COMMISSION IMPLEMENTING DECISION (EU) …/…

of XXX

amending Implementing Decision 2014/287/EU setting out criteria for establishing and evaluating European Reference Networks and their Members and for facilitating the exchange of information and expertise on establishing and evaluating such Networks

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare 1 and in particular Article 12(4)(b) and (c) thereof,

Whereas:

(1)Commission Implementing Decision 2014/287/EU 2 sets out criteria for establishing and evaluating European Reference Networks and their Members and for facilitating the exchange of information and expertise on establishing and evaluating those Networks. Article 6 of that Decision invited Member States to set up a Board of Member States with a view to deciding whether or not to approve proposals for Networks, their membership and termination. The Member States set up the Board of Member States, which subsequently approved 23 European Reference Networks in December 2016 and one in February 2017. All Networks commenced activities in 2017.

(2)To increase the efficiency of the European Reference Networks, the Board of Member States should become the forum for exchanging information and expertise in order to steer the development of the European Reference Networks, provide guidance to the Networks and to the Member States and advise the Commission on matters related to the establishment of the Networks. The Board should also promote the discussion with other relevant EU fora (such as the eHealth Network or the Steering Group on Health Promotion, Disease Prevention and Management of Non-Communicable Diseases) on areas of common interest.

(3)The current experience of the 24 existing European Reference Networks has shown that to ensure an effective functioning of each Network, its Members should closely cooperate in performing their tasks, such as exchanging health data concerning patients' diagnoses and treatment in an efficient and secure manner, carrying out research activities and developing medical guidelines. Close cooperation requires mutual trust among the Members of each Network and mutual recognition in particular of their expertise and competence, of the quality of their clinical care as well as of their specific human, structural and equipment resources as provided for under point 2 of Annex II to Commission Delegated Decision 2014/286/EU 3 .

(4)Mutual trust and recognition by peers are equally important where healthcare providers wish to join an existing Network as they guarantee the right pre-conditions for future cooperation within the Network. A favourable opinion on the draft membership application by the Board of the Network that the healthcare provider wishes to join, following a peer review carried out by the Network on the basis of the criteria and conditions set out in point 2 of Annex II to Delegated Decision 2014/286/EU, should therefore accompany such application when it is submitted by the healthcare provider to the Commission. In order to allow the healthcare provider express its views on the opinion of the Board of the Network, the healthcare provider should be permitted to submit comments on the draft opinion within a period of one month from the date of receipt of that opinion.

(5)Reasonable deadlines should be set out for the Board of the Network as regards the draft and final opinion. In case the healthcare provider submits comments on the Network's draft opinion, the four-month deadline for delivering the final opinion should be extended by one month in order to allow the Board of the Network to take into account the comments received. For reasons of legal certainty, if the Board of the Network fails to send the draft opinion or deliver the final opinion within the deadlines set, the final opinion should be deemed favourable.

(6)If a membership application receives an unfavourable opinion by the Board of the Network that the healthcare provider wishes to join, while having received the endorsement in the form of a written statement from the healthcare provider's Member State of establishment, the Member State of establishment should have the possibility of requesting the Board of Member States to decide, on the basis of the criteria and conditions set in point 2 of Annex II to Delegated Decision 2014/286/EU, whether the application can nevertheless be submitted to the Commission.

(7)In order to support health professionals across the European Reference Networks to collaborate remotely in the diagnosis and treatment of patients with rare or low prevalence complex diseases or conditions across national borders and to facilitate scientific research of such diseases or conditions, the Commission developed a Clinical Patient Management System for European Reference Networks (‘CPMS’) with the aim of facilitating the establishment and functioning of the European Reference Networks as provided for in point (c) of paragraph 4 of Article 12 of Directive 2011/24/EU.

(8)The CPMS should provide a common infrastructure for health professionals to collaborate within the European Reference Networks in the diagnosis and treatment of patients with rare or low prevalence complex diseases or conditions. It should provide the means through which the exchange of information and expertise on such diseases takes place within the European Reference Networks in the most effective way.

(9)The CPMS should therefore consist of a secure IT infrastructure providing a common interface where healthcare providers can exchange information within the Networks on the concerned patients with the aim of facilitating their access to safe and high quality healthcare and promoting effective cooperation on healthcare between Member States by facilitating the exchange of relevant information.

(10)In order to guarantee compliance with data protection rules and ensure the use of an effective and secured environment for the exchange of personal data of patients between healthcare providers within the European Reference Networks for the purposes referred to in paragraph 2 of Article 12 of Directive 2011/24/EU, such exchange should take place only through the CPMS. The healthcare providers are responsible for ensuring the security of the data they process outside of the CPMS with the aim of entering them into the CPMS, as well as of the data that are not entered into the CPMS but are processed by them in relation with the CPMS (such as consent forms) or of the data downloaded by them from the CPMS and processed outside of the CPMS.

(11)The CPMS processes sensitive data concerning patients suffering from rare or low prevalence complex diseases. These data are processed solely for the purpose of facilitating patients’ diagnosis and treatment, for the establishment of rare diseases registries or databases and for contacting potential participants for scientific research. Healthcare providers within the European Reference Networks should be able to process the patients’ data in the CPMS once they have obtained the patients’ informed and free consent about three possible uses of their data (medical assessment of the file for advice on diagnosis and treatment, entering the data in rare diseases registries or databases and possibility for the patients to be contacted for a research initiative). The consent should be obtained separately for each of these three purposes. This decision should lay down the purposes and the safeguards for the processing of such data in the CPMS. In particular, the Commission should provide for the general features of the CPMS in relation to each Network, should provide and maintain the IT infrastructure required to that end and should ensure its technical functioning and security. In line with the principle of data minimisation, the Commission should only process personal data strictly necessary in order to ensure the administration of the CPMS in relation to each Network and therefore should not access clinical data of patients exchanged in the ERNs.

(12)This Implementing Decision should only apply to processing of personal data, in particular contact details and health data, within the European Reference Networks, which takes place in the CPMS.

(13)Article 26 of Regulation (EU) No 2016/679 of the European Parliament and of the Council 4 and Article 28 of Regulation (EU) 2018/1725 5 place an obligation on joint controllers of personal data processing operations to determine, in a transparent manner, their respective responsibilities for compliance with the obligations under that Regulation. It also provides for the possibility to have those responsibilities determined by Union or Member State law to which the controllers are subject.

(14)Implementing Decision 2014/287/EU should therefore be amended accordingly.

(15)The measures provided for in this Decision are in accordance with the opinion of the Committee set up under Article 16 of Directive 2011/24/EU,

HAS ADOPTED THIS DECISION:

Article 1

Implementing Decision 2014/287/EU is amended as follows:

(1)The following Article 1a is inserted:

"Article 1a
Definitions

For the purposes of this Implementing Decision the following definitions shall apply:

(a)"European Reference Networks’ Coordinator" means the person appointed as the Coordinator of the Network by the Member of a European Reference Network chosen as the coordinating Member as referred to in recital 3 and Article 4 of Delegated Decision 2014/286/EU;

(b)"Board of the Network" means a body responsible for the governance of the Network, composed of representatives from each Member in the Network as referred to in recital 3 and point (1)(b)(ii) of Annex I to Delegated Decision 2014/286/EU."

(2)In Article 8, paragraph 3 is replaced by the following:

"3.The membership application shall be accompanied by:

(a)a written statement from the healthcare provider’s Member State of establishment certifying that its participation in the Network is in accordance with the Member State’s national legislation;

(b)a favourable opinion on the draft application, issued by the Board of the Network following a peer review carried out by the Network on the basis of the criteria and conditions set out in point 2 of Annex II to Delegated Decision 2014/286/EU; or

(c)in case of an unfavourable opinion of the Board of the Network, a favourable decision of the Board of the Member States issued on the basis of the criteria and conditions set out in point 2 of Annex II to Delegated Decision 2014/286/EU upon request of the Member State of establishment.

The Board of the Network shall deliver the opinion referred to in point (b) within four months from the submission of the draft application. Before delivering the opinion and within three months of receiving the draft application, the Board of the Network shall send a draft opinion to the applicant healthcare provider which may send comments to the Network within one month of receiving the draft opinion. In case the Board of the Network receives comments, the deadline for the delivery of the opinion is extended by one month. On receiving comments, the Board of the Network shall amend its opinion explaining whether the comments justify a change in its evaluation. If the Board of the Network fails to send the draft opinion or delivers its final opinion within the deadlines set above, the final opinion is deemed to be favourable."

(3)In Chapter IV, the following Article 15a is inserted:

“Article 15a
Exchange of information and expertise among the Member States

Member States are invited to exchange information and expertise within the Board of Member States in order to steer the development of the European Reference Networks, provide guidance to the Networks and to the Member States and advise the Commission on matters related to the establishment of the Networks.”

(4)The following Article 16a is inserted:

"Article 16a
The Clinical Patient Management System

(1)A Clinical Patient Management System (‘CPMS’) for the exchange of personal data of patients within the European Reference Networks is hereby established.

(2)The CPMS shall consist of a web-based tool for the sharing and hosting of patient data within the European Reference Networks provided by the Commission."

(5)The following Article 16b is inserted:

"Article 16b
Personal data processed in the CPMS

(1)Personal data of patients which consist in name, surname, date and place of birth and personal data necessary for the purpose of diagnosis and treatment shall be exchanged and processed within the European Reference Networks exclusively through the CPMS. The processing shall be limited to the purposes of facilitating collaboration on the medical assessment of a patient file for diagnosis and treatment, of establishing rare diseases registries or databases and of contacting potential participants for scientific research.

(2)The Commission shall process personal data in so far as necessary to ensure that

(a)access rights are granted to individuals identified by the healthcare providers as users and authorised by the relevant European Reference Network,

(b)these individuals may exercise their rights and fulfil their obligations, and

(c)it can fulfil its obligations as a controller or a joint controller.

(3)The Commission shall be regarded as controller of processing of personal data relating to the management of access rights.

(4)Without prejudice to point (c) of paragraph (2), the Commission shall not access personal data of patients. 

(5)Only persons authorised by European Reference Networks and belonging to the categories of staff and other individuals affiliated to the healthcare providers may access personal data of patients in the CPMS.

(6)Personal data of patients shall be pseudonymised when first entered into the CPMS. Only pseudonymised data shall be available to CPMS users from other healthcare providers for panel discussions and assessment of patient files.

(7)The Commission shall ensure the security of transfer and hosting of personal data.

(8)Personal data of patients shall only be retained for as long as necessary in the interest of patient care, diseases' diagnosis or for the purpose of ensuring care to the patients' family members. Every fifteen years at the latest each healthcare provider shall review the need to keep the patient's data it is controller of. Healthcare providers shall delete data no longer necessary.

(9)The effectiveness of technical and organisational measures for ensuring the security of processing of personal data in the CPMS shall be regularly tested, assessed and evaluated by the Commission and by the healthcare providers processing patients’ data in the CPMS."

(6)The following Article 16c is inserted

“Article 16c
Joint controllership of patients’ personal data processed through the CPMS 

(1)Each of the healthcare providers processing patients’ data in the CPMS and the Commission shall be joint controllers of the processing of these data in the CPMS.

(2)For the purposes of paragraph 1, responsibilities shall be allocated among joint controllers in accordance with Annex III.

(3)Each of the joint controllers shall comply with relevant Union and national legislation to which the controller is subject."

(7)Annex III is added, the text of which is set out in Annex I to this Decision.

(8)Annex IV is added, the text of which is set out in Annex II to this Decision.

Article 2

This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Done at Brussels,

(1)    OJ L 88, 4.4.2011, p. 45.

(2)    Commission Implementing Decision 2014/287/EU of 10 March 2014 setting out criteria for establishing and evaluating European Reference Networks and their Members and for facilitating the exchange of information and expertise on establishing and evaluating such Networks (OJ L 147, 17.5.2014, p. 79).

(3)    Commission Delegated Decision 2014/286/EU of 10 March 2014 setting out criteria and conditions that European Reference Networks and healthcare providers wishing to join a European Reference Network must fulfil (OJ L 147, 17.5.2014, p. 71).

(4)    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(5)    Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC

ANNEX I

ANNEX III

ALLOCATION OF RESPONSIBILITIES AMONG JOINT CONTROLLERS

1.The Commission shall be responsible for

(i)the setting up, operation and administration of the CPMS;

(ii)providing, where necessary, the technical means to the healthcare providers to enable patients to exercise their rights through the CPMS in accordance with Regulation (EU) 2018/1725 1 and responding and attending to the requests of data subjects where so required by applicable legislation;

(iii)ensuring that the CPMS complies with the requirements applicable to Commission's communication and information systems 2 ;

(iv)defining and implementing the technical means to enable patients to exercise their rights in accordance with Regulation (EU) 2018/1725;

(v)communicating any personal data breaches within the CPMS to the healthcare providers; 

(vi)exporting personal data sets from the CPMS in the event of a change of personal data processor;

(vii)identifying the categories of staff and other individuals affiliated to the healthcare providers to whom access to the CPMS may be granted;

(viii)ensuring that patients' personal data entered in the system are pseudonymised and encrypted;

(ix)ensuring the security and confidentiality of patients’ personal data processed through the CPMS.

2.Each healthcare provider shall be responsible for:

(i)selecting the patients whose personal data are processed through the CPMS;

(ii)collecting and maintaining an express, informed, freely-given and specific consent of the patients whose data are processed through the CPMS in compliance with the mandatory minimum requirements for the consent form specified in Annex IV;

(iii)acting as the contact point for patients, including when they exercise their rights, responding to the requests of patients or their representatives and ensuring that patients whose data are processed through the CPMS are enabled to exercise their rights in compliance with data protection legislation;

(iv)reviewing, at least every fifteen years, the necessity of storing specific patient’s personal data in the CPMS;

(v)ensuring the security and confidentiality of any processing of patients’ personal data by the healthcare provider outside the CPMS, where such data is processed for the purposes of or in connection to processing patients’ personal data through the CPMS;

(vi)communicating any personal data breaches with regard to patient data processed through the CPMS to the competent supervisory authorities and, where so required, to patients, in accordance with Articles 33 and 34 of Regulation (EU) No 2016/679 or if requested by the Commission;

(vii)identifying, in compliance with access criteria referred to in point 1)(vii) of this Annex, staff and other individuals affiliated to them, whom shall be granted access to patients' personal data within the CPMS and communicating it to the Commission;

(viii)ensuring that their staff and other individuals affiliated to them, who have access to patients' personal data within the CPMS, are adequately trained to ensure that they perform their tasks in compliance with the rules applicable to the protection of personal data, and are subject to the obligation of professional secrecy in accordance with Article 9 (3) of the Regulation (EU) No 2016/679.

ANNEX II

ANNEX IV

MANDATORY MINIMUM REQUIREMENTS FOR THE CONSENT FORM

1.The consent form shall describe the legal basis and lawfulness of processing, concept and purpose of the European Reference Networks established by Directive 2011/24/EU on the application of patients' rights in cross-border healthcare. It shall inform about the specific processing operations and the respective rights of the data subject in accordance with applicable data protection legislation. It shall explain that Networks are constituted of Members that are highly specialised healthcare providers, with the purpose to allow healthcare professionals to work together to support patients with rare or low prevalence complex diseases or conditions that need highly specialised healthcare.

2.The consent form shall request the patient’s explicit consent for sharing their personal data with one or more Networks, with the sole purpose to improve their access to diagnosis and treatment and the provision of high-quality healthcare. To that end, it shall explain that:

(a)if the consent is given, the patients’ personal data will be processed respecting the following conditions:

(i)The name and address will not be included in the shared data; the patient’s identifying data will be replaced by a unique identifier which will not allow identification of the patient to anyone else other than the healthcare provider (pseudonymisation).

(ii)Only data that are relevant for the purpose of diagnosis and treatment will be shared; this may include medical images, laboratory reports, as well as biological sample data. It may also include letters and reports from other healthcare professionals who have cared for the patient in the past. 

(iii)Patient's data will be shared through the Clinical Patient Management System (CPMS), a secure electronic information system.

(iv)Only healthcare professionals and other individuals affiliated to the healthcare providers subject to the obligation of professional secrecy who are entitled to have access to patients’ data in the Networks will have access to the patient’s data.

(v)Healthcare professionals and other individuals affiliated to the healthcare providers who are entitled to have access to patients’ data may run queries in the CPMS and create reports in order to identify similar patient cases.

(b)if the consent is not given, it will by no means affect the patient’s care by the respective healthcare provider .

3.The consent form shall request the patient’s consent to their data being entered in rare diseases registries or databases. It shall describe the concept and purpose of rare disease registries or databases and explain that:

(a)if the consent is given, patient’s personal data will be processed respecting the following conditions:

(i)Only relevant data related to the patient’s medical condition will be shared.

(ii)Healthcare professionals and other individuals affiliated to the healthcare providers who are entitled to have access to patients’ data may run queries and create reports in order to identify similar patient cases.

(b)if the consent is not given, it will by no means affect either the patient’s care by the respective healthcare provider, or the fact that the Network will provide advice on diagnoses and treatment, at the request of the patient.

4.The consent form shall request the patient’s consent to being contacted by a Network Member who believes the patient could be suitable for a research initiative, specific scientific research project or parts of a research project. It shall explain that giving at this stage the consent to be contacted for research purposes does not mean giving the consent for the patient’s data to be used for a specific scientific research initiative, neither does it mean that the patient will in any event be contacted in connection with, or the patient will be part of, a specific research project and that:

(a)if the consent is given, the patient’s personal data will be processed respecting the following conditions:

(i)Healthcare professionals and other individuals affiliated to the healthcare providers who are entitled to have access to patients’ data may run queries and create reports in order to find patients suitable for scientific research.

(ii)If the patient’s disease or condition is found relevant for a specific research project, the patient may be contacted for this specific research project, in order to obtain the patient’s consent to their data being used for that research project.

(b)if the consent is not given, it will by no means affect either the patient’s care by the respective healthcare provider, or the fact that the Network will provide advice on diagnoses and treatment, at the request of the patient.

5.The consent form shall explain the rights of the patient as regards their consent to share personal data and in particular provide the information that the patient:

(a)has the right to give or withhold any of the consents and this will not affect their care;

(b)can withdraw the consent given previously at any time;

(c)has the right to know which data are shared in a Network and to access data held about them and request corrections of any errors;

(d)can request the blocking or erasure of their personal data.

6.The consent form shall inform the patient that the healthcare provider will keep the personal data only for as long as necessary for the purposes to which the patient consented, with a review of the necessity of storing specific patient’s personal data in the CPMS at least every fifteen years.

7.The consent form shall inform the patient about the identity and the contact details of the controllers, clearly specifying that the contact point to exercise their rights is the healthcare provider, about the contact details of the data protection officers, and where applicable, about available remedies related to data protection, and provide the contact details of the National Data Protection Authority.

8.The consent form shall record the consent for each of the three different forms of data sharing in a specific, explicit and unambiguous way:

(a)the consent must be shown through a clear affirmative action, for example by the use of a ticking box and a signature on the form;

(b)both options (to provide or to refuse the consent) shall be included.

(1)    Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

(2)    Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission and Commission Decision of 13.12.2017 laying down implementing rules for Articles 3, 5, 7, 8, 9, 10, 11, 12, 14, 15 of Decision 2017/46 on the security of communication and information systems in the Commission.