(1)

The identification of a positive case of COVID-19 following a given cross-border journey fulfils the criteria set out in Article 9(1) of Decision 1082/2013/EU, as it may still cause significant mortality in humans, as it may grow rapidly in scale, as it affects more than one Member State, and as it may require a coordinated response at Union level. In accordance with point 23 of Recommendation (EU) 2020/1475 of 13 October 2020 on a coordinated approach to the restriction of free movement in response to the COVID-19 pandemic (2), information on COVID-19 cases detected on the arrival of a person on the territory of a Member State should be immediately shared with the public health authorities of the countries the person concerned has stayed in during the previous 14 days for contact tracing purposes, using the Early Warning and Response System (‘EWRS’) established by Article 8 of Decision 1082/2013/EU and operated by the European Centre for Disease Prevention and Control (‘ECDC’).

(2)

Pursuant to Recommendation (EU) 2020/1475, Member States could require persons entering their territory to submit passenger locator forms (‘PLFs’) in accordance with data protection requirements.

(3)

By imposing the completion of national PLFs of various formats, Member States collect PLF data from cross-border passengers entering their territory. One use of this data is that if a person who has completed a PLF is identified as a COVID-19 case, the data collected by the PLF are used to establish the journey of that person and transmit relevant information to the Member States that need to perform contact tracing procedures in relation to persons that might have been exposed to the infected passenger.

(4)

Public health authorities of some Member States have already been exchanging personal data collected through national PLFs between themselves for purposes of contact tracing in the context of the COVID-19 pandemic. This exchange has been done in particular through the current technical infrastructure provided under the EWRS.

(5)

The technical infrastructure currently provided under the EWRS is not yet designed to handle the volume of PLF data generated by the systematic and large-scale use of PLFs. For example, it does not translate between different national formats and requires manual entry, thus adversely affecting the timeliness and effectiveness of contact tracing. This is in particular the case when contact tracing needs to be performed in relation to cross-border passengers that have travelled by collective transport means with pre-assigned seats, such as aircraft, certain trains, ferries and cruises, where the number of exposed passengers and the duration of exposure to an infected passenger could be significant.

(6)

A technical infrastructure – called the ‘PLF exchange platform’ – should therefore be set up to enable the secure, timely and effective exchange of data between the EWRS competent authorities of the Member States, by allowing to transmit information from their existing national digital PLF systems to other EWRS competent authorities in an interoperable and automatic manner. It should build on the exchange platform already developed by the European Union Aviation Safety Agency (‘EASA’), with EASA not playing any role in the context of the processing of personal data through the PLF exchange platform as laid down in this Implementing Decision. The PLF exchange platform should also enable the exchange of limited epidemiological data, necessary for the contact tracing, in accordance with Article 9(3) of Decision 1082/2013/EU. In order to avoid an overlap of activities or conflicting actions with existing structures and mechanisms for monitoring, early warning and combating serious cross-border threats to health, the PLF exchange platform should be developed under the EWRS as a complement of the selective messaging functionality existing within that system.

(7)

The PLF exchange platform should be operated by the ECDC in line with Article 8 of Regulation (EC) No 851/2004 of the European Parliament and of the Council (3).

(8)

The PLF exchange platform should not store the PLF data and the epidemiological data to be exchanged.

(9)

If a Member State does not have a nationally developed digital PLF system, it could use the common European Union digital Passenger Locator Form System (‘EUdPLF’) which the EU Healthy Gateways Joint Action was tasked by the Commission to develop (grant No 801493) (4). The purpose of the EUdPLF is to create a single entry point and database for the collection of PLFs. In the future, the EUdPLF should be connected with the PLF exchange platform for the sole purpose of allowing the exchange of data between Member States with their own national digital PLF systems on the one hand and Member States making use of the EUdPLF on the other hand. This Decision does not cover the establishment of the EUdPLF nor does it regulate the processing of personal data in relation to it.

(10)

This Decision does not regulate the establishment of national PLFs, which is a matter for the Member States to decide upon. Member States are free to choose whether they collect PLFs from all passengers arriving at their territory, or only from passengers having that Member State as their final destination. Effective cross border contact tracing based on PLF data requires that Member States collect a common minimum set of PLF data through their national PLFs. Those minimum PLF data should therefore be laid down. Moreover, for reasons of cost efficiency, sustainability and increased security of the solution, Member States should consider adopting a common approach when it comes to requiring PLFs from all passengers, including transit passengers, or only from those passengers that have the Member state concerned as their final destination.

(11)

The use of the PLF exchange platform should be voluntary and Member States should be free to notify alerts under the currently existing technical infrastructure of the EWRS, on a temporary basis and provided they do not compromise the purpose of contact tracing.

(12)

EWRS competent authorities should only exchange well-defined sets of data collected through their PLFs and other limited epidemiological data necessary for the contact tracing, in line with the minimisation principle of personal data processing. Where the Member State notifying the alert about an infected passenger can identify all the Member States concerned, based on the PLF data at its disposal, it should transmit data only to the EWRS competent authorities of those Member States. This is the case, for example, where the Member State identifying the infected passenger collects PLFs for all passengers, including transit passengers, arriving in its territory with a direct connection from the initial place of departure.

(13)

Where a passenger is detected as being infected with SARS-CoV-2 in a Member State, the EWRS competent authorities of that Member State should be able to share with the EWRS competent authorities of the Member State of departure a limited set of data extracted from the PLFs, which should be strictly defined as to what is necessary to perform contact tracing of exposed persons in the Member State of departure and residence, where different from the Member State of departure – namely the identity and contact information of the infected passenger.

(14)

In addition, where a passenger is detected as being infected with SARS-CoV-2 in a Member State, the EWRS competent authorities of that Member State should also be able to share a limited set of data with the EWRS competent authorities of all the Member States or of the concerned Member States, if those authorities have the information enabling them to identify such Member States. The data should be limited to the place of departure, the place of arrival, the date of departure, the type of transport used (e.g. plane, train, coach, ferry, ship), identification number of the transport service – that is to say flight number, train number, coach’s number plate, ferry or ship’s name – the seat or cabin number of the infected passenger, and the time of departure in case the above data are not sufficient to identify the transport. This should allow the receiving EWRS competent authorities to establish whether exposed passengers arrived in their territory and, if so, to perform their contact tracing.

(15)

When sharing data with other EWRS competent authorities through the PLF exchange platform, the relevant EWRS competent authority should be able to add epidemiological information, limited to what is necessary to perform the contact tracing, i.e. the type of COVID-19 test performed, the variant of the SARS-CoV-2 virus, the date of sampling and the date of symptom onset.

(16)

Processing of personal data of infected passengers, exchanged through the PLF exchange platform, is to be carried out by the EWRS competent authorities in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (5). Processing of personal data under the responsibility of the ECDC as operator of the PLF exchange platform for purposes of contact tracing and of the Commission as its sub-processor has to comply with Regulation (EU) 2018/1725 of the European Parliament and of the Council (6).

(17)

The legal ground for the exchange of infected passengers’ personal data, including on health, between the EWRS competent authorities for the purpose of contact tracing is laid down in Article 9(1) and 9(3)(i) of Decision 1082/2013/EU, in line with Article 6(1)(c) and Article 9(2)(i) of Regulation (EU) 2016/679. This Decision should lay down suitable and specific measures to safeguard the rights and freedoms for the data subject. These should include measures relating to the definition of the necessary data sets to be exchanged, the EWRS competent authorities with which the data should be exchanged in the various cases, the appropriate security measures, including encryption, and the modalities for the processing of data between the national competent authorities through the PLF exchange platform within the European Union.

(18)

The EWRS competent authorities participating in the PLF exchange platform determine together the purpose and means of processing of personal data in the PLF exchange platform, and are therefore joint controllers. Article 26 of Regulation (EU) 2016/679 places an obligation on joint controllers to determine, in a transparent manner, their respective responsibilities for compliance with the obligations under that Regulation. It also provides for the possibility to have those responsibilities determined by Union or Member State law to which the controllers are subject. This Decision should therefore determine the respective roles and responsibilities of the joint controllers.

(19)

The ECDC, as a provider of technical and organisational solutions for the PLF exchange platform, processes PLF and epidemiological data on behalf of the Member States participating in the PLF exchange platform as joint controllers, and is therefore a processor within the meaning of Article 3(12) of Regulation (EU) 2018/1725. Pursuant to Article 28 of Regulation (EU) 2016/679 and Article 29 of Regulation (EU) 2018/1725, the processing by a processor is to be governed by a contract or a legal act under Union or Member State law which is binding on the processor with regard to the controller and which specifies the processing. It is therefore necessary to set out rules on processing by the ECDC as a processor.

(20)

Article 3(3) of Regulation (EC) No 851/2004 provides that the ECDC, the Commission and the Member States shall cooperate to promote effective coherence between their respective activities. Accordingly, service level agreements should be concluded between the Commission and the ECDC to cooperate during the technical development and operation of the PLF exchange platform. They have to specify the division of responsibilities (organisational, financial and technological) between the parties to facilitate the implementation of the PLF exchange platform and the technical measures relating to its operation, maintenance and further development.

(21)

Implementing Decision (EU) 2017/253 should therefore be amended accordingly.

(22)

The PLF exchange platform is to be financed in the year 2021 by the Emergency Support Instrument, that has been put in place to help Member States respond to the coronavirus pandemic by addressing needs in a strategic and coordinated manner at European level, and by the ‘Support activities to the European transport policy, transport security and passenger rights including communication activities’. It is to be financed in the year 2022 by the Digital Europe Programme.

(23)

Considering the envisaged date of operation of the PLF exchange platform, this Decision should apply from 1 June 2021. The exchange of data should cease after 12 months or once the Director-General of the World Health Organization has declared, in accordance with the International Health Regulations that the public health emergency of international concern caused by SARS-CoV-2 has ended, if that declaration is made earlier.

(24)

The operation of the PLF exchange platform should be limited to the control of the COVID-19 pandemic. However, it could be in the future extended through an amending implementing decision to such epidemics that may require Member States to exchange PLF data for contact tracing purposes, in line with the criteria set out in Article 9(1) and the conditions set out in Article 9(3) of Decision 1082/2013/EU.

(25)

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 6 May 2021.

(26)

The measures provided for in this Decision are in accordance with the opinion of the Committee on serious cross-border threats to health established by Article 18 of Decision No 1082/2013/EU,

(1)

The following Article 1a is inserted:

(2)

The following Articles 2a, 2b and 2c are inserted:

(3)

In Article 3(3), the words ‘the Annex’ are replaced by ‘Annex IV’;

(4)

In the Annex, the title ‘ANNEX’ is replaced by ‘ANNEX IV’;

(5)

Annexes I, II and III, as set out in the Annex to this Decision, are inserted