Data Protection Principles

‚ÄčThe legal definition of personal data is very broad. Any information relating to an identified or identifiable person is considered personal data (for a full definition see Article 3 (1) of Regulation (EU) 2018/1725).

The Data Controller is the person who determines how personal data is processed, and is the person that grants rights to the data subject. For each processing operation, a data controller is identified and prior notice must be given to the Data Protection Officer.

The Data Processor is a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller. The best example is the task carried by eu-LISA towards the core systems: Eurodac, SIS II and VIS.

eu-LISA's day-to-day business revolves heavily around personal data. The Agency needs to guarantee that personal data entrusted to us by Member States is processed according to the principles established by each legal framework of the systems we run.

In practice, eu-LISA processes the personal data of different kinds of individuals: persons subject to criminal investigations, witnesses, victims, asylum seekers and VISA holders. Further to that eu-LISA collects several types of data: personal as well as sensitive data such as biometric information.

eu-LISA also manages the personal data of its own staff.

Ensuring the confidentiality, the integrity and the availability of the data as well as implementing data protection principles within eu-LISA's processing operations, strongly influences the successful performance of the Agency. This enables the Agency to foster the trust that Member States and the European Commission endorse on eu-LISA.

The following data protection principles are applicable to all eu-LISA processing activities that address personal data:

  • lawful, fairness and transparency: meaning that personal data should be lawfully and fairly processed and in a transparent manner, in accordance with the Regulation (EU) 2018/1725 and eu-LISA implementing rules;

  • purpose limitation: meaning that personal data should be obtained only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;

  • data minimization: meaning that the collection of personal data must be adequate, relevant and necessary in relation to the purposes for which they are processed;

  • data accuracy: meaning that personal data should be accurate and up-to-date;

  • storage limitation: meaning that personal data should not be kept for longer than necessary to complete the indicated purpose;

  • data retention: meaning that a specific time limit should be defined for retaining personal data;

  • integrity and confidentiality: meaning that personal data should be processed using appropriate technical and organisational measures;

  • accountability: meaning that measures should be implemented and documented in order to guarantee the respect of data protection rules for all processing activities.

  • data protection by design and by default: meaning the implementation of technical and organisational measures, at the earliest stages of the design of the processing operations, in such a way that, by default, safeguards privacy and data protection principles right from the start