29 September 2021
24 August 2021
The purpose of this Personal Data Protection Policy (Chapter 9 of EUMETSAT’s Management System) is to ensure fair and transparent processing of personal data and to ensure compliance with relevant and recognised personal data protection frameworks.
Under this Policy all Data Subjects (see ‘Definitions’), whether internal or external, are granted rights of access, correction, deletion and objection. At the same time all those tasked with the collecting and processing of personal data for EUMETSAT are obliged to observe a set of Basic Principles of Processing Personal Data (Sec. 9.1; hereafter referred to as ‘the Basic Principles’).
The Basic Principles laid down in this Policy are applicable to but not restricted to the processing of personal data via email communication; online requests and portals; computer applications and paper communication. The Basic Principles apply equally in the context of transfer of personal data to third parties by EUMETSAT.
The nature, scope, and purpose of processing personal data must always be balanced against the potential risks to the rights of Data Subjects. Ensuring continuity of EUMETSAT activity, defending organisational interests and responding to security concerns are situations that unequivocally warrant the processing of personal data.
As the holder of personal data, EUMETSAT is under an obligation to implement technical and organisational measures that will allow processing of personal data across the Organisation to be performed in accordance with the Basic Principles. EUMETSAT must ensure that it can protect against unauthorised processing, accidental loss, destruction or damage of personal data in an effort to safeguard its integrity and confidentiality. Instructions in support of this objective will be laid down in relevant working practices.
For the purposes of this Policy, the following terms are understood to mean:
Data Subject: any natural person who can be identified, directly or indirectly, by reference to their personal data.
personal data: any information relating to a Data Subject that allows for conclusions to be drawn as to their physical, professional, online, cultural, economic or social identity. The following examples are typically considered forms of personal data:
- name, email address, address, phone numbers, passport or other identification numbers;
- age, gender, nationality, ethnicity, religious belief or affiliation, sexual orientation;
- connection information (e.g. IP address, approximate host location, pages visited);
- data related to physical or mental health, including the provision of health care services, which reveal information about one’s health status;
- event registration information (e.g. dietary, medical requirements, etc.);
- recruitment information (e.g. CV, certificates, date of birth, performance assessments, reference letters etc.);
- areas of personal interest.
processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. Examples of processing include:
- collecting, recording or keeping personal data;
- organising, updating and completing personal data;
- retrieving, consulting or referring to personal data;
- disclosing personal data by transmitting, disseminating or otherwise making it available;
- aligning, combining, redacting, deleting or destroying personal data.
consent (by the Data Subject): any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
personal data breach: a breach of security leading to the accidental, negligent or wilful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
9.1 Basic principles of processing of personal data
For the purposes of accountability EUMETSAT obliges all those tasked with the processing of personal data to apply the following data protection principles:
9.1.1 The principle of justified processing
Processing of personal data shall be considered justified if and to the extent that at least one of the following conditions is met:
- Contractual obligation: processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
- Legal obligation: processing is necessary for compliance with a legal obligation to which EUMETSAT is subject;
- Vital interests: processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
- Legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by EUMETSAT.
- Consent: the Data Subject has given consent to the processing of his or her personal data for one or more specific purposes.
Consent is required in instances where the processing of personal data cannot be justified based on any of the other conditions listed above it.
Business and organisational interests of EUMETSAT will be considered legitimate for the processing of personal data, except where the processing is unwarranted by reason of prejudice to the interests of the Data Subject. A careful assessment is required on a case-by-case basis. Where doubts arise the Data Protection Officer (Sec. 9.3) should be asked to provide further guidance.
In the context of EUMETSAT’s day-to-day work, processing of personal data may by example be considered legitimate in the following situations:
- for recruitment purposes;
- the performance of an employment or commercial procurement procedure;
- event organisation;
- ensuring information security and responding to abuse incidents as described in the Policy on the Acceptable Use of EUMETSAT ICT Systems;
- for managing scientific services, activities or online content that the Data Subject requested to access;
- to generate statistical reports (to which only the Management Board has access);
- for the administration of complaint procedures, appeals and procedural measures.
9.1.2 The principle of collecting personal data for specified and explicit purposes
Personal data may only be collected for specified and explicit purposes and must not be further processed in a manner that is incompatible with those purposes.
220.127.116.11 Specified and explicit purpose
It must be clear from the outset why EUMETSAT is collecting personal data and what it intends to do with the personal data.
18.104.22.168 Compatible with the original purpose
Processing of personal data will only be considered permissible if and to the extent that it is compatible with the original purpose for which it was originally collected. Processing for another purpose which is not deemed compatible requires additional consent or a condition for justified processing according Sec.9.1.1 (above).
Any link to the original purpose, the context in which personal data has been collected, the nature of the personal data, the possible consequences of the intended further processing for Data Subjects or the existence of appropriate safeguards are all indications for whether a later purpose is compatible with an original purpose.
9.1.3 The principle of personal data minimisation
Personal data must be adequate, relevant and limited to what is necessary in relation to the purpose for which it is being collected and processed.
This means that only the minimum amount of personal data which is required to achieve the specified and explicit purpose should be collected. Collecting personal data on a ‘just in case’ basis is not legitimate.
9.1.4 The principle of personal data retention
It must be clear to the Data Subject for what length of time personal data is being retained and the reasons for keeping personal data beyond the specified period e.g. for archiving or to meet certain legal requirements.
Once personal data is no longer needed for the purpose for which it was collected it must be disposed of securely. The method should be appropriate to the manner in which it is retained.
9.1.5 The principle of personal data accuracy
Reasonable steps must be taken to ensure that any personal data obtained, either directly from the Data Subject or through a third party source, is accurate. Updates to personal data should be made as soon as EUMETSAT is made aware of any information changes.
9.1.6 Derogation from the basic principles
Derogations from the principles set out in 9.1.1 – 9.1.5 are admissible when:
- responding to criminal investigations;
- enforcing disciplinary measures levied against a Data Subject pursuant to Article 36 of the Staff Rules or equivalent contractual employment provisions;
- protecting the rights and interests of other Data Subjects.
In these exceptional circumstances, the obligation to inform a Data Subject about the processing of his/her personal data and the overall obligation to ensure compliant personal data management may be lifted. A decision to this end must be approved by the Director-General in consultation of the Data Protection Officer.
9.2 Rights of the Data Subject
To ensure fair and transparent processing of personal data, Data Subjects may avail themselves of the right of access, correction, deletion, and objection.
9.2.1 Right of access
The Data Subject shall have the right to obtain confirmation as to whether or not personal data concerning him or her are being processed, and where that is the case, information regarding:
- the categories of personal data concerned;
- the purpose for processing the personal data;
- the grounds on which processing is justified (sec. 9.1.1)
- the recipient or categories of recipients (including third parties) to whom personal data have or will be disclosed, in particular recipients outside of the EU;
- the envisaged period for which the personal data will be processed;
- the existence of the Data Subject’s rights to correction and deletion of personal data or to object to such processing;
- the right to lodge a complaint with the Director-General (sec. 9.5).
The Data Protection Officer maintains a working practice on how to address Data Subject access requests. The working practice is available on the intranet page of the Data Protection Officer.
9.2.2 Right to correction
The Data Subject shall have the right to obtain the correction of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed.
9.2.3 Right to deletion
The Data Subject shall have the right to obtain the deletion of personal data concerning him or her. An obligation to delete personal data without undue delay applies where either:
- the personal data are no longer necessary in relation to the purpose for which they were collected or otherwise processed and there are no overriding legitimate interests for the processing;
- the Data Subject withdraws consent on which the processing is based and there are no other compelling grounds for justified processing according to Sec.9.1.1.
9.2.4 Right to object
The Data Subject shall have the right to object to processing of personal data, relating to his or her particular situation, unless EUMETSAT can demonstrate that there are compelling grounds for the justified processing (Sec. 9.1.1.) which override the interests and rights of the Data Subject.
9.2.5 Formal requests by the Data Subject
Requests to exercise Data Subject rights (9.2.1 – 9.2.4) need to be made in writing (in paper or electronic form) and referred to the Data Protection Officer: firstname.lastname@example.org. In examining the individual requests, the Data Protection Officer will examine in first instance whether:
- the Data Subject making the request is entitled to receive the information;
- the disclosure is not subject to obligations of confidentiality owed to other individuals third parties who may be mentioned in the relevant documents;
- the context of the request may have wider implications for the Organisation.
Based on the above considerations, the Data Protection Officer will make a decision on the extent to which the request by the Data Subject can be satisfied. A written report will be drawn up accordingly and shared with the Data Subject. Reasons for granting or refusing the request must be clearly substantiated.
9.3 Responsibilities of the Data Protection Officer
The Data Protection Officer is appointed by EUMETSAT to address all issues which relate to the protection of personal data in an independent manner. Furthermore, the Data Protection Officer must ensure and be able to demonstrate that processing within the Organisation is performed in accordance with the principles set out under Sections 9.1 and 9.2 of this Policy.
9.3.1 General mandate
The Data Protection Officer has the mandate to:
- monitor compliance with this Policy in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of all those tasked with the processing of personal data;
- make final decisions upon formal request by a Data Subject in line with the procedure set out under Sec. 9.2.5 of this Policy;
- provide advice where requested as regards personal data protection issues;
- ensure that mandatory documentation is maintained;
- implement and monitor privacy impact assessments;
- consult on changes to local working practices;
- record personal data breaches;
- initiate and coordinate organisational measures necessary to mitigate the possible adverse effects of a personal data breach;
- act as a contact point for the Director-General when personal data breaches have been identified.
9.3.2 Periodic reviews
Periodic reviews should be carried out by the Data Protection Officer to examine whether:
- the various channels through which personal data is collected are sufficiently specific regarding the purpose for which personal data will be processed;
- personal data retained is not excessive for the purpose for which it was originally collected;
- the purpose for which personal data was processed has ceased.
9.4 Notification of a Personal Data Breach
In the case of a personal data breach, or suspicion thereof, the Data Protection Officer shall be informed without undue delay by contacting email@example.com
This in turn obliges the Data Protection Officer to promptly notify the Director-General, except for in such circumstances where the Data Protection Officer reasonably believes that the personal data breach is unlikely to result in a risk to the rights and interests of the Data Subject(s) in question.
9.4.1 Notification to the Director-General
The notification of a personal data breach shall:
- describe the nature of the personal data breach including where possible, the categories of personal data affected as well as the approximate number of Data Subjects and number of personal data records concerned;
- describe the likely consequences of the personal data breach;
- describe the measures to be taken or proposed to be taken by EUMETSAT to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;
- describe how similar breaches can be avoided in future.
The Data Protection Officer shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
The documentation shall enable the Director-General to verify that the Organisation is complying with its own Policy and personal data protection principles, in such instances where a Data Subject submits a complaint or lodges an appeal against the actions or decisions of EUMETSAT (see Sec. 9.5).
9.4.3 Communication to the Data Subject(s)
Communication of a personal data breach to the Data Subject(s) shall not be required if the Data Protection Officer has taken subsequent measures which ensure that the high risk to the rights and interests of the Data Subject(s) is not likely to materialise.
Where communication is necessary, the Data Protection officer shall describe in clear and plain language the nature of the personal data breach and contain the information and measures referred to in Sec. 9.4.1 (a) (b) and (c).
9.4.4 Working practice
The Data Protection Officer maintains a working practice on how to handle personal data breaches. The working practice is available on the intranet page of the Data Protection Officer.
9.5 Resolving disputes
(External Data Subjects who wish to invoke their rights under section 9.5 are kindly requested to contact firstname.lastname@example.org.)
The Data Subject shall have the right to submit to the Director-General a complaint against a decision and/or action taken by the Data Protection Officer, provided the Data Subject has reasonable grounds to believe that it directly and adversely affects him/her.
In the event that a complaint cannot be resolved at the level of the Director-General, the Data Subject shall have the right to lodge an appeal with the Personal Data Protection Supervisory Authority (‘the Supervisory Authority’) through the secretary to the Supervisory Authority (‘the Secretary’).
The conditions governing the complaints and appeals procedures are detailed in the annexed Rules of Procedure.
9.5.1 The Supervisory Authority
22.214.171.124 The Supervisory Authority is competent to rule on disputes arising out of this Policy. To this end, it shall have jurisdiction with regard to appeals brought by any Data Subject against a decision of the Director-General.
126.96.36.199 The Supervisory Authority shall only act provided the Data Subject has exhausted the complaints procedure set out in the Annex to this Policy.
188.8.131.52 The Supervisory Authority shall be composed of three members and two deputies. All members must be external experts with demonstrable data protection expertise.
184.108.40.206 The members of the Supervisory Authority shall be appointed by the Council from a list proposed by the Director-General composed of candidates independent from EUMETSAT for a period of three years. This period may be extended. If a member is at any time unable to continue to serve, a new appointment shall be made for the unexpired term.
220.127.116.11 The members of the Supervisory Authority shall be fully independent in the exercise of their duties.
18.104.22.168 The Director-General shall fix the emoluments of the members of the Supervisory Authority. The emoluments shall consist of travel expenses, a daily subsistence allowance and a daily fee.
9.5.2 The Secretary
22.214.171.124 The Secretary shall be appointed by the Director-General on recommendation of the Data Protection Officer and shall be a staff member of EUMETSAT.
126.96.36.199 In the exercise of his/her duties, the Secretary shall be subject only to the authority of the Supervisory Authority.
188.8.131.52 The Secretary is responsible for receiving, transmitting and managing appeals lodged by Data Subject(s).
Annex: Rules of Procedure for Personal Data Protection Complaints and Appeals
These Rules of Procedure supplement the provisions set out in Sec. 9.5 of the Personal Data Protection Policy of EUMETSAT.
I Complaints Procedure
1. Submitting a complaint
1.1 A complaint must be submitted in writing via the Director of Administration within twenty (20) days from either (i) the date of decision by the Data Protection Officer under Sec. 9.2.5 of the Personal Data Protection Policy or (ii) communication of a personal data breach according to Sec. 9.4.3 of the Personal Data Protection Policy.
1.2 In exceptional cases, the Director of Administration in consultation with the Director-General may accept a complaint submitted after the expiry of the twenty (20) day period.
1.3 In the absence of communication of a personal data breach, the Data Subject may submit a complaint within a reasonable period but no later than one year after the personal data breach occurred.
1.4 The Director of Administration shall acknowledge receipt of the complaint and pass it on to the Director-General.
2. Decision by the Director-General
2.1 The Director-General shall give a reasoned decision on the complaint as soon as possible and shall notify the Data Subject no later than twenty (20) days from the date of its receipt.
2.2 The Director-General has the discretion to seek advice from experts, internal and external to EUMETSAT, in order to arrive at a reasoned decision.
2.3 The absence of a reply to the complaint within the twenty (20) day period shall be deemed an implicit decision rejecting the complaint.
2.4 A complaint shall not have suspensive effect. However, for duly justified reasons, the Director-General may stay the execution of the decision/action that is the subject of the complaint.
2.5 In the event of either explicit or implicit rejection of a complaint, the Data Subject may appeal to the Supervisory Authority.
II Appeals Procedure
3. Lodging an appeal
3.1 Appeals shall be lodged with the Secretary of the Supervisory Authority.
3.2 Appeals shall be made in writing. They shall state the grounds of appeal and be accompanied by documentary evidence in support thereof.
3.3 The Secretary will promptly transmit the appeal and all documentary evidence to the Supervisory Authority.
3.4 Only once the Supervisory Authority has taken a decision on the admissibility of the appeal, will EUMETSAT through the Director-General receive all documentary evidence from the Secretary.
3.5 Lodging an appeal shall not stay the execution of the decision/action appealed.
4. Conflict of interest
Members of the Supervisory are under an obligation to recuse themselves in cases where an actual or perceived conflict of interest exists, notably if they:
- have a personal or professional interest in the appeal;
- have previous professional ties to one of the parties involved in the appeal;
- participated in preparing the decision challenged or the appeal lodged.
5. Admissibility assessment
5.1 The Supervisory Authority shall only admit appeals provided:
- the Data Subject has exhausted the complaints procedure as set out in Section I of these Rules of Procedure; and
- the Data Subject has lodged the appeal with the Secretary within two months from the date of implicit or explicit rejection of the complaint by the Director-General.
5.2 In exceptional cases, the Supervisory Authority may admit appeals lodged after two months.
5.3 The Supervisory Authority has the discretion to reject appeals prima facie should it consider the grounds for the appeal to be manifestly unfounded.
5.4 As part of the admissibility assessment, the Supervisory Authority may determine whether longer deadlines should apply to the particular appeal and whether any interim measures are necessary until the Supervisory Authority arrives at its final Decision.
5.5 The Supervisory Authority must complete the admissibility assessment within twenty (20) days of the appeal being lodged with the Secretary.
6. Revoking an appeal
Should the Data Subject choose to withdraw his/her appeal, the Supervisory Authority must consult the Director-General before accepting the decision to withdraw. The admissibility assessment may establish other legitimate grounds for continuing the examination and issuing a Decision.
7. Written comments and reply
7.1 After the Supervisory Authority has ruled the appeal admissible, EUMETSAT shall make its comments on the appeal in writing.
7.2 These comments shall, within twenty (20) days from completion of the admissibility assessment, be communicated through the Secretary to the Data Subject who may, within twenty (20) days, submit a reply in writing.
7.3 Depending on the complexity of the appeal, the Supervisory Authority may exercise his/her discretion to extend these deadlines (see Section 5.4).
8. Examination of the appeal
Following receipt of EUMETSAT’s written comments and the written reply by the Data Subject, the Supervisory Authority has the discretion to decide whether to proceed with a written examination or to call for an oral examination of the appeal.
8.1 Written Examination
Conducting a purely written examination of the appeal does not preclude phone calls and in-person discussions to further the examination and establish the facts, but does not take on the formal setting of a Hearing as described in Section 8.2, below.
The Supervisory Authority may at any time:
- request additional information from EUMETSAT or the Data Subject(s), which it deems necessary and appropriate for the examination of the appeal;
- speak to involved parties/stakeholders, upon its own initiative or upon proposal of EUMETSAT or the Data Subject(s).
8.2 Oral Examination (‘Hearing’)
A Hearing can be held if this is considered conducive to examining the appeal. Hearings should be public, unless the Supervisory Authority ex officio or at the request of EUMETSAT or the Data Subject(s), for valid reasons, decides otherwise.
If the Data Subject(s), although duly summoned, fails to appear before the Supervisory Authority, without producing a valid reason, the Supervisory Authority may close the Hearing and make its final Decision.
All Hearings will take place at EUMETSAT premises.
9. Decision by the Supervisory Authority
9.1 Upon completion of the examination, the Supervisory Authority will deliver its written decision (‘the Decision’). The Supervisory Authority must clearly state its grounds for the Decision and provide a summary of the main findings.
9.2 The Secretary is responsible for transmitting the Decision to the Data Subject, the Director-General and the Data Protection Officer immediately after being delivered.
9.3 Remedial measures imposed by the Supervisory Authority must be observed and implemented by EUMETSAT to the deadline set out in the Decision. Where a deadline has not been stipulated, implementation must take effect within a reasonable timeframe.
9.4 The Supervisory Authority does not have the power to award financial compensation to the Data Subject for identified infringements.
9.5 The Decision may be published in redacted form provided the Supervisory Authority does not consider the publication detrimental to EUMETSAT’s overall personal data protection compliance efforts.
9.6 The Decision of the Supervisory Authority shall be final and binding; no further appeal is possible. However, the Supervisory Authority may be requested to rectify a clerical or accidental mistake in a Decision delivered.
10. Request for interpretation and review
10.1 The Data Subject(s), the Director-General or the Data Protection Officer may request the Supervisory Authority to interpret a Decision, should difficulties arise as to the meaning or scope of the Decision.
10.2 The Supervisory Authority may decline a request for interpretation should the request – in nature - amount to an appeal against the Decision.
10.3 If a fact of decisive importance comes to the knowledge of the Supervisory Authority, it may consider a review of the Decision upon request by the Data Subject, Director-General or the Data Protection Officer.
10.4 The request for review must be submitted within three (3) months from the date of discovery of the fact or evidence and at the latest five (5) years after the Decision was delivered.
III Administrative Aspects
11. Responsibilities of the Secretary
The overall responsibilities of the Secretary of the Supervisory Authority include:
- registering the appeal and any documentary evidence, written comment, reply or other information submitted to the Supervisory Authority in relation to the appeal;
- transmitting the appeal and all necessary documentary evidence to EUMETSAT through the Director-General;
- communicating the written comments submitted by EUMETSAT in response to the appeal to the Data Subject;
- providing the Supervisory Authority with the written comments by EUMETSAT and written reply by the Data Subject in consolidated form for examination;
- coordinating, as required, dates of a Hearing;
- sending reminders of pending deadlines and critical appointments;
- transmitting the Decision of the Supervisory Authority to the Data Subject, the Director-General and Data Protection Officer;
- publishing the Decision of the Supervisory Authority;
- managing requests for interpretation or review of the Decision delivered by the Supervisory Authority.
12.1 Access to the Supervisory Authority shall be free of charge for the Data Subject.
12.2 Any costs incurred by the Data Subject(s) in the course of the proceedings, shall be borne by him/her, unless the Supervisory Authority decides otherwise in accordance with Section 12.3 below.
12.3 In cases where the Supervisory Authority has found that there were good grounds for the appeal, it may decide that EUMETSAT shall reimburse, within reasonable limits, justified expenses incurred by the Data-Subject, e.g. travel costs and fees payable to external representation.
12.4 The Supervisory Authority may also decide that EUMETSAT shall reimburse travel and subsistence expenses incurred by witnesses who have been heard, within limits which it shall fix in agreement with the Director-General. In taking such decisions, the Supervisory shall take into account the nature of the dispute and the amount involved.
The official language of the Supervisory Authority shall be English.