法律人 LawPlayer logo

資料由法律人 LawPlayer整理提供·EU law / curated by LawPlayer from EUR-Lex

Regulation

Commission Implementing Regulation (EU) 2022/1504 of 6 April 2022 laying down detailed rules for the application of Council Regulation (EU) No 904/2010 as regards the creation of a central electronic system of payment information (CESOP) to combat VAT fraud

CELEX
Implementing Regulation (EU) 2022/1504
Date of document
Articles
9
Source
EUR-Lex
Article 1Technical measures for establishing and maintaining CESOP

1.   The Commission shall develop technical measures for the establishment of CESOP with the following functionalities:

(a)

receiving payment data transmitted by Member States;

(b)

storing the payment data securely for a maximum period of 5 years from the end of the calendar year in which the Member States transmitted the information to it;

(c)

cleansing the payment data of anomalies and mistakes, including duplications of the same payment;

(d)

aggregating the payment data in relation to each payee;

(e)

allowing searches and visualisation of the payment data in CESOP;

(f)

analysing and performing crosschecks of the payment data with the data stored and exchanged in accordance with Article 17(1), points (a), (b), (d), (e) and (f), and Article 33(2), point (b), of Regulation (EU) No 904/2010:

(g)

performing automatic analytics and flag suspicious payees;

(h)

allowing Eurofisc liaison officials to perform non-automatic controls and analysis;

(i)

generating reports on the results of the analysis and controls performed by CESOP and the Eurofisc liaison officials;

(j)

providing user access control management infrastructure for the Eurofisc liaison officials;

(k)

allowing Eurofisc liaison officials to exchange information relating to cross-border VAT fraud investigation and detection directly in CESOP;

(l)

providing the technical infrastructure for Member States to manage access rights for their Eurofisc liaison officials.

2.   The Commission shall perform the following tasks for maintaining CESOP:

(a)

ensuring that CESOP and its functionalities are operational;

(b)

performing maintenance outside working hours;

(c)

providing the necessary technical updates for the proper functioning and improvement of CESOP;

(d)

handling technical problems.

Article 2Tasks of the Commission for technically managing CESOP

The Commission shall perform the following tasks to technically manage CESOP:

(a)

retaining and updating the list of Eurofisc liaison officials who have access to CESOP and their unique personal user identification in accordance with Article 5;

(b)

implementing the organisational and technical security measures referred to in Article 6;

(c)

establishing, keeping and maintaining a list of payment service providers who reported data pursuant to Article 24b(1) of Regulation (EU) No 904/2010, according to the data provided by Member States;

(d)

giving Eurofisc liaison officials who have access to CESOP automated access to the list maintained pursuant to point (c);

(e)

providing technical assistance to Eurofisc liaison officials when using CESOP;

(f)

providing training to Eurofisc liaison officials regarding the use of CESOP.

Article 3Connection and overall interoperability between CESOP and national electronic systems

1.   Member States shall take all the necessary measures to ensure that the national electronic systems for the collection of payment information set up pursuant to Article 24b(2) of Regulation (EU) No 904/2010 are functional and able to collect the payment information pursuant to Article 24b(1) of that Regulation.

2.   Member States shall transmit to CESOP only the payment information that is complete with all the mandatory fields pursuant to Article 243d of Directive 2006/112/EC and is in line with the requirements laid down in the Annex to this Regulation.

3.   The Commission shall ensure the interoperability between CESOP and the national electronic systems referred to in paragraph 1.

Article 4Standard electronic form

The electronic standard form referred to in Article 24b(1), point (b), of Regulation (EU) No 904/2010, shall be submitted in a standardised XML format in accordance with the data table in the Annex to this Regulation.

Article 5Practical arrangements regarding Eurofisc liaison officials who will have access to CESOP

1.   Member States shall designate the Eurofisc liaison officials who will have access to CESOP and communicate their names and email addresses to the Commission.

2.   Member States shall inform the Commission of any changes in the information provided under paragraph 1, including changes in the designated Eurofisc liaison officials, in a timely manner and no later than 30 calendar days after the change occurred.

3.   The Commission shall immediately provide the Eurofisc liaison officials referred to in paragraph 1 with a unique personal user identification to access CESOP.

Article 6Procedures for the technical and organisational security measures for the development and operation of CESOP

1.   The Member States shall provide the Commission with information on the application and every update of their own security measures at national level.

That information shall include details on the measures adopted to ensure only Eurofisc liaison officials referred to in Article 5 have access to CESOP and details on the measures adopted to ensure the encryption of the data transmitted by the Member States.

2.   The Commission shall, by 30 April each year from the year following the date of application of this Regulation, inform the Member States of the measures taken for the security of CESOP.

That information shall at least indicate the following:

(a)

the security incidents that occurred during the previous year and how they have been resolved;

(b)

details on security measures adopted or changes to the existing security measures;

(c)

an assessment of the existing security measures and whether the Commission considers any changes to those measures is needed.

Article 7Roles and responsibilities of the controllers and the processor

1.   Member States shall jointly be controllers, as defined in Article 4, point (7), of Regulation (EU) 2016/679, of CESOP. The responsibilities of the controllers of CESOP shall be determined in an agreement between the controllers, which shall set out the rules for the exercise of rights of the data subject and their duties in relation to the provision of the information referred to in Article 13 and 14 of Regulation (EU) 2016/679.

Member States shall be responsible for the following:

(a)

drawing up the technical specifications of CESOP, and where necessary adapting them, for the Commission to be able to:

(a)

establish and maintain CESOP pursuant to Article 1 of this Regulation;

(b)

technically manage CESOP pursuant to Article 2 of this Regulation;

(c)

ensure the interoperability of the national electronic systems referred to in Article 24b of Regulation (EU) No 904/2010 and CESOP pursuant to Article 3(3) of this Regulation;

(d)

take the security measures pursuant to Article 6(2), first subparagraph, of this Regulation;

(b)

setting out the rules and procedures for the selection of Eurofisc liaison officials who will have access to CESOP;

(c)

answering requests from data subjects regarding the exercise of the rights laid down in Chapter III of Regulation (EU) 2016/679.

2.   The Commission shall be processor, as defined in Article 3, point (12), of Regulation (EU) 2018/1725, of CESOP.

The Commission shall:

(a)

process the personal data on behalf of the Member States on their instructions and keep documentation for those instructions;

(b)

ensure the confidentiality of personal data when processed under this Regulation;

(c)

provide the necessary technical infrastructure for Member States to respond to the requests referred to in paragraph 1, point (c);

(d)

assist the Member States to comply with the obligations laid down in Articles 33 to 41 of Regulation (EU) 2016/679;

(e)

ensure the deletion of all personal data stored in CESOP in accordance with Article 24c(2), of Regulation (EU) No 904/2010;

(f)

make available to Member States all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by Member States or another auditor mandated by Member States, in full respect of Protocol (No 7) to the Treaty on the Functioning of the European Union on the Privileges and Immunities of the European Union.

Article 8

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union .

It shall apply from 1 January 2024.

Schedules & Appendices

ANNEXElectronic form for the transmission of data

ANNEX

Electronic form for the transmission of data

Box N°

Data Element name

Article 243d

Description

Format example

Mandatory

Checks performed at transmission to CESOP

1

BIC/ID reporting PSP

(1), point (a)

BIC as defined in Article 2, point (16), of Regulation (EU) No 260/2012 of the European Parliament and of the Council  ( 1 ) or any other business identifier code that unambiguously identifies the payment service provider transmitting the data.

BIC of the payment service provider providing the data.

Yes

Presence, syntactic check of the BIC

2

Payee name

(1), point (b)

All names of the payee as available in the records of the payment service providers, including legal name and business name.

Card acceptor name, Merchant name, Creditor name.

Yes

Presence

3

Payee VAT/TIN

(1), point (c)

VAT identification number and/or any other national tax number of the payee.

Optional Mandatory

Syntactic check of the VAT numbers from EU Member States

4

Payee account ID

(1), point (d)

IBAN as defined in Article 2, point (15), of Regulation (EU) No 260/2012 or, if not available, any other identifier, which unambiguously identifies and gives the location of the payee involved in the transaction.

IBAN, card acceptor ID, Merchant ID, E-account identifier.

Yes when funds are transferred to a payment account of the payee

Presence, syntactic check of the IBAN

5

BIC/ID Payee PSP

(1), point (e)

BIC or any other business identifier code that unambiguously identifies and gives the location of the payment service provider acting on behalf of the payee where the payee receives funds without having a payment account.

BIC.

Only when the payee receives funds without having a payment account

Presence, syntactic check of the BIC

6

Payee Address

(1), point (f)

All addresses of the payee as available in the records of the payment service providers (legal address, business address, warehouse address).

Card acceptor street, Merchant address, account owner address.

Optional Mandatory

7

Refund

(1), point (h)

Any reference that the transaction is a refund and link to the previous transaction reported.

If applicable

Presence

8

Date/time

(2), point (a)

Date and time of the execution of the payment transaction or of the payment refund.

Purchase date, execution date, transaction created date.

Yes

Presence, syntactic check

9

Amount

(2), point (b)

Amount of the payment transaction or of the payment refund.

Yes

Presence

10

Currency

(2), point (b)

Currency of the payment transaction or of the payment refund.

Yes

Presence, syntactic check of the currency code

11

MS origin payment

(2), point (c)

Member State of origin of the payment received by the payee.

Payer country code.

If transaction is a payment

Presence, syntactic check of the country code

12

MS Destination refund

(2), point (c)

Member State of destination of the refund.

Country code of the refund’s beneficiary.

If transaction is a refund under box 7

Presence, syntactic check of the country code

13

Payer Location information

(2), point (c)

Indication of the information used to determine the origin of the payment or the destination of the refund.

The details of the information shall not be transmitted to avoid identification of the payer.

Payment service providers indicate that the location was deduced from

IBAN Payer,

Cardholder BIN range,

Other.

The ID itself (IBAN number, BIN number, address) should never be transmitted.

Yes

Presence

14

Transaction ID

(2), point (d)

Any reference which unambiguously identifies the payment transaction.

Acquirer Reference, transaction ID.

Yes

Presence

15

Physical presence

(2), point (e)

Any reference which indicates the presence of the payer in the physical premises of the merchant when initiating the payment.

Point of Sale (POS) Entry Mode

If applicable

Presence

( 1 )   Regulation (EU) No 260/2012 of the European Parliament and of the Council of 14 March 2012 establishing technical and business requirements for credit transfers and direct debits in euro and amending Regulation (EC) No 924/2009 ( OJ L 94, 30.3.2012, p. 22 ).

9 articles

Cite this act

Commission Implementing Regulation (EU) 2022/1504 of 6 April 2022 laying down detailed rules for the application of Council Regulation (EU) No 904/2010 as regards the creation of a central electronic system of payment information (CESOP) to combat VAT fraud (EUR-Lex). Retrieved via LawPlayer, https://lawplayer.com/eu/act/32022R1504

© European Union, https://eur-lex.europa.eu, 1998-2026. Reuse authorised under Commission Decision 2011/833/EU, provided the source is acknowledged.

EU-EurLex-Reuse-2011-833

本頁資料來源:EUR-Lex·整理提供:法律人 LawPlayer· lawplayer.com