1. Description.
The European institutions are committed to protecting and respecting your privacy. The personal data collected and processed by the ECCAIRS 2 Central Hub website is governed by Regulation (EU) 2018/1725 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.
This privacy notice explains the reason for the processing, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you may exercise in relation to your personal data.
This statement concerns the ECCAIRS 2 Central Hub website, managed by EASA (data processor) on behalf of the European Commission, DG MOVE (Transport and Mobility) Unit E.4 (Aviation Safety)
The ECCAIRS 2 Central Hub is designed to support the activities provided for in Articles 5(7), 11, 12(1), 12(2), Annex II and Annex III of Regulation (EU) 376/20141, and the Commission Implementing Decision 2019/11282. It includes:
- The public area of the ECCAIRS 2 Central Hub website, that includes:
- A link to the public part of the Safety Recommendations Database (SRIS).
- The Aviation Reporting Portal link to facilitate occurrence reporting to the EU MS authorities, EASA and ICAO.
- The restricted area of the ECCAIRS 2 Central Hub website for which registration and further approval is required, and that includes:
- access to the ECCAIRS 2 software community users (individuals and organisations);
- the requests submitted by interested parties for data contained in the European Central repository (ECR), for which contact data shall be sent;
- the list of the EU national, EASA and Commission Points of Contact for ECR requests, and the names of the ECCAIRS Steering Board members.
- The minutes and documents of the two ECCAIRS governance bodies, the ECCAIRS Steering Board and the ECCAIRS Steering Committee.
Personal data is only collected for the restricted area of the ECCAIRS 2 Central Hub.
The Data Controller is the Head of the Aviation Safety Unit (E.4) of DG MOVE.
2. Why do we process your data
The collection and processing of personal data is done for the purpose:
- of granting authorisation to users to access the restricted area of the ECCAIRS 2 Central Hub website;
- of generating contact information (name, e-mail address and organisation) necessary for dealing with the requests for data contained in the ECR submitted by interested parties to the Points of Contacts.
Data is collected directly from the users through registration forms using secure HTTPS connection. Once a profile is activated, access is done through the ECCAIRS 2 Identification and Access system (which is Multi-Factor Authenticated), which identifies authorised users.
3. On what legal ground(s) do we process your personal data ?
We process your personal data, because it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body.
The ECCAIRS 2 Central Hub is designed to support the activities provided for in Articles 5(7), 11, 12(1), 12(2), Annex II and Annex III of Regulation (EU) 376/20141, and the Commission Implementing Decision 2019/11282.
Users register to the ECCAIRS 2 Central Hub restricted part on voluntary basis.
4. Which data do we collect and process?
For authentication, the users first need to have an ECCAIRS 2 user account (i.e. creating the user account, which gives access to the restricted area of the ECCAIRS 2 Central Hub website). The authentication process is composed of both a user-id and password; complemented by the embedded ‘ECCAIRS 2 Multi-Factor Authentication’ process.
For authorisation (i.e. granting different access rights to different parts of the ECCAIRS web portal, depending on the role of the user), it is necessary to register by filling in a form with the following compulsory information:
- First Name
- Last Name
- Phone
- Language
5. Who has access to your data and to whom is it disclosed?
By registering yourself, you authorise the disclosure of the details you have entered in the user registration system to the Data Controller, the Data Processors and the participants of ECCAIRS 2 Central Hub website.
6. How do we protect your data?
Authorised access to personal data has been ensured through the implementation, at the application level, of a strict authentication (i.e. identifying the user as registered in ECCAIRS web portal) and authorisation policy (i.e. granting different access rights to different parts of the ECCAIRS web portal, depending on the role of the user). The authentication process is done through the embedded ECCAIRS 2 Multi-Factor Authentication process.
The details about your user account are available only to yourself and the service administrators.
All data in electronic format (e-mails, documents, uploaded batches of data etc.) are stored on the servers of EASA. All processing operations are carried out pursuant to Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.
EASA’s subcontractors are bound by a specific contractual clause for any processing operations of your data on behalf of the Commission, and by the confidentiality obligations deriving from the transposition of the General Data Protection Regulation in the EU Member States (‘GDPR’ Regulation (EU) 2016/679).
7. How long do we keep your data?
DG MOVE E.4 keeps the personal data for the entire operational time of the ECCAIRS 2 Central Hub website, unless:
- the user specifically requests deactivation and deletion of the profile; or
- the user’s Organisation specifically requests either the deactivation and deletion of the user’s profile, or the deletion of the Organisation Account and of all related user profiles; or
- there is evidence that the e-mail address linked to the user profile is not any more in use; or
- any inappropriate use of ECCAIRS 2 Central Hub website is detected by the Data Controllers and/or Data Processors (System Administrators).
8. What are your rights and how can you exercise them?
According to Regulation (EU) 2018/1725, you are entitled to access your personal data and rectify and/or block it in case the data is inaccurate or incomplete. You can also request information about whether and how your data has been processed. You can exercise your rights by contacting the Data Controller or, in case of conflict, the Data Protection Officer, and if necessary the European Data Protection Supervisor using the contact information given at point 8 below.
9. Contact information
If you have comments or questions, any concerns or complaints regarding the collection and use of your personal data, please feel free to contact the Data Controllers or the Data Protection Officer using the following contact information:
- The Data Controller:
Directorate Mobility and Transport – MOVE.E.4 a functional mailbox is necessary for the requests of data subjects
MOVE-E4-ECCAIRS2-GDPR@ec.europa.eu - Remarks can be addressed to the Commission Data Protection Officer (DPO):
DATA-PROTECTION-OFFICER@ec.europa.eu - Complaints can be addressed to the European Data Protection Supervisor (EDPS):
edps@edps.europa.eu.
10. Where to find more detailed information?
The Commission Data Protection Officer publishes the register of all operations processing personal data. You can access the register on the following link: http://ec.europa.eu/dpo-register
This specific processing has been notified to the Data Processing Officer with the following reference:
DPR-EC-07887
1 Regulation (EU) No 376/2014 of the European Parliament and of the Council of 3 April 2014 on the reporting, analysis and follow-up of occurrences in civil aviation, amending Regulation (EU) No 996/2010 of the European Parliament and of the Council and repealing Directive 2003/42/EC of the European Parliament and of the Council and Commission Regulations (EC) No 1321/2007 and (EC) No 1330/2007
2 Commission Implementing Decision (EU) 2019/1128 of 1 July 2019 on access rights to safety recommendations and responses stored in the European Central Repository and repealing Decision 2012/780/EU