Guidelines for the EU rapid information system Safety Gate (formerly RAPEX)

KEY POINTS

The decision, as amended by Decision (EU) 2023/975, comprises two annexes.

• Annex I. Guidelines for the management of Safety Gate.
• Annex II. Joint controllership of Safety Gate.

Annex I

Scope

These guidelines cover two sets of products:

• products covered by the GPSD;
• products covered by Regulation (EC) No 765/2008 on the accreditation and market surveillance of non-food products, which implies the inclusion of professional products and the extension of the risks to other risks than those for the health and safety of consumers, for example environmental risks.

The decision does not cover the following:

• food and feed and other products covered by Regulation (EC) No 178/2002;
• medicinal products covered by Directive 2001/83/EC on medicines for humans (see summary) and Regulation (EU) 2019/6 on veterinary medicines (see summary);
• medical devices covered by Regulation (EU) 2017/745;
• second-hand products, antiques or products to be repaired or reconditioned prior to use;
• equipment used by professional service providers to supply a service.

Safety Gate

Safety Gate was originally set up for the rapid exchange of information between Member States and the Commission on products posing a serious risk to the health and safety of consumers. Its main features are that it:

• prevents and restricts the supply of dangerous products;
• monitors the effectiveness and consistency of market surveillance and enforcement activities;
• identifies needs and provides a basis for action at the EU level;
• ensures consistent enforcement of the EU product safety requirements.

Risk

• Before a Member State’s authority decides to submit a Safety Gate notification, it assesses whether the product to be notified poses a risk to the health and safety of consumers, or, in the case of products covered by Regulation (EC) No 765/2008, a serious risk to the health, safety or security of the end users or to the environment, and thus whether the notification criteria are met.
• Risk assessment guidelines and examples are included in an appendix to the decision.

Action notified through Safety Gate

Measures to prevent or restrict sales can be taken, in relation to products posing a risk, either voluntarily by manufacturers or distributors, or ordered by a Member State’s authority. Measures include, but are not limited to:

• marking a product with warnings about risks;
• making the marketing of a product subject to conditions;
• warning consumers and end users of risks;
• a temporary ban on the product’s supply or display;
• a ban on the marketing of a product;
• the withdrawal of a product from the market;
• the recall of a product from consumers;
• the destruction of a withdrawn or recalled product.

Notifications

Participation in Safety Gate is mandatory for Member States, which must notify the Commission where the following four criteria are met for a product.

• The product falls under the scope of application of the GPSD or under the scope of application of Regulation (EC) No 765/2008.
• It is subject to measures that prevent, restrict or impose specific conditions on its possible marketing or use.
• It poses a risk to the health and safety of consumers, or, in the case of products covered by Regulation (EC) No 765/2008, also to other relevant public interests of the end users.
• It cannot be ruled out that the effect of the serious risk to the health and safety of consumers, or, in the case of products covered by Regulation (EC) No 765/2008, also to other relevant public interests of the end users, goes beyond the territory of the notifying Member State.

Additional rules for notifications covered by the decision include:

• streamlining the processes for notification;
• setting out the notification criteria;
• defining the content of notifications;
• establishing follow-up requirements for Member States;
• describing how notifications and their follow-up are handled by the Commission;
• setting deadlines for the various types of action taken under the notification mechanisms;
• setting out the practical and technical arrangements needed at the Commission and national levels for the notification mechanisms to be employed effectively and efficiently.

Annex II: Joint controllership of Safety Gate

The Commission and Member States’ national authorities responsible for product safety (including market surveillance authorities monitoring the compliance of products with safety requirements and authorities in charge of external border controls) act as joint controllers for processing data in the Safety Gate system.

• The Commission’s responsibilities as a joint controller of personal data include:
  • processing information regarding measures taken against products posing serious risks, imported into or exported from the EU and the European Economic Area (EEA), for transmission to the Safety Gate contact points;
  • processing information received from non-EU countries, international organisations, businesses or other rapid alert systems about products of EU and non-EU origin posing a risk, for transmission to the national authorities;
  • ensuring compliance with the obligations and conditions of Regulation (EU) 2018/1725 regarding these activities.
• National authorities’ responsibilities as joint controllers of personal data include:
  • processing information pursuant to Directive 2001/95/EC and Regulation (EU) 2019/1020 in order to notify the Commission, other Member States and EEA / European Free Trade Association countries;
  • processing information subsequent to their follow-up activities in relation to Safety Gate notifications in order to notify the Commission, other Member States and EEA / European Free Trade Association countries;
  • ensuring compliance with the obligations and conditions of Regulation (EU) 2016/679 regarding these activities.
• The annex also sets out detailed rules on:
  • the categories of data subjects and personal data,
  • providing information to data subjects,
  • handling data subjects’ requests,
  • security of processing,
  • management of security incidents, including personal data breaches,
  • localisation of personal data,
  • recipients of data,
  • recording of processing operations,
  • duration of processing,
  • liability for non-compliance,
  • cooperation between joint controllers,
  • settlement of disputes.