Privacy policy for access to documents

Privacy policy for access to documents

This privacy policy governs the processing of your personal data on the basis of the European Regulation (EU) N°2018/1725 (“EU-DPR”) by Key Digital Technologies Joint Undertaking (“KDT JU”)set up by Council Regulation (EU) 2021/2085 of 19 November 2021, in the context of requests regarding access to documents in accordance with Regulation (EC) 1049/2001.

Although you can browse through most of the pages of our website without giving any information about yourself, in some cases, personal information is required in order to provide the e-services you request, such as registration for participation in events organised by KDT JU or signing up for its newsletter.

The pages that require such information treat it according to the rules described in the EU-DPR.

In this respect:

  • for each e-service, the purposes and means of the processing of personal data are specified in their corresponding privacy statement;
  • within KDT JU, the Data Protection Officer (DPO, ensures that the provisions of the EU-DPR are applied and advises controllers on fulfilling their obligations;
  • as for all the institutions, the European Data Protection Supervisor (EDPS) will act as an independent supervisory authority.

This policy is based on the EU-DPR. It may be modified by KDT JU from time to time, on its own initiative or on the advice of the EDPS.

KDT JU's website may provide links to third-party sites. Since we do not control them, we encourage you to review their privacy policies.

Which personal data do we process?

When you file a request, we process all information included in the official request form, such as:

  • Identity information you provide us with, such as your first name and last name and organization;
  • Contact details you provide us with, such as your e-mail address and postal address;
  • Any other personal data you provide us with (non-compulsory);

We receive most of your personal data directly from you. If we receive personal data about you from a third party, we will inform you about this or ask the third party to inform you about this.

Why do we process your personal data and what is the legal basis for this?

The purposes and legal bases justifying the processing operations carried out by KDT JU vary. Our processing operations may be based on:

  • Your consent;
  • contract or grant agreement with you, in order to perform that contract or in order to take steps prior to concluding a bilateral agreement with you;
  • legal obligation we must comply with;
  • The public interest.

In order to respond to your request of access, we process your personal data to perform a task carried out in the public interest and to comply with legal obligations (in particular under Regulation (EC) 1049/2001) that we have to comply with, or to comply with any reasonable request from competent law enforcement agents or representatives, judicial authorities, governmental agencies or bodies, including the EDPS, or to transfer your personal data to the police or the judicial authorities upon our own initiative as evidence or if we have justified suspicions of an unlawful act or crime committed by you through your use of our website, our social media channels or other communication channels.

Whom do we share your personal data with?

We may share your personal data with third parties if necessary to comply with our request. Third parties are allowed to process your personal data on our behalf on our explicit written instruction, only. We ensure that third parties are committed to observing the safety and integrity of your personal data.

We may be legally obliged to share your personal data with competent law enforcement agents or representatives, judicial authorities, governmental agencies or bodies.

We do not send your personal data in an identifiable manner to any other third party than the ones mentioned in this section without your explicit consent to do so. However, we may send anonymised data to other organisations that may use those data for improving our activities or services.

Where do we process your personal data?

In principle, we process your personal data within the European Economic Area (EEA). In order to process your personal data for the purposes outlined above, we may also transfer your personal data to third parties who process on our behalf outside the EEA. Each third party outside the EEA that processes your personal data will be bound to observe adequate safeguards with regard to the processing of your personal data.

What quality assurances can be expected?

We do our utmost best to process only those personal data which are necessary to achieve the purposes outlined above and only as long as needed to achieve these purposes, or up until such time where you withdraw your consent for processing them.

In particular, your personal data will not be kept longer than 5 years after closure of the access procedure. We will delete your personal data when they are no longer necessary for the purposes outlined above, unless there is:

  • An overriding interest of the Joint Undertaking, or any other third party, in keeping your personal data identifiable, or;
  • A legal or regulatory obligation or a judicial or administrative order that prevents us from deleting them.

We will take appropriate technical and organisational measures to keep your personal data safe from unauthorised access or theft as well as accidental loss, tampering or destruction. Access by our personnel or third parties’ personnel will only be on a need-to-know basis and be subject to strict confidentiality obligations.

What are your rights?

As a data subject, you have the following rights:

  • The right to request access to all your personal data processed by us.
  • The right to rectificationi.e. to ask that any of your personal data that are inaccurate, are corrected.
  • You have the right to withdraw your earlier given consent for processing of your personal data.
  • You have the right to erasurei.e. to request that your personal data is deleted if these data are no longer required in the light of the purposes outlined above or if you withdraw your consent for processing them.
  • You have the right to restriction instead of deletion, i.e. to request that we limit the processing of your personal data.
  • You have the right to object to the processing of personal data unless we demonstrate compelling legitimate grounds which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
  • You have the right to data portabilityi.e. to receive from us in a structured, commonly-used and machine-readable format all personal data you have provided to us if the processing is based on your consent or a contract with you and the processing is carried out by automated means.

Considering Article 25(1) of the EU-DPR, we may restrict some of the above rights in duly justified cases. These justified cases entail processing operations in the performance of:

  • administrative inquiries;
  • disciplinary proceedings;
  • preliminary activities related to cases of potential irregularities deported to OLAF;
  • whistleblowing procedures;
  • procedures of harassment;
  • processing internal and external complaints;
  • internal audits;
  • investigations carried out by the Data Protection Officer;
  • security investigations; or
  • within the frame of the grant management or procurement procedure, after the closing date of the submission of the calls for proposals or the application of tenders.

These situations can create the necessity of a restriction on the right to information, the right of access to your processed data or the right of rectification. The restriction shall continue to apply as long as the reasons justifying it remain applicable.

If you wish to submit a request to exercise one or more of the rights listed above, you can contact us by sending an e-mail to An e-mail requesting to exercise a right will not be construed as consent with the processing of your personal data beyond what is required for handling your request. Such request should meet the following conditions:

  • State clearly which right you wish to exercise; and
  • Your request should be accompanied by a digitally scanned copy of your valid identity card proving your identity.

We will promptly inform you of having received your request. If the request meets the conditions above and proves valid, we will honour it as soon as reasonably possible and at the latest thirty (30) days after having received your request.

If you have any complaints regarding the processing of your personal data by us, you may always contact us by sending an e-mail to If you remain unsatisfied with our response, you are free to file a complaint with the European Data Protection Supervisor (

More information on Data Protection at the JU can be obtained in the record of processing activities and in the privacy notices published on the JU’s website.