Regulation (EU) No 1024/2012 of the European Parliament and of the Council of 25 October 2012 on administrative cooperation through the Internal Market Information System and repealing Commission Decision 2008/49/EC (‘the IMI Regulation’) (Text with EEA relevance)
1024/2012 • 32012R1024
14.11.2012
EN
Official Journal of the European Union
L 316/1
REGULATION (EU) No 1024/2012 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 25 October 2012
on administrative cooperation through the Internal Market Information System and repealing Commission Decision 2008/49/EC (‘the IMI Regulation’)
(Text with EEA relevance)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Economic and Social Committee (1),
Acting in accordance with the ordinary legislative procedure (2),
Whereas:
(1)
The application of certain Union acts governing the free movement of goods, persons, services and capital in the internal market requires Member States to cooperate more effectively and exchange information with one another and with the Commission. As practical means to implement such information exchange are often not specified in those acts, appropriate practical arrangements need to be made.
(2)
The Internal Market Information System (‘IMI’) is a software application accessible via the internet, developed by the Commission in cooperation with the Member States, in order to assist Member States with the practical implementation of information exchange requirements laid down in Union acts by providing a centralised communication mechanism to facilitate cross-border exchange of information and mutual assistance. In particular, IMI helps competent authorities to identify their counterpart in another Member State, to manage the exchange of information, including personal data, on the basis of simple and unified procedures and to overcome language barriers on the basis of pre-defined and pre-translated workflows. Where available, the Commission should provide IMI users with any existing additional translation functionality that meets their needs, is compatible with the security and confidentiality requirements for the exchange of information in IMI and can be offered at a reasonable cost.
(3)
In order to overcome language barriers, IMI should in principle be available in all official Union languages.
(4)
The purpose of IMI should be to improve the functioning of the internal market by providing an effective, user-friendly tool for the implementation of administrative cooperation between Member States and between Member States and the Commission, thus facilitating the application of Union acts listed in the Annex to this Regulation.
(5)
The Commission Communication of 21 February 2011 entitled ‘Better governance of the Single Market through greater administrative cooperation: A strategy for expanding and developing the Internal Market Information System (“IMI”)’ sets out plans for the possible expansion of IMI to other Union acts. The Commission Communication of 13 April 2011 entitled ‘Single Market Act: Twelve Levers to boost growth and strengthen confidence — “Working together to create new growth”’ stresses the importance of IMI for strengthening cooperation among the actors involved, including at local level, thus contributing to better governance of the single market. It is therefore necessary to establish a sound legal framework for IMI and a set of common rules to ensure that IMI functions efficiently.
(6)
Where the application of a provision of a Union act requires Member States to exchange personal data and provides for the purpose of this processing, such a provision should be considered an adequate legal basis for the processing of personal data, subject to the conditions set out in Articles 8 and 52 of the Charter of Fundamental Rights of the European Union. IMI should be seen primarily as a tool used for the exchange of information, including personal data, which would otherwise take place via other means, including regular mail, fax or electronic mail on the basis of a legal obligation imposed on Member States’ authorities and bodies in Union acts. Personal data exchanged via IMI should only be collected, processed and used for purposes in line with those for which it was originally collected and should be subject to all relevant safeguards.
(7)
Following the privacy-by-design principle, IMI has been developed with the requirements of data protection legislation in mind and has been data protection-friendly from its inception, in particular because of the restrictions imposed on access to personal data exchanged in IMI. Therefore, IMI offers a considerably higher level of protection and security than other methods of information exchange such as regular mail, telephone, fax or electronic mail.
(8)
Administrative cooperation by electronic means between Member States and between Member States and the Commission should comply with the rules on the protection of personal data laid down in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (3) and in Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (4). The definitions used in Directive 95/46/EC and Regulation (EC) No 45/2001 should also apply for the purposes of this Regulation.
(9)
The Commission supplies and manages the software and IT infrastructure for IMI, ensures the security of IMI, manages the network of national IMI coordinators and is involved in the training of and technical assistance to the IMI users. To that end, the Commission should only have access to such personal data that are strictly necessary to carry out its tasks within the responsibilities set out in this Regulation, such as the registration of national IMI coordinators. The Commission should also have access to personal data when retrieving, upon a request by another IMI actor, such data that have been blocked in IMI and to which the data subject has requested access. The Commission should not have access to personal data exchanged as part of administrative cooperation within IMI, unless a Union act provides for a role for the Commission in such cooperation.
(10)
In order to ensure transparency, in particular for data subjects, the provisions of Union acts for which IMI is to be used should be listed in the Annex to this Regulation.
(11)
IMI may be expanded in the future to new areas, where it can help to ensure effective implementation of a Union act in a cost-efficient, user-friendly way, taking account of technical feasibility and overall impact on IMI. The Commission should conduct the necessary tests to verify the technical readiness of IMI for any envisaged expansion. Decisions to expand IMI to further Union acts should be taken by means of the ordinary legislative procedure.
(12)
Pilot projects are a useful tool for testing whether the expansion of IMI is justified and for adapting technical functionality and procedural arrangements to the requirements of IMI users before a decision on the expansion of IMI is taken. Member States should be fully involved in deciding which Union acts should be subject to a pilot project and on the modalities of that pilot project, in order to ensure that the pilot project reflects the needs of IMI users and that the provisions on processing of personal data are fully complied with. Such modalities should be defined separately for each pilot project.
(13)
Nothing in this Regulation should preclude Member States and the Commission from deciding to use IMI for the exchange of information which does not involve the processing of personal data.
(14)
This Regulation should set out the rules for using IMI for the purposes of administrative cooperation, which may cover, inter alia, the one-to-one exchange of information, notification procedures, alert mechanisms, mutual assistance arrangements and problem-solving.
(15)
The right of the Member States to decide which national authorities carry out the obligations resulting from this Regulation should remain unaffected by this Regulation. Member States should be able to adapt functions and responsibilities in relation to IMI to their internal administrative structures, as well as to implement the needs of a specific IMI workflow. Member States should be able to appoint additional IMI coordinators to carry out the tasks of national IMI coordinators, alone or jointly with others, for a particular area of the internal market, a division of the administration, a geographic region, or according to another criterion. Member States should inform the Commission of the IMI coordinators they have appointed, but they should not be obliged to indicate additional IMI coordinators in IMI, where this is not required for its proper functioning.
(16)
In order to achieve efficient administrative cooperation through IMI, Member States and the Commission should ensure that their IMI actors have the necessary resources to carry out their obligations in accordance with this Regulation.
(17)
While IMI is in essence a communication tool for administrative cooperation between competent authorities, which is not open to the general public, technical means may need to be developed to allow external actors such as citizens, enterprises and organisations to interact with the competent authorities in order to supply information or retrieve data, or to exercise their rights as data subjects. Such technical means should include appropriate safeguards for data protection. In order to ensure a high level of security, any such public interface should be developed in such a way as to be technically fully separate from IMI, to which only IMI users should have access.
(18)
The use of IMI for the technical support of the SOLVIT network should be without prejudice to the informal character of the SOLVIT procedure which is based on a voluntary commitment of the Member States, in accordance with the Commission Recommendation of 7 December 2001 on principles for using ‘SOLVIT’ — the Internal Market Problem Solving Network (5) (‘the SOLVIT Recommendation’). To continue the functioning of the SOLVIT network on the basis of existing work arrangements, one or more tasks of the national IMI coordinator may be assigned to SOLVIT centres within the remit of their work, so that they can function independently from the national IMI coordinator. The processing of personal data and of confidential information as part of SOLVIT procedures should benefit from all guarantees set out in this Regulation, without prejudice to the non-binding character of the SOLVIT Recommendation.
(19)
While IMI includes an internet-based interface for its users, in certain cases and at the request of the Member State concerned, it may be appropriate to consider technical solutions for the direct transfer of data from national systems to IMI, where such national systems have already been developed, notably for notification procedures. The implementation of such technical solutions should depend on the outcome of an assessment of their feasibility, costs and expected benefits. Those solutions should not affect the existing structures and the national order of competencies.
(20)
Where Member States have fulfilled the obligation to notify under Article 15(7) of Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market (6) by using the procedure in accordance with Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society services (7), they should not also be required to make the same notification through IMI.
(21)
The exchange of information through IMI follows from the legal obligation on Member States’ authorities to give mutual assistance. To ensure that the internal market functions properly, information received by a competent authority through IMI from another Member State should not be deprived of its value as evidence in administrative proceedings solely on the ground that it originated in another Member State or was received by electronic means, and it should be treated by that competent authority in the same way as similar documents originating in its Member State.
(22)
In order to guarantee a high level of data protection, maximum retention periods for personal data in IMI need to be established. However, those periods should be well-balanced taking into due consideration the need for IMI to function properly, as well as the rights of the data subjects to fully exercise their rights, for instance by obtaining evidence that an information exchange took place in order to appeal against a decision. In particular, retention periods should not go beyond what is necessary to achieve the objectives of this Regulation.
(23)
It should be possible to process the name and contact details of IMI users for purposes compatible with the objectives of this Regulation, including monitoring of the use of the system by IMI coordinators and the Commission, communication, training and awareness-raising initiatives, and gathering information on administrative cooperation or mutual assistance in the internal market.
(24)
The European Data Protection Supervisor should monitor and seek to ensure the application of this Regulation, inter alia by maintaining contacts with national data protection authorities, including the relevant provisions on data security.
(25)
In order to ensure the effective monitoring of, and reporting on, the functioning of IMI and the application of this Regulation, Member States should make relevant information available to the Commission.
(26)
Data subjects should be informed about the processing of their personal data in IMI and of the fact that they have the right of access to the data relating to them and the right to have inaccurate data corrected and illegally processed data erased, in accordance with this Regulation and national legislation implementing Directive 95/46/EC.
(27)
In order to make it possible for the competent authorities of the Member States to implement legal provisions for administrative cooperation and efficiently exchange information by means of IMI, it may be necessary to lay down practical arrangements for such an exchange. Those arrangements should be adopted by the Commission in the form of a separate implementing act for each Union act listed in the Annex or for each type of administrative cooperation procedure and should cover the essential technical functionality and procedural arrangements required to implement the relevant administrative cooperation procedures via IMI. The Commission should ensure the maintenance and development of the software and IT infrastructure for IMI.
(28)
In order to ensure sufficient transparency for data subjects, the predefined workflows, question and answer sets, forms and other arrangements relating to administrative cooperation procedures in IMI should be made public.
(29)
Where Member States apply, in accordance with Article 13 of Directive 95/46/EC, any limitations on or exceptions to the rights of data subjects, information about such limitations or exceptions should be made public in order to ensure full transparency for data subjects. Such exceptions or limitations should be necessary and proportionate to the intended purpose and subject to adequate safeguards.
(30)
Where international agreements are concluded between the Union and third countries that also cover the application of provisions of Union acts listed in the Annex to this Regulation, it should be possible to include the counterparts of IMI actors in such third countries in the administrative cooperation procedures supported by IMI, provided that it has been established that the third country concerned offers an adequate level of protection of personal data in accordance with Directive 95/46/EC.
(31)
Commission Decision 2008/49/EC of 12 December 2007 concerning the implementation of the Internal Market Information System (IMI) as regards the protection of personal data (8) should be repealed. Commission Decision 2009/739/EC of 2 October 2009 setting out the practical arrangements for the exchange of information by electronic means between the Member States under Chapter VI of Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market (9) should continue to apply to issues relating to the exchange of information under Directive 2006/123/EC.
(32)
In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (10).
(33)
The performance of the Member States regarding the effective application of this Regulation should be monitored in the annual report on the functioning of IMI based on statistical data from IMI and any other relevant data. The performance of Member States should be evaluated, inter alia, based on average reply times with the aim of ensuring rapid replies of good quality.
(34)
Since the objective of this Regulation, namely laying down the rules for the use of IMI for administrative cooperation, cannot be sufficiently achieved by the Member States and can therefore, by reason of its scale and effects, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.
(35)
The European Data Protection Supervisor has been consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on 22 November 2011 (11),
HAVE ADOPTED THIS REGULATION:
CHAPTER I
GENERAL PROVISIONS
Article 1
Subject matter
This Regulation lays down rules for the use of an Internal Market Information System (‘IMI’) for administrative cooperation, including processing of personal data, between competent authorities of the Member States and between competent authorities of the Member States and the Commission.
Article 2
Establishment of IMI
IMI is hereby formally established.
Article 3
Scope
1. IMI shall be used for administrative cooperation between competent authorities of the Member States and between competent authorities of the Member States and the Commission necessary for the implementation of Union acts in the field of the internal market, within the meaning of Article 26(2) of the Treaty on the Functioning of the European Union (TFEU), which provide for administrative cooperation, including the exchange of personal data, between Member States or between Member States and the Commission. Those Union acts are listed in the Annex.
2. Nothing in this Regulation shall have the effect of rendering mandatory the provisions of Union acts which have no binding force.
Article 4
Expansion of IMI
1. The Commission may carry out pilot projects in order to assess whether IMI would be an effective tool to implement provisions for administrative cooperation of Union acts not listed in the Annex. The Commission shall adopt an implementing act to determine which provisions of Union acts shall be subject to a pilot project and to set out the modalities of each project, in particular the basic technical functionality and procedural arrangements required to implement the relevant administrative cooperation provisions. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 24(3).
2. The Commission shall submit an evaluation of the outcome of the pilot project, including data protection issues and effective translation functionalities, to the European Parliament and the Council. Where appropriate, that evaluation may be accompanied by a legislative proposal to amend the Annex to expand the use of IMI to the relevant provisions of Union acts.
Article 5
Definitions
For the purposes of this Regulation, the definitions laid down in Directive 95/46/EC and Regulation (EC) No 45/2001 shall apply.
In addition, the following definitions shall also apply:
(a)
‘IMI’ means the electronic tool provided by the Commission to facilitate administrative cooperation between competent authorities of the Member States and between competent authorities of the Member States and the Commission;
(b)
‘administrative cooperation’ means the working in collaboration of competent authorities of the Member States or competent authorities of the Member States and the Commission, by exchanging and processing information, including through notifications and alerts, or by providing mutual assistance, including for the resolution of problems, for the purpose of better application of Union law;
(c)
‘internal market area’ means a legislative or functional field of the internal market, within the meaning of Article 26(2) TFEU, in which IMI is used in accordance with Article 3 of this Regulation;
(d)
‘administrative cooperation procedure’ means a pre-defined workflow provided for in IMI allowing IMI actors to communicate and interact with each other in a structured manner;
(e)
‘IMI coordinator’ means a body appointed by a Member State to perform support tasks necessary for the efficient functioning of IMI in accordance with this Regulation;
(f)
‘competent authority’ means any body established at either national, regional or local level and registered in IMI with specific responsibilities relating to the application of national law or Union acts listed in the Annex in one or more internal market areas;
(g)
‘IMI actors’ means the competent authorities, IMI coordinators and the Commission;
(h)
‘IMI user’ means a natural person working under the authority of an IMI actor and registered in IMI on behalf of that IMI actor;
(i)
‘external actors’ means natural or legal persons other than IMI users that may interact with IMI only through separate technical means and in accordance with a specific pre-defined workflow provided for that purpose;
(j)
‘blocking’ means applying technical means by which personal data become inaccessible to IMI users via the normal interface of IMI;
(k)
‘formal closure’ means applying the technical facility provided by IMI to close an administrative cooperation procedure.
CHAPTER II
FUNCTIONS AND RESPONSIBILITIES IN RELATION TO IMI
Article 6
IMI coordinators
1. Each Member State shall appoint one national IMI coordinator whose responsibilities shall include:
(a)
registering or validating registration of IMI coordinators and competent authorities;
(b)
acting as the main contact point for IMI actors of the Member States for issues relating to IMI, including providing information on aspects relating to the protection of personal data in accordance with this Regulation;
(c)
acting as interlocutor of the Commission for issues relating to IMI including providing information on aspects relating to the protection of personal data in accordance with this Regulation;
(d)
providing knowledge, training and support, including basic technical assistance, to IMI actors of the Member States;
(e)
ensuring the efficient functioning of IMI as far as it is within their control, including the provision of timely and adequate responses by IMI actors of the Member States to requests for administrative cooperation.
2. Each Member State may, in addition, appoint one or more IMI coordinators in order to carry out any of the tasks listed in paragraph 1, in accordance with its internal administrative structure.
3. Member States shall inform the Commission of the IMI coordinators appointed in accordance with paragraphs 1 and 2 and of the tasks for which they are responsible. The Commission shall share that information with the other Member States.
4. All IMI coordinators may act as competent authorities. In such cases an IMI coordinator shall have the same access rights as a competent authority. Each IMI coordinator shall be a controller with respect to its own data processing activities as an IMI actor.
Article 7
Competent authorities
1. When cooperating by means of IMI, competent authorities, acting through IMI users in accordance with administrative cooperation procedures, shall ensure that, in accordance with the applicable Union act, an adequate response is provided within the shortest possible period of time, and in any event within the deadline set by that act.
2. A competent authority may invoke as evidence any information, document, finding, statement or certified true copy which it has received electronically by means of IMI, on the same basis as similar information obtained in its own country, for purposes compatible with the purposes for which the data were originally collected.
3. Each competent authority shall be a controller with respect to its own data processing activities performed by an IMI user under its authority and shall ensure that data subjects can exercise their rights in accordance with Chapters III and IV, where necessary, in cooperation with the Commission.
Article 8
Commission
1. The Commission shall be responsible for carrying out the following tasks:
(a)
ensuring the security, availability, maintenance and development of the software and IT infrastructure for IMI;
(b)
providing a multilingual system, including existing translation functionalities, training in cooperation with the Member States, and a helpdesk to assist Member States in the use of IMI;
(c)
registering the national IMI coordinators and granting them access to IMI;
(d)
performing processing operations on personal data in IMI, where provided for in this Regulation, in accordance with the purposes determined by the applicable Union acts listed in the Annex;
(e)
monitoring the application of this Regulation and reporting back to the European Parliament, the Council and the European Data Protection Supervisor in accordance with Article 25.
2. For the purposes of performing the tasks listed in paragraph 1 and producing statistical reports, the Commission shall have access to the necessary information relating to the processing operations performed in IMI.
3. The Commission shall not participate in administrative cooperation procedures involving the processing of personal data except where required by a provision of a Union act listed in the Annex.
Article 9
Access rights of IMI actors and users
1. Only IMI users shall have access to IMI.
2. Member States shall designate the IMI coordinators and competent authorities and the internal market areas in which they have competence. The Commission may play a consultative role in that process.
3. Each IMI actor shall grant and revoke, as necessary, appropriate access rights to its IMI users in the internal market area for which it is competent.
4. Appropriate means shall be put in place by the Commission and the Member States to ensure that IMI users are allowed to access personal data processed in IMI only on a need-to-know basis and within the internal market area or areas for which they were granted access rights in accordance with paragraph 3.
5. The use of personal data processed in IMI for a specific purpose in a way that is incompatible with that original purpose shall be prohibited, unless explicitly provided for by national law in accordance with Union law.
6. Where an administrative cooperation procedure involves the processing of personal data, only the IMI actors participating in that procedure shall have access to such personal data.
Article 10
Confidentiality
1. Each Member State shall apply its rules of professional secrecy or other equivalent duties of confidentiality to its IMI actors and IMI users, in accordance with national or Union legislation.
2. IMI actors shall ensure that requests of other IMI actors for confidential treatment of information exchanged by means of IMI are respected by IMI users working under their authority.
Article 11
Administrative cooperation procedures
IMI shall be based on administrative cooperation procedures implementing the provisions of the relevant Union acts listed in the Annex. Where appropriate, the Commission may adopt implementing acts for a specific Union act listed in the Annex or for a type of administrative cooperation procedure, setting out the essential technical functionality and the procedural arrangements required to enable the operation of the relevant administrative cooperation procedures, including where applicable the interaction between external actors and IMI as referred to in Article 12. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 24(2).
Article 12
External actors
Technical means may be provided to allow external actors to interact with IMI where such interaction is:
(a)
provided for by a Union act;
(b)
provided for in an implementing act referred to in Article 11 in order to facilitate administrative cooperation between competent authorities in Member States for the application of the provisions of Union acts listed in the Annex; or
(c)
necessary for submitting requests in order to exercise their rights as data subjects in accordance with Article 19.
Any such technical means shall be separate from IMI and shall not enable external actors to access IMI.
CHAPTER III
PROCESSING OF PERSONAL DATA AND SECURITY
Article 13
Purpose limitation
IMI actors shall exchange and process personal data only for the purposes defined in the relevant provisions of the Union acts listed in the Annex.
Data submitted to IMI by data subjects shall only be used for the purposes for which the data were submitted.
Article 14
Retention of personal data
1. Personal data processed in IMI shall be blocked in IMI as soon as they are no longer necessary for the purpose for which they were collected, depending on the specificities of each type of administrative cooperation and, as a general rule, no later than six months after the formal closure of the administrative cooperation procedure.
However, if a longer period is provided for in an applicable Union act listed in the Annex, personal data processed in IMI may be retained for a maximum of 18 months after the formal closure of an administrative cooperation procedure.
2. Where a repository of information for future reference by IMI actors is required pursuant to a binding Union act listed in the Annex, the personal data included in such a repository may be processed for as long as they are needed for this purpose either with the data subject’s consent or where this is provided for in that Union act.
3. Personal data blocked pursuant to this Article shall, with the exception of their storage, only be processed for purposes of proof of an information exchange by means of IMI with the data subject’s consent, unless processing is requested for overriding reasons in the public interest.
4. The blocked data shall be automatically deleted in IMI three years after the formal closure of the administrative cooperation procedure.
5. At the express request of a competent authority in a specific case and with the data subject’s consent, personal data may be deleted before the expiry of the applicable retention period.
6. The Commission shall ensure by technical means the blocking and deletion of personal data and their retrieval in accordance with paragraph 3.
7. Technical means shall be put in place to encourage IMI actors to formally close administrative cooperation procedures as soon as possible after the exchange of information has been completed and to enable IMI actors to involve IMI coordinators responsible in any procedure which has been inactive without justification for longer than two months.
Article 15
Retention of personal data of IMI users
1. By way of derogation from Article 14, paragraphs 2 and 3 of this Article shall apply to the retention of personal data of IMI users. Those personal data shall include the full name and all electronic and other means of contact necessary for the purposes of this Regulation.
2. Personal data relating to IMI users shall be stored in IMI as long as they continue to be users of IMI and may be processed for purposes compatible with the objectives of this Regulation.
3. When a natural person ceases to be an IMI user, the personal data relating to that person shall be blocked by technical means for a period of three years. Those data shall, with the exception of their storage, only be processed for purposes of proof of an information exchange by means of IMI and shall be deleted at the end of the three-year period.
Article 16
Processing of special categories of data
1. The processing of special categories of data referred to in Article 8(1) of Directive 95/46/EC and Article 10(1) of Regulation (EC) No 45/2001 by means of IMI shall be allowed only on the basis of a specific ground mentioned in Article 8(2) and (4) of that Directive and Article 10(2) of that Regulation and subject to appropriate safeguards provided for in those Articles to ensure the rights of individuals whose personal data are processed.
2. IMI may be used for the processing of data relating to offences, criminal convictions or security measures referred to in Article 8(5) of Directive 95/46/EC and Article 10(5) of Regulation (EC) No 45/2001, subject to safeguards provided for in those Articles, including information on disciplinary, administrative or criminal sanctions or other information necessary to establish the good repute of an individual or a legal person, where the processing of such data is provided for in a Union act constituting the basis for the processing or with the explicit consent of the data subject, subject to specific safeguards referred to in Article 8(5) of Directive 95/46/EC.
Article 17
Security
1. The Commission shall ensure that IMI complies with the rules on data security adopted by the Commission pursuant to Article 22 of Regulation (EC) No 45/2001.
2. The Commission shall put in place the necessary measures to ensure security of personal data processed in IMI, including appropriate data access control and a security plan which shall be kept up-to-date.
3. The Commission shall ensure that, in the event of a security incident, it is possible to verify what personal data have been processed in IMI, when, by whom and for what purpose.
4. IMI actors shall take all procedural and organisational measures necessary to ensure the security of personal data processed by them in IMI in accordance with Article 17 of Directive 95/46/EC.
CHAPTER IV
RIGHTS OF DATA SUBJECTS AND SUPERVISION
Article 18
Information to data subjects and transparency
1. IMI actors shall ensure that data subjects are informed about processing of their personal data in IMI as soon as possible and that they have access to information on their rights and how to exercise them, including the identity and contact details of the controller and of the controller’s representative, if any, in accordance with Article 10 or 11 of Directive 95/46/EC and national legislation which is in accordance with that Directive.
2. The Commission shall make publicly available in a way which is easily accessible:
(a)
information concerning IMI in accordance with Articles 11 and 12 of Regulation (EC) No 45/2001, in a clear and understandable form;
(b)
information on the data protection aspects of administrative cooperation procedures in IMI as referred to in Article 11 of this Regulation;
(c)
information on exceptions to or limitations of the rights of data subjects as referred to in Article 20 of this Regulation;
(d)
types of administrative cooperation procedures, essential IMI functionalities and categories of data that may be processed in IMI;
(e)
a comprehensive list of all implementing or delegated acts regarding IMI, adopted pursuant to this Regulation or to another Union act, and a consolidated version of the Annex to this Regulation and its subsequent amendments by other Union acts.
Article 19
Right of access, correction and deletion
1. IMI actors shall ensure that data subjects may effectively exercise their right of access to data relating to them in IMI, and the right to have inaccurate or incomplete data corrected and unlawfully processed data deleted, in accordance with national legislation. The correction or deletion of data shall be carried out as soon as possible, and at the latest 30 days after the request by the data subject is received by the IMI actor responsible.
2. Where the accuracy or lawfulness of data blocked pursuant to Article 14(1) is contested by the data subject, this fact shall be recorded, as well as the accurate, corrected information.
Article 20
Exceptions and limitations
Member States shall inform the Commission where they provide for exceptions to, or limitations of, the rights of data subjects set out in this Chapter in national legislation in accordance with Article 13 of Directive 95/46/EC.
Article 21
Supervision
1. The national supervisory authority or authorities designated in each Member State and endowed with the powers referred to in Article 28 of Directive 95/46/EC (the ‘National Supervisory Authority’) shall independently monitor the lawfulness of the processing of personal data by the IMI actors of their Member State and, in particular, shall ensure that the rights of data subjects set out in this Chapter are protected in accordance with this Regulation.
2. The European Data Protection Supervisor shall monitor and seek to ensure that the personal data processing activities of the Commission, in its role as an IMI actor, are carried out in accordance with this Regulation. The duties and powers referred to in Articles 46 and 47 of Regulation (EC) No 45/2001 shall apply accordingly.
3. The National Supervisory Authorities and the European Data Protection Supervisor, each acting within the scope of their respective competencies, shall ensure coordinated supervision of IMI and its use by IMI actors.
4. The European Data Protection Supervisor may invite the National Supervisory Authorities to meet, where necessary, for the purposes of ensuring coordinated supervision of IMI and its use by IMI actors, as referred to in paragraph 3. The cost of such meetings shall be borne by the European Data Protection Supervisor. Further working methods for this purpose, including rules of procedure, may be developed jointly as necessary. A joint report of activities shall be sent to the European Parliament, the Council and the Commission at least every three years.
CHAPTER V
GEOGRAPHIC SCOPE OF IMI
Article 22
National use of IMI
1. A Member State may use IMI for the purpose of administrative cooperation between competent authorities within its territory, in accordance with national law, only where the following conditions are satisfied:
(a)
no substantial changes to the existing administrative cooperation procedures are required;
(b)
a notification of the envisaged use of IMI has been submitted to the National Supervisory Authority where required under national law; and
(c)
it does not have a negative impact on the efficient functioning of IMI for IMI users.
2. Where a Member State intends to make systematic use of IMI for national purposes, it shall notify its intention to the Commission and seek its prior approval. The Commission shall examine whether the conditions set out in paragraph 1 are met. Where necessary, and in accordance with this Regulation, an agreement setting out, inter alia, the technical, financial and organisational arrangements for national use, including the responsibilities of the IMI actors, shall be concluded between the Member State and the Commission.
Article 23
Information exchange with third countries
1. Information, including personal data, may be exchanged in IMI pursuant to this Regulation between IMI actors within the Union and their counterparts in a third country only where the following conditions are satisfied:
(a)
the information is processed pursuant to a provision of a Union act listed in the Annex and an equivalent provision in the law of the third country;
(b)
the information is exchanged or made available in accordance with an international agreement providing for:
(i)
the application of a provision of a Union act listed in the Annex by the third country;
(ii)
the use of IMI; and
(iii)
the principles and modalities of that exchange; and
(c)
the third country in question ensures adequate protection of personal data in accordance with Article 25(2) of Directive 95/46/EC, including adequate safeguards that the data processed in IMI shall only be used for the purpose for which they were initially exchanged, and the Commission has adopted a decision in accordance with Article 25(6) of Directive 95/46/EC.
2. Where the Commission is an IMI actor, Article 9(1) and (7) of Regulation (EC) No 45/2001 shall apply to any exchange of personal data processed in IMI with its counterparts in a third country.
3. The Commission shall publish in the Official Journal of the European Union and keep up-to-date a list of third countries authorised to exchange information, including personal data, in accordance with paragraph 1.
CHAPTER VI
FINAL PROVISIONS
Article 24
Committee procedure
1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.
2. Where reference is made to this paragraph, Article 4 of Regulation (EU) No 182/2011 shall apply.
3. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.
Article 25
Monitoring and reporting
1. The Commission shall report to the European Parliament and the Council on the functioning of IMI on a yearly basis.
2. By 5 December 2017 and every five years thereafter, the Commission shall report to the European Data Protection Supervisor on aspects relating to the protection of personal data in IMI, including data security.
3. For the purpose of producing the reports referred to in paragraphs 1 and 2, Member States shall provide the Commission with any information relevant to the application of this Regulation, including on the application in practice of the data protection requirements laid down in this Regulation.
Article 26
Costs
1. The costs incurred for the development, promotion, operation and maintenance of IMI shall be borne by the general budget of the European Union, without prejudice to arrangements under Article 22(2).
2. Unless otherwise stipulated in a Union act, the costs for the IMI operations at Member State level, including the human resources needed for training, promotion and technical assistance (helpdesk) activities, as well as for the administration of IMI at national level, shall be borne by each Member State.
Article 27
Repeal
Decision 2008/49/EC is repealed.
Article 28
Effective application
Member States shall take all necessary measures to ensure effective application of this Regulation by their IMI actors.
Article 29
Exceptions
1. Notwithstanding Article 4 of this Regulation, the IMI pilot project launched on 16 May 2011 to test the suitability of IMI for the implementation of Article 4 of Directive 96/71/EC of the European Parliament and of the Council of 16 December 1996 concerning the posting of workers in the framework of the provision of services (12) may continue to operate on the basis of the arrangements that were made prior to the entry into force of this Regulation.
2. Notwithstanding Article 8(3) and points (a) and (b) of the first paragraph of Article 12 of this Regulation, for the implementation of the administrative cooperation provisions of the SOLVIT Recommendation through IMI, the involvement of the Commission in administrative cooperation procedures and the existing facility for external actors may continue on the basis of the arrangements that were made prior to the entry into force of this Regulation. The period as referred to in Article 14(1) of this Regulation shall be 18 months for personal data processed in IMI for the purposes of the SOLVIT Recommendation.
3. Notwithstanding Article 4(1) of this Regulation, the Commission may launch a pilot project to assess whether IMI is an efficient, cost-effective and user-friendly tool to implement Article 3(4), (5) and (6) of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce) (13). No later than two years after the launch of that pilot project, the Commission shall submit to the European Parliament and the Council the evaluation referred to in Article 4(2) of this Regulation, which shall also cover the interaction between administrative cooperation within the consumer protection cooperation system established in accordance with Regulation (EC) No 2006/2004 of the European Parliament and of the Council of 27 October 2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (the Regulation on consumer protection cooperation) (14) and within IMI.
4. Notwithstanding Article 14(1) of this Regulation, any periods up to a maximum of 18 months decided on the basis of Article 36 of Directive 2006/123/EC with regard to administrative cooperation pursuant to Chapter VI thereof shall continue to apply in that area.
Article 30
Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Strasbourg, 25 October 2012.
For the European Parliament
The President
M. SCHULZ
For the Council
The President
A. D. MAVROYIANNIS
(1) OJ C 43, 15.2.2012, p. 14.
(2) Position of the European Parliament of 11 September 2012 (not yet published in the Official Journal) and decision of the Council of 4 October 2012.
(3) OJ L 281, 23.11.1995, p. 31.
(4) OJ L 8, 12.1.2001, p. 1.
(5) OJ L 331, 15.12.2001, p. 79.
(6) OJ L 376, 27.12.2006, p. 36.
(7) OJ L 204, 21.7.1998, p. 37.
(8) OJ L 13, 16.1.2008, p. 18.
(9) OJ L 263, 7.10.2009, p. 32.
(10) OJ L 55, 28.2.2011, p. 13.
(11) OJ C 48, 18.2.2012, p. 2.
(12) OJ L 18, 21.1.1997, p. 1.
(13) OJ L 178, 17.7.2000, p. 1.
(14) OJ L 364, 9.12.2004, p. 1.
ANNEX
PROVISIONS ON ADMINISTRATIVE COOPERATION IN UNION ACTS THAT ARE IMPLEMENTED BY MEANS OF IMI, REFERRED TO IN ARTICLE 3
1.
Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market (1): Chapter VI, Article 39(5), as well as Article 15(7), unless a notification, as provided for in that latter Article, is made in accordance with Directive 98/34/EC.
2.
Directive 2005/36/EC of the European Parliament and of the Council of 7 September 2005 on the recognition of professional qualifications (2): Article 8, Article 50(1), (2) and (3), and Article 56.
3.
Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare (3): Article 10(4).
4.
Regulation (EU) No 1214/2011 of the European Parliament and of the Council of 16 November 2011 on the professional cross-border transport of euro cash by road between euro-area Member States (4): Article 11(2).
5.
Commission Recommendation of 7 December 2001 on principles for using ‘SOLVIT’ — the Internal Market Problem Solving Network (5): Chapters I and II.
(1) OJ L 376, 27.12.2006, p. 36.
(2) OJ L 255, 30.9.2005, p. 22.
(3) OJ L 88, 4.4.2011, p. 45.
(4) OJ L 316, 29.11.2011, p. 1.
(5) OJ L 331, 15.12.2001, p. 79.