Personal data for security and safety purposes when bringing goods into the EU

When you bring in goods from a non-EU country, information on the import must be provided to the customs authorities of the EU, Norway, Switzerland and the United Kingdom for Northern Ireland.

The personal data to be provided are the names, contact details and, where applicable, the identification numbers of the consignor, consignee and other actors involved in the transport of your goods. In addition, information is provided on the goods being imported and how they are imported.

You, an operator responsible for transporting your goods, a customs agent or some other data controller, may provide the information.

In addition, Swedish Customs processes data on various types of risks and risk assessments. The data may come from Swedish Customs, customs authorities in other Member States, customs authorities in Norway, Switzerland and the United Kingdom, private operators involved in transport and import activities, authorities with specialised knowledge in different areas, and law enforcement and security agencies.

Why Swedish Customs processes your data (Purpose)

Swedish Customs and other customs authorities in the EU, Norway, Switzerland and the United Kingdom of Northern Ireland involved in the entry of your goods into the EU process your personal data to assess whether your goods may pose a risk to health and safety, and therefore may not be taken on board an aircraft or a ship, or allowed to enter the EU.

Your personal data is also processed to monitor, evaluate, develop and plan the customs authorities’ risk management activities.

Who will receive the personal data?

Within Swedish Customs, employees working to prevent dangerous goods from entering the EU, and those working to monitor these activities, will have access to the data. Information provided on the entry of the goods will also be made available to employees working with the examination of declaration documents.

Anyone who has provided information to the European Commission's central system about your entry will receive information, for example, whether the goods may be loaded and whether they are to be checked.

The customs authorities of all Member States affected by your import will receive your data, for example the customs authority of the Member State where the goods first enter the EU and the Member State where the consignee of the goods is located. A customs authority not directly involved in your import may also receive your data after flagging a specific risk. Customs authorities can also exchange data outside an ongoing entry to establish common risk criteria and standards, control measures and priority control areas.

The customs authorities of Norway, Switzerland and the United Kingdom will receive your personal data when your entry concerns them.

The European Commission will receive your data when it transfers or stores it. The Commission may also access your data when monitoring and following up on common risk criteria, and for cooperation on risk analyses.

If Swedish Customs needs the help of another authority with specialised knowledge in a particular area to assess a risk, your personal data may be disclosed to the authority that has the specific knowledge (for example, the Swedish Medical Products Agency, the Swedish Board of Agriculture and the Swedish Radiation Protection Authority). The same applies in other countries participating in this co-operation.

Swedish Customs' law enforcement departments may receive personal data if there is a suspicion of an offence or criminal activity.

Information may also be provided to other law enforcement authorities and authorities tasked with protecting Sweden, the EU or the cooperating countries if there is a suspicion of an offence or criminal activity.

Transfer of data to countries outside the EU

Swedish Customs does not provide personal data directly to countries outside the EU within the framework of processing personal data acquired in the context of safety and security; however, this can be done via the European Commission.

The Norwegian customs authority participates in this customs co-operation on the basis of Protocol 10 to the EEA Agreement (EEA = European Economic Area). Norway is an EEA country and is subject to the same data protection rules as the Member States.

The Swiss customs authority participates in this customs co-operation on the basis of the agreement between the European Community and the Swiss Confederation on the simplification of inspections and formalities in respect of the carriage of goods and on customs security measures. Switzerland has an adequate level of protection for the processing of personal data according to a decision of the European Commission.

The customs authority of the United Kingdom participates in this customs co-operation for Northern Ireland. The European Commission has taken a temporary decision that the United Kingdom has an adequate level of protection. The decision is valid until 27 June 2025 and can be further extended if the conditions for it are met. At the same time, the decision can also be revoked earlier if the level of protection of personal data is lowered.

The EU common systems allow data providers in a non-EU country to exchange information with Member States' customs authorities via a dedicated domain designed for economic operators in a non-EU country involved in the export of goods to the EU.

Legal basis and purpose

The processing is necessary for the fulfilment of a task carried out in the public interest in accordance with Article 6(1)(e) of the GDPR and is governed by the following customs legislation:

Articles 16(1), 46(3) and (5), 47(2), 127-129, 133 and 139 of Regulation (EU) No 952/2013 of the European Parliament and of the Council of 9 October 2013 laying down the Union Customs Code.

Article 182-188 of Commission Implementing Regulation (EU) 2015/2447 of 24 November 2015 laying down detailed rules for the implementation of certain provisions of the Customs Code, as amended by Commission Implementing Regulation (EU) 2020/893 of 29 June 2020.

Articles 104-113(a) and data category F of Annex B TXK.

The assessment of whether a product may pose a risk can sometimes be based on information about suspected offences. In these cases, the processing of personal data takes place in accordance with the Criminal Data Act (2018:1177) and the Act (2018:1694) on Swedish Customs' processing of personal data in the field of the Criminal Data Act, even if the same customs legislation is to be applied. The legal basis for such processing is found in Chapter 2, Section 1, paragraph 4 of the Act on the Swedish Customs' processing of personal data in the field of Criminal Data Act and concerns the fulfilment of obligations arising from international commitments.

Deletion

Swedish Customs will delete your data from the national systems no later than six years after the end of the calendar year in which the data or documents were first processed by Swedish Customs. Deletion is regulated in the Act (2001:185) on the processing of data in the activities of Swedish Customs, Chapter 2, Section 10.

In common EU systems where the European Commission and the Member States are joint controllers, data are stored for 10 years from the date of first processing in the centralised system. Data subject to an appeal or other judicial procedure are not deleted until that procedure is finalised.

The retention period for EU common systems is set out in Articles 113(2)(a) and 113(4) of Commission Implementing Regulation (EU) 2023/1070 of 1 June 2023 laying down technical arrangements for the development, maintenance and use of electronic systems for the exchange and storage of information under Regulation (EU) No 952/2013 of the European Parliament and of the Council.

Joint responsibility for personal data

As a starting point, Swedish Customs is responsible for the processing of personal data carried out by Swedish Customs, regardless of where the processing takes place.

Personal data processing in common EU systems:

• The customs authorities in the EU, Norway, Switzerland and the United Kingdom for Northern Ireland are joint controllers for the processing that takes place for storage and exchange of information. The European Commission is the processor of the customs authorities in these cases.
• The European Commission is joint controller with the customs authorities of the EU, Norway, Switzerland and the United Kingdom for Northern Ireland in monitoring and following up on the common risk criteria.
• The Swedish Customs and other EU customs authorities, as well as the European Commission, may also cooperate to jointly carry out risk analyses in the central systems using different analysis tools. This may mean that the European Commission, Swedish Customs and other customs authorities in the EU are joint controllers for this processing. On behalf of Sweden, Swedish Customs, together with other parties, has developed an arrangement on joint personal data responsibility.

The European Commission's website provides information on the arrangements for ongoing risk analyses in security and safety. See Annex IV.