COMMISSION DECISION

of 12 December 2007

concerning the implementation of the Internal Market Information System (IMI) as regards the protection of personal data

(notified under document number C(2007) 6306)

(Text with EEA relevance)

(2008/49/EC)

THE COMMISSION OF THE EUROPEAN COMMUNITIES,

Having regard to the Treaty establishing the European Community,

Having regard to Decision 2004/387/EC of the European Parliament and of the Council of 21 April 2004 on the interoperable delivery of pan-European eGovernment services to public administrations, businesses and citizens (IDABC) (1), and in particular Article 4 thereof,

Whereas:

HAS ADOPTED THIS DECISION:

CHAPTER 1

GENERAL PROVISIONS

Article 1

Subject matter

This Decision lays down the functions, rights and obligations of the IMI actors and IMI users referred to in Article 6 in relation to data protection requirements with regard to the operation of the Internal Market Information System, hereinafter ‘IMI’.

Article 2

Data quality

The competent authorities of the Member States shall exchange and further process personal data only for the purposes defined in the relevant Community acts as set out in the Annex, on the basis of which the information is exchanged, hereinafter ‘the relevant Community acts’.

Requests for information from the competent authorities of one Member State to another and the replies thereto shall be based on the multilingual questions and the data fields defined for the purposes of IMI and drawn up by the Commission in cooperation with the Member States.

Article 3

Controllers

The responsibilities of the controller under Article 2(d) of Directive 95/46/EC and Article 2(d) of Regulation (EC) No 45/2001 shall be jointly exercised by the IMI actors pursuant to Article 6 in accordance with their respective responsibilities within IMI.

The controllers shall ensure that the data subject may effectively exercise its rights to information, to access, to rectify and to object according to the applicable data protection legislation. The IMI actors shall provide privacy statements in an appropriate form.

Article 4

Retention of personal data of data subjects of the information exchanges

All personal data relating to the data subjects of information exchanges, which are exchanged between competent authorities and processed in IMI, shall be erased six months after the formal closure of an information exchange, unless erasure before that period is expressly requested by a competent authority to the Commission.

Where such a request is made, the Commission shall act upon it within 10 working days subject to the agreement of the other competent authority involved.

Article 5

Retention of personal data of IMI users

Personal data relating to IMI users, as referred to in Article 6, shall be stored in IMI as long as they continue to be users of IMI and shall be erased by the competent authority when they are no longer users.

The personal data referred to in the first paragraph shall include the full name, professional e-mail address, professional telephone and fax numbers of the IMI users.

CHAPTER 2

FUNCTIONS AND RESPONSIBILITIES IN RELATION TO IMI

Article 6

IMI actors and users

1.   The following shall be IMI actors:

2.   Only natural persons working under the control of a competent authority or that of a coordinator, hereinafter ‘IMI users’, may use IMI pursuant to Article 9.

Article 7

Competent authorities

The competent authorities shall, for the purposes defined in the relevant Community act on the basis of which information is to be exchanged, ensure the exchange within IMI of the information concerned.

Article 8

IMI coordinators

1.   Each Member State shall appoint one national IMI coordinator to ensure that IMI is implemented at national level.

Each Member State may additionally appoint one or more delegated IMI coordinators according to its internal administrative structure in order to carry out the coordination responsibilities for a particular legislative area, a division of the administration or a geographical region.

2.   The Commission shall register the national IMI coordinators in IMI and shall grant access to IMI to them.

3.   If a Member State appoints a delegated IMI coordinator pursuant to paragraph 1, the national IMI coordinator shall register the delegated IMI coordinator in IMI and shall grant access to IMI to it.

4.   The coordinators shall register or authenticate registration of competent authorities requiring access to IMI and ensure its efficient functioning. They shall grant access to competent authorities to those legislative areas for which they are competent.

5.   All coordinators may act as competent authorities. In such cases a coordinator will exercise the same access rights as a competent authority.

Article 9

IMI user roles

1.   The IMI users may carry out one or more of the following roles: request handlers, allocators, referral handlers and local data administrators.

2.   Each IMI user shall be granted a defined set of access rights associated with their user role as set out in Article 12.

3.   All IMI users may search for a specific competent authority.

4.   IMI users designated as request handlers may participate in information exchanges on behalf of their competent authority.

5.   IMI users designated as allocators in a competent authority may attribute an information request to one or more request handlers within that authority.

IMI users designated as allocators in a coordinator may attribute an information request to one or more referral handlers within that authority.

6.   IMI users in a coordinator may be designated as referral handlers.

They may approve sending requests or responses by a competent authority where such an approval process has been indicated as a requirement by the coordinator and may indicate agreement or disagreement when a requesting competent authority is not satisfied with a response received.

7.   IMI users designated as local data administrators may do any of the following:

Article 10

Commission

1.   The Commission shall ensure the availability and the maintenance of the IT infrastructure on which IMI will be run. It shall provide a multilingual system which functions in all official languages as well as a central help-desk to assist Member States in the use of IMI.

2.   The Commission will make publicly available the sets of questions and data fields referred to in Article 2(2).

3.   The Commission may participate in information exchanges only in specific cases where the relevant Community act provides for information to be exchanged between Member States and the Commission.

4.   In the cases referred to in the third paragraph, the Commission shall exercise the same access rights as a competent authority pursuant to Article 12.

CHAPTER 3

ACCESS RIGHTS TO PERSONAL DATA

Article 11

Data subject

For the purposes of this Chapter, ‘data subject’ shall mean only the data subject of a specific information exchange and shall not include IMI users.

Article 12

Access rights of IMI users

1.   Request handlers of a competent authority shall only have access, in the course of an information exchange, to personal data of:

2.   Allocators of a competent authority shall only have access to personal data of:

They shall not have access to the personal data of the data subjects.

3.   Allocators of a coordinator shall only have access to personal data of:

They shall not have access to the personal data of the data subjects.

4.   Referral handlers shall only have access to the personal data of:

They shall not have access to the personal data of the data subjects.

5.   Local data administrators of a competent authority shall only have access to personal data of all IMI users of the same competent authority.

They shall not have access to the personal data of the data subjects.

6.   Local data administrators of a coordinator shall only have access to personal data of:

They shall not have access to the personal data of the data subjects.

7.   Local data administrators of the Commission shall only have access to personal data of:

Local data administrators of the Commission may erase personal data of the data subjects in conformity with Article 4, but shall not be able to view them.

CHAPTER 4

FINAL PROVISION

Article 13

Addressees

This Decision is addressed to the Member States.

(1)  OJ L 144, 30.4.2004, as corrected by OJ L 181, 18.5.2004, p. 25.

(2)  Set up by Commission Decision 93/72/EEC (OJ L 26, 3.2.1993, p. 18).

(3)  OJ L 376, 27.12.2006, p. 36.

(4)  OJ L 255, 30.9.2005, p. 22. Directive as last amended by Commission Regulation (EC) No 1430/2007 (OJ L 320, 6.12.2007, p. 3).

(5)  Opinion 01911/07/EN, WP 140.

(6)  OJ L 281, 23.11.1995, p. 31. Directive as amended by Regulation (EC) No 1882/2003 (OJ L 284, 31.10.2003, p. 1).

(7)  OJ L 8, 12.1.2001, p. 1.