ACER is highly committed in processing personal data in a lawful way.
The Agency processes personal data collected according to the provisions of Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.
ACER only processes personal data for the performance of tasks carried out in the public interest in accordance with European Union law or whilst legitimately exercising the official authority vested to the Agency. Furthermore, the processing of personal data is lawful as a part of a legal or contractual obligation or when the data subject concerned has given his or her unambiguous consent.
The Agency will not process personal data for marketing or commercial purposes.
The Agency's supervisory authority, in terms of processing personal data, is the European Data Protection Supervisor (EDPS). The EDPS is responsible for the monitoring of European Union institutions, agencies and bodies and their compliance with data protection rules, ensuring that the rights to privacy and data protection are respected.
Data Protection Officer
The Agency appointed a Data Protection Officer (DPO) to ensure, in an independent manner, the internal application of data protection requirements.
The DPO's main functions are to:
- Inform data controllers and individuals regarding their obligations and rights pursuant to Regulation (EU) 2018/1725,
- Cooperate and consult with the EDPS,
- Ensure the transparency of Agency's processing operations. The DPO keeps a register of all personal data processing operations performed at the Agency,
- Advise on lawful processing of personal data, ensuring that data controllers respect the rights to privacy and data protection in the course of their work,
- Provide recommendations, develop guidelines to enhance good practice, organise training and awareness session for Agency' staff,
- Support the data subjects on the exercise of their rights,
- Provide advice with regards to data protection related breaches,
- Ensure in an independent manner the internal application of the Regulation (EU) 2018/1725.
ACER has the legal obligation to keep a register of all personal data processing operations which have been notified to the Data Protection Officer (DPO). The register aims at ensuring transparency to the public and it is accessible to any interested person. The register contains the following information:
- The Agency's department processing personal data,
- Name of the processing operation,
- Purpose of the processing operation.
ACER processes any individual's personal data in compliance with the Regulation (EC) No 1725/2018.
The data privacy notices (DPN) describe the Agency's policies and practices regarding collection and use of personal data on different operations:
- Staff Administration: covering any processing activities ACER may carry out on data related to staff members, trainees, SNEs and interim staff.
- Interactions with Stakeholders: covering any contact persons within NRAs, energy market participants, organised marketplaces and other stakeholders the Agency may engage within the context of meetings, questionnaires, requests for feedback, roundtables, working groups, etc.
- ARIS and CMT: covering any processing activities undergone on the REMIT Portal, including applications and platforms made available on the REMIT Portal.
- Financial Management: covering any processing related to data of anyone entering into financial relationships / transactions with ACER, including other activities connected with the financial and budgetary management.
- ACER In-Person Events: covering any processing activities related to the organisation of ACER in-person events.
- ACER External Events and Online Webinars: covering any processing activities related to ACER online meetings and events.
- Meetings with ACER Director: covering the disclosure of information on individuals (self-employed or representing organisations) meeting with the Director.
- Recruitment and Selection: covering the data processing on applicants and candidates to traineeship programmes, staff positions or assignments.
- Procurement and Contract Management: covering the data processing on tenderers and contractors concerning procurement procedures.
- ACER Offices: covering any processing operations on persons physically present at the Agency's premises (access control, CCTV and Wi-Fi).
- Electricity and Gas Information System (AEGIS) : covering any processing activities undergone on the AEGIS Portal, including applications and platforms made available therein.
- Board of Appeal: covering any processing activities carried out in the context of proceedings before the Agency's Board of Appeal.
- RVT Requirements: covering processing of personal information in connection with the checks of adequate proof of COVID-19 recovery, vaccination or testing carried out when accessing ACER premises.
- EU-Sign services: covering how and why EU Sign processes, collects, handles and ensures protection of personal data provided and what rights can be exercised.