ANNEX
JOINT CONTROLLERSHIP OF THE SAFETY GATE RAPID ALERT SYSTEM
1. SUBJECT MATTER AND DESCRIPTION OF THE PROCESSING
The Safety Gate Rapid Alert System is a notification system operated by the Commission intended for the rapid exchange of information between national authorities of Member States, the three European Economic Area/European Free Trade Association (EEA/EFTA) states (Iceland, Liechtenstein and Norway) and the Commission on measures taken against dangerous products found on the Union and/or EEA/EFTA market.
The purpose of the Safety Gate Rapid Alert System is to allow the rapid exchange of information on corrective measures taken across the Union in relation to products that present a risk.
The information exchange concerns corrective measures taken in relation to dangerous consumer and professional products falling in the scope of Regulations (EU) 2023/988 or (EU) 2019/1020.
The Safety Gate Rapid Alert System covers both measures ordered by national authorities and measures taken voluntarily by economic operators.
2. SCOPE OF THE JOINT CONTROLLERSHIP
The Commission and national authorities shall act as joint controllers (‘Joint Controllers’) for processing data in the Safety Gate Rapid Alert System. ‘National authorities’ refers to all authorities acting on product safety in the Member States and/or the EFTA/EEA countries and participating in the EU network of Safety Gate contact points, including market surveillance authorities responsible for monitoring the compliance of products with safety requirements and authorities in charge of external border controls.
For the purposes of Article 26 of Regulation (EU) 2016/679 and Article 28 of Regulation (EU) 2018/1725, the following processing activities shall fall under the responsibility of the Commission as a Joint Controller of personal data:
(1)
The processing by the Commission of information regarding measures taken against products posing serious risks, imported into or exported from the Union and the European Economic Area, in order to transmit it to the single national contact points of the Safety Gate Rapid Alert System (‘Safety Gate contact points’);
(2)
The processing by the Commission of information received from third countries, international organisations, businesses or other rapid alert systems about products of EU and non-EU origin posing a risk to the health and safety of consumers, in order to transmit such information to the national authorities.
When carrying out these activities, the Commission shall ensure compliance with the applicable obligations and conditions of Regulation (EU) 2018/1725.
The following processing activities shall fall under the responsibility of the national authorities, as Joint Controllers of personal data:
(1)
The processing by national authorities of information pursuant to Article 26 of Regulation (EU) 2023/988 on general product safety and Article 20 of Regulation (EU) 2019/1020 in order to notify such information to the Commission and other Member States and EFTA/EEA countries;
(2)
The processing by national authorities of information subsequent to their follow-up activities in relation to the Safety Gate Rapid Alert System notifications in order to notify such information to the Commission and other Member States and EFTA/EEA countries.
When carrying out these activities, the national authorities shall ensure compliance with the applicable obligations and conditions of Regulation (EU) 2016/679.
3. RESPONSIBILITIES, ROLES AND RELATIONSHIP OF THE JOINT CONTROLLERS TOWARDS DATA SUBJECTS
3.1. Categories of data subjects and personal data
The Joint Controllers shall jointly process the following categories of personal data:
(a)
Contact details of the Safety Gate Rapid Alert System users:
The following data may be processed:
—
name of the Safety Gate Rapid Alert System users;
—
surname of the Safety Gate Rapid Alert System users;
—
email address of the Safety Gate Rapid Alert System users;
—
country of the Safety Gate Rapid Alert System users;
—
preferred language of the Safety Gate Rapid Alert System users;
(b)
Contact details of the authors and validators of notifications and reactions submitted through the Safety Gate Rapid Alert System:
These authors and validators include:
—
Safety Gate contact points and inspectors from the market surveillance authorities of Member States and EFTA/EEA countries or from the national authorities in charge of external border controls, who are involved in the notification procedure;
—
Commission staff including officials, temporary agents, contract agents, trainees and external service providers.
The following data may be processed:
—
name of the authors and validators of notifications and reactions submitted through the Safety Gate Rapid Alert System;
—
surname of the authors and validators of notifications and reactions submitted through the Safety Gate Rapid Alert System;
—
name of the authority authoring or validating notifications and reactions submitted through the Safety Gate Rapid Alert System;
—
address of the authority authoring or validating notifications and reactions submitted through the Safety Gate Rapid Alert System;
—
email address of the authors and validators of notifications and reactions submitted through the Safety Gate Rapid Alert System;
—
phone number of the authors and validators of notifications and reactions submitted through the Safety Gate Rapid Alert System;
(c)
In addition, two types of personal data can incidentally be included in the Safety Gate Rapid Alert System:
(i)
When necessary to trace dangerous products, as defined in Article 3(3) of Regulation (EU) 2023/988, contact details of economic operators might contain personal data that will be included in the Safety Gate Rapid Alert System. Such data are inserted in the Safety Gate Rapid Alert System by national authorities only, based on the information collected during their investigation. The following data may be processed:
—
name of economic operators;
—
address of economic operators;
—
city of economic operators;
—
country of economic operators;
—
contact information of economic operators ( 1 ) ;
—
contact address of economic operators;
(ii)
When they have been incidentally included in other documents such as test reports, names of persons who have performed the tests on dangerous products and/or authenticated the test reports.
3.2. Provision of information to data subjects
The Commission shall provide the information referred to in Articles 15 and 16 and any communication under Articles 17 to 24 and 35 of Regulation (EU) 2018/1725 in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The Commission shall also take appropriate measures to assist national authorities in providing any information referred to in Articles 13 and 14 and any communication under Articles 19 to 26 and 37 of Regulation (EU) 2016/679 in a concise, transparent, intelligible and easily accessible form, using clear and plain language concerning the following data:
—
data related to Safety Gate Rapid Alert System users;
—
data related to the authors and validators of notifications and reactions.
Safety Gate Rapid Alert System users shall be informed about their rights through the Privacy Statement available in the Safety Gate Rapid Alert System.
National authorities shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 19 to 26 and 37 of Regulation (EU) 2016/679 in a concise, transparent, intelligible and easily accessible form, using clear and plain language concerning the following data:
—
information on legal persons identifying a natural person;
—
names and other data of persons who have performed the tests on dangerous products and/or authenticated the test reports.
The information shall be provided in writing, including electronically.
National authorities shall use the model for a privacy statement provided by the Commission when complying with their obligations concerning data subjects.
3.3. Handling of data subjects’ requests
The data subjects may exercise their rights under Regulation (EU) 2018/1725 and Regulation (EU) 2016/679, respectively against the Commission or against national authorities acting as Joint Controllers.
The Joint Controllers shall handle the requests of data subjects in accordance with the procedure established by the Joint Controllers for this purpose. The detailed procedure for the exercise of data subjects’ rights is explained in the privacy statement.
The Joint Controllers shall cooperate and, when so requested, provide each other with swift and efficient assistance in handling any data subject requests.
Should one Joint Controller receive a data subject request, which does not fall under its responsibility, that Joint Controller shall forward the request promptly, and at the latest within seven calendar days of its receipt, to the Joint Controller actually responsible for that request. The responsible Joint Controller shall send an acknowledgment of receipt to the data subject within three calendar days after reception of the forwarded request, while at the same time informing thereof the Joint Controller, which received the request in the first place.
In response to a data subject request for access to personal data, no Joint Controller shall disclose or otherwise make available any personal data processed jointly without first consulting the other Joint Controller.
4. OTHER RESPONSIBILITIES AND ROLES OF JOINT CONTROLLERS
4.1. Security of processing
Each Joint Controller shall implement appropriate technical and organisational measures to:
(a)
ensure and protect the security, integrity and confidentiality of the personal data jointly processed, in line with Commission Decision (EU, Euratom) 2017/46 ( 2 ) and the relevant legal act of the EU Member State or EFTA/EEA country, respectively;
(b)
protect against any unauthorised or unlawful processing, loss, use, disclosure or acquisition of or access to any personal data in its possession;
(c)
not disclose or allow access to the personal data to anyone other than the beforehand agreed recipients or processors.
Each Joint Controller shall implement appropriate technical and organisational measures to ensure the security of processing pursuant to Article 33 of Regulation (EU) 2018/1725 and Article 32 of Regulation (EU) 2016/679, respectively.
The Joint Controllers shall provide a swift and efficient assistance to each other in case of security incidents, including personal data breaches.
4.2. Management of security incidents, including personal data breaches
The Joint Controllers shall handle security incidents, including personal data breaches, in accordance with their internal procedures and applicable legislation.
The Joint Controllers shall in particular provide each other with swift and efficient assistance as required to facilitate the identification and handling of any security incidents, including personal data breaches, linked to the joint processing operation.
The Joint Controllers shall notify each other of the following:
(a)
any potential or actual risks to the availability, confidentiality and/or integrity of the personal data undergoing joint processing;
(b)
any security incidents that are linked to the joint processing operation;
(c)
any personal data breach (i.e. any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data undergoing joint processing), the likely consequences of the personal data breach, the assessment of the risk to the rights and freedoms of natural persons, and any measures taken to address the personal data breach and mitigate the risk to the rights and freedoms of natural persons;
(d)
any breach of the technical and/or organisational safeguards of the joint processing operation.
Each Joint Controller shall be responsible for handling all security incidents, including personal data breaches, that occur as a result of an infringement of that Joint Controller’s obligations under this Implementing Regulation, Regulation (EU) 2018/1725 and Regulation (EU) 2016/679, respectively.
The Joint Controllers shall document security incidents (including personal data breaches) and notify each other without undue delay and at the latest within 48 hours after becoming aware of a security incident (including a personal data breach).
The Joint Controller responsible for a personal data breach shall document that personal data breach and notify it to the European Data Protection Supervisor or the competent national supervisory authority. It shall do so without undue delay and, where feasible, no later than 72 hours after having become aware of the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The Joint Controller responsible shall inform the other Joint Controller of such notification.
The Joint Controller responsible for the personal data breach shall communicate that personal data breach to the data subjects concerned if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. The Joint Controller responsible shall inform the other Joint Controller of such communication.
4.3. Localisation of personal data
Personal data collected for the purpose of the notification process through the Safety Gate Rapid Alert System shall be stored and collected in the Safety Gate Rapid Alert System to ensure that the access to the application is limited only to clearly identified persons and thus that data stored in the application are well protected.
Personal data collected for the purpose of the processing operation shall only be processed within the territory of the EU/EEA and shall not leave that territory, unless they are in compliance with Articles 45, 46 or 49 of Regulation (EU) 2016/679 or with Articles 47, 48 or 50 of Regulation (EU) 2018/1725.
According to Article 40 of Regulation (EU) 2023/988, the Commission may provide third countries or international organisations with selected information from the Safety Gate Rapid Alert System and receive relevant information on the safety of products and on preventive, restrictive and corrective measures taken by those third countries or international organisations. Any information exchange under Article 40 of Regulation (EU) 2023/988 shall, to the extent it involves personal data, be carried out in accordance with Union data protection rules.
4.4. Recipients of personal data
Access to personal data shall only be granted to authorised staff and contractors of the Commission and national authorities for the purposes of administering and operating the Safety Gate Rapid Alert System. This access shall be subject to identity and password requirements as follows:
—
The Safety Gate Rapid Alert System shall only be open to the Commission and to users specifically appointed by the EU Member State’s authorities and by authorities from the EFTA/EEA countries as well as from the UK with regard to users from Northern Ireland;
—
Access to the collected personal data on the Safety Gate Rapid Alert System shall only be granted to the nominated and authorised users of the application who have a User Id/Password. Access to the application and granting of a password shall be possible only if this is requested by the competent national authority under the general supervision of the Commission’s Safety Gate Team;
—
Access to the collected personal data shall be provided to the Commission staff responsible for carrying out this processing operation and to authorised persons according to the ‘need to know’ principle. Such staff shall abide by statutory, and, when required, additional confidentiality agreements.
The persons who shall have access to the collected personal data are:
(a)
staff and contractors of the Commission;
(b)
identified contact points and inspectors from the market surveillance authorities of EU Member States and EFTA/EEA countries as well as UK authorities in respect of Northern Ireland users;
(c)
identified inspectors from the authorities in charge of external border controls of EU Member States and EFTA/EEA countries.
The persons who shall have access to all collected personal data and who shall have the possibility to modify them upon request are:
(a)
members of the Commission’s Safety Gate Team;
(b)
members of the Commission’s Safety Gate Helpdesk.
A list of all Safety Gate contact points, containing their contact details (surname, name, name of authority, address of authority, phone, email) shall be available on the Safety Gate Portal ( 3 ) . User management at national level shall be controlled by the Safety Gate contact points through the Safety Gate Rapid Alert System.
All users shall have access to the content of notifications with an ‘EC validated’ status. Only national Safety Gate Rapid Alert System users shall have access to the draft of their notifications (before submission to EC). Commission staff and authorised persons shall have access to notifications with an ‘EC submitted’ status.
Each Joint Controller shall inform all other Joint Controllers about any transfer of personal data to the recipients in third countries or international organisations.
5. SPECIFIC RESPONSIBILITIES OF JOINT CONTROLLERS
The Commission shall ensure and be responsible for:
(a)
deciding on the means, requirements and purposes of processing;
(b)
recording of the processing operation;
(c)
facilitating the exercise of the rights of data subjects;
(d)
handling of data subjects’ requests;
(e)
deciding to restrict the application of or derogate from data subject rights, where necessary and proportionate;
(f)
ensuring privacy by design and privacy by default;
(g)
identifying and assessing the lawfulness, necessity and proportionality of transmissions and transfers of personal data;
(h)
carrying out a prior consultation with the European Data Protection Supervisor, where needed;
(i)
ensuring that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(j)
cooperating with the European Data Protection Supervisor, on request, in the performance of their tasks.
The national authorities shall ensure and be responsible for:
(a)
recording of the processing operation;
(b)
ensuring that the personal data undergoing processing are adequate, accurate, relevant and limited to what is necessary for the purpose;
(c)
ensuring a transparent information and communication to data subjects of their rights;
(d)
facilitating the exercise of the rights of data subjects;
(e)
using only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing meets the requirements of Regulation (EU) 2016/679 and ensures the protection of the rights of the data subject;
(f)
governing the processor’s processing by a contract or legal act under Union or Member State law in accordance with Article 28 of Regulation (EU) 2016/679;
(g)
carrying out a prior consultation with the national supervisory authority, where needed;
(h)
ensuring that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(i)
cooperating with the national supervisory authority on request, in the performance of their tasks.
6. DURATION OF PROCESSING
Joint Controllers shall not retain or process personal data longer than necessary to carry out the agreed purposes and obligations as set out in this Regulation, i.e. for the time necessary to fulfil the purpose of collection or further processing. In particular:
(a)
Contact details of the users of the Safety Gate Rapid Alert System shall be kept in the system as long as they are users. Contact details shall be deleted from the Safety Gate Rapid Alert System immediately after the receipt of information that a certain person is no longer a user of the system;
(b)
Contact details of the inspectors from the market surveillance authorities of Member States and EFTA/EEA countries, as well as from the inspectors from the authorities in charge of external border controls, provided in notifications and reactions shall be kept in the system for a period of five years after the validation of the notification or reaction;
(c)
Personal data of other natural persons possibly included in the system shall be kept in a form that permits identification for 30 years from the moment of the insertion of the information in the Safety Gate Rapid Alert System, which corresponds to the estimated maximum lifecycle of categories of products such as electrical appliances or motor vehicles.
Legitimate requests from data subjects to have their data blocked, adjusted or erased shall be complied with by the Commission within one month from receipt of the request.
7. LIABILITY FOR NON-COMPLIANCE
The Commission shall be liable for non-compliance in accordance with Chapter VIII of Regulation (EU) 2018/1725.
The EU Member States’ authorities shall be liable for non-compliance in accordance with Chapter VIII of Regulation (EU) 2016/679.
8. COOPERATION BETWEEN JOINT CONTROLLERS
Each Joint Controller, when so requested, shall provide a swift and efficient assistance to the other Joint Controllers in execution of this Regulation, while complying with all applicable requirements of Regulations (EU) 2018/1725 and (EU) 2016/679, respectively, and other applicable data protection rules.
9. SETTLEMENT OF DISPUTES
The Joint Controllers shall endeavour to settle amicably any dispute arising out or relating to the interpretation or application of this Regulation.
If at any time a question, dispute or difference arises between the Joint Controllers, in relation to or in connection with this Regulation, the Joint Controllers shall use every endeavour to resolve it by a process of consultation.
The preference is that all disputes are settled at the operational level as they arise, and that they are settled by the contact points referred to in point 10 of this Annex and listed on the Safety Gate Portal.
The purpose of the consultation shall be to review and agree so far as it is practicable the action taken to solve the problem. The Joint Controllers shall negotiate with each other in good faith to that end. Each Joint Controller shall respond to a request for amicable settlement within seven working days following the reception of such request. The period to reach an amicable settlement shall be 30 working days from the date of reception of the request.
If the dispute cannot be settled amicably, each Joint Controller may refer to mediation or/and judicial proceedings in the following manner:
(a)
in case of mediation, the Joint Controllers shall jointly appoint a mediator acceptable by each of them, who will be responsible for facilitating the resolution of the dispute within two months from the referral of the dispute to him/her;
(b)
in case of judicial proceedings, the matter shall be referred to the Court of Justice of the European Union in accordance with Article 272 of the Treaty on the Functioning of the European Union.
10. CONTACT POINTS FOR COOPERATION BETWEEN THE JOINT CONTROLLERS
Each Joint Controller nominates a single point of contact, who other Joint Controllers shall contact in case of queries, complaints and provision of information within the scope of this Regulation.
A detailed list of all contact points nominated by the Commission and the national authorities, containing their contact details (surname, name, name of authority, address of authority, phone, fax, email), shall be available on the Safety Gate Portal.
( 1 ) This field may refer to the physical person representing the manufacturers or authorised representatives. Member States are however asked to avoid entering any personal data and favour non-personal contact details like generic email addresses.
( 2 ) Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission ( OJ L 6, 11.1.2017, p. 40 , ELI: http://data.europa.eu/eli/dec/2017/46/oj ).
( 3 )
https://ec.europa.eu/safety-gate/#/screen/pages/contacts .