The European Union Agency for Railways (ERA) is committed to user privacy.
Personal data, such as contact details or other, will be processed in line with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
Although you can browse through most parts of the Agency site without giving any information about yourself, in some cases, personal information is required in order to provide access to e-services. Whenever such information is collected, the Agency will treat it according to the policy described in Regulation (EU) 2018/1725 (and any other regulation that will supersede it). Further information about the use of your data is provided in the register of records of personal data processing activities and in the specific privacy statements for the relevant e-services below.
For any questions regarding the processing of such personal data including how to access and rectify them, please get in touch with our Data Protection Officer.
In case of conflict on any Personal Data Protection issue, you can address yourself to our Data Protection Officer.
Should the conflict not be resolved by the Data Protection Officer you may lodge a complaint with the European Data Protection Supervisor at any time.
The European Union Agency for Railways (ERA) is committed to respecting the privacy of the participants to any consultations which are organised in the framework of its activities. All personal data provided to ERA are dealt with in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (and any other regulation that will supersede it).
The following data protection information notice outlines the criteria by which ERA collects, manages and uses the personal data of the participants to consultations with social partners and organisations representing rail freight customers and passengers.
ERA
Processing of personal data is needed to obtain the views of stakeholders concerned whenever the Agency is required to address its recommendations to the European Commission on matters that have a direct impact on these categories of subjects.
Only the following data are collected:
In accordance with Article 4 of Regulation (EC) N° 1049/2001 of 30 May 2001 regarding public access to European Parliament, Council and Commission documents and Article 8(2) of the “Arrangements to be applied by the Agency for public access to documents” (Annex to Management Board Decision N°145 of 29 November 2016), ERA is committed to grant access to any document you have submitted during the consultation phase, by publishing the outcome on the ERA website.
In a later stage, your opinions will be included in the report accompanying the recommendation to the Commission, as provided for in Articles 6 and 7 of the Agency’s Regulation.
In order to ensure the reliability of your contribution and for transparency reasons, some of your personal information may be published as well, where appropriate, without any further processing which is incompatible with the purpose of the consultation. You can specify what personal information you agree to be published by checking the relevant box in the comment sheet.
Legal basis:
In accordance with Articles 6 and 7 of Regulation (EU) 2016/796 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Railways and repealing Regulation (EC) No 881/2004.
Lawfulness:
The agency collects and processes your personal data in compliance with Article 5 (a) and (b) of the EU Data Protection Regulation:
(a) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;
(b) processing is necessary for compliance with a legal obligation to which the controller is subject
The processing may be based on consent (Article 5(d) of the EU Data Protection Regulation) or another legal basis, as established by the EU Data Protection Regulation, in some specific circumstances.
All personal data are processed only by designated ERA staff and stored on servers which abide by the ERA’s IT security rules and standards.
Your personal data will remain in the database until the results have been completely analyzed and will be rendered anonymous when they have been usefully exploited, and at the latest after twelve months from the end of the consultation. This does not apply to personal data whose online publication has been consented. These data will remain available on the ERA website until the data subject exercise their rights to have it deleted.
In case you wish to verify which personal data is stored on your behalf by the responsible Controller, have it modified, corrected or deleted, please contact the Data Controller by using the contact information below and by explicitly specifying your request, or our Data Protection Officer.
Practical questions on the public consultation can be sent to the ERA staff in charge of the organisation of the relevant consultation, using the functional mailbox specifically established for that consultation.
In case of conflict on any Personal Data Protection issue you can address yourself to our Data Protection Officer or use the contact form on our website, selecting as type of request: “Data protection” and specifying the reference to the consultation.
Should the conflict not be resolved by the Data Protection Officer you may lodge a complaint with the European Data Protection Supervisor at any time.
The European Union Agency for Railways (ERA) is committed to respecting the privacy of its candidates for recruitment. Within the framework of the selection procedures at ERA, all personal data provided by candidates are dealt with in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
The following data protection information notice outlines the criteria by which ERA collects, manages and uses the data provided by candidates within the different selection procedures for the recruitment.
ERA Head of Resources and Support Department
Processing of personal data is needed for:
The personal data processed are the ones provided in the form used for the electronic application, in particular:
Candidates are free to give their data on a voluntary basis, although failure to provide data in the mandatory fields will not allow the submission of the application form.
Legal Basis: In accordance with Decision 206/06.2009; Decision 207/06.2009; Rules governing traineeship period at ERA; Amendment to the ERA rules governing engagement of trainees.
Lawfulness: The agency collects and processes your personal data in compliance with Article 5 (a) and (b) of the EU Data Protection Regulation:
(a) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;
(b) processing is necessary for compliance with a legal obligation to which the controller is subject
The processing may be based on consent (Article 5.1(d) of the EU Data Protection Regulation) or another legal basis, as established by the EU Data Protection Regulation, in some specific circumstances.
All personal data are processed only by designated ERA staff and stored on servers which abide by the ERA’s IT security rules and standards.
Personal data regarding engaged applicants will be kept for ten years after the termination of employment or the last pension payment, whichever applicable.
Data of non-engaged applicants but successfully placed in the reserve list for appointment will be kept for seven years after the budgetary discharge.
Data concerning non-engaged applicants will be kept for five years from the date the data subject became aware of the result of the selection procedure.
Data concerning assigned trainees will be kept for two years after the termination of the traineeship. The purpose of archiving those data is to keep records of all beneficiaries of the traineeship scheme of ERA and allow the delivery of traineeship certification.
Data concerning non-successful applicants for traineeships will be deleted at the end of the traineeship period they applied for. This would allow to for a delayed assignment, should one of the successful trainees drop out of the scheme.
After the above-mentioned periods, only data needed to provide overall statistics on the exercise (number of eligible and non-eligible applications, total number of applications, etc.) will be kept for statistical reasons. These statistics are not subject to Regulation (EU) 2018/1725 since they are anonymous and cannot be used to identify one or more persons either directly or indirectly.
In case you wish to verify which personal data is stored on your behalf by the responsible Controller, have it modified, corrected or deleted, please contact the Data Controller by using the contact information below and by explicitly specifying your request, or our Data Protection Officer.
On the other hand, data demonstrating compliance with the eligibility and selection criteria may not be updated or corrected after the closing date for the respective selection procedure.
Practical questions on the recruitment can be sent to the ERA staff working for the Human Resources Unit
In case of conflict on any Personal Data Protection issue you can address yourself to our Data Protection Officer or use the contact form on our website, selecting as type of request: “Data protection” and specifying the reference to the application.
Should the conflict not be resolved by the Data Protection Officer you may lodge a complaint with the European Data Protection Supervisor at any time
Data protection notice (updated May 2020)
The European Union Agency for Railways (ERA) is committed to respecting the privacy of personal data processed by Microsoft Dynamics Customer Relationship Management software (called SRM) implemented at ERA. In this framework, all personal data provided by stakeholders (contacts) are dealt with in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (hereafter EUI Data Protection Regulation).
The following data protection information notice outlines the criteria by which ERA collects, manages and uses the personal data of its stakeholders.
Head of Unit EXO
ERA processes personal data of stakeholders to:
ERA has identified two main types of stakeholders:
The following personal data may be collected:
In addition, the stakeholder can select communication preferences by subscribing to the following subscription lists:
ERA can make connections with other contacts (e.g. hierarchical relationship) in order to classify them and establish marketing lists.
The collected data are classified in stakeholder categories, companies/organisations, workgroups and marketing lists.
The Agency’s SRM system has an integrated Outlook client which means that the content of emails can be viewed or stored in the SRM system.
Communications made via the SRM also allow scores about frequency of interactions of the contact with the system, e.g. registration to events.
By working through SRM, the Agency and the contact are able to build up a profile and this can be further enhanced through the use of website cookies.
Personal data stored in the SRM may be accessed by ERA staff and contractors under the direct supervision of ERA staff.
Data records found not to meet applied standards are deleted.
From time to time, in order to validate data or in relation to particular campaigns (e.g. user satisfaction surveys carried out on behalf of ERA or focus groups), contact details (name, emails, addresses) may be transferred to third parties provided that an adequate level of protection (within the meaning of Article 9 of the Regulation (EU) 2018/1725) is ensured, in particular where the Controller adduces adequate safeguards (e.g. use of appropriate contractual clauses) with respect to the protection of the privacy and fundamental rights and freedoms of the data subjects concerned.
Legal basis: The SRM supports the actions which have to be undertaken by the Agency in the context of Articles 5 and 39 of Regulation (EU) 2016/796 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Railways
Lawfulness: The agency collects and processes your personal data in compliance with Article 5(a) and (b) of the EUI Data Protection Regulation:
(a) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;
(b) Processing is necessary for compliance with a legal obligation to which the controller is subject
The processing of personal data for all other purposes (generic stakeholders) who have an interest in ERA activities and have voluntarily chosen to be added to the SRM is lawful based on their consent (Article 5 (d) of the EUI Data Protection Regulation).
Appropriate organizational and technical security measures are ensured according to the data protection legislation applicable to EU institutions and bodies.
Data might be stored temporarily on the servers of our processor, ClickDimensions. For more information on the processing of your data by ClickDimensions please follow this link.
Personal data regarding stakeholders will be kept until they exercise their rights to have it deleted. However, data received via the contact us-form on the website will be put on ‘inactive’, when requested and deleted after the mandatory (anonymized) reporting on access to documents requests to the Management Board once a year. Financial data will be kept for 7 years.
You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data. You have also the right to object to the processing or request to erasure of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.
If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the contacts below.
In order to exercise your rights as data subjects you are invited to contact the Controller by email.
Any other questions on the stakeholder relationship management can be sent using the contact us-form on the ERA website, selecting as topic of request: ‘User management of workgroups’.
In case you have any questions related to the protection of your personal data, you can contact the ERA Data Protection Officer.
You have at any time the right of recourse to the European Data Protection Supervisor.
The European Union Agency for Railways (ERA) is committed to respecting the privacy of personal data of the participants in Calls for Expression of Interests (CEI). All personal data provided to ERA are dealt with in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
The following data protection information notice outlines the criteria by which ERA collects, manages and uses the personal data provided within CEI.
ERA Procurement Unit
The processing of personal data of applicants to CEI is needed in order to allow economic operators to propose themselves to be included on a list of potential service providers / experts in advance of public procurement operations / further processing within the subject scope of the respective CEI.
The following data are / may be collected in the registration form and further processed for the purposes indicated above:
Personal data may be accessed only by ERA staff for the purpose of management of the CEI and any associated tender procedures.
Also, if appropriate, access will be granted to the Internal Audit Service, Internal Legal Department, Court of Auditor, OLAF, the European Ombudsman, the EU Court and the European Data Protection Supervisor.
Legal basis: Regulation (EU) 2016/796 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Railways and repealing Regulation (EC) No 881/2004.
In accordance with Article 5 (a) of Regulation (EU) 2018/1725, the processing is necessary for the performance of tasks carried out in the public interest on the basis of the Treaties establishing the European Communities.
Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council of 25 October 2012 on the financial rules applicable to the general budget of the Union (the “Financial Regulation”).
Commission Delegated Regulation (EU) No 1268/2012 of 29 October 2012 on the rules of application of the Financial Regulation.
Lawfulness: The agency collects and processes your personal data in compliance with Article 5(a) and (b) of the EU Data Protection Regulation:
(a) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;
(b) processing is necessary for compliance with a legal obligation to which the controller is subject
All personal data are processed only by designated ERA staff and stored on servers which abide by the ERA’s IT security rules and standards. Personal data of applicants might be accessed by ERA.
Your personal data are kept - in the service in charge of the procedure - until the end of validity of the CEI for which you submitted an expression of interest, and in the archives for a period up to 10 years following the end of the validity of the corresponding CEI.
In case you wish to verify which personal data is stored on your behalf by the responsible Controller, have it modified, corrected or deleted, please contact the Data Controller by using the contact information below and by explicitly specifying your request, or our Data Protection Officer
Practical questions on CEI (establishing a list of vendors or a database of experts) can be sent to the ERA staff working for the Procurement Unit
In case of conflict on any Personal Data Protection issue you can address yourself to our Data Protection Officer or use the contact form on our website, selecting as type of request: “Data protection”.
Should the conflict not be resolved by the Data Protection Officer you may lodge a complaint with the European Data Protection Supervisor at any time.
This Privacy Statement outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of the selection and engagement of the Agency Staff (TA, CA, SNE and trainees). Your personal data provided to ERA are dealt with in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
ERA Head of Resource and Support Unit.
The purpose of this processing operation is to obtain data or information necessary to support the application during ERA’s selection procedure.
The types of data are the following:
Appropriate organizational and technical security measures are ensured according to the data protection legislation applicable to EU institutions and bodies. The paper-based data are securely stored in the Human Resources Sector’s offices, partly in code-protected safes to which access is only granted to authorize HR staff members (i.e. the HR Assistants, the HR Officer). E-stored data are stored and protected in line with the IT provisions.
The recipients of the data are:
All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.
The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.
Personal data is not intended to be transferred to a third country outside the EU.
Legal basis: Staff Regulations and the Conditions of Employment of Other Servants (CEOS) of the European Communities laid down by Council Regulation (EEC,EURATOM, ECSC) No. 259/68 and last amended by Council Regulation (EC, EURATOM EC) No. 1558/2007 of 17 December 2007 and the internal guidelines on selection.
Lawfulness: The above data processing operation is carried out in accordance with Art. 5(c) of Regulation (EU) 2018/1725.
All personal data are processed only by designated ERA staff and stored on servers which abide by the ERA’s IT security rules and standards. Personal data of applicants might be accessed by ERA.
Data regarding engaged applicants will be kept for ten years after the termination of employment or the last pension payment, whichever applicable.
Data of non-engaged applicants but successfully placed in the reserve list for appointment will be kept for seven years after the budgetary discharge.
Data concerning non-engaged applicants will be kept for five years from the time that the data subject became aware of the result of the selection procedure (i.e. from the date of publication in the ERA Web page that the procedure was closed, or the date in which the applicant has received a relevant information letter).
After the above-mentioned periods, only data needed to provide overall statistics on the exercise (number of eligible and non-eligible applications, total number of applications, etc.) will be kept for statistical reasons. These statistics are not subject to Regulation 2018/1725 since they are anonymous and cannot be used to identify one or more persons either directly or indirectly.
You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data. You have also the right to object to the processing or request the removal of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.
If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.
All your requests concerning your data protection rights should be addressed to the Head of the Resource and Support Unit
In case you have any questions related to the protection of your personal data, you can also contact the Data Protection Officer
You have at any time the right of recourse to the European Data Protection Supervisor
The European Union Agency for Railways (ERA) is committed to respecting the privacy of personal data processed by the One-Stop Shop (OSS) implemented at ERA.
When the European Union Agency for Railways (ERA) acts as issuing entity, your personal data will be processed:
a) by ERA in accordance with Regulation (EC) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data and
b) by the National Safety Authorities (NSAs) of the European Economic Area and Switzerland in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
When the National Safety Authorities (NSAs) act as issuing entities, your personal data will be processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
When the NSAs process personal data in the OSS according to their applicable national legislation, they are the sole responsible for ensuring the data subjects’ rights.
The service providers of OSS are obliged to process your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The European Union Agency for Railways (ERA), when it acts as issuing entity and for the part of the application it assesses. In this case, the responsible for managing your personal data processing is the ERA Head of Planning and Approvals Delivery Unit.
The NSAs when they assess their part of the application submitted in OSS as well as when they act as issuing entities. In both cases, unless otherwise stated by the NSAs, the responsible for managing your personal data is the Head of the relevant NSA.
The processing of personal data in the OSS is needed to fulfil ERA’s, NSAs’ and applicants’ tasks and to enable the functioning of the OSS. More information on the OSS Terms of Use.
The types of data are the following:
The recipients of the data are:
All recipients of the data are reminded of their obligation not to use the personal data for any further purpose other than the one for which they were collected. The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.
Personal data is not intended to be transferred to any third country outside the EU.
Legal basis:
Lawfulness: The above data processing operation is carried out by ERA in accordance with Article 5(a) of Regulation (EC) 2018/1725: “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body” and by the NSAs in accordance with Article 6(e) of the GDPR: “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
All personal data are processed only by designated staff and stored on servers which abide by the ERA’s IT security rules and standards.
Personal information will only be retained in the OSS for a maximum period of:
You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data. You have also the right to object to the processing or request the removal of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.
If you have any queries concerning the processing of your personal data, you may address them to the Data Controller. You will find the address in the Contacts below.
All your requests concerning your data protection rights can be addressed to the Data Controller of ERA when ERA is acting as issuing entity by using the contact form on our website, selecting as type of request: “One-Stop Shop”.
In case the request is linked to the processing personal data by the NSA and for the NSA’s part of the assessment in the OSS, ERA will transmit the request to the responsible NSA involved in the assessment of the application.
In case of conflict on any Personal Data Protection issue you can address yourself to our Data Protection Officer or use the contact form on our website, selecting as type of request: “Data protection”.
Should the conflict not be resolved by the Data Protection Officer you may lodge a complaint with the European Data Protection Supervisor at any time.
In case of the NSAs acting as issuing entity, contact details of each NSA are publically available in the ERADIS database.
This notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of Procurement Procedures and Contract Management.
Your personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
For more information about the processing in question, you are invited to contact ERA through the addresses provided in section “Contacts”.
ERA Head of Finance and Procurement Unit.
This processing operation is related to personal data that may be included in the management and administration of procurement procedures and contracts by the Agency, including in particular :
The Agency needs to evaluate the submitted applications according to the same set of criteria provided therein in order to ensure the optimal use of EU financial resources.
ERA collects only the personal data that the tenderers provide during the participation to the procurement procedures.
ERA collects the personal data in order to use service providers, independent experts, other independent workers needed for ERA to carry out its tasks under the terms of the Regulation (EU) 2016/796 establishing the European Union Agency for Railways.
The recipients of the personal data are:
In accordance with the Agency's obligation to publish information on the outcome of the procurement procedure and on the beneficiaries of funds deriving from the budget of the European Community some identification data of the awarded contractor will be made publicly available. The information will concern the name and address, the amount awarded and the works, goods or services requested. It is published in supplement S of the Official Journal of the European Union and/or on the website of the Agency.
All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.
The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined above.
Legal basis:
Lawfulness:
The data processing is considered lawful under art. 5(a), (b) and (c) of the Regulation (EC) 2018/1725, because it is necessary:
The Agency has several security controls in place to protect your personal data from unauthorised access, use or disclosure. We keep your data stored on computer systems with limited access to a specified audience only.
The provisions contained in the article 47 of ERA's Financial Regulation state that:
"1. The authorising officer shall set up paper-based or electronic systems for the keeping of original supporting documents relating to the budget implementation. Such documents shall be kept for at least five years from the date on which the European Parliament grants discharge for the financial year to which the documents relate.
2. Documents relating to operations not definetely closed shall be kept for longer than provided for in paragraph 1, namely until the end of the year following that in which the operations are closed."
Therefore files relating to tender procedures are kept for a period of:
Extracts from judicial reports (electronic format and paper version) are kept for a period of 2 years following the signature of the contract with the succesful bidder(s).
Until the end of a possible audit if one started before the end of the above period.
Under data protection law, you have rights we need to make you aware of these rights. The rights available to you depend on our reason for processing your information. You are not required to pay any charges for exercising your rights.
You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data. You have also the right to object to the processing of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.
If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.
The Agency does not do automated decision making, including profiling, on the personal data acquired during procurement and contract management procedure.
If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.
The Agency will address your requests within 2 weeks from the receipt of the request.
All your requests concerning your data protection rights should be addressed to the Data Controller.
In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer.
You have at any time the right of recourse to the European Data Protection Supervisor.
ERA keeps this privacy notice under regular review to make sure it is up to date and accurate.
This notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of Registering Bank Account File and Legal Entity File.
Your personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
For more information about the processing in question, you are invited to contact ERA through the addresses provided in section “Contacts”.
ERA Head of Finance and Procurement Unit.
The Agency is using the Commission accounting system ABAC, which includes the centrally validated "Legal Entity File" and "Bank Account File", to make or receive payments.
This processing operation is related to personal data that may be included in the Legal Entities File (LEF) that records all third parties with which the Agency conducts revenue and expenditure transactions. The Bank Account File (BAF) is a descriptive file containing bank details for all companies, organisations and individuals with which the Agency has financial dealings. Bank account related data are registered in a SWIFT compatible manner.
No transaction may be made for the purposes of implementing the budget unless it involves a legal entity (LE) that has been validated beforehand. It follows that before a bank account (BA) can be recorded in the BAF, a LE must be recorded in the ABAC application: the bank account will be linked to that legal entity.
A LE and/or a BA will not be recorded in the Agency's accounts until the legal entity validation team (LEVT) or the bank account validation team (BAVT) within DG BUDG has validated the authorising department's request, which must be accompanied by the relevant supporting documents.
The validation of the LEF and the BAF is a pre-requisite before any transaction may be made for the purposes of implementing the budget.
Each validated legal entity and bank account record is identified by a unique key. These keys are used by authorising officers' services when preparing financial and contractual transactions.
The data, including personal data that may be processed are as follows:
Appropriate organizational and technical security measures will be ensured according to the data protection legislation applicable to EU institutions and bodies.
The forms and documents sent for central validation of the LEF and BAF are added in the payment file. Electronic data is kept within the ABAC WKFL system
The data collected in the Agency’s accounts can be accessed by designated agency staff + staff from the Commision’s central services, using a UserID and a Password. A Service Level Agreement guarantees the appropriate confidentiality and the technical and organisational security of the ABAC system, as required by the applicable data protection provisions.
The recipients of the personal data are:
All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.
The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.
Personal data is not intended to be transferred to a third country outside the EU.
Legal basis:
In accordance with Art. 49 of the ERA Financial Regulation adopted by the Decision n°206 of the Management Board on 23/09/2019, the Management Board shall appoint an accounting officer who shall be responsible:
(a) properly implementing payments, collecting revenue and recovering amounts established as being receivable.
Moreover, in accordance with the ERA Financial Regulation adopted by the decision n°206 of the Management Board on 23/09/2019, the Articles 45 and 47 stipulate powers and duties of the Accounting Officer with respect to the creation and management of legal entity files and for the keeping of supporting documents. These files and documents contain the needed personal data for a sound and legal management of payments and recovery of sums.
Lawfulness:
Processing of "Legal Entity" (LEF) and "Bank account" (BAF) related data is lawful under art. 5.1 (a), (b) and (c) of the Regulation (EC) 2018/1725, because it is necessary:
The Agency has several security controls in place to protect your personal data from unauthorised access, use or disclosure. We keep your data stored on computer systems with limited access to a specified audience only.
For audit trail reasons and to permit at all times queries on the past execution of payments, no registered data are deleted from the accounts. The forms and documents you submit are scanned and archived electronically. The original forms and documents are usually included in the payment files and follow the same retention rules.
You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data. You have also the right to object to the processing of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.
If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.
All your requests concerning your data protection rights should be addressed to the Data Controller.
In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer.
You have at any time the right of recourse to the European Data Protection Supervisor.
This notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of mission and authorized travels management (including travel order sent to the travel agency).
Your personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
For more information about the processing in question, you are invited to contact ERA through the addresses provided in section “Contacts”.
ERA Head of Finance and Procurement Unit.
This processing operation is related to the use and exchange of personal data amongst the different intervening parties in order to organise and execute missions and authorised travels. The processing operations concern the travel’s arrangements, the hotel’s accommodation, the use of third parties services (e.g. car rentals) and the related payment of these costs.
The mission management requires the intervention of both internal and external actors. These external actors are the travel agency, the transport companies, the hotels and any other organization that can be called upon to intervene as part of the mission (for example travel insurance company).
Within the mission order and claim in MiMa the data fields concerned are the name of the staff member and his/her personnel number. However, since MiMa forms part of the wider e-HR application, other personal data is contained in the central repository of the e-HR application.
The travel order form contains information on the following categories of data: name, surname, date of birth, portable phone number (to be contacted by the Agency in case of emergency), nationality, passport number, date of issue and expiry date (for travels by plane, only if required by the air company), preferred placement on board of train or flight (window, aisle, porthole), meals requirements (vegetarian-vegan-halal- kosher-diabetic-low salt diet-no sugar nutrition-gluten free-allergen free), traveller's unit, name of Authorizing Officer.
Data regarding the mission itself: place(s) of the mission and transit, date of departure and arrival, means of transport, name and place of the hotel, hotel invoices, start and end times of the professional commitments, possible combined holidays, possible request for anticipating budget for expenses, the budget line on which the mission will be paid, the MiMa mission number and the approval date created when the authorising officer signs for agreement.
The recipients of the personal data are:
All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.
The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined above.
Legal basis:
Lawfulness:
The data processing is considered lawful under art. 5(a) and (b) of the Regulation (EC) 2018/1725, because it is necessary:
The Agency has several security controls in place to protect your personal data from unauthorised access, use or disclosure. We keep your data stored on MiMa with limited access to a specified audience only.
Access to the MiMa database is limited to:
The data collected for mission management are kept for a maximum of 8 years, as per provisions contained in the Art. 47 of the ERA financial regulation:
"1. The authorising officer shall set up paper-based or electronic systems for the keeping of original supporting documents relating to the budget implementation. Such documents shall be kept for at least five years from the date on which the European Parliament grants discharge for the financial year to which the documents relate.
2. Documents relating to operations not definitely closed shall be kept for longer than provided for in paragraph 1, namely until the end of the year following that in which the operations are closed."
3. Personal data contained in supporting documents shall, where possible, be deleted when those data are not necessary for budgetary discharge, control and audit purposes. Article 88 of Regulation (EU) 2018/1725 shall apply to the conservation of data.”
Until the end of a possible audit, if one started before the end of the above-mentioned period.
Under data protection law, you have rights we need to make you aware of these rights. The rights available to you depend on our reason for processing your information. You are not required to pay any charges for exercising your rights.
You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data.
If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.
The Agency does not do automated decision making, including profiling, on the personal data acquired during procurement and contract management procedure.
If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.
The Agency will address your requests within 2 weeks from the receipt of the request.
All your requests concerning your data protection rights should be addressed to the Data Controller.
In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer.
You have at any time the right of recourse to the European Data Protection Supervisor.
ERA keeps this privacy notice under regular review to make sure it is up to date and accurate.
Through the ERADIS database, the Agency is collecting and providing public access to the following documents and information:
This notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of ERADIS.
Your personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
For more information about the processing in question, you are invited to contact ERA through the addresses provided in “Contacts”.
The Controller determining the purpose and means of the processing of your personal data is the European Union Agency for Railways (ERA). The entity responsible for managing the personal data processing is the Head of Analysis and Monitoring Unit.
The purpose of this database is to make publically available documents provided for by Directives (EU) 2016/797, 2016/798, 2012/34/EU, Regulation (EC) No 1371/2007, Commission Implementing Regulations (EU) No 402/2013 and 445/2011.
Free access to ERADIS is granted to public to read data, while a username and a password are needed for data submission. Therefore, a registration of personal data is requested to obtain credentials in order to get an authorised access and to be contacted in case of any need.
The types of data, including personal data that may be processed are as follows:
In addition, in order to protect the content against inappropriate behaviors (e.g. certificates mismatching or hacking attempts) an Audit Trail has been implemented, recording all user’ actions.
The fields in the recorded logs are the following:
Timestamp
Username
Source IP address
Session ID
Action details
Invoked URL
This functionality is activated only for logged-in users and can be activated/ deactivated at any time.
Finally, information is stored in servers located in ERA’s premises, access only granted to authorised staff members.
In addition, ERA uses "first-party cookies".
A cookie is a small piece of text that a website stores on your computer or mobile device when you visit it. These cookies are set and controlled by ERA through a platform named Matomo, not by any external organisation. The first-party cookies are used to:
The purpose is to enable the site to:
Every time you visit ERADIS, you will be prompted to accept cookies or to modify settings, in order to:
All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.
The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.
Personal data is not intended to be transferred to a third country outside the EU.
You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for correction of any inaccurate or incomplete personal data. You have also the right to object to the processing or request the erasure of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.
If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the “Contacts” below.
Legal basis:
Lawfulness:
The above data processing operation is carried out in accordance with Art. 5(a) of Regulation (EU) 2018/1725:
Personal information is retained until the user account is deleted or for the lifetime of ERADIS, designed as a permanent tool - until the relevant legislation is changed.
Regarding the Audit Trail logs, they are kept for 12 months before deletion.
All your requests concerning your data protection rights should be addressed to the Data Controller the Head of Analysis Unit.
In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer.
You have at any time the right of recourse to the European Data Protection Supervisor.
This Notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of ERATV.
Your personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
For more information about the processing in question, you are invited to contact ERA through the addresses provided in “Contacts”.
The Controller determining the purpose and means of the processing of your personal data is the European Union Agency for Railways (ERA). The entity responsible for managing the personal data processing is the Head of Analysis and Monitoring Unit.
ERATV is a register to make publically available types of railway vehicles authorized for placing on the market of the Union.
Free access to ERATV is granted to public to read data, while a username and a password are needed for data submission (cfr. Annex I, Table 1 of Commission Implementing Decision 2011/665/EU on the European register of authorised types of railway vehicles as amended by Commission Implementing Regulation (EU) 2019/776 of 16 May 2019).
Once logged-in, user can see also the names of other users (e.g. authors), who created the draft record in ERATV. The same information is displayed in the History of changes and in the Communications section (which user did each action and when). The purpose is to keep the traceability of data creation, submission and publication and to be able to contact a user in case of any need (see User Manual section 2.2.3)
Therefore, a registration of personal data is requested to obtain credentials in order to get an authorised access, to keep trace of data management and to be contacted.
Responsibilities for the records submitters are described in the ERATV Terms of Use, section 3.
The types of data, including personal data that may be processed are as follows:
Appropriate organizational and technical security measures are ensured according to the data protection legislation applicable to EU institutions and bodies.
Finally, information is stored in servers located in ERA’s premises, access only granted to authorised staff members.
In addition, ERA uses "first-party cookies".
A cookie is a small piece of text that a website stores on your computer or mobile device when you visit it. These cookies are set and controlled by ERA through a platform named Matomo, not by any external organisation. The first-party cookies are used to:
The purpose is to enable the site to:
Every time you visit ERATV, you will be prompted to accept cookies or to modify settings, in order to:
The recipients of the personal data are:
All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.
The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.
Personal data is not intended to be transferred to a third country outside the EU.
You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for correction of any inaccurate or incomplete personal data. You have also the right to object to the processing or request the erasure of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.
If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the “Contacts” below.
Legal basis:
Lawfulness:
The above data processing operation is carried out in accordance with Art. 5(a) of Regulation (EU) 2018/1725:
Personal data are retained until the user account is deleted or for the lifetime of ERATV, designed as a permanent tool - until the relevant legislation is changed.
All your requests concerning your data protection rights should be addressed to the Data Controller the Head of Analysis Unit at AOD.aam@era.europa.eu.
In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer at DataProtectionOfficer@era.europa.eu.
You have at any time the right of recourse to the European Data Protection Supervisor at edps@edps.europa.eu.
This Notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of Register of Infrastructure (RINF) Common User Interface (CUI).
Your personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
For more information about the processing in question, you are invited to contact ERA through the addresses provided in “Contacts”.
The Controller determining the purpose and means of the processing of your personal data is the European Union Agency for Railways (ERA). The entity responsible for managing the personal data processing is the Head of Analysis and Monitoring Unit.
The information provided by RINF is used for:
Free access after self-registration is granted to public to read data, while access rights granted by the Agency are needed for data submission. Therefore, a registration of personal data is requested in order to get an authorized access according to the defined roles and to be contacted in case of any need.
The types of data, including personal data that may be processed are as follows:
By the registration of its own data each user is able to access the information system and to manage data according to the related rights ensuring the appropriate level of security, in accordance with organizational and technical security measures of the Agency.
In addition, in order to support users or to protect the content against inappropriate behaviors (e.g. certificates mismatching or hacking attempts) an information auditing functionality has been implemented, recording all user’ actions.
The fields in the recorded logs are the following:
Finally, information is stored in servers located in ERA’s premises, access only granted to authorized staff members.
In addition, ERA uses "first-party cookies".
A cookie is a small piece of text that a website stores on your computer or mobile device when you visit it. These cookies are set and controlled by ERA through a platform named Matomo, not by any external organisation. The first-party cookies are used to:
The purpose is to enable the site to:
Every time you visit RINF, you will be prompted to accept cookies or to modify settings, in order to:
The recipients of the personal data are:
All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.
The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.
Personal data is not intended to be transferred to a third country outside the EU.
You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for correction of any inaccurate or incomplete personal data. You have also the right to object to the processing or request the erasure of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.
If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the “Contacts” below.
Legal basis:
Lawfulness:
The above data processing operation is carried out in accordance with Art. 5(a) of Regulation (EU) 2018/1725:
Personal information are retained until the user account is deleted or for the lifetime of RINF CUI, designed as a permanent internet tool (until the relevant legislation is changed).
All your requests concerning your data protection rights should be addressed to the Data Controller the Head of Analysis Unit.
In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer.
You have at any time the right of recourse to the European Data Protection Supervisor.
This Notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of RDD.
Your personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
For more information about the processing in question, you are invited to contact ERA through the addresses provided in “Contacts”.
The Controller determining the purpose and means of the processing of your personal data is the European Union Agency for Railways (ERA). The entity responsible for managing the personal data processing is the Head of Analysis and Monitoring Unit.
The following processing of information implies personal data and has the following purposes:
The collected data for user registration are the following (fields marked * are mandatory):
General information: Username *, E-mail *, Password *, Confirm Password *, Role *(role assigned to user in RDD by selection form the available ones), Member State *(associated MS- allows user to carry out action on the data set of the respective MS), Address, Postal Code, Country *, Office, Phone, Mobile Phone, Fax, Contact Person, First Name, Last Name, E-mail and Phone.
Reports Service User Account Info (configuration data necessary for execution of reports with limited accessibility: (e.g. access to unpublished information that is restricted to MS): Reports Service User Name, Reports Service Domain Name, and Reports Service Password
The notification information required for specific role of notifier to ensure data transfer from RDD to Notif-IT: Title, Title in English, Reporting Body, Reporter User, Creator User.
The collected data for notification of publication from RDD is the email address.
The summary of the actions performed by the user are logged.
The username associated with the locked MS NLF or MS NRD is stored in the database.
In addition, in order to protect the content against inappropriate behaviors (e.g. hacking attempts) an Audit Trail has been implemented, recording all registered user’ actions. The fields in the recorded logs are the following:
Appropriate organizational and technical security measures are ensured according to the data protection legislation applicable to EU institutions and bodies.
Finally, information is stored in servers located in ERA’s premises, access only granted to authorised staff members.
Furthermore, ERA uses "first-party cookies".
A cookie is a small piece of text that a website stores on your computer or mobile device when you visit it. These cookies are set and controlled by ERA through a platform named Matomo, not by any external organisation. The first-party cookies are used to:
The purpose is to enable the site to:
Every time you visit RDD, you will be prompted to accept cookies or to modify settings, in order to:
The recipients of the personal data are:
All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.
The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.
Personal data is not intended to be transferred to a third country outside the EU.
You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for correction of any inaccurate or incomplete personal data. You have also the right to object to the processing or request the erasure of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.
If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the “Contacts” below.
Legal basis:
Lawfulness:
The above data processing operation is carried out in accordance with Art. 5(a) of Regulation (EU) 2018/1725:
Personal data related to the user accounts are retained until the user account is deleted or for the lifetime of RDD.
When a request for an account deletion is received, the account is deleted by RDD administrator. Regarding the subscription to notification of publication from RDD, the subscriber can at any moment unsubscribe.
All your requests concerning your data protection rights should be addressed to the Data Controller the Head of Analysis Unit.
In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer.
You have at any time the right of recourse to the European Data Protection Supervisor.
This notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of Content creation and collaboration by means of Microsoft Office 365 online.
Your personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
For more information about the processing in question, you are invited to contact ERA through the addresses provided in section “Contacts”.
ERA Head of Resources and Support Unit.
The processing activity refers to the Microsoft Office 365 (Office 365) services made available to the Agency’ staff to support all content creation and management as well as collaboration use cases at ERA, as far as these are not supported by alternative tools or systems.
ERA has contracted the cloud-based solution Office 365 (“Office 365 platform”) provided by Microsoft to enable ERA internal and external stakeholders to work on any corporate device and facilitating collaboration.
These services are contracted through an inter-institutional framework contract whose terms and conditions were negotiated by the European Commission – DG DIGIT on behalf of the Agency, beside others EUIs. Microsoft acts as data processor for the provision of services related to the Microsoft Office 365 cloud–based collaboration platform, as well as to operate the following business operations:
The Office365 platform distinguishes between the following data categories:
Any of these categories may contain personal data. The operation of this platform requires the processing of data categories by Microsoft, for the following specific purposes:
The operation of this platform requires the processing of data categories by ERA, for the following specific purposes:
The above-mentioned processing of personal data by ERA and/or Microsoft is done to provide the cloud component of the Digital Workplace services.
In addition to this, Microsoft has been granted permission to process personal information for internal business functions in the context of providing the Office365 service (exhaustive list):
Note that processing of personal data for profiling, advertising or marketing is explicitly prohibited.
The mode of processing is automated (computer/machine).
In addition to automated processing, ERA or Microsoft or other specific Third party contractually bound with ERA, may process personal data manually. Manual processing is taking place in the framework of service operations, most importantly to investigate security alerts.
The following categories of data subjects can be distinguished:
that are enrolled as Office 365 users.
Related to the provision of the service, ERA or Microsoft process four different categories of data, all of which may include personal data. These categories are:
This information is copied to all Microsoft Office 365 data centers as per contract terms used to provide the service that allows global access and access control to the ERA’s environment in Office 365.
The recipients of the personal data are:
Those members of staff include ERA staff and external contractors under the supervision of the above mentioned ERA staff.
All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.
The personal information collected will not be communicated to third parties, except where necessary for the purposes ERA may be required to do so by law.
For services related to the Office 365 cloud-based collaboration platform, Microsoft acts as data processor. Contact details: Microsoft Ireland, South County Business Park, One Microsoft Place, Carmanhall and Leopardstown, Dublin, D18 P521, Ireland.
Legal basis:
Lawfulness:
The data processing is considered lawful under art. 5(a), of the Regulation (EC) 2018/1725, because it is necessary:
All personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are stored either on the servers of the Agency or in Microsoft datacentres in the EU (linked to the Commission’s Office 365 environment). All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.
In order to protect your personal data, the Commission (who represented the Agency in the negotiations with Microsoft) has put in place several strong contractual safeguards, complemented by technical and organisational measures. In addition to the general policy of Microsoft to secure personal data by means of pseudonymisation and encryption, the risk of disclosure of personal data to third country authorities by Microsoft Ireland and its affiliates is mitigated by customized contractual provisions, which address the way Microsoft responds to access requests, limiting risks to personal data of the customer. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.
If users access the Office 365 service from outside the EU/EEA, personal data may be transferred to a corresponding location in order to provide the service. To enable the global service provisioning of Office 365, Microsoft copies identification data (see Section 4) to all Office 365 data centres around the globe used to provide the service. This copied identification data remains under the control of Microsoft and is used to verify the user authentication details and grant access to EC M365 resources.
Service generated data is not necessarily processed outside of the EU. Microsoft is authorised to transfer it to Microsoft Corp., located in the USA, and the network of sub-processors. This type of data contains information on the usage of the service. The data is aggregated before being transferred but may contain identifiable information (see Section 4).
In addition to the general policy of Microsoft to secure personal data by means of pseudonymisation and encryption, the risk of disclosure of personal data to third country authorities by Microsoft Ireland and its affiliates is mitigated by customized contractual provisions, which address the way Microsoft responds to access requests, limiting risks to personal data of the customer.
Any data in transit is protected by strong encryption
The Agency
Microsoft, as a processor for Office 365 services, may retain data for Online Services upon expiration of the subscription, i.e. during the 90-day retention period and subsequent period, up to an additional 90 days.
Under data protection law, you have rights we need to make you aware of these rights. The rights available to you depend on our reason for processing your information. You are not required to pay any charges for exercising your rights.
You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data. You have also the right to object to the processing of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.
If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.
The Agency does not do automated decision making, including profiling, on the personal data acquired during the use of the Microsoft Office 365 services.
If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.
The Agency will address your requests within 2 weeks from the receipt of the request.
All your requests concerning your data protection rights can be addressed to the Data Controller at HoUResourcesandSupport@era.europa.eu.
In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer at DataProtectionOfficer@era.europa.eu.
You have at any time the right of recourse to the European Data Protection Supervisor at edps@edps.europa.eu.
ERA keeps this notice under regular review to make sure it is up to date and accurate.
1 The objective of all processing activities related to Office 365 is to support the management and the functioning of the Agency, by adjusting the internal mechanisms and management systems to the new technological environment and advancements, by providing to ERA Staff the necessary means and tools to perform their daily tasks and by organizing ERA’s operations according to the principles of sound financial management.
This Notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of ECVVR.
It is a system composed of:
Therefore, ECVVR can be considered as a search engine on distributed rail vehicles-related data, using a common software application, which allows users to retrieve data from all the registers in the Member States.
Concerning the personal data managed at Member State level, through the so called Standard National Vehicle Register (“sNVR”) sub-system and other NVRs subsystems using NVR-TE (translation engine), they shall follow the national rules in matters of data protection. Consequently Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) shall be applied.
Any personal data provided by Registration entities’ administrators (REs) to access the European Centralised Virtual Vehicle Register system (ECVVR) and particularly through the module so called “VVR” hosted by ERA will be processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
For more information about the processing in question, you are invited to contact ERA through the addresses provided in “Contacts”.
The Controller determining the purpose and means of the processing of personal data is the European Union Agency for Railways (ERA) for those data managed to create users’ account in VVR for REs administrators. The entity responsible for managing such personal data processing is the Head of Analysis and Monitoring Unit.
The purpose of processing is to allow REs as listed in point 3.3 of the Annex I of the Commission Decision 2007/756/ECto access the EU vehicles data -via web authentication. By the registration of their own personal data each user is able to access the information system and to manage data according to their own access rights ensuring the appropriate level of security.
The types of data, including personal data that may be processed are as follows:
The Legislation predefined rights that, duly taken into account and matched through the VVR search engine, ensure access to the information in a secure way. Therefore, by registration of their own data the REs user is able to access the information system and to manage data according to the related rights ensuring the appropriate level of security, in accordance with organizational and technical security measures of the Agency.
Finally, information is stored in servers located in ERA’s premises, access only granted to authorized staff members.
In addition, ERA uses "first-party cookies".
A cookie is a small piece of text that a website stores on your computer or mobile device when you visit it. These cookies are set and controlled by ERA through a platform named Matomo, not by any external organisation. The first-party cookies are used to:
The purpose is to enable the site to:
Every time you visit ERADIS, you will be prompted to accept cookies or to modify settings, in order to:
The recipients of the data are:
All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.
The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.
Personal data is not intended to be transferred to a third country outside the EU.
REs administrators have the right to access their personal data, which is the right to obtain confirmation about data processed by the Agency and the right to ask for correction of any inaccurate or incomplete personal data. REs administrators have also the right to object to the processing or request the erasure of their personal data, which will be implemented as soon as a specific request will have been deemed legitimate.
If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the “Contacts” below.
Legal basis:
Lawfulness:
The above data processing operation is carried out in accordance with Art. 5(a) of Regulation (EU) 2018/1725:
Period of storage: until the user account is deleted by the system user that created it (ERA or RE), for the lifetime of VVR designed as a permanent internet tool (until the relevant legislation is changed).
All your requests concerning your data protection rights should be addressed to the Data Controller the Head of Analysis Unit.
In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer.
You have at any time the right of recourse to the European Data Protection Supervisor.
The European Union Agency for Railways (ERA) is committed to respecting the privacy of personal data processed during webinars it organises. In this framework, all personal data provided by stakeholders (contacts) are dealt with in compliance with (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (hereafter EUI Data Protection Regulation).
This privacy statement outlines the criteria by which ERA collects, manages and uses the personal data of its stakeholders when organising webinars.
Head of Unit EXO
ERA Staff
Third Party: only when using the SRM (see below): Microsoft Dynamics CRM Click Dimensions
The Agency has introduced webinars to promote a better understanding of its activities and to ensure a continuous exchange with its stakeholders.
Webinars are organised using Microsoft Teams Live. Participants can choose to ask questions in the chat anonymously, create an alias or identify themselves. The link to access the webinar is made available on the ERA website and is unique for each event. In addition invitations are sent using the Agency’s Stakeholder Relationship Management CRM-tool, SRM. SRM is also used for follow up. (Data Protection Notice - Stakeholder Relationship Management)
ERA has identified two main types of stakeholders:
ERA gathers no personal data about the participants of the webinars if they chose to connect anonymously.
Speakers at the webinars are requested to give their written consent for data processing, the use of their personal data for promoting the webinar, as well as the dissemination of the recordings, prior to the webinar broadcast.
The webinar and the Questions & Answers-session are recorded to make it available for streaming (not downloading) on the Agency’s YouTube channel after the broadcasting. No personal data are collected from the persons streaming this video.
In addition, via links displayed on the dedicated webinar web page:
Only when requesting documentation after the webinar, the SRM collects the following personal data: first name, last name, email address.
If the webinar participant agrees that his/her data are kept in the ERA database and in addition selects subscription preferences he/she will be directed to the sign in-portal of SRM and the workflow of SRM applies. (DP Notice - SRM)
Personal data taken from speakers and data subjects ordering documentation about the webinar will be deleted within 60 days if requested by the data subject.
ERA processes no personal data of the persons that participate in the webinar broadcast or that stream the website video after it has been made available on the website. For invitations to the webinar and follow up the SRM is used and the DP Notice - SRM applies.
No
ERA processes no personal data of the persons that participate in the webinar broadcast or that stream the website video after it has been made available on the website. For invitations to the webinar and follow up the SRM is used and the DP Notice - SRM applies.
Legal basis: ERA webinars support the actions which have to be undertaken by the Agency in the context of Articles 5 and 39 of Regulation (EU) 2016/796 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Railways
Lawfulness: The agency collects and processes your personal data in compliance with Article 5(a) and (b) of the EUI Data Protection Regulation:
(a) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;
(b) Processing is necessary for compliance with a legal obligation to which the controller is subject
The processing of personal data for all other purposes (generic stakeholders) who have an interest in ERA activities and have voluntarily chosen to be added to the SRM is lawful based on their consent (Article 5 (d) of the EUI Data Protection Regulation).
You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data. You have also the right to object to the processing or request to erasure of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.
If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the contacts below.
In order to exercise your rights as data subjects you are invited to contact the Controller by email.
Any other questions on the stakeholder relationship management can be sent using the contact us-form on the ERA website, selecting as topic of request: ‘User management of workgroups’.
In case you have any questions related to the protection of your personal data, you can contact the ERA Data Protection Officer.
You have at any time the right of recourse to the European Data Protection Supervisor.
This notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of the European rail safety climate survey.
Your personal data is processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
For more information about the processing in question, you are invited to contact ERA through the addresses provided in section “Contact us”.
The Controller determining the purpose and means of the processing of your personal data is the European Union Agency for Railways (ERA). The entity responsible for managing the personal data processing is the Head of Safety and Operations Unit.
The purpose of the processing operation is to obtain a general overview on the risk perception of railway professionals. Responses will not be identified by individuals, but compiled together and analysed as a group for the sole purpose of dealing effectively with the topic.
The only personal data that you are explicitly requested to provide is:
Your data is processed with the use of EU Survey tool, which is as an application developed by the Commission of the European Union supported by Directorate-General for Informatics (DIGIT) of the European Commission. The privacy notice of the EU Survey tool is accessible here. Some EU Survey pages may contain links to other websites. EU Survey is not responsible for the privacy policies or practices of third party websites.
Appropriate organisational and technical security measures will be ensured according to the data protection legislation applicable to EU institutions and bodies.
The recipients of the personal data are:
All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.
The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.
Personal data is not intended to be transferred to a third country outside the EU.
You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for correction of any inaccurate or incomplete personal data. You have also the right to request the erase of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.
If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.
Processing is necessary for the performance of tasks with a legal obligation to which the controller is subject: Directive (EU) 2016/798 of the European Parliament and of the Council of 11 May 2016 on railway safety (recast). Article 29(2) provides that the Agency shall evaluate the development of a safety culture including occurrence reporting. It is to submit to the Commission, by 16 June 2024, a report containing, where appropriate, improvements to be made to the system.
The above data processing operation is therefore carried out in accordance with Art. 5(b) of Regulation (EU) 2018/1725: processing is necessary for compliance with a legal obligation to which the controller is subject.
All your requests concerning your data protection rights should be addressed to the Data Controller.
In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer.
You have at any time the right of recourse to the European Data Protection Supervisor.
This Notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of SRD.
Your personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
For more information about the processing in question, you are invited to contact ERA through the addresses provided in “Contacts”.
The Controller determining the purpose and means of the processing of your personal data is the European Union Agency for Railways (ERA). The entity responsible for managing the personal data processing is the Head of Analysis and Monitoring Unit.
The processing of personal data in the SRD is needed to enable certain functionalities regarding notifying countries’, ERA’s, EC’s or EFTA’s tasks fulfillment. Particularly, credentials (username and password) are required to register, edit, draft and notify national rules, act on assessment results submitted by ERA, communicate with the Agency and EC/EFTA, manage SRD users, reference data, examination and assessment results of national rules, validation of national rules of notifying countries and communicate with them concerning a specific national rule (EC).
The personal data requested for user registration are the following:
In addition, in order to protect the content against inappropriate behaviors (e.g. hacking attempts) an Audit Trail has been implemented, recording logged-in users’ actions:
All personal data are processed only by designated staff and stored on servers in ERA premises, which abide by the ERA’s IT security rules and standards. For more information about the ERA Authentication Service (EAS) allowing the authenticated users to have access to the ICT resources in a manner that ensures the confidentiality, integrity and availability of the information assets please refer to the Azure Active Directory privacy notice.
Furthermore, ERA uses "first-party cookies".
A cookie is a small piece of text that a website stores on your computer or mobile device when you visit it. These cookies are set and controlled by ERA through a platform named Matomo, not by any external organisation. The first-party cookies are used to:
The purpose is to enable the site to:
Every time you visit SRD, you will be prompted to accept cookies or to modify settings, in order to:
The recipients of the personal data are:
All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.
The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.
Personal data is not intended to be transferred to a third country outside the EU.
You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for correction of any inaccurate or incomplete personal data. You have also the right to object to the processing or request the erasure of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.
If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the “Contacts” below.
Legal basis:
Lawfulness:
The above data processing operation is carried out in accordance with Art. 5(a) of Regulation (EU) 2018/1725:
Personal information is retained until the user account is deleted or for the lifetime of SRD, designed as a permanent tool - until the relevant legislation is changed.
All your requests concerning your data protection rights should be addressed to the Data Controller the Head of Analysis Unit.
In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer.
You have at any time the right of recourse to the European Data Protection Supervisor.
This notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of the Organisation Codes Register (OCR).
Your personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
For more information about the processing in question, you are invited to contact ERA through the addresses provided in “Contacts” section.
The Controller determining the purpose and means of the processing of your personal data is the European Union Agency for Railways (ERA). The entity responsible for managing the personal data processing is the Head of Analysis and Monitoring Unit.
Through the OCR, the Agency is creating, allocating and providing public access to the Organisations codes to access its registers and databases (including the One-Stop-Shop application).
Free access to OCR is granted to public to read data, while a username and a password are needed for data submission. Therefore, a registration of personal data is requested through the Stakeholder Relations Management (SRM) tool, in order to get an authorised access and to be contacted in case of any need.
The collected personal data for the Stakeholders (defined as “Guest”) account type are the following:
All personal data are processed only by designated staff and stored on Microsoft cloud servers located in Europe, which abide by the ERA’s IT security rules and standards, pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.
All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.
Microsoft Corporation, as processor, is committed under the terms of the Interinstitutional License Agreement and related documents to respect the obligations of the GDPR. The nature and the purpose of the processing is related to the provision of the Online Service pursuant to Customer's volume licensing agreement.
In compliance with the terms of the Art. 27 of the GDPR, Microsoft Ireland Operations Limited is Microsoft's representative in the European Union that offers customer support through Microsoft's Privacy web form, located at http://go.microsoft.com/?linkid=9846224. The Microsoft Data Protection Officer is Mr Steve May.
Transfers of personal data outside the European Union are not foreseen.
However, diagnostic data covered by contractual rules may be sent to Microsoft outside EU territory.
Microsoft commits to have in place written agreements with all sub-processors that are at least as restrictive in terms of data protection and security as their data processing agreement with the EC.
The activities of all sub-processors are in scope of third-party audits.
You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data.
If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.
Legal basis:
Lawfulness:
The above data processing operation is carried out in accordance with Art. 5(a) of Regulation (EU) 2018/1725:
Personal data for the “Guest” account type is retained as follows:
As long as users are recorded as active. If the user is registered through a third party, the period of activity will usually correspond to a contractual link with that party, but the Agency will consider the user active if it continues to receive user’s information (in the case of an automatic link) or until user’s account expires. After the expiration date, data is kept:
› for a period of 30 days, before its deletion,
› 6 months after the deletion in logs and back-up media.
In case of incident the data will be kept for analysis for a longer period to establish evidence or to defend a right in a legal claim pending before a court.
All your requests concerning your data protection rights should be addressed to the Data Controller the Head of Analysis Unit at AOD.aam@era.europa.eu.
In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer at DataProtectionOfficer@era.europa.eu.
You have at any time the right of recourse to the European Data Protection Supervisor at edps@edps.europa.eu.