Skip to main content
European Citizens' Initiative

Data protection

Data Protection guidance for the organisers of the European citizens' initiatives

Key principles

When collecting statements of support for their initiative, organisers process signatories' personal data on a potentially large scale. The representative of the group of organisers (or the legal entity specifically created to manage the initiative, if any) is responsible for processing these personal data and is the so-called data controller.

Where the collection and/or transfer of the collected statements of support is carried out through the central online collection system, the European Commission steps in to alleviate the responsibility of the organisers by acting as a joint data controller for these processing operations.

In case the required number of statements of support has been collected by the group of organisers, these statements are then submitted to the competent national authorities for verification and certification. The national authorities are considered to be data controllers as regards these processing operations.

The data controller has to comply, and ensure compliance, with the data protection obligations and rules of the General Data Protection Regulation (GDPR).

Key terms

Take a look at the glossary related to data protection in the context of the European citizens’ initiative.

Which are the processing operations the organisers are expected to carry out under the ECI Regulation?

  • Processing of signatories’ statements of support:

In order to support an initiative, a signatory needs to complete a statement of support form, providing a set of their personal data. In case of statements of support signed online using eID, these data are imported from a national eID system.

If an initiative successfully collects the required number of statements of support, these statements are submitted to Member States for verification and certification. Personal data collected as part of statements of support cannot be used for any other purpose, such as support for initiatives other than the one for which it has been given, or transferring of the collected data to any other organisation.

  • Processing of signatories’ email addresses:

Optional collection of email addresses of those signatories who wish to be further informed on the progress of the initiative they have signed is also allowed.

Email addresses may not be collected as part of the statement of support forms, but they may be collected simultaneously, provided the signatories are informed that their right to support an initiative is not conditional on giving their consent to collecting their email address.

These email addresses can be only used to inform signatories wishing so on the progress of the initiative they have signed. They cannot be used for other purposes, such as providing signatories with commercial offers or information on a different initiative. They are not subject to Member States’ verification.

  • Processing of personal data of initiative sponsors:

Moreover, the Regulation on the European citizens’ initiative provides some rules regarding the processing of initiative sponsors' data

Articles 17, 18, 19(1) and 19(3) of the Regulation on the European citizens’ initiative specify how these data can be processed.

Data controllership: case scenarios for collection and transfer of statements of support

There are 2 broad case scenarios:

Case scenario 1

  • collection of statements of support is carried out via the Commission central online collection system (joint controllership between the Commission and the representative of the group of organisers)
  • submission of statements of support to Member States’ competent authorities for verification is operated using the Commission’s file exchange service (joint controllership between the Commission and the representative of the group of organisers).

Case scenario 2

  • collection of statements of support is carried out using paper forms and/or via the group of organisers’ own (individual) online collection system (sole controllership of the representative of the group of organisers)
  • submission of statements of support to Member States’ competent authorities for verification is operated either by the group of organisers’ own means (sole controllership of the representative of the group of organisers) OR using the Commission’s file exchange service (joint controllership between the Commission and the representative of the group of organisers).

Please note:

  • The organisers may choose to collect statements of support on paper and online or by using only one of these collection modes
  • While collecting online, the organisers need to choose between using a central online collection system or an individual one, as those two cannot be combined
  • In case the organisers collect statements of support online using the central online collection system and in parallel on paper, different rules may apply to these different collection modes (as described in this document with regard to Case scenario 1 and Case scenario 2).

Questions and answers on data protection for the organisers

  1. Central online collection system – what are the obligations of the Commission and the representative of the group of organisers as joint controllers?
  2. Individual online collection system and collection on paper forms - what are the obligations of the representative of the group of organisers as sole data controller?
  3. ‘Sensitive data’ - when do the signatories’ data qualify as a special category of data?
  4. Security – what steps should you take when collecting signatories’ data on paper?
  5. Security – what are the requirements when collecting signatories’ data using an individual online collection system
  6. When and how should you carry out a data protection impact assessment?
  7. How should you prepare a data processing record
  8. What is the role of a Data Protection Officer (DPO)?
  9. What information should you give to citizens when collecting their data?
  10. What should you do when handling data processing-related requests from signatories?
  11. What should you do in case of a personal data breach?
  12. What is your liability as data controller?
  13. Submission of the collected statements of support to Member States for verification - who is data controller?
  14. Submission of the collected statements of support to Member States for verification – what are the security recommendations?
  15. Submission of the collected statements of support to Member States for verification – what are the roles and responsibilities when using the Commission file exchange service?
  16. What are the data retention time limits?
  17. Which national supervisory authority should you contact for issues relating to the processing of personal data?
  18. Support and funding – what should you be aware of when processing personal data?

Questions and answers on data protection for signatories

See the specific section under FAQ

What are the rules to comply with when processing personal data?

Contacts at national level

  • The contact details of the national authorities responsible for verifying and certifying statements of support are available here.
  • The contact details of the national data protection authorities are available here.

Privacy policy of the European Commission in the context of the European citizens’ initiative

The privacy statements used for the various processing operations carried out by the European Commission in the context of implementation of the European citizens’ initiative instrument are published on the dedicated privacy policy website.

DISCLAIMER

The present guidance is intended to contribute to a better understanding of EU data protection requirements applying to processing operations provided for under Regulation (EU) 2019/788 on the European Citizens’ Initiative (ECI Regulation). Only the texts of the Regulation on the European citizens' initiative, the General Data Protection Regulation (GDPR) and the Regulation on the protection of natural persons with regard to the processing of personal data by the EU institutions (EUDPR) have legal value. This guidance cannot replace the applicable legal framework, including, where applicable, binding contracts such as joint controllership agreements.

This guidance provides practical information to organisers of citizens' initiatives and should not be seen as giving rise to any enforceable right or legitimate expectation. In particular, this guidance is without prejudice to the responsibility of the representative of the group of organisers, as data controller, pursuant to Article 5(2) of the GDPR, to comply and ensure compliance with the obligations and rules of the GDPR.

The binding interpretation of EU legislation is the exclusive competence of the Court of Justice of the European Union. The views expressed in this guidance are without prejudice to the position that the Commission might take before the Court of Justice.

As this guidance reflects the state of the art at the time of its drafting, it should be regarded as a 'living tool' open for improvement and its content may be subject to modifications without notice.

Want to learn and collaborate?