Table of contents
- What is personal data?
- What is processing?
- Who is responsible for the processing of personal data at the Agency?
- What principles should be complied with by the Agency when processing personal data?
- What are your rights as data subject?
- Who should you contact for more information about the processing of personal data by the Agency?
- Who is the European Data Protection Supervisor and how can he help you?
- How are personal data of users of the Agency's website and e-services processed?
- Cookies and Europa Analytics
- More information on specific data processing operations
This privacy statement provides information relating to the processing of personal data of individuals carried out by the European Medicines Agency (EMA) in fulfilling its tasks.
The processing of personal data of individuals by the Agency is regulated by Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.
'Personal data' is any information relating to an identified or identifiable person. An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity (Article 3(1) of the Regulation).
The data subject is the person whose personal data are collected, held or processed.
'Processing' of personal data means any operation or set of operations that is performed upon personal data, whether or not by automated means, such as collection, recording, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, deletion or destruction.
Examples of data processing operations concerning the Agency's stakeholders and other people involved or interested in the activities of the Agency include:
- compiling and publishing a list of participants at a meeting or conference organised by the Agency;
- screening and publication of the declarations of interests of scientific experts;
- evaluation of tenders submitted in response to a procurement procedure managed by the Agency;
- conclusion of contracts with the Agency.
Examples of data processing operations concerning members of staff and other people working with the Agency include:
- procedures relating to staff appraisal and promotion;
- handling of disciplinary and medical files;
- billing of an office telephone number.
The processing of personal data by the Agency is under the responsibility of a designated person or organisational entity within the Agency acting as the data controller. The designated data controller is your main contact point and acts on behalf of the Agency, while the Agency remains ultimately responsible to comply with data protection obligations.
The data controller is responsible for ensuring, in particular, that technical and organisational measures are undertaken so as to protect the personal data with an appropriate level of security. The data controller remains legally responsible if someone who works for him or her breaches the data protection rules.
The data controller is also the person or entity to which a request from a data subject to exercise his or her rights should be addressed.
Data subjects are informed of the identity of the data controller responsible for the processing of their personal data at the time of the collection or recording of the data by the Agency, unless exceptions to the right of information apply.
The following principles must be complied with by data controllers at the Agency when processing personal data:
- Personal data must be processed lawfully, fairly and in a transparent manner;
- Personal data must be collected for a clearly specified and legitimate purpose. Re-use of the data in a manner that is incompatible with those purposes is not permitted;
- The data collected must be adequate, relevant and limited to what is necessary for the purposes of the processing;
- It must be kept accurate and up-to-date;
- It should be kept no longer than necessary the purposes of the processing;
- It can only be processed in accordance with the data subject's rights;
- It should be stored securely;
- It should not be transferred to third parties without adequate safeguards.
Right to information
Everyone has the right to know that their personal data are being processed and for which purpose.
The data controller must respect the right of information of the data subject, irrespectively of whether the personal data have been obtained from the data subject or not. The information to be provided should contain the following:
- the identity of the data controller;
- the purposes of the processing, as well as the legal basis for the processing;
- the recipients of the data (if any), and whether the personal data is intended to be transferred to a third country or international organisation.
- the time-limits for storing the data;
- explanation about the rights of the data subject (see below);
- the right to have recourse to the European Data Protection Supervisor;
- where the processing is based on the consent of the data subject, the right to withdraw consent at any time.
If applicable, additional information should be provided if:
- the collected data will be subject to automated decision-making and what is the logic involved in this;
- it will be further processed for a purpose other than that for which it was originally collected;
- it is mandatory to provide the data, in which case what is the basis for such obligation and what are the consequences for not providing the data.
In the context of the Agency's processing operations, this right is often fulfilled by the provision of a specific privacy statement to the data subject.
The right of information is subject to certain exceptions, such as in those cases where the data subject has already disposed of the above-mentioned information, or where the provision of the information would involve a disproportionate effort, or where a restriction of the right of information constitutes a necessary measure to safeguard one of the legitimate interests mentioned in Article 25 of the Regulation.
Right to access
The right to access (Article 17 of the Regulation) is the right for any data subject to obtain confirmation from the data controller as to whether his/her personal data is processed, and information on the following:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients to whom the data have been or will be disclosed;
- the period for which the data is intended to be stored;
- the right of the data subject to request rectification or erasure of the personal data or request the restriction of the processing or object to such processing (see below);
- the right to have recourse to the European Data Protection Supervisor;
- source of the data (where personal data are not collected from the data subject);
- information on automated decision-making (if applicable);
- transfer to a third country or international organisation (if applicable).
The data subject has the right to request a copy of his/her personal data processed.
Right of rectification
The data subject has the right to contact the data controller to obtain the rectification, without delay, of inaccurate or incomplete data concerning him or her. (Article 18 of the Regulation)
The right of rectification is an essential complement to the right of access and is important to maintain a high level of data quality.
Right to erasure (‘right to be forgotten’)
The data subject has the right to request his/her personal data to be erased without undue delay when it is no longer needed or if the processing is unlawful. (Article 19 of the Regulation)
Right to restriction of processing
The data subject has the right to obtain from the data controller the restriction of the processing (Article 20 of the Regulation) where:
- their accuracy of the processed personal data is contested by the data subject;
- the data are no longer needed to achieve the purposes of the processing;
- the processing is unlawful but the data subject opposes the erasure of the data (and requests the restriction instead); or
- the data subject objected to the processing but verification is needed whether the data controller has overriding legitimate grounds.
Restriction means the blocking of data by the data controller at a given moment and for a specific period of time.
Blocked personal data can only be processed, with the exception of their storage, with the data subject's consent or for the purposes of legal claims or the protection of the rights of a third party.
Right to data portability
Where the processing is carried out in automated means, a data subject has the right to receive his/her personal data (which was provided to the data controller by him or her) in a machine-readable format. The data subject may also ask the data controller to directly transfer such data to another controller. (Article 22 of the Regulation)
Right to object
Any data subject has the right to object at any time to the processing of data relating to him or her, except in certain cases, such as where the processing is based on a legal obligation of the data controller.
The data controller may no longer process the personal data concerned by the objection, unless the data controller can demonstrate an overriding legitimate interest or for the purposes of legal claims. (Article 23 of Regulation)
Right to refuse
Any data subject has the right to not to be subject to a decision based solely on automated processing if such decision has legal effect on him or her (except for certain situations, such as entering into a contract). (Article 24 of the Regulation)
Each European Union institution or body has a data protection officer (DPO) who ensures, in an independent manner, the internal application of Regulation (EU) 2018/1725.
The DPO also provides advice and makes recommendations on rights and obligations of data controllers and data subjects. In critical situations, he or she may investigate matters and incidents either upon a request of a data subject or on his or her own initiative.
The Agency's DPO can be contacted at email@example.com.
The European Data Protection Supervisor (EDPS) is an independent supervisory authority responsible for monitoring and ensuring the application of data protection rules by European Union institutions and bodies, including the Agency.
If you feel that your personal data are being misused by the Agency, or their processing by the Agency is otherwise not compliant with Regulation (EU) 2018/1725, you should notify the data controller for the processing in question and ask him to take action.
You may also contact the Agency's DPO at firstname.lastname@example.org to inform him or her of any issues related to the processing of your data.
Right to lodge a complaint with the EDPS
If you consider that the processing of your personal data is infringing Regulation (EU) 2018/1725, you may also lodge a complaint with the EDPS. The EDPS is empowered to hear and investigate complaints and to conduct inquiries, including on his or her own initiative. If a breach of data protection rules is found to have occurred, the EDPS may exercise the powers assigned to him under Article 58 of the Regulation.
You can browse the Agency's website without giving any information about yourself. However, in some cases, personal information is required in order to provide the e-services you request. Pages that require such information treat it according to the requirements of Regulation (EU) 2018/1725.
An e-service on this website is a service or resource made available on the internet in order to improve the communication between citizens and businesses on the one hand and the Agency on the other hand.
Three types of e-services are or may be offered by the Agency:
- information services that provide users with easy and effective access to information, thus increasing transparency and understanding of the Agency's activities;
- interactive communication services that allow better contact with the Agency's target publics, thus facilitating consultations and feedback mechanisms, in order to contribute to the shaping of the Agency's policies, activities and services;
- transaction services that allow access to all basic forms of transactions with the Agency, such as procurement, financial operations, recruitment and event enrolment.
The Agency's website provides links to third-party sites. Since the Agency does not control these sites, it encourages you to review these site's own privacy policies.
Cookies enable the EMA website to work properly and allow EMA to measure the effectiveness and efficiency of the website using Europa Analytics.
Users may choose not to be tracked by the cookies from Europa Analytics using an opt-out feature on the EMA website. Users may also set their own devices or web browsers to block cookies or delete them at any time. For more information, see Cookies.
EMA is currently revising the following documents and will update them in accordance with Regulation (EU) 2018/1725:
- Policy 44: European Medicines Agency policy on the handling of declarations of interests of scientific committees' members and experts
- Privacy statement for selection and recruitment
- Data protection statement: Recruitment of trainees
- Privacy statement for bank-account validation
- Specific privacy statement for public consultations
- Privacy statement on the processing of personal data in the context of public procurement procedures
- Video surveillance policy