European citizens' initiative and its specific provisions on data protection (see Article 19).
Obligations of data controllers - Case scenario 1
The European Commission and the representative of the group of organisers act as joint data controllers, based on a standard joint controllership agreement.
The Commission takes on the majority of the obligations described in the section above:
- It sets up and operates the online collection system
- It establishes a data protection impact assessment and a record of the processing activities
- It provides the service of the Data Protection Officer
- It ensures that the signatories are presented with the appropriate privacy statement and that their questions and requests under GDPR/Regulation 2018/1725 are given a proper follow-up
- It ensures the transfer of the collected statements of support to Member States for verification and destroys the collected statements of support in line with the applicable data retention periods.
The obligations of the representative are limited to the following:
- They decide on the start date and the end date of the collection of statements of support, as well as the date of transfer of the collected statements of support to Member State authorities
- They transfer to the Commission the data subjects’ requests for further handling
- They inform the Commission in case standard data retention time limits need to be adjusted in accordance with Article 19 of the Regulation on the European citizens’ initiative.
Obligations of data controllers - Case scenario 2
The representative of the group of organisers acts as sole data controller and must ensure that data are processed in line with the General Data Protection Regulation (GDPR) and the Regulation on the European citizens’ initiative.
In particular, the representative of the group of organisers must:
- Prior to the processing, assess the impact of the processing operations on the data subjects’ rights and freedoms, which includes assessing whether the data collected are sensitive (if signatories’ data are sensitive, a position of Data Protection Officer should be set up)
- Establish and maintain a record of processing activities to demonstrate that processing is performed in accordance with the GDPR
- Take appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing
- Inform the signatories (in particular via a privacy statement following a model set up in Annex III to the Regulation on the European citizens’ initiative) about the processing of their personal data, how their protection is ensured and what rights the signatories may exercise in relation to their personal data (when collecting on paper, such a privacy statement should be made separately available to the interested signatories in the form of hand-outs)
- Ensure the appropriate follow-up to signatories' questions and requests under the GDPR
- Ensure data security while transferring collected statements of support to Member States for verification
- Ensure that personal data collected as part of statements of support are not used for any purpose other than supporting that specific initiative
- Destroy all statements of support and any copies in line with the applicable data retention periods.
Contacts at national level
The contact details of the national authorities responsible for verifying and certifying statements of support are available here.
The contact details of the national data protection authorities are available here.
Please note that this webpage provides limited information and does not cover rules as regards personal data processing in the context of collection of signatories' email addresses, initiative sponsors, initiative voluntary collaborators, etc.