Data Protection

The protection of your privacy, including your personal data, is of great importance to the European Union Naval Force Somalia – Operation Atalanta (EU NAVFOR), hereinafter EU NAVFOR.

Privacy and data protection have become increasingly crucial in our everyday life, both in private and at work. The rights to privacy and data protection have long been recognised as fundamental rights, set out in Articles 7 and 8 of the EU Charter of Fundamental Rights. There is a specific legislative act renewed for the institutions, bodies, offices and agencies of the European Union (Regulation (EU) 2018/1725) that also applies to the EU NAVFOR when processing personal data. The revised legal framework intends to guarantee a high level of data protection when it comes to collecting and storing personal data for the benefit of Union citizens, EU institution staff and of our partners in the world. It entered into force the same year and is harmonised with the principles of the General Data Protection Regulation (the GDPR) which is applicable for Member States' authorities, the private sector and civil society organisations.

To meet its obligations to EU citizens and to any individual, the EU NAVFOR frequently needs to collect, process and keep personal data, such as names, functions, office addresses, phone numbers, photos or other data, including specific information about people in the context of an EU NAVFOR activity, including security, defence and crisis response, public diplomacy, development cooperation as well as HR management, IT applications, conference, meeting and event organisation, budget or other administrative procedures and procurements.


What is personal data?

Personal data is information relating to you or any identified or identifiable natural person stored or displayed in a way that would directly or indirectly identify an individual. Examples include the name, photo, birth date, ID number, even the phone number or e-mail address, but also characteristics if linked to the person and data about behaviour, travel or shopping habits, profiles also on social media platforms.


How does the EU NAVFOR process your personal data?

Your personal data is processed in accordance with Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, which entered into force on 11 December 2018 and is aligned with the provisions of Regulation (EU) 2016/679, the GDPR. The EU NAVFOR aims at implementing data protection fully in line with the standards set out in the renewed legislative framework using flexible privacy friendly tools with appropriate measures achieving compliance.

These rules provide a legal framework and ensure that your data are:

  • processed fairly, lawfully and in a transparent manner
  • collected for specified, explicit and legitimate purposes and not further processed for any incompatible purpose
  • adequate, relevant and limited to what is necessary
  • accurate and kept up to date enabling inaccurate or incomplete data to be corrected or erased
  • kept for no longer than necessary
  • processed securely including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
  • not transferred to third parties without adequate safeguards
  • processed in a way that you can exercise your rights as a data subject

Each directorate, division and service within the EU NAVFOR, EEAS and all EU Delegations are required to collect, handle and keep data identifying individuals according to the rights and obligations laid down in the data protection legal framework. The EEAS Data Protection Office is consulted when activities involve such collection, transfer or storage of data. All information of a personal nature provided to the EU NAVFOR - namely data which can identify a person directly or indirectly - will be handled with the necessary care.


Data protection in the EEAS

The European Union Naval Force Somalia – Operation Atalanta (EU NAVFOR) website operates under the same terms as the EEAS:

The EU NAVFOR respects the Europe-wide recognised data protection principles for the processing of personal data:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability


These principles are set out in Regulation (EU) 2018/1725, applicable to Union institutions and bodies, as well as in Regulation (EU) 2016/679, the GDPR.

The GDPR harmonises data protection requirements across all EU Member States, enforcing rights for data subjects, which apply extraterritorially to any organisation controlling and processing data of natural persons in the European Union.

For more information on the GDPR:

A functional mailbox has also been set up for specific questions.

Information is available on all Delegations' websites, translated into French, Spanish, Portuguese and Russian and is also accessible on the EEAS website:

Your rights

The EU NAVFOR intends to inform people whose personal data is processed, that means individuals whose data has been collected, handled and eventually kept for a period of time. By means of Privacy Statements or Data Protection Notices, the EU NAVFOR provides information on the processing and on how to exercise individual rights.


You have the right, free of charge:

  • to be informed of any processing of your personal data:
    • who is in charge of the data processing
    • what the purpose and the legal bases are
    • what type of data are being processed
    • who has access to the collected data
    • how long it is kept
    • what logic is used in any automated decision-making process concerning your data
  • to access your data;
  • to correct (rectify) them when inaccurate or incomplete;
  • to have your data erased in certain circumstances (such as when the processing is unlawful or the data is inaccurate), their processing restricted (for example while they are rectified or when a dispute about the lawfulness is to be decided) and to object to the processing of your personal data based on your specific circumstances.

You can find more details on individual rights in Articles 14-24 and 35 of Regulation (EU) 2018/1725.


Exercising your rights

To exercise your rights, you can contact the data controller in charge of the processing of personal data. The functional mailbox of the data controller entity appears on the privacy statement or data protection notice for each data processing activity.

If you cannot find the contact details of the data controller, you can send an e-mail to the EEAS Data Protection Office.

You may lodge a complaint at any time with the European Data Protection Supervisor (EDPS) who acts as an independent supervisory authority for EU institutions and bodies, offices and agencies devoted to protecting personal data and privacy and promoting good practice on the basis of EU Decision 1247/2002/EC on the regulations and general conditions governing the performance of the European Data Protection Supervisor's duties.


European Data Protection Supervisor (EDPS)

As data protection is a fundamental right in the European Union, it also includes the right to supervision by an independent authority.

The EDPS is responsible for ensuring the protection of personal data by the EU institutions, bodies, offices and agencies.


  • supervises and monitors personal data processing activities by the EU administration
  • advises on policies and legislation that affect privacy, providing advice to the EU legislator and may appear before the EU Courts
  • cooperates with other data protection authorities to ensure consistent data protection
  • monitors new technologies with an impact on privacy



Information in the data protection register and privacy statements

The Data Protection Register contains records of personal data processing activities in the EU NAVFOR.

The Register provides general information about each record of personal data processing, similarly to the information included in the Privacy Statement or Data Protection Notice:

  • purpose of the personal data processing
  • controller(s), processor, data protection officer
  • type of data processed
  • types of people concerned
  • how long the data is kept
  • to whom the data is disclosed including any transfers
  • legal basis
  • general security measures

The purpose of the EEAS Data Protection Register is to inform the public about the existence of personal data processing activities. All individuals concerned may exercise their rights recognised by the Regulation (EU) 2018/1725, as described by the information contained in the Register and in the Data Protection Notices, also known as Privacy Statements.

The Register is based on the records submitted by data controllers along with the relevant Privacy Statements and is therefore available only in the language of the record, generally in English. Processing activities that have been prior-checked by the European Data Protection Supervisor under Article 27 of the former data protection Regulation (EC) 45/2001 are available on the webpage about prior-checking opinions of the EDPS.

To be able to comply with the provisions of the revised data protection regulation, the EEAS register goes through a migration process. If you look for a specific processing activity, you may also contact the EEAS Data Protection Officer.

EEAS Data Protection Officer (DPO)

The Data Protection Officer has multiple tasks:

  • supporting and consulting data controllers to demonstrate compliance, record their processes and to prepare privacy statements
  • monitoring compliance with Regulation (EU) 2018/1725 and ensuring that the principles of data protection are applied correctly in the EU NAVFOR
  • raising awareness through events and trainings on data protection for staff and citizens
  • providing advice (guidance and recommendations on individual rights and data controller obligations), in particular about
    • privacy risk assessment
    • reporting of personal data breaches
    • transfers of personal data
  • maintaining the central register of personal data processing activities based on the records prepared by the data controllers
  • investigating matters and incidents on request or on own initiative
  • being an interface between the EEAS, their Delegations and the European Data Protection Supervisor


Mission Statement of the DPO:

The Data Protection Officer ensures the application of the principles of data protection in an independent manner for activities that involve personal data processing by the European External Action Service and the Union Delegations. The EU NAVFOR is committed to applying diligent data protection rules in the activities at all levels, both in Headquarters and in the Delegations.

The DPO provides guidance for data controllers to respect data protection obligations and to inform individuals about their rights with respect to the Regulation (EU) 2018/1725 and how the EU NAVFOR is processing their personal data.

The EEAS DPO is in charge of supporting and advising all services in Headquarters as well as EU Delegations - the data controllers processing personal data - to comply with the data protection provisions in accordance with Regulation (EU) 2018/1725. When helping to implement the data protection requirements laid down in the pertinent legislation, the DPO takes into account the specific needs of EEAS services, and of EU Delegations.

The objective of the DPO, when providing guidance to data controllers, is to facilitate the free movement of information while ensuring the protection of personal data within the EEAS and the legitimate expectation of data subjects that their right to privacy be respected.

The EEAS appoints Data Protection Coordinators and Correspondents (DPC) in the various directorates and divisions of the EEAS Headquarters and in the Union Delegations.


The Data Protection Office comprises and coordinates:

  • Data Protection Officer (DPO)
  • DPC Network of data protection coordinators in Headquarters
  • DPC Network of data protection correspondents in EU Delegations


Data Protection Officer of the EEAS:


You are welcome to contact the EEAS Data Protection Officer via e-mail.

Postal Address:
EEAS Data Protection Officer (DPO)
EEAS Building, 9A Rond-Point Schuman
1046 Brussels

Telephone: +32 584 6235



EEAS Privacy statements (Data Protection Notices)

