Data protection
If you are managing a contract with several communication activities, you may have to collect personal data for events, meetings, interviews, consultations, subscriptions to newsletters, etc. You may also be collecting personal data to conduct studies or analyses in the framework of your contract with CINEA. Personal data is any data that identifies or allows the identification of a natural person (the data subject). Identification may be direct or indirect, including by reference to factors specific to his or her physical, physiological, mental, economic, cultural or social identity (e.g. name, photo, phone number, staff number, CV of an applicant/tenderer).
Please read the section below carefully. At the end of this section you will find templates that you can customise to your activity.
Data protection is a fundamental right in the European Union (see Art. 16 of the Treaty on the Functioning of the European Union and Art. 8 of the Charter of Fundamental Rights of the EU).
The EU institutions and the Member States each have their own legislation on data protection: EU Member States are subject to the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679), applicable since 25 May 2018. CINEA, like all EU institutions, bodies, offices and agencies, is bound by Regulation (EU) 2018/1725, which applies the same principles as the GDPR.
As a contractor, you are bound at national level by the GDPR but, within your contractual relationship with CINEA, you have to comply with Regulation (EU) 2018/1725. The need for the contractor to comply with the data protection obligations resulting from both Regulations (the GDPR and Regulation (EU) 2018/1725) is clearly indicated in the contract (e.g. Art. II.4.2).
Processing of personal data means any operation or set of operations performed on personal data, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
The data protection principles require that the processing of personal data is permitted only as long as it is:
- lawful (with a legal basis) and necessary for the performance of the contract to which CINEA is party;
- limited to specified, explicit and legitimate purposes, and to what is necessary (data minimisation);
- accurate and kept up-to-date;
- kept no longer than necessary (with a maximum retention period);
- secured through measures to guarantee integrity and confidentiality where applicable.
The Data Controller, which determines the purposes for which and the means by which personal data is processed, is always the CINEA Unit or Department that is party to the contract (e.g. the Head of Unit, CINEA D.3, for EMFF/EMFAF). Being CINEA’s contractor means that you are a Processor of personal data, as you act on behalf of the data controller on the basis of the contract and Art. 29 of Regulation (EU) 2018/1725.
As a processor (see Art. I.9, Art. II.9.2 and Art. II.24 of your contract) you are obliged to:
- process the personal data related to the contract solely for its purpose;
- assist CINEA in fulfilling its obligation as controller to respond to requests for exercising the rights of persons whose personal data are processed in relation to this contract (if you come across such a request, please inform CINEA immediately);
- grant your personnel access to the personal data only to the extent strictly necessary for the implementation of the contract. In that context, you must ensure that the members of your staff who are authorised to process personal data are bound by confidentiality;
- implement appropriate technical and organisational security measures (e.g. pseudonymisation and encryption, regular testing of the measures, the ability to restore access in case of a physical or technical incident, protection against accidental or unlawful destruction, loss, alteration or unauthorised disclosure, etc.);
- notify CINEA of any personal data breach (the breach must concern personal data; this obligation does not apply if no personal data is affected by the breach) immediately and at the latest within 48 hours after you become aware of it. In that context, the following information shall be provided to CINEA: the nature of the breach, including the approximate number of categories of data and of data subjects concerned; the consequences of the breach; the mitigation measures taken or proposed; and, if applicable, any possible infringements of the GDPR, Regulation (EU) 2018/1725 or Member State data protection provisions as referred to in the contract. You may also need to assist CINEA, acting as controller, in meeting its obligations deriving from the personal data breach (notification to the EDPS, etc.);
- maintain a record of all data processing operations carried out on behalf of CINEA, of transfers of personal data, of security breaches, of responses to requests for exercising the rights of persons whose personal data are processed, and of requests for access to personal data by third parties;
- inform CINEA immediately of any request for disclosure of the personal data that you may receive from any national public authority, including an authority from a third country. You cannot give such access without the prior written authorisation of CINEA;
- keep personal data no longer than required: the duration of processing of personal data shall not exceed a period of ten years starting from the payment of the balance or the reception of the last document. Upon expiry of this period, depending on what CINEA requires, you should either immediately return, in a commonly agreed format, all personal data processed on behalf of CINEA, or effectively delete these data. Please refer to Art. II.24 of your contract (Checks and audits) and Art. II.9.2 (Processing of personal data by the contractor).
As regards sub-processors, you cannot engage sub-processors other than those agreed under the contract without informing CINEA beforehand and obtaining its authorisation. Those new sub-processors shall be bound by the same data protection obligations (a document providing evidence of this commitment may be requested).
The use of personal data in external communications (on the web, social media, etc.) should always be based on prior consent, given by a clear affirmative action in written form (e.g. ticking a box). Please see the templates and examples at the bottom of this page. Consent should be a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of their personal data (Art. 7 of Regulation (EU) 2018/1725).
As regards the location of data processing, please check your contract (e.g. Art. I.9.2): in principle, personal data shall only be processed or held in data centres located within the territory of the European Economic Area, and you cannot change the location of data processing without the prior written authorisation of CINEA.
If a contractor is in breach of the data protection obligations or does not comply with them, CINEA may terminate the contract with this contractor (Art. II.18). In this case the contractor may be held liable for damage incurred by CINEA as a result of the termination of the contract.
Events and communication activities
Whenever you organise events on behalf of CINEA, or deal with communication-related activities implementing your contract, you should produce a data protection notice and make it accessible to data subjects (natural persons whose personal data is processed).
To help you in this process, we have prepared a template that you can customise according to your activities (see the section “Templates & useful links” below), as well as examples of consent forms. Please draw on the details provided in the template and adapt it to your activity, keeping only what is relevant in your specific case. In case of doubt, please contact your Contract Manager in CINEA.
Websites
If you are managing a contract with several communication activities, you will likely create a website or online platform to manage the communication with all stakeholders. In this case, it is also important to publish a data protection notice (DPN) on your website so that it is available to end users visiting your page.
In the Templates & useful links section below, you will find a general DPN template as well as one specific for communication activities, including websites.
Templates & useful links
- Template of general data protection notice for EMFF/EMFAF contractors, not prefilled, not linked to communication activities
- Template of data protection notice for EMFAF contractors, prefilled, to be used for events, websites, communication activities
- Template of data protection notice for EMFF contractors, prefilled, to be used for events, websites, communication activities
- Examples of consent forms, including for events
- Disclaimer to be used on websites
- Webmaster data protection checklist
- Key elements of data protection rules for contractors
- EDPS guidelines for web services
- Communication toolkit for contractors