1.   The purpose of the VIS is to improve the implementation of the common visa policy for short stays, consular cooperation and consultation between visa authorities by facilitating the exchange of data between Member States on applications and on the decisions relating thereto, in order to:

2.   As regards long-stay visas and residence permits, the VIS shall have the purpose of facilitating the exchange of data between Member States on the applications and decisions related thereto, in order to:

1.   The VIS shall be based on a centralised architecture and shall consist of:

The VIS Central System, the NUIs, the web service, the carrier gateway and the VIS communication infrastructure shall share and re-use as much as technically possible the hardware and software components of, respectively, the EES Central System, the EES national uniform interfaces, the ETIAS carrier gateway, the EES web service and the EES communication infrastructure.

2.   There shall be at least two NUIs as referred to in point (c) of paragraph 1 for each Member State, which shall provide the physical connection between Member States and the physical network of the VIS. The connection through the communication infrastructure referred to in point (d) of paragraph 1 shall be encrypted. The NUIs shall be located at Member State premises. The NUIs shall be used exclusively for purposes established by Union legislative acts.

3.   The VIS Central System shall perform technical supervision and administration functions and have a backup VIS Central System, capable of ensuring all functionalities of the VIS Central System in the event of failure of that system. The VIS Central System shall be located in Strasbourg (France) and the backup VIS Central System shall be located in Sankt Johann im Pongau (Austria).

4.   The communication infrastructure shall support and contribute to ensuring the uninterrupted availability of the VIS. It shall include redundancies for the connections between the VIS Central System and the backup VIS Central System and redundancies for the connections between each NUI on the one hand and the VIS Central System and the backup VIS Central System on the other hand. The communication infrastructure shall provide an encrypted virtual private network dedicated to VIS data and to communication among Member States and between Member States and eu-LISA.

5.   eu-LISA shall implement technical solutions to ensure the uninterrupted availability of the VIS either through the simultaneous operation of the VIS Central System and the backup VIS Central System, provided that the backup VIS Central System remains capable of ensuring the operation of the VIS in the event of a failure of the VIS Central System, or through duplication of the system or its components.

1.   Only the following categories of data shall be recorded in the VIS:

1a.   The CIR shall contain the data referred to in points (4)(a) to (ca) and points (5) and (6) of Article 9 and in points (d) to (g), (j) and (k) of Article 22a(1). The remaining VIS data shall be stored in the VIS Central System.

1b.   Verification and identification in the VIS by means of a facial image shall be possible only against facial images recorded in the VIS with an indication that the facial image was taken live upon submission of the application, in accordance with point (5) of Article 9 and point (j) of Article 22a(1).

2.   Without prejudice to the recording of data processing operations pursuant to Article 34, the messages transmitted by the VISMail in accordance with Article 16, Article 24(2) and Article 25(2) shall not be recorded in the VIS.

1.   The list of travel documents which entitle the holder to cross the external borders and which may be endorsed with a visa, as set out in Decision No 1105/2011/EU of the European Parliament and of the Council (*), shall be integrated in the VIS.

2.   The VIS shall provide the functionality for the centralised management of the list of recognised travel documents and of the notification of the recognition or non-recognition of the listed travel documents pursuant to Article 4 of Decision No 1105/2011/EU.

3.   The Commission shall adopt implementing acts to lay down detailed rules on managing the functionality referred to in paragraph 2 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 49(2).

1.   Access to the VIS for entering, amending or erasing the data referred to in Article 5(1) shall be reserved exclusively to the duly authorised staff of the visa authorities and to the authorities competent to collect or decide on an application for a long-stay visa or residence permit in accordance with Article 22a to 22f. The number of duly authorised members of staff shall be limited by the actual needs of their service.

2.   Access to the VIS to consult the data shall be reserved exclusively for the duly authorised staff of the national authorities of each Member State and of the Union bodies which are competent for the purposes of Articles 15 to 22, Articles 22g to 22m and Article 45e of this Regulation, as well as for the purposes laid down in Articles 20 and 21 of Regulation (EU) 2019/817.

Such access shall be limited to the extent that the data are required for the performance of the tasks of those authorities and Union bodies in accordance with those purposes, and proportionate to the objectives pursued.

2a.   By way of derogation from the provisions on the use of data provided for in Chapters II, III and IIIa, fingerprint data and facial images of children shall only be used to search the VIS and, in the case of a hit, shall only be accessed to verify the child’s identity:

Where the search with alphanumerical data cannot be performed due to the lack of a travel document, the fingerprint data of children may also be used to search the VIS in the asylum procedure in accordance with Article 21, 22, 22j or 22k.

2b.   By way of derogation from the provisions on the use of data provided for in Article 22h, in the case of persons who have held valid residence permits recorded in the VIS for a period of 10 years or more without interruption, the authorities competent for carrying out checks within the territory of the Member States shall only have access to the VIS to consult the data referred to in points (d), (e) and (f) of Article 22c and the status information of the residence permit.

2c.   By way of derogation from the provisions on the use of data provided for in Article 22i, in the case of persons who have held valid residence permits recorded in the VIS for a period of 10 years or more without interruption, the authorities competent for carrying out checks within the territory of the Member States shall only have access to the VIS to consult the data referred to in points (d), (e) and (f) of Article 22c and the status information of the residence permit. Where the person does not present a valid travel document or where there are doubts as to the authenticity of the travel document presented or where the verification pursuant to Article 22h has failed, the competent authorities shall also have access the VIS to consult the data referred to in points (d) to (g) and (i) of Article 22a(1).

2d.   By way of derogation from the provisions on the use of data provided for in Articles 22j and 22k, the competent asylum authorities shall not have access to VIS data of persons who have held valid residence permits recorded in the VIS in accordance with Chapter IIIa for a period of 10 years or more without interruption.

2e.   By way of derogation from the provisions on the use of data provided for in Chapter IIIb, the Member States’ designated authorities and Europol shall not have access to VIS data of persons who have held valid residence permits recorded in the VIS in accordance with Chapter IIIa for a period of 10 years or more without interruption.

2f.   By way of derogation from the provisions on the use of data provided for in Articles 45e and 45f, the members of the European Border and Coast Guard teams, with the exception of border management teams, shall not have access to VIS data of persons who have held valid residence permits recorded in the VIS in accordance with Chapter IIIa for a period of 10 years or more without interruption.

3.   Each Member State shall designate the competent authorities the duly authorised staff of which shall have access to the VIS to enter, amend, erase or consult VIS data. Each Member State shall without delay communicate a list of those authorities to the Commission and eu-LISA, in accordance with Article 45b. The list shall specify the purpose for which each authority may process VIS data. Each Member State may at any time amend or replace the list which it communicated and shall inform the Commission and eu-LISA accordingly.

The authorities entitled to consult or access the VIS for the purposes of prevention, detection and investigation of terrorist offences or other serious criminal offences shall be designated in accordance with Chapter IIIb.

4.   In addition to the communications mentioned in paragraph 3, each Member State shall communicate to eu-LISA without delay a list of the operating units of the national competent authorities having access to the VIS for the purposes of this Regulation. The list shall specify the purpose for which each operating unit is to have access to VIS data. The VIS shall provide the functionality for the centralised management of those lists.

5.   The Commission shall adopt implementing acts to lay down the detailed rules on managing the functionality for the centralised management of the list in paragraph 3 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 49(2).

1.   The application files shall be processed automatically by the VIS to identify hits in accordance with this Article. The VIS shall examine each application file individually.

2.   When an application file is created, the VIS shall check whether the travel document related to that application is recognised in accordance with Decision No 1105/2011/EU, by performing an automatic search against the list of recognised travel documents referred to in Article 5a of this Regulation, and shall return a result. If the search shows that the travel document is not recognised by one or more Member States, Article 25(3) of Regulation (EC) No 810/2009 shall apply where a visa is issued.

3.   For the purposes of the verifications provided for in Article 21(1), points (a), (c) and (d) of Article 21(3) and Article 21(4) of Regulation (EC) No 810/2009 and for the purposes of the objective referred to in point (k) of Article 2(1) of this Regulation, the VIS shall launch a query by using the ESP to compare the relevant data referred to in points (4), (5) and (6) of Article 9 of this Regulation with the data present in a record, file or alert registered in:

The comparison shall be made with both alphanumeric and biometric data, unless the information system or database queried contains only one of those data categories.

4.   In particular, the VIS shall verify:

5.   SIS alerts in respect of missing persons or vulnerable persons, persons sought to assist with a judicial procedure and persons or objects for discreet checks, inquiry checks or specific checks shall be queried only for the purposes of the objective referred to in point (k) of Article 2(1).

6.   As regards Interpol SLTD and Interpol TDAWN, any queries or verification shall be performed in such a way that no information shall be revealed to the owner of the Interpol alert. If the requirement provided for in this paragraph is not fulfilled, the VIS shall not query Interpol databases.

7.   As regards Europol data, the automated processing shall receive the appropriate notification in accordance with Article 21(1b) of Regulation (EU) 2016/794.

8.   A hit shall be triggered where all or some of the data from the application file used for the query correspond fully or partially to the data present in a record, alert or file of the information systems or databases referred to in paragraph 3. The manual referred to in Article 9h(2) shall define partial correspondence, including a degree of probability to limit the number of false hits.

9.   Where the automatic comparison referred to in paragraph 3 reports a hit related to point (a)(i), (ii) and (iii), point (b), point (c)(i), point (d) and point (g)(i) of paragraph 4, the VIS shall add a reference in the application file to any hit and, where relevant, the Member States that entered or supplied the data having triggered the hit.

10.   Where the automatic comparison referred to in paragraph 3 reports a hit related to point (a)(iv), point (c)(ii), points (e) and (f) and point (g)(ii) of paragraph 4, the VIS shall only indicate in the application file that further verification is needed.

In the event of hits pursuant to point (a)(iv), points (e) and (f) and point (g)(ii) of paragraph 4, the VIS shall send an automated notification regarding such hits to the VIS designated authority of the Member State processing the application. Such automated notification shall contain the data recorded in the application file in accordance with points (4), (5) and (6) of Article 9.

In the event of hits pursuant to point (c)(ii) of paragraph 4, the VIS shall send an automated notification regarding such hits to the ETIAS National Unit of the Member State that entered the data or, if the data was entered by Europol, to the ETIAS National Unit of the Member States processing the application. That automated notification shall contain the data recorded in the application file in accordance with point (4) of Article 9.

11.   Where the automatic comparison referred to in paragraph 3 reports a hit related to point (a)(v), (vi) and (vii) of paragraph 4, the VIS shall neither record the hit in the application file nor indicate in the application file that further verification is needed.

12.   The unique reference number of the data record having triggered a hit shall be kept in the application file for the purpose of the keeping of logs, reporting and statistics in accordance with Articles 34 and 45a.

13.   The VIS shall compare the relevant data referred to in point (4)(a), (aa), (g), (h), (j), (k) and (l) of Article 9 to the specific risk indicators referred to in Article 9j.

1.   As regards a third-country national who is a family member of a Union citizen to whom Directive 2004/38/EC applies or of a third-country national enjoying the right of free movement equivalent to that of Union citizens under an agreement between the Union and its Member States, on the one hand, and a third country, on the other, the automated queries pursuant to Article 9a(3) shall be carried out solely for the purpose of checking that there are no factual indications or reasonable grounds based on factual indications to conclude that the presence of that third-country national on the territory of the Member States poses a risk to security or high epidemic risk in accordance with Directive 2004/38/EC.

2.   The VIS shall not verify:

3.   Where the automated processing pursuant to Article 9a(3) of this Regulation has reported a hit corresponding to an alert for refusal of entry and stay as referred to in Article 24 of Regulation (EU) 2018/1861, the visa authority shall verify the ground for the decision following which this alert was entered in the SIS. If that ground is related to an illegal immigration risk, the alert shall not be taken into consideration for the assessment of the application. The visa authority shall proceed in accordance with Article 26(2) of Regulation (EU) 2018/1861.

4.   The specific risk indicators based on illegal immigration risks determined pursuant to Article 9j shall not apply.

1.   Any hit pursuant to Article 9a(9) shall be manually verified by the competent visa authority of the Member State processing the visa application.

2.   For the purposes of manual verification under paragraph 1 of this Article, the competent visa authority shall have access to the application file and any linked application files, as well as to the hits triggered during the automated processing pursuant to Article 9a(9).

The competent visa authority shall also have temporary access to data in the SIS, the EES, the ETIAS, Eurodac or Interpol SLTD that triggered the hit for the duration of the verifications referred to in this Article and the examination of the visa application and in the event of an appeal procedure. Such temporary access shall be in accordance with the legal instruments governing the SIS, the EES, the ETIAS, Eurodac and Interpol SLTD.

3.   The competent visa authority shall verify whether the identity of the applicant recorded in the application file corresponds to the data in any of the information systems or databases queried.

4.   Where the personal data in the application file correspond to the data stored in the relevant information system or database, the hit shall be taken into account in the examination of the visa application pursuant to Article 21 of Regulation (EC) No 810/2009.

5.   Where the personal data in the application file do not correspond to the data stored in the relevant information system or database, the competent visa authority shall erase the false hit from the application file.

6.   Where automatic comparison pursuant to Article 9a(13) of this Regulation reports a hit, the competent visa authority shall assess the security, illegal immigration or high epidemic risk and shall take it into account in the examination of a visa application pursuant to Article 21 of Regulation (EC) No 810/2009. The competent visa authority shall in no circumstances take a decision automatically on the basis of a hit based on specific risk indicators. The competent visa authority shall individually assess the security, illegal immigration and high epidemic risks in all cases.

1.   Each Member State shall designate an authority (the “VIS designated authority”) for the purposes of the manual verification and follow-up action with regard to hits pursuant to points (a)(iv) to (vii), points (e) and (f) and point (g)(ii) of Article 9a(4). Member States may designate more than one authority as the VIS designated authority. Member States shall notify the Commission and eu-LISA of the VIS designated authority.

Where Member States choose to designate the SIRENE Bureau as the VIS designated authority, they shall allocate sufficient additional resources to enable the SIRENE Bureau to fulfil the tasks entrusted to the VIS designated authority under this Regulation.

2.   The VIS designated authority shall be operational at least during regular working hours. It shall have temporary access to the data recorded in the application file and the data in the SIS, ECRIS-TCN, Europol data or Interpol TDAWN that triggered the hit, for the duration of the verification referred to in this Article and in Article 9g.

3.   The VIS designated authority shall verify, within two working days from the notification sent by the VIS, whether the identity of the applicant recorded in the application file corresponds to the data present in one of the information systems or databases queried.

4.   Where the personal data in the application file do not correspond to the data stored in the relevant information system or database, the VIS designated authority shall erase the indication in the application file that further verification is needed.

1.   The ETIAS National Unit of the Member State which entered the data in the ETIAS watchlist or, if the data was entered by Europol, the ETIAS National Unit of the Member State processing the application shall manually verify and carry out follow-up action with regard to hits pursuant to point (c)(ii) of Article 9a(4).

2.   The relevant ETIAS National Unit shall verify, within two working days from the notification sent by the VIS, whether the data recorded in the application file corresponds to the data in the ETIAS watchlist.

3.   Where the data in the application file corresponds to the data in the ETIAS watchlist, the ETIAS National Unit shall provide a reasoned opinion to the central visa authority of the Member State processing the visa application on whether the applicant poses a risk to public security, which shall be taken into account in the examination of the visa application pursuant to Article 21 of Regulation (EC) No 810/2009.

4.   Where the data was entered into the ETIAS watchlist by Europol, the ETIAS National Unit of the Member State processing the application shall, for the purpose of drafting its reasoned opinion, request without delay the opinion of Europol. For that purpose, the ETIAS National Unit shall send the data recorded in the application file in accordance with point (4) of Article 9 to Europol. Europol shall reply within 60 hours of the date of the request. Where Europol does not reply within that deadline, there shall be deemed to be no grounds for objecting to the issuing of the visa.

5.   The ETIAS National Unit shall send the reasoned opinion to the central visa authority within seven calendar days from the notification sent by the VIS. Where the ETIAS National Unit sends no reasoned opinion within that deadline, there shall be deemed to be no grounds for objecting to the issuing of the visa.

6.   The reasoned opinion shall be recorded in the application file in a manner that renders it accessible only to the central visa authority of the Member State processing the visa application.

7.   Where the data in the application file do not correspond to the data in the ETIAS watchlist, the ETIAS National Unit shall inform the central visa authority of the Member State processing the visa application which shall erase the record of further verification being needed from the application file.

1.   In the event of hits pursuant to point (a)(iii) to (vii) of Article 9a(4), and after manual verification, the competent visa authority or the VIS designated authority shall notify such hits to the SIRENE Bureau of the Member State processing the application.

2.   In the event of hits pursuant to point (a)(iii) of Article 9a(4), the SIRENE Bureau of the Member State processing the application shall:

3.   In the event of hits pursuant to point (a)(iv) to (vii) of Article 9a(4) of this Regulation, the SIRENE Bureau of the Member State processing the application shall take any appropriate follow-up action in accordance with Regulation (EU) 2018/1862.

1.   In the event of verified hits pursuant to point (e) or (f) or point (g)(ii) of Article 9a(4), the VIS designated authority shall, if necessary, take any appropriate follow-up action. For that purpose, it shall consult, where appropriate, the Interpol National Central Bureau of the Member State processing the application, Europol or the central authority of the convicting Member State designated in accordance with Article 3(1) of Council Framework Decision 2009/315/JHA (*).

2.   The VIS designated authority shall provide a reasoned opinion on whether the applicant poses a threat to public security to the central visa authority of the Member State processing the visa application, which shall be taken it into account in the examination of the visa application pursuant to Article 21 of Regulation (EC) No 810/2009.

3.   In the event of verified hits pursuant to point (e) of Article 9a(4) of this Regulation, where the conviction was handed down prior to the start of operations of ECRIS-TCN in accordance with Article 35(4) of Regulation (EU) 2019/816, the VIS designated authority shall, in the reasoned opinion referred to in paragraph 2 of this Article, not take account of convictions for terrorist offences handed down more than 25 years before the date of the visa application or of convictions for other serious criminal offences handed down more than 15 years before the date of the visa application.

4.   Where a hit manually verified by the VIS designated authority concerns the Europol data referred to in point (f) of Article 9a(4), the VIS designated authority shall request without delay the opinion of Europol in order to carry out its task as referred to in paragraph 2 of this Article. For that purpose, the VIS designated authority shall send the data recorded in the application file in accordance with points (4), (5) and (6) of Article 9 to Europol. Europol shall reply within 60 hours of the date of the request. Where Europol does not reply within that deadline, there shall be deemed to be no grounds for objecting to the issuing of the visa.

5.   In the event of verified hits pursuant to point (a)(iv) of Article 9a(4) of this Regulation and after consulting the SIRENE bureau of the Member State issuing the alert, the VIS designated authority of the Member State processing the application shall provide a reasoned opinion on whether the applicant poses a threat to public security to the central visa authority processing the visa application, which shall be taken into account in the examination of the visa application pursuant to Article 21 of Regulation (EC) No 810/2009.

6.   The reasoned opinion shall be recorded in the application file in a manner that renders it accessible only to the VIS designated authority referred to in Article 9d of the Member State processing the application and to the central visa authority of the same Member State.

7.   The VIS designated authority shall send the reasoned opinion to the central visa authority within seven calendar days from the notification sent by the VIS. In the event of verified hits pursuant to point (e) of Article 9a(4), the deadline for sending the reasoned opinion shall be 10 calendar days. Where the VIS designated authority sends no such reasoned opinion within that deadline, there shall be deemed to be no grounds for objecting to the issuing of the visa.

1.   For the purpose of implementing Articles 9a to 9g, eu-LISA shall, in cooperation with the Member States and Europol, establish appropriate channels for the notifications and exchange of information referred to in those Articles.

2.   The Commission shall adopt a delegated act in accordance with Article 48a to lay down in a manual the procedures and rules necessary for queries, verifications and assessments.

1.   The specific risk indicators shall be applied as an algorithm enabling profiling as defined in point (4) of Article 4 of Regulation (EU) 2016/679 through the comparison in accordance with Article 9a(13) of this Regulation of the data recorded in an application file of the VIS with specific risk indicators established by the ETIAS Central Unit under paragraph 4 of this Article pointing to security, illegal immigration or high epidemic risks. The ETIAS Central Unit shall enter the specific risk indicators in the VIS.

2.   The Commission shall adopt a delegated act in accordance with Article 48a to further define the risks related to security or illegal immigration or a high epidemic risk on the basis of:

3.   The Commission shall adopt an implementing act to specify the risks, as defined in this Regulation and in the delegated act referred to in paragraph 2 of this Article, on which the specific risks indicators referred to in paragraph 4 of this Article are to be based. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 49(2).

The specific risks referred to in the first subparagraph of this paragraph shall be reviewed at least every six months and, where necessary, a new implementing act shall be adopted by the Commission in accordance with the examination procedure referred to in Article 49(2).

4.   Based on the specific risks determined in accordance with paragraph 3, the ETIAS Central Unit shall establish a set of specific risk indicators consisting of a combination of data including one or several of the following:

5.   The specific risk indicators shall be targeted and proportionate. They shall, in no circumstances, be based solely on a person’s sex or age or on information revealing a person’s colour, race, ethnic or social origin, genetic features, language, political or any other opinion, religion or philosophical belief, trade union membership, membership of a national minority, property, birth, disability or sexual orientation.

6.   The specific risk indicators shall be defined, established, assessed ex ante, implemented, evaluated ex post, revised and deleted by the ETIAS Central Unit after consulting the VIS Screening Board.

1.   A VIS Screening Board with an advisory function is hereby established within the European Border and Coast Guard Agency. It shall be composed of a representative of the central visa authority of each Member State, of the European Border and Coast Guard Agency and of Europol.

2.   The ETIAS Central Unit shall consult the VIS Screening Board on the definition, establishment, ex ante assessment, implementation, ex post evaluation, revision and deletion of the specific risk indicators referred to in Article 9j.

3.   The VIS Screening Board shall issue opinions, guidelines, recommendations and best practices for the purposes referred to in paragraph 2. When issuing recommendations, the VIS Screening Board shall take into consideration the recommendations issued by the VIS Fundamental Rights Guidance Board.

4.   The VIS Screening Board shall meet whenever necessary, and at least twice a year. The costs and servicing of its meetings shall be borne by the European Border and Coast Guard Agency.

5.   The VIS Screening Board may consult the VIS Fundamental Rights Guidance Board on specific issues related to fundamental rights, in particular with regard to privacy, the protection of personal data and non-discrimination.

6.   The VIS Screening Board shall adopt rules of procedure at its first meeting by a simple majority of its members.

1.   An independent VIS Fundamental Rights Guidance Board with an advisory and appraisal function is hereby established. Without prejudice to their respective competences and independence, it shall be composed of the Fundamental Rights Officer of the European Border and Coast Guard Agency, a representative of the consultative forum on fundamental rights of the European Border and Coast Guard Agency, a representative of the European Data Protection Supervisor, a representative of the European Data Protection Board established by Regulation (EU) 2016/679 and a representative of the European Union Agency for Fundamental Rights.

2.   The VIS Fundamental Rights Guidance Board shall perform regular appraisals and issue recommendations to the VIS Screening Board on the impact on fundamental rights of the processing of applications and of the implementation of Article 9j, in particular with regard to privacy, the protection of personal data and non-discrimination.

The VIS Fundamental Rights Guidance Board shall also support the VIS Screening Board in the execution of its tasks when consulted by the latter on specific issues related to fundamental rights, in particular with regard to privacy, the protection of personal data and non-discrimination.

The VIS Fundamental Rights Guidance Board shall have access to the audits referred to in point (e) of Article 7(2) of Regulation (EU) 2018/1240.

3.   The VIS Fundamental Rights Guidance Board shall meet whenever necessary, and at least twice a year. The costs and servicing of its meetings shall be borne by the European Border and Coast Guard Agency. Its meetings shall take place in premises of the European Border and Coast Guard Agency. The secretariat of its meetings shall be provided by the European Border and Coast Guard Agency. The VIS Fundamental Rights Guidance Board shall adopt rules of procedure at its first meeting by a simple majority of its members.

4.   One representative of the VIS Fundamental Rights Guidance Board shall be invited to attend the meetings of the VIS Screening Board in an advisory capacity. The members of the VIS Fundamental Rights Guidance Board shall have access to the information and files of the VIS Screening Board.

5.   The VIS Fundamental Rights Guidance Board shall produce an annual report. The report shall be made publicly available.

1.   For the purposes of consultation between central visa authorities on applications in accordance with Article 22 of Regulation (EC) No 810/2009, the consultation request and the responses thereto shall be transmitted in accordance with paragraph 2 of this Article.

2.   When an application file is created in the VIS regarding a national of a specific third country or belonging to a specific category of such nationals for which prior consultation is requested pursuant to Article 22 of Regulation (EC) No 810/2009, the VIS shall automatically transmit by VISMail the request for consultation to the Member State or the Member States indicated.

The Member State or the Member States consulted shall transmit their response to the VIS, which shall transmit by VISMail that response to the Member State which created the application.

In the case of a negative response, the response shall specify whether the applicant poses a threat to public policy, internal security, public health or international relations.

Solely for the purpose of carrying out the consultation procedure, the list of Member States requiring that their central authorities be consulted by other Member States’ central authorities during the examination of visa applications for uniform visas lodged by nationals of specific third countries or specific categories of such nationals in accordance with Article 22 of Regulation (EC) No 810/2009 shall be integrated into the VIS. The VIS shall provide the functionality for the centralised management of that list.

3.   The transmission of information by VISMail shall also apply to:

3a.   The list of Member States requiring that their central authorities be informed of visas issued by other Member States to nationals of specific third countries or to specific categories of such nationals pursuant to Article 31 of Regulation (EC) No 810/2009 shall be integrated into the VIS. The VIS shall provide for the centralised management of that list.

3b.   The transmission of information pursuant to points (a), (b) and (c) of paragraph 3 shall be automatically generated by the VIS.

3c.   The competent visa authorities shall respond to requests pursuant to point (e) of paragraph 3 within three working days.

4.   The personal data transmitted pursuant to this Article shall be used solely for the consultation and information of central visa authorities and consular cooperation.”;

1.   For the sole purpose of determining the Member State responsible for examining an application for international protection in accordance with Articles 12 and 34 of Regulation (EU) No 604/2013, the competent asylum authorities shall have access to the VIS to search with the fingerprints of the applicant for international protection.

Where the fingerprints of the applicant for international protection cannot be used or the search with the fingerprints fails, the search shall be carried out with the data referred to in point (4)(a), (aa), (b), (c) or (ca), or point (5) of Article 9. However, the facial image shall not be the only search criterion.

2.   If the search with the data listed in paragraph 1 of this Article indicates that a visa issued with an expiry date of no more than six months before the date of the application for international protection, or a visa extended to an expiry date of no more than six months before the date of the application for international protection, is recorded in the VIS, the competent asylum authority shall have access to the VIS to consult the following data of the application file, and as regards the data listed in point (e) of this paragraph of the spouse and children, pursuant to Article 8(4), for the sole purpose referred to in paragraph 1 of this Article:

3.   The consultation of the VIS pursuant to paragraphs 1 and 2 of this Article shall be carried out only by the designated national authorities referred to in Article 34(6) of Regulation (EU) No 604/2013.

1.   For the sole purpose of examining an application for international protection, the competent asylum authorities shall have access in accordance with Article 34 of Regulation (EU) No 604/2013 to search with the fingerprints of the applicant for international protection.

Where the fingerprints of the applicant for international protection cannot be used or the search with the fingerprints fails, the search shall be carried out with the data referred to in point (4)(a), (aa), (b), (c) or (ca), or point (5) of Article 9. However, the facial image shall not be the only search criterion.

2.   If the search with the data listed in paragraph 1 of this Article indicates that data on the applicant for international protection is recorded in the VIS, the competent asylum authority shall have access to the VIS to consult the following data of the applicant and of any linked application files of the applicant pursuant to Article 8(3), and, as regards the data listed in point (f) of this paragraph, of the spouse and children, pursuant to Article 8(4), for the sole purpose referred to in paragraph 1 of this Article:

3.   The consultation of the VIS pursuant to paragraphs 1 and 2 of this Article shall be carried out only by the designated national authorities referred to in Article 34(6) of Regulation (EU) No 604/2013.”;

1.   Upon application for a long-stay visa or residence permit, the authority competent for collecting or examining the application shall create without delay an application file, by entering the following data in the VIS as far as those data are required to be provided by the applicant in accordance with the relevant Union or national law:

2.   With regard to fingerprints as referred to in point (k) of paragraph 1, the fingerprints of children below the age of six shall not be entered in the VIS.

With regard to facial images and fingerprints as referred to in points (j) and (k) of paragraph 1, the data of minors shall be entered in the VIS only where all of the following conditions are met:

3.   Upon creation of the application file, the VIS shall automatically launch the queries pursuant to Article 22b.

4.   If the applicant has applied as part of a group or with a family member, the authority shall create an application file for each person in the group and link the files of the persons having applied together for long-stay visas or residence permits.

5.   Where particular data are not required to be provided in accordance with Union or national law or cannot be provided, the specific data fields shall be marked as ‘not applicable’. In the case of fingerprints, the system shall permit a distinction to be made between the cases where fingerprints are not required to be provided in accordance with Union or national law and the cases where they cannot be provided.

1.   The application files shall be processed automatically by the VIS to identify hits in accordance with this Article. The VIS shall examine each application file individually.

2.   For the purpose of assessing whether the person could pose a threat to the public policy, internal security or public health of the Member States pursuant to point (e) of Article 6(1) of Regulation (EU) 2016/399 and for the purposes of the objective referred to in point (f) of Article 2(2) of this Regulation, the VIS shall launch a query by using the ESP to compare the relevant data referred to in points (d) to (g) and points (i), (j) and (k) of Article 22a(1) of this Regulation with the data present in a record, file or alert registered in:

The comparison shall be made with both alphanumeric and biometric data, unless the information system or database queried contains only one of those data categories.

3.   In particular, the VIS shall verify:

4.   SIS alerts in respect of missing persons or vulnerable persons, persons sought to assist with a judicial procedure and persons or objects for discreet checks, inquiry checks or specific checks shall be queried only for the purposes of the objective referred to in point (f) of Article 2(2).

5.   As regards Interpol SLTD and Interpol TDAWN, any queries or verification shall be performed in such a way that no information shall be revealed to the owner of the Interpol alert.

If the requirement provided for in this paragraph is not fulfilled, the VIS shall not query Interpol databases.

6.   As regards Europol data, the automated processing shall receive the appropriate notification in accordance with Article 21(1b) of Regulation (EU) 2016/794.

7.   A hit shall be triggered where all or some of the data from the application file used for the query correspond fully or partially to the data present in a record, alert or file of the information systems or databases referred to in paragraph 2. The manual referred to in paragraph 18 shall define partial correspondence, including a degree of probability to limit the number of false hits.

8.   Where the automatic comparison referred to in paragraph 2 reports a hit related to point (a)(i), (ii) and (iii), point (b), point (c)(i), point (d) and point (g)(i) of paragraph 3, the VIS shall add a reference in the application file to any hit and, where relevant, the Member States that entered or supplied the data having triggered the hit.

9.   Where the automatic comparison referred to in paragraph 2 reports a hit related to point (a)(iv), point (c)(ii), points (e) and (f) and point (g)(ii) of paragraph 3, the VIS shall only indicate in the application file that further verification is needed.

In the event of hits pursuant to point (a)(iv), points (e) and (f) and point (g)(ii) of paragraph 3, the VIS shall send an automated notification regarding such hits to the VIS designated authority of the Member State processing the application. Such automated notification shall contain the data recorded in the application file in accordance with points (d) to (g), and (i), (j) and (k) of Article 22a(1).

In the event of hits pursuant to point (c)(ii) of paragraph 3, the VIS shall send an automated notification regarding such hits to the ETIAS National Unit of the Member State that entered the data or, if the data was entered by Europol, to the ETIAS National Unit of the Member States processing the application. That automated notification shall contain the data recorded in the application file in accordance with points (d) to (g) and (i) of Article 22a(1).

10.   Where the automatic comparison referred to in paragraph 2 reports a hit related to point (a)(v), (vi) and (vii) of paragraph 3, the VIS shall neither record the hit in the application file nor indicate in the application file that further verification is needed.

11.   The unique reference number of the data record having triggered a hit shall be kept in the application file for the purpose of the keeping of logs, reporting and statistics in accordance with Articles 34 and 45a.

12.   Any hit pursuant to paragraph 6 shall be manually verified by the competent visa or immigration authority of the Member State processing the application for a long-stay visa or residence permit.

For the purposes of manual verification under the first subparagraph of this paragraph, the competent authority shall have access to the application file and any linked application files, as well as to the hits triggered during the automated processing pursuant to paragraph 6.

The competent authority shall also have temporary access to data in the VIS, the SIS, the EES, the ETIAS, or Interpol SLTD that triggered the hit for the duration of the verifications referred to in this Article and the examination of the application for a long-stay visa or residence permit and in the event of an appeal procedure.

The competent authority shall verify whether the identity of the applicant recorded in the application file corresponds to the data in any of the information systems and databases queried.

Where the personal data in the application file correspond to the data stored in the relevant information system or database, the hit shall be taken into account when assessing whether the applicant for a long-stay visa or a residence permit could pose a threat to the public policy, internal security or public health of the Member States processing the application.

Where the hit concerns a person in respect of whom an alert for refusal of entry and stay or an alert on return has been entered into the SIS by another Member State, the prior consultation pursuant to Article 27 of Regulation (EU) 2018/1861 or Article 9 of Regulation (EU) 2018/1860 shall apply.

Where the personal data in the application file do not correspond to the data stored in the relevant information system or database, the competent authority shall erase the false hit from the application file.

13.   For the manual verification of hits pursuant to points (a)(iv) to (vii), points (e) and (f) and point (g)(ii) of paragraph 3 of this Article by VIS designated authorities, Article 9d shall apply accordingly.

14.   For the manual verification and follow-up action with regard to hits in the ETIAS watchlist pursuant to point (c)(ii) of paragraph 3 of this Article by ETIAS National Units, Article 9e shall apply accordingly. The reference to the central visa authority shall be understood as referring to the visa or immigration authority competent for long-stay visas or residence permits.

15.   For follow-up action with regard to hits in the SIS pursuant to point (a)(iv) to (vii) of paragraph 3 of this Article by the SIRENE Bureaux, Article 9f shall apply accordingly.

16.   For follow-up action with regard to hits pursuant to point (e) or (f) or point (g)(ii) of paragraph 3 of this Article by the VIS designated authorities, Article 9g shall apply accordingly. The reference to the central visa authority shall be understood as referring to the visa or immigration authority competent for long-stay visas or residence permits.

17.   For the purpose of implementing this Article, eu-LISA shall, in cooperation with the Member States and Europol, establish appropriate channels for the notifications and exchange of information referred to in this Article.

18.   The Commission shall adopt a delegated act in accordance with Article 48a to lay down in a manual the procedures and rules necessary for queries, verifications and assessments.

1.   Where a competent authority decides to refuse a long-stay visa or a residence permit because the applicant is considered to pose a threat to public policy, internal security or public health or the applicant has presented documents which were fraudulently acquired, or falsified, or tampered with, it shall add the following data to the application file where the data is collected in accordance with the relevant Union and national law:

2.   Where a final decision to refuse a long-stay visa or a residence permit has been taken on the basis of reasons other than those referred to in paragraph 1, the application file shall be deleted without delay from the VIS.

1.   Where a competent authority decides to extend a long-stay visa, it shall add the following data to the application file, where the data is collected in accordance with the relevant Union and national law:

2.   Where a competent authority decides to renew a residence permit, Article 22c applies.

1.   For the sole purpose of verifying the identity of the holder of the long-stay visa or residence permit, or the authenticity and the validity of the long-stay visa or residence permit or whether the conditions for entry to the territory of the Member States in accordance with Article 6 of Regulation (EU) 2016/399 are fulfilled, the competent authorities for carrying out checks at external border crossing points in accordance with that Regulation shall have access to search the VIS using the following data:

2.   If the search with the data listed in paragraph 1 of this Article indicates that data on the holder of the long-stay visa or residence permit are recorded in the VIS, the competent border control authority shall have access to the VIS to consult the following data of the application file and of linked application files pursuant to Article 22a(4), solely for the purposes referred to in paragraph 1 of this Article:

3.   For the purposes referred to in paragraph 1, the competent authorities for carrying out checks at external border crossing points shall also have access to the VIS to verify the fingerprints or the facial image of the holder of the long-stay visa or residence permit against the fingerprints or the facial image taken live recorded in the VIS.

4.   Where verification of the holder of the long-stay visa or residence permit fails or where there are doubts as to the identity of the holder or the authenticity of the long-stay visa or residence permit or the travel document, the duly authorised staff of the competent authorities for carrying out checks at external border crossing points shall have access to VIS data in accordance with Article 22i(1) and (2).

1.   For the sole purpose of verifying the identity of the holder of the long-stay visa or residence permit, or the authenticity and the validity of the long-stay visa or residence permit or whether the conditions for entry to, stay or residence on the territory of the Member States are fulfilled, the authorities competent for carrying out checks within the territory of the Member States as to whether the conditions for entry to, stay or residence on the territory of the Member States are fulfilled shall have access to the VIS to search with the number of the long-stay visa or residence permit in combination with verification of fingerprints of the holder of the long-stay visa or residence permit, or the number of the long-stay visa or residence permit.

Where the identity of the holder of the long-stay visa or residence permit cannot be verified with fingerprints, the competent authorities may also carry out the verification with the facial image.

2.   If the search with the data listed in paragraph 1 of this Article indicates that data on the holder of the long-stay visa or residence permit are recorded in the VIS, the competent authority shall have access to the VIS to consult the following data of the application file and of linked application files pursuant to Article 22a(4), solely for the purposes referred to in paragraph 1 of this Article:

3.   Where verification of the holder of the long-stay visa or residence permit fails or where there are doubts as to the identity of the holder or the authenticity of the long-stay visa or residence permit or the travel document, the duly authorised staff of the competent authorities shall have access to VIS data in accordance with Article 22i(1) and (2).

1.   For the sole purpose of the identification of any person who may have been registered previously in the VIS or who does not or no longer fulfils the conditions for the entry to, stay or residence on the territory of the Member States, the authorities competent for carrying out checks at external border crossing points in accordance with Regulation (EU) 2016/399 or within the territory of the Member States as to whether the conditions for entry to, stay or residence on the territory of the Member States are fulfilled, shall have access to the VIS to search with the fingerprints of that person.

Where the fingerprints of that person cannot be used or the search with the fingerprints fails, the search shall be carried out with the data referred to in points (d) to (g) or point (j) of Article 22a(1). However, the facial image shall not be the only search criterion.

2.   If the search with the data listed in paragraph 1 of this Article indicates that data on the applicant are recorded in the VIS, the competent authority shall have access to the VIS to consult the following data of the application file and of linked application files pursuant to Article 22a(4), solely for the purposes referred to in paragraph 1 of this Article:

3.   Where the person holds a long-stay visa or residence permit, the competent authorities shall access the VIS first in accordance with Article 22g or 22h.

1.   For the sole purpose of determining the Member State responsible for examining an application for international protection in accordance with Articles 12 and 34 of Regulation (EU) No 604/2013, the competent asylum authorities shall have access to the VIS to search with the fingerprints of the applicant for international protection.

Where the fingerprints of the applicant for international protection cannot be used or the search with the fingerprints fails, the search shall be carried out with the data referred to in points (d) to (g) or point (j) of Article 22a(1). However, the facial image shall not be the only search criterion.

2.   If the search with the data listed in paragraph 1 of this Article indicates that a long-stay visa or residence permit is recorded in the VIS, the competent asylum authority shall have access to the VIS to consult the following data of the application file and, as regards the data listed in point (e) of this paragraph, of linked application files relating to the spouse and children pursuant to Article 22a(4), solely for the purpose referred to in paragraph 1 of this Article:

3.   The consultation of the VIS pursuant to paragraphs 1 and 2 of this Article shall be carried out only by the designated national authorities referred to in Article 34(6) of Regulation (EU) No 604/2013.

1.   For the sole purpose of examining an application for international protection, the competent asylum authorities shall have access to the VIS in accordance with Article 34 of Regulation (EU) No 604/2013 to search with the fingerprints of the applicant for international protection.

Where the fingerprints of the applicant for international protection cannot be used or the search with the fingerprints fails, the search shall be carried out with the data referred to in points (d) to (g) or point (j) of Article 22a(1). However, the facial image shall not be the only search criterion.

2.   If the search with the data listed in paragraph 1 of this Article indicates that data on the applicant for international protection is recorded in the VIS, the competent asylum authority shall have access to the VIS to consult the following data of the application file and, as regards the data listed in point (f) of this paragraph, of the linked application files relating to the spouse and children pursuant to Article 22a(4), solely for the purpose referred to in paragraph 1 of this Article:

3.   The consultation of the VIS pursuant to paragraphs 1 and 2 of this Article shall be carried out only by the designated national authorities referred to in Article 34(6) of Regulation (EU) No 604/2013.

1.   Each Member State shall designate the authorities which are entitled to consult the VIS data in order to prevent, detect and investigate terrorist offences or other serious criminal offences.

The data accessed by those authorities shall only be processed for the purposes of the specific case for which the data have been consulted.

2.   Each Member State shall keep a list of its designated authorities and shall communicate that list to the Commission and eu-LISA. Each Member State may at any time amend or replace the list which it communicated and shall inform the Commission and eu-LISA accordingly.

3.   Each Member State shall designate a central access point which shall have access to the VIS. The central access point shall verify that the conditions for access to VIS data laid down in Article 22o are fulfilled.

The designated authorities and the central access point may be part of the same organisation if permitted under national law, but the central access point shall act fully independently of the designated authorities when performing its tasks under this Regulation. The central access point shall be separate from the designated authorities and shall not receive instructions from them as regards the outcome of the verification which it shall perform independently.

Member States may designate more than one central access point to reflect their organisational and administrative structure in the fulfilment of their constitutional or legal requirements.

4.   Each Member State shall communicate to the Commission and eu-LISA its central access point and may at any time amend or replace its communication.

5.   At national level, each Member State shall keep a list of the operating units within the designated authorities that are authorised to request access to VIS data through the central access point.

6.   Only duly empowered staff of the central access point shall be authorised to access VIS data in accordance with Articles 22n and 22o.

1.   Europol shall designate one of its operating units as ‘Europol designated authority’ and shall authorise it to request access to VIS data through the VIS designated central access point referred to in paragraph 2 in order to support and strengthen action by Member States in preventing, detecting and investigating terrorist offences or other serious criminal offences.

The data accessed by Europol shall only be processed for the purposes of the specific case for which the data have been consulted.

2.   Europol shall designate a specialised unit with duly empowered Europol officials as the central access point. The central access point shall verify that the conditions for access to VIS data laid down in Article 22r are fulfilled.

The central access point shall act independently when performing its tasks under this Regulation and shall not receive instructions from the Europol designated authority as regards the outcome of the verification.

1.   The operating units referred to in Article 22l(5) shall submit a reasoned electronic or written request to the central access points referred to in paragraph 3 of that Article for access to VIS data. Upon receipt of a request for access the central access point shall verify whether the conditions referred to in Article 22o are fulfilled. If the conditions are fulfilled, the central access point shall process the request. The VIS data accessed shall be transmitted to the operating units referred to in Article 22l(5) in such a way as not to compromise the security of the data.

2.   In a case of exceptional urgency, where there is a need to prevent an imminent danger to the life of a person associated with a terrorist offence or other serious criminal offence, the central access point shall process the request immediately and shall only verify ex post whether all the conditions of Article 22o are fulfilled, including whether a case of urgency actually existed. The ex post verification shall take place without undue delay and in any event no later than seven working days after the processing of the request.

3.   Where an ex post verification reveals that the access to VIS data was not justified, all the authorities that accessed such data shall without delay erase the data accessed from the VIS and shall inform the central access point of the erasure.

1.   Without prejudice to Article 22 of Regulation (EU) 2019/817 designated authorities shall have access to the VIS for the purposes of consultation where all of the following conditions are met:

2.   The fulfilment of the condition provided for in point (d) of paragraph 1 shall not be required where access to the VIS is needed as a tool to consult the visa history or the periods of authorised stay on the territory of the Member States of a known suspect, perpetrator or suspected victim of a terrorist offence or other serious criminal offence, or the data category with which the search is conducted is not stored in the CIR.

3.   Consultation of the VIS shall be limited to searching with any of the following data in the application file:

4.   The facial image referred to in point (e) of paragraph 3 shall not be the only search criterion.

5.   Consultation of the VIS shall, in the event of a hit, give access to the data listed in paragraph 3 of this Article as well as to any other data taken from the application file, including data entered in respect of any document issued, refused, annulled, revoked, withdrawn, renewed or extended. Access to the data referred to in point (4)(l) of Article 9 as recorded in the application file shall only be given if consultation of that data was explicitly requested in a reasoned request and approved by independent verification.

6.   By way of derogation from paragraphs 3 and 5 the data referred to in points (d) and (e) of paragraph 3 of children below the age of 14 shall only be used to search the VIS and, in the case of a hit, shall only be accessed where:

1.   By way of derogation from Article 22o(1), designated authorities shall not be required to fulfil the conditions laid down in that paragraph to access the VIS for the purposes of the identification of persons who have gone missing, were abducted or were identified as victims of trafficking in human beings, and in respect of whom there are reasonable grounds to consider that consultation of VIS data will support their identification or contribute in investigating specific cases of human trafficking. In such circumstances, the designated authorities may search in the VIS with the fingerprints of those persons.

2.   Where the fingerprints of the persons referred to in paragraph 1 cannot be used or the search with the fingerprints fails, the search shall be carried out with the data referred to in point (4)(a) to (ca) of Article 9 or points (d) to (g) of Article 22a(1).

3.   Consultation of the VIS shall, in the event of a hit, give access to any of the data in Article 9 and Article 22a, as well as to the data in linked application files in accordance with Article 8(3) and (4) or Article 22a(4).

1.   VIS data may be used for the purpose of entering in the SIS an alert on missing persons or vulnerable persons who need to be prevented from travelling in accordance with Article 32 of Regulation (EU) 2018/1862. In those cases, the central access point referred to in Article 22l(3) shall ensure the transmission of data through secured means.

2.   In the case of a hit against a SIS alert through the use of VIS data as referred to in paragraph 1, child protection authorities and national judicial authorities may request an authority with access to the VIS to grant them access to those data for the purposes of their tasks. Such national judicial authorities shall include those responsible for the initiation of public prosecutions in criminal proceedings and for judicial inquiries prior to charging a person, and their coordinating authorities, as referred to in Article 44(3) of Regulation (EU) 2018/1862. The conditions provided for in Union and national law shall apply. Member States shall ensure that the data are transmitted in a secure manner.

1.   Europol shall have access to the VIS for the purposes of consultation where all of the following conditions are met:

2.   Fulfilment of the condition provided for in point (d) of paragraph 1 shall not be required where access to the VIS is needed as a tool to consult the visa history or the periods of authorised stay on the territory of the Member States of a known suspect, perpetrator or suspected victim of a terrorist offence or other serious criminal offence, or the data category with which the search is conducted is not stored in the CIR.

3.   Consultation of the VIS shall be limited to searching with any of the following data in the application file:

4.   The facial image referred to in point (e) of paragraph 3 shall not be the only search criterion.

5.   Consultation of the VIS shall, in the event of a hit, give access to the data listed in paragraph 3 of this Article as well as to any other data taken from the application file, including data entered in respect of any document issued, refused, annulled, revoked, withdrawn, renewed or extended. Access to the data referred to in point (4)(l) of Article 9 as recorded in the application file shall only be given if consultation of that data was explicitly requested in a reasoned request and approved by independent verification.

6.   By way of derogation from paragraphs 3 and 5 the data referred to in points (d) and (e) of paragraph 3 of children below the age of 14 shall only be used to search the VIS and, in the case of a hit, shall only be accessed where:

7.   Europol’s designated authority may submit a reasoned electronic request for the consultation of all VIS data or a specific set of VIS data to the Europol central access point. Upon receipt of a request for access the Europol central access point shall verify whether the conditions referred to in paragraphs 1 and 2 are fulfilled. If all conditions are fulfilled, the duly authorised staff of the central access point shall process the request. The VIS data accessed shall be transmitted to the Europol designated authority in such a way as not to compromise the security of the data.

8.   The processing of data obtained by Europol by consulting VIS data shall be subject to the authorisation of the Member State of origin of the data. That authorisation shall be obtained via the Europol national unit of that Member State.

1.   eu-LISA shall keep logs of all data processing operations within the VIS involving access by the central access points referred to in Article 22l(3) for the purposes of Chapter IIIb. Those logs shall show the date and time of each operation, the data used for launching the search, the data transmitted by the VIS and the name of the authorised staff of the central access points entering and retrieving the data.

2.   In addition, each Member State and Europol shall keep logs of all data processing operations within the VIS resulting from requests to consult VIS data or from access to VIS data for the purposes of Chapter IIIb.

3.   The logs referred to in paragraph 2 shall show:

4.   The logs referred to in paragraphs 1 and 2 of this Article shall be used only to check the admissibility of the request, monitor the lawfulness of data processing and to ensure data integrity and security. The logs shall be protected by appropriate measures against unauthorised access. They shall be deleted one year after the retention period referred to in Article 23 has expired, if they are not required for monitoring procedures which have already begun. The European Data Protection Supervisor and the competent supervisory authorities shall have access to the logs at their request for the purpose of fulfilling their duties. The authority responsible for checking the admissibility of the request shall also have access to the logs for that purpose. Other than for such purposes, personal data shall be erased in all national and Europol files after a period of one month, unless those data are required for the purposes of the specific ongoing criminal investigation for which they were requested by a Member State or by Europol. Only logs containing non-personal data may be used for the monitoring and evaluation referred to in Article 50.

1.   Access to the VIS for consultation by designated authorities of a Member State in respect of which this Regulation has not yet been put into effect shall take place where such access is:

2.   A Member State in respect of which this Regulation has not yet been put into effect shall make its data on visas available to Member States to which this Regulation applies, on the basis of a duly reasoned written or electronic request, subject to compliance with the conditions laid down in Article 22o(1).”;

1.   Each application file shall be stored in the VIS for a maximum of five years, without prejudice to the erasure referred to in Articles 24 and 25 and to the keeping of the logs referred to in Article 34.

That period shall start:

2.   Upon expiry of the period referred to in paragraph 1 of this Article, the VIS shall automatically erase the application file and the links to that file as referred to in Article 8(3) and (4) and Article 22a(4).

3.   By way of derogation from paragraph 1, fingerprints and facial images pertaining to children below the age of 12 shall be erased upon the visa, long-stay visa or residence permit having expired and, in the event of a visa, the child having exited the external borders.

For the purposes of that erasure, the EES shall automatically notify the VIS when the exit of the child is entered in the entry/exit record in accordance with Article 16(3) of Regulation (EU) 2017/2226.”;

1.   Only the Member State responsible shall have the right to amend data which it has transmitted to the VIS, by rectifying or erasing such data.

2.   If a Member State has evidence to suggest that data processed in the VIS are inaccurate or that data were processed in the VIS contrary to this Regulation, it shall inform the Member State responsible immediately. That message shall be transmitted by VISMail in accordance with the procedure in Article 16(3).

Where the inaccurate data refers to links created pursuant to Article 8(3) or (4) or Article 22a(4) or where a link is missing, the Member State responsible shall check the data concerned and provide an answer within three working days, and shall rectify the link if necessary. If no answer is provided within that timeframe, the requesting Member State shall rectify the link and notify, by VISMail, the Member State responsible of the rectification made.

3.   The Member State responsible shall, as soon as possible, check the data concerned and, if necessary, rectify or erase them immediately.”;

1.   eu-LISA shall be responsible for the technical and operational management of the VIS and its components as set out in Article 2a. It shall ensure, in cooperation with the Member States, that at all times the best available technology, subject to a cost-benefit analysis, is used for those components.

2.   eu-LISA shall be responsible for the following tasks relating to the communication infrastructure between the VIS Central System and the NUIs:

3.   Operational management of the VIS shall consist of all the tasks necessary to keep the VIS functioning 24 hours a day, seven days a week in accordance with this Regulation. It shall include, in particular, the maintenance work and technical developments necessary to ensure that the VIS functions at a satisfactory level of operational quality, in particular as regards the response time for consultation of the VIS by visa authorities, the authorities competent to decide on an application for a long-stay visa or residence permit and border authorities. Such response times shall be as short as possible.

8a.   eu-LISA may use anonymised real personal data in the VIS for testing purposes in the following circumstances:

In the cases referred to in point (b) of the first subparagraph, the security measures, access control and logging activities at the testing environment shall be equal to those for the VIS. Real personal data adopted for testing shall be rendered anonymous in such a way that the data-subject is no longer identifiable.

9.   Without prejudice to Article 17 of the Staff Regulations of officials of the European Communities, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (*), eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality to all its staff required to work with VIS data. This obligation shall also apply after such staff leave office or employment or after the termination of their activities.

10.   Where eu-LISA cooperates with external contractors in any VIS-related tasks, it shall closely monitor the activities of the contractor to ensure compliance with this Regulation, in particular on security, confidentiality and data protection.

1.   Each Member State shall ensure that the data are processed lawfully, and in particular that only duly authorised staff have access to data processed in the VIS for the performance of their tasks in accordance with this Regulation. The Member State responsible shall ensure in particular that:

2.   eu-LISA shall ensure that the VIS is operated in accordance with this Regulation and its implementing rules referred to in Article 45. In particular, eu-LISA shall:

2a.   eu-LISA shall develop and maintain a mechanism and procedures for carrying out quality checks on the data in the VIS and shall provide regular reports to the Member States. eu-LISA shall provide a regular report to the European Parliament, the Council and the Commission covering the issues encountered.

The Commission shall adopt implementing acts to lay down and develop the mechanism and the procedures for carrying out quality checks and appropriate requirements for data quality compliance. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 49(2).

3.   eu-LISA shall inform the European Parliament, the Council and the Commission of the measures which it takes pursuant to paragraph 2.

4.   In relation to the processing of personal data in the VIS, each Member State shall designate the authority which is to be considered as controller in accordance with point (7) of Article 4 of Regulation (EU) 2016/679 and which shall have central responsibility for the processing of data by that Member State. Each Member State shall notify the Commission of the designation.

1.   The data referred to in Article 6(4), Articles 9 to 14, Article 22a and Articles 22c to 22f shall be entered in the VIS only following a quality check performed by the responsible national authorities and shall be processed by the VIS following a quality check performed by the VIS in accordance with paragraph 2 of this Article.

2.   Quality checks on the data referred to in Articles 9 to 14, Article 22a and Articles 22c to 22f shall be performed by the VIS in accordance with this paragraph.

The quality checks shall be initiated when creating or updating application files in the VIS. Where the quality checks fail to meet the established quality standards, the responsible authority or authorities shall be automatically notified by the VIS. The automated queries pursuant to Article 9a(3) and Article 22b(2) shall be triggered by the VIS only following a positive quality check.

Quality checks on facial images and fingerprints shall be performed when creating or updating application files in the VIS, to ascertain the fulfilment of minimum data quality standards allowing for biometric matching.

Quality checks on the data referred to Article 6(4) shall be performed when storing information about the national competent authorities in the VIS.

3.   Quality standards shall be established for the storage of the data referred to in paragraphs 1 and 2 of this Article.

The Commission shall adopt implementing acts to lay down the specification of those quality standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 49(2).”;

1.   Data processed in the VIS pursuant to this Regulation shall not be transferred or made available to a third country or to an international organisation with the exception of transfers to Interpol for the purpose of carrying out the queries referred to in point (g) of Article 9a(4) and in point (g) of Article 22b(3) of this Regulation. Transfers of personal data to Interpol are subject to the provisions of Chapter V of Regulation (EU) 2018/1725 and Chapter V of Regulation (EU) 2016/679.

2.   By way of derogation from paragraph 1 of this Article, the data referred to in points (4)(a), (b), (ca), (k) and (m) and points (6) and (7) of Article 9 or in points (d) to (i) and (k) of Article 22a(1) of this Regulation may be accessed by the competent authorities and transferred or made available to a third country or to an international organisation listed in the Annex, provided that it is necessary in individual cases in order to prove the identity of third-country nationals for the purposes of return in accordance with Directive 2008/115/EC, or, as regards transfers to an international organisation listed in the Annex to this Regulation, for the purposes of resettlement in accordance with European or national resettlement schemes, and provided that one of the following conditions is satisfied:

Moreover, the data referred to in the first subparagraph shall be transferred only where all of the following conditions are satisfied:

Subject to the first and second subparagraphs of this paragraph, where a return decision adopted pursuant to Directive 2008/115/EC has been issued in relation to a third-country national, the data referred to in the first subparagraph shall be transferred only where the enforcement of such a return decision is not suspended and provided that no appeal has been lodged which may lead to the suspension of its enforcement.

3.   Transfers of personal data to third countries or to international organisations pursuant to paragraph 2 shall not prejudice the rights of applicants for and beneficiaries of international protection, in particular as regards non-refoulement.

4.   Personal data obtained from the VIS by a Member State or by Europol for law enforcement purposes shall not be transferred or made available to any third country, international organisation or private entity established in or outside the Union. The prohibition shall also apply where those data are further processed at national level or between Member States pursuant to Directive (EU) 2016/680.

5.   By way of derogation from paragraph 4 of this Article, the data referred to in point (4)(a) to (ca) of Article 9 and in points (d) to (g) of Article 22a(1) may be transferred by the designated authority to a third country in individual cases, only where all of the following conditions are met:

Where a transfer is made pursuant to the first subparagraph of this paragraph, such a transfer shall be documented and the documentation shall, on request, be made available to the supervisory authority referred to in Article 41(1) of Directive (EU) 2016/680, including the date and time of the transfer, information about the receiving competent authority, the justification for the transfer and the personal data transferred.”;

1.   Any event that has or may have an impact on the security of the VIS and may cause damage to or loss of VIS data shall be considered to be a security incident, in particular where unauthorised access to data may have occurred or where the availability, integrity and confidentiality of data has or may have been compromised.

2.   Security incidents shall be managed so as to ensure a quick, effective and proper response.

3.   Without prejudice to the notification and communication of a personal data breach pursuant to Article 33 of Regulation (EU) 2016/679, Article 30 of Directive (EU) 2016/680, or both, Member States shall notify the Commission, eu-LISA and the European Data Protection Supervisor of security incidents. In the event of a security incident in relation to the VIS Central System, eu-LISA shall notify the Commission and the European Data Protection Supervisor. Europol and the European Border and Coast Guard Agency shall notify the Commission and the European Data Protection Supervisor in the case of a VIS-related security incident.

4.   Information regarding a security incident that has or may have an impact on the operation of the VIS or on the availability, integrity and confidentiality of the VIS data shall be provided to the Commission and, if affected, to Member States, to Europol and to the European Border and Coast Guard Agency. Such incidents shall also be reported in compliance with the incident management plan to be provided by eu-LISA.

5.   Member States, the European Border and Coast Guard Agency, eu-LISA and Europol shall cooperate in the event of a security incident.

6.   The Commission shall inform the European Parliament and the Council without delay of serious incidents and the measures taken to address them. This information shall be classified, where appropriate, as EU RESTRICTED/ RESTREINT UE in accordance with applicable security rules.”;

1.   Without prejudice to the liability of and the right to compensation from the controller or processor under Regulation (EU) 2016/679, Directive (EU) 2016/680 and Regulation (EU) 2018/1725:

The Member State or Union institution, body, office or agency shall be exempt from its liability under the first subparagraph, in whole or in part, if it proves that it is not responsible for the event which gave rise to the damage.

2.   If any failure of a Member State to comply with its obligations under this Regulation causes damage to the VIS, that Member State shall be held liable for such damage, unless and insofar as eu-LISA or another Member State participating in the VIS failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.

3.   Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 shall be governed by the national law of that Member State. Claims for compensation against a Union institution, body, office or agency for the damage referred to in paragraphs 1 and 2 shall be subject to the conditions provided for in the Treaties.”;

1.   Each Member State, the European Border and Coast Guard Agency and eu-LISA shall keep logs of all their data processing operations within the VIS. Those logs shall show:

In addition, each Member State shall keep logs of the staff duly authorised to enter data in or retrieve data from the VIS.

2.   For the queries and consultations referred to in Articles 9a to 9g and 22b, a log for each data processing operation carried out within the VIS and, respectively, the EES, the ETIAS, the SIS, the ECRIS-TCN and Eurodac shall be kept in accordance with this Article and, respectively, Article 28a of Regulation (EU) No 603/2013, Article 46(2) of Regulation (EU) 2017/2226, Article 69 of Regulation (EU) 2018/1240, Article 18a of Regulation (EU) 2018/1861, Article 18a of Regulation (EU) 2018/1862 and Article 31a of Regulation (EU) 2019/816.

3.   For the operations listed in Article 45c of this Regulation a log of each data processing operation carried out within the VIS and the EES shall be kept in accordance with that Article and Article 46 of Regulation (EU) 2017/2226. For the operations listed in Article 17a of this Regulation, a log of each data processing operation carried out in the VIS and the EES shall be kept in accordance with this Article and Article 46 of Regulation (EU) 2017/2226.

4.   Logs kept pursuant to this Article shall be used only for the data-protection monitoring of the admissibility of data processing as well as to ensure data security. The logs shall be protected by appropriate measures against unauthorised access and modification and shall be deleted after a period of one year after the retention period referred to in Article 23 has expired, if they are not required for monitoring procedures which have already begun.”;

1.   Regulation (EU) 2018/1725 shall apply to the processing of personal data by the European Border and Coast Guard Agency and eu-LISA under this Regulation.

2.   Regulation (EU) 2016/679 shall apply to the processing of personal data by the visa, border, asylum and immigration authorities when performing tasks under this Regulation.

3.   Directive (EU) 2016/680 shall apply to the processing of personal data stored in the VIS, including access to those data, for the purposes referred to in Chapter IIIb of this Regulation by Member States’ designated authorities under that Chapter.

4.   Regulation (EU) 2016/794 shall apply to the processing of personal data by Europol pursuant to this Regulation.”;

1.   In order to exercise their rights under Articles 15 to 18 of Regulation (EU) 2016/679, any person shall have the right to obtain communication of the data relating to him or her recorded in the VIS and of the Member State which entered them in the VIS. The Member State that receives the request shall examine and reply to it as soon as possible, and at the latest within one month of receipt of the request.

2.   Any person may request that data relating to him or her which are inaccurate be rectified and that data recorded unlawfully be erased.

Where the request is addressed to the Member State responsible and where it is found that VIS data are factually inaccurate or have been recorded unlawfully, the Member State responsible shall, in accordance with Article 24(3), rectify or erase those data in the VIS without delay and at the latest within one month of receipt of the request. The Member State responsible shall confirm in writing to the person concerned without delay that it has taken action to rectify or erase data relating to him or her.

Where the request is addressed to a Member State other than the Member State responsible, the authorities of the Member State to which the request was addressed shall contact the authorities of the Member State responsible within a period of seven days. The Member State responsible shall proceed in accordance with the second subparagraph of this paragraph. The Member State which contacted the authority of the Member State responsible shall inform the person concerned that his or her request was forwarded, to which Member State and about the further procedure.

3.   Where the Member State responsible does not agree with the claim that data recorded in the VIS are factually inaccurate or have been recorded unlawfully, it shall without delay adopt an administrative decision explaining in writing to the person concerned why it does not intend to rectify or erase data relating to him or her.

4.   The administrative decision referred to in paragraph 3 shall also provide the person concerned with information explaining the possibility to challenge that decision and, where relevant, information on how to bring an action or a complaint before the competent authorities or courts and information on any assistance available to the person, including from the competent supervisory authorities.

5.   Any request made pursuant to paragraph 1 or 2 shall contain the necessary information to identify the person concerned. That information shall be used exclusively to enable the exercise of the rights referred to in paragraph 1 or 2.

6.   The Member State responsible shall keep a record in the form of a written document that a request as referred to in paragraph 1 or 2 was made and how it was addressed. It shall make that document available to the competent supervisory authorities without delay and not later than seven days following the decision to rectify or erase the data referred to in the second subparagraph of paragraph 2 or following the administrative decision referred to in paragraph 3.

7.   By way of derogation from paragraphs 1 to 6 of this Article, and only as regards data contained in the reasoned opinions that are recorded in the VIS in accordance with Article 9e(6), Article 9g(6) and Article 22b(14) and (16) as a result of the queries pursuant to Articles 9a and 22b, a Member State shall take a decision not to provide information to the person concerned, in whole or in part, in accordance with national or Union law, to the extent that, and for as long as such a partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the person concerned, in order to:

In the cases referred to in the first subparagraph, the Member State shall inform the person concerned in writing, without undue delay, of any refusal or restriction of access and of the reasons for the refusal or restriction. Such information may be omitted where its provision would undermine any of the reasons set out in points (a) to (e) of the first subparagraph. The Member State shall inform the person concerned of the possibility of lodging a complaint with a supervisory authority or of seeking a judicial remedy.

The Member State shall document the factual or legal reasons on which the decision not to provide information to the person concerned is based. That information shall be made available to the supervisory authorities.

For such cases, the person concerned shall also be able to exercise his or her rights through the competent supervisory authorities.

1.   The competent authorities of the Member States shall cooperate actively to enforce the rights laid down in Article 38.

2.   In each Member State, the supervisory authority referred to in Article 51(1) of Regulation (EU) 2016/679 shall, upon request, assist and advise the data subject in exercising his or her right to rectification, completion or erasure of personal data relating to him or her or to restriction of the processing of such data, in accordance with Regulation (EU) 2016/679.

In order to achieve the aims referred to in the first subparagraph, the supervisory authority of the Member State responsible and the supervisory authority of the Member State to which the request has been made shall cooperate with each other.

1.   Without prejudice to Articles 77 and 79 of Regulation (EU) 2016/679, any person shall have the right to bring an action or a complaint before the competent authorities or courts of the Member State which refused the right of access to, rectification, completion or erasure of data relating to him or her provided for in Article 38 and Article 39(2) of this Regulation. The right to bring such an action or complaint shall also apply where requests for access to, rectification, completion or erasure were not responded to within the deadlines provided for in Article 38 or were never dealt with by the data controller.

2.   The assistance of the supervisory authority referred to in Article 51(1) of Regulation (EU) 2016/679 shall remain available throughout the proceedings.

1.   Each Member State shall ensure that the supervisory authority referred to in Article 51(1) of Regulation (EU) 2016/679 independently monitors the lawfulness of the processing of personal data pursuant to this Regulation by the Member State concerned.

2.   The supervisory authority referred to in Article 41(1) of Directive (EU) 2016/680 shall monitor the lawfulness of the processing of personal data by the Member States in accordance with Chapter IIIb, including the access to personal data by the Member States and their transmission to and from the VIS.

3.   The supervisory authority referred to in Article 51(1) of Regulation (EU) 2016/679 shall ensure that an audit of the data processing operations by the responsible national authorities is carried out in accordance with relevant international auditing standards at least every four years. The results of the audit may be taken into account in the evaluations conducted under the mechanism established by Council Regulation (EU) No 1053/2013 (*). The supervisory authority referred to in Article 51(1) of Regulation (EU) 2016/679 shall publish annually the number of requests for rectification, completion or erasure, or restriction of processing of data, the action subsequently taken and the number of rectifications, completions, erasures and restrictions of processing made in response to requests by the persons concerned.

4.   Member States shall ensure that their supervisory authorities have sufficient resources to fulfil the tasks entrusted to them under this Regulation and have access to advice from persons with sufficient knowledge of biometric data.

5.   Member States shall supply any information requested by the supervisory authorities and shall, in particular, provide them with information on the activities carried out in accordance with their responsibilities under this Regulation. Member States shall grant the supervisory authorities access to their logs and allow them access at all times to all their VIS-related premises.

1.   The European Data Protection Supervisor shall be responsible for monitoring the personal data processing activities of eu-LISA, Europol and the European Border and Coast Guard Agency under this Regulation and for ensuring that such activities are carried out in accordance with this Regulation and Regulation (EU) 2018/1725 or, as regards Europol, with Regulation (EU) 2016/794.

2.   The European Data Protection Supervisor shall ensure that an audit of eu-LISA’s personal data processing activities is carried out in accordance with relevant international auditing standards at least every four years. A report of that audit shall be sent to the European Parliament, the Council, eu-LISA, the Commission and the supervisory authorities. eu-LISA shall be given an opportunity to make comments before the reports are adopted.

3.   eu-LISA shall supply information requested by the European Data Protection Supervisor, give the European Data Protection Supervisor access to all documents and to its logs as referred to in Articles 22s, 34 and 45c and allow the European Data Protection Supervisor access to all its premises at any time.

1.   The supervisory authorities and the European Data Protection Supervisor shall, each acting within the scope of their respective competences, cooperate actively within the framework of their respective responsibilities to ensure the coordinated supervision of the VIS and the national systems.

2.   The European Data Protection Supervisor and the supervisory authorities shall exchange relevant information, assist each other in carrying out audits and inspections, examine any difficulties concerning the interpretation or application of this Regulation, assess problems in the exercise of independent supervision or in the exercise of the rights of the data subject, draw up harmonised proposals for joint solutions to any problems and promote awareness of data protection rights, as necessary.

3.   For the purposes of paragraph 2, the supervisory authorities and the European Data Protection Supervisor shall meet at least twice a year within the framework of the European Data Protection Board. The European Data Protection Board shall organise and bear the costs of those meetings. Rules of procedure shall be adopted at the first meeting. Further working methods shall be developed jointly as necessary.

4.   A joint report of activities undertaken pursuant to this Article shall be sent by the European Data Protection Board to the European Parliament, to the Council, to the Commission, to Europol, to the European Border and Coast Guard Agency and to eu-LISA every two years. That report shall include a chapter on each Member State prepared by the supervisory authority of that Member State.

1.   The Commission shall adopt implementing acts to lay down the measures necessary for the development of the VIS Central System, the NUIs in each Member State and the communication infrastructure between the VIS Central System and the NUIs concerning the following:

2.   The Commission shall adopt implementing acts to lay down measures necessary for the technical implementation of the functionalities of the VIS Central System, in particular:

3.   The Commission shall adopt implementing acts to lay down the technical specifications for the quality, resolution and use of fingerprints and of the facial image for biometric verification and identification in the VIS.

4.   The implementing acts referred to in paragraphs 1, 2 and 3 of this Article shall be adopted in accordance with the examination procedure referred to in Article 49(2).

1.   The duly authorised staff of the competent authorities of Member States, the Commission, eu-LISA, the European Asylum Support Office and the European Border and Coast Guard Agency, including the ETIAS Central Unit in accordance with Article 9j, shall have access to the VIS to consult the following data, solely for the purposes of reporting and statistics without allowing for individual identification and in accordance with the safeguards related to non-discrimination referred to in Article 7(2):

The duly authorised staff of the European Border and Coast Guard Agency shall have access to the VIS to consult the data referred to in the first subparagraph of this paragraph for the purpose of carrying out risk analyses and vulnerability assessments as referred to in Articles 29 and 32 of Regulation (EU) 2019/1896.

2.   For the purposes of paragraph 1 of this Article, eu-LISA shall store the data referred to in that paragraph in the central repository for reporting and statistics referred to in Article 39 of Regulation (EU) 2019/817. In accordance with Article 39(1) of that Regulation, cross-system statistical data and analytical reporting shall allow the authorities listed in paragraph 1 of this Article to obtain customisable reports and statistics, to support the implementation of the specific risk indicators referred to in Article 9j of this Regulation, to improve the assessment of the security, illegal immigration and high epidemic risks, to enhance the efficiency of border checks and to help the visa authorities to process visa applications.

3.   The procedures put in place by eu-LISA to monitor the functioning of the VIS referred to in Article 50(1) shall include the possibility to produce regular statistics for ensuring that monitoring.

4.   Every quarter, eu-LISA shall compile statistics based on the VIS data on visas showing, for each location where a visa application was lodged and for each Member State, in particular:

The daily statistics shall be stored in the central repository for reporting and statistics in accordance with Article 39 of Regulation (EU) 2019/817.

5.   Every quarter, eu-LISA shall compile statistics based on the VIS data on long-stay visas and residence permits showing, for each location, in particular:

6.   At the end of each year, statistical data shall be compiled in an annual report for that year. The statistics shall contain a breakdown of data for each location and each Member State. The report shall be published and transmitted to the European Parliament, to the Council, to the Commission, to the European Border and Coast Guard Agency, to the European Data Protection Supervisor and to the supervisory authorities.

7.   At the request of the Commission, eu-LISA shall provide it with statistics on specific aspects related to the implementation of the common visa policy or of the migration and asylum policy, including on aspects pursuant to the application of Regulation (EU) No 1053/2013.

1.   Member States shall notify the Commission of the authority which is to be considered as controller as referred to in Article 29(4).

2.   Member States shall notify the Commission and eu-LISA of the competent authorities referred to in Article 6(3) which have access to the VIS to enter, amend, erase or consult data in the VIS and of the VIS designated authority as referred to in Article 9d(1) and Article 22b(14).

Three months after the date of the start of operations of the VIS pursuant to Article 11 of Regulation (EU) 2021/1134 of the European Parliament and of the Council (*) eu-LISA shall publish a consolidated list of the authorities notified pursuant to the first subparagraph of this paragraph in the Official Journal of the European Union.

Member States shall notify the Commission and eu-LISA of any changes to the authorities notified without delay. In the event of such changes, eu-LISA shall publish once a year an updated consolidated list in the Official Journal of the European Union. eu-LISA shall maintain a continuously updated public website containing that information.

3.   Member States shall notify the Commission and eu-LISA of their designated authorities and of their central access points as referred to in Article 22l and shall notify any changes in that regard without delay.

4.   The Commission shall publish the information referred to in paragraphs 1 and 3 in the Official Journal of the European Union. In the event of changes to the information, the Commission shall publish once a year an updated consolidated version of it. The Commission shall maintain a continuously updated public website containing that information.

1.   In order to fulfil their obligation under point (b) of Article 26(1) of the Schengen Convention, air carriers, sea carriers and international carriers transporting groups overland by coach shall send a query to the VIS in order to verify whether third country nationals who are subject to a visa requirement or who are required to hold a long-stay visa or a residence permit are in possession of a valid visa, long-stay visa or residence permit, as applicable.

2.   Secure access to the carrier gateway referred to in point (h) of Article 2a, including the possibility to use mobile technical solutions, shall allow carriers to proceed with the query referred to in paragraph 1 of this Article prior to the boarding of a passenger.

For this purpose, as regards visas, the carrier shall provide the data referred to in point (4)(a), (b) and (c) of Article 9 and as regards long-stay visas and residence permits, the carrier shall provide the data referred to in points (d), (e) and (f) of Article 22a(1), as contained in the travel document. The carrier shall also indicate the Member State of entry or, in the case of airport transit, the Member State of transit.

By way of derogation from the second subparagraph of this paragraph, in the case of airport transit, the carrier shall not be obliged to send a query to the VIS, except where the third-country national is required to hold an airport transit visa in accordance with Article 3 of Regulation (EC) No 810/2009.

3.   The VIS shall provide the carriers with an OK/NOT OK answer, indicating whether the person has a valid visa, long-stay visa or residence permit, as applicable.

If a visa with limited territorial validity has been issued in accordance with Article 25 of Regulation (EC) No 810/2009, the answer provided by the VIS shall take into account the Member States for which the visa is valid as well as the Member State of entry indicated by the carrier.

Carriers may store the information sent and the answer received in accordance with the applicable law. The OK/NOT OK answer shall not be regarded as a decision to authorise or refuse entry in accordance with Regulation (EU) 2016/399.

The Commission shall adopt implementing acts to lay down detailed rules concerning the conditions for the operation of the carrier gateway and the data protection and security rules applicable. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 49(2).

4.   Where third-country nationals are refused boarding as a result of a consultation of the VIS, carriers shall inform them that this refusal is due to information stored in the VIS and shall provide them with information on their rights with regard to access to and rectification or erasure of personal data recorded in the VIS.

5.   An authentication scheme, reserved exclusively for carriers, shall be set up in order to allow access to the carrier gateway for the purposes of this Article to the duly authorised members of the carriers’ staff. When setting up the authentication scheme, information security risk management and the principles of data protection by design and by default shall be taken into account.

The Commission shall adopt implementing acts to lay down the authentication scheme for carriers. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 49(2).

6.   The carrier gateway shall make use of a separate read-only database updated on a daily basis via a one-way extraction of the minimum necessary subset of VIS data. eu-LISA shall be responsible for the security of the carrier gateway, for the security of the personal data it contains and for the process of extracting the personal data into the separate read-only database.

7.   By way of derogation from paragraph 1 of this Article, for carriers transporting groups overland by coach, the verification pursuant to that paragraph shall be optional for the first 18 months following the date of the start of operations of the VIS pursuant to Article 11 of Regulation (EU) 2021/1134.

8.   For the purpose of implementing paragraph 1 or for the purpose of resolving any potential dispute arising from its application, eu-LISA shall keep logs of all data processing operations carried out within the carrier gateway by carriers. Those logs shall show the date and time of each operation, the data used for consultation, the data transmitted by the carrier gateway and the name of the carrier in question.

eu-LISA shall store the logs for a period of two years. eu-LISA shall ensure that logs are protected by appropriate measures against unauthorised access.

1.   Where it is technically impossible to proceed with the query referred to in Article 45c(1), because of a failure of any part of the VIS, the carriers shall be exempt from the obligation to verify the possession of a valid visa, long-stay visa or residence permit by using the carrier gateway. Where such a failure is detected by eu-LISA, the ETIAS Central Unit shall notify the carriers and the Member States. It shall also notify the carriers and the Member States when the failure is remedied. Where such a failure is detected by the carriers, they may notify the ETIAS Central Unit. The ETIAS Central Unit shall inform the Member States without delay about the notification of the carriers.

2.   Where for other reasons than a failure of any part of VIS it is technically impossible for a carrier to proceed with the query referred to in Article 45c(1) for a prolonged period of time, the carrier shall notify the ETIAS Central Unit. The ETIAS Central Unit shall inform the Member States without delay about the notification of that carrier.

3.   The Commission shall adopt an implementing act to lay down the details of the fall-back procedures in the case of technical impossibility to access data by carriers. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 49(2).

1.   To exercise the tasks and powers pursuant to Article 82(1) and (10) of Regulation (EU) 2019/1896 of the European Parliament and of the Council (**) the members of the European Border and Coast Guard teams, as well as teams of staff involved in return-related operations, shall, within their mandate, have the right to access and search VIS data.

2.   To ensure the access referred to in paragraph 1 of this Article, the European Border and Coast Guard Agency shall designate a specialised unit with duly empowered European Border and Coast Guard officials as the central access point. The central access point shall verify that the conditions to request access to the VIS laid down in Article 45f are fulfilled.

1.   In view of the access referred to in Article 45e(1), a European Border and Coast Guard team may submit a request for the consultation of all VIS data or a specific set of VIS data to the European Border and Coast Guard central access point referred to in Article 45e(2). The request shall refer to the operational plan on border checks, border surveillance or return of that Member State on which the request is based. Upon receipt of a request for access, the European Border and Coast Guard central access point shall verify whether the conditions for access referred to in paragraph 2 of this Article are fulfilled. If all conditions for access are fulfilled, the duly authorised staff of the central access point shall process the request. The VIS data accessed shall be transmitted to the team in such a way as not to compromise the security of the data.

2.   For the access to be granted, the following conditions shall apply:

3.   In accordance with Article 82(4) of Regulation (EU) 2019/1896, members of the European Border and Coast Guard teams, as well as teams of staff involved in return-related tasks shall act in response to information obtained from the VIS only under instructions from and, as a general rule, in the presence of border guards or staff involved in return-related tasks of the host Member State in which they are operating. The host Member State may authorise members of the European Border and Coast Guard teams to act on its behalf.

4.   In the case of doubt or if the verification of the identity of the visa holder, long-stay visa holder or residence permit holder fails, the member of the European Border and Coast Guard team shall refer the person to a border guard of the host Member State.

5.   Consultation of VIS data by members of the teams shall take place as follows:

6.   Where access and searches pursuant to paragraph 5 reveal the existence of data recorded in the VIS, the host Member State shall be informed thereof.

7.   Every log of data processing operations within the VIS by a member of the European Border and Coast Guard teams or teams of staff involved in return-related tasks shall be kept by eu-LISA in accordance with Article 34.

8.   Every instance of access and every search made by the European Border and Coast Guard teams shall be logged in accordance with Article 34 and every use made of data accessed by the European Border and Coast Guard teams shall be registered.

9.   For the purposes of Article 45e and of this Article, no parts of the VIS shall be connected to any computer system for data collection and processing operated by or at the European Border and Coast Guard Agency nor shall the data contained in the VIS to which the European Border and Coast Guard Agency has access be transferred to such a system. No part of the VIS shall be downloaded. The logging of access and searches shall not be construed as constituting to be the downloading or copying of VIS data.

10.   Measures to ensure security of data as provided for in Articles 32 shall be adopted and applied by the European Border and Coast Guard Agency.

1.   The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2.   The power to adopt delegated acts referred to in Article 9, Article 9h(2), Article 9j(2) and Article 22b(18) shall be conferred on the Commission for a period of five years from 2 August 2021. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the five-year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.

3.   The delegation of power referred to in Article 9, Article 9h(2), Article 9j(2) and Article 22b(18) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4.   Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Inter-institutional Agreement of 13 April 2016 on Better Law-Making.

5.   As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

6.   A delegated act adopted pursuant to Article 9, Article 9h(2), Article 9j(2) or Article 22b(18) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.”;

1.   The Commission shall be assisted by the committee established by Article 68(1) of Regulation (EU) 2017/2226. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011 of the European Parliament and of the Council (*).

2.   Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

1.   eu-LISA shall ensure that procedures are in place to monitor the functioning of the VIS against objectives relating to output, cost-effectiveness, security and quality of service.

2.   For the purposes of technical maintenance, eu-LISA shall have access to the necessary information relating to the data processing operations performed in the VIS.

3.   Every two years eu-LISA shall submit to the European Parliament, the Council and the Commission a report on the technical functioning of the VIS, including the security and costs thereof. The report shall also contain, once the technology is in use, an evaluation of the use of facial images to identify persons, including an assessment of any difficulties encountered.

4.   While respecting the provisions of national law on the publication of sensitive information, each Member State and Europol shall prepare annual reports on the effectiveness of access to VIS data for law enforcement purposes containing information and statistics on:

Member States’ and Europol’s annual reports shall be transmitted to the Commission by 30 June of the subsequent year.

A technical solution shall be made available to Member States in order to facilitate the collection of those data pursuant to Chapter IIIb for the purpose of generating statistics referred to in this paragraph. The Commission shall, by means of implementing acts, adopt the specifications of the technical solution. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 49(2).

5.   Three years after the date of the start of operations of the VIS pursuant to Article 11 of Regulation (EU) 2021/1134 and every four years thereafter, the Commission shall produce an overall evaluation of the VIS. The overall evaluation shall include an examination of results achieved against objectives and costs sustained and an assessment of the continuing validity of the underlying rationale, and its impact on fundamental rights, the application of this Regulation in respect of the VIS, the security of the VIS, the use made of the provisions referred to in Article 31 and any implications for future operations. It shall also include a detailed analysis of the data provided in the annual reports foreseen by paragraph 4 of this Article, with a view to assessing the effectiveness of access to VIS data for law enforcement purposes, as well as an assessment of whether the querying of ECRIS-TCN by the VIS has contributed to supporting the objective of assessing whether the applicant could pose a threat to public policy or public security. The Commission shall transmit the evaluation to the European Parliament and the Council.

6.   Member States shall provide eu-LISA and the Commission with the information necessary to draft the reports referred to in paragraphs 3, 4 and 5.

7.   eu-LISA shall provide the Commission with the information necessary to produce the overall evaluation referred to in paragraph 5.