European Data Protection Supervisor
European Data Protection Supervisor

Data Protection Notice

Data Protection Notice

One of your rights under EU law is that you must be informed when your personal data - also known as personal information - is processed (collected, used, stored) by any organisation including one of the EU institutions. You also have the right to know the details and purpose of that processing.

Here we provide you with some general information. Specific information about the processing associated with this website is contained in our Register.

The EDPS website is our most important communication tool. Here we communicate our work such as our Opinions, data protection news and information about data protection rights to the general public as well as our more expert audiences.

Some of the services offered on our website require the processing of your personal data. In such cases, links are available on those pages directing you to the specific information about the processing contained in the relevant data protection notices in our Register.

Here we give you a general overview of some of the ways this website processes your personal data including the use of cookies and social media.


Your personal data and our website

  • The EDPS collects your personal information only to the extent necessary to fulfil a precise purpose related to our tasks as an institution (which are laid down in Regulation 45/2001;
  • We do not reuse the information for another purpose that is different to the one stated;
  • We put in place measures to guarantee that your data are kept up-to-date and processed securely;
  • Under certain conditions outlined in law, we may disclose your information to third parties, (such as the European Anti-Fraud Office, the Court of Auditors, or law enforcement authorities) if it is necessary and proportionate for lawful, specific purposes;
  • We will never divulge your personal data for direct marketing purposes;
  • You have the right to access your personal information, to have it corrected and the right to recourse; at any time if you believe your data protection rights have been breached;
  • We do not keep your personal information for longer than necessary for the purposes for which we collected it;
  •  However, we may keep your information for a longer period for historical, statistical or scientific purposes with the appropriate safeguards in place.

Visit the Data Protection Officer at the EDPS page on this website for more information on your rights.



Cookies are short text files stored on a user’s device (such as a computer, tablet or phone) by a website. 

Cookies are used for the technical functioning of a website or for gathering statistics.

Cookies are also typically used to provide a more personalised experience for a user for example, when an online service remembers your user profile without you having to login.

When you visit our website, we may collect some data on your browsing experience such as your IP address, the EDPS page you visited, when you visited and the website page you were redirected from.

This information is used to gather aggregated and anonymous statistics with a view to improving our services and to enhance your user experience.

When you visit the EDPS website, we will keep the browser history of your visit for a maximum of 13 months. This information will then be deleted.

The collection, aggregation and anonymising operations are performed in the data centre of the European Commission under adequate security measures.

Should you wish to opt your data out of our anonymised, aggregated statistics, you can do so on our cookies page.

Visit our cookies page for more information about the types of cookies this website uses.


Social Media

We use social media to present our work through widely used and contemporary channels.

Our use of social media is highlighted on this website.

For instance, you can watch EDPS videos, which we upload to our YouTube page and follow links from our website to Twitter and LinkedIn.

Cookies are not set by our display of social media buttons to connect to those services when our website pages are loaded on your computer (or other devices) or from components from those services embedded in our web pages.

Each social media channel has their own policy on the way they process your personal data when you access their sites. For example, if you choose to watch one of our videos on YouTube, you will be asked for explicit consent to accept YouTube cookies; if you look at our Twitter activity on Twitter, you will be asked for explicit consent to accept Twitter cookies; the same applies for LinkedIn.

If you have any concerns or questions about their use of your personal data, you should read their privacy policies carefully before using them.



The EDPS mobile app does not collect any of your personal information.  We only use the IP address to count how many people have used the app and we will not use it in any other way.

Please note that the only means to download the app is to use the Google Play store or the Apple store. They collect personal data according to the privacy policies on their websites. The EDPS does not endorse or take responsibility for their processing of your personal information.

If you need further information or you wish to exercise your rights as a data subject under EU data protection rules (Regulation EC 45/2001) you can contact us using our contact form.


Complaint handling by the EDPS


What is the purpose of the processing?

To investigate complaints submitted to the EDPS in line with Regulation (EC) No 45/2001 (OJ L 8/1, 12.01.2001, the Regulation). Complaints against Europol will be investigated in line with Regulation (EU) 2016/794. We will only use your personal data for the investigation of the complaint submitted.


Which kinds of personal data does the EDPS process?

We process the personal data submitted by complainants as well as data submitted by the accused EU institution, body or agency. This will include names, contact details as well as the content of the allegations (insofar as the latter qualify as personal data).


Who may receive my personal data?

Within the EDPS, the case file containing your personal data is accessible to relevant members of EDPS staff. All access to case files is logged.

Please note that it will be necessary to inform the institution against which you have complained about the nature of the complaint and in most cases, who lodged it, so they may receive some personal data from us where necessary.

Your data may be transferred to third parties, including national supervisory authorities, only where necessary to ensure the appropriate investigation or follow up of your complaint.

Any summary that is made public of this or other cases or other communication outside the parties of the procedure will be anonymised.


What are my rights?

You are entitled to access the personal data the EDPS holds about you and to have them rectified where necessary. In certain cases, you also have the right to have your data blocked or erased or to object to their processing. For more information, please see Articles 13 to 19 of the Regulation.

To exercise any of these rights, please contact us using our contact form. We will reply within three months. Please note that in some cases restrictions under Article 20 of the Regulation may apply.


How long does the EDPS keep my data?

We keep the case file of our investigation - including your personal data - for up to ten years after the closure of the case. For complaints judged to be inadmissible, we keep the case file for up to five years after closure. This is without prejudice to possible longer conservation for the purpose of ongoing legal proceedings linked to the complaint.


What is the legal basis for processing of my personal data?

The EDPS' tasks to hear and investigate complaints are set out in Regulation (EC) No 45/2001, specifically in Articles 32(2) (complaints by data subjects), 33 (complaints by Union staff), 46(a) (duty to hear complaints), 47 (investigation powers), 30 and 31 (obligation for controllers to cooperate and to react to allegations). For complaints against Europol in its core business activities, the applicable provisions are Articles 43(2)(a) (duty to hear complaints), 43(4) (investigation powers) and 47 (right to complain) of Regulation (EU) 2016/794. The processing is necessary for the EDPS to fulfil the tasks attributed to it by Union legislation (Article 5(a) of the Regulation).


Who can I contact?

The controller for this processing operation is the EDPS. Please mention the case number of your complaint. You can contact us as follows:

Complaints form
Postal address: European Data Protection Supervisor - Rue Wiertz 60, B-1047 Brussels

You can also contact the DPO of the EDPS:

More information

EDPS DPO Register



The EDPS has produced a mobile app to enhance public access to the most relevant Data Protection Reform texts. Our goal is to keep this information as complete and accurate as possible. However EDPS cannot guarantee that the App will work as expected in all circumstances and on all platforms.  If errors or incompatibilities are brought to our attention, we will make the necessary corrections without delay.

The EDPS Twitter account is managed by the EDPS Information and Communication Sector and is used for information purposes only.

 The EDPS follows some Twitter users. However, being followed by the EDPS does not imply endorsement of any kind. The EDPS reserves the right to not reply individually to messages or comments received on Twitter.

 The use of Twitter by the EDPS, including the Twitter hyperlink, does not in any way imply endorsement of Twitter and/or its Privacy Policy. Twitter may occasionally be unavailable and the EDPS accepts no responsibility for lack of service due to Twitter downtime.

 The EDPS recommends that users read the Twitter Privacy Policy ( This explains Twitter's policy of data collection and processing, the use of data by Twitter and includes a list of users' rights and the ways in which they can protect their privacy when using Twitter.