Official Journal of the European Union
COMMISSION IMPLEMENTING REGULATION (EU) No 463/2014
of 5 May 2014
laying down pursuant to Regulation (EU) No 223/2014 of the European Parliament and of the Council on the Fund for European Aid to the Most Deprived, the terms and conditions applicable to the electronic data exchange system between the Member States and the Commission
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) No 223/2014 of the European Parliament and of the Council of 11 March 2014 on the Fund for European Aid to the Most Deprived (1), and in particular Article 30(4) thereof,
Pursuant to Article 30(4) of Regulation (EU) No 223/2014 all official exchanges of information between the Member State and the Commission shall be carried out using an electronic data exchange system. It is therefore necessary to establish the terms and conditions with which that electronic data exchange system should comply.
In order to guarantee enhanced quality of information on the implementation of operational programmes, improved usefulness of the system and simplification, it is necessary to specify basic requirements for the form and scope of the information to be exchanged.
It is necessary to specify principles, as well as applicable rules for operation of the system with regard to the identification of the party responsible for uploading the documents and making any updates thereto.
In order to guarantee the reduction of the administrative burden for the Member States and the Commission while ensuring the efficient and effective electronic exchange of information, it is necessary to establish technical characteristics for the system.
Member States and the Commission should also have a possibility to encode and transfer data in two different ways to be specified. It is also necessary to provide for rules in the event of force majeure hindering the use of the electronic data exchange system, to ensure that both Member States and the Commission can continue to exchange information by alternative means.
Member States and the Commission should ensure that transfer of data through the electronic data exchange system is performed in a secured manner allowing for availability, integrity, authenticity, confidentiality and non-repudiation of information. Therefore rules on security should be set out.
This Regulation should respect the fundamental rights and observe the principles recognised by the Charter of Fundamental Rights of the European Union, and notably the right to protection of personal data. This Regulation should therefore be applied in accordance with these rights and principles. Concerning personal data processed by Member States, Directive 95/46/EC of the European Parliament and of the Council (2) applies. Concerning the processing of personal data by the Union institutions and bodies and the free movement of such data, Regulation (EC) No 45/2001 of the European Parliament and of the Council (3) applies.
In order to allow for the prompt application of the measures provided for in this Regulation, this Regulation should enter into force on the day following that of its publication in the Official Journal of the European Union.
The measures provided for in this Regulation are in accordance with the opinion of the Committee for the Fund for European Aid to the Most Deprived,
HAS ADOPTED THIS REGULATION:
PROVISIONS IMPLEMENTING REGULATION (EU) NO 223/2014 WITH REGARD TO THE FUND FOR EUROPEAN AID TO THE MOST DEPRIVED (FEAD)
ELECTRONIC DATA EXCHANGE SYSTEM
(Empowerment under Article 30(4) of Regulation (EU) No 223/2014)
Establishment of electronic data exchange system
The Commission shall establish an electronic data exchange system for all official exchanges of information between the Member State and the Commission.
Content of electronic data exchange system
The electronic data exchange system (hereinafter referred to as ‘SFC2014’) shall contain at least information specified in the models, formats and templates established in accordance with Regulation (EU) No 223/2014. The information provided in the electronic forms embedded in SFC2014 (hereinafter referred to as ‘structured data’) may not be replaced by non-structured data, including the use of hyperlinks or other types of non-structured data such as attachment of documents or images. Where a Member State transmits the same information in the form of structured data and non-structured data, the structured data shall be used in case of inconsistencies.
Operation of SFC2014
1. The Commission, the authorities designated by the Member State pursuant to Article 59(3) of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council (4) and Article 31 of Regulation (EU) No 223/2014 as well as the bodies to which tasks of those authorities have been delegated shall enter into SFC2014 the information for the transmission of which they are responsible and any updates thereto.
2. Any transmission of information to the Commission shall be verified and submitted by a person other than the person who entered the data for that transmission. This separation of tasks shall be supported by SFC2014 or by Member State's management and control information systems connected automatically with SFC2014.
3. Member States shall appoint, at national level, a person or persons responsible for managing access rights to SFC2014 who shall fulfil the following tasks:
(a) identifying users requesting access, making sure those users are employed by the organisation;
(b) informing users about their obligations to preserve the security of the system;
(c) verifying the entitlement of users to the required privilege level in relation to their tasks and their hierarchical position;
(d) requesting the termination of access rights when those access rights are no longer needed or justified;
(e) promptly reporting suspicious events that may bring prejudice to the security of the system;
(f) ensuring the continued accuracy of user identification data by reporting any changes;
(g) taking the necessary data protection and commercial confidentiality precautions in accordance with Union and national rules;
(h) informing the Commission of any changes affecting the capacity of the Member State authorities or users of SFC2014 to carry out the responsibilities referred to in paragraph 1 or their personal capacity to carry out responsibilities referred to in points (a)-(g).
4. Exchanges of data and transactions shall bear a compulsory electronic signature within the meaning of Directive 1999/93/EC of the European Parliament and of the Council (5). The Member States and the Commission shall recognise the legal effectiveness and admissibility of the electronic signature used in SFC2014 as evidence in legal proceedings.
Information processed through SFC2014 shall respect the protection of privacy and personal data for individuals and commercial confidentiality for legal entities in accordance with Directive 2002/58/EC of the European Parliament and of the Council (6), Directive 2009/136/EC of the European Parliament and of the Council (7), Directive 1995/46/EC and Regulation (EC) No 45/2001.
Characteristics of SFC2014
In order to ensure the efficient and effective electronic exchange of information, SFC2014 shall have the following characteristics:
interactive forms or forms pre-filled by the system on the basis of the data already recorded in the system previously;
automatic calculations, where they reduce the encoding effort of users;
automatic embedded controls to verify internal consistency of transmitted data and consistency of this data with applicable rules;
system generated alerts warning SFC2014 users that certain actions can or cannot be performed;
online status tracking of the treatment of information entered into the system;
availability of historical data in respect of all information entered for an operational programme.
Transmission of data through SFC2014
1. SFC2014 shall be accessible to the Member States and the Commission either directly through an interactive user-interface (i.e. a web-application) or via a technical interface using pre-defined protocols (i.e. web-services) that allows for automatic synchronisation and transmission of data between Member States information systems and SFC2014.
2. The date of electronic transmission of the information by the Member State to the Commission and vice versa shall be considered to be the date of submission of the document concerned.
3. In the event of force majeure, a malfunctioning of SFC2014 or a lack of a connection with SFC2014 exceeding one working day in the last week before a regulatory deadline for the submission of information or in the period from 23 to 31 December, or five working days at other times, the information exchange between the Member State and the Commission may take place in paper form using the models, formats and templates referred to in Article 2(1) of this Regulation.
When the electronic exchange system ceases to malfunction, the connection with that system is re-established or the cause of force majeure ceases, the party concerned shall enter without delay the information already sent in paper form also into SFC2014.
4. In cases referred to in paragraph 3 the date stamped by the post shall be considered to be the date of submission of the document concerned.
Security of data transmitted through SFC2014
1. The Commission shall establish an information technology security policy (hereinafter referred to as ‘SFC IT security policy’) for SFC2014 applicable to personnel using SFC2014 in accordance with relevant Union rules, in particular Commission Decision C(2006) 3602 (8) and its implementing rules. The Commission shall designate a person or persons responsible for defining, maintaining and ensuring the correct application of the security policy to SFC2014.
2. Member States and European institutions other than the Commission, who have received access rights to SFC2014, shall comply with the IT security terms and conditions published in the SFC2014 portal and the measures that are implemented in SFC2014 by the Commission to secure the transmission of data, in particular in relation to the use of the technical interface referred to in Article 5(1) of this Regulation.
3. Member States and the Commission shall implement and ensure the effectiveness of the security measures adopted to protect the data they have stored and transmitted through SFC2014.
4. Member States shall adopt national, regional or local information security policies covering access to SFC2014 and automatic input of data into it, ensuring a minimum set of security requirements. These national, regional or local IT security policies can refer to other security documents. Each Member State shall ensure that these IT security policies apply to all authorities using SFC2014.
5. These national, regional or local IT security policies shall include:
(a) the IT security aspects of the work performed by the person or persons responsible for managing the access rights referred to in Article 3(3) of this Regulation in case of application of direct use;
(b) in case of national, regional or local computer systems connected to SFC2014, through a technical interface referred to in Article 5(1) of this Regulation the security measures for those systems allowing to be aligned with SFC2014 security requirements.
For the purposes of point (b) of the first subparagraph, the following aspects shall be covered, as appropriate:
data media and access control;
access and password control;
interconnection with SFC2014;
human resources management prior to employment, during employment and after employment;
6. These national, regional or local IT security policies shall be based on a risk assessment and the measures described shall be proportionate to the risks identified.
7. The documents setting out the national, regional or local IT security policies shall be made available to the Commission upon request.
8. Member States shall designate, at a national level, a person or persons responsible for maintaining and ensuring the application of the national, regional or local IT security policies. That person or these persons shall act as a contact point with the person or persons designated by the Commission and referred to in Article 6(1) of this Regulation.
9. Both the SFC IT security policy and the relevant national, regional and local IT security policies shall be updated in the event of technological changes, the identification of new threats or other relevant developments. In any event, they shall be reviewed on an annual basis to ensure that they continue to provide an appropriate response.
This Regulation shall enter into force on the day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 5 May 2014.
For the Commission
José Manuel BARROSO
(1) Regulation (EU) No 223/2014 of the European Parliament and of the Council of 11 March 2014 on the Fund for European Aid to the most Deprived (OJ L 72, 12.3.2014, p. 1).
(2) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).
(3) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).
(4) Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council of 25 October 2012 on the financial rules applicable to the general budget of the Union and repealing Council Regulation (EC, Euratom) No 1605/2002 (OJ L 298, 26.10.2012, p. 1).
(5) Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (OJ L 13, 19.1.2000, p. 12).
(6) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
(7) Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (OJ L 337, 18.12.2009, p. 11).
(8) Commission Decision C(2006) 3602 of 16 August 2006 concerning the security of information systems used by the European Commission.