Protection of Your Personal Data
This privacy statement provides information about the processing and the protection of your personal data.
Processing operation: TRACES NT - EUDR - Information system (platform) for managing and tracking the life cycle of Due Diligence Statements (DDS) to ensure that operators and traders placing relevant products on the market or exporting them comply with the Deforestation Regulation
Data Controller: Directorate General Environment, Unit ENV.F1 - Planetary Common Goods, Universal Values & Environmental Security
Record reference: Record DPR-EC-30169
Table of Contents
- Introduction
- Why and how do we process your personal data?
- On what legal ground(s) do we process your personal data?
- Which personal data do we collect and further process?
- How long do we keep your personal data?
- How do we protect and safeguard your personal data?
- Who has access to your personal data and to whom is it disclosed?
- What are your rights and how can you exercise them?
- Contact information
- Where to find more detailed information?
1. Introduction
The European Commission (hereafter ‘the Commission’) is committed to protecting your personal data and to respecting your privacy. The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (repealing Regulation (EC) No 45/2001).
This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor.
The information in relation to processing operation TRACES NT - EUDR - Information system (platform) for managing and tracking the life cycle of Due Diligence Statements (DDS) to ensure that operators and traders placing relevant products on the market or exporting them comply with the Deforestation Regulation, undertaken by Directorate-General for Environment, Unit ENV.F1 - Planetary Common Goods, Universal Values & Environmental Security, which has determined the purpose(s) and the means of the processing of personal data, is presented below.
2. Why and how do we process your personal data?
Purpose of the processing operation: DG ENV.F1 (referred to hereafter as Data Controller) collects and uses your personal information to ensure proper communication, to keep historical tracks of data provided and audit tracks of actions performed in the system. Data subjects have to provide certain data in order to register, gain access and perform operations.
Data subjects connected to the web applications have to create an ECAS account (EU Login), where they need to insert their personal details and data. Their data will be used and processed in the web application for the performance of the operations relevant to EUDR.
Data subjects can manage, modify and update the personal data that they provide. The purpose of the personal data processing is the performance of the operations relevant to EUDR in relation to the relevant products that are being placed on the market or exported from the EU.
More specifically, the processing of data aims to ensure that all the procedures relevant to the performance of the operations relevant to EUDR will be properly recorded in the system to ensure that operators and traders placing relevant products on the market or exporting them comply with the Deforestation Regulation.
Your personal data will not be used for automated decision-making, including profiling.
3. On what legal ground(s) do we process your personal data?
We process your personal data, because:
(a) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;
(b) processing is necessary for compliance with a legal obligation to which the controller is subject;
The legal basis for the data processing is:
TRACES NT-EUDR is an Information system (platform) aimed at facilitating the implementation of Regulation (EU) 2023/1115 of the European Parliament and of the Council, on the establishment of a Due Diligence scheme for making available on the EU market and exporting certain commodities and products associated with deforestation and forest degradation.
Based on Article 33 of Regulation (EC) 2023/1115, the EUDR provides a platform of reference for automated sharing of Due Diligence Statements (DDS) information amongst Member State Competent Authorities and other stakeholders.
4. Which personal data do we collect and further process?
In general, information is collected about the policy domain (EUDR Due Diligence Statements (DDS)) rather than individuals. Concerning individuals, data collected includes information of people in Competent Authorities and Customs offices as well as people who are or work for companies’ operators and traders.
‘Information System user’ means officials from national competent authorities, operators and traders, and their authorised representatives, where applicable, pursuant to Regulation (EU) 2023/1115 which are identified by individual registration within EU Login, the user authentication service of the European Commission;
The following categories of personal data are requested from the Information System user in order to register and to sign into EUDR through ECAS and SAAS (authentication and authorisation systems – EU Login), and consequently processed for the performance of the operations relevant to EUDR:
- first name;
- family name;
- e-mail;
- phone number;
- country;
- address.
In addition, the following personal data are processed:
Economic operators and traders: Data that are being collected include the operator's and trader’s name, address and contact details. Users attached to these operators and traders have to indicate their personal details:
- identification data: first name and surname, unique identifier including the EORI number, if applicable;
- professional contact details: email and postal address, country of residence or country of registered office, phone number and fax number, if applicable;
- data on geolocation, where individuals can be identified;
- user authentication and access data to access the Information System: IP address and user name.
Officials from national competent authorities: These users are attached to their respective central/regional/local/border control authority. The data include the users' personal details:
- identification data: first name and surname;
- professional contact details: email and postal address, country of residence or country of registered office, position, phone number and fax number, if applicable;
- user authentication and access data to access the Information System: IP address and user name.
5. How long do we keep your personal data?
The Information System should not store the data including the personal data submitted by the Information System users in a form which permits identification of data subjects longer than strictly necessary for the purposes for which the personal data are processed. This period should be five years from the date the Due Diligence Statement is submitted through the information system in accordance with the record keeping obligations of operators and traders pursuant to Article 4(3) and Article 5(4) of Regulation (EU) 2023/1115.
User authentication and access data to access the Information System (IP address and user name) are kept until they are changed by the user or the account is terminated.
6. How do we protect and safeguard your personal data?
Personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are stored either on the servers of the European Commission or of its contractors. All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.
Access to the system is protected by an EU Login account and its password. Users have access only to data concerning their own account or to general information. Two access levels are available:
- Regular Information System user (Competent Authorities, Customs offices, operators and traders) and
- Administrators in DG SANTE or DG ENV (staff of the European Commission or under contract with the European Commission). Administrators have access to data concerning all accounts.
The Regulation foresees that every operator, trader and competent authority shall have access to data, information or documents that are handled, produced or transmitted under their area of responsibility. Therefore, every user in TRACES NT - EUDR - Information system is allowed to have access to data that are directly relevant to the operations they perform within the system.
Where personal data is processed in the operation of the Information System for the purpose of fulfilling obligations and tasks under Regulation (EU) 2023/1115, operators and traders, and if applicable, their authorised representatives, competent authorities, and customs authorities should be controllers within the meaning of the General Data Protection Regulation in the EU Member States (‘GDPR’ Regulation (EU) 2016/679) for the processing activities they carry out.
In order to protect your personal data, the Commission has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorized access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorized persons with a legitimate need to know for the purposes of this processing operation.
7. Who has access to your personal data and to whom is it disclosed?
Access to your personal data is provided to the Commission staff responsible for carrying out this processing operation and to authorized staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements.
Your information is shared (in read-only mode) between the EUDR users.
The Commission and in particular the Controller cannot be held responsible for the use and processing of the information that may be made by persons who do not belong to the Commission.
EUDR users shall own and be responsible for the data, information and documents that they have inserted or produced under their responsibility through the operations relevant to EUDR.
The persons in Directorate General Environment, Unit ENV.F1 - Planetary Common Goods, Universal Values & Environmental Security who have access to all collected personal data and have the possibility to modify them upon request are:
- the Controller, identified officials in the unit in charge of the EUDR, identified officials in the IT sector in charge of the technical assistance to the units.
The recipients of the data can be distinguished as indicated below:
Recipients within the EU organization:
Access to your personal data is provided to the Commission staff responsible for carrying out this processing operation and to authorized staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements.
Recipients outside the EU organization:
- EU Member States competent authorities (in order to overview and manage the information, data and relevant documents that are exchanged under their area of responsibility);
- EU and non-EU economic operators and traders – (access to data relevant to their area of activity and their national competent authorities);
- Customs authorities - (access to relevant data, documents and information exchanged and transmitted into EUDR for monitoring purposes).
Each category of the above recipients has access to the relevant data and information which directly concerns it and which is under its area of direct responsibility within EUDR.
The controller will transfer your personal data to the following international organisations in accordance with Regulation (EU) 2018/1725, to the extent and for the purpose that it may be required to do so by law:
- Europol - in the context of investigations against food fraud cases.
- Interpol - in the context of investigations against food fraud cases.
The controller will transfer your personal data based on:
- The European Commission's adequacy decision (Article 47 of Regulation (EU) 2018/1725) for cases of non-EU countries where such decision applies.
- A derogation (Article 50(1)(d) of Regulation (EU) 2018/1725) since the transfer is necessary for important reasons of public interest.
8. What are your rights and how can you exercise them?
You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access, rectify or erase your personal data and the right to restrict the processing of your personal data. Where applicable, you also have the right to object to the processing or the right to data portability.
According to Regulation (EU) 2018/1725, you are entitled to access directly your personal data and modify it in case the data is inaccurate or incomplete.
Any personal data collected at Member State level is subject to Regulation (EU) 2016/679.
Officials of the European Commission who have administrator rights can verify the personal data and enable/disable access to the system. If an account is terminated, the account is not removed but its corresponding personal data is anonymized.
You can exercise your rights by contacting the Data Controller, or in case of conflict the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.
Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e., their Record reference(s) as specified under Heading 10 below) in your request.
9. Contact information
- The Data Controller
If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller:
European Commission
Directorate General Environment,
Unit ENV.F1 - Planetary Common Goods, Universal Values & Environmental Security
Rue de la Loi 200
B - 1049 Brussels
Belgium
E-mail(s): ENV-DEFORESTATION@ec.europa.eu
- The Data Protection Officer (DPO) of the Commission
You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.
- The European Data Protection Supervisor (EDPS)
You have the right to have recourse (i.e., you can lodge a complaint) to the European Data Protection Supervisor (edps@edps.europa.eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.
10. Where to find more detailed information?
The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him. You may access the register via the following link: http://ec.europa.eu/dpo-register.
This specific processing operation has been included in the DPO’s public register (Record reference DPR-EC-30169).