The Regulation determines how, when and why EMA (the European Union agency responsible for the evaluation and supervision of medicines) can process personal data. It aims to ensure that your personal information is collected lawfully, stored safely, and used responsibly. 

This statement outlines EMA's key data protection obligations. It does not attempt to cover all its data processing operations.

It is important that you read and retain this statement, together with any other privacy statement EMA may provide on specific occasions when it collects or uses personal data about you, so that you are aware of how and why EMA uses such data and what your rights are under the Regulation.

What is personal data?

'Personal data' is any information relating to an identified or identifiable natural person ('data subject'). 

An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 3(1) of the Regulation). It does not include data where the identity has been removed (anonymous data).

What is processing?

'Processing' of personal data means any operation or set of operations that is performed upon personal data, whether or not by automated means, such as collection, recording, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, deletion or destruction.

Examples of data processing operations concerning the Agency's stakeholders and other people involved or interested in the activities of the Agency include:

  • compiling and publishing a list of participants at a meeting or conference organised by the Agency;
  • screening and publication of the declarations of interests of scientific experts;
  • evaluation of tenders submitted in response to a procurement procedure managed by the Agency;
  • conclusion of contracts with the Agency.

Examples of data processing operations concerning members of staff and other people working with the Agency include:

  • procedures relating to staff appraisal and promotion;
  • handling of disciplinary and medical files;
  • billing of an office telephone number.

Who is responsible for the processing of personal data at EMA?

The Agency is ultimately responsible for complying with your data protection rights and freedoms as data controller. This means that the Agency is responsible for determining the purposes and means of this personal data processing.

On behalf of the Agency, the relevant Head of Division where the processing is carried out is appointed to act as data controller and ensure the proper implementation of the processing operation.

This internally appointed data controller is also the person to whom a request from a data subject to exercise his or her rights should be addressed.

Should you have any queries or concerns regarding your personal data, or wish to exercise any of your rights, you can also contact our Data Protection Officer (DPO), using the contact details below.

What principles should be complied with by EMA when processing personal data?

EMA values your privacy and data protection rights.

EMA is committed to safeguarding and protecting your personal information and using it in compliance with the Regulation. When collecting and using any personal information about you, EMA is committed to doing so in accordance with our obligations under the Regulation.

More specifically and in accordance with Article 4 of the Regulation, EMA is bound by the following principles when using your personal information:

  • Lawfulness, fairness and transparency – EMA uses your personal information lawfully, fairly and in a transparent way.
  • Purpose limitation – EMA collects your personal information only for specified, explicit and legitimate purposes that EMA has clearly explained to you, and does not use it in any way that is incompatible with those purposes.
  • Data minimisation – EMA uses personal information that is adequate, relevant and limited to what is necessary in relation to the stated purposes.
  • Accuracy – EMA keeps your personal information accurate and up to date and takes all reasonable and necessary steps to ensure that. Inaccurate data, having regard to the purposes for which they are processed, are erased or rectified without delay.
  • Storage limitation – EMA keeps your personal information only as long as necessary for the specific purposes of the described data processing.
  • Integrity and confidentiality – EMA keeps and processes your personal information securely to protect it against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  • Accountability – EMA is in a position to demonstrate its compliance with data protection law and its obligations under the Regulation.

The lawful grounds for the processing

EMA processes personal data on the following bases:

  • Public interest – when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Agency;
  • Legal obligations – EMA may process personal data in order to meet any legal obligation requiring us to do so, including audits and legal proceedings;
  • Contract – when processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract. This is the case for EMA staff, including temporary and contract agents and trainees;
  • Consent – when you provide EMA with your personal data directly, for example when you apply for an open vacancy at the Agency;
  • Vital interests – when processing is necessary in order to protect the vital interests of the data subject or of another natural person.

When the Agency processes special categories of personal data or personal data relating to criminal convictions and offences, additional lawful grounds are established under Articles 10 and 11 of the Regulation respectively.

The privacy notice associated with each processing activity (see the section on more information on specific data processing operations below) includes details regarding the lawful bases used for that processing activity.

How long does EMA keep your personal data?

EMA is responsible for maintaining a record of processing activities. EMA has created retention schedules to determine the necessary retention periods for your personal information in accordance with the applicable legislation. The retention period for each category of personal data depends on the purpose(s) for which it is collected. 

Upon the completion of the retention period, EMA completely and irreversibly erases your personal data, unless it is required by law to do otherwise. However, EMA may keep your information for a longer period for historical, statistical or scientific purposes with the appropriate safeguards in place.

The privacy notice associated with each processing activity (see the section on more information on specific data processing operations below) includes details regarding the retention periods in place for that processing activity.

Does EMA share your personal data with third parties?

EMA may share your personal data with third parties where required by law, where it is necessary to administer EMA's relationship with you or where EMA has another relevant, carefully assessed lawful ground in doing so.

EMA will not disclose your personal information to third parties unless there is a lawful ground for this.

EMA will not share your personal information for marketing purposes.

Personal information held by the Agency may be shared with other Union institutions, bodies, offices and agencies to enable them to exercise their statutory duties as required by law. 

EMA may occasionally share personal data with trusted third parties, including financial accounting services, professional advisors and auditors, and IT service providers, to help the Agency deliver efficient and quality services. When EMA does so, it ensures that recipients are contractually bound to safeguard the data EMA entrusts to them before it shares the data.

EMA also uses data processors who provide services to the Agency. EMA has contracts and data processing agreements in place with its data processors, which ensure that the data processors are responsible for complying with data protection law. 

Where the Agency intends to transfer personal data to a third country or international organisation, it informs data subjects about this transfer and that appropriate safeguards are in place through the relevant specific privacy statement.

What are your rights as a data subject?

Right to information

Everyone has the right to know that their personal data are being processed and for which purpose.

The data controller must respect the data subject's right to information, irrespective of whether the personal data have been obtained from the data subject or not. The information to be provided should contain the following:

  • the identity of the data controller;
  • the purposes of the processing, as well as the legal basis for the processing;
  • the recipients of the data (if any), and whether the personal data is intended to be transferred to a third country or international organisation;
  • the time-limits for storing the data;
  • explanation about the rights of the data subject (see below);
  • the right to have recourse to the European Data Protection Supervisor;
  • where the processing is based on the consent of the data subject, the right to withdraw consent at any time.

If applicable, additional information should be provided if:

  • the collected data will be subject to automated decision-making, in which case the logic involved should be explained;
  • it will be further processed for a purpose other than that for which it was originally collected;
  • it is mandatory to provide the data, in which case the basis for the obligation and the consequences of not providing the data should be explained.

In the context of the Agency's processing operations, this right is fulfilled by the EMA general privacy statement and the specific privacy statement associated with the relevant data processing practices.

The right to information is subject to certain exceptions, such as where the data subject already has the above-mentioned information, where the provision of the information would involve a disproportionate effort, or where a restriction of the right to information constitutes a necessary measure to safeguard one of the legitimate interests mentioned in Article 25 of the Regulation.

Right to access

The right to access (Article 17 of the Regulation) is the right for any data subject to obtain confirmation from the data controller as to whether his/her personal data is processed, and information on the following:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients to whom the data have been or will be disclosed;
  • the period for which the data is intended to be stored;
  • the right of the data subject to request rectification or erasure of the personal data or request the restriction of the processing or object to such processing (see below);
  • the right to have recourse to the European Data Protection Supervisor;
  • source of the data (where personal data are not collected from the data subject);
  • information on automated decision-making (if applicable);
  • transfer to a third country or international organisation (if applicable).

The data subject has the right to request a copy of his/her personal data processed.

Right of rectification

The data subject has the right to contact the data controller to obtain the rectification, without delay, of inaccurate or incomplete data concerning him or her. (Article 18 of the Regulation)

The right of rectification is an essential complement to the right of access and is important to maintain a high level of data quality.

Right to erasure (‘right to be forgotten’)

The data subject has the right to request his/her personal data to be erased without undue delay when it is no longer needed or if the processing is unlawful. (Article 19 of the Regulation)

Right to restriction of processing

The data subject has the right to obtain from the data controller the restriction of the processing (Article 20 of the Regulation) where:

  • the accuracy of the processed personal data is contested by the data subject;
  • the data are no longer needed to achieve the purposes of the processing;
  • the processing is unlawful but the data subject opposes the erasure of the data (and requests the restriction instead); or
  • the data subject objected to the processing but verification is needed whether the data controller has overriding legitimate grounds.

Restriction means the blocking of data by the data controller at a given moment and for a specific period of time.

Blocked personal data can only be processed, with the exception of their storage, with the data subject's consent or for the purposes of legal claims or the protection of the rights of a third party.

Right to data portability

Where the processing is carried out by automated means, a data subject has the right to receive his/her personal data (which was provided to the data controller by him or her) in a machine-readable format. The data subject may also ask the data controller to directly transfer such data to another controller. (Article 22 of the Regulation)

Right to object

Any data subject has the right to object at any time to the processing of data relating to him or her, except in certain cases, such as where the processing is based on a legal obligation of the data controller.

The data controller may no longer process the personal data concerned by the objection, unless the data controller can demonstrate an overriding legitimate interest or the processing is for the purposes of legal claims. (Article 23 of the Regulation)

Right to refuse

Any data subject has the right not to be subject to a decision based solely on automated processing if such decision has legal effect on him or her (except for certain situations, such as entering into a contract). (Article 24 of the Regulation)

Right to withdraw consent

When EMA relies on your consent to process your personal data, you have the right to withdraw such consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, EMA may not be able to provide certain services to you. EMA will advise you if this is the case at the time you manifest your intention to withdraw consent.

The Agency provides information on action taken on a request under Articles 17 to 24 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Agency informs the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

If you wish to exercise any of these rights, please contact the DPO using the contact details below.

Who should you contact for more information about the processing of personal data by EMA?

Each European Union institution or body has a data protection officer (DPO) who ensures, in an independent manner, the internal application of Regulation (EU) 2018/1725.

The DPO also provides advice and makes recommendations on the rights and obligations of data controllers and data subjects. In critical situations, he or she may investigate matters and incidents either upon a request of a data subject or on his or her own initiative.

The Agency's DPO can be contacted at dataprotection@ema.europa.eu or at the following address:

European Medicines Agency
PO Box 71010
1008 BA Amsterdam
The Netherlands

Who is the European Data Protection Supervisor and how can they help you?

The European Data Protection Supervisor (EDPS) is an independent supervisory authority responsible for monitoring and ensuring the application of data protection rules by European Union institutions and bodies, including the Agency.

If you feel that your personal data are being misused by the Agency, or their processing by the Agency is otherwise not compliant with Regulation (EU) 2018/1725, you should notify the data controller for the processing in question and ask him or her to take action.

You may also contact the Agency's DPO at dataprotection@ema.europa.eu to inform him or her of any issues related to the processing of your data.

Right to lodge a complaint with the EDPS

If you consider that the processing of your personal data is infringing Regulation (EU) 2018/1725, you may also lodge a complaint with the EDPS. The EDPS is empowered to hear and investigate complaints and to conduct inquiries, including on his or her own initiative. If a breach of data protection rules is found to have occurred, the EDPS may exercise the powers assigned to him or her under Article 58 of the Regulation.

Contact details of the EDPS:

Postal address: Rue Wiertz 60, B-1047
Brussels office address: Rue Montoyer 30, B-1000 Brussels
Telephone: +32 2 283 19 00 
Email: edps@edps.europa.eu

About this privacy statement

EMA keeps its privacy statements under regular review. EMA reserves the right to change its statements from time to time at its sole discretion. If EMA makes any changes, EMA will upload the new version and update the ‘last updated’ date. However, if EMA makes relevant changes to this privacy notice, it will notify you by means of a prominent notice on the site prior to the change becoming effective. EMA encourages you to check for updates to this privacy statement on a regular basis.

This privacy statement was last updated in December 2019.

EMA wants to hear from you and keep your data safe, accurate and complete. Please keep EMA updated about any changes regarding your personal data during your relationship with the Agency.

More information on specific data processing operations

European Medicines Agency’s data protection notice for the exploration of the DEEP platform

European Medicines Agency’s Data Protection Notice for the HMA-EMA Catalogue of real-world data studies

European Medicines Agency's Data Protection Notice for the HMA-EMA Catalogue of real-world data sources (and networks and institutions)

European Medicines Agency’s Data Protection Notice for the Antimicrobials Sales and Use platform

European Medicines Agency’s data protection notice for grant procedures

European Medicines Agency's data protection notice for the Security Operation Centre (SOC)

European Medicines Agency’s Data Protection Notice for the user test of the Critical Medical Device Shortages (CMDS) system

European Medicines Agency’s Data Protection Notice for publication of contact details of industry representatives in Agile teams

European Medicines Agency’s privacy statement for WebEx

European Medicines Agency Data Protection Notice concerning the 3rd Veterinary Stakeholder Forum on 23 November 2023

European Medicines Agency Data Protection Notice concerning the EMA Veterinary Awareness Day event on 12-13 September 2023

European Medicines Agency’s Data Protection Notice For the electronic EMA newsletters published via Newsroom

European Medicines Agency’s privacy statement for MS Suite

European Medicines Agency’s privacy statement for ServiceNow

European Medicines Agency's data protection notice for Microsoft Edge

European Medicines Agency's data protection notice for use of Microsoft Intune for personal and corporate-owned devices

European Medicines Agency’s data protection notice for the European Union (EU) Metadata Catalogue

European Medicines Agency’s data protection notice for the procedure for handling and reporting internally potential fraud and irregularities

European Medicines Agency’s privacy statement for the Network Portfolio website

European Medicines Agency's data protection notice concerning the Veterinary Info Day meeting on 16-17 February 2023

European Medicines Agency’s privacy statement for the operation of the Security Access Control System

European Medicines Agency’s data protection notice for the Raw data proof-of-concept pilot

European Medicine Agency's data protection notice for the Interactive Regulatory Information System (IRIS)

European Medicines Agency’s data protection on notice for certificates of medicinal products

European Medicines Agency’s data protection notice concerning the processing of patient and product traceability data for Zynteglo following the withdrawal of the marketing authorisation

European Medicines Agency’s data protection notice use of personal data as part of the emergency mass notification system

European Medicines Agency data protection notice concerning the Veterinary Info Day meeting on 12-13 May 2022

European Medicines Agency's data protection notice concerning the Annual ESVAC Network meeting on 3 May 2022

European Medicines Agency’s Privacy Statement for the provision of hotel and travel services through the Agency’s online booking tool

European Medicines Agency's data protection notice concerning the VMP-Reg stakeholders meetings

European Medicines Agency’s data protection notice for the processing of the contact points of scientific committees (CXMP) members/alternates’ for internal use by the same committees

European Medicines Agency's data protection notice concerning the Multistakeholder Workshop on EMA extended mandate on 1 April 2022

European Medicines Agency’s Privacy Statement for the clinical data publication website

European Medicines Agency’s privacy statement for the Union Product Database

European Medicines Agency’s privacy statement for the operation of video-surveillance (CCTV) system

Privacy Statement regarding the Experts database and the handling of competing interests of scientific committees’ members and experts

European Medicines Agency’s privacy statement for the Industry Single Point of Contact (i-SPOC) system

European Medicines Agency’s privacy statement for the usability testing of the restricted area of the Union Product Database

European Medicines Agency's privacy statement for SME status applications submitted by natural persons

European Medicines Agency’s privacy statement for user research for the design of the Union Product Database

European Medicines Agency’s privacy statement for the use of audience interaction tool Slido

European Medicines Agency privacy statement for the publication of post-employment decisions regarding senior staff (Article 16 of Staff Regulations)

Privacy statement concerning European Medicines Agency’s public stakeholder meetings on COVID-19 vaccines

European Medicines Agency's privacy statement for media professionals

European Medicines Agency’s Privacy Statement for the EU Innovation Network

European Medicines Agency’s Privacy Statement For the Regulatory Science Strategy interviews

European Medicines Agency’s privacy statement for the use of Microsoft Teams and SharePoint Online pilot users (obsolete)

European Medicines Agency privacy statement for EnprEMA network database

European Medicines Agency’s privacy statement for managed print services

European Medicines Agency’s privacy statement for electronic newsletters

European Medicines Agency’s privacy statement for the European Network of Centres for Pharmacoepidemiology and Pharmacovigilance (ENCePP) Resource Database

European Medicines Agency’s privacy statement for the European Union electronic Register of Post-Authorisation Studies (EU PAS Register)

European Medicines Agency’s privacy statement for the Information Centre

European Medicines Agency’s privacy statement for the pre-employment medical examination

European Medicines Agency’s privacy statement public and targeted consultations

European Medicines Agency's privacy statement for the organisation of meetings and events

European Medicines Agency's privacy statement for selection and recruitment

European Medicines Agency's data protection notice for the processing of personal data in the context of public procurement procedures

European Medicines Agency’s privacy statement concerning requests for information or access to documents

Privacy statement on the processing of personal data in the context of administrative inquiries and disciplinary proceedings

European Medicines Agency’s Privacy Statement: Small and Medium Enterprises (SME) Office activities

Privacy Statement for the EMA individual experts’ stakeholder database

Privacy Statement concerning Public Hearings at the European Medicines Agency

European Medicines Agency’s privacy statement for the EMA Account Management system

European Medicines Agency’s data protection notice for validation of proof of establishment when natural persons apply for orphan designation or a transfer of an orphan designation

Privacy statement for legal entity and bank account validation

European Medicines Agency’s data protection notice for EudraVigilance Human (EV)

European Medicines Agency’s data protection notice for recording of telephone calls to the EMA official telephone number received at the EMA switchboard

European Medicines Agency’s privacy statement for the visitor management application

European Medicines Agency’s data protection notice for parking access and record of lost and found items (Filemaker internal security database)

Cookies on the EMA website and Europa Analytics

Cookies enable the EMA website to work properly and allow EMA to measure the effectiveness and efficiency of the website using Europa Analytics. The data collected using this type of cookie contain no personal information and cannot be used to identify a particular visitor.

However, users may choose not to be tracked by the cookies from Europa Analytics using an opt-out feature on the EMA website. Users may also set their own devices or web browsers to block cookies or delete them at any time. For more information, see Cookies.
