THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Council Directive 2000/29/EC of 8 May 2000 on protective measures against the introduction into the community of organisms harmful to plants or plant products and against their spread within the Community(1), and in particular Article 13(1) thereof,

Having regard to Regulation (EC) No 178/2002 of the European Parliament and of the Council of 28 January 2002 laying down the general principles and requirements of food law, establishing the European Food Safety Authority and laying down procedures in matters of food safety(2), and in particular Article 51 thereof,

Having regard to Regulation (EU) 2016/429 of the European Parliament of the Council of 9 March 2016 on transmissible animal diseases and amending and repealing certain acts in the area of animal health(3) (‘Animal Health Law’), and in particular point (c) of the first paragraph of Article 23 thereof,

Having regard to Regulation (EU) 2016/2031 of the European Parliament of the Council of 26 October 2016 on protective measures against pests of plants, amending Regulations (EU) No 228/2013, (EU) No 652/2014 and (EU) No 1143/2014 of the European Parliament and of the Council and repealing Council Directives 69/464/EEC, 74/647/EEC, 93/85/EEC, 98/57/EC, 2000/29/EC, 2006/91/EC and 2007/33/EC(4), and in particular points (a), (b) and (c) of the first paragraph of Article 104 thereof,

Having regard to Regulation (EU) 2017/625 of the European Parliament and of the Council of 15 March 2017 on official controls and other official activities performed to ensure the application of food and feed law, rules on animal health and welfare, plant health and plant protection products, amending Regulations (EC) No 999/2001, (EC) No 396/2005, (EC) No 1069/2009, (EC) No 1107/2009, (EU) No 1151/2012, (EU) No 652/2014, (EU) 2016/429 and (EU) 2016/2031 of the European Parliament and of the Council, Council Regulations (EC) No 1/2005 and (EC) No 1099/2009 and Council Directives 98/58/EC, 1999/74/EC, 2007/43/EC, 2008/119/EC and 2008/120/EC, and repealing Regulations (EC) No 854/2004 and (EC) No 882/2004 of the European Parliament and of the Council, Council Directives 89/608/EEC, 89/662/EEC, 90/425/EEC, 91/496/EEC, 96/23/EC, 96/93/EC and 97/78/EC and Council Decision 92/438/EEC(5) (‘Official Controls Regulation’), in particular point (a) of the first paragraph of Article 58, points (a), (b) and (c) of the first subparagraph of Article 75(2), point (f) of the first paragraph of Article 90, points (a) and (b) of the first subparagraph of Article 102(6), Article 103(6) and points (a) to (g) of the first paragraph of Article 134 thereof,

Whereas:

(1) Regulation (EU) 2017/625 establishes, inter alia, rules for the Member States’ performance of official controls and other official activities on animals and goods entering the Union in order to ensure the correct application of the Union agri-food chain legislation.

(2) It requires the Commission, in collaboration with Member States, to set up and manage a computerised information management system for official controls (IMSOC) to manage, handle and automatically exchange data, information and documents in relation to official controls. The IMSOC should integrate and upgrade as necessary certain information systems managed by the Commission and act as an interoperability schema connecting them and, in certain cases, also existing national systems of the Member States and information systems of third countries and international organisations (‘other systems’).

(3) The information systems managed by the Commission and to be integrated in IMSOC include the Rapid alert system for food and feed (RASFF) for notifying direct or indirect risk to human health deriving from food, food contact material or feed, as established by Regulation (EC) No 178/2002 and broadened by Regulation (EC) No 183/2005 of the European Parliament and of the Council(6), the system for notifying and reporting information on animal diseases (ADIS), to be established pursuant to Regulation (EU) 2016/429, the system for notifying and reporting the presence of pests in plants and plant products (EUROPHYT), to be established pursuant to Regulation (EU) 2016/2031, the technical tools for administrative assistance and cooperation (AAC) and the TRACES system referred to in Regulation (EU) 2017/625.

(4) The information systems managed by the Commission were established at different times and have since been modified on legal and operational grounds. Therefore, in order to upgrade and integrate them as required by Regulation (EU) 2017/625, it is appropriate to gather in the same act all provisions relating to the functioning of the IMSOC and its system components, and establish rules for the exchange of data, information and documents with other systems on the basis of the powers conferred on the Commission by Regulations (EC) No 178/2002, (EU) 2016/429, (EU) 2016/2031 and (EU) 2017/625 and repeal the existing implementing acts.

(5) Regulation (EU) 2017/625 provides that the Member States and the Commission should process personal data through the IMSOC and any of its components only for the purposes of official controls and other official activities performed for the verification of compliance with relevant Union rules in the areas referred to in Article 1(2) of that Regulation, including the operators’ past records as regards compliance with those rules.

(6) Official controls and other official activities are to be carried out on operators for the whole duration of their activities and in certain cases such as animal welfare checks or official controls on products with long shelf life, e.g. canned food or food contact materials, on the same animals and goods at different points in time. Therefore, in order to be able to properly track operators’ past records, it is appropriate to establish a maximum storage period of personal data of 10 years, which should allow traceability in case of foodborne outbreaks, animal diseases outbreaks, animal welfare checks and plant pest outbreaks.

(7) In order to implement measures that adhere to the ‘data protection by design’ principle laid down in Regulation (EU) 2016/679 of the European Parliament and of the Council(7) and Regulation (EU) 2018/1725 of the European Parliament and of the Council(8), the IMSOC components should be given a limited capacity to insert unstructured information. This capacity should be used only where such information is necessary and cannot be provided efficiently in a structured manner. Moreover, even in the absence of explicit references to them, personal data protection principles are embedded in each provision of this Regulation, in particular as regards the identification of data controllers, storage periods of personal data, access to personal data, transmission and transfer of personal data and data security.

(8) A multi-level governance of the IMSOC by the Commission, in collaboration with the Member States, is necessary to ensure that the development of general solutions applicable to the IMSOC are steered uniformly and that system components are developed and used in a coherent way, so as to limit administrative burden and the establishing of different procedures where this is not strictly necessary.

(9) To this end, it is appropriate to establish a network of members, including the Commission and, where appropriate, EU agencies, for each IMSOC system component, and for the Commission to establish governance structures to gather ongoing feedback from Member States on planned changes and new features to steer the development of the IMSOC and its components.

(10) Although each IMSOC component has its own specificities, this Regulation should establish general principles which all components need to comply with, regarding ownership and responsibility for data, information and documents and exchanges with other systems. It should also establish the Commission’s obligations and rights as regards the IMSOC and personal data protection provisions in Regulation (EU) 2016/679, Directive (EU) 2016/680 of the European Parliament and of the Council(9) and Regulation (EU) 2018/1725.

(11) As Regulation (EU) 2017/625 provides that the IMSOC is to integrate the RASFF, this Regulation should lay down implementing measures for the efficient operation of the RASFF within the IMSOC on the basis of the conditions and procedures applicable to the transmission of notifications, as currently established by Commission Regulation (EU) No 16/2011(10), including the definition of the different types of notification classified according to risks.

(12) Since the provisions on administrative assistance and cooperation of Title IV of Regulation (EC) No 882/2004 of the European Parliament and of the Council(11) and the implementing measures in Commission Implementing Decision (EU) 2015/1918(12) establishing the Administrative Assistance and Cooperation System (the AAC system) are now included in Title IV of Regulation (EU) 2017/625, this Regulation should lay down operational rules and a standard format for the exchange of information on instances of cross-border non-compliance within the IMSOC in accordance with the power conferred on the Commission by Regulation (EU) 2017/625.

(13) Given the complex nature of certain cases of non-compliance where risks may not be immediately identified and in order to ensure swift and appropriate coordination between different competent authorities through the correct procedure, this Regulation should include rules for the clear distinction between non-compliances generating risks and other non-compliances, in order to streamline and facilitate the choice between the RASFF or AAC procedure accordingly.

(14) Moreover, this Regulation should also harmonise, as far as possible, the type of information exchanged through the RASFF or AAC procedures to allow a swift change of procedure in case factual evidence demonstrates the presence or absence of a risk.

(15) At the Ministerial Conference on 26 September 2017(13), following an incident of fipronil contamination, the Commission and the Member States agreed on concrete measures and coordinated action to step up the fight against food fraud. They identified bridging the gap between the RASFF and the AAC system by means of a combined platform as one measure to ensure that information is exchanged as efficiently as possible. To this end, this Regulation should establish a common computerised tool (iRASFF) to be integrated in the IMSOC that brings together the RASFF and the AAC system, for the exchange of information required by Regulation (EC) No 178/2002 and Regulation (EU) 2017/625.

(16) To ensure the correct and efficient functioning of iRASFF, the Member States’ contact points of the RASFF and AAC networks should be represented in an entity called single contact point. The latter should consist of persons managing both networks, whether or not physically located in the same administrative unit, relay information to the appropriate competent authority within the country and routinely be the first contact point for the Commission.

(17) Moreover, considering the occurrence of criminal activities along the food and feed chain and the concurring relevance of those activities for competent authorities and police or judicial bodies, the European Union Agency for Law Enforcement Cooperation (Europol) should take part in the food fraud network, and where relevant, inform the European Union’s Judicial Cooperation Unit (Eurojust).

(18) This Regulation should also establish common rules for the contact points of iRASFF and for the Commission’s coordinating role in verifying notifications and helping to identify recurrent hazards and operators reported in them.

(19) Moreover, as Regulation (EC) No 178/2002 requires public authorities to inform the public of risks to human health, inter alia, and third countries of certain notifications, this Regulation should lay down rules to inform the public and third countries, balancing the need to inform with that not to harm business operators.

(20) Regulation (EU) 2016/429 lays down rules on animal diseases that are transmissible to animals or humans, including requirements for disease notification and reporting. It requires the Commission to set up and manage a computerised information system for the operation of the mechanisms and tools for those requirements (ADIS) that should be integrated into the IMSOC.

(21) As Regulation (EU) 2016/429 becomes applicable as of 21 April 2021, this Regulation should lay down deferred rules for the establishment of the network for the functioning of ADIS.

(22) Regulation (EU) 2016/2031 lays down measures to prevent the entry or spread of plant pests in EU territory, including notification requirements for pest presence and phytosanitary measures taken. It requires the Commission to establish an electronic system through which the Member States are to submit notifications and which should be connected to, and compatible with, the IMSOC.

(23) For that purpose, that Regulation empowers the Commission to lay down specific rules on notifications, in particular on the items to be included, a form and how to fill it in and deadlines for the submission of particular items.

(24) The EUROPHYT-Interceptions web-based notification system(14) is a system developed by the Commission with the Member States, for notifying interception of consignments of plants and plant products from other Member States or third countries that may present an imminent danger of introducing or spreading pests. The procedure and standard form to be used for notifying interception of such consignments from a third country are laid down in Commission Directive 94/3/EC(15).

(25) A parallel web-based notification system, EUROPHYT-Outbreaks, was developed with a view to helping Member States to notify official confirmation of the presence of pests on their territory, and measures taken to eradicate or prevent the spread of the pest, whether or not regulated at EU level as harmful. Commission Implementing Decision 2014/917/EU(16) sets out the information to be included in such notifications and the deadline for submitting them. It also requires the notifying Member State to provide updates as soon as possible if it receives new relevant information or takes new relevant measures.

(26) To allow the Member States to notify interceptions and outbreaks as required by Regulation (EU) 2016/2031, this Regulation should lay down rules on notifying interceptions and outbreaks following procedures similar to those used for interceptions under Directive 94/3/EC and outbreaks under Implementing Decision 2014/917/EU.

(27) Because the notifications submitted to EUROPHYT-Interceptions are similar to the data and information on imports of and intra-Union trade in animals and products of animal origin submitted to the TRACES system, the functionalities of EUROPHYT-Interception for commodities intercepted at the border and within the Union should be provided within TRACES rather than within EUROPHYT.

(28) Regulation (EU) 2017/625 also provides that the IMSOC should allow the production, handling and transmission of common health entry documents (CHEDs) and official certificates, and empowers the Commission to lay down rules on the format of the CHEDs, instruction for their presentation and use, and rules for the issuance of electronic certificates and for the use of electronic signatures.

(29) To establish an adequate level of security of electronic means of identification and electronic certification, digitalise and harmonise the certification process, the issuance of electronic official certificates and CHEDs should meet the standards for electronic signatures, electronic seals and electronic timestamps in their different levels of identity assurance set by Regulation (EU) No 910/2014 of the European Parliament and of the Council(17) and Commission Implementing Decision (EU) 2015/1506(18) adopted pursuant to that Regulation, and use, as a basis, the existing provisions on electronic phytosanitary certification in Commission Implementing Decision (EU) 2018/1553(19).

(30) However, as Regulation (EU) 2016/2031 provides that electronic phytosanitary certificates for the introduction into the Union territory of plants, plant products and other objects are to be accepted only where they are provided through, or in electronic exchange with the IMSOC, this Regulation should establish rules for the issuance of such certificates in line with those provisions.

(31) Moreover, to maintain continuity with the current operational practice, the entries of the common veterinary entry document (CVED) for products established by Commission Regulation (EC) No 136/2004(20), the CVED for animals established by Commission Regulation (EC) No 282/2004(21) and the common entry document established by Commission Regulation (EC) No 669/2009(22) should serve as a basis to establish in this Regulation the entries for the CHEDs for the respective categories of animals and goods.

(32) For consignments of plants, plant products and other objects introduced from third countries for which a phytosanitary certificate is required, this Regulation should also lay down a template for a CHED with entries that are relevant for plants, plant products and other objects, as referred to in Article 47(1)(c) to (f) of Regulation (EU) 2017/625 and Commission Implementing Regulation (EU) 2019/66(23). Moreover, those entries should be aligned with the items to be included in the EUROPHYT-Interceptions notifications.

(33) As the CHEDs should be used by operators to give prior notification of arrival of consignment to competent authorities and by those authorities to record the outcome of official controls and the decision on the consignment, the CHEDs should be divided in three parts: one to be filled in by the person responsible for the consignment; one by the competent authority taking a decision on the consignment and one to be filled in by the competent authority performing follow-up actions on the consignment. This Regulation should set out instructions for completing each part of the CHED, including language requirements.

(34) Decision No 70/2008/EC of the European Parliament and of the Council(24) requires the Commission and the Member States to set up secure, integrated, interoperable and accessible electronic customs systems to provide single window services for the seamless flow of data between economic operators and customs authorities, between customs authorities and the Commission, and between customs authorities and other administrations or agencies. Since these objectives are similar to those of Regulation (EU) 2017/625, this Regulation should provide for similar cooperation arrangements between authorities dealing with animals and goods entering the Union and operating in TRACES.

(35) In order to ensure the consistent collection of information and avoid the pollution of Member States and Commission databases, data exchanges between TRACES and the national systems of the Member States should use reference data provided by the Commission in TRACES.

(36) To this end, Member States should provide the Commission with information necessary for the functioning of TRACES such as the lists of border control posts and control points designated in accordance with Regulation (EU) 2017/625, the lists of control units designated for the purpose of TRACES, the lists of food business establishments approved in accordance with Regulation (EC) No 852/2004 of the European Parliament and of the Council(25) and the lists of establishments, plants and operators handling animal by-products or derived products, approved or registered in accordance with Regulation (EC) No 1069/2009 of the European Parliament and of the Council(26).

(37) The provisions of Directive 94/3/EC, Regulation (EU) No 16/2011, and Implementing Decisions 2014/917/EU, (EU) 2015/1918 and (EU) 2018/1553 have been reviewed and are now incorporated in this Regulation. For the sake of clarity and consistency those acts should be repealed with effect from the date of application of Regulation (EU) 2017/625.

(38) Commission Decisions 92/486/EEC(27), 2003/24/EC(28), 2003/623/EC(29), 2004/292/EC(30), 2004/675/EC(31) and 2005/123/EC(32), adopted in relation to the TRACES system pursuant to Council Directive 90/425/EEC(33) and Council Decision 92/438/EEC(34), have become obsolete. For the sake of clarity and consistency, those Decisions should also be repealed with effect from the date of application of Regulation (EU) 2017/625.

(39) This Regulation has been discussed with the European Food Safety Authority and the European Data Protection Supervisor.

(40) The measures provided for in this Regulation are in accordance with the opinion of the Standing Committee on Plants, Animals, Food and Feed,

HAS ADOPTED THIS REGULATION: