Privacy policy

1. Introduction

The European Commission is committed to protect your personal data and to respect your privacy. The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data. This privacy statement explains the reason for the processing of your personal data in the context of the EU Health Policy Platform (hereafter HPP). It explains the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of our unit with which you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor. The information in relation to processing operation regarding the HPP, undertaken by DG SANTE, Unit B3 of the European Commission, is presented below.

2. Why and how do we process your personal data?

The general purpose for the processing of personal data in the context of the HPP is to enable the sharing of ideas and good practices between public health stakeholders in the EU, among themselves and with the Commission, as well as to disseminate their views within the specific networks they belong to, and to inform them about events and information relevant to health policies through the HPP.

The HPP is a collaborative, interactive platform that evolved from a consultative group (EU Health Policy Forum) to a multilateral communication channel between the Commission and its health stakeholders. The new format of the HPP is conceived to increase the sharing of ideas and good practices both between public health stakeholders in the EU and between these stakeholders and the Commission.

The HPP operates through the following three axes:

(1) Web platform to enable online discussion and collaboration through the common space, the Agora, and other open and restricted networks,

(2) Joint Statements through Thematic Networks in the Platform, and

(3) Live webinars and the EU Health Policy Platform annual meeting. Your personal data will not be used for any automated decision-making including profiling.

3. On what legal ground(s) do we process your personal data?

The processing operations on personal data, linked to the organisation and management of the HPP are necessary for the management and functioning of the Commission, as mandated by the Treaties. Those provisions are in particular, Article 11 of the Treaty on European Union and Article 15 of the Treaty on the Functioning of the European Union. Consequently, those processing operations are lawful under Article 5(1)(a) of Regulation (EU) 2018/1725 (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body).

When clicking on the log-in tab on the EU Health Policy Platform homepage, stakeholders will be directed to an interactive platform where, after registration (via the European Commission Authentication Service-ECAS/EU-login) and requesting access, they become members of a general network called the Agora Network and receive automatic access to the Thematic and Exchange networks. Then, upon request, they can also become part of other specific networks led by Stakeholders, the Commission or Member States, according to their needs and fields of expertise. Each network has a newsfeed where stakeholders can post items (news, comments, links and documents) with different degrees of visibility (visible to all networks – through the Agora – or restricted to a single network). Network members are also able to comment on posts and discuss new ideas, exchange and store documents, promote and participate in events, create opinion polls, start a discussion and request access to other networks. New networks are regularly created to meet the needs of stakeholders, Member States and DG SANTE.

4. Which personal data do we collect and further process?

The data fields are the personal data required in order to sign up to ECAS/EU login: e-mail address, first name, last name, username. The e-mail address will only be visible to the system administrator.

Data is kept concerning members of existing DG SANTE EU Expert and Stakeholder Groups, European Commission staff and health stakeholders involved in health policy who are registered in the Platform. Policy officers of the European Commission may act as moderators of Commission and Member State led networks, which means that their personal data (name, title and image) is visible for the group members.

Furthermore, each stakeholder who is a member of a network will be able to create a profile by supplying, by choice, the following personal data: name, surname, picture, location, email addresses (personal and professional), phone number, skype address, memberships in the networks, and the name of the organisation they represent, as well as comments / opinions. These data are published on the member’s profile and will be visible to all stakeholders registered in the HPP. The moderator of each network shall ensure that the discussions in the group are not related to a specific individual’s personal health data.

Only data of relevance to the event, webinar, Platform, etc. is collected. No special personal data categories, as described in article 10 of Regulation (EU) 2018/1725, are processed in the context of this processing operation.

5. How long do we keep your personal data?

Personal data of the users will be kept for as long as their account is active. After two months after the deletion from EU login of the user profile, personal data will be also deleted by SAAS2.

For the data in SAAS2, once a person is removed from any access to any DG SANTE system, the data will not be kept longer than one month after the initial date of deletion.

6. How do we protect and safeguard your personal data?

Users are allowed to choose whom they share their personal data with within the Platform. In addition, all exchanges of information within the HPP’s Agora Network are checked a posteriori by a moderator from the Commission services, following the Rules of Procedure of the HPP, which include good practices to be followed by registered users. The networks led by Stakeholders, the Commission and Member States are managed and moderated by designated stakeholder representatives or, where applicable, the policy officer responsible for that particular area of interest.

The collected personal data and all related information are stored on servers of a computer center of DG DIGIT issuing the call for application. The Commission premises and operations of all computer centers abide by the Commission’s security decisions and provisions established by the Directorate General Human Resources and Security.

Personal data of HPP users will be kept for as long as their account is active (functional email address). As stated above, two months following the deletion of the user profile from ECAS, personal data will be also deleted from SAAS2. Once a person is removed from any access to any DG SANTE system, the data will be deleted from SAAS2 within one month of the deletion request.

7. Who has access to your personal data and to whom is it disclosed?

For the purpose detailed above, without prejudice to a possible transmission to the bodies in charge of a monitoring or inspection task in accordance with European Union law, personal data in the HPP is disclosed to:

• Users registered in the HPP (who are able to read comments and certain personal data categories of other users if supplied – first name, family name, picture and organisation of the contributor).

• Commission staff, as well as external experts and contractors who work on behalf of the Commission for the purposes of managing the selection procedure (in the case of the EU Health Award), and the bodies charged with a monitoring or inspection task in application of Union law (e.g. internal audits, Financial Irregularities Panel, European Anti-fraud Office – OLAF);

Personal data submitted by applicants as contact points of an organisation is not provided via the EU Health Policy Platform or the EU Health Award to members of the public without prior consent.

8. What are your rights and how can you exercise them?

You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access, your personal data and to rectify them in case your personal data are inaccurate or incomplete. Where applicable, you have the right to erase your 4 personal data, to restrict the processing of your personal data, to object to the processing, and the right to data portability when specific conditions are met.

You have the right to object to the processing of your personal data, which is lawfully carried out pursuant to Article 5(1)(a) of Regulation (EU) 2018/1725 on grounds relating to your particular situation.

In case you have consented to provide certain personal data for the present processing operation, you can withdraw your consent at any time by notifying the data controller. The withdrawal of your consent will not affect the lawfulness of the processing carried out before you have withdrawn the consent.

You can exercise your rights by contacting the data controller, or in case of conflict the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.

Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under Heading 10 below) in your request.

Users can access, verify and correct their own personal data at any given time. To delete their profile, however, they need to send an email to the functional mailbox (see section 7 below). Regarding SAAS2, users have to send an email to the functional mailbox (see section 7 below) in order to exercise their rights. Two months after deletion in EU Login/ECAS, the users’ personal data is automatically deleted from SAAS2If the user wants to erase their personal data from SAAS2 before the two-month period, they are required to send an email to the functional mailbox (see section 7 below).

If Platform users wish to verify which personal data is stored, or ask that it be modified, corrected or deleted, or object to its processing, they are requested to contact the Commission, using the Contact Information below, explicitly specifying the nature of their request. Users should be sure that they wish to be deleted before making that request, because after deletion, it is impossible for other network members or the Commission services to contact them again via the Platform, unless the user chooses to launch a new request to join at a later date.

9. Contact information

– The Data Controller If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller on SANTE-HPP@ec.europa.eu

– The Data Protection Officer (DPO) of the Commission You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.

– The European Data Protection Supervisor (EDPS) You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor (edps@edps.europa.eu) if you consider that your rights under Regulation 5 (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the data controller.

10. Where to find more detailed information?

The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the European Commission, which have been documented and notified to him. You may access the register via the following link: http://ec.europa.eu/dporegister.