This document is an excerpt from the EUR-Lex website
Document 32008D0049
2008/49/EC: Commission Decision of 12 December 2007 concerning the implementation of the Internal Market Information System (IMI) as regards the protection of personal data (notified under document number C(2007) 6306) (Text with EEA relevance )
2008/49/EC: Commission Decision of 12 December 2007 concerning the implementation of the Internal Market Information System (IMI) as regards the protection of personal data (notified under document number C(2007) 6306) (Text with EEA relevance )
2008/49/EC: Commission Decision of 12 December 2007 concerning the implementation of the Internal Market Information System (IMI) as regards the protection of personal data (notified under document number C(2007) 6306) (Text with EEA relevance )
OJ L 13, 16.1.2008, p. 18–23
(BG, ES, CS, DA, DE, ET, EL, EN, FR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)
No longer in force, Date of end of validity: 03/12/2012; Repealed by 32012R1024
16.1.2008 |
EN |
Official Journal of the European Union |
L 13/18 |
COMMISSION DECISION
of 12 December 2007
concerning the implementation of the Internal Market Information System (IMI) as regards the protection of personal data
(notified under document number C(2007) 6306)
(Text with EEA relevance)
(2008/49/EC)
THE COMMISSION OF THE EUROPEAN COMMUNITIES,
Having regard to the Treaty establishing the European Community,
Having regard to Decision 2004/387/EC of the European Parliament and of the Council of 21 April 2004 on the interoperable delivery of pan-European eGovernment services to public administrations, businesses and citizens (IDABC) (1), and in particular Article 4 thereof,
Whereas:
(1) |
On 17 March 2006, Member State representatives in the Internal Market Advisory Committee (2) approved the Global Implementation Plan for the Internal Market Information System, hereinafter ‘IMI’, and its development aimed at improving communication among Member State administrations. |
(2) |
In its Decision COM/2006/3606 of 14 August 2006 on the third revision of the IDABC Work Programme 2005-2009 the Commission decided on the financing and setting up of the Internal Market Information System as a project of common interest. |
(3) |
Further financing was provided by Commission Decision COM/2007/3514 of 25 July 2007 on the fourth revision of the IDABC Work Programme. |
(4) |
IMI is intended to support legislative acts in the field of the Internal Market that require the exchange of information between Member States administrations, including Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market (3) and Directive 2005/36/EC of the European Parliament and of the Council of 7 September 2005 on the recognition of professional qualifications (4). |
(5) |
Since the protection of personal data has to be ensured within IMI, it is necessary to complement the Decision setting up IMI in that regard. Since the various tasks and functions of the Commission and the Member States in relation to IMI will entail different responsibilities and obligations as regards data protection rules, it is necessary to define their respective functions, responsibilities and access rights. |
(6) |
The opinion of the Article 29 Working Party on data protection issues related to the Internal Market Information System (IMI) (5) expressly calls for a Commission Decision which determines the rights and obligations of the IMI actors. |
(7) |
The exchange of information by electronic means between Member States should comply with the rules on the protection of personal data in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (6) and Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (7). |
(8) |
For the purpose of ensuring follow-up questions between competent authorities and for the purpose of situations in which a data subject wishes to appeal against a negative administrative decision taken on the basis of an information exchange, all personal data exchanged between competent authorities and processed in IMI should be retained for six months after the formal closure of an information exchange. After the six-month period all personal data should be erased. A six-month retention period is considered appropriate because it corresponds to the duration of administrative procedures as provided for in Community legislation on the basis of which information is exchanged, |
HAS ADOPTED THIS DECISION:
CHAPTER 1
GENERAL PROVISIONS
Article 1
Subject matter
This Decision lays down the functions, rights and obligations of the IMI actors and IMI users referred to in Article 6 in relation to data protection requirements with regard to the operation of the Internal Market Information System, hereinafter ‘IMI’.
Article 2
Data quality
The competent authorities of the Member States shall exchange and further process personal data only for the purposes defined in the relevant Community acts as set out in the Annex, on the basis of which the information is exchanged, hereinafter ‘the relevant Community acts’.
Requests for information from the competent authorities of one Member State to another and the replies thereto shall be based on the multilingual questions and the data fields defined for the purposes of IMI and drawn up by the Commission in cooperation with the Member States.
Article 3
Controllers
The responsibilities of the controller under Article 2(d) of Directive 95/46/EC and Article 2(d) of Regulation (EC) No 45/2001 shall be jointly exercised by the IMI actors pursuant to Article 6 in accordance with their respective responsibilities within IMI.
The controllers shall ensure that the data subject may effectively exercise its rights to information, to access, to rectify and to object according to the applicable data protection legislation. The IMI actors shall provide privacy statements in an appropriate form.
Article 4
Retention of personal data of data subjects of the information exchanges
All personal data relating to the data subjects of information exchanges, which are exchanged between competent authorities and processed in IMI, shall be erased six months after the formal closure of an information exchange, unless erasure before that period is expressly requested by a competent authority to the Commission.
Where such a request is made, the Commission shall act upon it within 10 working days subject to the agreement of the other competent authority involved.
Article 5
Retention of personal data of IMI users
Personal data relating to IMI users, as referred to in Article 6, shall be stored in IMI as long as they continue to be users of IMI and shall be erased by the competent authority when they are no longer users.
The personal data referred to in the first paragraph shall include the full name, professional e-mail address, professional telephone and fax numbers of the IMI users.
CHAPTER 2
FUNCTIONS AND RESPONSIBILITIES IN RELATION TO IMI
Article 6
IMI actors and users
1. The following shall be IMI actors:
(a) |
competent authorities of the Member States pursuant to Article 7; |
(b) |
coordinators pursuant to Article 8; |
(c) |
the Commission. |
2. Only natural persons working under the control of a competent authority or that of a coordinator, hereinafter ‘IMI users’, may use IMI pursuant to Article 9.
Article 7
Competent authorities
The competent authorities shall, for the purposes defined in the relevant Community act on the basis of which information is to be exchanged, ensure the exchange within IMI of the information concerned.
Article 8
IMI coordinators
1. Each Member State shall appoint one national IMI coordinator to ensure that IMI is implemented at national level.
Each Member State may additionally appoint one or more delegated IMI coordinators according to its internal administrative structure in order to carry out the coordination responsibilities for a particular legislative area, a division of the administration or a geographical region.
2. The Commission shall register the national IMI coordinators in IMI and shall grant access to IMI to them.
3. If a Member State appoints a delegated IMI coordinator pursuant to paragraph 1, the national IMI coordinator shall register the delegated IMI coordinator in IMI and shall grant access to IMI to it.
4. The coordinators shall register or authenticate registration of competent authorities requiring access to IMI and ensure its efficient functioning. They shall grant access to competent authorities to those legislative areas for which they are competent.
5. All coordinators may act as competent authorities. In such cases a coordinator will exercise the same access rights as a competent authority.
Article 9
IMI user roles
1. The IMI users may carry out one or more of the following roles: request handlers, allocators, referral handlers and local data administrators.
2. Each IMI user shall be granted a defined set of access rights associated with their user role as set out in Article 12.
3. All IMI users may search for a specific competent authority.
4. IMI users designated as request handlers may participate in information exchanges on behalf of their competent authority.
5. IMI users designated as allocators in a competent authority may attribute an information request to one or more request handlers within that authority.
IMI users designated as allocators in a coordinator may attribute an information request to one or more referral handlers within that authority.
6. IMI users in a coordinator may be designated as referral handlers.
They may approve sending requests or responses by a competent authority where such an approval process has been indicated as a requirement by the coordinator and may indicate agreement or disagreement when a requesting competent authority is not satisfied with a response received.
7. IMI users designated as local data administrators may do any of the following:
(a) |
update personal data about IMI users of their own authority; |
(b) |
register additional users for their own authority; |
(c) |
change user profiles for users of their own authority. |
Article 10
Commission
1. The Commission shall ensure the availability and the maintenance of the IT infrastructure on which IMI will be run. It shall provide a multilingual system which functions in all official languages as well as a central help-desk to assist Member States in the use of IMI.
2. The Commission will make publicly available the sets of questions and data fields referred to in Article 2(2).
3. The Commission may participate in information exchanges only in specific cases where the relevant Community act provides for information to be exchanged between Member States and the Commission.
4. In the cases referred to in the third paragraph, the Commission shall exercise the same access rights as a competent authority pursuant to Article 12.
CHAPTER 3
ACCESS RIGHTS TO PERSONAL DATA
Article 11
Data subject
For the purposes of this Chapter, ‘data subject’ shall mean only the data subject of a specific information exchange and shall not include IMI users.
Article 12
Access rights of IMI users
1. Request handlers of a competent authority shall only have access, in the course of an information exchange, to personal data of:
(a) |
other request handlers of the same competent authority involved in the information exchange concerned; |
(b) |
the request handler of the other competent authority involved in the information exchange concerned; |
(c) |
the referral handlers of the coordinators dealing with the information exchange concerned; |
(d) |
the data subjects of the information exchange concerned. Request handlers of a responding competent authority shall only have access to the personal data of the data subjects once the request has been accepted by their competent authority. |
2. Allocators of a competent authority shall only have access to personal data of:
(a) |
all request handlers of the same competent authority; |
(b) |
the request handler of the other competent authority involved in the information exchange concerned; |
(c) |
the referral handlers of the coordinators dealing with the information exchange concerned. |
They shall not have access to the personal data of the data subjects.
3. Allocators of a coordinator shall only have access to personal data of:
(a) |
all referral handlers of the same coordinator; |
(b) |
the request handlers of competent authorities involved in the information exchange concerned; |
(c) |
the referral handler of the other coordinator dealing with the information exchange concerned. |
They shall not have access to the personal data of the data subjects.
4. Referral handlers shall only have access to the personal data of:
(a) |
referral handlers of the coordinators involved in the information exchange concerned; |
(b) |
the request handlers of competent authorities involved in the information exchange concerned. |
They shall not have access to the personal data of the data subjects.
5. Local data administrators of a competent authority shall only have access to personal data of all IMI users of the same competent authority.
They shall not have access to the personal data of the data subjects.
6. Local data administrators of a coordinator shall only have access to personal data of:
(a) |
all IMI users of the same coordinator; |
(b) |
all local data administrators of the competent authorities and coordinators for which they are the coordinator. |
They shall not have access to the personal data of the data subjects.
7. Local data administrators of the Commission shall only have access to personal data of:
(a) |
all other local data administrators of the Commission; |
(b) |
all local data administrators of the national IMI coordinators. |
Local data administrators of the Commission may erase personal data of the data subjects in conformity with Article 4, but shall not be able to view them.
CHAPTER 4
FINAL PROVISION
Article 13
Addressees
This Decision is addressed to the Member States.
Done at Brussels, 12 December 2007.
For the Commission
Charlie McCREEVY
Member of the Commission
(1) OJ L 144, 30.4.2004, as corrected by OJ L 181, 18.5.2004, p. 25.
(2) Set up by Commission Decision 93/72/EEC (OJ L 26, 3.2.1993, p. 18).
(3) OJ L 376, 27.12.2006, p. 36.
(4) OJ L 255, 30.9.2005, p. 22. Directive as last amended by Commission Regulation (EC) No 1430/2007 (OJ L 320, 6.12.2007, p. 3).
(5) Opinion 01911/07/EN, WP 140.
(6) OJ L 281, 23.11.1995, p. 31. Directive as amended by Regulation (EC) No 1882/2003 (OJ L 284, 31.10.2003, p. 1).
ANNEX
Relevant Community Acts referred to in Article 2
The relevant Community acts referred to in Article 2 paragraph 1 are:
1. |
Directive 2005/36/EC of the European Parliament and of the Council of 7 September 2005 on the recognition of professional qualifications (1); |
2. |
Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market (2). |
(1) OJ L 255, 30.9.2005, p. 22. Directive as amended by Council Directive 2006/100/EC (OJ L 363, 20.12.2006, p. 141).