Protection of Your Personal Data
This privacy statement provides information about the processing and the protection of your personal data.
Processing operation: TRACES NT - EUDR - Information system [platform] for managing and tracking the life cycle of Due Diligence Statements to ensure that operators and traders placing and making available relevant products on the market or exporting them comply with the Deforestation Regulation
Data Controller: Directorate General Environment, Unit ENV.F1 - Planetary Common Goods, Universal Values & Environmental Security
Record reference: DPR-EC-30169
Table of Contents
- Introduction
- Why and how do we process your personal data?
- On what legal ground(s) do we process your personal data?
- Which personal data do we collect and further process?
- How long do we keep your personal data?
- How do we protect and safeguard your personal data?
- Who has access to your personal data and to whom is it disclosed?
- What are your rights and how can you exercise them?
- Contact information
- Where to find more detailed information?
1. Introduction
The European Commission (hereafter ‘the Commission’) is committed to protect your personal data and to respect your privacy. The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (repealing Regulation (EC) No 45/2001).
This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor.
The information in relation to processing operation TRACES NT - EUDR - Information system [platform] for managing and tracking the life cycle of Due Diligence Statements to ensure that operators and traders placing relevant products on the market or exporting them comply with the Deforestation Regulation undertaken by Directorate-General for Environment, Unit ENV.F1 - Planetary Common Goods, Universal Values & Environmental Security, which has determined the purpose[s] and the means of the processing of personal data is presented below.
2. Why and how do we process your personal data?
Purpose of the processing operation: DG ENV.F1 (referred to hereafter as Data Controller) collects and uses your personal information to ensure proper communication, and to keep a history of the data provided and an audit trail of the actions performed in the system. Data subjects have to provide certain data in order to register, gain access and perform operations.
Data subjects connected to the web applications have to create an ECAS account (EU Login), where they need to insert their personal details and data. Their data will be used and processed in the web application for the performance of the operations relevant to EUDR.
Data subjects can manage, modify and update the personal data that they provide. The purpose of the personal data processing is the performance of the operations relevant to EUDR in relation to the relevant products that are being placed on the market or exported from the EU.
More particularly, the processing of data aims to ensure that all the procedures relevant to the performance of the operations relevant to EUDR will be properly recorded in the system to ensure that operators and traders making available relevant products on the market or exporting them comply with the Deforestation Regulation.
Your personal data will not be used for automated decision-making, including profiling.
3. On what legal ground(s) do we process your personal data?
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
The legal basis for the data processing is:
TRACES NT-EUDR is an Information system [platform] aimed at facilitating the implementation of Regulation (EU) 2023/1115 of the European Parliament and of the Council, on the establishment of a Due Diligence scheme for placing on, making available on, or exporting from the Union market certain commodities and products associated with deforestation and forest degradation.
Based on Article 33 of Regulation (EU) 2023/1115, the EUDR provides a platform of reference for automated sharing of Due Diligence Statements information amongst Member State Competent Authorities and other stakeholders in line with respective rights and obligations under Regulation (EU) 2023/1115.
4. Which personal data do we collect and further process?
In general, information is collected about the policy domain (Due diligence statements) rather than individuals. Concerning individuals, data collected includes information of people in Competent Authorities and Customs offices as well as people who are or work for companies that are operators and traders. These Information System users are identified by individual registration within EU Login, the user authentication service of the European Commission.
The following categories of personal data are requested from the Information System user in order to register and to sign into the Information System through ECAS and SAAS (authentication and authorisation systems – EU Login), and consequently processed for the performance of the operations relevant to EUDR:
- first name;
- surname;
- email address;
- phone number;
- Country of residence or country of registered office;
- Postal address.
According to Article 12(5) of the Implementing Regulation (EU) 2024/3084 the Information System shall store the personal data contained in Due Diligence Statements as of the date of the submission of the Due Diligence Statement to the Information System.
The following personal data are processed:
Economic operators and traders: the data collected include the
- operator's and trader's name, address and contact details.
Users attached to these operators and traders have to indicate their personal details:
- (a) identification data: first name and surname, unique identifier including the EORI number, if applicable;
- (b) professional contact details: email and postal address, country of residence or country of registered office, phone number and fax number, if applicable;
- (c) data on geolocation, where individuals can be identified;
- (d) user authentication and access data to access the Information System: IP address and user name.
- (a) identification data: first name and surname,
- (b) professional contact details: email and postal address, country of residence or country of registered office, position, phone number and fax number, if applicable;
- (e) user authentication and access data to access the Information System: IP address and user name.
5. How long do we keep your personal data?
The Information System should not store the data including the personal data submitted by the Information System users in a form which permits identification of data subjects longer than strictly necessary for the purposes for which the personal data are processed. This period should be five years from the date the Due Diligence Statement is submitted through the information system in accordance with the record keeping obligations of operators and traders pursuant to Article 4(3) and Article 5(4) of Regulation (EU) 2023/1115. According to Article 12(5) of the Implementing Regulation (EU) 2024/3084, a 10-year retention period is set from the date the Due Diligence Statement is submitted through the information system. The retention period can be extended upon an individual and reasoned request.
User authentication and access data to access the Information System (IP address and user name) are kept until they are changed by the user or the account is terminated.
6. How do we protect and safeguard your personal data?
Personal data in electronic format (e-mails, Due diligence statements, uploaded batches of data, etc.) are stored either on the servers of the Commission or of its contractors. All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.
The access to the system is protected by an EU Login account and its password. Users are only granted access to data concerning their own account or to general information. There are two access levels available:
- Regular Information System user [Competent Authorities, Customs offices, operators and traders]
- Administrators in DG SANTE (for technical administration) or DG ENV (Commission staff or under external contract with the Commission). Administrators from DG ENV have access to data concerning all accounts.
The Regulation foresees that every operator, trader and competent authority shall have access to data, information or Due diligence statements that are handled, produced or transmitted under their area of responsibility. Therefore, every user in TRACES NT - EUDR - Information System is allowed to have access to data that are directly relevant to the operations they perform within the system.
Where personal data is processed in the operation of the Information System for the purpose of fulfilling obligations and tasks under Regulation (EU) 2023/1115, operators and traders, and if applicable, their authorised representatives, competent authorities, and customs authorities should be data controllers within the meaning of the General Data Protection Regulation (Regulation (EU) 2016/679) for the processing activities they carry out.
In order to protect personal data, the Commission has put in place a number of technical measures including appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.
7. Who has access to your personal data and to whom is it disclosed?
Access to your personal data is provided to the Commission staff responsible for carrying out this processing operation and to authorised staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements.
Your information is shared (read-only) between the Commission staff and the information system users in the same company.
The Commission and in particular the Data Controller cannot be held responsible for the use and processing of the information that may be made by persons who do not belong to the Commission.
Information system users shall own and be responsible for the data, information and assessments under their responsibility which they have inserted or produced through the registration process or operations relevant to EUDR.
Staff in Directorate General Environment, Unit ENV.F1 - Planetary Common Goods, Universal Values & Environmental Security who have access to all collected personal data and have the possibility to modify them upon request are:
* the Data Controller, identified officials in the unit in charge of the EUDR, identified officials in the IT sector in charge of the technical assistance to the units.
The recipients of the data can be distinguished as indicated below:
Recipients within the EU organization:
Access to your personal data is provided to the Commission staff responsible for carrying out this processing operation and to authorised staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements.
Recipients outside the EU organization:
- EU Member States competent authorities (in order to overview and manage the information, data and relevant documents that are exchanged under their area of responsibility);
- EU and non-EU economic operators and traders – (access to data relevant to their area of activity and their national competent authorities);
- Customs authorities - (access to relevant data, documents and information exchanged and transmitted into EUDR for monitoring purposes).
Members of each category of the above recipients have access to the relevant data and information which directly concern them, and which is under their area of direct responsibility within EUDR.
The controller will transfer your personal data to the following recipients to an international organisation in accordance with Regulation (EU) 2018/1725 to the extent and for the purpose that it may be required to do so by law:
- Europol - in the context of investigations against fraud cases.
- Interpol - in the context of investigations against fraud cases.
The controller will transfer your personal data based on:
- The Commission's adequacy decision (Article 47 of Regulation (EU) 2018/1725) for cases of non-EU countries where such decision applies.
- A derogation (Article 50(1)(d) of Regulation (EU) 2018/1725) since the transfer is necessary for important reasons of public interest.
8. What are your rights and how can you exercise them?
You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access, rectify or erase your personal data and the right to restrict the processing of your personal data. Where applicable, you also have the right to object to the processing or the right to data portability.
According to Regulation (EU) 2018/1725, you are entitled to access your personal data directly and to modify it if the data is inaccurate or incomplete.
Any personal data collected at Member State level is subject to Regulation (EU) 2016/679.
Officials of the Commission who have administrator rights can verify the personal data and enable/disable access to the system. If an account is terminated, the account is not removed but its corresponding personal data is anonymized.
You can exercise your rights by contacting the Data Controller, or in case of conflict the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.
Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under Heading 10 below) in your request.
9. Contact information
* The Data Controller
If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller:
European Commission
Directorate General Environment,
Unit ENV.F1 - Planetary Common Goods, Universal Values & Environmental Security
Rue de la Loi 200
B - 1049 Brussels
Belgium
E-mail(s): ENV-DEFORESTATION@ec.europa.eu
* The Data Protection Officer (DPO) of the Commission
You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.
* The European Data Protection Supervisor (EDPS)
You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor (edps@edps.europa.eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.
10. Where to find more detailed information?
The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him. You may access the register via the following link: http://ec.europa.eu/dpo-register.
This specific processing operation has been included in the DPO’s public register (Record reference DPR-EC-30169).