1. Controller
This data protection statement provides information regarding the purpose of the processing carried out by the Civil Society Unit of the Secretariat General of the European Investment Bank, hereafter the “EIB” or “we”, in the course of processing requests for internal review of administrative acts under Regulation (EC) No 1367/2006 of 6 September 2006 as amended (“Aarhus Regulation”).
In the course of this activity the processing of personal data does not involve automated decision-making, including profiling.
2. Purpose of the processing
This data protection statement provides information regarding the purpose of the processing carried out by the EIB in the course of processing requests for internal review of administrative acts under the Aarhus Regulation. The EIB performs tasks in the exercise of the authority vested in it in accordance with the provisions of the Treaties and its Statute.
The EIB processes your personal data as reasonably necessary so that it can conduct and manage internal reviews of administrative acts, in a reasonable and proper manner, in accordance with applicable laws and regulations. Personal data are processed in accordance with Regulation (EC) 2018/1725 of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (hereafter, the EU DPR).
Specifically, the EIB processes the personal data for the below purposes as described in the record:
Non-governmental organisations that meet certain criteria, as well as (groups of) members of the public fulfilling certain requirements may, under the conditions set out in the Aarhus Regulation, request the EIB to carry out an internal review of its administrative acts or omissions on the grounds that such an act or omission contravenes provisions of environmental law. Requesters may transmit personal data to the EIB when requesting such an internal review. Processing is necessary so that the EIB can consider and process requests for internal review, in particular to assess their admissibility.
3. Legal Basis of the processing
The legal basis for the processing of personal data in the course of processing requests for internal review of administrative acts is: Legal Obligation (the Aarhus Regulation) and the public interest.
4. Categories of data subjects
The following categories of individuals (data subjects) may be concerned by the processing under section 2: the person or persons submitting the request for internal review; the members of the public on whose behalf the request is made; other persons whose personal data may be contained in the request to the EIB.
5. What personal data do we process?
The EIB processes the following categories of personal data: the names, contact details and other personal data of the person or persons submitting the request for internal review; personal data of the members of the public on whose behalf the request is made; and other personal data that may be contained in the request to the EIB. Requests for internal review, as well as all final decisions on those requests, are published as per the Aarhus Regulation. The personal data contained in the requests are omitted.
6. Where do we obtain your personal data?
The EIB may obtain personal data directly from the requester. It may collect some information about the requester or the persons represented by the requester from publicly available sources.
7. To whom is your data disclosed?
We may disclose personal data about you to the following recipients:
- internally, to the relevant EIB services and/or EIB governing and controlling bodies,
- our legal advisors,
- the European Investment Fund and other EU institutions (including the European Commission, and the European Court of Auditors, OLAF or EPPO),
- third-party entities having a business relationship with the EIB on a need-to-know basis.
8. International Transfers
Your data are not transferred to entities established outside the EU or the European Economic Area.
9. How long do we keep your personal data?
We keep your data for the purposes described in this statement for three years following the EIB’s final decision on a request for internal review or, in case of subsequent judicial or administrative proceedings, for three years after the definitive conclusion of these proceedings or the issuance of a new decision, whichever is the later.
10. What are your rights and how can you exercise them?
Your rights are set out in sections 3 to 5 of the EU DPR.
- You have the right to obtain from the controller confirmation as to whether or not your personal data are being processed, and, if so, to access your personal data by contacting the Controller or through the EIB DPO (right of access);
- You have the right to request the controller to rectify any inaccurate data and/or have incomplete personal data completed (right to rectification);
- You have the right to request the controller to erase your personal data as per Article 19 of the EU DPR (right to be forgotten);
- You have the right to request the controller to restrict the processing of your personal data in the following cases (right to restriction of processing):
  - (i) if you contest the accuracy of your data;
  - (ii) if the processing of the data is unlawful and you oppose their erasure;
  - (iii) if the controller no longer needs the personal data referred to for the purposes of the processing but you require them for the establishment, exercise or defence of legal claims; or
  - (iv) if you have objected to the processing of your data and the EIB seeks to establish whether the controller has legitimate grounds overriding your right to restriction.
- You have the right to object to the processing of personal data, on grounds relating to your particular situation, unless the EIB demonstrates compelling legitimate grounds for the processing or for the establishment, exercise or defence of legal claims;
- You have the right to receive your personal data from the EIB in a structured, commonly used and machine-readable format to allow you to transmit your data to another controller without hindrance from the EIB (right to data portability);
- When the legal basis of the processing is consent, the data subject has the right to withdraw his/her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
- You have the right to lodge a complaint with the European Data Protection Supervisor (www.edps.europa.eu) at any time (right to lodge a complaint).
11. Contact us
If you have any questions about our processing of your personal data, or wish to exercise any of the rights described above, please contact us: info@eib.org or the EIB’s Data Protection Officer, Mr. Pelopidas Donos, by email at p.donos@eib.org or at the following address:
Mr. Pelopidas Donos
European Investment Bank
98-100 Boulevard Konrad Adenauer
L-2950 Luxembourg (Grand Duchy of Luxembourg)