Data protection and privacy

The Regulation determines how, when and why EMA (the European Union agency responsible for the evaluation and supervision of medicines) can process personal data. It aims to ensure that your personal information is collected lawfully, stored safely, and used responsibly. 

This statement outlines EMA's key data protection obligations. It does not attempt to cover all its data processing operations.

It is important that you read and retain this statement, together with any other privacy statement EMA may provide on specific occasions when it collects or uses personal data about you so that you are aware of how and why EMA uses such data and what your rights are under the Regulation.

For more information, see:

• Regulation (EU) 2018/1725

• Central register of data processing records

'Personal data' is any information relating to an identified or identifiable natural person ('data subject'). 

An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 3(1) of the Regulation). It does not include data where the identity has been removed (anonymous data).

'Processing' of personal data means any operation or set of operations that is performed upon personal data, whether or not by automated means, such as collection, recording, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, deletion or destruction.

Examples of data processing operations concerning the Agency's stakeholders and other people involved or interested in the activities of the Agency include:

• compiling and publishing a list of participants at a meeting or conference organised by the Agency;
• screening and publication of the declarations of interests of scientific experts;
• evaluation of tenders submitted in response to a procurement procedure managed by the Agency;
• conclusion of contracts with the Agency.

Examples of data processing operations concerning members of staff and other people working with the Agency include:

• procedures relating to staff appraisal and promotion;
• handling of disciplinary and medical files;
• billing of an office telephone number.

The Agency is ultimately responsible for complying with your data protection rights and freedoms as data controller. This means that the Agency is responsible for determining the purposes and means of this personal data processing.

On behalf of the Agency, the relevant Head of Division where the processing is carried out is appointed to act as data controller and ensure the proper implementation of the processing operation.

This internally appointed data controller is also the person to which a request from a data subject to exercise his or her rights should be addressed.

Should you have any queries or concerns regarding your personal data, or wish to exercise any of your rights, you could also contact our Data Protection Officer (DPO), using the contact details below.

EMA values your privacy and data protection rights.

EMA is committed to safeguarding and protecting your personal information and using it in compliance with the Regulation. When collecting and using any personal information about you, EMA is committed to doing so in accordance with our obligations under the Regulation.

More specifically and in accordance with Article 4 of the Regulation, EMA is bound by the following principles when using your personal information:

• Lawfulness, fairness and transparency – EMA uses your personal information lawfully, fairly and in a transparent way.
• Purpose limitation – EMA collects your personal information only for specified, explicit and legitimate purposes that EMA has clearly explained to you and not used in any way that is incompatible with those purposes.
• Data minimisation – EMA uses adequate, relevant and limited to what is necessary personal information in relation to the stated purposes.
• Accuracy – EMA holds your personal information accurate and up to date and we take all reasonable and necessary steps to ensure that. Inaccurate data, having regard to the purposes for which they are processed, are erased or rectified without delay.
• Storage limitation – EMA keeps your personal information only as long as necessary for the specific purposes of the described data processing.
• Integrity and confidentiality – EMA keeps and processes your personal information securely to protect it against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
• Accountability – EMA is in a position to demonstrate its compliance with data protection law and its obligations under the Regulation.

EMA processes personal data on the following bases:

• Public interest – when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Agency;
• Legal obligations – EMA may process personal data in order to meet any legal obligation requiring us to do so, including audits and legal proceedings;
• Contract – when processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract. This is the case of the EMA staff, including temporary and contract agents and trainees;
• Consent – when you provide EMA with your personal data directly, for example when you apply for an open vacancy at the Agency;
• Vital interests – when processing is necessary in order to protect the vital interests of the data subject or of another natural person.

When the Agency processes special categories of personal data or personal data relating to criminal convictions and offences, then additional lawful grounds are established under Articles 10 and 11 of Regulation respectively.

The privacy notice associated to each processing activity (see section on More information on specific data processing operations below) includes details as regards the lawful bases used for that processing activity.

EMA is responsible for maintaining a record of processing activities. EMA has created retention schedules to determine the necessary retention periods for your personal information in accordance with the applicable legislation. The retention period for each category of personal data depends on the purpose(s) for which it is collected. 

Upon the completion of the retention period, EMA completely and irreversibly erases your personal data, unless it is required by law to do otherwise. However, EMA may keep your information for a longer period for historical, statistical or scientific purposes with the appropriate safeguards in place.

The privacy notice associated to each processing activity (see the section on more information on specific data processing operations below) includes details regarding the retention periods in place for that processing activity.

EMA may share your personal data with third parties where required by law, where it is necessary to administer EMA's relationship with you or where EMA has another relevant, carefully assessed lawful ground in doing so.

EMA will not disclose your personal information to third parties unless there is a lawful ground for this.

EMA will not share your personal information for marketing purposes.

Personal information held by the Agency may be shared with other Union institutions, bodies, offices and agencies to enable them to exercise their statutory duties as required by law. 

EMA may occasionally share personal data with trusted third parties, including financial accounting services, professional advisors and auditors, IT service providers, to help the Agency deliver efficient and quality services. When EMA does so, it ensures that recipients are contractually bound to safeguard the data EMA entrusts to them before it shares the data. 

EMA also uses data processors who provide services to the Agency. EMA has contracts and data processing agreements in place with its data processors, which ensure that the data processors are responsible for complying with data protection law. 

Where the Agency intends to transfer personal data to a third country or international organisation, it informs data subjects about this transfer and that appropriate safeguards are in place through the relevant specific privacy statement.

Right to information

Everyone has the right to know that their personal data are being processed and for which purpose.

The data controller must respect the right of information of the data subject, irrespectively of whether the personal data have been obtained from the data subject or not. The information to be provided should contain the following:

• the identity of the data controller;
• the purposes of the processing, as well as the legal basis for the processing;
• the recipients of the data (if any), and whether the personal data is intended to be transferred to a third country or international organisation.
• the time-limits for storing the data;
• explanation about the rights of the data subject (see below);
• the right to have recourse to the European Data Protection Supervisor;
• where the processing is based on the consent of the data subject, the right to withdraw consent at any time.

If applicable, additional information should be provided if:

• the collected data will be subject to automated decision-making and what is the logic involved in this;
• it will be further processed for a purpose other than that for which it was originally collected;
• it is mandatory to provide the data, in which case what is the basis for such obligation and what are the consequences for not providing the data.

In the context of the Agency's processing operations, this right is fulfilled by the EMA general privacy statement and the specific privacy statement associated to the relevant data processing practices.

The right of information is subject to certain exceptions, such as in those cases where the data subject has already disposed of the above-mentioned information, or where the provision of the information would involve a disproportionate effort, or where a restriction of the right of information constitutes a necessary measure to safeguard one of the legitimate interests mentioned in Article 25 of the Regulation.

Right to access

The right to access (Article 17 of the Regulation) is the right for any data subject to obtain confirmation from the data controller as to whether his/her personal data is processed, and information on the following:

• the purposes of the processing;
• the categories of personal data concerned;
• the recipients to whom the data have been or will be disclosed;
• the period for which the data is intended to be stored;
• the right of the data subject to request rectification or erasure of the personal data or request the restriction of the processing or object to such processing (see below);
• the right to have recourse to the European Data Protection Supervisor;
• source of the data (where personal data are not collected from the data subject);
• information on automated decision-making (if applicable);
• transfer to a third country or international organisation (if applicable).

The data subject has the right to request a copy of his/her personal data processed.

Right of rectification

The data subject has the right to contact the data controller to obtain the rectification, without delay, of inaccurate or incomplete data concerning him or her. (Article 18 of the Regulation)

The right of rectification is an essential complement to the right of access and is important to maintain a high level of data quality.

Right to erasure (‘right to be forgotten’)

The data subject has the right to request his/her personal data to be erased without undue delay when it is no longer needed or if the processing is unlawful. (Article 19 of the Regulation)

Right to restriction of processing

The data subject has the right to obtain from the data controller the restriction of the processing (Article 20 of the Regulation) where:

• their accuracy of the processed personal data is contested by the data subject;
• the data are no longer needed to achieve the purposes of the processing;
• the processing is unlawful but the data subject opposes the erasure of the data (and requests the restriction instead); or
• the data subject objected to the processing but verification is needed whether the data controller has overriding legitimate grounds.

Restriction means the blocking of data by the data controller at a given moment and for a specific period of time.

Blocked personal data can only be processed, with the exception of their storage, with the data subject's consent or for the purposes of legal claims or the protection of the rights of a third party.

Right to data portability

Where the processing is carried out in automated means, a data subject has the right to receive his/her personal data (which was provided to the data controller by him or her) in a machine-readable format. The data subject may also ask the data controller to directly transfer such data to another controller. (Article 22 of the Regulation)

Right to object

Any data subject has the right to object at any time to the processing of data relating to him or her, except in certain cases, such as where the processing is based on a legal obligation of the data controller.

The data controller may no longer process the personal data concerned by the objection, unless the data controller can demonstrate an overriding legitimate interest or for the purposes of legal claims. (Article 23 of Regulation)

Right to refuse

Any data subject has the right to not to be subject to a decisionbased solely on automated processing if such decision has legal effect on him or her (except for certain situations, such as entering into a contract). (Article 24 of the Regulation)

Right to withdraw consent

When EMA relies on your consent to process your personal data, you have the right to withdraw such consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, EMA may not be able to provide certain services to you. EMA will advise you if this is the case at the time you manifest your intention to withdraw consent.

The Agency provides information on action taken on a request under Articles 17 to 24 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Agency informs the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

If you wish to exercise any of these rights, please contact the DPO using the contact details below.

Each European Union institution or body has a data protection officer (DPO) who ensures, in an independent manner, the internal application of Regulation (EU) 2018/1725.

The DPO also provides advice and makes recommendations on the rights and obligations of data controllers and data subjects. In critical situations, he or she may investigate matters and incidents either upon a request of a data subject or on his or her own initiative.

The Agency's DPO can be contacted at dataprotection@ema.europa.eu or at the following address:

European Medicines Agency
PO Box 71010
1008 BA Amsterdam
The Netherlands

The European Data Protection Supervisor (EDPS) is an independent supervisory authority responsible for monitoring and ensuring the application of data protection rules by European Union institutions and bodies, including the Agency.

If you feel that your personal data are being misused by the Agency, or their processing by the Agency is otherwise not compliant with Regulation (EU) 2018/1725, you should notify the data controller for the processing in question and ask him to take action.

You may also contact the Agency's DPO at dataprotection@ema.europa.eu to inform him or her of any issues related to the processing of your data.

Right to lodge a complaint with the EDPS

If you consider that the processing of your personal data is infringing Regulation (EU) 2018/1725, you may also lodge a complaint with the EDPS. The EDPS is empowered to hear and investigate complaints and to conduct inquiries, including on his or her own initiative. If a breach of data protection rules is found to have occurred, the EDPS may exercise the powers assigned to him under Article 58 of the Regulation.

Contact details of the EDPS:

Postal address: Rue Wiertz 60, B-1047
Brussels office address: Rue Montoyer 30, B-1000 Brussels
Telephone: +32 2 283 19 00 
Email: edps@edps.europa.eu

EMA keep its privacy statements under regular review. EMA reserves the right to change its statements from time to time at its sole discretion. If EMA make any changes, EMA will upload the new version and update the ‘last updated’ date. However, if EMA makes relevant changes to this privacy notice, it will notify you by means of a prominent notice on the site prior to the change becoming effective. EMA encourages you to check for updates to this privacy statement on a regular basis.

This privacy statement was last updated in December 2019.

EMA wants to hear from you and keep your data safe, accurate and complete. Please keep EMA updated about any changes regarding your personal data during your relationship with the Agency.

Cookies enable the EMA website to work properly and allow EMA to measure the effectiveness and efficiency of the website using Europa Analytics. The data collected using this type of cookie contain no personal information and cannot be used to identify a particular visitor.

However, users may choose not to be tracked by the cookies from Europa Analytics using an opt-out feature on the EMA website. Users may also set their own devices or web browsers to block cookies or delete them at any time. For more information, see Cookies.