Advanced Gateway to your Meetings

Legal notice

Record for processing of personal data

Title: Information system supporting the organization of meetings

Reference: DPR-EC-01141.2

Entity of the Operational Controller: European Commission: Administration and Payment of Individual Entitlements (PMO)

Publication date: 22/10/2021

 

 

1. General Information

Data protection record

Record reference

DPR-EC-01141.2

Title of the processing operation

Information system supporting the organization of meetings

Language of the record

English

Corporate record

Corporate - Centralised

 

Data Protection Officer

Contact details

EC-DPO-INTERNAL[at]ec[dot]europa[dot]eu

 

Entity of the Operational Controller

Responsible organisational entity

Administration and Payment of Individual Entitlements (PMO)

Contact Details

PMO-DATA-PROTECTION-COORDINATOR[at]ec[dot]europa[dot]eu

 

Joint controllership

Joint controllership is involved

N/A

 

Processors

Processors are involved in the processing

Yes

  • Names and contact details of processor

The main processors are Commission staff and European Union staff for EPDS and agencies. In order to develop, test and support the system the European Commission might have recourse to the services of external companies as processors. In the case of individuals, the contracts will be finalised in accordance with DIGIT framework contracts. The production environment will be hosted by DIGIT.

 

2. Purpose and description of the processing

 

Purpose

Description of the purpose of the processing

Organising meetings and managing reimbursement of expenses incurred by participants invited by the European Commission.

 

Processing for further purposes

The purpose(s) for further processing

N/A

 

Modes of processing

The mode of processing

  • Any other mode:

          AGM (Advanced Gateway to your Meetings) covers most of the processes involved in organising a meeting:

  • through a Front Office where the experts (external persons) manage the invitations to meetings (including user consent to data processing) and encode their expenses claims for costs incurred when attending a meeting organised by the DGs/agencies. The Front Office is also used by correspondents (external users) who settle the list of attendants to meetings.
  • through a Back Office managed by the service organising the meeting and all the practical arrangements for the meeting (invitation and registration of participants);
  • and through a Back Office managed by the PMO for the validation of participants’ bank accounts and legal entities, before reimbursement of the expenses incurred by them.

Description/additional information regarding the modes of processing

The purpose of the data processing is twofold:

  • Collection and use of personal data in order to organise and manage meetings with or without outside participants.
  • Reimbursement of participants invited to meetings pursuant to Commission Decision C(2007) 5858 of 5 December 2007 – Rules on the reimbursement of expenses incurred by people from outside the Commission invited to attend meetings in an expert capacity (C(2007)5858).

 

Storage medium

The medium of storage (one or more)

  • Electronic
  • Others:

          -

Description/additional information regarding the storage medium

European Commission Data centres

 

Comments

Comments/additional information on the data processing

AGM covers most of the processes related to the organisation of a meeting. The system replaced existing manual practices without adding extra data processing operations. It provides additional safeguards for the protection of personal data, as the processing is done using normalized operations rather than, as previously, by the different meeting organisers keeping their own lists. The business processes related to personal data are:

  • Creation of the list of correspondents of third parties and/or nominated experts to whom the invitations are sent: only meeting assistants assigned to the organisation of the meeting can update this information.
  • Collection of the necessary data (only first name, last name and email address) for the access to Commission premises, which are sent to the IT systems of the Security Office of the Commission for access control purposes by security guards (under the responsibility of DG HR.DS - see Notification DPR-EC-0655). The correspondents of a third party enter the mentioned information, which is available only to them and to the meeting assistants assigned to the organisation of the meeting.
  • Collection of the personal data for financial and contractual relations to be processed through AGM and to be sent to the IT systems under the responsibility of DG BUDG (see Notification DPR-EC-00301.1).
  • Collection of the proof of expenses by the experts for their reimbursement: the experts enter data on the expenses for which they request reimbursement. These data are registered in Ares and are accessible only to the operational and financial agents in charge of verifying and executing the payments.
  • Storage of the users' contact information and of the rights to access/not access the different functionalities of the system.
  • Where needed, personal data become part of a database (see Notification DPR-EC-00847.1) that facilitates interaction between the EC and its stakeholders in their areas of interest.

 

3. Data subjects and data categories

 

Data subjects’ categories

Data subject(s) are

  • Internal to the organisation

    A description of the data subjects (internal to the organisation)

          All Services staff including EC users and the people that will be managing the invitations in external organisations (correspondents).

  • External to the organisation

    A description of the data subjects (external to the organisation)

           All the people invited and participating in a meeting (experts).

 

Data categories/fields

Description of the categories of data that will be processed

In order to process the data, the Data Controller, PMO.5, collects and processes the following categories of personal data through AGM:

  • First name and surname
  • Email address
  • Unique identifier used by the European Commission’s Authentication Service (EU Login ID)
  • Information on the transport expenses of reimbursable participants
  • Information on the subsistence expenses of reimbursable participants
  • The data in the legal entity form (e.g. ID document, private or professional address of the reimbursable participant, etc.). The data in the bank account form of the reimbursable participant (account number, name of account holder and any other information needed to identify the account to which payment is to be made)
  • EU Login data

 

Through AGM it is also possible to process the first name, surname, email address, EU Login and login data of the meeting assistants in charge of organisation and the Commission’s financial officers responsible for making the reimbursements.

There is no reference in the personal data to ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual orientation.

The processing operation concerns any 'special categories of data' which fall(s) under Article 10(1), which shall be prohibited unless any of the reasons under Article 10(2) applies

 

N/A

 

Description/additional information regarding special categories of personal data

-

 

Data related to ‘criminal convictions and offences’

The data being processed contains sensitive data which fall(s) under Article 11 'criminal convictions and offences'

N/A

 

Comments

Comments/additional information on data subjects and data categories

-

 

4. Retention period

 

Data categories and their individual retention periods

The administrative time limit(s) for keeping the personal data per data category

  1. Data category

      Financial documents

      Retention period

      7 years

      Start date description

      -

      End date description

      -

  2. Data category

      Electronic documents

      Retention period

      7 years

      Start date description

      -

      End date description

      -

 

Comments

Comments/additional information on the data retention periods

The Privacy statement is accessible to every data subject on the AGM page. The Commission meeting assistant / organiser assesses the arguments of the data subject as soon as the DG staff organising the meeting receives a request for rectification/blocking/erasure of data for legitimate reasons. The request will be handled within 15 working days after the reception of the request.

 

5. Recipients

 

Origin of the recipients of the data

The origin of the data recipients

  • Within the EU organisation

    A description of the indicated recipients of the data

          All EC Services

  • Outside the EU organisation

    A description of the indicated recipients of the data

          Agencies staff being involved in management of meetings and expense claim reimbursements in AGM

          Correspondents in external organization

 

Categories of the data recipients

The categories (one or more) of the data recipients

  • A natural or legal person
  • Public authority
  • Agency

Description of the indicated category(ies) of data recipients

All EC Services & Agencies staff being involved in management of meetings and expense claim reimbursements in AGM.

Staff of National authorities/bodies (Ministries, Offices…) acting as correspondents in AGM

Who has access to which parts of the data

EU staff assigned to execute tasks in the system based on the need to know principle.

 

Comments

Comments/additional information on data recipients

Access to your personal data is provided to the Commission staff responsible for carrying out this processing operation and authorised for this staff according to the ‘need to know’ principle. Such staff abide by statutory, and when required, additional confidentiality agreements.

This includes:

  • For the purpose of organising the meeting, in particular sending the invitations, organisations must provide the first name, surname and email address of government experts attending the meeting on their behalf.
  • These data can also be seen by the staff of the Directorate-General responsible for organising the meeting, and by the staff in charge of reimbursement.
  • Participants, when attending a meeting with other participants in the same delegation, can see the first name(s), surname and email address of each of them. The indicator showing which of the participants will be reimbursed can be seen by all the participants in a delegation.
  • Correspondents for a delegation can see the status of a reimbursement request by participants in their delegation. The amount reimbursed is not visible.
  • Users in the services can access the personal data of the participants and contact persons in public organisations solely for the meetings for which these same users are responsible.
  • Users in the services have access to information on transport and hotel expenses and also bank information for the purpose of reimbursement of travel expenses/allowances.
  • The European Commission’s technical staff or the IT service provider has access to the system data for the purpose of resolving any technical issues.
  • Line managers, authorising officers by delegation and/or subdelegation.
  • Investigation and control bodies also receive data: IAS, IAC, OLAF, IDOC.

 

Outside the organisation, your personal data are (or may be) transferred to:

- the Court of Auditors, the European Ombudsman and the EDPS

 

6. International data transfers

 

Transfer outside of the EU or EEA

Data is transferred to countries outside the EU or EEA

N/A

 

Transfer to international organisation(s)

Data is transferred to international organisation(s)

N/A

 

Comments

Comments/additional information on international data transfers

The system does not foresee any transfers of personal data to countries outside of the EU/EEA.

Specific expert groups will include experts from outside the EU/EEA who will be able to see the meeting documentation. It is the responsibility of the meeting organiser to adjust meeting documentation to Regulation (EU) 2018/1725.

 

7. Information to data subjects on their rights

 

Privacy statement

Rights of the data subjects

The processing should respect the following rights of data subjects

  • Article 17 - Right of access by the data subject
  • Article 18 - Right to rectification
  • Article 19 - Right to erasure (right to be forgotten)
  • Article 20 - Right to restriction of processing
  • Article 21 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Article 22 - Right to data portability
  • Article 23 - Right to object
  • Article 24 - Rights related to Automated individual decision making, including profiling

The data subjects are informed about their rights and how to exercise them in the form of a privacy statement attached to this record

Yes

Publication of the privacy statement

  • Published on website

    The link of the website where the privacy statement is published

          https://ec.europa.eu/tools/agm/legal-notice_en

Guidance for Data subjects which explains how and where to consult the privacy statement is available and will be provided at the beginning of the processing operation

Yes

An explanation of the guidance on how and where to consult the privacy statement

-    The Data Controller

If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller, PMO_MAIL_05[at]ec[dot]europa[dot]eu.

-    The Data Protection Officer (DPO) of the Commission

You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER[at]ec[dot]europa[dot]eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.

-    The European Data Protection Supervisor (EDPS)

You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor (edps[at]edps[dot]europa[dot]eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.

Where to find more information

The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission which have been documented and notified to him. You may access the register via the following link:

http://ec.europa.eu/dpo-register

This specific processing operation has been included in the DPO’s public register with the following Record reference:

DPR-EC-01141.1

 

 

The privacy statement(s)

 

Comments

Comments/additional information on information to data subjects on their rights

-

 

8. Security measures

 

Short summary of overall Technical and Organisational measures implemented to ensure Information Security:

User profiles defined for different roles with access based on the need to know principle.

User access with EU login identification.
