Regulation (EU) No 1024/2012 of the European Parliament and of the Council of 25 October 2012 on administrative cooperation through the Internal Market Information System and repealing Commission Decision 2008/49/EC (‘the IMI Regulation’) (Text with EEA relevance)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee⁽¹⁾,

Acting in accordance with the ordinary legislative procedure⁽²⁾,

Whereas:

1. The application of certain Union acts governing the free movement of goods, persons, services and capital in the internal market requires Member States to cooperate more effectively and exchange information with one another and with the Commission. As practical means to implement such information exchange are often not specified in those acts, appropriate practical arrangements need to be made.

2. The Internal Market Information System (‘IMI’) is a software application accessible via the internet, developed by the Commission in cooperation with the Member States, in order to assist Member States with the practical implementation of information exchange requirements laid down in Union acts by providing a centralised communication mechanism to facilitate cross-border exchange of information and mutual assistance. In particular, IMI helps competent authorities to identify their counterpart in another Member State, to manage the exchange of information, including personal data, on the basis of simple and unified procedures and to overcome language barriers on the basis of pre-defined and pre-translated workflows. Where available, the Commission should provide IMI users with any existing additional translation functionality that meets their needs, is compatible with the security and confidentiality requirements for the exchange of information in IMI and can be offered at a reasonable cost.

3. In order to overcome language barriers, IMI should in principle be available in all official Union languages.

4. The purpose of IMI should be to improve the functioning of the internal market by providing an effective, user-friendly tool for the implementation of administrative cooperation between Member States and between Member States and the Commission, thus facilitating the application of Union acts listed in the Annex to this Regulation.

5. The Commission Communication of 21 February 2011 entitled ‘Better governance of the Single Market through greater administrative cooperation: A strategy for expanding and developing the Internal Market Information System (“IMI”)’ sets out plans for the possible expansion of IMI to other Union acts. The Commission Communication of 13 April 2011 entitled ‘Single Market Act: Twelve Levers to boost growth and strengthen confidence — “Working together to create new growth”’ stresses the importance of IMI for strengthening cooperation among the actors involved, including at local level, thus contributing to better governance of the single market. It is therefore necessary to establish a sound legal framework for IMI and a set of common rules to ensure that IMI functions efficiently.

6. Where the application of a provision of a Union act requires Member States to exchange personal data and provides for the purpose of this processing, such a provision should be considered an adequate legal basis for the processing of personal data, subject to the conditions set out in Articles 8 and 52 of the Charter of Fundamental Rights of the European Union. IMI should be seen primarily as a tool used for the exchange of information, including personal data, which would otherwise take place via other means, including regular mail, fax or electronic mail on the basis of a legal obligation imposed on Member States’ authorities and bodies in Union acts. Personal data exchanged via IMI should only be collected, processed and used for purposes in line with those for which it was originally collected and should be subject to all relevant safeguards.

7. Following the privacy-by-design principle, IMI has been developed with the requirements of data protection legislation in mind and has been data protection-friendly from its inception, in particular because of the restrictions imposed on access to personal data exchanged in IMI. Therefore, IMI offers a considerably higher level of protection and security than other methods of information exchange such as regular mail, telephone, fax or electronic mail.

8. Administrative cooperation by electronic means between Member States and between Member States and the Commission should comply with the rules on the protection of personal data laid down in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data⁽³⁾ and in Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data⁽⁴⁾. The definitions used in Directive 95/46/EC and Regulation (EC) No 45/2001 should also apply for the purposes of this Regulation.

9. The Commission supplies and manages the software and IT infrastructure for IMI, ensures the security of IMI, manages the network of national IMI coordinators and is involved in the training of and technical assistance to the IMI users. To that end, the Commission should only have access to such personal data that are strictly necessary to carry out its tasks within the responsibilities set out in this Regulation, such as the registration of national IMI coordinators. The Commission should also have access to personal data when retrieving, upon a request by another IMI actor, such data that have been blocked in IMI and to which the data subject has requested access. The Commission should not have access to personal data exchanged as part of administrative cooperation within IMI, unless a Union act provides for a role for the Commission in such cooperation.

10. In order to ensure transparency, in particular for data subjects, the provisions of Union acts for which IMI is to be used should be listed in the Annex to this Regulation.

11. IMI may be expanded in the future to new areas, where it can help to ensure effective implementation of a Union act in a cost-efficient, user-friendly way, taking account of technical feasibility and overall impact on IMI. The Commission should conduct the necessary tests to verify the technical readiness of IMI for any envisaged expansion. Decisions to expand IMI to further Union acts should be taken by means of the ordinary legislative procedure.

12. Pilot projects are a useful tool for testing whether the expansion of IMI is justified and for adapting technical functionality and procedural arrangements to the requirements of IMI users before a decision on the expansion of IMI is taken. Member States should be fully involved in deciding which Union acts should be subject to a pilot project and on the modalities of that pilot project, in order to ensure that the pilot project reflects the needs of IMI users and that the provisions on processing of personal data are fully complied with. Such modalities should be defined separately for each pilot project.

13. Nothing in this Regulation should preclude Member States and the Commission from deciding to use IMI for the exchange of information which does not involve the processing of personal data.

14. This Regulation should set out the rules for using IMI for the purposes of administrative cooperation, which may cover, inter alia, the one-to-one exchange of information, notification procedures, alert mechanisms, mutual assistance arrangements and problem-solving.

15. The right of the Member States to decide which national authorities carry out the obligations resulting from this Regulation should remain unaffected by this Regulation. Member States should be able to adapt functions and responsibilities in relation to IMI to their internal administrative structures, as well as to implement the needs of a specific IMI workflow. Member States should be able to appoint additional IMI coordinators to carry out the tasks of national IMI coordinators, alone or jointly with others, for a particular area of the internal market, a division of the administration, a geographic region, or according to another criterion. Member States should inform the Commission of the IMI coordinators they have appointed, but they should not be obliged to indicate additional IMI coordinators in IMI, where this is not required for its proper functioning.

16. In order to achieve efficient administrative cooperation through IMI, Member States and the Commission should ensure that their IMI actors have the necessary resources to carry out their obligations in accordance with this Regulation.

17. While IMI is in essence a communication tool for administrative cooperation between competent authorities, which is not open to the general public, technical means may need to be developed to allow external actors such as citizens, enterprises and organisations to interact with the competent authorities in order to supply information or retrieve data, or to exercise their rights as data subjects. Such technical means should include appropriate safeguards for data protection. In order to ensure a high level of security, any such public interface should be developed in such a way as to be technically fully separate from IMI, to which only IMI users should have access.

18. The use of IMI for the technical support of the SOLVIT network should be without prejudice to the informal character of the SOLVIT procedure which is based on a voluntary commitment of the Member States, in accordance with the Commission Recommendation of 7 December 2001 on principles for using ‘SOLVIT’ — the Internal Market Problem Solving Network⁽⁵⁾ (‘the SOLVIT Recommendation’). To continue the functioning of the SOLVIT network on the basis of existing work arrangements, one or more tasks of the national IMI coordinator may be assigned to SOLVIT centres within the remit of their work, so that they can function independently from the national IMI coordinator. The processing of personal data and of confidential information as part of SOLVIT procedures should benefit from all guarantees set out in this Regulation, without prejudice to the non-binding character of the SOLVIT Recommendation.

19. While IMI includes an internet-based interface for its users, in certain cases and at the request of the Member State concerned, it may be appropriate to consider technical solutions for the direct transfer of data from national systems to IMI, where such national systems have already been developed, notably for notification procedures. The implementation of such technical solutions should depend on the outcome of an assessment of their feasibility, costs and expected benefits. Those solutions should not affect the existing structures and the national order of competencies.

20. Where Member States have fulfilled the obligation to notify under Article 15(7) of Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market⁽⁶⁾ by using the procedure in accordance with Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society services⁽⁷⁾, they should not also be required to make the same notification through IMI.

21. The exchange of information through IMI follows from the legal obligation on Member States’ authorities to give mutual assistance. To ensure that the internal market functions properly, information received by a competent authority through IMI from another Member State should not be deprived of its value as evidence in administrative proceedings solely on the ground that it originated in another Member State or was received by electronic means, and it should be treated by that competent authority in the same way as similar documents originating in its Member State.

22. In order to guarantee a high level of data protection, maximum retention periods for personal data in IMI need to be established. However, those periods should be well-balanced taking into due consideration the need for IMI to function properly, as well as the rights of the data subjects to fully exercise their rights, for instance by obtaining evidence that an information exchange took place in order to appeal against a decision. In particular, retention periods should not go beyond what is necessary to achieve the objectives of this Regulation.

23. It should be possible to process the name and contact details of IMI users for purposes compatible with the objectives of this Regulation, including monitoring of the use of the system by IMI coordinators and the Commission, communication, training and awareness-raising initiatives, and gathering information on administrative cooperation or mutual assistance in the internal market.

24. The European Data Protection Supervisor should monitor and seek to ensure the application of this Regulation, inter alia by maintaining contacts with national data protection authorities, including the relevant provisions on data security.

25. In order to ensure the effective monitoring of, and reporting on, the functioning of IMI and the application of this Regulation, Member States should make relevant information available to the Commission.

26. Data subjects should be informed about the processing of their personal data in IMI and of the fact that they have the right of access to the data relating to them and the right to have inaccurate data corrected and illegally processed data erased, in accordance with this Regulation and national legislation implementing Directive 95/46/EC.

27. In order to make it possible for the competent authorities of the Member States to implement legal provisions for administrative cooperation and efficiently exchange information by means of IMI, it may be necessary to lay down practical arrangements for such an exchange. Those arrangements should be adopted by the Commission in the form of a separate implementing act for each Union act listed in the Annex or for each type of administrative cooperation procedure and should cover the essential technical functionality and procedural arrangements required to implement the relevant administrative cooperation procedures via IMI. The Commission should ensure the maintenance and development of the software and IT infrastructure for IMI.

28. In order to ensure sufficient transparency for data subjects, the predefined workflows, question and answer sets, forms and other arrangements relating to administrative cooperation procedures in IMI should be made public.

29. Where Member States apply, in accordance with Article 13 of Directive 95/46/EC, any limitations on or exceptions to the rights of data subjects, information about such limitations or exceptions should be made public in order to ensure full transparency for data subjects. Such exceptions or limitations should be necessary and proportionate to the intended purpose and subject to adequate safeguards.

30. Where international agreements are concluded between the Union and third countries that also cover the application of provisions of Union acts listed in the Annex to this Regulation, it should be possible to include the counterparts of IMI actors in such third countries in the administrative cooperation procedures supported by IMI, provided that it has been established that the third country concerned offers an adequate level of protection of personal data in accordance with Directive 95/46/EC.

31. Commission Decision 2008/49/EC of 12 December 2007 concerning the implementation of the Internal Market Information System (IMI) as regards the protection of personal data⁽⁸⁾ should be repealed. Commission Decision 2009/739/EC of 2 October 2009 setting out the practical arrangements for the exchange of information by electronic means between the Member States under Chapter VI of Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market⁽⁹⁾ should continue to apply to issues relating to the exchange of information under Directive 2006/123/EC.

32. In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers⁽¹⁰⁾.

33. The performance of the Member States regarding the effective application of this Regulation should be monitored in the annual report on the functioning of IMI based on statistical data from IMI and any other relevant data. The performance of Member States should be evaluated, inter alia, based on average reply times with the aim of ensuring rapid replies of good quality.

34. Since the objective of this Regulation, namely laying down the rules for the use of IMI for administrative cooperation, cannot be sufficiently achieved by the Member States and can therefore, by reason of its scale and effects, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

35. The European Data Protection Supervisor has been consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on 22 November 2011⁽¹¹⁾,

HAVE ADOPTED THIS REGULATION: