Data protection in the European Consumer Centres Network

The European Consumer Centres (hereinafter ECCs) and the European Commission (hereafter ‘the Commission’) are committed to protect your personal data and to respect your privacy.

ECCs work together to provide consumers with information and advice on their rights and assist them with cross-border complaints and disputes within the EU/EEA, so that consumers can take full advantage of the internal market. ECCs collect and further processes personal data pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data,.

The European Commission is the civil service of the European Union. Within this organisation, the Consumer Enforcement and Redress Unit (unit B3) in DG JUST is responsible for providing the case handling IT tool and supporting its use in the handling of consumer queries made to ECCs. In providing the tool, this unit works with DIGIT, a directorate general that provides IT services within the Commission. Unit B3 is the owner of the tool and is responsible for its strategic development and supporting its users, DIGIT is responsible for technical functioning and infrastructural support.

The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (repealing Regulation (EC) No 45/2001).

Purposes of the data processin

This section describes the purposes of the processing by the ECCs and by the European Commission. The ECCs and the European Commission are joint controllers for the processing.

To fulfil their role, ECCNET2 is used by the ECCs to process relevant data, insofar and as long as necessary, for one or more of the following purposes:

• to enable communication between the ECC and the consumer
• to facilitate the assessment of a request
• to attempt resolving complaints or disputes, whether directly with the trader complained about, or through an Alternative Dispute Resolution entity or “ADR” entity (this is an impartial organisation that tries to resolve consumer disputes)
• to enable consumers to follow up the status of their requests
• to create aggregated statistics, including on suspected infringements.

The European Commission

The European Commission provides ECCNET2, the case handling IT tool used by all ECCs. The Commission processes relevant data, insofar and as long as necessary, for one or more of the following purposes:

• To support users of the IT tool in ECCs in its optimal use (monitoring, training, and support)
• To maintain, develop and troubleshoot the case handling IT tool used by the ECCs
• To create anonymised statistics, including on suspected infringements.

Your personal data will not be used for any automated decision-making including profiling.

We process your personal data on three legal grounds: first of all, based on your consent (when you seek help from an ECC), and for secondary purposes, when processing is necessary for the performance of a task carried out in the public interest.

To answer your questions or handle your complaint, the processing of your data is based on your consent.

For other purposes mentioned above, including the creation of statistics, and maintenance, development and troubleshooting, the processing is necessary for the performance of a task carried out in the public interest -or in the exercise of official authority vested in the Union institution or body (Art 5(1) a of Regulation (EU) 2018/1725 -or in the exercise of official authority vested in the controller Art 6(1) e of Regulation (EU) 2016/679.

The network has a legal basis in the following legal instruments:

• Regulation (EU) 2021/690 of the European Parliament and of the Council of 28 April 2021establishing a programme for single market, competitiveness of enterprises, including small and medium-sized enterprises, including small and medium-sized enterprises, the area of plants, animals, food and feed, and European statistics (Single Market Programme) and repealing Regulations (EU) No 99/2013, (EU) No 1287/2013, (EU) No 254/2014 and (EU) No 652/2014 and, more specifically, articles 3(2)(d), Art 8(2)(b) and 9(5) of this Regulation.
• Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market and, in particular, article 21.
• Directive 2013/11/EU of the European Parliament and of the Council of 21 May 2013 on alternative dispute resolution for consumer disputes and amending Regulation (EC) No 2006/2004 and Directive 2009/22/EC (Directive on consumer ADR) and, more specifically, article 14 of the Directive.
• Regulation (EU) 2017/2394 of the European Parliament and of the Council of 12 December 2017 on cooperation between national authorities responsible for the enforcement of consumer protection laws and repealing Regulation (EC) No 2006/2004 and, in particular, article 27(1).

To carry out this processing operation, the European Commission collects personal data from the following categories of data subjects:

• Consumers in the European Union, Norway, Iceland and other countries who approach ECCs for information and assistance (Consumers);
• Contact persons for the traders in the European Union, Norway and Iceland involved in consumer complaints or disputes (Trader representatives);
• Contact persons in ADR entities (ADR representatives);

The ECCs and Commission do not knowingly collect or process data from minors.

The personal data collected and further processed may include:

a) For Consumers:

• Name of the consumer/reporter
• Address
• Post code
• Country of residence
• Telephone
• Email
• Gender
• Communication language
• Summary/Description of the request

Further personal data may be collected if provided by the consumer as necessary for handling the complaint.

b) For Trader representatives:

Data from individual trader’s representatives is rarely stored in the system but, when processed may include:

• Name of the trader’s representative
• Professional address
• Post code
• Country
• Professional Telephone
• Professional email

c) For ADR representatives:

Data from individual ADR representatives is rarely stored in the system but, when processed may include:

• Name of the ADR’s representative;
• Professional address;
• Post code;
• Country;
• Professional Telephone;
• Professional email;

The provision of the abovementioned data is mandatory to allow us to handle your question of complaint. If you do not provide your personal data, we will not be able to respond to you.

The Commission as provider of the IT tool has access to your file along with the ECC or ECCs that are directly involved in handling your query.

Personal data of the consumers, traders’ and ADRs’ representatives shall be kept as long as a case remains open, and for three years after the case has been closed. This is to allow follow-up if there are new developments after the closure of the case. Once the retention period expires, all personal data relating to that case will be automatically deleted from the IT tool and only anonymous statistical information is retained. This deletion occurs by the full deletion of contents of all fields where personal data can be entered or stored.

All personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are stored on the servers of the European Commission, or on the servers of ECC offices or their host organisation of ECCs. Storage on host organisation servers may occur on mail servers and in the mail clients of the ECC offices or their host organisation, and (temporarily) in other Office productivity tools for text processing.

To protect your personal data, the Commission and ECCs have put in place several technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.

Access to your personal data is provided to the Commission staff responsible for carrying out this processing operation and to authorised staff of your ECC (case handlers) according to the “need to know” principle. This means that only staff who have a compelling purpose for having access to your data will have access. Such staff abide by statutory, and additional confidentiality requirements.

To resolve your request, it may subsequently be shared, with your express consent, with the authorised staff (case handlers) at the ECC where the trader is based or, where appropriate, with relevant public or private bodies such as an ADR entity or a National Enforcement Body (NEB).

Shared requests may result in contact with the trader. When such contact is made, your data may be shared too insofar as necessary to resolve the request.

Other than that, the information we collect will not be given to any third party, except to the extent and for the purpose we may be required to do so by law.

Norway and Iceland are EEA/EFTA countries. This means these countries have entered into agreement with the EU to be part of what is called a European Economic Area or the European Free Trade Association. ECC offices in Norway and Iceland are members of the European Consumer Centres Network.

You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular, the right to access your personal data and to rectify them in case your personal data are inaccurate or incomplete. Where applicable, you have the right to erase your personal data, to restrict the processing of your personal data, to object to the processing, and the right to data portability.

You have consented to provide your personal data to your ECC and to the European Commission, directorate-General Justice and Consumers, Directorate E: Consumers Directorate, Unit E3 “Consumer Enforcement and Redress”.

You can withdraw your consent at any time by notifying the Data Controller. For consumers that have lodged a query with an ECC, the data controller to be notified is the ECC where the query was lodged. The withdrawal will not affect the lawfulness of the processing carried out before you have withdrawn the consent.

You can exercise your rights by contacting the Data Controller whom you originally contacted (the ECC), or in case of a conflict, the Data Protection Officer supervising your local ECC. If you wish, you may alternatively contact the European Data Protection Supervisor (contact details under Section 9 below) although your primary point of contact is the national ECC where you filed a complaint, and its Data Protection Officer.

If you wish to exercise your rights in the context of one or several specific processing operations, please provide a specific description of the data in your request.

Data Controller (European Consumer Centre): European Consumer Centre Finland (Euroopan kuluttajakeskus Suomessa).

Data Controller (European Commission): Directorate-General Justice and Consumers, Directorate E: Consumers Directorate, Unit B3 “Consumer Enforcement and Redress”

Record reference: DPR-EC-01406

Two joint data controllers

If you would like to exercise your rights under Regulation (EU) 2018/1725 or under Regulation (EU) 2016/679, if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please contact the relevant Data Controller. Normally, this would be the ECC that you have contacted:

European Consumer Centre Finland (Euroopan kuluttajakeskus Suomessa), ekk@kkv.fi; and the Data Protection Officer (DPO) of the Finnish Competition and Consumer Authority (the Host of ECC Finland): tietosuoja@kkv.fi

Alternatively, you may contact the data controller below,

Unit B3 “Consumer Enforcement and Redress”, Directorate E: Consumers Directorate, Directorate-General Justice and Consumers
E-mail: JUST-B3@ec.europa.eu

The Data Protection Officer (DPO) of the Commission

You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.

The European Data Protection Supervisor (EDPS)

You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor (edps@edps.europa.eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.

The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him

This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-0140.

The Finnish Competition and Consumer Authority, which is the host organisation of the European Consumer Centre in Finland, is responsible for implementing other obligations arising from data protection legislation and maintains a record of processing activities.