Personal data protection
This section explains how ECDC processes personal data in relation to the use of its website and related e-services.
ECDC processes your personal data only to the extent that is necessary to fulfil a purpose related to our tasks as an EU Agency, as described in Regulation 851/2004.
The controller is the European Centre for Disease Prevention and Control.
The legal basis for the processing of personal data is Article 5(1)(a) of Regulation 2018/1725 (‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body’) and, in certain cases, Article 5(1)(d) of the Regulation – consent.
What is an e-service?
An e-service on this website is a service or resource made available on the Internet in order to improve communication between citizens and businesses on the one hand and ECDC on the other hand. Three types of e-services are, or may be offered by ECDC:
- Information services that provide users with easy and effective access to information, increasing transparency and understanding of ECDC’s activities.
- Interactive communication services that enable better contact with ECDC’s target public, facilitating consultations, and feedback mechanisms that help to shape ECDC’s policies, activities and services.
- Transaction services that allow access to all basic forms of transaction with ECDC (e.g. procurement, financial operations, recruitment, event enrolment, etc.)
Please note that the ECDC website provides links to third party sites. ECDC has no control over their content and takes no responsibility for their personal data processing operations. We encourage you to review their privacy policies separately.
For specific information on how your personal data is processed by cookies, see the Cookie policy/Site usage information.
How is personal data processed by ECDC?
Although you can browse through most of ECDC’s website without giving any information about yourself, in some cases personal information is required in order to provide the e-services you request. For each specific e-service, a controller determines the purposes and means for processing personal data and ensures conformity of the specific e-service with the applicable legal framework. For the specific information on how your data are processed by ECDC in relation to a particular e-service, please refer to the relevant section of ECDC’s website.
The following information will be provided in relation to each e-service:
- What information is collected, the purpose of collection and the technical means by which it is collected: ECDC collects personal information only to the extent necessary to fulfil a specific purpose. The information will not be re-used for a different purpose.
- To whom your information is disclosed: ECDC will only disclose information to third parties if it is necessary for the fulfilment of the purpose(s) identified and to the (categories of) recipients specified. ECDC will not use your personal data for direct marketing purposes.
- How you can access your information, verify its accuracy and, if necessary, correct it or object to its processing.
- How long your data is kept: all cookies used by ECDC are session cookies that disappear once you close your browser. In principle, ECDC does not retain any personal information in connection with e-services. If any personal data are stored, users are informed of the retention period for the specific e-service.
ECDC does not actively transfer personal data to third countries. However, transfers might occur when using third party cookies. We refer you to the page on cookies where we have included links to the respective privacy policies of the services that we use.
Your rights when we process your personal data
When your personal information is processed by ECDC, you have the right to know.
You have the right to access the information and have it corrected without undue delay if it is inaccurate or incomplete. Under certain conditions, you have the right to ask that we delete your personal data or restrict its use. Where applicable, you have the right to object to our processing of your personal data, in relation to your particular situation, at any time, and the right to data portability (the right to have your data transmitted elsewhere in a readable format).
We will consider your request, take a decision and communicate it to you without undue delay, and at the latest within one month of receiving the request. This period may be extended by an additional two months where necessary.
Where possible, you can request that we communicate any changes to your personal data to other parties to whom it may have been disclosed.
You also have the right not to be subject to automated decisions (made solely by machines) which affect you, as defined by law.
Restrictions to data subject rights may apply in accordance with the internal rules concerning restrictions of certain data subject rights (link is external).
ECDC’s Data Protection Officer and the European Data Protection Supervisor
If you have any concerns relating to how ECDC processes your personal data, please contact ECDC’s Data Protection Officer. You can write to dpo@ecdc.europa.eu
If you believe that ECDC is processing your personal data unlawfully, you can contact the European Data Protection Supervisor: edps@edps.europa.euwww.edps.europa.eu
Register
Pursuant to Art. 31 of Regulation EU No. 2018/1725, ECDC keeps a record of all the personal data processing that it undertakes.
This register gives a brief overview of the type of data being processed by ECDC, the purpose, the legal basis under which it is processed, who it is shared with and who is responsible for the data processing. In addition, you can obtain basic information about the security measures implemented to keep your data safe from accidental or unlawful destruction, loss, alteration or unauthorised disclosure or access.
Data processing register (periodically updated).
For certain data processing operations, ECDC has conducted a Data Protection Impact Assessment (DPIA), pursuant to Art. 39 of Regulation No 2018/1725.
See the DPIA for the core functions of Microsoft 365.
If you have further questions concerning the processing of your personal data, please do not hesitate to contact ECDC’s data protection officer: (dpo@ecdc.europa.eu)
Terms and condition for the Media Request Log
The Media Request Log (MRL) is an automated request form, intended for members of the press and other media entities who send requests to ECDC’s press team.
Those requesting data through the MRL are covered by the media request log privacy statement.
Information regarding social monitoring for epidemic intelligence activities
ECDC processes personal data to collect information on public health threats from communicable diseases. Processing includes the monitoring of information and data uploaded on social media for epidemic intelligence activities, including early detection of public health threats. You can learn more about how ECDC processes personal data in this context.
Information regarding processing of personal data for the analysis of pathogen genome data
ECDC accesses and processes data from the GISAID EpiCov and EpiFlu databases and the COVID-19 data portal for the purpose of epidemiological surveillance – to detect new pathogen variants and follow global trends in known variants. This includes the processing of pseudonymised personal data. You can find more information in the privacy statement for the analysis of pathogen genome data.
Information regarding processing of personal data in the context of vaccine effectiveness related studies
ECDC is data controller for a processing operation aiming to collect personal data for the evaluation of vaccine effectiveness, including COVID-19 vaccination, and the impact of vaccination programmes. You can find more information in the privacy statement on vaccine effectiveness studies. For this processing operation, a data protection impact assessment has been conducted.
Information regarding the use of Cisco WebEx for virtual meetings with external parties
ECDC uses Cisco WebEx for virtual meetings with external parties. You can find information on how your personal data is processed by ECDC in the WebEx privacy statement. You can find further information on how Cisco processes personal data on the Cisco Online privacy statement (link is external).