Personal data protection

This section explains how ECDC manages and protects personal data processed in relation to the use of its website and related e-services. ECDC is committed to user privacy.

All EU institutions, bodies and agencies, including ECDC, are obliged to comply with the data protection law applicable to them: Regulation (EU) 2018/1725. The general policy that applies to the European Union’s institutional website, within the domain, is also applicable to ECDC.

In this section of our website, you will find information on how ECDC processes personal data and on your rights when ECDC processes your personal data. For specific information on cookies, please go here

What is an e-service?

An e-service on this website is a service or resource made available on the Internet in order to improve the communication between citizens and businesses on the one hand and ECDC on the other hand. Three types of e-services are or may be offered by ECDC:

  • Information services that provide users with easy and effective access to information, thus increasing transparency and understanding of the activities of ECDC.
  • Interactive communication services that allow better contacts with ECDC’s target public thus facilitating consultations, and feedback mechanisms, in order to contribute to the shaping of policies, activities and services of ECDC.
  • Transaction services that allow access to all basic forms of transactions with ECDC, e.g. procurement, financial operations, recruitment, event enrolment, etc.

Please note that the ECDC website provides links to third party sites. ECDC has no control over their content and takes no responsibility for their personal data processing operations. We encourage you to review their privacy policies separately.

How is personal data processed by ECDC?

Although you can browse through most of the ECDC website without giving any information about yourself, in some cases personal information is required in order to provide the e-services you request. For each specific e-service, a controller determines the purposes and means of the processing of personal data and ensures conformity of the specific e-service with the applicable legal framework. For the specific information on how your data are processed by ECDC in relation to a particular e-service, please refer to the relevant section of the ECDC website.

In relation to each e-service, the following information will be provided:

  • What information is collected, for what purpose and through which technical means: ECDC collects personal information only to the extent necessary to fulfil a specific purpose. The information will not be re-used for a different purpose.
  • To whom your information is disclosed: ECDC will only disclose information to third parties if that is necessary for the fulfilment of the purpose(s) identified and to the mentioned (categories of) recipients. ECDC will not divulge your personal data for direct marketing purposes.
  • How you can access your information, verify its accuracy and, if necessary, correct it or object to its processing.
  • How long your data is kept: ECDC only keeps the data for the time necessary to fulfil the purpose of collection or further processing.
  • A point of contact if you have queries or complaints: The relevant ECDC Data Controller and also ECDC's Data Protection Officer:

You can also contact the European Data Protection Supervisor at any time – more information on that is provided in the relevant section below.

Some pages on the ECDC website have a link to our contact mailboxes, which activates your e-mail software and invites you to send your comments. When you send such a message, your personal data is collected only to the extent necessary to reply. If the team responsible for managing that mailbox is unable to answer your question, it will forward your e-mail to the appropriate ECDC contact.

If you have any concerns relating to how ECDC processes your personal data, please contact


Pursuant Art. 31 of Regulation EU No. 2018/1725, ECDC is keeping a record of all processing of personal data which is conducted by ECDC.

This register gives you a brief overview of which data are being processed by ECDC, for which purpose, under which legal basis, whom they are shared with and who is responsible of the data processing. Additionally, you can obtain some basic information about the security measure, which we implemented, to keep your data safe from accidental or unlawful destruction, loss, alteration or unauthorised disclosure or access.

See the register of data processing which is being periodically updated.

For certain data processing operations, ECDC has conducted a Data Protection Impact Assessment pursuant to art. 39 of Regulation No 2018/1725. The DPIA for the core function of Microsoft 365 is available here.

If you have further questions concerning processing of your personal data, please do not hesitate to contact ECDC’s data protection officer (

Your rights when we process your personal data

When your personal information is processed by the ECDC you have the right to know about it.

You have the right to access the information and have it rectified without undue delay if it is inaccurate or incomplete. Under certain conditions, you have the right to ask that we delete your personal data or restrict its use. Where applicable, you have the right to object to our processing of your personal data, on grounds relating to your particular situation, at any time, and the right to data portability (the right to have your data transmitted elsewhere in a readable format).

We will consider your request, take a decision and communicate it to you without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary.

You can request that we communicate, as possible, any changes to your personal data to other parties to whom your data have been disclosed.

You have also the right not to be subject to automated decisions (made solely by machines) affecting you, as defined by law.

Restrictions to data subject rights might apply in accordance to the internal rules concerning restrictions of certain rights of data subjects.

The European Data Protection Supervisor

You have the right to contact and have recourse to the European Data Protection Supervisor (EDPS). The EDPS is an independent supervisory authority established in accordance with Regulation (EC) No 2018/1725. With regard to the processing of personal data by institutions, the EDPS has to ensure that the fundamental rights and freedoms of individuals are respected. The EDPS works closely with EU institutions, advising them on all matters relating to the processing of personal data, which includes issuing opinions, guidance and recommendations to support institutions’ data protection efforts.

Website of the European Data Protection Supervisor (EDPS)

Your rights in relation to your personal data are stated in Articles 17 to 24 of Regulation (EU) 2018/1725.

How to exercise your data protection rights at the ECDC

If ECDC is processing your personal data and you would like to exercise your data protection rights, please send us a written enquiry.

In principle, we cannot accept verbal enquiries (telephone or face-to-face) as we may not be able to deal with your request immediately without first analysing it and reliably identifying you.

You can send your request to ECDC by post or email our Data Protection Officer on

Your request should contain a detailed, accurate description of the personal data you want access to.

You must provide a copy of an identification document to confirm your identity, for example, an ID card or passport. The document should contain an identification number, country of issue, period of validity, your name, address and date of birth.

Any other data contained in the copy of the identification document such as a photo or any personal characteristics, may be blacked out.

Our use of the information on your identification document is strictly limited: we will only use the data to verify your identity and will not store them for longer than needed for this purpose.

Terms and condition for the Media Request Log

The Media Request Log (MRL) is an automated request form intended for members of the press and other media entitiies who send requests to the ECDC press team

Data requestors provide through the MRL are covered by the media request log privacy statement.

Information regarding social media monitoring for epidemic intelligence activities through epitweetr

ECDC processes personal data to collect information and data about public health threats from communicable diseases. Processing includes monitoring information and data uploaded on social media through the tool epitweetr, for epidemic intelligence activities including early detection of public health threats. See the privacy statement for epitweetr.

Information regarding processing of personal data for the analysis of pathogen genome data

ECDC accesses and processes data from the GISAID EpiCov and EpiFlu databases as well as the COVID-19 data portal for the purpose of detecting new pathogen variants and for following world-wide trends for known variants for epidemiological surveillance purposes. This includes processing pseudonymised personal data. You can find more information in the privacy statement for the analysis of pathogen genome data.  

Information regarding processing of personal data in the context of vaccine effectiveness related studies

ECDC is data controller for a processing operation aiming at the collection of personal data allowing the evaluation of the effect of vaccines including against COVID-19 and the impact of vaccination programmes. You can find more information in the privacy statement on vaccine effectiveness studies. For this processing operation, a data protection impact assessment has been conducted.

Information regarding the use of Cisco WebEx for virtual meetings with external parties

ECDC uses Cisco WebEx for virtual meetings with external parties. You can find information regarding how your personal data is processed by ECDC in the WebEx privacy statement. You can find further information regarding how Cisco processes personal data on the Cisco Online privacy statement.

Page last updated 10 Jan 2022