Official Journal C 229 of the European Union

Volume 64 English edition Information and Notices 15 June 2021

Contents

IV Notices

NOTICES FROM EUROPEAN UNION INSTITUTIONS, BODIES, OFFICES AND AGENCIES

European Commission

2021/C 229/01 Euro exchange rates — 14 June 2021 ...... 1

2021/C 229/02 Interim update of the weightings applicable to the remuneration of officials, temporary staff and contract staff of the European Union serving in third countries ...... 2

2021/C 229/03 Commission Decision of 4 June 2021 regarding the licencing of the Natura 2000 logo ...... 6

European Data Protection Supervisor

2021/C 229/04 Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Pilot Regime for Market Infrastructures based on Distributed Ledger Technology (The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu) ...... 13

2021/C 229/05 Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation on digital operational resilience for the financial sector and amending Regulations (EC) 1060/2009, (EU) 648/2012, (EU) 600/2014 and (EU) 909/2014 (The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu) ...... 16

V Announcements

ADMINISTRATIVE PROCEDURES

European Commission

2021/C 229/06 Calls for proposals and related activities under the 2021-2022 work programme under Horizon Europe – the Framework Programme for Research and Innovation (2021-2027) ...... 19 EN

15.6.2021 EN Offi cial Jour nal of the European Union C 229/1

IV

(Notices)

NOTICES FROM EUROPEAN UNION INSTITUTIONS, BODIES, OFFICES AND AGENCIES

EUROPEAN COMMISSION

Euro exchange rates (1) 14 June 2021

(2021/C 229/01)

1 euro =

Currency Exchange rate Currency Exchange rate

USD US dollar 1,2112 CAD Canadian dollar 1,4737 JPY Japanese yen 132,95 HKD Hong Kong dollar 9,4008 DKK Danish krone 7,4361 NZD New Zealand dollar 1,6959 GBP Pound sterling 0,85898 SGD Singapore dollar 1,6070 KRW South Korean won 1 355,07 SEK Swedish krona 10,0944 ZAR South African rand 16,7159 CHF Swiss franc 1,0889 CNY Chinese yuan renminbi 7,7501 ISK Iceland króna 147,20 HRK Croatian kuna 7,4890 NOK Norwegian krone 10,0828 IDR Indonesian rupiah 17 267,62 BGN Bulgarian lev 1,9558 MYR Malaysian ringgit 4,9841 CZK Czech koruna 25,422 PHP Philippine peso 57,969 HUF Hungarian forint 351,14 RUB Russian rouble 87,5040 PLN Polish zloty 4,5152 THB Thai baht 37,717 RON Romanian leu 4,9203 BRL Brazilian real 6,1846 TRY Turkish lira 10,1380 MXN Mexican peso 24,1179 AUD Australian dollar 1,5696 INR Indian rupee 88,7015

(1) Source: reference exchange rate published by the ECB. C 229/2 EN Offi cial Jour nal of the European Union 15.6.2021

Interim update of the weightings applicable to the remuneration of officials, temporary staff and contract staff of the European Union serving in third countries (1)

(2021/C 229/02)

AUGUST 2020

Economic parity Exchange rate Weighting Place of employment August 2020 August 2020 (*) August 2020 (**)

Iran 58 043 49 320,6 117,7

Kyrgyzstan 55,29 89,9777 61,4

Lebanon 4 516 1 770,26 255,1

North Macedonia 28,15 61,6950 45,6

Saudi Arabia 3,836 4,40363 87,1

South-Sudan 385,4 192,660 200,0

Sudan 109,4 64,7072 169,1

(*) 1 EUR = x units of local currency. (**) Brussels and Luxembourg = 100.

SEPTEMBER 2020

Economic parity Exchange rate Weighting Place of employment September 2020 September 2020 (*) September 2020 (**)

Angola 518,7 693,090 74,8

Argentina 47,96 88,0995 54,4

Chad 652,2 655,957 99,4

Dominican Republic 37,45 68,7889 54,4

Malaysia 3,223 4,96320 64,9

Pakistan 110,2 199,065 55,4

South-Sudan 406,3 196,223 207,1

Sudan 125,1 65,1395 192,0

Suriname 8,801 8,88621 99,0

(*) 1 EUR = x units of local currency. (**) Brussels and Luxembourg = 100.

(1) According to the Eurostat Report of 5 May 2021 on the interim update of weightings (correction coefficients) applicable to the remuneration of officials, temporary staff and contract staff of the European Union serving in Extra-EU Delegations in accordance with Article 64 and Annex X and Annex XI of the Staff Regulations applicable to officials and other servants of the European Union. Further information is available on the Eurostat website (http://ec.europa.eu/eurostat > ‘Data’ > ‘Database’ > ‘Economy and finance’ > ‘Prices’ > ‘Correction coefficients’). 15.6.2021 EN Offi cial Jour nal of the European Union C 229/3

OCTOBER 2020

Economic parity Exchange rate Weighting Place of employment October 2020 October 2020 (*) October 2020 (**)

Argentina 50,76 88,6778 57,2 Costa Rica 557,9 703,495 79,3 Democratic Republic of the Congo 2 889 2 312,82 124,9 Gambia 45,28 60,4300 74,9 Haiti 105,0 83,8978 125,2 Iran 63 731 49 148,4 129,7 Kosovo 0,6469 1,00000 64,7 Lebanon 5 003 1 764,08 283,6 Liberia 381,2 232,649 163,9 Malawi 578,6 877,297 66,0 South Africa 10,83 19,8685 54,5 South-Sudan 431,9 196,423 219,9 Sudan 152,5 64,1145 237,9 Suriname 9,477 16,5630 57,2 Turkey 4,002 9,16490 43,7 Uzbekistan 7 488 12 071,3 62,0

(*) 1 EUR = x units of local currency. (**) Brussels and Luxembourg = 100.

NOVEMBER 2020

Economic parity Exchange rate Weighting Place of employment November 2020 November 2020 (*) November 2020 (**)

Argentina 53,72 91,5955 58,6 Djibouti 200,2 208,376 96,1 Eritrea 18,67 18,0646 103,4 Ethiopia 33,80 44,7994 75,4 Kazakhstan 322,0 507,300 63,5 Lebanon 5 334 1 764,38 302,3 Mauritius 34,23 46,9488 72,9 Myanmar/Burma 1 249 1 548,44 80,7 Nepal 98,93 139,695 70,8 Pakistan 116,5 190,565 61,1 Papua New Guinea 3,881 4,09231 94,8 South-Sudan 458,1 203,182 225,5 C 229/4 EN Offi cial Jour nal of the European Union 15.6.2021

Sudan 166,9 65,1979 256,0

Suriname 10,28 16,5658 62,1

Tajikistan 8,102 12,1015 67,0

(*) 1 EUR = x units of local currency. (**) Brussels and Luxembourg = 100.

DECEMBER 2020

Economic parity Exchange rate Weighting Place of employment December 2020 December 2020 (*) December 2020 (**)

Angola 551,8 769,336 71,7

Argentina 56,93 96,3178 59,1

Bangladesh 84,34 101,099 83,4

Barbados 2,321 2,39717 96,8

Dominican Republic 40,08 69,2507 57,9

India 64,70 88,3015 73,3

Iran 67 245 50 072,4 134,3

Kuwait 0,3110 0,363860 85,5

Nigeria 377,5 459,932 82,1

Sudan 183,5 65,6313 279,6

Uzbekistan 7 885 12 416,6 63,5

(*) 1 EUR = x units of local currency. (**) Brussels and Luxembourg = 100.

JANUARY 2021

Economic parity Exchange rate Weighting Place of employment January 2021 January 2021 (*) January 2021 (**)

Argentina 60,13 102,374 58,7

Democratic Republic of the Congo 3 040 2 404,81 126,4

Ethiopia 35,94 47,6928 75,4

Kosovo 0,6033 1,00000 60,3

Lebanon 6 017 1 851,36 325,0

Liberia 355,1 200,573 177,0

Malawi 612,2 938,495 65,2

Malaysia 3,414 4,95780 68,9

South-Sudan 414,6 217,658 190,5 15.6.2021 EN Offi cial Jour nal of the European Union C 229/5

Sudan 200,0 67,3306 297,0 Tajikistan 8,532 13,8775 61,5 Zambia 11,09 25,8171 43,0 (*) 1 EUR = x units of local currency, except USD for Liberia. (**) Brussels and Luxembourg = 100. C 229/6 EN Official Journal of the European Union 15.6.2021

COMMISSION DECISION of 4 June 2021 regarding the licencing of the Natura 2000 logo

(2021/C 229/03)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Council Directive 92/43/EEC of 21 May 1992 on the conservation of natural habitats and of wild fauna and flora (1), and in particular Article 17(3) thereof,

Having regard to the Decision of the Commission of 19 September 2001 (PV1536) conferring to the Directors General and Heads of Services the power to decide on the need to file an application for protection of intellectual property rights resulting from the activities or programmes for which they are responsible, the granting of licences related thereto, the acquisition, transfer or surrender or abandoning of rights, and to the Directors General the power of administrative execution related thereto,

Whereas:

(1) As stated in Article 191 of the Treaty, the Union policy on the environment is to contribute to pursuit of the objective of preserving, protecting and improving the quality of the environment, which includes conserving natural habitats and wild fauna and flora.

(2) Directive 92/43/EEC aims to promote the maintenance of biodiversity by taking measures at Union level in order to conserve and restore threatened habitats and species. Directive 2009/147/EC of the European Parliament and of the Council (2) aims to ensure a far-reaching protection for wild birds and habitats.

(3) Directives 92/43/EEC and 2009/147/EC are the foundation for an ecological network of designated nature protection sites, known as Natura 2000.

(4) In order to promote this ecological network, a NATURA 2000 logo was designed and endorsed by the Habitats Committee on 15 January 1996. The owner of the copyright of the NATURA 2000 logo is the European Union.

(5) The NATURA 2000 logo is used by the Commission and the Member States to identify a Natura 2000 site and to increase awareness about the network.

(6) It is appropriate to promote the use of the NATURA 2000 logo to communicate the benefits that Natura 2000 can provide to local economies and to build new partnerships between site managers, landowners and users, local businesses, while improving the perception of and increasing support for the Natura 2000 network. It is therefore appropriate to grant a free licence for the use of the NATURA 2000 logo.

(7) However, in order to ensure that the use of the NATURA 2000 logo is used in a such a way that it effectively contributes to the conservation objectives of the Natura 2000 sites and that it is not misused, it is necessary to set out terms for use of the ‘NATURA 2000’ logo,

HAS DECIDED AS FOLLOWS:

Sole Article

Upon request from the Member State, the Commission may grant a licence to use the NATURA 2000 logo in accordance with the Licence Agreement set out in the Annex.

(1) OJ L 206, 22.7.1992, p. 7. (2) Directive 2009/147/EC of the European Parliament and of the Council of 30 November 2009 on the conservation of wild birds (OJ L 20, 26.1.2010, p. 7). 15.6.2021 EN Official Journal of the European Union C 229/7

Done at Brussels, 4 June 2021.

For the Commission Florika FINK-HOOIJER Director-General for Environment C 229/8 EN Official Journal of the European Union 15.6.2021

ANNEX

to the Commission Decision regarding the licencing of the Natura 2000 logo

LICENCE AGREEMENT

Between:

The European Union, represented by the European Commission – having its seat at 200, Rue de la Loi, 1000 Brussels, Belgium – itself represented for the purposes of this agreement by Florika FINK-HOOIJER, Director-General for Environment (hereinafter referred to as the ‘Licensor’)

and

[XXXXXXX] (hereinafter referred to as the ‘Licensee’).

The ‘Licensor’ and ‘Licensee’ are individually referred to as the ‘Party’ and collectively as the ‘Parties’.

With reference to the work (hereinafter the ‘Licensed Material’):

NATURA 2000 logo, as illustrated in the Annex

Whereas:

The European Union (hereinafter the ‘EU’) considers the preservation, protection and improvement of the quality of the environment, including the conservation of natural habitats and of wild fauna and flora, as an essential objective of general interest pursued by the EU, as stated in Article 191 of the Treaty on the Functioning of the European Union.

The EU has adopted Directive 92/43/EEC on the conservation of natural habitats and of wild fauna and flora (1) (hereinafter the ‘Habitats Directive’) aiming to promote the maintenance of biodiversity by taking measures at EU level in order to conserve and restore threatened habitats and species.

The EU has adopted Directive 2009/147/EC on the conservation of wild birds (2) (hereinafter the ‘Birds Directive’) aiming to ensure a far-reaching protection for wild birds and their habitats.

The Habitats and Birds Directives are the foundation of an ecological network of designated nature protection sites, known as Natura 2000.

In order to promote this ecological network, a ‘NATURA 2000’ logo was created in line with Article 17(3) of the Habitats Directive. The logo is reproduced in the Annex.

This logo is used by the European Commission and the Member States to identify Natura 2000 sites.

The European Commission and the Member States represented in the Habitats committee set up pursuant to Article 20 of the Habitats Directive have decided to use the ‘NATURA 2000’ logo to communicate on the benefits that Natura 2000 can provide to local economies. Such use of the logo will also help build new partnerships between site managers, landowners, land users and local businesses, while improving the perception of and increasing support for the Natura 2000 network.

The EU asserts that it is the owner of the intellectual property rights, including copyright or design right without limitation, on the ‘NATURA 2000’ logo and is willing to grant Member States a licence to use it under the terms and conditions set out in this Agreement.

(1) OJ L 206, 22.7.1992, p. 7. (2) OJ L 20, 26.1.2010. p. 7. 15.6.2021 EN Official Journal of the European Union C 229/9

The Parties have agreed as follows:

I. GRANT OF LICENCE

1. Subject to the terms of this Agreement, the Licensor grants the Licensee a non-exclusive, royalty-free, sub-licensable and conditional right to use, print, publish, reproduce, display and incorporate the Licensed Material in the context of the Natura 2000 network for the purposes set out under Clause II. The Licensee may make the Licensed Material available on any media including print, digital and electronic forms, without prejudice to the copyright of the Licensor.

2. The Agreement is limited to the territorial jurisdiction of the Licensee. This Agreement enters into force upon the signature of both Parties and is granted for an indefinite period.

II. CONDITIONS OF LICENCE

1. The Licensee shall use the Licensed Material for the purpose of implementing the Habitats and Birds Directives, in particular: (i) to identify areas that are part of the Natura 2000 network since they have been designated as ‘Special Areas of Conservation’ or listed as ‘Sites of Community Importance’ under the Habitats Directive or classified as ‘Special Protection Areas’ under the Birds Directive; or (ii) to identify measures and actions that directly contribute to the creation, management or promotion of the Natura 2000 network.

2. The Licensee may also use the Licensed Material in relation to goods and services that: (i) contribute to the achievement of the conservation objectives of specific Natura 2000 sites, provided that those objectives have been established in accordance with the Habitats and Birds Directives; or (ii) originate completely or significantly from or are provided in specific Natura 2000 sites and are fully compatible with their conservation objectives, provided that the latter have been established in accordance with the Habitats and Birds Directives.

3. The Licensee shall not use the Licensed Material in any way that would be detrimental to the purpose of EU legislation and policies or the reputation of EU Institutions.

4. The Licensee shall neither register the Licensed Material in whole or in part as a trademark nor incorporate it in its own trademarks, in any jurisdiction.

5. The Licensee shall bear all costs and expenses of carrying out the Licensee’s rights under this Agreement.

III. CONDITIONS OF SUB-LICENCE

1. The Licensee may sub-license the right to use the Licensed Material within its territory under the same conditions as mentioned in Clause II.

2. The Licensee shall not allow third parties to register the Licensed Material in whole or in part as a trademark or incorporate it in their own trademarks, in any jurisdiction.

3. The Licensee shall not allow third parties to use the Licensed Material in a way that would be detrimental to the purpose of EU legislation, policies or the reputation of EU Institutions.

IV. COPYRIGHT

1. The copyright on the Licensed Material remains with the European Union.

2. This Agreement is subject to the condition that the Licensee (and any sub-Licensee) include a visible reference to the Licensor’s ownership of the copyright in the Licensed Material as follows: C 229/10 EN Official Journal of the European Union 15.6.2021

© European Union

3. The rights herein are granted for the full term of the copyright. This Agreement does not extend to the European emblem and/or any other trademark, trade name, logo or graphic device of the European Union. No further rights are granted herein to the Licensee.

V. TERMINATION OF LICENCE

1. If the Licensee commits a breach of this Agreement, the Parties commit to discuss the issue within twenty (20) working days after written notice by the Licensor. If no solution is found within a reasonable period of time, the Licensor may terminate this Agreement by notice in writing.

VI. INFRINGEMENT BY THIRD PARTIES AND ENFORCEMENT ACTIONS

1. If the Licensee becomes aware of any use by any third party of the Licensed Material that would be detrimental to the purpose of EU legislation, policies or the reputation of EU Institutions, the Licensee shall immediately notify the Licensor in writing of such use.

2. The European Commission shall have the right to take appropriate action against such use in close coordination with the Licensee.

3. The Licensee shall have the right and the obligation to take action against any alleged infringement of the intellectual property rights of the Licensor in the Licensed Material, including the right to sue for copyright infringement, at its sole expense and in its own name.

VII. ADMINISTRATIVE PROVISION

1. Any communication between the Parties with reference to the performance of this Agreement, all notifications and any relevant correspondence shall be made in writing and addressed to the following addressees: For the European Commission, on behalf of the European Union, the person responsible for the implementation of this Agreement is: [XXXXXXXXXX] For the Licensee the person responsible for the implementation of this Agreement is: [XXXXXXXXXXXXXXX]

VIII. DISPUTE SETTLEMENT

1. Any dispute arising between the Parties concerning any matter relating to this Agreement must be attempted to be resolved in the first instance by the responsible persons for the Parties at Clause VII and should be raised by the disputing Party submitting a notice of the dispute to the other Party.

IX. ENTIRE AGREEMENT

1. The terms of this Agreement constitute the whole Agreement between the Parties in respect of the subject matter of this Agreement.

2. Any amendment to the Agreement shall be agreed in writing between the Parties and shall be subject to a formal addendum to this Agreement.

3. The Parties further agree that neither Party shall rely on any representations, agreements, statements or undertakings made prior to the signature of the Agreement, whether orally or in writing, other than those which have been expressly incorporated in the Agreement. 15.6.2021 EN Official Journal of the European Union C 229/11

X. APPLICABLE LAW

1 This Agreement shall be governed by European Law and supplemented where necessary by the national substantive law of Belgium. Any dispute between the Parties which cannot be settled amicably shall be brought before the Court of Justice of the European Union.

Done in duplicate in Brussels on ….

Signed for the European Commission on behalf of the European Union by:

Signed for the Licensee by: C 229/12 EN Official Journal of the European Union 15.6.2021

Annex

LICENSED MATERIAL: NATURA 2000 LOGO

© European Union

© European Union 15.6.2021 EN Offi cial Jour nal of the European Union C 229/13

EUROPEAN DATA PROTECTION SUPERVISOR

Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Pilot Regime for Market Infrastructures based on Distributed Ledger Technology (The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

(2021/C 229/04)

On 24 September 2020 the European Commission adopted its Proposal for a Regulation of the European Parliament and of the Council on a pilot regime for market infrastructures based on Distributed Ledger Technology (COM(2020)594 final). The Proposal establishes harmonised requirements for certain market participants to apply for and be granted permission to operate digital ledger technology (DLT) market infrastructures.

The EDPS highlights that the protection of personal data does not constitute an obstacle to innovation and in particular, for the development of new technologies in the financial sector. At the same time, he recalls that measures adopted at EU level regarding innovative technologies involving the processing of personal data must comply with the general principles of necessity and proportionality. Moreover, given the lack of full view of the of these new technologies impact on our society, the EDPS considers that the precautionary principle approach should be followed.

The EDPS notes that depending on the DLT’s configuration, the meta or transactional data stored therein may be considered personal data, if it relates to an identified or identifiable natural person. Thus, the controllers must carefully analyse and document the DLT’s configuration in order to determine whether personal data is processed thereby and as a consequence, the operations are subject to the data protection obligations.

The EDPS highlights that the technology behind some digital ledgers, particularly those that are public and permissionless, rises crucial questions with regard to its compatibility with data protection requirements.

The EDPS is of the view that a discussion about the compatibility of DLT systems in general with the data protection framework should take place before the Proposal enters into force.

The EDPS notes that in case of DLT’s containing on-chain personal data, the processing operations relating thereto will likely meet the criteria for the classification of the processing operation as of high risk. Therefore, the controller shall prior to the processing of personal data, carry out a data protection impact assessment for the envisaged processing operations. Moreover, prior approval from the competent data protection authority may be required.

The EDPS recommends that the Proposal requests, as part of the application to operate a DLT Market Infrastructure related information, where applicable, the core information in relation to the processing operations envisaged. Moreover, he recommends that operators of DLT market infrastructures should publish the privacy notice in the same place of its operating information as required by the Proposal.

The EDPS highlights that IT and cyber arrangements foreseen in the Proposal for the operation of DLT Market Infrastructures must be also in line with the obligations set by Articles 22 and 32 of the GDPR (1). C 229/14 EN Offi cial Jour nal of the European Union 15.6.2021

Finally, in the context of reporting of operational issues by DLT Market Infrastructures’ operators, the EDPS recommends reminding in a recital that in cases of personal data breaches, these shall also be notified by the operator to the competent data protection authority, in accordance with Article 33 of the GDPR, and, if applicable, to the data subjects, in accordance with Article 34 of the GDPR.

3. BACKGROUND

1. On 24 September 2020 the European Commission adopted its Proposal for a Regulation of the European Parliament and of the Council on a pilot regime for market infrastructures based on Distributed Ledger Technology (COM(2020) 594 final) (the ‘Proposal’). The Proposal establishes harmonised requirements for specific market participants, namely investment firms, market operators or central securities depositories, to apply for and be granted permission to operate digital ledger technology market infrastructures (‘DLT Market Infrastructure’) in a supervised environment with the application of specific exemptions to compliance with financial regulations. In particular, the Proposal has four objectives: providing legal certainty for crypto-assets, ensuring financial stability, protecting consumers and investors and enabling innovation towards the use of blockchain, distributed ledger technology and crypto assets.

2. This Proposal is part of a package that includes a proposal for a regulation to build markets in cryptoassets (2) (the ‘MICA Regulation’), a proposal for digital operational resilience (3) (the ‘DORA Regulation’), and a proposal to clarify or amend certain related EU financial services rules (4). The EDPS expects to be consulted also on the other regulations of the package in line with Article 42(1) of Regulation (UE) 2018/1725.

3. On 26 February 2021 the European Commission requested the European Data Protection Supervisor (the ‘EDPS’) to issue an opinion on the Proposal, in accordance with Article 42(1) of Regulation (UE) 2018/1725. These comments are limited to the provisions of the Proposal that are relevant from a data protection perspective.

5. CONCLUSIONS

In light of the above, the EDPS:

— recalls that the protection of personal data does not constitute an obstacle to innovation and, in particular, for the development of new technologies, notably in the financial sector.

— highlights that the technology behind some digital ledgers, particularly those that are public and permissionless, rises crucial conceptual questions with regard to data protection requirements; recommends therefore that the discussion about the possible way to ensure compatibility of DLT systems with the data protection framework should take place before the Proposal enters into force.

— stresses that the crypto-assets traded in the DLT Market Infrastructures covered by the Proposal should be only those using a DLT configuration which complies with the data protection framework.

— suggest to also include, as part of the information required to the operator in the context of its application to operate a DLT Market Infrastructure, where applicable, the list of the foreseen processing operations involving personal data, the allocation of roles and responsibilities of each operator pursuant to the GDPR within the DLT Market Infrastructure, as well as the main risks envisaged and mitigation strategies for what concerns data protection.

— highlights that IT and cyber arrangements foreseen in the Proposal for the operation of DLT Market Infrastructures must be also in line with the obligations set by Articles 22 and 32 of the GDPR. 15.6.2021 EN Offi cial Jour nal of the European Union C 229/15

— recommends reminding in a recital, in the context of reporting of operational issues by DLT Market Infrastructures’ operators, that in cases of personal data breaches, these shall also be notified by the operator to the competent data protection supervisory authority, in accordance with Article 33 of the GDPR, and, if applicable, to data subjects, in accordance with Article 34 of the GDPR.

Brussels, 23 April 2021.

Wojciech Rafał WIEWIÓROWSKI

______(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1). (2) Proposal for a Regulation of the European Parliament and of the Council on Markets in Crypto-assets, and amending Directive (EU) 2019/1937, COM/2020/593 final. Available at EUR-Lex - 52020PC0593 - EN - EUR-Lex (europa.eu) (3) Proposal for a Regulation of the European Parliament and of the Council on Digital Operational Resilience for the Financial sector and Amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, COM/2020/595 final, available at EUR-Lex - 52020PC0595 - EN - EUR-Lex (europa.eu) (4) Proposal for a Directive of the European Parliament and of the Council amending Directives 2006/43/EC, 2009/65/EC, 2009/138/EU, 2011/61/EU, EU/2013/36, 2014/65/EU, (EU) 2015/2366 and EU/2016/2341, COM/2020/596 final. Available at EUR-Lex - 52020PC0596 - EN - EUR-Lex (europa.eu) C 229/16 EN Offi cial Jour nal of the European Union 15.6.2021

Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation on digital operational resilience for the financial sector and amending Regulations (EC) 1060/2009, (EU) 648/2012, (EU) 600/2014 and (EU) 909/2014 (The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

(2021/C 229/05)

The European Commission adopted on 24 September 2020 a Proposal for a Regulation on Digital Operational Resilience for the financial sector and Amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 (the ‘Proposal’). The Proposal establishes a comprehensive framework on digital operational resilience for EU financial entities, based on five key areas, namely the management of ICT risks (Chapter II), the management, classification and reporting of incidents (Chapter III), digital operational resilience testing (Chapter IV), management of third-party risks and regulation of critical ICT service providers (Chapter V) and information sharing (Chapter VI).

The EDPS welcomes the objectives of the Proposal, and considers it essential for the European Union financial market’s stability that financial institutions count with a sound, comprehensive and well-documented ICT risk management framework

The EDPS highlights the importance of ensuring that any processing operation in the context of the operations of the financial entities is based on one of the legal basis laid down in Article 6 of the GDPR (1) Moreover, the EDPS highlights the importance for financial entities of embedding within their digital operational resilience framework a strong data protection governance mechanism, which clearly identifies the roles and responsibilities of the controller and the processor, as well as the processing activities that will take place.

Regarding the international transfers to ICT third-party service providers established in a third-country, the EDPS recalls that any international transfer of personal data must comply with the requirements of Chapter V of the GDPR as interpreted in the case-law of the CJEU, including the judgment in Schrems II.

Regarding the sharing arrangements on intelligence and cyber threat information amongst financial entities, the EDPS highlights that the protection of personal data does not constitute an obstacle to intelligence sharing in the financial sector. Rather, data protection requirements should be perceived as a basic requirement which should be complied with to ensure the safeguard of the rights of individuals. In this context, the EDPS encourages the adoption also in the financial sector of codes of conduct in accordance with Article 40 of the GDPR, particularly in view of clearly establishing the roles of the main stakeholders in the processing of personal data, as well as ensuring a fair and transparent processing.

Regarding the publication of administrative fines, the EDPS recommends including, among the criteria for consideration of the competent authority, the risks to the protection of the personal data of the individuals. Moreover, the EDPS recalls that the principle of storage limitation requires that personal data is stored for no longer than is necessary for the purposes for which the personal data are processed.

Regarding the notification of data breaches, the EDPS highlights that the wording of Recital 42 of the Proposal is incompatible with Article 33 of the GDPR. Therefore, the EDPS recommends deleting the reference to data protection authorities from Recital 42 of the Proposal, as well as slightly amending Article 17 of the Proposal in accordance with the recommendations of this Opinion. 15.6.2021 EN Offi cial Jour nal of the European Union C 229/17

1. BACKGROUND

1. The European Commission adopted on 24 September 2020 a Proposal for a Regulation on Digital Operational Resilience for the financial sector and Amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 (the ‘Proposal’). The Proposal establishes a comprehensive framework on digital operational resilience for EU financial entities, based on five key areas, namely the management of ICT risks (Chapter II), the management, classification and reporting of incidents (Chapter III), digital operational resilience testing (Chapter IV), management of third-party risks and regulation of critical ICT service providers (Chapter V) and information sharing (Chapter VI).

2. This Proposal belongs to a package that includes also a proposal for a regulation to build markets in cryptoassets (2) (the ‘MICA Regulation’), a proposal on a pilot regime for Market Infrastructures based on DLT (3), and a proposal to clarify or amend certain related EU financial services rules (4). The EDPS was consulted on the Proposal on the pilot regime for Market Infrastructures based on DLT and delivered his Opinion on 23 April 2021 (5). He was also consulted on the MICA Regulation on 29 April 2021 and will deliver his opinion in line with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (6).

3. On 15 March 2021, the European Commission requested the European Data Protection Supervisor (the ‘EDPS’) to issue an opinion on the Proposal, in accordance with Article 42(1) of Regulation (EU) 2018/1725. These comments are limited to the provisions of the Proposal that are relevant from a data protection perspective.

4. CONCLUSIONS

In light of the above, the EDPS:

— Highlights the importance of ensuring that any processing operation in the context of the operations of the financial entities is based on one of the legal basis of Article 6 of the GDPR, and indicates Article 6(1)(c), (e) and (f) of the GDPR as possible legal basis for consideration by financial entities.

— The EDPS highlights the importance for financial entities of embedding within their digital operational resilience framework a strong data protection governance mechanism, which clearly identifies the roles and responsibilities of the controller and the processor, as well as the processing activities that will take place.

— The EDPS recalls that any international transfer of personal data by financial entities to a ICT third-party service provider established in a third-country must comply with the requirements of Chapter V of the GDPR, and where carried out, be subject to appropriate safeguards in line with the data protection framework and the case- law of the CJEU, in particular the Schrems II case. Such financial entities may take recourse to the Standard Contractual Clauses, as it would seem as the most relevant transfer tool.

— The EDPS highlights that the protection of personal data does not constitute an obstacle to intelligence sharing in the financial sector. Rather, data protection requirements should be perceived as a basic requirement to be complied with to ensure the safeguard of the rights of individuals within the digital operational resilience framework of financial entities.

— The EDPS encourages the adoption also in the financial sector of codes of conduct in accordance with Article 40 of the GDPR, particularly in view of clearly establishing the roles of the main stakeholders in the processing of personal data, as well as ensuring a fair and transparent processing.

— Regarding the publication of administrative sanctions, the EDPS recommends including, among the criteria for consideration of the competent authority, the risks to the protection of personal data of the individuals.

— In accordance with the principle of storage limitation, the EDPS recommends financial entities to adopt measures to ensure that the information on the administrative fines are deleted from their website after the five years have elapsed, or before if, it is no longer necessary. C 229/18 EN Offi cial Jour nal of the European Union 15.6.2021

— The EDPS highlights that the wording of Recital 42 of the Proposal is incompatible with Article 33 of the GDPR. The EDPS hence recommends deleting the reference to data protection authorities from Recital 42 of the Proposal, as well as amending Article 17 of the Proposal to include a reference to the obligation of notification of data breaches to the relevant data protection authorities. — The EDPS recommends amending Article 23(2) of the Proposal to ensure that testing, product development or research of the ICT systems may not be carried out on live production systems containing personal data of customers.

Brussels, 10 May 2021.

Wojciech Rafał WIEWIÓROWSKI

______(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1). (2) Proposal for a Regulation of the European Parliament and of the Council on Markets in Crypto-assets, and amending Directive (EU) 2019/1937, COM/2020/593 final. Available at EUR-Lex - 52020PC0593 - EN - EUR-Lex (europa.eu) (3) Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on a pilot regime for market infrastructures based on distributed ledger technology. COM/2020/594 final, available at EUR-Lex - 52020PC0594 - EN - EUR-Lex (europa.eu) (4) Proposal for a Directive of the European Parliament and of the Council amending Directives 2006/43/EC, 2009/65/EC, 2009/138/EU, 2011/61/EU, EU/2013/36, 2014/65/EU, (EU) 2015/2366 and EU/2016/2341, COM/2020/596 final. Available at EUR-Lex - 52020PC0596 - EN - EUR-Lex (europa.eu) (5) Opinion 6/2021 on the Proposal for a Pilot Regime for Market Infrastructures based on Distributed Ledger Technology, available at 2021-0219_d0912_opinion_6_2021_en_0.pdf (europa.eu) (6) Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust), and replacing and repealing Council Decision 2002/187/JHA (OJ L 295, 21.11.2018, p. 138). 15.6.2021 EN Offi cial Jour nal of the European Union C 229/19

V

(Announcements)

ADMINISTRATIVE PROCEDURES

EUROPEAN COMMISSION

Calls for proposals and related activities under the 2021-2022 work programme under Horizon Europe – the Framework Programme for Research and Innovation (2021-2027)

(2021/C 229/06)

Notice is hereby given of the launch of further actions under the 2021-2022 work programme under Horizon Europe – the Framework Programme for Research and Innovation (2021-2027).

The Commission has adopted an amendment to the above mentioned work programme by Decision C(2021) 4200 of 15 June 2021.

The actions are subject to the availability of the appropriations provided for in the general budget of the Union for 2021 and 2022, following the adoption of the 2022 budget by the budgetary authority or as provided for in the system of provisional twelfths. The Commission reserves its right to cancel or make corrigendum to the actions.

Confirmation that these conditions have been met will be announced on the European Commission Funding & Tenders Portal website (https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/programmes/horizon).

This work programme, including deadlines and budgets for the actions, are available through the above-mentioned Funding & Tenders Portal along with information on the modalities of the actions, and guidance for applicants on how to submit proposals. All this information will be updated as necessary on the same Funding & Tenders Portal.

ISSN 1977-091X (electronic edition) ISSN 1725-2423 (paper edition)

EN