Processing Activities

Search

Data subject categories

Fields

Purpose

Description

Processed data

Recipients

Supporting assets

reference number

Results

Activity: Access to documents

Reference number	PO-6-02
Data subject category	Any natural person acting on a private basis or on behalf of a legal person submitting a request for access to EU-Rail (public) documents
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	The purpose of the processing operation is to ensure appropriate treatment of requests for access to public documents of EU-Rail
Description	This processing operation takes form in the receipt of requests of any external person to access EU-Rail (public) documents from different channels (EU-Rail on line form, general mailbox, individual EU-Rail staff, etc), the analysis of the request, taking a decision on the request, and informing the applicant of the decision and acknowledgment of receipt. For more information please read the EU-Rail practical arrangements for implementing Regulation (EC) No 1049/2001 of the European Parliament and of the Council regarding public access to documents adopted by the EU-Rail Gouverning Board (decision N° 22/2015). List of EU-Rail's external providers available at: Recipients of Funds and Annual List of Specific Contracts - Europe's Rail (europa.eu)
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years
	Profession	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years
Processors	Exchange Online External experts (contractors, intra and extra-muros) (Belgium) Forms PowerApps PowerBI SharePoint Stream
Restrictions of data subject rights	n/a
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	Intra and extra-muros external service providers (EU-RAIL contractors): List of EU-Rail's external providers available at: https://rail-research.europa.eu/participate/recipients-eu-rail-funds/, EU-RAIL Executive Director: , EU-RAIL Staff members: (Legal and Data Protection Officer, EU-Rail Management, Document Access Coordinator)
Joint controllers	n/a
privacy policy url	On-going
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Anti-fraud procedures

Reference number	PO-4-03
Data subject category	Natural persons who are or were suspected of wrongdoing which is the subject of the OLAF investigations, Natural persons who have provided information to OLAF including informants, whistleblowers, witnesses and persons who have provided statements, Staff of OLAF operational partners (e.g. competent staff of the EU institutions and bodies or national authorities) working on OLAF matters whose name appears in documents stored by OLAF, Other persons whose name appears in the case file but have no relevance to the case
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	The purpose of the processing operation is to facilitate internal investigations conducted by OLA, which may carry out further external investigations, including on-the-spot checks and inspections, with a view to establishing whether there has been fraud, corruption or any other illegal activity affecting the financial interests of the Union in connection with an agreement or a contract funded by EU-Rail.
Description	This processing operation takes form in collecting personal data in order to analyse information about potential fraud and financial irregularities to assess whether there are grounds to transmit the information to the relevant authorities for investigation, in particular the European Anti-Fraud Office (OLAF). Privacy notices relating to OLAF processing operations at the following link: https://ec.europa.eu/anti-fraud/olaf-and-you/data-protection/olaf-personal-data-processing-operations-and-privacy-statements_en EU-Rail Anti Fraud Strategy Action Plan and reviews published in the EU-Rail web site : Functioning of the JU - Europe's Rail (europa.eu) List of EU-Rail's external providers available at: Recipients of Funds and Annual List of Specific Contracts - Europe's Rail (europa.eu)
Processed data	Personal characteristics	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years
	Personal details	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years
	Profession	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years
Processors	Exchange Online
Restrictions of data subject rights	restrictions of data subject rights may occur during the preliminary activities related to cases of potential irregularities reported to olaf. see commission decision (eu) 2018/1962 of 11 december 2018 laying down internal rules concerning the processing of personal data by the european anti-fraud office (olaf) in relation to the provision of information to data subjects and the restriction of certain of their rights in accordance with article 25 of regulation (eu) 2018/1725 of the european parliament and of the council.
Security measures	Appropriate training, Data kept according to the security measures adopted by the European Commission
Recipients	European Commission and its services: European Anti Fraud Office, Government organisations: Competent national authorities, Government organisations: Competent third country authorities, Other: Competent international organisations, Intra and extra-muros external service providers (EU-RAIL contractors): List of EU-Rail's external providers available at: https://rail-research.europa.eu/participate/recipients-eu-rail-funds/, EU-RAIL Staff members: Staff dealing with anti-fraud cases
Joint controllers	n/a
privacy policy url	https://rail-research.europa.eu/about-europes-rail/europes-rail-reference-documents/functioning-of-the-europes-rail-ju/
Last updated	18.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Anti-harassment procedures (hard data)

Reference number	PO-4-05-a)
Data subject category	EU-Rail staff
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	The collection of "hard" data aims at the identification of the person, the management of historical records and most importantly at the identification of recurrent and multiple cases., Personal data is collected for the purpose of the procedure detailed in EU-Rail policy on protecting the dignity of the person and preventing psychological harassment and sexual harassment.
Description	The collection of data takes place in the context of selecting and appointing confidential counselors or in the context of the informal procedure described in the EU-Rail anti-harassment procedure.
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725, processing is necessary to protect the vital interests of the data subject or another natural person (article 5(e) regulation 2018/1725), explicit consent article 5 d) of regulation 2018/1725	5 years
	Profession	Public interest article 5 a) of regulation 2018/1725, processing is necessary to protect the vital interests of the data subject or another natural person (article 5(e) regulation 2018/1725), explicit consent article 5 d) of regulation 2018/1725	5 years
Processors	Exchange Online External experts (contractors, intra and extra-muros) (Belgium) SharePoint
Restrictions of data subject rights	restriction of data subject rights may occur in procedures to fight against harassment to protect the alleged victim in cases where personal data relate to the suspect as well (allegations made about the suspect by informants or witnesses). the legal basis for such restrictions is article 25(1) regulation 2018/1725 (protection of the data subject or the rights and freedoms of others.
Security measures	Obligation of confidentiality of the staff, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	European Commission and its services: European Anti Fraud Office (where necessary), European Commission and its services: Internal Audit Service (where necessary), Police or legal organisations: European Court of Auditors (where necessary), Professional advisors data subject: Advisors/psychologists (exceptional circumstances), Police or legal organisations: Judicial national authorities (exceptional circumstances), External evaluators or experts assisting the JU: Ethics experts or law firms, EU-RAIL Executive Director: , EU-RAIL Staff members: (Legal and Data Protection Officer, Human Resources Officer), Other: Confidential counsellors
Joint controllers	n/a
privacy policy url	https://shift2rail.org/wp-content/uploads/2017/11/Shift2Rail-anti-fraud-strategy-2017-2020.pdf
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Anti-harassment procedures (soft data)

Reference number	PO-4-05-b)
Data subject category	EU-Rail staff
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected for the purpose of the procedure detailed in the EU-Rail policy on protecting the dignity of the person and preventing psychological harassment and sexual harassment.
Description	Collection of data takes place in the context of selecting and appointing confidential counsellors or in the context of the informal procedure described in the EU-Rail anti-harassment procedure. Soft data are allegations and declarations based upon the subjective perceptions of data subjects, usually collected by means of the personal notes of the counsellors.
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725, processing is necessary to protect the vital interests of the data subject or another natural person (article 5(e) regulation 2018/1725), explicit consent article 5 d) of regulation 2018/1725	3 months after the closure of the case
Processors	EC external service providers (contractors or subcontractors) under direct or framework service procurement contracts (Belgium) Exchange Online SharePoint
Restrictions of data subject rights	restriction of data subject rights may occur in procedures to fight against harassment to protect the alleged victim in cases where personal data relate to the suspect as well (allegations made about the suspect by informants or witnesses). the legal basis for such restrictions is article 25(1) regulation 2018/1725 (protection of the data subject or the rights and freedoms of others.
Security measures	Obligation of confidentiality of the staff, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	EU-RAIL Executive Director: , EU-RAIL Staff members: (Legal and Data Protection Officer, Human Resources Officer), External evaluators or experts assisting the JU: Ethics experts or law firms, Police or legal organisations: Judicial national authorities (exceptional circumstances), Professional advisors data subject: Advisors/psychologists (exceptional circumstances), Police or legal organisations: European Court of Auditors (where necessary), European Commission and its services: Internal Audit Service (where necessary), European Commission and its services: European Anti Fraud Office (where necessary), Other: Confidential counsellors
Joint controllers	n/a
privacy policy url	https://rail-research.europa.eu/wp-content/uploads/2017/11/Shift2Rail-anti-fraud-strategy-2017-2020.pdf
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Associate membership, learning and development services offered by the Institute of Internal Auditors for the EU-Rail staff members

Reference number	PO-4-07
Data subject category	EU-Rail staff
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	EU-Rail staff members personal data are collected and processed in the context of the service contract with the Institute of Internal Auditors, Belgium – affiliated to the Institute of Internal Auditors (IIA Global)
Description	To administer the respective activities and services, a service contract between the Institute of Internal Auditors, Belgium (IIA Belgium) – affiliated to the Institute of Internal Auditors (IIA Global) - and the European Commission (DG HR Unit C4 - Learning & Development) is signed. Based on this service contract, EU-Rail concludes with IIA Belgium the Complementary Agreement to enable usage of IIA Belgium/IIA Global services by the EU-RAIL staff members under the EU-Rail group membership. In this respect, EU-RAIL staff members personal data are collected and processed. More information about the purpose and the description of this processing activity, applicable by analogy to EU-Rail, can be found in the EC DPO register (DPR-EC-08086.1) at the following link: https://ec.europa.eu/dpo-register/detail/DPR-EC-08086.1
Processed data	Membership of a professional association	Public interest - art. 50.1 d) article 5 a) of regulation (eu) 2018/1725	10 years
	Personal details	Public interest - art. 50.1 d) article 5 a) of regulation (eu) 2018/1725	10 years
	Profession	Public interest - art. 50.1 d) article 5 a) of regulation (eu) 2018/1725	10 years
International data transfers	<div> \| Personal data is transferred to a third country outside EU/EEA for which there is no adequacy decision (The United States). The level of protection of personal data will depend on the law or practice of this third country. However, the rights as regards data protection might not be equivalent to those in and EU/EEA country or a country with an adequacy decision. The information we collect will not be given to any other party located in a third country outside EU/EEA, except to the extent and for the purpose, which may be required by the national law of the country in question.<br> EU-Rail considers that a derogation under Article 50 - Derogations for specific situations of the Regulation (EU) 2018/1725, and in particular Art. 50.1 d) be applied, as required for important reasons of public interest. Indeed, EU-Rail’s staff under the group membership in IIA Belgium help EU-Rail in accomplishing its objectives by bringing a systematic, disciplined approach in order to evaluate and improve the effectiveness of risk management, control and governance processes. Their tasks include assessing and making appropriate recommendations for improving the risk management, control and governance process. Consequently, it is in public interest and common good to ensure that the service provided by these EU-Rail staff members would be of a high standard. There is no adequate or similar service provider in the EU/EEA that would allow these EU-Rail staff to become members of similar professional organisation, obtain certifications, follow necessary external trainings and maintain their professional qualifications. The application of derogation for specific situations based on the Regulation (EU) 2018/1725 Article 50.1(d) for the service contract with the IIA Belgium – affiliated to the Institute of Internal Auditors (IIA Global) would allow the EU-Rail staff to benefit, on a voluntary basis, from the Full Membership package offered by the IIA, including those implying the transfer of personal data to the US. The derogation is a temporary measure until a legally binding and enforceable instrument is agreed with the IIA Belgium – affiliated to the IIA Global and which has signed the Standard Contractual Clauses with the IIA Global for sharing the data.<br> More information about the legal base for the data transfer, the derogations for specific situations and the condition(s) that apply(ies) for the derogation(s) can be found in the EC DPO register (DPR-EC-08086.1) at the following link: <a href="https://ec.europa.eu/dpo-register/detail/DPR-EC-08086.1">https://ec.europa.eu/dpo-register/detail/DPR-EC-08086.1<br></a><br></div>
Processors	Servers of the European Commission Servers of the IIA Belgium/IIA Global (Belgium, Derogation under Article 50 - Derogations for specific situations of the Regulation (EU) 2018/1725, and in particular Art. 50.1 d) )
Restrictions of data subject rights
Security measures	Data kept according to the security measures adopted by the European Commission, Standard clause for the processing of personal data included in the contract
Recipients	European Commission and its services: , Processor: IIA Belgium – affiliated to the IIA Global administer and provide the associate membership services for the IAS staff members. The privacy policy of the IIA Belgium: https://iiabelgium.org/privacy-statement/ The privacy policy of the IIA Global: https://www.theiia.org/en/Privacy-Policy/
Joint controllers	n/a
privacy policy url	https://ec.europa.eu/dpo-register/detail/DPR-EC-08086
Last updated	21.02.2023
internal reference	PO-4-07
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Communication of EU-Rail Staff personal data to governments of EU Member States

Reference number	PO-1-11
Data subject category	EU-Rail statutory staff (temporary agents and contract agents (CA) as well as seconded national experts as they are assimilated to statutory staff)
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Article 15, al.2 of the Protocol n° 7 on the Privileges and immunities of the European Union annexed to the Treaty on the Functioning of the European Union states that “the names, grades and addresses of officials and other servants included in such categories shall be communicated periodically to the governments of the Member States”.
Description	Collecting EU-Rail staff personal data (name, function and adress) and its communication, upon request, to the governments of the Member States.
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Profession	Public interest article 5 a) of regulation 2018/1725	10 years after end of contract
Processors	n/a
Restrictions of data subject rights	n/a
Security measures	Secure transfer of data
Recipients	Government organisations: Governments of the EU Member States (including but not limited to ministries and Permanent Representations)
Joint controllers	n/a
privacy policy url	N/A
Last updated	14.06.2024
internal reference	Ares(2019)2259506
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Document management system (day-to-day document management)

Reference number	PO-6-01-b)
Data subject category	EU-Rail staff, Staff's correspondants
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected to ensure appropriate follow up, filing and registration of important communication (internal/external) and documents.
Description	Repository and filling of documents are received and sent out from and to external person as well as internal mail/documents exchanges
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725	3 years
	Profession	Public interest article 5 a) of regulation 2018/1725	3 years
Processors	EC external service providers (contractors or subcontractors) under direct or framework service procurement contracts (Belgium) Exchange Online IT Tools (ABAC, EMI, etc.) (Belgium) SharePoint
Restrictions of data subject rights	n/a
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	EU-RAIL Staff members: , European Commission and its services: Investigation and Disciplinary Office, European Commission and its services: OLAF, External contractors under framework contract with the European Commission : IT service providers of DG DIGIT, European Commission and its services: DG DIGIT
Joint controllers	DG DIGIT
privacy policy url	https://rail-research.europa.eu/wp-content/uploads/2018/11/S2RJU_DMP_adopted_20181116_v2.pdf
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Document management system (document management policy, archive policy and their implementation)

Reference number	PO-6-01-a)
Data subject category	EU-Rail staff, Staff's correspondants
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected to ensure appropriate follow up, filing and registration of important communication (internal/external) and documents.
Description	Repository and filling of documents are received and sent out from and to external person as well as internal mail/documents exchanges
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725	5 years
	Profession	Public interest article 5 a) of regulation 2018/1725	5 years
Processors	EC external service providers (contractors or subcontractors) under direct or framework service procurement contracts (Belgium) IT Tools (ABAC, EMI, etc.) (Belgium) SharePoint
Restrictions of data subject rights	n/a
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	European Commission and its services: OLAF, European Commission and its services: Investigation and Disciplinary Office, EU-RAIL Staff members: , European Commission and its services: DG DIGIT, External contractors under framework contract with the European Commission : IT service providers of DG DIGIT
Joint controllers	DG DIGIT
privacy policy url	https://rail-research.europa.eu/wp-content/uploads/2018/11/S2RJU_DMP_adopted_20181116_v2.pdf
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: E-newsletter subscription and related information

Reference number	PO-3-02
Data subject category	Recipients (“general public”) having requested or explicitly consented to remain in the EU-Rail database and to continue receiving emails, invitations to events, alerts, e-news, newsletters and other relevant information from EU-Rail
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected for the purpose of subscribing to the Europe’s Rail Joint Undertaking electronic newsletter via the EU-Rail website and related services (alerts, notifications, etc).
Description	Establishing a list of email addresses to which each issue of the e-newsletter is sent; sending emails, invitations to events, alerts, e-news, and other relevant information.
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725, explicit consent article 5 d) of regulation 2018/1725	Until the data subject unsubscribes
	Profession	Public interest article 5 a) of regulation 2018/1725, explicit consent article 5 d) of regulation 2018/1725	Until the data subject unsubscribes
Processors	20 Seconds to Midnight (Belgium) Online platform (USA, EU-US privacy shield)
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Data not displayed to the wider public, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	Intra and extra-muros external service providers (EU-RAIL contractors): 20 Seconds to Midnight, EU-RAIL Staff members: Communication team, Intra and extra-muros external service providers (EU-RAIL contractors): MailChimp
Joint controllers	n/a
privacy policy url	https://rail-research.europa.eu/wp-content/uploads/2020/02/PO-3-02-E-newsletter-subscription-and-related-information.pdf
Last updated	14.06.2024
internal reference	Ares(2019)561283
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: EU Survey Tool for event registrations

Reference number	PO-3-03
Data subject category	Registrants or attendees sent through the EU Survey tool
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected in order to share information about the event on EU-Rail and EUROPA websites and social media accounts, to ensure all necessary organisational steps to allow participants access on the premises of the event’s venue, for the management of the event itself, to ensure event follow-up activities.
Description	Collecting personal data for the purposes of participation in an on-line survey in order to to participate in a EU-Rail event on a voluntary basis.This specific on-line service consists of an on-line form made available on the EUSurvey application, managed by the European Commission.
Processed data	Health data	Public interest article 5 a) of regulation 2018/1725, explicit consent article 5 d) of regulation 2018/1725	1 month after the results of the survey have been aggregated
	Personal details	Public interest article 5 a) of regulation 2018/1725, explicit consent article 5 d) of regulation 2018/1725	1 month after the results of the survey have been aggregated
	Profession	Public interest article 5 a) of regulation 2018/1725, explicit consent article 5 d) of regulation 2018/1725	1 month after the results of the survey have been aggregated
Processors	EUSurvey IT system (Belgium) Teams
Restrictions of data subject rights	n/a
Security measures	Data kept according to the security measures adopted by the European Commission, Secure transfer of data, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	European Commission and its services: Authorized staff, Intra and extra-muros external service providers (EU-RAIL contractors): Only parts of personal data (name, surname, employer, email address) for the purpose of sending news, newsletter or invitations to future EU-Rail events, EU-RAIL Staff members: Communication team
Joint controllers	DG DIGIT
privacy policy url	https://rail-research.europa.eu/wp-content/uploads/2020/02/PO-3-03-EU-Survey-Tool-for-event-registrations.pdf
Last updated	14.06.2024
internal reference	Ares(2019)3713549
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: EU-Rail JU Info Day mobile app

Reference number	PO-5-03
Data subject category	Users of EU-Rail Info Day mobile app
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected for the sole purposes of permitting app users to enjoy all facilities and event related services occurring during the EU-Rail Info Day.
Description	Collecting, processing and storing personal data locally for theEU-Rail Info Day mobile application, a software solution created and developed by Evenium available for download at www.evenium.me and/or from the Apple Store and the Android Market, allowing the use of the ConnexMe service on smartphone devices. The app provides access to a list of all the events in which the organizer has participated and the content linked to these events, to communicate with other participants or the organizer of the event and to interact with the content of said events. It notably allows users: to participate in events with elements broadcast on screens.
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725, explicit consent article 5 d) of regulation 2018/1725	Until December 21st, 2017
	Profession	Public interest article 5 a) of regulation 2018/1725, explicit consent article 5 d) of regulation 2018/1725	Until December 21st, 2017
Processors	Evenium SA (Belgium)
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Use of information sources like the OWASP community and guidelines from the European Union Agency for Network and Information Security to stay abreast of new developments in threats and vulnerabilities and their most effective countermeasures
Recipients	Intra and extra-muros external service providers (EU-RAIL contractors): Ecorys NV, Intra and extra-muros external service providers (EU-RAIL contractors): Evenium SA (Subcontractor of Ecorys)
Joint controllers	n/a
privacy policy url	https://shift2rail.org/terms-of-use/
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Event registration and organization

Reference number	PO-3-01
Data subject category	Registrants/Attendees of EU-Rail events
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected to register interested persons for effective management of meetings, provide access to the EU-Rail event venues, and maintain participant’s lists as well as allowing possible event follow-up actions including feedback collection, specific communication activities and sharing of presentations.
Description	Collecting personal data as a part of the registration process for EU-Rail events, processing for organisation of event (participants list, name tags, access control, etc), online registration of participants as well as communication with event participants before and after the end of events; Sharing data for networking.
Processed data	Health data	Public interest article 5 a) of regulation 2018/1725, explicit consent article 5 d) of regulation 2018/1725	5 years
	Personal details	Public interest article 5 a) of regulation 2018/1725, explicit consent article 5 d) of regulation 2018/1725	5 years
	Profession	Public interest article 5 a) of regulation 2018/1725, explicit consent article 5 d) of regulation 2018/1725	5 years
	Video tapes and photographs	Public interest article 5 a) of regulation 2018/1725, explicit consent article 5 d) of regulation 2018/1725	5 years
Processors	Ecorys systems (Belgium) SharePoint Teams
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Paper files are stored in a locked cupboard in the HR sector’s secured office until their destruction., Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	Intra and extra-muros external service providers (EU-RAIL contractors): Ecorys and 20 Seconds To Midnight, Data subject themselves: Other participants, EU-RAIL Staff members: Communication team
Joint controllers	n/a
privacy policy url	https://rail-research.europa.eu/about-shift2rail/reference-documents/functioning-of-the-ju/
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Exceptional leaves, absences and permanencies

Reference number	PO-1-05-c)
Data subject category	JU Staff: temporary, JU Staff: contractual, External staff: trainees and interim staff
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	The purpose of this processing activity is to manage the exceptional leaves, absences, and permanencies of staff members so that the EU-Rail HR Officer may determine if the staff members leave rights are to be adapted.
Description	This processing activity occurs when assessing the entitlement to exceptional leaves, absences and permanencies and working conditions for temporary agents and contract agents. The exceptional leaves, absences, and permanencies could concern but are not limited to: permanencies during the EU-Rail office closure, flexibility during public holidays (for example the possibility to work during the day of Easter), participation to strikes organized by unions. The exceptional leaves, absences, and permanencies do not fall under the normal scope of leaves and special leaves granted to staff members, for which another record gives account.
Processed data	Personal characteristics	Public interest article 5 a) of regulation 2018/1725	7 years
	Personal details	Public interest article 5 a) of regulation 2018/1725	7 years
	Profession	Public interest article 5 a) of regulation 2018/1725	7 years
Processors	IT Tool SYSPER (Belgium)
Restrictions of data subject rights	n/a
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	European Commission and its services: PMO, EU-RAIL Staff members: Human resources officer, EU-RAIL Staff members: Line managers, European Commission and its services: DG HR/DG DIGIT via SYSPER
Joint controllers	DG DIGIT, DG Human Resources and Security, PMO
privacy policy url
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Flexitime Management

Reference number	PO-1-09
Data subject category	JU Staff: temporary, JU Staff: contractual
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected to authorize the recuperation of overtime based on the working hours registered in SYSPER by the staff member.
Description	Assessing and managing the entitlement of staff members to flexitime for temporary agents and contract agents.
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725	3 years
	Profession	Public interest article 5 a) of regulation 2018/1725	3 years
Processors	Exchange Online IT Tool SYSPER (Belgium) SharePoint
Restrictions of data subject rights	n/a
Security measures	Data kept according to the security measures adopted by the European Commission, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	EU-RAIL Staff members: Human resources officer, EU-RAIL Staff members: Line manager
Joint controllers	DG DIGIT, DG Human Resources and Security
privacy policy url
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Internal audits

Reference number	PO-4-01
Data subject category	EU-Rail staff, Experts and EU-Rail contractors, Relatives of the persons above mentionned, whose personal data are available in the systems and/or files of the EC
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected and managed for the purpose of independent, risk-based and objective assurance and consulting services designated to add value and improve the operations of EU-Rail.
Description	The Internal Auditor reports to the EU-Rail on his or her findings and recommendations and advises on dealing with risks, by issuing independent opinions on the quality of management and control systems and by issuing recommendations for improving the conditions of implementation of operations and promoting sound financial management.
Processed data	Education	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	7 years
	Financial information	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	7 years
	Personal details	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	7 years
	Profession	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	7 years
Processors	Audit management system (Belgium) Exchange Online IT Tools (ABAC, EMI, etc.) (Belgium) SharePoint
Restrictions of data subject rights	no restriction per se in eu-rail related operations but commission decision (eu) 2018/1961 of 11 december 2018 laying down internal rules concerning the provision of information to data subjects and the restriction of certain of their rights in the context of the processing of personal data for the purpose of internal audit activities.
Security measures	Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	European Commission and its services: DG DIGIT, European Commission and its services: European Data Protection Supervisor, Police or legal organisations: European Court of Auditors, EU-RAIL Governing Board: , EU-RAIL Executive Director: , EU-RAIL Staff members: Data Protection Officer, Internal Control Coordinator, Head of Administration and Finance, Administration and Finance Support team, European Commission and its services: Internal Audit Service
Joint controllers	n/a
privacy policy url
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Leaves and special leaves

Reference number	PO-1-05-a)
Data subject category	JU Staff: temporary, JU Staff: contractual, Relatives of the data subject, External staff: trainees and interim staff
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	The purpose of this processing activity is the management of annual leave and special leave entitlements.
Description	Assessing the entitlement to annual leave and special leave and working conditions for temporary agents and contract agents. The special leaves include: 1- Marriage of an official, contract agent or SNE 2- Marriage of a child of an official / agent. 3- Birth of a child of an official / servant / SNE. 4- Serious illness of the spouse 5- Very serious illness of a child 6- Serious illness of a child 7- Serious illness of an ascendant 8- Death of the spouse 9- Death of wife during maternity leave 10- death of a child 11- Dead of an ascendant 12- Dead of a brother or sister 13- Adoption 14- Maternity 15- Exercise of an unremunerated external activity 16- Convocation to the court / judiciary. 17- Cure 18- Move 19- Election outside the duty station 20- Participation in an examination / competition / selection organized by EPSO, by a Community Institution or Agency 21- Training 22- Exercise of an elective public office. 23- Looking for a job at the end of the contract. 24- Travel time "special leave". 25- Part-time work 26- Family leave 27- Termination of functions 28- Cancellation of an annual or special leave at the request of the person concerned. 29- Postponement of annual leave 30- Flexitime 31- Permanence of end of year
Processed data	Family composition	Public interest article 5 a) of regulation 2018/1725	N+3 years
	Health data	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	N+3 years
	Juridic data	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	N+3 years
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725	N+3 years
	Personal details	Public interest article 5 a) of regulation 2018/1725	N+3 years
Processors	Exchange Online IT Tool SYSPER (Belgium) SharePoint
Restrictions of data subject rights	n/a
Security measures	A paper copy is made and saved in a paper file. The paper file is archived in a locked cupboard., Health data processed with the principles of medical confidentiality by HR officer, Paper files are stored in a locked cupboard in the HR sector’s secured office until their destruction., Secure transfer of data, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	European Commission and its services: PMO, DG HR, DG DIGIT via SYSPER , EU-RAIL Staff members: Human resources officer, EU-RAIL Staff members: Line manager
Joint controllers	DG DIGIT, DG Human Resources and Security, PMO
privacy policy url
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Management of EU-Rail Governance's bodies and meetings

Reference number	PO-6-03
Data subject category	Any natural person acting on a private basis or on behalf of a legal person submitting a request for a meeting with the Executive Director or EU-Rail staff, Members of the Governing Board, Members of Scientific Committee, Members of States Representatives Group, Members of the Innovation Programmes' Steering Committees, Members of working groups, Other participant, observer or expert invited to the meetings of the bodies of EU-Rail
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected and managed for the purpose of granting access to members of EU-Rail bodies and visitors to EU-Rail premises in order to attend either EU-Rail Governance meetings or meetings with the EU-Rail Executive Director or EU-Rail staff.
Description	Collecting and processing information of attendees to the EU-Rail meetings, in particular invitations, registration, minutes, member's nomininations; register of visitors for the Executive Director and other EU-Rail staff. More information on the EU-Rail bodies, minutes and member's names can be found on the EU-Rail web site: About Europe's Rail - Europe's Rail (europa.eu)
Processed data	Education	Public interest article 5 a) of regulation 2018/1725	5 years
	Personal details	Public interest article 5 a) of regulation 2018/1725	5 years
	Profession	Public interest article 5 a) of regulation 2018/1725	5 years
Processors	Exchange Online Securitas SA (Belgium) SharePoint
Restrictions of data subject rights	n/a
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	Individuals/organisations in direct relationship with controller: Security Service of the White Atrium building, EU-RAIL Executive Director: , EU-RAIL Staff members: ED Assistant, Programme Assistant, Legal Officer and DPO, External evaluators or experts assisting the JU: Auditors, Police or legal organisations: European Data Protection Supervisor, European Commission and its services: EDPS
Joint controllers	n/a
privacy policy url	On-going
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Management of procurement procedures and grant applications (successful)

Reference number	PO-02-01-a)
Data subject category	Tenderers’ and applicants’ data (in case of legal entities, their representatives)
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected for the award, management and follow-up of procurement contracts, grants, prizes and financial instruments by EU-Rail in accordance with EU-Rail's annual work plans.
Description	Collecting and processing of data provided by the applicants, tenderers, contractors and beneficiaries in the context of grant applications and tenders procedures as well as grant agreements and procurement contracts managed by EU-Rail in accordance with EU-Rail’s annual work plans.
Processed data	Education	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Financial information	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Juridic data	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Personal details	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Profession	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
Processors	European Commission systems (Belgium) Exchange Online External experts (contractors, intra and extra-muros) (Belgium) SharePoint
Restrictions of data subject rights	n/a. restriction already foreseen in the financial regulation – art 142 (1)
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Automated system (Grants management), Data kept according to the security measures adopted by the European Commission, Obligation of confidentiality of the staff, Secure transfer of data, Signature of absence of conflict of interest , Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	External evaluators or experts assisting the JU: , Intra and extra-muros external service providers (EU-RAIL contractors): , EU-RAIL Executive Director: , EU-RAIL Staff members: Grant proposal evaluation panels, IP Coordinators, Tender evaluation committees, Staff participating in the selection of external experts, European Commission and its services:
Joint controllers	Research Executive Agency
privacy policy url	https://rail-research.europa.eu/about-shift2rail/reference-documents/functioning-of-the-ju/
Last updated	14.06.2024
internal reference	Ares(2018)6031672
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Management of procurement procedures and grant applications (unsuccessful applicants)

Reference number	PO-02-01-b)
Data subject category	Tenderers’ and applicants’ data (in case of legal entities, their representatives)
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected for the award, management and follow-up of procurement contracts, grants, prizes and financial instruments by the EU-Rail in accordance with EU-Rail’s annual work plans.
Description	Collecting and processing of data provided by unsuccessful applicants in the context of grant applications and tenders procedures as well as grant agreements and procurement contracts managed by EU-Rail in accordance with EU-Rail’s annual work plans.
Processed data	Education	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years after closure of procedure
	Financial information	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years after closure of procedure
	Juridic data	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years after closure of procedure
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years after closure of procedure
	Personal details	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years after closure of procedure
	Profession	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years after closure of procedure
Processors	European Commission systems (Belgium) Exchange Online External experts (contractors, intra and extra-muros) (Belgium) SharePoint
Restrictions of data subject rights	n/a. restriction already foreseen in the financial regulation – art 142 (1)
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Automated system (Grants management), Data kept according to the security measures adopted by the European Commission, Obligation of confidentiality of the staff, Secure transfer of data, Signature of absence of conflict of interest , Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	EU-RAIL Executive Director: , EU-RAIL Staff members: Staff participating in the selection of external experts, Tender evaluation committees, IP Coordinators, Grant proposal evaluation panels., Intra and extra-muros external service providers (EU-RAIL contractors): , External evaluators or experts assisting the JU:
Joint controllers	Research Executive Agency
privacy policy url	https://rail-research.europa.eu/wp-content/uploads/2020/02/PO-02-01-b-Management-of-procurement-procedures-and-grant-applications-unsuccessful-applicants.pdf
Last updated	14.06.2024
internal reference	Ares(2018)6031672
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Management of the EU-Rail Cooperation tool

Reference number	PO-5-04
Data subject category	EU-Rail staff, EU-Rail founding and associated Members, External guests (i.e.: auditors)
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected for the management of the Web application EU-Rail Multi-project Cooperation Tool".
Description	Collecting and exchange documents, EU-Rail members comments and opinions and organisation of meetings of EU-Rail project, recording history data (for audit trail) of all communication and modifications applied by individual access. The Cooperation Tool is a multi-project (programme) to manage all collaborative projects performed by EU-Rail Members, stemming from the EU-Rail annual calls for proposals under the rules for participation of H2020 and EU-Rail Regulation, as well as some specific JU activities like the IP/CCA Steering Committees. It allows the EU-Rail Members to monitor the financial management of their respective grant agreements as well as their annual Total Project Costs(IKOP) reporting and certification in accordance with Article 4.4 of EU-Rail Regulation. It allows and supports the cooperation of the various R&I project participants to implement the Description of the Action (DoA) for each awarded grant through daily project coordination and communication, as well as allow the JU to manage its working groups and Steering Committee with the respective members. The tool offers a common interface and a platform for: coordination; planning; control; technical, administrative and financial management; exchange of document; comments and opinions; organisation of meetings of EU-Rail projects and groups.
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725	3 years
	Profession	Public interest article 5 a) of regulation 2018/1725	3 years
Processors	Data centre (Italy) Exchange Online
Restrictions of data subject rights
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Automatically generated password stored in encrypted format, Back-ups, update and monitoring services as well as corrective and periodic maintenances , Data produced remain the sole ownership of the participants to the project, No copies kept by contractor, Password recovery mechanism , Secure communication channel between server and client, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	European Commission and its services: Observers in the IP/CCA Steering Committe (ERA and EC representatives), EU-RAIL Staff members: , EU-RAIL private founding Members: , Intra and extra-muros external service providers (EU-RAIL contractors): Centro Nuova Comunicazione S.R.L.
Joint controllers	n/a
privacy policy url
Last updated	14.06.2024
internal reference	Ares(2019)1475974
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Microsoft Office 365 - EU-Rail staff and guest users

Reference number	PO-PO5-05
Data subject category	JU Staff: temporary, JU Staff: contractual, External staff: trainees and interim staff, EU-Rail statutory staff (temporary agents and contract agents (CA) as well as seconded national experts as they are assimilated to statutory staff), EU-Rail staff, Interim staff selected via an external contractor on behalf of the EC, JU external collaborators being granted access to M365 platform as guests
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	In line with the European Commission’s Digital Strategy, JU is gradually moving into a fully digital working environment. As a European public administration, JU needs to lead the way in terms of both integrating digital at the core of European policy implementation and leveraging the potential of digital to work better and faster.
Description	In line with the European Commission’s Digital Strategy, EU-Rail is gradually moving into a fully digital working environment. As a European public administration, EU-Rail needs to lead the way in terms of both integrating digital at the core of European policy implementation and leveraging the potential of digital to work better and faster. For this strategy to deliver, EU-Rail has designed several actions and adopted a series of new tools designed to form together a Digital Workplace. The Digital Workplace is an opportunity for the EU-Rail to become an example of a modern public, connected and efficient Public Administration by providing staff with the best combination of tools, physical framework and working methods, to effectively support the achievement of the priorities of our organisation. The Digital Workplace responds to the need for connected office, integrating teleworking tools for activities such as conference calls, remote collaboration, audio- or videoconferencing or webinars. Consequently, EU-Rail has decided to operate M365 provided by Microsoft Ireland. M365 offers cloud-based solutions that enable staff members of JU to: Document Processing – to create, read, review and amend documents, presentations, spreadsheets and other document types in various formats and for various purposes (Access, Sway, Forms); Email, Calendar, Contacts – to manage and exchange e-mail, calendars, contacts, tasks and notes (Exchange Online); File Sharing – to create, read, review, amend, store and share documents and files of various types in view of collaboration among staff (SharePoint Online, OneDrive, OneNote, Stream, Teams, PowerApps, Yammer); Chat and Messaging – to interact, share files, chat and exchange messages with colleagues, partners, stakeholders and other parties (Teams, Yammer); Virtual Meetings – to set up and participate in virtual meetings and teleconferences (Teams); Project and Task Management – to facilitate project and task management by staff (Exchange Online); and Data Analytics and Visualisation – to analyse data and visualise such data (Power BI). Identity and access management to M365 is managed through Azure Active Directory (Azure AD) and InTune. The operation of M365 requires the processing of personal data by EU-Rail for the following purposes: provision, enabling, set-up, configuration and maintenance of M365 capabilities, including facilitating and coordinating field tasks (Identification Data, Service-Generated Data, Content Data) administration of the rights allocated to a user account (identity and access management) (Identification Data); end-user support and IT Teams support for issues with M365 (Identification Data, Service-Generated Data, Diagnostic Data); prevention, detection and resolution of security events (e.g. cyber-attack), to ensure the confidentiality, integrity and availability of M365 (Identification Data, Service-Generated Data); and responding to data subjects exercising their rights in relation to personal data processed within M365 (Identification Data, Service-Generated Data). Additionally, Microsoft Ireland as a processor for and on behalf of EU-Rail processes personal data for internal business operations in the context of providing M365. These business operations consist of (exhaustive list): billing and account management (Identification Data, Service-Generated Data); compensation (Service-Generated Data); internal reporting and business modelling (Service-Generated Data); combatting fraud, cybercrime, and cyberattacks (Identification Data, Service-Generated Data); improving core functionality of accessibility, privacy and energy efficiency (Service-Generated Data); and financial reporting and compliance with legal obligations (Identification Data, Service-Generated Data).
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725	6 months
	Video tapes and photographs	Public interest article 5 a) of regulation 2018/1725	For as long as the user account is active. days
Processors	Exchange Online OneDrive SharePoint Stream Teams
Restrictions of data subject rights	n/a
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Computer systems hardened, Data kept according to the security measures adopted by the European Commission, Obligation of confidentiality of the staff, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	Other private organisations: Microsoft's personnel based outside the EEA (most importantly, the USA) managing the databases on Microsoft cloud servers and Microsoft’s sub-processors' personnel on a need-to-know basis.
Joint controllers	n/a
privacy policy url	https://rail-research.europa.eu/wp-content/uploads/2021/05/PO-PO-5-05_Microsoft-365_public.docx.pdf
Last updated	14.06.2024
internal reference	PO-PO5-05
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Missions

Reference number	PO-1-08
Data subject category	JU Staff: temporary, JU Staff: contractual, External staff: trainees and interim staff, EU-Rail statutory staff (temporary agents and contract agents (CA) as well as seconded national experts as they are assimilated to statutory staff)
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected for the management of the missions of the staff and the reimbursement of travel expenses and daily subsistence allowance.
Description	Collection of contact details and meeting documentation (such as agenda), request files and reimbursement files, travel orders.
Processed data	Financial information	Public interest article 5 a) of regulation 2018/1725	7 years
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725	7 years
	Personal details	Public interest article 5 a) of regulation 2018/1725	7 years
	Profession	Public interest article 5 a) of regulation 2018/1725	7 years
Processors	American Express (travel agency) (Belgium) Exchange Online SharePoint
Restrictions of data subject rights
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Data kept according to the security measures adopted by the European Commission, Obligation of confidentiality of the staff, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	EU-RAIL Staff members: Administrative staff responsible for processing the files, European Commission and its services: PMO, External contractors under framework contract with the European Commission : American Express
Joint controllers	PMO
privacy policy url
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Occupational health and medical data

Reference number	PO-1-02
Data subject category	JU Staff: temporary, JU Staff: contractual, Relatives of the data subject
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected to ensure that EU-Rail staff complies with requirements of pre-recruitment, annual and periodic medical examination.
Description	Procedures put in place to ensure safety, health and welfare of EU-Rail staff; Pre-recruitment medical examination; Annual and periodic medical examination . EU-Rail does not collect medical certificates of staff members. These are directly sent to the medical service of the European Commission in accordance with the procedure established.
Processed data	Family composition	Public interest article 5 a) of regulation 2018/1725	3 years
	Personal details	Public interest article 5 a) of regulation 2018/1725	3 years
Processors	EC external service providers (contractors or subcontractors) under direct or framework service procurement contracts (Belgium) Secured IT data base (Joint Sickness Insurance Scheme) (Belgium) SharePoint
Restrictions of data subject rights	no specific restrictions in place at eu-rail the medical files are kept at the commission's medical services. commission decision (eu) 2019/154 of 30 january 2019 laying down internal rules concerning the restriction of the right of access of data subjects to their medical files.
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Obligation of confidentiality of the staff, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	EU-RAIL Staff members: Administrative staff responsible for processing the files, European Commission and its services: DG HR and Security, European Commission and its services: PMO, External contractors under framework contract with the European Commission :
Joint controllers	DG Human Resources and Security, PMO
privacy policy url
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Personal files of staff

Reference number	PO-1-04
Data subject category	JU Staff: temporary, JU Staff: contractual
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected for employment contracts and setting up rights of the staff.
Description	Collection of staff documentation for recruitment, determination of rights, career development, appraisal.
Processed data	Education	Public interest article 5 a) of regulation 2018/1725	10 years after the extinction of all rights of the staff member and any dependents
	Financial information	Public interest article 5 a) of regulation 2018/1725	10 years after the extinction of all rights of the staff member and any dependents
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725	10 years after the extinction of all rights of the staff member and any dependents
	Personal details	Public interest article 5 a) of regulation 2018/1725	10 years after the extinction of all rights of the staff member and any dependents
	Profession	Public interest article 5 a) of regulation 2018/1725	10 years after the extinction of all rights of the staff member and any dependents
Processors	Exchange Online Secured IT data base (Joint Sickness Insurance Scheme) (Belgium) SharePoint
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Data kept according to the security measures adopted by the European Commission, Health data processed with the principles of medical confidentiality by HR officer, Obligation of confidentiality of the staff, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	European Commission and its services: Internal Audit Service, Medical Service and the PMO, EU-RAIL Staff members: Finance team (for reimbursement purposes), Line manager, Human Resources Officer
Joint controllers	DG Human Resources and Security
privacy policy url	N/A
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Policy on sensitive functions

Reference number	PO-4-06
Data subject category	EU-Rail staff
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected to ensure the functioning of an effective and efficient internal control system, in particular on functions that are genuinely sensitive, i.e. where the risk of fraud or irregularities in the use of funds and sensitive information is significant.
Description	Collecting personal data for the management of sensitive posts: risks associated with tasks in the areas of management, individual decisions and finance.
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725	2 years
	Profession	Public interest article 5 a) of regulation 2018/1725	2 years
Processors	SharePoint
Restrictions of data subject rights	n/a
Security measures	Annual assessment of risk factors through the risk assessment exercise, Appropriate training, Audit by the Internal Audit Service and European Court of Auditors, Decision making process based on a control chain , Periodic management review and assessment made by the Executive Director, Segregation of duties, Signature of absence of conflict of interest
Recipients	European Commission and its services: DG Human Resources in exceptional cases for guidance and advice, EU-RAIL Staff members: Human resources officer, EU-RAIL Staff members: Legal officer, EU-RAIL Staff members: Management
Joint controllers	n/a
privacy policy url
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Prevention and management of conflicts of interests applicable to the bodies of Europe’s Rail Joint Undertaking

Reference number	PO-6-04
Data subject category	Relatives of the data subject, Members of the Governing Board, Members of Scientific Committee, Members of States Representatives Group, Members of the Innovation Programmes' Steering Committees, Members of working groups, Other participant, observer or expert invited to the meetings of the bodies of EU-Rail
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is processed for the sole purpose of applying the rules for the prevention and management of conflicts of interest applicable to the members of the bodies of EU-Rail listed under Article 5(1) of the Statutes in order to ensure the handling of situations where potential conflicts of interest may arise in a transparent and consistent manner.
Description	Collecting and screening declarations of confidentiality and non-conflict of interests signed by all members of the EU-Rail bodies before appointment, after appointment (in a yearly basis) and spontaneously at any time in the course of their duties (ad-hoc Declaration). The name of the Members of Governing Board, Scientific Committee, States Representatives Group together with the name of their employer or any organization which pays them shall be published on the EU-Rail’s website. The CVs and declarations of interest by the Members of the Governing Board shall be available for public scrutiny in the EU-Rail web site with due respect to the applicable EU rules on protection of personal data and access to documents (article 9 of Decision n° 07/2018)
Processed data	Education	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years
	Financial information	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years
	Memberships	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years
	Personal details	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years
	Philosophical or religious convictions	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Political preferences	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Profession	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years
	Trade union membership	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
Processors	Exchange Online SharePoint
Restrictions of data subject rights
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Data kept according to the security measures adopted by the European Commission, Secure transfer of data, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	EU-RAIL Executive Director: , EU-RAIL Staff members: Administrative staff, legal department. , Individuals/organisations in direct relationship with controller: Chairperson and Vice chair person of the relevant body or group, The general public: The name of the Members of Governing Board, Scientific Committee, States Representatives Group together with the name of their employer or any organization which pays them shall be published on the EU-Rail's website. The CVs and declarations of interest by the Members of the Governing Board shall be available for public scrutiny in the EU-Rail web site with due respect to the applicable EU rules on protection of personal data and access to documents (article 9 of Decision n° 07/2018), Data subject themselves:
Joint controllers	n/a
privacy policy url	On-going
Last updated	18.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Prevention and management of conflicts of interests of the staff members of the Europe’s Rail Joint Undertaking

Reference number	PO-1-10
Data subject category	Relatives of the data subject, EU-Rail statutory staff (temporary agents and contract agents (CA) as well as seconded national experts as they are assimilated to statutory staff)
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is processed for the sole purpose of applying the rules for the prevention and management of conflicts of interest of EU-Rail staff members in order to ensure the handling in a transparent and consistent manner of situations where conflicts of interest may arise.
Description	Collecting and screening declarations of confidentiality and non-conflict of interests signed by all EU-Rail staff members when they take up duties.
Processed data	Characteristics of domicile	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Education	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Family composition	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Financial information	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Memberships	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Personal details	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Philosophical or religious convictions	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Political preferences	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Profession	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Trade union membership	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
Processors	Exchange Online SharePoint
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Data kept according to the security measures adopted by the European Commission, Secure transfer of data, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	EU-RAIL Executive Director: , EU-RAIL Staff members: Staff member concerned, Line manager, Legal officer, Human resources officer, The general public: The declarations of interest submitted by the EU-Rail Executive Director shall be available for public scrutiny with due respect to the applicable EU rules on protection of personal data and access to documents. Where deemed relevant, the concerned person's CV (or a summary of his/her professional experience) could also be made available. , EU-RAIL Governing Board:
Joint controllers	n/a
privacy policy url
Last updated	18.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Procedure for submitting requests under Article 90(1) of the Staff Regulations, for lodging complaints under Article 90(2) of the Staff Regulations against decisions of the Executive Director or against decisions taken at a level below that of the Executive Director

Reference number	PO-1-12
Data subject category	JU Staff: temporary, JU Staff: contractual, EU-Rail statutory staff (temporary agents and contract agents (CA) as well as seconded national experts as they are assimilated to statutory staff), EU-Rail staff
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is being processed in the context of Articles 90(1) and 90(2) of the Staff Regulations within Europe’s Rail. These provisions regulate the rights of persons to whom the Staff Regulations apply, particularly concerning the handling of requests, appeals and complaints. In this context, personal data will be processed where a person to whom the Staff Regulations apply, request that the appointing authority (in this case the Executive Director to whom appointing authority powers have been delegated by the Governing Board) take a decision relating to him (in accordance with Article 90 (1) of the Staff Regulations). Personal data will also be processed regarding complaints that have been lodged by the people to who the Staff Regulations apply against an act affecting them adversely, either where the decision was taken at a level below that of the Executive Director or where no measure prescribed by the Staff Regulations was adopted (in accordance with Article 90 (2) of the Staff Regulations). Personal data will also be processed when the Appeals Committee handles complaints that have been lodged by the people to who the Staff Regulations apply against an act affecting them adversely, either where the Executive Director has taken a decision or where the Executive Director has failed to adopt a measure prescribed by the Staff Regulations (in accordance with Article 90 (2) of the Staff Regulations).
Description	In accordance with Article 17(4) of Regulation (EU) No 2021/2085 and Governing Board Decision n° 11/2015, the appointing authority powers has been delegated to the EU-RAIL Executive Director. In accordance with Article 90 (1) and Article 90(2) Staff Regulations (SR), any person to whom the SR apply may submit to the Appointing Authority a request or a complaint when an act adversely affecting them, either where the said authority has taken a decision or where it has failed to adopt a measure prescribed by the SR (an implied decision rejecting the measure). In accordance with article 2(4) of Governing Board Decision n° 11/2015, the governing board shall exercise the appointing authority powers concerning Article 90(2) of the Staff Regulations when the contested decision was taken at the level of the Executive Director. For reasons of expediency and flexibility, it is appropriate to establish an “Appeals Committee” to exercise the relevant “appointing authority powers” on behalf the Governing Board to deal with complaints submitted under Article 90(2) of the Staff Regulations against decisions taken at the level of the Director of EU-RAIL.
Processed data	Education	Public interest article 5 a) of regulation 2018/1725, article 90 (1) and 90(2) eu staff regulations (sr)	10 years
	Family composition	Public interest - art. 50.1 d) article 5 a) of regulation (eu) 2018/1725	10 years
	Health data	Public interest article 5 a) of regulation 2018/1725, article 90 (1) and 90(2) eu staff regulations (sr), article 10.2.g) regulation (eu) 2018/1725-special categories of personal data (reasons of substantial public interest)	10 years
	Personal characteristics	Public interest - art. 50.1 d) article 5 a) of regulation (eu) 2018/1725, article 90 (1) and 90(2) eu staff regulations (sr)	10 years
	Personal details	Public interest - art. 50.1 d) article 5 a) of regulation (eu) 2018/1725	10 years
	Philosophical or religious convictions	Public interest article 5 a) of regulation 2018/1725, article 90 (1) and 90(2) eu staff regulations (sr), article 10.2.g) regulation (eu) 2018/1725-special categories of personal data (reasons of substantial public interest)	10 years
	Political preferences	Public interest article 5 a) of regulation 2018/1725, article 90 (1) and 90(2) eu staff regulations (sr), article 10.2.g) regulation (eu) 2018/1725-special categories of personal data (reasons of substantial public interest)	10 years
	Profession	Public interest - art. 50.1 d) article 5 a) of regulation (eu) 2018/1725, article 90 (1) and 90(2) eu staff regulations (sr)	10 years
	Racial or ethnic information	Public interest article 5 a) of regulation 2018/1725, article 90 (1) and 90(2) eu staff regulations (sr), article 10.2.g) regulation (eu) 2018/1725-special categories of personal data (reasons of substantial public interest)	10 years
	Results of the selection process	Public interest article 5 a) of regulation 2018/1725, article 90 (1) and 90(2) eu staff regulations (sr)	10 years
	Trade union membership	Public interest article 5 a) of regulation 2018/1725, article 90 (1) and 90(2) eu staff regulations (sr), article 10.2.g) regulation (eu) 2018/1725-special categories of personal data (reasons of substantial public interest)	10 years
Processors	n/a
Restrictions of data subject rights
Security measures	n/a
Recipients	EU-RAIL Executive Director: , European Commission and its services: , EU-RAIL Governing Board: , Data subject themselves: , Legal and Data Protection Officer: , External lawyer(s) under a framework or direct contract for services:
Joint controllers	European Commission
privacy policy url
Last updated	17.10.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Salary

Reference number	PO-1-06
Data subject category	JU Staff: temporary, JU Staff: contractual, Relatives of the data subject
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected in order to determine the staff member’s entitlements. Documents are collected by the HR Officer and sent to the relevant Commission service (PMO) which will process the data in order to determine the financial rights of the staff member.
Description	Producing salary slips, determining allowances, establishment of financial rights, paying the salaries and allowances to EU-Rail staff.
Processed data	Education	Public interest article 5 a) of regulation 2018/1725	10 years after the extinction of all rights of the staff member and any dependents
	Family composition	Public interest article 5 a) of regulation 2018/1725	8 years after the extinction of all rights of the person concerned and of any dependents
	Financial information	Public interest article 5 a) of regulation 2018/1725	8 years after the extinction of all rights of the person concerned and of any dependents
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725	8 years after the extinction of all rights of the person concerned and of any dependents
	Personal details	Public interest article 5 a) of regulation 2018/1725	8 years after the extinction of all rights of the person concerned and of any dependents
	Profession	Public interest article 5 a) of regulation 2018/1725	8 years after the extinction of all rights of the person concerned and of any dependents
Processors	Exchange Online SharePoint
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Data kept according to the security measures adopted by the European Commission, Health data processed with the principles of medical confidentiality by HR officer, Obligation of confidentiality of the staff, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	European Commission and its services: PMO, EU-RAIL Staff members: Financial team, Human resources officer, EU-RAIL Executive Director: , European Commission and its services: Medical service (if sick leave involved)
Joint controllers	PMO
privacy policy url
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Selection and management of external experts (Non-selected experts)

Reference number	PO-2-02-b)
Data subject category	Experts (in case of legal entities, their representatives)
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected for the selection and the management (including reimbursements of expenses and payment where appropriate) of independent experts appointed by EU-Rail to advise on or assist with: the evaluation of proposals, the monitoring of the implementation of actions carried out under Horizon 2020 as well as of previous Research and/or Innovation Programmes, advice or assistance with other tasks related to EU-Rail activities.
Description	Collection and processing of data provided by individuals for the establishment of a database of prospective independent experts to assist with tasks managed by EU-Rail. The processing operations performed by the Controller include collection, storage and evaluation of personal data of the experts.
Processed data	Education	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years after closure of procedure
	Financial information	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years after closure of procedure
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years after closure of procedure
	Personal details	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years after closure of procedure
	Profession	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years after closure of procedure
Processors	EC external service providers (contractors or subcontractors) under direct or framework service procurement contracts (Belgium) Exchange Online SharePoint
Restrictions of data subject rights	n/a
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Automated system (Grants management), Data kept according to the security measures adopted by the European Commission, Obligation of confidentiality of the staff, Staff dealing with this processing operation is designated on a need-to-know basis, Standard clause for the processing of personal data included in the contract
Recipients	EU-RAIL Staff members: IP Coordinators, EU-RAIL Staff members: Staff participating in the selection of external experts, External evaluators or experts assisting the JU: , EU-RAIL Executive Director: , European Commission and its services:
Joint controllers	Research Executive Agency
privacy policy url	https://rail-research.europa.eu/wp-content/uploads/2020/02/PO-2-02-b-Selection-and-management-of-external-experts-Non-selected-experts.pdf
Last updated	14.06.2024
internal reference	Ares(2018)6031672
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Selection and management of external experts (selected experts)

Reference number	PO-2-02-a)
Data subject category	Experts (in case of legal entities, their representatives)
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected for the selection and the management (including reimbursements of expenses and payment where appropriate) of independent experts appointed by EU-Rail to advise on or assist with: the evaluation of proposals, the monitoring of the implementation of actions carried out under Horizon 2020 as well as of previous Research and/or Innovation Programmes, advice or assistance with other tasks related to EU-Rail activities.
Description	Collection and processing of data provided by individuals for the establishment of a database of prospective independent experts to assist with tasks managed by EU-Rail. The processing operations performed by the Controller include collection, storage and evaluation of personal data of the experts.
Processed data	Financial information	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Personal details	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
	Profession	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	10 years after end of contract
Processors	EC external service providers (contractors or subcontractors) under direct or framework service procurement contracts (Belgium) Exchange Online SharePoint
Restrictions of data subject rights	n/a
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Automated system (Grants management), Data kept according to the security measures adopted by the European Commission, Obligation of confidentiality of the staff, Staff dealing with this processing operation is designated on a need-to-know basis, Standard clause for the processing of personal data included in the contract
Recipients	External evaluators or experts assisting the JU: , EU-RAIL Staff members: Staff participating in the selection of external experts, EU-RAIL Staff members: IP Coordinators, EU-RAIL Executive Director: , European Commission and its services: Research Executive Agency via the H2020 Participant Portal
Joint controllers	Research Executive Agency
privacy policy url	https://rail-research.europa.eu/wp-content/uploads/2020/02/PO-2-02-a-Selection-and-management-of-external-experts-selected-experts.pdf
Last updated	14.06.2024
internal reference	Ares(2018)6031672
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Selection and recruitment of interims

Reference number	PO-1-01-c)
Data subject category	Interim staff selected via an external contractor on behalf of the European Commission
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Data are processed for the purpose of organising the selection and recruitment procedures for interims at EU-Rail.
Description	Collecting applications of candidates, screening tables, pre-selection reports, selection reports, written tests, interview questions, offers for posts, short lists, reserve lists, reserve list letters, negative letters etc.
Processed data	Education	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	6 months
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	6 months
	Personal details	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	6 months
	Profession	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	6 months
Processors	Exchange Online Randstad Belgium SA systems (Belgium) SharePoint Teams
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Data kept according to the security measures adopted by the European Commission, Obligation of confidentiality of the staff, Once the procedure is closed, electronically stored data erased, Signature of absence of conflict of interest , Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	External evaluators or experts assisting the JU: Appointed members of the selection committee, EU-RAIL Executive Director: , EU-RAIL Staff members: Appointed members of the selection committee, Human Resources Officer, Data Protection Officer (only for the purposes of replying to access requests or other consultations on data protection aspects from the HR Officer), External contractors under framework contract with the European Commission : Randstad , European Commission and its services: DG Human Resources and Security
Joint controllers	DG EAC, DG Human Resources and Security, PMO
privacy policy url	https://rail-research.europa.eu/wp-content/uploads/2020/02/PO-1-01-c-Selection-and-recruitment-of-interims.pdf
Last updated	14.06.2024
internal reference	Ares(2019)503847
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Selection and recruitment of temporary agents (TA), contract agents (CA), seconded national experts (SNE) (non-recruited candidates)

Reference number	PO-1-01-b)
Data subject category	Candidates applying for open EU-Rail vacancies (TA, CA, and SNE), Trainees recruited by the European Commission ('EU BlueBlook trainees')
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Data are processed for the purpose of organising the selection and recruitment procedures for TA, CA, SNE and Blue Book Trainees at EU-Rail.
Description	This processing operation consists of collecting applications of candidates, screening tables, pre-selection reports, selection reports, written tests, interview questions, offers for posts, short lists, reserve lists, reserve list letters, negative letters etc. Special retention time applies to non-recruited candidates. Regarding the BlueBook trainees, EU-Rail is not in charge of the recruitment process which is being dealt with by the relevant department at the European Commission (DG EAC). Applications are only accessible via the online database which is open for consultation only during specific periods. Therefore, EU-Rail does not store any data related to the recruitment of BlueBook Trainees.
Processed data	Education	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	2 years following the recruitment procedure is terminated
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	2 years following the recruitment procedure is terminated
	Personal details	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	2 years following the recruitment procedure is terminated
	Profession	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	2 years following the recruitment procedure is terminated
Processors	Exchange Online SharePoint Teams
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Data kept according to the security measures adopted by the European Commission, Obligation of confidentiality of the staff, Once the procedure is closed, electronically stored data erased, Signature of absence of conflict of interest , Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	External evaluators or experts assisting the JU: Appointed members of the selection committee, EU-RAIL Executive Director: , EU-RAIL Staff members: Appointed members of the selection committee, Human Resources Officer, Data Protection Officer (only for the purposes of replying to access requests or other consultations on data protection aspects from the HR Officer), European Commission and its services: PMO, DG Human Resources and Security
Joint controllers	DG EAC, DG Human Resources and Security, PMO
privacy policy url	https://shift2rail.org/about-shift2rail/reference-documents/functioning-of-the-ju/
Last updated	14.06.2024
internal reference	Ares(2019)503847
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Selection and recruitment of temporary agents (TA), contract agents (CA), seconded national experts (SNE) (recruited candidates)

Reference number	PO-1-01-a)
Data subject category	Candidates applying for open EU-Rail vacancies (TA, CA, and SNE), Trainees recruited by the European Commission ('EU BlueBlook trainees')
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Data are processed for the purpose of organising the selection and recruitment procedures for TA, CA, SNE and Blue Book Trainees at EU-Rail.
Description	This processing operation consists of collecting applications of candidates, screening tables, pre-selection reports, selection reports, written tests, interview questions, offers for posts, short lists, reserve lists, reserve list letters, negative letters etc. Regarding the BlueBook trainees, EU-Rail is not in charge of the recruitment process which is being dealt with by the relevant department at the European Commission (DG EAC). Applications are only accessible via the online database which is open for consultation only during specific periods. Therefore, EU-Rail does not store any data related to the recruitment of BlueBook Trainees.
Processed data	Education	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	10 years after end of contract
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	10 years after end of contract
	Personal details	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	10 years after end of contract
	Profession	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	10 years after end of contract
Processors	Exchange Online Secured IT data base (Joint Sickness Insurance Scheme) (Belgium) SharePoint Teams
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Data kept according to the security measures adopted by the European Commission, Obligation of confidentiality of the staff, Once the procedure is closed, electronically stored data erased, Signature of absence of conflict of interest , Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	External evaluators or experts assisting the JU: Appointed members of the selection committee, EU-RAIL Staff members: Executive Director, Appointed members of the selection committee, Human Resources Officer, Data Protection Officer (only for the purposes of replying to access requests or other consultations on data protection aspects from the HR Officer), European Commission and its services: PMO, DG Human Resources and Security
Joint controllers	DG EAC, DG Human Resources and Security, PMO
privacy policy url	https://rail-research.europa.eu/about-shift2rail/reference-documents/functioning-of-the-ju/
Last updated	14.06.2024
internal reference	Ares(2019)503847
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Selection and recruitment of temporary agents (TA), contract agents (CA), seconded national experts (SNE) (spontaneous applications)

Reference number	PO-1-01-d)
Data subject category	Trainees recruited by the European Commission ('EU BlueBlook trainees'), Spontaneous applicants
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Data are processed for the purpose of organizing the selection and recruitment procedures for TA, CA, SNE, interims staff and “EU Blue Book Trainees” at EU-Rail.
Description	Collecting spontaneous applications of candidates. EU-Rail does not consider spontaneous applications. Personal data (such as CV) is not stored and is deleted after 7 days. Regarding the BlueBook trainees, EU-Rail is not in charge of the recruitment process which is being dealt with by the relevant department at the European Commission (DG EAC). Applications are only accessible via the online database which is open for consultation only during specific periods. Therefore, EU-Rail does not store any data related to the recruitment of BlueBook Trainees.
Processed data	Education	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	7 calendar days
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	7 calendar days
	Personal details	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	7 calendar days
	Profession	Public interest article 5 a) of regulation 2018/1725, contractual obligation article 5 c) of regulation 2018/1725	7 calendar days
Processors	n/a
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Data kept according to the security measures adopted by the European Commission, Obligation of confidentiality of the staff, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	EU-RAIL Staff members: Human Resources Officer
Joint controllers	n/a
privacy policy url	https://shift2rail.org/wp-content/uploads/2020/02/PO-1-01-d-Spontaenous-applicants.pdf
Last updated	14.06.2024
internal reference	Ares(2019)503847
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Sick leaves

Reference number	PO-1-05-b)
Data subject category	JU Staff: temporary, JU Staff: contractual, External staff: trainees and interim staff
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is managed and collected for the purpose of assessing the entitlement to sick leave, annual leave and special leave and working conditions for temporary agents and contract agents.
Description	Assessing the entitlement to sick leaves and working conditions for temporary agents and contract agents.
Processed data	Health data	Public interest article 5 a) of regulation 2018/1725, legal obligation article 5 b) of regulation 2018/1725	5 years
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725	5 years
	Personal details	Public interest article 5 a) of regulation 2018/1725	5 years
	Profession	Public interest article 5 a) of regulation 2018/1725	5 years
Processors	Exchange Online IT Tool SYSPER (Belgium) SharePoint
Restrictions of data subject rights	n/a
Security measures	A paper copy is made and saved in a paper file. The paper file is archived in a locked cupboard., Health data processed with the principles of medical confidentiality by HR officer, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	EU-RAIL Staff members: Human resources officer, Line manager, Executive Director, European Commission and its services: PMO, Medical service, DG DIGIT, Other: Other Institutions in case of transfer (they receive a chart with the liquidation account of sick leave)
Joint controllers	DG DIGIT, DG Human Resources and Security, PMO
privacy policy url
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Staff evaluation

Reference number	PO-1-03
Data subject category	JU Staff: temporary, JU Staff: contractual
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected to assess the performance with regard to the job specifications and defined objectives, and the potential and development or reclassification needs.
Description	Staff appraisal, probationary reports, reclassification of contract and temporary agents, renewal of contracts.
Processed data	Education	Public interest article 5 a) of regulation 2018/1725	10 years after the extinction of all rights of the staff member and any dependents
	Personal characteristics	Public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Personal details	Public interest article 5 a) of regulation 2018/1725	10 years after end of contract
	Profession	Public interest article 5 a) of regulation 2018/1725	10 years after end of contract
Processors	Exchange Online Secured IT data base (Joint Sickness Insurance Scheme) (Belgium) SharePoint
Restrictions of data subject rights	n/a
Security measures	Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Obligation of confidentiality of the staff, Paper files are stored in a locked cupboard in the HR sector’s secured office until their destruction., Secure transfer of data, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	EU-RAIL Staff members: Line Managers, HR Officer, and in case of reclassification, the staff and Joint reclassification committees.
Joint controllers	n/a
privacy policy url
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Teleworking

Reference number	PO-1-07
Data subject category	JU Staff: temporary, JU Staff: contractual
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	The purpose of this processing operation is to manage in a legal, standardized and centralized framework all temporal aspects of a jobholder's framework with respect to the management and monitoring of the implementation of teleworking. In particular, the treatment consists in identifying the persons authorized to telework according to various criteria such as the possibilities of telework, the interest of the service or the motivation of the person. The persons concerned have the possibility of making a request for telecommuting either casual or structural via Sysper.
Description	Management of the teleworking requests and agreements; planning regarding the ordering of ICT tools and devices for the performance of telework. Staff members are granted access to an electronic tool in which they can launch a request for teleworking.
Processed data	Family composition	Public interest article 5 a) of regulation 2018/1725	10 years after the extinction of all rights of the staff member and any dependents
	Habits	Public interest article 5 a) of regulation 2018/1725	10 years after the extinction of all rights of the staff member and any dependents
	Health data	Public interest article 5 a) of regulation 2018/1725	10 years after the extinction of all rights of the staff member and any dependents
	Personal details	Public interest article 5 a) of regulation 2018/1725	3 years
	Profession	Public interest article 5 a) of regulation 2018/1725	3 years
Processors	Exchange Online IT Tool SYSPER (Belgium) SharePoint
Restrictions of data subject rights	n/a
Security measures	Data kept according to the security measures adopted by the European Commission, Health data processed with the principles of medical confidentiality by HR officer, Secure transfer of data, Staff dealing with this processing operation is designated on a need-to-know basis
Recipients	Data subject themselves: Right to access and rectify their own data in SYSPER., EU-RAIL Staff members: Executive Director, Line Managers.
Joint controllers	DG DIGIT, DG Human Resources and Security
privacy policy url
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: User Network and Systems Access

Reference number	PO-5-01
Data subject category	Trainees recruited by the European Commission ('EU BlueBlook trainees'), External staff: trainees and interim staff, EU-Rail staff, Interim staff selected via an external contractor on behalf of the European Commission, Any other person whose personal data have been collected and are processed by information systems that use the JU ICT infrastructure
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected to provide EU-Rail employees with necessary access to ICT systems and services in order for them to carry out their statutory duties. This includes access provisioning to EC systems like ECAS/EU Login or ABAC.
Description	Provisioning of necessary access to EU-Rail employees to designated business ICT systems of the organization based on incoming requests from HR department or management requests/access authorizations
Processed data	Personal characteristics	Public interest article 5 a) of regulation 2018/1725	1 month after user's departure
	Personal details	Public interest article 5 a) of regulation 2018/1725	1 month after user's departure
	Profession	Public interest article 5 a) of regulation 2018/1725	1 month after user's departure
Processors	Real Dolmen (Belgium) SharePoint
Restrictions of data subject rights	n/a
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature of the personal data concerned, Confidentiality of communications and privacy, Windows 10 access: Password renewed every six month
Recipients	European Commission and its services: DIGIT, EU-RAIL Staff members: Network and security managers, IT system and database administrators, External contractors under framework contract with the European Commission : Real Dolmen
Joint controllers	DG DIGIT
privacy policy url
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Video Surveillance system

Reference number	PO-5-02
Data subject category	EU-Rail staff, Visitors and other persons entering into the JU premises outside regular working hours
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	EU-Rail uses its video-surveillance system for the sole purposes of protecting its premises and assets for safety, security and access control purposes only. The video-surveillance system helps monitor access to our offices, as well as safeguards property and information located or stored on the premises.
Description	Recording, storing and giving acces to record tapes by means of a closed circuit television (CCTV) system which are installed in EU-Rail public areas located in the second floor of the White Atrium building (Avenue de la Toison d’Or 56-60, B-1060 Brussels/Belgium).
Processed data	Video tapes and photographs	Public interest article 5 a) of regulation 2018/1725	14 days
Processors	n/a
Restrictions of data subject rights	the rights that could be restricted on the ground of internal security of eu-rail would mainly be the right to information. only in exceptional circumstances the images may be transferred to investigatory bodies in the framework of administrative inquiries, disciplinary proceedings or olaf investigation as far as there is a connection with the prevention, investigation or criminal offences. grounds for the restriction: 1. article 25(b) regulation 2018/1725: "prevention, investigation, detection and prosecution of criminal offences". 2. article 25(d) regulation 2018/1725: " internal security of union institutions and bodies"
Security measures	Access control and technical measures such as physical locks and/or secure connections and firewalls, Computer systems hardened, Obligation of confidentiality of the staff, Physical security of the premises, System operates on a separate, disconnected private network with no external remote access
Recipients	Intra and extra-muros external service providers (EU-RAIL contractors): Upon request: External service provider (EU-Rail contractor) in charge of the maintenance, EU-RAIL Staff members: ICT and Security Officer
Joint controllers	n/a
privacy policy url	https://rail-research.europa.eu/wp-content/uploads/2020/05/PO-5-02-Video-surveillance-system.pdf
Last updated	18.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Web Conference Service (Webex)

Reference number	TO BE FILLED IN BY DPO
Data subject category	EU-Rail staff, Members of the Governing Board, Other participant, observer or expert invited to the meetings of the bodies of EU-Rail
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Organization of videoconferencing meetings
Description	Within the Europe’s Rail Joint Undertaking, the web conferencing system is used for the organization of videoconferencing meetings with external participants. The tool is called WebEx. It can be defined as an all-in-one conferencing tool that integrates audio, video and content sharing. It allows easy access from a computer or mobile device that has Internet access and a browser. All videoconferencing participants meet in a virtual room securely accessible to guests. A staff member who would like to organize conferences must first have a personal account on the system which allows the activity requested to be linked to a responsible person. The organizer of the videoconference (exclusively EU-Rail staff) will have to create a virtual room and invite external participants according to his needs. These invitations will be targeted based on the participant's email address and will allow access to the session. The recording of a conference is only possible by its organizer. The purpose of data processing could be classified into several different sections: Identification of the participants and the organizer in order to allow the actual operation of the conference Identification of potential technical improvements and failures in the service Production of statistics for invoicing the services provided by the contractor Collection of representative data and conference statistics (excluding their content) in order to improve the user experience and service performance by performing analyzes of the aggregation of this information Address support requests for the service Service support performance analysis
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725	3 years from when the Service is terminated, in a pseudonymised format; Host Registration & Invoicing information : 7 years
Processors	EC external service providers (contractors or subcontractors) under direct or framework service procurement contracts (Belgium)
Restrictions of data subject rights	n/a
Security measures	Data kept according to the security measures adopted by the European Commission, Premises abide by the European Commission's security decisions and provisions, Secure transfer of data, Standard clause for the processing of personal data included in the contract
Recipients	Third countries:
Joint controllers	n/a
privacy policy url	https://rail-research.europa.eu/terms-of-use/
Last updated	14.06.2024
internal reference	TO BE FILLED IN BY DPO
Exercising your rights	https://rail-research.europa.eu/terms-of-use/

Activity: Whistleblowing procedures

Reference number	PO-4-04
Data subject category	EU-Rail staff
Controller	Europe’s Rail Joint Undertaking (Saint-Gilles)
Data protection officer	Data-Protection@rail-research.europa.eu
Purpose	Personal data is collected to ensure the protection and adequate remedies for whistleblowers, the management and follow up reports and to establish reporting channels for whistleblowers.
Description	Collecting data for the purposes of establishing reporting channels for whistleblowers, managing and following-up reports, and ensuring protection and adequate remedies for whistleblowers.
Processed data	Personal details	Public interest article 5 a) of regulation 2018/1725	2 months after the final decision has been issued to all the parties involved
	Profession	Public interest article 5 a) of regulation 2018/1725	2 months after the final decision has been issued to all the parties involved
Processors	Exchange Online
Restrictions of data subject rights	there might be restrictions on a case-by-case basis of the rights to: information, access, rectification, blocking, erasure, notification to third parties. ground for restriction: investigation to protect witnesses or whistle-blowers in cases where personal data relate to the suspect as well (allegations made about the suspect by informants or witnesses). legal basis for restrictions: article 25(1) regulation 2018/1725 (protection of the data subject or the rights and freedoms of others)
Security measures	Data kept according to the security measures adopted by the European Commission
Recipients	European Commission and its services: European Anti Fraud Office (where needed), European Commission and its services: EDPS (where necessary), Police or legal organisations: European Court of Auditors (where necessary), Police or legal organisations: Court of Justice (where necessary), European Commission and its services: Internal Audit Service (where necessary), Intra and extra-muros external service providers (EU-RAIL contractors): Ethics experts or law firms, EU-RAIL Staff members: Human resources officer, Executive Director, Data subject themselves: The whistleblower, Personal relations data subject: Any person who may be concerned
Joint controllers	n/a
privacy policy url	https://rail-research.europa.eu/wp-content/uploads/2018/12/Decision-GB-20_2018_Whistleblowing.pdf
Last updated	14.06.2024
internal reference
Exercising your rights	https://rail-research.europa.eu/terms-of-use/