On the personal data processed by Microsoft Dynamics Customer Relationship Management (SRM) software implemented at the European Union Agency for Railways (the Agency).
This Privacy Statement concerns personal data processed in the Agency’s Microsoft Dynamics Customer Relationship Management (SRM) software.
Regulation (EC) 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data[1] gives data subjects, i.e. contacts or subscribers registered within Microsoft Dynamics SRM, the right to obtain certain information about the processing of personal data and the right to access and to rectify their personal data.
What is the purpose of the collection of personal data?
The SRM is used to:
- facilitate contacts, consultation, review of work progress, as well as exchange of information and ideas between the Agency and its related stakeholders, and
- manage and organise events, meetings or other activities, including but not limited to: lists for contacts, invitations, distribution of documents, information sharing, surveys, feedback on documents, follow-up actions, and
- manage Extranet workspaces and Agency registers access, and
- inform about the Agency’s activities and to disseminate the European idea.
Data collected in the SRM relate to contact information of corporate relevance.
Who are the data subjects?
- All stakeholders of the Agency
- These stakeholders can be both internal (e.g. Agency staff) and external (e.g. railway actors, EU institutions, suppliers, etc.)
Who is the data controller of SRM?
The Head of Corporate Management and Evaluation Unit is the Data Controller and may be contacted by using the contact details specified below:
Head of Corporate Management and Evaluation Unit
European Union Agency for Railways
120 rue Marc Lefrancq,
FR-59307 Valenciennes, France
What personal data are collected?
- The following personal data are collected:
Contact details include: First Name, Middle Name, Last Name, User Name, Job Title, Organisation/Company Name, E-Mail Address(es), Phone(s), Gender, Title, Country, Address, picture, Domain Name, Equivalent User
Data subjects are classified in stakeholder categories, companies/organisations, workgroups and marketing lists.
- The Agency and the Data Subject can add information on event participation, subscription and contact preferences.
- The Agency can add information about a contact’s interest areas (Topics), notes, activities and posts and can make connections with other contacts e.g. indicating a hierarchical relationship or a substitute.
- The Agency’s SRM system has an integrated Outlook client which means that the content of emails can be viewed or stored in the SRM system.
- Communications made via the SRM tool also allow the frequency of the Data Subject's interactions with the system (e.g. registration for conferences, etc.) to be scored.
- By working through SRM, the Agency and the data subject are able to build up a profile as indicated above and this can be further enhanced through the use of website cookies.
How are my data processed by SRM?
- Contact details are either entered into the SRM system manually by an Agency staff member or by the data subject him/herself.
- Data have been gathered from various sources, e.g. publicly available lists such as those relating to Members of the European Parliament, European Commission officials, etc., and are also gathered through direct contact with an Agency staff member, whether by email, telephone, business card or face-to-face meeting.
- Where a new contact is entered into the SRM, s/he will receive an email to indicate that the Agency entered his/her data in the SRM. This email provides a hyperlink to update his/her data, to subscribe/unsubscribe to the newsletter, and the possibility to request the unsubscription.
- The contact can be included in lists for the provision of targeted Agency information, or for sending invitations to conferences, etc.
- If you do not want to be included in the SRM database, you can unsubscribe at any time by writing to firstname.lastname@example.org. All emails provide a link to the data protection policy in this area.
- Stakeholder contacts are under constant review to ensure accuracy of data.
- All stakeholders are requested to update their data themselves on an annual basis.
- The stakeholders can review their data each time the Agency contacts them using the SRM.
What is the legal basis of this processing?
The legal basis for this processing operation is to be found in the Agency’s Communication Plan 2017, adopted by Decision No. 150 of its Management Board on the basis of art. 39 of the new Agency Regulation[2]. The SRM tool forms part of the actions which have to be undertaken by the Agency in the context of the above-mentioned communication strategy with a view to facilitating and making more effective the Agency’s engagement with the stakeholders.
Consequently, the relevant processing operation is lawful under art. 5(a) of Regulation (EC) 45/2001.
Who has access to your personal data and to whom is it disclosed?
Personal data can be accessed by the Data Subject (for his/her own data only), Agency staff members and external contractors (covered by non-disclosure agreement) via the SRM.
Data records that are no longer accurate (e.g. wrong email address) are disabled.
The SRM is used to develop the Agency’s mailing lists for dissemination. Other EU Agencies or bodies may request to use the Agency’s mailing list. To do so, they must first submit a request to the Agency. The mailing list will be shared with the EU institution or body which made the request provided that the necessity of the transfer of the data is established, i.e. that the data to be transferred are necessary for the legitimate performance of the tasks covered by the competence of the recipient EU institution or body.
From time to time, in order to validate data in the SRM or in relation to particular campaigns (e.g. user satisfaction surveys carried out on behalf of the Agency or focus groups), contact details (name, emails, addresses) may be transferred to third parties provided that an adequate level of protection within the meaning of art. 9 of Regulation (EC) 45/2001 is ensured, in particular where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of the data subjects concerned, which might result, among others, from the use of appropriate contractual clauses.
How long are your personal data kept?
The data will be stored in the SRM until the Data Subject requests their removal and for as long as follow-up actions linked to the above-mentioned purpose (annual communication plan) are necessary.
How are my data stored?
Personal data are stored on servers located at the Agency’s ICT on-site systems.
What are your rights as a data subject?
A data subject can access his/her personal data, rectify any data that is inaccurate or incomplete and request to delete them by sending an email to email@example.com. He/She can also access his/her data directly on the SRM via his/her log-in and password, modify his/her data and subscribe/unsubscribe to the newsletter.
For any remarks and/or complaints regarding the processing of your personal data, you may contact the Data Protection Officer of the Agency by sending an e-mail to firstname.lastname@example.org.
You may also exercise, at any time, the right of recourse to the European Data Protection Supervisor (EDPS) by using the following address: email@example.com
[1] OJ L 8, 12.1.2001, p. 1-22.
[2] Regulation (EU) 2016/796 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Railways and repealing Regulation (EC) No. 881/2004, OJ L 138, 26.5.2016, p. 1-43.