The European Committee of the Regions is committed to ensuring the protection of personal data when performing its tasks and providing its services.
The protection of personal data is a fundamental right enshrined both in the Treaty on the Functioning of the European Union (Article 16) and in the Charter of Fundamental Rights of the EU (Article 8).
Regulation (EU) No 2018/1725 lays down the rules for data protection in the EU institutions, bodies, offices and agencies. In addition to outlining the legal principles regarding the processing of personal data, it sets out the rights of data subjects, the obligations of data controllers and the role of the Data Protection Officer (DPO).
Data subjects (persons whose personal data are processed) have the right to request access to their personal data, free of charge and without constraint. They have the right to request rectification or erasure or restriction of the processing of their personal data. Data subjects also have the right to object to the processing of their personal data.
Where applicable, data subjects have the right to receive their personal data that has been provided to the controller or to have these personal data transmitted directly to another controller (data portability). They also have the right to withdraw consent at any time, in cases where their personal data are processed on this legal basis.
Delegated controllers (organisational entities of the controller, that is the European Committee of the Regions) determine the purpose and the means of processing personal data and must ensure that personal data are processed only for clearly defined and legitimate purposes, are processed fairly and lawfully and in a secure manner. They are also responsible for ensuring that data are accurate, adequate, relevant and not excessive, as well as are not kept longer than necessary. Delegated controllers must also inform data subjects how their data are processed and ensure that data are transferred to third parties only after adequate safeguards have been put in place.
The role of the data protection officer (DPO) is to ensure in an independent manner the correct application of the data protection rules within the European Committee of the Regions. The DPO informs and advises the controller, the delegated controllers and the processor, cooperates with the EDPS (European Data Protection Supervisor), as well as informs data subjects of their rights and obligations. The DPO maintains also a central register that gathers records on the processing of personal data carried out by the European Committee of the Regions in compliance with Article 31 of Regulation (EU) No 2018/1725.
What personal data is processed at the European Committee of the Regions?
Most of the personal data processed by the European Committee of the Regions relate to its active and former members and staff members.
Personal data of citizens are processed notably when they visit the European Committee of the Regions, register to an event, submit a request or subscribe to an e-service, such as
- Interactive communication services that allow better contacts with citizens, business, civil society and public actors thus facilitating policy consultations, and feedback mechanisms, in order to contribute to the shaping of policies, the activities and the services of the EU.
- Transaction services that allow access to all basic forms of transactions with the EU, e.g. procurement, financial operations, recruitment, event enrolment, acquisition or purchase of documents etc.
For precise information on a specific personal data processing, please refer to the relevant Data Protection Notice.
If you have any questions about the processing of your personal data, you may contact the relevant service in charge of the personal data processing (delegated controller) as indicated in the relevant Data Protection Notice, or the CoR DPO data.protection@cor.europa.eu. You may also contact the European Data Protection Supervisor.