You have a complaint against an EU institution or body?

Make a complaint
Make a complaint
HomeData protectionRegister of recordsDPO Record
Available languages: 
  • English

Public record of processing activity :public consultations carried out by the European Ombudsman in the context of strategic inquiries and initiatives

DPO Record - Date Wednesday | 23 February 2022

1. Last update of this record: 23/02/2022

2. Reference number: 1/2022

3. Name and contact details of the controller:

European Ombudsman,

1, avenue du Président Robert Schuman

CS 30403

F-67001 Strasbourg Cedex

Contact:

Director of Inquiries

EO@ombudsman.europa.eu  

4. Name and contact details of the Data Protection Officer:

Ms Francesca Pavesi

Data Protection Officer (DPO)

Mr Nicholas Hernanz

Deputy DPO

Dpo-Euro-Ombudsman@ombudsman.europa.eu

5. Name and contact details of the processor:

N/A

6. Name and contact details of the joint controller(s):

N/A

7. Purpose(s) of the processing:

In accordance with Article 11 TEU, the European Ombudsman organises stakeholder consultations, the purpose of which is to inform the Ombudsman of the views of those concerned by the topics of strategic inquiries and initiatives, which are of public importance.

A public consultation in the context of strategic inquiries and initiatives generally consists of the following steps:

  • an invitation to contribute is published on the EO website,
  • anyone is invited to contribute until a certain deadline,
  • the contributions can be sent through a contact form, e-mail or post,
  • all contributions are published on the Ombudsman’s website, and
  • a report is drafted, summarising the contributions.

Processing is necessary for the performance of a task carried out in the public interest (Article 5(1)(a) of Regulation 2018/1725).

The personal data are also used to communicate with contributors.

8. Description of the categories of data subjects and of the categories of personal data:

Categories of data subjects

Any natural or legal person can contribute to a European Ombudsman consultation.

Categories of personal data

The personal data collected and further processed are data necessary for participation in the consultation, as follows:

  • first name,
  • surname,
  • job title
  • e-mail address,
  • language one would like to receive an answer in,
  • other language one would accept an answer in,
  • subject (the title of the consultation) and content (for the most part, the views of the individual or organisation on the topic).

Some responses may also contain personal data of third parties, although contributors are asked to avoid including unnecessary personal data in their replies. In principle, special categories of data[1] should not be included. In relation to third party personal data, the European Ombudsman applies the policy on the provision of information to the third party data subject in an inquiry (https://www.ombudsman.europa.eu/en/document/en/70851).

9. Time limit for keeping the data and, where possible, for erasure:

Contributions are stored in the relevant case-file in line with the retention policy of the Ombudsman's case management system for a period of ten years after the case is closed[2]. This includes basic personal information (first name, surname, e-mail address) and language preferences and Individual replies. They will then be archived according to the Ombudsman's policy on archiving[3].

Personal data of contributors is redacted from the version of the contribution that is made public on the European Ombudsman’s website when so requested.[4] Email addresses are always redacted. Should third party personal data be included in a contribution, which contributors are asked to avoid this is redacted as well.

Documents submitted in the context of a consultation, such as position papers or background documents, will be made public as received. As such, should such submissions include third party personal data, appropriate redactions are made.

In the case of mass mailings, meaning where a group of contributors submit identical contributions, responses are saved to the relevant case-file for a period of 10 years, after which they may be archived. They are kept in the European Ombudsman's email system for three months after which they are deleted. One such contributions is made public on the Ombudsman’s website, with an indication that the Ombudsman received several more with the same content.

10. Recipients of the data:

Access to the personal data is provided to the European Ombudsman staff members responsible for carrying out this processing operation and to authorised staff on a ‘need to know’ basis, such as staff members of the ICT unit for managing data submitted on the Ombudsman’s website.

As part of the inquiry procedure, the Ombudsman forwards to the relevant EU institution, body, office or agency all the contributions received.

To avoid misuse, contributors are required to identify themselves or the organisation on behalf of whom they are responding. Anonymous contributions to consultations are not accepted.

Contributors are asked to avoid including unnecessary personal data in their contributions, notably personal data of third parties.

In the interests of transparency, the Ombudsman makes public contributions received to a consultation. Should personal data, of contributors or otherwise, be included, this is redacted (as concerns contributors, only upon request).

11. Are there any transfers of personal data to third countries and/or to International Organisations?:

N/A[5]

12. General description of security measures:

Most contributions to European Ombudsman stakeholder consultations are submitted electronically to dedicated consultation mailboxes. Contributors are invited to complete a contact form on the Ombudsman's website, which directs replies to the dedicated consultation mailbox.

Contributions submitted by post are scanned and added to the digital file by the inquiry officer responsible. The paper copy of the contribution is subsequently destroyed.

Contributions to stakeholder consultations are stored in the Ombudsman's ‘case management system’. Access to the personal data of contributors is provided to the Ombudsman staff responsible for carrying out this processing operation and to authorised staff on a ‘need-to-know’ basis.

The European Ombudsman aims to ensure that data processing systems and services are resilient and that confidentiality of data, where applicable, is protected.

13. Information on how data subjects can exercise their rights of access and rectification, and where applicable, of erasure, restriction and data portability:

After submitting data via the contact form, contributors receive an e-mail with a copy of their data undergoing processing.

Data subjects have the right to access to their own personal data and to relevant information concerning how we use it. They have also a right to request rectification of any incomplete or inaccurate data concerning them. Data subjects have a right to object to the use of their data by the European Ombudsman on grounds relating to their particular situation, at any time. Under certain conditions, they have the right to ask that we delete their personal data or restrict its use.

At any time, data subjects may ask us for information concerning our processing of their personal data by e-mail at EO@ombudsman.europa.eu (an email address of the inquiries officer responsible will also be available on the consultation page on the Ombudsman’s website). Requests from data subjects are responded to as quickly as possible, and in any case within one month.

Data subjects may also contact our Data Protection Officer at: dpo-eo-ombudsman@ombudsman.europa.eu. If they wish to complain about the Ombudsman’s handling of their personal data, they may contact the European Data Protection Supervisor (www.edps.europa.eu) at the following address: EDPS@edps.europa.eu

When organising a stakeholder consultation, the European Ombudsman provides the following information to contributors as regards their privacy: https://www.ombudsman.europa.eu/document/61555

--------------------------------------------------------------------------------------------------------------------------------------

 

Privacy Statement

Relating to European Ombudsman Consultations in the context of strategic inquiries and initiatives[6]

The present Privacy Statement describes how the European Ombudsman protects your personal data when you reply to an Ombudsman consultation, and where, as such, the Ombudsman acts as the data controller. This statement also sets out what rights you have as a data subject.

In particular, it explains the reason for collecting and processing the data; the way the Ombudsman collects, handles and ensures protection of the data provided; and what rights contributors may exercise in relation to their data.

1. What personal data will the European Ombudsman process?

Contributors complete the contact form on the European Ombudsman's website, which directs contributions to the dedicated consultation mailbox. Contributions can also be sent by letter or email. The relevant staff in the European Ombudsman’s office process the contributions.

The European Ombudsman may contact contributors to request clarifications and/or to disseminate the results of the consultation/inquiry. The contact details of the person responsible for the inquiry are provided in the invitation to respond to the consultation.

The personal data collected and further processed are data necessary for participation in the consultation, as follows: first name, surname, email, job description, and the preferred language for further correspondence, other language one would accept an answer in, and content (for the most part, the views of the individual or organisation on the topic).

2. Why does the European Ombudsman process these personal data?

The European Ombudsman wishes to give the public and interested stakeholders the opportunity to express their views in the context of strategic inquiries and initiatives that would benefit from external input and may therefore launch public consultations.

3. What is the legal basis and necessity for processing this data?

The legal basis for this processing operation is Article 11 TEU.

Personal data are processed in accordance with Regulation 2018/1725 on the protection of natural persons with regard to the processing of personal data by the EU institutions, bodies, offices and agencies. Processing is necessary for the performance of a task carried out in the public interest (Article 5(1)(a) of Regulation 2018/1725).

4. Who is responsible for processing the data?

The European Ombudsman’s Information and Communication Technologies (ICT) Sector manages the data submitted to the website. The European Ombudsman staff responsible for carrying out pubic consultations and authorised staff, on a ‘need-to-know’ basis, will further process the data submitted by contributors.

5. Who will be the recipients of the data?

European Ombudsman staff responsible for carrying out this processing operation have access to your personal data; as well as other authorised European Ombudsman staff on a ‘need-to-know’ basis.

As part of the inquiry procedure, the European Ombudsman forwards to the relevant EU institution, body, office or agency all the contributions received. In the interests of transparency, the European Ombudsman makes public contributions received to a consultation.

When contributing to a consultation, you are required to identify yourself and the organisation on whose behalf you are contributing. Anonymous contributions to consultations are not accepted. This is to avoid misuse.

In the interest of transparency, the European Ombudsman makes public contributions she has received in reply to a public consultation. Your personal data will not made public. You should avoid including unnecessary personal data in your contributions, notably personal data of third parties. If such data are included, they will be redacted from the version that is made public.

6. How long will the data be kept?

Contributions are stored in the relevant case-file in line with the retention policy of the Ombudsman's case management system for a period of ten years after the case is closed[7]. This includes basic personal information (first names, surnames, e-mail address), language preferences and the replies. Contributions are archived according to the Ombudsman's policy on archiving[8].

7. How do we protect your data?

The electronic data is stored on the European Ombudsman’s servers. This data is protected by numerous security measures set up by the European Ombudsman’s Information and Communication Technologies sector to protect the integrity and confidentiality of the Institution's electronic property.

Access to personal data is protected through the management of access rights, which are strictly limited and based on the ‘need to know’-principle.

Email addresses are never made public, but they are stored and may be used by the European Ombudsman for correspondence related to the reply provided.

8. What are your rights and how can you exercise them?

When contributing to a consultation, you can choose whether your personal data should be published or not on our website.

You also have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access your personal data and to rectify them in case your personal data are inaccurate or incomplete. Under certain conditions, you have the right to erase your personal data, to restrict the processing of your personal data and the right to object to the processing of your personal data.

The European Ombudsman will reply to your requests as soon as possible and within one month at the latest.

Finally, you have the right of recourse at any time to the European Data Protection Supervisor if you consider that the European Ombudsman has infringed your rights under Regulation 2018/1725 because of the processing of your personal data.

9. Who to contact in case of queries or complaints concerning data protection issues?

At any time, you may send data protection related questions concerning the European Ombudsman’s public consultations, to the following address: EO@ombudsman.europa.eu

You also may contact the Data Protection Officer of the European Ombudsman at the following address: DPO-Euro-Ombudsman@ombudsman.europa.eu

You may lodge a complaint with the European Data Protection Supervisor at any time at the following address: EDPS@edps.europa.eu

 

[1] See Article 10 of Regulation 2018/1725.

[2] See: https://www.ombudsman.europa.eu/en/document/en/70850

[3] See: https://www.ombudsman.europa.eu/en/document/en/70850

[4] See: https://www.ombudsman.europa.eu/en/strategic-issues/public-consultations.

[5] Personal data published on the European Ombudsman’s website are accessible worldwide. The EU courts have found that loading personal data on a webpage does not constitute a transfer of personal data (see judgment of the Court of 6 November 2003, Lindqvist, case C-101/01).

[6] Available on the European Ombudsman’s website here: https://www.ombudsman.europa.eu/en/document/en/61555.

[7] See: https://www.ombudsman.europa.eu/en/document/en/70850.

[8] See: https://www.ombudsman.europa.eu/en/document/en/70850.

Download this publication in PDF format (1.11 MB)