LegalizeCommission Implementing Regulation (EU) No 1179/2011 of 17 November 2011 laying down technical specifications for online collection systems pursuant to Regulation (EU) No 211/2011 of the European Parliament and of the Council on the citizens’ initiative
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) No 211/2011 of the European Parliament and of the Council of 16 February 2011 on the citizens’ initiative (1), and in particular Article 6(5) thereof,
After consulting the European Data Protection Supervisor,
Whereas:
(1) Regulation (EU) No 211/2011 provides that where statements of support are collected online, the system used for that purpose must satisfy certain security and technical requirements and must be certified by the competent authority of the relevant Member State.
(2) An online collection system within the meaning of Regulation (EU) No 211/2011 is an information system, consisting of software, hardware, hosting environment, business processes and staff in order to accomplish the online collection of statements of support.
(3) Regulation (EU) No 211/2011 sets out the requirements that online collection systems have to comply with in order to be certified and provides that the Commission should adopt technical specifications for implementing those requirements.
(4) The Open Web Application Security Project’s (OWASP) Top 10 2010 project provides an overview of the most critical web application security risks as well as tools for addressing these risks; the technical specifications therefore draw upon the findings of this project.
(5) Implementation by the organisers of the technical specifications should guarantee certification of the online collection systems by the Member States’ authorities, and contribute to ensure the implementation of the appropriate technical and organisational measures required to comply with the obligations imposed by Directive 95/46/EC of the European Parliament and of the Council (2) on the security of the processing activities, both at the time of the design of the processing system and at the time of the processing itself, in order to maintain security and thereby to prevent any unauthorised processing and protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access.
(6) The process of certification should be facilitated by the use by the organisers of the software provided by the Commission in accordance with Article 6(2) of Regulation (EU) No 211/2011.
(7) Organisers of citizens’ initiatives, as data controllers, should, when collecting statements of support online, implement the technical specifications set out in this Regulation in order to ensure the protection of personal data processed. Where the processing is carried out by a processor, the organisers should ensure that the processor acts only on instructions from the organisers and that he implements the technical specifications set out in this Regulation.
(8) This Regulation respects fundamental rights and observes the principles enshrined in the Charter of Fundamental Rights of the European Union, in particular Article 8 thereof, which states that everyone has the right to the protection of personal data concerning him or her.
(9) The measures provided for in this Regulation are in accordance with the opinion of the Committee established under Article 20 of Regulation (EU) No 211/2011,
HAS ADOPTED THIS REGULATION:
Article 1
The technical specifications referred to in Article 6(5) of Regulation (EU) No 211/2011 are set out in the Annex.
Article 2
This Regulation shall enter into force on the 20th day following its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 17 November 2011.
For the Commission The President José Manuel BARROSO