Commission Implementing Regulation (EU) 2019/1715 of 30 September 2019 laying down rules for the functioning of the information management system for official controls and its system components (the IMSOC Regulation) (Text with EEA relevance)

CHAPTER 1

Subject matter, scope and definitions

Article 1

Subject matter and scope

This Regulation lays down:

(a) specific conditions and procedures applicable to the transmission of notifications and supplementary information for the Rapid alert system for food and feed (RASFF) to be established pursuant to Regulation (EC) No 178/2002;

(b) procedures for the establishment and use of the computerised system for Union notification and reporting of diseases to be set up and managed by the Commission in accordance with Article 22 of Regulation (EU) 2016/429;

(c) specific rules, including deadlines, for the submission of notifications, to be laid down pursuant to Regulation (EU) 2016/2031;

(d) rules for the computerised handling and exchange of information, data and documents in the information management system for official controls (IMSOC) necessary for the performance of the official controls provided for in Regulation (EU) 2017/625, as regards: (i) the format of the common health entry document (CHED) referred to in Article 56 of Regulation (EU) 2017/625, including its electronic equivalent, and the instructions for its presentation and use; (ii) uniform arrangements for cooperation between customs authorities, competent authorities and other authorities, as referred to in Article 75 of Regulation (EU) 2017/625; (iii) the issuance of electronic certificates and the use of electronic signatures for the official certificates referred to in Article 87 of Regulation (EU) 2017/625; (iv) standard formats for information exchange in the framework of administrative assistance and cooperation, as referred to in Title IV of Regulation (EU) 2017/625, concerning: — requests for assistance, — common and recurrent notifications and responses; (v) specifications of the technical tools and procedures for communication between liaison bodies designated in accordance with Article 103(1) of Regulation (EU) 2017/625; (vi) the proper functioning of the IMSOC referred to in Chapter IV of Title VI of Regulation (EU) 2017/625.

Article 2

Definitions

For the purposes of this Regulation, the following definitions shall apply:

(1) ‘component’ means an electronic system integrated in the IMSOC;

(2) ‘network’ means a group of members having access to a specific component;

(3) ‘network member’ means a Member State’s competent authority, the Commission, an EU agency, a third country’s competent authority or an international organisation that has access to at least one component;

(4) ‘contact point’ means the contact point designated by the network member to represent it;

(5) ‘Member State’s national system’ means a computerised information system owned and set up before the date of entry into force of Regulation (EU) 2017/625 by a Member State for the purpose of managing, handling and exchanging data, information and documents on official controls, and capable of electronically exchanging data with the relevant component;

(6) ‘international organisation’ means any of the internationally recognised bodies listed in point (g) of Article 121 of Regulation (EU) 2017/625, or similar intergovernmental organisations;

(7) ‘iRASFF’ means the electronic system implementing the RASFF and AAC procedures described in Article 50 of Regulation (EC) No 178/2002 and Articles 102 to 108 of Regulation (EU) 2017/625 respectively;

(9) ‘RASFF network’ means the Rapid alert system established as a network by Article 50 of Regulation (EC) No 178/2002 for the notifications referred to in points (15) to (20) of this Article;

(10) ‘AAC network’ means the network composed of the Commission and the liaison bodies designated by the Member States in accordance with Article 103(1) of Regulation (EU) 2017/625 for the purpose of facilitating communication between competent authorities;

(11) ‘fraud network’ means the network composed of the Commission, Europol and the liaison bodies designated by the Member States in accordance with Article 103(1) of Regulation (EU) 2017/625 for the specific purpose of facilitating the exchange of information on fraud notifications as defined in point (21);

(12) ‘alert and cooperation network’ means a network composed of the RASFF, AAC and fraud networks;

(13) ‘single contact point’ means a contact point composed of the RASFF and AAC contact points in each Member State, whether or not physically located in the same administrative unit;

(14) ‘non-compliance notification’ means a notification in iRASFF of a non-compliance with the rules referred to in Article 1(2) of Regulation (EU) 2017/625 that does not represent a risk within the meaning of Article 50 of Regulation (EC) No 178/2002 and Article 29 of Regulation (EC) No 183/2005;

(15) ‘alert notification’ means a notification in iRASFF of a serious direct or indirect risk deriving from food, food contact material or feed within the meaning of Article 50 of Regulation (EC) No 178/2002 and Article 29 of Regulation (EC) No 183/2005 that requires or might require rapid action by another RASFF network member;

(16) ‘information notification’ means a notification in iRASFF of a direct or indirect risk deriving from food, food contact material or feed according to Article 50 of Regulation (EC) No 178/2002 and Article 29 of Regulation (EC) No 183/2005 that does not require rapid action by another RASFF network member;

(17) ‘information notification for follow-up’ means an information notification related to a product that is or may be placed on the market of another RASFF network member’s country;

(18) ‘information notification for attention’ means an information notification related to a product that: (i) either is present only in the notifying network member’s country; or (ii) has not been placed on the market; or (iii) is no longer on the market;

(19) ‘news notification’ means a notification in iRASFF concerning a risk deriving from food, food contact material or feed within the meaning of Article 50 of Regulation (EC) No 178/2002 and Article 29 of Regulation (EC) No 183/2005 that has an informal source, contains unverified information or concerns as yet an unidentified product;

(20) ‘border rejection notification’ means a notification in iRASFF of a rejection of a batch, container or cargo of food, food contact material or feed due to a risk as referred to in point (c) of the first subparagraph of Article 50(3) of Regulation (EC) No 178/2002 and Article 29 of Regulation (EC) No 183/2005;

(21) ‘fraud notification’ means a non-compliance notification in iRASFF concerning suspected intentional action by businesses or individuals for the purpose of deceiving purchasers and gaining undue advantage therefrom, in violation of the rules referred to in Article 1(2) of Regulation (EU) 2017/625;

(22) ‘original notification’ means a non-compliance notification, an alert notification, an information notification, a news notification, a fraud notification or a border rejection notification;

(23) ‘follow-up notification’ means a notification in iRASFF that contains additional information in relation to an original notification;

(24) ‘request’ means a request for administrative assistance in iRASFF based on an original or follow-up notification and enabling the exchange of information pursuant to Articles 104 to 108 of Regulation (EU) 2017/625;

(25) ‘response’ means a response to a request for administrative assistance in iRASFF based on an original or follow-up notification and enabling the exchange of information pursuant to Articles 104 to 108 of Regulation (EU) 2017/625;

(26) ‘notifying network member or contact point’ means the network member or contact point addressing a notification to another network member or contact point;

(27) ‘notified network member or contact point’ means the network member or contact point to which a notification is addressed by another network member or contact point;

(28) ‘requested network member or contact point’ means the network member or contact point to which a notification is addressed by another network member or contact point for the purpose of receiving a response;

(29) ‘ADIS’ means the computerised information system for the notification and reporting of diseases to be set up and managed by the Commission in accordance with Article 22 of Regulation (EU) 2016/429;

(30) ‘ADIS network’ means the network composed of the Commission and Member States’ competent authorities for the functioning of ADIS;

(31) ‘EUROPHYT’ means the electronic notification system to be established by the Commission and to be connected to, and compatible with, the IMSOC for Member States’ submission of EUROPHYT outbreak notifications in accordance with Article 103 of Regulation (EU) 2016/2031;

(32) ‘EUROPHYT outbreak notification’ means a notification to be submitted in EUROPHYT of any of the following: (a) the officially confirmed presence on the Union territory of a Union quarantine pest, as referred to in points (a) and (b) of the first paragraph of Article 11 of Regulation (EU) 2016/2031; (b) the officially confirmed presence of a pest not included in the list of Union quarantine pests, as referred to in Article 29(1) of Regulation (EU) 2016/2031; (c) the presence in, or the imminent danger of entry into, or spread within, the Union territory of a pest not included in the list of Union quarantine pests, as referred to in Article 30(1) of Regulation (EU) 2016/2031; (d) the officially confirmed presence of a protected zone quarantine pest, as referred to in Article 33(1) of Regulation (EU) 2016/2031;

(35) ‘EUROPHYT outbreak network’ means the network composed by the Commission and Member States’ competent authorities for the functioning of EUROPHYT;

(36) ‘TRACES’ means the computerised system referred to in Article 133(4) of Regulation (EU) 2017/625 for the purposes of exchanging data, information and documents;

(37) ‘TRACES network’ means the network composed by the Commission and Member States’ competent authorities for the functioning of TRACES;

(38) ‘electronic signature’ means an electronic signature as defined in point (10) of Article 3 of Regulation (EU) No 910/2014;

(39) ‘advanced electronic signature’ means an electronic signature complying with the technical specifications laid down in the Annex to Implementing Decision (EU) 2015/1506;

(40) ‘qualified electronic signature’ means an electronic signature as defined in point (12) of Article 3 of Regulation (EU) No 910/2014;

(41) ‘advanced electronic seal’ means an electronic seal complying with the technical specifications laid down in the Annex to Implementing Decision (EU) 2015/1506;

(42) ‘qualified electronic seal’ means an electronic seal as defined in point (27) of Article 3 of Regulation (EU) No 910/2014;

(43) ‘qualified electronic time stamp’ means an electronic time stamp as defined in point (34) of Article 3 of Regulation (EU) No 910/2014;

(44) ‘control point’ means a control point as referred to in point (a) of Article 53(1) of Regulation (EU) 2017/625;

(45) ‘control unit’ means a unit that has the technology and equipment necessary for the efficient operation of the relevant component and designated as follows for that purpose: (a) ‘central control unit’ for the central competent authority of a Member State; (b) ‘regional control unit’ for any regional competent authority of a Member State; (c) ‘local control unit’ for any local competent authority of a Member State.

CHAPTER 2

General principles and data protection

Article 3

IMSOC components

The IMSOC shall be composed of the following components:

(a) iRASFF;

(b) ADIS;

(c) EUROPHYT;

(d) TRACES.

Article 4

Components, networks and contact points

The Commission shall establish a governance structure to steer the development of, identify priorities for and monitor the correct implementation of the IMSOC. The governance structure shall be composed of:

(a) an operations management board, in collaboration with the Member States, to discuss, at least once a year, priorities for and the development of each component;

(b) sub-groups within the operations management board that regularly discuss priorities for and the development of specific functionalities of each component.

Article 5

Ownership and responsibilities for data, information and documents

Article 6

Links between components

Links between components shall be aimed at:

(a) complementing data, information or documents in one or more components by data, information or documents already present in another component; and

(b) providing relevant and up-to-date information to each network member for the performance of its tasks in accordance with the rules set for each component in this Regulation; and

(c) supporting and operating the procedures for (i) determining and modifying the frequency rates of identity checks and physical checks to be performed on consignments of categories of animals and goods referred to in points (a), (b) and (c) of Article 47(1) of Regulation (EU) 2017/625; (ii) applying the frequency of identity checks and physical checks to be performed on consignments of categories of animals or goods referred to in points (d), (e) and (f) of that Article; (iii) the coordinated performance by competent authorities of the intensified official controls in case of suspicions of non-compliance referred to in Article 65(6) of that Regulation.

The links referred to in paragraph 1 shall consist in links between:

(a) iRASFF and TRACES, allowing the exchange of data concerning border rejection notifications and common health entry documents;

(b) EUROPHYT and TRACES, allowing the exchange of data concerning EUROPHYT outbreak notifications;

(c) iRASFF and TRACES, allowing the exchange of data concerning operators’ past records as regards compliance with the rules referred to in Article 1(2) of Regulation (EU) 2017/625;

(d) ADIS and TRACES, allowing the exchange of data and information concerning Union notifications.

Article 7

Electronic data exchange between components and other electronic systems

Data exchanges between the IMSOC and other electronic systems, including the Member States’ national systems, shall:

(a) be based on international standards that are relevant for the component and use XML, CMS or PDF formats;

(b) use the specific data dictionaries and business rules provided for in the relevant component.

The Commission shall provide the Member States with:

(a) the frequency of identity checks and physical checks referred to in point (c)(i) of Article 6(1);

(b) the frequency rates and the outcome of the coordinated performance by competent authorities of the intensified official controls referred to in point (c)(iii) of Article 6(1);

(c) the data dictionaries and business rules referred to in point (b) of paragraph 1.

Article 8

Obligations and rights of the Commission

The Commission shall have access to all data, information and documents in each component in order to monitor the exchange of data, information and documents inserted or produced therein for identifying activities that are, or appear to be, not in compliance with the rules referred to in Article 1(2) of Regulation (EU) 2017/625, and:

(a) either have, or might have, ramifications in more than one Member State; or

(b) are, or appear to be, taking place in more than one Member State.

Article 9

Conditions for the granting of partial access to the IMSOC to third countries and international organisations

On receipt of a duly justified application, the Commission, in collaboration with the Member States, may grant the competent authority of a third country or an international organisation partial access to the functionalities of one or more components and to specific data, information and documents inserted or produced therein, provided the applicant demonstrates, in respect of the component(s) in question, that it meets the following requirements:

(a) it has the legal and operational capacity to provide, without undue delay, the assistance necessary to allow the good functioning of the component to which partial access is requested;

(b) it has designated a contact point for that purpose;

Article 10

Personal data processing

Personal data shall be processed in each component for the purpose of performing official controls and other official activities. In particular, personal data shall belong to one of the following categories:

(a) contact points, operators, importers, exporters, transporters and laboratory technicians when personal data is required by Union law;

(b) users of each component.

Article 11

Data controllers and joint controllership

The Commission shall be responsible for:

(a) determining and implementing the technical means to enable data subjects to exercise their rights, and ensuring that those rights are exercised in compliance with Regulation (EU) 2018/1725;

(b) ensuring the security of processing within each component pursuant to Article 33 of Regulation (EU) 2018/1725;

(c) determining the categories of its staff and external providers to whom access to the components may be granted;

(d) notifying and communicating any personal data breach of the components to the European Data Protection Supervisor pursuant to Article 34 of Regulation (EU) 2018/1725 and to the data subject pursuant to Article 35 of that Regulation respectively;

(e) ensuring that its staff and external providers are adequately trained to perform their tasks in accordance with Regulation (EU) 2018/1725.

The competent authorities of the Member States shall be responsible for:

(a) ensuring that data subject’s rights are exercised in compliance with Regulation (EU) 2016/679 and this Regulation;

(b) ensuring the security and confidentiality of personal data pursuant to Section 2 of Chapter IV of Regulation (EU) 2016/679;

(c) designating the staff that are to have access to each component;

(d) ensuring that staff accessing each component are adequately trained to perform their tasks in accordance with Regulation (EU) 2016/679 and, where relevant, Directive (EU) 2016/680.

CHAPTER 3

Components, networks and contact points

SECTION 1

iRASFF

Article 12

Liaison bodies responsible for the exchange of certain types of information

Member States shall indicate which of the liaison bodies designated in accordance with Article 103(1) of Regulation (EU) 2017/625 are responsible for exchanging information on fraud notifications.

Article 13

Single contact point

The single contact point in each Member State shall be responsible for:

(a) setting up effective arrangements for the smooth exchange of relevant information with all relevant competent authorities within its jurisdiction, allowing the immediate transmission of notifications, requests or responses to the competent authorities for appropriate action, and maintaining the notifications, requests or responses in good order;