The European Union Agency for Railways (ERA) is committed to respecting the privacy of the participants to any consultations which are organised in the framework of its activities. All personal data provided to ERA are dealt with in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (and any other regulation that will supersede it).

The following data protection information notice outlines the criteria by which ERA collects, manages and uses the personal data of the participants to consultations with social partners and organisations representing rail freight customers and passengers.

Identity of Controller:

ERA

Purpose of processing:

Processing of personal data is needed to obtain the views of stakeholders concerned whenever the Agency is required to address its recommendations to the European Commission on matters that have a direct impact on these categories of subjects.

Type of data processed:

Only the following data are collected:

• Name (optional)
• Surname (optional)
• Organisation (optional)
• E-mail address (optional)

Recipients of the data processed:

In accordance with Article 4 of Regulation (EC) N° 1049/2001 of 30 May 2001 regarding public access to European Parliament, Council and Commission documents and Article 8(2) of the “Arrangements to be applied by the Agency for public access to documents” (Annex to Management Board Decision N°145 of 29 November 2016), ERA is committed to grant access to any document you have submitted during the consultation phase, by publishing the outcome on the ERA website.

In a later stage, your opinions will be included in the report accompanying the recommendation to the Commission, as provided for in Articles 6 and 7 of the Agency’s Regulation.

In order to ensure the reliability of your contribution and for transparency reasons, some of your personal information may be published as well, where appropriate, without any further processing which is incompatible with the purpose of the consultation. You can specify what personal information you agree to be published by checking the relevant box in the comment sheet.

Legal basis and Lawfulness of processing:

Legal basis: In accordance with Articles 6 and 7 of Regulation (EU) 2016/796 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Railways and repealing Regulation (EC) No 881/2004.

Lawfulness:  The agency collects and processes your personal data in compliance with Article 5 (a) and (b) of the EU Data Protection Regulation:

(a) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;

(b) processing is necessary for compliance with a legal obligation to which the controller is subject

The processing may be based on consent (Article 5(d) of the EU Data Protection Regulation) or another legal basis, as established by the EU Data Protection Regulation, in some specific circumstances.

Protection and security measures:

All personal data are processed only by designated ERA staff and stored on servers which abide by the ERA’s IT security rules and standards.

Retention period:

Your personal data will remain in the database until the results have been completely analyzed and will be rendered anonymous when they have been usefully exploited, and at the latest after twelve months from the end of the consultation. This does not apply to personal data whose online publication has been consented. These data will remain available on the ERA website until the data subject exercise their rights to have it deleted.

The data subject’s rights:

In case you wish to verify which personal data is stored on your behalf by the responsible Controller, have it modified, corrected or deleted, please contact the Data Controller by using the contact information below and by explicitly specifying your request, or our Data Protection Officer.

Resource:

Practical questions on the public consultation can be sent to the ERA staff in charge of the organisation of the relevant consultation, using the functional mailbox specifically established for that consultation.

In case of conflict on any Personal Data Protection issue you can address yourself to our Data Protection Officer or use the contact form on our website, selecting as type of request: “Data protection” and specifying the reference to the consultation.

Should the conflict not be resolved by the Data Protection Officer you may lodge a complaint with the European Data Protection Supervisor at any time.

The European Union Agency for Railways (ERA) is committed to respecting the privacy of its candidates for recruitment. Within the framework of the selection procedures at ERA, all personal data provided by candidates are dealt with in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

The following data protection information notice outlines the criteria by which ERA collects, manages and uses the data provided by candidates within the different selection procedures for the recruitment.

Identity of Controller:

ERA Head of Resources and Support Department

Purpose of processing:

Processing of personal data is needed for:

• The organisation of selection procedures to recruit temporary agents, contract agents, seconded national experts and trainees
• The management of applications at the various stages of these selections
• The management and control of the use of reserve lists.

Type of data processed:

The personal data processed are the ones provided in the form used for the electronic application, in particular:

• Personal data allowing the candidate to be identified, i.e. surname, first name, date of birth, gender, nationality, private address, e-mail address, telephone
• Information provided by the candidate to allow the practical organisation of selection, i.e. address information: street, postcode, town, country, telephone, fax, e-mail
• Information provided by the candidate to verify whether s/he fulfils the eligibility and selection criteria laid down in the vacancy notice, i.e. information about nationality, languages, education, previous working experience, fulfilment of military/civil service duties, criminal convictions etc. Furthermore, the applicant may indicate any individual situation regarding eligibility criteria and any other information they would like to provide to support their application
• Information concerning any disabilities (with the purpose to prepare any necessary arrangements and possibly, assist the staff/trainee in receiving an additional supplement to his/her grant)
• Additional information in case a traineeship is offered: proof of health and accident insurance, bank account details (for the purposes of travel costs reimbursement and payment of the traineeship grant, where applicable).

Candidates are free to give their data on a voluntary basis, although failure to provide data in the mandatory fields will not allow the submission of the application form.

Recipients of the data processed:

• Human Resources Unit (more specifically staff in charge of recruitment)
• Members of the Selection Board
• Appointing Authority (Executive Director)
• Also, if appropriate, access will be given to the Internal Audit Service, the European Ombudsman, the Civil Service Tribunal and the European Data Protection Supervisor
• Should the applicant’s name be placed on a reserve list, access to the reserve list and to the applicant’s data will be provided to the concerned internal services interested in the recruitment of the person
• In case the Agency would outsource services to third parties, the identification data of the candidates may be transferred in order to organise the procedure.

Legal basis and Lawfulness of processing:

Legal Basis: In accordance with Decision 206/06.2009; Decision 207/06.2009; Rules governing traineeship period at ERA; Amendment to the ERA rules governing engagement of trainees.

Lawfulness:  The agency collects and processes your personal data in compliance with Article 5 (a) and (b) of the EU Data Protection Regulation:

(a) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;

(b) processing is necessary for compliance with a legal obligation to which the controller is subject

The processing may be based on consent (Article 5.1(d) of the EU Data Protection Regulation) or another legal basis, as established by the EU Data Protection Regulation, in some specific circumstances.

Protection and security measures:

All personal data are processed only by designated ERA staff and stored on servers which abide by the ERA’s IT security rules and standards.

Retention period:

Personal data regarding engaged applicants will be kept for ten years after the termination of employment or the last pension payment, whichever applicable.

Data of non-engaged applicants but successfully placed in the reserve list for appointment will be kept for seven years after the budgetary discharge.

Data concerning non-engaged applicants will be kept for five years from the date the data subject became aware of the result of the selection procedure.

Data concerning assigned trainees will be kept for two years after the termination of the traineeship. The purpose of archiving those data is to keep records of all beneficiaries of the traineeship scheme of ERA and allow the delivery of traineeship certification.

Data concerning non-successful applicants for traineeships will be deleted at the end of the traineeship period they applied for. This would allow to for a delayed assignment, should one of the successful trainees drop out of the scheme.

After the above-mentioned periods, only data needed to provide overall statistics on the exercise (number of eligible and non-eligible applications, total number of applications, etc.) will be kept for statistical reasons. These statistics are not subject to Regulation (EU) 2018/1725 since they are anonymous and cannot be used to identify one or more persons either directly or indirectly.

The data subject’s rights:

In case you wish to verify which personal data is stored on your behalf by the responsible Controller, have it modified, corrected or deleted, please contact the Data Controller by using the contact information below and by explicitly specifying your request, or our Data Protection Officer.

On the other hand, data demonstrating compliance with the eligibility and selection criteria may not be updated or corrected after the closing date for the respective selection procedure.

Resource:

Practical questions on the recruitment can be sent to the ERA staff working for the Human Resources Unit

In case of conflict on any Personal Data Protection issue you can address yourself to our Data Protection Officer or use the contact form on our website, selecting as type of request: “Data protection” and specifying the reference to the application.

Should the conflict not be resolved by the Data Protection Officer you may lodge a complaint with the European Data Protection Supervisor at any time

The European Union Agency for Railways (ERA) is committed to respecting the privacy of personal data processed by Microsoft Dynamics Customer Relationship Management (SRM) software implemented at ERA. In this framework, all personal data provided by contacts (or subscribers) are dealt with in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

The following data protection information notice outlines the criteria by which ERA collects, manages and uses the personal data of its contacts or subscribers.

Identity of Controller:

ERA Head of Communications

Purpose of processing:

ERA processes personal data of stakeholders to:

• Facilitate contacts, consultation, review of work progress, as well as exchange of information and views between the Agency and its related stakeholders
• Organise and manage events, meetings or other activities, including but not limited to: contact/participant list, invitations, distribution of documents, information sharing, surveys, feedback on documents, follow-up actions, publication of photographs and videos
• Manage access to ERA registers
• Inform about ERA’s activities
• Measure and analyse the interest of stakeholders in ERA communications for improving the quality of our services
• Manage online surveys on specific topics relating to our activities
• Invite experts appointed to participate in the Agency working parties/working groups meetings and process their reimbursement requests.

ERA has identified categories of contacts (i.e. the data subjects) as useful and relevant in achieving its mission to make the railway system work better for society and to contribute to the effective functioning of a Single European Railway Area without frontiers. These categories comprise:

• Relevant stakeholders: defined as ‘core contacts’ and including members of its working groups as well as those having a collaboration relationship with ERA (e.g. national-level decision-makers in the railway domain (national safety authorities, national investigation bodies, ministries of transport etc.), European Commission (DG MOVE), EC committee (RISC), European ‘sister’ Agencies (EASA, EMSA, etc.), rail associations/organisations (GRB, CER, EIM, UIP, UITP, ETF, UIRR, ERFA, etc.)). All of these contracts or groups of contacts are deemed to have an inherent interest in, and influence on, the activities and governance of ERA.
• Information users: defined as informed members of the general audience who have an interest in the ERA activities.

Type of data processed:

Data collected using the SRM software relate to contact information of corporate relevance.

The following personal data are collected:

• Contact details: name, surname, user name, job title, organisation/company name, e-mail address(es), phone(s), gender, title, country, address, picture, domain name, equivalent user
• Financial data: bank account information, supporting evidence submitted for reimbursement.

In addition, the contacts are invited to add information about their interest areas (topics), event participation, subscription and contact preferences.

When organising events or meetings (e.g. workshops or conferences), additional data may be collected:

• Photographs and video images which could be published in the context of the event
• Audio recording of interventions during the participation to event.

ERA can make connections with other contacts (e.g. hierarchical relationship) in order to classify them and establish marketing lists.

The collected data are classified in stakeholder categories, companies/organisations, workgroups and marketing lists.

The Agency’s SRM system has an integrated Outlook client which means that the content of emails can be viewed or stored in the SRM system.

Communications made via the SRM also allow scores about frequency of interactions of the contact with the system, e.g. registration to events.

By working through SRM, the Agency and the contact are able to build up a profile and this can be further enhanced through the use of website cookies.

Recipients of the data processed:

Personal data may be accessed by ERA staff and contractors under the direct supervision of ERA staff.

Data records found not to meet applied standards are disabled.

The SRM is used to develop ERA’s mailing lists for dissemination. Other EU Agencies or bodies may request to use the ERA’s mailing list. To do so, they must first submit a request to ERA. The mailing list will be shared with the EU institution or body which made the request provided that the necessity of the transfer of the data is established, i.e. that the data to be transferred are necessary for the legitimate performance of the tasks covered by the competence of the recipient EU institution or body.

From time to time, in order to validate data or in relation to particular campaigns (e.g. user satisfaction surveys carried out on behalf of ERA or focus groups), contact details (name, emails, addresses) may be transferred to third parties provided that an adequate level of protection (within the meaning of Article 9 of the Regulation (EU) 2018/1725) is ensured, in particular where the Controller adduces adequate safeguards (e.g. use of appropriate contractual clauses) with respect to the protection of the privacy and fundamental rights and freedoms of the data subjects concerned.

How are my data processed by SRM?

• Contact details for the groups mentioned are either entered into the SRM system manually by ERA staff or by the data subject him/herself via the web interface
• All ERA staff has editing rights to manage contacts as in accordance with good SRM practice and guidelines
• Contact details may be gathered from publicly-available lists such as those relating to Members of the European Parliament, European Commission officials etc. and are also gathered through direct contact with an Agency staff member whether it is email, telephone, business card or face-to-face meeting
• Where a new contact is entered into the SRM, s/he will receive an email to indicate that the Agency would like to enter his/her data in its contact database. This email informs the data subject of this intention and provides a hyperlink to lead the data subject through to a variety of options including the possibility to decline the invitation or, if the data subject agrees to be included in the SRM, to provide full contact details, state areas of interest and subscription preferences
• It is only upon explicit agreement of the data subject concerned to be included in the system that the contact would become part of marketing lists for the provision of targeted information or for sending invitations to events
• The contacts are under constant review to ensure accuracy of data
• The contacts are requested to update themselves their data on an annual basis
• The contacts can review their data each time the Agency contacts them using the SRM
• When data subjects are contacted through SRM, they are given the opportunity to review their data and subscription preferences through the link(s) to edit data. A link to data protection policy also appears in all correspondence.

Legal basis and Lawfulness of processing:

Legal basis: The SRM supports the actions which have to be undertaken by the Agency in the context of Articles 5 and 39 of Regulation (EU) 2016/796 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Railways and repealing Regulation (EC) No 881/2004, with a view to:

• setting up a limited number of working parties for the purpose of drawing up recommendations and, where relevant, guidelines, in particular relating to technical specifications for interoperability (‘TSIs’), common safety targets (‘CSTs’), common safety methods (‘CSMs’) and the use of common safety indicators (‘CSIs’)
• having those working parties composed among others of representative nominated by the competent national authorities and professionals from the railway sector
• reimbursing travel and subsistence expenses of the members of the working parties, based on rules and scales adopted by the Agency Management Board
• facilitating and making more effective the Agency’s engagement with its stakeholders.

Lawfulness:  The agency collects and processes your personal data in compliance with Article 5(a) and (b) of the EU Data Protection Regulation:

(a) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;

(b) processing is necessary for compliance with a legal obligation to which the controller is subject

The processing of personal data of all other contacts (“information users”) who have an interest in ERA activities  and have voluntarily chosen to be added to the SRM is lawful based on consent (Article 5 (d) of the EU Data Protection Regulation).

Protection and security measures:

All personal data are processed only by designated ERA staff and stored on servers which abide by the ERA’s IT security rules and standards.

Data might be stored temporarily on the servers of our processor, ClickDimensions. For more information on the processing of your data by ClickDimensions please follow this link: http://help.clickdimensions.com/common-questions-about-clickdimensions-security/.

Retention period:

Personal data regarding stakeholders will be kept until they exercise their rights to have it deleted.

Financial data will be kept for 7 years.

The data subject’s rights:

A data subject can access his/her personal data, rectify any data that is inaccurate or incomplete and request to delete them by sending an email. He or she can also access his/her data directly on the SRM via his/her log-in and password, modify his/her data and subscription preferences.

The participants to events or meetings who prefer their images are neither taken nor published on any support have the possibility to object by contacting the Communication Unit.

Resource:

Practical questions on the stakeholder relationship management can be sent to the ERA staff working for the Communication Unit.

In case of conflict on any Personal Data Protection issue you can address yourself to our Data Protection Officer or use the contact form on our website, selecting as type of request: “Data protection”.

Should the conflict not be resolved by the Data Protection Officer you may lodge a complaint with the European Data Protection Supervisor at any time.

The European Union Agency for Railways (ERA) is committed to respecting the privacy of personal data of the participants in Calls for Expression of Interests (CEI). All personal data provided to ERA are dealt with in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

The following data protection information notice outlines the criteria by which ERA collects, manages and uses the personal data provided within CEI.

Identity of Controller:

ERA Procurement Unit

Purpose of processing:

The processing of personal data of applicants to CEI is needed in order to allow economic operators to propose themselves to be included on a list of potential service providers / experts in advance of public procurement operations / further processing within the subject scope of the respective CEI.

Type of data processed:

The following data are / may be collected in the registration form and further processed for the purposes indicated above:

• Title, First Name, Family Name, Birth Date, Nationality
• Contact Details:
  • Full Name
  • E-Mail Address
  • Street Nr & Name
  • Town/ City
  • Postcode
  • Country
  • Phone Number
  • Website URL (if available).
• Description of main area of business / expertise
• Additional information
• Curriculum Vitae
• Information related to candidates’ legal, economic and financial as well as technical and professional capacity.

Recipients of the data processed:

Personal data may be accessed only by ERA staff for the purpose of management of the CEI and any associated tender procedures.

Also, if appropriate, access will be granted to the Internal Audit Service, Internal Legal Department, Court of Auditor, OLAF, the European Ombudsman, the EU Court and the European Data Protection Supervisor.

Legal basis and Lawfulness of processing:

Legal basis: Regulation (EU) 2016/796 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Railways and repealing Regulation (EC) No 881/2004.

In accordance with Article 5 (a) of Regulation (EU) 2018/1725, the processing is necessary for the performance of tasks carried out in the public interest on the basis of the Treaties establishing the European Communities.

Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council of 25 October 2012 on the financial rules applicable to the general budget of the Union (the “Financial Regulation”).

Commission Delegated Regulation (EU) No 1268/2012 of 29 October 2012 on the rules of application of the Financial Regulation.

Lawfulness:  The agency collects and processes your personal data in compliance with Article 5(a) and (b) of the EU Data Protection Regulation:

(a) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;

(b) processing is necessary for compliance with a legal obligation to which the controller is subject

Protection and security measures:

All personal data are processed only by designated ERA staff and stored on servers which abide by the ERA’s IT security rules and standards. Personal data of applicants might be accessed by ERA.

Retention period:

Your personal data are kept - in the service in charge of the procedure - until the end of validity of the CEI for which you submitted an expression of interest, and in the archives for a period up to 10 years following the end of the validity of the corresponding CEI.

The data subject’s rights:

In case you wish to verify which personal data is stored on your behalf by the responsible Controller, have it modified, corrected or deleted, please contact the Data Controller by using the contact information below and by explicitly specifying your request, or our Data Protection Officer

Resource:

Practical questions on CEI (establishing a list of vendors or a database of experts) can be sent to the ERA staff working for the Procurement Unit

In case of conflict on any Personal Data Protection issue you can address yourself to our Data Protection Officer or use the contact form on our website, selecting as type of request: “Data protection”.

Should the conflict not be resolved by the Data Protection Officer you may lodge a complaint with the European Data Protection Supervisor at any time.

This Privacy Statement outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of the selection and engagement of the Agency Staff (TA, CA, SNE and trainees). Your personal data provided to ERA are dealt with in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

Identity of Controller:

ERA Head of Resource and Support Unit.

Purpose of processing:

The purpose of this processing operation is to obtain data or information necessary to support the application during ERA’s selection procedure.

Type of data processed:

The types of data are the following:

• Family name;
• Name;
• Date of birth;
• Gender;
• Nationality;
• Private Address;
• E-mail Address(es);
• Telephone number(s);
• ERA application form;
• Motivation letter;
• Any individual situation regarding eligibility criteria and/or any other information necessary to support the application;
• In case of employment offer, supporting documents may be requested, including the ones containing sensitive data such as certificate of character and “medical-fit-to-work” certificate.

Appropriate organizational and technical security measures are ensured according to the data protection legislation applicable to EU institutions and bodies. The paper-based data are securely stored in the Human Resources Sector’s offices, partly in code-protected safes to which access is only granted to authorize HR staff members (i.e. the HR Assistants, the HR Officer).  E-stored data are stored and protected in line with the IT provisions.

Recipients of the data processed:

The recipients of the data are:

• The AACC;
• Designated Human Resources staff;
• Members of the selection committee appointed by the Executive Director;
• Supervisory instances of the Agency.

All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.

The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.

Personal data is not intended to be transferred to a third country outside the EU.

Legal basis and Lawfulness of processing:

Legal basis: Staff Regulations and the Conditions of Employment of Other Servants (CEOS) of the European Communities laid down by Council Regulation (EEC,EURATOM, ECSC) No. 259/68  and last amended by Council Regulation (EC, EURATOM EC) No. 1558/2007 of 17 December 2007 and the internal guidelines on selection.

Lawfulness: The above data processing operation is carried out in accordance with Art. 5(c) of Regulation (EU) 2018/1725.

Protection and security measures:

All personal data are processed only by designated ERA staff and stored on servers which abide by the ERA’s IT security rules and standards. Personal data of applicants might be accessed by ERA.

Retention period:

Data regarding engaged applicants will be kept for ten years after the termination of employment or the last pension payment, whichever applicable.

Data of non-engaged applicants but successfully placed in the reserve list for appointment will be kept for seven years after the budgetary discharge.

Data concerning non-engaged applicants will be kept for five years from the time that the data subject became aware of the result of the selection procedure (i.e. from the date of publication in the ERA Web page that the procedure was closed, or the date in which the applicant has received a relevant information letter).

After the above-mentioned periods, only data needed to provide overall statistics on the exercise (number of eligible and non-eligible applications, total number of applications, etc.) will be kept for statistical reasons. These statistics are not subject to Regulation 2018/1725 since they are anonymous and cannot be used to identify one or more persons either directly or indirectly.

The data subject’s rights:

You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data. You have also the right to object to the processing or request the removal of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.

If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.

Contacts:

All your requests concerning your data protection rights should be addressed to the Head of the Resource and Support Unit

In case you have any questions related to the protection of your personal data, you can also contact the Data Protection Officer

You have at any time the right of recourse to the European Data Protection Supervisor

The European Union Agency for Railways (ERA) is committed to respecting the privacy of personal data processed by the One-Stop Shop (OSS) implemented at ERA.

When the European Union Agency for Railways (ERA) acts as issuing entity, your personal data will be processed:

a) by ERA in accordance with Regulation (EC) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data and

b) by the National Safety Authorities (NSAs) of the European Economic Area and Switzerland in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

When the National Safety Authorities (NSAs) act as issuing entities, your personal data will be processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

When the NSAs process personal data in the OSS according to their applicable national legislation, they are the sole responsible for ensuring the data subjects’ rights.

The service providers of OSS are obliged to process your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Identity of Controller:

The European Union Agency for Railways (ERA), when it acts as issuing entity and for the part of the application it assesses. In this case, the responsible for managing your personal data processing is the ERA Head of Planning and Approvals Delivery Unit.

The NSAs when they assess their part of the application submitted in OSS as well as when they act as issuing entities. In both cases, unless otherwise stated by the NSAs, the responsible for managing your personal data is the Head of the relevant NSA.

Purpose of processing:

The processing of personal data in the OSS is needed to fulfil ERA’s, NSAs’ and applicants’ tasks and to enable the functioning of the OSS. More information on the OSS Terms of Use.

Type of data processed:

The types of data are the following:

• Family name;
• Name;
• Job title or function;
• Address;
• E-mail Address(es);
• Phone number(s);
• Language(s) spoken;
• OSS notification preferences;
• The user activity such as login and logout information attributed to users, content of application file, assessment reports, signatures, opinions, issue log, communication exchange and decisions.

Recipients of the data processed:

The recipients of the data are:

1. Designated ERA staff for the purposes of planning, assessing and deciding on applications for single safety certificates, vehicle and vehicle type authorisations and approvals;
2. Designated NSAs staff for the purposes of assessing and deciding on applications for single safety certificates, vehicle and vehicle type authorisations and approval decisions;
3. Applicants’ representatives for the purpose of submitting and uploading content in the OSS in relation to applications and receiving feedback on them;
4. Representatives of IT service provider company “Intrasoft”, based in Luxemburg, for the purpose of providing the OSS system operation;
5. Representatives of IT service provider consortium “JV CANCOM-PIRONET”, based in Belgium, for the purpose of providing the OSS system operation.

All recipients of the data are reminded of their obligation not to use the personal data for any further purpose other than the one for which they were collected. The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.

Personal data is not intended to be transferred to any third country outside the EU.

Legal basis and Lawfulness of processing:

Legal basis:

• Article 12 of Regulation (EU) 2016/796 of the European Parliament and of the Council of 11 may 2016 on the European Union Agency for Railways and repealing Regulation (EC) No 881/2004 of 11 May 2016;
• Directive (EU) 2016/798 of the European Parliament and of the Council of 11 May 2016 on railway safety;
• Directive (EU) 2016/797 of the European Parliament and of the Council of 11 May 2016 on the interoperability of the rail system within the European Union;
• Commission Implementing Regulation (EU) 2018/763 of 9 April 2018 establishing practical arrangements for issuing single safety certificates to railway undertakings pursuant to Directive (EU) 2016/798 of the European Parliament and of the Council, and repealing Commission Regulation (EC) No 653/2007;
• Commission Implementing Regulation (EU) 2018/545 of 4 April 2018 establishing practical arrangements for the railway vehicle authorisation and railway vehicle type authorisation process pursuant to Directive (EU) 2016/797 of the European Parliament and of the Council;
• Relevant national legislation transposing the aforementioned Directives in the States of the European Economic Area and Switzerland.

Lawfulness: The above data processing operation is carried out by ERA in accordance with Article 5(a) of Regulation (EC) 2018/1725: “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body” and by the NSAs in accordance with Article 6(e) of the GDPR: “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.

Protection and security measures:

All personal data are processed only by designated staff and stored on servers which abide by the ERA’s IT security rules and standards.

Retention period:

Personal information will only be retained in the OSS for a maximum period of:

• Vehicle authorisations and Vehicle type authorisations: 15 years;
• Single safety certificates: 15 years;
• ERTMS trackside approvals: 15 years.

The data subject’s rights:

You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data. You have also the right to object to the processing or request the removal of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.

If you have any queries concerning the processing of your personal data, you may address them to the Data Controller. You will find the address in the Contacts below.

Contact:

All your requests concerning your data protection rights can be addressed to the Data Controller of ERA when ERA is acting as issuing entity by using the contact form on our website, selecting as type of request: “One-Stop Shop”.

In case the request is linked to the processing personal data by the NSA and for the NSA’s part of the assessment in the OSS, ERA will transmit the request to the responsible NSA involved in the assessment of the application.

In case of conflict on any Personal Data Protection issue you can address yourself to our Data Protection Officer or use the contact form on our website, selecting as type of request: “Data protection”.

Should the conflict not be resolved by the Data Protection Officer you may lodge a complaint with the European Data Protection Supervisor at any time.

In case of the NSAs acting as issuing entity, contact details of each NSA are publically available in the ERADIS database.