Implementing Decision (EU) 2019/1765 is amended as follows:
(1)
in Article 2(1), the following points (g), (h), (i), (j), (k), (l), (m), (n) and (o) are inserted:
‘(g)
“application user” means a person in possession of a smart device who has downloaded and runs an approved contact tracing and warning mobile application;
(h)
“contact tracing” means measures implemented in order to trace persons who have been exposed to a source of a serious cross-border threat to health within the meaning of Article 3(c) of Decision No 1082/2013/EU of the European Parliament and of the Council ( *1 ) ;
(i)
“national contact tracing and warning mobile application” means a software application approved at national level running on smart devices, in particular smartphones, designed usually for wide-ranging and targeted interaction with web resources, which processes proximity data and other contextual information collected by many sensors found in the smart devices for the purpose of tracing contacts with persons infected with SARS-CoV-2 and alerting persons who may have been exposed to SARS-CoV-2. These mobile applications are able to detect the presence of other devices using Bluetooth and exchange information with backend servers by using the internet;
(j)
“federation gateway” means a network gateway operated by the Commission through a secure IT tool that receives, stores and makes available a minimum set of personal data between Member States’ backend servers for the purpose of ensuring the interoperability of national contact tracing and warning mobile applications;
(k)
“key” means a unique ephemeral identifier related to an application user reporting to have been infected with SARS-CoV-2, or who may have been exposed to SARS-CoV-2;
(l)
“verification of infection” means the method applied for confirming an infection with SARS-CoV-2, namely whether this was self-reported by the application user or resulted from confirmation from a national health authority or a laboratory test;
(m)
“countries of interest” means the Member State, or Member States, where an application user has been in the 14 days prior to the date of upload of the keys and where he has downloaded the approved national contact tracing and warning mobile application and/or has travelled;
(n)
“country of origin of the keys” means the Member State where the backend server that uploaded the keys to the federation gateway is located;
(o)
“log data” means an automatic record of an activity in relation to the exchange of, and access to, data processed through the federation gateway, that show in particular the type of processing activity, the date and time of the processing activity, and the identifier of the person processing the data.
( *1 ) Decision No 1082/2013/EU of the European Parliament and of the Council of 22 October 2013 on serious cross-border threats to health and repealing Decision No 2119/98/EC ( OJ L 293, 5.11.2013, p. 1 ).’;"
(2)
in Article 4(1), the following point (h) is inserted:
‘(h)
provide guidance to the Member States on the cross-border exchange of personal data through the federation gateway between national contact tracing and warning mobile applications.’;
(3)
in Article 6(1), the following points (f) and (g) are inserted:
‘(f)
develop, implement and maintain appropriate technical and organisational measures related to the security of transmission and hosting of personal data in the federation gateway for the purpose of ensuring the interoperability of national contact tracing and warning mobile applications;
(g)
support the eHealth Network in agreeing on the technical and organisational compliance of the national authorities with the requirements for the cross-border exchange of personal data in the federation gateway by providing and carrying out the necessary tests and audits. Experts from the Member States may assist the Commission auditors.’;
(4)
Article 7 is amended as follows:
(a)
the title is replaced by ‘Protection of personal data processed through the eHealth Digital Service Infrastructure’;
(b)
in paragraph 2 ‘Annex’ is replaced by ‘Annex I’;
(5)
the following Article 7a is inserted:
‘Article 7a
Cross-border exchange of data between national contact tracing and warning mobile applications through the federation gateway
1. Where personal data is exchanged through the federation gateway, the processing shall be limited to the purposes of facilitating the interoperability of national contact tracing and warning mobile applications within the federation gateway and the continuity of contact tracing in a cross-border context.
2. The personal data referred to in paragraph 3 shall be transmitted to the federation gateway in a pseudonymised format.
3. The pseudonymised personal data exchanged through and processed in the federation gateway shall only comprise the following information:
(a)
the keys transmitted by the national contact tracing and warning mobile applications up to 14 days prior to the date of upload of the keys;
(b)
log data associated to the keys in line with the technical specifications protocol used in the country of origin of the keys;
(c)
the verification of infection;
(d)
the countries of interest and the country of origin of the keys.
4. The designated national authorities or official bodies processing personal data in the federation gateway shall be joint controllers of the data processed in the federation gateway. The respective responsibilities of the joint controllers shall be allocated in accordance with Annex II. Each Member State wishing to participate in the cross-border exchange of data between national contact tracing and warning mobile applications shall notify the Commission, prior to joining, of its intention and indicate the national authority or official body that has been designated as the responsible controller.
5. The Commission shall be the processor of personal data processed within the federation gateway. In its capacity as processor, the Commission shall ensure the security of processing, including the transmission and hosting, of personal data within the federation gateway and shall comply with the obligations of a processor laid down in Annex III.
6. The effectiveness of the technical and organisational measures for ensuring the security of processing of personal data within the federation gateway shall be regularly tested, assessed and evaluated by the Commission and by the national authorities authorised to access the federation gateway.
7. Without prejudice to the decision of the joint controllers to terminate the processing in the federation gateway, the operation of the federation gateway shall be deactivated at the latest 14 days after all the connected national contact tracing and warning mobile applications cease to transmit keys through the federation gateway.’;
(6)
the Annex becomes Annex I;
(7)
Annexes II and III are added, the text of which is set out in the Annex to this Decision.