This document is an excerpt from the EUR-Lex website
Document 02017D0253-20210726
Consolidated text: Commission Implementing Decision (EU) 2017/253 of 13 February 2017 laying down procedures for the notification of alerts as part of the early warning and response system established in relation to serious cross-border threats to health and for the information exchange, consultation and coordination of responses to such threats pursuant to Decision No 1082/2013/EU of the European Parliament and of the Council (Text with EEA relevance)
02017D0253 — EN — 26.07.2021 — 002.001
This text is meant purely as a documentation tool and has no legal effect. The Union's institutions do not assume any liability for its contents. The authentic versions of the relevant acts, including their preambles, are those published in the Official Journal of the European Union and available in EUR-Lex. Those official texts are directly accessible through the links embedded in this document
COMMISSION IMPLEMENTING DECISION (EU) 2017/253 of 13 February 2017 laying down procedures for the notification of alerts as part of the early warning and response system established in relation to serious cross-border threats to health and for the information exchange, consultation and coordination of responses to such threats pursuant to Decision No 1082/2013/EU of the European Parliament and of the Council (OJ L 037, 14.2.2017, p. 23)

Amended by:

| | Official Journal No | page | date |
|---|---|---|---|
| COMMISSION IMPLEMENTING DECISION (EU) 2021/858 of 27 May 2021 | L 188 | 106 | 28.5.2021 |
| COMMISSION IMPLEMENTING DECISION (EU) 2021/1212 of 22 July 2021 | L 263 | 32 | 23.7.2021 |
COMMISSION IMPLEMENTING DECISION (EU) 2017/253
of 13 February 2017
laying down procedures for the notification of alerts as part of the early warning and response system established in relation to serious cross-border threats to health and for the information exchange, consultation and coordination of responses to such threats pursuant to Decision No 1082/2013/EU of the European Parliament and of the Council
(Text with EEA relevance)
Article 1
EWRS competent authorities
Article 1a
Definitions
For the purposes of this Decision, the following definitions apply:
‘passenger locator form’ (‘PLF’) means a form completed on the request of public health authorities that collects at least the passengers’ data specified in Annex I and that assists those authorities in managing a public health event by enabling them to trace passengers crossing borders who may have been exposed to a SARS-CoV-2 infected person;
‘passenger locator form data’ (‘PLF data’) means personal data collected through a PLF;
‘digital entry point’ means a single digital location to which EWRS competent authorities can securely connect their national digital PLF systems to the PLF exchange platform;
‘journey’ means the cross-border travel by a person, by means of collective transport with pre-assigned seats, having regard to the place of that person’s initial departure and final destination, with one or more legs;
‘leg’ means a cross-border single travel of a passenger with no connections or changes of flight, train, vessel or vehicle;
‘infected passenger’ means a passenger who fulfils the laboratory criterion for SARS-CoV-2 infection;
‘exposed person’ means a passenger or another person who has been in close contact with an infected passenger;
‘alert’ means a notification using the Early Warning and Response System (EWRS), following Article 9 of Decision 1082/2013/EC.
Article 2
Alert notifications in the EWRS
Article 2a
Platform for the exchange of PLF data
The PLF exchange platform shall provide a digital entry point for EWRS competent authorities to securely connect their national digital PLF systems or connect through the common European Union digital Passenger Locator Form System (‘EUdPLF’), in order to enable the exchange of data collected through PLFs.
The EWRS competent authorities shall be able to use the PLF exchange platform for the exchange of additional data, that is to say epidemiological data for the sole purpose of SARS-CoV-2 contact tracing of exposed persons, in accordance with Article 2b(5).
Article 2b
Data to be exchanged
When notifying an alert in the PLF exchange platform, the EWRS competent authorities of the Member State where the infected passenger is identified shall transmit the following PLF data to the EWRS competent authorities of the Member State of the infected passenger’s initial departure, or residence where the place of residence is different from the place of initial departure, or to the Member State of the infected passenger’s last departure, where the Member State only requires the completion of a PLF for the last leg of a journey:
(a) first name;
(b) last name;
(c) date of birth;
(d) phone number (landline and/or mobile);
(e) e-mail address;
(f) address of residence.
►M2 If necessary to identify exposed persons, when notifying an alert in the PLF exchange platform, the EWRS competent authorities of the Member State where the infected passenger is identified shall transmit the following PLF data, in relation to each available leg of that passenger’s journey, to the EWRS competent authorities of all Member States: ◄
(a) place of departure of each concerned transport, unless the place can be identified through the information under point (e);
(b) place of arrival of each concerned transport, unless the place can be identified through the information under point (e);
(c) date of departure of each concerned transport;
(d) type of each concerned transport (e.g. plane, train, coach, ferry, ship);
(e) identification number of each concerned transport (e.g. flight number, train number, coach’s number plate, ferry or ship name);
(f) seat/cabin number in each concerned transport;
(g) time of departure of each concerned transport, unless the time can be identified through the information under point (e).
The EWRS competent authorities shall be able to provide the following epidemiological data, where this is necessary in order to perform effective contact tracing:
(a) type of test performed;
(b) variant of SARS-CoV-2 virus;
(c) date of sampling;
(d) date of symptom onset.
Article 2c
Responsibilities of the EWRS competent authorities and of ECDC in the processing of PLF data
Article 3
Other Union rapid alert and information systems
Article 4
Coordination of national responses to serious cross-border threats to health
Article 5
Risk and crisis communication
Article 6
Deactivation of the alert notification
Where the conditions which justified the introduction of an alert pursuant to Article 9(1) of Decision No 1082/2013/EU cease to exist, the alert shall be deactivated by the Member State that introduced the alert, or by the Commission in the event that the alert was introduced by the Commission. Deactivation of an alert shall only take place after all the Member States concerned by the alert have agreed to such deactivation.
Article 7
Repeal of Decision 2000/57/EC
Article 8
Entry into force
This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
ANNEX I
MINIMUM SET OF PLF DATA TO BE COLLECTED THROUGH THE NATIONAL PLF
The PLF shall contain at least the following PLF data:
first name;
last name;
date of birth;
phone number (landline and/or mobile);
e-mail address;
address of residence;
▼M2 —————
►M2 the following information for each leg of a journey for which the Member State requires the completion of a PLF: ◄
    (a) place of departure, unless the place can be identified through the information under sub-point (f);
    (b) place of arrival, unless the place can be identified through the information under sub-point (f);
    (c) date of departure;
    (d) type of transport (e.g. plane, train, coach, ferry, ship);
    (e) time of departure, unless the time can be identified through the information under sub-point (f);
    (f) identification number of the transport (e.g. flight number, train number, coach’s number plate, ferry or ship name);
    (g) seat/cabin number.
ANNEX II
RESPONSIBILITIES OF THE PARTICIPATING MEMBER STATES AS JOINT CONTROLLERS FOR THE PLF EXCHANGE PLATFORM
SECTION 1
Division of responsibilities
(1) Each EWRS competent authority shall ensure that the processing of PLF data and of the additional epidemiological data exchanged through the PLF exchange platform is carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (1). In particular, it shall ensure that the data it enters and transmits through the PLF exchange platform are accurate and limited to the data laid down in Article 2b of this Decision.
(2) Each EWRS competent authority remains the sole controller for the collection, use, disclosure and any other processing of PLF data and additional epidemiological data, carried out outside the PLF exchange platform. Each EWRS competent authority shall ensure that the transmission of the data is carried out in accordance with the technical specifications stipulated for the PLF exchange platform.
(3) Instructions to the processor shall be sent by any of the joint controllers’ contact points, in agreement with the other joint controllers.
(4) Only persons authorised by the EWRS competent authorities may access PLF data and additional epidemiological data exchanged through the PLF exchange platform.
(5) Each EWRS competent authority shall set up a contact point with a functional mailbox that will serve for communication between the joint controllers and between the joint controllers and the processor. The decision-making process of the joint controllers is governed by the EWRS Health Security Committee Working Group.
(6) Each EWRS competent authority shall cease to be joint controller from the date of withdrawal of its participation in the PLF exchange platform. It shall however remain responsible for the collection and transmission of PLF data and additional epidemiological data through the PLF exchange platform that occurred prior to its withdrawal.
(7) Each EWRS competent authority shall maintain a record of the processing activities under its responsibility. The joint controllership may be indicated in the record.
SECTION 2
Responsibilities and roles for handling requests of and informing data subjects
(1) Each EWRS competent authority requiring a PLF shall provide the cross-border passengers (‘the data subjects’) with information about the circumstances of the exchange of their PLF and epidemiological data through the PLF exchange platform for the purpose of contact tracing, in accordance with Articles 13 and 14 of Regulation (EU) 2016/679.
(2) Each EWRS competent authority shall act as the contact point for the data subjects and shall handle the requests relating to the exercise of their rights in accordance with Regulation (EU) 2016/679, submitted by them or by their representatives. Each EWRS competent authority shall designate a specific contact point dedicated to requests received from data subjects. If an EWRS competent authority receives a request from a data subject which does not fall under its responsibility, it shall promptly forward it to the responsible EWRS competent authority and inform the ECDC. If requested, the EWRS competent authorities shall assist each other in handling data subjects’ requests relating to the joint controllership and shall reply to each other without undue delay and at the latest within 15 days from receiving a request for assistance.
(3) Each EWRS competent authority shall make available to the data subjects the content of this Annex including the arrangements laid down in points 1 and 2.
SECTION 3
Management of security incidents, including personal data breaches
(1) The EWRS competent authorities as joint controllers shall assist each other in the identification and handling of any security incidents, including personal data breaches, linked to the processing of PLF and epidemiological data exchanged through the PLF exchange platform.
(2) In particular, they shall notify each other and the ECDC of the following:
any potential or actual risks to the availability, confidentiality and/or integrity of the PLF and epidemiological data undergoing processing in the PLF exchange platform;
any personal data breach, the likely consequences of the data breach and the assessment of the risk to the rights and freedoms of natural persons, and any measures taken to address the personal data breach and mitigate the risk to the rights and freedoms of natural persons;
any breach of the technical and/or organisational safeguards of the processing operation in the PLF exchange platform.
(3) The EWRS competent authorities shall communicate any data breaches with regard to the processing operation in the PLF exchange platform to the ECDC, to the competent supervisory authorities and, where required, to the data subjects, in accordance with Articles 33 and 34 of Regulation (EU) 2016/679 or following notification by the ECDC.
(4) Each EWRS competent authority shall implement appropriate technical and organisational measures, designed to:
ensure and protect the security, integrity and confidentiality of the personal data jointly processed;
protect against any unauthorised or unlawful processing, loss, use, disclosure or acquisition of or access to any personal data in its possession;
ensure that access to the personal data is not disclosed or allowed to anyone other than the recipients or processors.
SECTION 4
Data Protection Impact Assessment
If a controller, in order to comply with its obligations specified in Articles 35 and 36 of Regulation (EU) 2016/679, needs information from another controller, it shall send a specific request to the functional mailbox referred to in Subsection 1(5) of Section 1. The latter shall use its best efforts to provide such information.
ANNEX III
RESPONSIBILITIES OF THE ECDC AS DATA PROCESSOR FOR THE PLF EXCHANGE PLATFORM
(1) The ECDC shall set up and ensure a secure and reliable communication infrastructure that interconnects EWRS competent authorities of the Member States participating in the PLF exchange platform.
The processing by the ECDC of the PLF exchange platform entails the following:
define the minimum set of technical requirements to allow a smooth and secure on-boarding and off-boarding of national PLF databases;
ensure interoperability of national PLF databases in a secure and automated fashion.
(2) To fulfil its obligations as data processor of the PLF exchange platform, the ECDC shall engage the Commission as a sub-processor and shall ensure that the same data protection obligations, as set out in this Decision, apply to the Commission.
The ECDC may authorise the Commission to engage third parties as further sub-processors.
If the Commission engages sub-processors, the ECDC shall:
ensure that the same data protection obligations, as set out in this Decision, apply to these sub-processors;
inform the controllers of any intended changes concerning the addition or replacement of other sub-processors, thereby giving the controllers the opportunity to object by simple majority to such changes.
(3) The ECDC shall:
set up and ensure a secure and reliable communication infrastructure that interconnects EWRS competent authorities of the Member States participating in the PLF exchange platform;
process the PLF and additional epidemiological data only on the basis of documented instructions from the controllers, unless required to do so by Union law; in such a case, the ECDC shall inform the controllers of that legal requirement before processing, unless that law prohibits submitting such information on important grounds of public interest;
put in place a security plan, a business continuity plan and a disaster recovery plan;
take the necessary measures to preserve the integrity of the PLF and additional epidemiological data processed;
take all state of the art organisational, physical and electronic security measures to maintain the PLF exchange platform; to this end, the ECDC shall:
    designate a responsible entity for security management at the level of the PLF exchange platform, communicate its contact information to the controllers and ensure its availability to react to security threats;
    assume the responsibility for the security of the PLF exchange platform;
    ensure that all individuals that are granted access to the PLF exchange platform are subject to a contractual, professional or statutory obligation of confidentiality;
    take all necessary security measures to avoid compromising the smooth operational functioning of the PLF exchange platform; to this end, the ECDC shall put in place specific procedures related to the functioning of the PLF exchange platform and the connection from the backend servers to the PLF exchange platform; this includes:
        a risk assessment procedure, to identify and estimate potential threats to the system;
        an audit and review procedure to:
            check the correspondence between the implemented security measures and the applicable security policy;
            control on a regular basis the integrity of system files, security parameters and granted authorisations;
            detect and monitor security breaches and intrusions;
            implement changes to mitigate existing security weaknesses;
            allow for, including at the request of controllers, and contribute to, the performance of independent audits, including inspections, and reviews on security measures, subject to conditions that respect Protocol (No 7) to the TFEU on the Privileges and Immunities of the European Union (2);
        a change control procedure to document and measure the impact of a change before its implementation and keep the controllers informed of any changes that can affect the communication with and/or the security of their infrastructures;
        a maintenance and repair procedure to specify the rules and conditions to be respected when maintenance and/or repair of equipment should be performed;
        a security incident procedure to define the reporting and escalation scheme, inform without delay the controllers for them to notify the national data protection supervisory authorities of any personal data breach, and define a disciplinary process to deal with security breaches;
    take state of the art physical and/or electronic security measures for the facilities hosting the PLF exchange platform equipment and for the controls of data and security access; to this end, the ECDC shall:
        enforce physical security to establish distinct security perimeters and allow detection of breaches;
        control access to the facilities and maintain a visitor register for tracing purposes;
        ensure that external people granted access to the premises are escorted by duly authorised staff;
        ensure that equipment cannot be added, replaced or removed without prior authorisation of the designated responsible bodies;
control access from and to the national PLF systems to the PLF exchange platform;
ensure that individuals who access the PLF exchange platform are identified and authenticated;
review the authorisation rights related to the access to the PLF exchange platform in case of a security breach affecting this infrastructure;
implement technical and organisational security measures to prevent unauthorised access to PLF and epidemiological data;
implement, whenever necessary, measures to block unauthorised access to the PLF exchange platform from the domain of the national authorities (i.e.: block a location/IP address);
take steps to protect its domain, including the severing of connections, in the event of substantial deviation from the principles and concepts for quality or security;
maintain a risk management plan related to its area of responsibility;
monitor – in real time – the performance of all the service components of the PLF exchange platform, produce regular statistics and keep records;
make sure that the service is available 24/7, with the acceptable downtime for maintenance purposes;
provide support for all PLF exchange platform services in English, via phone, mail or Web Portal and accept calls from authorised callers: the PLF exchange platform’s coordinators and their respective helpdesks, Project Officers and designated persons from ECDC;
assist the controllers by appropriate technical and organisational measures, insofar as it is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of Regulation (EU) 2016/679;
support the controllers by providing information concerning the PLF exchange platform, in order to implement the obligations pursuant to Articles 32, 35 and 36 of Regulation (EU) 2016/679;
ensure that PLF and epidemiological data transmitted through the PLF exchange platform is unintelligible to any person who is not authorised to access it, in particular by applying strong encryption;
take all relevant measures to prevent that the PLF exchange platform’s operators have unauthorised access to transmitted PLF and epidemiological data;
take measures in order to facilitate the interoperability and the communication between the PLF exchange platform’s designated controllers;
maintain a record of processing activities carried out on behalf of the controllers in accordance with Article 31(2) of Regulation (EU) 2018/1725 of the European Parliament and of the Council.
ANNEX IV
Non-exhaustive list of alert and information systems at Union level to be progressively linked with EWRS
This Annex lists rapid alert and information systems which are currently in place at Union level or under the Euratom Treaty and which may be relevant for receiving alerts of and information on events which are or may pose a serious cross-border threat to health:
(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ L 119, 4.5.2016, p. 1).