Commission européenne/Europese Commissie, 1049 Bruxelles/Brussel, BELGIQUE/BELGIË - Tel. +32 22991111

EUROPEAN COMMISSION DIRECTORATE-GENERAL JUSTICE AND CONSUMERS Directorate C: Rule of Law, Fundamental Rights and Democracy The Director

Brussels, JUST/C4/MO/ms (2024)5474762s

Subject: Invitation to the next meeting of the Commission’s Expert group against

SLAPP joined by the focal points on SLAPP and Member States

representatives (remote format)

Dear Madam/Sir,

I have the pleasure to invite you to the next meeting of the Expert Group against SLAPP

which will be held virtually on Monday 9th September 2024. (indicatively between 10.00

and 12.00). A link will be shared in due course.

Member States’ focal points had participated to the eighth meeting of the Expert Group

against SLAPP of 21 November 2022. Since then, important developments have taken place

in the fight against SLAPP, such as the entry into force of the Anti-SLAPP Directive1 in May

2024. More and more Member States have now appointed Focal Points.

The goal of extending this expert group meeting’s invitation to Member States Focal Points

will be to introduce recently established national Focal Points and exchange best practices and

information related to Member States’ work on support mechanisms.

Questions about the meeting can be directed to the functional mailbox JUST-ANTI-SLAPP-

[email protected].

We would be grateful for a confirmation of your participation by 26 August 2024 ideally via

the AGM system.

We are looking forward to the continuation of our meaningful exchanges at the meeting.

Yours sincerely,

Julien MOUSNIER

1 Directive (EU) 2024/1069 of the European Parliament and of the Council of 11 April 2024 on protecting

persons who engage in public participation from manifestly unfounded claims or abusive court proceedings

(‘Strategic lawsuits against public participation’), available at the following link: https://eur-lex.europa.eu/legal-

content/EN/TXT/?uri=CELEX%3A32024L1069

Electronically signed on 05 07/2024 16:44 (UTC+02) in accordance with Article 11 of Commission Decision (EU) 2021/2121

EUROPEAN COMMISSION

PROTECTION OF YOUR PERSONAL DATA

This privacy statement provides information about the processing and the protection of your personal data.

Processing operation: Organisation and management of meetings of expert groups

Data Controller: European Commission, DG JUST, Unit C4 – Democracy, union citizenship and free movement

Record reference: DPR-EC-00744

Table of Contents

1. Introduction

2. Why and how do we process your personal data?

3. On what legal ground(s) do we process your personal data?

4. Which personal data do we collect and further process?

5. How long do we keep your personal data?

6. How do we protect and safeguard your personal data?

7. Who has access to your personal data and to whom is it disclosed?

8. What are your rights and how can you exercise them?

9. Contact information

10. Where to find more detailed information?

2

1. Introduction

The European Commission (hereafter ‘the Commission’) is committed to protect your personal data and to respect your privacy. The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.

This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor.

This privacy statement concerns the processing operation Organisation and management of Commission expert group meetings undertaken by the European Commission, DG JUST, Unit C4 – Democracy, union citizenship and free movement as presented below.

For the purpose of this privacy statement and the corresponding record, the term “expert groups” describes Commission expert groups in the sense of Article 2(1) of Commission Decision C(2016)3301 of 30 May 20161 and their sub-groups, as well as other similar entities in the sense of Article 2(2) of Commission Decision C(2016)3301 and their sub-groups.

2. Why and how do we process your personal data?

Purpose of the processing operation: The European Commission collects and uses your personal information only for the organisation, preparation, management and follow-up of expert groups meetings. More specifically, this concerns the following processing activities:

• communication activities such as sending e-mails and invitations (this entails the management of contact lists for correspondence);

• exchange of meeting documents (notably through information sharing and circulation of documents via e-mail, the Advanced Gateway to EU Meetings (AGM) online system for meeting organisation (see Record of processing DPR-EC-01141 - Information system supporting the organisation of meetings (former notification DPO-3911)) or CIRCABC (see Record of Processing DPR-EC-01666 - CIRCA and CIRCABC – Global User Directory (former notification DPO-1008))) and sharing of information with other Commission services to follow-up on the expert group meeting concerned;

• publication of minutes of meetings, including list of participants, in the Register of Commission expert groups and other similar entities (‘the Register of expert groups’) for reasons of transparency. The minutes and the list of participants include the names of individuals appointed as members either in a personal capacity who are due to act independently and in the public interest, or to represent a common interest shared by stakeholders in a particular policy area. The minutes may also include the positions of these individuals as expressed at the meeting. In the case of organisations, Member States’ authorities and other public entities, the names of their representatives may only be included in the minutes and published in the Register of expert groups subject to their prior freely given, specific, informed and unambiguous consent, in compliance with Article 3(15) and Article 7 of Regulation (EU) 2018/1725. Furthermore, in agreement with the competent Commission department, the expert group may, by

1 Commission Decision C(2016)3301 of 30 May 2016 establishing horizontal rules on the creation and

operation of Commission expert groups.

simple majority of its members, decide that deliberations shall be public, in compliance with Article 13.6 of Commission Decision C(2016)3301 of 30 May 2016 establishing horizontal rules on the creation and operation of Commission expert groups.

Your personal data will not be used for an automated decision-making including profiling.

3. On what legal ground(s) do we process your personal data

We process your personal data, because processing is necessary for the performance of a task carried out in the public interest (Article 5(1)(a) of Regulation (EU) No 2018/1725).

Expert groups play an important role in enabling the Commission to collect advice and views from a variety of key actors, such as Member States' authorities, private stakeholders, scientists and professionals. The Commission uses advice and expertise received as a basis for sound policy making and implementation.

The natural way for the Commission to obtain the opinion of the expert groups is in meetings. Furthermore, preparing minutes of the meetings of expert groups allows for the proper documentation of the work of the expert groups and also increases the transparency on expert groups and their work.

Processing of your personal data is also necessary to comply with a legal obligation to which the controller is subject (Article 5(1)(b) of Regulation (EU) No 2018/1725), namely Commission Decision C(2016)3301 of 30 May 2016 establishing horizontal rules on the creation and operation of Commission expert groups, and in particular its Articles 13, 20 and 26.

The latter Commission Decision also constitutes the Union law on which the processing under Article 5(1)(a) and (b) of Regulation (EU) No 2018/1725 is based.

For specific processing activities the consent of the data subject is necessary: The names of representatives of organisations, Member States’ authorities and other public entities are included in the minutes of the meetings only subject to their prior freely given, specific, informed and unambiguous consent, in compliance with Article 3(15) and Article 7 of Regulation (EU) No 2018/1725.

Your consent is required for the processing of your personal data relating to your dietary requirements and/or access requirements. If you opt-in, you are giving us your explicit consent under Article 5(1)(d) of Regulation (EU) 2018/1725 to process your personal data for those specific purposes. You can give your consent form by informing the controller for the expert group in question. You can withdraw your consent for these services at any time by contacting the controller for the expert group in question.

4. Which personal data do we collect and further process?

In order to carry out this processing operation the Data Controller may collect the following categories of personal data: ▪ Personal data necessary for organising and managing meetings such as gender (Mr/Ms),

name, organisation to which he/she belongs, e-mail address, phone/fax number;

▪ Personal data necessary for security (access control to Commission premises) such as ID card/Passport number and date of birth, name, surname, organisation he/she belongs to, gender;

4

▪ Personal data necessary for reimbursements purposes such as name, means of transport, hotel accommodation and banking details;

▪ Personal data necessary for payment of special allowances, such as name and banking details;

▪ Personal data included in the minutes of meetings, such as names of meeting participants and their positions expressed (in case of representatives of organisations, Member States’ authorities and other public entities, only based on their prior freely given, specific, informed and unambiguous consent, if at all);

▪ Personal data necessary for establishing the attendance list and the minutes: signature, audio-visual recording of the meeting;

▪ Personal data processed for web-streaming of the meeting, including audio-visual recording of the speakers, organisers and participants (non-speaker participants are not recorded individually but they may however appear on panoramic photographs of the whole event/audience)

▪ Personal data relating to your dietary requirements and/or access requirements]

If you do not provide these personal data, possible consequences are the impossibility to attend meetings and/or to be reimbursed or paid. We have obtained your personal data either directly from you, via the competent National department, other public entity or organisation that you work for or via the Permanent Representation of your country in Brussels.

5. How long do we keep your personal data?

The Data Controller only keeps your personal data for the time necessary to fulfil the purpose of collection or further processing, namely for a maximum of 5 years after closure of the file to which the personal data processed belongs. The documents related to the work of the expert groups are transferred to the Historical Archives for permanent preservation2.

The ‘administrative retention period’ of five years is based on the retention policy of Commission documents and files (and the personal data contained in them), governed by the common Commission-level retention list for European Commission files (SEC(2019)900).

It is a regulatory document in the form of a retention schedule that establishes the retention periods for different types of Commission files. That list has been notified to the European Data Protection Supervisor.

The ‘administrative retention period’ is the period during which the Commission departments are required to keep a file depending on its usefulness for administrative purposes and the relevant statutory and legal obligations.

This information is without prejudice to different retention periods which may apply to personal data processed for the purpose of reimbursing travel and subsistence costs, payment of special allowances and ensuring the participant's access to Commission premises based on the

2 For the processing operations concerning the Historical Archives, please see legacy notifications: 'DPO-

3871-3 Notification for the digital archival repository and ARCHISscanning' and 'DPO-2806-5

Gestion des dossiers papier structurés par nom de personnes et transférés aux Archives Historiques'.

dedicated processing operations notified to the DPO by the responsible Commission departments (Records of Processing DPR-EC-00655 (Commission Physical Access Control System (PACS)) and DPR-EC-00301 - Legal Entities and Bank Accounts (former notifications DPO-372 and DPO-300)).

Sensitive personal data relating to dietary and/or access requirements will be deleted as soon as they are no longer necessary for the purpose for which they have been collected in the framework of the expert group meeting, but no later than within 1 month after the end of the meeting.

Recordings from the web-streamed meeting will be kept for 2 years before being deleted. More information is available in the Record of Processing DPR-EC-00306 (Web-streaming of Commission events).

In case of audio-visual recording of the meeting, the recordings will be kept for 3 months after the meeting before being deleted. More information is available in the Record of Processing DPR-EC-03266 (Audio-visual recording of meetings).

Personal data shared with the Directorate-General for Human Resources and Security of the European Commission for the participants to gain access to Commission buildings is kept for 6 months after the termination of the link between the data subject and the Commission. More information is available in the Record of Processing DPR-EC-00655 (Commission Physical Access Control System (PACS)).

6. How do we protect and safeguard your personal data?

All personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are stored on the servers of the European Commission. All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.

In order to protect your personal data, the Commission has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.

7. Who has access to your personal data and to whom is it disclosed?

Access to your personal data is provided to the Commission staff authorised for carrying out this processing operation and to other authorised Commission staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements.

More specifically, the following Commission staff have access to certain parts of the personal data:

- Authorised staff of the European Commission's Directorate-General for Human Resources and Security have access to the personal data necessary for providing access

to European Commission premises;

6

- Authorised staff of the European Commission's Directorate-General for Budget and the Paymaster Office (PMO) have access to the personal data needed for reimbursement

purposes and payment of special allowances; - Authorised staff of the European Commission's Directorate-General for Interpretation

(SCIC) as meeting room and equipment providers have access to the audio-visual recordings of the meetings;

- Authorised staff of other European Commission departments involved in the policy follow-up to a specific expert group meeting.

The minutes of expert group meetings are made public on the Register of expert groups and in some cases contain personal data, as explained under Heading 2 of this privacy statement.

Please note that pursuant to Article 3(13) of Regulation (EU) 2018/1725, public authorities (e.g. Court of Auditors, EU Court of Justice) which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients. The further processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

The information we collect will not be given to any third party, except to the extent and for the purpose we may be required to do so by law.

8. What are your rights and how can you exercise them?

You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access your personal data and to rectify them in case your personal data is inaccurate or incomplete. Under certain conditions, you have the right to erase your personal data, to restrict the processing of your personal data, to object to the processing and the right to data portability. You have the right to object to the processing of your personal data, which is lawfully carried out pursuant to Article 5(1)(a) of Regulation (EU) 2018/1725, on grounds relating to your particular situation. To the extent you consented to the publication of some of your personal data, you can withdraw your consent at any time by notifying the Data Controller. The withdrawal will not affect the lawfulness of the processing carried out before you have withdrawn the consent. You can exercise your rights by contacting the Data Controller, or in case of conflict the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.

Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under Heading 10 below) in your request.

Any request for access to personal data will be handled within one month. Any other request mentioned above will be addressed within 15 working days.

9. Contact information

- The Data Controller

If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller:

European Commission, DG JUST, Unit C4 – Democracy, union citizenship and free movement at [email protected]

- The Data Protection Officer (DPO) of the Commission

You may contact the Data Protection Officer ([email protected]) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.

- The European Data Protection Supervisor (EDPS) You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor ([email protected]) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.

10. Where to find more detailed information?

The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him. You may access the register via the following link: http://ec.europa.eu/dpo-register.

This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-00744.

Commission européenne/Europese Commissie, 1049 Bruxelles/Brussel, BELGIQUE/BELGIË - Tel. +32 22991111

EUROPEAN COMMISSION DIRECTORATE-GENERAL JUSTICE AND CONSUMERS Directorate C: Rule of Law, Fundamental Rights and Democracy The Director

Brussels, JUST/C4/MO/ms (2024)5474762s

Subject: Invitation to the next meeting of the Commission’s Expert group against

SLAPP joined by the focal points on SLAPP and Member States

representatives (remote format)

Dear Madam/Sir,

I have the pleasure to invite you to the next meeting of the Expert Group against SLAPP

which will be held virtually on Monday 9th September 2024. (indicatively between 10.00

and 12.00). A link will be shared in due course.

Member States’ focal points had participated to the eighth meeting of the Expert Group

against SLAPP of 21 November 2022. Since then, important developments have taken place

in the fight against SLAPP, such as the entry into force of the Anti-SLAPP Directive1 in May

2024. More and more Member States have now appointed Focal Points.

The goal of extending this expert group meeting’s invitation to Member States Focal Points

will be to introduce recently established national Focal Points and exchange best practices and

information related to Member States’ work on support mechanisms.

Questions about the meeting can be directed to the functional mailbox JUST-ANTI-SLAPP-

[email protected].

We would be grateful for a confirmation of your participation by 26 August 2024 ideally via

the AGM system.

We are looking forward to the continuation of our meaningful exchanges at the meeting.

Yours sincerely,

Julien MOUSNIER

1 Directive (EU) 2024/1069 of the European Parliament and of the Council of 11 April 2024 on protecting

persons who engage in public participation from manifestly unfounded claims or abusive court proceedings

(‘Strategic lawsuits against public participation’), available at the following link: https://eur-lex.europa.eu/legal-

content/EN/TXT/?uri=CELEX%3A32024L1069

Electronically signed on 05 07/2024 16:44 (UTC+02) in accordance with Article 11 of Commission Decision (EU) 2021/2121

EUROPEAN COMMISSION

PROTECTION OF YOUR PERSONAL DATA

This privacy statement provides information about the processing and the protection of your personal data.

Processing operation: Organisation and management of meetings of expert groups

Data Controller: European Commission, DG JUST, Unit C4 – Democracy, union citizenship and free movement

Record reference: DPR-EC-00744

Table of Contents

1. Introduction

2. Why and how do we process your personal data?

3. On what legal ground(s) do we process your personal data?

4. Which personal data do we collect and further process?

5. How long do we keep your personal data?

6. How do we protect and safeguard your personal data?

7. Who has access to your personal data and to whom is it disclosed?

8. What are your rights and how can you exercise them?

9. Contact information

10. Where to find more detailed information?

2

1. Introduction

The European Commission (hereafter ‘the Commission’) is committed to protect your personal data and to respect your privacy. The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.

This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor.

This privacy statement concerns the processing operation Organisation and management of Commission expert group meetings undertaken by the European Commission, DG JUST, Unit C4 – Democracy, union citizenship and free movement as presented below.

For the purpose of this privacy statement and the corresponding record, the term “expert groups” describes Commission expert groups in the sense of Article 2(1) of Commission Decision C(2016)3301 of 30 May 20161 and their sub-groups, as well as other similar entities in the sense of Article 2(2) of Commission Decision C(2016)3301 and their sub-groups.

2. Why and how do we process your personal data?

Purpose of the processing operation: The European Commission collects and uses your personal information only for the organisation, preparation, management and follow-up of expert groups meetings. More specifically, this concerns the following processing activities:

• communication activities such as sending e-mails and invitations (this entails the management of contact lists for correspondence);

• exchange of meeting documents (notably through information sharing and circulation of documents via e-mail, the Advanced Gateway to EU Meetings (AGM) online system for meeting organisation (see Record of processing DPR-EC-01141 - Information system supporting the organisation of meetings (former notification DPO-3911)) or CIRCABC (see Record of Processing DPR-EC-01666 - CIRCA and CIRCABC – Global User Directory (former notification DPO-1008))) and sharing of information with other Commission services to follow-up on the expert group meeting concerned;

• publication of minutes of meetings, including list of participants, in the Register of Commission expert groups and other similar entities (‘the Register of expert groups’) for reasons of transparency. The minutes and the list of participants include the names of individuals appointed as members either in a personal capacity who are due to act independently and in the public interest, or to represent a common interest shared by stakeholders in a particular policy area. The minutes may also include the positions of these individuals as expressed at the meeting. In the case of organisations, Member States’ authorities and other public entities, the names of their representatives may only be included in the minutes and published in the Register of expert groups subject to their prior freely given, specific, informed and unambiguous consent, in compliance with Article 3(15) and Article 7 of Regulation (EU) 2018/1725. Furthermore, in agreement with the competent Commission department, the expert group may, by

1 Commission Decision C(2016)3301 of 30 May 2016 establishing horizontal rules on the creation and

operation of Commission expert groups.

simple majority of its members, decide that deliberations shall be public, in compliance with Article 13.6 of Commission Decision C(2016)3301 of 30 May 2016 establishing horizontal rules on the creation and operation of Commission expert groups.

Your personal data will not be used for an automated decision-making including profiling.

3. On what legal ground(s) do we process your personal data

We process your personal data, because processing is necessary for the performance of a task carried out in the public interest (Article 5(1)(a) of Regulation (EU) No 2018/1725).

Expert groups play an important role in enabling the Commission to collect advice and views from a variety of key actors, such as Member States' authorities, private stakeholders, scientists and professionals. The Commission uses advice and expertise received as a basis for sound policy making and implementation.

The natural way for the Commission to obtain the opinion of the expert groups is in meetings. Furthermore, preparing minutes of the meetings of expert groups allows for the proper documentation of the work of the expert groups and also increases the transparency on expert groups and their work.

Processing of your personal data is also necessary to comply with a legal obligation to which the controller is subject (Article 5(1)(b) of Regulation (EU) No 2018/1725), namely Commission Decision C(2016)3301 of 30 May 2016 establishing horizontal rules on the creation and operation of Commission expert groups, and in particular its Articles 13, 20 and 26.

The latter Commission Decision also constitutes the Union law on which the processing under Article 5(1)(a) and (b) of Regulation (EU) No 2018/1725 is based.

For specific processing activities the consent of the data subject is necessary: The names of representatives of organisations, Member States’ authorities and other public entities are included in the minutes of the meetings only subject to their prior freely given, specific, informed and unambiguous consent, in compliance with Article 3(15) and Article 7 of Regulation (EU) No 2018/1725.

Your consent is required for the processing of your personal data relating to your dietary requirements and/or access requirements. If you opt-in, you are giving us your explicit consent under Article 5(1)(d) of Regulation (EU) 2018/1725 to process your personal data for those specific purposes. You can give your consent form by informing the controller for the expert group in question. You can withdraw your consent for these services at any time by contacting the controller for the expert group in question.

4. Which personal data do we collect and further process?

In order to carry out this processing operation the Data Controller may collect the following categories of personal data: ▪ Personal data necessary for organising and managing meetings such as gender (Mr/Ms),

name, organisation to which he/she belongs, e-mail address, phone/fax number;

▪ Personal data necessary for security (access control to Commission premises) such as ID card/Passport number and date of birth, name, surname, organisation he/she belongs to, gender;

4

▪ Personal data necessary for reimbursements purposes such as name, means of transport, hotel accommodation and banking details;

▪ Personal data necessary for payment of special allowances, such as name and banking details;

▪ Personal data included in the minutes of meetings, such as names of meeting participants and their positions expressed (in case of representatives of organisations, Member States’ authorities and other public entities, only based on their prior freely given, specific, informed and unambiguous consent, if at all);

▪ Personal data necessary for establishing the attendance list and the minutes: signature, audio-visual recording of the meeting;

▪ Personal data processed for web-streaming of the meeting, including audio-visual recording of the speakers, organisers and participants (non-speaker participants are not recorded individually but they may however appear on panoramic photographs of the whole event/audience)

▪ Personal data relating to your dietary requirements and/or access requirements]

If you do not provide these personal data, possible consequences are the impossibility to attend meetings and/or to be reimbursed or paid. We have obtained your personal data either directly from you, via the competent National department, other public entity or organisation that you work for or via the Permanent Representation of your country in Brussels.

5. How long do we keep your personal data?

The Data Controller only keeps your personal data for the time necessary to fulfil the purpose of collection or further processing, namely for a maximum of 5 years after closure of the file to which the personal data processed belongs. The documents related to the work of the expert groups are transferred to the Historical Archives for permanent preservation2.

The ‘administrative retention period’ of five years is based on the retention policy of Commission documents and files (and the personal data contained in them), governed by the common Commission-level retention list for European Commission files (SEC(2019)900).

It is a regulatory document in the form of a retention schedule that establishes the retention periods for different types of Commission files. That list has been notified to the European Data Protection Supervisor.

The ‘administrative retention period’ is the period during which the Commission departments are required to keep a file depending on its usefulness for administrative purposes and the relevant statutory and legal obligations.

This information is without prejudice to different retention periods which may apply to personal data processed for the purpose of reimbursing travel and subsistence costs, payment of special allowances and ensuring the participant's access to Commission premises based on the

2 For the processing operations concerning the Historical Archives, please see legacy notifications: 'DPO-

3871-3 Notification for the digital archival repository and ARCHISscanning' and 'DPO-2806-5

Gestion des dossiers papier structurés par nom de personnes et transférés aux Archives Historiques'.

dedicated processing operations notified to the DPO by the responsible Commission departments (Records of Processing DPR-EC-00655 (Commission Physical Access Control System (PACS)) and DPR-EC-00301 - Legal Entities and Bank Accounts (former notifications DPO-372 and DPO-300)).

Sensitive personal data relating to dietary and/or access requirements will be deleted as soon as they are no longer necessary for the purpose for which they have been collected in the framework of the expert group meeting, but no later than within 1 month after the end of the meeting.

Recordings from the web-streamed meeting will be kept for 2 years before being deleted. More information is available in the Record of Processing DPR-EC-00306 (Web-streaming of Commission events).

In case of audio-visual recording of the meeting, the recordings will be kept for 3 months after the meeting before being deleted. More information is available in the Record of Processing DPR-EC-03266 (Audio-visual recording of meetings).

Personal data shared with the Directorate-General for Human Resources and Security of the European Commission for the participants to gain access to Commission buildings is kept for 6 months after the termination of the link between the data subject and the Commission. More information is available in the Record of Processing DPR-EC-00655 (Commission Physical Access Control System (PACS)).

6. How do we protect and safeguard your personal data?

All personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are stored on the servers of the European Commission. All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.

In order to protect your personal data, the Commission has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.

7. Who has access to your personal data and to whom is it disclosed?

Access to your personal data is provided to the Commission staff authorised for carrying out this processing operation and to other authorised Commission staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements.

More specifically, the following Commission staff have access to certain parts of the personal data:

- Authorised staff of the European Commission's Directorate-General for Human Resources and Security have access to the personal data necessary for providing access

to European Commission premises;

6

- Authorised staff of the European Commission's Directorate-General for Budget and the Paymaster Office (PMO) have access to the personal data needed for reimbursement

purposes and payment of special allowances; - Authorised staff of the European Commission's Directorate-General for Interpretation

(SCIC) as meeting room and equipment providers have access to the audio-visual recordings of the meetings;

- Authorised staff of other European Commission departments involved in the policy follow-up to a specific expert group meeting.

The minutes of expert group meetings are made public on the Register of expert groups and in some cases contain personal data, as explained under Heading 2 of this privacy statement.

Please note that pursuant to Article 3(13) of Regulation (EU) 2018/1725, public authorities (e.g. Court of Auditors, EU Court of Justice) which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients. The further processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

The information we collect will not be given to any third party, except to the extent and for the purpose we may be required to do so by law.

8. What are your rights and how can you exercise them?

You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access your personal data and to rectify them in case your personal data is inaccurate or incomplete. Under certain conditions, you have the right to erase your personal data, to restrict the processing of your personal data, to object to the processing and the right to data portability. You have the right to object to the processing of your personal data, which is lawfully carried out pursuant to Article 5(1)(a) of Regulation (EU) 2018/1725, on grounds relating to your particular situation. To the extent you consented to the publication of some of your personal data, you can withdraw your consent at any time by notifying the Data Controller. The withdrawal will not affect the lawfulness of the processing carried out before you have withdrawn the consent. You can exercise your rights by contacting the Data Controller, or in case of conflict the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.

Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under Heading 10 below) in your request.

Any request for access to personal data will be handled within one month. Any other request mentioned above will be addressed within 15 working days.

9. Contact information

- The Data Controller

If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller:

European Commission, DG JUST, Unit C4 – Democracy, union citizenship and free movement at [email protected]

- The Data Protection Officer (DPO) of the Commission

You may contact the Data Protection Officer ([email protected]) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.

- The European Data Protection Supervisor (EDPS) You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor ([email protected]) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.

10. Where to find more detailed information?

The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him. You may access the register via the following link: http://ec.europa.eu/dpo-register.

This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-00744.