European Cybersecurity Competence Centre and Network

ECCC Website Data Protection Section

The rights to privacy and data protection are fundamental rights, set out in articles 7 and 8 of the EU Charter of Fundamental Rights.

The ECCC, as an EU Centre, is subject to the Regulation (EU) 2018/1725 (EUDPR) on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies. This Regulation has the same level and types of rules for the protection of personal data as the General Data Protection Regulation (GDPR).


In order to function and meet its tasks and objectives, the ECCC collects and further processes personal data of its staff members, as well as other natural persons in the context of its different activities in the areas of human resources, procurement and finance, corporate services, as well as in the context of the functioning of the ECCC’s governance bodies and tasks.


What is personal data?

Personal data is any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.


Examples of personal data include: names, pictures, contact details, emails, CVs, diplomas, bank account details, transaction information, medical data, judicial & criminal records, CCTV footage, log files, IP addresses, cookies, etc.


How does the ECCC process personal data?

The ECCC processes personal data in accordance with the principles and provisions of Regulation (EU) 2018/1725.

These provisions mandate that personal data shall be:

  • processed lawfully, fairly and in a transparent manner;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
  • accurate and, where necessary, kept up to date (“accuracy”);
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”);
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

The ECCC adheres to its obligations under Regulation (EU) 2018/1725 (EUDPR) and provides for the data subjects' rights under this Regulation. In principle, information as to how your personal data is processed in a given processing activity is explained in a data protection notice that is made available to you. The ECCC also keeps a central register of records of activities processing personal data, which you can access here.

What are my rights under the EUDPR?

  • Right to be informed of any processing of my personal data, including information on the controller, the purpose and the legal basis, the types of data being processed, data recipients, time limits for the processing, as well as possible transfers of personal data to third countries;
  • Right of access to my personal data;
  • Right to rectify (correct) my personal data when inaccurate or incomplete;
  • Right to have my data erased under certain circumstances (e.g. when the data is no longer necessary for the purpose for which they were collected);
  • Right to restrict the processing of personal data under certain circumstances (e.g. when the accuracy of the data is contested);
  • Right to object to the processing of personal data under certain circumstances;
  • Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her.

Restrictions of data subject rights

In certain cases, by virtue of article 25 of Regulation (EU) 2018/1725 and of the Internal Rules laid down under ECCC’s Governing Board Decision 2023/05, one or several of the data subjects' rights may be restricted for a temporary period of time, inter alia on the grounds of prevention, investigation, detection and prosecution of criminal offences or other applicable grounds (as laid down in the Internal Rules). Any such restriction will be limited in time, proportionate and respect the essence of the above-mentioned rights. It will be lifted as soon as the circumstances justifying the restriction are no longer applicable. Data subjects will receive a more specific data protection notice when this period has passed. As a general rule, data subjects will be informed of the principal reasons for a restriction unless this information would cancel the effect of the restriction as such.

Data Protection Officer

The ECCC has appointed a Data Protection Officer who is entrusted with the main task of ensuring, in an independent manner, the internal application of Regulation (EU) 2018/1725. The ECCC’s Data Protection Officer is provided by the European Union Agency for Cybersecurity (ENISA) under a Service Level Agreement signed between the Centre and the Agency.

Data subjects may at any time consult the ECCC Data Protection Officer (ECCC-DPO[at]enisa[dot]europa[dot]eu) or a Controller responsible for a particular data processing operation.

Data subjects have a recourse to the European Data Protection Supervisor (

ECCC Records of processing activities