The European Commission (hereafter ‘the Commission’) is committed to protect the personal data and privacy of EPREL visitors.
The Commission may collect, exclusively upon explicit consent, and further process personal data, pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies.
Why and how we process personal data? Which personal data we collect? To whom is personal data disclosed?
EPREL allows EPREL visitors to report product models for possible or suspected non-compliance reasons. Once a visitor has confirmed the intention to submit a report, by replying to the mail sent by the EPREL system, the e-mail content is submitted to the relevant supplier or to the relevant market surveillance authority as an “anonymous report”. No storing of personal data occurs.
Only upon explicit consent, by checking the box to enable possible feedback, the visitor e-mail address is stored and made available to the relevant supplier or Market Surveillance Authorities and to Commission services having access to EPREL.
On which legal grounds do we process this personal data?
The EPREL system only processes visitor’s email address on the basis of explicit consent, and only with the purpose to share the address with the concerned supplier or the relevant market surveillance authority and give access to the Commission services in charge of EPREL.
How long is the personal e-mail address kept?
E-mail addresses that have been collected with explicit consent, for feedback purpose, are automatically deleted within 6 months. No further processing is envisaged outside the scope of the specific context described above.
How do we protect your data?
E-mail addresses are stored on the EPREL server of the European Commission. All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission. In order to protect personal data, the Commission has put in place a number of technical and organisational measures.
What are your rights and how can you exercise them?
Visitors having accepted to share their address with the relevant supplier or with market surveillance authorities, to report a possible non-compliance, can withdraw their consent, at any time, by notifying the Data Controller. The withdrawal will not affect the lawfulness of the processing carried out before having withdrawn the consent (that will become anonymous).
The Data Controller
To exercise the rights under Regulation (EU) 2018/1725, or for questions, concerns, or complaint regarding the collection and use of personal email addresses please contact the Data Controller:
European Commission - Directorate General for Energy, Unit B3 Buildings and products
The Data Protection Officer (DPO) of the Commission
The Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) can be contacted with regard to issues related to the processing of a personal e-mail address under Regulation (EU) 2018/1725.
The European Data Protection Supervisor (EDPS)
Anybody has the right to have recourse (i.e. lodging a complaint) to the European Data Protection Supervisor (email@example.com) rights under Regulation (EU) 2018/1725 are considered as infringed as a result of the processing of the personal e-mail address by the Data Controller.
Where to find more detailed information?
The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to the office. The register can be accessed via the following link: https://ec.europa.eu/dpo-register.
This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC- 12369.