EUROPEAN COMMISSION
DIRECTORATE-GENERAL FOR HEALTH AND FOOD SAFETY
Public Health, Cancer and Health security
The Director (acting)
Joint Controllership ARRANGEMENT between the EWRS Member States competent authorities and the European Commission when processing Personal Data via EWRS Platform
European Commission's Directorate-General for Health and Food Safety (DG SANTE)
Rue Froissartstraat 101
1040 Brussels
Hereafter: DG SANTE.
And
The Early Warning and Response System (EWRS) competent Member States Health Authorities.
Hereafter: MS authorities.
Hereinafter jointly referred to as the “Parties” or “Joint Controllers” and individually as a “Party” and represented by DG SANTE for the signature of this Arrangement as per assignment of signatory power delegated to the European Commission.
Having regard to Regulation (EU) 2022/2371 of the European Parliament and of the Council on serious cross-border threats to health and repealing Decision No 1082/2013/EU (hereafter, Regulation (EU) 2022/2371);
Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council, of 23 October 2018, on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (hereafter, Regulation (EU) 2018/1725);
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereafter, Regulation (EU) 2016/679);
Whereas:
(1) Article 28 of Regulation (EU) 2018/1725 establishes that where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. By means of an arrangement between them, they shall in a transparent manner determine their respective responsibilities for compliance with their data protection obligations, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 15 and 16 of Regulation (EU) 2018/1725;
(2) Article 26 of Regulation (EU) 2016/679 establishes that where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. By means of an arrangement between them, they shall in a transparent manner determine their respective responsibilities for compliance with their data protection obligations, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14 of Regulation (EU) 2016/679;
HAVE AGREED AS FOLLOWS:
Article 1 – SCOPE OF THIS ARRANGEMENT
The DG SANTE and the [name of the MS authorities] act as joint controllers in relation to the processing of personal data for the provision of timely and effective alert notifications in relation to serious cross-border threats to health, and for information exchange, consultation and coordination of responses to such threats on the EWRS (hereafter, ‘Processing Activities’), and are hereafter collectively referred to as the ‘Joint Controllers’/‘Parties’.
This Joint Controllership Arrangement (hereafter, ‘Arrangement’) defines the respective roles, responsibilities, and practical arrangements to be established between the DG SANTE and the [name(s) of the MS authorities] as Joint Controllers pursuant to Article 28 of Regulation (EU) 2018/1725 and Article 26 of Regulation (EU) 2016/679, respectively. For the purpose of this Arrangement, the definitions set out in Article 3 of Regulation (EU) 2018/1725 and Article 4 of Regulation (EU) 2016/679, respectively, shall apply.
Article 2 – SUBJECT MATTER AND DESCRIPTION OF THE PROCESSING
Article 18 of Regulation (EU) 2022/2371 establishes that relevant information from the various information systems at Union level and under the Euratom Treaty is gathered and communicated to the Member States through the Early Warning and Response System (hereafter, EWRS) set up by Decision No 1082/2013/EU for the purposes of preparedness, early warning and response, alert notifications, assessing public health risks and determining the measures that may be required to protect public health.
In order to ensure maximum effectiveness of the EWRS, the DG SANTE and the MS authorities have established this Arrangement. Its purpose is to govern the processing of personal data, define their respective roles and responsibilities regarding the data they will access, and establish the conditions for onward data communication. This Arrangement outlines the rules and commitments that will be followed to achieve these objectives.
Article 3 – SCOPE OF THE JOINT CONTROLLERSHIP
The joint processing operation consists of the following processing activities:
• Carry out notification of health threats in the European Union/European Economic Area (EU/EEA) and facilitate the exchange/transmission of health-related alerts across the Member States and other stakeholders involved (e.g., WTO).
• Safely store contact tracing data to allow the identification of infected persons as well as of individuals potentially in danger (‘contact tracing data’) and their ad-hoc monitoring.
• Transfer of personal data, including data concerning health, of patients under medical evacuation procedure (MEDEVAC), using the EWRS selective exchange functionality, from EU/EEA countries to a third country and vice versa.
• Exchange data between EWRS and other EU level rapid Alert and Information systems (AIS) which will be progressively linked to the EWRS.
• Exchange of relevant information between Member States and third countries to ensure serious cross-border threats to health crisis management, including response measures, coordination of risk and crisis communication.
• Facilitate the development of simulation exercises and provide access to a repository of simulation exercises recommendations (through an optional module).
Article 4 – RESPONSIBILITIES, ROLES AND RELATIONSHIP OF THE JOINT CONTROLLERS TOWARDS DATA SUBJECTS
4.1 Provision of information to data subjects
A privacy statement is published on DG SANTE's webpage dedicated to the EWRS with regard, in particular, to the processing operations which fall under the Commission's responsibility.
However, responsibility with respect to the provision of information to data subjects is also incumbent on the MS authorities, for their respective processing operations within the EWRS.
4.2 Handling of data subjects’ requests
The Joint Controllers shall be responsible to reply to the following Data Subjects requests:
(i) provide confirmation to the Data Subject as to whether Personal Data concerning the Data Subject is being processed and, where this is the case, a copy of the data relating to him/her; if Personal Data has been or will be onward transferred, provide information on recipients or categories of recipients (as appropriate with a view to providing meaningful information) to which the Personal Data has been or will be onward transferred, the purpose of such onward transfers and provide information on the right to lodge a complaint with a Supervisory Authority;
(ii) rectify inaccurate or incomplete data concerning the Data Subject;
(iii) erase Personal Data concerning the Data Subject if such data is being or has been processed in violation of any of this Arrangement ensuring third-party beneficiary rights, or if the Data Subject withdraws the consent on which the processing is based;
(iv) if decisions are based solely on automated processing which would produce legal effects concerning the Data Subject, the Parties shall inform the Data Subject of the envisaged automated decision, the envisaged consequences and the logic involved, and implement suitable safeguards, at least by enabling the Data Subject to contest the decision, express his/her point of view and obtain review by a human being.
With regard to the EWRS users’ data, DG SANTE is responsible for receiving requests for modification/verification/deletion of the users’ personal data that are then uploaded in the EWRS by the EWRS administrator (from ECDC). More specifically, the data subjects (EWRS authorised users) can address any question concerning the processing of their personal data, or regarding their rights with respect to this processing, to Unit B2 "Health Security", European Commission's Directorate-General for Health and Food Safety (SANTE).
With regard to the data of infected or exposed individuals, the competent MS authorities are solely responsible for their processing. Therefore, for any questions arising from the processing of personal data by a MS competent authority in one or more EU or EEA countries, or related to the exercise of data subjects’ rights, data subjects should contact the authority concerned, which will direct them to the controller responsible for the processing in question. Specifically, if a person believes that his or her personal data are being processed within the EWRS, and would like to have access to them or have them deleted or rectified, he or she can address the request to any of the national competent authorities with which he or she had contact and/or which collected his or her data in relation to a specific event posing a public health risk (normally, the authority of the country of which the data subject is a citizen, or the authority of the country of stay of the person at the time of the event), as well as to any other authority involved in a given information exchange.
The data subjects may exercise their rights under Regulation (EU) 2018/1725 and Regulation (EU) 2016/679, respectively, in respect of and against each of the Parties. DG SANTE expressly agrees to provide, upon simple request, the necessary and reasonably required assistance to enable the other Parties to comply with Data Subjects’ requests under the EUDPR within the time limits imposed. The Parties expressly agree to provide the necessary and reasonably required assistance to enable each other to comply with Data Subjects’ requests under the GDPR. In addition, the Parties agree to provide each other with the information necessary to defend their own interests, or those of their Employees, in any form of (judicial or arbitration) proceedings brought against them for the violation of the fundamental rights to privacy and the protection of Personal Data of the Data Subjects.
The Parties shall handle the requests of data subjects in accordance with the procedure for handling requests for the exercise of rights in the protection of personal data established for this purpose. Also, the Parties shall cooperate and, when so requested, provide each other with swift and efficient assistance in handling any data subject requests.
In the event that one Party receives a data subject request which does not fall under its responsibility, that Party shall forward the request promptly, and at the latest within three calendar days of its receipt, to the Party responsible for that request. The Party responsible shall send an acknowledgment of receipt to the data subject within a further three calendar days, while at the same time informing the Party which received the request in the first place.
Any request of the data subject shall be replied to without undue delay and at the latest within one month. That period may be extended pursuant to Article 14(3) of Regulation (EU) 2018/1725 and Article 12(3) of Regulation (EU) 2016/679, respectively. In the exceptional event that additional time is required in order to handle the request, the data subject shall receive a holding reply from the Party in charge of the request, provided the Party raises duly justified reasons for said holding reply.
In response to a data subject request for access to personal data, no Party shall disclose or otherwise make available any personal data processed jointly without first consulting the other relevant Parties.
Article 5 – OTHER RESPONSIBILITIES AND ROLES OF JOINT CONTROLLERS
5.1 Security of processing
Each Party shall implement appropriate technical and organisational measures, designed to:
i. Ensure and protect the security, integrity and confidentiality of the personal data jointly processed.
ii. Protect against any unauthorised or unlawful processing, loss, use, disclosure or acquisition of or access to any personal data in its possession.
iii. Not disclose or allow access to the personal data to anyone other than the beforehand agreed recipients or processors.
Each Party shall implement appropriate technical and organisational measures to ensure the security of processing pursuant to Article 33 of Regulation (EU) 2018/1725 and Article 32 of Regulation (EU) 2016/679, respectively.
The Parties shall provide a swift and efficient assistance to each other in case of security incidents, including personal data breaches.
5.2 Management of security incidents, including personal data breaches
The Parties shall handle security incidents, including personal data breaches, in accordance with their internal procedures and applicable legislation.
Moreover, the Parties shall in particular provide each other with efficient assistance in a timely manner and as required to facilitate the identification and handling of any security incidents, including but not limited to personal data breaches, linked to the joint processing operation.
The Parties shall notify each other of the following:
a) any risks to the availability, confidentiality and/or integrity of the personal data undergoing joint processing;
b) any security incidents that are linked to the joint processing operation;
c) any personal data breach (i.e. any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data undergoing joint processing), the likely consequences of the personal data breach, the assessment of the risk to the rights and freedoms of natural persons, and any measures taken to address the personal data breach and mitigate the risk to the rights and freedoms of natural persons;
d) any breach of the technical and/or organisational safeguards of the joint processing operation.
Each and every Party is responsible for the security incidents, which occur as a result of an infringement of that Party’s obligations under this Arrangement and Regulation (EU) 2018/1725 and Regulation (EU) 2016/679, respectively. These incidents include inter alia personal data breaches.
The Parties, in accordance with the Personal Data Security Breach Management Protocol, shall prepare documentation and specific reports of security incidents (including personal data breaches), which shall include, amongst others, security threats, observations and measures put in place (if any), and shall notify each other without undue delay and at the latest within 48 hours after becoming aware of a security incident (including a personal data breach).
The Party, responsible for a personal data breach, shall duly document that personal data breach and notify it to the European Data Protection Supervisor and to the competent national supervisory authority. This notification shall be carried out without undue delay and, where feasible, not later than 72 hours after having become aware of the personal data breach, with the exception of personal data breaches which for justified reasons are unlikely to result in a risk to the rights and freedoms of natural persons. The Party responsible shall inform the other Parties of such notification.
The Party, responsible for the personal data breach, shall communicate that personal data breach to the data subjects concerned if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. The Party responsible shall inform the other Parties of such communication.
5.3 Localisation of personal data
Personal data, collected for the purpose of the processing operation, shall only be processed within the territory of the EU/EEA and should not leave that territory, except in the cases described in the following paragraph.
Personal data can leave the territory of EU/EEA countries if processed for the purposes of MEDEVAC repatriation. Such transfer must comply with Chapter V of Regulation (EU) 2016/679.
5.4 Recipients
Access to personal data undergoing joint processing shall be strictly limited and only allowed to DG SANTE and MS authorities’ authorised staff, for the purposes of administering and operating the EWRS system insofar as necessary to facilitate the processing operation. This access shall be subject to username and password requirements.
5.5 Specific responsibilities of Joint Controllers:
The DG SANTE shall ensure and is responsible for:
• Recording of the processing operation;
• Ensuring that the personal data undergoing processing are adequate, accurate, relevant and limited to what is necessary for the purpose;
• Ensuring a transparent information and communication to data subjects of their rights;
• Facilitating the exercise of the rights of data subjects;
• Deciding to restrict the application of or derogate from data subject rights, where necessary and proportionate;
• Ensuring privacy by design and privacy by default;
• Using only processors that meet the requirements of Regulation (EU) 2018/1725 and Regulation (EU) 2016/679, respectively, and to govern the processor’s processing by a contract or legal act;
• Identifying and assessing the lawfulness, necessity and proportionality of transmissions and transfers of personal data;
• Establishing and keeping up to date the list of all recipients of personal data (in the EU Member States, third countries and international organisations);
• Carrying out a data protection impact assessment, where necessary;
• Carrying out a prior consultation with the European Data Protection Supervisor, where needed;
• Ensuring that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• Cooperating with the European Data Protection Supervisor, on request, in the performance of his or her tasks;
• Set-up, operation and maintenance of EWRS as a system;
• Procurement of the IT infrastructure supporting the system and of the electronic communications/transmission IT network capacity;
• Central storage of the personal data involved and transmitted through the selective messaging channel (contact tracing & data concerning health);
• Coordination & management of access & related usage rights for the end-users designated by DG SANTE, Member States and other entities which currently have (or may in the future have) access to the system for a certain usage;
• Assessing and implementing the requirements prescribed in Chapter V of Regulation (EU) 2018/1725 and Regulation (EU) 2016/679 when a transfer of personal data to a third country or an international organisation is intended to take place, including the conclusion of administrative arrangements with public authorities or bodies of third countries on behalf of the Joint Controllers as provided by Article 46(3)(b) of Regulation (EU) 2016/679 and Article 48(3)(b) of Regulation (EU) 2018/1725.
The MS authorities shall ensure and are responsible for:
• Recording of the processing operation;
• Ensuring that the personal data undergoing processing are adequate, accurate, relevant and limited to what is necessary for the purpose;
• Ensuring a transparent information and communication to data subjects of their rights;
• Facilitating the exercise of the rights of data subjects;
• Handling of data subjects’ requests;
• Deciding to restrict the application of or derogate from data subject rights, where necessary and proportionate;
• Identifying and assessing the lawfulness, necessity and proportionality of transmissions and transfers of personal data;
• Carrying out a data protection impact assessment, where necessary;
• Ensuring that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• Cooperating with the European Data Protection Supervisor and/or national supervisory authority, respectively, on request, in the performance of his or her tasks;
• Uploading personal data relating to contact tracing or data concerning health for the MEDEVAC purposes on the selective messaging channel of the system;
• Rectifying, changing, updating and ensuring quality of the contact tracing data and related data concerning health on the selective messaging channel;
• Communicating to DG SANTE (and/or its (sub) processors) personal data of their designated respective users for access and usage of the system.
Article 6 – LIABILITY FOR NON-COMPLIANCE
The DG SANTE and MS authorities shall be liable for non-compliance in line with Chapter VIII of Regulation (EU) 2018/1725 and with Chapter VIII of Regulation (EU) 2016/679.
Article 7 – COOPERATION BETWEEN THE PARTIES OF THE ARRANGEMENT
Each Party, when so requested, shall provide a swift and efficient assistance to the other Parties in execution of this Arrangement, while complying with all applicable requirements of Regulation (EU) 2018/1725 and Regulation (EU) 2016/679, respectively, and other applicable data protection rules.
Article 8 – SETTLEMENT OF DISPUTES
This Arrangement is governed by the Belgian law.
The Parties shall endeavour to settle amicably any dispute arising out of or relating to the interpretation or application of this Arrangement.
If at any time a question, dispute or difference arises between the Parties, in relation to or in connection with this Arrangement, the Parties will use all means necessary to resolve it through a process of consultation.
Article 9 – AMENDMENTS
At any time, the Parties may, by mutual consent, amend or supplement this Arrangement. Any such amendment or supplement shall be made in writing.
A Party that no longer wishes to carry out the processing operation as a Joint Controller, shall inform the other Parties that it intends to withdraw from this Arrangement. The withdrawal shall come into effect within [withdrawal period] of the day when the withdrawing Party informed all other Parties of its intention to withdraw from this Arrangement.
Article 10 – ENTRY INTO FORCE
This Arrangement enters into force on the date on which the last Party signs it and it is valid for the duration of the processing operation.
For DG SANTE:
Sandra GALLINA
Director-General
For the MS authorities:
Signature:
Signature:
________________________________
________________________________