Commission Implementing Regulation (EU) 2019/1715Show full title

CHAPTER 2 General principles and data protection

Article 3IMSOC components

1.The IMSOC shall be composed of the following components:

(a)iRASFF;

(b)ADIS;

(c)EUROPHYT;

(d)TRACES.

2.The components referred to in paragraph 1 shall operate in compliance with the general principles and data protection rules laid down in this Chapter.

Article 4Components, networks and contact points

1.Each component shall have a network of which the Commission shall be part.

2.Network members shall each designate at least one contact point and communicate that designation and its contact details to the Commission contact point. They shall inform the Commission contact point immediately of any changes in this respect.

3.The Commission contact point shall maintain and keep up to date a list of contact points and make it available to all network members.

4.The Commission shall establish a governance structure to steer the development of, identify priorities for and monitor the correct implementation of the IMSOC. The governance structure shall be composed of:

(a)an operations management board, in collaboration with the Member States, to discuss, at least once a year, priorities for and the development of each component;

(b)sub-groups within the operations management board that regularly discuss priorities for and the development of specific functionalities of each component.

Article 5Ownership and responsibilities for data, information and documents

1.Each network member shall own and be responsible for the data, information and documents its contact point or users acting under its responsibility have inserted or produced in the relevant component.

2.Each signatory, competent authority to which a signatory belongs or competent authority creating an electronic seal shall own and be responsible for the part of the documents it signs or seals in TRACES.

3.Where more than one signatory signs a document in TRACES, each signatory shall own and be responsible for the part of the document that it signs.

Article 6Links between components

1.Links between components shall be aimed at:

(a)complementing data, information or documents in one or more components by data, information or documents already present in another component; and

(b)providing relevant and up-to-date information to each network member for the performance of its tasks in accordance with the rules set for each component in this Regulation; and

(c)supporting and operating the procedures for

2.The links referred to in paragraph 1 shall consist in links between:

(a)iRASFF and TRACES, allowing the exchange of data concerning border rejection notifications and common health entry documents;

(b)EUROPHYT and TRACES, allowing the exchange of data concerning EUROPHYT outbreak and interception notifications;

(c)iRASFF, EUROPHYT and TRACES, allowing the exchange of data concerning operators’ past records as regards compliance with the rules referred to in Article 1(2) of Regulation (EU) 2017/625.

Article 7Electronic data exchange between components and other electronic systems

1.Data exchanges between the IMSOC and other electronic systems, including the Member States’ national systems, shall:

(a)be based on international standards that are relevant for the component and use XML, CMS or PDF formats;

(b)use the specific data dictionaries and business rules provided for in the relevant component.

2.The Commission shall provide the Member States with:

(a)the frequency of identity checks and physical checks referred to in point (c)(i) of Article 6(1);

(b)the frequency rates and the outcome of the coordinated performance by competent authorities of the intensified official controls referred to in point (c)(iii) of Article 6(1);

(c)the data dictionaries and business rules referred to in point (b) of paragraph 1.

3.In collaboration with the Member States, the Commission shall draw-up a service-level agreement governing the maintenance of the electronic data exchange between the relevant component and other electronic systems, including the Member States’ national systems.

Article 8Obligations and rights of the Commission

1.The Commission shall ensure the functioning, maintenance, support and any necessary updating or development of the software and the IT infrastructure of the components.

2.The Commission shall have access to all data, information and documents in each component in order to monitor the exchange of data, information and documents inserted or produced therein for identifying activities that are, or appear to be, not in compliance with the rules referred to in Article 1(2) of Regulation (EU) 2017/625, and:

(a)either have, or might have, ramifications in more than one Member State; or

(b)are, or appear to be, taking place in more than one Member State.

Article 9Conditions for the granting of partial access to the IMSOC to third countries and international organisations

1.On receipt of a duly justified application, the Commission, in collaboration with the Member States, may grant the competent authority of a third country or an international organisation partial access to the functionalities of one or more components and to specific data, information and documents inserted or produced therein, provided the applicant demonstrates, in respect of the component(s) in question, that it meets the following requirements:

(a)it has the legal and operational capacity to provide, without undue delay, the assistance necessary to allow the good functioning of the component to which partial access is requested;

(b)it has designated a contact point for that purpose;

2.The partial access referred to in paragraph 1 shall not include access to personal data processed in the component(s) to which the partial access is granted.

3.By way of derogation from paragraph 2, partial access may include access to personal data where the conditions for lawful transfers of personal data established by Regulations (EU) 2016/679 and (EU) 2018/1725 are fulfilled by the applicant third country or international organisation.

Article 10Personal data processing

1.Personal data shall be processed in each component for the purpose of performing official controls and other official activities. In particular, personal data shall belong to one of the following categories:

(a)contact points, operators, importers, exporters, transporters and laboratory technicians when personal data is required by Union law;

(b)users of each component.

2.In processing personal data pursuant to this Regulation, Member States shall comply with Regulation (EU) 2016/679 and Directive (EU) 2016/680 and the Commission with Regulation (EU) 2018/1725.

Article 11Data controllers and joint controllership

1.The Commission and the competent authorities of the Member States shall be joint controllers of data processing operations in each of the components.

2.The Commission shall be responsible for:

(a)determining and implementing the technical means to enable data subjects to exercise their rights, and ensuring that those rights are exercised in compliance with Regulation (EU) 2018/1725;

(b)ensuring the security of processing within each component pursuant to Article 33 of Regulation (EU) 2018/1725;

(c)determining the categories of its staff and external providers to whom access to the components may be granted;

(d)notifying and communicating any personal data breach of the components to the European Data Protection Supervisor pursuant to Article 34 of Regulation (EU) 2018/1725 and to the data subject pursuant to Article 35 of that Regulation respectively;

(e)ensuring that its staff and external providers are adequately trained to perform their tasks in accordance with Regulation (EU) 2018/1725.

3.The competent authorities of the Member States shall be responsible for:

(a)ensuring that data subject’s rights are exercised in compliance with Regulation (EU) 2016/679 and this Regulation;

(b)ensuring the security and confidentiality of personal data pursuant to Section 2 of Chapter IV of Regulation (EU) 2016/679;

(c)designating the staff that are to have access to each component;

(d)ensuring that staff accessing each component are adequately trained to perform their tasks in accordance with Regulation (EU) 2016/679 and, where relevant, Directive (EU) 2016/680.

4.The competent authorities of the Member States may designate different joint controllers within the same Member State for the purpose of fulfilling one or more of the obligations referred to in paragraph 3.