This privacy statement explains the reason for the processing, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you may exercise in relation to your data (the right to access, rectify, block etc.).
The European institutions are committed to protecting and respecting your privacy. As this service/application collects and further processes personal data, Regulation (EC) N°45/2001 (OJ L8 of 12/01/2001), of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, is applicable.
This privacy statement concerns processing of personal data within a research study on the security of email communications at JRC/Directorate E undertaken by the Cyber and Digital Citizens' Security Unit (JRC.E.3). The research project is called My Email Communications Security Assessment (MECSA), a web platform that allows citizens to assess the level of security and privacy in their email communications offered by their providers. The MECSA platform service will be public and it will allow anyone with an email address to test the security and privacy of his/her email communications, receiving as a result a comprehensive report with an overall score and technical details about the findings.
Purpose of the processing operation: the Head of the JRC Cyber and Digital Citizens' Security Unit (referred to hereafter as Data Controller) collects and uses your personal information to provide the service offered by the MECSA platform, namely to research and assess the current level of security and privacy offered by existing email providers.
The following legal documents represent the legal bases for the research and the processing of your data:
The data subjects are the end-users of the MECSA platform.
The personal data collected and further processed are:
The Data Controller only keeps the data for the time necessary to fulfil the purpose of collection or further processing. In particular, email addresses and messages are immediately removed from the database after the analysis requested by the data subject is carried out. Typically, this process takes place in less than 5 minutes. In exceptional cases (for example in case the data subject never replies to the email that is sent to him/her), the email address will remain in the database until it is deleted by an automated process (maximum 24 hours).
IP addresses collected by the web server are kept for a period of a maximum of 6 months.
Responses to data subjects' requests will take place in a maximum of 15 days.
All data in electronic format (e-mails, documents, uploaded batches of data etc.) are stored either on the servers of the European Commission or of its contractors, the operations of which abide by the European Commission's security decision of 16 August 2006 [C(2006) 3602] concerning the security of information systems used by the European Commission.
Email addresses are immediately removed from the database after the analysis is carried out. Typically, this process takes place in less than 5 minutes. In exceptional cases (for example in case the user never replies to the email that is sent to him/her) the email address will remain in the database until it is deleted by an automatic process (maximum 24 hours).
Access to your data, when required, is provided to authorised staff according to the 'need to know' principle. Such staff abide by statutory, and when required, additional confidentiality agreements. Personal data would be accessed only by JRC staff from the Cyber and Digital Citizens’ Security Unit involved in the research (the Data Controller as well as the researchers involved for this deliverable) in a controlled environment, as well as security staff of the European Commission if required (e.g. in case of security incident).
Personal data is only collected and processed to carry out the analysis of the email communications and deleted immediately afterwards.
According to Regulation (EC) n°45/2001, you are entitled to access your personal data and rectify and/or block it in case the data is inaccurate or incomplete. You can exercise your rights by contacting the data controller, or in case of conflict the Data Protection Officer and if necessary the European Data Protection Supervisor using the contact information given at point 8 below.
If you have comments or questions, any concerns or a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller using the following contact information:
The Data Controller:
The Data Protection Officer (DPO) of the Commission: DATA-PROTECTION-OFFICER@ec.europa.eu
The European Data Protection Supervisor (EDPS): firstname.lastname@example.org
The Commission Data Protection Officer publishes the register of all operations processing personal data. You can access the register at the following link: http://ec.europa.eu/dpo-register
This specific processing has been notified to the DPO with the following reference: DPO – 3874.