EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Document 32009D0917

Information technology for customs purposes

Information technology for customs purposes



Decision 2009/917/JHA on the use of information technology for customs purposes


  • It replaces and updates the 1995 customs information system convention (CIS convention) and brings it into line with Regulation (EC) No 766/2008 which amends Regulation (EC) No 515/97 (see summary) on cooperation between EU countries and the European Commission to ensure the law on customs and agriculture is correctly applied.
  • The CIS aims to assist in preventing, investigating and prosecuting serious contraventions of national laws by making information available more rapidly, increasing the effectiveness of EU countries’ customs cooperation and control procedures.


The CIS consists of a central database, accessible from every EU country. It comprises exclusively data necessary to achieve its aim, including personal data, in the following areas:

  • commodities (products that can be bought or sold);
  • means of transport;
  • businesses;
  • persons;
  • fraud trends;
  • availability of expertise;
  • items detained, seized or confiscated;
  • cash detained, seized or confiscated.

Data protection

  • Directive (EU) 2016/680 applies to data protection unless otherwise provided for in this decision.
  • The CIS contains the data (including that of a personal character) necessary to achieve the system’s objective through activities such as sighting and reporting, discreet surveillance, specific checks and strategic and operational analysis.
  • This decision respects the fundamental rights and adheres to the principles recognised in particular by the Charter of Fundamental Rights of the European Union. It does not prevent EU countries from applying their constitutional rules relating to public access to official documents.
  • Only the EU countries supplying the information to the CIS database have the right to amend, add or erase that data.
  • Data will be kept only for the time necessary to achieve the purpose for which it was entered. The need for retention is reviewed at least annually by the supplying country.

Customs files identification database

  • A special database known as the customs files identification database was set up, allowing national authorities to know whether persons or businesses they are investigating are also being investigated or have been investigated in other EU countries. For the purpose of this database EU countries share among themselves, as well as with Europol and Eurojust, a list of serious contraventions of national laws: those punishable least a 12-month custodial sentence or a fine of at least €15,000.
  • An EU country is not obliged to share information with this special database where this would harm public policy or other essential interests.
  • Data is retained for 3 years if it has not been established that an infringement has taken place, with data erased 12 months after the most recent investigative act. This is extended to 6 years where there is an infringement that has not led to a conviction or 10 years where there has been a conviction.

Supervision and administration

  • Each EU country designates a national supervisory authority or authorities responsible for personal data protection to carry out independent supervision of data covered by the decision. A joint supervisory authority was also set up, consisting of 2 representatives from each EU country’s respective national supervisory authority.
  • The European Data Protection Supervisor oversees the activities of the Commission regarding the CIS.
  • A committee consisting of representatives from the customs administrations of the EU countries, with the involvement of the Commission, is responsible for the implementation and correct application of this decision (based on unanimity) and the proper technical and operational functioning of the CIS (decisions by two-thirds majority).


It has applied since 27 May 2011.


For more information, see:


Council Decision 2009/917/JHA of 30 November 2009 on the use of information technology for customs purposes (OJ L 323, 10.12.2009, pp. 20-30)


Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, pp. 89-131)

Successive amendments to Directive (EU) 2016/680 have been incorporated into the original text. This consolidated version is of documentary value only.

Council Regulation (EC) No 515/97 of 13 March 1997 on mutual assistance between the administrative authorities of the Member States and cooperation between the latter and the Commission to ensure the correct application of the law on customs or agricultural matters (OJ L 82, 22.3.1997, pp. 1-16)

See consolidated version.

last update 08.11.2019