The Committee on the Internal Market and Consumer Protection adopted the report by Adam BIELAN (ECR, PL) on the proposal for a regulation of the European Parliament and of the Council on administrative cooperation through the Internal Market Information System (‘the IMI Regulation’).
The committee recommends that the European Parliament’s position in first reading following the ordinary legislative procedure should amend the Commission proposal as follows:
Treatment of personal data: the report states that all personal data and information circulated among the different competent authorities must be collected, processed and used for strictly legitimate purposes which are in line with data protection rules. Furthermore, all relevant safeguards against abuse of the system shall be firmly put in place.
Members inserted the following amendments:
· personal data processed in IMI shall be blocked in the system after a period of no longer than eighteen months after the formal closure of an administrative cooperation procedure;
· the storage of personal data included in the repository shall comply with the provisions of data protection set out in Union legislation on protection of personal data;
· data submitted by data subjects to IMI shall only be used for the purposes for which the data were submitted. Data subjects' consent shall also be required for extension of the use of those data to new areas or workflows.
· IMI actors shall ensure that data subjects are informed about processing of their personal data in IMI within 30 days of such processing. The correction and deletion shall be carried out as soon as possible, and at the latest 30 days after the request of data subject is received.
Development of IMI and its extension to other areas of Union law: Members oppose the Commission’s provisions on amending the scope of the Regulation through delegated acts. They suggest that the Commission may propose an amendment to the Annex to this Regulation if it decides that IMI is to be used for new legal acts of the Union.
· Before submitting a proposal, the Commission may carry out pilot projects of a limited duration or impact assessment, including data protection, in order to assess whether IMI would be an effective tool for the implementation of provisions on administrative cooperation of internal market acts not yet listed in the Annex.
· The Commission shall submit the results of the pilot project or of the impact assessment to the European Parliament and to the Council, and where appropriate, accompany them with a legislative proposal to amend the Annex for the expansion of IMI.
Competent authorities: an amendment states that Member States shall take all necessary measures to ensure effective application of this Regulation by the competent authorities. The latter shall fulfil their obligations under the Regulation in the same way as they would if acting at the request of another competent authority within their own Member State.
Commission’s role: the report stipulates that the Commission shall monitor the application of this Regulation and report back to the European Parliament, the Council and the European Data Protection Supervisor.
It also wants the Commission to play a consultative role in the process of designating the IMI coordinators and competent authorities.
Access rights of IMI actors and users: the committee considers that external actors should only have access to a public interface, which is technically separate from the IMI application and does not provide access to personal data exchange between competent authorities.
Lastly, Members want the Commission's internal control mechanisms to include data privacy assessments, including a security risk analysis, on the basis of which a data protection policy (including a security plan) will be adopted, as well as periodic reviews and auditing.