- Y Diweddaraf sydd Ar Gael (Diwygiedig)
- Gwreiddiol (Fel y’i mabwysiadwyd gan yr UE)
Commission Delegated Regulation (EU) 2018/573Dangos y teitl llawn
Commission Delegated Regulation (EU) 2018/573 of 15 December 2017 on key elements of data storage contracts to be concluded as part of a traceability system for tobacco products (Text with EEA relevance)
You are here:
- Rheoliadau yn deillio o’r UE
- 2018 No. 573
- Whole Regulation
- Blaenorol
- Nesaf
Pa Fersiwn
Nodweddion Uwch
- Dangos Graddfa Ddaearyddol(e.e. Lloegr, Cymru, Yr Alban aca Gogledd Iwerddon)
- Dangos Llinell Amser Newidiadau
Dewisiadau Agor
Rhagor o Adnoddau
Legislation originating from the EU
When the UK left the EU, legislation.gov.uk published EU legislation that had been published by the EU up to IP completion day (31 December 2020 11.00 p.m.). On legislation.gov.uk, these items of legislation are kept up-to-date with any amendments made by the UK since then.
Mae hon yn eitem o ddeddfwriaeth sy’n deillio o’r UE
Mae unrhyw newidiadau sydd wedi cael eu gwneud yn barod gan y tîm yn ymddangos yn y cynnwys a chyfeirir atynt gydag anodiadau.Ar ôl y diwrnod ymadael bydd tair fersiwn o’r ddeddfwriaeth yma i’w gwirio at ddibenion gwahanol. Y fersiwn legislation.gov.uk yw’r fersiwn sy’n weithredol yn y Deyrnas Unedig. Y Fersiwn UE sydd ar EUR-lex ar hyn o bryd yw’r fersiwn sy’n weithredol yn yr UE h.y. efallai y bydd arnoch angen y fersiwn hon os byddwch yn gweithredu busnes yn yr UE. EUR-Lex Y fersiwn yn yr archif ar y we yw’r fersiwn swyddogol o’r ddeddfwriaeth fel yr oedd ar y diwrnod ymadael cyn cael ei chyhoeddi ar legislation.gov.uk ac unrhyw newidiadau ac effeithiau a weithredwyd yn y Deyrnas Unedig wedyn. Mae’r archif ar y we hefyd yn cynnwys cyfraith achos a ffurfiau mewn ieithoedd eraill o EUR-Lex. The EU Exit Web Archive legislation_originated_from_EU_p3
Changes to legislation:
This version of this Regulation was derived from EUR-Lex on IP completion day (31 December 2020 11:00 p.m.). It has not been amended by the UK since then. Find out more about legislation originating from the EU as published on legislation.gov.uk.
Changes to Legislation
Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.
Commission Delegated Regulation (EU) 2018/573
of 15 December 2017
on key elements of data storage contracts to be concluded as part of a traceability system for tobacco products
(Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Directive 2014/40/EU of the European Parliament and of the Council of 3 April 2014 on the approximation of the laws, regulations and administrative provisions of the Member States concerning the manufacture, presentation and sale of tobacco and related products and repealing Directive 2001/37/EC(1), and in particular Article 15(12) thereof,
Whereas:
(1) Article 15(8) of Directive 2014/40/EU requires each manufacturer and importer, as part of the traceability system for tobacco products, further specified in Commission Implementing Regulation (EU) 2018/574(2), to conclude a contract with an independent third-party provider for the purpose of hosting information related to its tobacco products. Article 15(12) of Directive 2014/40/EU empowers the Commission to define the key elements of those contracts.
(2) To ensure the effective functioning of the traceability system for tobacco products in general and the interoperability of the repositories system in particular, it is appropriate to lay down the key elements of the data storage contracts, to include specifications relating to the operability, availability and performance of the services to be provided by data storage providers. The effective and continuous functioning of the traceability system and the data storage system contained therein makes it necessary that clear requirements on data portability are put in place by providers for cases where a manufacturer or importer decides to change its provider. For that reason, the contracts should include provisions requiring the use of technology that is readily available on the market and commonly used in the sector to guarantee an effective and uninterrupted data transfer between current and new providers.
(3) In order to ensure the necessary level of flexibility, it should be possible to request the data storage provider to carry out, against a fee, ancillary technical services connected with the operation of the primary repository such as the expansion of the operational functionality of user interfaces, provided that the additional services contribute to the proper functioning of the repositories system and do not violate any of the requirements laid down in Implementing Regulation (EU) 2018/574. Therefore, the contract should provide for such an option.
(4) To safeguard the independent operation of the traceability system at all times, the Commission should be able to revoke the approval of an already contracted data storage provider where an assessment or reassessment of the technical capacity or independence of the provider results in an adverse finding as regards its suitability.
(5) In order to ensure the effective organisation of the day-to-day functioning of the system, providers of primary repositories should cooperate with one another, as well as with the competent authorities of Member States and the Commission.
HAS ADOPTED THIS REGULATION:
Article 1U.K.Subject matter
This Regulation sets out key elements to be included in the data storage contracts referred to in Article 15(8) of Directive 2014/40/EU.
Article 2U.K.Definitions
For the purpose of this Regulation, in addition to the definitions laid down in Directive 2014/40/EU and Implementing Regulation (EU) 2018/574, the following definitions shall apply:
(1)
‘contract’ means a contractual agreement between a manufacturer or importer of tobacco products and a provider of data storage systems in accordance with Article 15(8) of Directive 2014/40/EU and Implementing Regulation (EU) 2018/574;
(2)
‘provider’ means any legal person contracted by a manufacturer or importer of tobacco products for the purpose of establishing and operating its primary repository and the related services;
(3)
‘data portability’ means the ability to move data among different repositories, by the use of technology that is readily available on the market and commonly used in the sector.
Article 3U.K.Key responsibilities under the contract
1.The contract shall specify the key services to be rendered by the provider, which shall include:
(1)
the establishment and operation of a primary repository in accordance with Article 26 of Implementing Regulation (EU) 2018/574;
(2)
in the case the operator of the primary repository is appointed as provider of the secondary repository, the establishment and operation of the secondary repository and the router, in accordance with Articles 27, 28 and 29 of Implementing Regulation (EU) 2018/574;
(3)
the provision, upon request, of other ancillary technical services connected with the operation of the primary repository that contribute to the proper functioning of the repositories system.
2.In defining the key services referred to in points (1) and (2) of paragraph 1, the contract shall contain specifications relating to the operability, availability and performance of the services meeting the minimum requirements specified in this Regulation and laid down in Chapter V of Implementing Regulation (EU) 2018/574.
Article 4U.K.Technical expertise
The contract shall require providers to issue to the manufacturer or importer a written declaration that they hold, or have at their disposal, the technical and operational expertise necessary to carry out the services referred to in Article 3 and to comply with the requirements laid down in Chapter V of Implementing Regulation (EU) 2018/574.
Article 5U.K.Availability of the primary repository
1.The contract shall specify a guaranteed monthly uptime and availability of 99,5 % for the primary repository.
2.The contract shall require that appropriate back-up mechanisms are put in place by the provider to prevent any loss of data that is stored, received or transferred at the time the primary repository becomes unavailable.
Article 6U.K.Access rights
The contract shall specify the requirements for physical and virtual access to be granted, at server and database level, to national administrators of Member States, the Commission, and appointed external auditors to the primary repository, in accordance with Article 25 of Implementing Regulation (EU) 2018/574.
Article 7U.K.Sub-contracting
1.Where the contract specifies that the provider may subcontract certain obligations under the contract, it shall contain a provision clarifying that the subcontract does not affect the primary responsibility of the provider for the performance of the contract.
2.The contract shall further require the provider:
(a)to ensure that the proposed subcontractor has the necessary technical expertise and meets the requirements of independence laid down in Article 35 of Implementing Regulation (EU) 2018/574.
(b)to submit to the Commission a copy of the declaration referred to in Article 8 of this Regulation signed by the respective sub-contractor(s).
Article 8U.K.Legal and financial independence
The contract shall require providers and, where applicable, their sub-contractors, to issue to the manufacturer or importer, together with the data storage contract, a written declaration that they comply with the requirements for legal and financial independence as laid down in Article 35 of Implementing Regulation (EU) 2018/574.
Article 9U.K.Data protection and confidentiality
1.The contract shall specify that the provider shall put in place all appropriate measures necessary to ensure the confidentiality, integrity and availability of all data stored in the performance of the contract. Such measures shall include administrative, technical and physical safety and security controls.
2.The contract shall require that personal data handled under the contract are processed in accordance with Directive 95/46/EC of the European Parliament and of the Council(3).
Article 10U.K.Information security management
The contract shall require providers to declare that the primary repository and, where applicable, the second repository, is managed in accordance with internationally recognised information security management standards. Providers certified to ISO/IEC 27001:2013 shall be presumed to meet those standards.
Article 11U.K.Costs
The contract shall require the costs charged by providers to manufacturers or importers in accordance with Article 30 of Implementing Regulation (EU) 2018/574 to be fair, reasonable, and proportionate to:
(a)
the services rendered; and
(b)
the number of unique identifiers requested over a given period of time by the manufacturer or importer concerned.
Article 12U.K.Participation in secondary repository system
1.The contract shall require the provider to participate in the establishment of the secondary repository system (where the secondary system has not yet been established at the date of the conclusion of the contract) as may be required in accordance with the rules provided for in Chapter V of Implementing Regulation (EU) 2018/574.
2.The contract shall contain a provision that allows for providers to recover from manufacturers and importers of tobacco products the costs arising in connection with the establishment, operation and maintenance of the secondary repository and the router referred to in Chapter V of Implementing Regulation (EU) 2018/574.
Article 13U.K.Duration
The duration of the contract shall be fixed for a minimum of five years with a possibility of renewal subject to agreement of the Parties and the continuing compliance of the provider with the requirements of Directive 2014/40/EU and Implementing Regulation (EU) 2018/574.
Article 14U.K.Communication with other parties
The contract shall require providers to cooperate with one another, as well as with the competent authorities of Member States, to the extent necessary to ensure the effective organisation of the day-to-day functioning of the repositories system.
Article 15U.K.Audits
1.The contract shall lay down terms enabling external auditors approved by the Commission, in accordance with Article 15(8) of Directive 2014/40/EU, to carry out announced and unannounced audits in relation to the primary repository, and, where applicable, the secondary repository, including an assessment of whether the provider and, if applicable, its sub-contractors comply with the relevant legislative requirements.
2.The contract shall specify that external auditors are granted unrestricted physical and virtual access to the primary repository and, where applicable, the secondary repository, and its related services for the duration of the audit.
Article 16U.K.Liability
The contract shall lay down terms detailing the liability of the parties including with respect to direct and indirect damages that may arise under the contract, in accordance with the applicable law. Without prejudice to the applicable law, the contract shall further specify that no limitation of liability exists in case of breach of confidentiality or breach of data protection rules.
Article 17U.K.Termination of contract
1.The contract shall lay down terms regarding the termination of the contract, in accordance with the applicable law. In the case of termination, the contract shall require the terminating Party to notify the Commission, in accordance with the procedural requirements laid down in Annex I to Implementing Regulation (EU) 2018/574.
2.The contract shall require parties to provide a minimum notice period of five months for the termination of the contract.
By derogation to the first subparagraph, the contract shall require manufacturers and importers to terminate the contract immediately:
(a)in the event of a serious breach by the provider of its obligations under the contract,
(b)where the provider becomes, or is in imminent risk of becoming, insolvent under the applicable law.
3.For the purposes of paragraph 2(a) a serious breach shall include:
(a)the failure by the provider to carry out obligations or to perform services provided for under the contract that are critical to the effective functioning of the traceability system, including in particular, the failure to comply with requirements laid down in Chapter V of Implementing Regulation (EU) 2018/574,
(b)where a provider ceases to comply with the requirements for legal and financial independence laid down in Article 35(2) of Implementing Regulation (EU) 2018/574 and where, by the expiry of the time-period referred to in Article 35(6) of Implementing Regulation (EU) 2018/574, compliance with the requirements could not be established.
Article 18U.K.Suspension of services
The contract shall specify that suspension of services in case of late payments by a manufacturer or importer to the provider shall be prohibited, unless the delay exceeds the final payment deadline by thirty days or more.
Article 19U.K.Data portability
1.The contract shall require providers to ensure full data portability in cases where a manufacturer or importer contracts a new provider to operate its primary repository. The current provider shall deliver to the new provider, prior to the date of termination of the contract, an up-to-date copy of all data stored in the primary repository. Any updates to the data after that delivery shall be migrated to the new provider without undue delay.
2.In order to ensure business continuity, the contract shall include an applicable exit plan laying down the procedure to be followed in case of the termination of the contract and a new provider is contracted by the manufacturer or importer. The plan shall include a requirement for the current provider to continue providing its services until the new provider becomes operational.
3.The contract shall contain provisions ensuring that the current provider has no right of retention with respect to any data, information or other necessary material related to the primary repository after they have been delivered to the new provider.
Article 20U.K.Applicable law and jurisdiction
1.The contract shall be governed by the laws of one of the Member States of the European Union, as agreed by the parties to the contract.
2.The contract shall be subject to the jurisdiction of one of the Member States of the European Union, as agreed by the parties to the contract.
Article 21U.K.Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 15 December 2017.
For the Commission
The President
Jean-Claude Juncker
(2)
Commission Implementing Regulation (EU) 2018/574 of 15 December 2017 on technical standards for the establishment and operation of a traceability system for tobacco products (see page 7 of this Official Journal).
(3)
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).
Options/Help
Print Options
PrintThe Whole Regulation
Mae deddfwriaeth ar gael mewn fersiynau gwahanol:
Y Diweddaraf sydd Ar Gael (diwygiedig):Y fersiwn ddiweddaraf sydd ar gael o’r ddeddfwriaeth yn cynnwys newidiadau a wnaed gan ddeddfwriaeth ddilynol ac wedi eu gweithredu gan ein tîm golygyddol. Gellir gweld y newidiadau nad ydym wedi eu gweithredu i’r testun eto yn yr ardal ‘Newidiadau i Ddeddfwriaeth’.
Gwreiddiol (Fel y’i mabwysiadwyd gan yr UE): Mae'r wreiddiol version of the legislation as it stood when it was first adopted in the EU. No changes have been applied to the text.
Gweler y wybodaeth ychwanegol ochr yn ochr â’r cynnwys
Rhychwant ddaearyddol: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Dangos Llinell Amser Newidiadau: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Dewisiadau Agor
Dewisiadau gwahanol i agor deddfwriaeth er mwyn gweld rhagor o gynnwys ar y sgrin ar yr un pryd
Rhagor o Adnoddau
Gallwch wneud defnydd o ddogfennau atodol hanfodol a gwybodaeth ar gyfer yr eitem ddeddfwriaeth o’r tab hwn. Yn ddibynnol ar yr eitem ddeddfwriaeth sydd i’w gweld, gallai hyn gynnwys:
- y PDF print gwreiddiol y fel adopted version that was used for the EU Official Journal
- rhestr o newidiadau a wnaed gan a/neu yn effeithio ar yr eitem hon o ddeddfwriaeth
- pob fformat o’r holl ddogfennau cysylltiedig
- slipiau cywiro
- dolenni i ddeddfwriaeth gysylltiedig ac adnoddau gwybodaeth eraill
Llinell Amser Newidiadau
Mae’r llinell amser yma yn dangos y fersiynau gwahanol a gymerwyd o EUR-Lex yn ogystal ag unrhyw fersiynau dilynol a grëwyd ar ôl y diwrnod ymadael o ganlyniad i newidiadau a wnaed gan ddeddfwriaeth y Deyrnas Unedig.
Cymerir dyddiadau fersiynau’r UE o ddyddiadau’r dogfennau ar EUR-Lex ac efallai na fyddant yn cyfateb â’r adeg pan ddaeth y newidiadau i rym ar gyfer y ddogfen.
Ar gyfer unrhyw fersiynau a grëwyd ar ôl y diwrnod ymadael o ganlyniad i newidiadau a wnaed gan ddeddfwriaeth y Deyrnas Unedig, bydd y dyddiad yn cyd-fynd â’r dyddiad cynharaf y daeth y newid (e.e. ychwanegiad, diddymiad neu gyfnewidiad) a weithredwyd i rym. Am ragor o wybodaeth gweler ein canllaw i ddeddfwriaeth ddiwygiedig ar Ddeall Deddfwriaeth.
Rhagor o Adnoddau
Defnyddiwch y ddewislen hon i agor dogfennau hanfodol sy’n cyd-fynd â’r ddeddfwriaeth a gwybodaeth am yr eitem hon o ddeddfwriaeth. Gan ddibynnu ar yr eitem o ddeddfwriaeth sy’n cael ei gweld gall hyn gynnwys:
- y PDF print gwreiddiol y fel adopted fersiwn a ddefnyddiwyd am y copi print
- slipiau cywiro
liciwch ‘Gweld Mwy’ neu ddewis ‘Rhagor o Adnoddau’ am wybodaeth ychwanegol gan gynnwys
- rhestr o newidiadau a wnaed gan a/neu yn effeithio ar yr eitem hon o ddeddfwriaeth
- manylion rhoi grym a newid cyffredinol
- pob fformat o’r holl ddogfennau cysylltiedig
- dolenni i ddeddfwriaeth gysylltiedig ac adnoddau gwybodaeth eraill
Mae’r holl gynnwys ar gael dan Drwydded Llywodraeth Agored v3.0 ac eithrio ble nodir yn wahanol. Yn ychwanegol mae’r safle hwn â chynnwys sy’n deillio o EUR-Lex, a ailddefnyddiwyd dan delerau Penderfyniad y Comisiwn 2011/833/EU ar ailddefnyddio dogfennau o sefydliadau’r UE. Am ragor o wybodaeth gweler ddatganiad cyhoeddus Swyddfa Gyhoeddiadau’r UE ar ailddefnyddio.