Opinion 20/2021 on Tobacco Traceability System
Ad opted 1 Opinion 20/2021 on Tobacco Traceability System Adopted on 18 June 2021 Ad opted 2 Contents 1. BACKGROUND ................................ ................................ ................................ ........................ 3 2. SCOPE OF THE OPINION ................................ ................................ ................................ ..... 4 3. ASSESSMENT ................................ ................................ ................................…
How it connects
Related across sources
Full text
Ad opted 1 Opinion 20/2021 on Tobacco Traceability System Adopted on 18 June 2021 Ad opted 2 Contents 1. BACKGROUND ................................ ................................ ................................ ........................ 3 2. SCOPE OF THE OPINION ................................ ................................ ................................ ..... 4 3. ASSESSMENT ................................ ................................ ................................ ....................... 5 3 A dopted The European Data Protection Board Having regard to Article 70(1)(b) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and re pealing Directive 95/46/EC (hereinafter “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018, 1 Having regard to Article 12 and Article 22 of its Rules of Procedure, HAS ADOPTED THE FOLLOWING OPINION: 1. BACKGROUND 1. On 3 March 2021, the European Commission (“Commission”) requested the opinion of the EDPB, on the basis of Article 70(1)(b) GDPR, on three questions related to the dif ferent roles of the actors involved in the tobacco traceability system established under Directive 2014/40/EU of the European Parliament and of the Council of 3 April 2014 on the approximation of the laws, regulations and administrative provisions of the M ember States concerning the manufacture, presentation and sale of tobacco and related products and repealing Directive 2001/37/EC (the “Tobacco Products Directive” or “Directive”). 2. The Tobacco Products Directive envisages the establishment of a traceabilit y system to track and trace the movements of tobacco products within the Union territory, in order to facilitate the smooth functioning of the internal market for tobacco and related products and ensure their compliance with the Directive. 2 On the basis of Article 15(11) Directive, the Commission adopted the Commission Implementing Regulation (EU) 2018/574 and Commission Delegated Regulation (EU) 2018/573 which lay down, respectively, technical standards for the establishment and operation of a traceability system for tobacco products and the key elements of data storage contracts to be concluded as part of a traceability system for tobacco products. 3. Under the tobacco traceability system, all unit packets of tobacco products are required to be marked with a unique identifier. The ID Issuers are the actors entrusted with generating and issuing the unique identifier. Personal data processed in this context are related to the request of the unique identifier code for economic operators (e.g. contact details, VA T number, address of economic operators that are natural persons or whose information relate to natural persons) . 3 The information collected by the ID Issuers (including personal data) is stored in the ID Issuers’ registries and transmitted to the secondary repository, which is part of the repositories system, composed by the primary repositories, 1 References to “Member States” made throughout this opinion should be understood as references to “EEA Member States” . 2 Articles 1 and 15 Directive . 3 See CJEU Joined Cases C - 92/09 and C - 93/09, with regard to the protection of the personal data of natural persons who are identified or identifiable on the names of legal persons. 4 A dopted the secondary repository and a routing service ( “ the router ” ) set up and managed by the provider of the secondary repository. 4. The providers of primary repositories are contracted by the tobacco manufacturers and importers and approved by the Commission. These host information (including personal data) relating to tobacco products of the manufacturer or importers who contracted the repository. The information is shar ed with the secondary repository, which is a central data storage repository containing a copy of all the data stored in the primary repositories and ID Issuers registries. Personal data processed in this context relate to recording and transmitting inform ation on product movements or transactional information (e.g. contact details of destination facilities of sole traders; contact details and VAT numbers of buyers and payers who are sole traders or whose name may identify a natural person). 5. The competent a uthorities of the Member States and the Commission have access to the data stored in the primary and secondary repositories and are entrusted with enforcement and monitoring tasks, respectively, to ensure compliance with the Directive and relevant legislat ion. 2. SCOPE OF THE OPINION 6. The Commission requested the opinion of the EDPB, on the basis of Article 70(1)(b) GDPR, on the data protection aspects of the tobacco traceability system. The Commission asked, in particular, three specific questions: I. Does the European Data Protection Board agree with the Commission’s assessment according to which the Member States and the Commission act as joint controllers with regard to the processing of personal data in the context of the EU tobacco traceability system, as explained in the background information in this note? II. Does the European Data Protection Board agree with the Commission’s assessment according to which the ID Issuers act as processors of the Member States as explained in the background information in this note? III. Does the European Data Protection Board agree with the Commission’s assessment according to which the independent third parties hosting the primary repositories act as sub - processors of the operator of the secondary repository acting as processor on behalf of the joint controllers (Commission and Member States), as explained in the background information in this note? 7. The EDPB would like to underline that, in accordance to art. 70(1)(b) of the GDPR, the EDPB is tasked with providing advice to the Com mission on any issue related to the protection of personal data in the Union. This task, however, should not be understood as an obligation of the EDPB to advise the Commission with regard to specific processing operations where the latter is involved as a controller or processor. In this regard, the EDPB recalls that the responsibility to ensure compliance with the applicable data protection legislation, including the assessment of the role of the actors involved in the processing activit ies at stake , lies with the controller and processor, assisted by, where applicable, their data protection officer. In the spirit of the principle of cooperation that governs the inter - institutional at an EU level relationship between the Commission and the EDPB, the presen t Opinion contains elements to be considered by the Commission. It is made only on the basis of the Commission’s assessment as provided to the EDPB. This Opinion has the nature of a general advice and does not, in 5 A dopted any manner, intend to provide definitive v iews and legal analysis as it does not substitute the obligations of the controller(s) to ensure that the processing of personal data is compliant with the applicable data protection legislation, including with regard to the determination of the roles of t he actors involved . In addition, the omission of any references, in this opinion, to any other aspects of the processing of personal data within the system does not signal either approval or disapproval from the EDPB or any of its members, as data protecti on regulators. This is without prejudice to any specific further assessments conducted by the European Data Protection Supervisor (“EDPS”) or the national data protection Supervisory Authorities. 8. Moreover, the EDPS remains the entity responsible for the su pervision of EU institutions, bodies, offices and agencies regarding the processing of personal data in the context of their mandates, as foreseen in Regulation 2018/1725. 4 As a result, any requests from the Commission concerning compliance with, or implem entation of any provisions regarding Regulation 2018/1725 should be addressed primarily to the EDPS. 9. Finally, the EDPB also recalls that in line with the GDPR, the national data protection s upervisory a uthorities remain entirely responsible for the superv ision of the processing of personal data within the tobacco traceability system by the national authorities and economic operators in their Member States. The EDPS and the national authorities are regularly making available guidelines and practical tools t o assist Controllers and Processors to ensure data protection compliance. 10. The EDPB also invites the Commission to consider the published EDPB guidelines aiming to ensure consistent application of the GDPR. 3. ASSESSMENT (1) Does the European Data Protection Board agree with the Commission’s assessment according to which the Member States and the Commission act as joint controllers with regard to the processing of personal data in the context of the EU tobacco traceability system, as explained in the backgrou nd information in this note? 11. In accordance with article 26 GDPR “[w]here two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers”. As underlined in the EDPB Guidelines 07/2020 on the concepts of contr oller and processor in the GDPR (the “Guidelines”), “jointly” means “together with” or “not alone” and the assessment of joint controllership entails the factual analysis of the actual influence on the determination of the purposes and means of the process ing. 5 In this regard, an important criterion to identify the joint determination is “ whether the processing would not be possible without both parties’ participation in the sense that the processing by each party is inseparable, i.e. inextricably linked.” 6 12. In the present case, the EDPB understands that the purposes of the processing stem from Directive 2014/40/EU. With the objective to facilitate the smooth functioning of the internal market for tobacco 4 Se e article 52 of Regulation 2018/1725. 5 Par. 48 and 49 Guidelines . 6 Guidelines par. 53 . 6 A dopted and related products and ensure compliance with the pr ovisions of the Directive, 7 Article 15 Directive envisages the establishment of a tobacco traceability system to track and trace the movements of tobacco products within the EU. Under this system, all unit packets of tobacco products are marked with a uniq ue identifier. This allows the tracking and tracing of the tobacco packets, since economic operators involved in tobacco trade are required to record the relevant information throughout the supply chain. The data collected (including personal data) are mad e accessible to the Commission and Member States. The latter are entrusted with ensuring the compliance of tobacco and related products with the Directive and the implementing and delegated acts provided for therein, including by laying down rules on penal ties applicable to infringements and ensuring that the penalties are enforced. 8 The Commission is entrusted with monitoring tasks. 9 The respective duties and powers of the Commission and the Member States are described in the Implementing Regulation 2018/5 74. Joint determination of the purposes 13. As underlined in the Guidelines, a joint determination of the purpose exists when the entities involved process the data for the same, or common, purposes or for purposes, which are closely linked or complementary. 10 14. In general terms, it is the EDPB’s understanding that the processing of personal data in the context of the tobacco traceability system takes place for tobacco control purposes, in order to ensure compliance with the Directive and relevant legislation, as explained above. As laid out in the Directive, both the Commission and the Member States are entrusted with monitoring and enforcement tasks, respectively, these tasks being complementary and inextricably linked. 11 Consequently, it appears that the Directiv e provides the relevant elements to assess whether the Member States and the Commission share the common purpose to ensure compliance with the Directive and with the relevant legislation. 15. As stated above, joint controllership exists when the different part ies determine jointly the purpose and the means of the processing activity. Thus, assessing the existence of joint controllers requires not only examining whether the purposes are determined by more than one party, but also the means. 12 Joint determination of means 16. As stated in the Guidelines, the joint determination of the means of the processing does not entail that each entity needs in all cases to determine all of the means. Thus, “ different entities may be involved at different stages of that processing and to different degrees. Different joint controllers may therefore define the means of the processing to a different extent, depending on who is effectively in a position to do so ”. 13 7 See Article 1 Directive . 8 See article 23(2) and 23( 3 ) Directive . 9 See, for example, article 15. 8 of the Directi ve that entrusts the Commission with ensuring the suitability, in particular its independence and technical capacities, of the primary repository providers and with approving the external auditor tasked to monitor the activities of the primary repository provides. 10 Pars. 57 - 58 Guidelines . 11 See, for exam ple, Art. 25(1)(l), 26(6), 27(2), 27(3)(a), 27(4) and 27(5) Regulation 2018/574 provides the Commission and the Member States with the same tasks. 12 Guidelines, para. 48. 13 Guidelines, para . 61. 7 A dopted 17. Within the tobacco traceability system, there are two types of location s in which personal data are processed, by means of storage and exchange: the registries established and maintained by the ID issuers and the repositories system (which include the primary repositories, the secondary repository and the router set up and ma naged by the provider of the secondary repository). Personal data are processed through those different platforms, which are necessary for the functioning of the tobacco traceability system. Without the mediation of the ID issuers and the repositories, dat a (including personal data) would not be collected, exchanged and made accessible to the Member States and the Commission. 18. As stated in the Guidelines, “‘ [e]ssential means’ are closely linked to the purpose and the scope of the processing and are traditio nally and inherently reserved to the controller” . 14 Given the specific functioning of the tobacco traceability system as described in the Directive and Regulation 2018/574, it appears that the purpose of ensuring compliance with the Directive and relevant l egislation would not be attainable without the involvement of the ID issuers and the providers of the repositories, which provide the platforms that allow the collection, storage and exchange of information. 15 19. According to Article 3 of Commission Implement ing Regulation 2018/574, the ID issuers that establish and maintain the first type of registries are entities appointed by the Member States. In addition, Member States are entrusted with ensuring that the ID issuers comply with the independence requiremen ts laid down in Article 35 of Regulation 2018/574. The Commission is not directly involved in the choice of the ID issuers. However, it is tasked with the monitoring of the compliance of the ID issuers with the independence requirements. 16 The information g athered in the ID issuers’ registries is forwarded to the secondary repository via the router, where it can be accessed by the Commission and the competent authorities of the Member States. 20. The secondary repository contains a copy of all data stored in the different primary repositories and ID Issuers’ registries, as per Articles 20(3) and 27(1) Regulation 2018/574. Member States and the Commission have access to the data stored in the primary and secondary repositories, and have the right to create, manage and withdraw user access rights for the repositories and to download full and selected sets of data for the purposes foreseen in the Directive. 17 The provider of the secondary repository, who is also in charge of providing the router, is appointed by the Commission from among the providers of primary repositories. 18 Likewise, the Commission is entrusted to approve the provider of the primary repository proposed by the manufacturer or importer, as well as the draft storage contract. 19 Member States do not hav e any influence on the choice, but they are entrusted with ensuring that manufacturers and importers conclude data storage contracts with providers of primary repositories. 20 In addition, Member States shall monitor and ensure the compliance of the provider s of the primary repositories with the independence requirements. 21 14 Guidelines, para. 38. 15 See Art. 1(b) Directive, which refers to the traceability of tobacco products “to ensure their compliance with [the] Directive”. Article 15 Directive provides for the key elements of the tobacco traceability system. 16 See art. 35.4 and 35. 7 of Regulation 2018/574 . 17 See article 25(1)(k) - (l) and 25(2) of Regulation 2018/574. 18 See Article 27(1) and Annex I Part B par. 1 to Implementing Regulation 2018/574 . 19 See Article 15(8) Directive and Annex I Part A par. 3 to Implementing Regulation 2018/574 . 20 Articl e 15(8) Directive . 21 Article 35(6) Regulation 2018/574 . 8 A dopted 21. From the above, it seems to be apparent that, whereas Member States exert a decisive influence on the choice of the ID Issuers, the Commission does so with regard to the providers of the r epositories, by approving the proposed providers of primary repositories and appointing the provider of the secondary repository. In this context, it is relevant to underline that, as stated in the Guidelines, “[p]rocessing of personal data can involve mul tiple processors. For example, a controller [or joint controllers] may itself choose to directly engage multiple processors, by involving different processors at separate stages of the processing (multiple processors).” 22 22. In the present case, all the means used for the processing of personal data are necessary in order to achieve the purpose of ensuring compliance with the Directive and relevant legislation. In fact, whereas all the data are eventually stored in the secondary repository, the traceability of the tobacco products would not be possible without the information provided by the ID Issuers (and the primary repositories). In other words, in order to achieve the purpose of monitoring compliance with and enforcing the rules in the context of the tobacc o traceability system, all the means identified (i.e. the ID Issuers’ registries and the repositories) are necessary. Otherwise, the traceability of the tobacco products would not be possible and, therefore, the purpose of the processing would not be achie vable. 23. In light of the elements above and as a preliminary analysis, the EDPB considers that the Commission has taken into consideration the necessary elements to perform the assessment of joint controllership. This is without prejudice to any specific fu rther assessment pursuant to applicable data protection legislation carried out by the controller as part of its obligations or by a competent supervisory authority in the exercise of its powers. 24. In addition, the EDPB recalls that the existence of joint c ontrollership does not necessarily imply equal responsibility of the different actors involved. 23 The level of responsibility shall be assessed on a case - by - case basis, taking into account the specific circumstances of the case. In this regard, the EDPB rec alls that joint controllers “can have a certain degree of flexibility in distributing and allocating obligations among them as long as they ensure full compliance with the GDPR with respect of the given processing. The allocation should take into account f actors such as, who is competent and in a position to effectively ensure data subject’s rights as well as to comply with the relevant obligations under the GDPR ”. 24 (2) Does the European Data Protection Board agree with the Commission’s assessment according to which the ID Issuers act as processors of the Member States as explained in the background information in this note? 25. In the background information provided by the Commission, it is stated that, since the Commission is not involved in the establishment and functioning of the ID Issuers and the processing is based on their contractual relationship with the Member State that appoints them, the ID Issuers do not qualify as the Commission’s processor. 26. The EDPB recalls that there are two basic conditions to qualify as a processor: being a separate entity in relation to the controller and processing personal data on the controller’s behalf . 25 As the EDPB has previously stated, processing personal data on the controller’s behalf requires that the separate entity 22 Guidelines, para. 73 . 23 See Guidelines para. 56. 24 See Guidelines para 165. 25 Guidelines, p ara. 74 . 9 A dopted process personal data for the benefit of the controller . This entails that the processors implement the instructions given by the cont roller with regard to the purpose of the processing and the essential elements of the means. 26 27. In the case of the ID Issuers, albeit some of the elements of the processing may be laid down in the contracts between the ID Issuers and the Member State appoint ing them, other relevant aspects of the processing, in particular regarding the exchange with the secondary repository, seem to be determined otherwise, as explained in the next paragraphs. 28. As indicated above, the role of the ID Issuers within the tobacco traceability system is to generate and issue unique identifiers and transmit the information (including the personal data collected in the context of generating and issuing the unique identifier) to the secondary repository via the router. 27 Once the infor mation is transmitted to the secondary repository, the Commission and the Member States can access it for the purpose of ensuring compliance. The transmission of the data to the secondary repository via the router takes places “using the data format and da ta exchange modalities defined by the router” 28 , which is set up and managed by the secondary repository provider. 29 In addition, it shall be noted that, as per Article 28(1) Regulation 2018/574, “[t]he provider operating the secondary repository shall commu nicate to providers operating primary repositories, ID issuers and economic operators, the list of specifications required for the data exchange with the secondary repository and the router . All specifications shall be based on non - proprietary open standar ds” . 29. From the above, it appears that the ID Issuers shall follow the provisions of Regulation 2018/574 (including the technical specifications in its Annex) and the instructions of the secondary repository provider with regard to the storage and especiall y the exchange of data - including personal data, within the tobacco traceability system. In addition, it stems from the Directive that the processing of personal data by the ID Issuers is necessary in order to ensure compliance with the Directive and the r elevant legislation, which would not be possible without the data transmitted by the ID Issuers. 30 30. In light of the elements above and as a preliminary analysis, the EDPB considers that the Commission has not taken into consideration all the necessary elemen ts to perform the assessment on the role of the ID issuers. In this regard, it should be noted that, in case of joint controllership, the mere fact that the ID Issuers are appointed by the Member State, does not necessarily imply that they are only process ors of the Member State. This is without prejudice to any specific further assessment pursuant to applicable data protection legislation carried out by the controller as part of its obligations or by a competent supervisory authority in the exercise of its powers. 31. As underlined above, the joint controllership arrangement shall include the distribution of the responsibilities, taking into account the specific circumstances of the case. In this respect, as stated in 26 Guidelines, para. 78 . 27 Articles 3 and 20(3) Regulation 2018/574 . 28 Article 29(3) Regulation 2018/574 . 29 Article 24(1)(c) Regulation 2018/574 . 30 I n this regard, Article 15(1) Directive states that: “Member States shall ensure that all unit packets of tobacco products are marked with a unique identifier ” . 10 A dopted the Guidelines, the use of a processor is one of the elements to be considered by the joint controllers when determining their respective responsibilities . 31 (3) Does the European Data Protection Board agree with the Commission’s assessment according to which the independent third parties hosting t he primary repositories act as sub - processors of the operator of the secondary repository acting as processor on behalf of the joint controllers (Commission and Member States), as explained in the background information in this note? 32. The primary repositor ies, as defined under the EC implementing Regulation, are the repositories “ storing traceability data relating exclusively to the products of a given manufacturer or importer ”. 32 In general, terms, as it is the case with the provider of the secondary repository and the ID Issuers, the primary repositories’ providers do not process personal data for their own purposes in this context. T he data processed by the primary repositories’ providers w ithin the tobacco traceability system facilitate the Commission and the Member States to ensure the effective monitoring and enforcement activities in the conte x t of fighting illicit trade in tobacco products. 33. As explained above, each tobacco products’ ma nufacturer and importer is required to conclude a data storage contract with an independent third - party provider for establishing a primary repository. The key elements of the contract are established in the Commission Delegated Regulation 2018/573. The pr imary repositories host information, solely relating to the tobacco products of the manufacturer or importer that contracted such primary repository. 33 All the data received by the primary repository, in the context of a reporting activity, or for any other permitted reason shall be forwarded to the secondary repository the moment received. 34 In this regard, each primary repository shall enter into an individual contract with the provider appointed as a secondary repository to carry out their services. 35 In th is context, and on the basis of clarifications provided by the Commission, the EDPB understands that the secondary repository provider also enters into a data processing agreement with the providers of the primary repositories, to ensure that the processin g carried out by the latter is in accordance with Art. 28(2) and (3) of the GDPR. 34. Thus, it appears from the applicable legislation that the primary repositories are separate independent entities, in charge of storing and transmitting the received data to the secondary repository on behalf of a (joint) controller(s). 35. It shall be noted that, whereas in a given processing operation the essential means of the processing are determined by the (joint) controller(s), the decision on the non - essential means can b e left to the processor. As stated i n the Guidelines, non - essential means, “concern more practical aspects of implementation, such as the choice for a particular type of hard - or software or the detailed security measures”. 36 In the context of the tobacco traceability system, the Board notes that the specific rules 31 Guidelines, par a . 163 . 32 EC Implementing Regulation 18/574 Art. 2(13). 33 EC Implementing Regulation 18/574 Art. 26(2). 34 EC Implementing Regulation 18/574 Art. 26(2). 35 EC Implementing Regulation 18/574 Annex I, Part B(4). 36 See Guidelines, par a . 38 . 11 A dopted applicable to the processing carried out by the primary repositories are not determined by them nor they are specified in the contract with the manufacturer or importer. 37 36. The practical aspects o f the implementation (or “non - essential means”) are set forth in Regulation 2018/574, in the service agreement signed with the secondary repository provider and in the technical instructions of the latter. In this regard, the storage of data (including per sonal data) in the primary repositories has to be conducted in accordance with the “common data dictionary” provided by the secondary repository, 38 which contains the technical aspects of the database kept by the primary and secondary repositories. 39 Likewis e, when the primary repository conducts the transfer of data to the secondary repository, it is not independent in deciding the modalities of the transfer, but it should use the data format and data exchange modalities, as determined by the secondary repos itory. 40 Additionally, it seems that the secondary repository provider and the primary repositories’ providers also enter into a data processing agreement for the processing of personal data. 37. It stems from the above that the primary repositories act exclus ively in accordance with the rules described in the Commission Implementing Regulation 2018/574, the technical instructions provided by the secondary repository and the contract with the operator of the secondary repository. 38. In light of the elements above and as a preliminary analysis, the EDPB considers that the Commission has taken into consideration the necessary elements to perform the assessment on the role of the providers of the primary repository. This is without prejudice to any specific further a ssessment pursuant to relevant applicable data protection legislation carried out by the controller as part of its obligations or by a competent supervisory authority in the exercise of its powers. 39. The EDPB underlines that the contract between a processor and a sub - processor shall include the same data protection obligations that apply to the processor with regard to the controllers. 41 40. Finally, the EDPB recalls that, according to Art. 28(2) of the GDPR, in order to engage a (sub ) processor , the processor n eeds the controller’s approval, either via prior specific or general written authorisation. 37 Article 9 of Reg ulation 2018/573 only establishes the obligation to specify in the contract that the primary repository provider will put in place all appropriate measures to ensure the confidentiality, integrity and availability of the data stored and that it will be pro cessed in accordance with the GDPR. 38 EC Implementing Regulation 18/574 Art. 26(5). 39 Article 2(17) Regulation 2018/574 . 40 EC Implementing Regulation 18/574 Art. 26(4). 41 Article 28(4) GDPR.