This document is an excerpt from the EUR-Lex website
Document 32025R1467
Commission Implementing Regulation (EU) 2025/1467 of 18 July 2025 laying down rules for the application of Regulation (EU) 2024/1938 of the European Parliament and of the Council as regards the technical specifications for the EU SoHO Platform to exchange information concerning substances of human origin intended for human application
Commission Implementing Regulation (EU) 2025/1467 of 18 July 2025 laying down rules for the application of Regulation (EU) 2024/1938 of the European Parliament and of the Council as regards the technical specifications for the EU SoHO Platform to exchange information concerning substances of human origin intended for human application
Commission Implementing Regulation (EU) 2025/1467 of 18 July 2025 laying down rules for the application of Regulation (EU) 2024/1938 of the European Parliament and of the Council as regards the technical specifications for the EU SoHO Platform to exchange information concerning substances of human origin intended for human application
C/2025/4757
OJ L, 2025/1467, 21.7.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/1467/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)
In force
|
Official Journal |
EN L series |
|
2025/1467 |
21.7.2025 |
COMMISSION IMPLEMENTING REGULATION (EU) 2025/1467
of 18 July 2025
laying down rules for the application of Regulation (EU) 2024/1938 of the European Parliament and of the Council as regards the technical specifications for the EU SoHO Platform to exchange information concerning substances of human origin intended for human application
(Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2024/1938 of the European Parliament and of the Council of 13 June 2024 on standards of quality and safety for substances of human origin intended for human application and repealing Directives 2002/98/EC and 2004/23/EC (1), and in particular Article 74(4), first subparagraph, thereof,
Whereas:
|
(1) |
Regulation (EU) 2024/1938 requires the Commission to establish, manage and maintain a digital platform to facilitate efficient and effective exchange of information concerning substances of human origin (SoHO) activities in the Union (the ‘EU SoHO Platform’). |
|
(2) |
Regulation (EU) 2024/1938 provides for the processing of personal data, including data concerning health, exchanged through the EU SoHO Platform, where necessary, in the interest of public health and for the purposes of helping to identify, evaluate and manage risks associated with a particular SoHO donation or SoHO donor, including pseudonymised donor identification in the case of rapid alerts, and for the processing of relevant information on clinical-outcome monitoring, including pseudonymised clinical data provided in support of SoHO preparation authorisations. |
|
(3) |
As sensitive personal data, including data concerning health, may be exchanged through the EU SoHO Platform, the Platform should provide a secure channel for restricted exchange of information and data. |
|
(4) |
Personal data should be stored on the EU SoHO Platform for a limited period. As some diseases can have a long incubation time and may cause symptoms after 25 to 30 years (e.g. Creutzfeldt–Jakob disease), it is necessary to apply a retention period of 30 years after donation or human application for personal data related to the safety, quality and effectiveness of SoHO. |
|
(5) |
In order to ensure good administration and sufficient transparency of SoHO supervisory activities and SoHO activities, the personal data of authorised actors should be retained for up to 5 years from the date that they no longer operate as authorised actors. |
|
(6) |
To ensure the ability to verify whether the SoHO Coordination Board acted in an independent and impartial manner, including in the event of complaints or litigation, the personal data of the SoHO Coordination Board members and alternates should be retained for up to 15 years from the date on which the member or alternate no longer participates in the SoHO Coordination Board. |
|
(7) |
In order to ensure the safety and security of personal data processed through the EU SoHO Platform, the Commission should put in place and keep up to date state-of-the-art technical and organisational measures, including data access control. |
|
(8) |
In order to facilitate efficient and effective exchange of information concerning SoHO activities in the Union through the EU SoHO Platform, its user interface should be provided in English as the commonly understood language in the field of SoHO. SoHO entities, SoHO competent authorities, Member States, the SoHO Coordination Board and the Commission should exchange information of cross-border interest through the EU SoHO Platform in that commonly understood language in the field of SoHO. |
|
(9) |
As Regulation (EU) 2024/1938 applies from 7 August 2027, the application of this act should commence on the same date. |
|
(10) |
The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (2) and delivered an opinion on 3 June 2025. |
|
(11) |
The measures provided for in this Regulation are in accordance with the opinion of the Committee established by Article 79(1) of Regulation (EU) 2024/1938, |
HAS ADOPTED THIS REGULATION:
Article 1
Definitions
For the purpose of this Regulation, the following definitions shall apply:
|
(1) |
‘actor’ means a natural person who registers a SoHO entity on the EU SoHO Platform after authentication; |
|
(2) |
‘authorised actor’ means a natural person who, after authentication, has been granted access to the EU SoHO Platform to perform actions in accordance with the access rights assigned to the person’s profile and who acts on behalf of a Member State, a SoHO national authority, a SoHO competent authority, the SoHO Coordination Board, a SoHO entity, the Commission, the European Centre for Disease Prevention and Control (ECDC) or the European Directorate for the Quality of Medicines & HealthCare (EDQM); |
|
(3) |
‘local administrator’ means an authorised actor who has the right to grant access to the EU SoHO Platform to other actors or authorised actors within the same Member State, SoHO national authority, SoHO competent authority or SoHO entity. |
Article 2
Maintenance and use of the EU SoHO Platform
1. The Commission shall maintain and optimise the EU SoHO Platform to carry out the tasks referred to in Article 73 of Regulation (EU) 2024/1938.
2. Actors and authorised actors shall use the platform to comply with the requirements laid down in Articles 4(2), 5(5), 9(4), 16, 17(2), (5) to (7), 19(1), (3) and (10), 21(4) and (5), 25(1), (2) and (6), 27(7), 31 to 35, 37(2), 41(2) and (4), 54(3), 56(4), 63(3) point (e), 64(3), 65(3), 68(3) and (4), 69(1), 71 to 74, 76, 81, 82 and 86 of Regulation (EU) 2024/1938.
Article 3
Accessibility, modules and functionalities of the EU SoHO Platform
1. The EU SoHO Platform shall be accessible via a dedicated website.
2. The EU SoHO Platform shall provide at least the modules and functionalities listed in Annex I.
Article 4
Access of actors, authorised actors and local administrators
1. The access of actors to the EU SoHO Platform shall be controlled via an authentication tool.
The access of authorised actors to the EU SoHO Platform shall be controlled via an authentication tool and an authorisation tool.
The authentication tool and the authorisation tool shall ensure that actors and authorised actors have the appropriate access rights for the EU SoHO Platform and the proper permissions to perform actions on the EU SoHO Platform.
Following authentication, actors shall have access to the registration module of the EU SoHO Platform for the registration of a SoHO entity.
2. The Commission shall be responsible for granting, suspending or revoking the access rights of local administrators for the EU SoHO Platform.
3. Local administrators shall manage the access rights of actors and authorised actors for the EU SoHO Platform by granting, suspending or revoking those access rights.
4. Member States shall define the appropriate level of access of authorised actors acting on their behalf for the EU SoHO Platform in accordance with national law.
Article 5
Access of the general public
1. The general public shall be able to view on the EU SoHO Platform the publicly available information referred to in Article 71(5), point (d), Article 74(3) and, without prejudice to national legislation and if the Member State so decides, information referred to in Article 75(5) of Regulation (EU) 2024/1938.
2. No registration, authentication or authorisation shall be required to access the publicly available information referred to in paragraph 1.
3. The general public shall be able to perform searches on the publicly available information referred to in paragraph 1.
Article 6
Responsibilities for recording and verifying the accuracy of information exchanged through the EU SoHO Platform
1. Actors and authorised actors shall ensure that the information entered by them into the EU SoHO Platform is complete and accurate, and respects the format and specifications defined by the SoHO Coordination Board.
2. SoHO competent authorities shall be responsible for recording and verifying the accuracy of the information on authorised SoHO establishments and SoHO preparations. SoHO competent authorities shall also be responsible for keeping this information up to date, and consistent with their national registry of SoHO entities when such registry is established outside the EU SoHO Platform.
3. The Commission shall safeguard the safety and security of all data stored on the EU SoHO Platform using security protocols and connectivity rules from non-proprietary open standards established by international standards bodies or organisations.
Article 7
Data submission
Data shall be deemed to have been submitted to the EU SoHO Platform at the date when the data is successfully registered on the EU SoHO Platform.
Article 8
Protection of personal data
1. Personal data, including data concerning health, pseudonymised when necessary, shall be processed through the EU SoHO Platform for the purpose of complying with the obligations set out in Article 76(1) to (5) of Regulation (EU) 2024/1938.
2. The categories of personal data to be processed, and their retention periods, are listed in Annex II. The Commission shall be responsible for deleting all personal data collected on the EU SoHO Platform when the retention period has expired.
3. The local administrator shall be responsible for the management of the personal data of the authorised actors under its responsibility. The local administrator shall, at any time after the upload of the personal data of authorised actors to the EU SoHO Platform, rectify or erase personal data which is inaccurate or no longer up to date.
Article 9
Safety and security of personal data
The Commission shall put in place measures to safeguard the safety and security of personal data, including data concerning health, processed through the EU SoHO Platform. Such measures shall include prevention of unauthorised access, reading, copying, modification or deletion of personal data, and shall ensure that authorised actors have access only to data covered by their access authorisation and that it is possible to verify and establish what data has been created, modified or deleted, by which authorised actor and at what time.
Article 10
Technical and administrative support
1. The Commission shall set up a support team to provide timely assistance to actors and authorised actors of the EU SoHO Platform, reachable via a dedicated functional mailbox.
2. The Commission shall make specific manuals available on the EU SoHO Platform to actors and authorised actors.
Article 11
Contingency arrangements in case of prolonged failure or unavailability of the EU SoHO Platform
1. The Commission, in collaboration with the SoHO national authorities, shall develop detailed contingency arrangements to be applied in cases of prolonged failure or unavailability of the EU SoHO Platform or any of its modules or functionalities for reasons outside the Commission’s control.
2. The detailed contingency arrangements shall describe the procedures to be followed to ensure continuity of the regulatory processes supported by the EU SoHO Platform using appropriate alternative electronic means.
Article 12
Information technology security
1. Where the Commission suspects that an information technology (IT) security incident, IT security risk or IT security threat occurred, which it considers as potentially harmful for the EU SoHO Platform, its data or the confidentiality of its data, the Commission may suspend all access to the EU SoHO Platform and inform the SoHO national authorities.
2. An actor or authorised actor who becomes aware of or suspects an IT security incident, IT security risk or IT security threat, shall immediately inform the Commission and the SoHO national authority thereof.
Article 13
Language requirements
1. The user interface of the EU SoHO Platform shall be provided in English.
2. Member States, SoHO competent authorities, SoHO Coordination Board, the Commission and SoHO entities shall use English, as the commonly understood language in the field of SoHO, for all information, data and documents exchanged through the EU SoHO Platform, when appropriate.
Article 14
Entry into force and application
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
It shall apply from 7 August 2027.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 18 July 2025.
For the Commission
The President
Ursula VON DER LEYEN
(1) OJ L, 2024/1938, 17.7.2024, ELI: http://data.europa.eu/eli/reg/2024/1938/oj.
(2) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).
ANNEX I
MODULES AND FUNCTIONALITIES
The EU SoHO platform shall provide at least the following modules and functionalities:
|
(1) |
a module on the registration of SoHO entities and authorisation of SoHO establishments that allows:
|
|
(2) |
a module on the compendium of authorised SoHO preparations and the compendium of approved clinical studies on SoHO preparations that allows:
|
|
(3) |
a module on the SoHO Coordination Board membership and a compendium of advice that:
|
|
(4) |
a module on vigilance reporting and rapid alerts that allows:
|
|
(5) |
an activity data module that allows:
|
|
(6) |
a module on guidelines for implementation of standards that allows:
|
|
(7) |
a collaboration module that:
|
|
(8) |
a publication module that consists of:
|
ANNEX II
CATEGORIES OF PERSONAL DATA TO BE PROCESSED AND THEIR RETENTION PERIODS
The following categories of personal data shall be processed through the EU SoHO Platform:
|
(1) |
personal data identifying authorised actors and responsible persons for SoHO entities:
|
|
(2) |
personal data, including data concerning health, exchanged through the EU SoHO Platform and required for the application of Articles 73 and 74 of Regulation (EU) 2024/1938, taking account of Article 76 thereof:
|
|
(3) |
personal data identifying SoHO Coordination Board members and alternates:
|
ELI: http://data.europa.eu/eli/reg_impl/2025/1467/oj
ISSN 1977-0677 (electronic edition)