Legal provisions of COM(2023)244 - Amendment of Council Decision 2009/917/JHA, as regards its alignment with Union rules on the protection of personal data

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier COM(2023)244 - Amendment of Council Decision 2009/917/JHA, as regards its alignment with Union rules on the protection of personal data.
document COM(2023)244 EN
date March 13, 2024


Article 1

Decision 2009/917/JHA is amended as follows:

(1)in Article 1, paragraph 2 is replaced by the following:

‘2.   The purpose of the Customs Information System, in accordance with this Decision, shall be to assist the competent authorities of the Member States with the prevention, investigation, detection or prosecution of criminal offences under national laws, by making information available more rapidly, thereby increasing the effectiveness of the cooperation and control procedures of the customs administrations of the Member States.’

;

(2)Article 2 is amended as follows:

(a)point (2) is replaced by the following:

‘2.“personal data” means personal data as defined in Article 3, point (1), of Directive (EU) 2016/680 of the European Parliament and of the Council (*1);

(*1)  Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).’;"

(b)the following point is added:

‘6.“national supervisory authority” means a supervisory authority as defined in Article 3, point (15), of Directive (EU) 2016/680.’;

(3)in Article 3(1), the introductory wording is replaced by the following:

‘The Customs Information System shall consist of a central database facility, accessible through terminals in each Member State. It shall comprise exclusively data necessary to achieve its purpose as stated in Article 1(2), including personal data, in the following categories:’;

(4)Article 4 is amended as follows:

(a)paragraph 1 is replaced by the following:

‘1.   Member States shall determine the items to be entered into the Customs Information System relating to each of the categories referred to in Article 3(1), to the extent that this is necessary to achieve the purpose of that system. No items of personal data shall be entered in any event within the category set out in Article 3(1), point (e).’

;

(b)paragraph 5 is replaced by the following:

‘5.   In no case shall the special categories of personal data referred to in Article 10 of Directive (EU) 2016/680 be entered into the Customs Information System.’

;

(5)in Article 5, paragraph 2 is replaced by the following:

‘2.   For the purpose of the actions referred to in paragraph 1, personal data in any of the categories referred to in Article 3(1) may be entered into the Customs Information System only if there are reasonable grounds, in particular on the basis of prior illegal activities, to suggest that the person concerned has committed, is in the act of committing or will commit a criminal offence under national laws.’

;

(6)Article 7 is amended as follows:

(a)paragraph 1 is replaced by the following:

‘1.   Direct access to data entered into the Customs Information System shall be reserved to the national authorities designated by each Member State. Those national authorities shall be customs administrations, but may also include other authorities competent, according to the laws, regulations and procedures of the Member State in question, to act in order to achieve the purpose stated in Article 1(2).’

;

(b)paragraph 3 is deleted;

(7)Article 8 is amended as follows:

(a)paragraphs 1 and 2 are replaced by the following:

‘1.   The national authorities designated by each Member State in accordance with Article 7, Europol and Eurojust may process personal data obtained from the Customs Information System in order to achieve the purpose stated in Article 1(2), in accordance with Union or national law applicable to the protection of personal data with the prior authorisation of, and subject to compliance with any conditions imposed by, the designated national authorities of the Member State which entered the personal data into that system.

The national authorities designated by each Member State, Europol and Eurojust may process non-personal data obtained from the Customs Information System in order to achieve the purpose stated in Article 1(2) or for other purposes, including administrative ones, in compliance with any conditions imposed by the designated national authorities of the Member State which entered the non-personal data in that system.

2. Without prejudice to paragraphs 1 and 4 of this Article and Articles 11 and 12, data obtained from the Customs Information System shall only be used by national authorities in each Member State designated by the Member State in question, which are competent, in accordance with the laws, regulations and procedures of that Member State, to act in order to achieve the purpose stated in Article 1(2).’

;

(b)paragraph 4 is replaced by the following:

‘4.   Personal data obtained from the Customs Information System may, with the prior authorisation of, and subject to compliance with any conditions imposed by, the designated national authorities of the Member State which entered that data into that system, be:

(a)transmitted to, and further processed by, national authorities other than those designated under paragraph 2, in accordance with Union or national law applicable to the protection of personal data; or

(b)transferred to, and further processed by, the competent authorities of third countries and international or regional organisations, in accordance with Union or national law applicable to the protection of personal data.

Non-personal data obtained from the Customs Information System may be transferred to, and further processed by national authorities other than those designated under paragraph 2, third countries, and international or regional organisations, in compliance with any conditions imposed by the designated national authorities of the Member State which entered the non-personal data in that system.’

;

(8)in Article 13, paragraph 5 is replaced by the following:

‘5.   Subject to this Decision, where in any Member State a court, or other competent authority within that Member State, makes a final decision as to the amendment, supplementation, rectification or erasure of data in the Customs Information System, the Member States undertake mutually to enforce such a decision. In the event of conflict between such decisions of courts or of other competent authorities in different Member States, including of the national supervisory authorities, concerning rectification or erasure, the Member State which entered the data in question shall erase them from that system.’

;

(9)Article 14 is replaced by the following:

‘Article 14

Personal data entered into the Customs Information System shall be kept only for the time necessary to achieve the purpose stated in Article 1(2) and may not be retained for more than five years. However, exceptionally, those data may be retained for an additional period of up to two years, where and insofar as a strict need to do so in order to achieve that purpose is established in an individual case.’

;

(10)Article 15 is amended as follows:

(a)paragraph 2 is replaced by the following:

‘2.   The purpose of the customs files identification database shall be to enable the national authorities responsible for carrying out customs investigations designated in accordance with Article 7, when opening a file on or investigating one or more persons or businesses, and for Europol and Eurojust, to identify the competent authorities of other Member States which are investigating or have investigated those persons or businesses, in order, through information on the existence of investigation files, to achieve the purpose referred to in Article 1(2).’

;

(b)paragraph 3 is replaced by the following:

‘3.   For the purposes of the customs files identification database, each Member State shall send the other Member States, Europol, Eurojust and the Committee referred to in Article 27 a list of criminal offences under its national laws.

This list shall comprise only criminal offences that are punishable:

(a)by deprivation of liberty or a detention order for a maximum period of not less than 12 months; or

(b)by a fine of at least EUR 15 000.’

;

(11)Article 20 is replaced by the following:

‘Article 20

Unless otherwise provided for in this Decision:

(a)national provisions adopted pursuant to Directive (EU) 2016/680 shall apply to the processing of personal data under this Decision by national authorities designated by each Member State in accordance with Article 7 of this Decision;

(b)Regulation (EU) 2018/1725 of the European Parliament and of the Council (*2) shall apply to the processing of personal data under this Decision by the Commission;

(c)Regulation (EU) 2016/794 of the European Parliament and of the Council (*3) shall apply to the processing of personal data under this Decision by Europol; and

(d)Regulation (EU) 2018/1727 of the European Parliament and of the Council (*4) shall apply to the processing of personal data under this Decision by Eurojust.

(*2)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39)."

(*3)  Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53)."

(*4)  Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust), and replacing and repealing Council Decision 2002/187/JHA (OJ L 295, 21.11.2018, p. 138).’;"

(12)Articles 22, 23, 24 and 25 are deleted;

(13)Article 26 is replaced by the following:

‘Article 26

1. The European Data Protection Supervisor shall be responsible for monitoring the processing of personal data under this Decision by the Commission and for ensuring that it is carried out in accordance with this Decision. The tasks and powers referred to in Articles 57 and 58 of Regulation (EU) 2018/1725 shall apply accordingly.

2. The European Data Protection Supervisor shall carry out an audit of the processing of personal data by the Commission under this Decision in accordance with international auditing standards at least every five years. A report on that audit shall be sent to the European Parliament, to the Council, to the Commission and to the national supervisory authorities.

3. The European Data Protection Supervisor and the national supervisory authorities, acting within the scope of their respective competences, shall cooperate actively within the framework of their responsibilities to ensure coordinated supervision of the operation of the Customs Information System in accordance with Article 62 of Regulation (EU) 2018/1725.’

;

(14)in Article 27, paragraph 2, point (a) is replaced by the following:

‘(a)for the implementation and correct application of this Decision, without prejudice to the powers of the national supervisory authorities and of the European Data Protection Supervisor;’;

(15)Article 28 is amended as follows:

(a)in paragraph 2, the following points are added:

‘(i)to ensure that it is possible to restore installed systems in the case of interruption;

(j)to ensure the proper functioning of the System, that faults in the System are reported and that stored personal data cannot be corrupted by the System malfunctioning.’;

(b)paragraph 3 is replaced by the following:

‘3.   The Committee referred to in Article 27 shall monitor the queries of the Customs Information System for the purpose of checking that searches made were admissible and made by authorised users. At least 1 % of all searches made shall be checked. A record of such searches and checks shall be maintained in the System and shall be used only for the abovementioned purpose by that Committee, the national supervisory authorities and the European Data Protection Supervisor. It shall be erased after six months.’

;

(16)Article 29 is replaced by the following:

‘Article 29

The competent customs administration referred to in Article 10(1) shall be responsible for the security measures set out in Article 28, in relation to the terminals located in the territory of the Member State concerned, the review functions set out in Articles 14 and 19, and otherwise for the proper implementation of this Decision so far as is necessary under the laws, regulations and procedures of that Member State.’

;

(17)in Article 30, paragraph 1 is deleted.

Article 2

By 9 October 2025, without prejudice to the application of this Regulation, the personal data entered into the Customs Information System before 8 April 2024 shall be reviewed by the Member States which entered those data and, where necessary, updated or deleted in order to ensure that their processing complies with Decision 2009/917/JHA as amended by this Regulation.

Article 3

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.