Legislative Observatory
European Parliament
Please fill in this field to find a procedure

Civil aviation safety: investigation and prevention of accidents and incidents

2009/0170(COD)

Opinion of the European Data Protection Supervisor on the proposal for a Regulation of the European Parliament and of the Council on investigation and prevention of accidents and incidents in civil aviation

The EDPS welcomes the fact that the regulation explicitly applies without prejudice to Directive 95/46/EC, and thus, to some extent, takes data protection principles into account. However, considering the context in which personal data are processed, he considers that specific provisions should be added in order to ensure a fair processing.

This is all the more necessary considering the circumstances in which these data are processed: they will mostly relate to individuals directly or indirectly affected by a serious accident and/or with the loss of relatives. This supports the need for an effective protection of their rights, and for a strict limitation of the transmission or publication of personal data.

Considering that the purpose of the proposal is to allow the investigation of accidents or incidents and that personal data are relevant only where necessary in the framework of such investigation, such data should in principle be deleted or anonymised, as soon as possible, and not only at the stage of the final report. This should be guaranteed by the insertion of a horizontal provision in the Regulation.

The EDPS stresses the need to:

  • strictly define and limit the exceptions to the purpose limitation principle: although the proposal states as a principle that personal information should only be used for investigation purposes and by the parties responsible for such investigations, the text includes some broad derogations;
  • provide for a limited period of storage of personal data: the proposal does not provide for any indication as to the duration of storage of this information. According to data protection principles, personal data must be kept ‘in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed’. Accordingly, personal data should in principle be deleted as soon as the investigation is terminated, or should be kept in an anonymous format if complete deletion is not possible. Any reasons for which identifiable data is kept longer should be indicated and justified, and should include criteria identifying those entitled to keep the data. A provision should be inserted in the proposal to that effect , which should apply in a horizontal way to any personal information exchanged through the network;
  • ensure a coordinated procedure for access, rectification and/or deletion of personal data, especially in the context of their transmission to Member States through the network: the EDPS welcomes the measures as far as confidentiality of information is concerned, and especially the obligation not to disclose information which has been considered as confidential by the Commission. Regarding personal information processed through the network, the EDPS considers that these safeguards should be complemented by an obligation to guarantee the accuracy of these data and their possible correction and deletion in a synchronised way by all members of the network processing such personal data;
  • submit the transmission of personal data to representatives of third countries to the condition that they provide an adequate level of protection: a provision could be added in the proposal recalling that no personal data should be transferred to representatives of a third country which does not provide an adequate level of protection, except when specific conditions have been fulfilled. It would apply in particular with regard to Article 8 on the network, and Article 18 on the conditions of communication of information;
  • clarify the roles and responsibilities of the Commission and of EASA, in the perspective of the application of Regulation (EC) No 45/2001. The EDPS calls for clarification on the extent to which the network will be managed by the Commission and through European Unions’ technical infrastructure. Would the purpose be to use an already existing network, any plan to allow for interoperability with existing databases should be clearly mentioned and motivated. The EDPS emphasises the need to provide for a secure network, accessible only for the purposes described in the proposal and to entitled stakeholders. The respective roles and responsibilities of the Commission and of EASA ( 13 ) as well as any other Union body which would be involved in the management of the network, should be clarified in the text for reasons of legal certainty.