DATA PROTECTION PRIVACY STATEMENT
Privacy Statement on the processing of personal data in the context of EMSA’s Dynamic Overview of National Authorities (DONA) Application
The protection of privacy is of high importance to the European Maritime Safety Agency (‘EMSA’). EMSA is responsible for the personal data it processes. Therefore, we are committed to respecting and protecting the personal data of every individual and to ensuring that data subjects can exercise their rights efficiently. All data of a personal nature, namely data that can identify an individual directly or indirectly, will be handled fairly and lawfully with the necessary due care.
This processing operation is subject to Regulation 2018/1725 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data. The information in this Privacy Statement is given pursuant to Articles 15 and 16 of the Regulation 2018/1725.
1. Nature and the purpose(s) of the processing operation
DONA is a threefold application developed and maintained by EMSA; it is comprised of the following sections:
- Country Profile; here, information on the EU Member States’ (MSs) maritime authorities is displayed to the general public, without access restrictions. The data is supplied by the MSs and the provided contact details of the authorities may include email addresses created using the names of actual persons.
- MS Maritime Statistics section, with restricted access to the accredited users from the MS in question only; no personal data is displayed in this section.
- The Reporting Gate, where the MSs accredited users can draft and submit their reports to the European Commission (EC), fulfilling the reporting requirements foreseen by most of the EU maritime acts; this section is accessible to the selected registered users of the reporting MS, EC and EMSA (to the latter, under specified conditions). The personal data stored in the MSs report headers includes e.g. the names and contact details (telephone/fax numbers, email addresses) of the officials submitting these reports to EC and the contact details for the EC to send their feedback, if different from the report submitter’s details.
The term “Registered User” means a DONA user for whom a profile has been created in EMSA’s existing user identity management system (IdM), which is already used for several other EMSA applications.
The purposes of the processing of personal data are:
- identification of DONA’s registered users and the management of their user profiles;
- responding to the requests and other emails sent to DONA helpdesk’s email address;
- sending of automatic or manually created email notifications to the users from DONA’s dedicated email address;
- publication (in the Country Profile section) of the contact details of the MSs’ authorities responsible for maritime matters, if the data received from the MSs for publicising such details includes personal data, e.g. the names of the contact points, or email addresses which reflect the names of real persons;
- personal data in the MSs report headers, e.g. the names and contact details (telephone numbers, email addresses) of the officials submitting the report to EC, is included to allow EC to send their feedback.
EMSA will not reuse the personal data for another purpose that is different to the one stated above.
The processing is not intended to be used for any automated decision making, including profiling.
2. Categories/types of personal data processed
The categories/types of personal data processed are the following:
- As with EMSA’s other maritime applications, DONA’s user management is handled by EMSA’s user Identity Management System (IdM); the data stored includes the registered user’s name, email address, username, and the names of the employing Authority and of the Member State;
- The requests received by DONA’s helpdesk from its registered users would allow identification of the sender for the purposes of responding and possibly, for solving of the request (e.g., if it is related to the user profile);
- The requests received by DONA’s helpdesk from its public users would reveal the sender’s email address which is used for responding to the request, and personal information, which the sender would reveal in the email;
- The personal data of submitters and contact points provided in the Member States’ report headers comprises the person’s name, email address and/or a telephone number, and the names of the relevant Authority and the name of the Member State. These reports are accessible (for viewing and extracting) to DONA users (whose profile includes relevant competence) from the reporting MS, EC and EMSA. DONA stores the MS reports until they are archived, at which point they become inaccessible; archiving can be reversed by the EMSA Administrators.
3. Processing the personal data
The processing of the personal data is carried out under the responsibility of the Head of Unit 1.3, acting as a delegated EMSA data controller.
Personal data are processed for the purposes of DONA users’ management by DONA users with the following profiles: EMSA Administrator, EMSA Coordinator, MS National Coordinator, EC Coordinator.
4. Access to and disclosure of personal data
The information concerning personal data stored by IdM will only be shared with people as necessary for the implementation of such measures on a need to know basis. The data are not used for any other purposes nor disclosed to any other recipient.
The personal information in question will not be communicated to third parties, except where necessary for the purpose(s) of e.g. sharing of the (modified) MSs reports to EC with the International Organisations, like the Barcelona and Helsinki Conventions.
Personal data are not intended to be transferred to third countries.
5. Protecting and safeguarding personal information
EMSA implements appropriate technical and organisational measures in order to safeguard and protect data subjects’ personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to them.
All personal data related to DONA’s user management are stored in secure IT applications according to the security standards of the Agency as well as in specific electronic folders accessible only to the authorised recipients. Appropriate levels of access (user profiles) are granted individually only to the above recipients.
The database is password protected under a single sign-on system and automatically connected to the user ID. The e-records are held securely so as to safeguard the confidentiality and privacy of the data therein.
All persons dealing with personal data in the context of DONA’s user management procedures, at any stage, sign a confidentiality declaration that is kept in the folder of the procedure.
Paper documents (if any) are kept in safe cupboards in EMSA’s premises and the key is held by the relevant staff.
6. Access, rectification, erasure or restriction of processing of personal data
Data subjects have the right to access, rectify, erase, and receive their personal data, as well as to restrict and object to the processing of the data, in the cases foreseen by Articles 17 to 24 of Regulation 2018/1725.
If data subjects would like to exercise any of these rights, they should send a written request explicitly specifying their query to the delegated Data Controller, via an email to DONA’s helpdesk at email@example.com .
The right of rectification can only apply to inaccurate or incomplete factual data processed within the user management procedure.
The above requests will be answered without undue delay, and in any event within one month of receipt of the request. However, according to Article 14(3) of Regulation 2018/1725, that period may be extended by two further months where necessary, taking into account the complexity and number of the requests. EMSA shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
7. Legal basis for Data processing
Processing is based on Article 5(a) of Regulation 2018/1725. Following Article 2(3)(b) of its founding Regulation (EC) 1406/2002, EMSA was tasked by the Member States to create DONA, a task which requires the processing of users’ personal data to fulfil it.
Article 2 Core tasks of the Agency:
3. The Agency shall work with the Member States to:
(b) develop technical solutions, including the provision of relevant operational services, and provide technical assistance, to the building up of the necessary national capacity for the implementation of relevant legal acts of the Union;
The personal data are collected and processed in accordance with the internal rules governing the use of EMSA’s IdM.
8. Storing Personal data
EMSA does not keep personal data longer than necessary for the purpose(s) for which that personal data is collected.
The users’ personal data will only be retained for the period during which the individual user is active. The former user’s data is currently kept in IdM in deleted status for 12 months after deletion has been requested by the National, EMSA or EC Coordinators. During this period the account is disabled, meaning that accessing and using it is not possible.
The MSs’ reports (which bear some elementary information on the submitter) will be archived on the 11th year following their creation. Archived documents in DONA remain out of reach for the DONA users, except for the DONA Administrator, who can only reverse the archiving on a request by the MS National Coordinator.
In the event of a formal appeal, all data held at the time of the formal appeal should be retained until the completion of the appeal procedures.
9. Data protection points of contact
Should data subjects have any queries/questions concerning the processing of their personal data, they should address them to the delegated Data Controller, via an email to DONA’s Helpdesk at firstname.lastname@example.org .
Any data subject may also consult EMSA Data Protection Officer at: DPO@emsa.europa.eu.
Complaints, in cases where the conflict is not resolved by the delegated Data Controller and/or the Data Protection Officer, can be addressed at any time to the European Data Protection Supervisor: email@example.com.