1. The processing of personal data in the central database of the Commission shall be carried out in accordance with Regulation (EC) No 45/2001 and under the supervision of the European Data Protection Supervisor.
2. Processing of personal data by the competent authorities in the Member States shall be carried out in accordance with Directive 95/46/EC and under the supervision of the public independent authority of the Member State referred to in Article 28 of that Directive.
3. Personal data shall be collected and used solely for the purposes of this Regulation. Personal data so collected shall be accurate and shall be kept up to date.
4. Each customs authority that has introduced personal data into the central database shall be the controller with respect to the processing of this data.
5. A data subject shall have a right of access to the personal data relating to him or her that are processed through the central database and, where appropriate, the right to the rectification, erasure or blocking of personal data in accordance with Regulation (EC) No 45/2001 or the national laws implementing Directive 95/46/EC.
6. All requests for the exercise of the right of access, rectification, erasure or blocking shall be submitted to and processed by the customs authorities. Where a data subject has submitted a request for the exercise of that right to the Commission, the Commission shall forward such request to the customs authorities concerned.
7. Personal data shall not be kept longer than six months from the date the relevant decision granting the application has been revoked or the relevant period during which the customs authorities are to take action has expired.
8. Where the holder of the decision has initiated proceedings in accordance with Article 23(3) or Article 26(9) and has notified the customs authorities of the initiation of such proceedings, personal data shall be kept for six months after proceedings have determined in a final way whether an intellectual property right has been infringed.