DPO-3732_Anx1_PrivacyStatement_SURVEYGIZMO-UScontractor_CONSENT_2016-03-22.doc P.

1/4 - 30/03/2016

PRIVACY STATEMENT ON THE PROTECTION OF YOUR PERSONAL DATA

Consultation using SURVEYGIZMO tools provided by an external contractor from the United States of America
for the Publications Office

I. Introduction
The European institutions are committed to protecting and respecting your privacy. The policy on protection of
individuals with regard to the processing of personal data by the Community institutions is based on Regulation (EC)
N°45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with
regard to the processing of personal data by the Community institutions and bodies and on the free movement of such
data.

II. Why do we process your data?

The Publications Office carries out "Consultations" of stakeholders and/or the public on behalf of EU Institutions,
agencies and other bodies concerning publication and distribution activities.
These consultations generally concern: gathering feedback on one or more publications or related services;
establishing the level of interest in one or more publications or subscriptions; and/or creating a mailing list for one or
more publications or subscriptions.
Stakeholders may be invited to present their views in writing, in the context of public consultations.
The public and interested parties may be invited via e-mail, the Internet, or traditional alternatives (press releases,
mailings), to fill in an on-line questionnaire prepared using SurveyGizmo tools provided by a contractor in the United
States of America (USA).
Your personal data will be used only for this purpose.

Tasks and operations of the Publications Office are defined in the Decision 2009/496/EC.
The processing of your personal data is based on Article 5(a) of Regulation (EC) no. 45/2001 which stipulates that
“personal data may be processed only if “processing is necessary for the performance of a task carried out in the
public interest on the basis of the Treaties establishing the European Communities or other legal instruments adopted
on the basis thereof or in the legitimate exercise of official authority vested in the Community institution or body or in a
third party to whom the data are disclosed,”
Collected personal data is treated according to the policy described in the above-mentioned Regulation.

III. Which data do we collect and process?

Identification Data
The personal data collected and further processed are data necessary for the participation in the consultation, such
as:

Title, First Name, Family Name, Organisation, Department/Service, Organisation's geographic area of activity, Street
and number, Country, Postal Code, City, Phone, Fax, E-Mail Address, Data subject's categories they represent,
Language, Age Group and Contribution.
The public and interested parties may be invited via e-mail, the Internet, or traditional alternatives (press releases,
mailings), to fill in an on-line questionnaire prepared using SurveyGizmo tools provided by a contractor in the USA.
The implications and consequences of this are explained further below in section V., entitled "To whom are your data
disclosed?" below.
The processing operations on personal data linked to the organisation and management of this consultation are
necessary for the management and functioning of the Commission, as mandated by the Treaties, and more
specifically in Article 5 of the Treaty on European Union (TEU), Article 13 TEU and Articles 244-250 of the Treaty on
the Functioning of the European Union (TFEU), and in accordance with Article 1 and Article 11 TEU.
Further information : http://www.surveygizmo.com/privacy/
DPO-3732_Anx1_PrivacyStatement_SURVEYGIZMO-UScontractor_CONSENT_2016-03-22.doc P.2/4 - 30/03/2016

Technical information

IV. How long do we keep your data?

We keep the data only for the time necessary to fulfil the purpose of collection or further processing.
 When the Publications Office keeps personal data for more than 1 year:
Your personal data will remain in the database until the results have been completely analysed and will be rendered
anonymous when they have been usefully exploited, and at the latest after 1 year from the end of the consultation.

 When the Publications Office needs to keep personal data collected in the context of this consultation in order to feed
its lists of contact details:
If you provided your email address at the end of the consultation, your personal data will be part of a list of contact
details shared internally amongst the staff of the EU institutions for the purpose of contacting you in the future in the
context of the EU’s activities. If you do not agree with this, please contact the Controller by using the Contact
Information below and by explicitly specifying your request.

V. How do we protect your data?

All data in electronic format (e-mails, documents, uploaded batches of data etc.) are stored either on the servers of the
European Commission or of its contractors; the operations of which abide by the European Commission’s security
decision of 16 August 2006 [C(2006) 3602] concerning the security of information systems used by the European
Commission.

The Commission’s contractors are bound by a specific contractual clause for any processing operations of your data
on behalf of the Commission, and by the confidentiality obligations deriving from the transposition of Directive
95/46/CE.

The Publications Office has put in place, and regularly reviews and updates, appropriate physical, electronic, and
managerial procedures to safeguard and help prevent unauthorized access, maintain data security, and correctly use
the information collected for the treatment of publications orders.

Staff of the Publications Office and the European institutions who have access to personally identifiable information
are required to protect this information in a manner that is consistent with this Privacy Statement by, for example, not
using the information for any purpose other than to carry out the services they are performing.

To protect your privacy and security, we will take reasonable steps to help verify your identity before granting access
or making corrections.
The collected personal data and all information related to the above mentioned consultation is stored on a computer of
SURVEYGIZMO or its subcontractor(s), acting as processor(s).

VI. Who has access to your data and to whom is it disclosed?

Access to your data is provided to authorised staff according to the “need to know” principle. Such staff abide by
statutory, and when required, additional confidentiality agreements.
The access to all personal data as well as all information collected in the context of this consultation is only granted
through UserId/Password to a defined population of users, without prejudice to a possible transmission to the bodies in
charge of a monitoring or inspection task in accordance with Community legislation. These users typically are
members of the Unit organising the consultation inside the Publications Office, and its related contractors.

The survey tool SurveyGizmo is provided and managed by an external contractor called WIDGIX, a
U.S. company bound by U.S. laws. Thus, your personal data can be disclosed to U.S. authorities
when required by law, for example in relation to national security considerations. There are
conditions and safeguards in U.S. laws which are nonetheless different from those in EU law. For
more information, see the SurveyGizmo privacy policy: https://www.surveygizmo.com/privacy/
DPO-3732_Anx1_PrivacyStatement_SURVEYGIZMO-UScontractor_CONSENT_2016-03-22.doc P.3/4 - 30/03/2016

This survey is done using the services of a U.S. tool, SurveyGizmo. By responding to our surveys
on SurveyGizmo you give your consent that SurveyGizmo processes your personal data in
accordance to U.S. laws.
No personal data is transmitted to parties which are outside the recipients and the legal framework mentioned.

The Publications Office and its contractor(s) will not share personal data with third parties for direct marketing
purposes.

Without prior written agreement of the person concerned, such personal details will not be disclosed to third parties,
without prejudice to a possible transmission to the bodies in charge of a monitoring or inspection task in accordance
with EU legislation.

VII. What are your rights and how can you exercise them?
In accordance with Regulation (EC) n°45/2001, you are entitled to access your personal data and rectify and/or
block it in case the data is inaccurate or incomplete. You can exercise your rights by contacting the data controller, or
in case of conflict the Data Protection Officer and if necessary the European Data Protection Supervisor using the
contact information given at section VIII below.

You may also request us to delete your personal information completely, subject to settlement of all outstanding issues
related to our relationship. This will mean that you will also terminate all services and access rights that may be linked
to this information.

In case you want to verify which personal data is stored on your behalf by the responsible controller, have it modified,
corrected or deleted, please contact the controller by using the contact information below and by explicitly specifying
your request. In this case, the Publications Office will proceed to corrections within maximum 5 working
days.

VIII. Contact information

If you have comments or questions, any concerns or a complaint regarding the collection and use of your personal
data, please feel free to contact the Data Controller using the following contact information:

 The Data Controller:

• Head of the “Common Portal and Open Data Portal” unit

• Email: info@publications.europa.eu

In case you wish to access or verify your personal information which is stored on your behalf by the responsible
controller, have it modified, corrected, or deleted, or if you have questions regarding the consultation, or concerning
any information processed in the context of the consultation, or on your rights, feel free to contact the support team,
operating under the responsibility of the Controller.

The Data Protection Officer (DPO) of the Commission:
DATA-PROTECTION-OFFICER@ec.europa.eu

 The European Data Protection Supervisor (EDPS): edps@edps.europa.eu.

Complaints, in case of conflict, can be addressed to the Data Protection Officer of the European Commission or the
European Data Protection Supervisor.
DPO-3732_Anx1_PrivacyStatement_SURVEYGIZMO-UScontractor_CONSENT_2016-03-22.doc P.4/4 - 30/03/2016

IX. Where to find more detailed information?

The Commission Data Protection Officer publishes the register of all operations processing personal data. You can
access the register on the following link: http://ec.europa.eu/dpo-register

This specific processing has been notified to the DPO with the following reference:
DPO-3732.