Primary repository privacy statement

This privacy statement provides information about the processing and the protection of your personal data. 

Processing operation: Personal data processing taking place in the context of the EU tobacco traceability system Data Controllers: The European Commission, represented by Directorate-General for Health and Food Safety (hereinafter DG SANTE), and the EU Member States acting as joint controllers  

Table of Contents

1. Introduction
2. Why and how do we process your personal data?
3. On what legal ground(s) do we process your personal data?
4. Which personal data do we collect and further process?
5. How long do we keep your personal data?
6. How do we protect and safeguard your personal data?
7. Who has access to your personal data and to whom is it disclosed?
8. What are your rights and how can you exercise them?
9. Contact information of the responsible Data Controller
10. Where to find more detailed information?

 

1. Introduction

DG SANTE and the EU Member States are committed to protect your personal data and respect your privacy. The Commission collects and further processes your personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (repealing Regulation (EC) No 45/2001). The Member States collect and further process your personal data pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (‘General Data Protection Regulation’). This privacy statement explains the reasons for the processing of your personal data, the way DG SANTE and the EU Member States collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to the processing of your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor. The information in relation to the processing operation “personal data processing taking place in the context of the EU tobacco traceability system” undertaken by DG SANTE and the EU Member States is presented below.  

2. Why and how do we process your personal data?

Purpose of the processing operation: The purpose of the personal data processing is the operation of the EU tracking and tracing system, which requires economic operators to register in the system and to record and transmit information on product movements and transactional data of tobacco products in the European Union. The collected data enables the Commission and the EU Member States to carry out effective monitoring of the proper functioning of the tobacco traceability system and enforcement of the tobacco traceability legislation respectively, in particular the fight against illicit trade in tobacco products. The ID Issuers that are competent for generating and issuing unique identifiers, collect your personal data in the format indicated in points 1.1., 1.4. and 1.7. of section 1 of chapter II of Annex II to Commission Implementing Regulation (EU) 2018/574. Once your personal data is collected, it is stored in offline flat-files and registries of the ID Issuers. An update copy of all offline flat-files and registries are electronically provided via the router to the secondary repository in accordance with Article 20 (1) and (3) of Commission Implementing Regulation (EU) 2018/574. Once your personal data is collected, it is stored on the servers operated by the operator of the secondary repository. The third parties providers operating the primary repositories collect your personal data in the format indicated in points 3.1 to 3.5 of section 3 and section 4 of chapter II of Annex II to Commission Implementing Regulation (EU) 2018/574. Once your personal data is collected, it is stored in the servers or cloud storages operated by the primary repositories’ providers. Your personal data is then forwarded to the secondary repository instantaneously in accordance with Article 26(3) of Commission Implementing Regulation (EU) 2018/574, and stored on the servers operated by the operator of the secondary repository. The operator of the secondary repository also collects your personal data in the format indicated in points 3.1 to 3.5 of section 3 and section 4 of chapter II of Annex II to Commission Implementing Regulation (EU) 2018/574 via the router. Once your personal data is collected, it is stored on the servers operated by the operator of the secondary repository.   Your personal data will not be used for an automated decision-making including profiling.  

3. On what legal ground(s) do we process your personal data

DG SANTE and the EU Member States process your personal data because the processing is necessary for the proper functioning of the EU tobacco traceability system carried out in the public interest, namely for tobacco control purposes referred to in Directive 2014/40/EU and Commission Implementing Regulation (EU) 2018/574. Illicit products undermine the free circulation of compliant products and the protection provided for by the tobacco control legislation. To combat illicit tobacco products, including those illegally imported into the EU, Directive 2014/40/EU stipulates in Article 15 that unit packets of tobacco products should be marked with a unique identifier and their movements should be recorded so that such products can be tracked and traced throughout the Union and their compliance with the Directive can be monitored and better enforced. Commission Implementing Regulation (EU) 2018/574 also underlines that the aim of the tobacco traceability system is to provide the EU Member States and the Commission with an effective tool to fight the illicit trade in tobacco products.

4. Which personal data do we collect and further process?

 The provision of personal data takes place in the context of:

1. submission of requests for economic operators’, facilities’ and machines’ identifier codes by economic operators and operators of first retail outlets in accordance with Articles 14(2), 16(2) and 18(2) of Commission Implementing Regulation (EU) 2018/574,
2. transmission of information on the product movements of tobacco products by economic operators in accordance with Article 32(2) of Commission Implementing Regulation (EU) 2018/574,
3. transmission of transactional information by economic operators in accordance with Article 33(2) of Commission Implementing Regulation (EU) 2018/574.

DG SANTE and the EU Member States collect and further process the following personal data:

• economic operator’s registered name
• economic operator’s address
• economic operator’s email address
• economic operator’s VAT number
• economic operator’s tax registration number
• facility’s address (street name, house number, postal code and city)
• machine’s producer
• EO_ID (Economic operator identifier)
• F_Excise Number2 (facility’s excise number issued by the competent authority for the purpose of identification of persons/premises)
• F_ID (Facility identifier code)
• destination facility’s full address (street, house number, postal code, city)
• number plates of transport vehicles
• buyer’s registered legal name
• buyer’s address
• buyer’s tax registration number
• payer’s registered legal name
• payer’s address
• payer’s tax registration number

In the context of the above-mentioned activities, your personal data is submitted to the ID Issuers that are competent for generating and issuing unique identifiers, the independent third parties providers operating the primary repositories and the independent third party provider operating the secondary repository in accordance with Articles 14(2), 16(2), 18(2), 32(2) and 33(2) of Commission Implementing Regulation (EU) 2018/574. If you do not provide this personal data, your request or reporting message will be considered incorrect and incomplete and will be rejected by the tobacco traceability system.  

5. How long do we keep your personal data</u

 In the context of submission of requests for economic operators’, facilities’ and machines’ identifier codes, your personal data will be retained for as long as the traceability system is operational in accordance with Articles 25 and 27(10) of Commission Implementing Regulation (EU) 2018/574. In the context of transmission of information on the product movements of tobacco products and transactional information, your personal data will be retained for five years in accordance with Article 25(1)(e) of Commission Implementing Regulation (EU) 2018/574. This retention period counts from the last event relating to a given unique identifier. In case the tobacco traceability system is not operational anymore, all the personal data stored in the offline flat-files and registries of the ID Issuers, and the databases and cloud storages of the primary repositories’ providers and the secondary repository operator will be deleted.  

6. How do we protect and safeguard your personal data?

All personal data are stored in the offline flat-files and registries of the ID Issuers, and the databases and cloud storages of the primary repository providers and the secondary repository operator. All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission. The ID Issuers that are appointed by the Member States by means of an agreement with them or a legal act, are bound by specific clauses of this agreement or provisions of the legal act regarding any personal data processing operations carried out on behalf of the joint controllers. The same entities are also bound by the confidentiality obligations of the General Data Protection Regulation (EU) 2016/679 and national data protection laws. The operator of the secondary repository, acting as the Commission’s contractor is bound by specific contractual obligations concerning the personal data processing operations carried out on behalf of the joint controllers. In particular, the operator is required to have in place the appropriate technical and organisational security measures to ensure that your data are processed securely in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679. In 2021, in the framework of the existing concession contract, the Commission arranged for an external audit of the operator of the secondary repository. The audit was carried out by BDO LPP, the audit company selected and fully paid by the Commission. The audit covered both contractual compliance, adherence to the information-security-management standards and data security. The auditors did not encounter issues that would have impacts deemed significant or material. The obligations referred to in the data processing agreement signed between the operator of the secondary repository and the Commission passed on in writing to the providers of primary repositories. The same entities are also bound by the confidentiality obligations of the General Data Protection Regulation (EU) 2016/679 and national data protection laws. In addition, pursuant to Article 15(8) of Directive 2014/40/EU, the primary repositories are monitored by an external auditor, who is proposed and paid by the tobacco manufacturer and approved by the Commission. The external auditor is required to submit an annual report to the competent authorities and to the Commission, assessing in particular any irregularities in relation to access to the stored data. Thus, the Commission receives every year audit reports concerning the data storage activities of all primary repositories’ providers. This allows the Commission to detect potential irregularities in relation to access to the stored data, and to assess the relevant data security measures that are in place. In order to protect your personal data, the Commission has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of these processing operations.

7. Who has access to your personal data and to whom is it disclosed?

According to Article 15(8) par. 3 of Directive 2014/40/EU and Article 25(1)(k) of Commission Implementing Regulation 2018/574, access to your personal data is limited to the competent authorities of the Member States, the Commission and external auditors approved by the Commission. The Member States, the Commission and external auditors have full physical and virtual access to the personal data in the primary repositories and the secondary repository. Virtual access to the data is facilitated via graphical interfaces at the level of the secondary repository.   Access to personal data undergoing joint processing shall only be allowed to:

1. authorised staff of the Commission and the Member States for the purposes of carrying out effective monitoring and enforcement activities in the context of Directive 2014/40/EU. Such staff abides by statutory, and when required, additional confidentiality agreements.
2. authorised staff of the ID Issuers, the independent third party provider operating the secondary repository and the independent third parties’ providers operating the primary repositories. This access is subject to ID and password requirements.

 

8. What are your rights and how can you exercise them?

You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725 and Chapter III (Article 12-23) of the General Data Protection Regulation, in particular the right to access your personal data and rectify them in case your personal data are inaccurate or incomplete. Where applicable, you have the right to erase your personal data and restrict the processing of your personal data. You also have the right to object to the processing of your personal data, which is lawfully carried out pursuant to Article 5(1)(a) of Regulation (EU) 2018/1725 and Article 6(1)(e) of the General Data Protection Regulation on grounds relating to your particular situation. You can exercise your rights by contacting the responsible Data Controller, or in case of conflict the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below. Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description in your request.  

9. Contact information of the responsible Data Controller

• The responsible Data Controller

If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact DG SANTE (SANTE-TT- DP@ec.europa.eu).

• The Data Protection Officer (DPO) of the Commission

You may also contact the Data Protection Officer of the Commission (DATA-PROTECTION- OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.

• The European Data Protection Supervisor (EDPS)

You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor (edps@edps.europa.eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.

10. Where to find more detailed information?

The Commission’s Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him. You may access the register via the following link: http://ec.europa.eu/dpo-register.