Information on social media monitoring for epidemic intelligence purposes

ECDC monitors social media for epidemic intelligence purposes. This is done by monitoring a list of predefined users using Epidemic Intelligence from Open Sources (EIOS), monitoring a list of predefined users on social media platforms and automated monitoring of social media posts based on keywords related to public health events of diseases under surveillance. 

Processing also includes manual revision of information collected and uploading content to EpiPulse, ECDC’s surveillance platform, and including certain data in reports.  Except for official sources, data are anonymised before uploading content to EpiPulse.

Details on why, how and under which basis ECDC conducts social media monitoring for epidemic intelligence purposes are available in this internal procedure on manual monitoring and in this internal procedure on automated monitoring.

For the manual monitoring, you are invited to check your social media account to check if ECDC is one of your followers. For the automated monitoring, you are invited to contact epidemic [dot] intelligenceecdc [dot] europa [dot] eu (epidemic[dot]intelligence[at]ecdc[dot]europa[dot]eu) to verify whether your social media data is being processed.

Who is responsible for processing of your personal data in this context?

The European Centre for Disease Prevention and Control (ECDC) is the data controller for the processing operation.

You can contact the controller at epidemic [dot] intelligenceecdc [dot] europa [dot] eu (epidemic[dot]intelligence[at]ecdc[dot]europa[dot]eu) or by post at the following address:

European Centre for Disease Prevention and Control (ECDC) 

171 83 Stockholm

Sweden

You can contact the Data Protection Officer of ECDC at dpoecdc [dot] europa [dot] eu (dpo[at]ecdc[dot]europa[dot]eu) 

What are the purposes of the processing, and what is the legal basis?

Social media is one of the sources that ECDC monitors for epidemiological surveillance purposes.

The legal basis for the processing operation stems from art. 5(1)(a) of Regulation 2018/1725 in combination with art. 3 of Regulation 851/2004.

What personal data does ECDC process and what is the source of the data?

The personal data processed by ECDC consists in identity and affiliation where relevant of social media users monitored by ECDC, as well as the content of post in social media related to public health events of diseases under surveillance.

The personal data processed by ECDC in the context of social media monitoring comes from publicly available sources. Data has been made public by the respective social media user. 

In the context of this processing activity, ECDC does not process any personal data of data subjects that are patients of a disease under surveillance. 

Who has access to your personal data and to whom are data disclosed?

Personal data from manual monitoring of official sources are included in the EpiPulse platform, where data are available to EpiPulse users, and in ECDC’s Communicable Disease Threats reports. Personal data from automated monitoring are available only to ECDC internal staff on a need-to-know basis.

For how long does ECDC process the data?

When personal data consists of links to social media posts collected via manual monitoring, if a social media user cancel the respective post, ECDC will automatically stop processing the respective personal data. 

When updating an event, ECDC checks if links to personal data included in social media content is still relevant for the original purpose of epidemiologic intelligence. If not, the link is removed. If the content in a social media post is still relevant, the link is kept. 

ECDC reviews the relevance of links collected via manual monitoring every six months. 

For the automated monitoring, the retention period of personal data is based on potential downtime of the tool (three months).

What are your rights regarding your personal data? 

As the individual to whom the personal data relate, you can exercise the following rights: 

• access to your personal data under Article 17 of Regulation (EU) 2018/1725;
• rectify your personal data under Article 18 of Regulation (EU) 2018/1725;
• erase your personal data under Article 19 of Regulation (EU) 2018/1725;
• restrict the processing concerning yourself under Article 20 of Regulation (EU) 2018/1725; or
• exercise the right to data portability under Article 22 of Regulation (EU) 2018/1725. 

Please note that these rights are not absolute rights, which means that some exceptions may apply. Please also note that, in certain cases, as provided in Article 25 of Regulation (EU) 2018/1725, restrictions of data subjects’ rights may apply. These restrictions are applied on a case-by-case basis.

Who can you contact in case of further questions or to complain about the processing of your personal data?

If you have questions on how your personal data is being processed, you can contact the Epidemic Intelligence function of ECDC at epidemic [dot] intelligenceecdc [dot] europa [dot] eu (epidemic[dot]intelligence[at]ecdc[dot]europa[dot]eu) or the Data Protection Officer of ECDC at dpoecdc [dot] europa [dot] eu (dpo[at]ecdc[dot]europa[dot]eu).   

If you think that your personal data is processed unlawfully, you can lodge a complaint with the European Data Protection Supervisor.