
Article 1 
Implementing Decision (EU) 2019/1765 is amended as follows:

((1)) in Article 2(1), the following points (g), (h), (i), (j), (k), (l), (m), (n) and (o) are inserted:
'
((g)) “application user” means a person in possession of a smart device who has downloaded and runs an approved contact tracing and warning mobile application;
((h)) “contact tracing” means measures implemented in order to trace persons who have been exposed to a source of a serious cross-border threat to health within the meaning of Article 3(c) of Decision No 1082/2013/EU of the European Parliament and of the Council;
((i)) “national contact tracing and warning mobile application” means a software application approved at national level running on smart devices, in particular smartphones, designed usually for wide-ranging and targeted interaction with web resources, which processes proximity data and other contextual information collected by many sensors found in the smart devices for the purpose of tracing contacts with persons infected with SARS-CoV-2 and alerting persons who may have been exposed to SARS-CoV-2. These mobile applications are able to detect the presence of other devices using Bluetooth and exchange information with backend servers by using the internet;
((j)) “federation gateway” means a network gateway operated by the Commission through a secure IT tool that receives, stores and makes available a minimum set of personal data between Member States’ backend servers for the purpose of ensuring the interoperability of national contact tracing and warning mobile applications;
((k)) “key” means a unique ephemeral identifier related to an application user reporting to have been infected with SARS-CoV-2, or who may have been exposed to SARS-CoV-2;
((l)) “verification of infection” means the method applied for confirming an infection with SARS-CoV-2, namely whether this was self-reported by the application user or resulted from confirmation from a national health authority or a laboratory test;
((m)) “countries of interest” means the Member State, or Member States, where an application user has been in the 14 days prior to the date of upload of the keys and where he has downloaded the approved national contact tracing and warning mobile application and/or has travelled;
((n)) “country of origin of the keys” means the Member State where the backend server that uploaded the keys to the federation gateway is located;
((o)) “log data” means an automatic record of an activity in relation to the exchange of, and access to, data processed through the federation gateway, that show in particular the type of processing activity, the date and time of the processing activity, and the identifier of the person processing the data.';
((2)) in Article 4(1), the following point (h) is inserted:
'
((h)) provide guidance to the Member States on the cross-border exchange of personal data through the federation gateway between national contact tracing and warning mobile applications.';
((3)) in Article 6(1), the following points (f) and (g) are inserted:
'
((f)) develop, implement and maintain appropriate technical and organisational measures related to the security of transmission and hosting of personal data in the federation gateway for the purpose of ensuring the interoperability of national contact tracing and warning mobile applications;
((g)) support the eHealth Network in agreeing on the technical and organisational compliance of the national authorities with the requirements for the cross-border exchange of personal data in the federation gateway by providing and carrying out the necessary tests and audits. Experts from the Member States may assist the Commission auditors.';
((4)) Article 7 is amended as follows:

((a)) the title is replaced by ‘Protection of personal data processed through the eHealth Digital Service Infrastructure’;
((b)) in paragraph 2 ‘Annex’ is replaced by ‘Annex I’;
((5)) the following Article 7a is inserted:
'
Article 7a 

1. Where personal data is exchanged through the federation gateway, the processing shall be limited to the purposes of facilitating the interoperability of national contact tracing and warning mobile applications within the federation gateway and the continuity of contact tracing in a cross-border context.
2. The personal data referred to in paragraph 3 shall be transmitted to the federation gateway in a pseudonymised format.
3. The pseudonymised personal data exchanged through and processed in the federation gateway shall only comprise the following information:
(a) the keys transmitted by the national contact tracing and warning mobile applications up to 14 days prior to the date of upload of the keys;
(b) log data associated to the keys in line with the technical specifications protocol used in the country of origin of the keys;
(c) the verification of infection;
(d) the countries of interest and the country of origin of the keys.
4. The designated national authorities or official bodies processing personal data in the federation gateway shall be joint controllers of the data processed in the federation gateway. The respective responsibilities of the joint controllers shall be allocated in accordance with Annex II. Each Member State wishing to participate in the cross-border exchange of data between national contact tracing and warning mobile applications shall notify the Commission, prior to joining, of its intention and indicate the national authority or official body that has been designated as the responsible controller.
5. The Commission shall be the processor of personal data processed within the federation gateway. In its capacity as processor, the Commission shall ensure the security of processing, including the transmission and hosting, of personal data within the federation gateway and shall comply with the obligations of a processor laid down in Annex III.
6. The effectiveness of the technical and organisational measures for ensuring the security of processing of personal data within the federation gateway shall be regularly tested, assessed and evaluated by the Commission and by the national authorities authorised to access the federation gateway.
7. Without prejudice to the decision of the joint controllers to terminate the processing in the federation gateway, the operation of the federation gateway shall be deactivated at the latest 14 days after all the connected national contact tracing and warning mobile applications cease to transmit keys through the federation gateway.';
((6)) the Annex becomes Annex I;
((7)) Annexes II and III are added, the text of which is set out in the Annex to this Decision.
Article 2 
This Decision shall enter into force on the day following that of its publication in the Official Journal of the European Union.
Done at Brussels, 15 July 2020.
For the Commission
The President
Ursula VON DER LEYEN
ANNEX

In Implementing Decision (EU) 2019/1765, the following Annexes II and III are added:
'
ANNEX II 
SECTION 1
Subsection 1 (1) The joint controllers shall process personal data through the federation gateway in accordance with the technical specifications stipulated by the eHealth Network.
 (2) Each controller shall be responsible for the processing of personal data in the federation gateway in accordance with the General Data Protection Regulation and Directive 2002/58/EC.
 (3) Each controller shall set up a contact point with a functional mailbox that will serve for the communication between the joint controllers and between the joint controllers and the processor.
 (4) A temporary subgroup set up by the eHealth network in accordance with Article 5(4) shall be tasked to examine any issues arising from the interoperability of national contact tracing and warning mobile applications and from the joint controllership of related processing of personal data and to facilitate coordinated instructions to the Commission as a processor. Amongst other issues, the controllers may, in the framework of the temporary subgroup, work towards a common approach on the retention of data in their national backend servers, taking into account the retention period set forth in the federation gateway.
 (5) Instructions to the processor shall be sent by any of the joint controllers’ contact point, in agreement with the other joint controllers in the subgroup referred to above.
 (6) Only persons authorised by the designated national authorities or official bodies may access personal data of users exchanged in the federation gateway.
 (7) Each designated national authority or official body shall cease to be joint controller from the date of withdrawal of its participation in the federation gateway. It shall however remain responsible for processing in the federation gateway that occurred prior to its withdrawal.

Subsection 2 (1) Each controller shall provide the users of its national contact tracing and warning mobile application (“the data subjects”) with information about the processing of their personal data in the federation gateway for the purposes of cross-border interoperability of the national contact tracing and warning mobile applications, in accordance with Articles 13 and 14 of the General Data Protection Regulation.
 (2) Each controller shall act as the contact point for the users of its national contact tracing and warning mobile application and shall handle the requests relating to the exercise of the rights of data subjects in accordance with the General Data Protection Regulation, submitted by those users or their representatives. Each controller shall designate a specific contact point dedicated to requests received from data subjects. If a joint controller receives a request from a data subject, which does not fall under its responsibility, it shall promptly forward it to the responsible joint controller. If requested, the joint controllers shall assist each other in handling data subjects’ requests and shall reply to each other without undue delay and at the latest within 15 days from receiving a request for assistance.
 (3) Each controller shall make available to the data subjects the content of this Annex including the arrangements laid down in points 1 and 2.

SECTION 2 (1) The joint controllers shall assist each other in the identification and handling of any security incidents, including personal data breaches, linked to the processing in the federation gateway.
 (2) 

a)) any potential or actual risks to the availability, confidentiality and/or integrity of the personal data undergoing processing in the federation gateway;
b)) any security incidents that are linked to the processing operation in the federation gateway;
c)) any personal data breach, the likely consequences of the personal data breach and the assessment of the risk to the rights and freedoms of natural persons, and any measures taken to address the personal data breach and mitigate the risk to the rights and freedoms of natural persons;
d)) any breach of the technical and/or organisational safeguards of the processing operation in the federation gateway.
 (3) The joint controllers shall communicate any personal data breaches with regard to the processing operation in the federation gateway to the Commission, to the competent supervisory authorities and, where required so, to data subjects, in accordance with Articles 33 and 34 of Regulation (EU) 2016/679 or following notification by the Commission.

SECTION 3
If a controller, in order to comply with its obligations specified in Articles 35 and 36 of the General Data Protection Regulation needs information from another controller, it shall send a specific request to the functional mailbox referred to in Subsection 1(3) of Section 1. The latter shall use its best efforts to provide such information.

ANNEX III 
The Commission shall:


((1)) Set up and ensure a secure and reliable communication infrastructure that interconnects national contact tracing and warning mobile applications of the Member States participating in the federation gateway. To fulfil its obligations as data processor of the federation gateway, the Commission may engage third parties as sub-processors; the Commission shall inform the joint controllers of any intended changes concerning the addition or replacement of other sub-processors thereby giving the controllers the opportunity to jointly object to such changes as set out in Annex II, Subsection 1(4) of Section 1. The Commission shall ensure that the same data protection obligations as set out in this Decision apply to these sub-processors.
((2)) Process the personal data, only based on documented instructions from the controllers, unless required to do so by Union or Member State law; in such a case, the Commission shall inform the controllers of that legal requirement before processing, unless that law prohibits submitting such information on important grounds of public interest.
((3)) The processing by the Commission entails the following:

a)) Authentication of national backend servers, based on national backend server certificates;
b)) Reception of the data referred to in Article 7a, paragraph 3, of the Implementing Decision uploaded by national backend servers by providing an application programming interface that allows national backend servers to upload the relevant data;
c)) Storage of the data in the federation gateway, upon receiving them from national backend servers;
d)) Making the data available for download by national backend servers;
e)) Deletion of the data when all participating backend servers have downloaded them or 14 days after their reception, whichever is earlier.
f)) After the end of the provision of service, delete any remaining data unless Union or Member State law requires storage of the personal data.
The processor shall take the necessary measures to preserve the integrity of the data processed.
((4)) Take all state of the art organisational, physical and logical security measures to maintain the federation gateway. To this end, the Commission shall:

a)) designate a responsible entity for the security management at the level of the federation gateway, communicate to the controllers its contact information and ensure its availability to react to security threats;
b)) assume the responsibility for the security of the federation gateway;
c)) ensure that all individuals that are granted access to the federation gateway are subject to contractual, professional or statutory obligation of confidentiality;
((5)) Take all necessary security measures to avoid compromising the smooth operational functioning of the national backend servers. To this end, the Commission shall put in place specific procedures related to the connection from the backend servers to the federation gateway. This includes:

a)) risk assessment procedure, to identify and estimate potential threats to the system;
b)) audit and review procedure to:

i.. check the correspondence between the implemented security measures and the applicable security policy;
ii.. control on a regular basis the integrity of system files, security parameters and granted authorisations;
iii.. monitor to detect security breaches and intrusions;
iv.. implement changes to mitigate existing security weaknesses
v.. allow for, including at the request of controllers, and contribute to, the performance of independent audits, including inspections, and reviews on security measures, subject to conditions that respect Protocol (No 7) to the TFEU on the Privileges and Immunities of the European Union;
c)) changing the control procedure to document and measure the impact of a change before its implementation and keep the controllers informed of any changes that can affect the communication with and/or the security of their infrastructures;
d)) laying down a maintenance and repair procedure to specify the rules and conditions to be respected when maintenance and/or repair of equipment should be performed;
e)) laying down a security incident procedure to define the reporting and escalation scheme, inform without delay the controllers, as well as the European Data Protection Supervisor of any personal data breach and define a disciplinary process to deal with security breaches.
((6)) Take state of the art physical and/or logical security measures for the facilities hosting the federation gateway equipment and for the controls of logical data and security access. To this end, the Commission shall:

a)) enforce physical security to establish distinct security perimeters and allowing detection of breaches;
b)) control access to the facilities and maintain a visitor register for tracing purposes;
c)) ensure that external people granted access to the premises are escorted by duly authorised staff;
d)) ensure that equipment cannot be added, replaced or removed without prior authorisation of the designated responsible bodies;
e)) control access from and to the national backend servers to the federation gateway;
f)) ensure that individuals who access the federation gateway are identified and authenticated;
g)) review the authorisation rights related to the access to the federation gateway in case of a security breach affecting this infrastructure;
h)) keep the integrity of the information transmitted through the federation gateway;
i)) implement technical and organisational security measures to prevent unauthorised access to personal data;
j)) implement, whenever necessary, measures to block unauthorised access to the federation gateway from the domain of the national authorities (i.e.: block a location/IP address).
((7)) Take steps to protect its domain, including the severing of connections, in the event of substantial deviation from the principles and concepts for quality or security.
((8)) Maintain a risk management plan related to its area of responsibility.
((9)) Monitor – in real time – the performance of all the service components of its federation gateway services, produce regular statistics and keep records.
((10)) Provide support for all federation gateway services in English, 24/7 via phone, mail or Web Portal and accept calls from authorised callers: the federation gateway’s coordinators and their respective helpdesks, Project Officers and designated persons from the Commission.
((11)) Assist the controllers by appropriate technical and organisational measures, insofar as it is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the General Data Protection Regulation.
((12)) Support the controllers by providing information concerning the federation gateway, in order to implement the obligations pursuant to Articles 32, 35 and 36 of the General Data Protection Regulation.
((13)) Ensure that data processed within the federation gateway is unintelligible to any person who is not authorised to access it.
((14)) Take all relevant measures to prevent that the federation gateway’s operators have unauthorised access to transmitted data.
((15)) Take measures in order to facilitate the interoperability and the communication between the federation gateway’s designated controllers.
((16)) Maintain a record of processing activities carried out on behalf of the controllers in accordance with Article 31(2) of Regulation (EU) 2018/1725.
'
