This privacy statement provides information relating to the processing of personal data of individuals carried out by the European Medicines Agency in fulfilling its tasks. The processing of personal data of individuals by the Agency is regulated by Regulation (EC) No 45/2001 on the protection of personal data by the European Union's institutions and bodies.
What are personal data?
'Personal data' are any information relating to an identified or identifiable person. An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity (Article 2(a), Reg. 45/2001).
The data subject is the person whose personal data are collected, held or processed.
What is processing?
'Processing' of personal data means any operation or set of operations that is performed upon personal data, whether or not by automatic means, such as collection, recording, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, deletion or destruction.
Examples of data processing operations concerning the Agency's stakeholders and other people involved or interested in the activities of the Agency include:
- compiling and publishing a list of participants at a meeting or conference organised by the Agency;
- screening and publication of the declarations of interests of scientific experts;
- evaluation of tenders submitted in response to a procurement procedure managed by the Agency;
- conclusion of contracts with the Agency.
Examples of data processing operations concerning members of staff and other people working with the Agency include:
- procedures relating to staff appraisal and promotion;
- handling of disciplinary and medical files;
- billing of an office telephone number.
Who is responsible for the processing of personal data at the Agency?
The processing of personal data by the Agency is under the responsibility of a designated person or organisational entity within the Agency acting as the data controller.
The data controller is responsible for ensuring, in particular, that technical and organisational measures are undertaken so as to protect the personal data with an appropriate level of security. The data controller remains legally responsible if someone who works for him or her breaches the data protection rules.
The data controller is also the person or entity to which a request from a data subject to exercise his or her rights should be addressed.
Data subjects are informed of the identity of the data controller responsible for the processing of their personal data at the time of the collection or recording of the data by the Agency, unless exceptions to the right of information apply.
What principles should be complied with by the Agency when processing personal data?
The following principles must be complied with by data controllers at the Agency when processing personal data (Article 4):
- Personal data must be processed fairly and lawfully, and only to the extent necessary to fulfil a specific and legitimate purpose. Re-use of the data for further, incompatible purposes is not permitted;
- The data collected must be adequate, relevant and not excessive in relation to the purposes of the processing;
- They must be kept accurate and up-to-date;
- They should be kept no longer than necessary;
- They can only be processed in accordance with the data subject's rights;
- They should be stored securely;
- They should not be transferred to third parties without adequate safeguards (Articles 7, 8 and 9).
What are your rights as data subject?
Right of information
Everyone has the right to know that their personal data are being processed and for which purpose.
The data controller must respect the right of information of the data subject, irrespective of whether the personal data have been obtained from the data subject or not. The information to be provided relates to:
- the identity of the data controller;
- the purposes of the processing;
- the recipients of the data;
- the existence of the right of access to and the right to rectify the data, as well as the legal basis for the processing;
- the time-limits for storing the data;
- the right to have recourse to the European Data Protection Supervisor (Articles 11 and 12).
In the context of the Agency's processing operations, this right is often fulfilled by the provision of a specific privacy statement to the data subject.
The right of information is subject to certain exceptions, such as in those cases where the data subject already has the above-mentioned information, or where the provision of the information would involve a disproportionate effort, or where a restriction of the right of information constitutes a necessary measure to safeguard one of the legitimate interests mentioned in Article 20(1).
Right of access
The right of access is the right for any data subject to obtain from the data controller:
- confirmation as to whether or not data related to him or her are being processed;
- information on the purposes of processing and the recipients to whom the data have been disclosed;
- communication in an intelligible form of the data undergoing processing and of any available information on their source;
- knowledge of the logic involved in any automated decision processes concerning him or her (Article 13).
Right of rectification
The data subject has the right to contact the data controller to obtain the rectification, without delay, of inaccurate or incomplete data (Article 14).
The right of rectification is an essential complement to the right of access and is important to maintain a high level of data quality.
The data subject has the right to obtain blocking of data from the data controller where:
- their accuracy is contested by the data subject;
- the data are no longer needed to achieve the purposes of the processing;
- the processing is unlawful and the data subject opposes the erasure of the data and demands their blocking instead.
Blocking means the freezing of data by the data controller at a given moment and for a specific period of time.
Blocked personal data can only be processed, with the exception of their storage, for purposes of proof, or with the data subject's consent, or for the protection of the rights of a third party (Article 15).
Right to object
Any data subject has the right to object at any time to the processing of data relating to him or her, except in certain cases, such as where the processing is based on a legal obligation of the data controller.
Where there is a justified objection based on legitimate grounds relating to the particular situation of the data subject, the processing in question may no longer involve those data (Article 18(a), Reg. 45/2001).
Who should you contact for more information about the processing of personal data by the Agency?
Each European Union institution or body has a data protection officer (DPO) who ensures, in an independent manner, the internal application of Regulation 45/2001 and keeps a register of all personal data processing operations carried out by data controllers in that institution.
The DPO also provides advice and makes recommendations on rights and obligations of data controllers and data subjects. In critical situations, he or she may investigate matters and incidents either upon a request of a data subject or on his or her own initiative.
The Agency's DPO can be contacted at email@example.com.
Who is the European Data Protection Supervisor and how can he help you?
The European Data Protection Supervisor (EDPS) is an independent supervisory authority responsible for monitoring and ensuring the application of data protection rules by European Community institutions and bodies, including the Agency.
If you feel that your personal data are being misused by the Agency, or their processing by the Agency is otherwise not compliant with Regulation (EC) No 45/2001, you should first notify the data controller for the processing in question and ask him to take action.
You may also contact the Agency's DPO at firstname.lastname@example.org to inform him or her of any issues related to the processing of your data.
If the problem cannot be solved this way, you may lodge a complaint with the EDPS. The EDPS is empowered to hear and investigate complaints and to conduct inquiries, including on his or her own initiative. If a breach of data protection rules is found to have occurred, the EDPS may exercise the powers assigned to him under Article 47 of Regulation (EC) No 45/2001.
How are personal data of users of the Agency's website and e-services processed?
You can browse the Agency's website without giving any information about yourself. However, in some cases, personal information is required in order to provide the e-services you request. Pages that require such information treat it according to the policy described in Regulation (EC) No 45/2001.
An e-service on this website is a service or resource made available on the internet in order to improve the communication between citizens and businesses on the one hand and the Agency on the other hand.
Three types of e-services are or may be offered by the Agency:
- information services that provide users with easy and effective access to information, thus increasing transparency and understanding of the Agency's activities;
- interactive communication services that allow better contact with the Agency's target publics, thus facilitating consultations and feedback mechanisms, in order to contribute to the shaping of the Agency's policies, activities and services;
- transaction services that allow access to all basic forms of transactions with the Agency, such as procurement, financial operations, recruitment and event enrolment.
The Agency's website provides links to third-party sites. Since the Agency does not control these sites, it encourages you to review these sites' own privacy policies.
Cookies and Europa Analytics
Cookies enable the EMA website to work properly and allow EMA to measure the effectiveness and efficiency of the website using Europa Analytics.
Users may choose not to be tracked by the cookies from Europa Analytics using an opt-out feature on the EMA website. Users may also set their own devices or web browsers to block cookies or delete them at any time. For more information, see Cookies.
More information on specific data processing operations
- Policy 44: European Medicines Agency policy on the handling of declarations of interests of scientific committees' members and experts
- Recruitment at the European Medicines Agency - General information
- Data protection statement: Recruitment of trainees
- Privacy statement for bank-account validation
- Specific privacy statement for public consultations
- Data protection notice for public procurement procedures
- Video surveillance policy