Legislative Observatory
European Parliament
Please fill in this field to find a procedure

Amending Council Decision 2009/917/JHA, as regards its alignment with Union rules on the protection of personal data

2023/0143(COD)

The European Parliament adopted by 630 votes to 1, with 6 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council amending Council Decision 2009/917/JHA, as regards its alignment with Union rules on the protection of personal data.

The proposal aims to bring the rules governing data protection in Council Decision 2009/917/JHA into line with the principles and rules laid down in the Directive on data protection in the field of law enforcement in order to establish a solid and coherent framework for the protection of personal data in the Union.

Parliament’s position adopted at first reading following the ordinary legislative procedure amended the Commission proposal as follows:

Customs Information System

It is clarified that the purpose of the Customs Information System, in accordance with this Decision, is to assist the competent authorities of the Member States with the prevention, investigation, detection or prosecution of criminal offences under national laws, by making information available more rapidly, thereby increasing the effectiveness of the cooperation and control procedures of the customs administrations of the Member States.

The Customs Information System should consist of a central database facility, accessible through terminals in each Member State. It should comprise exclusively data necessary to achieve its purpose, including personal data, in the following categories. Member States should determine the items to be entered into the Customs Information System relating to each of the categories, to the extent that this is necessary to achieve the purpose of that system.

In no case should the special categories of personal data referred to in Article 10 of Directive (EU) 2016/680 be entered into the Customs Information System.

Access to data

Direct access to data entered into the Customs Information System should be reserved to the national authorities designated by each Member State. Those national authorities should be customs administrations, but may also include other authorities competent, according to the laws, regulations and procedures of the Member State in question, to act in order to achieve the purpose of the Customs Information System.

The national authorities designated by each Member State, Europol and Eurojust may process non-personal data obtained from the Customs Information System in order to achieve the stated purpose, in compliance with any conditions imposed by the designated national authorities of the Member State which entered the non-personal data in that system.

Data obtained from the Customs Information System should only be used by national authorities in each Member State designated by the Member State in question, which are competent, in accordance with the laws, regulations and procedures of that Member State.

Transfer of data

Personal data obtained from the Customs Information System may, with the prior authorisation of, and subject to compliance with any conditions imposed by, the designated national authorities of the Member State which entered that data into that system, be:

- transmitted to, and further processed by, national authorities in accordance with Union or national law applicable to the protection of personal data; or

- transferred to, and further processed by, the competent authorities of third countries and international or regional organisations, in accordance with Union or national law applicable to the protection of personal data.

Modification of data

Subject to this Decision, where in any Member State a court, or other competent authority within that Member State, makes a final decision as to the amendment, supplementation, rectification or erasure of data in the Customs Information System, the Member States undertake mutually to enforce such a decision. In the event of conflict between such decisions of courts or of other competent authorities in different Member States, including of the national supervisory authorities, concerning rectification or erasure, the Member State which entered the data in question should erase them from that system.

Role of the European Data Protection Supervisor (EDPS)

The European Data Protection Supervisor should be responsible for monitoring the processing of personal data under this Decision by the Commission and for ensuring that it is carried out in accordance with this Decision. It should carry out an audit of the processing of personal data by the Commission under this Decision in accordance with international auditing standards at least every five years. A report on that audit should be sent to the European Parliament, to the Council, to the Commission and to the national supervisory authorities.

The European Data Protection Supervisor and the national supervisory authorities, acting within the scope of their respective competences, should cooperate actively within the framework of their responsibilities to ensure coordinated supervision of the operation of the Customs Information System.

Review

By 18 months from the date of entry into force of this Regulation, the personal data entered into the Customs Information System before the date of entry into force of this Regulation should be reviewed by the Member States which entered those data and, where necessary, updated or deleted in order to ensure that their processing complies with Decision 2009/917/JHA as amended by this Regulation.