ECC Net Privacy Policy

ECC-Net Privacy Statement

Introduction

The European Consumer Centres (ECCs) and the European Commission (the Commission) are committed to protect your personal data and to respect your privacy.

ECCs work together to provide consumers with information and advice on their rights and assist them with cross-border complaints and disputes within the EU/EEA, so that consumers can take full advantage of the internal market.

ECCs collect and further processes personal data pursuant to Regulation (EU) 2016/679Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

The Commission is the civil service of the European Union. Within this organisation, the Consumer Enforcement and Redress Unit (unit B3) in DG JUST is responsible for providing the case handling IT tool and supporting its use in the handling of consumer queries made to ECCs. In providing the tool, this unit works with DIGIT, a directorate general that provides IT services within the Commission. Unit B3 is the owner of the tool and is responsible for its strategic development and supporting its users, DIGIT is responsible for technical functioning and infrastructural support.

The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (repealing Regulation (EC) No 45/2001).

This privacy statement explains the reasons for the processing of your personal data, the way the Commission and the ECC collect, handle, and ensure protection of the personal data you have provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer, and the contact details of both the European Data Protection Supervisor as well as the national supervisory authority.

The Commission provides ECCNET2, the case handling IT tool used by all ECCs. The Commission processes relevant data, insofar and as long as necessary, for one or more of the following purposes:

  • To support users of the IT tool in ECCs in its optimal use (monitoring, training, and support)
  • To maintain, develop and troubleshoot the case handling IT tool used by the ECCs
  • to create anonymised statistics, including on suspected infringements

Why and how do we process your data? 

ECCNET2 is used by ECCI to process relevant data, insofar and as long as necessary, for one or more of the following purposes:

  • to enable communication between ECCI and the consumer
  • to facilitate the assessment of a request
  • to attempt resolving complaints or disputes, whether directly with the trader complained about, or through an Alternative Dispute Resolution entity or “ADR” entity (this is an impartial organisation that tries to resolve consumer disputes)
  • to enable consumers to follow up the status of their requests
  • to create aggregated statistics, including on suspected infringements.

Further information on ECC-Net can be found at Europa.eu

The Commission provides ECCNET2, the case handling IT tool used by all ECCs. The Commission processes relevant data, insofar and as long as necessary, for one or more of the following purposes:

  • To support users of the IT tool in ECCs in its optimal use (monitoring, training, and support)
  • To maintain, develop and troubleshoot the case handling IT tool used by the ECCs
  • to create anonymised statistics, including on suspected infringements

Your personal data will not be used for any automated decision-making including profiling.

On what legal ground(s) do we process your personal data

We process your personal data on three legal grounds: first of all, based on your consent (when you seek help from an ECC), and for secondary purposes, when processing is necessary for the performance of a task carried out in the public interest.

To answer your questions or handle your complaint, the processing of your data is based on your consent.

For other purposes mentioned above, including the creation of statistics, and maintenance, development and troubleshooting, the processing is necessary for the performance of a task carried out in the public interest -or in the exercise of official authority vested in the Union institution or body (Art 5(1) a of Regulation (EU) 2018/1725 -or in the exercise of official authority vested in the controller Art 6(1) e of Regulation (EU) 2016/679.

The network has a legal basis in the following legal instruments:

  • Regulation (EU) 2021/690 of the European Parliament and of the Council of 28 April 2021establishing a programme for single market, competitiveness of enterprises, including small and medium-sized enterprises, including small and medium-sized enterprises, the area of plants, animals, food and feed, and European statistics (Single Market Programme) and repealing Regulations (EU) No 99/2013, (EU) No 1287/2013, (EU) No 254/2014 and (EU) No 652/2014 and, more specifically, articles 3(2)(d), Art 8(2)(b) and 9(5) of this Regulation.
  • Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market and, in particular, article 21.
  • Directive 2013/11/EU of the European Parliament and of the Council of 21 May 2013 on alternative dispute resolution for consumer disputes and amending Regulation (EC) No 2006/2004 and Directive 2009/22/EC (Directive on consumer ADR) and, more specifically, article 14 of the Directive.
  • Regulation (EU) 2017/2394 of the European Parliament and of the Council of 12 December 2017 on cooperation between national authorities responsible for the enforcement of consumer protection laws and repealing Regulation (EC) No 2006/2004 and, in particular, article 27(1).

Whose personal data do we collect and process? 

The Commission collects personal data from the following data subjects:

  • Consumers – in the European Union, Iceland, Norway and the UK who approach ECCs for information and assistance.
  • Trader representatives – contact persons for businesses in the European Union, Norway and Iceland involved in consumer complaints or disputes.
  • ADR representatives – contact persons in ADR entities.

The ECCs and Commission do not knowingly collect or process data from minors.

 

What data do we collect and process? 

The personal data collected and processed may include:

For consumers

  • Name of the consumer/reporter
  • Address
  • Postal code
  • Country of residence
  • Telephone number
  • Email
  • Gender
  • Communication language
  • Summary/Description of the request
  • Further personal data upon explicit consent may be collected if necessary for handling the complaint such as bank details.

For trader representatives

Data from individual trader’s representatives is rarely stored in ECC-NET2 but, when processed may include:

  • Name of the trader’s representative
  • Professional address
  • Postal code
  • Country
  • Professional telephone
  • Professional email
  • ADR representatives

For ADR representatives

Data from ADR representatives is rarely store in the system but, when processed may include:

  • Name of the ADR’s representative
  • Professional address
  • Postal code
  • Country
  • Professional telephone
  • Professional email

How long do we keep your personal data? 

Personal data of the consumers, traders’ and ADRs’ representatives shall be kept as long as a case remains open, and for three years has been closed. This is to allow follow-up if there are new developments after the closure of the case. Once the retention period expires, all personal data relating to that case will be automatically deleted from the IT tool and only anonymous statistical information is retained. This deletion occurs by the full deletion of contents of all fields where personal data can be entered or stored.

How do we protect your personal data? 

All personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are stored on the servers of the European Commission, or on the servers of ECC offices or their host organisation of ECCs. Storage on host organisation servers may occur on mail servers and in the mail clients of the ECC offices or their host organisation, and (temporarily) in other Office productivity tools for text processing.

To protect your personal data, the Commission and ECCs have put in place several technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.

Who has access to your personal data? 

Access to your personal data is provided to the Commission staff responsible for carrying out this processing operation and to authorised staff of your ECC (case handlers) according to the “need to know” principle.  This means that only staff who have a compelling purpose for having access to your data will have access. Such staff abide by statutory, and additional confidentiality requirements.

To resolve your request, it may subsequently be shared, with your express consent, with the authorised staff (case handlers) at the ECC where the trader is based or, where appropriate, with relevant public or private bodies such as an ADR entity or a National Enforcement Body (NEB).

Shared requests may result in contact with the trader. When such contact is made, your data may be shared too insofar as necessary to resolve the request.

Other than that, the information we collect will not be given to any third party, except to the extent and for the purpose we may be required to do so by law.

Norway and Iceland are EEA/EFTA countries. This means these countries have entered into agreement with the EU to be part of what is called a European Economic Area or the European Free Trade Association.  ECC offices in Norway and Iceland are members of the European Consumer Centres Network.

What are your rights and how can you exercise them? 

You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular, the right to access your personal data and to rectify them in case your personal data are inaccurate or incomplete. Where applicable, you have the right to erase your personal data, to restrict the processing of your personal data, to object to the processing, and the right to data portability.

 

You have consented to provide your personal data to your ECC and to the European Commission, directorate-General Justice and Consumers, Directorate E: Consumers Directorate, Unit E3 “Consumer Enforcement and Redress”.

 

You can withdraw your consent at any time by notifying the Data Controller. For consumers that have lodged a query with an ECC, the data controller to be notified is the ECC where the query was lodged. The withdrawal will not affect the lawfulness of the processing carried out before you have withdrawn the consent.

 

You can exercise your rights by contacting the Data Controller whom you originally contacted (the ECC), or in case of a conflict, the Data Protection Officer supervising your local ECC. If you wish, you may alternatively contact the European Data Protection Supervisor (contact details under Section 9 below) although your primary point of contact is the national ECC where you filed a complaint, and its Data Protection Officer.

If you wish to exercise your rights in the context of one or several specific processing operations, please provide a specific description of the data in your request.

Contact information 

Data controllers

If you would like to exercise your rights under Regulation (EU) 2018/1725 or under Regulation (EU) 2016/679, if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please contact the relevant Data Controller. Normally, this would be the ECC that you have contacted. For Ireland, the details are below:

European Consumer Centre Ireland  

Bloom House, Railway Street, Dublin 1, D01 C576

Email: contactecci@eccireland.ie

 

Alternatively, you may contact the Commission data controller below:

Head of Unit E.3: Consumer Enforcement and Redress 

Directorate-General for Justice and Consumers

European Commission

Email: JUST-E3@ec.europa.eu

The Data Protection Officer (DPO) of the Commission

You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.

The European Data Protection Supervisor (EDPS)

You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor (edps@edps.europa.eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.

Where can you find out more details?  

The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him. You may access the register via the following link: http://ec.europa.eu/dpo-register.

This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-01406