Record for processing of personal data
Title: Information system supporting the organization of meetings
Reference: DPR-EC-01141.2
Entity of the Operational Controller: European Commission: Administration and Payment of Individual Entitlements (PMO)
Publication date: 22/10/2021
1. General Information
Data protection record
Record reference
DPR-EC-01141.2
Title of the processing operation
Information system supporting the organization of meetings
Language of the record
English
Corporate record
Corporate - Centralised
Data Protection Officer
Contact details
EC-DPO-INTERNAL[at]ec[dot]europa[dot]eu
Entity of the Operational Controller
Responsible organisational entity
Administration and Payment of Individual Entitlements (PMO)
Contact Details
PMO-DATA-PROTECTION-COORDINATOR[at]ec[dot]europa[dot]eu
Joint controllership
Joint controllership is involved
N/A
Processors
Processors are involved in the processing
Yes
- Names and contact details of processor
The main processors are Commission staff and European Union staff for EPDS and agencies. In order to develop, test and support the system the European Commission might have recourse to the services of external companies as processors. In the case of individuals, the contracts will be finalised in accordance with DIGIT framework contracts. The production environment will be hosted by DIGIT.
2. Purpose and description of the processing
Purpose
Description of the purpose of the processing
Organising meetings and managing reimbursement of expenses incurred by participants invited by the European Commission.
Processing for further purposes
The purpose(s) for further processing
N/A
Modes of processing
The mode of processing
- Any other mode:
AGM (Advanced Gateway to your Meetings) covers most of the processes involved in organising a meeting:
- through a Front Office where the experts (external persons) manage the invitations to meetings (including user consent to data processing) and encode their expenses claims for costs incurred when attending a meeting organised by the DGs/agencies. The Front Office is also used by correspondents (external users) who settle the list of attendants to meetings.
- through a Back Office managed by the service organising the meeting and all the practical arrangements for the meeting (invitation and registration of participants);
- and through a Back Office managed by the PMO for the validation of participants’ bank accounts and legal entities, before reimbursement of the expenses incurred by them.
Description/additional information regarding the modes of processing
The purpose of the data processing is twofold:
- Collection and use of personal data in order to organise and manage meetings with or without outside participants.
- Reimbursement of participants invited to meetings pursuant to Commission Decision C(2007) 5858 of 5 December 2007 – Rules on the reimbursement of expenses incurred by people from outside the Commission invited to attend meetings in an expert capacity (C(2007)5858).
Storage medium
The medium of storage (one or more)
- Electronic
- Others:
-
Description/additional information regarding the storage medium
European Commission Data centres
Comments
Comments/additional information on the data processing
AGM covers most of the processes related to the organisation of a meeting. The system replaced existing manual practices without adding extra data processing operations. It provides additional safeguards for the protection of personal data, as the processing is done using normalized operations rather than, as previously, by the different meeting organisers keeping their own lists. The business processes related to personal data are:
- Creation of the list of correspondents of third parties and/or nominated experts to whom the invitations are sent: only meeting assistants assigned to the organisation of the meeting can update this information.
- Collection of the necessary data (only first name, last name and email address) for access to Commission premises, which are sent to the IT systems of the Security Office of the Commission for access control purposes by security guards (under the responsibility of DG HR.DS - see Notification DPR-EC-0655). The correspondents of a third party enter the mentioned information, which is available only to them and to the meeting assistants assigned to the organisation of the meeting.
- Collection of the personal data for financial and contractual relations to be processed through AGM and to be sent to the IT systems under the responsibility of DG BUDG (see Notification DPR-EC-00301.1).
- Collection of the proof of expenses by the experts for their reimbursement: the experts enter data on the expenses for which they request reimbursement. These data are registered in Ares and are accessible only to the operational and financial agents in charge of verifying and executing the payments.
- Storage of the users' contact information and of the rights to access/not access the different functionalities of the system.
- Where needed, personal data become part of a database (see Notification DPR-EC-00847.1) that facilitates interaction between the EC and its stakeholders in their areas of interest.
3. Data subjects and data categories
Data subjects’ categories
Data subject(s) are
- Internal to the organisation
A description of the data subjects (internal to the organisation)
All Services staff including EC users and the people that will be managing the invitations in external organisations (correspondents).
- External to the organisation
A description of the data subjects (external to the organisation)
All the people invited and participating in a meeting (experts).
Data categories/fields
Description of the categories of data that will be processed
In order to process the data, the Data Controller, PMO.5, collects and processes the following categories of personal data through AGM:
- First name and surname
- Email address
- Unique identifier used by the European Commission’s Authentication Service (EU Login ID)
- Information on the transport expenses of reimbursable participants
- Information on the subsistence expenses of reimbursable participants
- The data in the legal entity form (e.g. ID document, private or professional address of the reimbursable participant, etc.)
- The data in the bank account form of the reimbursable participant (account number, name of account holder and any other information needed to identify the account to which payment is to be made)
- EU Login data
Through AGM it is also possible to process the first name, surname, email address, EU Login and login data of the meeting assistants in charge of organisation and the Commission’s financial officers responsible for making the reimbursements.
There is no reference in the personal data to ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual orientation.
The processing operation concerns any 'special categories of data' which fall(s) under Article 10(1), which shall be prohibited unless any of the reasons under Article 10(2) applies
N/A
Description/additional information regarding special categories of personal data
-
Data related to ‘criminal convictions and offences’
The data being processed contains sensitive data which fall(s) under Article 11 'criminal convictions and offences'
N/A
Comments
Comments/additional information on data subjects and data categories
-
4. Retention period
Data categories and their individual retention periods
The administrative time limit(s) for keeping the personal data per data category
1. Data category
Financial documents
Retention period
7 years
Start date description
-
End date description
-
2. Data category
Electronic documents
Retention period
7 years
Start date description
-
End date description
-
Comments
Comments/additional information on the data retention periods
The Privacy statement is accessible to every data subject on the AGM page. The Commission meeting assistant / organiser assesses the arguments of the data subject as soon as the DG staff organising the meeting receives a request for rectification/blocking/erasure of data for legitimate reasons. The request will be handled within 15 working days after the reception of the request.
5. Recipients
Origin of the recipients of the data
The origin of the data recipients
- Within the EU organisation
A description of the indicated recipients of the data
All EC Services
- Outside the EU organisation
A description of the indicated recipients of the data
Agencies staff being involved in management of meetings and expense claim reimbursements in AGM
Correspondents in external organization
Categories of the data recipients
The categories (one or more) of the data recipients
- A natural or legal person
- Public authority
- Agency
Description of the indicated category(ies) of data recipients
All EC Services & Agencies staff being involved in management of meetings and expense claim reimbursements in AGM.
Staff of National authorities/bodies (Ministries, Offices…) acting as correspondents in AGM
Who has access to which parts of the data
EU staff assigned to execute tasks in the system based on the need to know principle.
Comments
Comments/additional information on data recipients
Access to your personal data is provided to the Commission staff responsible for carrying out this processing operation and to authorised staff according to the ‘need to know’ principle. Such staff abide by statutory, and when required, additional confidentiality agreements.
This includes:
- For the purpose of organising the meeting, in particular sending the invitations, organisations must provide the first name, surname and email address of government experts attending the meeting on their behalf.
- These data can also be seen by the staff of the Directorate-General responsible for organising the meeting, and by the staff in charge of reimbursement.
- Participants, when attending a meeting with other participants in the same delegation, can see the first name(s), surname and email address of each of them. The indicator showing which of the participants will be reimbursed can be seen by all the participants in a delegation.
- Correspondents for a delegation can see the status of a reimbursement request by participants in their delegation. The amount reimbursed is not visible.
- Users in the services can access the personal data of the participants and contact persons in public organisations solely for the meetings for which these same users are responsible.
- Users in the services have access to information on transport and hotel expenses and also bank information for the purpose of reimbursement of travel expenses/allowances.
- The European Commission’s technical staff or the IT service provider has access to the system data for the purpose of resolving any technical issues.
- Line managers, authorising officers by delegation and/or subdelegation.
- Investigation and control bodies also receive data: IAS, IAC, OLAF, IDOC.
Outside the organisation, your personal data are (or may be) transferred to:
- the Court of Auditors, the European Ombudsman and the EDPS.
6. International data transfers
Transfer outside of the EU or EEA
Data is transferred to countries outside the EU or EEA
N/A
Transfer to international organisation(s)
Data is transferred to international organisation(s)
N/A
Comments
Comments/additional information on international data transfers
The system does not foresee any transfers of personal data to countries outside of the EU/EEA.
Specific expert groups will include experts from outside the EU/EEA who will be able to see the meeting documentation. It is the responsibility of the meeting organiser to adjust meeting documentation to Regulation (EU) 2018/1725.
7. Information to data subjects on their rights
Privacy statement
Rights of the data subjects
The processing should respect the following rights of data subjects
- Article 17 - Right of access by the data subject
- Article 18 - Right to rectification
- Article 19 - Right to erasure (right to be forgotten)
- Article 20 - Right to restriction of processing
- Article 21 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
- Article 22 - Right to data portability
- Article 23 - Right to object
- Article 24 - Rights related to Automated individual decision making, including profiling
The data subjects are informed about their rights and how to exercise them in the form of a privacy statement attached to this record
Yes
Publication of the privacy statement
- Published on website
The link of the website where the privacy statement is published
https://ec.europa.eu/tools/agm/legal-notice_en
Guidance for Data subjects which explains how and where to consult the privacy statement is available and will be provided at the beginning of the processing operation
Yes
An explanation of the guidance on how and where to consult the privacy statement
- The Data Controller
If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller, PMO_MAIL_05[at]ec[dot]europa[dot]eu.
- The Data Protection Officer (DPO) of the Commission
You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER[at]ec[dot]europa[dot]eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.
- The European Data Protection Supervisor (EDPS)
You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor (edps[at]edps[dot]europa[dot]eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.
Where to find more information
The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission which have been documented and notified to him. You may access the register via the following link:
http://ec.europa.eu/dpo-register
This specific processing operation has been included in the DPO’s public register with the following Record reference:
DPR-EC-01141.1
The privacy statement(s)
Comments
Comments/additional information on information to data subjects on their rights
-
8. Security measures
Short summary of overall Technical and Organisational measures implemented to ensure Information Security:
User profiles defined for different roles with access based on the need to know principle.
User access with EU login identification.