法律人 LawPlayer logo

資料由法律人 LawPlayer整理提供·EU law / curated by LawPlayer from EUR-Lex

Regulation

Commission Implementing Regulation (EU) 2024/3084 of 4 December 2024 on the functioning of the information system pursuant to Regulation (EU) 2023/1115 of the European Parliament and of the Council on the making available on the Union market and the export from the Union of certain commodities and products associated with deforestation and forest degradation

CELEX
Implementing Regulation (EU) 2024/3084
Date of document
Articles
19
Source
EUR-Lex
Article 1Subject matter

This Regulation lays down the rules for the functioning of the Information System, including rules for the protection of personal data and exchange of data with other IT systems.

Article 2Deployment and Use of the Information System

1.   The Commission shall:

(a)

develop the Information System as an independent module of TRACES platform;

(b)

ensure the functioning, maintenance, support and any necessary update or development of the Information System.

2.   The Information System shall be used by operators and traders, and if applicable, their authorised representatives, for submitting and managing Due Diligence Statements and verifying the validity of reference numbers, and by competent authorities, customs authorities and the Commission for accessing and acting on Due Diligence Statements, including the exchange of information containing personal data between competent authorities, customs authorities and the Commission in relation to implementation and enforcement of Regulation (EU) 2023/1115. Any such exchange of information shall comply with the rules on the protection of personal data laid down in Regulations (EU) 2016/679 and (EU) 2018/1725.

3.   The Due Diligence Statements are attributed in the Information System to the competent authorities in the following order:

(a)

if the Information System user provides information indicating the Member State where the relevant product enters or leaves the Union market, or in the absence of that, where the relevant product is placed or made available on the market, the Due Diligence Statements shall be attributed to the competent authorities of that Member State;

(b)

in the absence of the information required by subparagraph a), the Due Diligence Statements shall be attributed to the competent authorities of the Member State in which the Information System user is established. In case the Information System user is established outside the Union, then the Due Diligence Statements shall be attributed to the competent authorities of the Member State with which the Information System user is associated according to their identifier provided upon registration in the Information System.

Article 3Definitions

For the purposes of this Regulation, in addition to the definitions set out in Article 2 of Regulation (EU) 2023/1115, Article 4 of Regulation (EU) 2016/679, and Article 3 of Regulation (EU) 2018/1725, the following definitions shall apply:

(a)

‘Information System’ means the information system established and maintained by the Commission pursuant to Article 33 of Regulation (EU) 2023/1115;

(b)

‘Information System actor’ means the competent authorities and customs authorities pursuant to Regulation (EU) 2023/1115, and the Commission, to carry out the tasks conferred on them in accordance with Regulation (EU) 2023/1115;

(c)

‘Information System user’ means operators and traders, and their authorised representatives, where applicable, pursuant to Regulation (EU) 2023/1115 which are identified by individual registration within EU Login, the user authentication service of the European Commission;

(d)

‘Due Diligence Statement’ means Due Diligence Statement submitted by the Information System user pursuant to Regulation (EU) 2023/1115;

(e)

‘Reference number’ means the reference number assigned by the Information System to the Due Diligence Statement submitted by the Information System user pursuant to Regulation (EU) 2023/1115;

(f)

‘Verification number’ means a security number assigned by the Information System to the Due Diligence Statement submitted by the Information System user to ensure additional security of data contained in the Due Diligence Statement;

(g)

‘Risk profiling’ means the identification of the risks of non-compliance of a relevant product within the scope of Regulation (EU) 2023/1115 within the Information System, based on risk criteria, for the purpose of assigning to each Due Diligence Statement submitted in the Information System, including after any amendment thereof, a risk status reflecting these risks.

Article 4Submission of the Due Diligence Statements

1.   Except where the Due Diligence Statement is made available through the electronic interface referred to in Article 28(2) of Regulation (EU) 2023/1115, the Information System users shall submit and manage the Due Diligence Statements of relevant products in the Information System.

2.   Where a relevant product contains or has been made using wood, Information System users shall enter in the Due Diligence Statement the common names and full scientific names of the wood species which the relevant products contain or have been made with.

Article 5Amendment and withdrawal of Due Diligence Statements

1.   The Information System shall enable Information System users to amend or withdraw Due Diligence Statements within 72 hours after the reference number for the Due Diligence Statement was made available in the Information System.

2.   Due Diligence Statements cannot be amended or withdrawn within the duration set out in paragraph 1 after the Due Diligence Statement was used as a reference in a Due Diligence Statement submitted by the same or another Information System user.

3.   The Due Diligence Statement shall not be amended or withdrawn by an Information System user after:

(a)

the Information System user was notified about the intention to carry out a check on the Due Diligence Statement or on the relevant product associated with the Due Diligence Statement, for the period of the check;

(b)

the relevant product was placed on or made available on the Union market pursuant to Regulation (EU) 2023/1115;

(c)

the reference number of the Due Diligence Statement was provided or made available to customs authorities before the release for free circulation or export of a relevant product entering or leaving the market as part of the procedures laid down in Chapter 4 of Regulation (EU) 2023/1115.

4.   Without prejudice to paragraphs 2 and 3, upon individual and reasoned request of an Information System user, the competent authorities may extend the period referred to in paragraph 1 only when such period referred to in paragraph 1 has expired. Such extension shall not be longer than 8 calendar days. The request shall be based on reasons beyond the control of the Information System user, who shall, as part of their reasoned request, state that paragraph 3 of this Article is not applicable. Such extension shall also be possible retroactively after the period referred to in paragraph 1 has passed.

5.   The amended Due Diligence Statement shall be subject to risk profiling as set out in Article 6. The risk profiling shall apply to the whole amended Due Diligence Statement.

Article 6Risk profiling

1.   The Information System shall enable competent authorities to identify situations within the Information System where relevant products present such a high risk of non-compliance that they require immediate action before those relevant products are placed or made available on the market or exported, pursuant to Article 17 of Regulation (EU) 2023/1115, and to inform the competent authorities to identify the checks to be carried out and fulfil tasks conferred on them pursuant to Chapter 3 of Regulation (EU) 2023/1115.

2.   For the purposes of paragraph 1, the Information System shall enable competent authorities to set up risk profiles in the Information System to support informed decision for selecting operators or traders or relevant products associated to the Due Diligence Statements on which to carry out checks. These risk profiles shall be based, inter alia, on the risk criteria set out in their annual plan of checks pursuant to Article 16(5) of Regulation (EU) 2023/1115, which is established in accordance with their risk-based approach pursuant to Article 16(3) of Regulation (EU) 2023/1115.

3.   Upon its submission in the Information System, each Due Diligence Statement shall be subjected to an automated electronic risk profiling and the Information System shall assign a risk status to each Due Diligence Statement.

4.   At any stage after submission of a Due Diligence Statement, competent authorities may review a Due Diligence Statement to determine whether a relevant product complies with Article 3 of Regulation (EU) 2023/1115. In such case, they may assign to the Due Diligence Statement a new risk status as a result of the review. If the competent authority assigns a new risk status to a Due Diligence Statement, such new risk status takes precedence over a risk status assigned pursuant to paragraph 3 of this Article.

Article 7Assigning and making available reference numbers

1.   The Information System shall, without undue delay, assign a reference number and verification number to the Due Diligence Statement submitted by the Information System user after concluding the risk profiling referred to in Article 6.

2.   The reference number and verification number shall be made available to the Information System user upon concluding the risk profiling referred to in Article 6.

3.   The Information System shall enable competent authorities to delay the making available of the reference number to establish whether the relevant products comply with Article 3 of Regulation (EU) 2023/1115 and, in particular, to verify that the identified situation referred to in Article 6(1) of this Regulation is not applicable to that relevant product. Such delay shall be as short as possible and shall not exceed the period set out in Article 17(3) of Regulation (EU) 2023/1115. It may be further extended at the discretion of the competent authority.

Article 8Rejecting Due Diligence statements

1.   In order to prevent a relevant product not complying with Regulation (EU) 2023/1115 from being placed or made available on the market or exported pursuant to Article 17 of Regulation (EU) 2023/1115, the competent authorities may reject a Due Diligence Statement, unless the reference number of a Due Diligence Statement has already become available to the Information System user.

2.   The relevant product declared in a rejected Due Diligence Statement shall be deemed not covered by a Due Diligence Statement as required in Article 3, point (c) of Regulation (EU) 2023/1115.

3.   The rejection shall be reflected in the Information System by the assignment of a specific status to the concerned Due Diligence Statement.

Article 9Functions and responsibilities of the Commission

In addition to the tasks listed in Article 2(1), the Commission shall be responsible for carrying out the following tasks in relation to the Information System:

(a)

providing knowledge, training, and support, including technical assistance, to Information System users and Information System actors in relation to the use of the Information System;

(b)

granting access to Information System actors designated by each Member State;

(c)

granting access to Information System users, who are under the supervision of the competent authorities;

(d)

processing personal data in the Information System, where required in this Regulation, or for the implementation and enforcement under Regulation (EU) 2023/1115;

(e)

providing webservices for Information System users to submit and manage Due Diligence Statements in the Information System in an automated manner;

(f)

providing webservices for Member States competent authorities to perform tasks on submitted Due Diligence Statements in the Information System in an automated manner.

(g)

providing the electronic interface pursuant to Article 28 of Regulation (EU) 2023/1115;

(h)

suspending and revoking access of Information System users upon request of the competent authorities of the Member State in which the Information System user is established, or, in case the user is established outside the Union, the competent authorities of the Member State with which the Information System user is associated according to its identifier provided upon registration in the Information system.

Article 10Access rights of Information System users

1.   Only registered Information System users shall have access to the Information System.

2.   Authentication to the Information System shall take place via EU Login, the European Commission Authentication Service.

3.   Information System users shall have access to the information in the Information System which they have submitted, or to which they have been given access by another Information System user through reference numbers and verification numbers of associated Due Diligence Statements.

Article 11Access rights of Information System actors

1.   The Commission shall have access to all data, information and documents in the Information System for the purpose of producing reports and for the development, functioning and maintenance of the system.

2.   The Commission shall grant and may revoke access rights to the Information System actors in case of change in competencies pursuant to Article 14(2) of Regulation (EU) 2023/1115.

3.   Authentication to the Information System shall take place via EU Login, the European Commission Authentication Service.

4.   Information System actors shall put in place appropriate means to ensure that individual users representing Information System actors in the Information System are allowed to access personal data processed in the Information system only where strictly necessary for the implementation and enforcement under Regulation (EU) 2023/1115.

5.   Information System actors shall have access to all relevant information in the Information System which is necessary for the purpose of fulfilling their obligations and tasks under Regulation (EU) 2023/1115.

Article 12Processing of personal data in the Information System

1.   The transmission, storage and other processing of personal data in the Information System may take place only as necessary and proportionate and only for the following purposes:

(a)

supporting communications between Information System actors in connection with the implementation and enforcement under Regulation (EU) 2023/1115;

(b)

case-handling by Information System actors when carrying out their own activities in connection with the implementation and enforcement under Regulation (EU) 2023/1115;

(c)

performing the business and technical transformations of data listed in this Regulation, where this is necessary to enable the exchange and use of information referred to in points (a) and (b).

2.   The processing of personal data may take place in the Information System only in respect of the following categories of personal data:

(a)

identification data: first name and surname, unique identifier including the Economic Operators Registration and Identification number (‘EORI’), in accordance with Article 9 of Regulation (EU) No 952/2013 of the European Parliament and of the Council  ( 5 ) , if applicable;

(b)

professional contact details: email and postal address, country of residence or country of registered office, phone number and fax number, if applicable;

(c)

role of the Information System user;

(d)

data on geolocation pursuant to Article 2(28) of Regulation (EU) 2023/1115, where natural persons can be identified;

(e)

user authentication and access data to access the Information System: IP address and user name.

3.   The Information System shall store the categories of personal data listed in paragraph 2 which has been processed for the implementation and enforcement under Regulation (EU) 2023/1115.

4.   The storage of data referred to in paragraph 2 shall be performed using information technology infrastructure located in the European Economic Area.

5.   The Information System shall store the personal data contained in Due Diligence Statements not longer than 10 years from the date when the Due Diligence Statement is submitted in the Information System. The storage period may be further extended by the Commission upon individual request of Information System users or Information System actors where it is necessary to comply with their responsibilities and obligations under Regulation (EU) 2023/1115.

6.   Without prejudice to the data processing activities set out in Article 14, each Information System actor shall be a separate controller within the meaning of Regulations (EU) 2016/679 and (EU) 2018/1725 with respect to the data processing activities which the Information System actor performs.

7.   The national Supervisory Authorities and the European Data Protection Supervisor, each acting within the scope of their respective competence, shall ensure coordinated supervision of the Information System and its use by Information System actors and Information System users in accordance with Article 62 of Regulation (EU) 2018/1725.

Article 13Processing of personal data by the Commission

1.   The Commission shall be a controller within the meaning of Article 3, point (8), of Regulation (EU) 2018/1725 with respect to the processing of personal data of the Information System users, including the processing of personal data when registering Information System users in the Information System.

2.   Where the Commission processes personal data in the operation of the Information System on behalf of other Information System actors for the purpose of exchanging information under Article 27 of Regulation (EU) 2023/1115, it shall be considered a processor within the meaning of Article 3, point (12), of Regulation (EU) 2018/1725.

3.   The Commission shall be a processor within the meaning of Article 3, point (12), of Regulation (EU) 2018/1725 for the processing of personal data carried out for joint investigations pursuant to Article 21 of Regulation (EU) 2023/1115 carried out in the context of the implementation and enforcement under Regulation (EU) 2023/1115.

Article 14Joint controllership in the Information System

When competent authorities and customs authorities pursuant to Regulation (EU) 2023/1115 carry out implementation and enforcement in cooperation pursuant to Article 21 of Regulation (EU) 2023/1115, the concerned competent authorities and customs authorities shall be joint controllers, within the meaning of Article 26(1) of Regulation (EU) 2016/679, for the transmission, storage, and other processing of personal data in the Information System in the context of such particular cooperation. Where required according to Article 26(1) of Regulation (EU) 2016/679, the controllers shall determine their respective responsibilities for compliance with the obligations under Regulation (EU) 2016/679 by means of an arrangement between them.

Article 15Security

1.   The Commission shall put in place the necessary, state-of-the-art measures to ensure security of personal data processed in the Information System, including appropriate data access control and a security plan, which shall be kept up-to-date.

2.   The Commission shall put in place the necessary, state-of-the-art measures in the event of a security incident, take remedial action, and ensure that it shall be possible to verify what personal data have been processed in the Information System, when, by whom, and for what purpose.

3.   The Commission shall inform the competent authorities about the measures regarding paragraph 1 and 2 of this Article.

Article 16Confidentiality

1.   Each Member State and the Commission shall apply their own rules on professional secrecy or other equivalent duties of confidentiality in relation to the Information System in accordance with national or Union law.

2.   Each Information System actor shall ensure that demands from other Information System actors for confidential treatment of information exchanged in the Information System are complied with by individuals working under their authority.

Article 17Translation

1.   The Commission shall make the Information System available in all official languages of the Union.

2.   An Information System actor may produce and use, in relation to the performance of any of the tasks conferred on it in accordance with Regulation (EU) 2023/1115, any information, document, finding, statement, or certified true copy which it has received in the Information System, on the same basis as similar information obtained in its own country, for purposes compatible with those for which the data were originally collected and in accordance with relevant Union and national law.

Article 18Costs

1.   The costs incurred for the set-up, maintenance and operation of the Information System shall be borne by the Commission.

2.   The costs associated to the Information System at Member State level, including the human resources needed for training, promotion, technical assistance activities, as well as for the use of the Information System at national level and any adaptations required to national networks and information systems shall be borne by the Member State which incurs them.

Article 19Entry into force

This Regulation shall enter into force on the third day following that of its publication in the Official Journal of the European Union .

19 articles

Cite this act

Commission Implementing Regulation (EU) 2024/3084 of 4 December 2024 on the functioning of the information system pursuant to Regulation (EU) 2023/1115 of the European Parliament and of the Council on the making available on the Union market and the export from the Union of certain commodities and products associated with deforestation and forest degradation (EUR-Lex). Retrieved via LawPlayer, https://lawplayer.com/eu/act/32024R3084

© European Union, https://eur-lex.europa.eu, 1998-2026. Reuse authorised under Commission Decision 2011/833/EU, provided the source is acknowledged.

EU-EurLex-Reuse-2011-833

本頁資料來源:EUR-Lex·整理提供:法律人 LawPlayer· lawplayer.com