ANNEX I
Requirements for the Union database
1. General
1.1. The Union database shall provide a consolidated overview of the data in the certificates of qualifications and on the service record books referred to in Article 25(1) of Directive (EU) 2017/2397 which are kept in Member States’ national registers established and kept pursuant to Article 25(1) of that Directive.
1.2. The Union database shall also provide information on certificates of qualifications and service record books recognised pursuant to Article 10(2) or 10(3) of Directive (EU) 2017/2397 where the Commission has granted access to it to an authority of a third country, in accordance with Article 25(4) of Directive (EU) 2017/2397.
1.3. The Union database shall provide a user interface (‘the Union database web portal’) through which the authorised users shall be able to access data in accordance with their access rights.
2. Users and access rights
2.1. The Commission shall grant access rights to individual users corresponding to the user profiles laid down in Table 1, on the basis of a list provided by the Member States.
2.2. The Commission may also grant access to the Union database to international organisations and authorities of a third country, in accordance with Article 25(4) of Directive (EU) 2017/2397 and, in particular, provided the requirements set out in Article 46 of Regulation (EU) 2018/1725 are fulfilled. User profiles referred to in Table 1 or their access rights can be limited following the result of the assessment concerning the level of protection of natural persons’ personal data.
Table 1.

| User profiles | Definitions | Access rights |
|---|---|---|
| Certification authorities | Competent authorities designated to issue, renew and withdraw certificates of qualifications, specific authorisations and service record books referred to in Article 26 of Directive (EU) 2017/2397 | Read and write in relation to functionalities 3.1 to 3.5. |
| Authorities in charge of suspension | Authorised users in competent authorities for the suspension of certificates of qualifications and specific authorisations referred to in Article 26 of Directive (EU) 2017/2397 | Read and write in relation to functionalities 3.3. and 3.4. |
| Enforcement authorities | Authorised users in competent authorities detecting and combating fraud and other unlawful practices referred to in Article 26 of Directive (EU) 2017/2397 | Read-only in relation to functionalities 3.1, 3.2., 3.3. and 3.5. |
| Registers’ keepers | Authorised users in competent authorities designated to keep the registers referred to in Article 26 of Directive (EU) 2017/2397 | Read and write in relation to functionalities 3.1 to 3.5 if not exercised by certification authorities or authorities in charge of suspensions |
| Statistic offices | Authorised users in national or international offices in charge of collecting statistical data. | Read-only in relation to functionality 3.5. |
| International organisations | Authorised users in international organisations that have been provided access to, in accordance with Article 25(4) of Directive (EU) 2017/2397 and Article 46 of Regulation (EU) 2018/1725. | Read-only access to be determined in relation to functionalities 3.2., 3.3. and 3.5. following the result of the assessment concerning the level of protection of natural persons |
| Authorities from third countries | Authorised users in designated competent authorities from third countries that have been provided access to, in accordance with Article 25(4) of Directive (EU) 2017/2397 and Article 46 of Regulation (EU) 2018/1725 | To be determined in relation to functionalities 3.1 to 3.5. following the result of the assessment concerning the level of protection of natural persons |
| Commission | Authorised users in Commission staff: a) in charge of keeping the Union database or b) in charge of inland navigation policies | a) Provider of the technical solution for all functionalities; b) Read-only in relation to functionality 3.5 |

3. Functionalities
The following functionalities shall be provided through the Union database:
3.1. Verification of the crew member’s registration in the Union database:
The Union database shall allow certification and enforcement authorities to check, either on the basis of a Crew member Identification Number (CID) or of data contained in an identity document provided by the crew member, whether a crew member is already registered in the system. In case of on-line services, the identification of a crew member shall be made with the support of the dataset as set out under Regulation (EU) 2015/1501.
In case no person with similar identity related dataset is found in the system following a search by a certification authority, the crew member shall be registered in the system.
3.2. Consultation of data on certificates of qualification and service record books:
The Union database shall provide read access to data on certificates of qualifications and service record books as made available by the national registers.
3.3. Consultation and modification of status of certificates of qualification:
The Union database shall provide read access to the status of certificates of qualifications and write access to record a suspension of a certificate of qualification in the Union database.
The standard certificate statuses are the following: “active”, “expired”, “suspended”, “withdrawn”, “lost”, “stolen” or “destroyed”.
3.4. Sending and receiving notification:
The Union database shall allow certification authorities and authorities in charge of suspensions to be notified of modifications or of request in the registers, which concern certificates of qualification or specific authorisation that they have issued or suspended.
3.5. Generating statistics:
The Union database shall contain features to provide data for authorised users to perform queries for statistical purposes.
3.6. Updating metadata:
The Commission shall update the metadata of the Union database upon notification by a Member State of modification of corresponding data in its register.
3.7. Information on incomplete transaction:
In case the system is not able to complete a functionality, this fact and its reason shall be notified to the relevant user, the request or the data shall be temporarily buffered in the Union database and the transaction shall be automatically repeated until the error or deficiency has been addressed and the functionality completed.
3.8. Management of user access:
Users shall access the Union database through the Commission authentication service (EU Login).
3.9. Monitoring login and transactions:
The Union database shall log all login information and transactions for monitoring and debugging purposes and allow the generation of statistics about these logins and transactions for the use by the Commission services.
4. The Union database data
4.1. In order for the Union database to perform its functionalities, it shall keep the following data:
(a) routing metadata;
(b) access right tables;
(c) CIDs with the following pointers or metadata for each CID:
(i) the holder’s list of types of certificates and of specific authorisations with their respective issuing authority and status;
(ii) the holder’s active service record book, where relevant;
(iii) the national register that hosts the holder’s most recent personal identity related data.
4.2. The Union database may also keep data referred to under Article 25 of Directive (EU) 2017/2397 for certificates of qualifications and service record books recognised pursuant to Article 10(3) when the Commission has refused any type of access to an authority of a third country, in accordance with Article 25(4) of Directive (EU) 2017/2397.
5. Communication between the Union database and the registers
5.1. The connection between the Union database and the national registers shall be based on the Commission’s secure electronic registered delivery service (CEF eDelivery).
5.2. The exchange of information shall be based on standard data-structuring methods and shall be expressed in XML format.
6. Reference data of the Union database
6.1. The reference data such as code lists, controlled vocabularies and glossaries shall be kept in the European Reference Data Management System (ERDMS), including, where relevant, the translation in the EU official languages.
7. Personal data protection
7.1. Any processing of personal data by the authorised users in Member States shall be carried out in accordance with Union law on the protection of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council.
7.2. The Commission shall carry out all processing of personal data provided for in this Regulation in accordance with Regulation (EU) 2018/1725.
The personal data referred to in Article 25(1) of Directive (EU) 2017/2397 shall be accessed and processed only for the execution of the functionalities referred to in section 3 and by the authorised users.
7.3. The personal data referred to in section 4 shall not be stored in the Union database for longer than it is necessary for the purposes for which the personal data are processed and not after crew members’ retirement. The holder’s list of types of certificates and of specific authorisations shall not include those certificates and authorisations that have expired, have been withdrawn or destroyed, have been declared lost or stolen once they have been replaced by a new certificate or authorisation.
7.4. Personal data processed for the purpose of the functionality described under point 4.9. shall not be retained in the EU platform for more than 6 months.
7.5. Personal data other than those referred to in points 7.5. and 7.6. shall not be retained in the Union database for longer than strictly necessary for the transaction to be completed.
7.6. The data available for statistical purposes shall be anonymised and aggregated. Statistical information that has been duly anonymised and aggregated may be retained indefinitely.
8. Single contact points
8.1. For the purposes related to the operation of the Union database, the Commission shall maintain contact with the Member States through a single contact point designated by each Member State among the competent authorities referred to in Article 26(g) of Directive (EU) 2017/2397.
8.2.
ANNEX II
Requirements for the operation of the European Hull Database for information on the logbooks
1. The data related to logbooks shall be only accessed and processed by the authorised users referred to in Table 1.
2. The Commission shall grant access rights to users corresponding to the user profiles laid down in Table 1, on the basis of a list provided by the Member States, as well as to the international organisations and authorities of a third country, in accordance with Article 25(4) of Directive.
3. The Instructions of Annex III and Annex IV on full access, read-only access and processing the data in the EHDB of Delegated Regulation xxxx on EHDB shall apply.
4. Any processing of personal data by the authorised users shall be carried out in accordance with the Union law on the protection of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council.
5. The Commission shall carry out all processing of personal data provided for in this Regulation in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council.
Table 1.

| User profiles | Definition | Access rights |
|---|---|---|
| Certification Authorities | Authorised users in competent authorities for the issuing of logbooks in accordance with Article 26 of Directive (EU) 2017/2397. | Full-access |
| Enforcement authorities | Authorised users in competent authorities detecting and combating fraud and other unlawful practices in accordance with Article 26 of Directive (EU) 2017/2397. | Read-only |
| Statistic office | Authorised users in national or international offices in charge of collecting statistical data. | Read-only |
| International organisations | Authorised users in international organisations that have been provided access to EHDB in accordance with Article 25(4) of the Directive (EU) 2017/2397 and Article 46 of Regulation (EU) 2018/1725. | Read-only access to be determined following the result of the assessment concerning the level of protection of natural persons |
| Authorities from third countries | Authorised users in designated competent authorities from third countries that have been provided access to in accordance with Article 25(4) of Directive (EU) 2017/2397 and Article 46 of Regulation (EU) 2018/1725. | To be determined following the result of the assessment concerning the level of protection of natural persons |

ANNEX III
Allocation of responsibilities among joint controllers
1. The Member States, represented by the competent authorities, determine the purposes and means of processing of personal data in the national registers. The Commission, by keeping/managing the Union database which provides for the exchange of data among Member States, is also a controller. The Member States and the Commission are joint controllers for the processing of personal data in the EU database.
2. Each of the joint controllers shall comply with relevant Union and national legislation to which the respective controller is subject.
3. The Commission shall be responsible for:
(a) ensuring that the Union database complies with the requirements applicable to Commission's communication and information systems, including those concerning the protection of personal data and the application of data protection rules on security of the processing. The Commission shall carry out an information security risk assessment and ensure an appropriate level of security;
(b) responding to the requests of data subjects addressed directly to it in relation to the Union database and publishing a data protection information notice to fulfil information requirements. Where appropriate and in particular when the request concerns rectification and erasure of personal data, the Commission shall forward the request of the data subject to the relevant single contact point(s) that shall address it. In cases where a request is addressed directly to the Commission, it shall inform the data subject on the follow-up given to the request;
(c) communicating any personal data breaches within the Union database to the single contact points referred to in section 8.1. of Annex I, to the European Data Protection Supervisor and to the relevant individuals where there is a high risk in accordance with Articles 34 and 35 of Regulation (EU) 1725/2018;
(d) identifying the categories of staff and other individuals to whom access to the Union database may be granted and ensuring that access by all those concerned is compliant with applicable data protection rules;
(e) ensuring that Commission staff who have access to crew members’ personal data within the Union database are adequately trained to ensure that they perform their tasks in compliance with the rules applicable to the protection of personal data, and are subject to the obligation of professional secrecy under Union law.
4. Member States’ competent authorities shall be responsible for:
(a) collecting and processing the personal data of applicants, and for processing the personal data they obtain from/exchange through the Union database. Collecting and processing personal data shall be done in accordance with Regulation (EU) 2016/679, in particular to ensure lawful collection of data, provide appropriate information, keep the data accurate (including erasing outdated data or profiles where relevant) and ensure appropriate security of the data in the national register(s).
(b) acting as the contact point for the crew members, including when they exercise their rights, responding to the requests of crew members and ensuring that crew members whose data are processed through the Union database and national registers are enabled to exercise their rights in compliance with data protection legislation. In this context, they shall cooperate with other Member States’ competent authorities via the single contact points and with the Commission to address appropriately the requests of data subjects addressed to it, to other Member States or to the Commission. Member States’ competent authorities that have received the data subject request shall inform the data subject on the follow-up given to the request;
(c) communicating any personal data breaches with regard to crew members’ data processed through the Union database to the Commission, to the single contact point referred to in section 8.1. of Annex I, to the competent supervisory authority at national level and, where so required, to relevant crew members, in accordance with Articles 33 and 34 of Regulation (EU) 2016/679 or if requested by the Commission;
(d) identifying, in compliance with access rights to users corresponding to the user profiles laid down in Table 1 of Annex I, staff who shall be granted access to crew members' personal data within the Union database and communicating it to the Commission;
(e) ensuring that their staff who have access to crew members’ personal data within the Union database are adequately trained to ensure that they perform their tasks in compliance with the rules applicable to the protection of personal data, and are subject to the obligation of professional secrecy in accordance with national law or rules established by national competent authority.