Notice for the attention of the data subjects to whom the restrictive measures provided for in Council Common Position 2001/931/CFSP, as updated by Council Decision (CFSP) 2023/422, and Council Regulation (EC) No 2580/2001 on specific restrictive measures directed against certain persons and entities with a view to combating terrorism, as implemented by Council Implementing Regulation (EU) 2023/420, apply

(2023/C 70/05)

The attention of data subjects is drawn to the following information in accordance with Article 16 of Regulation (EU) 2018/1725 of the European Parliament and of the Council (1).

The legal bases for this processing operation are Common Position 2001/931/CFSP (2), as updated by Council Decision (CFSP) 2023/422 (3), and Regulation (EC) No 2580/2001 (4), as implemented by Council Implementing Regulation (EU) 2023/420 (5).

The controller of this processing operation is the Council of the European Union represented by the Director General of Directorate-General for External Relations (RELEX) of the General Secretariat of the Council and the department entrusted with the processing operation is RELEX.1 that can be contacted at:

Email: sanctions@consilium.europa.eu

The Data Protection Officer can be contacted at:

Data Protection Officer

data.protection@consilium.europa.eu

The purpose of the processing operation is the establishment and updating of the list of persons subject to restrictive measures in accordance with Common Position 2001/931/CFSP, as updated by Council Decision (CFSP) 2023/422, and Regulation (EC) No 2580/2001, as implemented by Council Implementing Regulation (EU) 2023/420.

The data subjects are the natural persons who fulfil the listing criteria as laid down in Common Position 2001/931/CFSP and Regulation (EC) No 2580/2001.

The personal data collected includes data necessary for the correct identification of the person concerned, the statement of reasons and any other data related to the grounds for listing.

The legal bases for the handling of personal data are Common Position 2001/931/CFSP and Regulation (EC) 2580/2001.

Processing is necessary for the performance of a task carried out in the public interest in accordance with Article 5(1)(a) and for compliance with legal obligations laid down in above-mentioned legal acts to which the controller is subject in accordance with Article 5(1)(b) of Regulation (EU) 2018/1725.

Processing is necessary for reasons of substantial public interest in accordance with Article 10(2)(g) of Regulation (EU) 2018/1725.

The Council may obtain personal data of data subjects from Member States and/or the European External Action Service and/or from third countries. The recipients of the personal data are Member States, the European Commission and the European External Action Service.

All personal data processed by the Council in the context of EU autonomous restrictive measures will be retained for 5 years from the moment the data subject has been removed from the list of persons subject to the asset freeze or the validity of the measure has expired or, if a legal action is brought before the Court of Justice, until a final judgment has been handed down. Personal data contained in documents registered by the Council are kept by the Council for archiving purposes in the public interest, within the meaning of Art. 4(1)(e) of Regulation (EU) 2018/1725.

The Council may need to exchange personal data regarding a data subject with a third country or international organisation in the context of the Council’s transposition of UN designations or in the context of international cooperation regarding the EU’s restrictive measures policy. In the absence of an adequacy decision, or of appropriate safeguards, transfer of personal data to a third country or an international organisation is based on the following condition(s), pursuant to Article 50 of Regulation (EU) 2018/1725:

No automated decision-making is involved in the processing of the data subject's personal data.

Data subjects have the right of information and the right of access to their personal data. They also have the right to correct and complete their data. Under certain circumstances, they may have the right to obtain the erasure of their personal data, or the right to object to the processing of their personal data or to ask for it to be restricted.

Data subjects can exercise these rights by sending an e-mail to the controller with a copy to the Data Protection Officer as indicated above.

Attached to their request, the data subjects must provide a copy of an identification document to confirm their identity (ID card or passport). This document should contain an identification number, country of issue, period of validity, name, address and date of birth. Any other data contained in the copy of the identification document such as photo or any personal characteristics may be blacked out.

Data subjects have the right to lodge a complaint with the European Data Protection Supervisor in accordance with Regulation (EU) 2018/1725 (edps@edps.europa.eu).

Before doing so, it is recommended that data subjects first try to obtain a remedy by contacting the controller and/or the Data Protection Officer of the Council.

(1)  OJ L 295, 21.11.2018, p. 39.

(2)  OJ L 344, 28.12.2001, p. 93.

(3)  OJ L 61, 27.2.2023, p. 58.

(4)  OJ L 344, 28.12.2001, p. 70.

(5)  OJ L 61, 27.2.2023, p. 37.