The European Union Agency for Railways (ERA) is committed to respecting the privacy of the participants to any consultations which are organised in the framework of its activities. All personal data provided to ERA are dealt with in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (and any other regulation that will supersede it).

The following data protection information notice outlines the criteria by which ERA collects, manages and uses the personal data of the participants to consultations with social partners and organisations representing rail freight customers and passengers.

Identity of Controller:

ERA

Purpose of processing:

Processing of personal data is needed to obtain the views of stakeholders concerned whenever the Agency is required to address its recommendations to the European Commission on matters that have a direct impact on these categories of subjects.

Type of data processed:

Only the following data are collected:

• Name (optional)
• Surname (optional)
• Organisation (optional)
• E-mail address (optional)

Recipients of the data processed:

In accordance with Article 4 of Regulation (EC) N° 1049/2001 of 30 May 2001 regarding public access to European Parliament, Council and Commission documents and Article 8(2) of the “Arrangements to be applied by the Agency for public access to documents” (Annex to Management Board Decision N°145 of 29 November 2016), ERA is committed to grant access to any document you have submitted during the consultation phase, by publishing the outcome on the ERA website.

In a later stage, your opinions will be included in the report accompanying the recommendation to the Commission, as provided for in Articles 6 and 7 of the Agency’s Regulation.

In order to ensure the reliability of your contribution and for transparency reasons, some of your personal information may be published as well, where appropriate, without any further processing which is incompatible with the purpose of the consultation. You can specify what personal information you agree to be published by checking the relevant box in the comment sheet.

Legal basis and Lawfulness of processing:

Legal basis:

In accordance with Articles 6 and 7 of Regulation (EU) 2016/796 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Railways and repealing Regulation (EC) No 881/2004.

Lawfulness: 

The agency collects and processes your personal data in compliance with Article 5 (a) and (b) of the EU Data Protection Regulation:

(a) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;

(b) processing is necessary for compliance with a legal obligation to which the controller is subject

The processing may be based on consent (Article 5(d) of the EU Data Protection Regulation) or another legal basis, as established by the EU Data Protection Regulation, in some specific circumstances.

Protection and security measures:

All personal data are processed only by designated ERA staff and stored on servers which abide by the ERA’s IT security rules and standards.

Retention period:

Your personal data will remain in the database until the results have been completely analyzed and will be rendered anonymous when they have been usefully exploited, and at the latest after twelve months from the end of the consultation. This does not apply to personal data whose online publication has been consented. These data will remain available on the ERA website until the data subject exercise their rights to have it deleted.

The data subject’s rights:

In case you wish to verify which personal data is stored on your behalf by the responsible Controller, have it modified, corrected or deleted, please contact the Data Controller by using the contact information below and by explicitly specifying your request, or our Data Protection Officer.

Resource:

Practical questions on the public consultation can be sent to the ERA staff in charge of the organisation of the relevant consultation, using the functional mailbox specifically established for that consultation.

In case of conflict on any Personal Data Protection issue you can address yourself to our Data Protection Officer or use the contact form on our website, selecting as type of request: “Data protection” and specifying the reference to the consultation.

Should the conflict not be resolved by the Data Protection Officer you may lodge a complaint with the European Data Protection Supervisor at any time.

The European Union Agency for Railways (ERA) is committed to respecting the privacy of its candidates for recruitment. Within the framework of the selection procedures at ERA, all personal data provided by candidates are dealt with in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

The following data protection information notice outlines the criteria by which ERA collects, manages and uses the data provided by candidates within the different selection procedures for the recruitment.

Identity of Controller:

ERA Head of Resources and Support Department

Purpose of processing:

Processing of personal data is needed for:

• The organisation of selection procedures to recruit temporary agents, contract agents, seconded national experts and trainees
• The management of applications at the various stages of these selections
• The management and control of the use of reserve lists.

Type of data processed:

The personal data processed are the ones provided in the form used for the electronic application, in particular:

• Personal data allowing the candidate to be identified, i.e. surname, first name, date of birth, gender, nationality, private address, e-mail address, telephone
• Information provided by the candidate to allow the practical organisation of selection, i.e. address information: street, postcode, town, country, telephone, fax, e-mail
• Information provided by the candidate to verify whether s/he fulfils the eligibility and selection criteria laid down in the vacancy notice, i.e. information about nationality, languages, education, previous working experience, fulfilment of military/civil service duties, criminal convictions etc. Furthermore, the applicant may indicate any individual situation regarding eligibility criteria and any other information they would like to provide to support their application
• Information concerning any disabilities (with the purpose to prepare any necessary arrangements and possibly, assist the staff/trainee in receiving an additional supplement to his/her grant)
• Additional information in case a traineeship is offered: proof of health and accident insurance, bank account details (for the purposes of travel costs reimbursement and payment of the traineeship grant, where applicable).

Candidates are free to give their data on a voluntary basis, although failure to provide data in the mandatory fields will not allow the submission of the application form.

Recipients of the data processed:

• Human Resources Unit (more specifically staff in charge of recruitment)
• Members of the Selection Board
• Appointing Authority (Executive Director)
• Also, if appropriate, access will be given to the Internal Audit Service, the European Ombudsman, the Civil Service Tribunal and the European Data Protection Supervisor
• Should the applicant’s name be placed on a reserve list, access to the reserve list and to the applicant’s data will be provided to the concerned internal services interested in the recruitment of the person
• In case the Agency would outsource services to third parties, the identification data of the candidates may be transferred in order to organise the procedure.

Legal basis and Lawfulness of processing:

Legal Basis: In accordance with Decision 206/06.2009; Decision 207/06.2009; Rules governing traineeship period at ERA; Amendment to the ERA rules governing engagement of trainees.

Lawfulness:  The agency collects and processes your personal data in compliance with Article 5 (a) and (b) of the EU Data Protection Regulation:

(a) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;

(b) processing is necessary for compliance with a legal obligation to which the controller is subject

The processing may be based on consent (Article 5.1(d) of the EU Data Protection Regulation) or another legal basis, as established by the EU Data Protection Regulation, in some specific circumstances.

Protection and security measures:

All personal data are processed only by designated ERA staff and stored on servers which abide by the ERA’s IT security rules and standards.

Retention period:

Personal data regarding engaged applicants will be kept for ten years after the termination of employment or the last pension payment, whichever applicable.

Data of non-engaged applicants but successfully placed in the reserve list for appointment will be kept for seven years after the budgetary discharge.

Data concerning non-engaged applicants will be kept for five years from the date the data subject became aware of the result of the selection procedure.

Data concerning assigned trainees will be kept for two years after the termination of the traineeship. The purpose of archiving those data is to keep records of all beneficiaries of the traineeship scheme of ERA and allow the delivery of traineeship certification.

Data concerning non-successful applicants for traineeships will be deleted at the end of the traineeship period they applied for. This would allow to for a delayed assignment, should one of the successful trainees drop out of the scheme.

After the above-mentioned periods, only data needed to provide overall statistics on the exercise (number of eligible and non-eligible applications, total number of applications, etc.) will be kept for statistical reasons. These statistics are not subject to Regulation (EU) 2018/1725 since they are anonymous and cannot be used to identify one or more persons either directly or indirectly.

The data subject’s rights:

In case you wish to verify which personal data is stored on your behalf by the responsible Controller, have it modified, corrected or deleted, please contact the Data Controller by using the contact information below and by explicitly specifying your request, or our Data Protection Officer.

On the other hand, data demonstrating compliance with the eligibility and selection criteria may not be updated or corrected after the closing date for the respective selection procedure.

Resource:

Practical questions on the recruitment can be sent to the ERA staff working for the Human Resources Unit

In case of conflict on any Personal Data Protection issue you can address yourself to our Data Protection Officer or use the contact form on our website, selecting as type of request: “Data protection” and specifying the reference to the application.

Should the conflict not be resolved by the Data Protection Officer you may lodge a complaint with the European Data Protection Supervisor at any time

The European Union Agency for Railways (ERA) is committed to respecting the privacy of personal data processed by Microsoft Dynamics Customer Relationship Management (SRM) software implemented at ERA. In this framework, all personal data provided by contacts (or subscribers) are dealt with in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

The following data protection information notice outlines the criteria by which ERA collects, manages and uses the personal data of its contacts or subscribers.

Identity of Controller:

ERA Head of Communications

Purpose of processing:

ERA processes personal data of stakeholders to:

• Facilitate contacts, consultation, review of work progress, as well as exchange of information and views between the Agency and its related stakeholders
• Organise and manage events, meetings or other activities, including but not limited to: contact/participant list, invitations, distribution of documents, information sharing, surveys, feedback on documents, follow-up actions, publication of photographs and videos
• Manage access to ERA registers
• Inform about ERA’s activities
• Measure and analyse the interest of stakeholders in ERA communications for improving the quality of our services
• Manage online surveys on specific topics relating to our activities
• Invite experts appointed to participate in the Agency working parties/working groups meetings and process their reimbursement requests.

ERA has identified categories of contacts (i.e. the data subjects) as useful and relevant in achieving its mission to make the railway system work better for society and to contribute to the effective functioning of a Single European Railway Area without frontiers. These categories comprise:

• Relevant stakeholders: defined as ‘core contacts’ and including members of its working groups as well as those having a collaboration relationship with ERA (e.g. national-level decision-makers in the railway domain (national safety authorities, national investigation bodies, ministries of transport etc.), European Commission (DG MOVE), EC committee (RISC), European ‘sister’ Agencies (EASA, EMSA, etc.), rail associations/organisations (GRB, CER, EIM, UIP, UITP, ETF, UIRR, ERFA, etc.)). All of these contracts or groups of contacts are deemed to have an inherent interest in, and influence on, the activities and governance of ERA.
• Information users: defined as informed members of the general audience who have an interest in the ERA activities.

Type of data processed:

Data collected using the SRM software relate to contact information of corporate relevance.

The following personal data are collected:

• Contact details: name, surname, user name, job title, organisation/company name, e-mail address(es), phone(s), gender, title, country, address, picture, domain name, equivalent user
• Financial data: bank account information, supporting evidence submitted for reimbursement.

In addition, the contacts are invited to add information about their interest areas (topics), event participation, subscription and contact preferences.

When organising events or meetings (e.g. workshops or conferences), additional data may be collected:

• Photographs and video images which could be published in the context of the event
• Audio recording of interventions during the participation to event.

ERA can make connections with other contacts (e.g. hierarchical relationship) in order to classify them and establish marketing lists.

The collected data are classified in stakeholder categories, companies/organisations, workgroups and marketing lists.

The Agency’s SRM system has an integrated Outlook client which means that the content of emails can be viewed or stored in the SRM system.

Communications made via the SRM also allow scores about frequency of interactions of the contact with the system, e.g. registration to events.

By working through SRM, the Agency and the contact are able to build up a profile and this can be further enhanced through the use of website cookies.

Recipients of the data processed:

Personal data may be accessed by ERA staff and contractors under the direct supervision of ERA staff.

Data records found not to meet applied standards are disabled.

The SRM is used to develop ERA’s mailing lists for dissemination. Other EU Agencies or bodies may request to use the ERA’s mailing list. To do so, they must first submit a request to ERA. The mailing list will be shared with the EU institution or body which made the request provided that the necessity of the transfer of the data is established, i.e. that the data to be transferred are necessary for the legitimate performance of the tasks covered by the competence of the recipient EU institution or body.

From time to time, in order to validate data or in relation to particular campaigns (e.g. user satisfaction surveys carried out on behalf of ERA or focus groups), contact details (name, emails, addresses) may be transferred to third parties provided that an adequate level of protection (within the meaning of Article 9 of the Regulation (EU) 2018/1725) is ensured, in particular where the Controller adduces adequate safeguards (e.g. use of appropriate contractual clauses) with respect to the protection of the privacy and fundamental rights and freedoms of the data subjects concerned.

How are my data processed by SRM?

• Contact details for the groups mentioned are either entered into the SRM system manually by ERA staff or by the data subject him/herself via the web interface
• All ERA staff has editing rights to manage contacts as in accordance with good SRM practice and guidelines
• Contact details may be gathered from publicly-available lists such as those relating to Members of the European Parliament, European Commission officials etc. and are also gathered through direct contact with an Agency staff member whether it is email, telephone, business card or face-to-face meeting
• Where a new contact is entered into the SRM, s/he will receive an email to indicate that the Agency would like to enter his/her data in its contact database. This email informs the data subject of this intention and provides a hyperlink to lead the data subject through to a variety of options including the possibility to decline the invitation or, if the data subject agrees to be included in the SRM, to provide full contact details, state areas of interest and subscription preferences
• It is only upon explicit agreement of the data subject concerned to be included in the system that the contact would become part of marketing lists for the provision of targeted information or for sending invitations to events
• The contacts are under constant review to ensure accuracy of data
• The contacts are requested to update themselves their data on an annual basis
• The contacts can review their data each time the Agency contacts them using the SRM
• When data subjects are contacted through SRM, they are given the opportunity to review their data and subscription preferences through the link(s) to edit data. A link to data protection policy also appears in all correspondence.

Legal basis and Lawfulness of processing:

Legal basis: The SRM supports the actions which have to be undertaken by the Agency in the context of Articles 5 and 39 of Regulation (EU) 2016/796 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Railways and repealing Regulation (EC) No 881/2004, with a view to:

• setting up a limited number of working parties for the purpose of drawing up recommendations and, where relevant, guidelines, in particular relating to technical specifications for interoperability (‘TSIs’), common safety targets (‘CSTs’), common safety methods (‘CSMs’) and the use of common safety indicators (‘CSIs’)
• having those working parties composed among others of representative nominated by the competent national authorities and professionals from the railway sector
• reimbursing travel and subsistence expenses of the members of the working parties, based on rules and scales adopted by the Agency Management Board
• facilitating and making more effective the Agency’s engagement with its stakeholders.

Lawfulness:  The agency collects and processes your personal data in compliance with Article 5(a) and (b) of the EU Data Protection Regulation:

(a) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;

(b) processing is necessary for compliance with a legal obligation to which the controller is subject

The processing of personal data of all other contacts (“information users”) who have an interest in ERA activities  and have voluntarily chosen to be added to the SRM is lawful based on consent (Article 5 (d) of the EU Data Protection Regulation).

Protection and security measures:

All personal data are processed only by designated ERA staff and stored on servers which abide by the ERA’s IT security rules and standards.

Data might be stored temporarily on the servers of our processor, ClickDimensions. For more information on the processing of your data by ClickDimensions please follow this link: http://help.clickdimensions.com/common-questions-about-clickdimensions-security/.

Retention period:

Personal data regarding stakeholders will be kept until they exercise their rights to have it deleted.

Financial data will be kept for 7 years.

The data subject’s rights:

A data subject can access his/her personal data, rectify any data that is inaccurate or incomplete and request to delete them by sending an email. He or she can also access his/her data directly on the SRM via his/her log-in and password, modify his/her data and subscription preferences.

The participants to events or meetings who prefer their images are neither taken nor published on any support have the possibility to object by contacting the Communication Unit.

Resource:

Practical questions on the stakeholder relationship management can be sent to the ERA staff working for the Communication Unit.

In case of conflict on any Personal Data Protection issue you can address yourself to our Data Protection Officer or use the contact form on our website, selecting as type of request: “Data protection”.

Should the conflict not be resolved by the Data Protection Officer you may lodge a complaint with the European Data Protection Supervisor at any time.

The European Union Agency for Railways (ERA) is committed to respecting the privacy of personal data of the participants in Calls for Expression of Interests (CEI). All personal data provided to ERA are dealt with in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

The following data protection information notice outlines the criteria by which ERA collects, manages and uses the personal data provided within CEI.

Identity of Controller:

ERA Procurement Unit

Purpose of processing:

The processing of personal data of applicants to CEI is needed in order to allow economic operators to propose themselves to be included on a list of potential service providers / experts in advance of public procurement operations / further processing within the subject scope of the respective CEI.

Type of data processed:

The following data are / may be collected in the registration form and further processed for the purposes indicated above:

• Title, First Name, Family Name, Birth Date, Nationality
• Contact Details:
  • Full Name
  • E-Mail Address
  • Street Nr & Name
  • Town/ City
  • Postcode
  • Country
  • Phone Number
  • Website URL (if available).
• Description of main area of business / expertise
• Additional information
• Curriculum Vitae
• Information related to candidates’ legal, economic and financial as well as technical and professional capacity.

Recipients of the data processed:

Personal data may be accessed only by ERA staff for the purpose of management of the CEI and any associated tender procedures.

Also, if appropriate, access will be granted to the Internal Audit Service, Internal Legal Department, Court of Auditor, OLAF, the European Ombudsman, the EU Court and the European Data Protection Supervisor.

Legal basis and Lawfulness of processing:

Legal basis: Regulation (EU) 2016/796 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Railways and repealing Regulation (EC) No 881/2004.

In accordance with Article 5 (a) of Regulation (EU) 2018/1725, the processing is necessary for the performance of tasks carried out in the public interest on the basis of the Treaties establishing the European Communities.

Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council of 25 October 2012 on the financial rules applicable to the general budget of the Union (the “Financial Regulation”).

Commission Delegated Regulation (EU) No 1268/2012 of 29 October 2012 on the rules of application of the Financial Regulation.

Lawfulness:  The agency collects and processes your personal data in compliance with Article 5(a) and (b) of the EU Data Protection Regulation:

(a) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;

(b) processing is necessary for compliance with a legal obligation to which the controller is subject

Protection and security measures:

All personal data are processed only by designated ERA staff and stored on servers which abide by the ERA’s IT security rules and standards. Personal data of applicants might be accessed by ERA.

Retention period:

Your personal data are kept - in the service in charge of the procedure - until the end of validity of the CEI for which you submitted an expression of interest, and in the archives for a period up to 10 years following the end of the validity of the corresponding CEI.

The data subject’s rights:

In case you wish to verify which personal data is stored on your behalf by the responsible Controller, have it modified, corrected or deleted, please contact the Data Controller by using the contact information below and by explicitly specifying your request, or our Data Protection Officer

Resource:

Practical questions on CEI (establishing a list of vendors or a database of experts) can be sent to the ERA staff working for the Procurement Unit

In case of conflict on any Personal Data Protection issue you can address yourself to our Data Protection Officer or use the contact form on our website, selecting as type of request: “Data protection”.

Should the conflict not be resolved by the Data Protection Officer you may lodge a complaint with the European Data Protection Supervisor at any time.

This Privacy Statement outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of the selection and engagement of the Agency Staff (TA, CA, SNE and trainees). Your personal data provided to ERA are dealt with in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

Identity of Controller:

ERA Head of Resource and Support Unit.

Purpose of processing:

The purpose of this processing operation is to obtain data or information necessary to support the application during ERA’s selection procedure.

Type of data processed:

The types of data are the following:

• Family name;
• Name;
• Date of birth;
• Gender;
• Nationality;
• Private Address;
• E-mail Address(es);
• Telephone number(s);
• ERA application form;
• Motivation letter;
• Any individual situation regarding eligibility criteria and/or any other information necessary to support the application;
• In case of employment offer, supporting documents may be requested, including the ones containing sensitive data such as certificate of character and “medical-fit-to-work” certificate.

Appropriate organizational and technical security measures are ensured according to the data protection legislation applicable to EU institutions and bodies. The paper-based data are securely stored in the Human Resources Sector’s offices, partly in code-protected safes to which access is only granted to authorize HR staff members (i.e. the HR Assistants, the HR Officer).  E-stored data are stored and protected in line with the IT provisions.

Recipients of the data processed:

The recipients of the data are:

• The AACC;
• Designated Human Resources staff;
• Members of the selection committee appointed by the Executive Director;
• Supervisory instances of the Agency.

All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.

The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.

Personal data is not intended to be transferred to a third country outside the EU.

Legal basis and Lawfulness of processing:

Legal basis: Staff Regulations and the Conditions of Employment of Other Servants (CEOS) of the European Communities laid down by Council Regulation (EEC,EURATOM, ECSC) No. 259/68  and last amended by Council Regulation (EC, EURATOM EC) No. 1558/2007 of 17 December 2007 and the internal guidelines on selection.

Lawfulness: The above data processing operation is carried out in accordance with Art. 5(c) of Regulation (EU) 2018/1725.

Protection and security measures:

All personal data are processed only by designated ERA staff and stored on servers which abide by the ERA’s IT security rules and standards. Personal data of applicants might be accessed by ERA.

Retention period:

Data regarding engaged applicants will be kept for ten years after the termination of employment or the last pension payment, whichever applicable.

Data of non-engaged applicants but successfully placed in the reserve list for appointment will be kept for seven years after the budgetary discharge.

Data concerning non-engaged applicants will be kept for five years from the time that the data subject became aware of the result of the selection procedure (i.e. from the date of publication in the ERA Web page that the procedure was closed, or the date in which the applicant has received a relevant information letter).

After the above-mentioned periods, only data needed to provide overall statistics on the exercise (number of eligible and non-eligible applications, total number of applications, etc.) will be kept for statistical reasons. These statistics are not subject to Regulation 2018/1725 since they are anonymous and cannot be used to identify one or more persons either directly or indirectly.

The data subject’s rights:

You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data. You have also the right to object to the processing or request the removal of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.

If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.

Contacts:

All your requests concerning your data protection rights should be addressed to the Head of the Resource and Support Unit

In case you have any questions related to the protection of your personal data, you can also contact the Data Protection Officer

You have at any time the right of recourse to the European Data Protection Supervisor

The European Union Agency for Railways (ERA) is committed to respecting the privacy of personal data processed by the One-Stop Shop (OSS) implemented at ERA.

When the European Union Agency for Railways (ERA) acts as issuing entity, your personal data will be processed:

a) by ERA in accordance with Regulation (EC) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data and

b) by the National Safety Authorities (NSAs) of the European Economic Area and Switzerland in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

When the National Safety Authorities (NSAs) act as issuing entities, your personal data will be processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

When the NSAs process personal data in the OSS according to their applicable national legislation, they are the sole responsible for ensuring the data subjects’ rights.

The service providers of OSS are obliged to process your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Identity of Controller:

The European Union Agency for Railways (ERA), when it acts as issuing entity and for the part of the application it assesses. In this case, the responsible for managing your personal data processing is the ERA Head of Planning and Approvals Delivery Unit.

The NSAs when they assess their part of the application submitted in OSS as well as when they act as issuing entities. In both cases, unless otherwise stated by the NSAs, the responsible for managing your personal data is the Head of the relevant NSA.

Purpose of processing:

The processing of personal data in the OSS is needed to fulfil ERA’s, NSAs’ and applicants’ tasks and to enable the functioning of the OSS. More information on the OSS Terms of Use.

Type of data processed:

The types of data are the following:

• Family name;
• Name;
• Job title or function;
• Address;
• E-mail Address(es);
• Phone number(s);
• Language(s) spoken;
• OSS notification preferences;
• The user activity such as login and logout information attributed to users, content of application file, assessment reports, signatures, opinions, issue log, communication exchange and decisions.

Recipients of the data processed:

The recipients of the data are:

1. Designated ERA staff for the purposes of planning, assessing and deciding on applications for single safety certificates, vehicle and vehicle type authorisations and approvals;
2. Designated NSAs staff for the purposes of assessing and deciding on applications for single safety certificates, vehicle and vehicle type authorisations and approval decisions;
3. Applicants’ representatives for the purpose of submitting and uploading content in the OSS in relation to applications and receiving feedback on them;
4. Representatives of IT service provider company “Intrasoft”, based in Luxemburg, for the purpose of providing the OSS system operation;
5. Representatives of IT service provider consortium “JV CANCOM-PIRONET”, based in Belgium, for the purpose of providing the OSS system operation.

All recipients of the data are reminded of their obligation not to use the personal data for any further purpose other than the one for which they were collected. The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.

Personal data is not intended to be transferred to any third country outside the EU.

Legal basis and Lawfulness of processing:

Legal basis:

• Article 12 of Regulation (EU) 2016/796 of the European Parliament and of the Council of 11 may 2016 on the European Union Agency for Railways and repealing Regulation (EC) No 881/2004 of 11 May 2016;
• Directive (EU) 2016/798 of the European Parliament and of the Council of 11 May 2016 on railway safety;
• Directive (EU) 2016/797 of the European Parliament and of the Council of 11 May 2016 on the interoperability of the rail system within the European Union;
• Commission Implementing Regulation (EU) 2018/763 of 9 April 2018 establishing practical arrangements for issuing single safety certificates to railway undertakings pursuant to Directive (EU) 2016/798 of the European Parliament and of the Council, and repealing Commission Regulation (EC) No 653/2007;
• Commission Implementing Regulation (EU) 2018/545 of 4 April 2018 establishing practical arrangements for the railway vehicle authorisation and railway vehicle type authorisation process pursuant to Directive (EU) 2016/797 of the European Parliament and of the Council;
• Relevant national legislation transposing the aforementioned Directives in the States of the European Economic Area and Switzerland.

Lawfulness: The above data processing operation is carried out by ERA in accordance with Article 5(a) of Regulation (EC) 2018/1725: “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body” and by the NSAs in accordance with Article 6(e) of the GDPR: “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.

Protection and security measures:

All personal data are processed only by designated staff and stored on servers which abide by the ERA’s IT security rules and standards.

Retention period:

Personal information will only be retained in the OSS for a maximum period of:

• Vehicle authorisations and Vehicle type authorisations: 15 years;
• Single safety certificates: 15 years;
• ERTMS trackside approvals: 15 years.

The data subject’s rights:

You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data. You have also the right to object to the processing or request the removal of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.

If you have any queries concerning the processing of your personal data, you may address them to the Data Controller. You will find the address in the Contacts below.

Contact:

All your requests concerning your data protection rights can be addressed to the Data Controller of ERA when ERA is acting as issuing entity by using the contact form on our website, selecting as type of request: “One-Stop Shop”.

In case the request is linked to the processing personal data by the NSA and for the NSA’s part of the assessment in the OSS, ERA will transmit the request to the responsible NSA involved in the assessment of the application.

In case of conflict on any Personal Data Protection issue you can address yourself to our Data Protection Officer or use the contact form on our website, selecting as type of request: “Data protection”.

Should the conflict not be resolved by the Data Protection Officer you may lodge a complaint with the European Data Protection Supervisor at any time.

In case of the NSAs acting as issuing entity, contact details of each NSA are publically available in the ERADIS database.

This notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of Procurement Procedures and Contract Management.

Your personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

For more information about the processing in question, you are invited to contact ERA through the addresses provided in section “Contacts”.

Identity of Controller

ERA Head of Finance and Procurement Unit.

Purpose of processing

This processing operation is related to personal data that may be included in the management and administration of procurement procedures and contracts by the Agency, including in particular :

• the provision of evidence of the technical and professional capacity of tenderers, their staff and subcontractors;
• the execution of the contract and additional purposes such as statistics, reporting or auditing.

The Agency needs to evaluate the submitted applications according to the same set of criteria provided therein in order to ensure the optimal use of EU financial resources.

ERA collects only the personal data that the tenderers provide during the participation to the procurement procedures.

ERA collects the personal data in order to use service providers, independent experts, other independent workers needed for ERA to carry out its tasks under the terms of the Regulation (EU) 2016/796 establishing the European Union Agency for Railways.

Type of data processed

1. The following data relating to tenderers (or to subcontractors, if applicable) can be processed during the public procurement:
   • identification and contact details (name, surname of natural person, name and legal form of legal person, address, identity card number, registration number, VAT number, phone number, e-mail address);
   • proof of independent worker status (if applicable) and extract from the trade register, bank certificate stating financial situation; bank account details;
   • statement of the overall turnover for the supplies and/or services referred to in the procurement procedure;
   • organisational chart of the tenderer and company profile;
   • proof of having fulfilled all obligations to pay social-security contributions and taxes;
   • certificate of clear criminal record or extract of judicial history;
   • extract from the register of bankruptcy or relevant document;
   • documents attesting professional standing (curriculum vitae, copies of diplomas, certificates etc.);
   • list of similar services provided by the tenderer and information on contracts considered similar in scope.
2. Data relating to staff members participating in the procurement procedure are limited to identification and contact details (name and surname, function, e-mail address, business telephone number).

Recipients of the data processed

The recipients of the personal data are:

• Authorised Agency staff dealing with tenders and procurement procedures as well as  financial and accounting matters have access to your data.

In accordance with the Agency's obligation to publish information on the outcome of the procurement procedure and on the beneficiaries of funds deriving from the budget of the European Community some identification data of the awarded contractor will be made publicly available. The information will concern the name and address, the amount awarded and the works, goods or services requested. It is published in supplement S of the Official Journal of the European Union and/or on the website of the Agency.

All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.

The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined above.

Legal basis for the processing operation

Legal basis:

• ERA Financial Regulation adopted by ERA Management Board (Decision n° 206)
• Regulation (EU, EURATOM) 2018/1046

Lawfulness:

The data processing is considered lawful under art. 5(a), (b) and (c) of the Regulation (EC) 2018/1725, because it is necessary:

• for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;
• ensure compliance of the Agency with legal obligations;
• take steps prior to entering into contract with the data subject.

Protection and security measures

The Agency has several security controls in place to protect your personal data from unauthorised access, use or disclosure. We keep your data stored on computer systems with limited access to a specified audience only.

Retention period

The provisions contained in the article 47 of ERA's Financial Regulation state that:

"1. The authorising officer shall set up paper-based or electronic systems for the keeping of original supporting documents relating to the budget implementation. Such documents shall be kept for at least five years from the date on which the European Parliament grants discharge for the financial year to which the documents relate.
2. Documents relating to operations not definetely closed shall be kept for longer than provided for in paragraph 1, namely until the end of the year following that in which the operations are closed."

Therefore files relating to tender procedures are kept for a period of:

• 7 years following signature of the contract or following the last payment by the Agency;
• 5 years following the signature of the contract into question for unsuccesful tenderers.

Extracts from judicial reports (electronic format and paper version) are kept for a period of 2 years following the signature of the contract with the succesful bidder(s).

Until the end of a possible audit if one started before the end of the above period.

The data subject’s rights

Under data protection law, you have rights we need to make you aware of these rights. The rights available to you depend on our reason for processing your information. You are not required to pay any charges for exercising your rights.

You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data. You have also the right to object to the processing of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.

If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.

The Agency does not do automated decision making, including profiling, on the personal data acquired during procurement and contract management procedure.

If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.

The Agency will address your requests within 2 weeks from the receipt of the request.

Contacts

All your requests concerning your data protection rights should be addressed to the Data Controller.

In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer.

You have at any time the right of recourse to the European Data Protection Supervisor.

ERA keeps this privacy notice under regular review to make sure it is up to date and accurate.

This notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of Registering Bank Account File and Legal Entity File.

Your personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

For more information about the processing in question, you are invited to contact ERA through the addresses provided in section “Contacts”.

Identity of Controller

ERA Head of Finance and Procurement Unit.

Purpose of processing

The Agency is using the Commission accounting system ABAC, which includes the centrally validated "Legal Entity File" and "Bank Account File", to make or receive payments.

This processing operation is related to personal data that may be included in the Legal Entities File (LEF) that records all third parties with which the Agency conducts revenue and expenditure transactions.  The Bank Account File (BAF) is a descriptive file containing bank details for all companies, organisations and individuals with which the Agency has financial dealings.  Bank account related data are registered in a SWIFT compatible manner.

No transaction may be made for the purposes of implementing the budget unless it involves a legal entity (LE) that has been validated beforehand. It follows that before a bank account (BA) can be recorded in the BAF, a LE must be recorded in the ABAC application: the bank account will be linked to that legal entity.

A LE and/or a BA will not be recorded in the Agency's accounts until the legal entity validation team (LEVT) or the bank account validation team (BAVT) within DG BUDG has validated the authorising department's request, which must be accompanied by the relevant supporting documents.

The validation of the LEF and the BAF is a pre-requisite before any transaction may be made for the purposes of implementing the budget.

Each validated legal entity and bank account record is identified by a unique key.  These keys are used by authorising officers' services when preparing financial and contractual transactions.

Type of data processed

The data, including personal data that may be processed are as follows:

• data subjects:
  • Private person or Staff member;
  • Private companies represented by natural persons;
  • Public entities represented by natural persons.
• personal data:
  • Bank details : Name in which the bank account has been opened, Address declared with the bank (street, number, town, postcode, country), Bank name, Bank Branch address (if needed), Bank account number (IBAN if existing), Branch code (for certain countries), Date and signature;
  • LEF Personal details: name, first name, permanent address, ID card/passport number, date and place of birth, personnel number (for staff only).

Appropriate organizational and technical security measures will be ensured according to the data protection legislation applicable to EU institutions and bodies.

The forms and documents sent for central validation of the LEF and BAF are added in the payment file. Electronic data is kept within the ABAC WKFL system

The data collected in the Agency’s accounts can be accessed by designated agency staff + staff from the Commision’s central services, using a UserID and a Password. A Service Level Agreement guarantees the appropriate confidentiality and the technical and organisational security of the ABAC system, as required by the applicable data protection provisions.

Recipients of the data processed

The recipients of the personal data are:

• Inside ERA:
  • Authorised Agency’s staff dealing with financial and accounting matters have access to your data;
• Inside EUIs:
  • DG BUDG's central validation team dealing with financial and accounting matters have access to the data;
• Outside EUIs:
  • As the Agency is using the European Commission’s system SWIFT Network, for executing its payments, your bank particulars will also be sent to this company whenever a payment is made in to the beneficiary.

All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.

The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.

Personal data is not intended to be transferred to a third country outside the EU.

Legal basis for the processing operation

Legal basis:

In accordance with Art. 49 of the ERA Financial Regulation adopted by the Decision n°206 of the Management Board on 23/09/2019, the Management Board shall appoint an accounting officer who shall be responsible:

(a) properly implementing payments, collecting revenue and recovering amounts established as being receivable.

Moreover, in accordance with the ERA Financial Regulation adopted by the decision n°206 of the Management Board on 23/09/2019, the Articles 45 and 47 stipulate powers and duties of the Accounting Officer with respect to the creation and management of legal entity files and for the keeping of supporting documents. These files and documents contain the needed personal data for a sound and legal management of payments and recovery of sums.

Lawfulness:

Processing of "Legal Entity" (LEF) and "Bank account" (BAF) related data is lawful under art. 5.1 (a), (b) and (c) of the Regulation (EC) 2018/1725, because it is necessary:

• for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;
• for compliance with a legal obligation to which the controller is subject, and
• for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Protection and security measures

The Agency has several security controls in place to protect your personal data from unauthorised access, use or disclosure. We keep your data stored on computer systems with limited access to a specified audience only.

Retention period

For audit trail reasons and to permit at all times queries on the past execution of payments, no registered data are deleted from the accounts. The forms and documents you submit are scanned and archived electronically. The original forms and documents are usually included in the payment files and follow the same retention rules.

The data subject’s rights

You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data. You have also the right to object to the processing of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.

If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.

Contacts

All your requests concerning your data protection rights should be addressed to the Data Controller.

In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer.

You have at any time the right of recourse to the European Data Protection Supervisor.

This notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of Procurement Procedures and Contract Management.

Your personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

For more information about the processing in question, you are invited to contact ERA through the addresses provided in section “Contacts”.

Identity of Controller

ERA Head of Finance and Procurement Unit.

Purpose of processing

This processing operation is related to personal data that may be included in the management and administration of procurement procedures and contracts by the Agency, including in particular :

• the provision of evidence of the technical and professional capacity of tenderers, their staff and subcontractors,
• the execution of the contract and additional purposes such as statistics, reporting or auditing.

The Agency needs to evaluate the submitted applications according to the same set of criteria provided therein in order to ensure the optimal use of EU financial resources.

ERA collects only the personal data that the tenderers provide during the participation to the procurement procedures.

ERA collects the personal data in order to use service providers, independent experts, other independent workers needed for ERA to carry out its tasks under the terms of the Regulation (EU) 2016/796 establishing the European Union Agency for Railways.

Type of data processed

1. The following data relating to tenderers (or to subcontractors, if applicable) can be processed during the public procurement:
   • identification and contact details (name, surname of natural person, name and legal form of legal person, address, identity card number, registration number, VAT number, phone number, e-mail address);
   • proof of independent worker status (if applicable) and extract from the trade register, bank certificate stating financial situation; bank account details;
   • statement of the overall turnover for the supplies and/or services referred to in the procurement procedure;
   • organisational chart of the tenderer and company profile;
   • proof of having fulfilled all obligations to pay social-security contributions and taxes;
   • certificate of clear criminal record or extract of judicial history;
   • extract from the register of bankruptcy or relevant document;
   • documents attesting professional standing (curriculum vitae, copies of diplomas, certificates etc.);
   • list of similar services provided by the tenderer and information on contracts considered similar in scope;




2. Data relating to staff members participating in the procurement procedure are limited to identification and contact details (name and surname, function, e-mail address, business telephone number).

Recipients of the data processed

The recipients of the personal data are:

• Authorised Agency staff dealing with tenders and procurement procedures as well as  financial and accounting matters have access to your data.

In accordance with the Agency's obligation to publish information on the outcome of the procurement procedure and on the beneficiaries of funds deriving from the budget of the European Community some identification data of the awarded contractor will be made publicly available. The information will concern the name and address, the amount awarded and the works, goods or services requested. It is published in supplement S of the Official Journal of the European Union and/or on the website of the Agency.

All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.

The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined above.

Legal basis for the processing operation

Legal basis:

• ERA Financial Regulation adopted by ERA Management Board (Decision n° 206)
• Regulation (EU, EURATOM) 2018/1046

Lawfulness:

The data processing is considered lawful under art. 5(a), (b) and (c) of the Regulation (EC) 2018/1725, because it is necessary:

• for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body,
• ensure compliance of the Agency with legal obligations,
• take steps prior to entering into contract with the data subject.

Protection and security measures

The Agency has several security controls in place to protect your personal data from unauthorised access, use or disclosure. We keep your data stored on computer systems with limited access to a specified audience only.

Retention period

The provisions contained in the article 47 of ERA's Financial Regulation state that:

1. The authorising officer shall set up paper-based or electronic systems for the keeping of original supporting documents relating to the budget implementation. Such documents shall be kept for at least five years from the date on which the European Parliament grants discharge for the financial year to which the documents relate.

2. Documents relating to operations not definetely closed shall be kept for longer than provided for in paragraph 1, namely until the end of the year following that in which the operations are closed".

Therefore files relating to tender procedures are kept for a period of:

• 7 years following signature of the contract or following the last payment by the Agency;
• 5 years following the signature of the contract into question for unsuccesful tenderers.

Extracts from judicial reports (electronic format and paper version) are kept for a period of 2 years following the signature of the contract with the succesful bidder(s).

Until the end of a possible audit if one started before the end of the above period.

The data subject’s rights

Under data protection law, you have rights we need to make you aware of these rights. The rights available to you depend on our reason for processing your information. You are not required to pay any charges for exercising your rights.

You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data. You have also the right to object to the processing of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.

If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.

The Agency does not do automated decision making, including profiling, on the personal data acquired during procurement and contract management procedure.

If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.

The Agency will address your requests within 2 weeks from the receipt of the request.

Contacts

All your requests concerning your data protection rights should be addressed to the Data Controller.

In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer.

You have at any time the right of recourse to the European Data Protection Supervisor.

ERA keeps this privacy notice under regular review to make sure it is up to date and accurate.

This notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of mission and authorized travels management (including travel order sent to the travel agency).

Your personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

For more information about the processing in question, you are invited to contact ERA through the addresses provided in section “Contacts”.

Identity of Controller

ERA Head of Finance and Procurement Unit.

Purpose of processing

This processing operation is related to the use and exchange of personal data amongst the different intervening parties in order to organise and execute missions and authorised travels. The processing operations concern the travel’s arrangements, the hotel’s accommodation, the use of third parties services (e.g. car rentals) and the related payment of these costs.

The mission management requires the intervention of both internal and external actors. These external actors are the travel agency, the transport companies, the hotels and any other organization that can be called upon to intervene as part of the mission (for example travel insurance company).

Type of data processed

1. The following categories of data subjects can be distinguished:
   • ERA Staff members (any contractual type),
   • Seconded National Experts.
2. Personal data:

Within the mission order and claim in MiMa the data fields concerned are the name of the staff member and his/her personnel number. However, since MiMa forms part of the wider e-HR application, other personal data is contained in the central repository of the e-HR application.

The travel order form contains information on the following categories of data: name, surname, date of birth, portable phone number (to be contacted by the Agency in case of emergency), nationality, passport number, date of issue and expiry date (for travels by plane, only if required by the air company), preferred placement on board of train or flight (window, aisle, porthole), meals requirements (vegetarian-vegan-halal- kosher-diabetic-low salt diet-no sugar nutrition-gluten free-allergen free), traveller's unit, name of Authorizing Officer.

Data regarding the mission itself: place(s) of the mission and transit, date of departure and arrival, means of transport, name and place of the hotel, hotel invoices, start and end times of the professional commitments, possible combined holidays, possible request for anticipating budget for expenses, the budget line on which the mission will be paid, the MiMa mission number and the approval date created when the authorising officer signs for agreement.

Recipients of the data processed

The recipients of the personal data are:

• Authorised Agency staff dealing with financial and accounting matters have access to data;
• Project Manager/Service Manager and/or hierarchical superior that validate the mission order and the Authorising Officer (Delegated/Sub-delegated) that approve the mission order;
• External service providers involved in the management of the mission, notably: travel agency, hotels, transport company.

All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.

The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined above.

Legal basis for the processing operation

Legal basis:

• ERA Financial Regulation adopted by ERA Management Board (Decision n° 206)
• Decision N° 160 of the Management Board on 22/11/2017 adopting by analogy Commission Decision C(2017)5323
• Guide to missions and authorised travel accompanying the Commission Decision C(2017)5323 of 27/09/2017

Lawfulness:

The data processing is considered lawful under art. 5(a) and (b) of the Regulation (EC) 2018/1725, because it is necessary:

• for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body,
• ensure compliance of the Agency with legal obligations.

Protection and security measures

The Agency has several security controls in place to protect your personal data from unauthorised access, use or disclosure. We keep your data stored on MiMa with limited access to a specified audience only.

Access to the MiMa database is limited to:

• the data subjects and persons having received delegation to manage or authorize missions on behalf of a staff member have direct access to personal data related to the mission order,
• the Project Manager/Service Manager and/or hierarchical supervisor that validate the mission order and the Authorising Officer (Delegated/Sub-delegated) that authorise the mission have access to the personal data,
• authorised agency staff dealing with financial and accounting matters.

Retention period

The data collected for mission management are kept for a maximum of 8 years, as per provisions contained in the Art. 47 of the ERA financial regulation:

"1. The authorising officer shall set up paper-based or electronic systems for the keeping of original supporting documents relating to the budget implementation. Such documents shall be kept for at least five years from the date on which the European Parliament grants discharge for the financial year to which the documents relate.

2. Documents relating to operations not definitely closed shall be kept for longer than provided for in paragraph 1, namely until the end of the year following that in which the operations are closed."

3. Personal data contained in supporting documents shall, where possible, be deleted when those data are not necessary for budgetary discharge, control and audit purposes. Article 88 of Regulation (EU) 2018/1725 shall apply to the conservation of data.”

Until the end of a possible audit, if one started before the end of the above-mentioned period.

The data subject’s rights

Under data protection law, you have rights we need to make you aware of these rights. The rights available to you depend on our reason for processing your information. You are not required to pay any charges for exercising your rights.

You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data.

If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.

The Agency does not do automated decision making, including profiling, on the personal data acquired during procurement and contract management procedure.

If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.

The Agency will address your requests within 2 weeks from the receipt of the request.

Contacts

All your requests concerning your data protection rights should be addressed to the Data Controller.

In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer.

You have at any time the right of recourse to the European Data Protection Supervisor.

ERA keeps this privacy notice under regular review to make sure it is up to date and accurate.

Through the ERADIS database, the Agency is collecting and providing public access to the following documents and information:

• Contact details of relevant national organisations: safety authorities, investigation bodies, accreditation bodies, recognition bodies, notified conformity assessment bodies;
• Safety certificates for railway undertakings;
• Licences for providing rail transport services by railway undertakings;
• Information on the Entities in Charge of Maintenance: the schema decided in each Member State, certification bodies documents, ECM certificates and maintenance functions certificates, Recommendations for use agreed by the certification bodies network;
• Information on the CSM Assessment Bodies: the decision on the use of schema for acknowledging the competence of CSM assessment bodies, the CSM Assessment Bodies documents;
• Link to ERAIL database of Common Safety Indicators;
• Link to ERAIL database of investigation reports;
• Annual reports of national safety authorities and national investigation bodies;
• EC declarations of verification of subsystems;
• EC declarations of conformity of constituents;
• EC declarations of suitability for use of interoperability constituents;
• Authorisations for placing in service of fixed installations;
• Link to the national vehicle registers ECVVR;
• Railway Undertaking Service Quality Reports;
• Link to national rules database NOTIF-IT
• Notified Bodies EC Certificates (including NoBo QMS Approvals and NoBo ISVs Certificates).

This notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of ERADIS.

Your personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

For more information about the processing in question, you are invited to contact ERA through the addresses provided in “Contacts”.

Controller of the processing operation

The Controller determining the purpose and means of the processing of your personal data is the European Union Agency for Railways (ERA). The entity responsible for managing the personal data processing is the Head of Analysis and Monitoring Unit.

Purpose of the processing operation

The purpose of this database is to make publically available documents provided for by Directives (EU) 2016/797, 2016/798, 2012/34/EU, Regulation (EC) No 1371/2007, Commission Implementing Regulations (EU) No 402/2013 and 445/2011.

Free access to ERADIS is granted to public to read data, while a username and a password are needed for data submission. Therefore, a registration of personal data is requested to obtain credentials in order to get an authorised access and to be contacted in case of any need.

Data Processed

The types of data, including personal data that may be processed are as follows:

• Contact persons (name, address, phone number, e-mail and field of competence and fax numbers if relevant) of the relevant contact persons from rail sector representative bodies, national rail bodies/organisations involved.
• Name of the persons signing the licenses, EC declarations and safety certificates.

In addition, in order to protect the content against inappropriate behaviors (e.g. certificates mismatching or hacking attempts) an Audit Trail has been implemented, recording all user’ actions.

The fields in the recorded logs are the following:

Timestamp
Username
Source IP address
Session ID
Action details
Invoked URL

This functionality is activated only for logged-in users and can be activated/ deactivated at any time.

Finally, information is stored in servers located in ERA’s premises, access only granted to authorised staff members.

In addition, ERA uses "first-party cookies".

A cookie is a small piece of text that a website stores on your computer or mobile device when you visit it. These cookies are set and controlled by ERA through a platform named Matomo, not by any external organisation. The first-party cookies are used to:

• store visitor preferences (cookies consent)
• make operational the ERADIS application
• gather analytics data (about user behaviour), if accepted

Every time you visit ERADIS, you will be prompted to accept cookies or to modify settings, in order to:

• not be tracked by your browser (for analytics services, advertising networks, etc.) and/or
• opt-out from analytics data collection (for further details read Web analytics privacy in Matomo).

The purpose is to enable the site to:

• remember your preferences (such as username, language, etc.) for a certain period of time without the need to re-enter them while browsing during the same visit.
• establish anonymized statistics about browsing experience, if the user so agrees.

Recipients of personal data

• Agency staff involved in the related service
• The designated contractor for the purpose of providing the necessary expertise in developing the IT tool Regarding the Audit Trail logs, they are accessible only to the ERADIS administrators and the IT security officer.

All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.

The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.

Personal data is not intended to be transferred to a third country outside the EU.

Your Rights as data subject

You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data. You have also the right to object to the processing or request the erasure of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.

If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.

Legal basis for the processing operation

Legal basis:

•  Article 37(3) of Regulation (EU) 2016/796

Lawfulness:

The above data processing operation is carried out in accordance with Art. 5(a) of Regulation (EU) 2018/1725:

1. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;

Time limit for storing the data

Personal information is retained until the user account is deleted or for the lifetime of ERADIS, designed as a permanent tool - until the relevant legislation is changed.

Regarding the Audit Trail logs, they are kept for 12 months before deletion.

Contacts

All your requests concerning your data protection rights should be addressed to the Data Controller the Head of Analysis Unit.

In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer.

You have at any time the right of recourse to the European Data Protection Supervisor.

This Notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of ERATV.

Your personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

For more information about the processing in question, you are invited to contact ERA through the addresses provided in “Contacts”.

Controller of the processing operation

The Controller determining the purpose and means of the processing of your personal data is the European Union Agency for Railways (ERA). The entity responsible for managing the personal data processing is the Head of Analysis and Monitoring Unit.

Purpose of the processing operation

ERATV is a register to make publically available types of railway vehicles authorized for placing on the market of the Union.

Free access to ERATV is granted to public to read data, while a username and a password are needed for data submission (cfr. Annex I, Table 1 of Commission Implementing Decision 2011/665/EU on the European register of authorised types of railway vehicles as amended by Commission Implementing Regulation (EU) 2019/776 of 16 May 2019). Therefore, a registration of personal data is requested to obtain credentials in order to get an authorised access and to be contacted in case of any need.

Data Processed

The types of data, including personal data that may be processed are as follows:

• family name, first name, telephone and fax numbers, e-mail address, organisation name and address

Appropriate organizational and technical security measures are ensured according to the data protection legislation applicable to EU institutions and bodies.

Finally, information is stored in servers located in ERA’s premises, access only granted to authorised staff members.

In addition, ERA uses "first-party cookies".

A cookie is a small piece of text that a website stores on your computer or mobile device when you visit it. These cookies are set and controlled by ERA through a platform named Matomo, not by any external organisation. The first-party cookies are used to:

• store visitor preferences (cookies consent)
• make operational the ERATV application
• gather analytics data (about user behaviour), if accepted

Every time you visit ERATV, you will be prompted to accept cookies or to modify settings, in order to:

• not be tracked by your browser (for analytics services, advertising networks, etc.) and/or
• opt-out from analytics data collection (for further details read Web analytics privacy in Matomo).

The purpose is to enable the site to:

• remember your preferences (such as username, language, etc.) for a certain period of time without the need to re-enter them while browsing during the same visit.
• establish anonymized statistics about browsing experience, if the user so agrees.

Recipients of personal data

The recipients of the personal data are:

• NSAs users, for the business purpose;
• relevant Agency staff: defined IT staff for the purpose of providing technical service (access would be limited to technical IT issues to be solved);
• The designated contractor for the purpose of providing the necessary expertise in developing the IT tool (limited access in order to provide the service).

All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.

The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.

Personal data is not intended to be transferred to a third country outside the EU.

Your Rights as data subject

You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data. You have also the right to object to the processing or request to erasure of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.

If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the Contacts below.

Legal basis for the processing operation

Legal basis:

• Article 48 of Directive (EU) 2016/797 on the interoperability of the rail system within the European Union.
• Article 37.1(b) of Regulation (EU) 2016/796 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Railways and repealing Regulation (EC) No 881/2004
• Commission Implementing Decision 2011/665/EU on the European register of authorised types of railway vehicles as amended by Commission Implementing Regulation (EU) 2019/776 of 16 May 2019 amending Commission Regulations (EU) No 321/2013, (EU) No 1299/2014, (EU) No 1301/2014, (EU) No 1302/2014, (EU) No 1303/2014 and (EU) 2016/919 and Commission Implementing Decision 2011/665/EU as regards the alignment with Directive (EU) 2016/797 of the European Parliament and of the Council and the implementation of specific objectives set out in Commission Delegated Decision (EU) 2017/1474.

Lawfulness:

The above data processing operation is carried out in accordance with Art. 5(a) of Regulation (EU) 2018/1725:

1.  processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;

Time limit for storing the data

Personal data are retained until the user account is deleted or for the lifetime of ERATV, designed as a permanent tool - until the relevant legislation is changed.

Contacts

All your requests concerning your data protection rights should be addressed to the Data Controller the Head of Analysis Unit.

In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer.

You have at any time the right of recourse to the European Data Protection Supervisor.

This Notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of Register of Infrastructure (RINF) Common User Interface (CUI).

Your personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

For more information about the processing in question, you are invited to contact ERA through the addresses provided in “Contacts”.

Controller of the processing operation

The Controller determining the purpose and means of the processing of your personal data is the European Union Agency for Railways (ERA). The entity responsible for managing the personal data processing is the Head of Analysis and Monitoring Unit.

Purpose of the processing operation

The information provided by RINF is used for:

• planning purposes, in designing new trains,
• assisting the assessment of compatibility of trains with routes before the start of operation and
• as a reference database.

Free access after self-registration is granted to public to read data, while access rights granted by the Agency are needed for data submission. Therefore, a registration of personal data is requested in order to get an authorized access according to the defined roles and to be contacted in case of any need.

Data Processed

The types of data, including personal data that may be processed are as follows:

• family name, first name, telephone number, e-mail address, relevant job position, organization name and address, country
• user login,
• role (NRE/IM/standard user, RINF administrator).

By the registration of its own data each user is able to access the information system and to manage data according to the related rights ensuring the appropriate level of security, in accordance with organizational and technical security measures of the Agency.

In addition, in order to support users or to protect the content against inappropriate behaviors (e.g. certificates mismatching or hacking attempts) an information auditing functionality has been implemented, recording all user’ actions.

The fields in the recorded logs are the following:

• Timestamp
• Username
• Action details

Finally, information is stored in servers located in ERA’s premises, access only granted to authorized staff members.

In addition, ERA uses "first-party cookies".

A cookie is a small piece of text that a website stores on your computer or mobile device when you visit it. These cookies are set and controlled by ERA through a platform named Matomo, not by any external organisation. The first-party cookies are used to:

• store visitor preferences (cookies consent)
• make operational the RINF application
• gather analytics data (about user behaviour), if accepted.

The purpose is to enable the site to:

• remember your preferences (such as username, language, etc.) for a certain period of time without the need to re-enter them while browsing during the same visit.
• establish anonymized statistics about browsing experience, if the user so agrees.

Every time you visit RINF, you will be prompted to accept cookies or to modify settings, in order to:

• not be tracked by your browser (for analytics services, advertising networks, etc.) and/or
• opt-out from analytics data collection (for further details read Web analytics privacy in Matomo).

Recipients of personal data

The recipients of the personal data are:

• Agency staff involved in the related service
• The designated contractor for the purpose of providing the necessary expertise in developing the IT tool (limited access in order to provide the service).

All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.

The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.

Personal data is not intended to be transferred to a third country outside the EU.

Your Rights as data subject

You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data. You have also the right to object to the processing or request the erasure of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.

If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the “Contacts” below.

Legal basis for the processing operation

Legal basis:

• Article 49 of Directive (EU) 2016/797 on the interoperability of the rail system within the European Union.
• Commission Implementing Regulation (EU) 2019/777 of 16 May 2019 on the common specifications for the register of railway infrastructure and repealing Implementing Decision 2014/880/EU.

Lawfulness:

The above data processing operation is carried out in accordance with Art. 5(a) of Regulation (EU) 2018/1725:

1. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;

Time limit for storing the data

Personal information are retained until the user account is deleted or for the lifetime of RINF CUI, designed as a permanent internet tool (until the relevant legislation is changed).

Contacts

All your requests concerning your data protection rights should be addressed to the Data Controller the Head of Analysis Unit.

In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer.

You have at any time the right of recourse to the European Data Protection Supervisor.

This Notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of RDD.

Your personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

For more information about the processing in question, you are invited to contact ERA through the addresses provided in “Contacts”.

Controller of the processing operation

The Controller determining the purpose and means of the processing of your personal data is the European Union Agency for Railways (ERA). The entity responsible for managing the personal data processing is the Head of Analysis and Monitoring Unit.

Purpose of the processing operation

Information provided through RDD is used to:

• authorize railway vehicles for placing into service
• show classification of national rules achieved among different NSAs
• provide useful information for the NSA and the applicant such as the checking body and checking procedure, the evidence required for the proof of compliance.

Free access to RDD is granted to public to read data, while a username and a password are needed for data submission. Therefore, a registration of personal data is requested to obtain credentials in order to get an authorised access and to be contacted in case of any need.

Data Processed

The types of data, including personal data that may be processed are as follows:

• family name, first name, organizational address, telephone, fax, e-mail address, Country/Member State
• assigned role in the application (for access rights management).

In addition, in order to protect the content against inappropriate behaviors (e.g. hacking attempts) an Audit Trail has been implemented, recording all registered user’ actions. The fields in the recorded logs are the following:

• Username
• Source IP address
• Permission (permission required for the action taken)
• Message: description of the action taken

Appropriate organizational and technical security measures are ensured according to the data protection legislation applicable to EU institutions and bodies.

Finally, information is stored in servers located in ERA’s premises, access only granted to authorised staff members.

In addition, ERA uses "first-party cookies".

A cookie is a small piece of text that a website stores on your computer or mobile device when you visit it. These cookies are set and controlled by ERA through a platform named Matomo, not by any external organisation. The first-party cookies are used to:

• store visitor preferences (cookies consent)
• make operational the RDD application
• gather analytics data (about user behaviour), if accepted

The purpose is to enable the site to:

• remember your preferences (such as username, language, etc.) for a certain period of time without the need to re-enter them while browsing during the same visit.
• establish anonymized statistics about browsing experience, if the user so agrees.

Every time you visit RDD, you will be prompted to accept cookies or to modify settings, in order to:

• not be tracked by your browser (for analytics services, advertising networks, etc.) and/or
• opt-out from analytics data collection (for further details read Web analytics privacy in Matomo).

Recipients of personal data

The recipients of the personal data are:

• relevant Agency staff: defined staff for the purpose of providing technical/business service;
• the designated contractor for the purpose of providing the necessary expertise in developing the IT tool (limited access in order to provide the service).

All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.

The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.

Personal data is not intended to be transferred to a third country outside the EU.

Your Rights as data subject

You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data. You have also the right to object to the processing or request the erasure of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.

If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the “Contacts” below.

Legal basis for the processing operation

Legal basis:

• Commission Decision 2011/155/EU of 9 March 2011 on the publication and management of the Reference Document

Lawfulness:

The above data processing operation is carried out in accordance with Art. 5(a) of Regulation (EU) 2018/1725:

1. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;

Time limit for storing the data

Personal data are retained until the user account is deleted or for the lifetime of RDD.

Contacts

All your requests concerning your data protection rights should be addressed to the Data Controller the Head of Analysis Unit.

In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer.

You have at any time the right of recourse to the European Data Protection Supervisor.

This notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of ERAIL.

Through the ERAIL database, the Agency is collecting and providing public access to the following documents and information:

• Notifications of railway accident investigations and publication of safety recommendations;
• Final accident investigation reports issued by the National Investigation Bodies (NIBs);
• Common Safety Indicators collected by the National Safety Authorities (NSAs) and delivered to the Agency;
• Link to the Overview of Safety and Interoperability in the Single European Railway Area (SERA) published on the Agency website.

Your personal data are processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

For more information about the processing in question, you are invited to contact ERA through the addresses provided in “Contacts”.

Controller of the processing operation

The Controller determining the purpose and means of the processing of your personal data is the European Union Agency for Railways (ERA). The entity responsible for managing the personal data processing is the Head of Analysis and Monitoring Unit.

Purpose of the processing operation

The purpose of this database is to make publically available documents provided for by Directive (EU) 2016/798 and Regulation (EU) 2016/796.

Free access to ERAIL is granted to public to read data, while a username and a password are needed for data submission. Therefore, a registration of personal data is requested by the application to get an authorised access and to be contacted in case of any need.

Data Processed

The types of data, including personal data that may be processed are as follows:

• Contact persons (name, e-mail and country)

In addition, ERA uses "first-party cookies".

A cookie is a small piece of text that a website stores on your computer or mobile device when you visit it. These cookies are set and controlled by ERA through a platform named Matomo, not by any external organisation. The first-party cookies are used to:

• store visitor preferences (cookies consent)
• make operational the ERAIL application
• gather analytics data (about user behaviour), if accepted.

The purpose is to enable the site to:

• remember your preferences (such as username, language, etc.) for a certain period of time without the need to re-enter them while browsing during the same visit.
• establish anonymized statistics about browsing experience, if the user so agrees.

Every time you visit ERAIL, you will be prompted to accept cookies or to modify settings, in order to:

• not be tracked by your browser (for analytics services, advertising networks, etc.) and/or
• opt-out from analytics data collection (for further details read Web analytics privacy in Matomo).

Recipients of personal data

• Agency staff involved in the related service
• the designated contractor for the purpose of providing the necessary expertise in maintaining the IT tool.

All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.

The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.

Personal data is not intended to be transferred to a third country outside the EU.

Your Rights as data subject

You have the right to access your personal data, which is the right to obtain confirmation about your data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data. You have also the right to object to the processing or request the erasure of your personal data, which will be implemented as soon as your specific request will have been deemed legitimate.

If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the “Contacts” below.

Legal basis for the processing operation

Legal basis:

• Article 25 and Article 26(2) of Directive (EU) 2016/798
• Article 5 of Directive (EU) 2016/798 and Annex I to Directive (EU) 2016/798
• Article 35.4 of Regulation (EU) 2016/796

Lawfulness:

The above data processing operation is carried out in accordance with Art. 5(a) of Regulation (EU) 2018/1725:

1. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;

Time limit for storing the data

Personal information is retained until the user account is deleted or for the lifetime of ERAIL, designed as a permanent tool (until the relevant legislation is changed).

Contacts

All your requests concerning your data protection rights should be addressed to the Data Controller the Head of Analysis Unit.

In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer.

You have at any time the right of recourse to the European Data Protection Supervisor.

This Notice outlines the criteria by which the European Union Agency for Railways (ERA) collects and processes personal data in the context of ECVVR. It is a system composed of:

• a search engine – Virtual Vehicle Register (VVR)- allowing users to access information related to registrations of railway vehicles in EU;
• a standard National Vehicle Register – sNVR – that EU Member States can use to manage their data;
• a National Vehicle Register Translation Engine – NVR-TE – integrating an existing IT system for railway vehicles registration at national level with the VVR.

Therefore, ECVVR can be considered as a search engine on distributed rail vehicles-related data, using a common software application, which allows users to retrieve data from all the registers in the Member States.

Concerning the personal data managed at Member State level, through the so called Standard National Vehicle Register (“sNVR”) sub-system and other NVRs subsystems using NVR-TE (translation engine), they shall follow the national rules in matters of data protection. Consequently Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) shall be applied.

Any personal data provided by Registration entities’ administrators (REs) to access the European Centralised Virtual Vehicle Register system (ECVVR) and particularly through the module so called “VVR” hosted by ERA will be processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

For more information about the processing in question, you are invited to contact ERA through the addresses provided in “Contacts”.

Controller of the processing operation

The Controller determining the purpose and means of the processing of personal data is the European Union Agency for Railways (ERA) for those data managed to create users’ account in VVR for REs administrators. The entity responsible for managing such personal data processing is the Head of Analysis and Monitoring Unit.

Purpose of the processing operation

The purpose of processing is to allow REs as listed in point 3.3 of the Annex I of the Commission Decision 2007/756/EC to access the EU vehicles data -via web authentication. By the registration of their own personal data each user is able to access the information system and to manage data according to their own access rights ensuring the appropriate level of security.

Data Processed

The types of data, including personal data that may be processed are as follows:

• data to identify and contact the user: first name, last name, e-mail address, organisation name
• user login and the expiration date of the user account
• role as listed in section 3.3 of Annex I to Commission Decision 2007/756/EC.

The Legislation predefined rights that, duly taken into account and matched through the VVR search engine, ensure access to the information in a secure way. Therefore, by registration of their own data the REs user is able to access the information system and to manage data according to the related rights ensuring the appropriate level of security, in accordance with organizational and technical security measures of the Agency.

Finally, information is stored in servers located in ERA’s premises, access only granted to authorized staff members.

In addition, ERA uses "first-party cookies".

A cookie is a small piece of text that a website stores on your computer or mobile device when you visit it. These cookies are set and controlled by ERA through a platform named Matomo, not by any external organisation. The first-party cookies are used to:

• store visitor preferences (cookies consent)
• make operational the ECVVR application
• gather analytics data (about user behaviour), if accepted.

The purpose is to enable the site to:

• remember your preferences (such as username, language, etc.) for a certain period of time without the need to re-enter them while browsing during the same visit.
• establish anonymized statistics about browsing experience, if the user so agrees.

Every time you visit ERADIS, you will be prompted to accept cookies or to modify settings, in order to:

• not be tracked by your browser (for analytics services, advertising networks, etc.) and/or
• opt-out from analytics data collection (for further details read Web analytics privacy in Matomo).

Recipients of personal data

The recipients of the data are:

• the ERA staff members involved in providing the ECVVR service,
• the designated contractor for the purpose of providing the necessary expertise in maintaining the IT tool (limited access in order to provide the service).

All recipients of the data are reminded of their obligation not to use the data for any further purpose other than the ones for which they were collected.

The personal information collected will not be communicated to third parties, except where necessary for the purposes outlined and to the entities identified above.

Personal data is not intended to be transferred to a third country outside the EU.

Your Rights as data subject

REs administrators have the right to access their personal data, which is the right to obtain confirmation about data processed by the Agency and the right to ask for the correction of any inaccurate or incomplete personal data. REs administrators have also the right to object to the processing or request the erasure of their personal data, which will be implemented as soon as a specific request will have been deemed legitimate.

If you have any queries concerning the processing of your personal data, you may address them to the data Controller. You will find the address in the “Contacts” below.

Legal basis for the processing operation

Legal basis:

• Regulation (EU) 2016/796, Article 37.1(a)
• Commission Decision 2007/756/EC and its amendments

Lawfulness:

The above data processing operation is carried out in accordance with Art. 5(a) of Regulation (EU) 2018/1725:

1. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;

Time limit for storing the data

Period of storage: until the user account is deleted by the system user that created it (ERA or RE), for the lifetime of VVR designed as a permanent internet tool (until the relevant legislation is changed).

Contacts

All your requests concerning your data protection rights should be addressed to the Data Controller the Head of Analysis Unit.

In case you have any questions related to the protection of your personal data, you can also contact the ERA Data Protection Officer.

You have at any time the right of recourse to the European Data Protection Supervisor.