Data Protection Principles

The legal definition of personal data is very broad. Any information relating to an identified or identifiable person is considered personal data (for a full definition see Article 2.a of Regulation (EC) 45/2001).

The Data Controller is the person who determines how personal data is processed, and is the person that grants rights to the data subject. For each processing operation, a data controller is identified and prior notice must be given to the Data Protection Officer.

The Data Processor is a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller. The best example is the task carried out by eu-LISA for the core systems: Eurodac, SIS II and VIS.

eu-LISA's day-to-day business revolves heavily around personal data. The Agency needs to guarantee that personal data entrusted to us by Member States is processed according to the principles established by each legal framework of the systems we run.

In practice, eu-LISA processes the personal data of different kinds of individuals: persons subject to criminal investigations, witnesses, victims, asylum seekers and visa holders. Further to that, eu-LISA collects several types of data: personal data as well as sensitive data such as biometric information.

eu-LISA also manages the personal data of its own staff.

Ensuring the confidentiality, integrity and availability of the data, as well as implementing data protection principles within eu-LISA's processing operations, strongly influences the successful performance of the Agency. This enables the Agency to foster the trust that Member States and the European Commission place in eu-LISA.

The following data protection principles are applicable to all eu-LISA processing activities that address personal data:

  • lawfulness and fairness: meaning that personal data should be lawfully and fairly processed in accordance with Regulation (EC) 45/2001 and the eu-LISA implementing rules;

  • data minimization: meaning that the collection of personal data must be adequate, relevant and not excessive, following a necessity test;

  • purpose limitation: meaning that personal data should be obtained only for specified purposes and not further processed in a manner incompatible with those purposes;

  • data accuracy: meaning that personal data should be accurate and up-to-date;

  • storage limitation: meaning that personal data should not be kept for longer than necessary to complete the indicated purpose;

  • data retention: meaning that a specific time limit should be defined for retaining personal data;

  • data transfer: meaning that personal data should not be transferred to countries outside the European Union that don't offer adequate protection;

  • accountability: meaning that measures should be implemented and documented in order to guarantee the respect of data protection rules for all processing activities.