Answer given by Ms Roswall on behalf of the European Commission

24.4.2025

In accordance with Commission Implementing Regulation (EU) 2024/3084[1] and the Commission’s Cloud Security Control Baseline, the Information System uses a data infrastructure located in the European Union.

The Commission ensures the highest level of security for the Information System and the data it contains and does not consider it a security risk.

The processing of personal data under Regulation (EU) 2024/3084 is subject to Regulation (EU) 2016/679[2] and Regulation (EU) 2018/1725[3].

The Data Protection Record and Data Privacy Statement of the system were prepared in close cooperation with the Data Protection Officer of the Commission[4].

During the drafting procedure of Regulation (EU) 2024/3084, the European Data Protection Supervisor was consulted and delivered an opinion on 5 November 2024.

The EU Deforestation Regulation Committee comprising representatives of the Member States voted in favour by consensus on the draft Regulation (EU) 2024/3084 on 26 November 2024 during the examination procedure.

The Information System is an independent module of the TRACES platform[5] established by Regulation (EU) 2017/625[6]. The Commission has put in place the necessary measures to ensure the security and integrity of personal data processed, including appropriate data access control and a security plan.

The hosting service is provided as part of a framework contract of the Commission with specific guidelines to that effect, and a full contingent of technical measures are put in place as part of the infrastructure layer to ensure full security compliance of all hosted systems.

The Commission follows strictly Commission Decision (EU, Euratom) 2017/46[7] and the related implementing decisions and guidelines that are defining its functionality.

• [1] Commission Implementing Regulation (EU) 2024/3084 of 4 December 2024 on the functioning of the information system pursuant to Regulation (EU) 2023/1115 of the European Parliament and of the Council on the making available on the Union market and the export from the Union of certain commodities and products associated with deforestation and forest degradation, OJ L, 2024/3084, 6.12.2024.
• [2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1-88.
• [3] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, OJ L 295, 21.11.2018, p. 39-98.
• [4] https://commission.europa.eu/about/departments-and-executive-agencies/data-protection-officer_en
• [5] https://food.ec.europa.eu/horizontal-topics/traces_en
• [6] Regulation (EU) 2017/625 of the European Parliament and of the Council of 15 March 2017 on official controls and other official activities performed to ensure the application of food and feed law, rules on animal health and welfare, plant health and plant protection products, amending Regulations (EC) No 999/2001, (EC) No 396/2005, (EC) No 1069/2009, (EC) No 1107/2009, (EU) No 1151/2012, (EU) No 652/2014, (EU) 2016/429 and (EU) 2016/2031 of the European Parliament and of the Council, Council Regulations (EC) No 1/2005 and (EC) No 1099/2009 and Council Directives 98/58/EC, 1999/74/EC, 2007/43/EC, 2008/119/EC and 2008/120/EC, and repealing Regulations (EC) No 854/2004 and (EC) No 882/2004 of the European Parliament and of the Council, Council Directives 89/608/EEC, 89/662/EEC, 90/425/EEC, 91/496/EEC, 96/23/EC, 96/93/EC and 97/78/EC and Council Decision 92/438/EEC (Official Controls Regulation), OJ L 95, 7.4.2017, p. 1-142.
• [7] Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission, C/2016/8998, OJ L 6, 11.1.2017, p. 40-51.