Commission Implementing Decision 2019/1765 of 22 October 2019 providing the rules for the establishment, the management and the functioning of the network of national authorities responsible for eHealth, and repealing Implementing Decision 2011/890/EU (notified under document C(2019) 7460) (Text with EEA relevance) (c. 1765)

[F1Article 7a U.K. Cross-border exchange of data between national contact tracing and warning mobile applications through the federation gateway

1. Where personal data is exchanged through the federation gateway, the processing shall be limited to the purposes of facilitating the interoperability of national contact tracing and warning mobile applications within the federation gateway and the continuity of contact tracing in a cross-border context.

2. The personal data referred to in paragraph 3 shall be transmitted to the federation gateway in a pseudonymised format.

3. The pseudonymised personal data exchanged through and processed in the federation gateway shall only comprise the following information:

(a) the keys transmitted by the national contact tracing and warning mobile applications up to 14 days prior to the date of upload of the keys;

(b) log data associated to the keys in line with the technical specifications protocol used in the country of origin of the keys;

(d) the countries of interest and the country of origin of the keys.

4. The designated national authorities or official bodies processing personal data in the federation gateway shall be joint controllers of the data processed in the federation gateway. The respective responsibilities of the joint controllers shall be allocated in accordance with Annex II. Each Member State wishing to participate in the cross-border exchange of data between national contact tracing and warning mobile applications shall notify the Commission, prior to joining, of its intention and indicate the national authority or official body that has been designated as the responsible controller.

5. The Commission shall be the processor of personal data processed within the federation gateway. In its capacity as processor, the Commission shall ensure the security of processing, including the transmission and hosting, of personal data within the federation gateway and shall comply with the obligations of a processor laid down in Annex III.

6. The effectiveness of the technical and organisational measures for ensuring the security of processing of personal data within the federation gateway shall be regularly tested, assessed and evaluated by the Commission and by the national authorities authorised to access the federation gateway.

7. Without prejudice to the decision of the joint controllers to terminate the processing in the federation gateway, the operation of the federation gateway shall be deactivated at the latest 14 days after all the connected national contact tracing and warning mobile applications cease to transmit keys through the federation gateway.]

Textual Amendments

F1 Inserted by Commission Implementing Decision (EU) 2020/1023 of 15 July 2020 amending Implementing Decision (EU) 2019/1765 as regards the cross-border exchange of data between national contact tracing and warning mobile applications with regard to combatting the COVID-19 pandemic (Text with EEA relevance).