PMO Service Guide

Privacy Statements

Missions privacy statement (Regulation 2018/1725)

Specific privacy statement
This statement applies to the administration of missions and authorised travel, and explains how the
personal data of Commission staff are used and how confidentiality is ensured, according to Regulation (EU)
2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural
persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and
on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC(1).
It also contains the legal information required under Articles 15 and 16 of this Regulation.


Why do we collect information about you?
In the course of managing your missions/authorised travel, the Commission must process some of your
personal data. These data, together with any other information you may provide if you consider it
appropriate to do so for a specific purpose, will be used by the travel agency, transport firms, hotels, car hire
companies, credit card companies, insurance companies and any other entity which the Commission (or
you) may come into contact with during the organisation of your missions/authorised travel.
We use your details to arrange travel, accommodation and, where necessary, assistance for staff on
mission/authorised travel, and to pay the resulting expenses.


The processing of the data is based on Article 71 of the Staff Regulations, Articles 11 to 13 of Annex VII to
the Staff Regulations, and Commission Decision C(2017) 5323 final of 27/09/2017 on the general
provisions for implementing Articles 11, 12 and 13 of Annex VII to the Staff Regulations of Officials
(mission expenses) and on authorised travel
(https://myintracomm.ec.europa.eu/hr_admin/en/missions/Documents/guide-to-missions-and-authorisedtravel-en.pdf).


To obtain the best value for money, the Commission uses outside service providers who process some of the
data on behalf of the Commission or for their own purposes. These are:
- the travel agency responsible for issuing tickets and booking hotels;
- the credit-card-issuing financial institution or bank;
- car hire companies that may be used when on mission;
- transport companies;
- insurance companies;
- hotels and other assimilated accommodation providers.


The outside companies used by the Commission to organise your missions/authorised travel are required to
handle these data and certain other information. In their handling of personal data, these firms must apply
the rules on privacy set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of
27 April 2016(2).
(1) OJ L 295, 21.11.2018, pp. 39–98.
(2) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data and on the free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).


What information is collected?
The information required is as follows:
- Member of staff on mission/authorised travel: Title, surname, first name, personnel number, post
(DG/Directorate/Unit), place of employment, office address, office telephone number, office e-mail
address;
- Information concerning the mission/authorised travel: Place(s) of mission/authorised travel and transit,
expected times of departure and return to the place of employment, means of transport used, name of
hotel, bill(s), start and end times of professional commitments at the place of mission, bank account
number, budget heading to which the mission/authorised travel will be charged, MIPS
mission/authorised travel number and confirmation number generated at the time of signature of the
mission order/travel authorisation for approval by the authorising officer.
- Other details may be provided in certain circumstances by persons going on mission/authorised travel, if
they wish to receive more personalised service, mainly through their traveller profile (a travel agency
tool encompassing information which is necessary and/or useful for the management of orders; this
information is formatted and/or structured by the agencies themselves): a mobile telephone number; their
nationality, the date and place of issue of their passport and its expiry date; the passport and credit card
number; the details of a person who may be asked to make reservations on their behalf; any preferences
as regards the conditions of the trip which they might wish to be automatically taken into consideration
(seat and meal).
To ensure that the quality of the service provided by the agency is constantly monitored, any e-mail
correspondence addressed to persons going on mission/authorised travel is copied to the Missions
Department.


To whom is your information disclosed?
- Your information is passed on to your management, the authorising officer, the administrative staff
dealing with it, the settlements officers, the on-line support team, the service providers referred to above
and other persons where required.
The agency receives the basic information required for it to fulfil its contract. This information is
destroyed at the end of the contract. Other information may be transmitted directly by the official to the
agency. In the course of its work, the agency may be required to send your information to a country
outside the EU.
- EEAS (security reasons): to automatically add staff members to the evacuation lists while on
mission/authorised travel in a delegation;
- HR DS – Security Directorate;
- The control and investigation bodies:
- IAS, Court of Auditors, IAC
- OLAF, IDOC
- European Ombudsman, EDPS.


How can you obtain access to information concerning you, check its accuracy and, if necessary,
correct it?
As a data subject you may at any time exercise your rights under Articles 14 to 24 of the Regulation by
contacting the data controller. Furthermore, if you wish to obtain specific details pertaining to a
mission/authorised travel you can contact the PMO officer responsible for handling the mission/authorised
travel indicated on the mission statement or the functional mailbox PMO-MISSIONS[at]ec[dot]europa[dot]eu.
You can also consult personal data held on you by the travel agency, the bank or financial institution which
issued your credit card and the insurance company:
- AirPlus International Corporate privacy statement
- AMEX Global Business Travel privacy statement
- CIGNA privacy statement


How long do we keep your information?
All mission/authorised travel expenses are digitised in MIPS, an e-domec compliant system.
In agreement with DG BUDG (see Ares note Ares(2013)2548764):
- the retention period for the digitised documents is 7 years;
- the retention period for originals kept by the staff member having gone on mission/authorised travel is
the date of the payment (unless there is a disagreement);
- the retention period for originals that have been part of a conformity check sampling (recall of the
original documents kept by the staff member having gone on mission/authorised travel) is 7 years.


What security measures are taken to prevent any abuse of your information or access to it by
unauthorised persons?
Data are stored in the Commission's Data Centre in Luxembourg and are therefore protected by a number of
measures introduced by the Directorate-General for Informatics to protect the integrity and confidentiality of
the Commission's electronic products.
Access to personal data is protected by means of access rights which are strictly limited in accordance with
the "need to know" principle and are based on the duties entrusted to access holders.
Overall responsibility for implementing the rules on data protection and granting access rights is assumed by
the "controller". He is the person who, in both organisational and practical terms, decides who in the various
domains has what right of access to which part of the system. The paper archives are stored in specially
designated premises.


Contact points if you have questions or complaints about personal data processing
Controller: The Head of Unit PMO.2
HR's Data Protection Coordinator: HR-DATA-PROTECTION-COORDINATOR[at]ec[dot]europa[dot]eu
The Commission's Data Protection Officer: DATA-PROTECTION-OFFICER[at]ec[dot]europa[dot]eu
You can also contact the European Data Protection Supervisor: edps[at]edps[dot]europa[dot]eu

JSIS privacy statement

PROTECTION OF YOUR PERSONAL DATA


This privacy statement provides information about the processing and the protection of your personal data.
Processing operation: Payment and reimbursement of medical expenses — Article 72 of the Staff Regulations (Joint Sickness Insurance Scheme for European officials).


Data Controller: PMO - UNIT PMO3
Record reference: DPR-EC-01090.1


Table of Contents
1. Introduction
2. Why and how do we process your personal data?
3. On what legal ground(s) do we process your personal data?
4. Which personal data do we collect and further process?
5. How long do we keep your personal data?
6. How do we protect and safeguard your personal data?
7. Who has access to your personal data and to whom is it disclosed?
8. What are your rights and how can you exercise them?
9. Contact information
10. Where to find more detailed information?

1. Introduction
The European Commission (hereafter ‘the Commission’) is committed to protecting your personal data and to respecting your privacy. The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (repealing Regulation (EC) No 45/2001).
This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor.
The information relating to the processing operation concerning the settlement and reimbursement of medical expenses — Article 72 of the Staff Regulations (Joint Sickness Insurance Scheme for European Officials), undertaken by PMO3, is presented below.


2. Why and how do we process your personal data?
Purpose of the processing operation:
PMO3 collects and uses your personal data to settle and reimburse your medical expenses in accordance with Article 72 of the Staff Regulations of officials and other servants of the European Union and the common rules on medical cover.
More specifically, your data is collected for the following purposes:
(1) Optimal reimbursement of medical expenses incurred by each individual insured or dependent of the insured and beneficiary of the sickness insurance, under Article 72 of the Staff Regulations of officials and other servants and the common rules on medical cover relating to cover of the risks of illness of civil servants and the General Implementing Provisions (GIP). This part of the management includes in particular:
- reimbursement of medical expenses
- requests for complementarity under Article 72 of the Staff Regulations of officials and other servants
- requests for prior authorization
- requests for direct billing for hospitalization
- requests for acceptance of dental and orthodontic estimates
- issuance of affiliation certificates with the JSIS
(2) Management for statistical purposes for internal use only, for:
- Regular fixing and adjustment of parity coefficients;
- Regular fixing and adjustment of ceilings and maximum reimbursements;
- General and overall statistics on expenditure, e.g. by group of services (hospitalization, medicines, dentistry, etc.) and/or by group of officials and members (active and/or retired);
- establishment of insurance rights and/or JSIS membership rights (full coverage/top-up/no cover)
Your personal data will not be used for automated decision-making, including profiling, within the meaning of Article 24 of Regulation (EC) No 2018/1725.


3. On what legal ground(s) do we process your personal data?
For the purposes of Article 5(1) of the Regulation, we process your personal data because:
(a) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;
(b) processing is necessary for compliance with a legal obligation to which the controller is subject;
Your personal data is processed pursuant to:
- Commission Decision (2003/522/EC) of 6.11.2002 establishing the Office for the administration and payment of individual entitlements, available via EUR-Lex
- Financial Regulation - Regulation (EU, Euratom) 2018/1046 on the financial rules applicable to the general budget of the Union, repealing Regulation (EU, Euratom) No 966/2012, available via EUR-Lex
- The Staff Regulations of Officials and the Conditions of Employment of Other Servants, available on Staff Matters Portal and EUR-Lex (Article 72 more specifically)
- Council Regulation (EU) 2016/300 of 29 February 2016 fixing the emoluments of high-level public office holders in the European Union, available via EUR-Lex
- Common rules on sickness insurance for EU officials, available on the Staff Matters Portal and through the Register of implementing rules for the Staff Regulations and the Staff Regulations
- Commission Decision C (2007) 3195 of 2.7.2007 establishing the general implementing provisions relating to the reimbursement of medical expenses, available on the Staff Matters Portal and through the Register of implementing rules for the Staff Regulations
- General implementing provisions relating to accident risk cover for the spouse, children and other dependents of officials of the European Communities posted to a third country, available on the Staff Matters Portal and through the Register of implementing rules of the statute and the staff Regulations
- General implementing provisions for Article 24, first and second paragraph of Annex X of the Staff Regulations, available on the Staff Matters Portal and through the Register of implementing rules for the Staff Regulations
- Implementing measures for the Statute for Members of the European Parliament established by Bureau Decision of 19 May and 9 July 2008 (Articles 3 to 6 on reimbursement of medical expenses), available via EUR-Lex
Under Article 10 (2) of Regulation (EC) No 2018/1725, we deal with special categories of personal data. In particular, we process data relating to health or data relating to sexual life or sexual orientation. We process this category of data because:
- Article 10(2)(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
- Article 10(2)(b) the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law insofar as it is authorised by Union law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
- Article 10(2)(c) the processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent;
- Article 10(2)(f) the processing is necessary for the establishment, exercise or defence of legal claims or whenever the Court of Justice is acting in its judicial capacity;
- Article 10(2)(h) the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union law.


4. Which personal data do we collect and further process?
In order to carry out this processing operation, the Data Controller, PMO3, collects the following categories of personal data:
Professional and private data relating to the identity of the insured (see also DPR-EC-01117.1 on SYSPER):
• full office address
• date of entry into service
• date of birth
• institution
• language
• private address
• personnel number and registration number
• nationality
• surname, first name
• country
• gender
• phone number
• title
• position
• category of beneficiary
Data relating to the identification of the bank account to which the reimbursement of medical expenses will be made (see also DPR-EC-01116.1 on NAP and DPR-EC-01146.1 on Payment Factory):
• Bank identification details: Third party file (SINCOM2)
• BANK AGENCY CODE
• BIC CODE
• ITA CODE
• BANK ACCOUNT
• ITA ACCOUNT
• CURRENCY
• THIRD PARTY SI2
When the reimbursement is made to a person external to the institutions and bodies of the EU, this person must provide all the documents necessary for his personal identification, including a copy of the identity card, and the validation of the bank account.
• Salary history for the calculation of rights on the basis of Article 72(3) of the Staff Regulations of Officials and Other Servants.
• Declaration by members on the professional activity of the spouse/partner and/or children (necessary for the establishment of sickness insurance cover; see also DPR-EC-01117.1 on SYSPER)
• All details of the services declared (invoices, medical prescriptions) as well as the corresponding reimbursements
• Medical data, processed under strict confidentiality, such as medical reports drawn up by the general practitioner, the expert doctor, the medical officer and the doctor appointed by the competent service.
The data controller processes special categories of personal data, namely your health data, pursuant to Article 10 (2) (b) & (c) of Regulation (EU) No 1725/2018, i.e. medical data, processed under strict confidentiality, such as medical reports drawn up by the general practitioner, the expert doctor and the doctor appointed by the competent service.
We collect your data directly from the data subject (see Article 15 of the Regulation).
The provision of your personal data is necessary in order to fulfil our obligations under the Staff Regulations under Article 72 of the Staff Regulations of Officials and Other Servants of the European Union and the Common Rules on Medical Coverage.


5. How long do we keep your personal data?
The Data Controller, PMO.3, keeps your personal data for the time necessary to fulfil the purpose of collection or further processing, namely:
- applications of all types in paper format (original documents) — 18 months (documents kept by the staff member himself)
- original documents sent to PMO in paper format — 18 months (then eliminated)
- original documents sampled — control — 7 years — in accordance with Article 134 of the Financial Regulation
- digitized files — 7 years — in accordance with Article 134 of the Financial Regulation
- files sent to doctors appointed by the competent services (kept on their premises)


6. How do we protect and safeguard your personal data?
All personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are stored on the servers of the European Commission. All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.
In order to protect your personal data, the Commission has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.

7. Who has access to your personal data and to whom is it disclosed?
Access to your personal data is provided to the Commission staff responsible for carrying out this processing operation and to authorised staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements.
In addition, the following services receive your data for the purpose of carrying out their duties under the Staff Regulations of Officials and the applicable law of the European Union:
• The managers of the PMO3 health insurance sector
• The PMO’s relevant financial departments as regards the execution of payments (salaries, pensions, etc.).
• The relevant services of DG HR as part of their medical file.
• The services of DG HR and the Legal Service with regard to complaints and actions in the Court of Justice against decisions adopted.
• If necessary, the social workers of DG HR’s medical service
• Internal departments and bodies responsible for carrying out checks or inspections under EU law.
• The relevant services of DG BUDG as regards the data necessary for the transfer to the bank accounts of the data subjects
• The relevant departments of the General Secretariat in the case of confirmatory applications for access to documents
• Insurance companies under a reinsurance contract with the European institutions
• Third party insurance companies in the context of the recovery of disbursements. They can be located outside the EU
• Doctors appointed by the competent services in accordance with the terms of reference given on the basis of the common rules and their contract for the provision of services and specifications
• The occupational physicians of the institutions and bodies which have signed an agreement on the provision of services with the PMO
• External departments and bodies responsible for carrying out checks or inspections under EU law.
• European Ombudsman in the event of a complaint
• Any relevant national authority on the basis of a detailed request
The data controller may transfer some of your personal data to a hospital in case of direct billing. The hospital may be in a third country, in accordance with Regulation (EU) 2018/1725.
The controller will transfer your personal data based on:
- Article 47 of Regulation (EU) 2018/1725: adequacy decision
- In the absence of appropriate safeguards, the derogations provided for in Article 50(1)(a)-(g) of Regulation (EU) 2018/1725 apply, in this case for the following reasons:
(b) the transfer is necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the request of the data subject;
(e) the transfer is necessary for the establishment, exercise or defense of legal claims;
(f) the transfer is necessary to safeguard the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving his or her consent.


8. What are your rights and how can you exercise them?
You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access your personal data and to rectify them in case your personal data are inaccurate or incomplete. Where applicable, you have the right to erase your personal data, to restrict the processing of your personal data, to object to the processing, and the right to data portability.
You have the right to object to the processing of your personal data, which is lawfully carried out pursuant to Article 5(1)(a) on grounds relating to your particular situation.
You have consented to provide your personal data to the data controller, PMO 3, for the present processing operation. You can withdraw your consent at any time by notifying the Data Controller. The withdrawal will not affect the lawfulness of the processing carried out before you have withdrawn the consent.
You can exercise your rights by contacting the Data Controller, or in case of conflict the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.
Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under Heading 10 below) in your request.


9. Contact information
- The Data Controller
If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller, PMO.3 (PMO-3-RCAM-FO-BO[at]ec[dot]europa[dot]eu).
- The Data Protection Officer (DPO) of the Commission
You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER[at]ec[dot]europa[dot]eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.
- The European Data Protection Supervisor (EDPS)
You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor (edps[at]edps[dot]europa[dot]eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.


10. Where to find more detailed information?
The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him. You may access the register via the following link: http://ec.europa.eu/dpo-register.
This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-01090.

AGM privacy statement