Commission Implementing Regulation (EU) 2023/2117 of 12 October 2023 laying down the necessary rules and detailed requirements for the functioning and management of a repository of information pursuant to Regulation (EU) 2018/1139 of the European Parliament and of the Council

Type Implementing Regulation
Publication 2023-10-12
State In force
Department European Commission, MOVE
Source EUR-Lex

CHAPTER I

GENERAL PROVISIONS

Article 1

Subject matter

This Regulation lays down the rules and procedures for the functioning and management of a repository of information necessary to ensure effective cooperation between the Agency and the national competent authorities concerning the exercise of their tasks relating to certification, oversight and enforcement under Regulation (EU) 2018/1139.

Article 2

Definitions

The following definitions shall also apply:

(a) ‘authorised users’ means the Commission, the Agency, national competent authorities and any competent authority of the Member State entrusted with the investigation of civil aviation accidents and incidents as laid down in Article 74(6), first sentence, of Regulation (EU) 2018/1139;

(b) ‘interface’ means the point at which independent and often unrelated systems connect and act on or communicate with each other;

(c) ‘authorised staff’ means staff of the authorised users who have received access to the repository;

(d) ‘information object category’ means the type of information falling within the scope of Article 74(1) of Regulation (EU) 2018/1139 to be exchanged and accessed by the authorised users;

(e) ‘information object’ means an individually exchanged piece of information which shall always correspond to the information object category and be compatible with its information format;

(f) ‘information format’ means a pre-defined structure of the information object category consisting of a scheme of fields corresponding to detailed types of content within each information object category and vocabularies made of limited sets of permissible values associated with each field;

(g) ‘interested party’ means public authorities of the European Union institutions, agencies and bodies and Member States’ public authorities, natural and legal persons who are subject to an information object as defined in Annex I to this Regulation and qualified entities accredited pursuant to Article 69 of Regulation (EU) 2018/1139.

CHAPTER II

ESTABLISHMENT, MANAGEMENT AND MAINTENANCE OF THE REPOSITORY

Article 3

Establishment of the repository

The Storage interface referred to in paragraph 1 shall consist of:

(a) a central database containing information referred to in Article 74(1) of Regulation (EU) 2018/1139, encompassing both the existing and new information; and

(b) a history of changes to information and its current/archived status.

The Exchange interface referred to in paragraph 1 shall consist of:

(a) a communication infrastructure that provides secure Application Programmable Interfaces (APIs) for the issue, change, query/read, and archive of information between the authorised users’ systems and the repository; and

(b) information quality verification rules that ensure the consistency, integrity and accuracy of the information stored.

The Agency shall develop the necessary documentation supporting the authorised users’ integration with the repository. That documentation shall consist of:

(a) API standards and exchange mechanisms;

(b) security, network, and application configuration information required to communicate with the repository;

(c) rules specifying the valid structure and content of information exchanged with the repository.

Article 4

Management of the repository

Article 5

Maintenance of the repository

CHAPTER III

RULES ON THE INFORMATION STORED IN THE REPOSITORY

Article 6

Formats and standards of the information

Article 7

Classification of information

The Agency, in cooperation with the Commission and the national competent authorities, shall classify the information object categories according to the following markings:

(a) privacy: non-personal data, non-sensitive or sensitive personal data;

(b) confidentiality: no impact, limited, significant, catastrophic;

(c) integrity: no impact, limited, significant, catastrophic;

(d) availability: no impact, limited, significant, catastrophic.

Article 8

Arrangements for the dissemination of information

When receiving a request, the Agency shall verify that:

(a) the request is made by an interested party; and

(b) the interested party demonstrates that the requested information is strictly necessary to the interested party’s own operations.

The Agency shall provide the requested information to the interested party only under the following conditions:

(a) the interested party does not receive access to the entire content of the repository;

(b) the information is strictly necessary for the interested party’s own operations;

(c) no personal data is disseminated unless such data concerns the interested party itself or if such dissemination is strictly necessary to perform the operations of the interested party.

The interested party shall:

(a) use the information only for the purpose specified in the request form;

(b) not disclose the information received without the authorisation of the authorised users;

(c) take the necessary measures to ensure the confidentiality of the information received.

Article 9

Logging of data-processing operations

The Agency shall ensure that all data-processing operations are logged. The logs shall provide the following information:

(a) the purpose of the request for access to the repository;

(b) the identification of the authorised user that retrieves the data;

(c) the date and exact time of the data-processing operations;

(d) the identification of the authorised staff that carry out the search.

Article 10

Access to the repository

The authorised users shall establish and maintain:

(a) a list of authorised staff;

(b) procedures regarding access to the repository; such procedures shall comply with the legal requirements applied to the access and processing of information laid down in Union and national law. They shall document the terms and conditions for authorised staff to access the repository.

Article 11

Security management of the repository

The Agency shall protect the infrastructure of the repository and its information, and shall develop:

(a) a security management plan;

(b) a business continuity plan;

(c) a disaster recovery plan.

The authorised users shall manage the security of their information before and during the transmission to the repository and shall protect their infrastructure by ensuring:

(a) the establishment of interfaces between their systems and the repository;

(b) the operation and maintenance of the interfaces;

(c) that authorised staff are properly trained in information security, applicable data protection legislation and fundamental rights before they are allowed to process information stored in the repository.

CHAPTER IV

PERSONAL DATA PROTECTION

Article 12

Processing of personal data stored in the repository

Article 13

Joint controllership of personal data processed in the repository

Article 14

Allocation of responsibilities among joint controllers

The Agency shall be responsible for:

(a) the setting up, operation and administration of the repository;

(b) the continued management of the repository, in particular the access rights and the security and confidentiality of the personal data processed in the repository in accordance with Articles 4, 5, 9 and 12;

(c) communicating any personal data breaches within the repository to the authorised users, to the European Data Protection Supervisor and, where required, to the data subjects in accordance with Article 34 of Regulation (EU) 2018/1725;

(d) defining and implementing the technical means to enable data subjects to exercise their rights in accordance with Regulation (EU) 2018/1725.

The national competent authorities and the Commission shall be responsible for:

(a) processing personal data in the repository in accordance with the Storage, Exchange and User access interfaces referred to in Article 3 and security requirements defined in paragraph 4 of Article 12;

(b) ensuring the security of any processing of personal data outside the repository when such data is processed for the purposes of or in connection to the processing through the repository;

(c) designating and communicating to the Agency the authorised staff who shall be granted access to the repository in accordance with Article 11;

(d) acting as contact point for the data subjects falling under their responsibility as sole controllers, including when they exercise their rights, using where necessary the technical means provided by the Agency in accordance with point 1(d), or through the communication channels designated in point 3;

(e) notifying the Agency of any security incident, including personal data breaches that may compromise the security, confidentiality, availability or integrity of the personal data transmitted and/or stored in the repository;

(f) notifying any data breaches relating to personal data processed in the repository to the respective competent supervisory authorities and, where so required, to data subjects, in accordance with Articles 33 and 34 of Regulation (EU) 2016/679 and Article 34 of Regulation (EU) 2018/1725 as applicable.

Each joint controller shall designate:

(a) a point of contact with a functional mailbox for the communication amongst them;

(b) a point of contact to support data subjects in the exercise of their rights according to the applicable data protection legislation.

Article 15

Restrictions

The controllers may restrict the exercise of the rights of data subjects only to the extent and for as long as strictly necessary to safeguard civil aviation safety. The exercise of data subjects’ rights may only be restricted in the following situations:

(a) ongoing investigations, inspections or monitoring activities referred to in Article 75(2), point (e), of Regulation (EU) 2018/1139 and performed by the Agency within the remit of its responsibilities, or by the competent authorities as provided for by national or Union law;

(b) ongoing proceedings before the Court of Justice of the European Union or any other competent court under national or international law.

Article 16

Storage period of personal data

The authorised users shall:

(a) store personal data within the repository for a maximum period of 10 years starting from the date of expiry of the document, or from the date it is no longer valid, including any documents necessary for the procedures referred to in Regulation (EU) 2018/1139 unless a different period is required by national law;

(b) delete personal data from the repository as soon as the storage period elapses.

The repository shall have the technical means to enable:

(a) the automated erasure of personal data upon expiry of the storage period;

(b) the automated pseudonymisation, or other technical solutions with equivalent effect, of personal data stored for archiving purposes.

Article 17

Processing for archiving and historical research purposes in the interest of safety of aviation

CHAPTER V

FINAL PROVISIONS

Article 18

Entry into force and application

The requirements concerning information objects issued after the entry into force of this Regulation shall be applicable:

(a) as of 1 January 2027 for Annex I, group A category;

(b) as of 1 January 2028 for Annex I, group B category;

(c) as of 1 January 2029 for Annex I, group C category.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

ANNEX I
