Skip to main content

Privacy notice - Public Access Requests

For the purpose of processing public access requests, the EPPO must process personal data of the applicants, and the process is not possible without this. The EPPO processes the personal data submitted by the applicants in their requests and contained in communication related thereto. Additionally, data will be processed when identifying, assessing and communicating the documents to which access is sought. This notice aims to provide you with an overview of how the EPPO processes the personal data collected for the outlined purposes, the existence of your rights as well as how to exercise them.


1. Purpose & Legal Basis

The purpose of this processing operation is to process the request for public access in line with the legal obligations as outlined below, and decide whether und to what extent EPPO may grant access to documents requested by you as the applicant, and to provide such access. The processing is necessary for compliance with a legal obligation to which the controller is subject, specifically Article 109 of the EPPO Regulation (Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’) (OJ L 283, 31.10.2017, p. 1)) in conjunction with Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43), as well as the EPPO College Decision 008/2020 of 21 October 2020 laying down rules on public access to documents of the EPPO.

Personal data will be processed and stored in line with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 (OJ L 295, 21.11.2018, p. 39). Such data will be processed only for the purpose of dealing with the request made, and consequences deriving therefrom, such as subsequent complaints and legal remedies, but also audit, reporting and compliance aspects, as well as statistical reporting. Regarding the statistical processing, data will be anonymized as soon as it is no longer required for the other purposes.


2. Identity of the Controller & Contact Details

The controller is the EPPO, and this process is coordinated by the Legal Service sector. Contact to the Head of the Legal Service can be made by email to EPPO-PublicAccess (at), or by mail marked for attention of the Head of the Legal Service, EPPO, 11, Avenue John F. Kennedy, 1855 Luxembourg.


3. Contact Details of Data Protection Officer

The Data Protection Officer (DPO) can be reached by email to EPPO-DPO (at), or by mail marked for the attention of the DPO, to EPPO, 11, Avenue John F. Kennedy, 1855 Luxembourg.


4. Who else may be recipients of the personal data

Internally within EPPO, the request will be shared in case of consultations being required with other units, or in cases of confirmatory applications. In general, however this will not include the applicant’s personal data, albeit this may occur on occasion.

In case of the need to consult with external parties as per the consultation obligations under Regulation 2001/1049, also here personal data of the applicant will only be shared, in case exceptionally necessary in the respective circumstances. In cases of complaints, legal proceedings, etc., this may also involve the transfer to external parties, such as external audit bodies, legal counsel, etc.


5. Transfers to third countries and / or International Organisations

Potentially, in case of the need to consult with the provider/owner of the underlying document in line with the consultation requirements, such transfers may occur. However, in case there is such an exceptional need to include the personal data when exercising the consultation obligation, the DPO will be consulted on the necessity and the existence of appropriate safeguards existing to allow such a transfer.


6. How long will the personal data be stored

The personal data collected for this process will be stored for no longer than 2 (two) years from the date of completion of the request, for auditing and reporting purposes, and will thereafter be anonymized and maintained for statistical processing. In case of exceptional circumstances, such as subsequent legal appeals, the storage period will be extended to the extent necessary for the purpose in that case.


7. Right to request access, rectification, erasure, restriction or objection

You have the right at any time to request access to, rectification, object to or request restriction of processing, and / or erasure of your personal data. To exercise these rights, request assistance in their exercise or questions thereto, or file a complaint, you may contact the data controller (see 2.), or the Data Protection Officer of the EPPO (see 3.), or exercise your rights through the European Data Protection Supervisor (see 8.).


8. Complaint to the European Data Protection Supervisor

You also have the right to address yourself to the European Data Protection Supervisor to lodge a complaint or to exercise your rights through them. The European Data Protection Supervisor can be contacted by email to EDPS (at), or by post to EDPS, Rue Wiertz 60, B-1047 Brussels.


9. Mandatory Nature of provision of personal data

The provision and processing by the EPPO of your personal data is mandatory to take part in the process. Should you not provide your personal data, it will not be possible to lodge, register or make a decision on your public access application.


10. Automated Decision Making

There is no automated decision making involved in this process.


Last Update: August 2021