In case you are managing a contract with several communication activities, you will may have to collect personal data for events, meetings, interviews or consultations, etc. Please check carefully the section below:
- The protection of personal data is a fundamental right in the European Union (see Articles 8 and 16 of the Treaty on the Functioning of the European Union and the Charter of Fundamental Rights).
- EU Institutions & their contractors have their proper legislation on data protection: CINEA is not directly subject to GDPR, but applies the same principles! Thus, the Regulation applicable to CINEA shall not be confused with the General Data Protection Regulation (GDPR - Regulation (EU) 2016/679), which is applicable to Member States since 25 May 2018. Hence, as services provider under a contract with CINEA, you are bound at national level by the GDPR but, within your contractual relationship with CINEA, data protection is regulated by Regulation (EU) 2018/1725 (applicable to EU institutions and bodies). The need for the contractor to comply with data protection obligations resulting from both Regulations - GDPR and Regulation (EU) 2018/1725 - is clearly indicated in the service contract (e.g. Art. II.4.2, etc.).
- Personal data means any information relating to an identified or identifiable natural person (i.e. data subject). Identification may be direct or indirect, including factors specific to his or her physical, physiological, mental, economic, cultural or social identity (e.g. name, photo, phone number, staff number, CV of an applicant/tenderer).
- Data processing means any operation or set of operations with personal data, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
- The golden rule is that processing of personal data is permitted as long as it is: lawful (with a legal basis) & necessary for the performance of the contract to which CINEA is party; limited to specified, explicit & legitimate purposes; limited to what is necessary (Data minimisation); accurate & kept up-to-date; kept no longer than necessary (with a maximum retention period); secured through measures to guarantee integrity & confidentiality where applicable.
- Based on contractual obligations, the Data Controller is always the CINEA Unit or Department which is party to the service contract (e.g.: Head of Unit, CINEA D.3. for EMFF/EMFAF). Being CINEA’s contractor means that you are a Processor of personal data as you are acting on behalf of the data controller based on a service/specific contract and Art. 29 Regulation (EU) 2018/1725. In line with the provision of such a contract (e.g.: Art. II. 9.2) you are obliged to:
- process the personal data related to the contract solely for its purpose;
- assist CINEA for the fulfilment of its obligation as controller to respond to requests for exercising rights of persons whose personal data are processed in relation to this contract (If you come across such a request, please inform CINEA immediately);
- grant personnel access to your staff to the personal data to the extent strictly necessary for the implementation of the contract. In that context, you must ensure that your staff, who is authorised to process personal data, is bound by confidentiality;
- implement appropriate technical and organisational security measures (e.g.: pseudonymisation and encryption, regular testing of the measures, ability to restore access in case of a physical or technical incident, protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of etc.);
- notify to CINEA any personal data breaches (The breach shall concern personal data. This obligation does not apply if no personal data is concerned by the breach.) immediately and at the latest within 48 hours after you become aware of the breach. In that context, the following information shall be provided to CINEA: nature of the breach and approximate number of categories of data and number of data subjects concerned; consequences of the breach; mitigation measures taken or proposed to be taken; if applicable any possible infringements to GDPR, Regulation (EU) 2018/1725 or Member State data protection provisions as referred to in the tender specifications; you may also need to assist CINEA acting as controller in its obligations deriving from the personal data breach (notification to the EDPS, etc.);
- maintain a record of all data processing operations carried on behalf of CINEA for transfers of personal data, security breaches, responses to requests for exercising rights of people whose personal data are processed and requests for access to personal data by third parties;
- inform CINEA immediately of any request for disclosure of the personal data that you may receive from any national public authority, including an authority from a third country. You cannot not give such access without the prior written authorisation of CINEA;
- Keep personal data no longer than required: the duration of processing of personal data shall not exceed a period of five years starting from the payment of the balance. Upon expiry of this period, you should, depending on what CINEA requires: either return immediately, in a commonly agreed format, all personal data processed on behalf CINEA; or effectively delete these data.
In line with Article 29 of Regulation (EU) 2018/1725, you cannot engage other sub-processors than those agreed under the contract without informing beforehand CINEA and having our authorisation. Those new sub-processors shall be bound by the same obligations on data protection (a document providing evidence of this commitment may be requested).
- Personal data collection and processing for events, external communications (on the web, social media, etc.) should be always based on prior consent, which should be given by a clear affirmative act (in written form like ‘ticking a box’, please see an example of the CINEA template for data protection notice for events) establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her (Art. 19 Regulation (EU) 2018/1725).
- Data localisation. Please check your contract (e.g.: Art. I 9.2) as in principle: the personal data shall only be processed or be held in data centre located within the EEA2 territory; you cannot change the location of data processing without the prior written authorisation of CINEA.
- If the contractor is in breach of the data protection obligations or does not comply with such obligations, CINEA may terminate the contract with this contractor (Art. II.18): in this case the contractor may be held liable for damage incurred by CINEA as a result of the termination of the contract.
- For more info on data protection, please check the data protection notice relating to your respective tender. The CINEA template of Data Protection Notice for events and consent request should be used whenever contractor is organising events on behalf of the Agency. For your reference please see an example of a complete data protection notice for an event being organised by CINEA’s contractor. Please get inspired by details provided in this example and adapt it in relation to your event. Please copy only what is relevant for you in your specific case/event. In case of doubt, please contact your Project Manager.
If you are managing a contract with several communication activities, you will likely create a website or online platform to manage the communication with all stakeholders. In this case it is important to always use the following disclaimer:
“’The contents of this website are the sole responsibility of [name of the implementing partner] and do not necessarily reflect the opinion of the European Union. The content has been prepared for informational purposes only, and should not be considered legally-binding in any nature. The authors are not responsible for the content of external websites referred to by hyperlink [if relevant]. The illustrative maps shown on the country pages should not be interpreted as a legal representation of jurisdictional boundaries [if relevant].”
See the example of disclaimer below: