Data Protection Notice for Big Buyers Working Together Annual Event 2024, Maison de la Poste, Rue Picard 7, 1000, Brussles, 24 April 2024
Your personal data is processed in accordance with Regulation (EU) No 2018/172511 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.
The data controller of the processing operation is Head of Unit I.02 of the European Innovation Council and SMEs Executive Agency (EISMEA).
The following entity/ies process your personal data on our behalf:
The contractor: EUROCITIES ASBL,Square de Meeus 1, 1000 Brussels, Belgium (enterprise number 447.820.987); ICLEI European Secretariat GmbH, Leopoldring 3, 79098 Freiburg, Germany (Statutory registration number: HRB 4188) and BMEnet GmbH, Frankfurter Straße 27, D-6576 Eschborn, Germany (Register: HRB 53643) acting as processors on behalf of the Agency.
Approved third-party authorized, Idloom, which does not process or transfer Customer’s personal data or have these processed by third parties, outside the European Union, in line with idloom Data Processing Agreement, available at: https://www.idloom.com/en/dpa.
The legal basis for the processing activities is/are:
- Article 5(1)(a) of Regulation (EU) 2018/1725 because processing is necessary for the performance of a task carried out in the public interest (or in the exercise of official authority vested in the Union institution or body)2 [or necessary for the management and functioning of the Union institution and body] laid down in Union law;
- Article 5(1)(d) of Regulation (EU) 2018/1725 based on your explicit prior consent for your non-mandatory personal data indicated below.
The purpose(s) of this processing is/are to register and manage participation of members of Big Buyers Working Together Communities of Practices and general public to the in-person event organised in the context of the Big Buyers Working Together project; collect data from registered participants to provide practical information about the event, including the agenda, reminders and follow-up e-mails and resources.
The following of your personal data are collected: first name, last name, title, e-mail, job title, country of residence, city of residence, phone number. All personal data are mandatory for the purpose(s) outlined above.
In addition, the following non-mandatory personal data are collected: photos, web-streaming, videos that will be collected during the event and might be used for related communication purposes and can only be processed based on your explicit prior consent.
Please note that the event will be (partly) web-streamed and it is possible that you will be recorded. It is also possible that photographs of you will be taken during the event and might be used for related communication purposes4. Upon registration, you can give your explicit consent to have your image/voice recorded and published on related communication channels. In the absence of your consent, the organiser will try to find suitable alternatives, so that you can fully take part in the event, e.g. by offering an alternative room to follow the event.
The recipients of your personal data will or may be authorised staff of the Agency and Commission, or Commission contractors and bodies in charge of monitoring or inspection tasks in application of Union or national law (e.g. internal audits, Court of Auditors, European Anti-fraud Office (OLAF), European Public Prosecutor’s Office (EPPO), law enforcement bodies).
Your personal data will not be transferred to third countries or international organisations.
The processing of your data will not include automated decision-making (such as profiling).
The following technical and organisational security measures are in place to safeguard the processing of your personal data: Personal data are processed on a need-to-know basis by authorised staff only, with limited access rights; files are stored on secured Servers subject to the European Commission's security Decision 2017/46 of 10 January 2017. Electronic communication and files are secured for internal communication purposes.
The contractors are bound by a specific contractual clause for any processing operations of your data on behalf of the Agency or the Commission, and by the confidentiality obligations deriving from the General Data Protection Regulation in the EU Member States (‘GDPR’ Regulation (EU) 2016/679).
Your personal data will be kept for a maximum period of 5 years from the end of the implementation of the tasks within the service contract (end foreseen for 2026). Data will be deleted at the end of this period.
You have the right to access your personal data and to request your personal data to be rectified, if the data is inaccurate or incomplete; where applicable, you have the right to request restriction or to object to processing, to request a copy or erasure of your personal data held by the data controller. If processing is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing based on your consent before its withdrawal.
Your request to exercise one of the above rights will be dealt with without undue delay and within one month.
Your right to information, access, rectification, erasure, restriction or objection to processing, communication of a personal data breach or confidentiality of electronic communications may be restricted only under certain specific conditions as set out in the applicable Restriction Decision in accordance with Article 25 of Regulation (EU) 2018/1725.
If you have any queries concerning the processing of your personal data, you may address them to EISMEA Head of Unit I.02 (entity acting as data controller) via EISMEA-SMP-COSME-ENQUIRIES@ec.europa.eu.
You shall have the right of recourse at any time to the EISMEA Data Protection Officer at EISMEA-DPO@ec.europa.eu and to the European Data Protection Supervisor at https://edps.europa.eu.
Footnotes
2 EISMEA Establishment Act: Commission Implementing Decision (EU) 2021/173 of 12 February 2021 establishing the European Climate, Infrastructure and Environment Executive Agency, the European Health and Digital Executive Agency, the European Research Executive Agency, the European Innovation Council and SMEs Executive Agency, the European Research Council Executive Agency, and the European Education and Culture Executive Agency and repealing Implementing Decisions 2013/801/EU, 2013/771/EU, 2013/778/EU, 2013/779/EU, 2013/776/EU and 2013/770/EU (OJ L 50/9 of 15.2.2021)