32019D1269

Language
- My EUR-Lex
- Sign in
- Register
- My recent searches (0)

This document is an excerpt from the EUR-Lex website

Search tips

Need more search options? Use the Advanced search

EUROPA
EUR-Lex home
Implementing decision - 2019/1269 - EN - EUR-Lex

Document 32019D1269

Help

Commission Implementing Decision (EU) 2019/1269 of 26 July 2019 amending Implementing Decision 2014/287/EU setting out criteria for establishing and evaluating European Reference Networks and their Members and for facilitating the exchange of information and expertise on establishing and evaluating such Networks (Text with EEA relevance.)

C/2019/5470

OJ L 200, 29.7.2019, p. 35–43 (BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

Legal status of the document In force

ELI: http://data.europa.eu/eli/dec_impl/2019/1269/oj

HTML

PDF

Official Journal

29.7.2019

Official Journal of the European Union

L 200/35

COMMISSION IMPLEMENTING DECISION (EU) 2019/1269

of 26 July 2019

amending Implementing Decision 2014/287/EU setting out criteria for establishing and evaluating European Reference Networks and their Members and for facilitating the exchange of information and expertise on establishing and evaluating such Networks

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients' rights in cross-border healthcare (1) and in particular Article 12(4)(b) and (c) thereof,

Whereas:

(1)

Commission Implementing Decision 2014/287/EU (2) sets out criteria for establishing and evaluating European Reference Networks and their Members and for facilitating the exchange of information and expertise on establishing and evaluating those Networks. Article 6 of that Decision invited Member States to set up a Board of Member States with a view to deciding whether or not to approve proposals for Networks, their membership and termination. The Member States set up the Board of Member States, which subsequently approved 23 European Reference Networks (ERNs) in December 2016 and one in February 2017. All Networks commenced activities in 2017.

(2)

To increase the efficiency of the European Reference Networks, the Board of Member States should become the forum for exchanging information and expertise in order to steer the development of the ERNs, provide guidance to the Networks and to the Member States and advise the Commission on matters related to the establishment of the Networks. To promote the exchange of experience and to facilitate a process consistent with other cross border exchanges of health data, the Board should foresee a close cooperation with the eHealth Network to develop, wherever possible, common approaches, data structures and guidelines facilitating transparent access to different services and streamlining rules for healthcare providers. The Board should also promote the discussion with other relevant EU fora (such as Steering Group on Health Promotion, Disease Prevention and Management of Non-Communicable Diseases) on areas of common interest.

(3)

The current experience of the 24 existing ERNs has shown that to ensure an effective functioning of each Network, its Members should closely cooperate in performing their tasks, such as exchanging health data concerning patients' diagnoses and treatment in an efficient and secure manner, contributing to scientific research activities and to the development of medical guidelines. Close cooperation requires mutual trust among the Members of each Network and mutual recognition in particular of their expertise and competence, of the quality of their clinical care as well as of their specific human, structural and equipment resources as provided for under point 2 of Annex II to Commission Delegated Decision 2014/286/EU (3).

(4)

Mutual trust and recognition by peers are equally important where healthcare providers wish to join an existing Network as they guarantee the right pre-conditions for future cooperation within the Network. A favourable opinion on the membership application by the Board of the Network that the healthcare provider wishes to join, following a peer review carried out by the Network on the basis of the criteria and conditions set out in point 2 of Annex II to Delegated Decision 2014/286/EU, should therefore accompany such application when it is assessed by an independent assessment body appointed by the Commission. In order to allow the healthcare provider express its views on the opinion of the Board of the Network, the healthcare provider should be permitted to submit comments on the draft opinion within a period of one month from the date of receipt of that opinion.

(5)

Reasonable deadlines should be set out for the Board of the Network as regards the draft and final opinion. The deadline for the final opinion should therefore, in principle be set at four months. However, in case the healthcare provider submits comments on the Board of the Network's draft opinion, the four-month deadline for delivering the final opinion should be extended by one month in order to allow the Board of the Network to take into account the comments received. For reasons of legal certainty, if the Board of the Network fails to send the draft opinion or deliver the final opinion within the deadlines set, the final opinion should be deemed favourable.

(6)

If a membership application receives an unfavourable opinion by the Board of the Network that the healthcare provider wishes to join, while having received the endorsement in the form of a written statement from the healthcare provider's Member State of establishment, the Member State of establishment should have the possibility of requesting the Board of Member States to decide, on the basis of the criteria and conditions set in point 2 of Annex II to Delegated Decision 2014/286/EU, whether the application can nevertheless be submitted to the Commission.

(7)

In order to support health professionals across the ERNs to collaborate remotely in the diagnosis and treatment of patients with rare or low prevalence complex diseases or conditions across national borders and to facilitate scientific research of such diseases or conditions, the Commission developed a Clinical Patient Management System for ERNs (‘CPMS’) with the aim of facilitating the establishment and functioning of the ERNs as provided for in point (c) of paragraph 4 of Article 12 of Directive 2011/24/EU.

(8)

The CPMS should provide a common infrastructure for health professionals to collaborate within the ERNs in the diagnosis and treatment of patients with rare or low prevalence complex diseases or conditions. It should provide the means through which the exchange of information and expertise on such diseases takes place within the ERNs in the most effective way.

(9)

The CPMS should therefore consist of a secure IT infrastructure providing a common interface where healthcare providers that are members of the ERNs, Affiliated Partners (4) or guest users (‘healthcare providers authorised to access CPMS’), can exchange information within the Networks on the concerned patients with the aim of facilitating their access to safe and high quality healthcare and promoting effective cooperation on healthcare between Member States by facilitating the exchange of relevant information.

(10)

In order to guarantee compliance with data protection rules and ensure the use of an effective and secured environment for the electronic exchange of personal data of patients between healthcare providers within the ERNs for the purposes referred to in paragraph 2 of Article 12 of Directive 2011/24/EU, such exchange should take place only on the basis of the patients' explicit consent and only through the CPMS. The healthcare providers are responsible for ensuring the security of the data they process outside of the CPMS with the aim of entering them into the CPMS, as well as of the data that are not entered into the CPMS but are processed by them in relation with the CPMS (such as consent forms) or of the data downloaded by them from the CPMS and processed outside of the CPMS.

(11)

The CPMS processes sensitive data concerning patients suffering from rare or low prevalence complex diseases. These data are processed solely for the purpose of facilitating patients' diagnosis and treatment, for entering them into relevant registries or other databases for rare and low prevalence complex diseases, which serve a scientific research, clinical or health policy purposes and for contacting potential participants for scientific research initiatives. Healthcare providers within the ERNs should be able to process the patients' data in the CPMS once they have obtained the patients' specific, informed and free consent about three possible uses of their data (medical assessment of the file for advice on diagnosis and treatment, entering the data in rare diseases registries or other databases for rare and low prevalence complex diseases and possibility for the patients to be contacted to participate in a scientific research initiative). The consent should be obtained separately for each of these three purposes. This decision should lay down the purposes and the safeguards for the processing of such data in the CPMS. In particular, the Commission should provide for the general features of the CPMS in relation to each Network, should provide and maintain the secure IT infrastructure required to that end and should ensure its technical functioning and security. In line with the principle of data minimisation, the Commission should only process personal data strictly necessary in order to ensure the administration of the CPMS in relation to each Network and therefore should not access health data of patients exchanged in the ERNs, unless it is strictly necessary to fulfil its obligations as a joint controller.

(12)	This Implementing Decision should only apply to processing of personal data, which takes place in the CPMS, in particular contact details, and health data, within the ERNs.

(13)

Article 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council (5) and Article 28 of Regulation (EU) 2018/1725 of the European Parliament and of the Council (6) place an obligation on joint controllers of personal data processing operations to determine, in a transparent manner, their respective responsibilities for compliance with the obligations under these Regulations. They also provides for the possibility to have those responsibilities determined by Union or Member State law to which the controllers are subject.

(14)	Implementing Decision 2014/287/EU should therefore be amended accordingly.

(15)	The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 13 September 2018.

(16)	The measures provided for in this Decision are in accordance with the opinion of the Committee set up under Article 16 of Directive 2011/24/EU,

HAS ADOPTED THIS DECISION:

Article 1

Implementing Decision 2014/287/EU is amended as follows:

(1)

The following Article 1a is inserted:

‘Article 1a

Definitions

For the purposes of this Implementing Decision the following definitions shall apply:

(a)	“European Reference Networks' Coordinator” means the person appointed as the Coordinator of the Network by the Member of a European Reference Network chosen as the coordinating Member as referred to in recital 3 and Article 4 of Delegated Decision 2014/286/EU

(b)	“Board of the Network” means a body responsible for the governance of the Network, composed of representatives from each Member in the Network as referred to in recital 3 and point (1)(b)(ii) of Annex I to Delegated Decision 2014/286/EU;

(c)	“Affiliated Partner” means (Associated National Centre, Collaborative National Centre and National Coordination Hub), as referred to in recital 14 and point (7)(c) of Annex I of Delegated Decision 2014/286/EU and in the Statement of the Board of Member States of 10 October 2017;

(d)

“Guest user” means a healthcare provider who is not a member or Affiliated Partner and who has the right, following the approval of the competent European Reference Network Coordinator, for a limited period of time, to enrol patients in CPMS and participate in the panel related to that patient or to participate in a specific panel as an expert.’

(2)

In Article 8, the following paragraphs 4, 5 and 6 are inserted:

‘4. If the Commission concludes that the requirements set out in Article 8(2) and (3) are fulfilled, the Board of the Network that the healthcare provider wishes to join, shall issue an opinion on the membership application, following a peer review carried out by the Network on the basis of the criteria and conditions set out in point 2 of Annex II to Delegated Decision 2014/286/EU.

5. Before delivering the opinion referred to in paragraph 4 and within three months from the moment the Commission has confirmed that the requirements set out in Article 8(2) and (3) are fulfilled, the Board of the Network shall send a draft opinion to the applicant healthcare provider that may send comments to the Network within one month of receiving the draft opinion. In case the Board of the Network does not receive comments on that draft, it shall deliver a final opinion on the membership application, within four months from the moment the Commission has confirmed that the requirements set out in Article 8(2) and (3) are fulfilled.

In case the Board of the Network receives comments, the deadline for the delivery of the final opinion is extended to five months from the moment the Commission has confirmed that the requirements set out in Article 8(2) and (3) are fulfilled. On receiving comments, the Board of the Network shall amend its opinion explaining whether the comments justify a change in its assessment. If the Board of the Network fails to send the draft opinion or to deliver its final opinion within the deadlines set above, the final opinion is deemed to be favourable.

6. In case of an unfavourable opinion of the Board of the Network, upon request of the Member State of establishment, the Board of the Member States, may issue a favourable opinion after re-assessing the application on the basis of the criteria and conditions set out in point 2 of Annex II to Delegated Decision 2014/286/EU. That favourable opinion shall accompany the application.’

(3)	In Article 9, paragraph 1 is replaced by the following: ‘1. If a favourable opinion is issued in accordance with Article 8(5) or (6), the Commission shall appoint a body to assess the membership application which it accompanies.’

(4)

In Chapter IV, the following Article 15a is inserted:

‘Article 15a

Exchange of information and expertise among the Member States

Member States are invited to exchange information and expertise within the Board of Member States in order to steer the development of the ERNs, provide guidance to the Networks and to the Member States and advise the Commission on matters related to the establishment of the Networks.’

(5)

The following Article 16a is inserted:

‘Article 16a

The Clinical Patient Management System

1. A Clinical Patient Management System (“CPMS”) for the electronic exchange of personal data of patients between healthcare providers authorised to access CPMS within the ERNs is hereby established.

2. The CPMS shall consist of a secure IT tool provided by the Commission for the sharing and hosting of patient data and for real and on-time communication on patient cases within the ERNs.

3. It shall include, inter alia, a medical image viewer, data reporting capabilities, custom datasets and it shall integrate adequate data protection safeguards in accordance with Annex I.’

(6)

The following Article 16b is inserted:

‘Article 16b

Personal data processed in the CPMS

1. Personal data of patients, which consist of name, gender, date and place of birth and other personal data necessary for the purpose of diagnosis and treatment shall be exchanged and processed within the ERNs exclusively through the CPMS. The processing shall be limited to the purposes of facilitating collaboration on the medical assessment of a patient file for diagnosis and treatment, of entering the data in registries and other databases for rare and low prevalence complex diseases, which serve scientific research, clinical or health policy purposes and of contacting potential participants for scientific research initiatives. It shall be based on a consent obtained in accordance with Annex IV.

2. The Commission shall be regarded as controller of processing of personal data related to the management of access rights and shall process these data on the basis of the explicit consent of the individuals identified by the healthcare providers as users and authorised by the relevant ERNs in so far as necessary to ensure that:

(a)	access rights are granted to these individuals;

(b)	these individuals may exercise their rights and fulfil their obligations; and

(c)	it can fulfil its obligations as a controller.

3. The Commission shall not access personal data of patients, unless it is strictly necessary to fulfil its obligations as a joint controller.

4. Only persons authorised by ERNs and belonging to the categories of staff and other individuals affiliated to the healthcare providers authorised to access CPMS may access personal data of patients in the CPMS.

5. The name of the patient, as well as the place and exact date of birth, shall be encrypted and pseudonymised in the CPMS. Other personal data necessary for the purpose of diagnosis and treatment shall be pseudonymised. Only pseudonymised data shall be available to CPMS users from other healthcare providers for panel discussions and assessment of patient files.

6. The Commission shall ensure the security of transfer and hosting of personal data.

7. Healthcare providers authorised to access CPMS shall delete data no longer necessary. Personal data of patients shall only be retained for as long as necessary in the interest of patient care, diseases' diagnosis or for the purpose of ensuring care within an ERN to the patients' family members. Every 15 years at the latest, each healthcare provider authorised to access CPMS shall review the need to keep the patients' data it is controller of.

8. The effectiveness of technical and organisational measures for ensuring the security of processing of personal data in the CPMS shall be regularly tested, assessed and evaluated by the Commission and by the healthcare providers authorised to access CPMS.’

(7)

The following Article 16c is inserted:

‘Article 16c

Joint controllership of patients' personal data processed through the CPMS

(1) Each of the healthcare providers processing patients' data in the CPMS and the Commission shall be joint controllers of the processing of these data in the CPMS.

(2) For the purposes of paragraph 1, responsibilities shall be allocated among joint controllers in accordance with Annex III.

(3) Each of the joint controllers shall comply with relevant Union and national legislation to which the respective controller is subject.’

(8)	Annex III is added, the text of which is set out in Annex I to this Decision.

(9)	Annex IV is added, the text of which is set out in Annex II to this Decision.

Article 2

This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Done at Brussels, 26 July 2019.

For the Commission

The President

Jean-Claude JUNCKER

(1) OJ L 88, 4.4.2011, p. 45.

(2) Commission Implementing Decision 2014/287/EU of 10 March 2014 setting out criteria for establishing and evaluating European Reference Networks and their Members and for facilitating the exchange of information and expertise on establishing and evaluating such Networks (OJ L 147, 17.5.2014, p. 79).

(3) Commission Delegated Decision 2014/286/EU of 10 March 2014 setting out criteria and conditions that European Reference Networks and healthcare providers wishing to join a European Reference Network must fulfil (OJ L 147, 17.5.2014, p. 71).

(4) As referred to in recital 14 and point (7)(c) of Annex I of Delegated Decision 2014/286/EU and in the Statement of the Board of Member States of 10 October 2017, available at https://ec.europa.eu/health/sites/health/files/ern/docs/boms_affiliated_partners_en.pdf

(5) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(6) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

ANNEX I

‘ANNEX III

ALLOCATION OF RESPONSIBILITIES AMONG JOINT CONTROLLERS

The Commission shall be responsible for:

(i)	the setting up, operation and administration of the CPMS;

(ii)	providing, where necessary, the technical means to the healthcare providers to enable patients to exercise their rights through the CPMS in accordance with Regulation (EU) 2018/1725 and responding and attending to the requests of data subjects where so required by applicable legislation;

(iii)

ensuring that the CPMS complies with the requirements applicable to Commission's communication and information systems (1);

(iv)	defining and implementing the technical means to enable patients to exercise their rights in accordance with Regulation (EU) 2018/1725;

(v)	communicating any personal data breaches within the CPMS to the healthcare providers;

(vi)	exporting personal data sets from the CPMS in the event of a change of personal data processor;

(vii)

identifying the categories of staff and other individuals to whom access to the CPMS may be granted, affiliated to the healthcare providers authorised to access CPMS;

(viii)

ensuring that the patients' name and place of birth (unless necessary for diagnosis and treatment), and the exact date of birth are encrypted and pseudonymised and that other personal data necessary for the purpose of diagnosis and treatment are pseudonymised in CPMS;

(ix)	putting adequate safeguards in place to ensure the security and confidentiality of patients' personal data processed through the CPMS.

Each healthcare provider authorised to access CPMS shall be responsible for:

(i)	selecting the patients whose personal data are processed through the CPMS;

(ii)	collecting and maintaining explicit, informed, freely-given and specific consent(s) of the patients whose data are processed through the CPMS in compliance with the mandatory minimum requirements for the consent form specified in Annex IV;

(iii)

acting as the contact point for its patients, including when they exercise their rights, responding to the requests of patients or their representatives and ensuring that patients whose data are processed through the CPMS are enabled to exercise their rights in compliance with data protection legislation, using, where necessary, the technical means provided by the Commission in line with point 1(ii);

(iv)	reviewing, at least every 15 years, the necessity of processing specific patients' personal data through the CPMS;

(v)	ensuring the security and confidentiality of any processing of patients' personal data outside the CPMS done by that healthcare provider, where such data is processed for the purposes of or in connection to processing patients' personal data through the CPMS;

(vi)	communicating any personal data breaches with regard to patient data processed through the CPMS to the Commission, to the competent supervisory authorities and, where so required, to patients, in accordance with Articles 33 and 34 of Regulation (EU) 2016/679 or if requested by the Commission;

(vii)

identifying, in compliance with access criteria referred to in point 1(vii) of this Annex, staff and other individuals affiliated to them, whom shall be granted access to patients' personal data within the CPMS and communicating it to the Commission;

(viii)

ensuring that their staff and other individuals affiliated to them, who have access to patients' personal data within the CPMS, are adequately trained to ensure that they perform their tasks in compliance with the rules applicable to the protection of personal data, and are subject to the obligation of professional secrecy in accordance with Article 9(3) of the Regulation (EU) 2016/679.

’

(1) Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission (OJ L 6, 11.1.2017, p. 40) and Commission Decision of 13 December 2017 laying down implementing rules for Articles 3, 5, 7, 8, 9, 10, 11, 12, 14, 15 of Decision (EU, Euratom) 2017/46 on the security of communication and information systems in the Commission (C(2017) 8841 final).

ANNEX II

‘ANNEX IV

Mandatory minimum requirements for the consent form to be provided by healthcare providers authorised to access CPMS

The consent form shall describe the legal basis and lawfulness of processing, concept and purpose of the European Reference Networks (ERNs) established by Directive 2011/24/EU on the application of patients' rights in cross-border healthcare. It shall inform about the specific processing operations and the respective rights of the data subject in accordance with applicable data protection legislation. It shall explain that Networks are constituted of Members that are highly specialised healthcare providers, with the purpose to allow healthcare professionals to work together to support patients with rare or low prevalence complex diseases or conditions that need highly specialised healthcare.

The consent form shall request the patient's explicit consent for sharing her/his personal data with one or more ERNs, with the sole purpose to improve her/his access to diagnosis and treatment and the provision of high-quality healthcare. To that end, it shall explain that:

(a)

if the consent is given, the patients' personal data will be processed by healthcare providers authorised to access CPMS respecting the following conditions:

(i)	the name of the patient, as well as place and exact date of birth will not be included in the shared data; the patient's identifying data will be replaced by a unique identifier which will not allow identification of the patient to anyone else other than the healthcare provider (pseudonymisation);

(ii)

only data that are relevant for the purpose of diagnosis and treatment will be shared; this may include area of birth and area of residence, gender, year and month of birth, medical images, laboratory reports, as well as biological sample data. It may also include letters and reports from other healthcare professionals who have cared for the patient in the past;

(iii)

the patient's data will be shared through the Clinical Patient Management System (CPMS), a secure electronic information system;

(iv)	only healthcare professionals and other individuals affiliated to such healthcare providers subject to the obligation of professional secrecy who are entitled to have access to patients' data in the Networks will have access to the patient's data;

(v)	healthcare professionals and other individuals affiliated to such healthcare providers who are entitled to have access to patients' data may run queries in the CPMS and create reports in order to identify similar patient cases;

(b)	if the consent is not given, it will by no means affect the patient's care by the respective healthcare provider.

The consent form may also request the patient's additional consent to her/his data being entered in registries or other databases for rare and low prevalence complex diseases, which serve scientific research, clinical or policy purposes. If consent is requested for this purpose, the consent form shall describe the concept and purpose of rare disease registries or databases and explain that:

(a)

if the consent is given, the patient's personal data will be processed by healthcare providers authorised to access CPMS respecting the following conditions:

(i)	only relevant data related to the patient's medical condition will be shared;

(ii)	healthcare professionals and other individuals affiliated to such healthcare providers who are entitled to have access to patients' data may run queries in the CPMS and create reports in order to identify similar patient cases;

(b)	if the consent is not given, it will by no means affect either the patient's care by the respective healthcare provider, or the fact that the Network will provide advice on diagnoses and treatment, at the request of the patient.

The consent form may also request the patient's additional consent to being contacted by a Network Member who believes the patient could be suitable for a scientific research initiative, a specific scientific research project or parts of a scientific research project. If consent is requested for this purpose, the consent form shall explain that giving at this stage the consent to be contacted for scientific research purposes does not mean giving the consent for the patient's data to be used for a specific scientific research initiative, neither does it mean that the patient will in any event be contacted in connection with, or that the patient will be part of, a specific scientific research project and that:

(a)

if the consent is given, the patient's personal data will be processed by healthcare providers authorised to access CPMS respecting the following conditions:

(i)	healthcare professionals and other individuals affiliated to such healthcare providers who are entitled to have access to patients' data may run queries in the CPMS and create reports in order to find patients suitable for scientific research;

(ii)	if the patient's disease or condition is found relevant for a specific scientific research project, the patient may be contacted for this specific scientific research project, in order to obtain the patient's consent to her/his data being used for that scientific research project;

(b)	if the consent is not given, it will by no means affect either the patient's care by the respective healthcare provider, or the fact that the Network will provide advice on diagnoses and treatment, at the request of the patient.

The consent form shall explain the rights of the patient as regards her/his respective consent(s) to share personal data and in particular provide the information that the patient:

(a)	has the right to give or withhold any of the consents and this will not affect her/his care;

(b)	can withdraw the consent given previously at any time;

(c)	has the right to know which data are shared in a Network and to access data held about them and request corrections of any errors;

(d)	can request the blocking or erasure of her/his personal data and has the right to data portability.

The consent form shall inform the patient that the healthcare provider will keep the personal data only for as long as necessary for the purposes to which the patient consented, with a review of the necessity of storing specific patient's personal data in the CPMS at least every 15 years.

The consent form shall inform the patient about the identity and the contact details of the controllers, clearly specifying that the contact point to exercise the patient's rights is the particular healthcare provider authorised to access CPMS, about the contact details of the data protection officers, and where applicable, about available remedies related to data protection, and provide the contact details of the National Data Protection Authority.

The consent form shall record separately the individual consent for each of the three different forms of data sharing in a specific, explicit and unambiguous way:

(a)	the consent must be shown through a clear affirmative action, for example by the use of a ticking box and a signature on the form;

(b)	both options (to provide or to refuse the consent) shall be included.

’

Top