IMSOC

The European Commission (hereafter ‘the Commission’) is committed to protect your personal data and to respect your privacy. The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (repealing Regulation (EC) No 45/2001).

This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor.

The information in relation to processing operation “Information management system for official controls (IMSOC)” undertaken by Directorate-General for Health and Food Safety, which has determined the purpose(s) and the means of the processing of personal data is presented below.

Purpose of the processing operation: Directorate-General for Health and Food Safety collects and uses your personal information in each of the components of the IMSOC, for the performance of official controls and other official activities. Data subjects have to provide some certain data in order to register, gain access and perform operations in the web applications under the IMSOC. The IMSOC is composed of four (4) components:

• iRASFF;
• ADIS;
• EUROPHYT;
• TRACES.

Data subjects connected to the web applications linked to these components have to create an ECAS account (EU Login), where they need to insert their personal details and data. Their data will be used and processed in the web applications of the aforementioned components of the IMSOC for the performance of the operations relevant to the official controls and other official activities.

Data subjects can manage, modify and update the personal data that they provide. The purpose of the personal data processing is the performance of official controls and other official activities in relation to animals and goods that are being imported and exported from, and transported through the EU.

More in particular the process of data aims to ensure that all the procedures relevant to the performance of official controls will be properly recorded in the IMSOC in order to enhance food safety, traceability and a rapid response in the cases of detection of dangerous goods.

Your personal data will not be used for an automated decision-making including profiling.

The personal data is being processed, because:

• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;
• processing is necessary for compliance with a legal obligation to which the controller is subject;
• processing is necessary in order to protect the vital interests of the data subject or of another natural person.

The legal basis for the data processing is:

The legal basis for the data processing operations performed by the components of the IMSOC derives from the provisions laid down in Commission Implementing Regulation (EU) 2019/1715 laying down rules for the functioning of the information management system for official controls and its system components (the IMSOC Regulation).

The legal basis of the IMSOC Implementing Regulation derives from the General Food law [Regulation (EC) No 178/2002], the Animal Health Law [Regulation (EU) 2016/429], the Plant Health Law [Regulation (EU) 2016/2031], and the Official Controls Regulation [Regulation (EU) 2017/625].

The Official controls Regulation requires the Commission, in collaboration with Member States, to set up and manage a computerised information system for official controls (IMSOC) to manage, handle and automatically exchange data, information and documents in relation to official controls.

The IMSOC is to integrate the four existing information systems managed by the Commission, namely the iRASFF (implementing the RASFF and AAC procedures described in Article 50 of Regulation (EC) No 178/2002 and Articles 102 to 108 of Regulation (EU) 2017/625 respectively), the Animal Diseases Information System (ADIS established pursuant to the Animal Health Law), the system for notifying and reporting pests’ presence (EUROPHYT - established by the Plant Health Law) and the TRACES system (referred to in the Official Controls Regulation).

The purpose of the IMSOC Regulation is to gather in the same act all provisions relating to the functioning of the IMSOC and its four components and establish rules for the exchange of data, information and documents between IMSOC’s components and, in certain cases, with other systems such as Member States’ national systems, information systems of the third countries and international organisations.

The following categories of personal data are requested in order to sign into the web applications of IMSOC’s components through ECAS and SAAS (authentication and authorisation systems – EU Login), and consequently processed for the performance of the operations relevant to the performance of official controls and other official activities:

• first name;
• family name;
• e-mail;
• country;

In addition, the following personal data are processed:

• Economic operator's data that are being collected include the operator's name, address, contact details. Users attached to these operators have to indicate their personal details (name, contact details and where appropriate identification data). When submitting a document/certificate into IMSOC, the name of the user performing the submission is visible.
• Officials from national authorities’ data include the users' personal details (name, contact details, position). These users are attached to their respective central/regional/local/border control authority. Upon performance of operations within IMSOC their name and role are visible.
• Attachments, and notably laboratory reports contain the personal data of the responsible(s) technician(s) for the analysis (name, surname, position and contact details).

The Data Controller only keeps your personal data to fulfil the purpose of collection or further processing.

Personal data collected by the respective components of the IMSOC in the context of official controls are being stored as follows:

• iRASFF: Personal data from closed notifications shall be stored for no longer than 10 years
• ADIS: Personal data used to access ADIS shall be stored in ADIS for no more than 10 years.
• EUROPHYT: Personal data from EUROPHYT outbreak notifications shall be stored for no more than 10 years.
• TRACES: Personal data from the certificates and CHEDs issued in or transmitted to TRACES shall be stored by TRACES and the Member States’ national systems for no more than 10 years.

Personal data collected by the respective components of the IMSOC concerning the users’ access into IMSOC and its components are stored for no longer than 10 years after the deactivation of the respective IMSOC users’ accounts.

All personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are stored either on the servers of the European Commission. All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.

In order to protect your personal data, the Commission has put in place a number of technical and organisational measures in place. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.

Pursuant to the necessary security measures in order to safeguard that the personal data is processed securely without unauthorized access, the IMSOC Regulation foresees that every operator and competent authority shall have access to data, information or documents that are handled, produced or transmitted under their area of responsibility. Therefore, every user in each component of the IMSOC is allowed to have access to data which are directly relevant to the operations that he/she performs within the IMSOC. The servers where the relevant data is stored are hosted in the data centre of DG DIGIT, located in Luxembourg and DG DIGIT’s security standards are applied.

Access to your personal data is provided to the Commission staff responsible for carrying out this processing operation and to authorised staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements.

Your information is shared (in read only) between the IMSOC network members.

The Commission and in particular the Controller cannot be held responsible for the use and processing of the information that may be made by persons who do not belong to the Commission.

In accordance with Article 5(1) of the IMSOC Regulation, “each [IMSOC] network member shall own and be responsible for the data, information and documents its contact point or users acting under its responsibility have inserted or produced in the relevant component”.

The persons in Directorate-General for Health and Food Safety who have access to all collected personal data and have the possibility to modify them upon request are: the Controller, identified officials in the unit in charge of the IMSOC, identified officials in the IT sector in charge of the technical assistance to the units.

The recipients of the data can be distinguished as indicated below:

Recipients within the EU organization:

• Commission Officials
• Commission External staff

Recipients outside the EU organization:

• EU Member States and non-EU countries competent authorities (in order to overview and manage the information, data and relevant documents that are exchanged under their area of responsibility);
• EU and non-EU economic operators (importers/exporters/transporters) – (access to data relevant to their area of activity and their national competent authorities);
• Laboratory technicians - (access to relevant data and documents concerning consignments that should undergo laboratory tests and analyses);
• Customs authorities - (access to relevant data, documents and information exchanged and transmitted into IMSOC for monitoring purposes).

Each category of the above recipients has access to the relevant data and information which directly concerns it and which is under its area of direct responsibility within IMSOC.

The controller will transfer your personal data to the following recipients in a third country or to an international organisation in accordance with Regulation (EU) 2018/1725:

• Competent authorities of non-EU countries - in cases where these countries need to be notified of an alert related to the official controls;
• World Health Organization - disclosure of personal data may be performed in the context of requests for data which relate to the introduction into the Union of consignments which may pose risks to public health;
• European Plant Protection Organization (EPPO) - disclosure of personal data may be performed in the context of requests for data which relate to cases of introduction into the Union of consignments which may pose risks to plant health (introduction of pests);
• Europol - in the context of investigations against food fraud cases;
• Interpol - in the context of investigations against food fraud cases.

The controller will transfer your personal data based on:

• The European Commission's adequacy decision (Article 47 of Regulation (EU) 2018/1725) for cases of non-EU countries where such decision applies.
• A derogation (Article 50(1)(d) of Regulation (EU) 2018/1725) since the transfer is necessary for important reasons of public interest.

You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access, your personal data and to rectify them in case your personal data are inaccurate or incomplete. Where applicable, you have the right to erase your personal data, to restrict the processing of your personal data, to object to the processing, and the right to data portability.

You have the right to object to the processing of your personal data, which is lawfully carried out pursuant to Article 5(1)(a) on grounds relating to your particular situation.

You can exercise your rights by contacting the Data Controller, or in case of conflict the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.

Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under Heading 10 below) in your request.

The Data Controller

If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller, Directorate-General for Health and Food Safety. If a data subject who is not a user wants to verify his/her personal data stored into IMSOC, to modify/correct/delete them, she/he should submit an e-mail message to one of the following addresses (depending on the web application of the component that is being used by the user):

• TRACES - IMSOC (sante-traces@ec.europa.eu)
• iRASFF support (sante-rasff-application-support@ec.europa.eu)
• Europhyt outbreaks (SANTE-OUTBREAKS-EUROPHYT-SUPPORT@ec.europa.eu)
• ADIS (SANTE-ADIS-SUPPORT@ec.europa.eu)

The Data Protection Officer (DPO) of the Commission

You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.

The European Data Protection Supervisor (EDPS)

You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor (edps@edps.europa.eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.

The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him. You may access the register via the following link: http://ec.europa.eu/dpo-register.

This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-02027