Personal data management policy for the TRIPS application
ARTICLE 1: PREAMBLE
- The methods used in processing their personal data
- The data controller
- Data subjects
ARTICLE 2 : DEFINITIONS
I. Personal data
Personal data (PD) are any information that can be used directly or indirectly to identify an individual.
Processing is any operation or set of operations performed on personal data, such as collection, recording, organisation, consultation, extraction, erasure and destruction.
III. Data controller
The body or organisation that determines the processing purposes and means.
The body or organisation that processes personal data on behalf of and on instructions from the Data Controller
V. Data subject
Person whose personal data are processed.
Internal services or any external entity authorised to receive personal data.
ARTICLE 3: PROCESSED PERSONAL DATA
Processing is performed in accordance with current legislation, notably (EU) regulation 2016/679 of the European Parliament and the Council of 27 April 2016, the General Data Protection Regulation (GDPR) and Law no. 78-17 of 6 January 1978, the French Data Protection Act (LIL), as amended.
I. Data processing methods
A. Purpose of the data processing
Personal data are processed for the purpose of managing the transport of Members of the European Parliament.
B. Lawful basis of the data processing
The processing of personal data is based upon the consent of the user of the application. Consent may be withdrawn at any time. Withdrawal of consent will result in the removal of access to the application.
C. Personal data types
Personal data collected during use of the application are as follows:
- Personal identifying data of parliamentarians/assistants: title, last name, first name, job title, the body to which the person is attached, Member State, encrypted password;
- Contact data of parliamentarians/assistants: email, secondary email (optional), mobile telephone number, landline telephone number (optional);
- Transport-related data: date and time of arrival or departure, flight number, departure/destination airport, meeting place, data entered in the free-text field regarding an accommodation request;
- Transporter identification data: email, encrypted password, telephone.
These data are collected when the user performs one of the following operations in the application:
- Registration on the application to create an account
- Transfer reservation request for a parliamentarian
- Amending account personal details
D. Data storage duration
The Data Controller will store all processed data in an active database within the application information systems, in accordance with technical and organisational security measures, throughout the period of access to the service. Following closure of the account, the data are anonymised to allow statistical reporting.
II. Recipients of the personal data
The recipients of the personal data are, internally, the Reception Centre for European institutions and International Delegations using the application, and, externally, for the relevant data, the transporters.
III. Data hosting
The TRIPS application is hosted by the Eurometropolis of Strasbourg.
ARTICLE 4: DATA CONTROLLER AND DATA PROTECTION OFFICER
I. Data controller (DC)
The Data Controller is the Eurometropolis of Strasbourg, 1 Parc de l’Etoile, 67076 Strasbourg Cedex, France.
II. Data Protection Officer (DPO)
The Data Protection Officer of the City and Eurometropolis of Strasbourg is Mr. Sélim-Alexandre Arrad, who can be contacted in accordance with the policy’s procedures for exercising user rights.
ARTICLE 5: SECURITY OF INFORMATION SYSTEMS (SIS)
Technical and organisational security measures are in place to protect personal data. Any security flaw detected can be reported to the Head of Information Systems Security (HISS) by email to firstname.lastname@example.org.
ARTICLE 6: DATA SUBJECT RIGHTS
Data subjects, in accordance with applicable legislation regarding the protection of personal data, enjoy the rights set out below.
I. Right of access
You can ask for your personal data to be sent to you. The City and Eurometropolis of Strasbourg may decline to do so, especially in cases where the request is unfounded, excessive or infringes on third-party rights.
II. Right to rectification
You can ask for any inaccurate or incomplete personal data to be rectified.
III. Right of erasure (right to be forgotten)
You can ask for your personal data to be erased. It is important to specify exactly which data you are requesting erasure for.
IV. Right to restrict processing
You can request a temporary suspension in the use of some of your data. If you contest the accuracy of your data or if you object to your data being processed, the law grants us a certain amount of time for checking or examining your request.
V. Right to data portability
You are entitled to have your personal data given to you in an easily-reusable format. This right applies to:
- Data which you have provided
- The processing of which depends on your consent
- The processing of which is automated
The exercise of this right must not infringe on third parties’ rights and liberties.
VI. Right to lodge a complaint with the CNIL
If after contacting us, you believe that your rights have not been respected, you can lodge a complaint with the CNIL, the French data protection authority
VII. Post-mortem instructions
In accordance with article 85 of the French Data Protection Act, as amended: “any person may give instructions regarding the retention, erasure and communication of their personal data after their death.” The instructions may be general or specific.
ARTICLE 7: EXERCISING YOUR RIGHTS
You may exercise your rights in 2 ways:
- By mail to the Data Protection Officer at email@example.com (attaching a scanned identity document)
- By using the relevant form (attaching a scanned identity document), which you will find here: https://demarches.strasbourg.eu/vie-pratique/informations-personnelles
The Eurometropolis of Strasbourg will do its utmost to reply to your request within one month of receipt. This may, however, be extended to 3 months in the event of a complex request or if there is a large number of requests pending. You will be informed within the one-month period of the grounds for any such extension.