Table of Contents
- Introduction
- Why do we process your data?
- Which data do we collect and process?
- How long do we keep your data?
- How do we protect your data?
- Who has access to your data and to whom is it disclosed?
- What are your rights and how can you exercise them?
- Contact information
- Where to find more detailed information
1. Introduction
This privacy statement explains the reason for the processing, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you may exercise in relation to your data (right of access, right to rectification, right to object, right to erasure (‘right to be forgotten’), right to restriction of processing, right to data portability, the data subject shall have the right not to be subject to a decision based solely on automated processing, in the terms established in articles 15 to 22 of the GDPR).
The European institutions are committed to protecting and respecting your privacy. As this service/application collects and further processes your personal data, Regulation (EU) 2018/1725[1] of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, is applicable.
ECC-Net aims to promote consumer confidence by advising citizens on their rights as consumers and providing easy access to redress, in cases where the consumer has purchased something in another country to his/her own (cross-border). ECCs provide consumers with a wide range of services, from providing information on their rights to giving advice and assistance to their cross- border complaints and informing about the available resolution of disputes. They also advise on out-of- court-settlement procedures (ADR) for consumers throughout Europe and provide consumers with easy and informed access to such procedures, when an agreement could not be reached directly with the trader and where an applicable ADR is available.
To enable ECC-Net to provide the above mentioned services to the citizens, an IT Tool, ECC-Net 2, is used to collect and handle complaints and the necessary data including your personal data. The IT tool is operated by the European Commission.
The collection and processing of the above personal data through ECC-Net 2 follows the provisions of Regulation (EU) 2018/1725 [1]of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by Community institutions and bodies and on the free movement of such data and more specifically article 5, Paragraph (a and b).
2. Why do we process your data?
Purpose of the processing operation: Head of Unit E.3: Consumer Enforcement and Redress, Directorate-General for Justice and Consumers, European Commission (referred to hereafter as Data Controller) collects and uses your personal information to assist the work of the European Consumer Centres.
The aim of the European Consumer Centres’ Network (ECC-Net) is to provide consumers with information and advice on their rights, and assist them with the handling of their cross-border complaints and disputes within the EU/EEA, so that consumers can take full advantage of the internal market.
In order to fulfil their role, ECC-Net 2 is used by the ECCs to process relevant data, insofar and as long as necessary, for one or more of the following purposes:
- to enable communication between the ECC and the consumer
- to facilitate the assessment of a request
- to attempt resolving complaints or disputes, whether directly with the trader complained about, or through an ADR entity
- to enable consumers to follow up the status of their requests
- to provide anonymised statistics, including on suspected infringements
- Further information on ECC-Net can be found on https://ec.europa.eu/info/live-work-travel-eu/consumers/resolve-your-consumer-complaint/european-consumer-centres-network_en
ECC-Net 2 falls under the following legal basis / lawfulness:
Regulation (EU) No 254/2014 of the European Parliament and of the Council of 26 February 2014 on a multi-annual consumer programme for years 2014-20 and repealing Decision No 1926/2006/EC and, more specifically, articles 2 and 3(1)(c) and (d) of this Regulation.
Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market and, in particular, article 21.
Directive 2013/11/EU of the European Parliament and of the Council of 21 May 2013 on alternative dispute resolution for consumer disputes and amending Regulation (EC) No 2006/2004 and Directive 2009/22/EC (Directive on consumer ADR) and, more specifically, article 14 of the Directive.
Regulation (EU) 2017/2394 of the European Parliament and of the Council of 12 December 2017 on cooperation between national authorities responsible for the enforcement of consumer protection laws and repealing Regulation (EC) No 2006/2004 and, in particular, article 27(1).
Regulation (EU) 2018/1725 [1]of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
Having regard to Regulation (EC) 1028/1725 [1]the data processing is considered lawful because it is necessary to meet the requirements of the legal instruments mentioned above, and to ensure compliance of the Commission with its legal obligations.
3. Which data do we collect and process?
We collect data about the following type of users:
- Consumers in the European Union, Norway and Iceland who approach ECCs for information and assistance (Consumers);
- Contact persons for the traders in the European Union, Norway and Iceland involved in consumer complaints or disputes (Trader representatives);
- Contact persons in ADR entities (ADR representatives);
The personal data collected and further processed are:
a) For Consumers:
(i) The data processed are:
- Name of the consumer/reporter;
- Address;
- Post code;
- Country of residence;
- Telephone;
- E-mail;
- Gender;
- Communication language;
- Summary/Description of the request
Further personal data upon explicit consent may be collected if necessary for handling the complaint such as bank details.
b) For Trader representatives:
b) For Trader representatives:
- Name of the trader's representative;
- Professional address;
- Post code;
- Country;
- Professional Telephone;
- Professional email;
c) For ADR representatives:
Data from individual trader's representatives is rarely store in the system but, when processed may include:
- Name of the ADR's representative;
- Professional address;
- Post code;
- Country;
- Professional Telephone;
- Professional email;
4. How long do we keep your data?
Personal data of the consumers, traders' and ADRs' representatives shall be kept as long as a case remains open, and no longer than one year after it has been closed. This is to allow follow-up if there are new developments after the closure of the case. Once the retention period expires, the information is anonymised and only kept for statistical purposes.
5. How do we protect your data?
All data in electronic format (e-mails, documents, uploaded batches of data etc.) are stored either on the servers of the European Commission or of its contractors; the operations of which abide by the European Commission’s security decision of 16 August 2006 [C(2006) 3602] concerning the security of information systems used by the European Commission;
The Commission’s contractors are bound by a specific contractual clause for any processing operations of your data on behalf of the Commission, and by the confidentiality obligations deriving from the transposition of Directive 95/46/CE
6. Who has access to your data and to whom is it disclosed?
To resolve your request it may subsequently be shared, with your express consent, with the ECC where the trader is based or, where appropriate, with relevant bodies such as an ADR or a Enforcement Body.
Shared requests may result in contact with the trader. When such contact is made, your data may be shared too insofar as necessary to resolve the request.
Access to your data is provided to authorised staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements. In regard to ECCNet, the authorised staff are the Case handlers in the European Consumer Centres and the European Commission staff charged with product or business management of ECC-Net2.
Norway and Iceland are EEA/EFTA countries and members of the European Consumer Centres Network. Transfer between ECCs in the EU and the ECCs in Norway or Iceland is therefore considered an Article 8 transfer in the meaning of the Regulation (EU) 2018/1725 [1].
7. What are your rights and how can you exercise them?
According to Regulation (EC) 2018/1725 [1], you are entitled to access your personal data and rectify and/or block it in case the data is inaccurate or incomplete. You can exercise your rights by contacting the European Consumer Centre with which you have been in contact or the data controller, or in case of conflict the Data Protection Officer of the Commission and if necessary the European Data Protection Supervisor using the contact information given at point 8 below.
8. Contact information
]If you have comments or questions, any concerns or a complaint regarding the collection and use of your personal data, please feel free to contact the European Consumer Centre with which you have been in contact or the Data Controller using the following contact information:
- European Consumer Centre Spain
E-mail: cec@consumo.gob.es
Telephone: +34 91 822 45 55
- The Data Controller
Head of Unit E.3: Consumer Enforcement and Redress
Directorate-General for Justice and Consumers
European Commission
e-mail:JUST-E3@ec.europa.eu
Telefax:+32 2 2989432
The Data Protection Officer (DPO) of the Commission: DATA-PROTECTION-OFFICER@ec.europa.eu
The European Data Protection Supervisor (EDPS): edps@edps.europa.eu
9. Where to find more detailed information?
The Data Protection Officer of the Commission publishes the register of all operations processing personal data. You can access the register on the following link: http://ec.europa.eu/dpo-register
This specific processing has been notified to the DPO with the following reference: DPO-1156.5 ECC-Net Case Handling IT tool.