Processing of personal data in the Authorisation Service
Purpose of processing personal data
The Customs Authorisation Service grants authorisations upon application to companies and private individuals. The authorisations include authorisations for simplified customs procedures, authorisations for transferring payments of taxes or customs duties or authorisations granting exemption from customs duties for goods. Personal data are processed when processing applications as well as when granting and managing authorisations.
The Authorisation Service processes applications for registering to become a customer, for registering as a message declarant as well as registering for EORI and REX. It manages guarantees provided as collateral by businesses to Customs, maintains Customs’ customer register by recording data of Customs’ customers with authorisations, and of message exchange customers. The service also provides information to Customs’ authorisation customers during the authorisation process.
The Customs Authorisation Service processes customer questionnaire replies, as well as customer and accessibility feedback concerning authorisation services, and replies to them. The Authorisation Service also processes control reports of personal data collected from the Customer Register and the Authorisation Register as well as compiled lists of email addresses of customers in the Customer Register and Authorisation Register, for the purpose of customer surveys.
In the Authorisation Service, personal data are also processed for the maintenance of customer relations, in the follow-up of the quality of the authorisation service and correctness of customs activity, in the planning of authorisation services, in the development of the service function as well as service channels and transaction channels.
The processing of personal data is based on legislation. Personal data for the performance of Customs’ statutory tasks are processed in accordance with the Customs Act (304/2016) and the Union Customs Code (EU 952/2013). Appendix A of the Commission Delegated Regulation (EU) 2015/2446 and Appendix A of the Commission Implementing Regulation (2015/2447), define the data requirements for applications and decisions submitted to the authorisation services. The basis for the legal processing of personal data in accordance with the Data Protection Regulation is compliance with the controller’s statutory obligation.
Categories of personal data
The following personal data of private customers are collected:
- first and last names, personal identity codes, email addresses and phone numbers (mobile phones)
- date of birth, passport number, other than mobile telephone numbers, home address or other address
- position, occupation, education, country of residence, native language, communication language, bank account number, status of representation and mandate
- identification numbers for customs transactions
- details of transactions and customer transactions
The following data are collected of responsible persons and contact persons at businesses:
- first and last names, personal identity codes, email addresses and phone numbers (mobile phones)
- position, occupation, education, country of residence, native language, communication language, bank account number, status of representation and mandate
- identification numbers for customs transactions
- details of transactions and customer transactions
Personal data belonging to special categories (previously called sensitive personal data) may be included in the customers’ applications or attached documents.
Sources of personal data
Customer details are accumulated to Customs Authorisation Service from authorised transactions and message exchange transactions as well as from customs clearance, the corporate audit and customer services. Data are also obtained from customs clearances at Customs offices and Customs Enforcement as well as from other functions at Customs reported with the form ‘Observation report relating to Customs procedures.’ Personal data are also transferred to the Authorisation Service with the amendment request forms in the My Details service as well as from replies in customer surveys.
Regular disclosures of personal data
The data of the Authorisation Service are disclosed to parties concerned.
Data from the Authorisation Service can be transferred on reasonable grounds to other functions within Customs, for the performance of Customs’ official tasks.
Furthermore, data may be disclosed to other authorities for the performance of official tasks according to the Act on the Openness of Government Activities of Finland (21.5.1999/621) and according to the Act on the Processing of Personal Data by Finnish Customs (639/2015). Data are disclosed when the right to information has been prescribed by special provisions in legislation. Most commonly, data are transferred upon request to the following authorities based on the legal right to information:
- The Tax Administration for carrying out taxation and for tax control
- To the Police, for the investigation and uncovering of offences, for safeguarding justice and social peace as well as for duties related to maintaining public order and security.
Data are processed by Customs’ personnel who process matters related to Customs’ authorisations and by other personnel who need the data in their duties.
Personal data retention and disposal times
Personal data collected in authorisations services are stored for a specific period in accordance with statutory obligations or as defined. The storage times are specified in Customs’ data management plan. The storage times vary from 150 days to ten years depending on the document type. When the prescribed time for retaining personal data has ended, the data are deleted based on a review in accordance with Customs’ normal practice.
Contact person of the data controller and additional information
Sari Bjong
sari.bjong(at)tulli.fi