2024/2639

10.10.2024

COMMISSION IMPLEMENTING REGULATION (EU) 2024/2639

of 9 October 2024

laying down rules for the application of Regulation (EU) 2023/988 of the European Parliament and of the Council as regards the roles and tasks of the single national contact points of the Safety Gate Rapid Alert System

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2023/988 of the European Parliament and of the Council of 10 May 2023 on general product safety, amending Regulation (EU) No 1025/2012 of the European Parliament and of the Council and Directive (EU) 2020/1828 of the European Parliament and the Council, and repealing Directive 2001/95/EC of the European Parliament and of the Council and Council Directive 87/357/EEC (1), and in particular Article 25(2), second subparagraph, thereof,

Whereas:

(1) Regulation (EU) 2023/988 provides that the Safety Gate Rapid Alert System is the rapid alert system for the exchange of information on corrective measures concerning dangerous products. To ensure an efficient information flow and proper functioning of the Safety Gate Rapid Alert System, pursuant to Article 25(2), first subparagraph, of Regulation (EU) 2023/988, each Member State is to designate a single national contact point for the Safety Gate Rapid Alert System (‘Safety Gate contact point’). Pursuant to Article 25(2), first subparagraph, of Regulation (EU) 2023/988, the Safety Gate contact point is to be responsible at least for checking the completeness of the notifications submitted to the Commission for validation, and for communicating with the Commission on the tasks provided for in Article 26(1) to (6) of that Regulation. The designation of the Safety Gate National contact point should be without prejudice to Member States’ competence to organise their market surveillance system.

(2) Commission Implementing Decision (EU) 2019/417 (2) laid down guidelines for the management of the European Union Rapid Information System (‘RAPEX’) established under the repealed Directive 2001/95/EC of the European Parliament and of the Council (3). That Implementing Decision provided for the tasks of the RAPEX National Contact Points, including tasks of organising and steering the work of the relevant national authorities, ensuring that all tasks are performed correctly and, in particular, that all required information is provided to the Commission without delay or coordinating all national activities and initiatives carried out in relation to the system. Given the good experience with the functioning of the RAPEX National Contact Points, the roles and tasks of the Safety Gate contact points should include, in so far as appropriate, the roles and tasks established in Implementing Decision (EU) 2019/417.

(3) To ensure the efficient flow of information between the Safety Gate contact point and the various authorities participating in the Safety Gate Rapid Alert System in a given Member State, the Safety Gate contact point should organise and steer the work of their network of national authorities dealing with the Safety Gate Rapid Alert System (‘Safety Gate National Network’).

(4) In line with their existing tasks under Implementing Decision (EU) 2019/417 and to ensure the efficient use of the Safety Gate Rapid Alert System and consistency in the information submitted, Safety Gate contact points should train and assist national authorities in their use of the system.

(5) To avoid duplication of notifications in the Safety Gate Rapid Alert System, Safety Gate contact points should check, with the involvement of national authorities if relevant, before submitting a notification, whether a measure concerning the product has already been notified in the Safety Gate Rapid Alert System.

(6) The Product Safety eSurveillance Webcrawler, an IT application developed and managed by the Commission, aims at detecting products that have been notified in the Safety Gate Rapid Alert System and are still sold or reappear in web shops and online marketplaces. To enhance the effectiveness of market surveillance online, its use should be widely promoted, where applicable together with other similar tools used by the authorities.

(7) The Commission and national authorities act as joint controllers for processing data in the Safety Gate Rapid Alert System pursuant to Article 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council (4) and Article 28 of Regulation (EU) 2018/1725 of the European Parliament and of the Council (5). It is therefore appropriate to specify the roles and responsibilities of each joint controller.

(8) This Regulation should start to apply from the same date as Regulation (EU) 2023/988.

(9) The measures provided for in this Regulation are in accordance with the opinion of the General Product Safety Regulation Committee established under Article 46(1) of Regulation (EU) 2023/988,

HAS ADOPTED THIS REGULATION:

Article 1

The roles and tasks of the single national contact points under Article 25(2) of Regulation (EU) 2023/988 (‘Safety Gate contact points’) shall be to:

(a) verify and validate the completeness of the notification received from other national authorities in their Member State before its transmission to the Commission through the Safety Gate Rapid Alert System pursuant to Article 25(2), first subparagraph, of Regulation (EU) 2023/988;

(b) check, before submitting a notification through the Safety Gate Rapid Alert System, whether a product subject to that notification has already been notified in that System, and if this is the case, and where appropriate, in cooperation with the relevant national authority, submit a follow-up notification in accordance with Article 26(7) of Regulation (EU) 2023/988 instead;

(c) ensure that the notifications of other Member States, that were validated by the Commission, in the Safety Gate Rapid Alert System reach the relevant national authorities, including the authorities in charge of external border controls, in their Member State for appropriate follow-up at national level;

(d) promote the use of the Product Safety eSurveillance Webcrawler, and if relevant other similar tools, within its Member State, and in particular the follow up of its relevant results by the national authorities;

(e) train and assist all national authorities in the use of Safety Gate Rapid Alert System;

(f) facilitate that within their Member State the tasks related to the Safety Gate Rapid Alert System stemming from Regulation (EU) 2023/988 and Commission Delegated Regulation of 27 August 2024 supplementing Regulation (EU) 2023/988 of the European Parliament and of the Council with regard to rules on access to and operation of the Safety Gate Rapid Alert System, information to be entered in that System, notification requirements and the criteria for assessment of the level of risk (6) are performed and, in particular, that all required information is provided to the Commission in accordance with Regulation (EU) 2023/988;

(g) cooperate and exchange information relevant for product safety with other Safety Gate contact points, and participate in discussions between the Safety Gate contact points coordinated by the Commission;

(h) exchange information relevant for product safety at national level with the authority which is a member of the Consumer Safety Network referred to in Article 30 of Regulation (EU) 2023/988, where it is a different authority than the Safety Gate contact point;

(i) exchange information relevant for product safety at national level with the single liaison office appointed under Article 10 of Regulation (EU) 2019/1020 of the European Parliament and of the Council (7) and Article 23(1) of Regulation (EU) 2023/988, where it is a different authority than the Safety Gate contact point;

(j) inform the Commission without delay of any technical problem with the functioning of the Safety Gate Rapid Alert System;

(k) manage requests for access to applications linked to the Safety Gate Rapid Alert System from users in their Safety Gate National Network, and inform the Commission about any change in staff affecting access rights;

(l) answer requests related to operation of the Safety Gate Rapid Alert System within their Member State from stakeholders, including economic operators and providers of online marketplaces;

(m) where appropriate, liaise with the authority in their Member State that submitted the relevant Safety Gate Rapid Alert System notification, regarding any supplementary information that could be considered to be added to that notification, on requests of economic operators or providers of online marketplaces, in particular when those businesses may be adversely affected by the incomplete nature of a notification in the Safety Gate Rapid Alert System.

Article 2

The Commission and the national authorities acting as joint controllers for processing data in the Safety Gate Rapid Alert System pursuant to Article 26 of Regulation (EU) 2016/679 and Article 28 of Regulation (EU) 2018/1725 shall have the roles and responsibilities set out in the Annex to this Regulation.

Article 3

This Regulation shall enter into force on the twentieth day following that of its publication in the

Official Journal of the European Union

It shall apply from 13 December 2024.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 9 October 2024.

For the Commission

The President

Ursula VON DER LEYEN

(1)

OJ L 135, 23.5.2023, p. 1

, ELI:

http://data.europa.eu/eli/reg/2023/988/oj

(2) Commission Implementing Decision (EU) 2019/417 of 8 November 2018 laying down guidelines for the management of the European Union Rapid Information System ‘RAPEX’ established under Article 12 of Directive 2001/95/EC on general product safety and its notification system (

OJ L 73, 15.3.2019, p. 121

, ELI:

http://data.europa.eu/eli/dec/2019/417/oj

(3) Directive 2001/95/EC of the European Parliament and of the Council of 3 December 2001 on general product safety (

OJ L 11, 15.1.2002, p. 4

, ELI:

http://data.europa.eu/eli/dir/2001/95/oj

(4) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (

OJ L 119, 4.5.2016, p. 1

, ELI:

http://data.europa.eu/eli/reg/2016/679/oj

(5) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (

OJ L 295, 21.11.2018, p. 39

, ELI:

http://data.europa.eu/eli/reg/2018/1725/oj

(6) Not yet published in the Official Journal.

(7) Regulation (EU) 2019/1020 of the European Parliament and of the Council of 20 June 2019 on market surveillance and compliance of products and amending Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011 (

OJ L 169, 25.6.2019, p. 1

, ELI:

http://data.europa.eu/eli/reg/2019/1020/oj

ANNEX

JOINT CONTROLLERSHIP OF THE SAFETY GATE RAPID ALERT SYSTEM

1. SUBJECT MATTER AND DESCRIPTION OF THE PROCESSING

The Safety Gate Rapid Alert System is a notification system operated by the Commission intended for the rapid exchange of information between national authorities of Member States, the three European Economic Area/European Free Trade Association (EEA/EFTA) states (Iceland, Liechtenstein and Norway) and the Commission on measures taken against dangerous products found on the Union and/or EEA/EFTA market.

The purpose of the Safety Gate Rapid Alert System is to allow the rapid exchange of information on corrective measures taken across the Union in relation to products that present a risk.

The information exchange concerns corrective measures taken in relation to dangerous consumer and professional products falling in the scope of Regulations (EU) 2023/988 or (EU) 2019/1020.

The Safety Gate Rapid Alert System covers both measures ordered by national authorities and measures taken voluntarily by economic operators.

2. SCOPE OF THE JOINT CONTROLLERSHIP

The Commission and national authorities shall act as joint controllers (‘Joint Controllers’) for processing data in the Safety Gate Rapid Alert System. ‘National authorities’ refers to all authorities acting on product safety in the Member States and/or the EFTA/EEA countries and participating in the EU network of Safety Gate contact points, including market surveillance authorities responsible for monitoring the compliance of products with safety requirements and authorities in charge of external border controls.

For the purposes of Article 26 of Regulation (EU) 2016/679 and Article 28 of Regulation (EU) 2018/1725, the following processing activities shall fall under the responsibility of the Commission as a Joint Controller of personal data:

(1) The processing by the Commission of information regarding measures taken against products posing serious risks, imported into or exported from the Union and the European Economic Area, in order to transmit it to the single national contact points of the Safety Gate Rapid Alert System (‘Safety Gate contact points’);

(2) The processing by the Commission of information received from third countries, international organisations, businesses or other rapid alert systems about products of EU and non-EU origin posing a risk to the health and safety of consumers, in order to transmit such information to the national authorities.

When carrying out these activities, the Commission shall ensure compliance with the applicable obligations and conditions of Regulation (EU) 2018/1725.

The following processing activities shall fall under the responsibility of the national authorities, as Joint Controllers of personal data:

(1) The processing by national authorities of information pursuant to Article 26 of Regulation (EU) 2023/988 on general product safety and Article 20 of Regulation (EU) 2019/1020 in order to notify such information to the Commission and other Member States and EFTA/EEA countries;

(2) The processing by national authorities of information subsequent to their follow-up activities in relation to the Safety Gate Rapid Alert System notifications in order to notify such information to the Commission and other Member States and EFTA/EEA countries.

When carrying out these activities, the national authorities shall ensure compliance with the applicable obligations and conditions of Regulation (EU) 2016/679.

3. RESPONSIBILITIES, ROLES AND RELATIONSHIP OF THE JOINT CONTROLLERS TOWARDS DATA SUBJECTS

3.1. Categories of data subjects and personal data

The Joint Controllers shall jointly process the following categories of personal data:

(a) Contact details of the Safety Gate Rapid Alert System users:

The following data may be processed:

— name of the Safety Gate Rapid Alert System users;

— surname of the Safety Gate Rapid Alert System users;

— email address of the Safety Gate Rapid Alert System users;

— country of the Safety Gate Rapid Alert System users;

— preferred language of the Safety Gate Rapid Alert System users;

(b) Contact details of the authors and validators of notifications and reactions submitted through the Safety Gate Rapid Alert System:

These authors and validators include:

— Safety Gate contact points and inspectors from the market surveillance authorities of Member States and EFTA/EEA countries or from the national authorities in charge of external border controls, who are involved in the notification procedure;

— Commission staff including officials, temporary agents, contract agents, trainees and external service providers.

The following data may be processed:

— name of the authors and validators of notifications and reactions submitted through the Safety Gate Rapid Alert System;

— surname of the authors and validators of notifications and reactions submitted through the Safety Gate Rapid Alert System;

— name of the authority authoring or validating notifications and reactions submitted through the Safety Gate Rapid Alert System;

— address of the authority authoring or validating notifications and reactions submitted through the Safety Gate Rapid Alert System;

— email address of the authors and validators of notifications and reactions submitted through the Safety Gate Rapid Alert System;

— phone number of the authors and validators of notifications and reactions submitted through the Safety Gate Rapid Alert System;

(i) When necessary to trace dangerous products, as defined in Article 3(3) of Regulation (EU) 2023/988, contact details of economic operators might contain personal data that will be included in the Safety Gate Rapid Alert System. Such data are inserted in the Safety Gate Rapid Alert System by national authorities only, based on the information collected during their investigation. The following data may be processed:

— name of economic operators;

— address of economic operators;

— city of economic operators;

— country of economic operators;

— contact information of economic operators (1);

— contact address of economic operators;

(ii) When they have been incidentally included in other documents such as test reports, names of persons who have performed the tests on dangerous products and/or authenticated the test reports.

3.2. Provision of information to data subjects

The Commission shall provide the information referred to in Articles 15 and 16 and any communication under Articles 17 to 24 and 35 of Regulation (EU) 2018/1725 in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The Commission shall also take appropriate measures to assist national authorities in providing any information referred to in Articles 13 and 14 and any communication under Articles 19 to 26 and 37 of Regulation (EU) 2016/679 in a concise, transparent, intelligible and easily accessible form, using clear and plain language concerning the following data:

— data related to Safety Gate Rapid Alert System users;

— data related to the authors and validators of notifications and reactions.

Safety Gate Rapid Alert System users shall be informed about their rights through the Privacy Statement available in the Safety Gate Rapid Alert System.

National authorities shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 19 to 26 and 37 of Regulation (EU) 2016/679 in a concise, transparent, intelligible and easily accessible form, using clear and plain language concerning the following data:

— information on legal persons identifying a natural person;

— names and other data of persons who have performed the tests on dangerous products and/or authenticated the test reports.

The information shall be provided in writing, including electronically.

National authorities shall use the model for a privacy statement provided by the Commission when complying with their obligations concerning data subjects.

3.3. Handling of data subjects’ requests

The data subjects may exercise their rights under Regulation (EU) 2018/1725 and Regulation (EU) 2016/679, respectively against the Commission or against national authorities acting as Joint Controllers.

The Joint Controllers shall handle the requests of data subjects in accordance with the procedure established by the Joint Controllers for this purpose. The detailed procedure for the exercise of data subjects’ rights is explained in the privacy statement.

The Joint Controllers shall cooperate and, when so requested, provide each other with swift and efficient assistance in handling any data subject requests.

Should one Joint Controller receive a data subject request, which does not fall under its responsibility, that Joint Controller shall forward the request promptly, and at the latest within seven calendar days of its receipt, to the Joint Controller actually responsible for that request. The responsible Joint Controller shall send an acknowledgment of receipt to the data subject within three calendar days after reception of the forwarded request, while at the same time informing thereof the Joint Controller, which received the request in the first place.

In response to a data subject request for access to personal data, no Joint Controller shall disclose or otherwise make available any personal data processed jointly without first consulting the other Joint Controller.

4. OTHER RESPONSIBILITIES AND ROLES OF JOINT CONTROLLERS

4.1. Security of processing

Each Joint Controller shall implement appropriate technical and organisational measures to:

(a) ensure and protect the security, integrity and confidentiality of the personal data jointly processed, in line with Commission Decision (EU, Euratom) 2017/46 (2) and the relevant legal act of the EU Member State or EFTA/EEA country, respectively;

(b) protect against any unauthorised or unlawful processing, loss, use, disclosure or acquisition of or access to any personal data in its possession;

(c) not disclose or allow access to the personal data to anyone other than the beforehand agreed recipients or processors.

Each Joint Controller shall implement appropriate technical and organisational measures to ensure the security of processing pursuant to Article 33 of Regulation (EU) 2018/1725 and Article 32 of Regulation (EU) 2016/679, respectively.

The Joint Controllers shall provide a swift and efficient assistance to each other in case of security incidents, including personal data breaches.

4.2. Management of security incidents, including personal data breaches

The Joint Controllers shall handle security incidents, including personal data breaches, in accordance with their internal procedures and applicable legislation.

The Joint Controllers shall in particular provide each other with swift and efficient assistance as required to facilitate the identification and handling of any security incidents, including personal data breaches, linked to the joint processing operation.

The Joint Controllers shall notify each other of the following:

(a) any potential or actual risks to the availability, confidentiality and/or integrity of the personal data undergoing joint processing;

(b) any security incidents that are linked to the joint processing operation;

(c) any personal data breach (i.e. any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data undergoing joint processing), the likely consequences of the personal data breach, the assessment of the risk to the rights and freedoms of natural persons, and any measures taken to address the personal data breach and mitigate the risk to the rights and freedoms of natural persons;

(d) any breach of the technical and/or organisational safeguards of the joint processing operation.

Each Joint Controller shall be responsible for handling all security incidents, including personal data breaches, that occur as a result of an infringement of that Joint Controller’s obligations under this Implementing Regulation, Regulation (EU) 2018/1725 and Regulation (EU) 2016/679, respectively.

The Joint Controllers shall document security incidents (including personal data breaches) and notify each other without undue delay and at the latest within 48 hours after becoming aware of a security incident (including a personal data breach).

The Joint Controller responsible for a personal data breach shall document that personal data breach and notify it to the European Data Protection Supervisor or the competent national supervisory authority. It shall do so without undue delay and, where feasible, no later than 72 hours after having become aware of the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The Joint Controller responsible shall inform the other Joint Controller of such notification.

The Joint Controller responsible for the personal data breach shall communicate that personal data breach to the data subjects concerned if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. The Joint Controller responsible shall inform the other Joint Controller of such communication.

4.3. Localisation of personal data

Personal data collected for the purpose of the notification process through the Safety Gate Rapid Alert System shall be stored and collected in the Safety Gate Rapid Alert System to ensure that the access to the application is limited only to clearly identified persons and thus that data stored in the application are well protected.

Personal data collected for the purpose of the processing operation shall only be processed within the territory of the EU/EEA and shall not leave that territory, unless they are in compliance with Articles 45, 46 or 49 of Regulation (EU) 2016/679 or with Articles 47, 48 or 50 of Regulation (EU) 2018/1725.

According to Article 40 of Regulation (EU) 2023/988, the Commission may provide third countries or international organisations with selected information from the Safety Gate Rapid Alert System and receive relevant information on the safety of products and on preventive, restrictive and corrective measures taken by those third countries or international organisations. Any information exchange under Article 40 of Regulation (EU) 2023/988 shall, to the extent it involves personal data, be carried out in accordance with Union data protection rules.

4.4. Recipients of personal data

Access to personal data shall only be granted to authorised staff and contractors of the Commission and national authorities for the purposes of administering and operating the Safety Gate Rapid Alert System. This access shall be subject to identity and password requirements as follows:

— The Safety Gate Rapid Alert System shall only be open to the Commission and to users specifically appointed by the EU Member State’s authorities and by authorities from the EFTA/EEA countries as well as from the UK with regard to users from Northern Ireland;

— Access to the collected personal data on the Safety Gate Rapid Alert System shall only be granted to the nominated and authorised users of the application who have a User Id/Password. Access to the application and granting of a password shall be possible only if this is requested by the competent national authority under the general supervision of the Commission’s Safety Gate Team;

— Access to the collected personal data shall be provided to the Commission staff responsible for carrying out this processing operation and to authorised persons according to the ‘need to know’ principle. Such staff shall abide by statutory, and, when required, additional confidentiality agreements.

The persons who shall have access to the collected personal data are:

(a) staff and contractors of the Commission;

(b) identified contact points and inspectors from the market surveillance authorities of EU Member States and EFTA/EEA countries as well as UK authorities in respect of Northern Ireland users;

(c) identified inspectors from the authorities in charge of external border controls of EU Member States and EFTA/EEA countries.

The persons who shall have access to all collected personal data and who shall have the possibility to modify them upon request are:

(a) members of the Commission’s Safety Gate Team;

(b) members of the Commission’s Safety Gate Helpdesk.

A list of all Safety Gate contact points, containing their contact details (surname, name, name of authority, address of authority, phone, email) shall be available on the Safety Gate Portal (3). User management at national level shall be controlled by the Safety Gate contact points through the Safety Gate Rapid Alert System.

All users shall have access to the content of notifications with an ‘EC validated’ status. Only national Safety Gate Rapid Alert System users shall have access to the draft of their notifications (before submission to EC). Commission staff and authorised persons shall have access to notifications with an ‘EC submitted’ status.

Each Joint Controller shall inform all other Joint Controllers about any transfer of personal data to the recipients in third countries or international organisations.

5. SPECIFIC RESPONSIBILITIES OF JOINT CONTROLLERS

The Commission shall ensure and be responsible for:

(a) deciding on the means, requirements and purposes of processing;

(b) recording of the processing operation;

(d) handling of data subjects’ requests;

(e) deciding to restrict the application of or derogate from data subject rights, where necessary and proportionate;

(f) ensuring privacy by design and privacy by default;

(g) identifying and assessing the lawfulness, necessity and proportionality of transmissions and transfers of personal data;

(h) carrying out a prior consultation with the European Data Protection Supervisor, where needed;

(i) ensuring that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(j) cooperating with the European Data Protection Supervisor, on request, in the performance of their tasks.

The national authorities shall ensure and be responsible for:

(a) recording of the processing operation;

(b) ensuring that the personal data undergoing processing are adequate, accurate, relevant and limited to what is necessary for the purpose;

(d) facilitating the exercise of the rights of data subjects;

(e) using only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing meets the requirements of Regulation (EU) 2016/679 and ensures the protection of the rights of the data subject;

(f) governing the processor’s processing by a contract or legal act under Union or Member State law in accordance with Article 28 of Regulation (EU) 2016/679;

(g) carrying out a prior consultation with the national supervisory authority, where needed;

(h) ensuring that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(i) cooperating with the national supervisory authority on request, in the performance of their tasks.

6. DURATION OF PROCESSING

Joint Controllers shall not retain or process personal data longer than necessary to carry out the agreed purposes and obligations as set out in this Regulation, i.e. for the time necessary to fulfil the purpose of collection or further processing. In particular:

(a) Contact details of the users of the Safety Gate Rapid Alert System shall be kept in the system as long as they are users. Contact details shall be deleted from the Safety Gate Rapid Alert System immediately after the receipt of information that a certain person is no longer a user of the system;

(b) Contact details of the inspectors from the market surveillance authorities of Member States and EFTA/EEA countries, as well as from the inspectors from the authorities in charge of external border controls, provided in notifications and reactions shall be kept in the system for a period of five years after the validation of the notification or reaction;

(c) Personal data of other natural persons possibly included in the system shall be kept in a form that permits identification for 30 years from the moment of the insertion of the information in the Safety Gate Rapid Alert System, which corresponds to the estimated maximum lifecycle of categories of products such as electrical appliances or motor vehicles.

Legitimate requests from data subjects to have their data blocked, adjusted or erased shall be complied with by the Commission within one month from receipt of the request.

7. LIABILITY FOR NON-COMPLIANCE

The Commission shall be liable for non-compliance in accordance with Chapter VIII of Regulation (EU) 2018/1725.

The EU Member States’ authorities shall be liable for non-compliance in accordance with Chapter VIII of Regulation (EU) 2016/679.

8. COOPERATION BETWEEN JOINT CONTROLLERS

Each Joint Controller, when so requested, shall provide a swift and efficient assistance to the other Joint Controllers in execution of this Regulation, while complying with all applicable requirements of Regulations (EU) 2018/1725 and (EU) 2016/679, respectively, and other applicable data protection rules.

9. SETTLEMENT OF DISPUTES

The Joint Controllers shall endeavour to settle amicably any dispute arising out or relating to the interpretation or application of this Regulation.

If at any time a question, dispute or difference arises between the Joint Controllers, in relation to or in connection with this Regulation, the Joint Controllers shall use every endeavour to resolve it by a process of consultation.

The preference is that all disputes are settled at the operational level as they arise, and that they are settled by the contact points referred to in point 10 of this Annex and listed on the Safety Gate Portal.

The purpose of the consultation shall be to review and agree so far as it is practicable the action taken to solve the problem. The Joint Controllers shall negotiate with each other in good faith to that end. Each Joint Controller shall respond to a request for amicable settlement within seven working days following the reception of such request. The period to reach an amicable settlement shall be 30 working days from the date of reception of the request.

If the dispute cannot be settled amicably, each Joint Controller may refer to mediation or/and judicial proceedings in the following manner:

(a) in case of mediation, the Joint Controllers shall jointly appoint a mediator acceptable by each of them, who will be responsible for facilitating the resolution of the dispute within two months from the referral of the dispute to him/her;

(b) in case of judicial proceedings, the matter shall be referred to the Court of Justice of the European Union in accordance with Article 272 of the Treaty on the Functioning of the European Union.

10. CONTACT POINTS FOR COOPERATION BETWEEN THE JOINT CONTROLLERS

Each Joint Controller nominates a single point of contact, who other Joint Controllers shall contact in case of queries, complaints and provision of information within the scope of this Regulation.

A detailed list of all contact points nominated by the Commission and the national authorities, containing their contact details (surname, name, name of authority, address of authority, phone, fax, email), shall be available on the Safety Gate Portal.

(1) This field may refer to the physical person representing the manufacturers or authorised representatives. Member States are however asked to avoid entering any personal data and favour non-personal contact details like generic email addresses.

(2) Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission (

OJ L 6, 11.1.2017, p. 40

, ELI:

http://data.europa.eu/eli/dec/2017/46/oj

(3)

https://ec.europa.eu/safety-gate/#/screen/pages/contacts

ELI: http://data.europa.eu/eli/reg_impl/2024/2639/oj

ISSN 1977-0677 (electronic edition)