Processing operation: Handling complaints under Article 90(2) and requests under Article 90(1) of the Staff Regulations

Data Controller: EPSO

Record reference: DPR-EC-01152.1


  1. Introduction

This privacy statement explains the reasons for the processing of all personal data provided, the way we collect, handle and ensure protection of these data, how that information is used, and what rights you may exercise in relation to your data (the right to access, rectify, erase, etc.).

The European institutions are committed to protecting and respecting your privacy. As this service collects and further processes personal data, Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC [1] applies.

This statement concerns the handling of complaints under Article 90(2) and requests under Article 90(1) of the Staff Regulations. These articles state that:

  • any person to whom these Staff Regulations apply may submit to the appointing authority/AECE, a request that it take a decision relating to him, in accordance with Article 90(1);
  • any person to whom these Staff Regulations apply may submit to the appointing authority/AECE a complaint against an act affecting him adversely, in accordance with Article 90(2).

Personal data for the above-mentioned cases is processed by the European Personnel Selection Office (EPSO).


  2. Why do we process your data?

Purpose of processing: EPSO collects and uses your personal data to process your request or complaint submitted in accordance with Articles 90(1) and (2) of the Staff Regulations. Your personal data will not be further processed in a way that is incompatible with this purpose.

Legality of processing: Article 5(a) of Regulation (EU) 2018/1725 (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body) and (b) (the obligation of the appointing authority/AECE to respond to requests/complaints on the basis of Articles 90, 24 and 22c of the Staff Regulations).

Legal basis for processing:

  • Regulation No 31 (EEC), 11 (EAEC), laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Economic Community and the European Atomic Energy Community (OJ P 45, 14.6.1962, p. 1385).
  • Decision 2002/620/EC of the European Parliament, the Council, the European Commission, the Court of Justice, the Court of Auditors, the European Economic and Social Committee, the Committee of the Regions and the European Ombudsman of 25 July 2002 establishing a European Communities Personnel Selection Office.
  • Decision 2002/621/EC of the Secretaries-General of the European Parliament, the Council and the Commission, the Registrar of the Court of Justice, the Secretaries-General of the Court of Auditors, the Economic and Social Committee and the Committee of the Regions, and the Representative of the European Ombudsman of 25 July 2002 on the organisation and operation of the European Communities Personnel Selection Office.


  3. Which data do we collect and process?

The personal data collected and further processed are:

  • Data provided by the complainant/requester;
  • Data provided by the department(s) concerned (meaning any department with information relevant to the analysis of the complaint/request);
  • Data stored in EPSO databases.

In some cases, depending on the subject matter of the complaint/request, medical data may be processed.


  4. How long do we keep your data?

Data in paper format are kept for a period of 15 years. They are subsequently transferred to the historical archives for permanent safekeeping.

Data in electronic format are kept for a period of 15 years.

These retention periods are necessary in order to allow for comparison with previous cases handled by EPSO, thus ensuring a uniform application of the Staff Regulations.


  5. How do we protect your data?

All data in electronic format (e-mails, documents, uploaded batches of data etc.) are stored on the servers of the European Commission, which must be used in accordance with Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.

In order to protect your personal data, the Commission has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to personal data solely to authorised persons with a legitimate need to know for the purposes of this processing.


  6. Who has access to your data and to whom is it disclosed?

Access to your data is provided to authorised staff in accordance with the ‘need-to-know’ principle. Such staff abide by statutory and, when required, additional confidentiality agreements.

The following may receive your data:

  • Members of the EPSO legal sector, members of the hierarchy involved in signing decisions: access to complete files.
  • Selection boards and panels, EPSO staff other than members of the legal sector and hierarchy: as much as is necessary to provide the explanations and information required for handling requests/complaints.
  • The Commission’s Legal Service: must be systematically consulted regarding draft decisions in response to complaints; access to complete files.
  • EU courts: in cases of judicial remedies; access to complete files.
  • OLAF, IDOC, IAS, Court of Auditors: upon request and limited to what is necessary for official investigations or for audit purposes.
  • European Ombudsman: upon request and limited to what is necessary for investigations.


  7. What are your rights and how can you exercise them?

In accordance with Articles 17 to 22 of Regulation (EU) 2018/1725, you have the right to access, rectify, and erase your data, as well as the right to data portability and the right to restrict the processing of your data. You can exercise your rights by sending an email to EPSO using the online contact form EPSO Webform, or in the event of conflict, to the Data Protection Officer and, if necessary, to the European Data Protection Supervisor. For this purpose, please use the contact information given under point 8 below.


  8. Contact information

If you have comments or questions, concerns or a complaint regarding the collection and use of your personal data, please contact the Data Controller using the EPSO online contact form EPSO Webform.

You can also contact:


  9. Where to find more detailed information

The Commission Data Protection Officer publishes the register of all operations involving the processing of personal data. You can access the register using the following link:

This specific processing has been included in the Data Protection Officer’s public register with the following reference: DPR-EC-01152.1.


[1] Regulation (EU) 2018/1725 (OJ L 295, 21.11.2018, pp. 39-98).