Commission Delegated Regulation (EU) 2020/473 of 20 January 2020 supplementing Di... (32020R0473)
EU - Rechtsakte: 07 Transport policy

COMMISSION DELEGATED REGULATION (EU) 2020/473

of 20 January 2020

supplementing Directive (EU) 2017/2397 of the European Parliament and of the Council with regard to the standards for databases for the Union certificates of qualification, service record books and logbooks

THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Directive (EU) 2017/2397 of the European Parliament and of the Council of 12 December 2017 on the recognition of professional qualifications in inland navigation and repealing Council Directives 91/672/EEC and 96/50/EC (1), and in particular Article 25(2) thereof,
Whereas:
(1) In order to facilitate mobility and ensure the safety of navigation and the protection of human life and the environment, it is essential for crew members to hold certificates proving their qualifications. In order to obtain such certificates, crew members should record their navigation time by means of valid entries in the crew member’s service record book that may be crossed-checked with entries in the logbooks of the craft on which the crew member served.
(2) In order to properly implement Directive (EU) 2017/2397 and to prevent fraud, the competent authorities that issue certificates in accordance with that Directive should ensure that crew members hold only a single specific certificate at a certain point of time. In the context of identifying a crew member, where relevant, due account should be taken of Regulation (EU) No 910/2014 of the European Parliament and of the Council (2).
(3) In order to contribute to the efficient administration of Union certificates of qualification, pursuant to Article 25(1) of Directive (EU) 2017/2397 Member States that issue certificates in accordance with Directive (EU) 2017/2397 should set up registers for recording data on the Union certificates of qualification, service record books and logbooks as well as on documents recognised pursuant to Article 10(2) of Directive (EU) 2017/2397.
(4) In order to facilitate the exchange of information between Member States and the Commission for the purpose of implementing, enforcing and evaluating Directive (EU) 2017/2397, as well as for statistical purposes, maintaining safety and ease of navigation, Member States should make available/include data on those documents and their status, using a database kept by the Commission.
(5) For the purposes of the same objectives, this database should also serve to provide information on documents recognised pursuant to Article 10(2) or (3) of Directive (EU) 2017/2397.
(6) The fact that certificates of qualifications and service record books are held by crew members while the logbook is linked to a craft requires the separate management of those data under two different frameworks. In this context, the existence of the European Hull Data Base established by Directive (EU) 2016/1629 of the European Parliament and of the Council (3), which includes information relating to inland waterway craft for the use of competent authorities, should be taken into account.
(7) Due account should be taken of relevant data exchange specifications laid down in relevant Union law, as well as of the principles and recommendations set out in the EU eGovernment Action Plan 2016-2020 (4) and the European Interoperability Framework (5). Due care should also be taken that, as far as possible, the specifications remain technology-neutral and open to innovative technologies. The once-only and interoperability-by-default principles should be applied.
(8) Whenever the measures provided for in this delegated Regulation entail the processing of personal data, it should be carried out in accordance with Union law on the protection of personal data, in particular Regulation (EU) 2018/1725 of the European Parliament and of the Council (6) with regard to the processing by the European Commission and Regulation (EU) 2016/679 of the European Parliament and of the Council (7) with regard to the processing by the Member States competent authorities.
(9) The Member States, represented by the relevant competent authorities, determine the purposes and means of processing of personal data in the national registers. The Commission, by keeping the database that is providing the solution to exchange the data among Member States is also a controller. Member States together with the Commission are joint controllers of the personal data processed in the Union database. Article 26 of Regulation (EU) 2016/679 and Article 28 of Regulation (EU) 2018/1725 place an obligation on joint controllers to determine, in a transparent manner, their respective responsibilities for compliance with the obligations under those Regulations. This Regulation determines those respective responsibilities.
(10) In order to ensure equal access rights on the basis of Regulation (EU) 2016/679 and of Regulation (EU) 2018/1725, the Commission should be regarded as the controller of personal data relating to the management of access rights to the Union database.
(11) The European Data Protection Supervisor was consulted in accordance with Article 42 of Regulation (EU) 2018/1725.
(12) In the interest of coherence, the provisions of this Regulation should generally apply from the same date as provided for the transposition of Directive (EU) 2017/2397. An exception should however be provided for the provisions concerning the operation of the database by the Commission during the test phase and its role as controller for the processing of access rights,
HAS ADOPTED THIS REGULATION:

Article 1

Subject matter

This Regulation sets the standards laying down the characteristics and conditions for use of the databases for Union certificates of qualification, service record books and logbooks issued in accordance with Directive (EU) 2017/2397 and for documents recognised pursuant to its Article 10(2)-(3).

Article 2

Definitions

For the purposes of this Regulation, the following definitions shall apply:
(a) ‘Union database’ means the database provided by the Commission pursuant to Article 25(2) of Directive (EU) 2017/2397 to record and exchange data on certificates of qualifications and service record books referred to in Article 25(1) of Directive (EU) 2017/2397 and on certificates of qualifications and service record books recognised pursuant to its Article 10(3);
(b) ‘European hull database (EHDB)’ means the database provided by the Commission pursuant to Article 25(2) of Directive (EU) 2017/2397 to record and exchange the data on the logbooks referred to in Article 25(1) of that Directive;
(c) ‘National registers’ means the registers of the Union certificates of qualification, service record books and logbooks and, where relevant, of documents recognised pursuant to Article 10(2) of Directive (EU) 2017/2397, which are established and kept by Member States pursuant to Article 25(1) of that Directive
(d) ‘crew member identification number’ (CID) means a number generated by the Union database that identifies a crew member registered in that database and that is unique to the holder;
(e) ‘Status “active”’ means that certificates of qualification and specific authorisations are valid;
(f) ‘Status “expired”’ means that certificates of qualification and specific authorisations are no longer valid because the validity period came to an end or because they have been replaced by a new certification of qualification or specific authorisation following a need for change of administrative data or the validity period coming to an end;
(g) ‘Status “suspended”’ means that certificates of qualification and specific authorisations are no longer valid because measures have been taken by competent authorities in accordance with Article 14(2) of Directive (EU) 2017/2397;
(h) ‘Status “withdrawn”’ means that certificates of qualification and specific authorisations are no longer valid because measures have been taken by competent authorities in accordance with Article 14(1) of Directive (EU) 2017/2397;
(i) ‘Status “lost”’ means that certificates of qualification and specific authorisations have been declared lost to the competent authority;
(j) ‘Status “stolen”’ means that certificates of qualification and specific authorisations have been declared stolen to the competent authority;
(k) ‘Status “destroyed”’ means that certificates of qualification and specific authorisations have been declared destroyed to the competent authority.
(l) ‘metadata’ means data processed in the Union database for the purposes of sending or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the electronic communications content, and the date, time, duration and type of communication.

Article 3

Information on the certificates of qualifications and service record books

1.   The Commission shall set up the Union database. It shall manage it in accordance with the requirements laid down in Annex I. It shall be responsible for its technical operations and its maintenance. The Commission shall take all measures necessary to ensure the confidentiality, integrity and availability of the Union database.
2.   Member States that issue certificates in accordance with Directive (EU) 2017/2397 shall make available machine-to-machine to the Union database the registers referred to in Article 25(1) of Directive (EU) 2017/2397 concerning the data referred to in Article 25(1) of Directive (EU) 2017/2397.
3.   Without prejudice to paragraph 4 each of the Member States’ competent authority designated as controller for the data processed in the national registers and the Commission shall be joint controllers for the processing of personal data in the Union database. Responsibilities shall be allocated among joint controllers in accordance with Annex III.
4.   The Commission shall be regarded as controller for the processing of personal data necessary to grant and manage access rights to the Union database.

Article 4

Information on the logbook

1.   Member States shall record the data on the logbooks referred to in Article 25(1) of Directive (EU) 2017/2397 in the EHDB,
2.   Conditions for the use of the EHDB for the purpose of recording the data related to logbooks in accordance with Article 25(2) of Directive (EU) 2017/2397 are laid down in Annex II.

Article 5

Entry into force and application

This Regulation shall enter into force on the twentieth day following that of its publication in the
Official Journal of the European Union
.
It shall apply from 18 January 2022 with the exception of its Article 3(1) and (4) that shall apply from the date of entry into force of this Regulation.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 20 January 2020.
For the Commission
The President
Ursula VON DER LEYEN
(1)  
OJ L 345, 27.12.2017, p. 53
.
(2)  Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (
OJ L 257, 28.8.2014, p. 73
). See also its implementing regulations, in particular Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework pursuant to Article 12(8) of Regulation (EU) No 910/2014.
(3)  Directive (EU) 2016/1629 of the European Parliament and of the Council of 14 September 2016 laying down technical requirements for inland waterway vessels, amending Directive 2009/100/EC and repealing Directive 2006/87/EC (
OJ L 252, 16.9.2016, p. 118
).
(4)  EU eGovernment Action Plan 2016-2020 Accelerating the digital transformation of government — Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions (COM(2016) 179 final).
(5)  European Interoperability Framework — Implementation Strategy, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions (COM(2017) 134).
(6)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (
OJ L 295, 21.11.2018, p. 39
).
(7)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (
OJ L 119, 4.5.2016, p. 1
).

ANNEX I

Requirements for the Union database

1.   

General

1.1.
The Union database shall provide a consolidated overview of the data in the certificates of qualifications and on the service record books referred to in Article 25(1) of Directive (EU) 2017/2397 which are kept in Member States’ national registers established and kept pursuant to Article 25(1) of that Directive.
1.2.
The Union database shall also provide information on certificates of qualifications and service record books recognised pursuant to Article 10(2) or 10(3) of Directive (EU) 2017/2397 where the Commission has granted access to it to an authority of a third country, in accordance with Article 25(4) of Directive (EU) 2017/2397.
1.3.
The Union database shall provide a user interface (‘the Union database web portal’) through which the authorised users shall be able to access data in accordance with their access rights.

2.   

Users and access rights

2.1.
The Commission shall grant access rights to individual users corresponding to the user profiles laid down in Table 1, on the basis of a list provided by the Member States.
2.2.
The Commission may also grant access to the Union database to international organisations and authorities of a third country, in accordance with Article 25(4) of Directive (EU) 2017/2397 and, in particular provided the requirements set out in Article 46 of Regulation (EU) 2018/1725 are fulfilled. User profiles referred to in Table 1 or their access rights can be limited following the result of the assessment concerning the level of protection of natural persons’ personal data.
Table 1

User profiles

Definitions

Access rights

Certification authorities

Competent authorities designated to issue, renew or withdraw certificates of qualifications, specific authorisations and services record books referred to in Article 26 of Directive (EU) 2017/2397.

Read and write in relation to functionalities 3.1 to 3.5.

Authorities in charge of suspension

Authorised users in competent authorities for the suspension of certificates of qualifications and specific authorisations referred to in Article 26 of Directive (EU) 2017/2397.

Read and write in relation to functionalities 3.3 and 3.4.

Enforcement authorities

Authorised users in competent authorities detecting and combating fraud and other unlawful practices referred to in Article 26 of Directive (EU) 2017/2397.

Read-only in relation to functionalities 3.1, 3.2, 3.3 and 3.5.

Registers’ keepers

Authorised users in competent authorities desigated to keep the registers referred to in Article 26 of Directive (EU) 2017/2397.

Read and write in relation to functionalities 3.1 to 3.5 if not exercised by certification authorities or authorities in charge of supensions

Statistics offices

Authorised users in national or international offices in charge of collecting statistical data.

Read-only in relation to functionality 3.5.

International organisations

Authorised users in international organisations that have been provided access to, in accordance with Article 25(4) of Directive (EU) 2017/2397 and Article 46 of Regulation (EU) 2018/1725.

Read-only access to be determined in relation to functionalities 3.2, 3.3 and 3.5 following the result of the assessment concerrning the level of protection of natural persons and compliance with this Regulation

Authorities from third countries

Authorised users in designated competent authorities from third countries that have been provided access to, in accordance with Article 25(4) of Directive (EU) 2017/2397 and Article 46 of Regulation (EU) 2018/1725.

To be determined in relation to functionalities 3.1 to 3.5 following the result of the assessment concerrning the level of protection of natural persons and compliance with this Regulation

Commission

Authorised users in Commission staff

1.

in charge of keeping the Union database; or

2.

in charge of inland navigation policies.

Provider of the technical solution for all functionalities;

Read-only in relation to functionality 3.5

3.   

Functionalities

The following functionalities shall be provided through the Union database:
3.1.
Verification of the crew member’s registration in the Union database:
The Union database shall allow certification and enforcement authorities to check, whether a crew member is already registered in the system. This shall be done either on the basis of a crew member identification number (CID) or of data contained in an identity document provided by the crew member. In the case of on-line services, the identification of a crew member shall be made with the support of the dataset as set out under Regulation (EU) 2015/1501.
Providing no person with a similar identity-related dataset is found in the system following a search by a certification authority, the crew member shall be registered in the system.
3.2.
Consultation of data on certificates of qualification and service record books:
The Union database shall provide read access to data on certificates of qualifications and service record books as made available by the national registers.
3.3.
Consultation and modification of the status of certificates of qualification:
The Union database shall provide read access to the status of certificates of qualifications and write access to record a suspension of a certificate of qualification in the Union database.
The standard certificate statuses are the following: ‘active’, ‘expired’, ‘suspended’, ‘withdrawn’, ‘lost’, ‘stolen’ or ‘destroyed’.
3.4.
Sending and receiving notification:
The Union database shall allow certification authorities and authorities in charge of suspensions to be notified of modifications or of requests in the registers concerning certificates of qualification or specific authorisation that they have issued or suspended.
3.5.
Generating statistics:
The Union database shall contain features to provide data for authorised users to perform searches for statistical purposes.
3.6.
Updating metadata:
The Commission shall update the metadata of the Union database upon notification of modification of corresponding data in a national register.
3.7.
Information on incomplete transaction:
In case the system is not able to complete a functionality, this fact and its reason shall be notified to the relevant user. The request or the data shall be temporarily buffered in the Union database and the transaction automatically repeated until the error or deficiency has been addressed and the functionality completed.
3.8.
Management of user access:
Users shall access the Union database through the Commission authentication service (EU Login).
3.9.
Monitoring login and transactions:
The Union database shall log all login information and transactions for monitoring and debugging purposes and allow the generation of statistics about these logins and transactions for processing by Commission staff.

4.   

The Union database data

4.1.
In order for the Union database to perform its functionalities, it shall keep the following data:
(a) routing metadata;
(b) access right tables;
(c) CIDs with:
(i) the holder’s list of types of certificates and of specific authorisations with their respective issuing authority and status;
(ii) the serial number of the holder’s active service record book, where relevant;
(iii) the pointer to the national register that hosts the holder’s most recent personal identity-related data.
4.2.
The Union database may also keep data referred to under Article 25 of Directive (EU) 2017/2397 for certificates of qualifications and service record books recognised pursuant to Article 10(3) when the Commission has refused access to an authority of a third country, in accordance with Article 25(4) of Directive (EU) 2017/2397.

5.   

Communication between the Union database and the registers

5.1.
The connection between the Union database and the national registers shall be based on the Commission’s secure electronic registered delivery service (CEF eDelivery).
5.2.
The exchange of information shall be based on standard data-structuring methods and shall be expressed in XML format.
5.3.
The service time frame shall be 24/7 days, with an availability rate of the system of at least 98 % excluded scheduled maintenance.

6.   

Reference data of the Union database

6.1.
The reference data such as code lists, controlled vocabularies and glossaries shall be kept in the European Reference Data Management System (ERDMS), including, where relevant, the translation in the EU official languages.

7.   

Personal data protection

7.1.
Any processing of personal data by the authorised users in Member States shall be carried out in accordance with Union law on the protection of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council.
7.2.
The Commission shall carry out all processing of personal data provided for in this Regulation in accordance with Regulation (EU) 2018/1725.
7.3.
The personal data referred to in Article 25(1) of Directive (EU) 2017/2397 shall be accessed and processed only for the execution of the functionalities referred to in Section 3 and by the authorised users.
7.4.
The personal data referred to in Section 4 shall not be stored in the Union database for longer than is necessary for the purposes for which the personal data are processed and not after crew members’ retirement. The holder’s list of types of certificates and of specific authorisations shall not include those certificates and authorisations that have expired, have been withdrawn or destroyed, have been declared lost or stolen once they have been replaced by a new certificate or authorisation.
7.5.
Personal data processed for the purpose of the functionality described under point 3.9 shall not be retained in the Union database for more than 6 months.
7.6.
Personal data other than those referred to in points 7.4 and 7.5 shall not be retained in the Union database for longer than strictly necessary for the transaction to be completed.
7.7.
The data available for statistical purposes shall be anonymised and aggregated. Statistical information that has been duly anonymised and aggregated may be retained indefinitely.

8.   

Single contact points

8.1.
For the purposes related to the operation of the Union database, the Commission shall maintain contact with the Member States through a single contact point designated by each Member State among the competent authorities referred to in Article 26(g) of Directive (EU) 2017/2397.

ANNEX II

Requirements for the operation of the European Hull Database for information on the logbooks

1.   
The data related to logbooks shall be accessed and processed only by the authorised users referred to in Table 1.
2.   
The Commission shall grant access rights to users corresponding to the user profiles laid down in Table 1, on the basis of a list provided by the Member States through the single contact points referred to in Delegated Regulation 2020/474 (1), as well as to the international organisations and authorities of a third country, in accordance with Article 25(4) of Directive (EU) 2017/2397.
3.   
The instructions in Annex III and Annex IV on full access and read-only access to and processing of the data in the EHDB of Delegated Regulation 2020/474 on EHDB shall apply.
4.   
Any processing of personal data by authorised users shall be carried out in accordance with the Union law on the protection of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council.
5.   
The Commission shall carry out all processing of personal data provided for in this Regulation in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council.
Table 1

User profiles

Definitions

Access rights

Certification authorities

Authorised users in competent authorities for the issuing of logbooks in accordance with Article 26 of Directive (EU) 2017/2397.

Full-access

Enforcement authorities

Authorised users in competent authorities detecting and combating fraud and other unlawful practices in accordance with Article 26 of Directive (EU) 2017/2397.

Read-only

Statistics offices

Authorised users in national or international offices in charge of collecting statistical data.

Read-only

International organisations

Authorised users in international organisations that have been provided access to EHDB in accordance with Article 25(4) of Directive (EU) 2017/2397 and Article 46 of Regulation (EU) 2018/1725.

Read-only access to be determined following the result of the assessment concerning the level of protection of natural persons

Authorities from third countries

Authorised users in designated competent authorities from third countries that have been provided access to in accordance with Article 25(4) of Directive (EU) 2017/2397 and Article 46 of Regulation (EU) 2018/1725.

To be determined following the result of the assessment concerrning the level of protection of natural persons

(1)  Commission Delegated Regulation (EU) 2020/474 of 20 January 2020 on the European Hull Data Base (
OJ L 100, 1.4.2020, p. 12
).

ANNEX III

Allocation of responsibilities among joint controllers

1.   
The Member States, represented by the competent authorities, determine the purposes and means of processing of personal data in the national registers. The Commission, by keeping/managing the Union database which provides for the exchange of data among Member States, is also a controller. The Member States and the Commission are joint controllers for the processing of personal data in the EU database.
2.   
Each of the joint controllers shall comply with relevant Union and national legislation to which the respective controller is subject.
3.   
The Commission shall be responsible for:
(a) ensuring that the Union database complies with the requirements applicable to Commission’s communication and information systems, including those concerning the protection of personal data and the application of data protection rules on security of the processing (1). The Commission shall carry out an information security risk assessment and ensure an appropriate level of security;
(b) responding to the requests of data subjects addressed directly to it in relation to the Union database and publishing a data protection information notice to fulfil information requirements. Where appropriate and in particular when the request concerns rectification and erasure of personal data, the Commission shall foward the request of the data subject to the relevant single contact point(s) that shall address it. In cases where a request is addressed directly to the Commission, it shall inform the data subject on the follow-up given to the request;
(c) communicating any personal data breaches within the Union database to the single contact points referred to in Section 8.1 of Annex I, to the European Data Protection Supervisor and to the relevant individuals where there is a high risk in accordance with Articles 34 and 35 of Regulation (EU) 2018/1725;
(d) identifying the categories of staff and other individuals to whom access to the Union database may be granted and ensuring that access by all those concerned is compliant with applicable data protection rules;
(e) ensuring that Commission staff who have access to crew members’ personal data within the Union database, are adequately trained to ensure that they perform their tasks in compliance with the rules applicable to the protection of personal data, and are subject to the obligation of professional secrecy under Union law.
4.   
Member States’ competent authorities shall be responsible for:
(a) collecting and processing the personal data of applicants, and for processing the personal data they obtain from/exchange through the Union database. Collecting and processing personal data shall be done in accordance with Regulation (EU) 2016/679, in particular to ensure lawful collection of data, provide appropriate information, keep the data accurate (including erasing outdated data or profiles where relevant) and ensure appropriate security of the data in the national register(s).
(b) acting as the contact point for the crew members, including when they exercise their rights, responding to the requests of crew members and ensuring that crew members whose data are processed through the Union database and national registers are enabled to exercise their rights in compliance with data protection legislation. In this context, they shall cooperate with other Member States’ competent authorities via the single contact points and with the Commission to address appropriately the requests of data subjects addressed to it, to other Member States or to the Commission. Member States competent authorities that have received the data subject request shall inform the data subject on the follow-up given to the request;
(c) communicating any personal data breaches with regard to crew members data processed through the Union database to the Commission, to the single contact point referred to in section 8.1. of Annex I, to the competent supervisory authority at national level and, where so required, to relevant crew members, in accordance with Articles 33 and 34 of Regulation (EU) 2016/679 or if requested by the Commission;
(d) identifying, in compliance with access rights to users corresponding to the user profiles laid down in the table 1 of Annex I, staff whom shall be granted access to crew members’ personal data within the Union database and communicating it to the Commission;
(e) ensuring that their staff who have access to crew members’ personal data within the Union database, are adequately trained to ensure that they perform their tasks in compliance with the rules applicable to the protection of personal data, and are subject to the obligation of professional secrecy in accordance with national law or rules established by national competent authority.
(1)  Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission (
OJ L 6, 11.1.2017, p. 40
) and Commission Decision of 13 December 2017 laying down implementing rules for Articles 3, 5, 7, 8, 9, 10, 11, 12, 14, 15 of Decision 2017/46/EC on the security of communication and information systems in the Commission.
Markierungen
Leseansicht