
This document is an excerpt from the EUR-Lex website

Document C(2017)8415

COMMISSION DELEGATED REGULATION (EU) …/... on key elements of data storage contracts to be concluded as part of a traceability system for tobacco products

C/2017/8415 final

EXPLANATORY MEMORANDUM

1. CONTEXT OF THE DELEGATED ACT

The Tobacco Products Directive 2014/40/EU (hereinafter "the TPD") provides, in its Article 15, for the establishment of a traceability system to address the issue of illicit trade in tobacco products. Under the traceability system, all unit packets of tobacco products produced in, destined for or placed on the EU market are to be marked with a unique identifier in order for their movements to be recorded. This will enable such products to be tracked and traced throughout the supply chain (from the manufacturer until the last level before the first retail outlet). The provisions of Article 15 shall apply to cigarettes and roll-your-own tobacco products from 20 May 2019 and to all other tobacco products from 20 May 2024.

Article 15(8) of the TPD requires manufacturers and importers of tobacco products to conclude data storage contracts with an independent third party, for the purposes of hosting the data recorded pursuant to that Article. Article 15(8) further sets out that the suitability of each third party, in particular their independence and technical capacities, as well as each data storage contract concluded, shall be approved by the Commission.

Article 15(12) of the TPD empowers the Commission to adopt delegated acts to define the key elements of the above-mentioned data storage contracts. The Commission is seeking to fulfil this obligation via the present Delegated Regulation.

The Delegated Regulation should be read in conjunction with the Commission Implementing Regulation on technical standards for the establishment and operation of a traceability system for tobacco products that the Commission is required to adopt under Article 15(11) of the TPD.

2. CONSULTATIONS PRIOR TO THE ADOPTION OF THE ACT

The main objective of the proposal is to lay down key elements to be included in the data storage contracts to be concluded between manufacturers and importers of tobacco products and third parties (providers of primary repositories) that will host the data related to their tobacco products and recorded under the traceability system.

The proposal draws on the results of several consultation exercises undertaken by the Commission in the context of the implementation of Article 15 of the TPD: a targeted stakeholder consultation (May-July 2015) (1), a public consultation (July-November 2016) (2) and two stakeholder workshops (3). Assistance was also provided in the form of a feasibility study (4) as well as an implementation study (5) carried out by external contractors. In line with the rules on Better Regulation, the draft proposal was also published for a period of four weeks, during which it was possible for the general public to submit feedback (6).

The proposal also feeds from the discussions of the Expert Group on Tobacco Control, in particular its Expert Subgroup on Traceability and Security Features.

The Commission, when preparing and drawing up this delegated act, ensured simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and the Council and carried out appropriate and transparent consultations well in advance, including at expert level.

3. LEGAL ELEMENTS OF THE DELEGATED ACT

The proposal is made pursuant to Article 15(12) of the TPD, which empowers the Commission to define key elements of the data storage contracts provided for under paragraph 8 of that article, such as duration, renewability, expertise required or confidentiality, including regular monitoring and evaluation of those contracts.

The present Delegated Regulation lays down these key elements, including:

key services to be rendered,

requirement for providers to declare technical expertise,

availability and uptime of the service as well as back-up mechanisms to be provided to prevent loss of data,

access rights,

independence,

data protection and confidentiality,

duration,

audits.

4. BUDGETARY IMPLICATION

The proposal has no budgetary implications.

COMMISSION DELEGATED REGULATION (EU) …/...

of 15.12.2017

on key elements of data storage contracts to be concluded as part of a traceability system for tobacco products

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Directive 2014/40/EU of the European Parliament and of the Council of 3 April 2014 on the approximation of the laws, regulations and administrative provisions of the Member States concerning the manufacture, presentation and sale of tobacco and related products and repealing Directive 2001/37/EC (7), and in particular Article 15(12) thereof,

Whereas:

(1) Article 15(8) of Directive 2014/40/EU requires each manufacturer and importer, as part of the traceability system for tobacco products, further specified in Commission Implementing Regulation (EU) …/… (8), to conclude a contract with an independent third-party provider for the purpose of hosting information related to its tobacco products. Article 15(12) of Directive 2014/40/EU empowers the Commission to define the key elements of those contracts.

(2) To ensure the effective functioning of the traceability system for tobacco products in general and the interoperability of the repositories system in particular, it is appropriate to lay down the key elements of the data storage contracts, to include specifications relating to the operability, availability and performance of the services to be provided by data storage providers. The effective and continuous functioning of the traceability system and the data storage system contained therein makes it necessary that clear requirements on data portability are put in place by providers for cases where a manufacturer or importer decides to change its provider. For that reason, the contracts should include provisions requiring the use of technology that is readily available on the market and commonly used in the sector to guarantee an effective and uninterrupted data transfer between current and new providers.

(3) In order to ensure the necessary level of flexibility, it should be possible to request the data storage provider to carry out, against a fee, ancillary technical services connected with the operation of the primary repository such as the expansion of the operational functionality of user interfaces, provided that the additional services contribute to the proper functioning of the repositories system and do not violate any of the requirements laid down in Commission Implementing Regulation (EU) …/…. Therefore, the contract should provide for such an option.

(4) To safeguard the independent operation of the traceability system at all times, the Commission should be able to revoke the approval of an already contracted data storage provider where an assessment or reassessment of the technical capacity or independence of the provider results in an adverse finding as regards its suitability.

(5) In order to ensure the effective organisation of the day-to-day functioning of the system, providers of primary repositories should cooperate with one another, as well as with the competent authorities of Member States and the Commission.

HAS ADOPTED THIS REGULATION:

Article 1

Subject matter

This Regulation sets out key elements to be included in the data storage contracts referred to in Article 15(8) of Directive 2014/40/EU.

Article 2

Definitions

For the purpose of this Regulation, in addition to the definitions laid down in Directive 2014/40/EU and Implementing Regulation (EU) …/…, the following definitions shall apply:

(1) 'contract' means a contractual agreement between a manufacturer or importer of tobacco products and a provider of data storage systems in accordance with Article 15(8) of Directive 2014/40/EU and Implementing Regulation (EU) …/…;

(2) 'provider' means any legal person contracted by a manufacturer or importer of tobacco products for the purpose of establishing and operating its primary repository and the related services;

(3) 'data portability' means the ability to move data among different repositories, by the use of technology that is readily available on the market and commonly used in the sector.

Article 3

Key responsibilities under the contract

1. The contract shall specify the key services to be rendered by the provider, which shall include:

(1) the establishment and operation of a primary repository in accordance with Article 26 of Implementing Regulation (EU) …/…;

(2) in the case the operator of the primary repository is appointed as provider of the secondary repository, the establishment and operation of the secondary repository and the router, in accordance with Articles 27, 28 and 29 of Implementing Regulation (EU) …/…;

(3) the provision, upon request, of other ancillary technical services connected with the operation of the primary repository that contribute to the proper functioning of the repositories system.

2. In defining the key services referred to in points (1) and (2) of paragraph 1, the contract shall contain specifications relating to the operability, availability and performance of the services meeting the minimum requirements specified in this Regulation and laid down in Chapter V of Implementing Regulation (EU) …/….

Article 4

Technical expertise

The contract shall require providers to issue to the manufacturer or importer a written declaration that they hold, or have at their disposal, the technical and operational expertise necessary to carry out the services referred to in Article 3 and to comply with the requirements laid down in Chapter V of Implementing Regulation (EU) …/….

Article 5

Availability of the primary repository

1. The contract shall specify a guaranteed monthly uptime and availability of 99.5% for the primary repository.

2. The contract shall require that appropriate back-up mechanisms are put in place by the provider to prevent any loss of data that is stored, received or transferred at the time the primary repository becomes unavailable.

Article 6

Access rights

The contract shall specify the requirements for physical and virtual access to be granted, at server and database level, to national administrators of Member States, the Commission, and appointed external auditors to the primary repository, in accordance with Article 25 of Implementing Regulation (EU) …/….

Article 7

Sub-contracting

1. Where the contract specifies that the provider may subcontract certain obligations under the contract, it shall contain a provision clarifying that the subcontract does not affect the primary responsibility of the provider for the performance of the contract.

2. The contract shall further require the provider:

(a) to ensure that the proposed subcontractor has the necessary technical expertise and meets the requirements of independence laid down in Article 35 of Implementing Regulation (EU) …/….

(b) to submit to the Commission a copy of the declaration referred to in Article 8 of this Regulation signed by the respective sub-contractor(s).

Article 8

Legal and financial independence

The contract shall require providers and, where applicable, their sub-contractors, to issue to the manufacturer or importer, together with the data storage contract, a written declaration that they comply with the requirements for legal and financial independence as laid down in Article 35 of Implementing Regulation (EU) …/….

Article 9

Data protection and confidentiality

1. The contract shall specify that the provider shall put in place all appropriate measures necessary to ensure the confidentiality, integrity and availability of all data stored in the performance of the contract. Such measures shall include administrative, technical and physical safety and security controls.

2. The contract shall require that personal data handled under the contract are processed in accordance with Directive 95/46/EC of the European Parliament and of the Council (9).

Article 10

Information security management

The contract shall require providers to declare that the primary repository and, where applicable, the second repository, is managed in accordance with internationally recognised information security management standards. Providers certified to ISO/IEC 27001:2013 shall be presumed to meet those standards.

Article 11

Costs

The contract shall require the costs charged by providers to manufacturers or importers in accordance with Article 30 of Implementing Regulation (EU) …/… to be fair, reasonable, and proportionate to:

(a) the services rendered; and

(b) the number of unique identifiers requested over a given period of time by the manufacturer or importer concerned.

Article 12

Participation in secondary repository system

1. The contract shall require the provider to participate in the establishment of the secondary repository system (where the secondary system has not yet been established at the date of the conclusion of the contract) as may be required in accordance with the rules provided for in Chapter V of Implementing Regulation (EU) …/….

2. The contract shall contain a provision that allows for providers to recover from manufacturers and importers of tobacco products the costs arising in connection with the establishment, operation and maintenance of the secondary repository and the router referred to in Chapter V of Implementing Regulation (EU) …/….

Article 13

Duration

The duration of the contract shall be fixed for a minimum of five years with a possibility of renewal subject to agreement of the Parties and the continuing compliance of the provider with the requirements of Directive 2014/40/EU and Implementing Regulation (EU) …/….

Article 14

Communication with other parties

The contract shall require providers to cooperate with one another, as well as with the competent authorities of Member States, to the extent necessary to ensure the effective organisation of the day-to-day functioning of the repositories system.

Article 15

Audits

1. The contract shall lay down terms enabling external auditors approved by the Commission, in accordance with Article 15(8) of Directive 2014/40/EU, to carry out announced and unannounced audits in relation to the primary repository, and, where applicable, the secondary repository, including an assessment of whether the provider and, if applicable, its sub-contractors comply with the relevant legislative requirements.

2. The contract shall specify that external auditors are granted unrestricted physical and virtual access to the primary repository and, where applicable, the secondary repository, and its related services for the duration of the audit.

Article 16

Liability

The contract shall lay down terms detailing the liability of the parties including with respect to direct and indirect damages that may arise under the contract, in accordance with the applicable law. Without prejudice to the applicable law, the contract shall further specify that no limitation of liability exists in case of breach of confidentiality or breach of data protection rules.

Article 17

Termination of contract

1. The contract shall lay down terms regarding the termination of the contract, in accordance with the applicable law. In the case of termination, the contract shall require the terminating Party to notify the Commission, in accordance with the procedural requirements laid down in Annex I to Implementing Regulation (EU) …/….

2. The contract shall require parties to provide a minimum notice period of five months for the termination of the contract.

By derogation to the first subparagraph, the contract shall require manufacturers and importers to terminate the contract immediately:

(a) in the event of a serious breach by the provider of its obligations under the contract,

(b) where the provider becomes, or is in imminent risk of becoming, insolvent under the applicable law.

3. For the purposes of paragraph 2(a) a serious breach shall include:

(a) the failure by the provider to carry out obligations or to perform services provided for under the contract that are critical to the effective functioning of the traceability system, including in particular, the failure to comply with requirements laid down in Chapter V of Implementing Regulation (EU) …/…,

(b) where a provider ceases to comply with the requirements for legal and financial independence laid down in Article 35(2) of Implementing Regulation (EU) …/… and where, by the expiry of the time-period referred to in Article 35(6) of Implementing Regulation (EU) …/…, compliance with the requirements could not be established.

Article 18

Suspension of services

The contract shall specify that suspension of services in case of late payments by a manufacturer or importer to the provider shall be prohibited, unless the delay exceeds the final payment deadline by thirty days or more.

Article 19

Data portability

1. The contract shall require providers to ensure full data portability in cases where a manufacturer or importer contracts a new provider to operate its primary repository. The current provider shall deliver to the new provider, prior to the date of termination of the contract, an up-to-date copy of all data stored in the primary repository. Any updates to the data after that delivery shall be migrated to the new provider without undue delay.

2. In order to ensure business continuity, the contract shall include an applicable exit plan laying down the procedure to be followed in case of the termination of the contract and a new provider is contracted by the manufacturer or importer. The plan shall include a requirement for the current provider to continue providing its services until the new provider becomes operational.

3. The contract shall contain provisions ensuring that the current provider has no right of retention with respect to any data, information or other necessary material related to the primary repository after they have been delivered to the new provider.

Article 20

Applicable law and jurisdiction

1. The contract shall be governed by the laws of one of the Member States of the European Union, as agreed by the parties to the contract.

2. The contract shall be subject to the jurisdiction of one of the Member States of the European Union, as agreed by the parties to the contract.

Article 21

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 15.12.2017

   For the Commission

   The President
   Jean-Claude JUNCKER

(1) http://ec.europa.eu/health/tobacco/consultations/2015_tpd_consultation_en
(2) https://ec.europa.eu/health/tobacco/consultations/2016_traceability_security_features_en
(3) http://ec.europa.eu/health/tobacco/consultations/2016_stakeholderworkshop_tpd_en; and http://ec.europa.eu/health/tobacco/2017_stakeholderworkshop_tpd_en
(4) http://ec.europa.eu/health/tobacco/docs/2015_tpd_tracking_tracing_frep_en.pdf
(5) Implementation Study on the technical specifications and other key elements for a future EU system for traceability and security features in the field of tobacco products.
(6) https://ec.europa.eu/info/law/better-regulation/initiatives/ares-2017-4305537_en
(7) OJ L 127, 29.4.2014, p. 1.
(8) [Commission Implementing Regulation (EU) .../... of 15 December 2017 on technical standards for the establishment and operation of a traceability system for tobacco products – C(2017) 8429 final (OJ L […], […], p. […])].
(9) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).