Personal Data Protection

The processing of personal data in the Union institutions and bodies like agencies is regulated by Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC 

Scope of the Regulation No. 2018/1725
Art. 2 provide that the Regulation shall apply to the processing of personal data by all Union institutions and bodies.

Processing of personal data
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Personal data
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

The data protection principles

Personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

The controller shall be responsible for, and be able to demonstrate compliance with all of the above principles.

The Data Controller  
‘Controller’ means the Union institution or body or the directorate-general or any other organisational entity which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by a specific Union act, the controller or the specific criteria for its nomination can be provided for by Union law. Union institutions and bodies’ means the Union institutions, bodies, offices and agencies set up by, or on the basis of, the TEU, the TFEU or the Euratom Treaty;

For each processing operation, a Data Controller/Delegated Controller must be identified and prior notice must be given to the Data Protection Officer of the institution.

The Processor
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

The Data Subject
The Data Subject is the person whose personal data are collected, held or processed by the Data Controller.

The Data Protection Officer (DPO)
Each Union institution or body shall designate a data protection officer. Union institutions and bodies may designate a single data protection officer for several of them, taking into account their organisational structure and size.

The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks. The Union institutions and bodies shall publish the contact details of the data protection officer and communicate them to the European Data Protection Supervisor. The Union institutions and bodies shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. The DPO in EMSA is Radostina Nedeva-Magerlein.
The DPO can be contacted at

In some institutions (including EMSA) there are also DPCs (data protection coordinators).

European Data Protection Supervisor (EDPS) is an independent supervisory authority established in accordance with Regulation (EC) 45/2001, later amended by Regulation 2018/1725. With respect to the processing of personal data, the EDPS is responsible for ensuring that the fundamental rights and freedoms of natural persons, and in particular their right to privacy, are respected by the Union institutions and bodies. The EDPS is also responsible for advising Union institutions and bodies and Data Subjects on all matters concerning the processing of personal data.

Data Subjects Rights

1. Right to transparency
The data controller must use clear and plain language when informing you about how your personal data will be processed. The information must be clear, concise and transparent, and it must be provided to you in an easily accessible format.

2. Right to be informed
You have the right to be informed, for example, about the fact that your data has been processed, the purpose for which it was processed and the identity of the controller.

3. Right to access
You have the right to receive information from an EU institution on whether your personal data is being processed by them, the purpose of this processing operation, the categories of data concerned and the recipients to whom your data are disclosed, as well as the right to access this personal data, processed by the EU institution.

4. Right to rectification
If your data is inaccurate or incomplete, you have the right to rectify it.

5. Right to restrict the processing
Under certain circumstances, such as if you contest the accuracy of the processed data or if you are not sure if your data is lawfully processed, you can ask the controller to restrict the data processing.

6. Right to data portability
This right allows you to obtain the data that the controller holds on you and to transfer it from one controller to another. Where technically possible, the controller has to do the work for you.

7. Right not to be subject to automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which results in legal consequences for you or significantly affects you in a similar way.

8. Right to object
You can object, on compelling legitimate grounds, to the processing of data relating to you.


For the safety and security of its buildings, assets, staff and visitors, the European Maritime Safety Agency (the Agency) operates a video-surveillance system. The purpose of the video surveillance system is the reduction and prevention of security incidents. The system helps to ensure the security of the buildings, the safety of staff and visitors, as well as property and information located or stored on the premises, by means of controlling access to the Agency buildings in compliance with Regulation(EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC and the applicable Portuguese legislation as well as the European Data Protection Supervisor (EDPS) Guidelines.

The video surveillance system, which operates through a CCTV camera system, complements other physical security measures, such as access control systems and physical intrusion control systems. It forms part of all the security measures taken within the Agency and helps to prevent, deter, and if necessary, investigate unauthorised physical access, including unauthorised access to secure premises and protected rooms, ICT infrastructure, or operational information. In addition, video surveillance helps to prevent, detect and investigate theft of equipment or assets owned by the Agency, visitors or staff, or threats to the safety of personnel working at the offices (e.g. fire, physical assault).

More Info