PROTECTION OF YOUR PERSONAL DATA
This privacy statement provides information about the processing and the protection of your personal data.
Processing operation: European Migration Network Information Exchange System (EMN IES)
Data Controller: Directorate-General for Migration and Home Affairs
Record reference: DPR-EC-00932
Privacy Statement (10 July 2019)
European Migration Network Information Exchange System (EMN IES)
1. Introduction
The European Commission (hereafter ‘the Commission’) is committed to protect your personal data and to respect your privacy. The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (repealing Regulation (EC) No 45/2001).
This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor.
2. Why and how do we process your personal data?
The European Migration Network Information Exchange System (EMN IES) is a web-based platform developed by sub-contractors of the Commission with the objective to support the European Migration Network in sharing information and providing comparable information on migration and asylum. The EMN is composed of the Commission and national contact points designated by the Member States.
The EMN IES provides a secure electronic system coordinated and managed by the Commission to authenticate the identity of the users and to authorise access for migration and asylum professionals in Member States’ authorities, the EU institutions, certain international organisations, non-governmental organisations, and other entities to collaborate in migration and asylum-related issues.
This privacy statement covers the part of EMN IES that concerns the authentication, authorisation, registration, storage, deletion and use of the personal data of EMN IES users to permit their access to the system and various workspaces in it.
Certain personal data of all users are processed in EMN IES. Data subject users include staff of EU institutions, staff of national authorities and organisations in Member States and Schengen Associated Countries, staff of international organisations, staff of non-governmental organisations, staff of private companies and academic institutions and any other persons who have registered a user account in EMN IES.
The Commission acts as data controller of users’ personal data processed in the EMN IES.
Personal data of users shall only be processed in EMN IES in order to provide the service, verify the identity of users, manage permissions and enable contacts between users.
3. On what legal ground(s) do we process your personal data?
We process your personal data, because:
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
The Union law which forms the basis for the processing is Council Decision (2008/381/EC) establishing a European Migration Network based on Article 74 of the Treaty on the Functioning of the European Union. The objective of EMN is to meet the information needs of EU institutions and of Member States’ authorities and institutions on migration and asylum, by providing up-to-date, objective, reliable and comparable information on migration and asylum. Norway and Switzerland also participate in the work of the EMN. The EMN, among other things, collects and exchanges data from a wide range of sources, undertakes analysis of such data as well as coordinates information and cooperates with other relevant European and international bodies. According to point (e) of Article 2(1) of the Council Decision, the EMN shall create and maintain an Internet-based information exchange system which provides access to relevant documents and publications in the area of migration and asylum.
4. Which personal data do we collect and further process in the EMN IES?
In order to carry out this processing operation, the Directorate General for Migration and Home Affairs collects the following categories of user data:
- First name, last name
- E-mail address
- Telephone number
- Work address
- Scanned copy of passport identification page
- Organisation of employment and job title
- Log data: IP address and location, browser details, operating system, timestamps of creation and modification of account, most recent use, and other actions within the EMN IES.
The file containing the scanned copy of a user’s passport id page is deleted automatically upon decision to accept or decline the user.
All personal data for which the Commission is the controller in EMN IES is collected from users.
The provision of personal data is not a statutory or contractual requirement, but is necessary for the proper functioning of the system.
5. How long do we keep your personal data?
Your personal data will only be kept for the time necessary to fulfil the purpose of collection or further processing. More specifically, contact details collected from each user will be stored in EMN IES from the time the user submits the information until the user account is deleted. This applies to first name, last name, e-mail address, telephone number, work address and organisation of employment and job title.
The file containing a scanned copy of the user’s passport identification page is collected from the user during the creation of a new request for a user account and will only be used during the validation process. The file will be automatically deleted once the request has been treated, i.e. when a decision to accept or refuse the request has been taken.
Log data includes IP address and location, browser details, operating system, timestamps of creation and modification of account, most recent, and other actions within the EMN IES. Log data is retained in accordance with the Commission’s standard operating procedures and the Commission’s common retention list established on the basis of Article 6 of the Annex to Commission Decision 2002/47/EC, ECSC, Euratom of 23 January 2002 amending its Rules of Procedure.
6. How do we protect and safeguard your personal data?
The Commission ensures that the EMN IES complies with the requirements applicable to all IT systems at EU level on security of Information Systems and its implementing rules established by the Directorate of Security for these kind of services.
EMN IES users’ personal data are stored in a database hosted at the European Commission Data Centre, with specific security protection measures. All data, including personal data, in electronic format are stored either on the servers of the European Commission or of its contractors or sub-contractors. The Commission’s contractors are bound by a specific contractual clause for any processing operations of your data on behalf of the Commission, and by the confidentiality obligations deriving from the transposition of the General Data Protection Regulation in the EU Member States (‘GDPR’ Regulation (EU) 2016/679). All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.
At the level of the EMN IES, security measures applied include:
- Encryption: all documents possibly including personal data of third parties shall be encrypted
- Secure transfer: HTTPS protocol will be used for secure transfer
- Authentication and authorisation: EU Login – only users authenticated and whose identity and permission has been verified have access to EMN IES
- Hosting: the EMN IES (and thus the user data of the system’s users) is securely hosted.
All persons having access to personal data other than contact details of users are bound by confidentiality, data protection and non-disclosure agreements under specific contractual arrangements.
Moreover, in order to protect your personal data, the Commission has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.
7. Who has access to your personal data and to whom is it disclosed?
Users operating in the same Communities within EMN IES are able to see certain personal data of other users in those Communities. These categories of personal data are limited to contact details to enable contact between users.
The data subject users have access only to modify their own personal details. In very specific situations (e.g. upon request from the user due to a technical glitch), admin users may have access to modify a user’s personal data.
Only certain authorised Commission staff members and IT developers have access to users’ personal data other than the contact details, i.e. log data and, only for the duration of taking a decision on the application for a user account, the file containing a scanned copy of the user’s passport identification page. Such staff abide by statutory, and when required, additional confidentiality agreements.
The Commission, acting as controller, will transfer your personal data to the following recipients in a third country or to an international organisation in accordance with Regulation (EU) 2018/1725: any and all users, employed by international organisations or by any other entities located on the territory of a third country, that have access to the same Communities as you on the EMN IES.
The Commission will transfer your personal data based on Article 50(1)(a) and 50(1)(d) of Regulation (EU) 2018/1725. All users have given their explicit consent to the transfers upon giving consent to the processing of their personal data in EMN IES in accordance with the terms of use and the applicable laws on data protection.
8. What are your rights and how can you exercise them?
You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access, your personal data and to rectify them in case your personal data are inaccurate or incomplete. Where applicable, you have the right to erase your personal data, to restrict the processing of your personal data, to object to the processing, and the right to data portability.
You can at any time exercise your rights as an EMN IES user by contacting the data controller and explicitly stating your request. Contact details are provided below under point 9.
You have the right to object to the processing of your personal data, which is lawfully carried out pursuant to Article 5(1)(a) on grounds relating to your particular situation.
The EMN IES allows you to modify at any time the contact details that you have provided in order to create a user account on the EMN IES in ‘edit profile’.
You have consented to provide your personal data to DG Migration and Home Affairs for the present processing operation. You can withdraw your consent at any time by notifying the Data Controller. The withdrawal will not affect the lawfulness of the processing carried out before you have withdrawn the consent.
However, please bear in mind that if you exercise your right to erasure, right to restriction of processing or right to object or if you withdraw consent to process your personal data, the user account will be disabled and all personal data will be deleted.
You can exercise your rights as an EMN IES user by contacting the Data Controller, or in case of conflict the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.
Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under point 10 below) in your request.
If you want to file a complaint regarding the processing of your personal data, please contact the European Data Protection Supervisor:
European Data Protection Supervisor (EDPS) 60 Rue Wiertz
B-1047 Brussels
Belgium
Phone: +32 2 283 19 00
E-mail: edps@edps.europa.eu
9. Contact information
The Data Controller
If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller,
The contact address is:
European Commission
Directorate General for Migration and Home Affairs (DG HOME)
E-mail: HOME-NOTIFICATIONS-C1@ec.europa.eu
The Data Protection Officer (DPO) of the Commission
You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.
The European Data Protection Supervisor (EDPS)
You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor (edps@edps.europa.eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.
10. Where to find more detailed information?
The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him. You may access the register via the following link: http://ec.europa.eu/dpo-register.
This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-00932.