Skip to Main Content

IMSOC

TRACES · ADIS · EUROPHYT · iRASFF

Back Privacy Statement - ELAN

PROTECTION OF YOUR PERSONAL DATA
This privacy statement provides information about the processing and the protection of your personal data.

Processing operation: Electronic system for agricultural non-customs formalities (ELAN)

Data Controller: Directorate-General for Agriculture and Rural Development, Unit E.1 ‘Governance of the agri-food markets’ (hereafter ‘AGRI E.1’)

Record reference: DPR-EC-31628

Table of Contents

  1. Introduction
  2. Why and how do we process your personal data?
  3. On what legal ground(s) do we process your personal data?
  4. Which personal data do we collect and further process?
  5. How long do we keep your personal data?
  6. How do we protect and safeguard your personal data?
  7. Who has access to your personal data and to whom is it disclosed?
  8. What are your rights and how can you exercise them?
  9. Contact information
  10. Where to find more detailed information?

1. Introduction

The European Commission (hereafter ‘the Commission’) is committed to protect your personal data and to respect your privacy. The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (repealing Regulation (EC) No 45/2001).

This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor.

The information in relation to processing operation “Electronic system for agricultural noncustoms formalities (ELAN)” undertaken by the Directorate-General for Agriculture and Rural Development, Directorate E, is presented below.

2. Why and how do we process your personal data?

Purpose of the processing operation: the Directorate-General for Agriculture and Rural Development, Directorate E, collects and uses your personal information to securely identify and authenticate economic operators and public officials involved in the issuance, transmission, and control of documents necessary for compliance with EU agricultural trade regulations. This processing supports secure and reliable document management, enables monitoring by competent authorities, facilitates seamless information exchange with customs systems, and ensures effective enforcement of relevant market rules. All personal data processing in ELAN is based on the legal basis outlined in the EU Regulations listed in Section 3 and the general principles of data protection governing EU institutions.

The processing of data for the operations of ELAN is performed manually by the users, the Commission's staff (DG AGRI, Units E.1 and R3, DG SANTE, TRACES Helpdesk)responsible for the management and maintenance of the system.

Your personal data will not be used for an automated decision-making including profiling

3. On what legal ground(s) do we process your personal data?

ELAN processes personal data that are necessary to ensure the functioning of the system (e.g. data concerning access, performance of operations, logs, etc...), as well as data that are embedded in the documents exchanged, whose processing is required by the relevant legislation (see list here below).

The personal data is being processed, because:

  • processing is necessary for the performance of tasks carried out in the public interest or in the exercise of official authority vested in the Union institution or body (user data and logs of actions);
  • processing is necessary for compliance with a legal obligation to which the controller is subject (data included in documents processed in ELAN).

The legal basis for the data processing in ELAN is:

  • Commission Delegated Regulation (EU) 2025/1269 of 6 May 2025 laying down rules supplementing Regulation (EU) No 1308/2013 of the European Parliament and of the Council with regard to the electronic system for agricultural non-customs formalities (‘ELAN’) to monitor and manage trade and market in agricultural products
  • Commission Implementing Regulation (EU) 2025/1272 of 6 May 2025 laying down rules for the application of Regulation (EU) No 1308/2013 of the European Parliament and of the Council with regard to the electronic system for agricultural non-customs formalities (‘ELAN’)
  • Commission Implementing Regulation (EU) 2020/761 of 17 December 2019 laying down rules for the application of Regulations (EU) No 1306/2013, (EU) No 1308/2013 and (EU) No 510/2014 of the European Parliament and of the Council as regards the management system of tariff quotas with licences
  • Commission Implementing Regulation (EU) 2020/1988 of 11 November 2020 laying down rules for the application of Regulations (EU) No 1308/2013 and (EU) No 510/2014 of the European Parliament and of the Council as regards the administration of import tariff quotas in accordance with the ‘first come, first served’ principle
  • Commission Implementing Regulation (EU) 2023/2834 of 10 October 2023 laying down rules for the application of Regulation (EU) No 1308/2013 of the European Parliament and of the Council as regards imports in the sectors of rice, cereals, sugar and hops
  • Regulation (EU) 2022/2399 of the European Parliament and of the Council of 23 November 2022 establishing the European Union Single Window Environment for Customs and amending Regulation (EU) No 952/2013;
  • Commission Implementing Regulation (EU) 2019/1715 of 30 September 2019 laying down rules for the functioning of the information management system for official controls and its system components ('the IMSOC Regulation');

4. Which personal data do we collect and further process?

In order to carry out this processing operation AGRI E.1 collects the following categories of personal data:

  • economic operator's data that are being collected include the operator's EORI or exporter code, name and address, if the economic operator is a natural person or can be directly linked to a natural person.
  • With regard to persons responsible of issuing or processing ELAN documents from national authorities, users attached to their respective central/regional competent body:
    • the users' personal details (name, contact details);
    • the entity to which users are associated;
    • system access logs, timestamps of document actions (issue, correction, validation, cancellation, retrieval), and documentation of interaction with ELAN (i.e. use of the system and actions performed on ELAN documents);
    • Electronic Signatures and affixed to documents, validation records required by EU legislation for document authenticity.
  • With regard to EC staff using ELAN:
    • the users' personal details (name, contact details);
    • system access logs, timestamps of document actions (issue, correction, validation, cancellation, retrieval), and documentation of interaction with ELAN (i.e. use of the system and actions performed on ELAN documents).

5. How long do we keep your personal data?

The Directorate-General for Agriculture and Rural Development, Directorate E, only keeps your personal data for the time necessary to fulfil the purpose of collection or further processing.

The following storage periods apply to the personal data collected by ELAN:

  • Personal data contained in documents held in ELAN, as well as electronic signatures/seals, timestamps, and exchange metadata: up to 10 years from either the last day of validity of the relevant document, or, if no such date is laid down by Union legislation, from the day the document was issued. If an appeal or administrative/judicial proceeding is initiated during this 10-year period based on ELAN documents, those documents may be retained until the conclusion of the procedure—after which they must be deleted immediately once the final judgement or decision is binding;
  • Personal data from the users' accounts: 10 years after the deactivation of the user’s account;
  • Access logs – user activity: 3 months after the action performed.

6. How do we protect and safeguard your personal data?

All personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are stored on the servers of the European Commission

All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.

In order to protect your personal data, the Commission has put in place a number of technical and organisational measures in place. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.

7. Who has access to your personal data and to whom is it disclosed?

Access to your personal data is provided to the Commission staff responsible for carrying out this processing operation and to authorised staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements.

The recipients of the data can be distinguished as indicated below:

Recipients within the EU organization:

  • Commission staff (DG AGRI, Units E.1 and R.3, DG SANTE, TRACES Helpdesk)

Recipients outside the EU organization:

  • EU Member States competent authorities
  • Non-EU countries competent bodies
  • Customs authorities of EU Member States

Each category of the above recipients has access to the relevant data and information which directly concerns it and which is under its area of direct responsibility within ELAN. This means that:

  • Commission staff members have access to all of the data
  • Customs authorities of EU Member States will have access to all data included in documents available in ELAN that they need to process to perform the required customs formalities, as well as to the data concerning the operations performed on those documents (creation, modifications, attributions, etc…) including the name of the user who performed them;
  • Licence issuing authorities of EU Member States will have access to all data included in documents available in ELAN that they issued, or that other authorities issued in favour of operators that are registered in their country, as well as to the data concerning the operations performed on those documents (creation, modifications, attributions, etc…) including the name of the user who performed them;
  • Non-EU authorities will have access to all data included in documents available in ELAN that they issued.

8. What are your rights and how can you exercise them?

You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access, your personal data and to rectify them in case your personal data are inaccurate or incomplete. Where applicable, you have the right to erase your personal data, to restrict the processing of your personal data, to object to the processing, and the right to data portability.

You have the right to object to the processing of your personal data, which is lawfully carried out pursuant to Article 5(1)(a) of Regulation (EU) 2018/1725, on grounds relating to your particular situation.

You can exercise your rights by contacting the Data Controller, or in case of conflict the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.

Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under Heading 10 below) in your request.

You should note that the European Commission does not have the power to modify the content of the documents hosted on ELAN; any requests in this sense must be addressed to the competent Member State’s authorities. If you are unsure on who that is in your case, you can reach out to us, and we will provide that information to you.

9. Contact information

- The Data Controller

If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller, Directorate-General for Agriculture and Rural Development, Directorate E: AGRI-SINGLEWINDOW@ec.europa.eu

- The Data Protection Officer (DPO) of the Commission

You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.

- The European Data Protection Supervisor (EDPS)

You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor (edps@edps.europa.eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.

10. Where to find more detailed information?

The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him. You may access the register via the following link: http://ec.europa.eu/dpo-register.

This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-31628