The technical specifications referred to in Article 11(5) of Regulation (EU) 2019/788 shall be as set out in the Annex to this Regulation.
Commission Implementing Regulation (EU) 2019/1799 of 22 October 2019 laying down technical specifications for individual online collection systems pursuant to Regulation (EU) 2019/788 of the European Parliament and of the Council on the European citizens’ initiative
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2019/788 of the European Parliament and of the Council of 17 April 2019 on the European citizens’ initiative(1), and in particular Article 11(5) thereof,
Whereas:
Regulation (EU) 2019/788 lays down revised rules on the European citizens’ initiative and repeals Regulation (EU) No 211/2011 of the European Parliament and of the Council(2).
Regulation (EU) 2019/788 provides that for the online collection of statements of support for registered citizens’ initiatives, organisers have to make use of the central online collection system that is set up and operated by the Commission. However, to facilitate the transition, for initiatives registered under Regulation (EU) 2019/788 before the end of 2022, organisers may choose to use their own individual online collection system.
Under Regulation (EU) 2019/788 an individual system that is used for the online collection of statements of support should have adequate technical and security features in place to ensure that the data are securely collected, stored and transferred throughout the collection procedure. The Commission should define, together with the Member States, the technical specifications to implement the requirements for individual online collection systems.
The rules laid down in this Regulation replace those set out in Commission Implementing Regulation (EU) No 1179/2011(3), which will therefore become obsolete.
The technical and organisational measures to be implemented should aim to prevent, both at the time of the design of the system and throughout the collection period, any unauthorised processing of personal data and protect them against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access.
To that end, organisers should apply adequate risk management processes to identify the risks to their systems and to determine the appropriate and proportional countermeasures to reduce those risks to acceptable levels. Organisers should properly document the identified security and data protection risks and the measures taken to counter those risks, having regard to the security rules and requirements applied by the certifying authority. The security rules and requirements should be in line with Regulation (EU) 2019/788 and should be made available by the certifying authority upon request.
Implementation of the technical specifications set out in this Regulation should be without prejudice to the obligation for the organisers to comply with the data protection requirements that follow from Regulation (EU) 2016/679 of the European Parliament and of the Council(4), including the possible need for a data protection impact assessment.
The representative of a group of organisers or, as the case may be, a legal entity referred to in Article 5(7) of that Regulation are considered as data controllers under Regulation (EU) 2016/679 in relation to the processing of personal data in an individual online collection system.
Organisers that introduce changes in their individual online collection system after the system has been certified should notify without undue delay the relevant certifying authority thereof if the change could affect the assessment underlying the certification. Before doing so, the organisers may seek the advice of the certifying authority to verify if the change may have such impact and thus should be notified.
The European Data Protection Supervisor was consulted in accordance with Article 42 of Regulation (EU) 2018/1725 of the European Parliament and of the Council(5), and delivered comments on 16 September 2019. The European Network Information Security Agency was consulted and provided comments on 18 July 2019.
The measures provided for in this Regulation are in accordance with the opinion of the Committee established under Article 22 of Regulation (EU) 2019/788,
HAS ADOPTED THIS REGULATION:
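Article 1
The technical specifications referred to in Article 11(5) of Regulation (EU) 2019/788 shall be as set out in the Annex to this Regulation.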
Article 2
Organisers shall ensure that their individual online collection system complies with the technical specifications set out in the Annex throughout the collection period.
The organisers shall notify without undue delay to the competent authority of the Member State referred to in Article 11(3) of Regulation (EU) 2019/788, changes which are introduced in the system or in the supporting organisational measures after the system has been certified by that authority, when those changes may impact the assessment underlying the certification. Before doing so, the organisers may seek the advice of the competent authority as to whether the change may have such an impact.
Article 3
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
It shall apply from 1 January 2020.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 22 October 2019.
For the Commission
The President
Jean-Claude Juncker