Customs information system (CIS) is a common automated information system for customs purposes, which helps to prevent, investigate and prosecute breaches of Community customs and agricultural legislation. It increases the effectiveness of the cooperation and control procedures of the customs authorities by disseminating data and information quickly.
The CIS is managed by OLAF (the European Anti-Fraud Office). The information is exchanged through AFIS (anti-fraud information system) terminals in each Member States.
Direct access to data entered into the CIS shall be reserved to the national authorities designated by each Member State. Those national authorities shall be customs authorities, but may also include other authorities competent, according to the laws, regulations and procedures of the Member State in question. The Council may, by a unanimous decision, permit access to the CIS by international or regional organisations.
The CIS was established under the Convention on the use of information technology for customs purposes (CIS Convention) of 1995 which determined the operation of CIS, its security, use of customs operation, personal data protection, etc. The Convention was replaced by the Council Decision 2009/917/JHA on the use of information technology for customs purposes (CIS Decision) which applies from 27 May 2011. Its aim is to reinforce cooperation between customs administrations, by laying down procedures under which customs administrations may act jointly and exchange personal and other data concerned with illicit trafficking activities, using new technology for the management and transmission of such information. Its aim is also to enhance complementarity with actions in the context of cooperation with the Europol and Eurojust, by granting those bodies access to the Customs Information System, including the customs files identification database, to fulfil their tasks within their mandate.
The CIS Decision determines that Framework Decision 2008/977/JHA applies to the protection of the data exchange unless otherwise provided in the CIS Decision. The Framework Decision was repealed with the Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA with effect from 6 May 2018. From then on the references to the repealed Decision construe as references to this Directive.
Another important document regarding CIS is the Council Regulation (EC) of 13 March 1997 on mutual assistance between the administrative authorities of the Member States and cooperation between the latter and the Commission to ensure the correct application of the law on customs and agricultural matters (Regulation 515/97). Its aim is to establish common automated information system for customs purposes, which helps to prevent, investigate and prosecute breaches of Community customs and agricultural legislation. It increases the effectiveness of the cooperation and control procedures of the customs authorities by disseminating data and information quickly.
Regulation 515/97 was amended in 2008 with the Regulation (EC) No 766/2008 of the European Parliament and of the Council of 9 July 2008 amending Council Regulation (EC) No 515/97 on mutual assistance between the administrative authorities of the Member States and cooperation between the latter and the Commission to ensure the correct application of the law on customs and agricultural matters (Regulation 766/2008). Amendments apply mostly to cooperation between customs authorities and more common and efficient use of the information system. From the personal data protection aspect amendments focus on:
enhanced supervision over CIS
improvement of cooperation between national data protection authorities and between them and European Data Protection Supervisor
providing sufficient guarantees to ensure the protection of the rights of the data subject regarding processing of the personal data
improvement of personal data protection with regard to transfers to third countries
transfer of personal data protection jurisdiction from European Ombudsman to European data Protection Supervisor
establishment of FIDE (Customs files identification database) and enforcement of framework for protection of personal data contained in it.
1. CIS and personal data
CIS consists of a central database facility accessible through terminals in each Member State and Commission. It comprises exclusively data necessary to achieve its aim, including personal data, in the following categories:
(b) means of transport;
(e) fraud trends;
(f) availability of expertise:
(g) items detained, seized or confiscated;
(h) cash detained, seized or confiscated.
Category (e) may not in any event contain personal data. The items of information entered in respect of persons in the categories (a) do (d) comprise no more than:
· name, maiden name, forenames, former surnames and aliases;
· date and place of birth;
· number and place and date of issue of the identity papers (passports, identity cards, driving licences)
· any particular objective and permanent physical characteristics;
· reason for entering data;
· suggested action;
· a warning code indicating any history of being armed, violent or of escaping;
· registration number of the means of transport.
In no case personal data on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, data concerning health, sex life or sexual orientation may be entered in the CIS.
Entering data into the CIS and processing of data is regulated by laws, regulations and procedures of the Member State supplying them. Only the supplying Member State has the right to amend, supplement, rectify or erase data which it has entered in the CIS.
2. Personal data protection supervision
Regulation 766/2008 determined that European Data Protection Supervisor supervises compliance of the CIS with Regulation (EC) 45/2001.
For purpose of improvement of cooperation between national data protection authorities and between them and European Data Protection Supervisor (EDPS) at least once a year a meeting between EDPS and national data protection authorities will be held under the organisation of EDPS.
National supervisory authorities, responsible for CIS supervision, currently cooperate in Joint Supervisory Authority (JSA Customs) as determined in Art 25 of the CIS Decision. It consists of two representatives from each Member State’s respective independent supervisory authority or authorities.
The Joint Supervisory Authority performs its tasks in conformity with the provisions of the CIS Decision and Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention No 108), while taking into account the Recommendation No. R(87)15 on regulating the use of personal data in the police sector.
The Joint Supervisory Authority is competent to:
supervise operation of the CIS,
examine any difficulties of application or interpretation which may arise during its operation,
study problems which may arise with regard to the exercise of independent supervision by the national supervisory authorities of the Member States, or in the exercise of rights of access by individuals to the system,
draw up proposals for the purpose of finding joint solutions to problems.
For the purpose of fulfilling its responsibilities, the Joint Supervisory Authority has access to the CIS.
Reports drawn up by the Joint Supervisory Authority shall be forwarded to the authorities to which the national supervisory authorities submit their reports, to the European Parliament and the Council.
The Joint Supervisory Authority and EDPS, each acting within the scope of their respective competences, shall cooperate in the framework of their responsibilities and shall ensure coordinated supervision of the CIS, including for issuing relevant recommendations.
The Joint Supervisory Authority and the European Data Protection Supervisor shall meet for that purpose at least once a year. The costs and servicing of these meetings shall be for the account of the European Data Protection Supervisor.
National supervisory authorities (Information Commissioner in Slovenia), in conformity with their respective national legislation, carry out independent supervision and checks to ensure that processing and use of data held in CIS do not violate the rights of data subjects.
3. Data retention
Storage periods shall be determined in accordance with the laws, regulations and procedures of the Member State entering the data. However, the following time limits, starting on the date on which the data were entered in the file, may not be exceeded:
data relating to current investigation files shall not be retained beyond a period of three years if it has not been established that an infringement has taken place within that time period. The data shall be erased before the expiry of the three-year period if 12 months have passed since the last investigative act;
data relating to investigation files which have established that an infringement has taken place but which have not yet led to a conviction or to imposition of a fine shall not be retained beyond a period of 6 years;
data relating to investigation files which have led to a conviction or a fine shall not be retained beyond a period of 10 years.
4. Establishment of FIDE
Regulation 766/2008 has established a new database – Customs files identification database (FIDE). The CIS includes FIDE and all the provisions of the Regulation 766/2008 relating to the CIS shall also apply to the FIDE. The objectives of the FIDE are to help to prevent operations in breach of customs legislation and of agricultural legislation applicable to goods entering or leaving the customs territory of the Community and to facilitate and accelerate their detection and prosecution. The purpose of the FIDE shall be to allow the Commission, when it opens a coordination file or prepares a Community mission in a third country, and the competent authorities of a Member State, when they open an investigation file or investigate one or more persons or businesses, to identify the competent authorities of the other Member States or the Commission departments which are or have been investigating the persons or businesses concerned, in order to achieve the objectives specified above by means of information on the existence of investigation files.
The competent authorities may enter data from investigation files in the FIDE concerning cases which are in breach of customs legislation or agricultural legislation applicable to goods entering or leaving the customs territory of the Community and which are of particular relevance at Community level. The data covers only the following categories:
persons and businesses which are or have been the subject of an administrative enquiry or a criminal investigation by the relevant service of a Member State, and:
are suspected of committing or of having committed a breach of customs or agriculture legislation or of participating in or of having participated in an operation in breach of such legislation,
have been the subject of a finding relating to such an operation, or
have been the subject of an administrative decision or an administrative penalty or judicial penalty for such an operation;
the field concerned by the investigation file;
the name, nationality and details of the relevant service in the Member State and the file number.
The data are introduced separately for each person or business. The creation of links between those data is prohibited.
The personal data referred to in first point consist only of the following: name, maiden name, forename, former surnames and alias, date and place of birth, nationality and sex.
5. The rights of the data subjects regarding processing of their personal data in the CIS
The rights of persons with regard to personal data in the Customs Information System, in particular their right of access, to rectification, erasure or blocking shall be exercised in accordance with the laws, regulations and procedures of the Member State implementing Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA in which such rights are invoked.
Access shall be refused to the extent that such refusal is necessary and proportionate in order not to jeopardise any ongoing national investigations, or during the period of discreet surveillance or sighting and reporting. When the applicability of such an exemption is assessed, the legitimate interests of the person concerned shall be taken into account.
In the territory of each Member State, any person may, in accordance with the laws, regulations and procedures of the Member State in question, bring an action or, if appropriate, a complaint before the courts or the authority competent under the laws, regulations and procedures of that Member State concerning personal data relating to himself on the Customs Information System, in order to:
· rectify or erase factually inaccurate personal data;
· rectify or erase personal data entered or stored in the CIS contrary to this Decision;
· obtain access to personal data;
· block personal data;
· obtain compensation.