The Commission shall:

1. (1)

   Set up and ensure a secure and reliable communication infrastructure that interconnects national contact tracing and warning mobile applications of the Member States participating in the federation gateway. To fulfil its obligations as data processor of the federation gateway, the Commission may engage third parties as sub-processors; the Commission shall inform the joint controllers of any intended changes concerning the addition or replacement of other sub-processors thereby giving the controllers the opportunity to jointly object to such changes as set out in Annex II, Subsection 1(4) of Section 1. The Commission shall ensure that the same data protection obligations as set out in this Decision apply to these sub-processors.

2. (2)

   Process the personal data, only based on documented instructions from the controllers, unless required to do so by Union or Member State law; in such a case, the Commission shall inform the controllers of that legal requirement before processing, unless that law prohibits submitting such information on important grounds of public interest.

3. (3)

   The processing by the Commission entails the following:

   1. a)

      Authentication of national backend servers, based on national backend server certificates;

   2. b)

      Reception of the data referred to in Article 7a, paragraph 3, of the Implementing Decision uploaded by national backend servers by providing an application programming interface that allows national backend servers to upload the relevant data;

   3. c)

      Storage of the data in the federation gateway, upon receiving them from national backend servers;

   4. d)

      Making the data available for download by national backend servers;

   5. e)

      Deletion of the data when all participating backend servers have downloaded them or 14 days after their reception, whichever is earlier.

   6. f)

      After the end of the provision of service, delete any remaining data unless Union or Member State law requires storage of the personal data.

   The processor shall take the necessary measures to preserve the integrity of the data processed.

4. (4)

   Take all state of the art organisational, physical and logical security measures to maintain the federation gateway. To this end, the Commission shall:

   1. a)

      designate a responsible entity for the security management at the level of the federation gateway, communicate to the controllers its contact information and ensure its availability to react to security threats;

   2. b)

      assume the responsibility for the security of the federation gateway;

   3. c)

      ensure that all individuals that are granted access to the federation gateway are subject to contractual, professional or statutory obligation of confidentiality;

5. (5)

   Take all necessary security measures to avoid compromising the smooth operational functioning of the national backend servers. To this end, the Commission shall put in place specific procedures related to the connection from the backend servers to the federation gateway. This includes:

   1. a)

      risk assessment procedure, to identify and estimate potential threats to the system;

   2. b)

      audit and review procedure to:

      1. i.

         check the correspondence between the implemented security measures and the applicable security policy;

      2. ii.

         control on a regular basis the integrity of system files, security parameters and granted authorisations;

      3. iii.

         monitor to detect security breaches and intrusions;

      4. iv.

         implement changes to mitigate existing security weaknesses

      5. v.

         allow for, including at the request of controllers, and contribute to, the performance of independent audits, including inspections, and reviews on security measures, subject to conditions that respect Protocol (No 7) to the TFEU on the Privileges and Immunities of the European Union16;

   3. c)

      changing the control procedure to document and measure the impact of a change before its implementation and keep the controllers informed of any changes that can affect the communication with and/or the security of their infrastructures;

   4. d)

      laying down a maintenance and repair procedure to specify the rules and conditions to be respected when maintenance and/or repair of equipment should be performed;

   5. e)

      laying down a security incident procedure to define the reporting and escalation scheme, inform without delay the controllers, as well as the European Data Protection Supervisor of any personal data breach and define a disciplinary process to deal with security breaches.

6. (6)

   Take state of the art physical and/or logical security measures for the facilities hosting the federation gateway equipment and for the controls of logical data and security access. To this end, the Commission shall:

   1. a)

      enforce physical security to establish distinct security perimeters and allowing detection of breaches;

   2. b)

      control access to the facilities and maintain a visitor register for tracing purposes;

   3. c)

      ensure that external people granted access to the premises are escorted by duly authorised staff;

   4. d)

      ensure that equipment cannot be added, replaced or removed without prior authorisation of the designated responsible bodies;

   5. e)

      control access from and to the national backend servers to the federation gateway;

   6. f)

      ensure that individuals who access the federation gateway are identified and authenticated;

   7. g)

      review the authorisation rights related to the access to the federation gateway in case of a security breach affecting this infrastructure;

   8. h)

      keep the integrity of the information transmitted through the federation gateway;

   9. i)

      implement technical and organisational security measures to prevent unauthorised access to personal data;

   10. j)

       implement, whenever necessary, measures to block unauthorised access to the federation gateway from the domain of the national authorities (i.e.: block a location/IP address).

7. (7)

   Take steps to protect its domain, including the severing of connections, in the event of substantial deviation from the principles and concepts for quality or security.

8. (8)

   Maintain a risk management plan related to its area of responsibility.

9. (9)

   Monitor – in real time – the performance of all the service components of its federation gateway services, produce regular statistics and keep records.

10. (10)

    Provide support for all federation gateway services in English, 24/7 via phone, mail or Web Portal and accept calls from authorised callers: the federation gateway’s coordinators and their respective helpdesks, Project Officers and designated persons from the Commission.

11. (11)

    Assist the controllers by appropriate technical and organisational measures, insofar as it is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the General Data Protection Regulation.

12. (12)

    Support the controllers by providing information concerning the federation gateway, in order to implement the obligations pursuant to Articles 32, 35 and 36 of the General Data Protection Regulation.

13. (13)

    Ensure that data processed within the federation gateway is unintelligible to any person who is not authorised to access it.

14. (14)

    Take all relevant measures to prevent that the federation gateway’s operators have unauthorised access to transmitted data.

15. (15)

    Take measures in order to facilitate the interoperability and the communication between the federation gateway’s designated controllers.

16. (16)

    Maintain a record of processing activities carried out on behalf of the controllers in accordance with Article 31(2) of Regulation (EU) 2018/1725.