ENISA is committed to the protection of individuals’ privacy and data protection.
The rights to privacy and data protection are fundamental rights, set out in articles 7 and 8 of the EU Charter of Fundamental Rights.
ENISA, as an EU Agency, is subject to the Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies. This Regulation has the same level and types of rules for the protection of personal data as the General Data Protection Regulation (GDPR), which is applicable to all EU Member States.
In order to function and meet its tasks and objectives, ENISA needs to collect and further process personal data of its staff members, as well as other natural persons in the context of its different activities in the areas of human resources, procurement and finance, corporate services (e.g. IT services), as well as in the context of the functioning of ENISA’s governance bodies and core operations.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
Examples of personal data include: names, pictures, contact details, emails, CVs, diplomas, recommendation letters, professional & family life, bank details, transaction information, medical data, judicial & criminal records, CCTV footage, log files, IP addresses, cookies, etc.
How does ENISA process personal data?
ENISA process personal data in accordance with the principles and provisions of Regulation (EU) 2018/1725.
These provisions mandate the personal data shall be:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
- accurate and, where necessary, kept up to date (“accuracy”’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
ENISA adheres to its obligations under the Regulation (EU) 2018/1725 and provides for the data subjects rights under this Regulation.
Further information:
ENISA’s central register of data processing activities
Data subjects rights under Regulation (EU) 2018/1725