Print

Protecting the personal data of EU producers

22
Jul
2022

Protecting the personal data of EU producers

While supporting the Proposal for a Regulation on geographical indications for wine, spirits, agricultural products, and quality schemes for agricultural products in its Opinion published today, the EDPS recommends that a number of measures related to the processing of personal data are clarified and added.

The Proposal includes measures that aim to help manage more effectively the registration and certification processes for EU Member States’ producers of wine, spirits, agricultural products when they apply for a geographical indication under the EU’s quality scheme, which allows them to protect and certify their product in the EU, to avoid for example the misuse or imitation of their products.

Wojciech Wiewiórowski, EDPS, said: “I welcome the measures envisaged in the Proposal to protect personal data. In particular, I welcome the clarification of the roles and responsibilities of the European Commission and Member States’ authorities with regard to the processing operations laid down in the Proposal. At the same time, further improvements are needed, for example, there is a need to explicitly specify instances of joint controllership in relation to the processing of personal data.”

The Proposal entrusts the task of assessing the application of a wine, spirit or agriculture product - which may include the processing of producers’ personal data, such as their name, address, email - to the EU’s Intellectual Property Office (EUIPO) and the European Commission. The EDPS believes that EUIPO and the European Commission would act as joint controllers in this context, meaning that both institutions may determine jointly the purposes and means of the processing. To this end, the EDPS advises that the European Commission should be empowered to lay down the detailed responsibilities and tasks of the joint controllers in an implementing act, in line with the applicable EU data protection law, Regulation (EU) 2018/1725.

The EDPS also recommends laying down explicitly in the Proposal the categories of personal data that are necessary for the correct management of the procedures of registration, amendment or cancellation of geographical indications and traditional specialities guaranteed, to ensure that the processing of personal data is limited to what is directly relevant and necessary to accomplish the specific objectives of the Proposal.

Furthermore, in its Opinion, the EDPS recommends identifying in the Proposal which categories of personal data should be made publicly available and to clearly define for which purposes. Moreover, a procedure should be envisaged to ensure that only individuals who demonstrate a legitimate interest should have access to additional categories of personal data, such as contact details.

Finally, the EDPS considers that the storage duration of personal data should be further justified or reduced in the Proposal. The timeframe to keep personal data should be limited to what is strictly necessary, writes the EDPS.

Background information

The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.

The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.

Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council on to serve a five-year term, beginning on 6 December 2019.

The legislative consultation powers of the EDPS are laid down in Article 42 of Regulation (EU) 2018/1725, which obliges the European Commission to consult the EDPS on all legislative proposals and international agreements that might have an impact on the processing of personal data. Such an obligation also applies to draft implementing and delegated acts. The statutory deadline for issuing an EDPS opinion is 8 weeks.

Available languages: English