On 9 June 2026, the European Medicines Agency (EMA) published a document titled "Records of data processing activity regarding EMA Account Management System (public)", detailing how personal data is handled within its account management platform. The document outlines the purposes, categories of data subjects, and retention periods for data processed through the system, impacting users such as pharmaceutical companies, researchers, and healthcare professionals who interact with EMA's digital services.
The records, issued by EMA's Data Protection Officer, describe the system as a centralised authentication service for accessing various EMA applications. Data processed includes user identification details, login credentials, and activity logs, retained for up to 10 years after account closure for security and audit purposes. The document categorises data subjects as external users (e.g., industry representatives, experts) and internal EMA staff.
Policy orientations and trade-offs
The publication reflects EMA's compliance with the EU General Data Protection Regulation (GDPR), which requires agencies to maintain transparent records of processing activities. While the document enhances transparency and accountability, it also highlights the trade-off between security monitoring and user privacy: prolonged retention of activity logs may raise concerns among users about surveillance, but EMA justifies this as necessary for detecting unauthorised access and ensuring system integrity.
Impact on stakeholders
For pharmaceutical companies and other external users, the document provides clarity on how their personal data is managed, potentially increasing trust in EMA's digital services. However, the extended retention period could be seen as intrusive by some users, particularly those concerned about data minimisation principles. EMA staff are also affected, as their internal account data falls under the same processing rules. The document imposes no new obligations on users but formalises existing practices, with no immediate compliance costs.
Expected institutional follow-up
The publication is a routine transparency measure under GDPR Article 30. No further action is required from EMA or stakeholders, though the agency may update the records if processing activities change. The document serves as a reference for data subjects exercising their rights under GDPR, such as access or erasure requests.