法律人 LawPlayer logo

資料由法律人 LawPlayer整理提供·EU law / curated by LawPlayer from EUR-Lex

Regulation

Regulation (EU) 2024/982 of the European Parliament and of the Council of 13 March 2024 on the automated search and exchange of data for police cooperation, and amending Council Decisions 2008/615/JHA and 2008/616/JHA and Regulations (EU) 2018/1726, (EU) No 2019/817 and (EU) 2019/818 of the European Parliament and of the Council (the Prüm II Regulation)

CELEX
Regulation (EU) 2024/982
Date of document
Articles
81
Source
EUR-Lex
Article 1Subject matter

This Regulation establishes a framework for searching and exchanging information between Member States’ competent authorities (the Prüm II framework) by laying down:

(a)

the conditions and procedures for the automated searching of DNA profiles, dactyloscopic data, certain vehicle registration data, facial images and police records; and

(b)

the rules regarding the exchange of core data following a confirmed match on biometric data.

Article 2Purpose

The purpose of the Prüm II framework is to step up cross-border cooperation in matters covered by Part III, Title V, Chapters 4 and 5, of the Treaty on the Functioning of the European Union, particularly by facilitating the exchange of information between Member States’ competent authorities, in full respect of the fundamental rights of natural persons, including the right to respect for one’s private life and the right to the protection of personal data, in accordance with the Charter of Fundamental Rights of the European Union.

The purpose of the Prüm II framework is also to allow Member State’s competent authorities to search for missing persons in the context of criminal investigations or on humanitarian grounds and to identify human remains, in accordance with Article 29, provided that those authorities are empowered to conduct such searches and to carry out such identifications under national law.

Article 3Scope

This Regulation applies to the databases established in accordance with national law and used for the automated transfer of DNA profiles, dactyloscopic data, certain vehicle registration data, facial images and police records, in compliance with, as applicable, Directive (EU) 2016/680 or Regulation (EU) 2018/1725, (EU) No 2016/794 or (EU) 2016/679.

Article 4Definitions

For the purposes of this Regulation, the following definitions apply:

(1)

‘loci’ (singular: ‘locus’) means DNA locations containing identification characteristics of an analysed human DNA sample;

(2)

‘DNA profile’ means a letter or number code which represents a set of loci or the particular molecular structure at the various loci;

(3)

‘DNA reference data’ means a DNA profile and the reference number referred to in Article 7;

(4)

‘identified DNA profile’ means the DNA profile of an identified person;

(5)

‘unidentified DNA profile’ means the DNA profile collected during the investigation of criminal offences and belonging to a person not yet identified, including a DNA profile obtained from traces;

(6)

‘dactyloscopic data’ means images of fingerprints, images of fingerprint latents, images of palm prints, images of palm print latents and templates of such images (coded minutiae) that are stored and dealt with in an automated database;

(7)

‘dactyloscopic reference data’ means dactyloscopic data and the reference number referred to in Article 12;

(8)

‘unidentified dactyloscopic data’ means dactyloscopic data collected during the investigation of a criminal offence and belonging to a person not yet identified, including dactyloscopic data obtained from traces;

(9)

‘identified dactyloscopic data’ means the dactyloscopic data of an identified person;

(10)

‘individual case’ means a single file related to the prevention, detection or investigation of a criminal offence, to the search for a missing person or to the identification of unidentified human remains;

(11)

‘facial image’ means a digital image of the face;

(12)

‘facial image reference data’ means a facial image and the reference number referred to in Article 21;

(13)

‘unidentified facial image’ means a facial image collected during the investigation of a criminal offence and belonging to a person not yet identified, including a facial image obtained from traces;

(14)

‘identified facial image’ means the facial image of an identified person;

(15)

‘biometric data’ means DNA profiles, dactyloscopic data or facial images;

(16)

‘alphanumeric data’ means data represented by letters, digits, special characters, spaces and punctuation marks;

(17)

‘match’ means the existence of a correspondence as a result of an automated comparison between personal data held in a database;

(18)

‘candidate’ means data with which a match has occurred;

(19)

‘requesting Member State’ means a Member State conducting a search via the Prüm II framework;

(20)

‘requested Member State’ means a Member State in whose databases a requesting Member State conducts a search via the Prüm II framework;

(21)

‘police records’ means biographical data of suspects and convicted persons available in national databases established for the prevention, detection and investigation of criminal offences;

(22)

‘pseudonymisation’ means pseudonymisation as defined in Article 3, point (5), of Directive (EU) 2016/680;

(23)

‘suspect’ means a person as referred to in Article 6, point (a), of Directive (EU) 2016/680;

(24)

‘personal data’ means personal data as defined in Article 3, point (1), of Directive (EU) 2016/680;

(25)

‘Europol data’ means any operational personal data processed by Europol in accordance with Regulation (EU) 2016/794;

(26)

‘competent authority’ means any public authority competent for the prevention, detection or investigation of criminal offences, or any other body or entity entrusted by Member State law with the exercise of public authority and public powers for the purposes of the prevention, detection or investigation of criminal offences;

(27)

‘supervisory authority’ means an independent public authority established by a Member State pursuant to Article 41 of Directive (EU) 2016/680;

(28)

‘SIENA’ means the secure information exchange network application managed and developed by Europol in accordance with Regulation (EU) 2016/794;

(29)

‘incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555 of the European Parliament and of the Council  ( 17 ) .

(30)

‘significant incident’ means an incident unless that incident has a limited impact and is likely to be already well understood in terms of method or technology;

(31)

‘significant cyber threat’ means a cyber threat with the opportunity and capability, and the purpose of which is, to cause a significant incident;

(32)

‘significant vulnerability’ means a vulnerability that will likely lead to a significant incident if it is exploited.

Article 5DNA reference data

1.   Member States shall ensure the availability of DNA reference data from their national DNA databases for the purposes of automated searches by other Member States and Europol pursuant to this Regulation.

DNA reference data shall not contain any additional data from which an individual can be directly identified.

Unidentified DNA profiles shall be recognisable as such.

2.   DNA reference data shall be processed in accordance with this Regulation and in compliance with the national law applicable to the processing of those data.

3.   The Commission shall adopt an implementing act to specify the identification characteristics of a DNA profile which is to be exchanged. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 77(2).

Article 6Automated searching of DNA profiles

1.   For the investigation of criminal offences, Member States shall, at the time of initial connection to the router via their national contact points, conduct an automated search by comparing all the DNA profiles stored in their DNA databases with all the DNA profiles stored in all other Member States’ DNA databases and Europol data. Each Member State shall agree bilaterally with each other Member State and with Europol on the arrangements for those automated searches in accordance with the rules and procedures laid down in this Regulation.

2.   For the investigation of criminal offences, Member States shall, via their national contact points, conduct automated searches by comparing all the new DNA profiles added to their DNA databases with all the DNA profiles stored in all other Member States’ DNA databases and Europol data.

3.   Where searches as referred to in paragraph 2 could not take place, the Member State concerned may agree bilaterally with each other Member State and with Europol to conduct them at a later stage by comparing DNA profiles with all DNA profiles stored in all other Member States’ DNA databases and Europol data. The Member State concerned shall agree bilaterally with each other Member State and with Europol on the arrangements for those automated searches in accordance with the rules and procedures laid down in this Regulation.

4.   Searches as referred to in paragraphs 1, 2 and 3 shall only be conducted in the framework of individual cases and in compliance with the national law of the requesting Member State.

5.   Where an automated search shows that a supplied DNA profile matches DNA profiles stored in the requested Member State’s searched database or databases, the national contact point of the requesting Member State shall receive in an automated manner the DNA reference data with which a match has been found.

6.   The national contact point of the requesting Member State may decide to confirm a match between two DNA profiles. Where it decides to confirm a match between two DNA profiles, it shall inform the requested Member State and shall ensure that at least one qualified member of staff conducts a manual review in order to confirm that match with DNA reference data received from the requested Member State.

7.   Where relevant for the investigation of criminal offences, the national contact point of the requested Member State may decide to confirm a match between two DNA profiles. Where it decides to confirm a match between two DNA profiles, it shall inform the requesting Member State and shall ensure that at least one qualified member of staff conducts a manual review in order to confirm that match with DNA reference data received from the requesting Member State.

Article 7Reference numbers for DNA profiles

The reference numbers for DNA profiles shall be the combination of the following:

(a)

a reference number allowing Member States, in the event of a match, to retrieve further data and other information in their national DNA databases in order to supply them or it to one, several or all of the other Member States in accordance with Article 47 or to Europol in accordance with Article 49(6);

(b)

a reference number allowing Europol, in the event of a match, to retrieve further data and other information for the purposes of Article 48(1) of this Regulation in order to supply them or it to one, several or all Member States in accordance with Regulation (EU) 2016/794;

(c)

a code to indicate the Member State which holds the DNA profile;

(d)

a code to indicate whether the DNA profile is an identified DNA profile or an unidentified DNA profile.

Article 8Principles for the exchange of DNA profiles

1.   Member States shall take appropriate measures to ensure the confidentiality and integrity of DNA reference data sent to other Member States or Europol, including their encryption. Europol shall take appropriate measures to ensure the confidentiality and integrity of DNA reference data sent to Member States, including their encryption.

2.   Each Member State and Europol shall ensure that the DNA profiles it transmits are of sufficient quality for automated comparison. The Commission shall establish, by means of implementing acts, a minimum quality standard to allow for the comparison of DNA profiles.

3.   The Commission shall adopt implementing acts specifying the relevant European or international standards to be used by Member States and Europol for the exchange of DNA reference data.

4.   The implementing acts referred to in paragraphs 2 and 3 of this Article shall be adopted in accordance with the examination procedure referred to in Article 77(2).

Article 9Rules for requests and replies regarding DNA profiles

1.   A request for an automated search of DNA profiles shall include only the following information:

(a)

the code of the requesting Member State;

(b)

the date and time of the request and the request number;

(c)

DNA reference data;

(d)

whether the DNA profiles transmitted are unidentified DNA profiles or identified DNA profiles.

2.   A reply to a request as referred to in paragraph 1 shall contain only the following information:

(a)

an indication as to whether there were one or more matches or no matches;

(b)

the date and time of the request and the request number;

(c)

the date and time of the reply and the reply number;

(d)

the codes of the requesting and requested Member States;

(e)

the reference numbers of the DNA profiles from the requesting and requested Member States;

(f)

whether the DNA profiles transmitted are unidentified DNA profiles or identified DNA profiles;

(g)

the matching DNA profiles.

3.   A match shall be automatically notified only where the automated search has resulted in a match of a minimum number of loci. The Commission shall adopt implementing acts specifying the minimum number of loci for that purpose in accordance with the examination procedure referred to in Article 77(2).

4.   Where a search with unidentified DNA profiles results in a match, each requested Member State with matching data may insert a marking in its national database indicating that there has been a match for that DNA profile following another Member State’s search. The marking shall include the reference number of the DNA profile used by the requesting Member State.

5.   Member States shall ensure that requests as referred to in paragraph 1 of this Article are consistent with notifications sent pursuant to Article 74. Those notifications shall be reproduced in the practical handbook referred to in Article 79.

Article 10Dactyloscopic reference data

1.   Member States shall ensure the availability of dactyloscopic reference data from their national databases established for the prevention, detection and investigation of criminal offences.

2.   Dactyloscopic reference data shall not contain any additional data from which an individual can be directly identified.

3.   Unidentified dactyloscopic data shall be recognisable as such.

Article 11Automated searching of dactyloscopic data

1.   For the prevention, detection and investigation of criminal offences, Member States shall allow national contact points of other Member States and Europol access to the dactyloscopic reference data in their national databases established for that purpose to conduct automated searches by comparing dactyloscopic reference data.

Searches as referred to in the first subparagraph shall only be conducted in the framework of individual cases and in compliance with the national law of the requesting Member State.

2.   The national contact point of the requesting Member State may decide to confirm a match between two sets of dactyloscopic data. Where it decides to confirm a match between two sets of dactyloscopic data, it shall inform the requested Member State and shall ensure that at least one qualified member of staff conducts a manual review in order to confirm that match with dactyloscopic reference data received from the requested Member State.

Article 12Reference numbers for dactyloscopic data

The reference numbers for dactyloscopic data shall be the combination of the following:

(a)

a reference number allowing Member States, in the event of a match, to retrieve further data and other information in their databases referred to in Article 10 in order to supply them or it to one, several or all of the other Member States in accordance with Article 47 or to Europol in accordance with Article 49(6);

(b)

a reference number allowing Europol, in the event of a match, to retrieve further data and other information for the purposes of Article 48(1) of this Regulation in order to supply them or it to one, several or all Member States in accordance with Regulation (EU) 2016/794;

(c)

a code to indicate the Member State which holds the dactyloscopic data.

Article 13Principles for the exchange of dactyloscopic data

1.   Member States shall take appropriate measures to ensure the confidentiality and integrity of dactyloscopic data sent to other Member States or Europol, including their encryption. Europol shall take appropriate measures to ensure the confidentiality and integrity of dactyloscopic data sent to Member States, including their encryption.

2.   Each Member State and Europol shall ensure that the dactyloscopic data it transmits are of sufficient quality for automated comparison. The Commission shall establish, by means of implementing acts, a minimum quality standard to allow for the comparison of dactyloscopic data.

3.   Dactyloscopic data shall be digitalised and transmitted to the other Member States or Europol in accordance with European or international standards. The Commission shall adopt implementing acts specifying the relevant European or international standards to be used by Member States and Europol for the exchange of dactyloscopic data.

4.   The implementing acts referred to in paragraphs 2 and 3 of this Article shall be adopted in accordance with the examination procedure referred to in Article 77(2).

Article 14Search capacities for dactyloscopic data

1.   Each Member State shall ensure that its search requests do not exceed the search capacities specified by the requested Member State or Europol to ensure system readiness and to avoid overloading the system. For the same purpose, Europol shall ensure that its search requests do not exceed the search capacities specified by the requested Member State.

Member States shall inform the other Member States, the Commission, eu-LISA and Europol about their maximum search capacities per day for identified and unidentified dactyloscopic data. Europol shall inform Member States, the Commission and eu-LISA about its maximum search capacities per day for identified and unidentified dactyloscopic data. Member States or Europol may temporarily or permanently raise those search capacities at any time, including in a case of urgency. Where a Member State raises those maximum search capacities, it shall notify the other Member States, the Commission, eu-LISA and Europol of the new maximum search capacities. Where Europol raises those maximum search capacities, it shall notify the Member States, the Commission and eu-LISA of the new maximum search capacities.

2.   The Commission shall adopt implementing acts specifying the maximum numbers of candidates accepted for comparison per transmission and the distribution of unused search capacities between Member States in accordance with the examination procedure referred to in Article 77(2).

Article 15Rules for requests and replies regarding dactyloscopic data

1.   A request for an automated search of dactyloscopic data shall include only the following information:

(a)

the code of the requesting Member State;

(b)

the date and time of the request and the request number;

(c)

dactyloscopic reference data.

2.   A reply to a request as referred to in paragraph 1 shall contain only the following information:

(a)

an indication as to whether there were one or more matches or no matches;

(b)

the date and time of the request and the request number;

(c)

the date and time of the reply and the reply number;

(d)

the codes of the requesting and requested Member States;

(e)

the reference numbers of the dactyloscopic data from the requesting and requested Member States;

(f)

the matching dactyloscopic data.

3.   Member States shall ensure that requests as referred to in paragraph 1 of this Article are consistent with notifications sent pursuant to Article 74. Those notifications shall be reproduced in the practical handbook referred to in Article 79.

Article 16Automated searching of vehicle registration data

1.   For the prevention, detection and investigation of criminal offences, Member States shall allow national contact points of other Member States and Europol access to the following national vehicle registration data to conduct automated searches in individual cases:

(a)

data relating to the owner or holder of the vehicle;

(b)

data relating to the vehicle.

2.   Searches as referred to in paragraph 1 shall be conducted only with the following data:

(a)

a complete chassis number;

(b)

a complete registration number; or

(c)

where authorised by the national law of the requested Member State, data relating to the owner or holder of the vehicle.

3.   Searches as referred to in paragraph 1 conducted with data related to the owner or holder of the vehicle shall only be conducted in the case of suspects or convicted persons. All of the following identification data shall be used for the purposes of such searches:

(a)

where the owner or holder of the vehicle is a natural person:

(i)

the first name or names of the natural person;

(ii)

the family name or names of the natural person; and

(iii)

the date of birth of the natural person;

(b)

where the owner or holder of the vehicle is a legal person, that legal person’s name.

4.   Searches as referred to in paragraph 1 shall be conducted only in compliance with the national law of the requesting Member State.

Article 17Principles of automated searching of vehicle registration data

1.   For automated searching of vehicle registration data, Member States shall use the European Vehicle and Driving Licence Information System (Eucaris).

2.   Information exchanged via Eucaris shall be transmitted in encrypted form.

3.   The Commission shall adopt implementing acts specifying the data elements of the vehicle registration data which can be exchanged and the technical procedure for Eucaris to query Member States’ databases. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 77(2).

Article 18Keeping of logs

1.   Each Member State shall keep logs of queries that the staff of its competent authorities duly authorised to exchange vehicle registration data make and logs of queries requested by other Member States. Europol shall keep logs of queries that its duly authorised staff make.

Each Member State and Europol shall keep logs of all data processing operations concerning vehicle registration data. Those logs shall include the following:

(a)

whether it was a Member State or Europol that launched the request for a query; where it was a Member State that launched the request for a query, the Member State in question;

(b)

the date and time of the request;

(c)

the date and time of the reply;

(d)

the national databases to which a request for a query was sent;

(e)

the national databases that provided a positive reply.

2.   The logs referred to in paragraph 1 shall be used only for the collection of statistics, for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity. Those logs shall be protected by appropriate measures against unauthorised access and shall be erased three years after their creation. If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the logs.

3.   For the purposes of data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, the data controllers shall have access to the logs for self-monitoring as referred to in Article 55.

Article 19Facial image reference data

1.   Member States shall ensure the availability of facial image reference data of suspects, convicted persons and, where permitted under national law, victims from their national databases established for the prevention, detection and investigation of criminal offences.

2.   Facial image reference data shall not contain any additional data from which an individual can be directly identified.

3.   Unidentified facial images shall be recognisable as such.

Article 20Automated searching of facial images

1.   For the prevention, detection and investigation of criminal offences punishable by a maximum term of imprisonment of at least one year under the law of the requesting Member State, Member States shall allow national contact points of other Member States and Europol access to the facial image reference data in their national databases to conduct automated searches.

Searches as referred to in the first subparagraph shall only be conducted in the framework of individual cases and in compliance with the national law of the requesting Member State.

Profiling as referred to in Article 11(3) of Directive (EU) 2016/680 shall be prohibited.

2.   The national contact point of the requesting Member State may decide to confirm a match between two facial images. Where it decides to confirm a match between two facial images, it shall inform the requested Member State and shall ensure that at least one qualified member of staff conducts a manual review in order to confirm that match with facial image reference data received from the requested Member State.

Article 21Reference numbers for facial images

The reference numbers for facial images shall be the combination of the following:

(a)

a reference number allowing Member States, in the event of a match, to retrieve further data and other information in their databases referred to in Article 19 in order to supply them or it to one, several or all of the other Member States in accordance with Article 47 or to Europol in accordance with Article 49(6);

(b)

a reference number allowing Europol, in the event of a match, to retrieve further data and other information for the purposes of Article 48(1) of this Regulation in order to supply them or it to one, several or all Member States in accordance with Regulation (EU) 2016/794;

(c)

a code to indicate the Member State which holds the facial images.

Article 22Principles for the exchange of facial images

1.   Member States shall take appropriate measures to ensure the confidentiality and integrity of facial images sent to other Member States or Europol, including their encryption. Europol shall take appropriate measures to ensure the confidentiality and integrity of facial images sent to Member States, including their encryption.

2.   Each Member State and Europol shall ensure that the facial images it transmits are of sufficient quality for automated comparison. The Commission shall establish, by means of implementing acts, a minimum quality standard to allow for the comparison of facial images. Where the report referred to in Article 80(7) shows a high risk of false matches, the Commission shall review those implementing acts.

3.   The Commission shall adopt implementing acts specifying the relevant European or international standards to be used by Member States and Europol for the exchange of facial images.

4.   The implementing acts referred to in paragraphs 2 and 3 of this Article shall be adopted in accordance with the examination procedure referred to in Article 77(2).

Article 23Search capacities for facial images

1.   Each Member State shall ensure that its search requests do not exceed the search capacities specified by the requested Member State or Europol to ensure system readiness and to avoid overloading the system. For the same purpose, Europol shall ensure that its search requests do not exceed the search capacities specified by the requested Member State.

Member States shall inform the other Member States, the Commission, eu-LISA and Europol about their maximum search capacities per day for identified and unidentified facial images. Europol shall inform the Member States, the Commission and eu-Lisa about its maximum search capacities per day for identified and unidentified facial images. Member States or Europol may temporarily or permanently raise those search capacities at any time, including in a case of urgency. Where a Member State raises those maximum search capacities, it shall notify the other Member States, the Commission, eu-LISA and Europol of the new maximum search capacities. Where Europol raises those maximum search capacities, it shall notify the Member States, the Commission and eu-LISA of the new maximum search capacities.

2.   The Commission shall adopt implementing acts specifying the maximum numbers of candidates accepted for comparison per transmission and the distribution of unused search capacities between Member States in accordance with the examination procedure referred to in Article 77(2).

Article 24Rules for requests and replies regarding facial images

1.   A request for an automated search of facial images shall include only the following information:

(a)

the code of the requesting Member State;

(b)

the date and time of the request and the request number;

(c)

facial image reference data.

2.   A reply to a request as referred to in paragraph 1 shall contain only the following information:

(a)

an indication as to whether there were one or more matches or no matches;

(b)

the date and time of the request and the request number;

(c)

the date and time of the reply and the reply number;

(d)

the codes of the requesting and requested Member States;

(e)

the reference numbers of the facial images from the requesting and requested Member States;

(f)

the matching facial images.

3.   Member States shall ensure that requests as referred to in paragraph 1 of this Article are consistent with notifications sent pursuant to Article 74. Those notifications shall be reproduced in the practical handbook referred to in Article 79.

Article 25Police records

1.   Member States may participate in the automated exchange of police records. For the purposes of such exchanges, participating Member States shall ensure the availability of national police record indexes which contain sets of biographical data of suspects and convicted persons from their national databases established for the prevention, detection and investigation of criminal offences. Those sets of data shall contain only the following data to the extent that they are available:

(a)

first name or names;

(b)

family name or names;

(c)

alias or aliases and previously used name or names;

(d)

date of birth;

(e)

nationality or nationalities;

(f)

country of birth;

(g)

gender.

2.   The data referred to in paragraph 1, points (a), (b) and (c), shall be pseudonymised.

Article 26Automated searching of national police record indexes

For the prevention, detection and investigation of criminal offences punishable by a maximum term of imprisonment of at least one year under the law of the requesting Member State, Member States participating in the automated exchange of police records shall allow national contact points of other participating Member States and Europol access to data from their national police record indexes to conduct automated searches.

Searches as referred to in the first paragraph shall only be conducted in the framework of individual cases and in compliance with the national law of the requesting Member State.

Article 27Reference numbers for police records

The reference numbers for police records shall be the combination of the following:

(a)

a reference number allowing Member States, in the event of a match, to retrieve biographical data and other information in their national police record indexes referred to in Article 25 in order to supply them or it to one, several or all of the other Member States in accordance with Article 44;

(b)

a code to indicate the Member State which holds the police records.

Article 28Rules for requests and replies regarding police records

1.   A request for an automated search of national police record indexes shall include only the following information:

(a)

the code of the requesting Member State;

(b)

the date and time of the request and the request number;

(c)

the data referred to in Article 25, in so far as they are available.

2.   A reply to a request as referred to in paragraph 1 shall contain only the following information:

(a)

an indication as to the number of matches;

(b)

the date and time of the request and the request number;

(c)

the date and time of the reply and the reply number;

(d)

the codes of the requesting and requested Member States;

(e)

the reference numbers of the police records from the requested Member States.

3.   Member States shall ensure that requests as referred to in paragraph 1 of this Article are consistent with notifications sent pursuant to Article 74. Those notifications shall be reproduced in the practical handbook referred to in Article 79.

Article 29Missing persons and unidentified human remains

1.   Where a national authority has been so empowered by national legislative measures as referred to in paragraph 2, it may conduct automated searches using the Prüm II framework for the following purposes only:

(a)

searching for missing persons in the context of criminal investigations or on humanitarian grounds;

(b)

identifying human remains.

2.   Member States wishing to avail themselves of the possibility provided for in paragraph 1 shall, by means of national legislative measures, designate the national authorities competent for the purposes laid down therein and lay down the procedures, conditions and criteria, including the humanitarian grounds on which it is permitted to conduct automated searches for missing persons as referred to in paragraph 1, point (a).

Article 30National contact points

Each Member State shall designate one or more national contact points for the purposes of Articles 6, 11, 16, 20 and 26.

Article 31Implementing measures

The Commission shall adopt implementing acts specifying the technical arrangements for the Member States with respect to the procedures set out in Articles 6, 11, 16, 20 and 26. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 77(2).

Article 32Availability of the automated exchange of data at national level

1.   Member States shall take all necessary measures to ensure that automated searching of DNA profiles, dactyloscopic data, certain vehicle registration data, facial images and police records is possible 24 hours a day, 7 days a week.

2.   National contact points shall immediately inform each other, the Commission, eu-LISA and Europol of any unavailability of the automated exchange of data, including, where applicable, of any technical faults causing that unavailability.

National contact points shall agree, in accordance with the applicable Union and national law, on temporary alternative information exchange arrangements to be used where the automated exchange of data is unavailable.

3.   Where the automated exchange of data is unavailable, national contact points shall ensure that it is re-established by any means necessary and without delay.

Article 33Justification for the processing of data

1.   Each Member State shall keep a record of the justifications for the queries that its competent authorities make.

Europol shall keep a record of the justifications for the queries it makes.

2.   The justifications referred to in paragraph 1 shall include:

(a)

the purpose of the query, including a reference to the specific case or investigation and, where applicable, the criminal offence;

(b)

an indication as to whether the query concerns a suspect or a person convicted of a criminal offence, a victim of a criminal offence, a missing person or unidentified human remains;

(c)

an indication as to whether the query aims to identify a person or obtain more data on a known person.

3.   The justifications referred to in paragraph 1 of this Article shall be traceable to the logs referred to in Articles 18, 40 and 45. Those justifications shall only be used for assessing whether the searches are proportionate and necessary for the purpose of preventing, detecting or investigating a criminal offence, for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity. Those justifications shall be protected by appropriate measures against unauthorised access and shall be erased three years after their creation. If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the justification.

4.   In order to assess the proportionality and necessity of searches for the purpose of preventing, detecting or investigating a criminal offence or for the purposes of data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, the data controllers shall have access to those justifications for self-monitoring as referred to in Article 55.

Article 34Use of the universal message format

1.   The universal message format (UMF) standard established by Article 38 of Regulation (EU) 2019/818 shall be used in the development of the router referred to in Article 35 of this Regulation and the European Police Record Index System (EPRIS) in so far as possible.

2.   Any automated exchange of data in accordance with this Regulation shall use the UMF standard in so far as possible.

Article 35Router

1.   A router is established for the purpose of facilitating the establishment of connections between Member States, and between Member States and Europol, for querying with, retrieving and scoring biometric data and for retrieving alphanumeric data in accordance with this Regulation.

2.   The router shall be composed of:

(a)

a central infrastructure, including a search tool enabling the simultaneous querying of the national databases referred to in Articles 5, 10 and 19 and of Europol data;

(b)

a secure communication channel between the central infrastructure, the competent authorities authorised to use the router pursuant to Article 36 and Europol;

(c)

a secure communication infrastructure between the central infrastructure and the European Search Portal, established by Article 6 of Regulation (EU) 2019/817 and Article 6 of Regulation (EU) 2019/818, for the purposes of Article 39.

Article 36Use of the router

The use of the router shall be reserved to the Member States’ competent authorities that are authorised to access and exchange DNA profiles, dactyloscopic data and facial images in accordance with this Regulation and to Europol in accordance with this Regulation and Regulation (EU) 2016/794.

Article 37Processes

1.   The competent authorities authorised to use the router pursuant to Article 36 or Europol shall request a query by submitting biometric data to the router. The router shall dispatch the request for a query to databases of all or specific Member States and Europol data simultaneously with the data submitted by the user in accordance with his or her access rights.

2.   Upon receipt of a request for a query from the router, each requested Member State shall launch a query of their databases in an automated manner and without delay. Upon receipt of a request for a query from the router, Europol shall launch a query of Europol data in an automated manner and without delay.

3.   Any matches resulting from queries as referred to in paragraph 2 shall be sent back in an automated manner to the router. The requesting Member State shall be notified in an automated manner where there is no match.

4.   The router shall rank, where the requesting Member State so decides and where applicable, the replies by comparing the biometric data used for querying and the biometric data supplied in the replies from the requested Member State or Member States or Europol.

5.   The router shall return the list of matching biometric data and their ranking to the router user.

6.   The Commission shall adopt implementing acts specifying the technical procedure for the router to query Member States’ databases and Europol data, the format in which the router answers such queries and the technical rules for comparing and ranking the correspondence between biometric data. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 77(2).

Article 38Quality check

The requested Member State shall check the quality of the transmitted data by means of an automated procedure.

The requested Member State shall, without delay, inform the requesting Member State via the router where the data are unsuitable for automated comparison.

Article 39Interoperability between the router and the Common Identity Repository for the purposes of law enforcement access

1.   Where designated authorities as defined in Article 4, point (20), of Regulation (EU) 2019/817 and Article 4, point (20), of Regulation (EU) 2019/818 are authorised to use the router pursuant to Article 36 of this Regulation, they may launch a query to Member States’ databases and Europol data simultaneously with a query to the Common Identity Repository, established by Article 17 of Regulation (EU) 2019/817 and Article 17 of Regulation (EU) 2019/818, provided that the relevant conditions under Union law have been fulfilled and that the query is launched in accordance with their access rights. For that purpose, the router shall query the Common Identity Repository via the European Search Portal.

2.   Queries to the Common Identity Repository for law enforcement purposes shall be carried out in accordance with Article 22 of Regulation (EU) 2019/817 and Article 22 of Regulation (EU) 2019/818. Any result from such queries shall be transmitted via the European Search Portal.

Simultaneous queries of the Member States’ databases and Europol data and the Common Identity Repository shall be launched only where there are reasonable grounds to believe that data on a suspect, perpetrator or victim of a terrorist offence or other serious criminal offence as defined in Article 4, points (21) and (22), respectively, of Regulation (EU) 2019/817 and Article 4, points (21) and (22), respectively, of Regulation (EU) 2019/818 are stored in the Common Identity Repository.

Article 40Keeping of logs

1.   eu-LISA shall keep logs of all data processing operations in the router. Those logs shall include the following:

(a)

whether it was a Member State or Europol that launched the request for a query; where it was a Member State that launched the request for a query, the Member State in question;

(b)

the date and time of the request;

(c)

the date and time of the reply;

(d)

the national databases or Europol data to which a request for a query was sent;

(e)

the national databases or Europol data that provided a reply;

(f)

where applicable, the fact that there was a simultaneous query to the Common Identity Repository.

2.   Each Member State shall keep logs of queries that the staff of its competent authorities duly authorised to use the router make and logs of queries requested by other Member States.

Europol shall keep logs of queries that its duly authorised staff make.

3.   The logs referred to in paragraphs 1 and 2 shall be used only for the collection of statistics, for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity. Those logs shall be protected by appropriate measures against unauthorised access and erased three years after their creation. If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the logs.

4.   For the purposes of data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, the data controllers shall have access to the logs for self-monitoring as referred to in Article 55.

Article 41Notification procedures where it is technically impossible to use the router

1.   Where it is technically impossible to use the router to query one or several national databases or Europol data because of a failure of the router, eu-LISA shall notify the router users referred to Article 36 in an automated manner. eu-LISA shall take appropriate measures to address the technical impossibility to use the router without delay.

2.   Where it is technically impossible to use the router to query one or several national databases because of a failure of the national infrastructure in a Member State, that Member State shall notify the other Member States, the Commission, eu-LISA and Europol in an automated manner. The Member State concerned shall take appropriate measures to address the technical impossibility to use the router without delay.

3.   Where it is technically impossible to use the router to query Europol data because of a failure of Europol’s infrastructure, Europol shall notify the Member States, the Commission and eu-LISA in an automated manner. Europol shall take appropriate measures to address the technical impossibility to use the router without delay.

Article 42EPRIS

1.   The European Police Record Index System (EPRIS) is hereby established. For the automated searching of national police record indexes referred to in Article 26, Member States and Europol shall use EPRIS.

2.   EPRIS shall be composed of:

(a)

a decentralised infrastructure in the Member States, including a search tool enabling the simultaneous querying of national police record indexes, based on national databases;

(b)

a central infrastructure, supporting the search tool, enabling the simultaneous querying of national police record indexes;

(c)

a secure communication channel between the central infrastructure, Member States and Europol.

Article 43Use of EPRIS

1.   For the purpose of searching national police record indexes via EPRIS, at least two of the following sets of data shall be used:

(a)

first name or names;

(b)

family name or names;

(c)

date of birth.

2.   Where available, the following sets of data may also be used:

(a)

alias or aliases and previously used name or names;

(b)

nationality or nationalities;

(c)

country of birth;

(d)

gender.

3.   The data referred to in paragraph 1, points (a) and (b), and paragraph 2, point (a), shall be pseudonymised.

Article 44Processes

1.   Where a Member State or Europol requests a query, it shall submit the data referred to in Article 43.

EPRIS shall dispatch the request for a query to the Member States’ national police record indexes with the data submitted by the requesting Member State or Europol and in accordance with this Regulation.

2.   Upon receipt of a request for a query from EPRIS, each requested Member State shall launch a query of their national police record index in an automated manner and without delay.

3.   Any matches resulting from queries as referred to in paragraph 1 in each requested Member State’s police records indexes shall be sent back in an automated manner to EPRIS.

4.   The list of matches shall be returned to the requesting Member State or Europol by EPRIS in an automated manner. The list of matches shall indicate the quality of the match and the Member State or Member States whose police record indexes contain data that resulted in the match or matches.

5.   Upon receipt of the list of matches, the requesting Member State shall decide the matches for which a follow-up is necessary and send a reasoned follow-up request containing the data referred to in Articles 25 and 27 and any additional relevant information to the requested Member State or Member States via SIENA. The requested Member State or Member States shall process such requests without delay in order to decide whether to share the data stored in its or their database.

6.   The Commission shall adopt implementing acts specifying the technical procedure for EPRIS to query Member States’ police record indexes and the format and maximum number of replies. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 77(2).

Article 45Keeping of logs

1.   Each participating Member State and Europol shall keep logs of all data processing operations in EPRIS. Those logs shall include the following:

(a)

whether it was a Member State or Europol that launched the request for a query; where it was a Member State that launched the request for a query, the Member State in question;

(b)

the date and time of the request;

(c)

the date and time of the reply;

(d)

the national databases to which a request for a query was sent;

(e)

the national databases that provided a reply.

2.   Each participating Member State shall keep logs of the requests for queries that the staff of its competent authorities duly authorised to use EPRIS make. Europol shall keep logs of requests for queries that its duly authorised staff make.

3.   The logs referred to in paragraphs 1 and 2 shall be used only for the collection of statistics, for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity. Those logs shall be protected by appropriate measures against unauthorised access and shall be erased three years after their creation. If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the logs.

4.   For the purposes of data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, the data controllers shall have access to the logs for self-monitoring as referred to in Article 55.

Article 46Notification procedures where it is technically impossible to use EPRIS

1.   Where it is technically impossible to use EPRIS to query one or several national police record indexes because of a failure of Europol’s infrastructure, Europol shall notify Member States in an automated manner. Europol shall take measures to address the technical impossibility of using EPRIS without delay.

2.   Where it is technically impossible to use EPRIS to query one or several national police record indexes because of a failure of the national infrastructure in a Member State, that Member State shall notify the other Member States, the Commission and Europol in an automated manner. Member States shall take measures to address the technical impossibility of using EPRIS without delay.

Article 47Exchange of core data

1.   A set of core data shall be returned via the router within 48 hours of all of the following conditions being met:

(a)

the procedures referred to in Article 6, 11 or 20 show a match between the data used for the search and data stored in the database of the requested Member State or Member States;

(b)

the match referred to in point (a) of this paragraph has been manually confirmed by a qualified member of staff of the requesting Member State as referred to in Article 6(6), Article 11(2) and Article 20(2), or, in the case of DNA profiles referred to in Article 6(7), of the requested Member State;

(c)

a description of the facts and an indication of the underlying offence have been transmitted, using the common table of offence categories set out in an implementing act to be adopted pursuant to Article 11b(1), point (a), of Framework Decision 2009/315/JHA, by the requesting Member State or, in the case of DNA profiles referred to in Article 6(7), by the requested Member State in order to assess the proportionality of the request, including the seriousness of the offence for which a search was conducted, in accordance with the national law of the Member State which provides the set of core data.

2.   Where, under its national law, a Member State can provide a particular set of core data only after having obtained a judicial authorisation, that Member State may deviate from the time limit set out in paragraph 1 in so far as necessary for the purpose of obtaining such an authorisation.

3.   The set of core data referred to in paragraph 1 of this Article shall be returned by the requested Member State or, in the case of DNA profiles referred to in Article 6(7), by the requesting Member State.

4.   Where the confirmed match concerns identified data of a person, the set of core data referred to in paragraph 1 shall contain the following data to the extent that they are available:

(a)

first name or names;

(b)

family name or names;

(c)

alias or aliases and previously used name or names;

(d)

date of birth;

(e)

nationality or nationalities;

(f)

place and country of birth;

(g)

gender;

(h)

the date on which and the place where the biometric data were acquired;

(i)

the criminal offence for which the biometric data were acquired;

(j)

the criminal case number;

(k)

the competent authority responsible for the criminal case.

5.   Where the confirmed match concerns unidentified data or traces, the set of core data referred to in paragraph 1 shall contain the following data to the extent that they are available:

(a)

the date on which and the place where the biometric data were acquired;

(b)

the criminal offence for which the biometric data were acquired;

(c)

the criminal case number;

(d)

the competent authority responsible for the criminal case.

6.   The return of core data by the requested Member State or, in the case of DNA profiles referred to in Article 6(7), by the requesting Member State shall be subject to the decision of a human.

Article 48Access by Member States to biometric data provided by third countries and stored by Europol

1.   Member States shall, in accordance with Regulation (EU) 2016/794, have access to, and be able to search via the router, biometric data which have been provided to Europol by third countries for the purposes of Article 18(2), points (a), (b) and (c), of Regulation (EU) 2016/794.

2.   Where a search as referred to in paragraph 1 results in a match between the data used for the search and data provided by a third country and stored by Europol, the follow-up shall take place in accordance with Regulation (EU) 2016/794.

Article 49Access by Europol to data stored in Member States’ databases, using data provided by third countries

1.   Where necessary to achieve the objectives set out in Article 3 of Regulation (EU) 2016/794, Europol shall, in accordance with that Regulation and this Regulation, have access to data which are stored by Member States in their national databases and police record indexes.

2.   Europol queries performed with biometric data as a search criterion shall be carried out using the router.

3.   Europol queries performed with vehicle registration data as a search criterion shall be carried out using Eucaris.

4.   Europol queries performed with biographical data of suspects and convicted persons as referred to in Article 25 as a search criterion shall be carried out using EPRIS.

5.   Europol shall conduct searches with data provided by third countries in accordance with paragraphs 1 to 4 of this Article only where necessary for carrying out its tasks for the purposes of Article 18(2), points (a) and (c), of Regulation (EU) 2016/794.

6.   Where the procedures referred to in Article 6, 11 or 20 show a match between the data used for the search and data held in the national database of the requested Member State or Member States, Europol shall inform only the Member State or Member States involved.

The requested Member State shall decide whether to return a set of core data via the router within 48 hours of all of the following conditions being met:

(a)

a match as referred to in the first subparagraph has been manually confirmed by a qualified member of staff of Europol;

(b)

a description of the facts and an indication of the underlying offence have been transmitted, using the common table of offence categories set out in an implementing act to be adopted pursuant to Article 11b(1), point (a), of Framework Decision 2009/315/JHA, by Europol in order to assess the proportionality of the request, including the seriousness of the offence for which a search was conducted, in accordance with the national law of the Member State which provides the set of core data;

(c)

the name of the third country which provided the data has been transmitted.

Where, under its national law, a Member State can provide a particular set of core data only after having obtained a judicial authorisation, that Member State may deviate from the time limit set out in the second subparagraph in so far as necessary for the purpose of obtaining such an authorisation.

Where the confirmed match concerns identified data of a person, the set of core data referred to in the second subparagraph shall contain the following data to the extent that they are available:

(a)

first name or names;

(b)

family name or names;

(c)

alias or aliases and previously used name or names;

(d)

date of birth;

(e)

nationality or nationalities;

(f)

place and country of birth;

(g)

gender;

(h)

the date on which and the place where the biometric data were acquired;

(i)

the criminal offence for which the biometric data were acquired;

(j)

the criminal case number;

(k)

the competent authority responsible for the criminal case.

Where the confirmed match concerns unidentified data or traces, the set of core data referred to in the second subparagraph shall contain the following data to the extent that they are available:

(a)

the date on which and the place where the biometric data were acquired;

(b)

the criminal offence for which the biometric data were acquired;

(c)

the criminal case number;

(d)

the competent authority responsible for the criminal case.

The return of core data by the requested Member State shall be subject to the decision of a human.

7.   Europol’s use of information obtained from a query made in accordance with this Article, and from the exchange of a set of core data in accordance with paragraph 6, shall be subject to the consent of the Member State in whose database the match occurred. Where the Member State allows such information to be used, its handling by Europol shall be governed by Regulation (EU) 2016/794.

Article 50Purpose of the data processing

1.   Processing of personal data received by a Member State or Europol shall be permitted solely for the purposes for which the data were supplied by the Member State which provided the data in accordance with this Regulation. Processing for other purposes shall be permitted solely with the prior authorisation of the Member State which provided the data.

2.   Processing of data supplied by a Member State or Europol pursuant to Article 6, 11, 16, 20 or 26 shall be permitted solely where necessary for the purpose of:

(a)

establishing whether the compared DNA profiles, dactyloscopic data, vehicle registration data, facial images or police records match;

(b)

exchanging a set of core data in accordance with Article 47;

(c)

preparing and submitting a police or judicial request for legal assistance where those data match;

(d)

keeping logs as provided for in Articles 18, 40 and 45.

3.   The data received by a Member State or Europol shall be deleted immediately following automated replies to searches unless further processing is necessary for the purposes referred to in paragraph 2 or is authorised in accordance with paragraph 1.

4.   Prior to connecting their national databases to the router or EPRIS, Member States shall conduct a data protection impact assessment as referred to in Article 27 of Directive (EU) 2016/680 and, where appropriate, consult the supervisory authority as provided for in Article 28 of that Directive. The supervisory authority may use any of the powers it has under Article 47 of that Directive, in accordance with Article 28(5) of that Directive.

81 articles

Cite this act

Regulation (EU) 2024/982 of the European Parliament and of the Council of 13 March 2024 on the automated search and exchange of data for police cooperation, and amending Council Decisions 2008/615/JHA and 2008/616/JHA and Regulations (EU) 2018/1726 (EU) No 2019/817 and (EU) 2019/818 of the European Parliament and of the Council (the Prüm II Regulation) (EUR-Lex). Retrieved via LawPlayer, https://lawplayer.com/eu/act/32024R0982

© European Union, https://eur-lex.europa.eu, 1998-2026. Reuse authorised under Commission Decision 2011/833/EU, provided the source is acknowledged.

EU-EurLex-Reuse-2011-833

本頁資料來源:EUR-Lex·整理提供:法律人 LawPlayer· lawplayer.com