Processing Activities

Search

Data subject categories

Fields

Purpose

Description

Processed data

Recipients

Supporting assets

reference number

Results

Activity: Access to documents

Reference number	PO-6-02
Data subject category	Any natural person acting on a private basis or on behalf of a legal person submitting a request for access to S2R JU (public) documents
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	The purpose of the processing operation is to ensure appropriate treatment of requests for access to public documents of the S2R JU
Description	This processing operation takes form in the receipt of requests of any external person to access S2R JU (public) documents from different channels (S2R JU on line form, general mailbox, individual S2R JU staff, etc), the analysis of the request, taking a decision on the request, and informing the applicant of the decision and acknowledment of receipt. For more information please read the S2R JU practical arrangements for implementing Regulation (EC) No 1049/2001 of the European Parliament and of the Council regarding public access to documents adopted by the S2r JU Gouvening Board (decision N° 22/2015). List of S2R JU's external providers available at: https://shift2rail.org/participate/recipients-shift2rail-funds/
Processed data	Personal details	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years
	Profession	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years
Processors	External experts (contractors, intra and extra-muros) (Belgium)
Restrictions of data subject rights	n/a
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	Intra and extra-muros external service providers (S2R JU contractors): List of S2R JU's external providers available at: https://shift2rail.org/participate/recipients-shift2rail-funds/, S2R Executive Director: , S2R JU Staff members: (Legal and Data Protection Officer, S2R JU Management, Document Access Coordinator)
Joint controllers	n/a
privacy policy url	On-going
Last updated	29.01.2020
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Anti-fraud procedures

Reference number	PO-4-03
Data subject category	Natural persons who are or were suspected of wrongdoing which is the subject of the OLAF investigations, Natural persons who have provided information to OLAF including informants, whistleblowers, witnesses and persons who have provided statements, Staff of OLAF operational partners (e.g. competent staff of the EU institutions and bodies or national authorities) working on OLAF matters whose name appears in documents stored by OLAF, Other persons whose name appears in the case file but have no relevance to the case
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	The purpose of the processing operation is to facilitate internal investigations conducted by OLA, which may carry out further external investigations, including on-the-spot checks and inspections, with a view to establishing whether there has been fraud, corruption or any other illegal activity affecting the financial interests of the Union in connection with an agreement or a contract funded by the S2R JU.
Description	This processing operation takes form in collecting personal data in order to analyse information about potential fraud and financial irregularities to assess whether there are grounds to transmit the information to the relevant authorities for investigation, in particular the European Anti-Fraud Office (OLAF). Privacy notices relating to OLAF processing operations at the following link: https://ec.europa.eu/anti-fraud/olaf-and-you/data-protection/olaf-personal-data-processing-operations-and-privacy-statements_en Shift2Rail Anti Fraud Strategy Action Plan and reviews published in the S2R web site : https://shift2rail.org/about-shift2rail/reference-documents/functioning-of-the-ju/ List of S2R JU's external providers available at: https://shift2rail.org/participate/recipients-shift2rail-funds/
Processed data	Personal characteristics	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years
	Personal details	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years
	Profession	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years
Processors	n/a
Restrictions of data subject rights	restrictions of data subject rights may occur during the preliminary activities related to cases of potential irregularities reported to olaf. see commission decision (eu) 2018/1962 of 11 december 2018 laying down internal rules concerning the processing of personal data by the european anti-fraud office (olaf) in relation to the provision of information to data subjects and the restriction of certain of their rights in accordance with article 25 of regulation (eu) 2018/1725 of the european parliament and of the council.
Security measures	Appropriate training, Data kept according to the security measures adopted by the European Commission
Recipients	European Commission and its services: European Anti Fraud Office, Government organisations: Competent national authorities, Government organisations: Competent third country authorities, Other: Competent international organisations, Intra and extra-muros external service providers (S2R JU contractors): List of S2R JU's external providers available at: https://shift2rail.org/participate/recipients-shift2rail-funds/, S2R JU Staff members: Staff dealing with anti-fraud cases
Joint controllers	n/a
privacy policy url	https://shift2rail.org/about-shift2rail/reference-documents/functioning-of-the-ju/
Last updated	29.01.2020
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Anti-harassment procedures (hard data)

Reference number	PO-4-05-a)
Data subject category	S2R JU staff
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	The collection of "hard" data aims at the identification of the person, the management of historical records and most importantly at the identification of recurrent and multiple cases., Personal data is collected for the purpose of the procedure detailed in the S2R JU policy on protecting the dignity of the person and preventing psychological harassment and sexual harassment.
Description	The collection of data takes place in the context of selecting and appointing confidential counselors or in the context of the informal procedure described in the S2R JU anti-harassment procedure.
Processed data	Personal details	Explicit consent article 5 d) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725, processing is necessary to protect the vital interests of the data subject or another natural person (article 5(e) regulation 2018/1725)	5 years
	Profession	Processing is necessary to protect the vital interests of the data subject or another natural person (article 5(e) regulation 2018/1725), public interest article 5 a) of regulation 2018/1725, explicit consent article 5 d) of regulation 2018/1725	5 years
Processors	External experts (contractors, intra and extra-muros) (Belgium)
Restrictions of data subject rights	restriction of data subject rights may occur in procedures to fight against harassment to protect the alleged victim in cases where personal data relate to the suspect as well (allegations made about the suspect by informants or witnesses). the legal basis for such restrictions is article 25(1) regulation 2018/1725 (protection of the data subject or the rights and freedoms of others.
Security measures	Obligation of confidentiality of the staff, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	European Commission and its services: European Anti Fraud Office (where necessary), European Commission and its services: Internal Audit Service (where necessary), Police or legal organisations: European Court of Auditors (where necessary), Professional advisors data subject: Advisors/psychologists (exceptional circumstances), Police or legal organisations: Judicial national authorities (exceptional circumstances), External evaluators or experts assisting the S2R JU: Ethics experts or law firms, S2R JU Staff members: (Legal and Data Protection Officer, Human Resources Officer), Other: Confidential counsellors, S2R Executive Director:
Joint controllers	n/a
privacy policy url	https://shift2rail.org/wp-content/uploads/2017/11/Shift2Rail-anti-fraud-strategy-2017-2020.pdf
Last updated	29.01.2020
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Anti-harassment procedures (soft data)

Reference number	PO-4-05-b)
Data subject category	S2R JU staff
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected for the purpose of the procedure detailed in the S2R JU policy on protecting the dignity of the person and preventing psychological harassment and sexual harassment.
Description	Collection of data takes place in the context of selecting and appointing confidential counsellors or in the context of the informal procedure described in the S2R JU anti-harassment procedure. Soft data are allegations and declarations based upon the subjective perceptions of data subjects, usually collected by means of the personal notes of the counsellors.
Processed data	Personal details	Processing is necessary to protect the vital interests of the data subject or another natural person (article 5(e) regulation 2018/1725), public interest article 5 a) of regulation 2018/1725, explicit consent article 5 d) of regulation 2018/1725	3 months after the closure of the case
Processors	EC external service providers (contractors or subcontractors) under direct or framework service procurement contracts (Belgium)
Restrictions of data subject rights	restriction of data subject rights may occur in procedures to fight against harassment to protect the alleged victim in cases where personal data relate to the suspect as well (allegations made about the suspect by informants or witnesses). the legal basis for such restrictions is article 25(1) regulation 2018/1725 (protection of the data subject or the rights and freedoms of others.
Security measures	Obligation of confidentiality of the staff, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	S2R JU Staff members: (Legal and Data Protection Officer, Human Resources Officer), External evaluators or experts assisting the S2R JU: Ethics experts or law firms, Police or legal organisations: Judicial national authorities (exceptional circumstances), Professional advisors data subject: Advisors/psychologists (exceptional circumstances), S2R Executive Director: , Police or legal organisations: European Court of Auditors (where necessary), European Commission and its services: Internal Audit Service (where necessary), European Commission and its services: European Anti Fraud Office (where necessary), Other: Confidential counsellors
Joint controllers	n/a
privacy policy url	https://shift2rail.org/wp-content/uploads/2017/11/Shift2Rail-anti-fraud-strategy-2017-2020.pdf
Last updated	29.01.2020
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Communication of S2R JU Staff personal data to governments of EU Member States

Reference number	PO-1-11
Data subject category	S2R JU statutory staff (temporary agents and contract agents (CA) as well as seconded national experts as they are assimilated to statutory staff)
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Article 15, al.2 of the Protocol n° 7 on the Privileges and immunities of the European Union annexed to the Treaty on the Functioning of the European Union states that “the names, grades and addresses of officials and other servants included in such categories shall be communicated periodically to the governments of the Member States”.
Description	Collecting S2R JU staff personal data (name, function and adress) and its communication, upon request, to the governments of the Member States.
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Profession	Public interest article 5 a) of regulation 2018/1725	10 years after end of contract
Processors	n/a
Restrictions of data subject rights	n/a
Security measures	Secure transfer of data
Recipients	Government organisations: Governments of the EU Member States (including but not limited to ministries and Permanent Representations)
Joint controllers	n/a
privacy policy url	N/A
Last updated	29.01.2020
internal reference	Ares(2019)2259506
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Document management system (day-to-day document management)

Reference number	PO-6-01-b)
Data subject category	S2R JU staff, Staff's correspondants
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected to ensure appropriate follow up, filing and registration of important communication (internal/external) and documents.
Description	Repository and filling of documents are received and sent out from and to external person as well as internal mail/documents exchanges
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725	3 years
	Profession	Public interest article 5 a) of regulation 2018/1725	3 years
Processors	EC external service providers (contractors or subcontractors) under direct or framework service procurement contracts (Belgium) IT Tools (ABAC, EMI, etc.) (Belgium)
Restrictions of data subject rights	n/a
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	S2R JU Staff members: , European Commission and its services: Investigation and Disciplinary Office, European Commission and its services: OLAF, External contractors under framework contract with the European Commission : IT service providers of DG DIGIT, European Commission and its services: DG DIGIT
Joint controllers	DG DIGIT
privacy policy url	https://shift2rail.org/wp-content/uploads/2018/11/S2RJU_DMP_adopted_20181116_v2.pdf
Last updated	29.01.2020
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Document management system (document management policy, archive policy and their implementation)

Reference number	PO-6-01-a)
Data subject category	S2R JU staff, Staff's correspondants
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected to ensure appropriate follow up, filing and registration of important communication (internal/external) and documents.
Description	Repository and filling of documents are received and sent out from and to external person as well as internal mail/documents exchanges
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725	5 years
	Profession	Public interest article 5 a) of regulation 2018/1725	5 years
Processors	EC external service providers (contractors or subcontractors) under direct or framework service procurement contracts (Belgium) IT Tools (ABAC, EMI, etc.) (Belgium)
Restrictions of data subject rights	n/a
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	European Commission and its services: OLAF, European Commission and its services: Investigation and Disciplinary Office, S2R JU Staff members: , European Commission and its services: DG DIGIT, External contractors under framework contract with the European Commission : IT service providers of DG DIGIT
Joint controllers	DG DIGIT
privacy policy url	https://shift2rail.org/wp-content/uploads/2018/11/S2RJU_DMP_adopted_20181116_v2.pdf
Last updated	29.01.2020
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: E-newsletter subscription and related information

Reference number	PO-3-02
Data subject category	Recipients (“general public”) having requested or explicitly consented to remain in the S2R JU database and to continue receiving emails, invitations to events, alerts, e-news, newsletters and other relevant information from S2R JU
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected for the purpose of subscribing to the Shift2Rail electronic newsletter via the S2R JU website and related services (alerts, notifications, etc).
Description	Establishing a list of email addresses to which each issue of the e-newsletter is sent; sending emails, invitations to events, alerts, e-news, and other relevant information.
Processed data	Personal details	Explicit consent article 5 d) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	Until the data subject unsubscribes
	Profession	Explicit consent article 5 d) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	Until the data subject unsubscribes
Processors	20 Seconds to Midnight (Belgium) Online platform (USA, EU-US privacy shield)
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Data not displayed to the wider public, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	Intra and extra-muros external service providers (S2R JU contractors): 20 Seconds to Midnight, S2R JU Staff members: Communication team, Intra and extra-muros external service providers (S2R JU contractors): MailChimp
Joint controllers	n/a
privacy policy url	https://shift2rail.org/wp-content/uploads/2020/02/PO-3-02-E-newsletter-subscription-and-related-information.pdf
Last updated	02.03.2020
internal reference	Ares(2019)561283
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: EU Survey Tool for event registrations

Reference number	PO-3-03
Data subject category	Registrants or attendees sent through the EU Survey tool
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected in order to share information about the event on S2R JU and EUROPA websites and social media accounts, to ensure all necessary organisational steps to allow participants access on the premises of the event’s venue, for the management of the event itself, to ensure event follow-up activities.
Description	Collecting personal data for the purposes of participation in an on-line survey in order to to participate in a S2R JU event on a voluntary basis.This specific on-line service consists of an on-line form made available on the EUSurvey application, managed by the European Commission.
Processed data	Health data	Public interest article 5 a) of regulation 2018/1725, explicit consent article 5 d) of regulation 2018/1725	1 month after the results of the survey have been aggregated
	Personal details	Explicit consent article 5 d) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	1 month after the results of the survey have been aggregated
	Profession	Explicit consent article 5 d) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	1 month after the results of the survey have been aggregated
Processors	EUSurvey IT system (Belgium)
Restrictions of data subject rights	n/a
Security measures	Data kept according to the security measures adopted by the European Commission, Secure transfer of data, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	European Commission and its services: Authorized staff, Intra and extra-muros external service providers (S2R JU contractors): Only parts of personal data (name, surname, employer, email address) for the purpose of sending news, newsletter or invitations to future S2R JU events, S2R JU Staff members: Communication team
Joint controllers	DG DIGIT
privacy policy url	https://shift2rail.org/about-shift2rail/reference-documents/functioning-of-the-ju/
Last updated	07.06.2021
internal reference	Ares(2019)3713549
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Event registration and organisation.

Reference number	PO-3-01
Data subject category	Registrants/Attendees of Shift2Rail events
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected to register interested persons for effective management of meetings, provide access to the S2R JU event venues, and maintain participant’s lists as well as allowing possible event follow-up actions including feedback collection, specific communication activities and sharing of presentations.
Description	Collecting personal data as a part of the registration process for Shift2Rail events, processing for organisation of event (participants list, name tags, access control, etc), online registration of participants as well as communication with event participants before and after the end of events; Sharing data for networking.
Processed data	Health data	Public interest article 5 a) of regulation 2018/1725, explicit consent article 5 d) of regulation 2018/1725	5 years
	Personal details	Explicit consent article 5 d) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years
	Profession	Public interest article 5 a) of regulation 2018/1725, explicit consent article 5 d) of regulation 2018/1725	5 years
	Video tapes and photographs	Explicit consent article 5 d) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years
Processors	Ecorys systems (Belgium)
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Paper files are stored in a locked cupboard in the HR sector’s secured office until their destruction., Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	Intra and extra-muros external service providers (S2R JU contractors): Ecorys and 20 Seconds To Midnight, Data subject themselves: Other participants, S2R JU Staff members: Communication team
Joint controllers	n/a
privacy policy url	https://shift2rail.org/about-shift2rail/reference-documents/functioning-of-the-ju/
Last updated	07.06.2021
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Exceptional leaves, absences and permanencies

Reference number	PO-1-05-c)
Data subject category	JU Staff: temporary, JU Staff: contractual, External staff: trainees and interim staff
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	The purpose of this processing activity is to manage the exceptional leaves, absences, and permanencies of staff members so that the S2R JU HR Officer may determine if the staff members leave rights are to be adapted.
Description	This processing activity occurs when assessing the entitlement to exceptional leaves, absences and permanencies and working conditions for temporary agents and contract agents. The exceptional leaves, absences, and permanencies could concern but are not limited to: permanencies during the S2R JU office closure, flexibility during public holidays (for example the possibility to work during the day of Easter), participation to strikes organised by unions. The exceptional leaves, absences, and permanencies do not fall under the normal scope of leaves and special leaves granted to staff members, for which another record gives account.
Processed data	Personal characteristics	Public interest article 5 a) of regulation 2018/1725	7 years
	Personal details	Public interest article 5 a) of regulation 2018/1725	7 years
	Profession	Public interest article 5 a) of regulation 2018/1725	7 years
Processors	IT Tool SYSPER (Belgium)
Restrictions of data subject rights	n/a
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	European Commission and its services: PMO, S2R JU Staff members: Human resources officer, S2R JU Staff members: Line managers, European Commission and its services: DG HR/DG DIGIT via SYSPER
Joint controllers	DG DIGIT, DG Human Resources and Security, PMO
privacy policy url
Last updated	29.01.2020
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: External audits and ex-post controls

Reference number	PO-4-02
Data subject category	S2R JU staff, Candidates applying for open S2R JU vacancies (TA, CA, and SNE), Experts and S2R JU contractors
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected and managed for the sole purpose of preparing and communicating the audit reports by the external auditors.
Description	Personal data is collected in the conduct of checks and financial controls of grant agreements or service contracts aimed at verifying beneficiary's or contractor's or subcontractors' or third parties' compliance with all contractual provisions (including financial provisions). The purpose of the control is to check that the action and the provisions of the grant agreement or contract are being properly implemented and to assess the legality and regularity of the transaction underlying the implementation of the EU budget..
Processed data	Education	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	7 years
	Financial information	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	7 years
	Personal details	Legal obligation (article 5 (b) of regulation 2018/1725), public interest article 5 a) of regulation 2018/1725	7 years
	Profession	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	7 years
Processors	Audit management system (Belgium) Baker Tilly Belgium (Belgium)
Restrictions of data subject rights	no restriction per se in the s2r ju related operations but no information on the scope of the decision laying down internal rules for the court of auditors.
Security measures	Data kept according to the security measures adopted by the European Commission, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	Police or legal organisations: European Court of Auditors, European Commission and its services: EDPS, European Commission and its services: Accounting Officer of the European Commission, Intra and extra-muros external service providers (S2R JU contractors): Baker Tilly Belgium, S2R JU Staff members: Internal Control Coordinator, Head of Administration & Finance, Data Protection Officer, Administration and Finance Support team, S2R Governing Board: , S2R Executive Director:
Joint controllers	n/a
privacy policy url
Last updated	29.01.2020
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Flexitime Management

Reference number	PO-1-09
Data subject category	JU Staff: temporary, JU Staff: contractual
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected to authorize the recuperation of overtime based on the working hours registered in SYSPER by the staff member.
Description	Assessing and managing the entitlement of staff members to flexitime for temporary agents and contract agents.
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725	3 years
	Profession	Public interest article 5 a) of regulation 2018/1725	3 years
Processors	IT Tool SYSPER (Belgium)
Restrictions of data subject rights	n/a
Security measures	Data kept according to the security measures adopted by the European Commission, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	S2R JU Staff members: Human resources officer, S2R JU Staff members: Line manager
Joint controllers	DG DIGIT, DG Human Resources and Security
privacy policy url
Last updated	29.01.2020
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Internal audits

Reference number	PO-4-01
Data subject category	S2R JU staff, Experts and S2R JU contractors, Relatives of the persons above mentionned, whose personal data are available in the systems and/or files of the EC
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected and managed for the purpose of independent, risk-based and objective assurance and consulting services designated to add value and improve the operations of the S2R JU.
Description	The Internal Auditor reports to the S2R JU on his or her findings and recommendations and advises on dealing with risks, by issuing independent opinions on the quality of management and control systems and by issuing recommendations for improving the conditions of implementation of operations and promoting sound financial management.
Processed data	Education	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	7 years
	Financial information	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	7 years
	Personal details	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	7 years
	Profession	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	7 years
Processors	Audit management system (Belgium) IT Tools (ABAC, EMI, etc.) (Belgium)
Restrictions of data subject rights	no restriction per se in the s2r ju related operations but commission decision (eu) 2018/1961 of 11 december 2018 laying down internal rules concerning the provision of information to data subjects and the restriction of certain of their rights in the context of the processing of personal data for the purpose of internal audit activities.
Security measures	Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	European Commission and its services: DG DIGIT, European Commission and its services: European Data Protection Supervisor, Police or legal organisations: European Court of Auditors, S2R JU Staff members: Data Protection Officer, Internal Control Coordinator, Head of Administration and Finance, Administration and Finance Support team, S2R Executive Director: , S2R Governing Board: , European Commission and its services: Internal Audit Service
Joint controllers	n/a
privacy policy url
Last updated	29.01.2020
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Leaves and special leaves

Reference number	PO-1-05-a)
Data subject category	JU Staff: temporary, JU Staff: contractual, External staff: trainees and interim staff, Relatives of the data subject
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	The purpose of this processing activity is the management of annual leave and special leave entitlements.
Description	Assessing the entitlement to annual leave and special leave and working conditions for temporary agents and contract agents. The special leaves include: 1- Marriage of an official, contract agent or SNE 2- Marriage of a child of an official / agent. 3- Birth of a child of an official / servant / SNE. 4- Serious illness of the spouse 5- Very serious illness of a child 6- Serious illness of a child 7- Serious illness of an ascendant 8- Death of the spouse 9- Death of wife during maternity leave 10- death of a child 11- Dead of an ascendant 12- Dead of a brother or sister 13- Adoption 14- Maternity 15- Exercise of an unremunerated external activity 16- Convocation to the court / judiciary. 17- Cure 18- Move 19- Election outside the duty station 20- Participation in an examination / competition / selection organized by EPSO, by a Community Institution or Agency 21- Training 22- Exercise of an elective public office. 23- Looking for a job at the end of the contract. 24- Travel time "special leave". 25- Part-time work 26- Family leave 27- Termination of functions 28- Cancellation of an annual or special leave at the request of the person concerned. 29- Postponement of annual leave 30- Flexitime 31- Permanence of end of year
Processed data	Family composition	Public interest article 5 a) of regulation 2018/1725	N+3 years
	Health data	Contractual obligation article 5 c) of regulation 2018/1725 , public interest article 5 a) of regulation 2018/1725	N+3 years
	Juridic data	Contractual obligation article 5 c) of regulation 2018/1725 , public interest article 5 a) of regulation 2018/1725	N+3 years
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725	N+3 years
	Personal details	Public interest article 5 a) of regulation 2018/1725	N+3 years
Processors	IT Tool SYSPER (Belgium)
Restrictions of data subject rights	n/a
Security measures	A paper copy is made and saved in a paper file. The paper file is archived in a locked cupboard., Health data processed with the principles of medical confidentiality by HR officer, Paper files are stored in a locked cupboard in the HR sector’s secured office until their destruction., Secure transfer of data, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	European Commission and its services: PMO, DG HR, DG DIGIT via SYSPER , S2R JU Staff members: Human resources officer, S2R JU Staff members: Line manager
Joint controllers	DG DIGIT, DG Human Resources and Security, PMO
privacy policy url
Last updated	07.06.2021
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Management of S2R JU Governance's bodies and meetings

Reference number	PO-6-03
Data subject category	Members of the Governing Board, Other participant, observer or expert invited to the meetings of the bodies of the S2R JU, Members of Scientific Committee, Members of States Representatives Group, Members of the Innovation Programmes' Steering Committees, Members of working groups, Any natural person acting on a private basis or on behalf of a legal person submitting a request for a meeting with the Executive Director or S2R JU staff
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected and managed for the purpose of granting access to members of S2R JU bodies and visitors to S2R JU premises in order to attend either S2R JU Governance meetings or meetings with the S2R JU Executive Director or S2R JU staff.
Description	Collecting and processing information of attendees to the S2R JU meetings, in particular invitations, registration, minutes, member's nomininations; register of visitors for the Executive Director and other S2R JU staff. More information on the Shift2Rail bodies, minutes and member's names can be found on the S2R JU web site: https://shift2rail.org/about-shift2rail/structure-of-shift2rail-initiative/
Processed data	Education	Public interest article 5 a) of regulation 2018/1725	5 years
	Personal details	Public interest article 5 a) of regulation 2018/1725	5 years
	Profession	Public interest article 5 a) of regulation 2018/1725	5 years
Processors	Securitas SA (Belgium)
Restrictions of data subject rights	n/a
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	Individuals/organisations in direct relationship with controller: Security Service of the White Atrium building, S2R JU Staff members: ED Assistant, Programme Assistant, Legal Officer and DPO, External evaluators or experts assisting the S2R JU: Auditors, Police or legal organisations: European Data Protection Supervisor, S2R Executive Director: , European Commission and its services: EDPS
Joint controllers	n/a
privacy policy url	On-going
Last updated	29.01.2020
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Management of procurement procedures and grant applications (successful)

Reference number	PO-02-01-a)
Data subject category	Tenderers’ and applicants’ data (in case of legal entities, their representatives)
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected for the award, management and follow-up of procurement contracts, grants, prizes and financial instruments by the S2R JU in accordance with S2R JU’s annual work plans.
Description	Collecting and processing of data provided by the applicants, tenderers, contractors and beneficiaries in the context of grant applications and tenders procedures as well as grant agreements and procurement contracts managed by S2R JU in accordance with S2R JU’s annual work plans.
Processed data	Education	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Financial information	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Juridic data	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Personal characteristics	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Personal details	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Profession	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	10 years after end of contract
Processors	European Commission systems (Belgium) External experts (contractors, intra and extra-muros) (Belgium)
Restrictions of data subject rights	n/a. restriction already foreseen in the financial regulation – art 142 (1)
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Automated system (Grants management), Data kept according to the security measures adopted by the European Commission, Obligation of confidentiality of the staff, Secure transfer of data, Signature of absence of conflict of interest , Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	External evaluators or experts assisting the S2R JU: , Intra and extra-muros external service providers (S2R JU contractors): , S2R Executive Director: , S2R JU Staff members: Grant proposal evaluation panels, IP Coordinators, Tender evaluation committees, Staff participating in the selection of external experts, European Commission and its services:
Joint controllers	Research Executive Agency
privacy policy url	https://shift2rail.org/about-shift2rail/reference-documents/functioning-of-the-ju/
Last updated	07.06.2021
internal reference	Ares(2018)6031672
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Management of procurement procedures and grant applications (unsuccessful applicants)

Reference number	PO-02-01-b)
Data subject category	Tenderers’ and applicants’ data (in case of legal entities, their representatives)
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected for the award, management and follow-up of procurement contracts, grants, prizes and financial instruments by the S2R JU in accordance with S2R JU’s annual work plans.
Description	Collecting and processing of data provided by unsuccessful applicants in the context of grant applications and tenders procedures as well as grant agreements and procurement contracts managed by S2R JU in accordance with S2R JU’s annual work plans.
Processed data	Education	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years after closure of procedure
	Financial information	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years after closure of procedure
	Juridic data	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years after closure of procedure
	Personal characteristics	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years after closure of procedure
	Personal details	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years after closure of procedure
	Profession	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years after closure of procedure
Processors	European Commission systems (Belgium) External experts (contractors, intra and extra-muros) (Belgium)
Restrictions of data subject rights	n/a. restriction already foreseen in the financial regulation – art 142 (1)
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Automated system (Grants management), Data kept according to the security measures adopted by the European Commission, Obligation of confidentiality of the staff, Secure transfer of data, Signature of absence of conflict of interest , Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	S2R JU Staff members: Staff participating in the selection of external experts, Tender evaluation committees, IP Coordinators, Grant proposal evaluation panels., Intra and extra-muros external service providers (S2R JU contractors): , External evaluators or experts assisting the S2R JU: , S2R Executive Director:
Joint controllers	Research Executive Agency
privacy policy url	https://shift2rail.org/about-shift2rail/reference-documents/functioning-of-the-ju/
Last updated	07.06.2021
internal reference	Ares(2018)6031672
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Management of the S2R JU Cooperation tool

Reference number	PO-5-04
Data subject category	S2R JU staff, S2R JU founding and associated Members, External guests (i.e.: auditors)
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected for the management of the Web application "Shift2Rail Multi-project Cooperation Tool".
Description	Collecting and exchange documents, S2R JU members comments and opinions and organisation of meetings of S2R project, recording history data (for audit trail) of all communication and modifications applied by individual access. The Cooperation Tool is a multi-project (programme) to manage all collaborative projects performed by the S2R JU Members, stemming from the S2R JU annual calls for proposals under the rules for participation of H2020 and the S2R JU Regulation, as well as some specific JU activities like the IP/CCA Steering Committees. It allows the S2R JU Members to monitor the financial management of their respective grant agreements as well as their annual Total Project Costs(IKOP) reporting and certification in accordance with Article 4.4 of the S2R JU Regulation. It allows and supports the cooperation of the various R&I project participants to implement the Description of the Action (DoA) for each awarded grant through daily project coordination and communication, as well as allow the JU to manage its working groups and Steering Committee with the respective members. The tool offers a common interface and a platform for: coordination; planning; control; technical, administrative and financial management; exchange of document; comments and opinions; organisation of meetings of S2R JU projects and groups.
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725	3 years
	Profession	Public interest article 5 a) of regulation 2018/1725	3 years
Processors	Data centre (Italy)
Restrictions of data subject rights
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Automatically generated password stored in encrypted format, Back-ups, update and monitoring services as well as corrective and periodic maintenances , Data produced remain the sole ownership of the participants to the project, No copies kept by contractor, Password recovery mechanism , Secure communication channel between server and client, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	European Commission and its services: Observers in the IP/CCA Steering Committe (ERA and EC representatives), S2R JU Staff members: , S2R JU founding and/or associated Members: , Intra and extra-muros external service providers (S2R JU contractors): Centro Nuova Comunicazione S.R.L.
Joint controllers	n/a
privacy policy url
Last updated	29.01.2020
internal reference	Ares(2019)1475974
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Microsoft Office 365 - S2R JU staff and guest users

Reference number	PO-PO5-05
Data subject category	S2R JU staff, JU Staff: temporary, JU Staff: contractual, External staff: trainees and interim staff, S2R JU statutory staff (temporary agents and contract agents (CA) as well as seconded national experts as they are assimilated to statutory staff), Interim staff selected via an external contractor on behalf of the EC, JU external collaborators being granted access to M365 platform as guests
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	In line with the European Commission’s Digital Strategy, JU is gradually moving into a fully digital working environment. As a European public administration, JU needs to lead the way in terms of both integrating digital at the core of European policy implementation and leveraging the potential of digital to work better and faster.
Description	In line with the European Commission’s Digital Strategy, S2R JU is gradually moving into a fully digital working environment. As a European public administration, S2R JU needs to lead the way in terms of both integrating digital at the core of European policy implementation and leveraging the potential of digital to work better and faster. For this strategy to deliver, S2R JU has designed several actions and adopted a series of new tools designed to form together a Digital Workplace. The Digital Workplace is an opportunity for the S2R JU to become an example of a modern public, connected and efficient Public Administration by providing staff with the best combination of tools, physical framework and working methods, to effectively support the achievement of the priorities of our organisation. The Digital Workplace responds to the need for connected office, integrating teleworking tools for activities such as conference calls, remote collaboration, audio- or videoconferencing or webinars. Consequently, the S2R JU has decided to operate M365 provided by Microsoft Ireland. M365 offers cloud-based solutions that enable staff members of JU to: Document Processing – to create, read, review and amend documents, presentations, spreadsheets and other document types in various formats and for various purposes (Access, Sway, Forms); Email, Calendar, Contacts – to manage and exchange e-mail, calendars, contacts, tasks and notes (Exchange Online); File Sharing – to create, read, review, amend, store and share documents and files of various types in view of collaboration among staff (SharePoint Online, OneDrive, OneNote, Stream, Teams, PowerApps, Yammer); Chat and Messaging – to interact, share files, chat and exchange messages with colleagues, partners, stakeholders and other parties (Teams, Yammer); Virtual Meetings – to set up and participate in virtual meetings and teleconferences (Teams); Project and Task Management – to facilitate project and task management by staff (Exchange Online); and Data Analytics and Visualisation – to analyse data and visualise such data (Power BI). Identity and access management to M365 is managed through Azure Active Directory (Azure AD) and InTune. The operation of M365 requires the processing of personal data by S2R JU for the following purposes: provision, enabling, set-up, configuration and maintenance of M365 capabilities, including facilitating and coordinating field tasks (Identification Data, Service-Generated Data, Content Data) administration of the rights allocated to a user account (identity and access management) (Identification Data); end-user support and IT Teams support for issues with M365 (Identification Data, Service-Generated Data, Diagnostic Data); prevention, detection and resolution of security events (e.g. cyber-attack), to ensure the confidentiality, integrity and availability of M365 (Identification Data, Service-Generated Data); and responding to data subjects exercising their rights in relation to personal data processed within M365 (Identification Data, Service-Generated Data). Additionally, Microsoft Ireland as a processor for and on behalf of S2R JU processes personal data for internal business operations in the context of providing M365. These business operations consist of (exhaustive list): billing and account management (Identification Data, Service-Generated Data); compensation (Service-Generated Data); internal reporting and business modelling (Service-Generated Data); combatting fraud, cybercrime, and cyberattacks (Identification Data, Service-Generated Data); improving core functionality of accessibility, privacy and energy efficiency (Service-Generated Data); and financial reporting and compliance with legal obligations (Identification Data, Service-Generated Data).
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725	6 months
	Video tapes and photographs	Public interest article 5 a) of regulation 2018/1725	For as long as the user account is active. days
Processors	Exchange Online OneDrive SharePoint Teams
Restrictions of data subject rights	n/a
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Computer systems hardened, Data kept according to the security measures adopted by the European Commission, Obligation of confidentiality of the staff, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	Other private organisations: Microsoft's personnel based outside the EEA (most importantly, the USA) managing the databases on Microsoft cloud servers and Microsoft’s sub-processors' personnel on a need-to-know basis.
Joint controllers	n/a
privacy policy url	https://shift2rail.org/wp-content/uploads/2021/05/PO-PO-5-05_Microsoft-365_public.docx.pdf
Last updated	21.05.2021
internal reference	PO-PO5-05
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Missions

Reference number	PO-1-08
Data subject category	JU Staff: temporary, JU Staff: contractual, External staff: trainees and interim staff, S2R JU statutory staff (temporary agents and contract agents (CA) as well as seconded national experts as they are assimilated to statutory staff)
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected for the management of the missions of the staff and the reimbursement of travel expenses and daily subsistence allowance.
Description	Collection of contact details and meeting documentation (such as agenda), request files and reimbursement files, travel orders.
Processed data	Financial information	Public interest article 5 a) of regulation 2018/1725	7 years
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725	7 years
	Personal details	Public interest article 5 a) of regulation 2018/1725	7 years
	Profession	Public interest article 5 a) of regulation 2018/1725	7 years
Processors	American Express (travel agency) (Belgium)
Restrictions of data subject rights
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Data kept according to the security measures adopted by the European Commission, Obligation of confidentiality of the staff, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	S2R JU Staff members: Administrative staff responsible for processing the files, European Commission and its services: PMO, External contractors under framework contract with the European Commission : American Express
Joint controllers	PMO
privacy policy url
Last updated	29.01.2020
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Occupational health and medical data

Reference number	PO-1-02
Data subject category	JU Staff: temporary, JU Staff: contractual, Relatives of the data subject
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected to ensure that S2R JU staff complies with requirements of pre-recruitment, annual and periodic medical examination.
Description	Procedures put in place to ensure safety, health and welfare of S2R JU staff; Pre-recruitment medical examination; Annual and periodic medical examination . S2R JU does not collect medical certificates of staff members. These are directly sent to the medical service of the European Commission in accordance with the procedure established.
Processed data	Family composition	Public interest article 5 a) of regulation 2018/1725	3 years
	Personal details	Public interest article 5 a) of regulation 2018/1725	3 years
Processors	EC external service providers (contractors or subcontractors) under direct or framework service procurement contracts (Belgium) Secured IT data base (Joint Sickness Insurance Scheme) (Belgium)
Restrictions of data subject rights	no specific restrictions in place at s2r ju. the medical files are kept at the commission's medical services. commission decision (eu) 2019/154 of 30 january 2019 laying down internal rules concerning the restriction of the right of access of data subjects to their medical files.
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Obligation of confidentiality of the staff, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	S2R JU Staff members: Administrative staff responsible for processing the files, European Commission and its services: DG HR and Security, European Commission and its services: PMO, External contractors under framework contract with the European Commission :
Joint controllers	DG Human Resources and Security, PMO
privacy policy url
Last updated	07.06.2021
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Personal files of staff

Reference number	PO-1-04
Data subject category	JU Staff: temporary, JU Staff: contractual
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected for employment contracts and setting up rights of the staff.
Description	Collection of staff documentation for recruitment, determination of rights, career development, appraisal.
Processed data	Education	Public interest article 5 a) of regulation 2018/1725	10 years after the extinction of all rights of the staff member and any dependents
	Financial information	Public interest article 5 a) of regulation 2018/1725	10 years after the extinction of all rights of the staff member and any dependents
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725	10 years after the extinction of all rights of the staff member and any dependents
	Personal details	Public interest article 5 a) of regulation 2018/1725	10 years after the extinction of all rights of the staff member and any dependents
	Profession	Public interest article 5 a) of regulation 2018/1725	10 years after the extinction of all rights of the staff member and any dependents
Processors	Secured IT data base (Joint Sickness Insurance Scheme) (Belgium)
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Data kept according to the security measures adopted by the European Commission, Health data processed with the principles of medical confidentiality by HR officer, Obligation of confidentiality of the staff, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	European Commission and its services: Internal Audit Service, Medical Service and the PMO, S2R JU Staff members: Finance team (for reimbursement purposes), Line manager, Human Resources Officer
Joint controllers	DG Human Resources and Security
privacy policy url	N/A
Last updated	29.01.2020
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Policy on sensitive functions

Reference number	PO-4-06
Data subject category	S2R JU staff
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected to ensure the functioning of an effective and efficient internal control system, in particular on functions that are genuinely sensitive, i.e. where the risk of fraud or irregularities in the use of funds and sensitive information is significant.
Description	Collecting personal data for the management of sensitive posts: risks associated with tasks in the areas of management, individual decisions and finance.
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725	2 years
	Profession	Public interest article 5 a) of regulation 2018/1725	2 years
Processors	n/a
Restrictions of data subject rights	n/a
Security measures	Annual assessment of risk factors through the risk assessment exercise, Appropriate training, Audit by the Internal Audit Service and European Court of Auditors, Decision making process based on a control chain , Periodic management review and assessment made by the Executive Director, Segregation of duties, Signature of absence of conflict of interest
Recipients	European Commission and its services: DG Human Resources in exceptional cases for guidance and advice, S2R JU Staff members: Human resources officer, S2R JU Staff members: Legal officer, S2R JU Staff members: Management
Joint controllers	n/a
privacy policy url
Last updated	29.01.2020
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Prevention and management of conflicts of interests applicable to the bodies of Shift2Rail Joint Undertaking

Reference number	PO-6-04
Data subject category	Members of the Governing Board, Other participant, observer or expert invited to the meetings of the bodies of the S2R JU, Relatives of the data subject, Members of Scientific Committee, Members of States Representatives Group, Members of the Innovation Programmes' Steering Committees, Members of working groups
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is processed for the sole purpose of applying the rules for the prevention and management of conflicts of interest applicable to the members of the bodies of the S2R JU listed under Article 5(1) of the Statutes in order to ensure the handling of situations where potential conflicts of interest may arise in a transparent and consistent manner.
Description	Collecting and screening declarations of confidentiality and non-conflict of interests signed by all members of the S2R JU bodies before appointment, after appointment (in a yearly basis) and spontaneously at any time in the course of their duties (ad-hoc Declaration). The name of the Members of Governing Board, Scientific Committee, States Representatives Group together with the name of their employer or any organisation which pays them shall be published on the S2R JU’s website.The CVs and declarations of interest by the Members of the Governing Board shall be available for public scrutiny in the S2R JU web site with due respect to the applicable EU rules on protection of personal data and access to documents (article 9 of Decision n° 07/2018)
Processed data	Education	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years
	Financial information	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years
	Memberships	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years
	Personal details	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years
	Philosophical or religious convictions	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Political preferences	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Profession	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years
	Trade union membership	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
Processors	n/a
Restrictions of data subject rights
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Data kept according to the security measures adopted by the European Commission, Secure transfer of data, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	S2R JU Staff members: Administrative staff, legal department. , The general public: The name of the Members of Governing Board, Scientific Committee, States Representatives Group together with the name of their employer or any organization which pays them shall be published on the S2R JU's website. The CVs and declarations of interest by the Members of the Governing Board shall be available for public scrutiny in the S2R JU web site with due respect to the applicable EU rules on protection of personal data and access to documents (article 9 of Decision n° 07/2018), Data subject themselves: , Individuals/organisations in direct relationship with controller: Chairperson and Vice chair person of the relevant body or group, S2R Executive Director:
Joint controllers	n/a
privacy policy url	On-going
Last updated	07.06.2021
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Prevention and management of conflicts of interests of the staff members of the Shift2Rail Joint Undertaking

Reference number	PO-1-10
Data subject category	Relatives of the data subject, S2R JU statutory staff (temporary agents and contract agents (CA) as well as seconded national experts as they are assimilated to statutory staff)
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is processed for the sole purpose of applying the rules for the prevention and management of conflicts of interest of the S2R JU staff members in order to ensure the handling in a transparent and consistent manner of situations where conflicts of interest may arise.
Description	Collecting and screening declarations of confidentiality and non-conflict of interests signed by all S2R JU staff members when they take up duties.
Processed data	Characteristics of domicile	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Education	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Family composition	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Financial information	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Memberships	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Personal details	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Philosophical or religious convictions	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Political preferences	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Profession	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Trade union membership	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	10 years after end of contract
Processors	n/a
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Data kept according to the security measures adopted by the European Commission, Secure transfer of data, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	S2R JU Staff members: Staff member concerned, Line manager, Legal officer, Human resources officer, S2R Executive Director: , The general public: The declarations of interest submitted by the S2R JU Executive Director shall be available for public scrutiny with due respect to the applicable EU rules on protection of personal data and access to documents. Where deemed relevant, the concerned person's CV (or a summary of his/her professional experience) could also be made available. , S2R Governing Board:
Joint controllers	n/a
privacy policy url
Last updated	07.06.2021
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: S2R JU Info Day mobile app

Reference number	PO-5-03
Data subject category	Users of the S2R Info Day mobile app
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected for the sole purposes of permitting app users to enjoy all facilities and event related services occurring during the S2R JU Info Day.
Description	Collecting, processing and storing personal data locally for the S2R JU Info Day mobile application, a software solution created and developed by Evenium available for download at www.evenium.me and/or from the Apple Store and the Android Market, allowing the use of the ConnexMe service on smartphone devices. The app provides access to a list of all the events in which the organizer has participated and the content linked to these events, to communicate with other participants or the organizer of the event and to interact with the content of said events. It notably allows users: to participate in events with elements broadcast on screens.
Processed data	Personal details	Explicit consent article 5 d) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	Until December 21st, 2017
	Profession	Explicit consent article 5 d) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	Until December 21st, 2017
Processors	Evenium SA (Belgium)
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Use of information sources like the OWASP community and guidelines from the European Union Agency for Network and Information Security to stay abreast of new developments in threats and vulnerabilities and their most effective countermeasures
Recipients	Intra and extra-muros external service providers (S2R JU contractors): Ecorys NV, Intra and extra-muros external service providers (S2R JU contractors): Evenium SA (Subcontractor of Ecorys)
Joint controllers	n/a
privacy policy url	https://shift2rail.org/terms-of-use/
Last updated	29.01.2020
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Salary

Reference number	PO-1-06
Data subject category	JU Staff: temporary, JU Staff: contractual, Relatives of the data subject
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected in order to determine the staff member’s entitlements. Documents are collected by the HR Officer and sent to the relevant Commission service (PMO) which will process the data in order to determine the financial rights of the staff member.
Description	Producing salary slips, determining allowances, establishment of financial rights, paying the salaries and allowances to S2R JU staff.
Processed data	Education	Public interest article 5 a) of regulation 2018/1725	10 years after the extinction of all rights of the staff member and any dependents
	Family composition	Public interest article 5 a) of regulation 2018/1725	8 years after the extinction of all rights of the person concerned and of any dependents
	Financial information	Public interest article 5 a) of regulation 2018/1725	8 years after the extinction of all rights of the person concerned and of any dependents
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725	8 years after the extinction of all rights of the person concerned and of any dependents
	Personal details	Public interest article 5 a) of regulation 2018/1725	8 years after the extinction of all rights of the person concerned and of any dependents
	Profession	Public interest article 5 a) of regulation 2018/1725	8 years after the extinction of all rights of the person concerned and of any dependents
Processors	n/a
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Data kept according to the security measures adopted by the European Commission, Health data processed with the principles of medical confidentiality by HR officer, Obligation of confidentiality of the staff, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	S2R JU Staff members: Financial team, Human resources officer, S2R Executive Director: , European Commission and its services: PMO, European Commission and its services: Medical service (if sick leave involved)
Joint controllers	PMO
privacy policy url
Last updated	29.01.2020
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Selection and management of external experts (Non-selected experts)

Reference number	PO-2-02-b)
Data subject category	Experts (in case of legal entities, their representatives)
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected for the selection and the management (including reimbursements of expenses and payment where appropriate) of independent experts appointed by S2R JU to advise on or assist with: the evaluation of proposals, the monitoring of the implementation of actions carried out under Horizon 2020 as well as of previous Research and/or Innovation Programmes, advice or assistance with other tasks related to S2R JU activities.
Description	Collection and processing of data provided by individuals for the establishment of a database of prospective independent experts to assist with tasks managed by the S2R JU. The processing operations performed by the Controller include collection, storage and evaluation of personal data of the experts.
Processed data	Education	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years after closure of procedure
	Financial information	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years after closure of procedure
	Personal characteristics	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years after closure of procedure
	Personal details	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years after closure of procedure
	Profession	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years after closure of procedure
Processors	EC external service providers (contractors or subcontractors) under direct or framework service procurement contracts (Belgium)
Restrictions of data subject rights	n/a
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Automated system (Grants management), Data kept according to the security measures adopted by the European Commission, Obligation of confidentiality of the staff, Staff dealing with this processing operation is designated on a need-to-know basis, Standard clause for the processing of personal data included in the contract
Recipients	S2R JU Staff members: IP Coordinators, S2R JU Staff members: Staff participating in the selection of external experts, External evaluators or experts assisting the S2R JU: , S2R Executive Director: , European Commission and its services:
Joint controllers	Research Executive Agency
privacy policy url	https://shift2rail.org/wp-content/uploads/2020/02/PO-2-02-b-Selection-and-management-of-external-experts-Non-selected-experts.pdf
Last updated	05.03.2020
internal reference	Ares(2018)6031672
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Selection and management of external experts (selected experts)

Reference number	PO-2-02-a)
Data subject category	Experts (in case of legal entities, their representatives)
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected for the selection and the management (including reimbursements of expenses and payment where appropriate) of independent experts appointed by S2R JU to advise on or assist with: the evaluation of proposals, the monitoring of the implementation of actions carried out under Horizon 2020 as well as of previous Research and/or Innovation Programmes, advice or assistance with other tasks related to S2R JU activities.
Description	Collection and processing of data provided by individuals for the establishment of a database of prospective independent experts to assist with tasks managed by the S2R JU. The processing operations performed by the Controller include collection, storage and evaluation of personal data of the experts.
Processed data	Education	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Financial information	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Personal characteristics	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Personal details	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Profession	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	10 years after end of contract
Processors	EC external service providers (contractors or subcontractors) under direct or framework service procurement contracts (Belgium)
Restrictions of data subject rights	n/a
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Automated system (Grants management), Data kept according to the security measures adopted by the European Commission, Obligation of confidentiality of the staff, Staff dealing with this processing operation is designated on a need-to-know basis, Standard clause for the processing of personal data included in the contract
Recipients	External evaluators or experts assisting the S2R JU: , S2R JU Staff members: Staff participating in the selection of external experts, S2R JU Staff members: IP Coordinators, S2R Executive Director: , European Commission and its services: Research Executive Agency via the H2020 Participant Portal
Joint controllers	Research Executive Agency
privacy policy url	https://shift2rail.org/wp-content/uploads/2020/02/PO-2-02-a-Selection-and-management-of-external-experts-selected-experts.pdf
Last updated	02.03.2020
internal reference	Ares(2018)6031672
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Selection and recruitment of interims

Reference number	PO-1-01-c)
Data subject category	Interim staff selected via an external contractor on behalf of the European Commission
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Data are processed for the purpose of organising the selection and recruitment procedures for interims at the S2R JU.
Description	Collecting applications of candidates, screening tables, pre-selection reports, selection reports, written tests, interview questions, offers for posts, short lists, reserve lists, reserve list letters, negative letters etc.
Processed data	Education	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	6 months
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	6 months
	Personal details	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	6 months
	Profession	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	6 months
Processors	Randstad Belgium SA systems (Belgium)
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Data kept according to the security measures adopted by the European Commission, Obligation of confidentiality of the staff, Once the procedure is closed, electronically stored data erased, Signature of absence of conflict of interest , Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	External evaluators or experts assisting the S2R JU: Appointed members of the selection committee, S2R JU Staff members: Appointed members of the selection committee, Human Resources Officer, Data Protection Officer (only for the purposes of replying to access requests or other consultations on data protection aspects from the HR Officer), S2R Executive Director: , European Commission and its services: DG Human Resources and Security, External contractors under framework contract with the European Commission : Randstad
Joint controllers	DG EAC, DG Human Resources and Security, PMO
privacy policy url	https://shift2rail.org/about-shift2rail/reference-documents/functioning-of-the-ju/
Last updated	07.06.2021
internal reference	Ares(2019)503847
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Selection and recruitment of temporary agents (TA), contract agents (CA), seconded national experts (SNE) (non-recruited candidates)

Reference number	PO-1-01-b)
Data subject category	Candidates applying for open S2R JU vacancies (TA, CA, and SNE), Trainees recruited by the European Commission ('EU BlueBlook trainees')
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Data are processed for the purpose of organising the selection and recruitment procedures for TA, CA, SNE and Blue Book Trainees at the S2R JU.
Description	This processing operation consists of collecting applications of candidates, screening tables, pre-selection reports, selection reports, written tests, interview questions, offers for posts, short lists, reserve lists, reserve list letters, negative letters etc. Special retention time applies to non-recruited candidates. Regarding the BlueBook trainees, S2R JU is not in charge of the recruitment process which is being dealt with by the relevant department at the European Commission (DG EAC). Applications are only accessible via the online database which is open for consultation only during specific periods. Therefore, S2RJU does not store any data related to the recruitment of BlueBook Trainees.
Processed data	Education	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	2 years following the recruitment procedure is terminated
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	2 years following the recruitment procedure is terminated
	Personal details	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	2 years following the recruitment procedure is terminated
	Profession	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	2 years following the recruitment procedure is terminated
Processors	n/a
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Data kept according to the security measures adopted by the European Commission, Obligation of confidentiality of the staff, Once the procedure is closed, electronically stored data erased, Signature of absence of conflict of interest , Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	External evaluators or experts assisting the S2R JU: Appointed members of the selection committee, S2R JU Staff members: Appointed members of the selection committee, Human Resources Officer, Data Protection Officer (only for the purposes of replying to access requests or other consultations on data protection aspects from the HR Officer), S2R Executive Director: , European Commission and its services: PMO, DG Human Resources and Security
Joint controllers	DG EAC, DG Human Resources and Security, PMO
privacy policy url	https://shift2rail.org/about-shift2rail/reference-documents/functioning-of-the-ju/
Last updated	07.06.2021
internal reference	Ares(2019)503847
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Selection and recruitment of temporary agents (TA), contract agents (CA), seconded national experts (SNE) (recruited candidates)

Reference number	PO-1-01-a)
Data subject category	Candidates applying for open S2R JU vacancies (TA, CA, and SNE), Trainees recruited by the European Commission ('EU BlueBlook trainees')
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Data are processed for the purpose of organising the selection and recruitment procedures for TA, CA, SNE and Blue Book Trainees at the S2R JU.
Description	This processing operation consists of collecting applications of candidates, screening tables, pre-selection reports, selection reports, written tests, interview questions, offers for posts, short lists, reserve lists, reserve list letters, negative letters etc. Regarding the BlueBook trainees, S2R JU is not in charge of the recruitment process which is being dealt with by the relevant department at the European Commission (DG EAC). Applications are only accessible via the online database which is open for consultation only during specific periods. Therefore, S2RJU does not store any data related to the recruitment of BlueBook Trainees.
Processed data	Education	Contractual obligation article 5 c) of regulation 2018/1725 , public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Personal characteristics	Contractual obligation article 5 c) of regulation 2018/1725 , public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Personal details	Contractual obligation article 5 c) of regulation 2018/1725 , public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Profession	Contractual obligation article 5 c) of regulation 2018/1725 , public interest article 5 a) of regulation 2018/1725	10 years after end of contract
Processors	Secured IT data base (Joint Sickness Insurance Scheme) (Belgium) Teams
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Data kept according to the security measures adopted by the European Commission, Obligation of confidentiality of the staff, Once the procedure is closed, electronically stored data erased, Signature of absence of conflict of interest , Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	External evaluators or experts assisting the S2R JU: Appointed members of the selection committee, S2R JU Staff members: Executive Director, Appointed members of the selection committee, Human Resources Officer, Data Protection Officer (only for the purposes of replying to access requests or other consultations on data protection aspects from the HR Officer), European Commission and its services: PMO, DG Human Resources and Security
Joint controllers	DG EAC, DG Human Resources and Security, PMO
privacy policy url	https://shift2rail.org/about-shift2rail/reference-documents/functioning-of-the-ju/
Last updated	07.06.2021
internal reference	Ares(2019)503847
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Selection and recruitment of temporary agents (TA), contract agents (CA), seconded national experts (SNE) (spontaneous applications)

Reference number	PO-1-01-d)
Data subject category	Trainees recruited by the European Commission ('EU BlueBlook trainees'), Spontaneous applicants
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Data are processed for the purpose of organising the selection and recruitment procedures for TA, CA, SNE, interims staff and “EU Blue Book Trainees” at the S2R JU.
Description	Collecting spontaneous applications of candidates. The S2R JU does not consider spontaneous applications. Personal data (such as CV) is not stored and is deleted after 7 days. Regarding the BlueBook trainees, S2R JU is not in charge of the recruitment process which is being dealt with by the relevant department at the European Commission (DG EAC). Applications are only accessible via the online database which is open for consultation only during specific periods. Therefore, S2RJU does not store any data related to the recruitment of BlueBook Trainees.
Processed data	Education	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	7 calendar days
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	7 calendar days
	Personal details	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	7 calendar days
	Profession	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	7 calendar days
Processors	n/a
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Data kept according to the security measures adopted by the European Commission, Obligation of confidentiality of the staff, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	S2R JU Staff members: Human Resources Officer
Joint controllers	n/a
privacy policy url	https://shift2rail.org/wp-content/uploads/2020/02/PO-1-01-d-Spontaenous-applicants.pdf
Last updated	05.03.2020
internal reference	Ares(2019)503847
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Sick leaves

Reference number	PO-1-05-b)
Data subject category	JU Staff: temporary, JU Staff: contractual, External staff: trainees and interim staff
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is managed and collected for the purpose of assessing the entitlement to sick leave, annual leave and special leave and working conditions for temporary agents and contract agents.
Description	Assessing the entitlement to sick leaves and working conditions for temporary agents and contract agents.
Processed data	Health data	Legal obligation article 5 b) of regulation 2018/1725, public interest article 5 a) of regulation 2018/1725	5 years
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725	5 years
	Personal details	Public interest article 5 a) of regulation 2018/1725	5 years
	Profession	Public interest article 5 a) of regulation 2018/1725	5 years
Processors	IT Tool SYSPER (Belgium)
Restrictions of data subject rights	n/a
Security measures	A paper copy is made and saved in a paper file. The paper file is archived in a locked cupboard., Health data processed with the principles of medical confidentiality by HR officer, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	S2R JU Staff members: Human resources officer, Line manager, Executive Director, European Commission and its services: PMO, Medical service, DG DIGIT, Other: Other Institutions in case of transfer (they receive a chart with the liquidation account of sick leave)
Joint controllers	DG DIGIT, DG Human Resources and Security, PMO
privacy policy url
Last updated	07.06.2021
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Staff evaluation

Reference number	PO-1-03
Data subject category	JU Staff: temporary, JU Staff: contractual
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected to assess the performance with regard to the job specifications and defined objectives, and the potential and development or reclassification needs.
Description	Staff appraisal, probationary reports, reclassification of contract and temporary agents, renewal of contracts.
Processed data	Education	Public interest article 5 a) of regulation 2018/1725	10 years after the extinction of all rights of the staff member and any dependents
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Personal details	Public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Profession	Public interest article 5 a) of regulation 2018/1725	10 years after end of contract
Processors	Secured IT data base (Joint Sickness Insurance Scheme) (Belgium) Teams
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Obligation of confidentiality of the staff, Paper files are stored in a locked cupboard in the HR sector’s secured office until their destruction., Secure transfer of data, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	S2R JU Staff members: Line Managers, HR Officer, and in case of reclassification, the staff and Joint reclassification committees.
Joint controllers	n/a
privacy policy url
Last updated	07.06.2021
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Teleworking

Reference number	PO-1-07
Data subject category	JU Staff: temporary, JU Staff: contractual
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	The purpose of this processing operation is to manage in a legal, standardized and centralized framework all temporal aspects of a jobholder's framework with respect to the management and monitoring of the implementation of teleworking. In particular, the treatment consists in identifying the persons authorized to telework according to various criteria such as the possibilities of telework, the interest of the service or the motivation of the person. The persons concerned have the possibility of making a request for telecommuting either casual or structural via Sysper.
Description	Management of the teleworking requests and agreements; planning regarding the ordering of ICT tools and devices for the performance of telework. Staff members are granted access to an electronic tool in which they can launch a request for teleworking.
Processed data	Family composition	Public interest article 5 a) of regulation 2018/1725	10 years after the extinction of all rights of the staff member and any dependents
	Habits	Public interest article 5 a) of regulation 2018/1725	10 years after the extinction of all rights of the staff member and any dependents
	Health data	Public interest article 5 a) of regulation 2018/1725	10 years after the extinction of all rights of the staff member and any dependents
	Personal details	Public interest article 5 a) of regulation 2018/1725	3 years
	Profession	Public interest article 5 a) of regulation 2018/1725	3 years
Processors	IT Tool SYSPER (Belgium)
Restrictions of data subject rights	n/a
Security measures	Data kept according to the security measures adopted by the European Commission, Health data processed with the principles of medical confidentiality by HR officer, Secure transfer of data, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	S2R JU Staff members: Executive Director, Line Managers. , Data subject themselves: Right to access and rectify their own data in SYSPER.
Joint controllers	DG DIGIT, DG Human Resources and Security
privacy policy url
Last updated	07.06.2021
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: User Network and Systems Access

Reference number	PO-5-01
Data subject category	S2R JU staff, Interim staff selected via an external contractor on behalf of the European Commission, Trainees recruited by the European Commission ('EU BlueBlook trainees'), External staff: trainees and interim staff, Any other person whose personal data have been collected and are processed by information systems that use the S2R JU ICT infrastructure
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected to provide S2R JU employees with necessary access to ICT systems and services in order for them to carry out their statutory duties. This includes access provisioning to EC systems like ECAS/EU Login or ABAC.
Description	Provisioning of necessary access to S2R JU employees to designated business ICT systems of the organization based on incoming requests from HR department or management requests/access authorizations
Processed data	Personal characteristics	Public interest article 5 a) of regulation 2018/1725	1 month after user's departure
	Personal details	Public interest article 5 a) of regulation 2018/1725	1 month after user's departure
	Profession	Public interest article 5 a) of regulation 2018/1725	1 month after user's departure
Processors	Real Dolmen (Belgium)
Restrictions of data subject rights	n/a
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Confidentiality of communications and privacy, Windows 10 access: Password renewed every six month
Recipients	S2R JU Staff members: Network and security managers, IT system and database administrators, European Commission and its services: DIGIT, External contractors under framework contract with the European Commission : Real Dolmen
Joint controllers	DG DIGIT
privacy policy url
Last updated	29.01.2020
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Video Surveillance system

Reference number	PO-5-02
Data subject category	S2R JU staff, Visitors and other persons entering into the S2R JU premises outside regular working hours
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	The S2R JU uses its video-surveillance system for the sole purposes of protecting its premises and assets for safety, security and access control purposes only. The video-surveillance system helps monitor access to our offices, as well as safeguards property and information located or stored on the premises.
Description	Recording, storing and giving acces to record tapes by means of a closed circuit television (CCTV) system which are installed in S2R JU public areas located in the second floor of the White Atrium building (Avenue de la Toison d’Or 56-60, B-1060 Brussels/Belgium).
Processed data	Video tapes and photographs	Public interest article 5 a) of regulation 2018/1725	14 days
Processors	n/a
Restrictions of data subject rights	the rights that could be restricted on the ground of internal security of the s2r ju would mainly be the right to information. only in exceptional circumstances the images may be transferred to investigatory bodies in the framework of administrative inquiries, disciplinary proceedings or olaf investigation as far as there is a connection with the prevention, investigation or criminal offences. grounds for the restriction: 1. article 25(b) regulation 2018/1725: "prevention, investigation, detection and prosecution of criminal offences". 2. article 25(d) regulation 2018/1725: " internal security of union institutions and bodies"
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Computer systems hardened, Obligation of confidentiality of the staff, Physical security of the premises, System operates on a separate, disconnected private network with no external remote access
Recipients	Intra and extra-muros external service providers (S2R JU contractors): Upon request: External service provider (S2R JU contractor) in charge of the maintenance, S2R JU Staff members: ICT and Security Officer
Joint controllers	n/a
privacy policy url	https://shift2rail.org/wp-content/uploads/2020/05/PO-5-02-Video-surveillance-system.pdf
Last updated	16.12.2020
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Web Conference Service (Webex)

Reference number	TO BE FILLED IN BY DPO
Data subject category	S2R JU staff, Members of the Governing Board, Other participant, observer or expert invited to the meetings of the bodies of the S2R JU
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Organization of videoconferencing meetings
Description	Within the S2R Joint Undertaking, the web conferencing system is used for the organization of videoconferencing meetings with external participants. The tool is called WebEx. It can be defined as an all-in-one conferencing tool that integrates audio, video and content sharing. It allows easy access from a computer or mobile device that has Internet access and a browser. All videoconferencing participants meet in a virtual room securely accessible to guests. A staff member who would like to organize conferences must first have a personal account on the system which allows the activity requested to be linked to a responsible person. The organizer of the videoconference (exclusively S2R JU staff) will have to create a virtual room and invite external participants according to his needs. These invitations will be targeted based on the participant's email address and will allow access to the session. The recording of a conference is only possible by its organizer. The purpose of data processing could be classified into several different sections: Identification of the participants and the organizer in order to allow the actual operation of the conference Identification of potential technical improvements and failures in the service Production of statistics for invoicing the services provided by the contractor Collection of representative data and conference statistics (excluding their content) in order to improve the user experience and service performance by performing analyzes of the aggregation of this information Address support requests for the service Service support performance analysis
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725	3 years from when the Service is terminated, in a pseudonymised format; Host Registration & Invoicing information : 7 years
Processors	EC external service providers (contractors or subcontractors) under direct or framework service procurement contracts (Belgium)
Restrictions of data subject rights	n/a
Security measures	Data kept according to the security measures adopted by the European Commission, Premises abide by the European Commission's security decisions and provisions, Secure transfer of data, Standard clause for the processing of personal data included in the contract
Recipients	Third countries:
Joint controllers	n/a
privacy policy url	https://shift2rail.org/terms-of-use/
Last updated	07.06.2021
internal reference	TO BE FILLED IN BY DPO
Exercising your rights	https://shift2rail.org/terms-of-use/

Activity: Whistleblowing procedures

Reference number	PO-4-04
Data subject category	S2R JU staff
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected to ensure the protection and adequate remedies for whistleblowers, the management and follow up reports and to establish reporting channels for whistleblowers.
Description	Collecting data for the purposes of establishing reporting channels for whistleblowers, managing and following-up reports, and ensuring protection and adequate remedies for whistleblowers.
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725	2 months after the final decision has been issued to all the parties involved
	Profession	Public interest article 5 a) of regulation 2018/1725	2 months after the final decision has been issued to all the parties involved
Processors	n/a
Restrictions of data subject rights	there might be restrictions on a case-by-case basis of the rights to: information, access, rectification, blocking, erasure, notification to third parties. ground for restriction: investigation to protect witnesses or whistle-blowers in cases where personal data relate to the suspect as well (allegations made about the suspect by informants or witnesses). legal basis for restrictions: article 25(1) regulation 2018/1725 (protection of the data subject or the rights and freedoms of others)
Security measures	Data kept according to the security measures adopted by the European Commission
Recipients	European Commission and its services: European Anti Fraud Office (where needed), European Commission and its services: EDPS (where necessary), Police or legal organisations: European Court of Auditors (where necessary), Police or legal organisations: Court of Justice (where necessary), European Commission and its services: Internal Audit Service (where necessary), Intra and extra-muros external service providers (S2R JU contractors): Ethics experts or law firms, S2R JU Staff members: Human resources officer, Executive Director, Data subject themselves: The whistleblower, Personal relations data subject: Any person who may be concerned
Joint controllers	n/a
privacy policy url	https://shift2rail.org/wp-content/uploads/2018/12/Decision-GB-20_2018_Whistleblowing.pdf
Last updated	29.01.2020
internal reference
Exercising your rights	https://shift2rail.org/terms-of-use/