Personal data processed in IMI shall be blocked in IMI as soon as they are no longer necessary for the purpose for which they were collected, depending on the specificities of each type of administrative cooperation and, as a general rule, no later than six months after the formal closure of the administrative cooperation procedure.

However, if a longer period is provided for in an applicable Union act listed in the Annex, personal data processed in IMI may be retained for a maximum of 18 months after the formal closure of an administrative cooperation procedure.

Where a repository of information for future reference by IMI actors is required pursuant to a binding Union act listed in the Annex, the personal data included in such a repository may be processed for as long as they are needed for this purpose either with the data subject’s consent or where this is provided for in that Union act.

Personal data blocked pursuant to this Article shall, with the exception of their storage, only be processed for purposes of proof of an information exchange by means of IMI with the data subject’s consent, unless processing is requested for overriding reasons in the public interest.

The blocked data shall be automatically deleted in IMI three years after the formal closure of the administrative cooperation procedure.

At the express request of a competent authority in a specific case and with the data subject’s consent, personal data may be deleted before the expiry of the applicable retention period.

The Commission shall ensure by technical means the blocking and deletion of personal data and their retrieval in accordance with paragraph 3.

Technical means shall be put in place to encourage IMI actors to formally close administrative cooperation procedures as soon as possible after the exchange of information has been completed and to enable IMI actors to involve IMI coordinators responsible in any procedure which has been inactive without justification for longer than two months.

By way of derogation from Article 14, paragraphs 2 and 3 of this Article shall apply to the retention of personal data of IMI users. Those personal data shall include the full name and all electronic and other means of contact necessary for the purposes of this Regulation.

Personal data relating to IMI users shall be stored in IMI as long as they continue to be users of IMI and may be processed for purposes compatible with the objectives of this Regulation.

When a natural person ceases to be an IMI user, the personal data relating to that person shall be blocked by technical means for a period of three years. Those data shall, with the exception of their storage, only be processed for purposes of proof of an information exchange by means of IMI and shall be deleted at the end of the three-year period.

The processing of special categories of data referred to in Article 8(1) of Directive 95/46/EC and Article 10(1) of Regulation (EC) No 45/2001 by means of IMI shall be allowed only on the basis of a specific ground mentioned in Article 8(2) and (4) of that Directive and Article 10(2) of that Regulation and subject to appropriate safeguards provided for in those Articles to ensure the rights of individuals whose personal data are processed.

IMI may be used for the processing of data relating to offences, criminal convictions or security measures referred to in Article 8(5) of Directive 95/46/EC and Article 10(5) of Regulation (EC) No 45/2001, subject to safeguards provided for in those Articles, including information on disciplinary, administrative or criminal sanctions or other information necessary to establish the good repute of an individual or a legal person, where the processing of such data is provided for in a Union act constituting the basis for the processing or with the explicit consent of the data subject, subject to specific safeguards referred to in Article 8(5) of Directive 95/46/EC.

The Commission shall ensure that IMI complies with the rules on data security adopted by the Commission pursuant to Article 22 of Regulation (EC) No 45/2001.

The Commission shall put in place the necessary measures to ensure security of personal data processed in IMI, including appropriate data access control and a security plan which shall be kept up-to-date.

The Commission shall ensure that, in the event of a security incident, it is possible to verify what personal data have been processed in IMI, when, by whom and for what purpose.

IMI actors shall take all procedural and organisational measures necessary to ensure the security of personal data processed by them in IMI in accordance with Article 17 of Directive 95/46/EC.