Privacy Statement

Users of Ireland’s Domain on the Union Registry - IRL UR009-4

      1.  Background.

The Union Registry and the EU Transaction Log (EUTL) are established under the Directive 2003/87/EC of the European Parliament and of the Council establishing a scheme for greenhouse gas emission allowance trading within the EU (EU ETS), Commission Delegated Regulation (EU) 2019/1122 supplementing Directive 2003/87/EC as regards the functioning of the Union Registry (applicable from 1 January 2021), Decision No 406/2009/EC of the European Parliament and of the Council on the effort of Member States to reduce their greenhouse gas emissions to meet the Community’s greenhouse gas emission reduction commitments up to 2020 (ESD) and by Regulation (EU) No 525/2013 of the European Parliament and of the Council of 21 May 2013 on a mechanism for monitoring and reporting greenhouse gas emissions and for reporting other information at national and Union level relevant to climate change.

The Union Registry and the EUTL ensure the accurate accounting of all allowances issued under the EU ETS. They record the possession of allowances held in electronic accounts which are administered by the National Administrators of the Member States (the Member States of the EU and the 3 States from EFTA-EEA). The functioning of the Union Registry and the EUTL is regulated by Commission Delegated Regulation (EU) 2019/1122 (the Registry Regulation).
The European Commission (the Commission) together with the Member States (MS) are co-controllers of personal data.
The Environmental Protection Agency (EPA) in Ireland has statutory responsibility for the establishment and maintenance of Ireland’s domain on the Union Registry and is the National Administrator for Ireland.

The primary collection and encoding of personal data in the Union Registry for Ireland is made by the account holders and by the EPA, since the EPA manages the accounts in the Union Registry which are under the jurisdiction of Ireland. The accuracy of the data is the exclusive responsibility of the account holders and of the national administrators.
For personal data relating to accounts under the jurisdiction of Ireland, the controller is the EPA.
The European institutions are committed to protecting and respecting your privacy. As this service/application collects and further processes personal data, Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data is applicable.

The EPA will handle your personal data in accordance with Data Protection Legislation. Data Protection Legislation means the Data Protection Acts 1988 to 2018 and Directive 95/46/EC, any other applicable law or regulation relating to the processing of personal data and to privacy (including the E-Privacy Directive and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011), as such legislation shall be amended, revised or replaced from time to time, including by operation of the General Data Protection Regulation (EU) 2016/679 (GDPR) (and laws implementing or supplementing the GDPR or the E-Privacy Regulations).

     2.  Purpose of the Processing Operation.

The European Commission (the Commission) together with the Member States (MSs) are co-controllers of personal data. These Data Controllers collect and use your personal information to implement the system comprised of the Union Registry and the EUTL. This is required to operate an emissions trading scheme, by providing an overview of allowances and emissions at European level, and controlling transactions occurring across Member States.

Data processing is lawful under Article 5 of Regulation (EU) 2018/1725.

Within the Union Registry and EUTL the Commission performs limited processing of personal data which is handled in conformity with Regulation (EU) 2018/1725.

No data processed in the Union Registry or EUTL falls under special category data according to Article 10 of Regulation (EU) 2018/1725.

The relevant processing operations are under the responsibility of Directorate-General Climate Action (CLIMA), acting as the controller.

As a statutory body, the EPA may process your personal data on the basis that it is carrying out a task in the public interest or in the exercise of official authority vested in the EPA pursuant to the Environmental Protection Agency Act 1992, as amended, other environmental legislation and regulation or other relevant legislation.

     3.  What personal data is collected?

The personal data collected by the EPA which is further processed concerns the Primary Registry Contact (PRC); account holders (where they are natural persons); Authorised Representatives and directors of the account holders (where they are legal entities).

The personal data collected is:
• Personal Name and Surname
• Personal ID
• Date and place of birth
• Contact data such as postal address, email address, mobile phone, phone and fax numbers
• For security monitoring reasons the logging of user ID, MUDI (Mobile Unique Device Identifier), IP addresses, logon time, logoff time, programme used and accessed infrastructure resources (servers’ logs) is also recorded. In some cases, sequences of actions performed on the information system are also recorded.

The personal data is collected directly from the Data Subject and provision of this data is compulsory for being registered in the Union Registry.

The information to be submitted for the opening of an account is detailed in Commission Delegated Regulation (EU) 2019/1122 (the Registry Regulation). Article 22.1 of the Registry Regulation requires all account holders to notify the EPA within 10 working days of changes to the account information. In addition, account holders shall confirm to the EPA by 31 December each year that their account information remains complete, up-to-date, accurate and true.
This information is also regularly reviewed by the EPA in accordance with the requirements detailed in Article 22.4 of the Registry Regulation.

Please also refer to the European Commission - Privacy Statement for Users Registered with the EU ETS Union Registry.

     4.  Technical Information

The personal data is exclusively collected in a database and in application log files shared by both the EUTL and the Union Registry. Application log files are created to record elements that trace any operation on the system. These elements may be the name, the User ID, the logical address (IP address), a time stamp giving the beginning and the end of the operation. For security monitoring reasons a permanent access to these logs is required.

The information is to be processed by Commission personnel, under the responsibility of the controllers mentioned in Point 1.

     5.  Who has access to your information and to whom is it disclosed?

Access to your data is provided to authorised staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements.

The personal data collected is accessible by the designated officials of the European Commission and of the respective National Administrators, including the EPA.

Application log files are consulted when there is a problem in the system, to analyse and to fix it and to provide support to a user. System logs are used to verify the behaviour and performance of the system and to guarantee its security by monitoring and tracking unauthorised accesses. The system administrators use them only in the framework of their tasks.

In accordance with Art. 80 of Commission Delegated Regulation (EU) 2019/1122, Member States and EU entities explicitly listed in these provisions may obtain access to the data stored in the Union Registry and in the EUTL if this is necessary for the performance of their tasks. The Commission shall provide this access to the Member States and EU entities through the Security Directorate of its Directorate-General for Human Resources and Security.

EUROPOL has permanent read-only access to the data stored in the Union Registry and in the EUTL for the purpose of the performance of its tasks in accordance with Council Decision 2009/371/JHA. EUROPOL must keep the Commission informed of the use it makes of the data.

Furthermore, in accordance with Art. 80.8 of Commission Delegated Regulation (EU) 2019/1122, National Administrators shall make available to other National Administrators and the Commission the names and identities of Account Holders and Authorised Representatives in certain circumstances.

The information submitted for the opening of an account, as detailed in Commission Delegated Regulation (EU) 2019/1122 (the Registry Regulation) is only accessible by designated persons within the EPA. 

The PRC data is not uploaded onto the Union Registry and the PRC has no access to the Union Registry. The EPA records certain PRC details within the EPA IT infrastructure: the PRC Name, Organisation Address, contact details and relevant Account Holder details are recorded on an EPA Network Drive where access is restricted to a small number of personnel working in the Union Registry area.

The PRC information is retained offline as hard copies.

     6.  How long is the information retained?

The Data Controllers only keep the data for the time necessary to fulfil the purpose of collection or further processing.
The data published on the EUTL public website is captured dynamically from the Union Registry and regularly refreshed.

The Union Registry stores records concerning all processes, log data and account holders for five years after the closure of an account. The Union Registry and other KP registries store records concerning all relevant KP processes, log data and account holders of KP accounts for 15 years after the closure of the account or until any issue of implementation relating to them arising within the context of the UNFCCC bodies has been resolved, whichever is the later.

If formal investigations are carried out for judicial actions, evidence logs need to be stored for long periods until the judicial decisions are taken. Once formal investigations have been concluded, data is still kept for 6 months and destroyed afterwards.

The information submitted for the opening of an account as detailed in Commission Delegated Regulation (EU) 2019/1122 (the Registry Regulation) is maintained for the duration of your appointment on the Union Registry and/or for as long as you hold an account on the Union Registry – thereafter this information is retained for five years.

     7.  How is the information safeguarded?

All data in electronic format are stored either on the servers of the European Commission or of its contractors; the operations of which abide by Commission Decision (EU, Euratom) 2017/46 on the security of communication and information systems in the European Commission.

The Commission’s contractors are bound by a specific contractual clause for any processing operations of your data on behalf of the Commission, and by the confidentiality obligations deriving from the transposition of Directive 95/46/EC.
Please also refer to the European Commission - Privacy Statement for Users Registered with the EU ETS Union Registry.

The information submitted to the EPA for the opening of an account is securely stored with restricted access thereto. Upon expiry of the retention period, the information is securely destroyed.

     8.  What are your rights and how can you exercise them? 

You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access, rectify or erase your personal data and the right to restrict the processing of your personal data. You can exercise your rights by contacting the Data Protection Officer/s using the contact details below. 

     9.  Right of Access

If you have comments or questions, any concerns or a complaint regarding the collection and use of your personal data please contact:

Irish National Administrator

Data Protection Officer
Environmental Protection Agency
PO Box 3000
Johnstown Castle Estate
Co Wexford Y35 W821
Ireland

Email: dpo@epa.ie

European Commission

European Commission    
Directorate-General for Climate Action,
200 Rue de la Loi
B - 1040 Brussels
E-mail: clima-registry-request@ec.europa.eu
 
The Data Protection Officer (DPO) of the Commission:
DATA-PROTECTION-OFFICER@ec.europa.eu.
 
The European Data Protection Supervisor (EDPS):
edps@edps.europa.eu.

The Commission Data Protection Officer publishes the register of all operations processing personal data.

This specific processing has been notified to the DPO with the following reference: DPR-EC-00230.2.