- Latest available (Revised)
- Original (As adopted by EU)
Commission Implementing Decision 2019/1765Show full title
Commission Implementing Decision 2019/1765 of 22 October 2019 providing the rules for the establishment, the management and the functioning of the network of national authorities responsible for eHealth, and repealing Implementing Decision 2011/890/EU (notified under document C(2019) 7460) (Text with EEA relevance)
You are here:
What Version
Advanced Features
- Show Geographical Extent(e.g. England, Wales, Scotland and Northern Ireland)
- Show Timeline of Changes
More Resources
Revised version PDFs
- Revised 17/07/20200.26 MB
Legislation originating from the EU
When the UK left the EU, legislation.gov.uk published EU legislation that had been published by the EU up to IP completion day (31 December 2020 11.00 p.m.). On legislation.gov.uk, these items of legislation are kept up-to-date with any amendments made by the UK since then.
This item of legislation originated from the EU
Legislation.gov.uk publishes the UK version. EUR-Lex publishes the EU version. The EU Exit Web Archive holds a snapshot of EUR-Lex’s version from IP completion day (31 December 2020 11.00 p.m.).
Changes over time for: ANNEX III
Changes to legislation:
There are currently no known outstanding effects for the Commission Implementing Decision 2019/1765,
ANNEX III
.
Changes to Legislation
Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.
[F1ANNEX III U.K. RESPONSIBILITIES OF THE COMMISSION AS DATA PROCESSOR FOR THE FEDERATION GATEWAY FOR CROSS-BORDER PROCESSING BETWEEN NATIONAL CONTACT TRACING AND WARNING MOBILE APPLICATIONS
Textual Amendments
F1 Inserted by Commission Implementing Decision (EU) 2020/1023 of 15 July 2020 amending Implementing Decision (EU) 2019/1765 as regards the cross-border exchange of data between national contact tracing and warning mobile applications with regard to combatting the COVID-19 pandemic (Text with EEA relevance).
The Commission shall:
(1)
Set up and ensure a secure and reliable communication infrastructure that interconnects national contact tracing and warning mobile applications of the Member States participating in the federation gateway. To fulfil its obligations as data processor of the federation gateway, the Commission may engage third parties as sub-processors; the Commission shall inform the joint controllers of any intended changes concerning the addition or replacement of other sub-processors thereby giving the controllers the opportunity to jointly object to such changes as set out in Annex II, Subsection 1(4) of Section 1. The Commission shall ensure that the same data protection obligations as set out in this Decision apply to these sub-processors.
(2)
Process the personal data, only based on documented instructions from the controllers, unless required to do so by Union or Member State law; in such a case, the Commission shall inform the controllers of that legal requirement before processing, unless that law prohibits submitting such information on important grounds of public interest.
(3)
The processing by the Commission entails the following:
a)
Authentication of national backend servers, based on national backend server certificates;
b)
Reception of the data referred to in Article 7a, paragraph 3, of the Implementing Decision uploaded by national backend servers by providing an application programming interface that allows national backend servers to upload the relevant data;
c)
Storage of the data in the federation gateway, upon receiving them from national backend servers;
d)
Making the data available for download by national backend servers;
e)
Deletion of the data when all participating backend servers have downloaded them or 14 days after their reception, whichever is earlier.
f)
After the end of the provision of service, delete any remaining data unless Union or Member State law requires storage of the personal data.
The processor shall take the necessary measures to preserve the integrity of the data processed.
(4)
Take all state of the art organisational, physical and logical security measures to maintain the federation gateway. To this end, the Commission shall:
a)
designate a responsible entity for the security management at the level of the federation gateway, communicate to the controllers its contact information and ensure its availability to react to security threats;
b)
assume the responsibility for the security of the federation gateway;
c)
ensure that all individuals that are granted access to the federation gateway are subject to contractual, professional or statutory obligation of confidentiality;
(5)
Take all necessary security measures to avoid compromising the smooth operational functioning of the national backend servers. To this end, the Commission shall put in place specific procedures related to the connection from the backend servers to the federation gateway. This includes:
a)
risk assessment procedure, to identify and estimate potential threats to the system;
b)
audit and review procedure to:
i.
check the correspondence between the implemented security measures and the applicable security policy;
ii.
control on a regular basis the integrity of system files, security parameters and granted authorisations;
iii.
monitor to detect security breaches and intrusions;
iv.
implement changes to mitigate existing security weaknesses
v.
allow for, including at the request of controllers, and contribute to, the performance of independent audits, including inspections, and reviews on security measures, subject to conditions that respect Protocol (No 7) to the TFEU on the Privileges and Immunities of the European Union (1) ;
c)
changing the control procedure to document and measure the impact of a change before its implementation and keep the controllers informed of any changes that can affect the communication with and/or the security of their infrastructures;
d)
laying down a maintenance and repair procedure to specify the rules and conditions to be respected when maintenance and/or repair of equipment should be performed;
e)
laying down a security incident procedure to define the reporting and escalation scheme, inform without delay the controllers, as well as the European Data Protection Supervisor of any personal data breach and define a disciplinary process to deal with security breaches.
(6)
Take state of the art physical and/or logical security measures for the facilities hosting the federation gateway equipment and for the controls of logical data and security access. To this end, the Commission shall:
a)
enforce physical security to establish distinct security perimeters and allowing detection of breaches;
b)
control access to the facilities and maintain a visitor register for tracing purposes;
c)
ensure that external people granted access to the premises are escorted by duly authorised staff;
d)
ensure that equipment cannot be added, replaced or removed without prior authorisation of the designated responsible bodies;
e)
control access from and to the national backend servers to the federation gateway;
f)
ensure that individuals who access the federation gateway are identified and authenticated;
g)
review the authorisation rights related to the access to the federation gateway in case of a security breach affecting this infrastructure;
h)
keep the integrity of the information transmitted through the federation gateway;
i)
implement technical and organisational security measures to prevent unauthorised access to personal data;
j)
implement, whenever necessary, measures to block unauthorised access to the federation gateway from the domain of the national authorities (i.e.: block a location/IP address).
(7)
Take steps to protect its domain, including the severing of connections, in the event of substantial deviation from the principles and concepts for quality or security.
(8)
Maintain a risk management plan related to its area of responsibility.
(9)
Monitor – in real time – the performance of all the service components of its federation gateway services, produce regular statistics and keep records.
(10)
Provide support for all federation gateway services in English, 24/7 via phone, mail or Web Portal and accept calls from authorised callers: the federation gateway’s coordinators and their respective helpdesks, Project Officers and designated persons from the Commission.
(11)
Assist the controllers by appropriate technical and organisational measures, insofar as it is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the General Data Protection Regulation.
(12)
Support the controllers by providing information concerning the federation gateway, in order to implement the obligations pursuant to Articles 32, 35 and 36 of the General Data Protection Regulation.
(13)
Ensure that data processed within the federation gateway is unintelligible to any person who is not authorised to access it.
(14)
Take all relevant measures to prevent that the federation gateway’s operators have unauthorised access to transmitted data.
(15)
Take measures in order to facilitate the interoperability and the communication between the federation gateway’s designated controllers.
(16)
Maintain a record of processing activities carried out on behalf of the controllers in accordance with Article 31(2) of Regulation (EU) 2018/1725.]
(1)
[F1Protocol (No 7) on the Privileges and Immunities of the European Union ( OJ C 326, 26.10.2012, p. 266 ).]
Textual Amendments
F1 Inserted by Commission Implementing Decision (EU) 2020/1023 of 15 July 2020 amending Implementing Decision (EU) 2019/1765 as regards the cross-border exchange of data between national contact tracing and warning mobile applications with regard to combatting the COVID-19 pandemic (Text with EEA relevance).
Options/Help
Print Options
PrintThe Whole Decision
PrintThis Annex only
Legislation is available in different versions:
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As adopted by EU): The original version of the legislation as it stood when it was first adopted in the EU. No changes have been applied to the text.
See additional information alongside the content
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Opening Options
Different options to open legislation in order to view more content on screen at once
More Resources
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
- the original print PDF of the as adopted version that was used for the EU Official Journal
- lists of changes made by and/or affecting this legislation item
- all formats of all associated documents
- correction slips
- links to related legislation and further information resources
Timeline of Changes
This timeline shows the different versions taken from EUR-Lex before exit day and during the implementation period as well as any subsequent versions created after the implementation period as a result of changes made by UK legislation.
The dates for the EU versions are taken from the document dates on EUR-Lex and may not always coincide with when the changes came into force for the document.
For any versions created after the implementation period as a result of changes made by UK legislation the date will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. For further information see our guide to revised legislation on Understanding Legislation.
More Resources
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
- the original print PDF of the as adopted version that was used for the print copy
- correction slips
Click 'View More' or select 'More Resources' tab for additional information including:
- lists of changes made by and/or affecting this legislation item
- confers power and blanket amendment details
- all formats of all associated documents
- links to related legislation and further information resources
All content is available under the Open Government Licence v3.0 except where otherwise stated. This site additionally contains content derived from EUR-Lex, reused under the terms of the Commission Decision 2011/833/EU on the reuse of documents from the EU institutions. For more information see the EUR-Lex public statement on re-use.