EUROPEAN COMMISSION

Brussels, 21.12.2016

COM(2016) 882 final

2016/0408(COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1987/2006

EXPLANATORY MEMORANDUM

1.CONTEXT OF THE PROPOSAL

•Reasons for and objectives of the proposal

Over the course of the last two years, the European Union has been working on simultaneously addressing the separate challenges of migration management, integrated border management of the EU's external borders and the fight against terrorism and cross-border crime. Effective information exchange amongst Member States, and between Member States and the relevant EU agencies, is essential to providing a robust response to those challenges and to building an effective and genuine Security Union.

The Schengen Information System (SIS) is the most successful tool for the effective cooperation of immigration, police, customs and judicial authorities in the EU and the Schengen associated countries. Competent authorities in the Member States such as police, border guards and customs officers need to have access to high quality information about the persons or objects they are checking, with clear instructions about what needs to be done in each case. This large-scale information system is at the very heart of Schengen cooperation and plays a crucial role in facilitating the free movement of people within the Schengen area. It enables competent authorities to enter and consult data on wanted persons, persons who may not have the right to enter or stay in the EU, missing persons – in particular children – and objects that may have been stolen, misappropriated or lost. SIS not only contains information about a particular person or object but also clear instructions for the competent authorities on what to do with that person or object once found.

Following the findings of the High Level Expert Group on Information Systems and Interoperability, which will be presented in the first half of 2017, the Commission will consider a second set of proposals to further improve interoperability of SIS with other IT systems in mid-2017. The review of Regulation (EU) No 1077/2011 5 concerning the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA) is an equally important element of this work and is likely to be the subject of separate Commission proposals also in 2017. Investing in swift, effective and qualitative information exchange and information management and ensuring the interoperability of EU databases and information systems is an important aspect of addressing current security challenges.

The current legal framework of the second generation of SIS – concerning its use for the purposes of border checks of third-country nationals is based upon a former first pillar instrument, namely Regulation (EC) No 1987/2006 6 . This proposal replaces 7 the current legal instrument in order to:

make it compulsory for Member States to enter an alert in SIS in all cases where an entry ban has been issued to an illegally staying third country national in accordance with provisions respecting Directive 2008/115/EC;

harmonise national procedures for the use of SIS with regard of the consultation procedure to avoid that a third-country national who is subject to an entry ban, holds a valid residence permit issued by a Member State;

introduce technical changes to improve security and help reduce administrative burdens;

address the complete end-to-end use of SIS, covering not only the central and national systems, but also the needs of the end-user by ensuring that end-users receive all necessary data to perform their tasks and they comply with all security rules when they process SIS data.

(1)consolidation of the results of the work on the implementation of SIS carried out in the last three years entailing technical amendments to the Central SIS in order to extend some of the existing alert categories and provide new functionalities;

(2)recommendations for technical and procedural changes resulting from a comprehensive evaluation of the SIS 8 ;

(3)requests from SIS end-users for technical improvements; and

(4)the interim findings of the High Level Expert Group on Information Systems and Interoperability 9 as regards data quality.

In light of the fact that this proposal is intrinsically linked to the Commission proposal for a Regulation on the establishment, operation and use of the SIS in the field of police cooperation and judicial cooperation in criminal matters, a number of provisions are common to both texts. These include measures covering the end-to-end use of SIS, including not only the operation of the central and national systems, but also end-user needs; strengthened measures for business continuity; measures addressing data quality, data protection and data security, and provisions concerning monitoring, evaluation and reporting arrangements. Both proposals also extend the use of biometric information. 10

•Consistency with existing policy provisions in the policy area as well as with existing and future legal instruments

This proposal is fully consistent and aligned with the provisions of Directive 2008/115/EC on the issuance and enforcement of entry bans. It therefore complements the existing provisions on entry bans and contributes to the effective enforcement of these bans at the external border, facilitating the application of the obligations defined by the Return Directive and successfully preventing the re-entry of third country nationals concerned in the Schengen area.

•Consistency with other Union policies

(1)Internal security in relation to the role of SIS for preventing the entry of third-country nationals posing a security threat.

Data protection insofar as this proposal ensures the protection of fundamental rights of individuals whose personal data is processed in SIS.

This proposal is also closely linked with and complements existing Union legislation, namely:

External border management insofar as this proposal assists Member States in controlling their portion of the EU's external borders and in strengthening the effectiveness of the EU system of external border controls.

An effective EU returns policy contributing to and enhancing the EU system to detect and prevent the re-entry of third-country nationals following their return. This proposal would help reducing incentives to irregular migration to the EU, one of the main objectives of the European Agenda on Migration 12 .

European Border and Coast Guard as regards (i) the possibility for the Agency staff conducting risk analyses and (ii) the access to SIS of the ETIAS Central Unit within the Agency for the purposes of the proposed European Travel Information and Authorisation System (ETIAS) 13 , as well as (iii) for providing a technical interface for SIS access to European Border and Coast Guard Teams, teams of staff involved in return-related tasks and members of the migration management support teams to, within their mandate, have the right to access and search data entered in SIS.

Europol - broader rights to access and search the SIS data, within its mandate, is proposed.

This proposal is also closely linked with and complements future Union legislation, namely

Entry/Exit System which proposed a combination of fingerprint and facial image as biometric identifiers for the operation of the Entry/Exit System (EES); an approach that this proposal seeks to reflect.

ETIAS which proposed a thorough security assessment, including a verification in SIS, of visa-exempted third country nationals who intend to travel in the EU.

2.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

•Legal basis

•Variable geometry 

•Subsidiarity 

•Proportionality

•Choice of the instrument

3.RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

•Ex-post evaluations/fitness checks of existing legislation

In accordance with the Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA 16 , three years after its entry into operation, the Commission carried out an overall evaluation of the central SIS II system as well as of the bilateral and multilateral exchange of supplementary information between Member States.

The evaluation specifically targeted the review of the application of Article 24 of Regulation (EC) No 1987/2006 with the purpose of making necessary proposals to modify the provisions of this Article to achieve a greater level of harmonisation of the criteria for entering alerts.

The results of the evaluation highlighted the need for changes to the SIS legal basis in order to provide a better response to new security and migration challenges. This includes for example a proposal for the mandatory entry of entry bans into SIS to better enforce them, the mandatory consultation between Member States to avoid the co-existence of an entry ban and a residence permit, the option to identify and locate individuals on the basis of their fingerprints through the use of a new automated fingerprint identification system, and expanding the biometric identifiers in the system.

The evaluation results also showed the need for legal amendments in order to improve the technical functioning of the system and to streamline national processes. These measures will enhance the efficiency and effectiveness of SIS by facilitating its use and reducing unnecessary burden. Further measures are designed to enhance the data quality and transparency of the system by more clearly describing the specific reporting tasks of member States and eu-LISA.

The results of the comprehensive evaluation (the evaluation report and the related Staff Working Document were adopted on 21 December 2016 17 ) have formed the basis of the measures contained within this proposal.

Furthermore, in accordance with Article 19 of the Return Directive 2008/115/EC, the Commission published a Communication on EU Return Policy in 2014 18 , which reports on the application of that Directive. It concluded that the potential of SIS in the field of return policy should be further enhanced; it indicates that the review of SIS II is an opportunity to improve consistency between the return policy and SIS II, and it suggests introducing an obligation on Member States to enter a refusal of entry alert in SIS II for entry bans issued under the Return Directive.

•Stakeholder consultations

•Collection and use of expertise

SIS Technical Assessment (Kurt Salmon) 19

This assessment identified the key issues in the functioning of SIS and future needs that should be addressed, primarily identifying concerns with regards to maximising business continuity and ensuring that the overall architecture can adapt to increasing capacity requirements.

ICT Impact Assessment of Possible Improvements to the SIS II Architecture (Kurt Salmon) 20

This study assessed the current cost of operating the SIS at national level and to evaluated two possible technical scenarios for the improvement of the system. Both scenarios include a set of technical proposals focusing on improvements to the central system and overall architecture.

"ICT Impact Assessment of the technical improvements to the SIS II architecture – Final Report",10 November 2016, (Wavestone) 21

This study assessed the cost impacts on Member States of the implementation of a national copy by analysing three scenarios (a fully centralised system, a standardised N.SIS implementation developed and provided by eu-LISA to Member States and a distinct N.SIS implementation with common technical standards).

Study on the feasibility and implications of setting up within the framework of the Schengen Information System an EU-wide system for exchanging data on and monitoring compliance with return decisions (PwC) 22

This study assesses the feasibility and the technical and operational implications of the proposed changes to the SIS with the purpose of enhancing its use for the return of irregular migrants and for preventing their re-entry.

•Impact assessment

Furthermore, the Commission has carried out a comprehensive evaluation of SIS as it was required by Articles 24 (5), 43 (3) and 50 (5) of Regulation (EC) No 1987/2006 and Art. 59 (3) and 66(5) of Decision 2007/533/JHA and published an accompanying Staff Working Document. The results of the comprehensive evaluation (the evaluation report and the related Staff Working Document were adopted on 21 December 2016) have formed the basis of the measures contained within this proposal.

The changes proposed in this Regulation do not present a significant economic or environmental impact. However, these changes are expected to have a significantly positive social impact, as they provide for increased security by allowing for better identification of persons using false identities, criminals whose identity remains unknown after having committed a serious crime as well irregular migrants taking advantage of the area without internal border controls. The impact of these changes on fundamental rights and data protection has been considered and set out in more detail in the next section ("Fundamental rights").

The proposal has been drawn up making use of the substantial body of evidence collected to inform the overall evaluation of the second generation of SIS, which explored the functioning of the system and possible areas for improvement. In addition, a cost impact assessment study was carried out, to ensure that the national architecture chosen was the most appropriate and proportionate.

•Fundamental rights and data protection

4.BUDGETARY IMPLICATIONS

5.OTHER ELEMENTS

•Implementation plans and monitoring, evaluation and reporting arrangements

examine results achieved against objectives;

assess whether the underlying rationale for the system remains valid;

examine how the Regulation is being applied to the central system;

evaluate the security of the central system;

explore implications for the future functioning of the system.

•Detailed explanation of the new provisions of the proposal

Provisions that are common to this proposal and the proposal for a Regulation on the establishment, operation and use of the SIS in the field of police cooperation and judicial cooperation in criminal matters:

General Provisions (Articles 1 – 3)

Technical architecture and ways of operating SIS (Articles 4 – 14)

Responsibilities of eu-LISA (Articles 15 – 18)

Right to access and retention of alerts (Articles 29, 30, 31, 33 and 34)

General data processing and data protection rules (Articles 36 – 53)

Monitoring and statistics (Article 54)

End-to-end use of SIS 

With over 2 million end-users in the competent authorities across Europe, SIS is an extremely widely used and effective tool for information exchange. These proposals include rules covering the complete end-to-end operation of the system, including Central SIS operated by eu-LISA, the national systems and the end-user applications. It addresses not only the central and national systems themselves, but also the end-users' technical and operational needs.

Article 9(2) specifies that end-users must receive the data required to perform their tasks (in particular all data required for the identification of the data subject and to take the required action). It also provides for a common blueprint for Member State implementation of SIS, ensuring harmonisation across all national systems. Article 6 stipulates that each Member State must ensure uninterrupted availability of SIS data to end-users, in order to maximise the operational benefits by reducing the possibility of downtime.

The possibility to search with fingerprints with a view to identify a person is already set out in Article. 22 of Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA. The proposals make this search mandatory if the identity of the person cannot be ascertained in any other way. Currently, facial images can only be used to confirm a person's identity following an alphanumeric search, rather than as the basis for a search. Furthermore, changes to Articles 22 and 28 make provision for facial images, photographs and palm prints to be used to search the system and identify people, when this becomes technically possible. Dactylography refers to the scientific study of fingerprints as a method of identification.  Experts in dactylography recognise that palm prints have the characteristic of uniqueness and that they contain reference points that enable accurate and conclusive comparisons just as do fingerprints. Palm prints can be used to establish a person's identity in the same way that fingerprints can be used.  The taking of palm prints along with the ten rolled and ten flat prints of a person has been police practice for many decades.  There is one main use of palm prints, namely for identification purposes when the subject has intentionally or unintentionally damaged the tips of their fingers.  This can be through an attempt to avoid being identified or fingerprinted or through damage caused by accident or heavy manual work.  In the course of the discussion on the technical rules of SIS AFIS, Member States reported considerable success in the identification of irregular migrants who had intentionally damaged their fingertips in an attempt to avoid identification.  The taking of palm prints by Member State authorities allowed subsequent identification.

In order to provide more and more precise information to the end-users to facilitate and accelerate the required action as well as to allow the better identification of the alert subject this proposal expands the types of information (Article 20) that can be held about people for whom an alert has been issued, to also include:

whether the person is involved in any activity falling under Articles 1, 2 , 3 and 4 of Council Framework Decision 2002/475/JHA;

whether the alert is related to an EU citizen or other person who enjoys rights of freedom of movement equivalent to those of EU citizens;

whether a decision on refusal of entry is based on provisions in Article 24 or in Article 27;

the type of offence (for alerts issued under Article 24(2));

details of a person's identity or travel document;

colour copy of the person's identity or travel document;

photographs and facial images;

fingerprints and palm prints.

Having appropriate data is essential to ensure the accurate identification of a person who is checked at a border crossing, who is subject to an internal check or who applies for permission to stay. An inaccurate identification can result in fundamental rights issues; it can also lead to a situation in which the appropriate follow-up actions cannot be taken as there is no knowledge of the existence or content of an alert.

Concerning the information on the underlying decision, four reasons can be distinguished: a previous conviction as referred to in Article 24 (2)(a), a serious security threat as referred to in Article 24 (2)(b), an entry ban as referred to in Article 24 (3) and a restrictive measure as referred to in Article 27. In order to ensure that appropriate actions are taken in case of a hit it is also necessary to indicate whether the alert is related to an EU citizen or other person who enjoys rights of freedom of movement equivalent to those of EU citizens. Having appropriate data is essential to ensure the accurate identification of a person who is checked at a border crossing, who is subject to an internal check or who applies for permission to stay. An inaccurate identification can result in fundamental rights issues; it can also lead to a situation in which the appropriate follow-up actions cannot be taken as there is no knowledge of the existence or content of an alert.

facial images;

palm prints;

details of identity documents;

the victim's address;

the names of the victim's father and mother.

Article 20 provides for more detailed information in the alerts. It includes categories for the reason of the refusal of entry and stay and the details of the personal identification documents of the data subjects. This enhanced information allows for the better identification of the person concerned, and on the other hand for a more informed decision to be taken by the end-users. For the protection of the end-users carrying out the checks, SIS will also show if the person in relation to whom an alert was issued, falls under any of the categories provided in Articles 1, 2, 3 and 4 of Council Framework Decision 2002/475/JHA on combating terrorism 33 .

The proposal makes clear that Member States must not copy data entered by another Member State into other national data files (Article 37).

data subject's access requests;

requests for rectification of inaccurate data and erasure of unlawfully stored data;

cases before the courts;

cases where the court ruled in favour of the applicant; and

observations on cases of mutual recognition of final decisions handed down by the courts or authorities of other Member States on alerts created by the alert-issuing State.

2016/0408 (COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1987/2006

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty the Functioning of the of the European Union, and in particular Articles 77(2)(b) and (d) and 79(2)(c) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Acting in accordance with the ordinary legislative procedure,

Whereas:

(1)The Schengen Information System (SIS) constitutes an essential tool for the application of the provisions of the Schengen acquis as integrated into the framework of the European Union. SIS is one of the major compensatory measures contributing to maintaining a high level of security within the area of freedom, security and justice of the European Union by supporting operational cooperation between border guards, police, customs and other law enforcement authorities, judicial authorities in criminal matters and immigration authorities.

(2)SIS was set up pursuant to the provisions of Title IV of the Convention of 19 June 1990 implementing the Schengen Agreement of 14 June 1985 between the governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders 36 (the Schengen Convention).The development of the second generation of SIS (SIS II) was entrusted to the Commission pursuant to Council Regulation (EC) No 2424/2001 37  and Council Decision 2001/886/JHA (SIS) 38  and it was established by Regulation (EC) No 1987/2006 39 as well as by Council Decision 2007/533/JHA 40 . SIS II replaced SIS as created pursuant to the Schengen Convention.

(3)Three years after SIS II was brought into operation, the Commission carried out an evaluation of the system in accordance with Articles 24(5), 43(5) and 50(5) of Regulation (EC) No 1987/2006 and Articles 59 and 65(5) of Decision 2007/533/JHA. The evaluation report and the related Staff Working Document were adopted on 21 December 2016 41 . The recommendations set out in those documents should be reflected, as appropriate, in this Regulation.

(4)This Regulation constitutes the necessary legislative basis for governing SIS in respect of matters falling within the scope of Chapter 2 of Title V of the Treaty on Functioning of the European Union. Regulation (EU) 2018/… of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters 42 constitutes the necessary legislative basis for governing SIS in respect of matters falling within the scope of Chapters 4 and 5 of Title V of the Treaty on Functioning of the European Union.

(5)The fact that the legislative basis necessary for governing SIS consists of separate instruments does not affect the principle that SIS constitutes one single information system that should operate as such. Certain provisions of these instruments should therefore be identical.

(6)It is necessary to specify the objectives of SIS, its technical architecture and its financing, to lay down rules concerning its end-to-end operation and use and to define responsibilities, the categories of data to be entered into the system, the purposes for which the data are to be entered, the criteria for their entry, the authorities authorised to access the data, the use of biometric identifiers and further rules on data processing.

(7)SIS includes a central system (Central SIS) and national systems with a full or partial copy of the SIS database. Considering that SIS is the most important information exchange instrument in Europe, it is necessary to ensure its uninterrupted operation at central as well as at national level. Therefore each Member State should establish a partial or full copy of the SIS database and should set up its backup system.

(8)It is necessary to maintain a manual setting out the detailed rules for the exchange of certain supplementary information concerning the action called for by alerts. National authorities in each Member State (the SIRENE Bureaux), should ensure the exchange of this information.

(9)In order to maintain the efficient exchange of supplementary information concerning the action to be taken specified in the alerts, it is appropriate to reinforce the functioning of the SIRENE Bureaux by specifying the requirements concerning available resources, user training and the response time to the inquiries received from other SIRENE Bureaux.

(10)The operational management of the central components of SIS are exercised by the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice 43 (the Agency). In order to enable the Agency to dedicate the necessary financial and personal resources covering all aspects of the operational management of Central SIS, this Regulation should set out its tasks in detail, in particular with regard to the technical aspects of the exchange of supplementary information.

(11)Without prejudice to the responsibility of Member States for the accuracy of data entered into SIS, the Agency should become responsible for reinforcing data quality by introducing a central data quality monitoring tool, and for providing reports at regular intervals to the Member States.

(12)In order to allow better monitoring of the use of SIS to analyse trends concerning migratory pressure and border management, the Agency should be able to develop a state-of-the-art capability for statistical reporting to the Member States, the Commission, Europol and the European Border and Cost Guard Agency without jeopardising data integrity. Therefore, a central statistical repository should be established. Any statistic produced should not contain personal data.

(13)SIS should contain further data categories to allow end-users to take informed decisions based upon an alert without losing time. Therefore alerts for the purpose of refusal of entry and stay should hold information concerning the decision on which the alert is based. Furthermore, in order to facilitate identification and detect multiple identities, the alert should include a reference to the personal identification document or number and a copy of such document, where available.

(14)SIS should not store any data used for search with the exception of keeping logs to verify if the search is lawful, for monitoring the lawfulness of data processing, for self-monitoring and for ensuring the proper functioning of N.SIS, as well as for data integrity and security.

(15)SIS should permit the processing of biometric data in order to assist in the reliable identification of the individuals concerned. In the same perspective, SIS should also allow for the processing of data concerning individuals whose identity has been misused (in order to avoid inconveniences caused by their misidentification), subject to suitable safeguards; in particular with the consent of the individual concerned and a strict limitation of the purposes for which such data can be lawfully processed.

(16)Member States should make the necessary technical arrangement so that each time the end-users are entitled to carry out a search in a national police or immigration database they also search SIS in parallel in accordance with Article 4 of Directive (EU) 2016/680 of the European Parliament and of the Council 44 . This should ensure that SIS functions as the main compensatory measure in the area without internal border controls and better address the cross-border dimension of criminality and the mobility of criminals.

(17)This Regulation should set out the conditions for use of dactylographic data and facial images for identification purposes. The use of facial images for identification purposes in SIS should also help ensure consistency in border control procedures where identification and the verification of identity are required by the use of dactylographic data and facial images. Searching with dactylographic data should be mandatory if there is any doubt concerning the identity of a person. Facial images for identification purposes should only be used in the context of regular border controls in self-service kiosks and electronic gates.

(18)Fingerprints found at a crime scene should be allowed to be checked against the dactylographic data stored in SIS if it can be established to a high degree of probability that they belong to the perpetrator of the serious crime or terrorist offence. Serious crime should be the offences listed in Council Framework Decision 2002/584/JHA 45 and ‘terrorist offence’ should be offences under national law referred to in Council Framework Decision 2002/475/JHA 46 .

(19)It should be possible for Member States to establish links between alerts in SIS. The establishment by a Member State of links between two or more alerts should have no impact on the action to be taken, their retention period or the access rights to the alerts.

(20)A greater level of effectiveness, harmonisation and consistency can be achieved by making it mandatory to enter in SIS all entry bans issued by the competent authorities of the Member States in accordance with procedures respecting Directive 2008/115/EC 47 , and by setting common rules for entering such alerts following the return of the illegally staying third country national. Member States should take all necessary measures to ensure that no time-gap exist between the moment in which the third-country national leaves the Schengen area and the activation of the alert in SIS. This should ensure the successful enforcement of entry bans at external border crossing points, effectively preventing re-entry into the Schengen area.

(21)This Regulation should set mandatory rules for the consultation of national authorities in case a third country national holds or may obtain a valid residence permit or other authorisation or right to stay granted in one Member State, and another Member State intends to issue or already entered an alert for refusal of entry and stay to the third country national concerned. Such situations create serious uncertainties for border guards, police and immigration authorities. Therefore, it is appropriate to provide for a mandatory timeframe for rapid consultation with a definite result in order to avoid that persons representing a threat may enter to the Schengen area.

(22)This Regulation should be without prejudice to the application of Directive 2004/38 48 .

(23)Alerts should not be kept in SIS longer than the time required to fulfil the purposes for which they were issued. In order reduce the administrative burden on the authorities involved in processing data on individuals for different purposes, it is appropriate to align the maximum retention period of refusal of entry and stay alerts with the possible maximum length of entry bans issued in accordance with procedures respecting Directive 2008/115/EC. Therefore, the retention period for alerts on persons should be a maximum of five years. As a general principle, alerts on persons should be automatically deleted from SIS after a period of five years. Decisions to keep alerts on persons should be based on a comprehensive individual assessment. Member States should review alerts on persons within the defined period and keep statistics about the number of alerts on persons for which the retention period has been extended.

(24)Entering and extending the expiry date of a SIS alert should be subject to the necessary proportionality requirement, examining whether a concrete case is adequate, relevant and important enough to insert an alert in SIS. In cases of offences pursuant Articles 1, 2, 3 and 4 of Council Framework Decision 2002/475/JHA on combating terrorism 49 an alert should always be created on third country nationals for the purposes of refusal of entry and stay taking into account the high level of threat and overall negative impact such activity may result in.

(25)The integrity of SIS data is of primary importance. Therefore, appropriate safeguards should be provided to process SIS data at central as well as at national level to ensure the end-to-end security of data. The authorities involved in the data processing should be bound by the security requirements of this Regulation and be subject to a uniform incident reporting procedure.

(26)Data processed in SIS in application of this Regulation should not be transferred or made available to third countries or to international organisations.

(27)To enhance the efficiency of the work of the immigration authorities when deciding about the right of third country nationals to enter and stay in the territories of the Member States, as well as about the return of illegally staying third country nationals, it is appropriate to grant them access to SIS under this Regulation.

(28)Regulation (EU) 2016/679 50 should apply to the processing of personal data under this Regulation by Member States authorities when Directive (EU) 2016/680 51 does not apply. Regulation (EC) No 45/2001 of the European Parliament and of the Council 52 should apply to the processing of personal data by the institutions and bodies of the Union when carrying out their responsibilities under this Regulation. The provisions of Directive (EU) 2016/680, Regulation (EU) 2016/679 and Regulation (EC) No 45/2001 should be further specified in this Regulation where necessary. With regard to processing of personal data by Europol, Regulation (EU) 2016/794 on the European Union Agency for Law Enforcement cooperation 53 (Europol Regulation) applies.

(29)In so far as confidentiality is concerned, the relevant provisions of the Staff Regulations of officials and the Conditions of Employment of other servants of the European Union should apply to officials or other servants employed and working in connection with SIS.

(30)Both the Member States and the Agency should maintain security plans in order to facilitate the implementation of security obligations and should cooperate with each other in order to address security issues from a common perspective.

(31)The national independent supervisory authorities should monitor the lawfulness of the processing of personal data by the Member States in relation to this Regulation. The rights of data subjects for access, rectification and erasure of their personal data stored in SIS, and subsequent remedies before national courts as well as the mutual recognition of judgments should be set out. Therefore, it is appropriate to require annual statistics from Member States.

(32)The supervisory authorities should ensure that an audit of the data processing operations in its N.SIS is carried out in accordance with international auditing standards at least every four years. The audit should either be carried out by the supervisory authorities, or the national supervisory authorities should directly order the audit from an independent data protection auditor. The independent auditor should remain under the control and responsibility of the national supervisory authority or authorities which therefore should order the audit itself and provide a clearly defined purpose, scope and methodology of the audit as well as guidance and supervision concerning the audit and its final results.

(33)Regulation (EU) 2016/794 (Europol Regulation) provides that Europol supports and strengthens actions carried out by the competent authorities of Member States and their cooperation in combating terrorism and serious crime and provides analysis and threat assessments. In order to facilitate Europol in carrying out its tasks, in particular within the European Migrant Smuggling Centre, it is appropriate to allow Europol access to the alert categories defined in this Regulation. Europol's European Migrant Smuggling Centre plays a major strategic role in countering the facilitation of irregular migration, it should obtain access to alerts on persons who are refused entry and stay within the territory of a Member State either on criminal grounds or because of non-compliance with entry and stay conditions.

(34)In order to bridge the gap in information sharing on terrorism, in particular on foreign terrorist fighters – where monitoring of their movement is crucial – Member States should share information on terrorism-related activity with Europol in parallel to introducing an alert in SIS, as well as hits and related information. This should allow Europol's European Counter Terrorism Centre to verify if there is any additional contextual information available in Europol's databases and to deliver high quality analysis contributing to disrupting terrorism networks and, where possible, preventing their attacks. 

(35)It is also necessary to set out clear rules for Europol on the processing and downloading of SIS data to allow the most comprehensive use of SIS provided that data protection standards are respected as provided in this Regulation and Regulation (EU) 2016/794. In cases where searches carried out by Europol in SIS reveal the existence of an alert issued by a Member State, Europol cannot take the required action. Therefore it should inform the Member State concerned allowing it to follow up the case.

(36)Regulation (EU) 2016/1624 of the European Parliament and of the Council 54 provides for the purposes of this Regulation, that the host Member State is to authorise the members of the European Border and Coast Guard teams or teams of staff involved in return-related tasks, deployed by the European Border and Coast Guard Agency, to consult European databases, where this consultation is necessary for fulfilling operational aims specified in the operational plan on border checks, border surveillance and return. Other relevant Union agencies, in particular the European Asylum Support Office and Europol, may also deploy experts as part of migration management support teams, who are not members of the staff of those Union agencies. The objective of the deployment of the European Border and Coast Guard teams, teams of staff involved in return-related tasks and the migration management support teams is to provide for technical and operational reinforcement to the requesting Member States, especially to those facing disproportionate migratory challenges. Fulfilling the tasks assigned to the European Border and Coast Guard teams, teams of staff involved in return-related tasks and to the migration management support teams, necessitates access to SIS via a technical interface of the European Border and Coast Guard Agency connecting to Central SIS. In cases where searches carried out by the team or the teams of staff in SIS reveal the existence of an alert issued by a Member State, the member of the team or the staff cannot take the required action unless authorised to do so by the host Member State. Therefore it should inform the Member States concerned allowing for follow up of the case.

(37)In accordance with Regulation (EU) 2016/1624 the European Border and Coast Guard Agency shall prepare risk analyses. These risk analyses shall cover all aspects relevant to European integrated border management, notably threats that may affect the functioning or security of the external borders. Alerts introduced in the SIS in accordance with this Regulation, notably the alerts on refusal of entry and stay are relevant information for assessing possible threats that may affect the external borders and should thus be available in view of the risk analysis which must be prepared by the European Border and Coast Guard Agency. Fulfilling the tasks assigned to the European Border and Coast Guard Agency in relation to risk analysis, necessitates access to SIS. Furthermore, in accordance with Commission proposal for a Regulation of the European Parliament and of the Council establishing a European Travel Information and Authorisation System (ETIAS) 55 the ETIAS Central Unit of the European Border and Coast Guard Agency will perform verifications in SIS via ETIAS in order to perform the assessment of the applications for travel authorisation which require, inter alia, to ascertain if the third country national applying for a travel authorisation is subject of a SIS alert. To this end the ETIAS Central Unit within European Border and Coast Guard Agency should also have access to SIS to the extent necessary to carry out its mandate, namely to all alert categories on third country nationals in respect of whom an alert has been issued for the purposes of entry and stay, and those who are subject to restrictive measure intended to prevent entry or transit through Member States.

(38)Owing to their technical nature, level of detail and need for regular updating, certain aspects of SIS cannot be covered exhaustively by the provisions of this Regulation. These include, for example, technical rules on entering data, updating, deleting and searching data, data quality and search rules related to biometric identifiers, rules on compatibility and priority of alerts, the adding of flags, links between alerts, setting the expiry date of alerts within the maximum time limit and the exchange of supplementary information. Implementing powers in respect of those aspects should therefore be conferred to the Commission. Technical rules on searching alerts should take into account the smooth operation of national applications.

(39)In order to ensure uniform conditions for the implementation of this Regulation implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 56 . The procedure for adopting implementing measures under this Regulation and Regulation (EU) 2018/xxx (police and judicial cooperation) should be the same.

(40)In order to ensure transparency, a report on the technical functioning of Central SIS and the communication infrastructure, including its security, and on the exchange of supplementary information should be produced every two years by the Agency. An overall evaluation should be issued by the Commission every four years.

(41)Since the objectives of this Regulation, namely the establishment and regulation of a joint information system and the exchange of related supplementary information, cannot, by their very nature, be sufficiently achieved by the Member States and can therefore be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity, as set out in Article 5 of the Treaty of the European Union. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.

(42)This Regulation respects the fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union. In particular, this Regulation seeks to ensure a safe environment for all persons residing on the territory of the European Union and a protection of irregular migrants from exploitation and trafficking by allowing their identification while fully respecting the protection of personal data.

(43)In accordance with Articles 1 and 2 of Protocol No 22 on the Position of Denmark annexed to the Treaty on European Union and to the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application. Given that this Regulation builds upon the Schengen acquis, Denmark shall, in accordance with Article 4 of that Protocol, decide within a period of six months after the Council has decided on this Regulation whether it will implement it in its national law.

(44)This Regulation constitutes a development of provisions of the Schengen acquis in which the United Kingdom does not take part, in accordance with Council Decision 2000/365/EC 57 ; the United Kingdom is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(45)This Regulation constitutes a development of the provisions of the Schengen acquis in which Ireland does not take part, in accordance with Council Decision 2002/192/EC 58 ; Ireland is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(46)As regards Iceland and Norway, this Regulation constitutes a development of provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis 59 , which fall within the area referred to in Article 1, point G of Council Decision 1999/437/EC 60 on certain arrangements for the application of that Agreement.

(47)As regards Switzerland, this Regulation constitutes a development of provisions of the Schengen acquis within the meaning of the Agreement signed between the European Union, the European Community and the Swiss Confederation concerning the association of the Swiss Confederation with the implementation, application and development of the Schengen acquis, which fall within the area referred to in Article 1, point G, of Decision 1999/437/EC read in conjunction with Article 4(1) of Council Decisions 2004/849/EC 61  and 2004/860/EC 62 . 

(48)As regards Liechtenstein, this Decision constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis 63 , which fall within the area referred to in Article 1, point G, of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/349/EU 64  and Article 3 of Council Decision 2011/350/EU 65 .

(49)As regards Bulgaria and Romania, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article Article 4(2) of the 2005 Act of Accession and should be read in conjunction with Council Decision 2010/365/EU on the application of the provisions of the Schengen acquis relating to the Schengen Information System in the Republic of Bulgaria and Romania 66 .

(50)Concerning Cyprus and Croatia this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within, respectively, the meaning of Article 3(2) of the 2003 Act of Accession and Article 4(2) of the 2011 Act of Accession.

(51)The estimated costs of the upgrade of the SIS national systems and of the implementation of the new functionalities, envisaged in this Regulation are lower than the remaining amount in the budget line for Smart Borders in Regulation (EU) No 515/2014 of the European Parliament and the Council 67 . Therefore, this Regulation should re-allocate the amount, attributed for developing IT systems supporting the management of migration flows across the external borders.in accordance with Article 5(5)(b) of Regulation (EU) No 515/2014.

(52)Regulation (EC) No 1987/2006 should therefore be repealed.

(53)The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on …,

HAVE ADOPTED THIS REGULATION:

CHAPTER I

GENERAL PROVISIONS

Article 1
General purpose of SIS

The purpose of SIS shall be to ensure a high level of security within the area of freedom, security and justice of the Union, including the maintenance of public security and public policy and the safeguarding of security in the territories of the Member States, and to apply the provisions of Chapter 2 of Title V of Part Three of the Treaty on the Functioning of the European Union relating to the movement of persons in their territories, using information communicated via this system.

Article 2
Scope

1.This Regulation establishes the conditions and procedures for the entry and processing in SIS of alerts in respect of third-country nationals, the exchange of supplementary information and additional data for the purpose of refusing entry into and stay on the territory of the Member States.

2.This Regulation also lays down provisions on the technical architecture of SIS, the responsibilities of the Member States and of the European Agency on the operational management of large-scale IT systems in the area of freedom, security and justice, general data processing, the rights of the persons concerned and liability.

Article 3
Definitions

1.For the purposes of this Regulation, the following definitions shall apply:

(a)‘alert’ means a set of data, including biometric identifiers as referred to in Article 22, entered in SIS allowing the competent authorities to identify a person with a view to taking specific action;

(b)‘supplementary information’ means information not forming part of the alert data stored in SIS, but connected to SIS alerts, which is to be exchanged:

(1)in order to allow Member States to consult or inform each other when entering an alert;

(2)following a hit in order to allow the appropriate action to be taken;

(3)when the required action cannot be taken;

(4)when dealing with the quality of SIS data;

(5)when dealing with the compatibility and priority of alerts;

(6)when dealing with rights of access;

(c)‘additional data’ means the data stored in SIS and connected with SIS alerts which are to be immediately available to the competent authorities where a person in respect of whom data has been entered in SIS is located as a result of searches made therein;

(d)‘third-country national’ means any person who is not a citizen of the Union within the meaning of Article 20 of the TFEU, with the exception of persons who enjoy rights of free movement equivalent to those of Union citizens under agreements between the Union, or the Union and its Member States on the one hand, and third countries on the other hand;

(e)‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);

(f)‘an identifiable natural person’ is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(g)‘processing of personal data’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, logging, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(h)a ‘hit’ in SIS means:

(1)a search is conducted by a user,

(2)the search reveals an alert in entered by another Member State in SIS,

(3)data concerning the alert in SIS matches the search data, and

(4)further actions are requested as a result of the hit

(i)‘issuing Member State’ means the Member State which entered the alert in SIS;

(j)‘executing Member State’ means the Member State which takes the required actions following a hit;

(k)‘end-users’ mean competent authorities directly searching CS-SIS, N.SIS or a technical copy thereof.

(l)‘return’ means return as defined in point 3 of Article 3 of Directive 2008/115/EC;

(m)‘entry ban’ means entry ban as defined in point 6 of Article 3 of Directive 2008/115/EC;

(n)‘dactylographic data’ means data on fingerprints and palm prints which due to their unique character of uniqueness and the reference points contained therein enable accurate and conclusive comparisons on a person's identity;

(o)‘serious crime’ means offences listed in Article 2(1) and (2) of Framework Decision 2002/584/JHA of 13 June 2002 68 ;

(p)‘terrorist offences’ means offences under national law referred to in Articles, 1-4 of Framework Decision 2002/475/JHA of 13 June 2002 69 .

Article 4
Technical architecture and ways of operating SIS

1.SIS shall be composed of:

(a)a central system (Central SIS) composed of:

–a technical support function (‘CS-SIS’) containing a database, the ‘SIS database’,

–a uniform national interface (NI-SIS);

(b)a national system (N.SIS) in each of the Member States, consisting of the national data systems which communicate with Central SIS. An N.SIS shall contain a data file (a ‘national copy’), containing a complete or partial copy of the SIS database as well as a backup N.SIS. The N.SIS and its backup may be used simultaneously to ensure uninterrupted availability to end-users;

(c)a communication infrastructure between CS-SIS and NI-SIS (the Communication Infrastructure) that provides an encrypted virtual network    dedicated to SIS data and the exchange of data between SIRENE Bureaux    as referred to in Article 7(2).

2.SIS data shall be entered, updated, deleted and searched via the various N.SIS. A partial or a full national copy shall be available for the purpose of carrying out automated searches in the territory of each of the Member States using such a copy. The partial national copy shall contain at least the data listed in Article 20(2) (a)-(v) of this Regulation It shall not be possible to search the data files of other Member States' N.SIS.

3.CS-SIS shall perform technical supervision and administration functions and have a backup CS-SIS, capable of ensuring all functionalities of the principal CS-SIS in the event of failure of this system. CS-SIS and the backup CS-SIS shall be located in the two technical sites of the European Agency for the operational management of large-scale information systems in the area of freedom, security and justice established by Regulation (EU) No 1077/2011 70 (‘the Agency’). CS-SIS or backup CS-SIS may contain an additional copy of the SIS database and may be used simultaneously in active operation provided that each of them is capable to process all transactions related to SIS alerts.

4.CS-SIS shall provide the services necessary for the entry and processing of SIS data, including searches in the SIS database. CS-SIS shall:

(a)provide online update of the national copies;

(b)ensure synchronisation of and consistency between the national copies and the SIS database;

(c)provide the operation for initialisation and restoration of the national copies;

(d)provide uninterrupted availability.

Article 5
Costs

1.The costs of operating, maintaining and further developing Central SIS and the Communication Infrastructure shall be borne by the general budget of the European Union.

2.These costs shall include work done with respect to CS-SIS that ensures the provision of the services referred to in Article 4(4).

3.The costs of setting up, operating, maintaining and further developing each N.SIS shall be borne by the Member State concerned.

CHAPTER II

RESPONSIBILITIES OF THE MEMBER STATES

Article 6
National systems

Each Member State shall be responsible for setting up, operating, maintaining and further developing its N.SIS and connecting its N.SIS to NI-SIS.

Each Member State shall be responsible for ensuring the continuous operation of the N.SIS, its connection to NI-SIS and the uninterrupted availability of SIS data to the end-users.

Article 7
N.SIS Office and SIRENE Bureau

1.Each Member State shall designate an authority (the N.SIS Office), which shall have central responsibility for its N.SIS.

That authority shall be responsible for the smooth operation and security of the N.SIS, shall ensure the access of the competent authorities to the SIS and shall take the necessary measures to ensure compliance with the provisions of this Regulation. It shall be responsible for ensuring that all functionalities of SIS are appropriately made available to the end-users.

Each Member State shall transmit its alerts via its N.SIS Office.

2.Each Member State shall designate the authority which shall ensure the exchange and availability of all supplementary information (the SIRENE Bureau) in accordance with the provisions of the SIRENE Manual, as referred to in Article 8.

Those Bureaux shall also coordinate the verification of the quality of the information entered in SIS. For those purposes they shall have access to data processed in SIS.

3.The Member States shall inform the Agency of their N.SIS II Office and of their SIRENE Bureau. The Agency shall publish the list of them together with the list referred to in Article 36(8).

Article 8
Exchange of supplementary information

1.Supplementary information shall be exchanged in accordance with the provisions of the SIRENE Manual and using the Communication Infrastructure. Member States shall provide the necessary technical and personal resources to ensure the continuous availability and exchange of supplementary information. In the event that the the Communication Infrastructure is unavailable, Member States may use other adequately secured technical means to exchange supplementary information.

2.Supplementary information shall be used only for the purpose for which it was transmitted in accordance with Article 43 unless prior consent is obtained from the issuing Member State.

3.The SIRENE Bureaux shall carry out their task in a quick and efficient manner, in particular by replying to a request as soon as possible but not later than 12 hours after the receipt of the request.

4.Detailed rules for the exchange of supplementary information shall be adopted by means of implementing measures in accordance with the examination procedure referred to in Article 55(2) in the form of a manual called the ‘SIRENE Manual’.    

Article 9
Technical and functional compliance

1.When setting up its N.SIS, each Member State shall comply with common standards, protocols and technical procedures established to ensure the compatibility of its N-SIS with CS-SIS for the prompt and effective transmission of data. Those common standards, protocols and technical procedures shall be laid down and developed by means of implementing measures in accordance with the examination procedure referred to in Article 55(2).

2.Member States shall ensure, by means of the services provided by CS-SIS, that data stored in the national copy are, by means of automatic updates referred to in Article 4(4), identical to and consistent with the SIS database, and that a search in its national copy produces a result equivalent to that of a search in the SIS database. End-users shall receive the data required to perform their tasks, in particular all data required for the identification of the data subject and to take the required action.

Article 10
Security – Member States

1.Each Member State shall, in relation to its N.SIS, adopt the necessary measures, including a security plan, a business continuity plan and a disaster recovery plan, in order to:

(a)physically protect data, including by making contingency plans for the protection of critical infrastructure;

(b)deny unauthorised persons access to data-processing facilities used for processing personal data (facilities access control);

(c)prevent the unauthorised reading, copying, modification or removal of data media (data media control);

(d)prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);

(e)prevent the use of automated data-processing systems by unauthorised persons using data communication equipment (user control);

(f)ensure that persons authorised to use an automated data-processing system have access only to the data covered by their access authorisation, by means of individual and unique user identities and confidential access modes only (data access control);

(g)ensure that all authorities with a right of access to SIS or to the data processing facilities create profiles describing the functions and responsibilities of persons who are authorised to access, enter, update, delete and search the data and make these profiles available to the national supervisory authorities referred to in Article 50(1) without delay upon their request (personnel profiles);

(h)ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);

(i)ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems, when, by whom and for what purpose the data were input (input control);

(j)prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media, in particular by means of appropriate encryption techniques (transport control);

(k)monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring (self-auditing).

2.Member States shall take measures equivalent to those referred to in paragraph 1 as regards security in respect of the processing and exchange of supplementary information, including securing the premises of the SIRENE Bureau.

3.Member States shall take measures equivalent to those referred to in paragraph 1 as regards security in respect of the processing of SIS data by the authorities referred to in Article 29.

Article 11
Confidentiality – Member States

Each Member State shall apply its rules of professional secrecy or other equivalent duties of confidentiality to all persons and bodies required to work with SIS data and supplementary information, in accordance with its national law. That obligation shall also apply after those persons leave office or employment or after the termination of the activities of those bodies.

Article 12
Keeping of logs at national level

1.Member States shall ensure that every access to and all exchanges of personal data within CS-SIS are logged in their N.SIS for the purposes of checking whether or not the search is lawful, monitoring the lawfulness of data processing, self-monitoring and ensuring the proper functioning of N.SIS , data integrity and security.

2.The logs shall show, in particular, the history of the alert, the date and time of the data processing activity, the type of data used to perform a search, a reference to the of type data transmitted and the name of both the competent authority and the person responsible for processing the data.

3.If the search is carried out with dactylographic data or facial image in accordance with Article 22 the logs shall show, in particular, the type of data used to perform a search, a reference to the type data transmitted and the name of both the competent authority and the person responsible for processing the data.

4.The logs may be used only for the purpose referred to in paragraph 1 and shall be deleted at the earliest one year, and at the latest three years, after their creation.

5.Logs may be kept longer if they are required for monitoring procedures that are already under way.

6.The competent national authorities in charge of checking whether or not searches are lawful, monitoring the lawfulness of data processing, self-monitoring and ensuring the proper functioning of the N.SIS, data integrity and security, shall have access, within the limits of their competence and at their request, to these logs for the purpose of fulfilling their duties.

Article 13
Self-monitoring

Member States shall ensure that each authority entitled to access SIS data takes the measures necessary to comply with this Regulation and cooperates, where necessary, with the national supervisory authority.

Article 14
Staff training

Before being authorised to process data stored in SIS and periodically after access to SIS data has been granted, the staff of the authorities having a right to access SIS shall receive appropriate training about data-security, data-protection rules and the procedures on data processing as set out in the SIRENE Manual. The staff shall be informed of any relevant criminal offences and penalties.

CHAPTER III

RESPONSIBILITIES OF THE AGENCY

Article 15
Operational management

1.The Agency shall be responsible for the operational management of Central SIS. The Agency shall ensure, in cooperation with the Member States, ensure that at all times the best available technology, using a cost-benefit analysis, is used for Central SIS.

2.The Agency shall also be responsible for the following tasks relating to the Communication Infrastructure.

(a)supervision;

(b)security;

(c)the coordination of relations between the Member States and the provider;

3.The Commission shall be responsible for all other tasks relating to the Communication Infrastructure, in particular:

(a)tasks relating to implementation of the budget;

(b)acquisition and renewal;

(c)contractual matters.

4.The Agency shall also be responsible for the following tasks relating to the SIRENE Bureaux and communication between the SIRENE Bureaux:

(a)the coordination and management of testing;

(b)the maintenance and update of technical specifications for the exchange of supplementary information between SIRENE Bureaux and the communication infrastructure and managing the impact of technical changes where it affects both SIS and the exchange of supplementary information between SIRENE Bureaux.

5.The Agency shall develop and maintain a mechanism and procedures for carrying out quality checks on the data in CS-SIS and shall provide regular reports to the Member States. The Agency shall provide a regular report to the Commission covering the issues encountered and the Member States concerned. This mechanism, procedures and interpretation of data quality compliance shall be laid down and developed by means of implementing measures in accordance with the examination procedure referred to in Article  55(2).

6.Operational management of Central SIS shall consist of all the tasks necessary to keep Central SIS functioning 24 hours a day, seven days a week in accordance with this Regulation, in particular the maintenance work and technical developments necessary for the smooth running of the system. Those tasks also include testing activities ensuring that Central SIS and the national systems operate in accordance with the technical and functional requirements in accordance with Article 9 of this Regulation.

Article 16
Security

1.The Agency shall adopt the necessary measures, including of a security plan a business continuity plan and a disaster recovery plan for Central SIS and the Communication Infrastructure in order to:

(a)physically protect data, including by making contingency plans for the protection of critical infrastructure;

(b)deny unauthorised persons access to data-processing facilities used for processing personal data (facilities access control);

(c)prevent the unauthorised reading, copying, modification or removal of data media (data media control);

(d)prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);

(e)prevent the use of automated data-processing systems by unauthorised persons using data communication equipment (user control);

(f)ensure that persons authorised to use an automated data-processing system have access only to the data covered by their access authorisation by means of individual and unique user identities and confidential access modes only (data access control);

(g)create profiles describing the functions and responsibilities for persons who are authorised to access the data or the data processing facilities and make these profiles available to the European Data Protection Supervisor referred to in Article 51 without delay upon its request (personnel profiles);

(h)ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);

(i)ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems, when and by whom the data were input (input control);

(j)prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media in particular by means of appropriate encryption techniques (transport control);

(k)monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation (self-auditing).

2.The Agency shall take measures equivalent to those referred to in paragraph 1 as regards security in respect of the processing and exchange of supplementary information through the Communication Infrastructure.

Article 17
Confidentiality – Agency

1.Without prejudice to Article 17 of the Staff Regulations of officials and the Conditions of Employment of other servants of the European Union, the Agency shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality of comparable standards to those laid down in Article 11 of this Regulation to all its staff required to work with SIS data. This obligation shall also apply after those persons leave office or employment or after the termination of their activities.

2.The Agency shall take measures equivalent to those referred to in paragraph 1 as regards confidentiality in respect of the exchange of supplementary information through the Communication Infrastructure.

Article 18
Keeping of logs at central level

1.The Agency shall ensure that every access to and all exchanges of personal data within CS-SIS are logged for the purposes mentioned in Article 12(1).

2.The logs shall show, in particular, the history of the alerts, the date and time of the data transmitted, the type of data used to perform searches, the reference to the type of data transmitted and the name of the competent authority responsible for processing the data.

3.If the search is carried out with dactylographic data or facial image in accordance with Article 22 and 28 the logs shall show, in particular, the type of data used to perform a search, a reference to the type data transmitted and the name of both the competent authority and the person responsible for processing the data.

4.The logs may only be used for the purposes mentioned in paragraph 1 and shall be deleted at the earliest one year, and at the latest three years, after their creation. The logs which include the history of alerts shall be erased after one to three years after deletion of the alerts.

5.Logs may be kept longer if they are required for monitoring procedures that are already underway.

6.The competent authorities in charge of checking whether or not a search is lawful, monitoring the lawfulness of data processing, self-monitoring and ensuring the proper functioning of CS-SIS, data integrity and security, shall have access, within the limits of their competence and at their request, to those logs for the purpose of fulfilling their tasks.

CHAPTER IV

INFORMATION TO THE PUBLIC

Article 19
SIS information campaigns

The Commission, in cooperation with the national supervisory authorities and the European Data Protection Supervisor, shall regularly carry out campaigns informing the public about the objectives of SIS, the data stored, the authorities having access to SIS and the rights of data subjects. Member States shall, in cooperation with their national supervisory authorities, devise and implement the necessary policies to inform their citizens about SIS generally.

CHAPTER V

ALERTS ISSUED IN RESPECT OF THIRD-COUNTRY NATIONALS FOR THE PURPOSE OF REFUSING ENTRY AND STAY

Article 20
Categories of data

1.Without prejudice to Article 8(1) or the provisions of this Regulation providing for the storage of additional data, SIS shall contain only those categories of data which are supplied by each of the Member States, as required for the purposes laid down in Article 24.

2.The information on persons in relation to whom an alert has been issued shall only contain the following data:

(a)surname(s);

(b)forename(s);

(c)name(s) at birth;

(d)previously used names and aliases;

(e)any specific, objective, physical characteristics not subject to change;

(f)place of birth;

(g)date of birth;

(h)sex;

(i)nationality/nationalities;

(j)whether the person concerned is armed, violent, has escaped or is involved in an activity as referred to in Articles 1, 2 , 3 and 4 of Council Framework Decision 2002/475/JHA on combating terrorism;

(k)reason for the alert;

(l)authority issuing the alert;

(m)a reference to the decision giving rise to the alert;

(n)action to be taken;

(o)link(s) to other alerts issued in SIS pursuant to Article 38;

(p)whether the person concerned is a family member of an EU citizen or other person who enjoys rights of free movement as referred to in Article 25;

(q)whether the decision on refusal of entry is based on:

–a previous conviction as referred to in Article 24(2)(a);

–a serious security threat as referred to in Article 24(2)(b);

–an entry ban as referred to in Article 24(3); or

–a restrictive measure as referred to in Article 27;

(r)type of offence (for alerts issued pursuant to Article 24(2) of this Regulation);

(s)the category of the person’s identification document;

(t)the country of issue of the person’s identification document;

(u)the number(s) of the person’s identification document;

(v)the date of issue of the person’s identification document;

(w)photographs and facial images;

(x)dactylographic data;

(y)a colour copy of the identification document.

3.The technical rules necessary for entering, updating, deleting and searching the data referred to in paragraph 2 shall be laid down and developed by means of implementing measures in accordance with the examination procedure referred to in Article 55(2).

4.The technical rules necessary for searching the data referred to in paragraph 2 shall be laid down and developed in accordance with the examination procedure referred to in Article 55(2). These technical rules shall be similar for searches in CS-SIS, in national copies and in technical copies, as referred to in Article 36 and they shall be based upon common standards laid down and developed by means of implementing measures in accordance with the examination procedure referred to in Article 55(2).

Article 21
Proportionality

1.Before issuing an alert and when extending the validity period of an alert, Member States shall determine whether the case is adequate, relevant and important enough to warrant the entry of an alert in SIS.

2.In the application of Article 24(2) Member States shall, in all circumstances, create such an alert in relation to third country nationals if the offence falls under Articles 1 – 4 of Council Framework Decision 2002/475/JHA on combating terrorism 71 .

Article 22
Specific rules for entering photographs, facial images and dactylographic data

1.Data referred to in Article 20(2)(w) and (x) shall only be entered into SIS following a quality check to ascertain the fulfilment of a minimum data quality standard.

2.Quality standards shall be established for the storage of the data referred to under paragraph 1. The specification of these standards shall be laid down by means of implementing measures and updated in accordance with the examination procedure referred to in Article 55(2).

Article 23
Requirement for an alert to be entered

1.An alert may not be entered without the data referred to in Article 20(2)(a), (g),(k),(m),(n) and (q). Where an alert is based upon a decision taken under Article 24 (2) the data referred to in Article 20(2)(r) shall also be entered.

2.Where available, all other data listed in Article 20(2) shall also be entered.

Article 24
Conditions for issuing alerts on refusal of entry and stay

1.Data on third-country nationals in respect of whom an alert has been issued for the purposes of refusing entry and stay shall be entered in SIS on the basis of a national alert resulting from a decision taken by the competent administrative or judicial authorities in accordance with the rules of procedure laid down by national law taken on the basis of an individual assessment. Appeals against those decisions shall be made in accordance with national law.

2.An alert shall be entered where the decision referred to in paragraph 1 is based on a threat to public policy or public security or to national security which the presence of the third-country national in question in the territory of a Member State may pose. This situation shall arise in particular in the case of:

(a)a third-country national who has been convicted in a Member State of an offence carrying a penalty involving the deprivation of liberty of at least one year;

(b)a third-country national in respect of whom there are serious grounds for believing that he has committed a serious crime or in respect of whom there are clear indications of an intention to commit such an offence in the territory of a Member State.

3.An alert shall be entered where the decision referred to in paragraph 1 is an entry ban issued in accordance with procedures respecting Directive 2008/115/EC. The issuing Member State shall ensure that the alert takes effect in SIS at the point of return of the third-country national concerned. The confirmation of return shall be communicated to the issuing Member State in accordance with Article 6 of Regulation (EU) 2018/xxx [Return Regulation].

Article 25
Conditions for entering alerts on third-country nationals who are beneficiaries of the right of free movement within the Union

1.An alert concerning a third-country national who is a beneficiary of the right of free movement within the Union, within the meaning of Directive 2004/38/EC of the European Parliament and of the Council 72 shall be entered in accordance with the measures adopted to implement that Directive.

2.Where there is a hit on an alert pursuant to Article 24 concerning a third-country national who is a beneficiary of the right of free movement within the Union, the Member State executing the alert shall immediately consult the issuing Member State, through the exchange of supplementary information, in order to decide without delay on the action to be taken.

Article 26
Consultation procedure

1.Where a Member State considers granting a residence permit or other authorisation offering a right to stay to a third-country national who is the subject of an alert for refusal of entry and stay entered by another Member State, it shall first consult the issuing Member State through the exchange of supplementary information and shall take account of the interests of that Member State. The issuing Member State shall provide a definite reply within seven days. Where the Member State considering granting a permit or other authorisation offering a right to stay decides to grant it, the alert for refusal of entry and stay shall be deleted.

2.Where a Member State considers entering an alert for refusal of entry and stay concerning a third-country national who is the holder of a valid residence permit or other authorisation offering a right to stay issued by another Member State, it shall first consult the Member State that issued the permit through the exchange of supplementary information and shall take account of the interests of that Member State. The Member State that issued the permit shall provide a definite reply within seven days. If the Member State that issued the permit decides to maintain it, the alert for refusal of entry and stay shall not be entered.

3.In the event of a hit on an alert for refusal of entry and stay concerning a third-country national who is the holder of a valid residence permit or other authorisation offering a right to stay, the executing Member State shall consult immediately the Member State that issued the residence permit and the Member State that entered the alert, respectively, via the exchange of supplementary information in order to decide without delay if the action may be taken. If it is decided to maintain the residence permit, the alert shall be deleted.

4.Member States shall provide on an annual basis statistics to the Agency about the consultations carried out in accordance with paragraphs 1 to 3.

Article 27
Conditions for issuing alerts on third-country nationals subject to restrictive measures

1.Alerts relating to third-country nationals, who are the subject of a restrictive measure intended to prevent entry into or transit through the territory of Member States, taken in accordance with legal acts adopted by the Council, including measures implementing a travel ban issued by the Security Council of the United Nations, shall insofar as data-quality requirements are satisfied, be entered in SIS for the purpose of refusing entry and stay.

2.The Member State responsible for entering, updating and deleting these alerts on behalf of all Member States shall be designated at the moment of the adoption of the relevant measure taken in accordance with Article 29 of the Treaty on European Union. The procedure for designating the Member State responsible shall be laid down and developed by means of implementing measures in accordance with the examination procedure referred to in Article 55(2).

CHAPTER VI

SEARCH WITH BIOMETRIC DATA

Article 28
Specific rules for verification or search with photographs, facial images and dactylographic data

1.Photographs, facial images and dactylographic data shall be retrieved from SIS to verify the identity of a person who has been located as a result of an alphanumeric search made in SIS.

2.Dactylographic data may also be used to identify a person. Dactylographic data stored in SIS shall be used for identification purposes if the identity of the person cannot be ascertained by other means.

3.Dactylographic data stored in SIS in relation to alerts issued under Article 24 may also be searched with complete or incomplete sets of fingerprints or palm prints discovered at the scenes of crimes under investigation and where it can be established to a high degree of probability that they belong to the perpetrator of the offence provided that the competent authorities are unable to establish the identity of the person by using any other national, European or international database.

4.As soon as this becomes technically possible, and while ensuring a high degree of reliability of identification, photographs and facial images may be used to identify a person. Identification based on photographs or facial images shall only be used in the context of regular border crossing points where self-service systems and automated border control systems are in use.

CHAPTER VII

RIGHT TO ACCESS AND RETENTION OF ALERTS

Article 29
Authorities having a right to access alerts

1.Access to data entered in SIS and the right to search such data directly or in a copy of SIS data shall be reserved to the authorities responsible for the identification of third-country nationals for the purposes of:

(a)border control, in accordance with Regulation (EU) 2016/399 of the European Parliament and of the Council of 9 March 2016 on a Union Code on the rules governing the movement of persons across borders (Schengen Borders Code);

(b)police and customs checks carried out within the Member State concerned, and the coordination of such checks by designated authorities;

(c)other law enforcement activities carried out for the prevention, detection and investigation of criminal offences within the Member State concerned;

(d)examining the conditions and taking decisions related to the entry and stay of third-country nationals on the territory of the Member States, including on residence permits and long-stay visas, and to the return of third-country nationals;

(e)examining visa applications and taking decisions related to those applications including on whether to annul, revoke or extend visas, in accordance with Regulation (EU) No 810/2009 of the European Parliament and of the Council. 73

2.For the purposes of Article 24(2) and (3) and Article 27 the right to access data entered in SIS and the right to search such data directly may also be exercised by national judicial authorities, including those responsible for the initiation of public prosecutions in criminal proceedings and for judicial inquiries prior to charge, in the performance of their tasks, as provided for in national legislation, and by their coordinating authorities.

3.The right to access data concerning documents relating to persons entered in accordance with Article 38(2)(j) and (k) of Regulation (EU) 2018/xxx [police cooperation and judicial cooperation in criminal matters] and the right to search such data may also be exercised by the authorities referred to in paragraph 1(d). Access to data by these authorities shall be governed by the law of each Member State.

4.The authorities referred to in this Article shall be included in the list referred to in Article 36(8).

Article 30
Access to SIS data by Europol

1.The European Union Agency for Law Enforcement Cooperation (Europol) shall have within its mandate, have the right to access and search data entered into SIS.

2.Where a search by Europol reveals the existence of an alert in SIS, Europol shall inform the issuing Member State via the channels defined by Regulation (EU) 2016/794.

3.The use of information obtained from a search in the SIS is subject to the consent of the Member State concerned. If the Member State allows the use of such information, the handling thereof by Europol shall be governed by Regulation (EU) 2016/794. Europol may only communicate such information to third countries and third bodies with the consent of the Member State concerned.

4.Europol may request further information from the Member State concerned in accordance with the provisions of Regulation (EU) 2016/794.

5.Europol shall:

(a)without prejudice to paragraphs 3, 4 and 6, not connect parts of SIS nor transfer the data contained therein to which it has access to any computer system for data collection and processing operated by or at Europol nor download or otherwise copy any part of SIS;

(b)limit access to data entered in SIS to specifically authorised staff of Europol;

(c)adopt and apply measures provided for in Articles 10 and 11;

(d)allow the European Data Protection Supervisor to review the activities of Europol in the exercise of its right to access and search data entered in SIS.

6.Data may only be copied for technical purposes, provided that such copying is necessary in order for duly authorised Europol staff to carry out a direct search. The provisions of this Regulation shall apply to such copies. The technical copy shall be used for the purpose of storing SIS data whilst those data are searched. Once the data have been searched they shall be deleted. Such uses shall not be construed to be an unlawful downloading or copying of SIS data. Europol shall not copy alert data or additional data issued by Member States or from CS-SIS into other Europol systems.

7.Any copies, as referred to in paragraph 6, which lead to off-line databases may be retained for a period not exceeding 48 hours. That period may be extended in an emergency until the emergency comes to an end. Europol shall report any such extensions to the European Data Protection Supervisor.

8.Europol may receive and process supplementary information on corresponding SIS alerts provided that the data processing rules referred to in paragraphs (2)-(7) are applied as appropriate.

9.For the purpose of verifying the lawfulness of data processing, self-monitoring and ensuring proper data security and integrity Europol should keep logs of every access to and search in SIS. Such logs and documentation shall not be considered to be the unlawful downloading or copying of any part of SIS.

Article 31
Access to SIS data by the European Border and Coast Guard teams, teams of staff involved in return-related tasks, and members of the migration management support teams

1.In accordance with Article 40(8) of Regulation (EU) 2016/1624, the members of the European Border and Coast Guard teams or teams of staff involved in return-related tasks as well as the members of the migration management support teams shall, within their mandate, have the right to access and search data entered in SIS within their mandate.

2.Members of the European Border and Coast Guard teams or teams of staff involved in return-related tasks as well as the members of the migration management support teams shall access and search data entered in SIS in accordance with paragraph 1 via the technical interface set up and maintained by the European Border and Coast Guard Agency as referred to in Article 32(2).

3.Where a search by a member of the European Border and Coast Guard teams or teams of staff involved in return-related tasks or by a member of the migration management support teams reveals the existence of an alert in SIS, the issuing Member State shall be informed thereof. In accordance with Article 40 of Regulation (EU) 2016/1624, members of the teams may only act in response to an alert in SIS under instructions from and, as a general rule, in the presence of border guards or staff involved in return-related tasks of the host Member State in which they are operating. The host Member State may authorise members of the teams to act on its behalf.

4.Every instance of access and every search made by a member of the European Border and Coast Guard teams or teams of staff involved in return-related tasks or by a member of the migration management support teams shall be logged in accordance with the provisions of Article 12 and every use made by them of data accessed by them shall be registered.

5.Access to data entered in SIS shall be limited to a member of the European Border and Coast Guard teams or teams of staff involved in return-related tasks or by a member of the migration management support teams and shall not be extended to any other team member.

6.Measures to ensure security and confidentiality as provided for in Articles 10 and 11 shall be adopted and applied.

Article 32
Access to SIS data by the European Border and Coast Guard Agency

1.The European Border and Coast Guard Agency shall, for the purpose of analysing the threats that may affect the functioning or security of the external borders, have the right to access and search data entered in SIS, in accordance with Articles 24 and 27.

2.For the purposes of Article 31(2) and paragraphs 1 of this Article the European Border and Coast Guard Agency shall set up and maintain a technical interface which allows a direct connection to Central SIS.

3.Where a search by the European Border and Coast Guard Agency reveals the existence of an alert in SIS, it shall inform the issuing Member State.

4.The European Border and Coast Guard Agency shall, for the purpose of performing its tasks conferred on it by the Regulation establishing a European Travel Information and Authorisation System (ETIAS), have the right to access and verify data entered in SIS, in accordance with Articles 24 and 27.

5.Where a verification by the European Border and Coast Guard Agency for the purposes of paragraph 2 reveals the existence of an alert in SIS the procedure set out in Article 22 of Regulation establishing a European Travel Information and Authorisation System (ETIAS) applies.

6.Nothing in this Article shall be interpreted as affecting the provisions of Regulation (EU) 2016/1624 concerning data protection and the liability for any unauthorised or incorrect processing of such data by the European Border and Coast Guard Agency.

7.Every instance of access and every search made by the European Border and Coast Guard Agency shall be logged in accordance with the provisions of Article 12 and every use made of data accessed by the European Border and Coast Guard Agency shall be registered.

8.Except where necessary to perform the tasks for the purposes of the Regulation establishing a European Travel Information and Authorisation System (ETIAS) no parts of SIS shall be connected to any computer system for data collection and processing operated by or at the European Border and Coast Guard Agency nor shall the data contained in SIS to which the European Border and Coast Guard Agency has access be transferred to such a system. No part of SIS shall be downloaded. The logging of access and searches shall not be construed to be the downloading or copying of SIS data.

9.Measures to ensure security and confidentiality as provided for in Articles 10 and 11 shall be adopted and applied.

Article 33
Scope of access

End-users, including Europol, and the European Border and Coast Guard Agency, may only access data which they require for the performance of their tasks.

Article 34
Retention period of alerts

1.Alerts entered in SIS pursuant to this Regulation shall be kept only for the time required to achieve the purposes for which they were entered.

2.A Member State issuing an alert shall, within five years of its entry into SIS, review the need to retain it.

3.Each Member State shall, where appropriate, set shorter review periods in accordance with its national law.

4.In cases where it becomes clear to staff in the SIRENE Bureau, who are responsible for coordinating and verifying of data quality, that an alert on a person has achieved its purpose and should be deleted from SIS, the staff shall notify the authority which created the alert to bring this issue to the attention of the authority. The authority shall have 30 calendar days from the receipt of this notification to indicate that the alert has been or shall be deleted or shall state reasons for the retention of the alert. If the 30-day period expires without such a reply the alert shall be deleted by the staff of the SIRENE Bureau. SIRENE Bureaux shall report any recurring issues in this area to their national supervisory authority.

5.Within the review period, the Member State issuing the alert may, following a comprehensive individual assessment, which shall be recorded, decide to keep the alert longer, should this prove necessary for the purposes for which the alert was issued. In such a case, paragraph 2 shall apply also to the extension. Any extension of an alert shall be communicated to CS-SIS.

6.Alerts shall automatically be erased after the review period referred to in paragraph 2 except where the Member State issuing the alert has informed CS-SIS about the extension of the alert to CS-SIS pursuant to paragraph 5. CS-SIS shall automatically inform the Member States of the scheduled deletion of data from the system four months in advance.

7.Member States shall keep statistics about the number of alerts or which the retention period has been extended in accordance with paragraph 5.

Article 35
Deletion of alerts

1.Alerts on refusal of entry and stay pursuant to Article 24 shall be deleted when the decision on which the alert was entered has been withdrawn by the competent authority, where applicable following the consultation procedure referred to in Article 26.

2.Alerts relating to third-country nationals who are the subject of a restrictive measure as referred to in Article 27 shall be deleted when the measure implementing the travel ban has been terminated, suspended or annulled.

3.Alerts issued in respect of a person who has acquired citizenship of any State whose nationals are beneficiaries of the right of free movement within the Union shall be deleted as soon as the issuing Member State becomes aware, or is informed pursuant to Article 38 that the person in question has acquired such citizenship.

CHAPTER VIII

GENERAL DATA PROCESSING RULES

Article 36
Processing of SIS data

1.The Member States may process the data referred to in Article 20 for the purposes of refusing entry into and stay in their territories.

2.Data may only be copied for technical purposes, provided that such copying is necessary in order for the authorities referred to in Article 29 to carry out a direct search. The provisions of this Regulation shall apply to such copies. A Member State shall not copy alert data or additional data entered by another Member State from its N.SIS or from the CS-SIS into other national data files.

3.Technical copies, as referred to in paragraph 2, which lead to off-line databases may be retained for a period not exceeding 48 hours. That period may be extended in the event of an emergency until the emergency comes to an end.

Notwithstanding the first subparagraph, technical copies which lead to off-line databases to be used by visa issuing authorities shall not be permitted, except for copies made to be used only in an emergency following the unavailability of the network for more than 24 hours.

Member States shall keep an up-to-date inventory of those copies, make that inventory available to their national supervisory authority, and ensure that the provisions of this Regulation, in particular those of Article 10, are applied in respect of those copies.

4.Access to data shall only be authorised within the limits of the competence of the national authorities referred to in Article 29 and to duly authorised staff.

5.Any processing of information contained in SIS for purposes other than those for which it was entered in SIS has to be linked with a specific case and justified by the need to prevent an imminent serious threat to public policy and public security, on serious grounds of national security or for the purposes of preventing a serious crime. Prior authorisation from the Member State issuing the alert shall be obtained for this purpose.

6.Data concerning documents related to persons entered under Article 38(2)(j) and (k) of Regulation (EU) 2018/xxx may be used by the authorities referred to in Article 29(1)(d) in accordance with the laws of each Member State.

7.Any use of data which does not comply with paragraphs 1 to 6 shall be considered as misuse under the national law of each Member State.

8.Each Member State shall send to the Agency a list of its competent authorities which are authorised to search directly the data contained in SIS pursuant to this Regulation, as well as any changes to the list. The list shall specify, for each authority, which data it may search and for what purposes. The Agency shall ensure the annual publication of the list in the Official Journal of the European Union.

9.In so far as Union law does not lay down specific provisions, the law of each Member State shall apply to data entered in its N.SIS.

Article 37
SIS data and national files

1.Article 36(2) shall not prejudice the right of a Member State to keep in its national files SIS data in connection with which action has been taken on its territory. Such data shall be kept in national files for a maximum period of three years, except if specific provisions in national law provide for a longer retention period.

2.Article 36(2) shall not prejudice the right of a Member State to keep in its national files data contained in a particular alert issued in SIS by that Member State.

Article 38
Information in case of non-execution of alert

If a requested action cannot be performed, the requested Member State shall immediately inform the Member State issuing the alert.

Article 39
Quality of the data processed in SIS

1.A Member State issuing an alert shall be responsible for ensuring that the data are accurate, up-to-date and entered in SIS lawfully.

2.Only the Member State issuing an alert shall be authorised to modify, add to, correct, update or delete data which it has entered.

3.Where a Member State other than that which issued an alert has evidence suggesting that an item of data is factually incorrect or has been unlawfully stored, it shall, through the exchange of supplementary information, inform the issuing Member State at the earliest opportunity and not later than 10 days after the said evidence has come to its attention. The issuing Member State shall check the communication and, if necessary, correct or delete the item in question without delay.

4.Where the Member States are unable to reach agreement within two months of the time when the evidence first came to light, as described in paragraph 3, the Member State which did not issue the alert shall submit the matter to the national supervisory authorities concerned for a decision.

5.The Member States shall exchange supplementary information where a person complains that he or she is not the person wanted by an alert. Where the outcome of the check shows that there are in fact two different persons the complainant shall be informed of the measures laid down in Article 42.

6.Where a person is already the subject of an alert in SIS, a Member State which enters a further alert shall reach agreement on the entry of the alert with the Member State which entered the first alert. The agreement shall be reached on the basis of the exchange of supplementary information.

Article 40
Security incidents

1.Any event that has or may have an impact on the security of SIS and may cause damage or loss to SIS data shall be considered to be a security incident, especially where access to data may have occurred or where the availability, integrity and confidentiality of data has or may have been compromised.

2.Security incidents shall be managed to ensure a quick, effective and proper response.

3.Member States shall notify the Commission, the Agency and the European Data Protection Supervisor of security incidents. The Agency shall notify the Commission and the European data Protection Supervisor of security incidents.

4.Information regarding a security incident that has or may have an impact on the operation of SIS in a Member State or within the Agency or on the availability, integrity and confidentiality of the data entered or sent by other Member States, shall be provided to the Member States and reported in compliance with the incident management plan provided by the Agency.

Article 41
Distinguishing between persons with similar characteristics

Where it becomes apparent, when a new alert is entered, that there is already a person in SIS with the same identity description element, the following procedure shall apply:

(a)the SIRENE Bureau shall contact the requesting authority to clarify whether or not the alert is on the same person;

(b)where the cross-check reveals that the subject of the new alert and the person already in SIS are indeed one and the same, the SIRENE Bureau shall apply the procedure for entering multiple alerts as referred to in Article 39(6). Where the outcome of the check is that there are in fact two different persons, the SIRENE Bureau shall approve the request for entering the second alert by adding the necessary elements to avoid any misidentifications.

Article 42
Additional data for the purpose of dealing with misused identities

1.Where confusion may arise between the person actually intended as the subject of an alert and a person whose identity has been misused, the issuing Member State shall, subject to that person's explicit consent, add data relating to the latter to the alert in order to avoid the negative consequences of misidentification.

2.Data relating to a person whose identity has been misused shall be used only for the following purposes:

(a)to allow the competent authority to distinguish the person whose identity has been misused from the person actually intended as the subject of the alert;

(b)to allow the person whose identity has been misused to prove his or her identity and to establish that his or her identity has been misused.

3.For the purpose of this Article, only the following personal data may be entered and further processed in SIS:

(a)surname(s)

(b)forename(s),

(c)name(s) at birth

(d)previously used names and any aliases possibly entered separately;

(e)any specific objective and physical characteristic not subject to change;

(f)place of birth

(g)date of birth;

(h)sex;

(i)facial images;

(j)fingerprints;

(k)nationality(ies);

(l)the category of the person’s identity document

(m)the country of issue of the person’s identity document

(n)the number(s) of the person’s identity document

(o)the date of issue of a person’s identity document

(p)address of the victim

(q)victim's father’s name

(r)victim's mother’s name

4.The technical rules necessary for entering and further processing the data referred to in paragraph 3 shall be established by means of implementing measures laid down and developed in accordance with the examination procedure referred to in Article 55(2).

5.The data referred to in paragraph 3 shall be deleted at the same time as the corresponding alert or earlier where the person so requests.

6.Only the authorities having a right of access to the corresponding alert may access the data referred to in paragraph 3. They may do so for the sole purpose of avoiding misidentification.

Article 43
Links between alerts

1.A Member State may create a link between alerts it enters in SIS. The effect of such a link shall be to establish a relationship between two or more alerts.

2.The creation of a link shall not affect the specific action to be taken on the basis of each linked alert or the retention period of each of the linked alerts.

3.The creation of a link shall not affect the rights of access provided for in this Regulation. Authorities with no right of access to certain categories of alerts shall not be able to see the link to an alert to which they do not have access.

4.A Member State shall create a link between alerts when there is an operational need.

5.Where a Member State considers that the creation by another Member State of a link between alerts is incompatible with its national law or international obligations, it may take the necessary measures to ensure that there can be no access to the link from its national territory or by its authorities located outside its territory.

6.The technical rules for linking alerts shall be laid down and developed in accordance with the examination procedure defined in Article 55(2).

Article 44
Purpose and retention period of supplementary information

1.Member States shall keep a reference to the decisions giving rise to an alert at the SIRENE Bureau in order to support the exchange of supplementary information.

2.Personal data held in files by the SIRENE Bureau as a result of information exchanged shall be kept only for such time as may be required to achieve the purposes for which they were supplied. They shall in any event be deleted at the latest one year after the related alert has been deleted from SIS.

3.Paragraph 2 shall not prejudice the right of a Member State to keep in national files data relating to a particular alert which that Member State has issued or to an alert in connection with which action has been taken on its territory. The period for which such data may be held in such files shall be governed by national law.

Article 45
Transfer of personal data to third parties

Data processed in SIS and the related supplementary information pursuant to this Regulation shall not be transferred or made available to third countries or to international organisations.

CHAPTER IX

DATA PROTECTION

Article 46
Applicable legislation

1.    Regulation (EC) No 45/2001 shall apply to the processing of personal data by the Agency under this Regulation.

2.    Regulation 2016/679 shall apply to the processing of personal data by the authorities referred to in Article 29 of this Regulation provided that national provisions transposing Directive (EU) 2016/680 do not apply.

3.    For processing of data by competent national authorities for the purposes of the prevention, investigation, detection, or prosecution of criminal offences of the execution of criminal penalties including the safeguarding against the prevention of threat to public security national provisions transposing Directive (EU) 2016/680 shall apply.

Article 47
Right of access, rectification of inaccurate data and erasure of unlawfully stored data

1.The right of data subjects to have access to data relating to them entered in SIS and to have such data rectified or erased shall be exercised in accordance with the law of the Member State before which they invoke that right.

2.If national law so provides, the national supervisory authority shall decide whether information is to be communicated and by what means.

3.A Member State other than that which has issued an alert may communicate information concerning such data only if it first gives the Member State issuing the alert an opportunity to state its position. This shall be done through the exchange of supplementary information.

4.A Member State shall take a decision not to communicate information to the data subject, in whole or in part, in accordance with national law, to the extent that, and for as long as such a partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the natural person concerned, in order to:

(a)avoid obstructing official or legal inquiries, investigations or procedures;

(b)avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;

(c)protect public security;

(d)protect national security;

(e)protect the rights and freedoms of others.

5.The person concerned shall be informed as soon as possible and in any event not later than 60 days from the date on which he applies for access or sooner if national law so provides.

6.The person concerned shall be informed about the follow-up given to the exercise of his rights of rectification and erasure as soon as possible and in any event not later than three months from the date on which he applies for rectification or erasure or sooner if national law so provides.

Article 48
Right of information

1.Third-country nationals who are the subject of an alert issued in accordance with this Regulation shall be informed in accordance with Articles 10 and 11 of Directive 95/46/EC. This information shall be provided in writing, together with a copy of or a reference to the national decision giving rise to the alert, as referred to in Article 24(1).

2.This information shall not be provided:

(a)where:

i)the personal data have not been obtained from the third-country national in question;

and

ii) the provision of the information proves impossible or would involve a disproportionate effort;

(b)where the third country national in question already has the information;

(c)where national law allows for the right of information to be restricted, in particular in order to safeguard national security, defence, public security and the prevention, investigation, detection and prosecution of criminal offences.

Article 49
Remedies

1.Any person may bring an action before the courts or the authority competent under the law of any Member State to access, rectify, delete or erase information or to obtain compensation in connection with an alert relating to him.

2.The Member States undertake mutually to enforce final decisions handed down by the courts or authorities referred to in paragraph 1 of this Article, without prejudice to the provisions of Article 53.

3.In order to gain a consistent overview of the functioning of remedies the national supervisory authorities shall be invited to develop a standard statistical system for reporting annually on:

(a)the number of subject access requests submitted to the data controller and the number of cases where access to the data was granted;

(b)the number of subject access requests submitted to the national supervisory authority and the number of cases where access to the data was granted;

(c)the number of requests for the rectification of inaccurate data and the erasure of unlawfully stored data to the data controller and the number of cases where the data were corrected or deleted;

(d)the number of requests for the rectification of inaccurate data and the erasure of unlawfully stored data submitted to the national supervisory authority;

(e)the number of cases which are heard before the courts;

(f)the number of cases where the court ruled in favour of the applicant in any aspect of the case;

(g)any observations on cases of mutual recognition of final decisions handed down by the courts or authorities of other Member States on alerts created by the alert-issuing Member State.

The reports from the national supervisory authorities shall be forwarded to the cooperation mechanism set out in Article 52.

Article 50
Supervision of N.SIS

1.Each Member State shall ensure that the independent national supervisory authorit(ies) designated in each Member State and endowed with the powers referred to in Chapter VI of Directive (EU)2016/680 or Chapter VI of Regulation (EU) 2016/679 monitor independently the lawfulness of the processing of SIS personal data on their territory and its transmission from their territory, and the exchange and further processing of supplementary information.

2.The national supervisory authority shall ensure that an audit of the data processing operations in its N.SIS is carried out in accordance with international auditing standards at least every four years. The audit shall either be carried out by the national supervisory authority(ies), or the national supervisory authority(ies) shall directly order the audit from an independent data protection auditor. The national supervisory authority shall at all times retain control over and undertake the responsibilities of the independent auditor.

3.Member States shall ensure that their national supervisory authority has sufficient resources to fulfil the tasks entrusted to it under this Regulation.

Article 51
Supervision of the Agency

1.The European Data Protection Supervisor shall ensure that the personal data processing activities of the Agency are carried out in accordance with this Regulation. The duties and powers referred to in Articles 46 and 47 of Regulation (EC) No 45/2001 shall apply accordingly.

2.The European Data Protection Supervisor shall ensure that an audit of the Agency's personal data processing activities is carried out in accordance with international auditing standards at least every four years. A report on that audit shall be sent to the European Parliament, the Council, the Agency, the Commission and the National Supervisory Authorities. The Agency shall be given an opportunity to make comments before the report is adopted.

Article 52
Cooperation between national supervisory authorities and the European Data Protection Supervisor

1.The national supervisory authorities and the European Data Protection Supervisor, each acting within the scope of its respective competences, shall actively cooperate within the framework of their responsibilities and shall ensure coordinated supervision of SIS.

2.They shall, each acting within the scope of its respective competences, exchange relevant information, assist each other in carrying out audits and inspections, examine difficulties in the interpretation or application of this Regulation and other applicable legal acts of the Union, study problems that are revealed through the exercise of independent supervision or through the exercise of the rights of data subjects, draw up harmonised proposals for joint solutions to any problems and promote awareness of data protection rights, as necessary.

3.For the purposes laid down in paragraph 2, the national supervisory authorities and the European Data Protection Supervisor shall meet at least twice a year as part of the European Data Protection Board established by Regulation (EU) 2016/679. The costs and servicing of these meetings shall be borne by the Board established by Regulation (EU) 2016/679. Rules of procedure shall be adopted at the first meeting. Further working methods shall be developed jointly as necessary.

4.A joint report of activities as regards coordinated supervision shall be sent by the Board established by Regulation (EU) 2016/679 to the European Parliament, the Council, and the Commission every two years.

CHAPTER X

LIABILITY

Article 53
Liability

1.Each Member State shall be liable for any damage caused to a person through the use of N.SIS. This shall also apply to damage caused by the issuing Member State, where the latter entered factually inaccurate data or stored data unlawfully.

2.Where the Member State against which an action is brought is not the Member State issuing the alert, the latter shall be required to reimburse, on request, the sums paid out as compensation unless the use of data by the Member State requesting reimbursement infringes this Regulation.

3.Where any failure by a Member State to comply with its obligations under this Regulation causes damage to SIS, that Member State shall be held liable for the damage, unless and in so far as the Agency or another Member States participating in SIS failed to take reasonable steps to prevent the damage from occurring or to minimise its impact.

CHAPTER XI

FINAL PROVISIONS

Article 54
Monitoring and statistics

1.The Agency shall ensure that procedures are in place to monitor the functioning of SIS against objectives, relating to output, cost-effectiveness, security and quality of service.

2.For the purposes of technical maintenance, reporting and statistics, the Agency shall have access to the necessary information relating to the processing operations performed in Central SIS.

3.The Agency shall produce, daily, monthly and annual statistics showing the number of records per category of alert, the annual number of hits per category of alert, how many times SIS was searched and how many times SIS was accessed for the purpose of entering, updating or deleting an alert in total and for each Member State, including statistics on the consultation procedure referred to in Article 26. The statistics produced shall not contain any personal data. The annual statistical report shall be published.

4.Member States as well as Europol and the European Border and Coast Guard Agency shall provide the Agency and the Commission with the information necessary to draft the reports referred to in paragraphs 7 and 8.

5.The Agency shall provide the Member States, the Commission, Europol and the European Border and Coast Guard Agency with any statistical reports that it produces. In order to monitor the implementation of legal acts of the Union, the Commission shall be able to request the Agency to provide additional specific statistical reports, either regular or ad-hoc, on the performance or use of SIS and SIRENE communication.

6.For the purpose of paragraphs 3 to 5 of this Article and Article 15(5), the Agency shall establish, implement and host a central repository in its technical sites containing the data referred to in paragraph 3 of this Article and in Article 15(5) which shall not allow for the identification of individuals and shall allow the Commission and the agencies referred to in paragraph 5 to obtain bespoke reports and statistics. The Agency shall grant access to Member States, the Commission, Europol and the European Border and Coast Guard Agency to the central repository by means of secured access through the Communication Infrastructure with control of access and specific user profiles solely for the purpose of reporting and statistics.

Detailed rules on the operation of the central repository and the data protection and security rules applicable to the repository shall be laid down and developed by means of implementing measures adopted in accordance with the examination procedure referred to in Article 55(2).

7.Two years after SIS is brought into operation and every two years thereafter, the Agency shall submit to the European Parliament and the Council a report on the technical functioning of Central SIS and the Communication Infrastructure, including the security thereof, and the bilateral and multilateral exchange of supplementary information between Member States.

8.Three years after SIS is brought into operation and every four years thereafter, the Commission shall produce an overall evaluation of Central SIS and the bilateral and multilateral exchange of supplementary information between Member States. That overall evaluation shall include an examination of results achieved against objectives, and an assessment of the continuing validity of the underlying rationale, the application of this Regulation in respect of Central SIS, the security of Central SIS and any implications for future operations. The Commission shall transmit the evaluation to the European Parliament and the Council.

Article 55
Committee procedure

1.The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011

2.Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

Article 56

Amendments to Regulation (EU) 515/2014

Regulation (EU) 515/2014 74  is amended as follows:

In Article 6, the following paragraph 6 is inserted:

“6. During the development phase Member States shall receive an additional allocation of 36,8 million EUR to be distributed via a lump sum to their basic allocation and shall entirely devote this funding to SIS national systems to ensure their quick and effective upgrading in line with the implementation of Central SIS as required in Regulation (EU) 2018/…* and in Regulation (EU) 2018/…** 

*Regulation on the establishment, operation and use of the Schengen Information System (SIS) in the field of police and judicial cooperation for criminal matters and in Regulation (OJ…..

**Regulation (EU 2018/…on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks and in Regulation (OJ …)”

Article 57
Repeal

Regulation (EC) No 1987/2006 on the establishment, operation and use of the second generation Schengen Information System;

Commission Decision 2010/261/EU of 4 May 2010 on the Security Plan for Central SIS II and the Communication Infrastructure. 75  

Article 25 of the Convention implementing the Schengen Agreement. 76

Article 58
Entry into force and applicability

1.This Regulation shall enter into force on the 20th day following its publication in the Official Journal of the European Union.

2.It shall apply from the date fixed by the Commission after:

(a)the necessary implementing measures have been adopted;

(b)Member States have notified the Commission about that they have made the necessary technical and legal arrangements to process SIS data and exchange supplementary information pursuant to this Regulation;

(c)The Agency has notified the Commission about the completion of all testing activities with regard CS-SIS and the interaction between CS-SIS and N.SIS.

3.This Regulation shall be binding in its entirety and directly applicable to Member States in accordance with the Treaty on the Functioning of the European Union.

Done at Brussels,

LEGISLATIVE FINANCIAL STATEMENT

1.FRAMEWORK OF THE PROPOSAL/INITIATIVE

1.1.Title of the proposal/initiative

1.2.Policy area(s) concerned in the ABM/ABB structure

1.3.Nature of the proposal/initiative

1.4.Objective(s)

1.5.Grounds for the proposal/initiative

1.6.Duration and financial impact

1.7.Management mode(s) planned

2.MANAGEMENT MEASURES

2.1.Monitoring and reporting rules

2.2.Management and control system

2.3.Measures to prevent fraud and irregularities

3.ESTIMATED FINANCIAL IMPACT OF THE PROPOSAL/INITIATIVE

3.1.Heading(s) of the multiannual financial framework and expenditure budget line(s) affected

3.2.Estimated impact on expenditure 

3.2.1.Summary of estimated impact on expenditure

3.2.2.Estimated impact on operational appropriations

3.2.3.Estimated impact on appropriations of an administrative nature

3.2.4.Compatibility with the current multiannual financial framework

3.2.5.Third-party contributions

3.3.Estimated impact on revenue

LEGISLATIVE FINANCIAL STATEMENT

1.FRAMEWORK OF THE PROPOSAL/INITIATIVE

1.1.Title of the proposal/initiative

1.2.Policy area(s) concerned in the ABM/ABB structure 77  

1.3.Nature of the proposal/initiative

◻ The proposal/initiative relates to a new action 

◻ The proposal/initiative relates to a new action following a pilot project/preparatory action 78  

☑ The proposal/initiative relates to the extension of an existing action 

◻ The proposal/initiative relates to an action redirected towards a new action 

1.4.Objective(s)

1.4.1.The Commission's multiannual strategic objective(s) targeted by the proposal/initiative

1.4.2.Specific objective(s) and ABM/ABB activity(ies) concerned

1.4.3.Expected result(s) and impact

Specify the effects which the proposal/initiative should have on the beneficiaries/groups targeted.

1.4.4.Indicators of results and impact

Specify the indicators for monitoring implementation of the proposal/initiative.

1.5.Grounds for the proposal/initiative

1.5.1.Requirement(s) to be met in the short or long term

1.5.2.Added value of EU involvement

1.5.3.Lessons learned from similar experiences in the past

1.5.4.Compatibility and possible synergy with other appropriate instruments

1.6.Duration and financial impact

◻ Proposal/initiative of limited duration

–◻    Proposal/initiative in effect from [DD/MM]YYYY to [DD/MM]YYYY

–◻    Financial impact from YYYY to YYYY

☑ Proposal/initiative of unlimited duration

–Implementation with a start-up period from 2018 to 2020,

–followed by full-scale operation.

1.7.Management mode(s) planned 88  

☑ Direct management by the Commission

–☑by its departments, including by its staff in the Union delegations;

–◻    by the executive agencies

☑Shared management with the Member States

☑Indirect management by entrusting budget implementation tasks to:

–◻ third countries or the bodies they have designated;

–◻ international organisations and their agencies (to be specified);

–◻the EIB and the European Investment Fund;

–☑bodies referred to in Articles 208 and 209 of the Financial Regulation;

–◻ public law bodies;

–◻ bodies governed by private law with a public service mission to the extent that they provide adequate financial guarantees;

–◻ bodies governed by the private law of a Member State that are entrusted with the implementation of a public-private partnership and that provide adequate financial guarantees;

–◻ persons entrusted with the implementation of specific actions in the CFSP pursuant to Title V of the TEU, and identified in the relevant basic act.

–If more than one management mode is indicated, please provide details in the ‘Comments’ section.

Comments

2.MANAGEMENT MEASURES

2.1.Monitoring and reporting rules

Specify frequency and conditions.

2.2.Furthermore, eu-LISA is also now required to provide daily, monthly and annual statistics on the use of SIS, ensuring continuous monitoring of the system and its functioning against objectives.Management and control system

2.2.1.Risk(s) identified

2.2.2.Information concerning the internal control system set up

2.2.3.Estimate of the costs and benefits of the controls and assessment of the expected level of risk of error

2.3.Measures to prevent fraud and irregularities

Specify existing or envisaged prevention and protection measures.

3.ESTIMATED FINANCIAL IMPACT OF THE PROPOSAL/INITIATIVE

3.1.Heading(s) of the multiannual financial framework and expenditure budget line(s) affected

Existing budget lines

In order of multiannual financial framework headings and budget lines.

3.2.Estimated impact on expenditure

3.2.1.Summary of estimated impact on expenditure

EUR million (to three decimal places)

3.2.2.Estimated impact on operational appropriations

If more than one heading is affected by the proposal / initiative:

3.2.3.Estimated impact on appropriations of an administrrative nature

EUR million (to three decimal places)

EUR million (to three decimal places)

3.2.3.1.Estimated impact on eu-LISA's operational appropriations

–◻    The proposal/initiative does not require the use of operational appropriations

–☑    The proposal/initiative requires the use of operational appropriations, as explained below:

Commitment appropriations in EUR million (to three decimal places)

3.2.3.2.Estimated impact on DG HOME appropriations

–◻    The proposal/initiative does not require the use of operational appropriations

–☑    The proposal/initiative requires the use of operational appropriations, as explained below:

3.2.3.3.Estimated impact on eu-LISA's human resources - Summary

–◻    The proposal/initiative does not require the use of appropriations of an administrative nature

–☑    The proposal/initiative requires the use of appropriations of an administrative nature, as explained below:

EUR million (to three decimal places)

Recruitment is planned for January 2018. All staff must be available as of early 2018 in order to allow starting the development in due time with a view of ensuring an entry into operations of SIS II Recast in 2020. The 3 new Contractual Agents (CAs) are needed to cover needs both for the project implementation as well as for operational support and maintenance after deployment to production. These resources will be used to:

Support the project implementation as project team members, including activities as: the definition of requiremnets and technical specifications, cooperation and support to Member States during the implementation; updates of the Interface Control Document (ICD), the follow-up of the contractual deliveries, documentation delivery and updates, etc.

Support transition activities for putting the system into operations in cooperation with the contractor (releases follow-up, operational process updates, trainings (including Member States training activities), etc.

Support the longer-term activities, definition of specifications, contractual preparations in case there is reengineering of the system (e.g. due to image recognition) or in case the new SIS II Maintenance in Working Order (MWO) contract will need to be amended to cover additional changes (from technical and budgetary perspective)

Enforce the second level support following Entry into Operation (EiO), during continuous maintenance and operations

It has to be noted that the three new resources (FTE CA) will act on top of the internal teams resources which will be as well dedicated to the project/contractual and financial follow-up/operational activities. The use of CAs will provide adequate duration and continuity of the contracts to ensure business continuity and use of the same specialised people for operational support activities after the project conclusion. On top of that, the operational support activities require accesses to Production environment that cannot be asigned to contractors or external staff.

3.2.3.4.Estimated requirements of human resources

–◻    The proposal/initiative does not require the use of human resources.

–◻    The proposal/initiative requires the use of human resources, as explained below:

Estimate to be expressed in full time equivalent units

XX is the policy area or budget title concerned.

The human resources required will be met by staff from the DG who are already assigned to management of the action and/or have been redeployed within the DG, together if necessary with any additional allocation which may be granted to the managing DG under the annual allocation procedure and in the light of budgetary constraints.

Description of tasks to be carried out:

3.2.4.Compatibility with the current multiannual financial framework

–◻    The proposal/initiative is compatible the current multiannual financial framework.

–☑    The proposal/initiative will entail reprogramming of the relevant heading in the multiannual financial framework.

–◻    The proposal/initiative requires application of the flexibility instrument or revision of the multiannual financial framework.

3.2.5.Third-party contributions

–☑ The proposal/initiative does not provide for co-financing by third parties.

–The proposal/initiative provides for the co-financing estimated below:

Appropriations in EUR million (to three decimal places)

3.3.Estimated impact on revenue

–◻    The proposal/initiative has no financial impact on revenue.

–☑    The proposal/initiative has the following financial impact:

–◻    on own resources

–☑    on miscellaneous revenue

EUR million (to three decimal places)

For miscellaneous ‘assigned’ revenue, specify the budget expenditure line(s) affected.

Specify the method for calculating the impact on revenue.

(1) Report to the European Parliament and Council on the evaluation of the second generation Schengen Information System (SIS II) in accordance with Art. 24 (5), 43 (3) and 50 (5) of Regulation (EC) No 1987/2006 and Art. 59 (3) and 66(5) of Decision 2007/533/JHA and an accompanying Staff Working Document. (OJ…).

(2) Directive 2008/115/EC of the European Parliament and of the Council of 16 December 2008 on common standards and procedures in Member States for returning illegally staying third-country nationals (OJ L 348, 24.12.2008, p. 98).

(3) COM(2016) 205 final of 6.4.2016.

(4) Commission Decision 2016/C 257/03 of 17.6.2016.

(5) Regulation (EU) No 1077/2011 of the European Parliament and of the Council of 25 October 2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (OJ L 286, 1.11.2011, p.1).

(6) Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (OJ L 381, 28.12.2006, p. 4).

(7) Please see Section 2 'Choice of the instrument' for explanation as to why a replacement rather than a recast of the current legislation was pursued.

(8) Report to the European Parliament and Council on the evaluation of the second generation Schengen Information System (SIS II) in accordance with Art. 24 (5), 43 (3) and 50 (5) of Regulation (EC) No 1987/2006 and Art. 59 (3) and 66(5) of Decision 2007/533/JHA and an accompanying Staff Working Document. (OJ…).

(9) High Level Expert Group - Chairman's Report of 21 December 2016.

(10) Please see Section 5 'Other elements' for detailed explanation of the changes included in this proposal

(11) COM(2015) 453 final.

(12) COM(2015) 240 final.

(13) COM(2016) 731 final.

(14) Council Decision of 29 June 2010 on the application of the provisions of the Schengen acquis relating to the Schengen Information System in the Republic of Bulgaria and Romania (OJ L 166, 1.7.2010, p. 17).

(15) Established by Regulation (EU) No 1077/2011 of the European Parliament and of the Council of 25 October 2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (OJ L 286, 1.11.2011, p.1).

(16) Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (OJ L 205, 7.8.2007, p. 63).

(17) Report to the European Parliament and Council on the evaluation of the second generation Schengen Information System (SIS II) in accordance with Art. 24 (5), 43 (3) and 50 (5) of Regulation (EC) No 1987/2006 and Art. 59 (3) and 66(5) of Decision 2007/533/JHA and an accompanying Staff Working Document. 

(18) COM(2014) 199 final.

(19) European Commission FINAL REPORT — SIS II technical assessment.

(20) European Commission FINAL REPORT — ICT Impact Assessment of Possible Improvements to the SIS II Architecture 2016.

(21) European Commission FINAL REPORT — ICT Impact Assessment of the technical improvements to the SIS II architecture – Final Report",10 November 2016, (Wavestone).

(22) Study on the feasibility and implications of setting up within the framework of the SIS and EU-wide system for exchanging data on and monitoring compliance with return decisions, 4 April 2015, PwC.

(23) Commission Implementing Decision (EU) 2015/219 of 29 January 2015 replacing the Annex to Implementing Decision 2013/115/EU on the SIRENE Manual and other implementing measures for the second generation Schengen Information System (SIS II) (OJ L 44, 18.2.2015, p. 75).

(24) Commission recommendation establishing a catalogue of recommendations and best practices for the correct application of the second generation Schengen Information System (SIS II) and the exchange of supplementary information by the competent authorities of the Member States implementing and using SIS II (C(2015)9169/1).

(25) Regulation (EU) No. 1053/2013 of 7 October 2013 establishing an evaluation and monitoring mechanism to verify the application of the Schengen acquis and repealing the Decision of the Executive Committee of 16 September 1998 setting up a Standing Committee on the evaluation and implementation of Schengen (OJ L 295, 6.11,2013, p.27).

(26) Charter of Fundamental Rights of the European Union (2012/C 326/02). 

(27) Wavestone "ICT Impact Assessment of the technical improvements to the SIS II architecture – Final Report", 10 November 2016, Scenario 3 Distinct N. SIS II Implementation.

(28) Regulation (EU) No 515/2014 of the European Parliament and of the Council of 16 April 2014 establishing, as part of the Internal Security Fund, the instrument for financial support for external borders and visa (OJ L 150, 20.5.2014, p. 143).

(29) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data (OJ L 119, 4.5.2016, p.89).

(30) COM (2016)731 final.

(31) The ETIAS Central Unit is granted access to Articles 24 and 27 of this Regulation.

(32) COM (2016)…

(33) Council Framework Decision 2002/475/JHA of 13 June 2002 on combating terrorism (OJ L 164, 22.6.2002, p. 3).

(34) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation (OJ L 119, 4.5.2016, p. 1).

(35) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data (OJ L 119, 4.5.2016, p.89).

(36) OJ L 239, 22.9.2000, p. 19 . Convention as amended by Regulation (EC) No 1160/2005 of the European Parliament and of the Council ( OJ L 191, 22.7.2005, p. 18 ).

(37) OJ L 328, 13.12.2001, p. 4 .

(38) Council Decision 2001/886/JHA of 6 December 2001 on the development of the second generation Schengen Information System (SIS II ) ( OJ L 328, 13.12.2001, p. 1 ).

(39) Regulation (EC) No 1987/2006 of 20 December 2006 of the European Parliament and of the Council on the establishment, operation and use of the second generation Schengen Information system (SIS II) (OJ L181, 28.12.2006, p. 4).

(40) Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second generation Schengen Information system (SIS II) (OJ L 205, 7.8.2007, p.63).

(41) Report to the European Parliament and Council on the evaluation of the second generation Schengen Information System (SIS II) in accordance with Art. 24 (5), 43 (3) and 50 (5) of Regulation (EC) No 1987/2006 and Art. 59 (3) and 66(5) of Decision 2007/533/JHA and an accompanying Staff Working Document. 

(42) Regulation (EU) 2018/…

(43) Established by Regulation (EU) No 1077/2011 of the European Parliament and of the Council of 25 October 2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (OJ L 286, 1.11.2011, p.1).

(44) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016 (OJ L 119, 4.5.2016, p. 89).

(45) Council Framework Decision (2002/584/JHA) of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States (0J L 190, 18.07.2002, p. 1).

(46) Council Framework Decision 2002/475/JHA of 13 June 2002 on combating terrorism (OJ L 164, 22.6.2002, p. 3).

(47) Directive 2008/115/EC of the European Parliament and of the Council of 16 December 2008 on common standards and procedures in Member States for returning illegally staying third-country nationals (OJ L 348, 24.12.2008, p. 98).

(48) Directive 2004/38/EC of the European Parliament and of the Council of 29 April 2004 on the right of citizens of the Union and their family members to move and reside freely within the territory of the Member States (OJ L 158, 30.4.2004, p.77).

(49) Council Framework Decision 2002/475/JHA of 13 June 2002 on combating terrorism (OJ L 164, 22.6.2002, p. 3).

(50) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation (OJ L 119, 4.5.2016, p. 1).

(51) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data (OJ L 119, 4.5.2016, p.89).

(52) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p.1).

(53) Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 25.5.2016, p. 53).

(54) Regulation (EU) 2016/1624 of the European Parliament and of the Council of 14 September 2016 on the European Border and Coast Guard and amending Regulation (EU) 2016/399 of the European Parliament and of the Council and repealing Regulation (EC) No 863/2007 of the European Parliament and of the Council, Council Regulation (EC) No 2007/2004 and Council Decision 2005/267/EC (OJ L 251 of 16.9.2016, p. 1).

(55) COM (2016)731 final.

(56) Regulation (EU) No182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p. 13). 

(57) OJ L 131, 1.6.2000, p. 43.

(58) OJ L 64, 7.3.2002, p.20.

(59) OJ L 176, 10.7.1999, p.36.

(60) OJ L 176, 10.7.1999, p.31.

(61) Council Decision 2004/849/EC of 25 October 2004 on the signing, on behalf of the European Union, and on the provisional application of certain provisions of the Agreement between the European Union, the European Community and the Swiss Confederation concerning the Swiss Confederation's association with the implementation, application and development of the Schengen acquis ( OJ L 368, 15.12.2004, p. 26 ).

(62) Council Decision 2004/860/EC of 25 October 2004 on the signing, on behalf of the European Community, and on the provisional application of certain provisions of the Agreement between the European Union, the European Community and the Swiss Confederation, concerning the Swiss Confederation's association with the implementation, application and development of the Schengen acquis ( OJ L 370, 17.12.2004, p. 78 ).

(63) OJ L 160, 18.6.2011, p. 21.

(64) Council Decision 2011/349/EU of 7 March 2011 on the conclusion on behalf of the European Union of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis, relating in particular to judicial cooperation in criminal matters and police cooperation (OJ L 160, 18.6.2011, p. 1).

(65) Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis, relating to the abolition of checks at internal borders and movement of persons (OJ L 160, 18.6.2011, p. 19).

(66) OJ L 166, 1.7.2010, p. 17.

(67) Regulation (EU) No 515/2014 of the European Parliament and of the Council of 16 April 2014 establishing, as part of the Internal Security Fund, the instrument for financial support for external borders and visa (OJ L 150, 20.5.2014, p. 143).

(68) Council Framework Decision (2002/584/JHA) of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States (0J L 190, 18.07.2002, p. 1).

(69) Council Framework Decision 2002/475/JHA of 13 June 2002 on combating terrorism (OJ L 164, 22.6.2002, p. 3).

(70) Established by Regulation (EU) No 1077/2011 of the European Parliament and of the Council of 25 October 2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (OJ L 286, 1.11.2011, p.1).

(71) Council Framework Decision 2002/475/JHA of 13 June 2002 on combating terrorism (OJ L 164, 22.6.2002, p. 3).

(72) OJ L 158, 30.4.2004, p.77.

(73) Regulation (EC) No 810/2009 of the European Parliament and of the Council of 13 July 2009 establishing a Community Code on Visas (Visa Code) (OJ L 243, 15.9.2009, p. 1).

(74) Regulation (EU) No 515/2014 of the European Parliament and of the Council of 16 April 2014 establishing, as part of the Internal Security Fund, the instrument for financial support for external borders and visa (OJ L 150, 20.5.2014, p. 143).

(75) Commission Decision 2010/261/EU of 4 May 2010 on the Security Plan for Central SIS II and the Communication Infrastructure (OJ L 112, 5.5.2010, p.31).

(76) OJ L 239, 22.9.2000, p. 19.

(77) ABM: activity-based management; ABB: activity-based budgeting.

(78) As referred to in Article 54(2)(a) or (b) of the Financial Regulation.

(79) COM(2015) 240 final.

(80) COM(2015) 185 final.

(81) COM(2015) 285 final.

(82) COM(2016) 205 final.

(83) Ares(2016)2231546 – 12/05/2016.

(84) COM(2016) 205 final.

(85) COM(2015) 240 final.

(86) Regulation (EU) 2016/1624 of the European Parliament and of the Council of 14 September 2016 on the European Border and Coast Guard and amending Regulation (EU) 2016/399 of the European Parliament and of the Council and repealing Regulation (EC) No863/2007 of the European Parliament and of the Council, Council Regulation (EC) No 2007/2004 and Council Decision 2005/267/EC (OJ L 251 of 16.9.2016, p. 1).

(87) Proposal for a Regulation of the European Parliament and of the Council establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third country nationals crossing the external Borders of the Member States of the European Union and determining the conditions for access to the EES for law enforcement purposes and amending Regulation (EC) No 767/2008 and amending Regulation (EU) No 1077/2011 (COM(2016) 194 final).

(88) Details of management modes and references to the Financial Regulation may be found on the BudgWeb site: http://www.cc.cec/budg/man/budgmanag/budgmanag_en.html

(89) Diff. = Differentiated appropriations / Non-diff. = Non-differentiated appropriations.

(90) EFTA: European Free Trade Association.

(91) Candidate countries and, where applicable, potential candidate countries from the Western Balkans.

(92) Year N is the year in which implementation of the proposal/initiative starts.

(93) Outputs are products and services to be supplied (e.g.: number of student exchanges financed, number of km of roads built, etc.).

(94) As described in point 1.4.2. ‘Specific objective(s)…’. 

(95) Outputs are products and services to be supplied (e.g.: number of student exchanges financed, number of km of roads built, etc.).

(96) As described in point 1.4.2. ‘Specific objective(s)…’. 

(97) AC= Contract Staff; AL = Local Staff; END= Seconded National Expert; INT = agency staff; JED= Junior Experts in Delegations.

(98) Sub-ceiling for external staff covered by operational appropriations (former ‘BA’ lines).

(99) As regards traditional own resources (customs duties, sugar levies), the amounts indicated must be net amounts, i.e. gross amounts after deduction of 25 % for collection costs.