法律人 LawPlayer logo

資料由法律人 LawPlayer整理提供·EU law / curated by LawPlayer from EUR-Lex

Regulation

Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA

CELEX
Regulation (EU) 2019/817
Date of document
Articles
79
Source
EUR-Lex
Article 1Subject matter

1.   This Regulation, together with Regulation (EU) 2019/818 of the European Parliament and of the Council  ( 34 ) , establishes a framework to ensure interoperability between the Entry/Exit System (EES), the Visa Information System (VIS), the European Travel Information and Authorisation System (ETIAS), Eurodac, the Schengen Information System (SIS), and the European Criminal Records Information System for third-country nationals (ECRIS-TCN).

2.   The framework shall include the following interoperability components:

(a)

a European search portal (ESP);

(b)

a shared biometric matching service (shared BMS);

(c)

a common identity repository (CIR);

(d)

a multiple-identity detector (MID).

3.   This Regulation also lays down provisions on data quality requirements, on a universal message format (UMF), on a central repository for reporting and statistics (CRRS) and on the responsibilities of the Member States and of the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA), with respect to the design, development and operation of the interoperability components.

4.   This Regulation also adapts the procedures and conditions for the designated authorities and for the European Union Agency for Law Enforcement Cooperation (Europol) to access the EES, VIS, ETIAS and Eurodac for the purposes of the prevention, detection or investigation of terrorist offences or of other serious criminal offences.

5.   This Regulation also lays down a framework for verifying the identity of persons and for identifying persons.

Article 2Objectives

1.   By ensuring interoperability, this Regulation has the following objectives:

(a)

to improve the effectiveness and efficiency of border checks at external borders;

(b)

to contribute to the prevention and the combating of illegal immigration;

(c)

to contribute to a high level of security within the area of freedom, security and justice of the Union including the maintenance of public security and public policy and safeguarding security in the territories of the Member States;

(d)

to improve the implementation of the common visa policy;

(e)

to assist in the examination of applications for international protection;

(f)

to contribute to the prevention, detection and investigation of terrorist offences and of other serious criminal offences;

(g)

to facilitate the identification of unknown persons who are unable to identify themselves or unidentified human remains in case of a natural disaster, accident or terrorist attack.

2.   The objectives referred to in paragraph 1 shall be achieved by:

(a)

ensuring the correct identification of persons;

(b)

contributing to combating identity fraud;

(c)

improving data quality and harmonising the quality requirements for the data stored in the EU information systems while respecting the data processing requirements of the legal instruments governing the individual systems, data protection standards and principles;

(d)

facilitating and supporting technical and operational implementation by Member States of EU information systems;

(e)

strengthening, simplifying and making more uniform the data security and data protection conditions that govern the respective EU information systems, without affecting the special protection and safeguards afforded to certain categories of data;

(f)

streamlining the conditions for designated authorities' access to the EES, VIS, ETIAS and Eurodac, while ensuring necessary and proportionate conditions for that access;

(g)

supporting the purposes of the EES, VIS, ETIAS, Eurodac, SIS and ECRIS-TCN.

Article 3Scope

1.   This Regulation applies to the EES, VIS, ETIAS and SIS.

2.   This Regulation applies to persons in respect of whom personal data may be processed in the EU information systems referred to in paragraph 1 of this Article and whose data are collected for the purposes defined in Articles 1 and 2 of Regulation (EC) No 767/2008, Article 1 of Regulation (EU) 2017/2226, Articles 1 and 4 of Regulation (EU) 2018/1240, Article 1 of Regulation (EU) 2018/1860 and Article 1 of Regulation (EU) 2018/1861.

Article 4Definitions

For the purposes of this Regulation, the following definitions apply:

(1)

‘external borders’ means external borders as defined in point (2) of Article 2 of Regulation (EU) 2016/399;

(2)

‘border checks’ means border checks as defined in point (11) of Article 2 of Regulation (EU) 2016/399;

(3)

‘border authority’ means the border guard assigned in accordance with national law to carry out border checks;

(4)

‘supervisory authorities’ means the supervisory authority referred to in Article 51(1) of Regulation (EU) 2016/679 and the supervisory authority referred to in Article 41(1) of Directive (EU) 2016/680;

(5)

‘verification’ means the process of comparing sets of data to establish the validity of a claimed identity (one-to-one check);

(6)

‘identification’ means the process of determining a person's identity through a database search against multiple sets of data (one-to-many check);

(7)

‘alphanumeric data’ means data represented by letters, digits, special characters, spaces and punctuation marks;

(8)

‘identity data’ means the data referred to in Article 27(3)(a) to (e);

(9)

‘fingerprint data’ means fingerprint images and images of fingerprint latents, which due to their unique character and the reference points contained therein enable accurate and conclusive comparisons on a person's identity;

(10)

‘facial image’ means digital images of the face;

(11)

‘biometric data’ means fingerprint data or facial images or both;

(12)

‘biometric template’ means a mathematical representation obtained by feature extraction from biometric data limited to the characteristics necessary to perform identifications and verifications;

(13)

‘travel document’ means a passport or other equivalent document entitling the holder to cross the external borders and to which a visa can be affixed;

(14)

‘travel document data’ means the type, number and country of issuance of the travel document, the date of expiry of the validity of the travel document and the three-letter code of the country issuing the travel document;

(15)

‘EU information systems’ means the EES, VIS, ETIAS, Eurodac, SIS and ECRIS-TCN;

(16)

‘Europol data’ means personal data processed by Europol for the purpose referred to in Article 18(2)(a), (b) and (c) of Regulation (EU) 2016/794;

(17)

‘Interpol databases’ means the Interpol Stolen and Lost Travel Document database (SLTD database) and the Interpol Travel Documents Associated with Notices database (TDAWN database);

(18)

‘match’ means the existence of a correspondence as a result of an automated comparison between personal data recorded or being recorded in an information system or database;

(19)

‘police authority’ means the competent authority as defined in point (7) of Article 3 of Directive (EU) 2016/680;

(20)

‘designated authorities’ means the Member State designated authorities as defined in point (26) of Article 3(1) of Regulation (EU) 2017/2226, point (e) of Article 2(1) of Decision 2008/633/JHA and point (21) Article 3(1) of Regulation (EU) 2018/1240;

(21)

‘terrorist offence’ means an offence under national law which corresponds or is equivalent to one of the offences referred to in Directive (EU) 2017/541 of the European Parliament and of the Council  ( 35 ) ;

(22)

‘serious criminal offence’ means an offence which corresponds or is equivalent to one of the offences referred to in Article 2(2) of Council Framework Decision 2002/584/JHA  ( 36 ) , if it is punishable under national law by a custodial sentence or a detention order for a maximum period of at least three years;

(23)

‘Entry/Exit System’ or ‘EES’ means the Entry/Exit System established by Regulation (EU) 2017/2226;

(24)

‘Visa Information System’ or ‘VIS’ means the Visa Information System established by Regulation (EC) No 767/2008;

(25)

‘European Travel Information and Authorisation System’ or ‘ETIAS’ means the European Travel Information and Authorisation System established by Regulation (EU) 2018/1240;

(26)

‘Eurodac’ means Eurodac established by Regulation (EU) No 603/2013 of the European Parliament and of the Council  ( 37 ) ;

(27)

‘Schengen Information System’ or ‘SIS’ means the Schengen Information System established by Regulations (EU) 2018/1860, (EU) 2018/1861 and (EU) 2018/1862;

(28)

‘ECRIS-TCN’ means the centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons established by Regulation (EU) 2019/816 of the European Parliament and of the Council  ( 38 ) .

Article 5Non-discrimination and fundamental rights

Processing of personal data for the purposes of this Regulation shall not result in discrimination against persons on any grounds such as gender, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation. It shall fully respect human dignity and integrity and fundamental rights, including the right to respect for one's private life and to the protection of personal data. Particular attention shall be paid to children, the elderly, persons with a disability and persons in need of international protection. The best interests of the child shall be a primary consideration.

Article 6European search portal

1.   A European search portal (ESP) is established for the purposes of facilitating the fast, seamless, efficient, systematic and controlled access of Member State authorities and Union agencies to the EU information systems, to Europol data and to the Interpol databases for the performance of their tasks and in accordance with their access rights and the objectives and purposes of the EES, VIS, ETIAS, Eurodac, SIS and ECRIS-TCN.

2.   The ESP shall be composed of:

(a)

a central infrastructure, including a search portal enabling the simultaneous querying of the EES, VIS, ETIAS, Eurodac, SIS, ECRIS-TCN as well as of Europol data and the Interpol databases;

(b)

a secure communication channel between the ESP, Member States and Union agencies that are entitled to use the ESP;

(c)

a secure communication infrastructure between the ESP and the EES, VIS, ETIAS, Eurodac, Central SIS, ECRIS-TCN, Europol data and the Interpol databases as well as between the ESP and the central infrastructures of the CIR and the MID.

3.   eu-LISA shall develop the ESP and ensure its technical management.

Article 7Use of the European search portal

1.   The use of the ESP shall be reserved to the Member State authorities and Union agencies having access to at least one of the EU information systems in accordance with the legal instruments governing those EU information systems, to the CIR and the MID in accordance with this Regulation, to Europol data in accordance with Regulation (EU) 2016/794 or to the Interpol databases in accordance with Union or national law governing such access.

Those Member State authorities and Union agencies may make use of the ESP and the data provided by it only for the objectives and purposes laid down in the legal instruments governing those EU information systems, in Regulation (EU) 2016/794 and in this Regulation.

2.   The Member State authorities and Union agencies referred to in paragraph 1 shall use the ESP to search data related to persons or their travel documents in the central systems of the EES, VIS and ETIAS in accordance with their access rights as referred to in the legal instruments governing those EU information systems and in national law. They shall also use the ESP to query the CIR in accordance with their access rights under this Regulation for the purposes referred to in Articles 20, 21 and 22.

3.   The Member State authorities referred to in paragraph 1 may use the ESP to search data related to persons or their travel documents in the Central SIS referred to in Regulations (EU) 2018/1860 and (EU) 2018/1861.

4.   Where provided for under Union law, the Union agencies referred to in paragraph 1 shall use the ESP to search data related to persons or their travel documents in the Central SIS.

5.   The Member State authorities and Union agencies referred to in paragraph 1 may use the ESP to search data related to travel documents in the Interpol databases, where provided for and in accordance with their access rights under Union and national law.

Article 8Profiles for the users of the European search portal

1.   For the purposes of enabling the use of the ESP, eu-LISA shall, in cooperation with Member States, create a profile based on each category of ESP user and on the purposes of the queries, in accordance with the technical details and access rights referred to in paragraph 2. Each profile shall, in accordance with Union and national law, comprise the following information:

(a)

the fields of data to be used for querying;

(b)

the EU information systems, Europol data and the Interpol databases that are to be queried, those that can be queried and those that are to provide a reply to the user;

(c)

the specific data in the EU information systems, Europol data and the Interpol databases that may be queried;

(d)

the categories of data that may be provided in each reply.

2.   The Commission shall adopt implementing acts to specify the technical details of the profiles referred to in paragraph 1 in accordance with the ESP users' access rights under the legal instruments governing the EU information systems and under national law. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 74(2).

3.   The profiles referred to in paragraph 1 shall be reviewed regularly by eu-LISA in cooperation with Member States, at least once per year, and if necessary updated.

Article 9Queries

1.   The ESP users shall launch a query by submitting alphanumeric or biometric data to the ESP. Where a query has been launched, the ESP shall query the EES, ETIAS, VIS, SIS, Eurodac, ECRIS-TCN, the CIR, Europol data and the Interpol databases simultaneously with the data submitted by the user and in accordance with the user profile.

2.   The categories of data used to launch a query via the ESP shall correspond to the categories of data related to persons or travel documents that may be used to query the various EU information systems, Europol data and the Interpol databases in accordance with the legal instruments governing them.

3.   eu-LISA, in cooperation with Member States, shall implement an interface control document based on the UMF referred to in Article 38 for the ESP.

4.   When a query is launched by an ESP user, the EES, ETIAS, VIS, SIS, Eurodac, ECRIS-TCN, the CIR, the MID, the Europol data and the Interpol databases shall in reply to the query provide the data that they hold.

Without prejudice to Article 20, the reply provided by the ESP shall indicate to which EU information system or database the data belong.

The ESP shall provide no information regarding data in EU information systems, Europol data and the Interpol databases to which the user has no access under the applicable Union and national law.

5.   Any queries of the Interpol databases launched via the ESP shall be performed in such a way that no information shall be revealed to the owner of the Interpol alert.

6.   The ESP shall provide replies to the user as soon as data are available from one of the EU information systems, Europol data or Interpol databases. Those replies shall contain only the data to which the user has access under Union and national law.

7.   The Commission shall adopt an implementing act to specify the technical procedure for the ESP to query the EU information systems, Europol data and Interpol databases and the format of the ESP replies. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 74(2).

Article 10Keeping of logs

1.   Without prejudice to Article 46 of Regulation (EU) 2017/2226, Article 34 of Regulation (EC) No 767/2008, Article 69 of Regulation (EU) 2018/1240 and Articles 12 and 18 of Regulation (EU) 2018/1861, eu-LISA shall keep logs of all data processing operations in the ESP. Those logs shall include the following:

(a)

the Member State or Union agency launching the query and the ESP profile used;

(b)

the date and time of the query;

(c)

the EU information systems and the Interpol databases queried.

2.   Each Member State shall keep logs of queries that its authorities and the staff of those authorities duly authorised to use the ESP make. Each Union agency shall keep logs of queries that its duly authorised staff make.

3.   The logs referred to in paragraphs 1 and 2 may be used only for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity. Those logs shall be protected by appropriate measures against unauthorised access and erased one year after their creation. If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the logs.

Article 11Fall-back procedures in case of technical impossibility to use the European search portal

1.   Where it is technically impossible to use the ESP to query one or several EU information systems or the CIR, because of a failure of the ESP, the ESP users shall be notified in an automated manner by eu-LISA.

2.   Where it is technically impossible to use the ESP to query one or several EU information systems or the CIR, because of a failure of the national infrastructure in a Member State, that Member State shall notify eu-LISA and the Commission in an automated manner.

3.   In the cases referred to in paragraphs 1 or 2 of this Article, and until the technical failure is addressed, the obligation referred to in Article 7(2) and (4) shall not apply and Member States shall access the EU information systems or the CIR directly where they are required to do so under Union or national law.

4.   Where it is technically impossible to use the ESP to query one or several EU information systems or the CIR, because of a failure of the infrastructure of a Union agency, that agency shall notify eu-LISA and the Commission in an automated manner.

Article 12Shared biometric matching service

1.   A shared biometric matching service (shared BMS) storing biometric templates obtained from the biometric data referred to in Article 13 that are stored in the CIR and SIS and enabling querying with biometric data across several EU information systems is established for the purposes of supporting the CIR and the MID and the objectives of the EES, VIS, Eurodac, SIS and ECRIS-TCN.

2.   The shared BMS shall be composed of:

(a)

a central infrastructure, which shall replace the central systems of the EES, VIS, SIS, Eurodac and ECRIS-TCN respectively, to the extent that it shall store biometric templates and allow searches with biometric data;

(b)

a secure communication infrastructure between the shared BMS, Central SIS and the CIR.

3.   eu-LISA shall develop the shared BMS and ensure its technical management.

Article 13Storing biometric templates in the shared biometric matching service

1.   The shared BMS shall store the biometric templates, which it shall obtain from the following biometric data:

(a)

the data referred to in Article 16(1)(d), Article 17(1)(b) and (c) and Article 18(2)(a), (b) and (c) of Regulation (EU) 2017/2226;

(b)

the data referred to in point (6) of Article 9 of Regulation (EC) No 767/2008;

(c)

the data referred to in Article 20(2)(w) and (x), excluding data on palm prints, of Regulation (EU) 2018/1861;

(d)

the data referred to in Article 4(1)(u) and (v), excluding data on palm prints, of Regulation (EU) 2018/1860.

The biometric templates shall be stored in the shared BMS in logically separated form according to the EU information system from which the data originate.

2.   For each set of data referred to in paragraph 1, the shared BMS shall include in each biometric template a reference to the EU information systems in which the corresponding biometric data are stored and a reference to the actual records in those EU information systems.

3.   Biometric templates shall only be entered in the shared BMS following an automated quality check of the biometric data added to one of the EU information systems performed by the shared BMS to ascertain the fulfilment of a minimum data quality standard.

4.   The storage of the data referred to in paragraph 1 shall meet the quality standards referred to in Article 37(2).

5.   The Commission shall lay down, by means of an implementing act, the performance requirements and practical arrangements for monitoring the performance of the shared BMS in order to ensure that the effectiveness of biometric searches respect time-critical procedures such as border checks and identifications. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 74(2).

Article 14Searching biometric data with the shared biometric matching service

In order to search the biometric data stored within the CIR and SIS, the CIR and SIS shall use the biometric templates stored in the shared BMS. Queries with biometric data shall take place in accordance with the purposes provided for in this Regulation and in Regulations (EC) No 767/2008, (EU) 2017/2226, (EU) 2018/1860, (EU) 2018/1861, (EU) 2018/1862 and (EU) 2019/816.

Article 15Data retention in the shared biometric matching service

The data referred to in Article 13(1) and (2) shall be stored in the shared BMS only for as long as the corresponding biometric data are stored in the CIR or SIS. The data shall be erased from the shared BMS in an automated manner.

Article 16Keeping of logs

1.   Without prejudice to Article 46 of Regulation (EU) 2017/2226, Article 34 of Regulation (EC) No 767/2008 and Articles 12 and 18 of Regulation (EU) 2018/1861, eu-LISA shall keep logs of all data processing operations in the shared BMS. Those logs shall include the following:

(a)

the Member State or Union agency launching the query;

(b)

the history of the creation and storage of biometric templates;

(c)

the EU information systems queried with the biometric templates stored in the shared BMS;

(d)

the date and time of the query;

(e)

the type of biometric data used to launch the query;

(f)

the results of the query and date and time of the result.

2.   Each Member State shall keep logs of queries that its authorities and the staff of those authorities duly authorised to use the shared BMS make. Each Union agency shall keep logs of queries that its duly authorised staff make.

3.   The logs referred to in paragraphs 1 and 2 may be used only for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity. Those logs shall be protected by appropriate measures against unauthorised access and erased one year after their creation. If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the logs.

Article 17Common identity repository

1.   A common identity repository (CIR), creating an individual file for each person that is registered in the EES, VIS, ETIAS, Eurodac or ECRIS-TCN containing the data referred to in Article 18, is established for the purpose of facilitating and assisting in the correct identification of persons registered in the EES, VIS, ETIAS, Eurodac and ECRIS-TCN in accordance with Article 20, of supporting the functioning of the MID in accordance with Article 21 and of facilitating and streamlining access by designated authorities and Europol to the EES, VIS, ETIAS and Eurodac, where necessary for the prevention, detection or investigation of terrorist offences or other serious criminal offences in accordance with Article 22.

2.   The CIR shall be composed of:

(a)

a central infrastructure that shall replace the central systems of respectively the EES, VIS, ETIAS, Eurodac and ECRIS-TCN to the extent that it shall store the data referred to in Article 18;

(b)

a secure communication channel between the CIR, Member States and Union agencies that are entitled to use the CIR in accordance with Union law and national law;

(c)

a secure communication infrastructure between the CIR and the EES, VIS, ETIAS, Eurodac and ECRIS-TCN as well as with the central infrastructures of the ESP, the shared BMS and the MID.

3.   eu-LISA shall develop the CIR and ensure its technical management.

4.   Where it is technically impossible because of a failure of the CIR to query the CIR for the purpose of identifying a person pursuant to Article 20, for the detection of multiple identities pursuant to Article 21 or for the purposes of preventing, detecting or investigating terrorist offences or other serious criminal offences pursuant to Article 22, the CIR users shall be notified by eu-LISA in an automated manner.

5.   eu-LISA, in cooperation with Member States, shall implement an interface control document based on the UMF referred to in Article 38 for the CIR.

Article 18The common identity repository data

1.   The CIR shall store the following data, logically separated according to the information system from which the data have originated:

(a)

the data referred to in Article 16(1)(a) to (d), Article 17(1)(a), (b) and (c) and Article 18(1) and (2) of Regulation (EU) 2017/2226;

(b)

the data referred to in points (4)(a) to (c), (5) and (6) of Article 9 of Regulation (EC) No 767/2008;

(c)

the data referred to in Article 17(2)(a) to (e) of Regulation (EU) 2018/1240;

2.   For each set of data referred to in paragraph 1, the CIR shall include a reference to the EU information systems to which the data belong.

3.   The authorities accessing the CIR shall do so in accordance with their access rights under the legal instruments governing the EU information systems, and under national law and in accordance with their access rights under this Regulation for the purposes referred to in Articles 20, 21 and 22.

4.   For each set of data referred to in paragraph 1, the CIR shall include a reference to the actual record in the EU information systems to which the data belong.

5.   The storage of the data referred to in paragraph 1 shall meet the quality standards referred to in Article 37(2).

Article 19Adding, amending and deleting data in the common identity repository

1.   Where data are added, amended or deleted in the EES, VIS and ETIAS, the data referred to in Article 18 stored in the individual file of the CIR shall be added, amended or deleted accordingly in an automated manner.

2.   Where a white or red link is created in the MID in accordance with Article 32 or 33 between the data of two or more of the EU information systems constituting the CIR, instead of creating a new individual file, the CIR shall add the new data to the individual file of the linked data.

Article 20Access to the common identity repository for identification

1.   Queries of the CIR shall be carried out by a police authority in accordance with paragraphs 2 and 5 only in the following circumstances:

(a)

where a police authority is unable to identify a person due to the lack of a travel document or another credible document proving that person's identity;

(b)

where there are doubts about the identity data provided by a person;

(c)

where there are doubts as to the authenticity of the travel document or another credible document provided by a person;

(d)

where there are doubts as to the identity of the holder of a travel document or of another credible document; or

(e)

where a person is unable or refuses to cooperate.

Such queries shall not be allowed against minors under the age of 12 years old, unless in the best interests of the child.

2.   Where one of the circumstances listed in paragraph 1 arises and a police authority has been so empowered by national legislative measures as referred to in paragraph 5, it may, solely for the purpose of identifying a person, query the CIR with the biometric data of that person taken live during an identity check, provided that the procedure was initiated in the presence of that person.

3.   Where the query indicates that data on that person are stored in the CIR, the police authority shall have access to consult the data referred to in Article 18(1).

Where the biometric data of the person cannot be used or where the query with that data fails, the query shall be carried out with identity data of the person in combination with travel document data, or with the identity data provided by that person.

4.   Where a police authority has been so empowered by national legislative measures as referred to in paragraph 6, it may, in the event of a natural disaster, an accident or a terrorist attack and solely for the purpose of identifying unknown persons who are unable to identify themselves or unidentified human remains, query the CIR with the biometric data of those persons.

5.   Member States wishing to avail themselves of the possibility provided for in paragraph 2 shall adopt national legislative measures. When doing so, Member States shall take into account the need to avoid any discrimination against third-country nationals. Such legislative measures shall specify the precise purposes of the identification within the purposes referred to in Article 2(1)(b) and (c). They shall designate the competent police authorities and lay down the procedures, conditions and criteria of such checks.

6.   Member States wishing to avail themselves of the possibility provided for in paragraph 4 shall adopt national legislative measures laying down the procedures, conditions and criteria.

Article 21Access to the common identity repository for the detection of multiple identities

1.   Where a query of the CIR results in a yellow link in accordance with Article 28(4), the authority responsible for the manual verification of different identities in accordance with Article 29 shall have access, solely for the purpose of that verification, to the data referred to in Article 18(1) and (2) stored in the CIR connected by a yellow link.

2.   Where a query of the CIR results in a red link in accordance with Article 32, the authorities referred to in Article 26(2) shall have access, solely for the purposes of combating identity fraud, to the data referred to in Article 18(1) and (2) stored in the CIR connected by a red link.

Article 22Querying the common identity repository for the purposes of preventing, detecting or investigating terrorist offences or other serious criminal offences

1.   In a specific case, where there are reasonable grounds to believe that consultation of EU information systems will contribute to the prevention, detection or investigation of terrorist offences or other serious criminal offences, in particular where there is a suspicion that the suspect, perpetrator or victim of a terrorist offence or other serious criminal offences is a person whose data are stored in the EES, VIS or ETIAS, the designated authorities and Europol may consult the CIR in order to obtain information on whether data on a specific person are present in the EES, VIS or ETIAS.

2.   Where in reply to a query the CIR indicates that data on that person are present in the EES, VIS or ETIAS, the CIR shall provide to designated authorities and Europol a reply in the form of a reference as referred to in Article 18(2) indicating which of those EU information systems contains matching data. The CIR shall reply in such a way that the security of the data is not compromised.

The reply indicating that data on that person are present in any of the EU information systems referred to in paragraph 1 shall be used only for the purposes of submitting a request for full access subject to the conditions and procedures laid down in the respective legal instruments governing such access.

In the event of a match or multiple matches, the designated authority or Europol shall make a request for full access to at least one of the information systems from which a match was generated.

Where exceptionally, such full access is not requested, the designated authorities shall record the justification for not making the request, which shall be traceable to the national file. Europol shall record the justification in the relevant file.

3.   Full access to the data contained in the EES, VIS or ETIAS for the purposes of preventing, detecting or investigating terrorist offences or other serious criminal offences remains subject to the conditions and procedures laid down in the respective legal instruments governing such access.

Article 23Data retention in the common identity repository

1.   The data referred to in Article 18(1), (2) and (4) shall be deleted from the CIR in an automated manner in accordance with the data retention provisions of Regulations (EU) 2017/2226, (EC) No 767/2008 and (EU) 2018/1240 respectively.

2.   The individual file shall be stored in the CIR only for as long as the corresponding data are stored in at least one of the EU information systems whose data are contained in the CIR. The creation of a link shall not affect the retention period of each item of the linked data.

Article 24Keeping of logs

1.   Without prejudice to Article 46 of Regulation (EU) 2017/2226, Article 34 of Regulation (EC) No 767/2008 and Article 69 of Regulation (EU) 2018/1240, eu-LISA shall keep logs of all data processing operations in the CIR in accordance with paragraphs 2, 3 and 4 of this Article.

2.   eu-LISA shall keep logs of all data processing operations pursuant to Article 20 in the CIR. Those logs shall include the following:

(a)

the Member State or Union agency launching the query;

(b)

the purpose of access of the user querying via the CIR;

(c)

the date and time of the query;

(d)

the type of data used to launch the query;

(e)

the results of the query.

3.   eu-LISA shall keep logs of all data processing operations pursuant to Article 21 in the CIR. Those logs shall include the following:

(a)

the Member State or Union agency launching the query;

(b)

the purpose of access of the user querying via the CIR;

(c)

the date and time of the query;

(d)

where a link is created, the data used to launch the query and the results of the query indicating the EU information system from which the data were received.

4.   eu-LISA shall keep logs of all data processing operations pursuant to Article 22 in the CIR. Those logs shall include the following:

(a)

the date and time of the query;

(b)

the data used to launch the query;

(c)

the results of the query;

(d)

the Member State or Union agency querying the CIR.

The logs of such access shall be regularly verified by the competent supervisory authority in accordance with Article 41 of Directive (EU) 2016/680 or by the European Data Protection Supervisor in accordance with Article 43 of Regulation (EU) 2016/794, at intervals not exceeding six months, to verify whether the procedures and conditions set out in Article 22(1) and (2) of this Regulation are fulfilled.

5.   Each Member State shall keep logs of queries that its authorities and the staff of those authorities duly authorised to use the CIR make pursuant to Articles 20, 21 and 22. Each Union agency shall keep logs of queries that its duly authorised staff make pursuant to Articles 21 and 22.

In addition, for any access to the CIR pursuant to Article 22, each Member State shall keep the following logs:

(a)

the national file reference;

(b)

the purpose of access;

(c)

in accordance with national rules, the unique user identity of the official who carried out the query and of the official who ordered the query.

6.   In accordance with Regulation (EU) 2016/794, for any access to the CIR pursuant to Article 22 of this Regulation, Europol shall keep logs of the unique user identity of the official who carried out the query and of the official who ordered the query.

7.   The logs referred to in paragraphs 2 to 6 may be used only for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity. Those logs shall be protected by appropriate measures against unauthorised access and erased one year after their creation. If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the logs.

8.   eu-LISA shall store the logs related to the history of the data, in individual files. eu-LISA shall erase such logs in an automated manner, once the data are erased.

Article 25Multiple-identity detector

1.   A multiple-identity detector (MID) creating and storing identity confirmation files as referred to in Article 34, containing links between data in the EU information systems included in the CIR and SIS and allowing detection of multiple identities, with the dual purpose of facilitating identity checks and combating identity fraud, is established for the purpose of supporting the functioning of the CIR and the objectives of the EES, VIS, ETIAS, Eurodac, SIS and ECRIS-TCN.

2.   The MID shall be composed of:

(a)

a central infrastructure, storing links and references to EU information systems;

(b)

a secure communication infrastructure to connect the MID with SIS and the central infrastructures of the ESP and the CIR.

3.   eu-LISA shall develop the MID and ensure its technical management.

Article 26Access to the multiple-identity detector

1.   For the purposes of the manual verification of different identities referred to in Article 29, access to the data referred to in Article 34 stored in the MID shall be granted to:

(a)

competent authorities designated in accordance with Article 9(2) of Regulation (EU) 2017/2226 when creating or updating an individual file in the EES in accordance with Article 14 of that Regulation;

(b)

the visa authorities referred to in Article 6(1) of Regulation (EC) No 767/2008 when creating or updating an application file in VIS in accordance with that Regulation;

(c)

the ETIAS Central Unit and the ETIAS National Units when carrying out the processing referred to in Articles 22 and 26 of Regulation (EU) 2018/1240;

(d)

the SIRENE Bureau of the Member State creating or updating a SIS alert in accordance with Regulations (EU) 2018/1860 and (EU) 2018/1861.

2.   Member State authorities and Union agencies having access to at least one EU information system included in the CIR or to SIS shall have access to the data referred to in Article 34(a) and (b) regarding any red links referred to in Article 32.

3.   Member State authorities and Union agencies shall have access to the white links referred to in Article 33 where they have access to the two EU information systems containing data between which the white link was created.

4.   Member State authorities and Union agencies shall have access to the green links referred to in Article 31 where they have access to the two EU information systems containing data between which the green link was created and a query of those information systems has revealed a match with the two sets of linked data.

Article 27Multiple-identity detection

1.   Multiple-identity detection in the CIR and SIS shall be launched where:

(a)

an individual file is created or updated in the EES in accordance with Article 14 of Regulation (EU) 2017/2226;

(b)

an application file is created or updated in VIS in accordance with Regulation (EC) No 767/2008;

(c)

an application file is created or updated in ETIAS in accordance with Article 19 of Regulation (EU) 2018/1240;

(d)

an alert on a person is created or updated in SIS in accordance with Article 3 of Regulation (EU) 2018/1860 and Chapter V of Regulation (EU) 2018/1861.

2.   Where the data contained within an EU information system referred to in paragraph 1 contains biometric data, the CIR and Central SIS shall use the shared BMS in order to perform multiple-identity detection. The shared BMS shall compare the biometric templates obtained from any new biometric data to the biometric templates already contained in the shared BMS in order to verify whether data belonging to the same person are already stored in the CIR or in Central SIS.

3.   In addition to the process referred to in paragraph 2, the CIR and Central SIS shall use the ESP to search the data stored in Central SIS and the CIR respectively using the following data:

(a)

surname (family name); first name or names (given names); date of birth; nationality or nationalities; and sex; as referred to in Articles 16(1)(a), 17(1) and 18(1) of Regulation (EU) 2017/2226;

(b)

surname (family name); first name or names (given names); date of birth; sex; place and country of birth; and nationalities; as referred to in point (4)(a) and (aa) of Article 9 of Regulation (EC) No 767/2008;

(c)

surname (family name), first name(s) (given name(s)), surname at birth; alias(es); date of birth, place of birth, sex and current nationality; as referred to in Article 17(2) of Regulation (EU) 2018/1240;

(d)

surnames, forenames, names at birth, previously used names and aliases, place of birth, date of birth, gender and any nationalities held, as referred to in Article 20(2) of Regulation (EU) 2018/1861;

(e)

surnames, forenames, names at birth, previously used names and aliases, place of birth, date of birth, gender and any nationalities held, as referred to in Article 4 of Regulation (EU) 2018/1860.

4.   In addition to the process referred to in paragraphs 2 and 3, the CIR and Central SIS shall use the ESP to search the data stored in Central SIS and the CIR respectively using travel document data.

5.   The multiple-identity detection shall only be launched in order to compare data available in one EU information system with data available in other EU information systems.

Article 28Results of the multiple-identity detection

1.   Where the queries referred to in Article 27(2), (3) and (4) do not report any match, the procedures referred to in Article 27(1) shall continue in accordance with the legal instruments governing them.

2.   Where the query laid down in Article 27(2), (3) and (4) reports one or several matches, the CIR and, where relevant, SIS shall create a link between the data used to launch the query and the data triggering the match.

Where several matches are reported, a link shall be created between all data triggering the match. Where the data were already linked, the existing link shall be extended to the data used to launch the query.

3.   Where the query referred to in Article 27(2), (3) and (4) reports one or several matches and the identity data of the linked files are the same or similar, a white link shall be created in accordance with Article 33.

4.   Where the query referred to in Article 27(2), (3) and (4) reports one or several matches and the identity data of the linked files cannot be considered to be similar, a yellow link shall be created in accordance with Article 30 and the procedure referred to in Article 29 shall apply.

5.   The Commission shall adopt delegated acts in accordance with Article 73 laying down the procedures to determine the cases in which identity data can be considered to be the same or similar.

6.   The links shall be stored in the identity confirmation file referred to in Article 34.

7.   The Commission shall, in cooperation with eu-LISA, lay down the technical rules for creating links between data from different EU information systems, by implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 74(2).

Article 29Manual verification of different identities and the authorities responsible

1.   Without prejudice to paragraph 2, the authority responsible for manual verification of different identities shall be:

(a)

the competent authority designated in accordance with Article 9(2) of Regulation (EU) 2017/2226 for matches that occurred when creating or updating an individual file in the EES in accordance with that Regulation;

(b)

the visa authorities referred to in Article 6(1) of Regulation (EC) No 767/2008 for matches that occurred when creating or updating an application file in VIS in accordance with that Regulation;

(c)

the ETIAS Central Unit and the ETIAS National Units for matches that occurred when creating or updating an application file in accordance with Regulation (EU) 2018/1240;

(d)

the SIRENE Bureau of the Member State for matches that occurred when creating or updating a SIS alert in accordance with Regulations (EU) 2018/1860 and (EU) 2018/1861.

The MID shall indicate the authority responsible for the manual verification of different identities in the identity confirmation file.

2.   The authority responsible for the manual verification of different identities in the identity confirmation file shall be the SIRENE Bureau of the Member State that created the alert where a link is created to data contained in an alert:

(a)

in respect of persons wanted for arrest for surrender or extradition purposes referred to in Article 26 of Regulation (EU) 2018/1862;

(b)

on missing or vulnerable persons referred to in Article 32 of Regulation (EU) 2018/1862;

(c)

on persons sought to assist with a judicial procedure referred to in Article 34 of Regulation (EU) 2018/1862;

(d)

on persons for discreet checks, inquiry checks or specific checks referred to in Article 36 of Regulation (EU) 2018/1862.

3.   Without prejudice to paragraph 4 of this Article, the authority responsible for the manual verification of different identities shall have access to the linked data contained in the relevant identity confirmation file and to the identity data linked in the CIR and, where relevant, in SIS. It shall assess the different identities without delay. Once such assessment is completed, it shall update the link in accordance with Articles 31, 32 and 33 and add it to the identity confirmation file without delay.

4.   Where the authority responsible for the manual verification of different identities in the identity confirmation file is the competent authority designated in accordance with Article 9(2) of Regulation (EU) 2017/2226 creating or updating an individual file in the EES in accordance with Article 14 of that Regulation, and where a yellow link is created, that authority shall carry out additional verifications. That authority shall, for that purpose only, have access to the related data contained in the relevant identity confirmation file. It shall assess the different identities, update the link in accordance with Articles 31, 32 and 33 of this Regulation and add it to the identity confirmation file without delay.

Such manual verification of different identities shall be initiated in the presence of the person concerned, who shall be offered the opportunity to explain the circumstances to the authority responsible, which shall take those explanations into account.

In cases in which the manual verification of different identities takes place at the border, it shall take place within 12 hours from the creation of a yellow link under Article 28(4), where possible.

5.   Where more than one link is created, the authority responsible for the manual verification of different identities shall assess each link separately.

6.   Where data reporting a match were already linked, the authority responsible for the manual verification of different identities shall take into account the existing links when assessing the creation of new links.

Article 30Yellow link

1.   Where manual verification of different identities has not yet taken place, a link between data from two or more EU information systems shall be classified as yellow in any of the following cases:

(a)

the linked data share the same biometric data but have similar or different identity data;

(b)

the linked data have different identity data but share the same travel document data, and at least one of the EU information systems does not contain biometric data on the person concerned;

(c)

the linked data share the same identity data but have different biometric data;

(d)

the linked data have similar or different identity data, and share the same travel document data, but have different biometric data.

2.   Where a link is classified as yellow in accordance with paragraph 1, the procedure laid down in Article 29 applies.

Article 31Green link

1.   A link between data from two or more EU information systems shall be classified as green where:

(a)

the linked data have different biometric data but share the same identity data and the authority responsible for the manual verification of different identities has concluded that the linked data refer to two different persons;

(b)

the linked data have different biometric data, have similar or different identity data, share the same travel document data and the authority responsible for the manual verification of different identities has concluded that the linked data refer to two different persons;

(c)

the linked data have different identity data but share the same travel document data, at least one of the EU information systems does not contain biometric data on the person concerned and the authority responsible for the manual verification of different identities has concluded that the linked data refer to two different persons.

2.   Where the CIR or SIS are queried and where a green link exists between data in two or more of the EU information systems, the MID shall indicate that the identity data of the linked data do not correspond to the same person.

3.   If a Member State authority has evidence to suggest that a green link has been incorrectly recorded in the MID, that a green link is out of date or that data were processed in the MID or the EU information systems in breach of this Regulation, it shall check the relevant data stored in the CIR and SIS and shall, if necessary, rectify or erase the link from the MID without delay. That Member State authority shall inform the Member State responsible for the manual verification of different identities without delay.

Article 32Red link

1.   A link between data from two or more EU information systems shall be classified as red in any of the following cases:

(a)

the linked data share the same biometric data but have similar or different identity data and the authority responsible for the manual verification of different identities has concluded that the linked data refer to the same person in an unjustified manner;

(b)

the linked data have the same, similar or different identity data and the same travel document data, but different biometric data and the authority responsible for the manual verification of different identities has concluded that the linked data refer to two different persons, at least one of whom is using the same travel document in an unjustified manner;

(c)

the linked data share the same identity data, but have different biometric data and different or no travel document data and the authority responsible for the manual verification of different identities has concluded that the linked data refer to two different persons in an unjustified manner;

(d)

the linked data have different identity data, but share the same travel document data, at least one of the EU information systems does not contain biometric data on the person concerned and the authority responsible for the manual verification of different identities has concluded that the linked data refer to the same person in an unjustified manner.

2.   Where the CIR or SIS are queried and where a red link exists between data in two or more of the EU information systems, the MID shall indicate the data referred to in Article 34. Follow-up to a red link shall take place in accordance with Union and national law, with any legal consequence for the person concerned being based only on the relevant data on that person. No legal consequence for the person concerned shall derive solely from the existence of a red link.

3.   Where a red link is created between data in the EES, VIS, ETIAS, Eurodac or ECRIS-TCN, the individual file stored in the CIR shall be updated in accordance with Article 19(2).

4.   Without prejudice to the provisions related to the handling of alerts in SIS contained in Regulations (EU) 2018/1860, (EU) 2018/1861 and (EU) 2018/1862, and without prejudice to limitations necessary to protect security and public order, prevent crime and guarantee that no national investigation will be jeopardised, where a red link is created, the authority responsible for the manual verification of different identities shall inform the person concerned of the presence of multiple unlawful identity data and shall provide the person with the single identification number referred to in Article 34(c) of this Regulation, a reference to the authority responsible for the manual verification of different identities referred to in Article 34(d) of this Regulation and the website address of the web portal established in accordance with Article 49 of this Regulation.

5.   The information referred to in paragraph 4 shall be provided in writing by means of a standard form by the authority responsible for the manual verification of different identities. The Commission shall determine the content and presentation of that form by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 74(2).

6.   Where a red link is created, the MID shall notify the authorities responsible for the linked data in an automated manner.

7.   If a Member State authority or Union agency having access to the CIR or SIS has evidence to suggest that a red link has been incorrectly recorded in the MID or that data were processed in the MID, the CIR or SIS in breach of this Regulation, that authority or agency shall check the relevant data stored in the CIR and SIS and shall:

(a)

where the link relates to one of the SIS alerts referred to in Article 29(2), immediately inform the relevant SIRENE Bureau of the Member State that created the SIS alert;

(b)

in all other cases, either rectify or erase the link from the MID immediately.

If a SIRENE Bureau is contacted pursuant to point (a) of the first subparagraph, it shall verify the evidence provided by the Member State authority or the Union agency and where relevant rectify or erase the link from the MID immediately.

The Member State authority obtaining the evidence shall inform the Member State authority responsible for the manual verification of different identities without delay of any relevant rectification or erasure of a red link.

Article 33White link

1.   A link between data from two or more EU information systems shall be classified as white in any of the following cases:

(a)

the linked data share the same biometric data and the same or similar identity data;

(b)

the linked data share the same or similar identity data, the same travel document data, and at least one of the EU information systems does not have biometric data on the person concerned;

(c)

the linked data share the same biometric data, the same travel document data and similar identity data;

(d)

the linked data share the same biometric data but have similar or different identity data and the authority responsible for the manual verification of different identities has concluded that linked data refer to the same person in a justified manner.

2.   Where the CIR or SIS are queried and where a white link exists between data in two or more of the EU information systems, the MID shall indicate that the identity data of the linked data correspond to the same person. The queried EU information systems shall reply indicating, where relevant, all the linked data on the person, thereby triggering a match against the data that are linked by the white link, if the authority launching the query has access to the linked data under Union or national law.

3.   Where a white link is created between data in the EES, VIS, ETIAS, Eurodac or ECRIS-TCN, the individual file stored in the CIR shall be updated in accordance with Article 19(2).

4.   Without prejudice to the provisions related to the handling of alerts in SIS contained in Regulations (EU) 2018/1860, (EU) 2018/1861 and (EU) 2018/1862, and without prejudice to limitations necessary to protect security and public order, prevent crime and guarantee that no national investigation will be jeopardised, where a white link is created following a manual verification of different identities, the authority responsible for the manual verification of different identities shall inform the person concerned of the presence of similar or different identity data and shall provide the person with the single identification number referred to in Article 34(c) of this Regulation, a reference to the authority responsible for the manual verification of different identities referred to in Article 34(d) of this Regulation and the website address of the web portal established in accordance with Article 49 of this Regulation.

5.   If a Member State authority has evidence to suggest that a white link has been incorrectly recorded in the MID, that a white link is out of date or that data were processed in the MID or the EU information systems in breach of this Regulation, it shall check the relevant data stored in the CIR and SIS and shall, if necessary, rectify or erase the link from the MID without delay. That Member State authority shall inform the Member State responsible for the manual verification of different identities without delay.

6.   The information referred to in paragraph 4 shall be in writing by means of a standard form by the authority responsible for the manual verification of different identities. The Commission shall determine the content and presentation of that form by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 74(2).

Article 34Identity confirmation file

The identity confirmation file shall contain the following data:

(a)

the links referred to in Articles 30 to 33;

(b)

a reference to the EU information systems in which the linked data are held;

(c)

a single identification number allowing retrieval of the linked data from the corresponding EU information systems;

(d)

the authority responsible for the manual verification of different identities;

(e)

the date of creation of the link or of any update to it.

Article 35Data retention in the multiple-identity detector

The identity confirmation files and the data in them, including the links, shall be stored in the MID only for as long as the linked data are stored in two or more EU information systems. They shall be erased from the MID in an automated manner.

Article 36Keeping of logs

1.   eu-LISA shall keep logs of all data processing operations in the MID. Those logs shall include the following:

(a)

the Member State launching the query;

(b)

the purpose of user's access;

(c)

the date and time of the query;

(d)

the type of data used to launch the query;

(e)

the reference to the linked data;

(f)

the history of the identity confirmation file.

2.   Each Member State shall keep logs of queries that its authorities and the staff of those authorities duly authorised to use the MID make. Each Union agency shall keep logs of queries that its duly authorised staff make.

3.   The logs referred to in paragraphs 1 and 2 may be used only for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity. Those logs shall be protected by appropriate measures against unauthorised access and erased one year after their creation. If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the logs.

Article 37Data quality

1.   Without prejudice to Member States' responsibilities with regard to the quality of data entered into the systems, eu-LISA shall establish automated data quality control mechanisms and procedures on the data stored in the EES, VIS, ETIAS, SIS, the shared BMS and the CIR.

2.   eu-LISA shall implement mechanisms for evaluating the accuracy of the shared BMS, common data quality indicators and the minimum quality standards for storage of data in the EES, VIS, ETIAS, SIS, the shared BMS and the CIR.

Only data fulfilling the minimum quality standards may be entered in the EES, VIS, ETIAS, SIS, the shared BMS, the CIR and the MID.

3.   eu-LISA shall provide regular reports on the automated data quality control mechanisms and procedures and the common data quality indicators to the Member States. eu-LISA shall also provide a regular report to the Commission covering the issues encountered and the Member States concerned. eu-LISA shall also provide that report to the European Parliament and to the Council upon request. No reports provided under this paragraph shall contain any personal data.

4.   The details of the automated data quality control mechanisms and procedures, the common data quality indicators and the minimum quality standards for storage of data in the EES, VIS, ETIAS, SIS, the shared BMS and the CIR, in particular regarding biometric data, shall be laid down in implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 74(2).

5.   One year after the establishment of the automated data quality control mechanisms and procedures, common data quality indicators and the minimum data quality standards, and every year thereafter, the Commission shall evaluate Member States' implementation of data quality and make any necessary recommendations. The Member States shall provide the Commission with an action plan to remedy any deficiencies identified in the evaluation report and, in particular, data quality issues deriving from erroneous data in EU information systems. The Member States shall regularly report to the Commission on any progress against this action plan until it is fully implemented.

The Commission shall transmit the evaluation report to the European Parliament, to the Council, to the European Data Protection Supervisor, to the European Data Protection Board and to the European Union Agency for Fundamental Rights established by Council Regulation (EC) No 168/2007  ( 39 ) .

Article 38Universal message format

1.   The universal message format (UMF) standard is hereby established. The UMF defines standards for certain content elements of cross-border information exchange between information systems, authorities or organisations in the field of Justice and Home Affairs.

2.   The UMF standard shall be used in the development of the EES, ETIAS, the ESP, the CIR, the MID and, if appropriate, in the development by eu-LISA or by any other Union agency of new information exchange models and information systems in the area of Justice and Home Affairs.

3.   The Commission shall adopt an implementing act to lay down and develop the UMF standard referred to in paragraph 1 of this Article. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 74(2).

Article 39Central repository for reporting and statistics

1.   A central repository for reporting and statistics (CRRS) is established for the purposes of supporting the objectives of the EES, VIS, ETIAS and SIS, in accordance with the respective legal instruments governing those systems, and to provide cross-system statistical data and analytical reporting for policy, operational and data quality purposes.

2.   eu-LISA shall establish, implement and host in its technical sites the CRRS containing the data and statistics referred to in Article 63 of Regulation (EU) 2017/2226, Article 17 of Regulation (EC) No 767/2008, Article 84 of Regulation (EU) 2018/1240, Article 60 of Regulation (EU) 2018/1861 and Article 16 of Regulation (EU) 2018/1860, logically separated by EU information system. Access to the CRRS shall be granted by means of controlled, secured access and specific user profiles, solely for the purpose of reporting and statistics, to the authorities referred to in Article 63 of Regulation (EU) 2017/2226, Article 17 of Regulation (EC) No 767/2008, Article 84 of Regulation (EU) 2018/1240 and Article 60 of Regulation (EU) 2018/1861.

3.   eu-LISA shall render the data anonymous and shall record such anonymised data in the CRRS. The process for rendering the data anonymous shall be automated.

The data contained in CRRS shall not allow for the identification of individuals.

4.   The CRRS shall be composed of:

(a)

the tools necessary for anonymising data;

(b)

a central infrastructure, consisting of a data repository of anonymous data;

(c)

a secure communication infrastructure to connect the CRRS to the EES, VIS, ETIAS and SIS, as well as the central infrastructures of the shared BMS, the CIR and the MID.

5.   The Commission shall adopt a delegated act in accordance with Article 73 laying down detailed rules on the operation of the CRRS, including specific safeguards for the processing of personal data under paragraphs 2 and 3 of this Article and security rules applicable to the repository.

Article 40Data controller

1.   In relation to the processing of data in the shared BMS, the Member State authorities that are controllers for the EES, VIS and SIS respectively shall be controllers in accordance with point (7) of Article 4 of Regulation (EU) 2016/679 or point (8) of Article 3 of Directive (EU) 2016/680 in relation to the biometric templates obtained from the data referred to in Article 13 of this Regulation that they enter into the underlying systems and shall have responsibility for the processing of the biometric templates in the shared BMS.

2.   In relation to the processing of data in the CIR, the Member State authorities that are controllers for the EES, VIS and ETIAS respectively, shall be controllers in accordance with point (7) of Article 4 of Regulation (EU) 2016/679 in relation to data referred to in Article 18 of this Regulation that they enter into the underlying systems and shall have responsibility for the processing of those personal data in the CIR.

3.   In relation to the processing of data in the MID:

(a)

the European Border and Coast Guard Agency shall be a data controller within the meaning of point (8) of Article 3 of Regulation (EU) 2018/1725 in relation to the processing of personal data by the ETIAS Central Unit;

(b)

the Member State authorities adding or modifying the data in the identity confirmation file shall be controllers in accordance with point (7) of Article 4 of Regulation (EU) 2016/679 or point (8) of Article 3 of Directive (EU) 2016/680 and shall have responsibility for the processing of the personal data in the MID.

4.   For the purposes of data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, the data controllers shall have access to the logs referred to in Articles 10, 16, 24 and 36 for self-monitoring as referred to in Article 44.

Article 41Data processor

In relation to the processing of personal data in the shared BMS, the CIR and the MID, eu-LISA shall be the data processor within the meaning of point (12)(a) of Article 3 of Regulation (EU) 2018/1725.

Article 42Security of processing

1.   eu-LISA, the ETIAS Central Unit, Europol and the Member State authorities shall ensure the security of the processing of personal data that takes place pursuant to this Regulation. eu-LISA, the ETIAS Central Unit, Europol and the Member State authorities shall cooperate on security-related tasks.

2.   Without prejudice to Article 33 of Regulation (EU) 2018/1725, eu-LISA shall take the necessary measures to ensure the security of the interoperability components and their related communication infrastructure.

3.   In particular, eu-LISA shall adopt the necessary measures, including a security plan, a business continuity plan and a disaster recovery plan, in order to:

(a)

physically protect data, including by making contingency plans for the protection of critical infrastructure;

(b)

deny unauthorised persons access to data-processing equipment and installations;

(c)

prevent the unauthorised reading, copying, modification or removal of data media;

(d)

prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of recorded personal data;

(e)

prevent the unauthorised processing of data and any unauthorised copying, modification or deletion of data;

(f)

prevent the use of automated data-processing systems by unauthorised persons using data communication equipment;

(g)

ensure that persons authorised to access the interoperability components have access only to the data covered by their access authorisation, by means of individual user identities and confidential access modes only;

(h)

ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment;

(i)

ensure that it is possible to verify and establish what data have been processed in the interoperability components, when, by whom and for what purpose;

(j)

prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data to or from the interoperability components or during the transport of data media, in particular by means of appropriate encryption techniques;

(k)

ensure that, in the event of interruption, installed systems can be restored to normal operation;

(l)

ensure reliability by making sure that any faults in the functioning of the interoperability components are properly reported;

(m)

monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation and to assess those security measures in the light of new technological developments.

4.   Member States, Europol and the ETIAS Central Unit shall take measures equivalent to those referred to in paragraph 3 as regards security in respect of the processing of personal data by the authorities having a right to access any of the interoperability components.

Article 43Security incidents

1.   Any event that has or may have an impact on the security of the interoperability components and may cause damage to or loss of data stored in them shall be considered to be a security incident, in particular where unauthorised access to data may have occurred or where the availability, integrity and confidentiality of data has or may have been compromised.

2.   Security incidents shall be managed so as to ensure a quick, effective and proper response.

3.   Without prejudice to the notification and communication of a personal data breach pursuant to Article 33 of Regulation (EU) 2016/679, Article 30 of Directive (EU) 2016/680, or both, Member States shall notify the Commission, eu-LISA, the competent supervisory authorities and the European Data Protection Supervisor of any security incidents without delay.

Without prejudice to Articles 34 and 35 of Regulation (EU) 2018/1725 and Article 34 of Regulation (EU) 2016/794, the ETIAS Central Unit and Europol shall notify the Commission, eu-LISA and the European Data Protection Supervisor of any security incidents without delay.

In the event of a security incident in relation to the central infrastructure of the interoperability components, eu-LISA shall notify the Commission and the European Data Protection Supervisor without delay.

4.   Information regarding a security incident that has or may have an impact on the operation of the interoperability components or on the availability, integrity and confidentiality of the data shall be provided to the Member States, the ETIAS Central Unit and Europol without delay and reported in compliance with the incident management plan to be provided by eu-LISA.

5.   The Member States concerned, the ETIAS Central Unit, Europol and eu-LISA shall cooperate in the event of a security incident. The Commission shall lay down the specifications of this cooperation procedure by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 74(2).

Article 44Self-monitoring

Member States and the relevant Union agencies shall ensure that each authority entitled to access the interoperability components takes the measures necessary to monitor its compliance with this Regulation and cooperates, where necessary, with the supervisory authority.

The data controllers referred to in Article 40 shall take the necessary measures to monitor the compliance of data processing pursuant to this Regulation, including through frequent verification of the logs referred to in Articles 10, 16, 24 and 36, and cooperate, where necessary, with the supervisory authorities and with the European Data Protection Supervisor.

Article 45Penalties

Member States shall ensure that any misuse of data, processing of data or exchange of data contrary to this Regulation is punishable in accordance with national law. The penalties provided shall be effective, proportionate and dissuasive.

Article 46Liability

1.   Without prejudice to the right to compensation from, and liability of the controller or processor under Regulation (EU) 2016/679, Directive (EU) 2016/680 and Regulation (EU) 2018/1725:

(a)

any person or Member State that has suffered material or non-material damage as a result of an unlawful personal da processing operation or any other act incompatible with this Regulation by a Member State shall be entitled to receive compensation from that Member State;

(b)

any person or Member State that has suffered material or non-material damage as a result of any act by Europol, the European Border and Coast Guard Agency or eu-LISA incompatible with this Regulation shall be entitled to receive compensation from the agency in question.

The Member State concerned, Europol, the European Border and Coast Guard Agency or eu-LISA shall be exempted from their liability under the first subparagraph, in whole or in part, if they prove that they are not responsible for the event which gave rise to the damage.

2.   If any failure of a Member State to comply with its obligations under this Regulation causes damage to the interoperability components, that Member ate shall be liable for such damage, unless and insofar as eu-LISA or another Member State bound by this Regulation failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.

3.   Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 shall be governed by the national law of the defendant Member State. Claims for compensation against the controller or eu-LISA for the damage referred to in paragraphs 1 and 2 shall be subject to the conditions provided for in the Treaties.

Article 47Right to information

1.   The authority collecting the personal data to be stored in the shared BMS, the CIR or the MID shall provide the persons whose data are collected with the information required under Articles 13 and 14 of Regulation (EU) 2016/679, Articles 12 and 13 of Directive (EU) 2016/680 and Articles 15 and 16 of Regulation (EU) 2018/1725. The authority shall provide the information at the time that such data are collected.

2.   All information shall be made available, using clear and plain language, in a linguistic version the person concerned understands or is reasonably expected to understand. This shall include providing information in a manner which is appropriate to the age of the data subjects who are minors.

3.   Persons whose data are recorded in the EES, VIS or ETIAS shall be informed about the processing of personal data for the purposes of this Regulation in accordance with paragraph 1 when:

(a)

an individual file is created or updated in the EES in accordance with Article 14 of Regulation (EU) 2017/2226;

(b)

an application file is created or updated in VIS in accordance with Article 8 of Regulation (EC) No 767/2008;

(c)

an application file is created or updated in ETIAS in accordance with Article 19 of Regulation (EU) 2018/1240.

Article 48Right of access to, rectification and erasure of personal data stored in the MID and restriction of processing thereof

1.   In order to exercise their rights under Articles 15 to 18 of Regulation (EU) 2016/679, Articles 17 to 20 of Regulation (EU) 2018/1725 and Articles 14, 15 and 16 of Directive (EU) 2016/680, any person shall have the right to address himself or herself to the competent authority of any Member State, which shall examine and reply to the request.

2.   The Member State which examines such a request shall reply without undue delay and in any event within 45 days of receipt of the request. That period may be extended by 15 further days where necessary, taking into account the complexity and number of the requests. The Member State which examines the request shall inform the data subject of any such extension within 45 days of receipt of the request, together with the reasons for the delay. Member States may decide that replies are to be given by central offices.

3.   If a request for rectification or erasure of personal data is made to a Member State other than the Member State responsible for the manual verification of different identities, the Member State to which the request has been made shall contact the authorities of the Member State responsible for the manual verification of different identities within seven days. The Member State responsible for the manual verification of different identities shall check the accuracy of the data and the lawfulness of the data processing without undue delay and in any event within 30 days of such contact. That period may be extended by 15 further days where necessary, taking into account the complexity and number of the requests. The Member State responsible for the manual verification of different identities shall inform the Member State which contacted it of any such extension together with the reasons for the delay. The person concerned shall be informed by the Member State which contacted the authority of the Member State responsible for the manual verification of different identities about the further procedure.

4.   If a request for rectification or erasure of personal data is made to a Member State where the ETIAS Central Unit was responsible for the manual verification of different identities, the Member State to which the request has been made shall contact the ETIAS Central Unit within seven days to ask for its opinion. The ETIAS Central Unit shall give its opinion without undue delay and in any event within 30 days of being contacted. That period may be extended by 15 further days where necessary, taking into account the complexity and number of the requests. The person concerned shall be informed by the Member State which contacted the ETIAS Central Unit about the further procedure.

5.   Where, following an examination, it is found that the data stored in the MID are inaccurate or have been recorded unlawfully, the Member State responsible for the manual verification of different identities or, where there was no Member State responsible for the manual verification of different identities or where the ETIAS Central Unit was responsible for the manual verification of different identities, the Member State to which the request has been made shall rectify or erase those data without any undue delay. The person concerned shall be informed in writing that his or her data have been rectified or erased.

6.   Where data stored in the MID are amended by a Member State during their retention period, that Member State shall carry out the processing laid down in Article 27 and, where relevant, Article 29 to determine whether the amended data are to be linked. Where the processing does not report any match, that Member State shall erase the data from the identity confirmation file. Where the automated processing reports one or several matches, that Member State shall create or update the relevant link in accordance with the relevant provisions of this Regulation.

7.   Where the Member State responsible for the manual verification of different identities or, where applicable, the Member State to which the request has been made does not agree that data stored in the MID are inaccurate or have been recorded unlawfully, that Member State shall adopt an administrative decision explaining in writing to the person concerned without delay why it is not prepared to rectify or erase data relating to him or her.

8.   The decision referred to in paragraph 7 shall also provide the person concerned with information explaining the possibility to challenge the decision taken in respect of the request for access to, rectification, erasure or restriction of processing of personal data and, where relevant, information on how to bring an action or a complaint before the competent authorities or courts, and any assistance, including from the supervisory authorities.

9.   Any request for access to, rectification, erasure or restriction of processing of personal data shall contain the necessary information to identify the person concerned. That information shall be used exclusively to enable the exercise of the rights referred to in this Article and shall be erased immediately afterwards.

10.   The Member State responsible for the manual verification of different identities or, where applicable, the Member State to which the request has been made shall keep a written record that a request for access to, rectification, erasure or restriction of processing of personal data was made and how it was addressed, and shall make that record available to supervisory authorities without delay.

11.   This Article is without prejudice to any limitations and restrictions to the rights set out in this Article pursuant to Regulation (EU) 2016/679 and Directive (EU) 2016/680.

Article 49Web portal

1.   A web portal is established for the purpose of facilitating the exercise of the rights of access to, rectification, erasure or restriction of processing of personal data.

2.   The web portal shall contain information on the rights and procedures referred to in Articles 47 and 48 and a user interface enabling persons whose data are processed in the MID and who have been informed of the presence of a red link in accordance with Article 32(4) to receive the contact information of the competent authority of the Member State responsible for the manual verification of different identities.

3.   In order to obtain the contact information of the competent authority of the Member State responsible for the manual verification of different identities, the person whose data are processed in the MID should enter the reference to the authority responsible for the manual verification of different identities referred to in Article 34(d). The web portal shall use this reference in order to retrieve the contact information of the competent authority of the Member State responsible for the manual verification of different identities. The web portal shall also include a template e-mail to facilitate communication between the portal user and the competent authority of the Member State responsible for the manual verification of different identities. Such e-mail shall include a field for the single identification number referred to in Article 34(c) in order to allow the competent authority of the Member State responsible for the manual verification of different identities to identify the data concerned.

4.   Member States shall provide eu-LISA with the contact details of all authorities that are competent to examine and reply to any request referred to in Articles 47 and 48 and shall regularly review whether those contact details are up to date.

5.   eu-LISA shall develop the web portal and ensure its technical management.

6.   The Commission shall adopt a delegated act in accordance with Article 73 laying down detailed rules on the operation of the web portal, including the user interface, the languages in which the web portal shall be available and the template e-mail.

Article 50Communication of personal data to third countries, international organisations and private parties

Without prejudice to Article 65 of Regulation (EU) 2018/1240, Articles 25 and 26 of Regulation (EU) 2016/794, Article 41 of Regulation (EU) 2017/2226, Article 31 of Regulation (EC) No 767/2008, and the querying of Interpol databases through the ESP in accordance with Article 9(5) of this Regulation which comply with the provisions of Chapter V of Regulation (EU) 2018/1725 and Chapter V of Regulation (EU) 2016/679, personal data stored in, processed or accessed by the interoperability components shall not be transferred or made available to any third country, to any international organisation or to any private party.

79 articles

Cite this act

Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008 (EU) 2016/399 (EU) 2017/2226 (EU) 2018/1240 (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA (EUR-Lex). Retrieved via LawPlayer, https://lawplayer.com/eu/act/32019R0817

© European Union, https://eur-lex.europa.eu, 1998-2026. Reuse authorised under Commission Decision 2011/833/EU, provided the source is acknowledged.

EU-EurLex-Reuse-2011-833

本頁資料來源:EUR-Lex·整理提供:法律人 LawPlayer· lawplayer.com