Since 11 December 2018, the processing of an individual’s personal data by the EU institutions has been governed by Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018. This regulation follows the same principles and rules as those established in the General Data Protection Regulation.
The information that follows is based on Articles 15 and 16 of Regulation (EU) 2018/1725.
Why do we process your data?
Together.eu is a collaborative online platform that aims to encourage citizens and organisations to participate in democracy.
The platform is owned by the European Union, represented by the European Parliament, and has been developed in order to empower citizens and organisations to play an active role in creating a brighter future in the EU. It allows citizens and organisations to interact with the together.eu community and to share actions, activities and experiences through multimedia content such as audio clips, videos, images and text. Users can also share stories and personal testimonies, record actions and events, suggest and organise events for the rest of the community, and contribute promotional material to support Parliament´s communications.
The collection and further processing of your personal data is necessary to manage the together.eu platform and the following corresponding functionalities:
facilitating the registration procedure and access to the together.eu platform;
providing relevant information to participants about events and facilitating participation in activities organised by Parliament and the community;
communications such as emails, newsletters and invitations (this entails the management of email contact lists), which may involve profiling in order to send you information pertinent to your interests; the decision to send you information is automatically linked to the preferences set by the user; this is valid for all registered users;
submitting, sharing and moderating contributions by registered users;
participation in competitions organised by Parliament;
statistical and analytical purposes;
secure functioning and maintenance of the together.eu platform;
promoting Parliament’s activities.
Anonymised surveys can be conducted in order to assess the performance and activities organised by Parliament. In these surveys, only aggregated and anonymised data is collected.
What is the legal basis for the processing of your personal data?
Article 5(1)(d) of Regulation (EU) 2018/1725, which stipulates that the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
For online competitions, Article 5(1)(c) of Regulation (EU) 2018/1725 shall apply, which states that the processing of personal data is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
In addition, the processing of data is based on the Decision of the Bureau of the European Parliament of 17 June 2019 as described in the minutes of the ordinary meeting of the Bureau of 17 June 2019, where Members of the European Parliament emphasised the importance of maintaining, also after the elections, the established network of private and public partners, and expressed the view that communication about the European Parliament to the citizens must be an ongoing undertaking, not an isolated effort taking place once every five years before the elections. Your personal information is treated in accordance with the conditions described in Article 5(1)(a) of Regulation (EU) 2018/1725. Tasks related to Parliament’s institutional information and communication campaign are carried out in the public interest and are based on the strategic execution framework of Parliament’s Secretariat-General.
Parliament will process your personal data as necessary for the performance of the aforementioned tasks and, when applicable, only if you have unambiguously consented to the processing. Your personal data will be processed only to the extent necessary to fulfil the purposes for which it was transmitted.
Who is responsible for the processing of your data? (Controller)
Parliament acts as the data controller and your data is processed under the joint responsibility of the Directorate for Liaison Offices and Directorate for Campaigns of the Directorate-General for Communication of the European Parliament, represented by the Director for Liaison Offices and the Director for Campaigns.
For more information, you can contact the controllers at firstname.lastname@example.org.
What personal data do we process?
The information collected depends on the type of user.
For the basic visitor, only their IP address can be processed for security reasons. This information is kept for 10 days.
Registered and contributing users
The following information is required to create an account on the platform:
Name and surname;
Region and country of residence;
Contact details (e.g. email address);
Parliament also keeps track of the opening rates of emails and other rates (i.e. click-through rate and bounce rate) for statistical and reporting purposes.
Contact details (e.g. phone number, address, etc.);
Social media links, e.g. Facebook, Twitter account;
Future communication preferences, including subscription preferences and topics of interest that you have chosen to receive more information about;
The number of users recruited by other users through the platform for statistical and reporting purposes;
Your image (photos and videos) collected during events.
In some circumstances, citizens will be able to voluntarily share information with the community by submitting testimonials, audiovisual material and events. In these cases, additional consent will be obtained. This consent will be valid only for one specific testimonial or audiovisual material that will be shared on the website. A representative of a registered organisation may also provide information on the organisation in terms of public information and potential campaigns organised. This suggested content proposed by users will first be validated by the team in order to check that it respects the terms and conditions and the code of conduct of the website.
When online competitions are organised on social media or other channels through this platform, additional steps may be involved that require the processing of additional personal data (passport information and/or bank account). The data subject will be clearly informed with specific terms and conditions.
In addition to the data collected as a registered user, the representative of a registered organisation can be asked to provide the following additional information:
Job position and field of work within the organisation for the users who sign up as representatives of an organisation.
Working email address.
Who has access to your personal data and to whom is it disclosed?
Access to your personal data is provided to the authorised Parliament staff members and contractors responsible for carrying out this processing operation according to the ‘need-to-know’ principle. These employees abide by statutory, and when required, additional confidentiality agreements.
Mandated staff of Parliament services involved in the together.eu project have access to personal data collected via a dedicated admin interface platform for the purpose of operating the project as well as for follow-up action that might be necessary for further processing purposes (e.g. data subject request). It is important to note, however, that the data is only accessible on a ‘need-to-know’ basis, specifically:
Parliament’s IT team has access to data that is strictly necessary to provide appropriate technical and logistical support (e.g. helpdesk, management of access rights, maintenance of the platform);
Administrators will have access to all personal data provided during registration.
Parliament does not transmit any data to third parties outside these recipients. It does not share personal data with third parties for direct marketing.
Only if requested by law, or in case of an audit or judicial procedures, could your data be transferred to the competent authorities (European Court of Auditors, Court of Justice of the European Union, European Data Protection Supervisor or European Anti-Fraud Office).
This platform may contain links to other websites. Since Parliament has no control over such sites, we invite you to review these websites’ own privacy policies.
How long is your personal data stored?
The retention period will depend on the data and the profile of the data subject.
Visitors who do not have an account and just browse the website will have their IP address collected for security purposes. After 10 days, the logs containing this data will be deleted.
Registered users, contributors and organisations
As it is essential for Parliament to maintain constant communication with citizens in the long term, no end date has been set for the data collected for these profiles.
The following measures have been put in place in order to strengthen control over your data:
We will periodically, after every European election, remind all members of the community (i.e. all data subjects) of the possibility to withdraw their consent and ask for the removal of their data at any time;
In every email communication, you will find a disclaimer explaining how you can remove your data from the system and/or unsubscribe from our email communications;
In the context of registration, if an account is not properly validated within 15 days, all the data collected for this account will be deleted.
The information is kept as long as the user needs to have access to the administration interface.
Photos and videos taken with the data subject’s consent during an event will be keep for a duration of one year.
In the context of a specific competition, if any additional data is collected, the data subject will be informed about the retention date.
Will your personal data be shared with a non-EU country or organisation?
Parliament will not share your personal data with a non-EU country or organisation.
Parliament is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorised access, use or disclosure. The together.eu platform is hosted in a cloud service supported by Amazon Web Services (AWS). AWS is contracted by Parliament under an interinstitutional restricted procedure, which includes different data protection clauses in order to ensure compliance with Regulation (EU) 2018/1725.
Under these contractual provisions, the cloud services are to be performed exclusively in the EU. Services offered by the contractor that might require the transfer of data outside the European Economic Area are not required and are not used for the purpose of together.eu.
In addition, and despite the fact that the servers used for storage are located in the EU, the encryption of the data stored in the cloud servers is guaranteed by Parliament’s own implementation of data sharing.
What are your rights when we process your personal data and how can you exercise them?
You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725. As regards this processing operation, you can exercise the following rights:
the right to access your personal data;
the right to rectify your personal data if it is inaccurate or incomplete;
the right to erase your personal data;
where applicable, the right to restrict the processing of your personal data;
the right to data portability;
the right to object to the processing of your personal data lawfully carried out pursuant to Article 5(1)(a);
if you have provided your consent for the present processing operation, the right to withdraw it at any time by notifying the Data Controller, without affecting the lawfulness of processing based on consent before its withdrawal.
Data subjects who wish to exercise their rights under Regulation (EU) 2018/1725 can send an email to email@example.com or send a request via their personal area on the website. The request will be sent to firstname.lastname@example.org, and will be handled via a ticketing system integrated in the software solution. A central team will handle these requests and keep track of all related actions.
Who should you contact if you have a query or complaint?
Your first point of contact is email@example.com.
You may contact, at any time, Parliament’s Data Protection Officer (Data-Protection@europarl.europa.eu) if you have any concerns/complaints about the processing of your personal data.
Parliament’s Data Protection Officer ensures the internal application of Regulation (EU) 2018/1725. The address of the Data Protection Officer is as follows:
Data Protection Officer
2, rue Alcide De Gasperi
You have the right to lodge a complaint with the European Data Protection Supervisor (firstname.lastname@example.org) at any time concerning the processing of your personal data.
The European Data Protection Supervisor acts as an independent supervisory authority and ensures that all EU institutions and bodies respect people's right to privacy when processing their personal data.
 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
 Decision of the Bureau of the European Parliament of 17 June 2019 on the implementing rules relating to Regulation (EU) 2018/1725 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by the Union Institutions, Bodies, Offices and Agencies and on the free movement of such data.