1. Last update of this record: 11/11/2024

2. Reference number: 7/2020

Ares reg.number: Ares(2024)8064980

3. Name and contact details of the controller: European Ombudsman, 1 avenue du Président Robert Schuman, CS 30403, F-67001 Strasbourg Cedex.

Contact: Directorate of Administration- team “Process & Document Management, Business Continuity and Infrastructure”

E-mail: EO@ombudsman.europa.eu

Responsible departments: Secretary-General (SG), with the support of the Crisis Management Group (CMG).

The CMG is composed of the SG, the Directors, the Ombudsman’s Head of Cabinet, the Head of the Communication Unit, the Business Continuity Plan (BCP) coordinator (the Head of Business Continuity and Infrastructure) and, if necessary, liaison officers.

The Directorate for Administration gives the CMG operational support by acting as its secretariat and putting the measures it adopts into practice.

4. Name and contact details of the Data Protection Officer:

Ms Francesca Pavesi- Deputy DPO Mr Nicholas Hernanz

Dpo-Euro-Ombudsman@ombudsman.europa.eu

5. Name and contact details of the processor: N/A

6. Name and contact details of the joint controller(s):

The European Parliament (EP)- Risk, Crisis, and Business Continuity Unit (RCBC Unit) which manages the SMS Crisis Communication System jointly with the EO Office in the context of the Business Continuity Plan (BCP)

Email: businesscontinuitymanagement@europarl.europa.eu

7. Purpose(s) of the processing: to allow the institution, in the context of the BCP, to contact each staff member of the EO Office when necessary, to make arrangements, in response to a crisis event, for the EO’s services to continue.

Short description of the processing: The Business Continuity Plan (BCP) and the Handbook on its implementation provide the EO Office with a structured approach and guidance to business continuity in order to deal with unforeseen disruptions to the EO’s activities that could affect the EO’s buildings, operations or staff members. Communication channels used to circulate information to staff and to contact each staff member of the EO Office when necessary include SMS, emails and telephone numbers.

In the event of a crisis, the European Parliament (EP) and the EO will, in respect of the duty of care towards the staff hosted in Parliament’s premises, ensure that close and direct contact is maintained between the respective Secretary-Generals. The EO staff of the European Ombudsman is included in the general email lists used in case of a crisis, and an updated telephone number list shall regularly be included in the EP SMS Crisis Communication System.

The legal basis are

· the “Decision of the European Ombudsman adopting a Business Continuity Plan” of 25.05.2022,

· the “Handbook on the implementation of the European Ombudsman's Business Continuity Plan” of 2.10.2023 and

· the Implementing Arrangement on Crisis and Business Continuity to the Framework Agreement on Cooperation between the European Parliament and the European Ombudsman of 23.04.2021.

8. Description of the categories of data subjects and of the categories of personal data:

- Categories of data subjects:

· All staff of the EO Office, including trainees,

· persons of contact at the European Parliament and at the European Commission

- Categories of personal data

• names and surnames (initials in the case of the transfer of the mobile phone numbers to the EP services);
• list of professional phone numbers with professional e-mails and offices;
• private mobile phone numbers;
• personal data contained in the BCP and Handbook (some telephones numbers of persons of contact at the EP and Commission, in case of need for coordination with other EU institutions- ex: coordination of security and safety issues, coordination with EP or ICT infrastructure management related to the availability of networks telephone lines)

9. Time limit for keeping the data and, where possible, for erasure:

The information is kept for as long as necessary to fulfil the purpose indicated above. Personal data will be kept as long as the staff member is a member of the EO Office. As soon as a staff member leaves the EO Office, all his/her personal data will immediately be removed from the BCP and Handbook, as well as from the secure web-based application used to store phone numbers and initials.

Personal data will be stored from the time the data subject enrols in the system, and for as long as he/she is in service in the EO, with which the EP has signed an agreement that covers access of their staff to the EP SMS Crisis Communication System.

10. Recipients of the data:

The EO, the CMG: the Secretary-General; the Directors; the Ombudsman’s Head of Cabinet; the Head of the Communication Unit; the BCP coordinator and, if necessary, liaison officers

In order to join the SMS alert tool set up by the EP, the mobile phone numbers of the EO staff members are communicated to the EP's Business Continuity Service, together with their initials of name and first name. Personal mobile phone numbers will not be disclosed to any further third parties.

The BCP is also sent to the European Parliament to the extent that the EO offices are part of the EP premises. The BCP relies only on having a permanent and reliable contact with the EP security services.

11. Are there any transfers of personal data to third countries and/or to International Organisations?: No.

12. General description of security measures:

The mobile phone numbers communicated by each staff member are stored in a secure web-based application. This application, to which only the CMG members and the ICT staff have access, allows the sending of group SMS messages. The data is partly anonymised in the sense that it only links the mobile phone number with the initials of each staff member.

Personal mobile phone numbers will not be disclosed to any third parties, except to the EP's Business Continuity Service to join its SMS alert tool.

13. Information on how data subjects can exercise their rights of access and rectification, and where applicable, of erasure, restriction and data portability^[1]:

The data subjects have the right of access to their own personal data and to relevant information concerning how the EO uses it. They have also a right to request from the EO rectification of any incomplete or inaccurate data concerning them. They have a right to object to the use of their data by the EO on grounds relating to their particular situation, at any time. Under certain conditions, they have the right to ask that the EO deletes their personal data or restricts its use. The EO will reply to their requests as soon as possible and within one month at the latest. The data subjects may ask the EO information concerning the processing of their personal data by e-mail (eo@ombudsman.europa.eu). Requests from data subjects will be dealt within one month as a maximum. The data subject may also contact the EO Data Protection Officer at any time: dpo-euro-ombudsman@ombudsman.europa.eu.

If the data subjects wish to complain about the Ombudsman’s handling of their personal data, they may contact the European Data Protection Supervisor: www.edps.europa.eu

Privacy Statement relating to the implementation of the European Ombudsman’s Business Continuity Plan and associated Handbook

This privacy statement explains the reason for the processing, the way the European Ombudsman collects, handles and ensures protection of all personal data provided, how that information is used and what rights the data subjects may exercise in relation to their data.

The controller is the European Ombudsman. The joint controller is the European Parliament (EP) which manages the SMS Crisis Communication System with the EO Office in the context of the Business Continuity Plan (BCP).

1. What personal data will the European Ombudsman process?

We process the following personal data of all staff of the EO Office, including trainees:

• names and surnames (initials in the case of the transfer of the mobile phone numbers to the EP services);
• list of professional phone numbers with professional e-mails and offices;
• private mobile phone numbers;
• personal data contained in the BCP and Handbook[2]

2. Why does the European Ombudsman process these personal data?

The purpose of the processing is to allow the institution, in the context of the BCP, to contact each staff member of the EO Office when necessary, to make arrangements, in response to a crisis event, for the EO’s services to continue.

3. What are the legal bases and necessity for processing this data?

Processing is necessary to protect the vital interests of the data subject or another natural person" (Article 5 (1) (e) of Regulation 2018/1725) and in the public interest or in the exercise of official authority vested in the Union institution or body (Article 5 (1) (a) of the Regulation.

The legal basis are the following:

• the “Decision of the European Ombudsman adopting a Business Continuity Plan” of 25.05.2022,

• the “Handbook on the implementation of the European Ombudsman's Business Continuity Plan” of 2.10.2023 and

• the Implementing Arrangement on Crisis and Business Continuity to the Framework Agreement on Cooperation between the European Parliament and the European Ombudsman of 23.04.2021.

4. Who is responsible for processing the data?

Data is processed by the Directorate for Administration, team “Process & Document Management, Business Continuity and Infrastructure” with the support of the Crisis Management Group (CMG)[3].

5. Who will be recipients of the data?

The EO, the CMG.

In order to join the SMS alert tool set up by the EP, the mobile phone numbers of the EO staff members are communicated to the EP's Business Continuity Service, together with their initials of name and first name. Personal mobile phone numbers will not be disclosed to any further third parties.

6. How long will the data be kept?

The information is kept for as long as necessary to fulfil the purpose indicated above. Personal data will be kept as long as the staff member is a member of the EO Office. As soon as a staff member leaves the EO Office, all his/her personal data will immediately be removed from the BCP and Handbook, as well as from the secure web-based application used to store phone numbers and initials.

Personal data will be stored from the time the data subject enrols in the system, and for as long as he/she is in service in the EO, with which the EP has signed an agreement that covers access of their staff to the EP SMS Crisis Communication System.

7. How do we protect the data subject’s data?

The mobile phone numbers communicated by each staff member are stored in a secure web-based application. This application, to which only the CMG members and the ICT staff have access, allows the sending of group SMS messages. The data is partly anonymised in the sense that it only links the mobile phone number with the initials of each staff member.

Personal mobile phone numbers will not be disclosed to any third parties, except to the EP's Business Continuity Service to join its SMS alert tool.

Any other personal data may be transferred to the European Parliament in the same way as the BCP itself was.

8. What are your rights and how can you exercise them?

You have the right of access to your own personal data and to relevant information concerning how the EO uses it.

You have also a right to request from the EO rectification of any incomplete or inaccurate data concerning you in your medical file.

You have a right to object to the use of your data by the EO on grounds relating to your particular situation, at any time. Under certain conditions, you have the right to ask that the EO deletes your personal data or restricts its use.

The EO will reply to your request as soon as possible and within one month at the latest.

9. Who to contact in case of queries or complaints concerning data protection issues?

At any time, you may send data protection related questions concerning the implementation of the EO Business Continuity Plan and associated Handbook to the European Ombudsman, at the following address:

European Ombudsman

1 avenue du Président Robert Schuman

CS 30403

F-67001 Strasbourg Cedex

Email: EO@ombudsman.europa.eu

You also may contact the Data Protection Officer of the European Ombudsman at the following address: DPO-Euro-Ombudsman@ombudsman.europa.eu

You may lodge a complaint with the European Data Protection Supervisor at any time at the following address: https://www.edps.europa.eu/data-protection/our-role-supervisor/complaints/edps-complaint-form_en

 

[1] Consider publishing the relevant part of the privacy statement and providing a link. See Articles 15 and 16 on the information to be provided to the data subject(s) and Article 17 to 22 on the rights of data subjects of Regulation 2018/1725: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018R1725

[2] Some telephones numbers names and contact details of persons of contact at the EP and Commission, in case of need for coordination with other EU institutions- ex: coordination of security and safety issues, coordination with EP or ICT infrastructure management related to the availability of networks telephone lines.

[3] The CMG is composed of the Secretary General, the Directors, the Ombudsman’s Head of Cabinet, the Head of the Communication Unit, the BCP coordinator (the Head of Business Continuity and Infrastructure team) and, if necessary, liaison officers.