This document is an excerpt from the EUR-Lex website

Document 32018R0573

Commission Delegated Regulation (EU) 2018/573 of 15 December 2017 on key elements of data storage contracts to be concluded as part of a traceability system for tobacco products (Text with EEA relevance)

C/2017/8415

OJ L 96, 16.4.2018, p. 1–6 (BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

In force

ELI: http://data.europa.eu/eli/reg_del/2018/573/oj

16.4.2018   

EN

Official Journal of the European Union

L 96/1


COMMISSION DELEGATED REGULATION (EU) 2018/573

of 15 December 2017

on key elements of data storage contracts to be concluded as part of a traceability system for tobacco products

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Directive 2014/40/EU of the European Parliament and of the Council of 3 April 2014 on the approximation of the laws, regulations and administrative provisions of the Member States concerning the manufacture, presentation and sale of tobacco and related products and repealing Directive 2001/37/EC (1), and in particular Article 15(12) thereof,

Whereas:

(1) Article 15(8) of Directive 2014/40/EU requires each manufacturer and importer, as part of the traceability system for tobacco products, further specified in Commission Implementing Regulation (EU) 2018/574 (2), to conclude a contract with an independent third-party provider for the purpose of hosting information related to its tobacco products. Article 15(12) of Directive 2014/40/EU empowers the Commission to define the key elements of those contracts.

(2) To ensure the effective functioning of the traceability system for tobacco products in general and the interoperability of the repositories system in particular, it is appropriate to lay down the key elements of the data storage contracts, to include specifications relating to the operability, availability and performance of the services to be provided by data storage providers. The effective and continuous functioning of the traceability system and the data storage system contained therein makes it necessary that clear requirements on data portability are put in place by providers for cases where a manufacturer or importer decides to change its provider. For that reason, the contracts should include provisions requiring the use of technology that is readily available on the market and commonly used in the sector to guarantee an effective and uninterrupted data transfer between current and new providers.

(3) In order to ensure the necessary level of flexibility, it should be possible to request the data storage provider to carry out, against a fee, ancillary technical services connected with the operation of the primary repository such as the expansion of the operational functionality of user interfaces, provided that the additional services contribute to the proper functioning of the repositories system and do not violate any of the requirements laid down in Implementing Regulation (EU) 2018/574. Therefore, the contract should provide for such an option.

(4) To safeguard the independent operation of the traceability system at all times, the Commission should be able to revoke the approval of an already contracted data storage provider where an assessment or reassessment of the technical capacity or independence of the provider results in an adverse finding as regards its suitability.

(5) In order to ensure the effective organisation of the day-to-day functioning of the system, providers of primary repositories should cooperate with one another, as well as with the competent authorities of Member States and the Commission.

HAS ADOPTED THIS REGULATION:

Article 1

Subject matter

This Regulation sets out key elements to be included in the data storage contracts referred to in Article 15(8) of Directive 2014/40/EU.

Article 2

Definitions

For the purpose of this Regulation, in addition to the definitions laid down in Directive 2014/40/EU and Implementing Regulation (EU) 2018/574, the following definitions shall apply:

(1) ‘contract’ means a contractual agreement between a manufacturer or importer of tobacco products and a provider of data storage systems in accordance with Article 15(8) of Directive 2014/40/EU and Implementing Regulation (EU) 2018/574;

(2) ‘provider’ means any legal person contracted by a manufacturer or importer of tobacco products for the purpose of establishing and operating its primary repository and the related services;

(3) ‘data portability’ means the ability to move data among different repositories, by the use of technology that is readily available on the market and commonly used in the sector.

Article 3

Key responsibilities under the contract

1.   The contract shall specify the key services to be rendered by the provider, which shall include:

(1) the establishment and operation of a primary repository in accordance with Article 26 of Implementing Regulation (EU) 2018/574;

(2) in the case the operator of the primary repository is appointed as provider of the secondary repository, the establishment and operation of the secondary repository and the router, in accordance with Articles 27, 28 and 29 of Implementing Regulation (EU) 2018/574;

(3) the provision, upon request, of other ancillary technical services connected with the operation of the primary repository that contribute to the proper functioning of the repositories system.

2.   In defining the key services referred to in points (1) and (2) of paragraph 1, the contract shall contain specifications relating to the operability, availability and performance of the services meeting the minimum requirements specified in this Regulation and laid down in Chapter V of Implementing Regulation (EU) 2018/574.

Article 4

Technical expertise

The contract shall require providers to issue to the manufacturer or importer a written declaration that they hold, or have at their disposal, the technical and operational expertise necessary to carry out the services referred to in Article 3 and to comply with the requirements laid down in Chapter V of Implementing Regulation (EU) 2018/574.

Article 5

Availability of the primary repository

1.   The contract shall specify a guaranteed monthly uptime and availability of 99,5 % for the primary repository.

2.   The contract shall require that appropriate back-up mechanisms are put in place by the provider to prevent any loss of data that is stored, received or transferred at the time the primary repository becomes unavailable.

Article 6

Access rights

The contract shall specify the requirements for physical and virtual access to be granted, at server and database level, to national administrators of Member States, the Commission, and appointed external auditors to the primary repository, in accordance with Article 25 of Implementing Regulation (EU) 2018/574.

Article 7

Sub-contracting

1.   Where the contract specifies that the provider may subcontract certain obligations under the contract, it shall contain a provision clarifying that the subcontract does not affect the primary responsibility of the provider for the performance of the contract.

2.   The contract shall further require the provider:

(a) to ensure that the proposed subcontractor has the necessary technical expertise and meets the requirements of independence laid down in Article 35 of Implementing Regulation (EU) 2018/574.

(b) to submit to the Commission a copy of the declaration referred to in Article 8 of this Regulation signed by the respective sub-contractor(s).

Article 8

Legal and financial independence

The contract shall require providers and, where applicable, their sub-contractors, to issue to the manufacturer or importer, together with the data storage contract, a written declaration that they comply with the requirements for legal and financial independence as laid down in Article 35 of Implementing Regulation (EU) 2018/574.

Article 9

Data protection and confidentiality

1.   The contract shall specify that the provider shall put in place all appropriate measures necessary to ensure the confidentiality, integrity and availability of all data stored in the performance of the contract. Such measures shall include administrative, technical and physical safety and security controls.

2.   The contract shall require that personal data handled under the contract are processed in accordance with Directive 95/46/EC of the European Parliament and of the Council (3).

Article 10

Information security management

The contract shall require providers to declare that the primary repository and, where applicable, the second repository, is managed in accordance with internationally recognised information security management standards. Providers certified to ISO/IEC 27001:2013 shall be presumed to meet those standards.

Article 11

Costs

The contract shall require the costs charged by providers to manufacturers or importers in accordance with Article 30 of Implementing Regulation (EU) 2018/574 to be fair, reasonable, and proportionate to:

(a) the services rendered; and

(b) the number of unique identifiers requested over a given period of time by the manufacturer or importer concerned.

Article 12

Participation in secondary repository system

1.   The contract shall require the provider to participate in the establishment of the secondary repository system (where the secondary system has not yet been established at the date of the conclusion of the contract) as may be required in accordance with the rules provided for in Chapter V of Implementing Regulation (EU) 2018/574.

2.   The contract shall contain a provision that allows for providers to recover from manufacturers and importers of tobacco products the costs arising in connection with the establishment, operation and maintenance of the secondary repository and the router referred to in Chapter V of Implementing Regulation (EU) 2018/574.

Article 13

Duration

The duration of the contract shall be fixed for a minimum of five years with a possibility of renewal subject to agreement of the Parties and the continuing compliance of the provider with the requirements of Directive 2014/40/EU and Implementing Regulation (EU) 2018/574.

Article 14

Communication with other parties

The contract shall require providers to cooperate with one another, as well as with the competent authorities of Member States, to the extent necessary to ensure the effective organisation of the day-to-day functioning of the repositories system.

Article 15

Audits

1.   The contract shall lay down terms enabling external auditors approved by the Commission, in accordance with Article 15(8) of Directive 2014/40/EU, to carry out announced and unannounced audits in relation to the primary repository, and, where applicable, the secondary repository, including an assessment of whether the provider and, if applicable, its sub-contractors comply with the relevant legislative requirements.

2.   The contract shall specify that external auditors are granted unrestricted physical and virtual access to the primary repository and, where applicable, the secondary repository, and its related services for the duration of the audit.

Article 16

Liability

The contract shall lay down terms detailing the liability of the parties including with respect to direct and indirect damages that may arise under the contract, in accordance with the applicable law. Without prejudice to the applicable law, the contract shall further specify that no limitation of liability exists in case of breach of confidentiality or breach of data protection rules.

Article 17

Termination of contract

1.   The contract shall lay down terms regarding the termination of the contract, in accordance with the applicable law. In the case of termination, the contract shall require the terminating Party to notify the Commission, in accordance with the procedural requirements laid down in Annex I to Implementing Regulation (EU) 2018/574.

2.   The contract shall require parties to provide a minimum notice period of five months for the termination of the contract.

By derogation to the first subparagraph, the contract shall require manufacturers and importers to terminate the contract immediately:

(a) in the event of a serious breach by the provider of its obligations under the contract,

(b) where the provider becomes, or is in imminent risk of becoming, insolvent under the applicable law.

3.   For the purposes of paragraph 2(a) a serious breach shall include:

(a) the failure by the provider to carry out obligations or to perform services provided for under the contract that are critical to the effective functioning of the traceability system, including in particular, the failure to comply with requirements laid down in Chapter V of Implementing Regulation (EU) 2018/574,

(b) where a provider ceases to comply with the requirements for legal and financial independence laid down in Article 35(2) of Implementing Regulation (EU) 2018/574 and where, by the expiry of the time-period referred to in Article 35(6) of Implementing Regulation (EU) 2018/574, compliance with the requirements could not be established.

Article 18

Suspension of services

The contract shall specify that suspension of services in case of late payments by a manufacturer or importer to the provider shall be prohibited, unless the delay exceeds the final payment deadline by thirty days or more.

Article 19

Data portability

1.   The contract shall require providers to ensure full data portability in cases where a manufacturer or importer contracts a new provider to operate its primary repository. The current provider shall deliver to the new provider, prior to the date of termination of the contract, an up-to-date copy of all data stored in the primary repository. Any updates to the data after that delivery shall be migrated to the new provider without undue delay.

2.   In order to ensure business continuity, the contract shall include an applicable exit plan laying down the procedure to be followed in case of the termination of the contract and a new provider is contracted by the manufacturer or importer. The plan shall include a requirement for the current provider to continue providing its services until the new provider becomes operational.

3.   The contract shall contain provisions ensuring that the current provider has no right of retention with respect to any data, information or other necessary material related to the primary repository after they have been delivered to the new provider.

Article 20

Applicable law and jurisdiction

1.   The contract shall be governed by the laws of one of the Member States of the European Union, as agreed by the parties to the contract.

2.   The contract shall be subject to the jurisdiction of one of the Member States of the European Union, as agreed by the parties to the contract.

Article 21

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 15 December 2017.

For the Commission

The President

Jean-Claude JUNCKER


(1)  OJ L 127, 29.4.2014, p. 1.

(2)  Commission Implementing Regulation (EU) 2018/574 of 15 December 2017 on technical standards for the establishment and operation of a traceability system for tobacco products (see page 7 of this Official Journal).

(3)  Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).

