Το έγγραφο αυτό έχει ληφθεί από τον ιστότοπο EUR-Lex
Έγγραφο 32019D1269
Commission Implementing Decision (EU) 2019/1269 of 26 July 2019 amending Implementing Decision 2014/287/EU setting out criteria for establishing and evaluating European Reference Networks and their Members and for facilitating the exchange of information and expertise on establishing and evaluating such Networks (Text with EEA relevance.)
Commission Implementing Decision (EU) 2019/1269 of 26 July 2019 amending Implementing Decision 2014/287/EU setting out criteria for establishing and evaluating European Reference Networks and their Members and for facilitating the exchange of information and expertise on establishing and evaluating such Networks (Text with EEA relevance.)
Commission Implementing Decision (EU) 2019/1269 of 26 July 2019 amending Implementing Decision 2014/287/EU setting out criteria for establishing and evaluating European Reference Networks and their Members and for facilitating the exchange of information and expertise on establishing and evaluating such Networks (Text with EEA relevance.)
C/2019/5470
OJ L 200, 29.7.2019, σ. 35 έως 43
(BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)
Ισχύει
29.7.2019 |
EN |
Official Journal of the European Union |
L 200/35 |
COMMISSION IMPLEMENTING DECISION (EU) 2019/1269
of 26 July 2019
amending Implementing Decision 2014/287/EU setting out criteria for establishing and evaluating European Reference Networks and their Members and for facilitating the exchange of information and expertise on establishing and evaluating such Networks
(Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients' rights in cross-border healthcare (1) and in particular Article 12(4)(b) and (c) thereof,
Whereas:
(1) |
Commission Implementing Decision 2014/287/EU (2) sets out criteria for establishing and evaluating European Reference Networks and their Members and for facilitating the exchange of information and expertise on establishing and evaluating those Networks. Article 6 of that Decision invited Member States to set up a Board of Member States with a view to deciding whether or not to approve proposals for Networks, their membership and termination. The Member States set up the Board of Member States, which subsequently approved 23 European Reference Networks (ERNs) in December 2016 and one in February 2017. All Networks commenced activities in 2017. |
(2) |
To increase the efficiency of the European Reference Networks, the Board of Member States should become the forum for exchanging information and expertise in order to steer the development of the ERNs, provide guidance to the Networks and to the Member States and advise the Commission on matters related to the establishment of the Networks. To promote the exchange of experience and to facilitate a process consistent with other cross border exchanges of health data, the Board should foresee a close cooperation with the eHealth Network to develop, wherever possible, common approaches, data structures and guidelines facilitating transparent access to different services and streamlining rules for healthcare providers. The Board should also promote the discussion with other relevant EU fora (such as Steering Group on Health Promotion, Disease Prevention and Management of Non-Communicable Diseases) on areas of common interest. |
(3) |
The current experience of the 24 existing ERNs has shown that to ensure an effective functioning of each Network, its Members should closely cooperate in performing their tasks, such as exchanging health data concerning patients' diagnoses and treatment in an efficient and secure manner, contributing to scientific research activities and to the development of medical guidelines. Close cooperation requires mutual trust among the Members of each Network and mutual recognition in particular of their expertise and competence, of the quality of their clinical care as well as of their specific human, structural and equipment resources as provided for under point 2 of Annex II to Commission Delegated Decision 2014/286/EU (3). |
(4) |
Mutual trust and recognition by peers are equally important where healthcare providers wish to join an existing Network as they guarantee the right pre-conditions for future cooperation within the Network. A favourable opinion on the membership application by the Board of the Network that the healthcare provider wishes to join, following a peer review carried out by the Network on the basis of the criteria and conditions set out in point 2 of Annex II to Delegated Decision 2014/286/EU, should therefore accompany such application when it is assessed by an independent assessment body appointed by the Commission. In order to allow the healthcare provider express its views on the opinion of the Board of the Network, the healthcare provider should be permitted to submit comments on the draft opinion within a period of one month from the date of receipt of that opinion. |
(5) |
Reasonable deadlines should be set out for the Board of the Network as regards the draft and final opinion. The deadline for the final opinion should therefore, in principle be set at four months. However, in case the healthcare provider submits comments on the Board of the Network's draft opinion, the four-month deadline for delivering the final opinion should be extended by one month in order to allow the Board of the Network to take into account the comments received. For reasons of legal certainty, if the Board of the Network fails to send the draft opinion or deliver the final opinion within the deadlines set, the final opinion should be deemed favourable. |
(6) |
If a membership application receives an unfavourable opinion by the Board of the Network that the healthcare provider wishes to join, while having received the endorsement in the form of a written statement from the healthcare provider's Member State of establishment, the Member State of establishment should have the possibility of requesting the Board of Member States to decide, on the basis of the criteria and conditions set in point 2 of Annex II to Delegated Decision 2014/286/EU, whether the application can nevertheless be submitted to the Commission. |
(7) |
In order to support health professionals across the ERNs to collaborate remotely in the diagnosis and treatment of patients with rare or low prevalence complex diseases or conditions across national borders and to facilitate scientific research of such diseases or conditions, the Commission developed a Clinical Patient Management System for ERNs (‘CPMS’) with the aim of facilitating the establishment and functioning of the ERNs as provided for in point (c) of paragraph 4 of Article 12 of Directive 2011/24/EU. |
(8) |
The CPMS should provide a common infrastructure for health professionals to collaborate within the ERNs in the diagnosis and treatment of patients with rare or low prevalence complex diseases or conditions. It should provide the means through which the exchange of information and expertise on such diseases takes place within the ERNs in the most effective way. |
(9) |
The CPMS should therefore consist of a secure IT infrastructure providing a common interface where healthcare providers that are members of the ERNs, Affiliated Partners (4) or guest users (‘healthcare providers authorised to access CPMS’), can exchange information within the Networks on the concerned patients with the aim of facilitating their access to safe and high quality healthcare and promoting effective cooperation on healthcare between Member States by facilitating the exchange of relevant information. |
(10) |
In order to guarantee compliance with data protection rules and ensure the use of an effective and secured environment for the electronic exchange of personal data of patients between healthcare providers within the ERNs for the purposes referred to in paragraph 2 of Article 12 of Directive 2011/24/EU, such exchange should take place only on the basis of the patients' explicit consent and only through the CPMS. The healthcare providers are responsible for ensuring the security of the data they process outside of the CPMS with the aim of entering them into the CPMS, as well as of the data that are not entered into the CPMS but are processed by them in relation with the CPMS (such as consent forms) or of the data downloaded by them from the CPMS and processed outside of the CPMS. |
(11) |
The CPMS processes sensitive data concerning patients suffering from rare or low prevalence complex diseases. These data are processed solely for the purpose of facilitating patients' diagnosis and treatment, for entering them into relevant registries or other databases for rare and low prevalence complex diseases, which serve a scientific research, clinical or health policy purposes and for contacting potential participants for scientific research initiatives. Healthcare providers within the ERNs should be able to process the patients' data in the CPMS once they have obtained the patients' specific, informed and free consent about three possible uses of their data (medical assessment of the file for advice on diagnosis and treatment, entering the data in rare diseases registries or other databases for rare and low prevalence complex diseases and possibility for the patients to be contacted to participate in a scientific research initiative). The consent should be obtained separately for each of these three purposes. This decision should lay down the purposes and the safeguards for the processing of such data in the CPMS. In particular, the Commission should provide for the general features of the CPMS in relation to each Network, should provide and maintain the secure IT infrastructure required to that end and should ensure its technical functioning and security. In line with the principle of data minimisation, the Commission should only process personal data strictly necessary in order to ensure the administration of the CPMS in relation to each Network and therefore should not access health data of patients exchanged in the ERNs, unless it is strictly necessary to fulfil its obligations as a joint controller. |
(12) |
This Implementing Decision should only apply to processing of personal data, which takes place in the CPMS, in particular contact details, and health data, within the ERNs. |
(13) |
Article 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council (5) and Article 28 of Regulation (EU) 2018/1725 of the European Parliament and of the Council (6) place an obligation on joint controllers of personal data processing operations to determine, in a transparent manner, their respective responsibilities for compliance with the obligations under these Regulations. They also provides for the possibility to have those responsibilities determined by Union or Member State law to which the controllers are subject. |
(14) |
Implementing Decision 2014/287/EU should therefore be amended accordingly. |
(15) |
The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 13 September 2018. |
(16) |
The measures provided for in this Decision are in accordance with the opinion of the Committee set up under Article 16 of Directive 2011/24/EU, |
HAS ADOPTED THIS DECISION:
Article 1
Implementing Decision 2014/287/EU is amended as follows:
(1) |
The following Article 1a is inserted: ‘Article 1a Definitions For the purposes of this Implementing Decision the following definitions shall apply:
|
(2) |
In Article 8, the following paragraphs 4, 5 and 6 are inserted: ‘4. If the Commission concludes that the requirements set out in Article 8(2) and (3) are fulfilled, the Board of the Network that the healthcare provider wishes to join, shall issue an opinion on the membership application, following a peer review carried out by the Network on the basis of the criteria and conditions set out in point 2 of Annex II to Delegated Decision 2014/286/EU. 5. Before delivering the opinion referred to in paragraph 4 and within three months from the moment the Commission has confirmed that the requirements set out in Article 8(2) and (3) are fulfilled, the Board of the Network shall send a draft opinion to the applicant healthcare provider that may send comments to the Network within one month of receiving the draft opinion. In case the Board of the Network does not receive comments on that draft, it shall deliver a final opinion on the membership application, within four months from the moment the Commission has confirmed that the requirements set out in Article 8(2) and (3) are fulfilled. In case the Board of the Network receives comments, the deadline for the delivery of the final opinion is extended to five months from the moment the Commission has confirmed that the requirements set out in Article 8(2) and (3) are fulfilled. On receiving comments, the Board of the Network shall amend its opinion explaining whether the comments justify a change in its assessment. If the Board of the Network fails to send the draft opinion or to deliver its final opinion within the deadlines set above, the final opinion is deemed to be favourable. 6. In case of an unfavourable opinion of the Board of the Network, upon request of the Member State of establishment, the Board of the Member States, may issue a favourable opinion after re-assessing the application on the basis of the criteria and conditions set out in point 2 of Annex II to Delegated Decision 2014/286/EU. That favourable opinion shall accompany the application.’ |
(3) |
In Article 9, paragraph 1 is replaced by the following: ‘1. If a favourable opinion is issued in accordance with Article 8(5) or (6), the Commission shall appoint a body to assess the membership application which it accompanies.’ |
(4) |
In Chapter IV, the following Article 15a is inserted: ‘Article 15a Exchange of information and expertise among the Member States Member States are invited to exchange information and expertise within the Board of Member States in order to steer the development of the ERNs, provide guidance to the Networks and to the Member States and advise the Commission on matters related to the establishment of the Networks.’ |
(5) |
The following Article 16a is inserted: ‘Article 16a The Clinical Patient Management System 1. A Clinical Patient Management System (“CPMS”) for the electronic exchange of personal data of patients between healthcare providers authorised to access CPMS within the ERNs is hereby established. 2. The CPMS shall consist of a secure IT tool provided by the Commission for the sharing and hosting of patient data and for real and on-time communication on patient cases within the ERNs. 3. It shall include, inter alia, a medical image viewer, data reporting capabilities, custom datasets and it shall integrate adequate data protection safeguards in accordance with Annex I.’ |
(6) |
The following Article 16b is inserted: ‘Article 16b Personal data processed in the CPMS 1. Personal data of patients, which consist of name, gender, date and place of birth and other personal data necessary for the purpose of diagnosis and treatment shall be exchanged and processed within the ERNs exclusively through the CPMS. The processing shall be limited to the purposes of facilitating collaboration on the medical assessment of a patient file for diagnosis and treatment, of entering the data in registries and other databases for rare and low prevalence complex diseases, which serve scientific research, clinical or health policy purposes and of contacting potential participants for scientific research initiatives. It shall be based on a consent obtained in accordance with Annex IV. 2. The Commission shall be regarded as controller of processing of personal data related to the management of access rights and shall process these data on the basis of the explicit consent of the individuals identified by the healthcare providers as users and authorised by the relevant ERNs in so far as necessary to ensure that:
3. The Commission shall not access personal data of patients, unless it is strictly necessary to fulfil its obligations as a joint controller. 4. Only persons authorised by ERNs and belonging to the categories of staff and other individuals affiliated to the healthcare providers authorised to access CPMS may access personal data of patients in the CPMS. 5. The name of the patient, as well as the place and exact date of birth, shall be encrypted and pseudonymised in the CPMS. Other personal data necessary for the purpose of diagnosis and treatment shall be pseudonymised. Only pseudonymised data shall be available to CPMS users from other healthcare providers for panel discussions and assessment of patient files. 6. The Commission shall ensure the security of transfer and hosting of personal data. 7. Healthcare providers authorised to access CPMS shall delete data no longer necessary. Personal data of patients shall only be retained for as long as necessary in the interest of patient care, diseases' diagnosis or for the purpose of ensuring care within an ERN to the patients' family members. Every 15 years at the latest, each healthcare provider authorised to access CPMS shall review the need to keep the patients' data it is controller of. 8. The effectiveness of technical and organisational measures for ensuring the security of processing of personal data in the CPMS shall be regularly tested, assessed and evaluated by the Commission and by the healthcare providers authorised to access CPMS.’ |
(7) |
The following Article 16c is inserted: ‘Article 16c Joint controllership of patients' personal data processed through the CPMS (1) Each of the healthcare providers processing patients' data in the CPMS and the Commission shall be joint controllers of the processing of these data in the CPMS. (2) For the purposes of paragraph 1, responsibilities shall be allocated among joint controllers in accordance with Annex III. (3) Each of the joint controllers shall comply with relevant Union and national legislation to which the respective controller is subject.’ |
(8) |
Annex III is added, the text of which is set out in Annex I to this Decision. |
(9) |
Annex IV is added, the text of which is set out in Annex II to this Decision. |
Article 2
This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Done at Brussels, 26 July 2019.
For the Commission
The President
Jean-Claude JUNCKER
(2) Commission Implementing Decision 2014/287/EU of 10 March 2014 setting out criteria for establishing and evaluating European Reference Networks and their Members and for facilitating the exchange of information and expertise on establishing and evaluating such Networks (OJ L 147, 17.5.2014, p. 79).
(3) Commission Delegated Decision 2014/286/EU of 10 March 2014 setting out criteria and conditions that European Reference Networks and healthcare providers wishing to join a European Reference Network must fulfil (OJ L 147, 17.5.2014, p. 71).
(4) As referred to in recital 14 and point (7)(c) of Annex I of Delegated Decision 2014/286/EU and in the Statement of the Board of Member States of 10 October 2017, available at https://ec.europa.eu/health/sites/health/files/ern/docs/boms_affiliated_partners_en.pdf
(5) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(6) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
ANNEX I
‘ANNEX III
ALLOCATION OF RESPONSIBILITIES AMONG JOINT CONTROLLERS
1. |
The Commission shall be responsible for:
|
2. |
Each healthcare provider authorised to access CPMS shall be responsible for:
|
(1) Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission (OJ L 6, 11.1.2017, p. 40) and Commission Decision of 13 December 2017 laying down implementing rules for Articles 3, 5, 7, 8, 9, 10, 11, 12, 14, 15 of Decision (EU, Euratom) 2017/46 on the security of communication and information systems in the Commission (C(2017) 8841 final).
ANNEX II
‘ANNEX IV
Mandatory minimum requirements for the consent form to be provided by healthcare providers authorised to access CPMS
1. |
The consent form shall describe the legal basis and lawfulness of processing, concept and purpose of the European Reference Networks (ERNs) established by Directive 2011/24/EU on the application of patients' rights in cross-border healthcare. It shall inform about the specific processing operations and the respective rights of the data subject in accordance with applicable data protection legislation. It shall explain that Networks are constituted of Members that are highly specialised healthcare providers, with the purpose to allow healthcare professionals to work together to support patients with rare or low prevalence complex diseases or conditions that need highly specialised healthcare. |
2. |
The consent form shall request the patient's explicit consent for sharing her/his personal data with one or more ERNs, with the sole purpose to improve her/his access to diagnosis and treatment and the provision of high-quality healthcare. To that end, it shall explain that:
|
3. |
The consent form may also request the patient's additional consent to her/his data being entered in registries or other databases for rare and low prevalence complex diseases, which serve scientific research, clinical or policy purposes. If consent is requested for this purpose, the consent form shall describe the concept and purpose of rare disease registries or databases and explain that:
|
4. |
The consent form may also request the patient's additional consent to being contacted by a Network Member who believes the patient could be suitable for a scientific research initiative, a specific scientific research project or parts of a scientific research project. If consent is requested for this purpose, the consent form shall explain that giving at this stage the consent to be contacted for scientific research purposes does not mean giving the consent for the patient's data to be used for a specific scientific research initiative, neither does it mean that the patient will in any event be contacted in connection with, or that the patient will be part of, a specific scientific research project and that:
|
5. |
The consent form shall explain the rights of the patient as regards her/his respective consent(s) to share personal data and in particular provide the information that the patient:
|
6. |
The consent form shall inform the patient that the healthcare provider will keep the personal data only for as long as necessary for the purposes to which the patient consented, with a review of the necessity of storing specific patient's personal data in the CPMS at least every 15 years. |
7. |
The consent form shall inform the patient about the identity and the contact details of the controllers, clearly specifying that the contact point to exercise the patient's rights is the particular healthcare provider authorised to access CPMS, about the contact details of the data protection officers, and where applicable, about available remedies related to data protection, and provide the contact details of the National Data Protection Authority. |
8. |
The consent form shall record separately the individual consent for each of the three different forms of data sharing in a specific, explicit and unambiguous way:
|