19.1.2008   

EN

Official Journal of the European Union

C 14/1

1.

The Proposal for a Regulation of the European Parliament and of the Council establishing common rules concerning the conditions to be complied with to pursue the occupation of road transport operator was sent by the Commission to the EDPS for consultation, in accordance with Article 28(2) of Regulation (EC) No 45/2001/EC (hereinafter ‘the proposal’), and was received by the EDPS on 29 May 2007. A revised version of the proposal was received on 6 July 2007. The EDPS welcomes that the preamble of the Regulation, as proposed by the Commission, mentions that he is consulted.

2.

The aim of the proposal is to replace Council Directive 96/26/EC of 29 April 1996 on admission to the occupation of road haulage operator and road passenger transport operator and mutual recognition of diplomas, certificates and other evidence of formal qualifications intended to facilitate for these operators the right to freedom of establishment in national and international transport operations (3), in order to rectify the shortcomings of that Directive. The Directive establishes minimum conditions relating to good repute, financial standing and professional competence which companies have to satisfy. As the Explanatory Memorandum of the proposal explains, Directive 96/26/EC is part of a legislative framework shaping the internal market for road transport. The Explanatory Memorandum states that the directive is not applied and enforced uniformly, as a result of legal provisions that are unclear, incomplete or not in keeping with the development of the sector. As a result, this is considered to be detrimental to fair competition. New rules are needed for the smooth functioning of the internal market in the road transport sector.

3.

The proposal takes over several provisions of Directive 96/26/EC and also contains some new elements which are listed in paragraph 3.1 of the Explanatory Memorandum. The EDPS, carrying out his task to advise Community institutions and bodies on all matters concerning the processing of personal data, will not discuss all these elements but will concentrate on the elements of the proposal that are of specific importance for the protection of personal data. In particular, the proposal introduces electronic registers interconnected between all Member States, facilitating the exchange of information between Member States. Furthermore, the proposal introduces an obligation for the authorities to warn the operator where they discover that a transport operator no longer satisfies the conditions on good repute, financial standings or professional competence. This obligation is one of a number of rules to ensure these conditions are met.

4.

The proposal thus includes elements requiring the processing of personal data. The registers mentioned above contain personal data (Article 15 of the proposal). In this context, it has to be underlined that the proposal contains rights and obligations for undertakings, as well as transport managers. It follows from the definition of Article 1(d) that not only transport managers, but also undertakings can be natural persons. In those cases, also the processing of data on the undertakings falls within the scope of data protection law.

5.

In this opinion the EDPS addresses the following Articles of the proposal:

6.

Article 6 lays down the conditions relating to the requirement as to good repute. One of the requirements, included in Article 6(1)(b), by definition concerns the behaviour of natural persons and falls within the scope of community legislation on the processing of personal data. The other requirements, listed in Article 6(1)(a) and (c), may concern the behaviour of natural persons.

7.

The provision of Article 6(1)(b) requires that the transport manager has not incurred convictions or sanctions for serious infringements or repeated minor infringements. However, the proposal does not clearly define the difference between serious and minor infringements. An indication for this difference can be found in Recital (7). It mentions ‘serious criminal convictions or serious sanctions, in particular for Community rules relating to road transport’. However, this indication does not give sufficient clarification. Is for instance a conviction relating to the Community rules on driving time and the rest period of drivers ‘serious’ or not, or, under what conditions are convictions not related to rules on road transport ‘serious’?

8.

This issue will be clarified in an implementing regulation established by the Commission (assisted by a Regulatory Procedure with Scrutiny Committee composed of the representatives of the Member States) containing a list of categories, types and degrees of seriousness of infringements and the frequency of occurrence beyond which repeated minor infringements shall lead to the loss of good repute (Article 6(2)). The EDPS underlines the importance of this implementing regulation. Point 4.2.4 of the Explanatory Memorandum rightly states that the list is a precondition for the exchange of information between Member States and for common thresholds for the withdrawal of authorisations (4). Moreover, according to the EDPS it is a necessary instrument to ensure the application of the principles relating to data quality (5), such as the principles requiring that personal data are adequate, relevant and not excessive for the purpose for which they were collected and that the data are accurate and kept up to date. The list is also necessary for the legal certainty of the persons concerned. Finally, it has to be kept in mind that the data on infringements are essential for assessing the suitability of persons to exercise the job of transport managers and the processing of these data also presents clear risks from the perspective of the protection of privacy. This is even more important since the data will determine the content of the national electronic registers under Article 15 of the proposal.

9.

In the view of the EDPS the implementing regulation will contain essential elements of the system on the admission to the occupation of road transport operator and the pursuit of that occupation, the subject matter of the proposal according to its Article 1. It would therefore have been preferable to lay down at least the main elements of the list mentioned in Article 6(2) in the proposal itself, possibly in an annex, in a more precise way than what is laid down in Article 6(2)(a)-(c). The EDPS suggests modifying the proposal in this sense, also to be in line with the principles relating to data quality. He disagrees with any suggestion following from Article 6(2), namely that the list only contains non-essential elements.

10.

The EDPS also points at Article 6(1)(a) of the proposal, which provides that Member States shall ensure that undertakings satisfy the requirement that there are no compelling grounds for doubting their good repute. The proposal and the explanatory memorandum do not give indications how the Member States should specify this vague norm, which — apparently — covers situations where no convictions or sanctions to the undertaking or the transport managers have occurred, but where the good repute is at stake nevertheless. The EDPS suggests that the Community legislator specifies the situations this provision aims to cover, especially in light of the objective of the proposal to enhance the smooth functioning of the internal market in road transport. From the perspective of data protection this is even more important since undertakings can be natural persons and relating to them data protection law will be applicable.

11.

Articles 9-14 on the authorisation and monitoring lay down the central role of the competent authorities of the Member States in the implementation of the system. The powers of the competent authorities are laid down in Article 9 and include the examination of applications by road transport undertakings, the granting, suspending and withdrawing of authorisations, the declarations of unfitness relating to the transport manager and the verifications.

12.

The EDPS welcomes this central role of the competent authorities which also gives them responsibilities for the processing of personal data, as a necessary element of their activities. In this context, the EDPS noted some ambiguities in the proposal which can be easily solved without changing anything in the system itself. In the first place, Article 10 deals, according to its heading, with the registration of applications. However, Article 10(2) — the paragraph dealing with registration — seems to concern the registration of the authorisations. If, however, it is meant for the Community legislator to also register the applications — including the name of the transport manager — this should be made explicit. Secondly, the competent authorities have tasks relating to the registration in the national electronic registers, but they are not explicitly made responsible for these registers (see point 17 of this opinion).

13.

A separate issue in the chapter on authorisation and monitoring are the rehabilitation measures. According to Article 6(3) rehabilitation or any other measure having equivalent effect is necessary to restore good repute. Article 14(1) states that the rehabilitation measures must be specified in the decisions of the Member States on the admission to the occupation of road transport manager, on the withdrawal or suspension of this admission and on the declaration of unfitness. However, the proposal leaves the grounds for and the substance of the rehabilitation, as well as the period in which rehabilitation should take place, fully to the discretion of the Member States. It would have been preferable to limit the discretion of the Member States, and by doing so contribute to the smooth functioning of the internal market in road transport, as well as to the application of the principles of data quality and the legal certainty of the persons concerned.

14.

Article 15(1) provides that each Member State shall keep a national register of authorised road transport operators. It contains the data listed in the second part of the paragraph, which include personal data. Some of the personal data in the registers present specific risks for the data subject, such as in particular the names of persons declared to be unfit to manage the transport activity of an undertaking (6).

15.

The EDPS welcomes that access to these registers is clearly limited to those national authorities which have powers relating to the subject matter of the proposal. Also the purpose of the registers is clearly limited to the implementation of the regulation, laid down in the Articles 10-13 of the proposal, as well as for the purpose mentioned in Article 26 of the proposal, the reports that have to be made on the functioning of the regulation.

16.

Article 15(2) gives a storage period of two years for data on suspensions and withdrawals of authorisations and concerning persons declared to be unfit for the occupation. The EDPS welcomes that the storage period is limited to a fixed period of two years. However, the text should also ensure that the data concerning persons declared to be unfit for the occupation shall be removed from the register immediately after a rehabilitation measure pursuant to Article 6(3) has been taken. In this context, reference can be made to Article 6(1)(e) of Directive 95/46/EC (7).

17.

Furthermore, the responsibility for the keeping of the register and for the processing of the data within the register should be clarified in the text of the regulation. In the terminology of Directive 95/46/EC: which entity can be qualified as the controller (8)? It seems logical that the competent authority must be considered as controller, but the proposal does not mention this. The EDPS suggests clarifying this in the proposal. There is even more reason for clarification since the regulation foresees the interconnection of the national electronic registers by the end of 2010 and the designation of a contact point for the exchange of information between the Member States. However, not all competent authorities will be contact points: there will be one contact point in each Member State, but there can be more than one competent authority.

18.

This leads to an observation on the interconnection of the national electronic registers. Article 15(4) provides that interconnection shall be implemented in such a way that a competent authority in any Member State can consult the electronic registers of all the Member States. In other words, the proposal foresees a system of direct access. As has been explained by the EDPS in his opinion on the proposal for a Council Framework Decision on the exchange of information under the principle of availability (9), direct access will automatically mean that an increased number of persons will have access to a database and therefore encompasses a growing risk of misuse. In case of direct access by a competent authority of another Member State, the authorities of the originating Member State have no control over the access and the further use of the data. How, for instance, can the competent authority of the originating Member State ensure that an authority in another Member State is informed of modifications in the register after the latter one has accessed the data?

19.

These matters should be dealt with in the decisions of the Commission on the interconnections as foreseen in Article 15(5) and (6) of the proposal. The EDPS welcomes in particular the common rules on the format and the technical procedures for automatic consultation that shall be adopted by the Commission. In any event, there should be no doubt about the responsibilities for the access and further use of the data. The EDPS suggests adding a sentence to Article 15(5) stating as follows: ‘These common rules should lay down which authority is responsible for the access, the further use and the keeping up to date of the data after access and should include to this effect rules on logging and monitoring of the data.’

20.

Article 16 is an Article on the protection of personal data. The beginning of this Article confirms that Directive 95/46/EC is fully applicable to personal data included in the registers. It stresses the importance of data protection and it can be seen as an introduction to the more specific provisions of Article 16(a), (b), (c) and (d).

21.

According to the EDPS, the more specific provisions of Article 16 lack added value. They recall the rights of the data subject from Directive 95/46/EC (as included in its Articles 12 and 14), in a simplified form and without giving any specification (apart from the element mentioned in point 23 of this opinion). Moreover, the simplification of the rights of the data subject leads to legal uncertainty and might therefore lower the protection of the data subject. Article 16 of the proposal is ambiguous as to whether the more specific provisions of Directive 95/46/EC fully apply to requests of the data subjects relating to information about him or her within the scope of the proposal. Article 16 of the proposal — a lex specialis to Articles 12 and Article 14 of Directive 95/46/EC — lays down that in particular the elements listed in Article 16(a), (b), (c) and (d) are ensured. According to the EDPS this should not mean that the other elements are not ensured, but the text is not fully clear.

22.

Alternatively, Article 16 could have added value if it would specify the rights included in the Directive. For instance, Article 16 could:

23.

Article 16(b) contains a limitation of the right of access under Article 12 of Directive 95/46/EC which is not compatible with the directive. It states that access has to be given without constraint, at regular intervals and without excessive delay or cost for the public authority responsible for processing the data or for the applicant. Article 12 of Directive 95/46/EC however aims to protect the data subject, where it requires access without constraint and without excessive delay or expense. The EDPS suggests modifying Article 16(b) and making it compatible with Directive 95/46/EC, by striking the words ‘for the authority responsible for processing the data’. If there is a concern regarding expenses derived from access requests, it should be noted that the notion of ‘excessive expense’ mentioned in Article 12 of the Directive does not prohibit data controllers to request a small fee (sufficiently small not to constitute a deterrent for the exercise of the right by the data subject). Moreover, under national law authorities will normally have legal possibilities to prevent abuse of rights by certain data subjects.

24.

The EDPS suggests that Article 16 be rewritten, taking into account the preceding points of this opinion.

25.

Finally, Directive 95/46/EC and more specifically Article 16 also apply to the administrative cooperation between the Member States, the subject matter of Article 17 since the communication between the Member States of information concerning infringements and sanctions relating to natural persons qualifies as processing of personal data. This inter alia means that the data subjects should be informed, in accordance with Directive 95/46/EC and Article 16(a) of the regulation.

26.

The EDPS suggests that the Community legislator specifies the situations Article 6(1)(a) aims to cover, also in the light of the objective of the proposal to enhance the smooth functioning of the internal market in road transport. He also suggests modifying the proposal, in order to lay down at least the main elements of the list mentioned in Article 6(2) in the proposal itself, possibly in an annex, in a more precise way than what is laid down in Article 6(2)(a)-(c).

27.

The EDPS welcomes the central role of the competent authorities which also gives them responsibilities for the processing of personal data, as a necessary element of their activities. In this context, the EDPS noted some ambiguities in the proposal which can be easily solved without changing anything in the system itself.

28.

The EDPS welcomes that the access to and purpose of the national electronic registers are clearly limited. He also welcomes that the storage period is limited to a fixed period of two years. However, the text should also ensure that the data concerning persons declared to be unfit for the occupation shall be removed from the register immediately after a rehabilitation measure pursuant to Article 6(3) has been taken.

29.

The responsibility for the keeping of the electronic register and for the processing of the data within the register should be clarified in the text of the regulation. As far as the interconnection of the national electronic registers is concerned, the following sentence should be added to Article 15(5): ‘These common rules should lay down which authority is responsible for the access, the further use and the keeping up to date of the data after access and should include to this effect rules on logging and monitoring of the data.’

30.

The EDPS suggests that Article 16 on data protection be rewritten, taking into account the needs for: