Accept Refuse

EUR-Lex Access to European Union law

This document is an excerpt from the EUR-Lex website

Document L:2018:312:FULL

Official Journal of the European Union, L 312, 7 December 2018


Display all documents published in this Official Journal
 

ISSN 1977-0677

Official Journal

of the European Union

L 312

European flag  

English edition

Legislation

Volume 61
7 December 2018


Contents

 

I   Legislative acts

page

 

 

REGULATIONS

 

*

Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 November 2018 on the use of the Schengen Information System for the return of illegally staying third-country nationals

1

 

*

Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006

14

 

*

Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU

56

 

 

Corrigenda

 

*

Corrigendum to Regulation (EU) 2017/2225 of the European Parliament and of the Council of 30 November 2017 amending Regulation (EU) 2016/399 as regards the use of the Entry/Exit System ( OJ L 327, 9.12.2017 )

107

EN

Acts whose titles are printed in light type are those relating to day-to-day management of agricultural matters, and are generally valid for a limited period.

The titles of all other Acts are printed in bold type and preceded by an asterisk.


I Legislative acts

REGULATIONS

7.12.2018   

EN

Official Journal of the European Union

L 312/1


REGULATION (EU) 2018/1860 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of 28 November 2018

on the use of the Schengen Information System for the return of illegally staying third-country nationals

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 79(2)(c) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Acting in accordance with the ordinary legislative procedure (1),

Whereas:

(1)

The return of third-country nationals who do not fulfil or no longer fulfil the conditions for entry, stay or residence in the Member States, in full respect of fundamental rights and in particular the principle of non-refoulement, and in accordance with Directive 2008/115/EC of the European Parliament and of the Council (2), is an essential part of the comprehensive efforts to tackle irregular migration and increase the rate of return of irregular migrants.

(2)

It is necessary to increase the effectiveness of the Union system to return illegally staying third-country nationals. This is essential for maintaining public trust in the Union migration and asylum policy and providing support to persons in need of international protection.

(3)

Member States should take all necessary measures to return illegally staying third-country nationals in an effective and proportionate manner, in accordance with the provisions of Directive 2008/115/EC.

(4)

Regulation (EU) 2018/1861 (3) and Regulation (EU) 2018/1862 (4) of the European Parliament and of the Council lay down the conditions for the establishment, operation and use of the Schengen Information System (SIS).

(5)

A system should be established for sharing information between Member States that use SIS pursuant to Regulation (EU) 2018/1861 concerning return decisions issued in respect of third-country nationals staying illegally on the territory of the Member States and for monitoring whether third-country nationals subject to those decisions have left the territory of the Member States.

(6)

This Regulation does not affect the rights and obligations of third-country nationals laid down in Directive 2008/115/EC. An alert entered into SIS for the purpose of return does not, in itself, constitute a determination of the status of the third-country national on the territory of Member States, especially in Member States other than the Member State which entered the alert into SIS.

(7)

Alerts on return entered into SIS and the exchange of supplementary information concerning those alerts should support competent authorities to take the necessary measures to enforce return decisions. SIS should contribute to the identification of and the information sharing between Member States on third-country nationals who are subject to such a return decision, who have absconded and are apprehended in another Member State. Those measures should help prevent and deter irregular migration and secondary movements and enhance cooperation between Member States' authorities.

(8)

To ensure the effectiveness of return and increase the added value of alerts on return, Member States should enter alerts into SIS in relation to return decisions they issue in respect of illegally staying third-country nationals in accordance with provisions respecting Directive 2008/115/EC. For this purpose, Member States should also enter an alert into SIS when decisions imposing or stating an obligation to return are issued in the situations described in Article 2(2) of that Directive, namely to third-country nationals who are subject to a refusal of entry in accordance with Regulation (EU) 2016/399 of the European Parliament and of the Council (5), or who are apprehended or intercepted by the competent authorities in connection with the irregular crossing by land, sea or air of the external border of a Member State and who have not subsequently obtained an authorisation or a right to stay in that Member State, and to third-country nationals who are subject to return as a criminal law sanction or as a consequence of a criminal law sanction, according to national law, or who are the subject of extradition procedures. In certain circumstances, Member States may refrain from entering alerts on return into SIS where the risk of the return decision not being complied with is low, namely during any period of detention or when the return decision is issued at the external border and is executed immediately, in order to reduce their administrative burden.

(9)

This Regulation should set out common rules for entering alerts on return into SIS. Alerts on return should be entered into SIS as soon as the underlying return decisions are issued. The alert should indicate whether a period for voluntary departure has been granted to the third-country national concerned, including whether such period has been extended and whether the decision has been suspended or removal has been postponed.

(10)

It is necessary to determine the categories of data to be entered into SIS in respect of a third-country national who is the subject of a return decision. Alerts on return should contain only those data that are necessary to identify the data subjects, to allow the competent authorities to take informed decisions without losing time and to ensure, where necessary, the protection of those authorities from persons who are, for example, armed, violent, have escaped or are involved in an activity as referred to in Articles 3 to 14 of Directive (EU) 2017/541 of the European Parliament and of the Council (6). Furthermore, in order to facilitate identification and detect multiple identities, the alert should include also a reference to the identification document of the person concerned and a copy of that document, where available.

(11)

Given the reliability of identifying persons using fingerprints and photographs or facial images, they should always be inserted in alerts on return. As they may not be available, for example, when a return decision is taken in absentia, it should exceptionally be possible to derogate from this requirement in such cases.

(12)

The exchange of supplementary information provided by the national competent authorities on third-country nationals subject to alerts on return, should always be carried out through the network of national offices called SIRENE Bureaux serving as point of contact and in accordance with Articles 7 and 8 of Regulation (EU) 2018/1861.

(13)

Procedures should be established to enable Member States to verify that the obligation to return has been complied with and to confirm the departure of the third-country national concerned to the Member State that entered the alert on return into SIS. This information should contribute to more comprehensive monitoring of the compliance with return decisions.

(14)

Alerts on return should be deleted as soon as the Member State or competent authority that issued the return decision receives confirmation that the return has taken place or where the competent authority has sufficient and convincing information that the third-country national has left the territory of the Member States. Where a return decision is accompanied by an entry ban, an alert for refusal of entry and stay should be entered into SIS in accordance with Regulation (EU) 2018/1861. In such cases Member States should take all necessary measures to ensure that no time-gap exists between the moment in which the third-country national leaves the Schengen area and the activation of the alert for refusal of entry and stay in SIS. If the data contained in SIS show that the return decision is accompanied by an entry ban, the enforcement of the entry ban should be ensured.

(15)

SIS should contain a mechanism for notifying the Member States of the non-compliance of third-country nationals with an obligation to return within a given period of voluntary departure. The mechanism should support the Member States in fulfilling their obligations to enforce return decisions and their obligations to issue an entry ban in accordance with Directive 2008/115/EC with regard to third-country nationals who have not complied with an obligation to return.

(16)

This Regulation should establish mandatory rules for consultation between Member States to avoid or reconcile conflicting instructions. Consultations should be carried out where third-country nationals who hold, or are being granted, a valid residence permit or a long-stay visa by a Member State are subject to an alert on return issued by another Member State, in particular if the return decision is accompanied by an entry ban, or where conflicting situations may arise at entry in the territories of the Member States.

(17)

Alerts should be kept in SIS only for the time required to fulfil the purposes for which they were entered. The relevant provisions of Regulation (EU) 2018/1861 on review periods should apply. Alerts on return should be automatically deleted as soon as they expire, in accordance with the review procedure referred to in that Regulation.

(18)

Personal data obtained by a Member State pursuant to this Regulation should not be transferred or made available to any third country. As a derogation to that rule, it should be possible to transfer such personal data to a third country where the transfer is subject to strict conditions and is necessary in individual cases in order to assist with the identification of a third-country national for the purposes of his or her return. The transfer of any personal data to third countries should be carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (7) and be conducted with the agreement of the issuing Member State. It should be noted however, that third countries of return are often not subject to adequacy decisions adopted by the Commission under Article 45 of Regulation (EU) 2016/679. Furthermore, the extensive efforts of the Union in cooperating with the main countries of origin of illegally-staying third-country nationals subject to an obligation to return has not been able to ensure the systematic fulfilment by such third countries of the obligation established by international law to readmit their own nationals. Readmission agreements that have been concluded or are being negotiated by the Union or the Member States and which provide for appropriate safeguards for the transfer of data to third countries pursuant to Article 46 of Regulation (EU) 2016/679 cover a limited number of such third countries.

Conclusion of any new agreement remains uncertain. In those circumstances, and as an exception to the requirement for an adequacy decision or appropriate safeguards, transfer of personal data to third-country authorities pursuant to this Regulation should be allowed for the purposes of implementing the return policy of the Union. It should be possible to use the derogation provided for in Article 49 of Regulation (EU) 2016/679, subject to the conditions set out in that Article. Under Article 57 of that Regulation, implementation of that Regulation, including with regard to transfers of personal data to third countries pursuant to this Regulation, should be subject to monitoring by independent supervisory authorities.

(19)

National authorities responsible for return might differ significantly among Member States, and such authorities might also vary within a Member State depending on the reasons for illegal stay. Judicial authorities might also issue return decisions, for instance as result of appeals against a refusal to grant an authorisation or right to stay or as a criminal sanction. All national authorities in charge of issuing and enforcing return decisions in accordance with Directive 2008/115/EC should be entitled to access SIS in order to enter, update, delete and search alerts on return.

(20)

Access to alerts on return should be granted to the national competent authorities referred to in Regulation (EU) 2018/1861 for the purpose of identification and return of third-country nationals.

(21)

Regulation (EU) 2016/794 of the European Parliament and of the Council (8) provides that Europol is to support and strengthen actions carried out by the national competent authorities and their cooperation in combating terrorism and serious crime and to provide analysis and threat assessments. In order to facilitate Europol in carrying out its tasks, in particular within the European Migrant Smuggling Centre, it is appropriate to allow Europol access to the category of alerts as provided for in this Regulation.

(22)

Regulation (EU) 2016/1624 of the European Parliament and of the Council (9) provides, for the purpose of that Regulation, that the host Member State is to authorise the members of the teams referred to in point (8) of Article 2 of that Regulation deployed by the European Border and Coast Guard Agency to consult Union databases where this consultation is necessary for fulfilling operational aims specified in the operational plan on border checks, border surveillance and return. The objective of the deployment of the teams referred to in points (8) and (9) of Article 2 of that Regulation is to provide technical and operational reinforcement to the requesting Member States, especially to those facing disproportionate migratory challenges. For the teams referred to in points (8) and (9) of Article 2 of that Regulation to fulfil their tasks, they require access to alerts on return in SIS through a technical interface of the European Border and Coast Guard Agency connecting to Central SIS.

(23)

The provisions on responsibilities of the Member States and the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice established by Regulation (EU) 2018/1726 of the European Parliament and of the Council (10) (‘eu-LISA’), on the entry and processing of alerts, on the conditions for access to and retention of alerts, on data processing, on data protection, on liability and on monitoring and statistics in Regulation (EU) 2018/1861 should also apply to data contained and processed in SIS in accordance with this Regulation.

(24)

Since the objectives of this Regulation, namely to establish a system for sharing information about return decisions issued by the Member States in accordance with provisions respecting Directive 2008/115/EC in view of facilitating their enforcement and to monitor the compliance of illegally staying third-country nationals with their obligation to return, cannot be sufficiently achieved by the Member States, but can rather, by reason of its scale and effects, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.

(25)

This Regulation respects fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union.

(26)

The application of this Regulation is without prejudice to the obligations deriving from the Geneva Convention relating to the Status of Refugees of 28 July 1951, as supplemented by the New York Protocol of 31 January 1967.

(27)

Member States should implement this Regulation in full respect of fundamental rights, including the respect of the principle of non-refoulement, and should always take into consideration the best interests of the child, family life, and the state of health or condition of vulnerability of the individuals concerned.

(28)

In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark annexed to the TEU and to the Treaty on the Functioning of the European Union, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application. Given that this Regulation builds upon the Schengen acquis, Denmark shall, in accordance with Article 4 of that Protocol, decide within a period of six months after the Council has decided on this Regulation whether it will implement it in its national law.

(29)

This Regulation constitutes a development of provisions of the Schengen acquis in which the United Kingdom does not take part, in accordance with Council Decision 2000/365/EC (11); the United Kingdom is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(30)

This Regulation constitutes a development of the provisions of the Schengen acquis in which Ireland does not take part, in accordance with Council Decision 2002/192/EC (12); Ireland is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(31)

As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the latters' association with the implementation, application and development of the Schengen acquis (13), which fall within the area referred to in Article 1, point (C) of Council Decision 1999/437/EC (14).

(32)

As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis (15), which fall within the area referred to in Article 1, point (C) of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/146/EC (16).

(33)

As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis (17), which fall within the area referred to in Article 1, point (C) of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (18).

(34)

As regards Bulgaria and Romania, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 4(2) of the 2005 Act of Accession and should be read in conjunction with Council Decisions 2010/365/EU (19) and (EU) 2018/934 (20).

(35)

As regards Croatia, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 4(2) of the 2011 Act of Accession and should be read in conjunction with Council Decision (EU) 2017/733 (21).

(36)

Concerning Cyprus this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 3(2) of the 2003 Act of Accession.

(37)

The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 of the European Parliament and of the Council (22) and delivered an opinion on 3 May 2017,

HAVE ADOPTED THIS REGULATION:

Article 1

Subject matter and scope

This Regulation lays down the conditions and procedures for the entry and processing of alerts in respect of third-country nationals subject to return decisions issued by the Member States in the Schengen Information System (SIS) established by Regulation (EU) 2018/1861, as well as for exchanging supplementary information on such alerts.

Article 2

Definitions

For the purposes of this Regulation, the following definitions apply:

(1)

‘return’ means return as defined in point (3) of Article 3 of Directive 2008/115/EC;

(2)

‘third-country national’ means a third-country national as defined in point (1) of Article 3 of Directive 2008/115/EC;

(3)

‘return decision’ means an administrative or judicial decision or act, stating or declaring the stay of a third-country national to be illegal and imposing or stating an obligation to return that respects Directive 2008/115/EC;

(4)

‘alert’ means an alert as defined in point (1) of Article 3 of Regulation (EU) 2018/1861;

(5)

‘supplementary information’ means supplementary information as defined in point (2) of Article 3 of Regulation (EU) 2018/1861;

(6)

‘removal’ means removal as defined in point (5) of Article 3 of Directive 2008/115/EC;

(7)

‘voluntary departure’ means a voluntary departure as defined in point (8) of Article 3 of Directive 2008/115/EC;

(8)

‘issuing Member State’ means an issuing Member State as defined in point (10) of Article 3 of Regulation (EU) 2018/1861;

(9)

‘granting Member State’ means a granting Member State as defined in point (11) of Article 3 of Regulation (EU) 2018/1861;

(10)

‘executing Member State’ means an executing Member State as defined in point (12) of Article 3 of Regulation (EU) 2018/1861;

(11)

‘personal data’ means personal data as defined in point (1) of Article 4 of Regulation (EU) 2016/679;

(12)

‘CS-SIS’ means the technical support function of the Central SIS as referred to in point (a) of Article 4(1) of Regulation (EU) 2018/1861;

(13)

‘residence permit’ means a residence permit as defined in point (16) of Article 2 of Regulation (EU) 2016/399;

(14)

‘long-stay visa’ means a long-stay visa as referred to in Article 18(1) of Convention of 19 June 1990 implementing the Schengen Agreement of 14 June 1985 between the governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders (23);

(15)

a ‘hit’ means a hit as defined in point (8) of Article 3 of Regulation (EU) 2018/1861;

(16)

‘threat to public health’ means a threat to public health as defined in point (21) of Article 2 of Regulation (EU) 2016/399;

(17)

‘external borders’ means the external borders as defined in point (2) of Article 2 of Regulation (EU) 2016/399.

Article 3

Entry of alerts on return into SIS

1.   Member States shall enter into SIS alerts on third-country nationals subject to a return decision for the purpose of verifying that the obligation to return has been complied with and of supporting the enforcement of the return decisions. An alert on return shall be entered into SIS without delay following issue of a return decision.

2.   Member States may refrain from entering alerts on return when the return decisions concern third-country nationals who are detained pending removal. If the third-country nationals concerned are released from detention without being removed, an alert on return shall be entered into SIS without delay.

3.   Member States may refrain from entering alerts on return when the return decision is issued at the external border of a Member State and is executed immediately.

4.   The period for voluntary departure granted in accordance with Article 7 of Directive 2008/115/EC shall be recorded in the alert on return immediately. Any extension of that period shall be recorded in the alert without delay.

5.   Any suspension or postponement of the enforcement of the return decision, including as a result of the lodging of an appeal, shall immediately be recorded in the alert on return.

Article 4

Categories of data

1.   An alert on return entered into SIS in accordance with Article 3 of this Regulation shall contain only the following data:

(a)

surnames;

(b)

forenames;

(c)

names at birth;

(d)

previously used names and aliases;

(e)

place of birth;

(f)

date of birth;

(g)

gender;

(h)

any nationalities held;

(i)

whether the person concerned:

(i)

is armed;

(ii)

is violent;

(iii)

has absconded or escaped;

(iv)

poses a risk of suicide;

(v)

poses a threat to public health; or

(vi)

is involved in an activity referred to in Articles 3 to 14 of Directive (EU) 2017/541;

(j)

the reason for the alert;

(k)

the authority which created the alert;

(l)

a reference to the decision giving rise to the alert;

(m)

the action to be taken in the case of a hit;

(n)

links to other alerts pursuant to Article 48 of Regulation (EU) 2018/1861;

(o)

whether the return decision is issued in relation to a third-country national who poses a threat to public policy, to public security or to national security;

(p)

the type of offence;

(q)

the category of the person's identification documents;

(r)

the country of issue of the person's identification documents;

(s)

the number(s) of the person's identification documents;

(t)

the date of issue of the person's identification documents;

(u)

photographs and facial images;

(v)

dactyloscopic data;

(w)

a copy of the identification documents, in colour wherever possible;

(x)

last date of the period for voluntary departure, if granted;

(y)

whether the return decision has been suspended or the enforcement of the decision has been postponed, including as a result of the lodging of an appeal;

(z)

whether the return decision is accompanied by an entry ban constituting the basis for an alert for refusal of entry and stay pursuant to point (b) of Article 24(1) of Regulation (EU) 2018/1861.

2.   The minimum set of data necessary to enter an alert into SIS shall be the data referred to in points (a), (f), (j), (l), (m), (x) and (z) of paragraph 1. The other data referred to in that paragraph shall also be entered into SIS, if available.

3.   Dactyloscopic data referred to in point (v) of paragraph 1 may consist of:

(a)

one to ten flat fingerprints and one to ten rolled fingerprints of the third-country national concerned;

(b)

up to two palm prints in respect of third-country nationals from whom the collection of fingerprints is impossible;

(c)

up to two palm prints in respect of third-country nationals who are subject to return as a criminal law sanction or who have committed a criminal offence on the territory of the Member State which issued the return decision.

Article 5

Authority responsible for the exchange of supplementary information

The SIRENE Bureau designated under Article 7 of Regulation (EU) 2018/1861 shall ensure the exchange of all supplementary information on third-country nationals who are the subject of an alert on return, in accordance with Articles 7 and 8 of that Regulation.

Article 6

Hits at the external borders at exit — Confirmation of return

1.   In the event of a hit on an alert on return concerning a third-country national who is exiting the territory of the Member States through the external border of a Member State, the executing Member State shall communicate the following information to the issuing Member State through the exchange of supplementary information:

(a)

that the third-country national has been identified;

(b)

the location and time of the check;

(c)

that the third-country national has left the territory of the Member States;

(d)

that the third-country national has been subject to removal, if this is the case.

Where a third-country national who is the subject of an alert on return exits the territory of the Member States through the external border of the issuing Member State, the confirmation of return shall be sent to the competent authority of that Member State in accordance with national procedures.

2.   The issuing Member State shall delete the alert on return without delay following the receipt of the confirmation of return. Where applicable, an alert for refusal of entry and stay shall be entered without delay pursuant to point (b) of Article 24(1) of Regulation (EU) 2018/1861.

3.   The Member States shall on a quarterly basis provide statistics to the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) on the number of confirmed returns and on the number of those confirmed returns where the third-country national was subject to removal. eu-LISA shall compile the quarterly statistics into the annual statistical report referred to in Article 16 of this Regulation. The statistics shall not contain personal data.

Article 7

Non-compliance with return decisions

1.   Upon expiry of the period for voluntary departure indicated in an alert on return, including any possible extensions, CS-SIS shall automatically notify the issuing Member State.

2.   Without prejudice to the procedure referred to in Articles 6(1), 8 and 12, in the event of a hit on an alert on return, the executing Member State shall immediately contact the issuing Member State through the exchange of supplementary information in order to determine the measures to be taken.

Article 8

Hits at the external borders upon entry

In the event of a hit on an alert on return concerning a third-country national who is entering the territory of the Member States through the external borders, the following shall apply:

(a)

where the return decision is accompanied by an entry ban, the executing Member State shall immediately inform the issuing Member State through the exchange of supplementary information. The issuing Member State shall immediately delete the alert on return and enter an alert for refusal of entry and stay pursuant to point (b) of Article 24(1) of Regulation (EU) 2018/1861;

(b)

where the return decision is not accompanied by an entry ban, the executing Member State shall immediately inform the issuing Member State through the exchange of supplementary information, in order that the issuing Member State delete the alert on return without delay.

The decision on the entry of the third-country national shall be taken by the executing Member State in accordance with Regulation (EU) 2016/399.

Article 9

Prior consultation before granting or extending a residence permit or long-stay visa

1.   Where a Member State considers granting or extending a residence permit or long-stay visa to a third-country national who is the subject of an alert on return entered by another Member State that is accompanied by an entry ban, the Member States involved shall consult each other through the exchange of supplementary information, in accordance with the following rules:

(a)

the granting Member State shall consult the issuing Member State prior to granting or extending the residence permit or long-stay visa;

(b)

the issuing Member State shall reply to the consultation request within 10 calendar days;

(c)

the absence of a reply by the deadline referred to in point (b) shall mean that the issuing Member State does not object to the granting or extending of the residence permit or long-stay visa;

(d)

when making the relevant decision, the granting Member State shall take into account the reasons for the decision of the issuing Member State and shall consider, in accordance with national law, any threat to public policy or to public security which the presence of the third-country national in question on the territory of the Member States may pose;

(e)

the granting Member State shall notify the issuing Member State of its decision; and

(f)

where the granting Member State notifies the issuing Member State that it intends to grant or extend the residence permit or long-stay visa or that it has decided to do so, the issuing Member State shall delete the alert on return.

The final decision on whether to grant a residence permit or long-stay visa to a third-country national rests with the granting Member State.

2.   Where a Member State considers granting or extending a residence permit or long-stay visa to a third-country national who is the subject of an alert on return entered by another Member State which is not accompanied by an entry ban, the granting Member State shall inform without delay the issuing Member State that it intends to grant or has granted a residence permit or a long-stay visa. The issuing Member State shall delete the alert on return without delay.

Article 10

Prior consultation before entering an alert on return

Where a Member State has issued a return decision in accordance with Article 6(2) of Directive 2008/115/EC and considers entering an alert on return concerning a third-country national who is the holder of a valid residence permit or long-stay visa granted by another Member State, the Member States involved shall consult each other, through the exchange of supplementary information, in accordance with the following rules:

(a)

the Member State that has taken the return decision shall inform the granting Member State of the decision;

(b)

the information exchanged under point (a) shall include sufficient detail on the reasons for the return decision;

(c)

on the basis of the information provided by the Member State that has taken the return decision, the granting Member State shall consider whether there are reasons for withdrawing the residence permit or long-stay visa;

(d)

when making the relevant decision, the granting Member State shall take into account the reasons for the decision of the Member State that has taken the return decision and shall consider, in accordance with national law, any threat to public policy or to public security which the presence of the third-country national in question on the territory of the Member States may pose;

(e)

within 14 calendar days of receipt of the request for consultation the granting Member State shall notify the Member State that has taken the return decision of its decision or, where it has been impossible for the granting Member State to take a decision within that period, shall make a reasoned request to extend exceptionally the time period for its response for a maximum of a further 12 calendar days;

(f)

where the granting Member State notifies the Member State that has taken the return decision that it is maintaining the residence permit or long-stay visa, the Member State that has taken the return decision shall not enter the alert on return.

Article 11

A posteriori consultation after entering an alert on return

Where it emerges that a Member State has entered an alert on return concerning a third-country national who is the holder of a valid residence permit or long-stay visa granted by another Member State, the issuing Member State may decide to withdraw the return decision. In the case of such withdrawal, it shall immediately delete the alert on return. However, where the issuing Member State decides to maintain the return decision issued in accordance with Article 6(2) of Directive 2008/115/EC, the Member States involved shall consult each other, through the exchange of supplementary information, in accordance with the following rules:

(a)

the issuing Member State shall inform the granting Member State of the return decision;

(b)

the information exchanged under point (a) shall include sufficient detail on the reasons for the alert on return;

(c)

on the basis of the information provided by the issuing Member State, the granting Member State shall consider whether there are reasons for withdrawing the residence permit or long-stay visa;

(d)

when making its decision, the granting Member State shall take into account the reasons for the decision of the issuing Member State and shall consider, in accordance with national law, any threat to public policy or to public security which the presence of the third-country national in question on the territory of the Member States may pose;

(e)

within 14 calendar days of receipt of the request for consultation the granting Member State shall notify the issuing Member State of its decision or, where it has been impossible for the granting Member State to take a decision within that period, shall make a reasoned request to extend exceptionally the time period for its response for a maximum of a further 12 calendar days;

(f)

where the granting Member State notifies the issuing Member State that it is maintaining the residence permit or long-stay visa, the issuing Member State shall immediately delete the alert on return.

Article 12

Consultation in the case of a hit concerning a third-country national holding a valid residence permit or long-stay visa

Where a Member State encounters a hit on an alert on return entered by a Member State concerning a third-country national who is the holder of a valid residence permit or long-stay visa granted by another Member State, the Member States involved shall consult each other through the exchange of supplementary information, in accordance with the following rules:

(a)

the executing Member State shall inform the issuing Member State of the situation;

(b)

the issuing Member State shall initiate the procedure laid down in Article 11;

(c)

the issuing Member State shall notify the executing Member State of the outcome following the consultation.

Article 13

Statistics on exchange of information

Member States shall provide statistics to eu-LISA on an annual basis on the exchanges of information carried out in accordance with Articles 8 to 12 and on the instances in which the deadlines provided for in those Articles were not met.

Article 14

Deletion of alerts

1.   In addition to Articles 6 and 8 to 12, alerts on return shall be deleted when the decision on the basis of which the alert was entered has been withdrawn or annulled by the competent authority. Alerts on return shall also be deleted when the third-country national concerned can demonstrate that he or she has left the territory of the Member States in compliance with the respective return decision.

2.   Alerts on return concerning a person who has acquired citizenship of a Member State or of any State whose nationals are beneficiaries of the right of free movement under Union law shall be deleted as soon as the issuing Member State becomes aware, or is so informed pursuant to Article 44 of Regulation (EU) 2018/1861 that the person in question has acquired such citizenship.

Article 15

Transfer of personal data to third countries for the purpose of return

1.   By way of derogation from Article 50 of Regulation (EU) 2018/1861, the data referred to in points (a), (b), (c), (d), (e), (f), (g), (h), (q), (r), (s), (t), (u), (v) and (w) of Article 4(1) of this Regulation and the related supplementary information may be transferred or made available to a third country with the agreement of the issuing Member State.

2.   The transfer of the data to a third country shall be carried out in accordance with the relevant provisions of Union law, in particular provisions on protection of personal data, including Chapter V of Regulation (EU) 2016/679, with readmission agreements where applicable, and with the national law of the Member State transferring the data.

3.   The transfers of data to a third country shall take place only when the following conditions are met:

(a)

the data is transferred or made available solely for the purpose of identification of, and issuance of an identification or travel document to, an illegally staying third-country national in view of his or her return;

(b)

the third-country national concerned has been informed that his or her personal data and supplementary information may be shared with the authorities of a third country.

4.   Transfers of personal data to third countries pursuant to this Article shall not prejudice the rights of applicants for and beneficiaries of international protection, in particular as regards non-refoulement, and the prohibition on disclosing or obtaining information set out in Article 30 of Directive 2013/32/EU of the European Parliament and of the Council (24).

5.   Data processed in SIS and the related supplementary information exchanged pursuant to this Regulation shall not be made available to a third country where the enforcement of the return decision was suspended or postponed, including as a result of the lodging of an appeal, on grounds that such return would violate the principle of non-refoulement.

6.   Application of Regulation (EU) 2016/679, including with regard to the transfer of personal data to third countries pursuant to this Article, and in particular the use, proportionality and necessity of transfers based on point (d) of Article 49(1) of that Regulation, shall be subject to monitoring by the independent supervisory authorities referred to in Article 51(1) of that Regulation.

Article 16

Statistics

eu-LISA shall produce daily, monthly and annual statistics, both for each Member State and in aggregate, on the number of alerts on return entered into SIS. The statistics shall include the data referred to in point (y) of Article 4(1), the number of notifications referred to in Article 7(1) and the number of alerts on return that have been deleted. eu-LISA shall produce statistics on the data provided by the Member States in accordance with Article 6(3) and Article 13. The statistics shall not contain any personal data.

Those statistics shall be included in the annual statistical report provided for in Article 60(3) of Regulation (EU) 2018/1861.

Article 17

Competent authorities having a right to access data in SIS

1.   Access to data in SIS and the right to search such data shall be reserved to the national competent authorities referred to in Article 34(1), (2) and (3) of Regulation (EU) 2018/1861.

2.   Europol shall within its mandate have the right to access and search data in SIS in accordance with Article 35 of Regulation (EU) 2018/1861 for the purpose of supporting and strengthening action by the competent authorities of the Member States and their mutual cooperation in preventing and combating migrant smuggling and facilitation of irregular migration.

3.   Members of the teams referred to in points (8) and (9) of Article 2 of Regulation (EU) 2016/1624 shall within their mandate have the right to access and search data in SIS in accordance with Article 36 of Regulation (EU) 2018/1861 for the purpose of carrying out border checks, border surveillance and return operations through the technical interface set up and maintained by the European Border and Coast Guard Agency.

Article 18

Evaluation

The Commission shall evaluate the application of this Regulation within two years of the date of the start of its application. This evaluation shall include an assessment of the possible synergies between this Regulation and Regulation (EU) 2017/2226 of the European Parliament and of the Council (25).

Article 19

Applicability of the provisions of Regulation (EU) 2018/1861

Insofar as not established in this Regulation, the entry, processing and updating of alerts, the provisions on responsibilities of the Member States and eu-LISA, the conditions concerning access and the review period for alerts, data processing, data protection, liability and monitoring and statistics, as laid down in Articles 6 to 19, Article 20(3) and (4), Articles 21, 23, 32, 33, 34(5) and 38 to 60 of Regulation (EU) 2018/1861, shall apply to data entered and processed in SIS in accordance with this Regulation.

Article 20

Entry into force

This Regulation shall enter into force on the twentieth day following its publication in the Official Journal of the European Union.

It shall apply from the date set by the Commission in accordance with Article 66(2) of Regulation (EU) 2018/1861.

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.

Done at Brussels, 28 November 2018.

For the European Parliament

The President

A. TAJANI

For the Council

The President

K. EDTSTADLER


(1)  Position of the European Parliament of 24 October 2018 (not yet published in the Official Journal) and decision of the Council of 19 November 2018.

(2)  Directive 2008/115/EC of the European Parliament and of the Council of 16 December 2008 on common standards and procedures in Member States for returning illegally staying third-country nationals (OJ L 348, 24.12.2008, p. 98).

(3)  Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006 (see page 14 of this Official Journal).

(4)  Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (see page 56 of this Official Journal).

(5)  Regulation (EU) 2016/399 of the European Parliament and of the Council of 9 March 2016 on a Union Code on the rules governing the movement of persons across borders (Schengen Borders Code) (OJ L 77, 23.3.2016, p. 1).

(6)  Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).

(7)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(8)  Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53).

(9)  Regulation (EU) 2016/1624 of the European Parliament and of the Council of 14 September 2016 on the European Border and Coast Guard and amending Regulation (EU) 2016/399 of the European Parliament and of the Council and repealing Regulation (EC) No 863/2007 of the European Parliament and of the Council, Council Regulation (EC) No 2007/2004 and Council Decision 2005/267/EC (OJ L 251, 16.9.2016, p. 1).

(10)  Regulation (EU) 2018/1726 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011 (OJ L 295, 21.11.2018, p. 99).

(11)  Council Decision 2000/365/EC of 29 May 2000 concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen acquis (OJ L 131, 1.6.2000, p. 43).

(12)  Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen acquis (OJ L 64, 7.3.2002, p. 20).

(13)  OJ L 176, 10.7.1999, p. 36.

(14)  Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (OJ L 176, 10.7.1999, p. 31).

(15)  OJ L 53, 27.2.2008, p. 52.

(16)  Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis (OJ L 53, 27.2.2008, p. 1).

(17)  OJ L 160, 18.6.2011, p. 21.

(18)  Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis, relating to the abolition of checks at internal borders and movement of persons (OJ L 160, 18.6.2011, p. 19).

(19)  Council Decision 2010/365/EU of 29 June 2010 on the application of the provisions of the Schengen acquis relating to the Schengen Information System in the Republic of Bulgaria and Romania (OJ L 166, 1.7.2010, p. 17).

(20)  Council Decision (EU) 2018/934 of 25 June 2018 on the putting into effect of the remaining provisions of the Schengen acquis relating to the Schengen Information System in the Republic of Bulgaria and Romania (OJ L 165, 2.7.2018, p. 37).

(21)  Council Decision (EU) 2017/733 of 25 April 2017 on the application of the provisions of the Schengen acquis relating to the Schengen Information System in the Republic of Croatia (OJ L 108, 26.4.2017, p. 31).

(22)  Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).

(23)  OJ L 239, 22.9.2000, p. 19.

(24)  Directive 2013/32/EU of the European Parliament and of the Council of 26 June 2013 on common procedures for granting and withdrawing international protection (OJ L 180, 29.6.2013, p. 60).

(25)  Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (OJ L 327, 9.12.2017, p. 20).


7.12.2018   

EN

Official Journal of the European Union

L 312/14


REGULATION (EU) 2018/1861 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of 28 November 2018

on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the of the European Union, and in particular Article 77(2)(b) and (d) and Article 79(2)(c) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Acting in accordance with the ordinary legislative procedure (1),

Whereas:

(1)

The Schengen Information System (SIS) constitutes an essential tool for the application of the provisions of the Schengen acquis as integrated into the framework of the European Union. SIS is one of the major compensatory measures contributing to maintaining a high level of security within the area of freedom, security and justice of the Union by supporting operational cooperation between national competent authorities, in particular border guards, the police, customs authorities, immigration authorities, and authorities responsible for the prevention, detection, investigation or prosecution of criminal offences or execution of criminal penalties.

(2)

SIS was initially set up pursuant to the provisions of Title IV of the Convention of 19 June 1990 implementing the Schengen Agreement of 14 June 1985 between the governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders (2) (the Convention implementing the Schengen Agreement). The development of the second generation of SIS (SIS II) was entrusted to the Commission pursuant to Council Regulation (EC) No 2424/2001 (3) and Council Decision 2001/886/JHA (4). It was later established by Regulation (EC) No 1987/2006 of the European Parliament and of the Council (5) and by Council Decision 2007/533/JHA (6). SIS II replaced SIS as created pursuant to the Convention implementing the Schengen Agreement.

(3)

Three years after SIS II was brought into operation, the Commission carried out an evaluation of the system in accordance with Regulation (EC) No 1987/2006 and Decision 2007/533/JHA. On 21 December 2016, the Commission submitted the Report on the Evaluation of the Second Generation Schengen Information System (SIS II) in accordance with Articles 24(5), 43(3) and 50(5) of Regulation (EC) No 1987/2006 and Articles 59(3) and 66(5) of Decision 2007/533/JHA and an accompanying staff working document to the European Parliament and to the Council. The recommendations set out in those documents should be reflected, as appropriate, in this Regulation.

(4)

This Regulation constitutes the legal basis for SIS in respect of matters falling within the scope of Chapter 2 of Title V of Part Three of the Treaty on Functioning of the European Union (TFEU). Regulation (EU) 2018/1862 of the European Parliament and of the Council (7) constitutes the legal basis for SIS in respect of matters falling within the scope of Chapters 4 and 5 of Title V of Part Three TFEU.

(5)

The fact that the legal basis for SIS consists of separate instruments does not affect the principle that SIS constitutes one single information system that should operate as such. It should include a single network of national offices called SIRENE Bureaux for ensuring the exchange of supplementary information. Certain provisions of those instruments should therefore be identical.

(6)

It is necessary to specify the objectives of SIS, certain elements of its technical architecture and its financing, to lay down rules concerning its end-to-end operation and use and to define responsibilities. It is also necessary to determine the categories of data to be entered into the system, the purposes for which the data are to be entered and processed and the criteria for their entry. Rules are also required to govern the deletion of alerts, the authorities authorised to access the data, the use of biometric data and to further determine data protection and data processing rules.

(7)

Alerts in SIS contain only the information necessary to identify a person and for the action to be taken. Member States should therefore exchange supplementary information related to alerts where required.

(8)

SIS includes a central system (Central SIS) and national systems. The national systems might contain a complete or partial copy of the SIS database, which may be shared by two or more Member States. Considering that SIS is the most important information exchange instrument in Europe for ensuring security and effective border management, it is necessary to ensure its uninterrupted operation at central as well as at national level. The availability of SIS should be subject to close monitoring at central and Member State level and any incident of unavailability for end-users should be registered and reported to stakeholders at national and Union level. Each Member State should set up a backup for its national system. Member States should also ensure uninterrupted connectivity with Central SIS by having duplicated and physically and geographically separated connection points. Central SIS and the Communication Infrastructure should be operated in such a way that their functioning 24 hours a day, 7 days a week is ensured. For that reason, the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (‘eu-LISA’) established by Regulation (EU) 2018/1726 of the European Parliament and of the Council (8) should implement technical solutions to reinforce the uninterrupted availability of SIS, subject to an independent impact assessment and cost-benefit analysis.

(9)

It is necessary to maintain a manual setting out the detailed rules for the exchange of supplementary information concerning the actions called for by alerts (‘the SIRENE Manual’). The SIRENE Bureaux should ensure the exchange of such information in a fast and efficient manner.

(10)

In order to ensure the efficient exchange of supplementary information, including on the action to be taken specified in alerts, it is appropriate to reinforce the functioning of the SIRENE Bureaux by specifying the requirements concerning the available resources and user training and the response time to inquiries they receive from other SIRENE Bureaux.

(11)

Member States should ensure that the staff of their SIRENE Bureau have the linguistic skills and knowledge of relevant law and procedural rules necessary to perform their tasks.

(12)

In order to be able to fully benefit from the functionalities of SIS, Member States should ensure that end-users and the staff of the SIRENE Bureaux regularly receive training, including on data security, data protection and data quality. SIRENE Bureaux should be involved in the development of training programmes. To the extent possible, SIRENE Bureaux should also provide for staff exchanges with other SIRENE Bureaux at least once a year. Member States are encouraged to take appropriate measures to avoid the loss of skills and experience through staff turnover.

(13)

The operational management of the central components of SIS are exercised by eu-LISA. In order to enable eu-LISA to dedicate the necessary financial and personal resources covering all aspects of the operational management of Central SIS and the Communication Infrastructure, this Regulation should set out its tasks in detail, in particular with regard to the technical aspects of the exchange of supplementary information.

(14)

Without prejudice to the responsibility of Member States for the accuracy of data entered into SIS and to the role of the SIRENE Bureaux as quality coordinators, eu-LISA should be responsible for reinforcing data quality by introducing a central data quality monitoring tool, and should provide reports at regular intervals to the Commission and to the Member States. The Commission should report to the European Parliament and to the Council on the data quality issues encountered. To further increase the quality of data in SIS, eu-LISA should also offer training on the use of SIS to national training bodies and, insofar as possible, to the SIRENE Bureaux and to end-users.

(15)

In order to allow better monitoring of the use of SIS and to analyse trends concerning migratory pressure and border management, eu-LISA should be able to develop a state-of-the-art capability for statistical reporting to the Member States, to the European Parliament, to the Council, to the Commission, to Europol and to the European Border and Coast Guard Agency without jeopardising data integrity. Therefore, a central repository should be established. Statistics retained in or obtained from that repository should not contain any personal data. Member States should communicate statistics concerning exercise of the right of access, rectification of inaccurate data and erasure of unlawfully stored data in the framework of cooperation between supervisory authorities and the European Data Protection Supervisor under this Regulation.

(16)

New data categories should be introduced in SIS to allow end-users to take informed decisions based upon an alert without losing time. Therefore, alerts for refusal of entry and stay should contain information concerning the decision on which the alert is based. Furthermore, in order to facilitate identification and detect multiple identities, the alert should, where such information is available, include a reference to the personal identification document of the individual concerned or its number and a copy, if possible in colour, of the document.

(17)

Competent authorities should be able, where strictly necessary, to enter into SIS specific information relating to any specific, objective, physical characteristics of a person which are not subject to change, such as tattoos, marks or scars.

(18)

Where available, all the relevant data, in particular the forename of the individual concerned, should be inserted when creating an alert, in order to minimise the risk of false hits and unnecessary operational activities.

(19)

SIS should not store any data used to carry out searches with the exception of keeping logs to verify whether the search is lawful, for monitoring the lawfulness of data processing, for self-monitoring and for ensuring the proper functioning of the national systems as well as for data integrity and security.

(20)

SIS should permit the processing of biometric data in order to assist in the reliable identification of the individuals concerned. Any entry of photographs, facial images or dactyloscopic data into SIS and any use of such data should be limited to what is necessary for the objectives pursued, should be authorised by Union law, should respect fundamental rights, including the best interests of the child, and should be in accordance with Union law on data protection, including the relevant provisions on data protection laid down in this Regulation. In the same perspective, in order to avoid inconveniences caused by misidentification, SIS should also allow for the processing of data concerning individuals whose identity has been misused, subject to suitable safeguards, to obtaining the consent of the individual concerned for each data category, in particular palm prints, and to a strict limitation of the purposes for which such personal data can be lawfully processed.

(21)

Member States should make the necessary technical arrangements so that each time end-users are entitled to carry out a search in a national police or immigration database, they also search SIS in parallel, subject to the principles set out in Article 4 of Directive (EU) 2016/680 of the European Parliament and of the Council (9) and Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council (10). This should ensure that SIS functions as the main compensatory measure in the area without internal border controls and better addresses the cross-border dimension of criminality and the mobility of criminals.

(22)

This Regulation should set out the conditions for use of dactyloscopic data, photographs and facial images for identification and verification purposes. Facial images and photographs should, for identification purposes, initially be used only in the context of regular border crossing points. Such use should be subject to a report by the Commission confirming the availability, reliability and readiness of the technology.

(23)

It should be allowed to search dactyloscopic data stored in SIS with complete or incomplete sets of fingerprints or palm prints found at a crime scene if it can be established to a high degree of probability that they belong to the perpetrator of the serious crime or terrorist offence, provided that a search is carried out simultaneously in the relevant national fingerprint databases. Particular attention should be given to the establishment of quality standards applicable to the storage of biometric data.

(24)

Wherever the identity of a person cannot be ascertained by any other means, dactyloscopic data should be used to attempt identification. It should be allowed in all cases to identify a person by using dactyloscopic data.

(25)

It should be possible for Member States to establish links between alerts in SIS. The establishment of links between two or more alerts should have no impact on the action to be taken, the review period for alerts or the access rights to the alerts.

(26)

A greater level of effectiveness, harmonisation and consistency can be achieved by making it mandatory to enter into SIS all entry bans issued by the national competent authorities in accordance with procedures respecting Directive 2008/115/EC of the European Parliament and of the Council (11) and by setting common rules for entering alerts for refusal of entry and stay upon the return of an illegally staying third-country national. Member States should take all necessary measures to ensure that no time-gap exists between the moment in which the third-country national concerned leaves the Schengen area and the activation of the alert in SIS. This should ensure the enforcement of entry bans at external border crossing points, effectively preventing re-entry into the Schengen area.

(27)

Persons in respect of whom a decision for refusal of entry and stay is taken should have the right to appeal against that decision. The right of appeal should comply with Directive 2008/115/EC where the decision is related to return.

(28)

This Regulation should set mandatory rules for the consultation and notification of national authorities where a third-country national holds or might obtain a valid residence permit or long-stay visa granted in one Member State, and another Member State intends to or has already entered an alert for refusal of entry and stay on that third-country national. Such situations create serious uncertainties for border guards, police and immigration authorities. Therefore, it is appropriate to provide for a mandatory timeframe for rapid consultation with a definite result in order to ensure that third-country nationals who are entitled to reside lawfully in the territory of the Member States are entitled to enter that territory without difficulty and that those who are not entitled to enter are prevented from doing so.

(29)

When deleting an alert in SIS following a consultation between Member States, the issuing Member State should be able to keep the third-country national concerned on its national list of alerts.

(30)

This Regulation should be without prejudice to the application of Directive 2004/38/EC of the European Parliament and of the Council (12).

(31)

Alerts should not be kept in SIS longer than the time required to fulfil the specific purposes for which they were entered. Within three years of entry of an alert into SIS, the issuing Member State should review the need to retain it. However, if the national decision on which the alert is based provides for a longer period of validity than three years, the alert should be reviewed within five years. Decisions to retain alerts on persons should be based on a comprehensive individual assessment. Member States should review alerts on persons within the prescribed review period and should keep statistics on the number of alerts on persons for which the retention period has been extended.

(32)

Entering an alert into SIS and extending the expiry date of an alert in SIS should be subject to a proportionality requirement involving examination of whether a concrete case is adequate, relevant and important enough to warrant insertion of an alert in SIS. Where terrorist offences are concerned, the case should be considered adequate, relevant and important enough to warrant an alert in SIS. For public or national security reasons, Member States should be allowed exceptionally to refrain from entering an alert into SIS when it is likely that this would obstruct official or legal inquiries, investigations or procedures.

(33)

The integrity of SIS data is of primary importance. Therefore, appropriate safeguards should be provided to process SIS data at central as well as at national level to ensure the end-to-end security of the data. The authorities involved in the data processing should be bound by the security requirements of this Regulation and be subject to a uniform incident reporting procedure. Their staff should be appropriately trained and be informed of any offences and penalties in this respect.

(34)

Data processed in SIS and the related supplementary information exchanged pursuant to this Regulation should not be transferred or made available to third countries or to international organisations.

(35)

To enhance the efficiency of immigration authorities' work when deciding on the right of third-country nationals to enter and stay in the territories of the Member States and on the return of illegally staying third-country nationals, it is appropriate to grant those authorities access to SIS under this Regulation.

(36)

Without prejudice to more specific rules laid down in this Regulation for the processing of personal data, Regulation (EU) 2016/679 should apply to the processing of personal data by the Member States under this Regulation unless such processing is carried out by the national competent authorities for the purposes of prevention, investigation, detection or prosecution of terrorist offences or of other serious criminal offences.

(37)

Without prejudice to more specific rules laid down in this Regulation, the national laws, regulations and administrative provisions adopted pursuant to Directive (EU) 2016/680 should apply to the processing of personal data under this Regulation by the national competent authorities for the purposes of the prevention, detection, investigation or prosecution of terrorist offences or other serious criminal offences or the execution of criminal penalties. Access to data entered into SIS and the right to search such data by national competent authorities which are responsible for the prevention, detection, investigation or prosecution of terrorist offences or other serious criminal offences or the execution of criminal penalties are to be subject to all relevant provisions of this Regulation and those of Directive (EU) 2016/680 as transposed into national law, and in particular to monitoring by the supervisory authorities referred to in Directive (EU) 2016/680.

(38)

Regulation (EU) 2018/1725 of the European Parliament and of the Council (13) should apply to the processing of personal data by the Union institutions and bodies when carrying out their responsibilities under this Regulation.

(39)

Regulation (EU) 2016/794 of the European Parliament and of the Council (14) should apply to the processing of personal data by Europol under this Regulation.

(40)

When using SIS, the competent authorities should ensure that the dignity and integrity of the person whose data are processed are respected. Processing of personal data for the purposes of this Regulation is not to result in discrimination against persons on any grounds, such as sex, racial or ethnic origin, religion or belief, disability, age or sexual orientation.

(41)

Insofar as confidentiality is concerned, the relevant provisions of the Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the Union laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (15) (‘Staff Regulations’) should apply to officials or other servants employed and working in connection with SIS.

(42)

Both the Member States and eu-LISA should maintain security plans in order to facilitate the implementation of security obligations and should cooperate with each other in order to address security issues from a common perspective.

(43)

The national independent supervisory authorities referred to in Regulation (EU) 2016/679 and Directive (EU) 2016/680 (‘supervisory authorities’) should monitor the lawfulness of the processing of personal data by the Member States under this Regulation, including the exchange of supplementary information. The supervisory authorities should be granted sufficient resources to carry out this task. The rights of data subjects to access, rectify and erase their personal data that is stored in SIS, and any subsequent remedies before national courts as well as the mutual recognition of judgments should be provided for. It is also appropriate to require annual statistics from Member States.

(44)

The supervisory authorities should ensure that an audit of the data processing operations in their Member State's national systems is carried out in accordance with international auditing standards at least every four years. The audit should either be carried out by the supervisory authorities, or the supervisory authorities should directly order the audit from an independent data protection auditor. The independent auditor should remain under the control and responsibility of the supervisory authorities concerned, which therefore should instruct the auditor themselves and provide a clearly defined purpose, scope and methodology for the audit as well as guidance and supervision concerning the audit and its final results.

(45)

The European Data Protection Supervisor should monitor the activities of the Union institutions and bodies in relation to the processing of personal data under this Regulation. The European Data Protection Supervisor and the supervisory authorities should cooperate with each other in monitoring SIS.

(46)

The European Data Protection Supervisor should be granted sufficient resources to fulfil the tasks entrusted to it under this Regulation, including assistance from persons with expertise in biometric data.

(47)

Regulation (EU) 2016/794 provides that Europol is to support and strengthen actions carried out by the national competent authorities and their cooperation in combating terrorism and serious crime and to provide analysis and threat assessments. In order to facilitate Europol in carrying out its tasks, in particular within the European Migrant Smuggling Centre, it is appropriate to allow Europol access to categories of alerts as provided for in this Regulation.

(48)

In order to bridge the gap in information sharing on terrorism, in particular on foreign terrorist fighters – where monitoring of their movement is crucial – Member States are encouraged to share information on terrorism-related activity with Europol. This information sharing should be carried out through the exchange of supplementary information with Europol on the alerts concerned. For this purpose Europol should set up a connection with the Communication Infrastructure.

(49)

It is also necessary to set out clear rules for Europol on the processing and downloading of SIS data to allow it to use SIS comprehensively, provided that data protection standards are complied with as provided for in this Regulation and Regulation (EU) 2016/794. In cases where searches carried out by Europol in SIS reveal the existence of an alert entered by a Member State, Europol cannot take the required action. Therefore it should inform the Member State concerned through the exchange of supplementary information with the respective SIRENE Bureau, to allow that Member State to follow up the case.

(50)

Regulation (EU) 2016/1624 of the European Parliament and of the Council (16) provides, for the purpose of that Regulation, that the host Member State is to authorise the members of the teams referred to in point (8) of Article 2 of that Regulation deployed by the European Border and Coast Guard Agency to consult Union databases where this consultation is necessary for fulfilling operational aims specified in the operational plan on border checks, border surveillance and return. Other relevant Union agencies, in particular the European Asylum Support Office and Europol, may also deploy experts who are not members of the staff of those Union agencies as part of migration management support teams. The objective of the deployment of the teams referred to in points (8) and (9) of Article 2 of that Regulation is to provide technical and operational reinforcement to the requesting Member States, especially to those facing disproportionate migratory challenges. For the teams referred to in points (8) and (9) of Article 2 of that Regulation to fulfil their tasks, they require access to SIS through a technical interface of the European Border and Coast Guard Agency connecting to Central SIS. In cases where searches in SIS carried out by the teams referred to in points (8) and (9) of Article 2 of Regulation (EU) 2016/1624 or by the teams of staff reveal the existence of an alert entered by a Member State, the member of the team or the staff cannot take the required action unless authorised to do so by the host Member State. Therefore, the host Member State should be informed to allow it to follow up the case. The host Member State should notify the issuing Member State of the hit through the exchange of supplementary information.

(51)

Certain aspects of SIS cannot be covered exhaustively by this Regulation given their technical, highly detailed and frequently changing nature. Those aspects include, for example, technical rules on entering data, on updating, deleting and searching data and on data quality and rules related to biometric data, rules on the compatibility and order of priority of alerts, on links between alerts and on the exchange of supplementary information. Implementing powers in respect of those aspects should therefore be conferred on the Commission. Technical rules on searching alerts should take into account the smooth operation of national applications.

(52)

In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (17). The procedure for adopting implementing acts under this Regulation and Regulation (EU) 2018/1862 should be the same.

(53)

In order to ensure transparency, two years after the start of operations of SIS pursuant to this Regulation, eu-LISA should produce a report on the technical functioning of Central SIS and the Communication Infrastructure, including their security, and on the bilateral and multilateral exchange of supplementary information. An overall evaluation should be issued by the Commission every four years.

(54)

In order to ensure the smooth functioning of SIS, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of the determination of the circumstances in which photographs and facial images may be used for the identification of persons other than in the context of regular border crossing points. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (18). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

(55)

Since the objectives of this Regulation, namely the establishment and regulation of a Union information system and the exchange of related supplementary information, cannot be sufficiently achieved by the Member States, but can rather, by reason of their nature be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity, as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.

(56)

This Regulation respects fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union. In particular, this Regulation fully respects the protection of personal data in accordance with Article 8 of the Charter of Fundamental Rights of the European Union while seeking to ensure a safe environment for all persons residing on the territory of the Union and protection of irregular migrants from exploitation and trafficking in human beings. In cases concerning children, the best interests of the child should be a primary consideration.

(57)

The estimated costs of the upgrade of the national systems and of the implementation of the new functionalities envisaged in this Regulation, are lower than the remaining amount in the budget line for Smart Borders in Regulation (EU) No 515/2014 of the European Parliament and of the Council (19). Therefore, funding attributed for developing IT systems supporting the management of migration flows across the external borders in accordance with Regulation (EU) No 515/2014 should be allocated to the Member States and eu-LISA. The financial costs of upgrading SIS and the implementation of this Regulation should be monitored. If the estimated costs are higher, Union funding should be made available to support Member States in conformity with the applicable Multiannual Financial Framework.

(58)

In accordance with Articles 1 and 2 of Protocol No 22 on the Position of Denmark annexed to the TEU and to the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application. Given that this Regulation builds upon the Schengen acquis, Denmark shall, in accordance with Article 4 of that Protocol, decide within a period of six months after the Council has decided on this Regulation whether it will implement it in its national law.

(59)

This Regulation constitutes a development of provisions of the Schengen acquis in which the United Kingdom does not take part, in accordance with Council Decision 2000/365/EC (20); the United Kingdom is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(60)

This Regulation constitutes a development of the provisions of the Schengen acquis in which Ireland does not take part, in accordance with Council Decision 2002/192/EC (21); Ireland is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(61)

As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the latters' association with the implementation, application and development of the Schengen acquis (22) which fall within the area referred to in Article 1, point (G) of Council Decision 1999/437/EC (23).

(62)

As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis (24), which fall within the area referred to in Article 1, point (G), of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/146/EC (25).

(63)

As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis (26) which fall within the area referred to in Article 1, point (G), of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (27).

(64)

As regards Bulgaria and Romania, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 4(2) of the 2005 Act of Accession and should be read in conjunction with Council Decisions 2010/365/EU (28) and (EU) 2018/934 (29).

(65)

As regards Croatia, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 4(2) of the 2011 Act of Accession and should be read in conjunction with Council Decision (EU) 2017/733 (30).

(66)

Concerning Cyprus this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 3(2) of the 2003 Act of Accession.

(67)

This Regulations introduces a series of improvements to SIS which will increase its effectiveness, strengthen data protection and extend access rights. Certain of those improvements do not require complex technical developments, while others do require technical changes of varying magnitude. In order to enable improvements to the system to become available to end-users as soon as possible, this Regulation introduces amendments to Regulation (EC) No 1987/2006 in several phases. A number of improvements to the system should apply immediately upon entry into force of this Regulation, whereas others should apply either one or two years after its entry into force. This Regulation should apply in its entirety within three years after its entry into force. In order to avoid delays in its application the phased implementation of this Regulation should be closely monitored.

(68)

Regulation (EC) No 1987/2006 should be repealed with effect from the date of full application of this Regulation.

(69)

The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 of the European Parliament and of the Council (31) and delivered an opinion on 3 May 2017,

HAVE ADOPTED THIS REGULATION:

CHAPTER I

GENERAL PROVISIONS

Article 1

General purpose of SIS

The purpose of SIS shall be to ensure a high level of security within the area of freedom, security and justice of the Union, including the maintenance of public security and public policy and the safeguarding of security in the territories of the Member States, and to ensure the application of the provisions of Chapter 2 of Title V of Part Three TFEU relating to the movement of persons on their territories, using information communicated through this system.

Article 2

Subject matter

1.   This Regulation establishes the conditions and procedures for the entry and processing of alerts in SIS on third-country nationals and for the exchange of supplementary information and additional data for the purpose of refusing entry into and stay on the territory of the Member States.

2.   This Regulation also lays down provisions on the technical architecture of SIS, on the responsibilities of the Member States and of the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), on data processing, on the rights of the persons concerned and on liability.

Article 3

Definitions

For the purposes of this Regulation, the following definitions apply:

(1)

‘alert’ means a set of data entered into SIS allowing the competent authorities to identify a person with a view to taking specific action;

(2)

‘supplementary information’ means information not forming part of the alert data stored in SIS, but connected to alerts in SIS, which is to be exchanged through the SIRENE Bureaux:

(a)

in order to allow Member States to consult or inform each other when entering an alert;

(b)

following a hit in order to allow the appropriate action to be taken;

(c)

when the required action cannot be taken;

(d)

when dealing with the quality of SIS data;

(e)

when dealing with the compatibility and priority of alerts;

(f)

when dealing with rights of access;

(3)

‘additional data’ means the data stored in SIS and connected with alerts in SIS which are to be immediately available to the competent authorities where a person in respect of whom data has been entered in SIS is located as a result of conducting a search in SIS;

(4)

‘third-country national’ means any person who is not a citizen of the Union within the meaning of Article 20(1) TFEU, with the exception of persons who are beneficiaries of rights of free movement equivalent to those of citizens of the Union under agreements between the Union, or the Union and its Member States on the one hand, and third countries on the other hand;

(5)

‘personal data’ means personal data as defined in point 1 of Article 4 of Regulation (EU) 2016/679;

(6)

‘processing of personal data’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, logging, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(7)

a ‘match’ means the occurrence of the following steps:

(a)

a search has been conducted in SIS by an end-user;

(b)

that search has revealed an alert entered into SIS by another Member State; and

(c)

data concerning the alert in SIS match the search data;

(8)

a ‘hit’ means any match which fulfils the following criteria:

(a)

it has been confirmed by:

(i)

the end-user; or

(ii)

the competent authority in accordance with national procedures, where the match concerned was based on the comparison of biometric data;

and

(b)

further actions are requested;

(9)

‘issuing Member State’ means the Member State which entered the alert into SIS;

(10)

‘granting Member State’ means the Member State which is considering granting or extending or which has granted or extended a residence permit or long-stay visa and which is involved in the consultation procedure with another Member State;

(11)

‘executing Member State’ means the Member State which takes or has taken the required actions following a hit;

(12)

‘end-user’ means a member of staff of a competent authority authorised to search directly CS-SIS, N.SIS or a technical copy thereof;

(13)

‘biometric data’ means personal data resulting from specific technical processing relating to the physical or physiological characteristics of a natural person, which allow or confirm the unique identification of that natural person, namely photographs, facial images and dactyloscopic data;

(14)

‘dactyloscopic data’ means data on fingerprints and palm prints which due to their unique character and the reference points contained therein enable accurate and conclusive comparisons on a person's identity;

(15)

‘facial image’ means digital images of the face with sufficient image resolution and quality to be used in automated biometric matching;

(16)

‘return’ means return as defined in point 3 of Article 3 of Directive 2008/115/EC;

(17)

‘entry ban’ means an entry ban as defined in point 6 of Article 3 of Directive 2008/115/EC;

(18)

‘terrorist offences’ means offences under national law referred to in Articles 3 to 14 of Directive (EU) 2017/541 of the European Parliament and of the Council (32), or equivalent to one of those offences for the Member States which are not bound by that Directive;

(19)

‘residence permit’ means a residence permit as defined in point (16) of Article 2 of Regulation (EU) 2016/399 of the European Parliament and of the Council (33);

(20)

‘long-stay visa’ means a long-stay visa as referred to in Article 18(1) of Convention implementing the Schengen Agreement;

(21)

‘threat to public health’ means a threat to public health as defined in point (21) of Article 2 of Regulation (EU) 2016/399.

Article 4

Technical architecture and ways of operating SIS

1.   SIS shall be composed of:

(a)

a central system (Central SIS) composed of:

(i)

a technical support function (‘CS-SIS’) containing a database, (the ‘SIS database’), and including a backup CS-SIS,

(ii)

a uniform national interface (‘NI-SIS’);

(b)

a national system (N.SIS) in each of the Member States, consisting of the national data systems which communicate with Central SIS, including at least one national or shared backup N.SIS; and

(c)

a communication infrastructure between CS-SIS, backup CS-SIS and NI-SIS (‘the Communication Infrastructure’) that provides an encrypted virtual network dedicated to SIS data and the exchange of data between SIRENE Bureaux, as referred to in Article 7(2).

An N.SIS as referred to in point (b) may contain a data file (a ‘national copy’) containing a complete or partial copy of the SIS database. Two or more Member States may establish in one of their N.SIS a shared copy which may be used jointly by those Member States. Such shared copy shall be considered as the national copy of each of those Member States.

A shared backup N.SIS as referred to in point (b) may be used jointly by two or more Member States. In such cases, the shared backup N.SIS shall be considered as the backup N.SIS of each of those Member States. The N.SIS and its backup may be used simultaneously to ensure uninterrupted availability to end-users.

Member States intending to establish a shared copy or shared backup N.SIS to be used jointly shall agree their respective responsibilities in writing. They shall notify their arrangement to the Commission.

The Communication Infrastructure shall support and contribute to ensuring the uninterrupted availability of SIS. It shall include redundant and separated paths for the connections between CS-SIS and the backup CS-SIS and shall also include redundant and separated paths for the connections between each SIS national network access point and CS-SIS and backup CS-SIS.

2.   Member States shall enter, update, delete and search SIS data through their own N.SIS. The Member States using a partial or a complete national copy or a partial or complete shared copy shall make that copy available for the purpose of carrying out automated searches in the territory of each of those Member States. The partial national or shared copy shall contain at least the data listed in points (a) to (v) of Article 20(2). It shall not be possible to search the data files of other Member States' N.SIS, except in the case of shared copies.

3.   CS-SIS shall perform technical supervision and administration functions and have a backup CS-SIS, capable of ensuring all functionalities of the principal CS-SIS in the event of failure of that system. CS-SIS and the backup CS-SIS shall be located in the two technical sites of eu-LISA.

4.   eu-LISA shall implement technical solutions to reinforce the uninterrupted availability of SIS either through the simultaneous operation of CS-SIS and the backup CS-SIS, provided that the backup CS-SIS remains capable of ensuring the operation of SIS in the event of a failure of CS-SIS, or through duplication of the system or its components. Notwithstanding the procedural requirements laid down in Article 10 of Regulation (EU) 2018/1726 eu-LISA shall, no later than 28 December 2019, prepare a study on the options for technical solutions, containing an independent impact assessment and cost-benefit analysis.

5.   Where necessary in exceptional circumstances, eu-LISA may temporarily develop an additional copy of the SIS database.

6.   CS-SIS shall provide the services necessary for the entry and processing of SIS data, including searches in the SIS database. For the Member States which use a national or shared copy, CS-SIS shall:

(a)

provide online updates for the national copies;

(b)

ensure synchronisation of and consistency between the national copies and the SIS database; and

(c)

provide the operation for initialisation and restoration of the national copies.

7.   CS-SIS shall provide uninterrupted availability.

Article 5

Costs

1.   The costs of operating, maintaining and further developing Central SIS and the Communication Infrastructure shall be borne by the general budget of the Union. Those costs shall include work done with respect to CS-SIS, in order to ensure the provision of the services referred to in Article 4(6).

2.   Funding is allocated from the envelope of EUR 791 million foreseen under point (b) Article 5(5) of Regulation (EU) No 515/2014 to cover the costs of implementation of this Regulation.

3.   From the envelope referred to in paragraph 2, and without prejudice to further funding for this purpose from other sources of the general budget of the Union, an amount of EUR 31 098 000 is allocated to eu-LISA. Such funding shall be implemented under indirect management and shall contribute to carrying out the technical developments required under this Regulation concerning Central SIS and the Communication Infrastructure, as well as related training activities.

4.   From the envelope referred to in paragraph 2, the Member States participating in Regulation (EU) No 515/2014 shall receive an additional global allocation of EUR 36 810 000 to be distributed in equal shares through a lump sum to their basic allocation. Such funding shall be implemented under shared management and shall be entirely devoted to the quick and effective upgrade of the national systems concerned in line with the requirements of this Regulation.

5.   The costs of setting up, operating, maintaining and further developing each N.SIS shall be borne by the Member State concerned.

CHAPTER II

RESPONSIBILITIES OF THE MEMBER STATES

Article 6

National systems

Each Member State shall be responsible for setting up, operating, maintaining and further developing its N.SIS and connecting it to NI-SIS.

Each Member State shall be responsible for ensuring the uninterrupted availability of SIS data to end-users.

Each Member State shall transmit its alerts through its N.SIS.

Article 7

N.SIS Office and SIRENE Bureau

1.   Each Member State shall designate an authority (the N.SIS Office), which shall have central responsibility for its N.SIS.

That authority shall be responsible for the smooth operation and security of the N.SIS, shall ensure the access of the competent authorities to SIS and shall take the necessary measures to ensure compliance with this Regulation. It shall be responsible for ensuring that all functionalities of SIS are made available to the end-users appropriately.

2.   Each Member State shall designate a national authority which shall be operational 24 hours a day, 7 days a week and which shall ensure the exchange and availability of all supplementary information (the SIRENE Bureau) in accordance with the SIRENE Manual. Each SIRENE Bureau shall serve as a single contact point for its Member State to exchange supplementary information regarding alerts and to facilitate the requested actions to be taken when alerts on persons have been entered in SIS and those persons are located following a hit.

Each SIRENE Bureau shall, in accordance with national law, have easy direct or indirect access to all relevant national information, including national databases and all information on its Member States' alerts, and to expert advice, in order to be able to react to requests for supplementary information swiftly and within the deadlines provided for in Article 8.

The SIRENE Bureaux shall coordinate the verification of the quality of the information entered in SIS. For those purposes they shall have access to data processed in SIS.

3.   The Member States shall provide eu-LISA with details of their N.SIS Office and of their SIRENE Bureau. eu-LISA shall publish the list of the N.SIS Offices and the SIRENE Bureaux together with the list referred to in Article 41(8).

Article 8

Exchange of supplementary information

1.   Supplementary information shall be exchanged in accordance with the provisions of the SIRENE Manual and using the Communication Infrastructure. Member States shall provide the necessary technical and human resources to ensure the continuous availability and timely and effective exchange of supplementary information. In the event that the Communication Infrastructure is unavailable, Member States shall use other adequately secured technical means to exchange supplementary information. A list of adequately secured technical means shall be laid down in the SIRENE Manual.

2.   Supplementary information shall be used only for the purpose for which it was transmitted in accordance with Article 49 unless prior consent for another use is obtained from the issuing Member State.

3.   The SIRENE Bureaux shall carry out their tasks in a quick and efficient manner, in particular by replying to a request for supplementary information as soon as possible but not later than 12 hours after the receipt of the request.

Requests for supplementary information with the highest priority shall be marked ‘URGENT’ in the SIRENE forms, and the reason for the urgency shall be specified.

4.   The Commission shall adopt implementing acts to lay down detailed rules for the tasks of the SIRENE Bureaux pursuant to this Regulation and the exchange of supplementary information in the form of a manual entitled the ‘SIRENE Manual’. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

Article 9

Technical and functional compliance

1.   When setting up its N.SIS, each Member State shall comply with common standards, protocols and technical procedures established to ensure the compatibility of its N.SIS with Central SIS for the prompt and effective transmission of data.

2.   If a Member State uses a national copy, it shall ensure, by means of the services provided by CS-SIS and by means of automatic updates referred to in Article 4(6) that the data stored in the national copy are identical to and consistent with the SIS database and that a search in its national copy produces a result equivalent to that of a search in the SIS database.

3.   End-users shall receive the data required to perform their tasks, in particular, and where necessary all the available data allowing for the identification of the data subject and for the requested action to be taken.

4.   Member States and eu-LISA shall undertake regular tests to verify the technical compliance of the national copies referred to in paragraph 2. The results of those tests shall be taken into consideration as part of the mechanism established by Council Regulation (EU) No 1053/2013 (34).

5.   The Commission shall adopt implementing acts to lay down and develop common standards, protocols and technical procedures referred to in paragraph 1 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

Article 10

Security – Member States

1.   Each Member State shall, in relation to its N.SIS, adopt the necessary measures, including a security plan, a business continuity plan and a disaster recovery plan in order to:

(a)

physically protect data, including by making contingency plans for the protection of critical infrastructure;

(b)

deny unauthorised persons access to data-processing facilities used for processing personal data (facilities access control);

(c)

prevent the unauthorised reading, copying, modification or removal of data media (data media control);

(d)

prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);

(e)

prevent the use of automated data-processing systems by unauthorised persons using data communication equipment (user control);

(f)

prevent the unauthorised processing of data in SIS and any unauthorised modification or erasure of data processed in SIS (control of data entry);

(g)

ensure that persons authorised to use an automated data-processing system have access only to the data covered by their access authorisation, by means of individual and unique user identifiers and confidential access modes only (data access control);

(h)

ensure that all authorities with a right of access to SIS or to the data processing facilities create profiles describing the functions and responsibilities of persons who are authorised to access, enter, update, delete and search the data and make those profiles available to the supervisory authorities referred to in Article 55(1) without delay upon their request (personnel profiles);

(i)

ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);

(j)

ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems, when, by whom and for what purpose (input control);

(k)

prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data or during the transport of data media, in particular by means of appropriate encryption techniques (transport control);

(l)

monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation (self-auditing);

(m)

ensure that, in the event of interruption, installed systems can be restored to normal operation (recovery); and

(n)

ensure that SIS performs its functions correctly, that faults are reported (reliability) and that personal data stored in SIS cannot be corrupted by means of the system malfunctioning (integrity).

2.   Member States shall take measures equivalent to those referred to in paragraph 1 as regards security in respect of the processing and exchange of supplementary information, including by securing the premises of the SIRENE Bureaux.

3.   Member States shall take measures equivalent to those referred to in paragraph 1 of this Article as regards security in respect of the processing of SIS data by the authorities referred to in Article 34.

4.   The measures described in paragraphs 1, 2 and 3 may be part of a generic security approach and plan at national level encompassing multiple IT systems. In such cases, the requirements set out in this Article and their applicability to SIS shall be clearly identifiable in and ensured by that plan.

Article 11

Confidentiality – Member States

1.   Each Member State shall apply its rules of professional secrecy or other equivalent duties of confidentiality to all persons and bodies required to work with SIS data and supplementary information, in accordance with its national law. That obligation shall also apply after those persons leave office or employment or after the termination of the activities of those bodies.

2.   Where a Member State cooperates with external contractors in any SIS-related tasks, it shall closely monitor the activities of the contractor to ensure compliance with all provisions of this Regulation, in particular on security, confidentiality and data protection.

3.   The operational management of N.SIS or of any technical copies shall not be entrusted to private companies or private organisations.

Article 12

Keeping of logs at national level

1.   Member States shall ensure that every access to and all exchanges of personal data within CS-SIS are logged in their N.SIS for the purposes of checking whether the search was lawful, monitoring the lawfulness of data processing, self-monitoring, ensuring the proper functioning of N.SIS, as well as for data integrity and security. This requirement does not apply to the automatic processes referred to in points (a), (b) and (c) of Article 4(6).

2.   The logs shall show, in particular, the history of the alert, the date and time of the data processing activity, the data used to perform a search, a reference to the data processed and the individual and unique user identifiers of both the competent authority and the person processing the data.

3.   By way of derogation from paragraph 2 of this Article, if the search is carried out with dactyloscopic data or a facial image in accordance with Article 33, the logs shall show the type of data used to perform the search instead of the actual data.

4.   The logs shall only be used for the purpose referred to in paragraph 1 and shall be deleted three years after their creation. The logs which include the history of alerts shall be deleted three years after deletion of the alerts.

5.   Logs may be kept for longer than the periods referred to in paragraph 4 if they are required for monitoring procedures that are already underway.

6.   The national competent authorities in charge of checking whether searches are lawful, monitoring the lawfulness of data processing, self-monitoring and ensuring the proper functioning of N.SIS and data integrity and security, shall have access, within the limits of their competence and at their request, to the logs for the purpose of fulfilling their duties.

Article 13

Self-monitoring

Member States shall ensure that each authority entitled to access SIS data takes the measures necessary to comply with this Regulation and cooperates, where necessary, with the supervisory authority.

Article 14

Staff training

1.   Before being authorised to process data stored in SIS and periodically after access to SIS data has been granted, the staff of the authorities having a right to access SIS shall receive appropriate training on data security on fundamental rights including data protection, and on the rules and procedures for data processing set out in the SIRENE Manual. The staff shall be informed of any relevant provisions on criminal offences and penalties, including those provided for in Article 59.

2.   Member States shall have a national SIS training programme which shall include training for end-users as well as the staff of the SIRENE Bureaux.

That training programme may be part of a general training programme at national level encompassing training in other relevant areas.

3.   Common training courses shall be organised at Union level at least once a year to enhance cooperation between SIRENE Bureaux.

CHAPTER III

RESPONSIBILITIES OF eu-LISA

Article 15

Operational management

1.   eu-LISA shall be responsible for the operational management of Central SIS. eu-LISA shall, in cooperation with the Member States, ensure that at all times the best available technology is used for Central SIS, subject to a cost-benefit analysis.

2.   eu-LISA shall also be responsible for the following tasks relating to the Communication Infrastructure:

(a)

supervision;

(b)

security;

(c)

the coordination of relations between the Member States and the provider;

(d)

tasks relating to implementation of the budget;

(e)

acquisition and renewal; and

(f)

contractual matters.

3.   eu-LISA shall also be responsible for the following tasks relating to the SIRENE Bureaux and communication between the SIRENE Bureaux:

(a)

the coordination, management and support of testing activities;

(b)

the maintenance and updating of technical specifications for the exchange of supplementary information between SIRENE Bureaux and the Communication Infrastructure; and

(c)

managing the impact of technical changes where it affects both SIS and the exchange of supplementary information between SIRENE Bureaux.

4.   eu-LISA shall develop and maintain a mechanism and procedures for carrying out quality checks on the data in CS-SIS. It shall provide regular reports to the Member States in this regard.

eu-LISA shall provide a regular report to the Commission covering the issues encountered and the Member States concerned.

The Commission shall provide the European Parliament and the Council with a regular report on data quality issues that are encountered.

5.   eu-LISA shall also perform tasks related to providing training on the technical use of SIS and on measures for improving the quality of SIS data.

6.   The operational management of Central SIS shall consist of all the tasks necessary to keep Central SIS functioning 24 hours a day, 7 days a week in accordance with this Regulation, in particular the maintenance work and technical developments necessary for the smooth running of the system. Those tasks shall also include the coordination, management and support of testing activities for Central SIS and the N.SIS that ensure that Central SIS and the N.SIS operate in accordance with the requirements for technical and functional compliance set out in Article 9.

7.   The Commission shall adopt implementing acts to set out the technical requirements for the Communication Infrastructure. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

Article 16

Security – eu-LISA

1.   eu-LISA shall adopt the necessary measures, including a security plan, a business continuity plan and a disaster recovery plan for Central SIS and the Communication Infrastructure in order to:

(a)

physically protect data, including by making contingency plans for the protection of critical infrastructure;

(b)

deny unauthorised persons access to data-processing facilities used for processing personal data (facilities access control);

(c)

prevent the unauthorised reading, copying, modification or removal of data media (data media control);

(d)

prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);

(e)

prevent the use of automated data-processing systems by unauthorised persons using data communication equipment (user control);

(f)

prevent the unauthorised processing of data in SIS and any unauthorised modification or erasure of data processed in SIS (control of data entry);

(g)

ensure that persons authorised to use an automated data-processing system have access only to the data covered by their access authorisation by means of individual and unique user identifiers and confidential access modes only (data access control);

(h)

create profiles describing the functions and responsibilities of persons who are authorised to access the data or the data processing facilities and make those profiles available to the European Data Protection Supervisor without delay upon its request (personnel profiles);

(i)

ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);

(j)

ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems, when and by whom (input control);

(k)

prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data or during the transport of data media, in particular by means of appropriate encryption techniques (transport control);

(l)

monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation (self-auditing).

(m)

ensure that, in the event of interrupted operations, installed systems can be restored to normal operation (recovery);

(n)

ensure that SIS performs its functions correctly, that faults are reported (reliability) and that personal data stored in SIS cannot be corrupted by means of the system malfunctioning (integrity); and

(o)

ensure the security of its technical sites.

2.   eu-LISA shall take measures equivalent to those referred to in paragraph 1 as regards security in respect of the processing and exchange of supplementary information through the Communication Infrastructure.

Article 17

Confidentiality – eu-LISA

1.   Without prejudice to Article 17 of the Staff Regulations eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality of a comparable standard to those laid down in Article 11 of this Regulation to all its staff required to work with SIS data. That obligation shall also apply after those persons leave office or employment or after the termination of their activities.

2.   eu-LISA shall take measures equivalent to those referred to in paragraph 1 as regards confidentiality in respect of the exchange of supplementary information through the Communication Infrastructure.

3.   Where eu-LISA cooperates with external contractors in any SIS-related tasks, it shall closely monitor the activities of the contractor to ensure compliance with all provisions of this Regulation, in particular on security, confidentiality and data protection.

4.   The operational management of CS-SIS shall not be entrusted to private companies or private organisations.

Article 18

Keeping of logs at central level

1.   eu-LISA shall ensure that every access to and all exchanges of personal data within CS-SIS are logged for the purposes stated in Article 12(1).

2.   The logs shall show, in particular, the history of the alert, the date and time of the data processing activity, the data used to perform a search, a reference to the data processed and the individual and unique user identifiers of the competent authority processing the data.

3.   By way of derogation from paragraph 2 of this Article, if the search is carried out with dactyloscopic data or facial images in accordance with Article 33, the logs shall show the type of data used to perform the search instead of the actual data.

4.   The logs shall only be used for the purposes referred to in paragraph 1 and shall be deleted three years after their creation. The logs which include the history of alerts shall be deleted three years after deletion of the alerts.

5.   Logs may be kept longer than the periods referred to in paragraph 4 if they are required for monitoring procedures that are already underway.

6.   For the purposes of self-monitoring and ensuring the proper functioning of CS-SIS, data integrity and security, eu-LISA shall have access to the logs within the limits of its competence.

The European Data Protection Supervisor shall have access to those logs on request, within the limits of its competence and for the purpose of fulfilling its tasks.

CHAPTER IV

INFORMATION TO THE PUBLIC

Article 19

SIS information campaigns

At the start of the application of this Regulation, the Commission, in cooperation with the supervisory authorities and the European Data Protection Supervisor, shall carry out a campaign informing the public about the objectives of SIS, the data stored in SIS, the authorities having access to SIS and the rights of data subjects. The Commission shall repeat such campaigns regularly, in cooperation with the supervisory authorities and the European Data Protection Supervisor. The Commission shall maintain a website available to the public providing all relevant information concerning SIS. Member States shall, in cooperation with their supervisory authorities, devise and implement the necessary policies to inform their citizens and residents about SIS generally.

CHAPTER V

ALERTS FOR REFUSAL OF ENTRY AND STAY ON THIRD-COUNTRY NATIONALS

Article 20

Categories of data

1.   Without prejudice to Article 8(1) or to the provisions of this Regulation providing for the storage of additional data, SIS shall contain only those categories of data which are supplied by each Member State, as required for the purposes laid down in Articles 24 and 25.

2.   Any alert in SIS which includes information on persons shall contain only the following data:

(a)

surnames;

(b)

forenames;

(c)

names at birth;

(d)

previously used names and aliases;

(e)

any specific, objective, physical characteristics not subject to change;

(f)

place of birth;

(g)

date of birth;

(h)

gender;

(i)

any nationalities held;

(j)

whether the person concerned:

(i)

is armed;

(ii)

is violent;

(iii)

has absconded or escaped;

(iv)

poses a risk of suicide;

(v)

poses a threat to public health; or

(vi)

is involved in an activity referred to in Articles 3 to 14 of Directive (EU) 2017/541;

(k)

the reason for the alert;

(l)

the authority which created the alert;

(m)

a reference to the decision giving rise to the alert;

(n)

the action to be taken in the case of a hit;

(o)

links to other alerts pursuant to Article 48;

(p)

whether the person concerned is a family member of a citizen of the Union or other person who is a beneficiary of the right of free movement as referred to in Article 26;

(q)

whether the decision for refusal of entry and stay is based on:

(i)

a previous conviction as referred to in point (a) of Article 24(2);

(ii)

a serious security threat as referred to in point (b) of Article 24(2);

(iii)

circumvention of Union or national law on entry and stay as referred to in point (c) of Article 24(2);

(iv)

an entry ban as referred to in point (b) of Article 24(1); or

(v)

a restrictive measure referred to in Article 25;

(r)

the type of offence;

(s)

the category of the person's identification documents;

(t)

the country of issue of the person's identification documents;

(u)

the number(s) of the person's identification documents;

(v)

the date of issue of the person's identification documents;

(w)

photographs and facial images;

(x)

dactyloscopic data;

(y)

a copy of the identification documents, in colour wherever possible.

3.   The Commission shall adopt implementing acts to lay down and develop the technical rules necessary for entering, updating, deleting and searching the data referred to in paragraph 2 of this Article and the common standards referred to in paragraph 4 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

4.   Technical rules shall be similar for searches in CS-SIS, in national or shared copies and in technical copies made under Article 41(2). They shall be based on common standards.

Article 21

Proportionality

1.   Before entering an alert and when extending the period of validity of an alert, Member States shall determine whether the case is adequate, relevant and important enough to warrant an alert in SIS.

2.   Where the decision to refuse entry and stay referred to in point (a) of Article 24(1) is related to a terrorist offence, the case shall be considered adequate, relevant and important enough to warrant an alert in SIS. For public or national security reasons, Member States may exceptionally refrain from entering an alert when it is likely to obstruct official or legal inquiries, investigations or procedures.

Article 22

Requirement for an alert to be entered

1.   The minimum set of data necessary in order to enter an alert into SIS shall be the data referred to in points (a), (g), (k), (m), (n) and (q) of Article 20(2). The other data referred to in that paragraph shall also be entered into SIS, if available.

2.   The data referred to in point (e) of Article 20(2) of this Regulation shall only be entered when this is strictly necessary for the identification of the third-country national concerned. When such data are entered, Member States shall ensure that Article 9 of Regulation (EU) 2016/679 is complied with.

Article 23

Compatibility of alerts

1.   Before entering an alert, the Member State shall check whether the person concerned is already the subject of an alert in SIS. For that purpose, a check with dactyloscopic data shall also be carried out if such data are available.

2.   Only one alert per person per Member State shall be entered into SIS. Where necessary, new alerts may be entered on the same person by other Member States, in accordance with paragraph 3.

3.   Where a person is already the subject of an alert in SIS, a Member State wishing to enter a new alert shall check that there is no incompatibility between the alerts. If there is no incompatibility, the Member State may enter the new alert. If the alerts are incompatible, the SIRENE Bureaux of the Member States concerned shall consult each other by exchanging supplementary information in order to reach an agreement. Rules on the compatibility of alerts shall be laid down in the SIRENE Manual. Departures from the compatibility rules may be made after consultation between the Member States if essential national interests are at stake.

4.   In the case of hits on multiple alerts on the same person, the executing Member State shall observe the priority rules for alerts laid down in the SIRENE Manual.

If a person is subject to multiple alerts entered by different Member States, alerts for arrest entered in accordance with Article 26 of Regulation (EU) 2018/1862 shall be executed as a priority, subject to Article 25 of that Regulation.

Article 24

Conditions for entering alerts for refusal of entry and stay

1.   Member States shall enter an alert for refusal of entry and stay when one of the following conditions is met:

(a)

the Member State has concluded, based on an individual assessment which includes an assessment of the personal circumstances of the third-country national concerned and the consequences of refusing him or her entry and stay, that the presence of that third-country national on its territory poses a threat to public policy, to public security or to national security, and the Member State has consequently adopted a judicial or administrative decision in accordance with its national law to refuse entry and stay and issued a national alert for refusal of entry and stay; or

(b)

the Member State has issued an entry ban in accordance with procedures respecting Directive 2008/115/EC in respect of a third-country national.

2.   The situations covered by point (a) of paragraph 1 shall arise where:

(a)

a third-country national has been convicted in a Member State of an offence carrying a penalty involving the deprivation of liberty of at least one year;

(b)

there are serious grounds for believing that a third-country national has committed a serious criminal offence, including a terrorist offence, or there are clear indications of his or her intention to commit such an offence in the territory of a Member State; or

(c)

a third-country national has circumvented or attempted to circumvent Union or national law on entry into and stay on the territory of the Member States.

3.   The issuing Member State shall ensure that the alert takes effect in SIS as soon as the third-country national concerned has left the territory of the Member States or as soon as possible where the issuing Member State has obtained clear indications that the third-country national has left the territory of the Member States, in order to prevent the re-entry of that third-country national.

4.   Persons in respect of whom a decision for refusal of entry and stay is taken as referred in paragraph 1 shall have the right to appeal. Such appeals shall be conducted in accordance with Union and national law, which shall provide for an effective remedy to be requested before a court.

Article 25

Conditions for entering alerts on third-country nationals subject to restrictive measures

1.   Alerts on third-country nationals who are the subject of a restrictive measure intended to prevent entry into or transit through the territory of Member States taken in accordance with legal acts adopted by the Council, including measures implementing a travel ban issued by the Security Council of the United Nations, shall, insofar as data-quality requirements are satisfied, be entered into SIS for the purpose of refusing entry and stay.

2.   The alerts shall be entered, kept up-to-date and deleted by the competent authority of the Member State which holds the Presidency of the Council of the European Union at the time of the adoption of the measure. If that Member State does not have access to SIS or to alerts entered in accordance with this Regulation, the responsibility shall be taken up by the Member State which holds the subsequent Presidency and which has access to SIS, including to alerts entered in accordance with this Regulation.

Member States shall put in place the necessary procedures for entering, updating and deleting such alerts.

Article 26

Conditions for entering alerts on third-country nationals who are beneficiaries of the right of free movement within the Union

1.   An alert on a third-country national who is a beneficiary of the right of free movement within the Union in accordance with Directive 2004/38/EC or with an agreement between the Union or the Union and its Members States on the one hand, and a third country on the other hand, shall be in conformity with the rules adopted in implementation of that Directive or agreement.

2.   Where there is a hit on an alert entered in accordance with Article 24 on a third-country national who is a beneficiary of the right of free movement within the Union, the executing Member State shall immediately consult the issuing Member State, through the exchange of supplementary information, in order to decide without delay on the action to be taken.

Article 27

Prior consultation before granting or extending a residence permit or long-stay visa

Where a Member State considers granting or extending a residence permit or long-stay visa to a third-country national who is the subject of an alert for refusal of entry and stay entered by another Member State, the Member States involved shall consult each other through the exchange of supplementary information, in accordance with the following rules:

(a)

the granting Member State shall consult the issuing Member State prior to granting or extending the residence permit or long-stay visa;

(b)

the issuing Member State shall reply to the consultation request within 10 calendar days;

(c)

the absence of a reply by the deadline referred to in point (b) shall mean that the issuing Member State does not object to the granting or extending of the residence permit or long-stay visa;

(d)

when making the relevant decision, the granting Member State shall take into account the reasons for the decision of the issuing Member State and shall consider, in accordance with national law, any threat to public policy or to public security which the presence of the third-country national in question on the territory of the Member States may pose;

(e)

the granting Member State shall notify the issuing Member State of its decision; and

(f)

where the granting Member State notifies the issuing Member State that it intends to grant or extend the residence permit or long-stay visa or that it has decided to do so, the issuing Member State shall delete the alert for refusal of entry and stay.

The final decision on whether to grant a residence permit or long-stay visa to a third-country national rests with the granting Member State.

Article 28

Prior consultation before entering an alert for refusal of entry and stay

Where a Member State has taken a decision referred to in Article 24(1) and considers entering an alert for refusal of entry and stay on a third-country national who is the holder of a valid residence permit or long-stay visa granted by another Member State, the Member States involved shall consult each other through the exchange of supplementary information, in accordance with the following rules:

(a)

the Member State that has taken the decision referred to in Article 24(1) shall inform the granting Member State of the decision;

(b)

the information exchanged under point (a) of this Article shall include sufficient detail on the reasons for the decision referred to in Article 24(1);

(c)

on the basis of the information provided by the Member State that has taken the decision referred to in Article 24(1), the granting Member State shall consider whether there are reasons for withdrawing the residence permit or long-stay visa;

(d)

when making the relevant decision, the granting Member State shall take into account the reasons for the decision of the Member State that has taken the decision referred to in Article 24(1) and shall consider, in accordance with national law, any threat to public policy or to public security which the presence of the third-country national in question on the territory of the Member States may pose;

(e)

within 14 calendar days of receipt of the request for consultation the granting Member State shall notify the Member State that has taken the decision referred to in Article 24(1) of its decision or, where it has been impossible for the granting Member State to take a decision within that period, shall make a reasoned request to extend exceptionally the time period for its response for a maximum of a further 12 calendar days;

(f)

where the granting Member State notifies the Member State that has taken the decision referred to in Article 24(1) that it is maintaining the residence permit or long-stay visa, the Member State that has taken the decision shall not enter the alert for refusal of entry and stay.

Article 29

A posteriori consultation after entering an alert for refusal of entry and stay

Where it emerges that a Member State has entered an alert for refusal of entry and stay on a third-country national who is the holder of a valid residence permit or long-stay visa granted by another Member State, the Member States involved shall consult each other through the exchange of supplementary information, in accordance with the following rules:

(a)

the issuing Member State shall inform the granting Member State of the alert for refusal of entry and stay;

(b)

the information exchanged under point (a) shall include sufficient detail on the reasons for the alert for refusal of entry and stay;

(c)

on the basis of the information provided by the issuing Member State, the granting Member State shall consider whether there are reasons for withdrawing the residence permit or long-stay visa;

(d)

when making its decision, the granting Member State shall take into account the reasons for the decision of the issuing Member State and shall consider, in accordance with national law, any threat to public policy or to public security which the presence of the third-country national in question on the territory of the Member States may pose;

(e)

within 14 calendar days of receipt of the request for consultation the granting Member State shall notify the issuing Member State of its decision or, where it has been impossible for the granting Member State to take a decision within that period, shall make a reasoned request to extend exceptionally the time period for its response for a maximum of a further 12 calendar days;

(f)

where the granting Member State notifies the issuing Member State that it is maintaining the residence permit or long-stay visa, the issuing Member State shall immediately delete the alert for refusal of entry and stay.

Article 30

Consultation in the case of a hit concerning a third-country national holding a valid residence permit or long-stay visa

Where a Member State encounters a hit on an alert for refusal of entry and stay entered by a Member State on a third-country national who is the holder of a valid residence permit or long-stay visa granted by another Member State, the Member States involved shall consult each other through the exchange of supplementary information, in accordance with the following rules:

(a)

the executing Member State shall inform the issuing Member State of the situation;

(b)

the issuing Member State shall initiate the procedure laid down in Article 29;

(c)

the issuing Member State shall notify the executing Member State of the outcome following the consultation.

The decision on the entry of the third-country national shall be taken by the executing Member State in accordance with Regulation (EU) 2016/399.

Article 31

Statistics on exchange of information

Member States shall provide statistics to eu-LISA on an annual basis on the exchanges of information carried out in accordance with Articles 27 to 30 and on the instances in which the deadlines provided for in those Articles were not met.

CHAPTER VI

SEARCH WITH BIOMETRIC DATA

Article 32

Specific rules for entering photographs, facial images and dactyloscopic data

1.   Only photographs, facial images and dactyloscopic data referred to in points (w) and (x) of Article 20(2) which fulfil minimum data quality standards and technical specifications shall be entered into SIS. Before such data are entered, a quality check shall be performed in order to ascertain whether the minimum data quality standards and technical specifications have been met.

2.   Dactyloscopic data entered in SIS may consist of one to ten flat fingerprints and one to ten rolled fingerprints. It may also include up to two palm prints.

3.   Minimum data quality standards and technical specifications shall be established in accordance with paragraph 4 of this Article for the storage of the biometric data referred to in paragraph 1 of this Article. Those minimum data quality standards and technical specifications shall set the level of quality required for using the data to verify the identity of a person in accordance with Article 33(1) and for using the data to identify a person in accordance with Article 33(2) to (4).

4.   The Commission shall adopt implementing acts to lay down the minimum data quality standards and technical specifications referred to in paragraphs 1 and 3 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

Article 33

Specific rules for verification or search with photographs, facial images and dactyloscopic data

1.   Where photographs, facial images and dactyloscopic data are available in an alert in SIS, such photographs, facial images and dactyloscopic data shall be used to confirm the identity of a person who has been located as a result of an alphanumeric search made in SIS.

2.   Dactyloscopic data may be searched in all cases to identify a person. However, dactyloscopic data shall be searched to identify a person where the identity of the person cannot be ascertained by other means. For that purpose, the Central SIS shall contain an Automated Fingerprint Identification System (AFIS).

3.   Dactyloscopic data in SIS in relation to alerts entered in accordance with Articles 24 and 25 may also be searched using complete or incomplete sets of fingerprints or palm prints discovered at the scenes of serious crimes or terrorist offences under investigation, where it can be established to a high degree of probability that those sets of prints belong to a perpetrator of the offence and provided that the search is carried out simultaneously in the Member State's relevant national fingerprints databases.

4.   As soon as it becomes technically possible, and while ensuring a high degree of reliability of identification, photographs and facial images may be used to identify a person in the context of regular border crossing points.

Before this functionality is implemented in SIS, the Commission shall present a report on the availability, readiness and reliability of the required technology. The European Parliament shall be consulted on the report.

After the start of the use of the functionality at regular border crossing points, the Commission shall be empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation concerning the determination of other circumstances in which photographs and facial images may be used to identify persons.

CHAPTER VII

RIGHT OF ACCESS AND REVIEW AND DELETION OF ALERTS

Article 34

National competent authorities having a right to access data in SIS

1.   National competent authorities responsible for the identification of third-country nationals shall have access to data entered in SIS and the right to search such data directly or in a copy of the SIS database for the purposes of:

(a)

border control, in accordance with Regulation (EU) 2016/399;

(b)

police and customs checks carried out within the Member State concerned, and the coordination of such checks by designated authorities;

(c)

the prevention, detection, investigation or prosecution of terrorist offences or other serious criminal offences or the execution of criminal penalties, within the Member State concerned, provided that Directive (EU) 2016/680 applies;

(d)

examining the conditions and taking decisions related to the entry and stay of third-country nationals on the territory of the Member States, including on residence permits and long-stay visas, and to the return of third-country nationals, as well as carrying out checks on third-country nationals who are illegally entering or staying on the territory of the Member States;

(e)

security checks on third-country nationals who apply for international protection, insofar as authorities performing the checks are not ‘determining authorities’ as defined in point (f) of Article 2 of Directive 2013/32/EU of the European Parliament and of the Council (35), and, where relevant, providing advice in accordance with Council Regulation (EC) No 377/2004 (36);

(f)

examining visa applications and taking decisions related to those applications including on whether to annul, revoke or extend visas, in accordance with Regulation (EC) No 810/2009 of the European Parliament and of the Council (37).

2.   The right to access data in SIS and the right to search such data directly may be exercised by national competent authorities responsible for naturalisation, as provided for in national law, for the purposes of examining an application for naturalisation.

3.   For the purposes of Articles 24 and 25 the right to access data in SIS and the right to search such data directly may also be exercised by national judicial authorities, including those responsible for the initiation of public prosecutions in criminal proceedings and for judicial inquiries prior to charging a person, in the performance of their tasks, as provided for in national law, and by their coordinating authorities.

4.   The right to access data concerning documents relating to persons entered in accordance with Article 38(2)(k) and (l) of Regulation (EU) 2018/1862 and the right to search such data may also be exercised by the authorities referred to in point (f) of paragraph 1 of this Article.

5.   The competent authorities referred to in this Article shall be included in the list referred to in Article 41(8).

Article 35

Access to data in SIS by Europol

1.   The European Union Agency for Law Enforcement Cooperation (Europol), established by Regulation (EU) 2016/794, shall, where necessary to fulfil its mandate, have the right to access and search data in SIS. Europol may also exchange and further request supplementary information in accordance with the provisions of the SIRENE Manual.

2.   Where a search by Europol reveals the existence of an alert in SIS, Europol shall inform the issuing Member State through the exchange of supplementary information by means of the Communication Infrastructure and in accordance with the provisions set out in the SIRENE Manual. Until Europol is able to use the functionalities intended for the exchange of supplementary information, it shall inform issuing Member States through the channels defined by Regulation (EU) 2016/794.

3.   Europol may process the supplementary information that has been provided to it by Member States for the purposes of comparing it with its databases and operational analysis projects, aimed at identifying connections or other relevant links and for the strategic, thematic or operational analyses referred to in points (a), (b) and (c) of Article 18(2) of Regulation (EU) 2016/794. Any processing by Europol of supplementary information for the purpose of this Article shall be carried out in accordance with that Regulation.

4.   Europol's use of information obtained from a search in SIS or from the processing of supplementary information shall be subject to the consent of the issuing Member State. If the Member State allows the use of such information, its handling by Europol shall be governed by Regulation (EU) 2016/794. Europol shall only communicate such information to third countries and third bodies with the consent of the issuing Member State and in full compliance with Union law on data protection.

5.   Europol shall:

(a)

without prejudice to paragraphs 4 and 6, not connect parts of SIS nor transfer the data contained in it to which it has access to any system for data collection and processing operated by or at Europol, nor download or otherwise copy any part of SIS;

(b)

notwithstanding Article 31(1) of Regulation (EU) 2016/794, delete supplementary information containing personal data at the latest one year after the related alert has been deleted. By way of derogation, where Europol has information in its databases or operational analysis projects on a case to which the supplementary information is related, in order for Europol to perform its tasks, Europol may exceptionally continue to store the supplementary information when necessary. Europol shall inform the issuing and the executing Member State of the continued storage of such supplementary information and present a justification for it;

(c)

limit access to data in SIS, including supplementary information, to specifically authorised staff of Europol who require access to such data for the performance of their tasks;

(d)

adopt and apply measures to ensure security, confidentiality and self-monitoring in accordance with Articles 10, 11 and 13;

(e)

ensure that its staff who are authorised to process SIS data receive appropriate training and information in accordance with Article 14(1); and

(f)

without prejudice to Regulation (EU) 2016/794, allow the European Data Protection Supervisor to monitor and review the activities of Europol in the exercise of its right to access and search data in SIS and in the exchange and processing of supplementary information.

6.   Europol shall only copy data from SIS for technical purposes where such copying is necessary in order for duly authorised Europol staff to carry out a direct search. This Regulation shall apply to such copies. The technical copy shall only be used for the purpose of storing SIS data whilst those data are searched. Once the data have been searched they shall be deleted. Such uses shall not be considered to be unlawful downloading or copying of SIS data. Europol shall not copy alert data or additional data issued by Member States or from CS-SIS into other Europol systems.

7.   For the purpose of verifying the lawfulness of data processing, self-monitoring and ensuring proper data security and integrity, Europol shall keep logs of every access to and search in SIS in accordance with the provisions of Article 12. Such logs and documentation shall not be considered to be unlawful downloading or copying of part of SIS.

8.   Member States shall inform Europol through the exchange of supplementary information of any hit on alerts related to terrorist offences. Member States may exceptionally not inform Europol if doing so would jeopardise current investigations, the safety of an individual or be contrary to essential interests of the security of the issuing Member State.

9.   Paragraph 8 shall apply from the date that Europol is able to receive supplementary information in accordance with paragraph 1.

Article 36

Access to data in SIS by the European Border and Coast Guard teams, teams of staff involved in return-related tasks, and members of the migration management support teams

1.   In accordance with Article 40(8) of Regulation (EU) 2016/1624, the members of the teams referred to in points (8) and (9) of Article 2 of that Regulation shall, within their mandate and provided that they are authorised to carry out checks in accordance with Article 34(1) of this Regulation and have received the required training in accordance with Article 14(1) of this Regulation, have the right to access and search data in SIS insofar it is necessary for the performance of their task and as required by the operational plan for a specific operation. Access to data in SIS shall not be extended to any other team members.

2.   Members of the teams referred to in paragraph 1 shall exercise the right to access and search data in SIS in accordance with paragraph 1 through a technical interface. The technical interface shall be set up and maintained by the European Border and Coast Guard Agency and shall allow direct connection to Central SIS.

3.   Where a search by a member of the teams referred to in paragraph 1 of this Article reveals the existence of an alert in SIS, the issuing Member State shall be informed thereof. In accordance with Article 40 of Regulation (EU) 2016/1624, members of the teams shall only act in response to an alert in SIS under instructions from and, as a general rule, in the presence of border guards or staff involved in return-related tasks of the host Member State in which they are operating. The host Member State may authorise members of the teams to act on its behalf.

4.   For the purpose of verifying the lawfulness of data processing, self-monitoring and ensuring proper data security and integrity, the European Border and Coast Guard Agency shall keep logs of every access to and search in SIS in accordance with the provisions of Article 12.

5.   The European Border and Coast Guard Agency shall adopt and apply measures to ensure security, confidentiality and self-monitoring in accordance with Articles 10, 11 and 13 and shall ensure that the teams referred to in paragraph 1 of this Article apply those measures.

6.   Nothing in this Article shall be interpreted as affecting the provisions of Regulation (EU) 2016/1624 concerning data protection or the European Border and Coast Guard Agency's liability for any unauthorised or incorrect processing of data by it.

7.   Without prejudice to paragraph 2, no parts of SIS shall be connected to any system for data collection and processing operated by the teams referred to in paragraph 1 or by the European Border and Coast Guard Agency, nor shall the data in SIS to which those teams have access be transferred to such a system. No part of SIS shall be downloaded or copied. The logging of access and searches shall not be considered to be unlawful downloading or copying of SIS data.

8.   The European Border and Coast Guard Agency shall allow the European Data Protection Supervisor to monitor and review the activities of the teams referred to in this Article in the exercise of their right to access and search data in SIS. This shall be without prejudice to the further provisions of Regulation (EU) 2018/1725.

Article 37

Evaluation of the use of SIS by Europol and the European Border and Coast Guard Agency

1.   The Commission shall carry out an evaluation of the operation and the use of SIS by Europol and the teams referred to in Article 36(1) at least every five years.

2.   Europol and the European Border and Coast Guard Agency shall ensure adequate follow-up to the findings and recommendations stemming from the evaluation.

3.   A report on the results of the evaluation and follow-up to it shall be sent to the European Parliament and to the Council.

Article 38

Scope of access

End-users, including Europol and the members of the teams referred to in points (8) and (9) of Article 2 of Regulation (EU) 2016/1624, shall only access data which they require for the performance of their tasks.

Article 39

Review period for alerts

1.   Alerts shall be kept only for the time required to achieve the purposes for which they were entered.

2.   An issuing Member State shall, within three years of the entry of an alert into SIS, review the need to retain it. However, if the national decision on which the alert is based provides for a longer period of validity than three years, the alert shall be reviewed within five years.

3.   Each Member State shall, where appropriate, set shorter review periods in accordance with its national law.

4.   Within the review period, the issuing Member State may, following a comprehensive individual assessment, which shall be recorded, decide to retain the alert for longer than the review period, where this proves necessary and proportionate for the purposes for which the alert was entered. In such a case, paragraph 2 shall also apply to the extension. Any such extension shall be communicated to CS-SIS.

5.   Alerts shall be deleted automatically after the review period referred to in paragraph 2 has expired except where the issuing Member State has informed CS-SIS of an extension pursuant to paragraph 4. CS-SIS shall automatically inform the issuing Member State of the scheduled deletion of data four months in advance.

6.   Member States shall keep statistics on the number of alerts the retention periods of which have been extended in accordance with paragraph 4 of this Article and transmit them, upon request, to the supervisory authorities referred to in Article 55.

7.   As soon as it becomes clear to a SIRENE Bureau that an alert has achieved its purpose and should therefore be deleted, it shall immediately notify the authority which created the alert. The authority shall have 15 calendar days from the receipt of that notification to reply that the alert has been or shall be deleted or shall state reasons for the retention of the alert. If no reply has been received by the end of the 15-day period, the SIRENE Bureau shall ensure that the alert is deleted. Where permissible under national law, the alert shall be deleted by the SIRENE Bureau. SIRENE Bureaux shall report any recurring issues they encounter when acting under this paragraph to their supervisory authority.

Article 40

Deletion of alerts

1.   Alerts for refusal of entry and stay pursuant to Article 24 shall be deleted:

(a)

when the decision on the basis of which the alert was entered has been withdrawn or annulled by the competent authority; or

(b)

where applicable, following the consultation procedure referred to in Article 27 and Article 29.

2.   Alerts on third-country nationals who are the subject of a restrictive measure intended to prevent entry into or transit through the territory of Member States shall be deleted when the restrictive measure has been terminated, suspended or annulled.

3.   Alerts on a person who has acquired citizenship of a Member State or of any State whose nationals are beneficiaries of the right of free movement under Union law shall be deleted as soon as the issuing Member State becomes aware, or is so informed pursuant to Article 44 that the person in question has acquired such citizenship.

4.   Alerts shall be deleted upon expiry of the alert in accordance with Article 39.

CHAPTER VIII

GENERAL DATA PROCESSING RULES

Article 41

Processing of SIS data

1.   The Member States shall only process the data referred to in Article 20 for the purposes of refusing entry into and stay on their territories.

2.   Data shall only be copied for technical purposes, where such copying is necessary in order for the competent authorities referred to in Article 34 to carry out a direct search. This Regulation shall apply to those copies. A Member State shall not copy alert data or additional data entered by another Member State from its N.SIS or from the CS-SIS into other national data files.

3.   Technical copies referred to in paragraph 2 which result in offline databases may be retained for a period not exceeding 48 hours.

Notwithstanding the first subparagraph, technical copies which result in offline databases to be used by visa-issuing authorities shall not be permitted, except for copies made to be used only in an emergency following the unavailability of the network for more than 24 hours.

Member States shall keep an up-to-date inventory of those copies, make that inventory available to their supervisory authorities, and ensure that this Regulation, in particular Article 10, is applied in respect of those copies.

4.   Access to data in SIS by national competent authorities referred to in Article 34 shall only be authorised within the limits of their competence and only to duly authorised staff.

5.   Any processing of SIS data by Member States for purposes other than those for which it was entered into SIS has to be linked with a specific case and justified by the need to prevent an imminent and serious threat to public policy and to public security, on serious grounds of national security or for the purposes of preventing a serious crime. Prior authorisation from the issuing Member State shall be obtained for this purpose.

6.   Data concerning documents related to persons that are entered into SIS under points (k) and (l) of Article 38(2) of Regulation (EU) 2018/1862 may be used by the competent authorities referred to in point (f) of Article 34(1) in accordance with the laws of each Member State.

7.   Any use of SIS data which does not comply with paragraphs 1 to 6 of this Article shall be considered as misuse under the national law of each Member State and subject to penalties in accordance with Article 59.

8.   Each Member State shall send to eu-LISA a list of its competent authorities which are authorised to search the data in SIS directly pursuant to this Regulation, as well as any changes to the list. The list shall specify, for each authority, which data it may search and for what purposes. eu-LISA shall ensure that the list is published in the Official Journal of the European Union annually. eu-LISA shall maintain a continuously updated list on its website containing changes sent by Member States between the annual publications.

9.   Insofar as Union law does not lay down specific provisions, the law of each Member State shall apply to data in its N.SIS.

Article 42

SIS data and national files

1.   Article 41(2) shall be without prejudice to the right of a Member State to keep in its national files SIS data in connection with which action has been taken on its territory. Such data shall be kept in national files for a maximum period of three years, except if specific provisions in national law provide for a longer retention period.

2.   Article 41(2) shall be without prejudice to the right of a Member State to keep in its national files data contained in a particular alert entered in SIS by that Member State.

Article 43

Information in the case of non-execution of an alert

If a requested action cannot be performed, the Member State from which action is requested shall immediately inform the issuing Member State through the exchange of supplementary information.

Article 44

Quality of the data in SIS

1.   An issuing Member State shall be responsible for ensuring that the data are accurate, up-to-date, and entered and stored in SIS lawfully.

2.   Where an issuing Member State receives relevant additional or modified data as listed in Article 20(2), it shall complete or modify the alert without delay.

3.   Only the issuing Member State shall be authorised to modify, add to, correct, update or delete data which it has entered into SIS.

4.   Where a Member State other than the issuing Member State has relevant additional or modified data as listed in Article 20(2), it shall transmit them without delay, through the exchange of supplementary information, to the issuing Member State to enable the latter to complete or modify the alert. The data shall only be transmitted if the identity of the third-country national is ascertained.

5.   Where a Member State other than the issuing Member State has evidence suggesting that an item of data is factually incorrect or has been unlawfully stored, it shall, through the exchange of supplementary information, inform the issuing Member State as soon as possible and not later than two working days after that evidence has come to its attention. The issuing Member State shall check the information and, if necessary, correct or delete the item in question without delay.

6.   Where the Member States are unable to reach an agreement within two months of the time when evidence first came to light as referred to in paragraph 5 of this Article, the Member State which did not enter the alert shall submit the matter to the supervisory authorities concerned and to the European Data Protection Supervisor for a decision, by means of cooperation in accordance with Article 57.

7.   The Member States shall exchange supplementary information in cases where a person complains that he or she is not the intended subject of an alert. Where the outcome of the check shows that the intended subject of an alert is not the complainant, the complainant shall be informed of the measures laid down in Article 47 and of the right to redress under Article 54(1).

Article 45

Security incidents

1.   Any event that has or may have an impact on the security of SIS or may cause damage or loss to SIS data or to the supplementary information shall be considered to be a security incident, especially where unlawful access to data may have occurred or where the availability, integrity and confidentiality of data has or may have been compromised.

2.   Security incidents shall be managed in a way as to ensure a quick, effective and proper response.

3.   Without prejudice to the notification and communication of a personal data breach pursuant to Article 33 of Regulation (EU) 2016/679 or to Article 30 of Directive (EU) 2016/680, Member States, Europol and the European Border and Coast Guard Agency shall notify the Commission, eu-LISA, the competent supervisory authority and the European Data Protection Supervisor without delay of security incidents. eu-LISA shall notify the Commission and the European Data Protection Supervisor without delay of any security incident concerning Central SIS.

4.   Information regarding a security incident that has or may have an impact on the operation of SIS in a Member State or within eu-LISA, on the availability, integrity and confidentiality of the data entered or sent by other Member States or on supplementary information exchanged, shall be provided to all Member States without delay and reported in compliance with the incident management plan provided by eu-LISA.

5.   The Member States and eu-LISA shall collaborate in the event of a security incident.

6.   The Commission shall report serious incidents immediately to the European Parliament and to the Council. Those reports shall be classified as EU RESTRICTED/RESTREINT UE in accordance with applicable security rules.

7.   misuse of data, Member States, Europol and the European Border and Coast Guard Agency shall ensure that penalties are imposed in accordance with Article 59.

Article 46

Distinguishing between persons with similar characteristics

1.   Where upon a new alert being entered it becomes apparent that there is already an alert in SIS on a person with the same description of identity, the SIRENE Bureau shall contact the issuing Member State through the exchange of supplementary information within 12 hours to cross-check whether the subjects of the two alerts are the same person.

2.   Where the cross-check reveals that the subject of the new alert and the person subject to the alert already entered in SIS are indeed one and the same person, the SIRENE Bureau shall apply the procedure for entering multiple alerts referred to in Article 23.

3.   Where the outcome of the cross-check is that there are in fact two different persons, the SIRENE Bureau shall approve the request for entering the second alert by adding the data necessary to avoid any misidentifications.

Article 47

Additional data for the purpose of dealing with misused identities

1.   Where confusion may arise between the person intended to be the subject of an alert and a person whose identity has been misused, the issuing Member State shall, subject to the explicit consent of the person whose identity has been misused, add data relating to the latter to the alert in order to avoid the negative consequences of misidentification. Any person whose identity has been misused shall have the right to withdraw his or her consent regarding the processing of the added personal data.

2.   Data relating to a person whose identity has been misused shall be used only for the following purposes:

(a)

to allow the competent authority to distinguish the person whose identity has been misused from the person intended to be the subject of the alert; and

(b)

to allow the person whose identity has been misused to prove his or her identity and to establish that his or her identity has been misused.

3.   For the purpose of this Article, and subject to the explicit consent of the person whose identity has been misused for each data category, only the following personal data of the person whose identity has been misused may be entered and further processed in SIS:

(a)

surnames;

(b)

forenames;

(c)

names at birth;

(d)

previously used names and any aliases possibly entered separately;

(e)

any specific objective and physical characteristic not subject to change;

(f)

place of birth;

(g)

date of birth;

(h)

gender;

(i)

photographs and facial images;

(j)

fingerprints, palm prints or both;

(k)

any nationalities held;

(l)

the category of the person's identification documents;

(m)

the country of issue of the person's identification documents;

(n)

the number(s) of the person's identification documents;

(o)

the date of issue of a person's identification documents;

(p)

address of the person;

(q)

person's father's name;

(r)

person's mother's name.

4.   The Commission shall adopt implementing acts to lay down and develop technical rules necessary for entering and further processing the data referred to in paragraph 3 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

5.   The data referred to in paragraph 3 shall be deleted at the same time as the corresponding alert or earlier where the person so requests.

6.   Only the authorities having a right of access to the corresponding alert may access the data referred to in paragraph 3. They may do so for the sole purpose of avoiding misidentification.

Article 48

Links between alerts

1.   A Member State may create a link between alerts it enters in SIS. The effect of such a link shall be to establish a relationship between two or more alerts.

2.   The creation of a link shall not affect the specific action to be taken on the basis of each linked alert or the review period of each of the linked alerts.

3.   The creation of a link shall not affect the rights of access provided for in this Regulation. Authorities with no right of access to certain categories of alerts shall not be able to see the link to an alert to which they do not have access.

4.   A Member State shall create a link between alerts when there is an operational need.

5.   Where a Member State considers that the creation by another Member State of a link between alerts is incompatible with its national law or its international obligations, it may take the necessary measures to ensure that there can be no access to the link from its national territory or by its authorities located outside its territory.

6.   The Commission shall adopt implementing acts to lay down and develop technical rules for linking alerts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

Article 49

Purpose and retention period of supplementary information

1.   Member States shall keep a reference to the decisions giving rise to an alert at the SIRENE Bureau in order to support the exchange of supplementary information.

2.   Personal data held in files by the SIRENE Bureau as a result of information exchanged shall be kept only for such time as may be required to achieve the purposes for which they were supplied. They shall in any event be deleted at the latest one year after the related alert has been deleted from SIS.

3.   Paragraph 2 shall be without prejudice to the right of a Member State to keep in national files data relating to a particular alert which that Member State has entered or to an alert in connection with which action has been taken on its territory. The period for which such data may be kept in those files shall be governed by national law.

Article 50

Transfer of personal data to third parties

Data processed in SIS and the related supplementary information exchanged pursuant to this Regulation shall not be transferred or made available to third countries or to international organisations.

CHAPTER IX

DATA PROTECTION

Article 51

Applicable legislation

1.   Regulation (EU) 2018/1725 shall apply to the processing of personal data by eu-LISA and by the European Border and Coast Guard Agency under this Regulation. Regulation (EU) 2016/794 shall apply to the processing of personal data by Europol under this Regulation.

2.   Regulation (EU) 2016/679 shall apply to the processing of personal data under this Regulation by the competent authorities referred to in Article 34 of this Regulation with the exception of processing for the purposes of the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security where Directive (EU) 2016/680 applies.

Article 52

Right of information

1.   Third-country nationals who are the subject of an alert in SIS shall be informed of this in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 or Articles 12 and 13 of Directive (EU) 2016/680. This information shall be provided in writing, together with a copy of or a reference to the national decision giving rise to the alert, as referred to in Article 24(1) of this Regulation.

2.   This information shall not be provided where national law allows for the right of information to be restricted, in particular in order to safeguard national security, defence, public security, and the prevention, detection, investigation and prosecution of criminal offences.

Article 53

Right of access, rectification of inaccurate data and erasure of unlawfully stored data

1.   Data subjects shall be able to exercise the rights laid down in Articles 15, 16 and 17 of Regulation (EU) 2016/679 and in Article 14 and Article 16(1) and (2) of Directive (EU) 2016/680.

2.   A Member State other than the issuing Member State may provide to the data subject information concerning any of the data subject's personal data that are being processed, only if it first gives the issuing Member State an opportunity to state its position. The communication between those Member States shall be done through the exchange of supplementary information.

3.   A Member State shall take a decision not to provide information to the data subject, in whole or in part, in accordance with national law, to the extent that, and for as long as such a partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the data subject concerned, in order to:

(a)

avoid obstructing official or legal inquiries, investigations or procedures;

(b)

avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;

(c)

protect public security;

(d)

protect national security; or

(e)

protect the rights and freedoms of others.

In cases referred to in the first subparagraph, the Member State shall inform the data subject in writing, without undue delay, of any refusal or restriction of access and of the reasons for the refusal or restriction. Such information may be omitted where its provision would undermine any of the reasons set out in points (a) to (e) of the first subparagraph. The Member State shall inform the data subject of the possibility of lodging a complaint with a supervisory authority or of seeking a judicial remedy.

The Member State shall document the factual or legal reasons on which the decision not to provide information to the data subject is based. That information shall be made available to the supervisory authorities.

For such cases, the data subject shall also be able to exercise his or her rights through the competent supervisory authorities.

4.   Following an application for access, rectification or erasure, the Member State shall inform the data subject as soon as possible and in any event within the deadlines referred to in Article 12(3) of Regulation (EU) 2016/679 about the follow-up given to the exercise of the rights under this Article, regardless of whether the data subject is in a third country or not.

Article 54

Remedies

1.   Without prejudice to the provisions on remedies of Regulation (EU) 2016/679 and of Directive (EU) 2016/680, any person may bring an action before any competent authority, including a court, under the law of any Member State to access, rectify, erase, obtain information or obtain compensation in connection with an alert relating to him or her.

2.   The Member States undertake mutually to enforce final decisions handed down by the courts or authorities referred to in paragraph 1 of this Article, without prejudice to Article 58.

3.   Member States shall report annually to the European Data Protection Board on:

(a)

the number of access requests submitted to the data controller and the number of cases where access to the data was granted;

(b)

the number of access requests submitted to the supervisory authority and the number of cases where access to the data was granted;

(c)

the number of requests for the rectification of inaccurate data and for the erasure of unlawfully stored data to the data controller and the number of cases where the data were rectified or erased;

(d)

the number of requests for the rectification of inaccurate data and the erasure of unlawfully stored data submitted to the supervisory authority;

(e)

the number of court proceedings initiated;

(f)

the number of cases where the court ruled in favour of the applicant;

(g)

any observations on cases of mutual recognition of final decisions handed down by the courts or authorities of other Member States on alerts entered by the issuing Member State.

A template for the reporting referred to in this paragraph shall be developed by the Commission.

4.   The reports from the Member States shall be included in the joint report referred to in Article 57(4).

Article 55

Supervision of N.SIS

1.   Member States shall ensure that the independent supervisory authorities designated in each Member State and endowed with the powers referred to in Chapter VI of Regulation (EU) 2016/679 or Chapter VI of Directive (EU) 2016/680 monitor the lawfulness of the processing of personal data in SIS on their territory, its transmission from their territory and the exchange and further processing of supplementary information on their territory.

2.   The supervisory authorities shall ensure that an audit of the data processing operations in its N.SIS is carried out in accordance with international auditing standards at least every four years. The audit shall either be carried out by the supervisory authorities, or the supervisory authorities shall directly order the audit from an independent data protection auditor. The supervisory authorities shall at all times retain control over and undertake the responsibilities of the independent auditor.

3.   Member States shall ensure that their supervisory authorities have sufficient resources to fulfil the tasks entrusted to them under this Regulation and have access to advice from persons with sufficient knowledge of biometric data.

Article 56

Supervision of eu-LISA

1.   The European Data Protection Supervisor shall be responsible for monitoring the processing of personal data by eu-LISA and for ensuring that it is carried out in accordance with this Regulation. The tasks and powers referred to in Articles 57 and 58 of Regulation (EU) 2018/1725 shall apply accordingly.

2.   The European Data Protection Supervisor shall carry out an audit of the processing of personal data by eu-LISA in accordance with international auditing standards at least every four years. A report on that audit shall be sent to the European Parliament, to the Council, to eu-LISA, to the Commission and to the supervisory authorities. eu-LISA shall be given an opportunity to make comments before the report is adopted.

Article 57

Cooperation between supervisory authorities and the European Data Protection Supervisor

1.   The supervisory authorities and the European Data Protection Supervisor, each acting within the scope of their respective competences, shall actively cooperate within the framework of their responsibilities and shall ensure coordinated supervision of SIS.

2.   The supervisory authorities and the European Data Protection Supervisor shall, each acting within the scope of their respective competences, exchange relevant information, assist each other in carrying out audits and inspections, examine difficulties in the interpretation or application of this Regulation and other applicable Union legal acts, study problems that are revealed through the exercise of independent supervision or through the exercise of the rights of data subjects, draw up harmonised proposals for joint solutions to any problems and promote awareness of data protection rights, as necessary.

3.   For the purposes laid down in paragraph 2, the supervisory authorities and the European Data Protection Supervisor shall meet at least twice a year as part of the European Data Protection Board. The costs and servicing of these meetings shall be borne by the European Data Protection Board. Rules of procedure shall be adopted at the first meeting. Further working methods shall be developed jointly as necessary.

4.   A joint report of activities as regards coordinated supervision shall be sent annually by the European Data Protection Board to the European Parliament, to the Council, and to the Commission.

CHAPTER X

LIABILITY AND PENALTIES

Article 58

Liability

1.   Without prejudice to the right to compensation and to any liability under Regulation (EU) 2016/679, Directive (EU) 2016/680 and Regulation (EU) 2018/1725:

(a)

any person or Member State that has suffered material or non-material damage, as a result of an unlawful personal data processing operation through the use of N.SIS or any other act incompatible with this Regulation by a Member State, shall be entitled to receive compensation from that Member State; and

(b)

any person or Member State that has suffered material or non-material damage as a result of any act by eu-LISA incompatible with this Regulation shall be entitled to receive compensation from eu-LISA.

A Member State or eu-LISA shall be exempted from their liability under the first subparagraph, in whole or in part, if they prove that they are not responsible for the event which gave rise to the damage.

2.   If any failure of a Member State to comply with its obligations under this Regulation causes damage to SIS, that Member State shall be held liable for such damage, unless and insofar as eu-LISA or another Member State participating in SIS failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.

3.   Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 shall be governed by the national law of that Member State. Claims for compensation against eu-LISA for the damage referred to in paragraphs 1 and 2 shall be subject to the conditions provided for in the Treaties.

Article 59

Penalties

Member States shall ensure that any misuse of SIS data, or any processing of such data or any exchange of supplementary information contrary to this Regulation, is punishable in accordance with national law.

The penalties provided for shall be effective, proportionate and dissuasive.

CHAPTER XI

FINAL PROVISIONS

Article 60

Monitoring and statistics

1.   eu-LISA shall ensure that procedures are in place to monitor the functioning of SIS against objectives relating to output, cost-effectiveness, security and quality of service.

2.   For the purposes of technical maintenance, reporting, data quality reporting and statistics, eu-LISA shall have access to the necessary information relating to the processing operations performed in Central SIS.

3.   eu-LISA shall produce daily, monthly and annual statistics showing the number of records per category of alerts, both for each Member State and in aggregate. eu-LISA shall also provide annual reports on the number of hits per category of alert, how many times SIS was searched and how many times SIS was accessed for the purpose of entering, updating or deleting an alert, both for each Member State and in aggregate. Such statistics shall include statistics on the exchanges of information under Article 27 to Article 31. The statistics produced shall not contain any personal data. The annual statistical report shall be published.

4.   Member States, Europol and the European Border and Coast Guard Agency shall provide eu-LISA and the Commission with the information necessary to draft the reports referred to in paragraphs 3, 5, 7 and 8.

5.   eu-LISA shall provide the European Parliament, the Council, the Member States, the Commission, Europol, the European Border and Coast Guard Agency and the European Data Protection Supervisor with any statistical reports that it produces.

In order to monitor the implementation of Union legal acts, including for the purposes of Regulation (EU) No 1053/2013, the Commission may request that eu-LISA provide additional specific statistical reports, either on a regular or ad hoc basis, on the performance of SIS, the use of SIS and on the exchange of supplementary information.

The European Border and Coast Guard Agency may request that eu-LISA provide additional specific statistical reports for the purpose of carrying out risk analyses and vulnerability assessments as referred to in Articles 11 and 13 of Regulation (EU) 2016/1624, either on a regular or ad hoc basis.

6.   For the purpose of Article 15(4) and of paragraphs 3, 4 and 5 of this Article, eu-LISA shall establish, implement and host a central repository in its technical sites containing the data referred to in Article 15(4) and in paragraph 3 of this Article which shall not allow for the identification of individuals and which shall allow the Commission and the agencies referred to in paragraph 5 of this Article to obtain bespoke reports and statistics. Upon request, eu-LISA shall give access to Member States, the Commission, Europol, and the European Border and Coast Guard Agency, to the extent required for the performance of their tasks, to the central repository by means of secured access through the Communication Infrastructure. eu-LISA shall implement access controls and specific user profiles to ensure that the central repository is accessed solely for the purpose of reporting and statistics.

7.   Two years after the date of application of this Regulation pursuant to the first subparagraph of Article 66(5) and every two years thereafter, eu-LISA shall submit to the European Parliament and to the Council a report on the technical functioning of Central SIS and of the Communication Infrastructure, including their security, on the AFIS and on the bilateral and multilateral exchange of supplementary information between Member States. This report shall also contain, once the technology is in use, an evaluation of the use of facial images to identify persons.

8.   Three years after the date of application of this Regulation pursuant to the first subparagraph of Article 66(5) and every four years thereafter, the Commission shall carry out an overall evaluation of Central SIS and the bilateral and multilateral exchange of supplementary information between Member States. That overall evaluation shall include an examination of results achieved against objectives, and an assessment of the continuing validity of the underlying rationale, the application of this Regulation in respect of Central SIS, the security of Central SIS and any implications for future operations. The evaluation report shall also include an assessment of the AFIS and the SIS information campaigns carried out by the Commission in accordance with Article 19.

The evaluation report shall also contain statistics on the number of alerts entered in accordance with point (a) of Article 24(1)and statistics on the number of alerts entered in accordance with point (b) of that paragraph. As regards alerts falling under point (a) of Article 24(1), it shall detail how many alerts were entered following the situations referred to in point (a), (b) or (c) of Article 24(2). The evaluation report shall also contain an assessment of the application of Article 24 by Member States.

The Commission shall transmit the evaluation report to the European Parliament and to the Council.

9.   The Commission shall adopt implementing acts to lay down detailed rules on the operation of the central repository referred to in paragraph 6 of this Article and the data protection and security rules applicable to that repository. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

Article 61

Exercise of the delegation

1.   The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2.   The power to adopt delegated acts referred to in Article 33(4) shall be conferred on the Commission for an indeterminate period of time from 27 December 2018.

3.   The delegation of power referred to in Article 33(4) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4.   Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.

5.   As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

6.   A delegated act adopted pursuant to Article 33(4) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.

Article 62

Committee procedure

1.   The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2.   Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

Article 63

Amendments to Regulation (EC) No 1987/2006

Regulation (EC) No 1987/2006 is amended as follows:

(1)

Article 6 is replaced by the following:

‘Article 6

National Systems

1.   Each Member State shall be responsible for setting up, operating, maintaining and further developing its N.SIS II and connecting it to NI-SIS.

2.   Each Member State shall be responsible for ensuring the uninterrupted availability of SIS II data to end-users.’;

(2)

Article 11 is replaced by the following:

‘Article 11

Confidentiality – Member States

1.   Each Member State shall apply its rules of professional secrecy or other equivalent duties of confidentiality to all persons and bodies required to work with SIS II data and supplementary information, in accordance with its national legislation. This obligation shall also apply after those people leave office or employment or after the termination of the activities of those bodies.

2.   Where a Member State cooperates with external contractors in any SIS II-related tasks, it shall closely monitor the activities of the contractor to ensure compliance with all provisions of this Regulation, in particular on security, confidentiality and data protection.

3.   The operational management of N.SIS II or of any technical copies shall not be entrusted to private companies or private organisations.’;

(3)

Article 15 is amended as follows:

(a)

the following paragraph is inserted:

‘3a.   The Management Authority shall develop and maintain a mechanism and procedures for carrying out quality checks on the data in CS-SIS. It shall provide regular reports to the Member States in this regard.

The Management Authority shall provide a regular report to the Commission covering the issues encountered and the Member States concerned.

The Commission shall provide the European Parliament and the Council with a regular report on data quality issues that are encountered.’;

(b)

paragraph 8 is replaced by the following:

‘8.   The operational management of Central SIS II shall consist of all the tasks necessary to keep Central SIS II functioning 24 hours a day, 7 days a week in accordance with this Regulation, in particular the maintenance work and technical developments necessary for the smooth running of the system. Those tasks shall also include the coordination, management and support of testing activities for Central SIS II and the N.SIS II that ensure that Central SIS II and the N.SIS II operate in accordance with the requirements for technical compliance set out in Article 9.’;

(4)

in Article 17, the following paragraphs are added:

‘3.   Where the Management Authority cooperates with external contractors in any SIS II-related tasks, it shall closely monitor the activities of the contractor to ensure compliance with all provisions of this Regulation, in particular on security, confidentiality and data protection.

4.   The operational management of CS-SIS shall not be entrusted to private companies or private organisations.’;

(5)

in Article 20(2), the following point is inserted:

‘(ka)

the type of offence;’;

(6)

in Article 21, the following paragraph is added:

‘Where the decision to refuse entry and stay referred to in Article 24(2) is related to a terrorist offence, the case shall be considered adequate, relevant and important enough to warrant an alert in SIS II. For public or national security reasons, Member States may exceptionally refrain from entering an alert when it is likely to obstruct official or legal inquiries, investigations or procedures.’;

(7)

Article 22 is replaced by the following:

‘Article 22

Specific rules for entering, verification or search with photographs and fingerprints

1.   Photographs and fingerprints shall only be entered following a special quality check to ascertain whether they fulfil minimum data quality standards. The specification of the special quality check shall be established in accordance with the procedure referred to in Article 51(2).

2.   Where photographs and fingerprint data are available in an alert in SIS II, such photographs and fingerprint data shall be used to confirm the identity of a person who has been located as a result of an alphanumeric search made in SIS II.

3.   Fingerprint data may be searched in all cases to identify a person. However, fingerprint data shall be searched to identify a person where the identity of the person cannot be ascertained by other means. For that purpose, the Central SIS II shall contain an Automated Fingerprint Identification System (AFIS).

4.   Fingerprint data in SIS II in relation to alerts entered in accordance with Articles 24 and 26 may also be searched using complete or incomplete sets of fingerprints discovered at the scenes of serious crimes or terrorist offences under investigation, where it can be established to a high degree of probability that those sets of prints belong to a perpetrator of the offence and provided that the search is carried out simultaneously in the Member State's relevant national fingerprints databases.’;

(8)

Article 26 is replaced by the following:

‘Article 26

Conditions for entering alerts on third-country nationals subject to restrictive measures

1.   Alerts on third-country nationals who are the subject of a restrictive measure intended to prevent entry into or transit through the territory of Member States taken in accordance with legal acts adopted by the Council, including measures implementing a travel ban issued by the Security Council of the United Nations, shall, insofar as data-quality requirements are satisfied, be entered into SIS II for the purpose of refusing entry and stay.

2.   The alerts shall be entered, kept up-to-date and deleted by the competent authority of the Member State which holds the Presidency of the Council of the European Union at the time of the adoption of the measure. If that Member State does not have access to SIS II or to alerts entered in accordance with this Regulation, the responsibility shall be taken up by the Member State which holds the subsequent Presidency and which has access to SIS II, including to alerts entered in accordance with this Regulation.

Member States shall put in place the necessary procedures for entering, updating and deleting such alerts.’;

(9)

the following Articles are inserted:

‘Article 27a

Access to data in SIS II by Europol

1.   The European Union Agency for Law Enforcement Cooperation (Europol), established by Regulation (EU) 2016/794 of the European Parliament and of the Council (*1), shall, where necessary to fulfil its mandate, have the right to access and search data in SIS II. Europol may also exchange and further request supplementary information in accordance with the provisions of the SIRENE Manual.

2.   Where a search by Europol reveals the existence of an alert in SIS II, Europol shall inform the issuing Member State through the exchange of supplementary information by means of the Communication Infrastructure and in accordance with the provisions set out in the SIRENE Manual. Until Europol is able to use the functionalities intended for the exchange of supplementary information, it shall inform issuing Member States through the channels defined by Regulation (EU) 2016/794.

3.   Europol may process the supplementary information that has been provided to it by Member States for the purposes of comparing it with its databases and operational analysis projects, aimed at identifying connections or other relevant links and for the strategic, thematic or operational analyses referred to in points (a), (b) and (c) of Article 18(2) of Regulation (EU) 2016/794. Any processing by Europol of supplementary information for the purpose of this Article shall be carried out in accordance with that Regulation.

4.   Europol's use of information obtained from a search in SIS II or from the processing of supplementary information shall be subject to the consent of the issuing Member State. If the Member State allows the use of such information, its handling by Europol shall be governed by Regulation (EU) 2016/794. Europol shall only communicate such information to third countries and third bodies with the consent of the issuing Member State and in full compliance with Union law on data protection.

5.   Europol shall:

(a)

without prejudice to paragraphs 4 and 6, not connect parts of SIS II nor transfer the data contained in it to which it has access to any system for data collection and processing operated by or at Europol, nor download or otherwise copy any part of SIS II;

(b)

notwithstanding Article 31(1) of Regulation (EU) 2016/794, delete supplementary information containing personal data at the latest one year after the related alert has been deleted. By way of derogation, where Europol has information in its databases or operational analysis projects on a case to which the supplementary information is related, in order for Europol to perform its tasks, Europol may exceptionally continue to store the supplementary information when necessary. Europol shall inform the issuing and the executing Member State of the continued storage of such supplementary information and present a justification for it;

(c)

limit access to data in SIS II, including supplementary information, to specifically authorised staff of Europol who require access to such data for the performance of their tasks;

(d)

adopt and apply measures to ensure security, confidentiality and self-monitoring in accordance with Articles 10, 11 and 13;

(e)

ensure that its staff who are authorised to process SIS II data receive appropriate training and information in accordance with Article 14; and

(f)

without prejudice to Regulation (EU) 2016/794, allow the European Data Protection Supervisor to monitor and review the activities of Europol in the exercise of its right to access and search data in SIS II and in the exchange and processing of supplementary information.

6.   Europol shall only copy data from SIS II for technical purposes where such copying is necessary in order for duly authorised Europol staff to carry out a direct search. This Regulation shall apply to such copies. The technical copy shall only be used for the purpose of storing SIS II data whilst those data are searched. Once the data have been searched they shall be deleted. Such uses shall not be considered to be unlawful downloading or copying of SIS II data. Europol shall not copy alert data or additional data issued by Member States or from CS-SIS II into other Europol systems.

7.   For the purpose of verifying the lawfulness of data processing, self-monitoring and ensuring proper data security and integrity, Europol shall keep logs of every access to and search in SIS II in accordance with the provisions of Article 12. Such logs and documentation shall not be considered to be unlawful downloading or copying of part of SIS II.

8.   Member States shall inform Europol through the exchange of supplementary information of any hit on alerts related to terrorist offences. Member States may exceptionally not inform Europol if doing so would jeopardise current investigations, the safety of an individual or be contrary to essential interests of the security of the issuing Member State.

9.   Paragraph 8 shall apply from the date that Europol is able to receive supplementary information in accordance with paragraph 1.

Article 27b

Access to data in SIS II by the European Border and Coast Guard teams, teams of staff involved in return-related tasks, and members of the migration management support teams

1.   In accordance with Article 40(8) of Regulation (EU) 2016/1624 of the European Parliament and of the Council (*2), the members of the teams referred to in points (8) and (9) of Article 2 of that Regulation shall, within their mandate and provided that they are authorised to carry out checks in accordance with Article 27(1) of this Regulation and have received the required training in accordance with Article 14 of this Regulation, have the right to access and search data in SIS II insofar it is necessary for the performance of their task and as required by the operational plan for a specific operation. Access to data in SIS II shall not be extended to any other team members.

2.   Members of the teams referred to in paragraph 1 shall exercise the right to access and search data in SIS II in accordance with paragraph 1 through a technical interface. The technical interface shall be set up and maintained by the European Border and Coast Guard Agency and shall allow direct connection to Central SIS II.

3.   Where a search by a member of the teams referred to in paragraph 1 of this Article reveals the existence of an alert in SIS II, the issuing Member State shall be informed thereof. In accordance with Article 40 of Regulation (EU) 2016/1624, members of the teams shall only act in response to an alert in SIS II under instructions from and, as a general rule, in the presence of border guards or staff involved in return-related tasks of the host Member State in which they are operating. The host Member State may authorise members of the teams to act on its behalf.

4.   For the purpose of verifying the lawfulness of data processing, self-monitoring and ensuring proper data security and integrity, the European Border and Coast Guard Agency shall keep logs of every access to and search in SIS II in accordance with the provisions of Article 12.

5.   The European Border and Coast Guard Agency shall adopt and apply measures to ensure security, confidentiality and self-monitoring in accordance with Articles 10, 11 and 13 and shall ensure that the teams referred to in paragraph 1 of this Article apply those measures.

6.   Nothing in this Article shall be interpreted as affecting the provisions of Regulation (EU) 2016/1624 concerning data protection or the European Border and Coast Guard Agency's liability for any unauthorised or incorrect processing of data by it.

7.   Without prejudice to paragraph 2, no parts of SIS II shall be connected to any system for data collection and processing operated by the teams referred to in paragraph 1 or by the European Border and Coast Guard Agency, nor shall the data in SIS II to which those teams have access be transferred to such a system. No part of SIS II shall be downloaded or copied. The logging of access and searches shall not be considered to be unlawful downloading or copying of SIS II data.

8.   The European Border and Coast Guard Agency shall allow the European Data Protection Supervisor to monitor and review the activities of the teams referred to in this Article in the exercise of their right to access and search data in SIS II. This shall be without prejudice to the further provisions of Regulation (EU) 2018/1725 of the European Parliament and of the Council (*3).

(*1)  Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53)."

(*2)  Regulation (EU) 2016/1624 of the European Parliament and of the Council of 14 September 2016 on the European Border and Coast Guard and amending Regulation (EU) 2016/399 of the European Parliament and of the Council and repealing Regulation (EC) No 863/2007 of the European Parliament and of the Council, Council Regulation (EC) No 2007/2004 and Council Decision 2005/267/EC (OJ L 251, 16.9.2016, p. 1)."

(*3)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).’."

Article 64

Amendment to the Convention implementing the Schengen Agreement

Article 25 of the Convention implementing the Schengen Agreement is deleted.

Article 65

Repeal

Regulation (EC) No 1987/2006 is repealed from the date of application of this Regulation as set out in the first subparagraph of Article 66(5).

References to the repealed Regulation shall be construed as references to this Regulation and shall be read in accordance with the correlation table in the Annex.

Article 66

Entry into force, start of operation and application

1.   This Regulation shall enter into force on the twentieth day following its publication in the Official Journal of the European Union.

2.   No later than 28 December 2021, the Commission shall adopt a decision setting the date on which SIS operations start pursuant to this Regulation, after verification that the following conditions have been met:

(a)

the implementing acts necessary for the application of this Regulation have been adopted;

(b)

Member States have notified the Commission that they have made the necessary technical and legal arrangements to process SIS data and exchange supplementary information pursuant to this Regulation; and

(c)

eu-LISA has notified the Commission of the successful completion of all testing activities with regard to CS-SIS and to the interaction between CS-SIS and N.SIS.

3.   The Commission shall closely monitor the process of gradual fulfilment of the conditions set out in paragraph 2 and shall inform the European Parliament and the Council about the outcome of the verification referred to in that paragraph.

4.   By 28 December 2019 and every year thereafter until the decision of the Commission referred to in paragraph 2 has been taken, the Commission shall submit a report to the European Parliament and to the Council on the state of play of preparations for the full implementation of this Regulation. That report shall contain also detailed information about the costs incurred and information as to any risks which may impact the overall costs.

5.   This Regulation shall apply from the date determined in accordance with paragraph 2.

By way of derogation from the first subparagraph:

(a)

Article 4(4), Article 5, Article 8(4), Article 9(1) and (5), Article 15(7), Article 19, Article 20(3) and (4), Article 32(4), Article 33(4), Article 47(4), Article 48(6), Article 60(6) and (9), Article 61, Article 62, points (1) to (6) and point (8) of Article 63, and paragraphs 3 and 4 of this Article shall apply from the date of entry into force of this Regulation;

(b)

point (9) of Article 63 shall apply from 28 December 2019;

(c)

point (7) of Article 63 shall apply from 28 December 2020.

6.   The Commission decision referred to in paragraph 2 shall be published in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.

Done at Brussels, 28 November 2018.

For the European Parliament

The President

A. TAJANI

For the Council

The President

K. EDTSTADLER


(1)  Position of the European Parliament of 24 October 2018 (not yet published in the Official Journal) and decision of the Council of 19 November 2018.

(2)  OJ L 239, 22.9.2000, p. 19.

(3)  Council Regulation (EC) No 2424/2001 of 6 December 2001 on the development of the second generation Schengen Information System (SIS II) (OJ L 328, 13.12.2001, p. 4).

(4)  Council Decision 2001/886/JHA of 6 December 2001 on the development of the second generation Schengen Information System (SIS II) (OJ L 328, 13.12.2001, p. 1).

(5)  Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (OJ L 381, 28.12.2006, p. 4).

(6)  Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (OJ L 205, 7.8.2007, p. 63).

(7)  Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (see page 56 of this Official Journal).

(8)  Regulation (EU) 2018/1726 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011 (OJ L 295, 21.11.2018, p. 99).

(9)  Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).

(10)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(11)  Directive 2008/115/EC of the European Parliament and of the Council of 16 December 2008 on common standards and procedures in Member States for returning illegally staying third-country nationals (OJ L 348, 24.12.2008, p. 98).

(12)  Directive 2004/38/EC of the European Parliament and of the Council of 29 April 2004 on the right of citizens of the Union and their family members to move and reside freely within the territory of the Member States amending Regulation (EEC) No 1612/68 and repealing Directives 64/221/EEC, 68/360/EEC, 72/194/EEC, 73/148/EEC, 75/34/EEC, 75/35/EEC, 90/364/EEC, 90/365/EEC and 93/96/EEC (OJ L 158, 30.4.2004, p. 77).

(13)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

(14)  Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53).

(15)  OJ L 56, 4.3.1968, p. 1.

(16)  Regulation (EU) 2016/1624 of the European Parliament and of the Council of 14 September 2016 on the European Border and Coast Guard and amending Regulation (EU) 2016/399 of the European Parliament and of the Council and repealing Regulation (EC) No 863/2007 of the European Parliament and of the Council, Council Regulation (EC) No 2007/2004 and Council Decision 2005/267/EC (OJ L 251, 16.9.2016, p. 1).

(17)  Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).

(18)  OJ L 123, 12.5.2016, p. 1.

(19)  Regulation (EU) No 515/2014 of the European Parliament and of the Council of 16 April 2014 establishing, as part of the Internal Security Fund, the instrument for financial support for external borders and visa and repealing Decision No 574/2007/EC (OJ L 150, 20.5.2014, p. 143).

(20)  Council Decision 2000/365/EC of 29 May 2000 concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen acquis (OJ L 131, 1.6.2000, p. 43).

(21)  Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen acquis (OJ L 64, 7.3.2002, p. 20).

(22)  OJ L 176, 10.7.1999, p. 36.

(23)  Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (OJ L 176, 10.7.1999, p. 31).

(24)  OJ L 53, 27.2.2008, p. 52.

(25)  Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis (OJ L 53, 27.2.2008, p. 1).

(26)  OJ L 160, 18.6.2011, p. 21.

(27)  Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis, relating to the abolition of checks at internal borders and movement of persons (OJ L 160, 18.6.2011, p. 19).

(28)  Council Decision 2010/365/EU of 29 June 2010 on the application of the provisions of the Schengen acquis relating to the Schengen Information System in the Republic of Bulgaria and Romania (OJ L 166, 1.7.2010, p. 17).

(29)  Council Decision (EU) 2018/934 of 25 June 2018 on the putting into effect of the remaining provisions of the Schengen acquis relating to the Schengen Information System in the Republic of Bulgaria and Romania (OJ L 165, 2.7.2018, p. 37).

(30)  Council Decision (EU) 2017/733 of 25 April 2017 on the application of the provisions of the Schengen acquis relating to the Schengen Information System in the Republic of Croatia (OJ L 108, 26.4.2017, p. 31 ).

(31)  Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).

(32)  Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).

(33)  Regulation (EU) 2016/399 of the European Parliament and of the Council of 9 March 2016 on a Union Code on the rules governing the movement of persons across borders (Schengen Borders Code) (OJ L 77, 23.3.2016, p. 1).

(34)  Council Regulation (EU) No 1053/2013 of 7 October 2013 establishing an evaluation and monitoring mechanism to verify the application of the Schengen acquis and repealing the Decision of the Executive Committee of 16 September 1998 setting up a Standing Committee on the evaluation and implementation of Schengen (OJ L 295, 6.11.2013, p. 27).

(35)  Directive 2013/32/EU of the European Parliament and of the Council of 26 June 2013 on common procedures for granting and withdrawing international protection (OJ L 180, 29.6.2013, p. 60).

(36)  Council Regulation (EC) No 377/2004 of 19 February 2004 on the creation of an immigration liaison officers network (OJ L 64, 2.3.2004, p. 1).

(37)  Regulation (EC) No 810/2009 of the European Parliament and of the Council of 13 July 2009 establishing a Community Code on Visas (Visa Code) (OJ L 243, 15.9.2009, p. 1).


ANNEX

CORRELATION TABLE

Regulation (EC) No 1987/2006

This Regulation

Article 1

Article 1

Article 2

Article 2

Article 3

Article 3

Article 4

Article 4

Article 5

Article 5

Article 6

Article 6

Article 7

Article 7

Article 8

Article 8

Article 9

Article 9

Article 10

Article 10

Article 11

Article 11

Article 12

Article 12

Article 13

Article 13

Article 14

Article 14

Article 15

Article 15

Article 16

Article 16

Article 17

Article 17

Article 18

Article 18

Article 19

Article 19

Article 20

Article 20

Article 21

Article 21

Article 22

Articles 32 and 33

Article 23

Article 22

Article 23

Article 24

Article 24

Article 25

Article 26

Article 26

Article 25

Article 27

Article 28

Article 29

Article 30

Article 31

Article 27

Article 34

Article 27a

Article 35

Article 27b

Article 36

Article 37

Article 28

Article 38

Article 29

Article 39

Article 30

Article 40

Article 31

Article 41

Article 32

Article 42

Article 33

Article 43

Article 34

Article 44

Article 45

Article 35

Article 46

Article 36

Article 47

Article 37

Article 48

Article 38

Article 49

Article 39

Article 50

Article 40

Article 51

Article 41

Article 53

Article 42

Article 52

Article 43

Article 54

Article 44

Article 55

Article 45

Article 56

Article 46

Article 57

Article 47

Article 48

Article 58

Article 49

Article 59

Article 50

Article 60

Article 61

Article 51

Article 62

Article 52

Article 63

Article 64

Article 53

Article 65

Article 54

Article 55

Article 66


7.12.2018   

EN

Official Journal of the European Union

L 312/56


REGULATION (EU) 2018/1862 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of 28 November 2018

on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular point (d) of the second subparagraph of Article 82(1), Article 85(1), Article 87(2)(a) and Article 88(2)(a) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Acting in accordance with the ordinary legislative procedure (1),

Whereas:

(1)

The Schengen Information System (SIS) constitutes an essential tool for the application of the provisions of the Schengen acquis as integrated into the framework of the European Union. SIS is one of the major compensatory measures contributing to maintaining a high level of security within the area of freedom, security and justice of the Union by supporting operational cooperation between national competent authorities, in particular border guards, the police, customs authorities, immigration authorities, and authorities responsible for the prevention, detection, investigation or prosecution of criminal offences or execution of criminal penalties.

(2)

SIS was initially set up pursuant to the provisions of Title IV of the Convention of 19 June 1990 implementing the Schengen Agreement of 14 June 1985 between the governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders (2) (the Convention implementing the Schengen Agreement). The development of the second generation of SIS (SIS II) was entrusted to the Commission pursuant to Council Regulation (EC) No 2424/2001 (3) and Council Decision 2001/886/JHA (4). It was later established by Regulation (EC) No 1987/2006 of the European Parliament and of the Council (5) and by Council Decision 2007/533/JHA (6). SIS II replaced SIS as created pursuant to the Convention implementing the Schengen Agreement.

(3)

Three years after SIS II was brought into operation, the Commission carried out an evaluation of the system in accordance with Regulation (EC) No 1987/2006 and Decision 2007/533/JHA. On 21 December 2016, the Commission submitted the Report on the Evaluation of the Second Generation Schengen Information System (SIS II) in accordance with Articles 24(5), 43(3) and 50(5) of Regulation (EC) No 1987/2006 and Articles 59(3) and 66(5) of Decision 2007/533/JHA and an accompanying staff working document to the European Parliament and to the Council. The recommendations set out in those documents should be reflected, as appropriate, in this Regulation.

(4)

This Regulation constitutes the legal basis for SIS in respect of matters falling within the scope of Chapters 4 and 5 of Title V of Part Three of the Treaty on Functioning of the European Union (TFEU). Regulation (EU) 2018/1861 of the European Parliament and of the Council (7) constitutes the legal basis for SIS in respect of matters falling within the scope of Chapter 2 of Title V of Part Three TFEU.

(5)

The fact that the legal basis for SIS consists of separate instruments does not affect the principle that SIS constitutes one single information system that should operate as such. It should include a single network of national offices called SIRENE Bureaux for ensuring the exchange of supplementary information. Certain provisions of those instruments should therefore be identical.

(6)

It is necessary to specify the objectives of SIS, certain elements of its technical architecture and its financing, to lay down rules concerning its end-to-end operation and use and to define responsibilities. It is also necessary to determine the categories of data to be entered into the system, the purposes for which the data are to be entered and processed and the criteria for their entry. Rules are also required to govern the deletion of alerts, the authorities authorised to access the data, the use of biometric data and to further determine data protection and data processing rules.

(7)

Alerts in SIS contain only the information necessary to identify a person or an object and for the action to be taken. Member States should therefore exchange supplementary information related to alerts where required.

(8)

SIS includes a central system (Central SIS) and national systems. The national systems might contain a complete or partial copy of the SIS database, which may be shared by two or more Member States. Considering that SIS is the most important information exchange instrument in Europe for ensuring security and effective border management, it is necessary to ensure its uninterrupted operation at central as well as at national level. The availability of SIS should be subject to close monitoring at central and Member State level and any incident of unavailability for end-users should be registered and reported to stakeholders at national and Union level. Each Member State should set up a backup for its national system. Member States should also ensure uninterrupted connectivity with Central SIS by having duplicated and physically and geographically separated connection points. Central SIS and the Communication Infrastructure should be operated in such a way that their functioning 24 hours a day, 7 days a week is ensured. For that reason the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (‘eu-LISA’), established by Regulation (EU) 2018/1726 of the European Parliament and of the Council (8) should implement technical solutions to reinforce the uninterrupted availability of SIS, subject to an independent impact assessment and cost-benefit analysis.

(9)

It is necessary to maintain a manual setting out the detailed rules for the exchange of supplementary information concerning the actions called for by alerts (‘the SIRENE Manual’). The SIRENE Bureaux, should ensure the exchange of such information in a fast and efficient manner.

(10)

In order to ensure the efficient exchange of supplementary information, including on the action to be taken specified in alerts, it is appropriate to reinforce the functioning of the SIRENE Bureaux by specifying the requirements concerning the available resources and user training and the response time to inquiries they receive from other SIRENE Bureaux.

(11)

Member States should ensure that the staff of their SIRENE Bureau have the linguistic skills and knowledge of relevant law and procedural rules necessary to perform their tasks.

(12)

In order to be able to fully benefit from the functionalities of SIS, Member States should ensure that end-users and the staff of the SIRENE Bureaux regularly receive training, including on data security, data protection and data quality. SIRENE Bureaux should be involved in the development of training programmes. To the extent possible, SIRENE Bureaux should also provide for staff exchanges with other SIRENE Bureaux at least once a year. Member States are encouraged to take appropriate measures to avoid the loss of skills and experience through staff turnover.

(13)

The operational management of the central components of SIS are exercised by eu-LISA. In order to enable eu-LISA to dedicate the necessary financial and personal resources covering all aspects of the operational management of Central SIS and the Communication Infrastructure, this Regulation should set out its tasks in detail, in particular with regard to the technical aspects of the exchange of supplementary information.

(14)

Without prejudice to the responsibility of Member States for the accuracy of data entered into SIS and to the role of the SIRENE Bureaux as quality coordinators, eu-LISA should be responsible for reinforcing data quality by introducing a central data quality monitoring tool, and should provide reports at regular intervals to the Commission and to the Member States. The Commission should report to the European Parliament and to the Council on the data quality issues encountered. To further increase the quality of data in SIS, eu-LISA should also offer training on the use of SIS to national training bodies and, insofar as possible, to the SIRENE Bureaux and to end-users.

(15)

In order to allow better monitoring of the use of SIS and to analyse trends concerning criminal offences, eu-LISA should be able to develop a state-of-the-art capability for statistical reporting to the Member States, to the European Parliament, to the Council, to the Commission, to Europol, to Eurojust and to the European Border and Coast Guard Agency without jeopardising data integrity. Therefore, a central repository should be established. Statistics retained in or obtained from that repository should not contain any personal data. Member States should communicate statistics concerning exercise of the right of access, rectification of inaccurate data and erasure of unlawfully stored data in the framework of cooperation between supervisory authorities and the European Data Protection Supervisor under this Regulation.

(16)

New data categories should be introduced in SIS to allow end-users to take informed decisions based upon an alert without losing time. Therefore, in order to facilitate identification and detect multiple identities, the alert should, where such information is available, include a reference to the personal identification document of the individual concerned or its number and a copy, if possible in colour, of the document.

(17)

Competent authorities should be able, where strictly necessary, to enter into SIS specific information relating to any specific, objective, physical characteristics of a person which are not subject to change, such as tattoos, marks or scars.

(18)

Where available, all the relevant data, in particular the forename of the individual concerned, should be inserted when creating an alert, in order to minimise the risk of false hits and unnecessary operational activities.

(19)

SIS should not store any data used to carry out searches with the exception of keeping logs to verify whether the search is lawful, for monitoring the lawfulness of data processing, for self-monitoring and for ensuring the proper functioning of the national systems as well as for data integrity and security.

(20)

SIS should permit the processing of biometric data in order to assist in the reliable identification of the individuals concerned. Any entry of photographs, facial images or dactyloscopic data into SIS and any use of such data should be limited to what is necessary for the objectives pursued, should be authorised by Union law, should respect fundamental rights, including the best interests of the child, and should be in accordance with Union law on data protection, including the relevant provisions on data protection laid down in this Regulation. In the same perspective, in order to avoid inconveniences caused by misidentification, SIS should also allow for the processing of data concerning individuals whose identity has been misused, subject to suitable safeguards, to obtaining the consent of the individual concerned for each data category, in particular palm prints, and to a strict limitation of the purposes for which such personal data can be lawfully processed.

(21)

Member States should make the necessary technical arrangements so that each time end-users are entitled to carry out a search in a national police or immigration database, they also search SIS in parallel, subject to the principles set out in Article 4 of Directive (EU) 2016/680 of the European Parliament and of the Council (9) and Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council (10). This should ensure that SIS functions as the main compensatory measure in the area without internal border controls and better addresses the cross-border dimension of criminality and the mobility of criminals.

(22)

This Regulation should set out the conditions for use of dactyloscopic data, photographs and facial images for identification and verification purposes. Facial images and photographs should, for identification purposes, initially be used only in the context of regular border crossing points. Such use should be subject to a report by the Commission confirming the availability, reliability and readiness of the technology.

(23)

The introduction of an automated fingerprint identification service within SIS complements the existing Prüm mechanism on mutual cross-border online access to designated national DNA databases and automated fingerprint identification systems, as set out in Council Decisions 2008/615/JHA (11) and 2008/616/JHA (12). The SIS dactyloscopic data search allows an active search for the perpetrator. Therefore, it should be possible to upload the dactyloscopic data of an unknown perpetrator into SIS, provided that the owner of that data can be identified with a very high degree of probability as the perpetrator of a serious crime or act of terrorism. This is in particular the case if dactyloscopic data are found on the weapon or on any object used for the offence. The mere presence of the dactyloscopic data at the crime scene should not be considered as indicating a very high degree of probability that the dactyloscopic data are those of the perpetrator. A further precondition for the creation of such an alert should be that the identity of the suspect cannot be established on the basis of data from any other relevant national, Union or international database. Should a dactyloscopic data search lead to a potential match, the Member State should carry out further checks with the involvement of experts to establish whether the suspect is the owner of the prints stored in SIS, and should establish the identity of the person. The procedure should be subject to national law. Such identification could substantially contribute to the investigation and could lead to an arrest provided that all the conditions for an arrest are met.

(24)

It should be allowed to search dactyloscopic data stored in SIS with complete or incomplete sets of fingerprints or palm prints found at a crime scene if it can be established to a high degree of probability that they belong to the perpetrator of the serious crime or terrorist offence, provided that a search is carried out simultaneously in the relevant national fingerprint databases. Particular attention should be given to the establishment of quality standards applicable to the storage of biometric data, including latent dactyloscopic data.

(25)

Wherever the identity of a person cannot be ascertained by any other means, dactyloscopic data should be used to attempt identification. It should be allowed in all cases to identify a person by using dactyloscopic data.

(26)

It should be possible to add a DNA profile to an alert in clearly defined cases where dactyloscopic data are not available. That DNA profile should only be accessible to authorised users. DNA profiles should facilitate the identification of missing persons in need of protection and particularly missing children, including by allowing the use of DNA profiles of direct ascendants, descendants or siblings to enable identification. DNA data should contain only the minimum information necessary for identification of the missing person.

(27)

DNA profiles should only be retrieved from SIS where identification is necessary and proportionate for the purposes laid down in this Regulation. DNA profiles should not be retrieved or processed for any other purpose than those for which they were entered into SIS. The data protection and security rules laid down in this Regulation should apply. Additional safeguards, if necessary, should be put in place when using DNA profiles in order to avoid any risk of false matches, hacking and unauthorised sharing with third parties.

(28)

SIS should contain alerts on persons wanted for arrest for surrender purposes and wanted for arrest for extradition purposes. In addition to alerts, it is appropriate to provide for the exchange of supplementary information through the SIRENE Bureaux which is necessary for the surrender and extradition procedures. In particular, data referred to in Article 8 of Council Framework Decision 2002/584/JHA (13) should be processed in SIS. Due to operational reasons, it is appropriate for the issuing Member State to make an existing alert for arrest temporarily unavailable upon the authorisation of the judicial authorities when a person who is the subject of a European Arrest Warrant is intensively and actively searched and end-users not involved in the concrete search operation may jeopardise the successful outcome. The temporary unavailability of such alerts should in principle not exceed 48 hours.

(29)

It should be possible to add to SIS a translation of the additional data entered for the purpose of surrender under the European Arrest Warrant and for the purpose of extradition.

(30)

SIS should contain alerts on missing persons or on vulnerable persons who need to be prevented from travelling to ensure their protection or to prevent threats to public security or to public order. In the case of children, these alerts and the corresponding procedures should serve the best interests of the child in accordance with Article 24 of the Charter of Fundamental Rights of the European Union and Article 3 of the United Nations Convention on the Rights of the Child of 20 November 1989. Actions and decisions by the competent authorities, including judicial authorities, following an alert on a child should be taken in cooperation with child protection authorities. The national hotline for missing children should be informed, where appropriate.

(31)

Alerts on missing persons who need to be placed under protection should be entered at the request of the competent authority. All children who have gone missing from Member States' reception facilities should be the subject of an alert on missing persons in SIS.

(32)

Alerts on children at risk of parental child abduction should be entered into SIS at the request of competent authorities, including judicial authorities having jurisdiction in matters of parental responsibility under national law. Alerts on children at risk of parental child abduction should only be entered in SIS where this risk is concrete and apparent and in limited circumstances. Therefore it is necessary to provide for strict and appropriate safeguards. In assessing whether a concrete and apparent risk exists that a child may be imminently and unlawfully removed from a Member State, the competent authority should take into account the child's personal circumstances and the environment to which the child is exposed.

(33)

This Regulation should establish a new category of alerts for certain categories of vulnerable persons who need to be prevented from travelling. Persons who, due to their age, disabilities, or their family circumstances require protection should be considered vulnerable.

(34)

Alerts on children who need to be prevented from travelling for their own protection should be entered into SIS if there is a concrete and apparent risk of them being removed from or leaving the territory of a Member State. Such alerts should be entered if the travel would put them at risk of becoming victims of trafficking in human beings or of forced marriage, female genital mutilation or other forms of gender-based violence, of becoming victims or being involved in terrorist offences, of being conscripted or enlisted into armed groups, or of being made to participate actively in hostilities.

(35)

Alerts on vulnerable adults who need to be prevented from travelling for their own protection should be entered if travel would put them at risk of becoming victims of trafficking in human beings or gender-based violence.

(36)

In order to guarantee strict and appropriate safeguards, alerts on children or other vulnerable persons who need to be prevented from travelling should, where required under national law, be entered into SIS following a decision by a judicial authority or a decision by a competent authority confirmed by a judicial authority.

(37)

A new action to be taken should be introduced to allow a person to be stopped and interviewed in order for the issuing Member State to obtain detailed information. This action should apply in cases where, based on a clear indication, a person is suspected of intending to commit or of committing any of the offences referred to in Article 2(1) and (2) of Framework Decision 2002/584/JHA, where further information is needed to execute a custodial sentence or detention order against a person convicted of any of the offences referred to in Article 2(1) and (2) of Framework Decision 2002/584/JHA, or where there is a reason to believe that he or she will commit any of those offences. This action to be taken should also be without prejudice to existing mutual legal assistance mechanisms. It should supply sufficient information to decide upon further actions. This new action should not amount to searching the person nor to his or her arrest. The procedural rights of suspects and accused persons under Union and national law should be preserved, including their right to have access to a lawyer in accordance with Directive 2013/48/EU of the European Parliament and of the Council (14).

(38)

In the case of alerts on objects for seizure or use as evidence in criminal proceedings, the objects concerned should be seized in accordance with national law that determines if and in accordance with which conditions an object is to be seized, particularly if it is in the possession of its rightful owner.

(39)

SIS should contain new categories of objects of high value, such as items of information technology which can be identified and searched with a unique identification number.

(40)

As regards alerts entered into SIS on documents for seizure or use as evidence in criminal proceedings, the term ‘false’ should be construed as encompassing both forged and counterfeit documents.

(41)

It should be possible for a Member State to add an indication, called a flag, to an alert, to the effect that the action to be taken on the basis of the alert will not be taken on its territory. When alerts are entered for arrest for surrender purposes, nothing in this Regulation should be construed so as to derogate from or prevent the application of the provisions contained in the Framework Decision 2002/584/JHA. The decision to add a flag to an alert with a view to the non-execution of a European Arrest Warrant should be based only on the grounds for refusal contained in that Framework Decision.

(42)

When a flag has been added and the whereabouts of the person wanted for arrest for surrender become known, the person's whereabouts should always be communicated to the issuing judicial authority, which may decide to transmit a European Arrest Warrant to the competent judicial authority in accordance with the provisions of the Framework Decision 2002/584/JHA.

(43)

It should be possible for Member States to establish links between alerts in SIS. The establishment of links between two or more alerts should have no impact on the action to be taken, the review period for alerts or the access rights to the alerts.

(44)

Alerts should not be kept in SIS longer than the time required to fulfil the specific purposes for which they were entered. The review periods for different categories of alerts should be appropriate in light of their purpose. Alerts on objects which are linked to an alert on a person should only be kept for as long as the alert on the person is kept. Decisions to retain alerts on persons should be based on a comprehensive individual assessment. Member States should review alerts on persons and objects within the prescribed review periods and should keep statistics on the number of alerts for which the retention period has been extended.

(45)

Entering an alert into SIS and extending the expiry date of an alert in SIS should be subject to a proportionality requirement involving examination of whether a concrete case is adequate, relevant and important enough to warrant insertion of an alert in SIS. Where terrorist offences are concerned, the case should be considered adequate, relevant and important enough to warrant an alert in SIS. For public or national security reasons, Member States should be allowed exceptionally to refrain from entering an alert into SIS when it is likely that this would obstruct official or legal inquiries, investigations or procedures.

(46)

It is necessary to establish rules concerning the deletion of alerts. An alert should be kept only for the time required to achieve the purpose for which it was entered. Considering the diverging practices of Member States in determining the point in time when an alert has fulfilled its purpose, it is appropriate to set out detailed criteria for each category of alert to determine when it should be deleted.

(47)

The integrity of SIS data is of primary importance. Therefore, appropriate safeguards should be provided to process SIS data at central as well as at national level to ensure the end-to-end security of the data. The authorities involved in the data processing should be bound by the security requirements of this Regulation and be subject to a uniform incident reporting procedure. Their staff should be appropriately trained and be informed of any offences and penalties in this respect.

(48)

Data processed in SIS and the related supplementary information exchanged pursuant to this Regulation should not be transferred or made available to third countries or to international organisations.

(49)

It is appropriate to grant access to SIS to services responsible for registering vehicles, boats and aircraft in order to allow them to verify whether the conveyance concerned is being searched for in Member States for seizure. It is also appropriate to grant access to SIS to services responsible for registering firearms in order to allow them to verify whether the firearm concerned is being searched for in Member States for seizure or whether there is an alert on the person requesting the registration.

(50)

Direct access to SIS should only be provided to competent government services. This access should be limited to alerts concerning the respective conveyances and their registration document or number plate or firearms and persons requesting the registration. Any hit in SIS should be reported by such services to the police authorities, who should take further action in line with the particular alert in SIS and notify the issuing Member State of the hit through the SIRENE Bureaux.

(51)

Without prejudice to more specific rules laid down in this Regulation, the national laws, regulations and administrative provisions adopted pursuant to Directive (EU) 2016/680 should apply to the processing, including collection and communication of personal data under this Regulation by the national competent authorities for the purposes of the prevention, detection, investigation or prosecution of terrorist offences or other serious criminal offences or the execution of criminal penalties. Access to data entered into SIS and the right to search such data by national competent authorities which are responsible for the prevention, detection, investigation or prosecution of terrorist offences or other serious criminal offences or the execution of criminal penalties are to be subject to all relevant provisions of this Regulation and those of Directive (EU) 2016/680 as transposed into national law, and in particular to monitoring by the supervisory authorities referred to in Directive (EU) 2016/680.

(52)

Without prejudice to more specific rules laid down in this Regulation for the processing of personal data, Regulation (EU) 2016/679 should apply to the processing of personal data by the Member States under this Regulation unless such processing is carried out by the national competent authorities for the purposes of the prevention, investigation, detection or prosecution of terrorist offences or of other serious criminal offences.

(53)

Regulation (EU) 2018/1725 of the European Parliament and of the Council (15) should apply to the processing of personal data by the institutions and bodies of the Union when carrying out their responsibilities under this Regulation.

(54)

Regulation (EU) 2016/794 of the European Parliament and of the Council (16) should apply to the processing of personal data by Europol under this Regulation.

(55)

In cases when searches carried out in SIS by national members of Eurojust and their assistants reveal the existence of an alert entered by a Member State, Eurojust cannot take the requested action. Therefore, it should inform the Member State concerned to allow it to follow up the case.

(56)

When using SIS, the competent authorities should ensure that the dignity and integrity of the person whose data are processed are respected. Processing of personal data for the purposes of this Regulation is not to result in discrimination against persons on any grounds, such as sex, racial or ethnic origin, religion or belief, disability, age or sexual orientation.

(57)

Insofar as confidentiality is concerned, the relevant provisions of the Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (17) (‘Staff Regulations’) should apply to officials or other servants employed and working in connection with SIS.

(58)

Both the Member States and eu-LISA should maintain security plans in order to facilitate the implementation of security obligations and should cooperate with each other in order to address security issues from a common perspective.

(59)

The national independent supervisory authorities referred to in Regulation (EU) 2016/679 and Directive (EU) 2016/680 (‘supervisory authorities’) should monitor the lawfulness of the processing of personal data by the Member States under this Regulation, including the exchange of supplementary information. The supervisory authorities should be granted sufficient resources to carry out this task. The rights of data subjects to access, rectify and erase their personal data that is stored in SIS, and any subsequent remedies before national courts as well as the mutual recognition of judgments should be provided for. It is also appropriate to require annual statistics from Member States.

(60)

The supervisory authorities should ensure that an audit of the data processing operations in their Member State's national systems is carried out in accordance with international auditing standards at least every four years. The audit should either be carried out by the supervisory authorities, or the supervisory authorities should directly order the audit from an independent data protection auditor. The independent auditor should remain under the control and responsibility of the supervisory authorities concerned which therefore should instruct the auditor themselves and provide a clearly defined purpose, scope and methodology for the audit as well as guidance and supervision concerning the audit and its final results.

(61)

The European Data Protection Supervisor should monitor the activities of the Union institutions and bodies in relation to the processing of personal data under this Regulation. The European Data Protection Supervisor and the supervisory authorities should cooperate with each other in monitoring SIS.

(62)

The European Data Protection Supervisor should be granted sufficient resources to fulfil the tasks entrusted to it under this Regulation, including assistance from persons with expertise in biometric data.

(63)

Regulation (EU) 2016/794 provides that Europol is to support and strengthens actions carried out by the national competent authorities and their cooperation in combating terrorism and serious crime and to provide analysis and threat assessments. The extension of Europol's access rights to alerts on missing persons should further improve Europol's capacity to provide national law enforcement authorities with comprehensive operational and analytical products concerning trafficking in human beings and child sexual exploitation, including online. This would contribute to better prevention of those criminal offences, to the protection of potential victims and to the investigation of perpetrators. Europol's European Cybercrime Centre would also benefit from Europol having access to alerts on missing persons, including in cases of travelling sex offenders and child sexual abuse online, where perpetrators often claim that they have access to children or can get access to children who might have been registered as missing.

(64)

In order to bridge the gap in information sharing on terrorism, in particular on foreign terrorist fighters — where monitoring of their movement is crucial — Member States are encouraged to share information on terrorism-related activity with Europol. This information sharing should be carried out through the exchange of supplementary information with Europol on the alerts concerned. For this purpose Europol should set up a connection with the Communication Infrastructure.

(65)

It is also necessary to set out clear rules for Europol on the processing and downloading of SIS data to allow it to use SIS comprehensively, provided that data protection standards are complied with as provided for in this Regulation and Regulation (EU) 2016/794. In cases where searches carried out by Europol in SIS reveal the existence of an alert entered by a Member State, Europol cannot take the required action. Therefore it should inform the Member State concerned through the exchange of supplementary information with the respective SIRENE Bureau, to allow that Member State to follow up the case.

(66)

Regulation (EU) 2016/1624 of the European Parliament and of the Council (18) provides for the purpose of that Regulation, that the host Member State is to authorise the members of the teams referred to in point (8) of Article 2 of that Regulation, deployed by the European Border and Coast Guard Agency to consult Union databases where this consultation is necessary for fulfilling operational aims specified in the operational plan on border checks, border surveillance and return. Other relevant Union agencies, in particular the European Asylum Support Office and Europol, may also deploy experts who are not members of the staff of those Union agencies as part of migration management support teams. The objective of the deployment of the teams referred to in points (8) and (9) of Article 2 of that Regulation is to provide technical and operational reinforcement to the requesting Member States, especially to those facing disproportionate migratory challenges. For the teams referred to in points (8) and (9) of Article 2 of that Regulation to fulfil their tasks, they require access to SIS through a technical interface of the European Border and Coast Guard Agency connecting to Central SIS. In cases where searches in SIS carried out by the teams referred to in points (8) and (9) of Article 2 of Regulation (EU) 2016/1624 or by the teams of staff reveal the existence of an alert entered by a Member State, the member of the team or the staff cannot take the required action unless authorised to do so by the host Member State. Therefore, the host Member State should be informed to allow it to follow up the case. The host Member State should notify the issuing Member State of the hit through the exchange of supplementary information.

(67)

Certain aspects of SIS cannot be covered exhaustively by this Regulation given their technical, highly detailed and frequently changing nature. Those aspects include, for example, technical rules on entering data, on updating, deleting and searching data and on data quality and rules related to biometric data rules on the compatibility and order of priority of alerts, on links between alerts, setting the expiry date of alerts within the maximum time limit and on the exchange of supplementary information. Implementing powers in respect of those aspects should therefore be conferred on the Commission. Technical rules on searching alerts should take into account the smooth operation of national applications.

(68)

In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (19). The procedure for adopting implementing acts under this Regulation and Regulation (EU) 2018/1861 should be the same.

(69)

In order to ensure transparency, two years after the start of operations of SIS pursuant to this Regulation, eu-LISA should produce a report on the technical functioning of Central SIS and the Communication Infrastructure, including their security, and on the bilateral and multilateral exchange of supplementary information. An overall evaluation should be issued by the Commission every four years.

(70)

In order to ensure the smooth functioning of SIS, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of new sub-categories of objects to be sought under alerts on objects for seizure or used as evidence in criminal proceedings, and the determination of the circumstances in which photographs and facial images may be used for the identification of persons other than in the context of regular border crossing points. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (20). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

(71)

Since the objectives of this Regulation, namely the establishment and regulation of a Union information system and the exchange of related supplementary information, cannot be sufficiently achieved by the Member States, but can rather, by reason of their nature be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity, as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.

(72)

This Regulation respects fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union. In particular, this Regulation fully respects the protection of personal data in accordance with Article 8 of the Charter of Fundamental Rights of the European Union while seeking to ensure a safe environment for all persons residing on the territory of the Union and special protection for children who could be victim of trafficking or abduction. In cases concerning children, the best interests of the child should be a primary consideration.

(73)

In accordance with Articles 1 and 2 of Protocol No 22 on the Position of Denmark annexed to the TEU and to the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application. Given that this Regulation builds upon the Schengen acquis, Denmark shall, in accordance with Article 4 of that Protocol, decide within a period of six months after the Council has decided on this Regulation whether it will implement it in its national law.

(74)

The United Kingdom is taking part in this Regulation in accordance with Article 5(1) of Protocol No 19 on the Schengen acquis integrated into the framework of the European Union annexed to the TEU and to the TFEU and Article 8(2) of Council Decision 2000/365/EC (21).

(75)

Ireland is taking part in this Regulation in accordance with Article 5(1) of Protocol No 19 annexed to the TEU and to the TFEU and Article 6(2) of Council Decision 2002/192/EC (22).

(76)

As regards Iceland and Norway, this Regulation constitutes a development of provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the latters' association with the implementation, application and development of the Schengen acquis (23), which fall within the area referred to in Article 1, point (G) of Council Decision 1999/437/EC (24).

(77)

As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis (25), which fall within the area referred to in Article 1, point (G), of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/149/JHA (26).

(78)

As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis (27), which fall within the area referred to in Article 1, point (G), of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/349/EU (28).

(79)

As regards Bulgaria and Romania, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 4(2) of the 2005 Act of Accession and should be read in conjunction with Council Decisions 2010/365/EU (29) and (EU) 2018/934 (30).

(80)

As regards Croatia, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 4(2) of the 2011 Act of Accession and should be read in conjunction with Council Decision (EU) 2017/733 (31).

(81)

Concerning Cyprus this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 3(2) of the 2003 Act of Accession.

(82)

This Regulation should apply to Ireland on dates determined in accordance with the procedures set out in the relevant instruments concerning the application of the Schengen acquis to this State.

(83)

This Regulation introduces a series of improvements to SIS which will increase its effectiveness, strengthen data protection and extend access rights. Certain of those improvements do not require complex technical developments, while others do require technical changes of varying magnitude. In order to enable improvements to the system to become available to end-users as soon as possible, this Regulation introduces amendments to Decision 2007/533/JHA in several phases. A number of improvements to the system should apply immediately upon entry into force of this Regulation, whereas others should apply either one or two years after its entry into force. This Regulation should apply in its entirety within three years after its entry into force. In order to avoid delays in its application the phased implementation of this Regulation should be closely monitored.

(84)

Regulation (EC) No 1986/2006 of the European Parliament and of the Council (32), Decision 2007/533/JHA and Commission Decision 2010/261/EU (33) should be repealed with effect from the date of full application of this Regulation.

(85)

The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 of the European Parliament and of the Council (34) and delivered an opinion on 3 May 2017,

HAVE ADOPTED THIS REGULATION:

CHAPTER I

General provisions

Article 1

General purpose of SIS

The purpose of SIS shall be to ensure a high level of security within the area of freedom, security and justice of the Union including the maintenance of public security and public policy and the safeguarding of security in the territories of the Member States, and to ensure the application of the provisions of Chapter 4 and Chapter 5 of Title V of Part Three TFEU relating to the movement of persons on their territories, using information communicated through this system.

Article 2

Subject matter

1.   This Regulation establishes the conditions and procedures for the entry and processing of alerts in SIS on persons and objects and for the exchange of supplementary information and additional data for the purpose of police and judicial cooperation in criminal matters.

2.   This Regulation also lays down provisions on the technical architecture of SIS, on the responsibilities of the Member States and of the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), on data processing, on the rights of the persons concerned and on liability.

Article 3

Definitions

For the purposes of this Regulation, the following definitions apply:

(1)

‘alert’ means a set of data entered into SIS allowing the competent authorities to identify a person or an object with a view to taking specific action;

(2)

‘supplementary information’ means information not forming part of the alert data stored in SIS, but connected to alerts in SIS, which is to be exchanged through the SIRENE Bureaux:

(a)

in order to allow Member States to consult or inform each other when entering an alert;

(b)

following a hit in order to allow the appropriate action to be taken;

(c)

when the required action cannot be taken;

(d)

when dealing with the quality of SIS data;

(e)

when dealing with the compatibility and priority of alerts;

(f)

when dealing with rights of access;

(3)

‘additional data’ means the data stored in SIS and connected with alerts in SIS which are to be immediately available to the competent authorities where a person in respect of whom data has been entered in SIS is located as a result of conducting a search in SIS;

(4)

‘personal data’ means personal data as defined in point 1 of Article 4 of Regulation (EU) 2016/679;

(5)

‘processing of personal data’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, logging, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(6)

a ‘match’ means the occurrence of the following steps:

(a)

a search has been conducted in SIS by an end-user;

(b)

that search has revealed an alert entered into SIS by another Member State; and

(c)

data concerning the alert in SIS match the search data;

(7)

a ‘hit’ means any match which fulfils the following criteria:

(a)

it has been confirmed by:

(i)

the end-user; or

(ii)

the competent authority in accordance with national procedures, where the match concerned was based on the comparison of biometric data;

and

(b)

further actions are requested;

(8)

‘flag’ means a suspension of the validity of an alert at the national level that may be added to alerts for arrest, alerts on missing and vulnerable persons and alerts for discreet, inquiry and specific checks;

(9)

‘issuing Member State’ means the Member State which entered the alert into SIS;

(10)

‘executing Member State’ means the Member State which takes or has taken the required actions following a hit;

(11)

‘end-user’ means a member of staff of a competent authority authorised to search directly CS-SIS, N.SIS or a technical copy thereof;

(12)

‘biometric data’ means personal data resulting from specific technical processing relating to the physical or physiological characteristics of a natural person, which allow or confirm the unique identification of that natural person, namely photographs, facial images, dactyloscopic data and DNA profile;

(13)

‘dactyloscopic data’ means data on fingerprints and palm prints which due to their unique character and the reference points contained therein enable accurate and conclusive comparisons on a person's identity;

(14)

‘facial image’ means digital images of the face with sufficient image resolution and quality to be used in automated biometric matching;

(15)

‘DNA profile’ means a letter or number code which represents a set of identification characteristics of the noncoding part of an analysed human DNA sample, namely the particular molecular structure at the various DNA locations (loci);

(16)

‘terrorist offences’ means offences under national law referred to in Articles 3 to 14 of Directive (EU) 2017/541 of the European Parliament and of the Council (35), or equivalent to one of those offences for the Member States which are not bound by that Directive;

(17)

‘threat to public health’ means a threat to public health as defined in point (21) of Article 2 of Regulation (EU) 2016/399 of the European Parliament and of the Council (36).

Article 4

Technical architecture and ways of operating SIS

1.   SIS shall be composed of:

(a)

a central system (Central SIS) composed of:

(i)

a technical support function (‘CS-SIS’) containing a database (the ‘SIS database’), and including a backup CS-SIS;

(ii)

a uniform national interface (‘NI-SIS’);

(b)

a national system (N.SIS) in each of the Member States, consisting of the national data systems which communicate with Central SIS, including at least one national or shared backup N.SIS; and

(c)

a communication infrastructure between CS-SIS, backup CS-SIS and NI-SIS (‘the Communication Infrastructure’) that provides an encrypted virtual network dedicated to SIS data and the exchange of data between SIRENE Bureaux, as referred to in Article 7(2).

An N.SIS as referred to in point (b) may contain a data file (a ‘national copy’) containing a complete or partial copy of the SIS database. Two or more Member States may establish in one of their N.SIS a shared copy which may be used jointly by those Member States. Such shared copy shall be considered as the national copy of each of those Member States.

A shared backup N.SIS as referred to in point (b) may be used jointly by two or more Member States. In such cases, the shared backup N.SIS shall be considered as the backup N.SIS of each of those Member States. The N.SIS and its backup may be used simultaneously to ensure uninterrupted availability to end-users.

Member States intending to establish a shared copy or shared backup N.SIS to be used jointly shall agree their respective responsibilities in writing. They shall notify their arrangement to the Commission.

The Communication Infrastructure shall support and contribute to ensuring the uninterrupted availability of SIS. It shall include redundant and separated paths for the connections between CS-SIS and the backup CS-SIS and shall also include redundant and separated paths for the connections between each SIS national network access point and CS-SIS and backup CS-SIS.

2.   Member States shall enter, update, delete and search SIS data through their own N.SIS. The Member States using a partial or a complete national copy or a partial or complete shared copy shall make that copy available for the purpose of carrying out automated searches in the territory of each of those Member States. The partial national or shared copy shall contain at least the data listed in points (a) to (v) of Article 20 (3). It shall not be possible to search the data files of other Member States' N.SIS except in the case of shared copies.

3.   CS-SIS shall perform technical supervision and administration functions and have a backup CS-SIS, capable of ensuring all functionalities of the principal CS-SIS in the event of failure of that system. CS-SIS and the backup CS-SIS shall be located in the two technical sites of eu-LISA.

4.   eu-LISA shall implement technical solutions to reinforce the uninterrupted availability of SIS either through the simultaneous operation of CS-SIS and the backup CS-SIS, provided that the backup CS-SIS remains capable of ensuring the operation of SIS in the event of a failure of CS-SIS, or through duplication of the system or its components. Notwithstanding the procedural requirements laid down in Article 10 of Regulation (EU) 2018/1726 eu-LISA shall no later than 28 December 2019, prepare a study on the options for technical solutions, containing an independent impact assessment and cost-benefit analysis.

5.   Where necessary in exceptional circumstances, eu-LISA may temporarily develop an additional copy of the SIS database.

6.   CS-SIS shall provide the services necessary for the entry and processing of SIS data, including searches in the SIS database. For the Member States which use a national or shared copy, CS-SIS shall:

(a)

provide online updates for the national copies;

(b)

ensure synchronisation of and consistency between the national copies and the SIS database; and

(c)

provide the operation for initialisation and restoration of the national copies.

7.   CS-SIS shall provide uninterrupted availability.

Article 5

Costs

1.   The costs of operating, maintaining and further developing Central SIS and the Communication Infrastructure shall be borne by the general budget of the Union. Those costs shall include work done with respect to CS-SIS, in order to ensure the provision of the services referred to in Article 4(6).

2.   The costs of setting up, operating, maintaining and further developing each N.SIS shall be borne by the Member State concerned.

CHAPTER II

Responsibilities of the Member States

Article 6

National systems

Each Member State shall be responsible for setting up, operating, maintaining and further developing its N.SIS and connecting it to NI-SIS.

Each Member State shall be responsible for ensuring the uninterrupted availability of SIS data to end-users.

Each Member State shall transmit its alerts through its N.SIS.

Article 7

N.SIS Office and SIRENE Bureau

1.   Each Member State shall designate an authority (the N.SIS Office), which shall have central responsibility for its N.SIS.

That authority shall be responsible for the smooth operation and security of the N.SIS, shall ensure the access of the competent authorities to SIS and shall take the necessary measures to ensure compliance with this Regulation. It shall be responsible for ensuring that all functionalities of SIS are made available to the end users appropriately.

2.   Each Member State shall designate a national authority which shall be operational 24 hours a day, 7 days a week and which shall ensure the exchange and availability of all supplementary information (the SIRENE Bureau) in accordance with the SIRENE Manual. Each SIRENE Bureau shall serve as a single contact point for its Member State to exchange supplementary information regarding alerts and to facilitate the requested actions to be taken when alerts on persons or objects have been entered in SIS and those persons or objects are located following a hit.

Each SIRENE Bureau shall, in accordance with national law, have easy direct or indirect access to all relevant national information, including national databases and all information on its Member States' alerts, and to expert advice, in order to be able to react to requests for supplementary information swiftly and within the deadlines provided for in Article 8.

The SIRENE Bureaux shall coordinate the verification of the quality of the information entered in SIS. For those purposes they shall have access to data processed in SIS.

3.   The Member States shall provide eu-LISA with details of their N.SIS Office and of their SIRENE Bureau. eu-LISA shall publish the list of the N.SIS Offices and the SIRENE Bureaux together with the list referred to in Article 56(7).

Article 8

Exchange of supplementary information

1.   Supplementary information shall be exchanged in accordance with the provisions of the SIRENE Manual and using the Communication Infrastructure. Member States shall provide the necessary technical and human resources to ensure the continuous availability and timely and effective exchange of supplementary information. In the event that the Communication Infrastructure is unavailable, Member States shall use other adequately secured technical means to exchange supplementary information. A list of adequately secured technical means shall be laid down in the SIRENE Manual.

2.   Supplementary information shall be used only for the purpose for which it was transmitted in accordance with Article 64 unless prior consent for another use is obtained from the issuing Member State.

3.   The SIRENE Bureaux shall carry out their tasks in a quick and efficient manner, in particular by replying to a request for supplementary information as soon as possible but not later than 12 hours after the receipt of the request. In case of alerts for terrorist offences, of alerts on persons wanted for arrest for surrender or extradition purposes, and in cases of alerts on children referred to in point (c) of Article 32(1) the SIRENE Bureaux shall act immediately.

Requests for supplementary information with the highest priority shall be marked ‘URGENT’ in the SIRENE forms, and the reason for the urgency shall be specified.

4.   The Commission shall adopt implementing acts to lay down detailed rules for the tasks of the SIRENE Bureaux pursuant to this Regulation and the exchange of supplementary information in the form of a manual entitled the ‘SIRENE Manual’. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 9

Technical and functional compliance

1.   When setting up its N.SIS, each Member State shall comply with common standards, protocols and technical procedures established to ensure the compatibility of its N.-SIS with Central SIS for the prompt and effective transmission of data.

2.   If a Member State uses a national copy, it shall ensure, by means of the services provided by CS-SIS and by means of automatic updates referred to in Article 4(6), that the data stored in the national copy are identical to and consistent with the SIS database and that a search in its national copy produces a result equivalent to that of a search in the SIS database.

3.   End-users shall receive the data required to perform their tasks, in particular, and where necessary, all the available data allowing for the identification of the data subject and for the requested action to be taken.

4.   Member States and eu-LISA shall undertake regular tests to verify the technical compliance of the national copies referred to in paragraph 2. The results of those tests shall be taken into consideration as part of the mechanism established by Council Regulation (EU) No 1053/2013 (37).

5.   The Commission shall adopt implementing acts to lay down and develop common standards, protocols and technical procedures, referred to in paragraph 1 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 10

Security — Member States

1.   Each Member State shall, in relation to its N.SIS, adopt the necessary measures, including a security plan, a business continuity plan and a disaster recovery plan, in order to:

(a)

physically protect data, including by making contingency plans for the protection of critical infrastructure;

(b)

deny unauthorised persons access to data-processing facilities used for processing personal data (facilities access control);

(c)

prevent the unauthorised reading, copying, modification or removal of data media (data media control);

(d)

prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);

(e)

prevent the use of automated data-processing systems by unauthorised persons using data communication equipment (user control);

(f)

prevent the unauthorised processing of data in SIS and any unauthorised modification or erasure of data processed in SIS (control of data entry);

(g)

ensure that persons authorised to use an automated data-processing system have access only to the data covered by their access authorisation, by means of individual and unique user identifiers and confidential access modes only (data access control);

(h)

ensure that all authorities with a right of access to SIS or to the data processing facilities create profiles describing the functions and responsibilities of persons who are authorised to access, enter, update, delete and search the data and make those profiles available to the supervisory authorities referred to in Article 69(1) without delay upon their request (personnel profiles);

(i)

ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);

(j)

ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems, when, by whom and for what purpose (input control);

(k)

prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data or during the transport of data media, in particular by means of appropriate encryption techniques (transport control);

(l)

monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation (self-auditing);

(m)

ensure that, in the event of interruption, installed systems can be restored to normal operation (recovery); and

(n)

ensure that SIS performs its functions correctly, that faults are reported (reliability) and that personal data stored in SIS cannot be corrupted by means of the system malfunctioning (integrity).

2.   Member States shall take measures equivalent to those referred to in paragraph 1 as regards security in respect of the processing and exchange of supplementary information, including by securing the premises of the SIRENE Bureaux.

3.   Member States shall take measures equivalent to those referred to in paragraph 1 of this Article as regards security in respect of the processing of SIS data by the authorities referred to in Article 44.

4.   The measures described in paragraphs 1, 2 and 3 may be part of a generic security approach and plan at national level encompassing multiple IT systems. In such cases, the requirements set out in this Article and their applicability to SIS shall be clearly identifiable in and ensured by that plan.

Article 11

Confidentiality — Member States

1.   Each Member State shall apply its rules of professional secrecy or other equivalent duties of confidentiality to all persons and bodies required to work with SIS data and supplementary information, in accordance with its national law. That obligation shall also apply after those persons leave office or employment or after the termination of the activities of those bodies.

2.   Where a Member State cooperates with external contractors in any SIS-related tasks, it shall closely monitor the activities of the contractor to ensure compliance with all provisions of this Regulation, in particular on security, confidentiality and data protection.

3.   The operational management of N.SIS or of any technical copies shall not be entrusted to private companies or private organisations.

Article 12

Keeping of logs at national level

1.   Member States shall ensure that every access to and all exchanges of personal data within CS-SIS are logged in their N.SIS for the purposes of checking whether the search was lawful, monitoring the lawfulness of data processing, self-monitoring, ensuring the proper functioning of N.SIS, as well as for data integrity and security. This requirement does not apply to the automatic processes referred to in points (a), (b) and (c) of Article 4(6).

2.   The logs shall show, in particular, the history of the alert, the date and time of the data processing activity, the data used to perform a search, a reference to the data processed and the individual and unique user identifiers of both the competent authority and the person processing the data.

3.   By way of derogation from paragraph 2 of this Article, if the search is carried out with dactyloscopic data or a facial image in accordance with Article 43, the logs shall show the type of data used to perform the search instead of the actual data.

4.   The logs shall only be used for the purpose referred to in paragraph 1 and shall be deleted three years after their creation. The logs which include the history of alerts shall be deleted three years after deletion of the alerts.

5.   Logs may be kept for longer than the periods referred to in paragraph 4 if they are required for monitoring procedures that are already underway.

6.   The national competent authorities in charge of checking whether searches are lawful, monitoring the lawfulness of data processing, self-monitoring and ensuring the proper functioning of N.SIS and data integrity and security, shall have access, within the limits of their competence and at their request, to the logs for the purpose of fulfilling their duties.

7.   Where Member States, in accordance with national law, carry out automated scanned searches of the number plates of motor vehicles, using Automatic Number Plate Recognition systems, Member States shall maintain a log of the search in accordance with national law. If necessary, a full search may be carried out in SIS in order to verify whether a hit has been achieved. Paragraphs 1 to 6 shall apply to any full search.

8.   The Commission shall adopt implementing acts to establish the content of the log, referred to in paragraph 7 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 13

Self-monitoring

Member States shall ensure that each authority entitled to access SIS data takes the measures necessary to comply with this Regulation and cooperates, where necessary, with the supervisory authority.

Article 14

Staff training

1.   Before being authorised to process data stored in SIS and periodically after access to SIS data has been granted, the staff of the authorities having a right to access SIS shall receive appropriate training on data security, on fundamental rights including data -protection, and on the rules and procedures for data processing set out in the SIRENE Manual. The staff shall be informed of any relevant provisions on criminal offences and penalties, including those provided for in Article 73.

2.   Member States shall have a national SIS training programme which shall include training for end-users as well as the staff of the SIRENE Bureaux.

That training programme may be part of a general training programme at national level encompassing training in other relevant areas.

3.   Common training courses shall be organised at Union level at least once a year to enhance cooperation between SIRENE Bureaux.

CHAPTER III

Responsibilities of eu-LISA

Article 15

Operational management

1.   eu-LISA shall be responsible for the operational management of Central SIS. eu-LISA shall, in cooperation with the Member States, ensure that at all times the best available technology is used for Central SIS, subject to a cost-benefit analysis.

2.   eu-LISA shall also be responsible for the following tasks relating to the Communication Infrastructure:

(a)

supervision;

(b)

security;

(c)

the coordination of relations between the Member States and the provider;

(d)

tasks relating to implementation of the budget;

(e)

acquisition and renewal; and

(f)

contractual matters.

3.   eu-LISA shall also be responsible for the following tasks relating to the SIRENE Bureaux and communication between the SIRENE Bureaux:

(a)

the coordination, management and support of testing activities;

(b)

the maintenance and updating of technical specifications for the exchange of supplementary information between SIRENE Bureaux and the Communication Infrastructure; and

(c)

managing the impact of technical changes where it affects both SIS and the exchange of supplementary information between SIRENE Bureaux.

4.   eu-LISA shall develop and maintain a mechanism and procedures for carrying out quality checks on the data in CS-SIS. It shall provide regular reports to the Member States in this regard.

eu-LISA shall provide a regular report to the Commission covering the issues encountered and the Member States concerned.

The Commission shall provide the European Parliament and the Council with a regular report on data quality issues that are encountered.

5.   eu-LISA shall also perform tasks related to providing training on the technical use of SIS and on measures for improving the quality of SIS data.

6.   The operational management of Central SIS shall consist of all the tasks necessary to keep Central SIS functioning 24 hours a day, 7 days a week in accordance with this Regulation, in particular the maintenance work and technical developments necessary for the smooth running of the system. Those tasks shall also include the coordination, management and support of testing activities for Central SIS and the N.SIS that ensure that Central SIS and the N.SIS operate in accordance with the requirements for technical and functional compliance set out in Article 9.

7.   The Commission shall adopt implementing acts to set out the technical requirements for the Communication Infrastructure. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 16

Security — eu-LISA

1.   eu-LISA shall adopt the necessary measures, including a security plan, a business continuity plan and a disaster recovery plan for Central SIS and the Communication Infrastructure in order to:

(a)

physically protect data, including by making contingency plans for the protection of critical infrastructure;

(b)

deny unauthorised persons access to data-processing facilities used for processing personal data (facilities access control);

(c)

prevent the unauthorised reading, copying, modification or removal of data media (data media control);

(d)

prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);

(e)

prevent the use of automated data-processing systems by unauthorised persons using data communication equipment (user control);

(f)

prevent the unauthorised processing of data in SIS and any unauthorised modification or erasure of data processed in SIS (control of data entry);

(g)

ensure that persons authorised to use an automated data-processing system have access only to the data covered by their access authorisation by means of individual and unique user identifiers and confidential access modes only (data access control);

(h)

create profiles describing the functions and responsibilities of persons who are authorised to access the data or the data processing facilities and make those profiles available to the European Data Protection Supervisor without delay upon its request (personnel profiles);

(i)

ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);

(j)

ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems, when and by whom (input control);

(k)

prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data or during the transport of data media, in particular by means of appropriate encryption techniques (transport control);

(l)

monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation (self-auditing);

(m)

ensure that, in the event of interrupted operations, installed systems can be restored to normal operation (recovery);

(n)

ensure that SIS performs its functions correctly, that faults are reported (reliability) and that personal data stored in SIS cannot be corrupted by means of the system malfunctioning (integrity); and

(o)

ensure the security of its technical sites.

2.   eu-LISA shall take measures equivalent to those referred to in paragraph 1 as regards security in respect of the processing and exchange of supplementary information through the Communication Infrastructure.

Article 17

Confidentiality — eu-LISA

1.   Without prejudice to Article 17 of the Staff Regulations, eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality of a comparable standard to those laid down in Article 11 of this Regulation to all its staff required to work with SIS data. That obligation shall also apply after those persons leave office or employment or after the termination of their activities.

2.   eu-LISA shall take measures equivalent to those referred to in paragraph 1 as regards confidentiality in respect of the exchange of supplementary information through the Communication Infrastructure.

3.   Where eu-LISA cooperates with external contractors in any SIS-related tasks, it shall closely monitor the activities of the contractor to ensure compliance with all provisions of this Regulation, in particular on security, confidentiality and data protection.

4.   The operational management of CS-SIS shall not be entrusted to private companies or private organisations.

Article 18

Keeping of logs at central level

1.   eu-LISA shall ensure that every access to and all exchanges of personal data within CS-SIS are logged for the purposes stated in Article 12(1).

2.   The logs shall show, in particular, the history of the alert, the date and time of the data processing activity, the data used to perform a search, a reference to the data processed and the individual and unique user identifiers of the competent authority processing the data.

3.   By way of derogation from paragraph 2 of this Article, if the search is carried out with dactyloscopic data or facial images in accordance with Article 43, the logs shall show the type of data used to perform the search instead of the actual data.

4.   The logs shall only be used for the purposes referred to in paragraph 1 and shall be deleted three years after their creation. The logs which include the history of alerts shall be deleted three years after deletion of the alerts.

5.   Logs may be kept longer than the periods referred to in paragraph 4 if they are required for monitoring procedures that are already underway.

6.   For the purposes of self-monitoring and ensuring the proper functioning of CS-SIS, data integrity and security, eu-LISA shall have access to the logs within the limits of its competence.

The European Data Protection Supervisor shall have access to those logs on request, within the limits of its competence and for the purpose of fulfilling its tasks.

CHAPTER IV

Information to the public

Article 19

SIS information campaigns

At the start of the application of this Regulation, the Commission, in cooperation with the supervisory authorities and the European Data Protection Supervisor, shall carry out a campaign informing the public about the objectives of SIS, the data stored in SIS, the authorities having access to SIS and the rights of data subjects. The Commission shall repeat such campaigns regularly, in cooperation with the supervisory authorities and the European Data Protection Supervisor. The Commission shall maintain a website available to the public providing all relevant information concerning SIS. Member States shall, in cooperation with their supervisory authorities, devise and implement the necessary policies to inform their citizens and residents about SIS generally.

CHAPTER V

Categories of data and flagging

Article 20

Categories of data

1.   Without prejudice to Article 8(1) or to the provisions of this Regulation providing for the storage of additional data, SIS shall contain only those categories of data which are supplied by each Member State, as required for the purposes laid down in Articles 26, 32, 34, 36, 38 and 40.

2.   The categories of data shall be as follows:

(a)

information on persons in relation to whom an alert has been entered;

(b)

information on objects referred to in Articles 26, 32, 34, 36 and 38.

3.   Any alert in SIS which includes information on persons shall contain only the following data:

(a)

surnames;

(b)

forenames;

(c)

names at birth;

(d)

previously used names and aliases;

(e)

any specific, objective, physical characteristics not subject to change;

(f)

place of birth;

(g)

date of birth;

(h)

gender;

(i)

any nationalities held;

(j)

whether the person concerned:

(i)

is armed;

(ii)

is violent;

(iii)

has absconded or escaped;

(iv)

poses a risk of suicide;

(v)

poses a threat to public health; or

(vi)

is involved in an activity referred to in Articles 3 to 14 of Directive (EU) 2017/541;

(k)

the reason for the alert;

(l)

the authority which created the alert;

(m)

a reference to the decision giving rise to the alert;

(n)

the action to be taken in the case of a hit;

(o)

links to other alerts pursuant to Article 63;

(p)

the type of offence;

(q)

the person's registration number in a national register;

(r)

for alerts referred to in Article 32(1), a categorisation of the type of case;

(s)

the category of the person's identification documents;

(t)

the country of issue of the person's identification documents;

(u)

the number(s) of the person's identification documents;

(v)

the date of issue of the person's identification documents;

(w)

photographs and facial images;

(x)

in accordance with Article 42(3), relevant DNA profiles;

(y)

dactyloscopic data;

(z)

a copy of the identification documents, in colour wherever possible.

4.   The Commission shall adopt implementing acts to lay down and develop the technical rules necessary for entering, updating, deleting and searching the data referred to in paragraphs 2 and 3 of this Article and the common standards referred to in paragraph 5 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

5.   Technical rules shall be similar for searches in CS-SIS, in national or shared copies and in technical copies made under Article 56(2). They shall be based on common standards.

Article 21

Proportionality

1.   Before entering an alert and when extending the period of validity of an alert, Member States shall determine whether the case is adequate, relevant and important enough to warrant an alert in SIS.

2.   Where a person or an object is sought under an alert related to a terrorist offence, the case shall be considered adequate, relevant and important enough to warrant an alert in SIS. For public or national security reasons, Member States may exceptionally refrain from entering an alert when it is likely to obstruct official or legal inquiries, investigations or procedures.

Article 22

Requirement for an alert to be entered

1.   The minimum set of data necessary in order to enter an alert into SIS shall be the data referred to in points (a), (g), (k) and (n) of Article 20(3), except for in the situations referred to in Article 40. The other data referred to in that paragraph shall also be entered into SIS, if available.

2.   The data referred to in point (e) of Article 20(3) of this Regulation shall only be entered when this is strictly necessary for the identification of the person concerned. When such data are entered, Member States shall ensure that Article 10 of Directive (EU) 2016/680 is complied with.

Article 23

Compatibility of alerts

1.   Before entering an alert, the Member State shall check whether the person or the object concerned is already the subject of an alert in SIS. To check whether the person is already the subject of an alert, a check with dactyloscopic data shall also be carried out if such data are available.

2.   Only one alert per person or per object per Member State shall be entered into SIS. Where necessary, new alerts may be entered on the same person or object by other Member States, in accordance with paragraph 3.

3.   Where a person or an object is already the subject of an alert in SIS, a Member State wishing to enter a new alert shall check that there is no incompatibility between the alerts. If there is no incompatibility, the Member State may enter the new alert. If the alerts are incompatible, the SIRENE Bureaux of the Member States concerned shall consult each other by exchanging supplementary information in order to reach an agreement. Rules on the compatibility of alerts shall be laid down in the SIRENE Manual. Departures from the compatibility rules may be made after consultation between the Member States if essential national interests are at stake.

4.   In the case of hits on multiple alerts on the same person or object, the executing Member State shall observe the priority rules for alerts laid down in the SIRENE Manual.

If a person is subject to multiple alerts entered by different Member States, alerts for arrest entered in accordance with Article 26 shall be executed as a priority, subject to Article 25.

Article 24

General provisions on flagging

1.   Where a Member State considers that to give effect to an alert entered in accordance with Article 26, 32 or 36 is incompatible with its national law, its international obligations or essential national interests, it may require that a flag be added to the alert to the effect that the action to be taken on the basis of the alert will not be taken in its territory. The flag shall be added by the SIRENE Bureau of the issuing Member State.

2.   In order to enable Member States to require that a flag be added to an alert entered in accordance with Article 26, all Member States shall be notified automatically of any new alert of that category through the exchange of supplementary information.

3.   If in particularly urgent and serious cases, an issuing Member State requests the execution of the action, the executing Member State shall examine whether it is able to allow the flag added at its behest to be withdrawn. If the executing Member State is able to do so, it shall take the necessary steps to ensure that the action to be taken can be carried out immediately.

Article 25

Flagging related to alerts for arrest for surrender purposes

1.   Where Framework Decision 2002/584/JHA applies, a Member State shall request the issuing Member State to add a flag preventing arrest as a follow-up to an alert for arrest for surrender purposes where the competent judicial authority under national law for the execution of a European Arrest Warrant has refused its execution on the basis of a ground for non-execution and where the addition of the flag has been required.

A Member State may also require that a flag be added to the alert if its competent judicial authority releases the subject of the alert during the surrender process.

2.   However, at the behest of a competent judicial authority under national law, either on the basis of a general instruction or in a specific case, a Member State may also require the issuing Member State to add a flag to an alert for arrest for surrender purposes if it is obvious that the execution of the European Arrest Warrant will have to be refused.

CHAPTER VI

Alerts on persons wanted for arrest for surrender or extradition purposes

Article 26

Objectives and conditions for entering alerts

1.   Alerts on persons wanted for arrest for surrender purposes on the basis of a European Arrest Warrant, or alerts on persons wanted for arrest for extradition purposes, shall be entered at the request of the judicial authority of the issuing Member State.

2.   Alerts for arrest for surrender purposes shall also be entered on the basis of arrest warrants issued, in accordance with agreements concluded between the Union and third countries on the basis of the Treaties, for the purpose of surrender of persons on the basis of an arrest warrant, which provide for the transmission of such an arrest warrant through SIS.

3.   Any reference in this Regulation to provisions of Framework Decision 2002/584/JHA shall be construed as including the corresponding provisions of agreements concluded between the Union and third countries on the basis of the Treaties, for the purpose of surrender of persons on the basis of an arrest warrant which provide for the transmission of such an arrest warrant through SIS.

4.   In the case of an ongoing operation, the issuing Member State may temporarily make an existing alert for arrest entered in accordance with this Article unavailable for searching by the end-users in the Member States involved in the operation. In such cases the alert shall only be accessible to the SIRENE Bureaux. Member States shall only make an alert unavailable if:

(a)

the purpose of the operation cannot be achieved by other measures;

(b)

a prior authorisation has been granted by the competent judicial authority of the issuing Member State; and

(c)

all Member States involved in the operation have been informed through the exchange of supplementary information.

The functionality provided for in the first subparagraph shall only be used for a period not exceeding 48 hours. However, if operationally necessary, it may be extended by further periods of 48 hours. Member States shall keep statistics on the number of alerts in relation to which this functionality has been used.

5.   Where there is a clear indication that the objects referred to in points (a), (b), (c), (e), (g), (h), (j) and (k) of Article 38(2) are connected with a person who is the subject of an alert pursuant to paragraph 1 and 2 of this Article, alerts on those objects may be entered in order to locate the person. In such cases, the alert on the person and the alert on the object shall be linked in accordance with Article 63.

6.   The Commission shall adopt implementing acts to lay down and develop rules necessary for entering, updating, deleting and searching the data referred to in paragraph 5 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 27

Additional data on persons wanted for arrest for surrender purposes

1.   Where a person is wanted for arrest for surrender purposes on the basis of a European Arrest Warrant, the issuing Member State shall enter into SIS a copy of the original of the European Arrest Warrant.

A Member State may enter the copy of more than one European Arrest Warrant in an alert for arrest for surrender purposes.

2.   The issuing Member State may enter a copy of a translation of the European Arrest Warrant in one or more other official languages of the institutions of the Union.

Article 28

Supplementary information on persons wanted for arrest for surrender purposes

The issuing Member State of an alert for arrest for surrender purposes shall communicate the information referred to in Article 8(1) of Framework Decision 2002/584/JHA to the other Member States through the exchange of supplementary information.

Article 29

Supplementary information on persons wanted for arrest for extradition purposes

1.   The issuing Member State of an alert for extradition purposes shall communicate the following data to all other Member States through the exchange of supplementary information:

(a)

the authority which issued the request for arrest;

(b)

whether there is an arrest warrant or a document having the same legal effect, or an enforceable judgment;

(c)

the nature and legal classification of the offence;

(d)

a description of the circumstances in which the offence was committed, including the time, place and the degree of participation in the offence by the person on whom the alert has been entered;

(e)

insofar as possible, the consequences of the offence; and

(f)

any other information useful or necessary for the execution of the alert.

2.   The data listed in paragraph 1 of this Article shall not be communicated where the data referred to in Article 27 or 28 have already been provided and are considered sufficient for the execution of the alert by the executing Member State.

Article 30

Conversion of an action to be taken concerning alerts for arrest for surrender or extradition purposes

Where an arrest cannot be made, either because the Member State requested to do so refuses to make it in accordance with the procedures on flagging set out in Article 24 or 25, or because, in the case of an alert for arrest for extradition purposes, an investigation has not been completed, the Member State requested to make the arrest shall act on the alert by communicating the whereabouts of the person concerned.

Article 31

Execution of an action based on an alert for arrest for surrender or extradition purposes

1.   An alert entered in SIS in accordance with Article 26 and the additional data referred to in Article 27 shall together constitute and have the same effect as a European Arrest Warrant issued in accordance with Framework Decision 2002/584/JHA where that Framework Decision applies.

2.   Where Framework Decision 2002/584/JHA does not apply, an alert entered in SIS in accordance with Articles 26 and 29 shall have the same legal force as a request for provisional arrest under Article 16 of the European Convention on Extradition of 13 December 1957 or Article 15 of the Benelux Treaty concerning Extradition and Mutual Assistance in Criminal Matters of 27 June 1962.

CHAPTER VII

Alerts on missing persons or vulnerable persons who need to be prevented from travelling

Article 32

Objectives and conditions for entering alerts

1.   Alerts on the following categories of persons shall be entered in SIS at the request of the competent authority of the issuing Member State:

(a)

missing persons who need to be placed under protection:

(i)

for their own protection;

(ii)

in order to prevent a threat to public order or public security;

(b)

missing persons who do not need to be placed under protection;

(c)

children at risk of abduction by a parent, a family member or a guardian, who need to be prevented from travelling;

(d)

children who need to be prevented from travelling owing to a concrete and apparent risk of them being removed from or leaving the territory of a Member State and:

(i)

becoming victims of trafficking in human beings, or of forced marriage, female genital mutilation or other forms of gender-based violence;

(ii)

becoming victims of or involved in terrorist offences; or

(iii)

becoming conscripted or enlisted into armed groups or being made to participate actively in hostilities;

(e)

vulnerable persons who are of age and who need to be prevented from travelling for their own protection owing to a concrete and apparent risk of them being removed from or leaving the territory of a Member State and becoming victims of trafficking in human beings or gender-based violence.

2.   Point (a) of paragraph 1 shall apply in particular to children and to persons who have to be institutionalised following a decision by a competent authority.

3.   An alert on a child referred to in point (c) of paragraph 1 shall be entered following a decision by the competent authorities, including judicial authorities of the Member States having jurisdiction in matters of parental responsibility, where a concrete and apparent risk exists that the child may be unlawfully and imminently removed from the Member State where the competent authorities are situated.

4.   An alert on persons referred to in points (d) and (e) of paragraph 1 shall be entered following a decision by the competent authorities, including judicial authorities.

5.   The issuing Member State shall regularly review the need to maintain the alerts referred to in points (c), (d) and (e) of paragraph 1 of this Article in accordance with Article 53(4).

6.   The issuing Member State shall ensure all of the following:

(a)

that the data it enters in SIS indicate which of the categories referred to in paragraph 1 the person concerned by the alert falls into;

(b)

that the data it enters in SIS indicate which type of case is involved, wherever the type of case is known; and

(c)

that, in relation to alerts entered in accordance with points (c), (d) and (e) of paragraph 1, its SIRENE Bureau has all relevant information at its disposal at the time of the creation of the alert.

7.   Four months before a child who is the subject of an alert under this Article reaches the age of majority in accordance with the national law of the issuing Member State, CS-SIS shall automatically notify the issuing Member State that either the reason for the alert and the action to be taken have to be updated or the alert has to be deleted.

8.   Where there is a clear indication that the objects referred to in points (a), (b), (c), (e), (g), (h), and (k) of Article 38(2) are connected with a person who is the subject of an alert pursuant to paragraph 1 of this Article, alerts on those objects may be entered in order to locate the person. In such cases, the alert on the person and the alert on the object shall be linked in accordance with Article 63.

9.   The Commission shall adopt implementing acts to lay down and develop rules on the categorisation of the types of cases and the entering of data referred to in paragraph 6. The types of cases of missing persons who are children shall include, but not be limited to, runaways, unaccompanied children in the context of migration and children at risk of parental abduction.

The Commission shall also adopt implementing acts to lay down and develop technical rules necessary for entering, updating, deleting and searching the data referred to in paragraph 8.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 33

Execution of action based on an alert

1.   Where a person referred to in Article 32 is located, the competent authorities of the executing Member State shall, subject to the requirements in paragraph 4, communicate his or her whereabouts to the issuing Member State.

2.   In the case of persons who need to be placed under protection referred to in points (a), (c), (d) and (e) of Article 32(1), the executing Member State shall immediately consult its own competent authorities and those of the issuing Member State through the exchange of supplementary information in order to agree without delay the measures to be taken. The competent authorities in the executing Member State may, in accordance with national law, move such persons to a safe place in order to prevent them from continuing their journey.

3.   In the case of children, any decision on the measures to be taken or any decision to move the child to a safe place as referred to in paragraph 2 shall be made in accordance with the best interests of the child. Such decisions shall be made immediately and not later than 12 hours after the child was located, in consultation with relevant child protection authorities, as appropriate.

4.   The communication, other than between the competent authorities, of data on a missing person who has been located and who is of age shall be subject to that person's consent. The competent authorities may, however, communicate the fact that the alert has been deleted because the missing person has been located to the person who reported the person missing.

CHAPTER VIII

Alerts on persons sought to assist with a judicial procedure

Article 34

Objectives and conditions for entering alerts

1.   For the purposes of communicating the place of residence or domicile of persons, Member States shall, at the request of a competent authority, enter into SIS alerts on:

(a)

witnesses;

(b)

persons summoned or persons sought to be summoned to appear before the judicial authorities in connection with criminal proceedings in order to account for acts for which they are being prosecuted;

(c)

persons who are to be served with a criminal judgment or other documents in connection with criminal proceedings in order to account for acts for which they are being prosecuted;

(d)

persons who are to be served with a summons to report in order to serve a penalty involving a deprivation of liberty.

2.   Where there is a clear indication that the objects referred to in points (a), (b), (c), (e), (g), (h), and (k) of Article 38(2) are connected with a person who is the subject of an alert pursuant to paragraph 1 of this Article, alerts on those objects may be entered in order to locate the person. In such cases the alerts on the person and the alert on the object shall be linked in accordance with Article 63.

3.   The Commission shall adopt implementing acts to lay down and develop the technical rules necessary for entering, updating, deleting and searching of the data referred to in paragraph 2 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 35

Execution of the action based on an alert

Requested information shall be communicated to the issuing Member State through the exchange of supplementary information.

CHAPTER IX

Alerts on persons and objects for discreet checks, inquiry checks or specific checks

Article 36

Objectives and conditions for entering alerts

1.   Alerts on persons, on the objects referred to in points (a), (b), (c), (e), (g), (h), (j), (k) and (l) of Article 38(2) and on non-cash means of payment shall be entered in accordance with the national law of the issuing Member State, for the purposes of discreet checks, inquiry checks or specific checks in accordance with Article 37(3), (4) and (5).

2.   When entering alerts for discreet checks, inquiry checks or specific checks and where the information sought by the issuing Member State is additional to that provided for in points (a) to (h) of Article 37(1), the issuing Member State shall add to the alert all the information that is sought. If that information relates to special categories of personal data referred to in Article 10 of Directive (EU) 2016/680, it shall only be sought if it is strictly necessary for the specific purpose of the alert and in relation to the criminal offence for which the alert has been entered.

3.   Alerts on persons for discreet checks, inquiry checks or specific checks may be entered for the purposes of preventing, detecting, investigating or prosecuting criminal offences, executing a criminal sentence and preventing threats to public security in one or more of the following circumstances:

(a)

where there is a clear indication that a person intends to commit or is committing any of the offences referred to in Article 2(1) and (2) of the Framework Decision 2002/584/JHA;

(b)

where the information referred to in Article 37(1) is necessary for the execution of a custodial sentence or detention order regarding a person convicted of any of the offences referred to in Article 2(1) and (2) of the Framework Decision 2002/584/JHA;

(c)

where an overall assessment of a person, in particular on the basis of past criminal offences, gives reason to believe that that person may commit the offences referred to in Article 2(1) and 2(2) of the Framework Decision 2002/584/JHA in the future.

4.   In addition, alerts on persons for discreet checks, inquiry checks or specific checks may be entered in accordance with national law at the request of the authorities responsible for national security where there is a concrete indication that the information referred to in Article 37(1) is necessary in order to prevent a serious threat posed by the person concerned or other serious threats to internal or external national security. The Member State which entered the alert in accordance with this paragraph shall inform the other Member States of such an alert. Each Member State shall determine to which authorities this information shall be transmitted. The information shall be transmitted through the SIRENE Bureaux.

5.   Where there is a clear indication that the objects referred to in points (a), (b), (c), (e), (g), (h), (j), (k) and (l) of Article 38(2) or non-cash means of payment are connected with the serious crimes referred to in paragraph 3 of this Article or the serious threats referred to in paragraph 4 of this Article, alerts on those objects may be entered and linked to the alerts entered in accordance with paragraphs 3 and 4 of this Article.

6.   The Commission shall adopt implementing acts to lay down and develop the technical rules necessary for entering, updating, deleting and searching the data referred to in paragraph 5 of this Article as well as the additional information referred to in paragraph 2 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 37

Execution of the action based on an alert

1.   For the purposes of discreet checks, inquiry checks or specific checks, the executing Member State shall collect and communicate to the issuing Member State all or some of the following information:

(a)

the fact that the person who is the subject of an alert has been located, or that objects referred to in points (a), (b), (c), (e), (g), (h), (j), (k) and (l) of Article 38(2) or non-cash means of payment which are the subject of an alert have been located;

(b)

the place, time and reason for the check;

(c)

the route of the journey and destination;

(d)

the persons accompanying the subject of the alert or the occupants of the vehicle, boat or aircraft, or the persons accompanying the holder of the blank official document or issued identity document who can reasonably be expected to be associated with the subject of the alert;

(e)

any identity revealed and any personal description of the person using the blank official document or issued identity document that is the subject of the alert;

(f)

the objects referred to in points (a), (b), (c), (e), (g), (h), (j), (k) and (l) of Article 38(2) or non-cash means of payment used;

(g)

objects carried, including travel documents;

(h)

the circumstances in which the person, the objects referred to in points (a), (b), (c), (e), (g), (h), (j), (k) and (l) of Article 38(2) or the non-cash means of payment were located;

(i)

any other information being sought by the issuing Member State in accordance with Article 36(2).

If the information referred to in point (i) of the first subparagraph of this paragraph relates to special categories of personal data referred to in Article 10 of Directive (EU) 2016/680, it shall be processed in accordance with the conditions set out in that Article and only if it supplements other personal data processed for the same purpose.

2.   The executing Member State shall communicate the information referred to in paragraph 1 through the exchange of supplementary information.

3.   A discreet check shall comprise the discreet collection of as much information described in paragraph 1 as possible during routine activities carried out by the national competent authorities of the executing Member State. The collection of this information shall not jeopardise the discreet nature of the checks and the subject of the alert shall in no way be made aware of the existence of the alert.

4.   An inquiry check shall comprise an interview of the person, including on the basis of information or specific questions added to the alert by the issuing Member State in accordance with Article 36(2). The interview shall be carried out in accordance with the national law of the executing Member State

5.   During specific checks, persons, vehicles, boats, aircraft, containers and carried objects may be searched for the purposes referred to in Article 36. Searches shall be carried out in accordance with the national law of the executing Member State.

6.   Where specific checks are not authorised by the national law of the executing Member State, they shall be replaced by inquiry checks in that Member State. Where inquiry checks are not authorised by the national law of the executing Member State, they shall be replaced by discreet checks in that Member State. Where Directive 2013/48/EU applies, Member States shall ensure that the right of suspects and accused persons to have access to a lawyer is respected under the conditions set out in that Directive.

7.   Paragraph 6 is without prejudice to the obligation of Member States to make available to end-users information sought under Article 36(2).

CHAPTER X

Alerts on objects for seizure or use as evidence in criminal proceedings

Article 38

Objectives and conditions for entering alerts

1.   Member States shall enter into SIS alerts on objects sought for the purposes of seizure or for use as evidence in criminal proceedings.

2.   Alerts shall be entered on the following categories of readily identifiable objects:

(a)

motor vehicles regardless of the propulsion system;

(b)

trailers with an unladen weight exceeding 750 kg;

(c)

caravans;

(d)

industrial equipment;

(e)

boats;

(f)

boat engines;

(g)

containers;

(h)

aircraft;

(i)

aircraft engines;

(j)

firearms;

(k)

blank official documents which have been stolen, misappropriated, lost or purport to be such a document but are false;

(l)

issued identity documents, such as passports, identity cards, residence permits, travel documents and driving licences which have been stolen, misappropriated, lost or invalidated or purport to be such a document but are false;

(m)

vehicle registration certificates and vehicle number plates which have been stolen, misappropriated, lost or invalidated or purport to be such a document or plate but are false;

(n)

banknotes (registered notes) and false banknotes;

(o)

items of information technology;

(p)

identifiable component parts of motor vehicles;

(q)

identifiable component parts of industrial equipment;

(r)

other identifiable objects of high value, as defined in accordance with paragraph 3.

With regard to the documents referred to in points (k), (l) and (m), the issuing Member State may specify whether such documents are stolen, misappropriated, lost, invalid or false.

3.   The Commission shall be empowered to adopt delegated acts in accordance with Article 75 to amend this Regulation by defining new sub-categories of objects under points (o), (p), (q) and (r) of paragraph 2 of this Article.

4.   The Commission shall adopt implementing acts to lay down and develop technical rules necessary for entering, updating, deleting and searching the data referred to in paragraph 2 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 39

Execution of the action based on an alert

1.   Where a search brings to light an alert on an object which has been located, the competent authority shall in accordance with its national law seize the object and contact the authority of the issuing Member State in order to agree on the measures to be taken. For this purpose, personal data may also be communicated in accordance with this Regulation.

2.   The information referred to in paragraph 1 shall be communicated through the exchange of supplementary information.

3.   The executing Member State shall take the requested measures in accordance with national law.

CHAPTER XI

Alerts on unknown wanted persons for the purposes of identification under national law

Article 40

Alerts on unknown wanted persons for the purposes of identification under national law

Member States may enter into SIS alerts on unknown wanted persons containing only dactyloscopic data. Those dactyloscopic data shall be either complete or incomplete sets of fingerprints or palm prints discovered at the scenes of terrorist offences or other serious crimes under investigation. They shall only be entered into SIS where it can be established to a very high degree of probability that they belong to a perpetrator of the offence.

If the competent authority of the issuing Member State cannot establish the identity of the suspect on the basis of data from any other relevant national, Union or international database, the dactyloscopic data referred to in the first subparagraph may only be entered in this category of alerts as ‘unknown wanted person’ for the purpose of identifying such a person.

Article 41

Execution of the action based on an alert

In the event of a hit with the data entered pursuant to Article 40, the identity of the person shall be established in accordance with national law, together with expert verification that the dactyloscopic data in SIS belong to the person. The executing Member States shall communicate information on the identity and the whereabouts of the person to the issuing Member State through the exchange of supplementary information in order to facilitate timely investigation of the case.

CHAPTER XII

Specific rules for biometric data

Article 42

Specific rules for entering photographs, facial images, dactyloscopic data and DNA profiles

1.   Only photographs, facial images, dactyloscopic data referred to in points (w) and (y) of Article 20(3) which fulfil minimum data quality standards and technical specifications shall be entered into SIS. Before such data are entered, a quality check shall be performed in order to ascertain whether the minimum data quality standards and technical specifications have been met.

2.   Dactyloscopic data entered in SIS may consist of one to ten flat fingerprints and one to ten rolled fingerprints. It may also include up to two palm prints.

3.   A DNA profile may only be added to alerts in the situations provided for in point (a) of Article 32(1), only following a quality check to ascertain whether the minimum data quality standards and technical specifications have been met and only where photographs, facial images or dactyloscopic data are not available or not suitable for identification. The DNA profiles of persons who are direct ascendants, descendants or siblings of the subject of the alert may be added to the alert provided that those persons give their explicit consent. Where a DNA profile is added to an alert, that profile shall contain the minimum information strictly necessary for the identification of the missing person.

4.   Minimum data quality standards and technical specifications shall be established in accordance with paragraph 5 of this Article for the storage of the biometric data referred to in paragraphs 1 and 3 of this Article. Those minimum data quality standards and technical specifications shall set the level of quality required for using the data to verify the identity of a person in accordance with Article 43(1) and for using the data to identify a person in accordance with Article 43(2) to (4).

5.   The Commission shall adopt implementing acts to lay down the minimum data quality standards and technical specifications referred to in paragraphs 1, 3 and 4 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 43

Specific rules for verification or search with photographs, facial images, dactyloscopic data and DNA profiles

1.   Where photographs, facial images, dactyloscopic data and DNA profiles are available in an alert in SIS, such photographs, facial images, dactyloscopic data and DNA profiles shall be used to confirm the identity of a person who has been located as a result of an alphanumeric search made in SIS.

2.   Dactyloscopic data may be searched in all cases to identify a person. However, dactyloscopic data shall be searched to identify a person where the identity of the person cannot be ascertained by other means. For that purpose, the Central SIS shall contain an Automated Fingerprint Identification System (AFIS).

3.   Dactyloscopic data in SIS in relation to alerts entered in accordance with Articles 26, 32, 36 and 40 may also be searched using complete or incomplete sets of fingerprints or palm prints discovered at the scenes of serious crimes or terrorist offences under investigation, where it can be established to a high degree of probability that those sets of prints belong to a perpetrator of the offence and provided that the search is carried out simultaneously in the Member State's relevant national fingerprints databases.

4.   As soon as it becomes technically possible, and while ensuring a high degree of reliability of identification, photographs and facial images may be used to identify a person in the context of regular border crossing points.

Before this functionality is implemented in SIS, the Commission shall present a report on the availability, readiness and reliability of the required technology. The European Parliament shall be consulted on the report.

After the start of the use of the functionality at regular border crossing points, the Commission shall be empowered to adopt delegated acts in accordance with Article 75 to supplement this Regulation concerning the determination of other circumstances in which photographs and facial images may be used to identify persons.

CHAPTER XIII

Right of access and review of alerts

Article 44

National competent authorities having a right to access data in SIS

1.   National competent authorities shall have access to data entered in SIS and the right to search such data directly or in a copy of the SIS database for the purposes of:

(a)

border control, in accordance with Regulation (EU) 2016/399;

(b)

police and customs checks carried out within the Member State concerned, and the coordination of such checks by designated authorities;

(c)

the prevention, detection, investigation or prosecution of terrorist offences or other serious criminal offences or the execution of criminal penalties, within the Member State concerned, provided that Directive (EU) 2016/680 applies;

(d)

examining the conditions and taking decisions related to the entry and stay of third-country nationals on the territory of the Member States, including on residence permits and long-stay visas, and to the return of third-country nationals, as well as carrying out checks on third country nationals who are illegally entering or staying on the territory of the Member States;

(e)

security checks on third-country nationals who apply for international protection, insofar as authorities performing the checks are not ‘determining authorities’ as defined in point (f) of Article 2 of Directive 2013/32/EU of the European Parliament and of the Council (38), and, where relevant, providing advice in accordance with Council Regulation (EC) No 377/2004 (39).

2.   The right to access data in SIS and the right to search such data directly may be exercised by national competent authorities responsible for naturalisation, as provided for in national law, for the purposes of examining an application for naturalisation.

3.   The right to access data entered in SIS and the right to search such data directly may also be exercised by national judicial authorities, including those responsible for the initiation of public prosecutions in criminal proceedings and for judicial inquiries prior to charging a person, in the performance of their tasks, as provided for in national law, and by their coordinating authorities.

4.   The competent authorities referred to in this Article shall be included in the list referred to in Article 56(7).

Article 45

Vehicle registration services

1.   The services in the Member States responsible for issuing registration certificates for vehicles, as referred to in Council Directive 1999/37/EC (40), shall have access to data entered into SIS in accordance with points (a), (b), (c), (m) and (p) of Article 38(2) of this Regulation for the sole purpose of checking whether vehicles and accompanying vehicle registration certificates and number plates presented to them for registration have been stolen, misappropriated, lost, purport to be such a document but are false or are sought as evidence in criminal proceedings.

Access to the data by the services referred to in first subparagraph shall be governed by the national law and shall be limited to the specific competence of the services concerned.

2.   Services referred to in paragraph 1 that are government services shall have the right to access the data in SIS directly.

3.   Services referred to in paragraph 1 of this Article that are non-government services shall have access to data in SIS only through the intermediary of an authority referred to in Article 44. That authority shall have the right to access the data directly and to pass them on to the service concerned. The Member State concerned shall ensure that the service in question and its employees are required to respect any limitations on the permissible use of data conveyed to them by the authority.

4.   Article 39 shall not apply to access to SIS gained in accordance with this Article. The communication to the police or judicial authorities by services referred to in paragraph 1 of this Article of any information obtained through access to SIS shall be governed by national law.

Article 46

Registration services for boats and aircraft

1.   The services in the Member States responsible for issuing registration certificates or ensuring traffic management for boats, including boat engines, and aircraft, including aircraft engines, shall have access to the following data entered into SIS in accordance with Article 38(2), for the sole purpose of checking whether boats, including boat engines, and aircraft, including aircraft engines, presented to them for registration or subject to traffic management have been stolen, misappropriated, lost or are sought as evidence in criminal proceedings:

(a)

data on boats;

(b)

data on boat engines;

(c)

data on aircraft;

(d)

data on aircraft engines.

Access to the data by the services referred to in first subparagraph shall be governed by the national law and shall be limited to the specific competence of the services concerned.

2.   Services referred to in paragraph 1 that are government services shall have the right to access the data in SIS directly.

3.   Services referred to in paragraph 1 of this Article that are non-government services shall have access to data in SIS only through the intermediary of an authority referred to in Article 44. That authority shall have the right to access the data directly and to pass them on to the service concerned. The Member State concerned shall ensure that the service in question and its employees are required to respect any limitations on the permissible use of data conveyed to them by the authority.

4.   Article 39 shall not apply to access to SIS gained in accordance with this Article. The communication to the police or judicial authorities by services referred to in paragraph 1 of this Article of any information obtained through access to SIS shall be governed by national law.

Article 47

Registration services for firearms

1.   The services in the Member States responsible for issuing registration certificates for firearms shall have access to data on persons entered into SIS in accordance with Articles 26 and 36 and to data on firearms entered into SIS in accordance with Article 38(2). The access shall be exercised for the purpose of checking whether the person requesting registration is wanted for arrest for surrender or extradition purposes or for the purposes of discreet, inquiry or specific checks or whether firearms presented for registration are sought for seizure or for use as evidence in criminal proceedings.

2.   Access to the data by the services referred to in paragraph 1 shall be governed by the national law and shall be limited to the specific competence of the services concerned.

3.   Services referred to in paragraph 1 that are government services shall have the right to access the data in SIS directly.

4.   Services referred to in paragraph 1 that are non-government services shall only have access to data in SIS through the intermediary of an authority referred to in Article 44. That authority shall have the right to access the data directly and shall inform the service concerned if the firearm can be registered. The Member State concerned shall ensure that the service in question and its employees are required to respect any limitations to the permissible use of data conveyed to them by the intermediating authority.

5.   Article 39 shall not apply to access to SIS gained in accordance with this Article. The communication to the police or the judicial authorities by services referred to in paragraph 1 of this Article of any information obtained through access to SIS shall be governed by national law.

Article 48

Access to data in SIS by Europol

1.   The European Union Agency for Law Enforcement Cooperation (Europol), established by Regulation (EU) 2016/794, shall, where necessary to fulfil its mandate, have the right to access and search data in SIS. Europol may also exchange and further request supplementary information in accordance with the provisions of the SIRENE Manual.

2.   Where a search by Europol reveals the existence of an alert in SIS, Europol shall inform the issuing Member State through the exchange of supplementary information by means of the Communication Infrastructure and in accordance with the provisions set out in the SIRENE Manual. Until Europol is able to use the functionalities intended for the exchange of supplementary information, it shall inform issuing Member States through the channels defined by Regulation (EU) 2016/794.

3.   Europol may process the supplementary information that has been provided to it by Member States for the purposes of comparing it with its databases and operational analysis projects, aimed at identifying connections or other relevant links and for the strategic, thematic or operational analyses referred to in points (a), (b) and (c) of Article 18(2) of Regulation (EU) 2016/794. Any processing by Europol of supplementary information for the purpose of this Article shall be carried out in accordance with that Regulation.

4.   Europol's use of information obtained from a search in SIS or from the processing of supplementary information shall be subject to the consent of the issuing Member State. If the Member State allows the use of such information, its handling by Europol shall be governed by Regulation (EU) 2016/794. Europol shall only communicate such information to third countries and third bodies with the consent of the issuing Member State and in full compliance with Union law on data protection.

5.   Europol shall:

(a)

without prejudice to paragraphs 4 and 6, not connect parts of SIS nor transfer the data contained in it to which it has access to any system for data collection and processing operated by or at Europol, nor download or otherwise copy any part of SIS;

(b)

notwithstanding Article 31(1) of Regulation (EU) 2016/794, delete supplementary information containing personal data at the latest one year after the related alert has been deleted. By way of derogation, where Europol has information in its databases or operational analysis projects on a case to which the supplementary information is related, in order for Europol to perform its tasks, Europol may exceptionally continue to store the supplementary information when necessary. Europol shall inform the issuing and the executing Member State of the continued storage of such supplementary information and present a justification for it;

(c)

limit access to data in SIS, including supplementary information, to specifically authorised staff of Europol who require access to such data for the performance of their tasks;

(d)

adopt and apply measures to ensure security, confidentiality and self-monitoring in accordance with Articles 10, 11 and 13;

(e)

ensure that its staff who are authorised to process SIS data receive appropriate training and information in accordance with Article 14(1); and

(f)

without prejudice to Regulation (EU) 2016/794, allow the European Data Protection Supervisor to monitor and review the activities of Europol in the exercise of its right to access and search data in SIS and in the exchange and processing of supplementary information.

6.   Europol shall only copy data from SIS for technical purposes where such copying is necessary in order for duly authorised Europol staff to carry out a direct search. This Regulation shall apply to such copies. The technical copy shall only be used for the purpose of storing SIS data whilst those data are searched. Once the data have been searched they shall be deleted. Such uses shall not be considered to be unlawful downloading or copying of SIS data. Europol shall not copy alert data or additional data issued by Member States or from CS-SIS into other Europol systems.

7.   For the purpose of verifying the lawfulness of data processing, self-monitoring and ensuring proper data security and integrity, Europol shall keep logs of every access to and search in SIS in accordance with the provisions of Article 12. Such logs and documentation shall not be considered to be unlawful downloading or copying of part of SIS.

8.   Member States shall inform Europol through the exchange of supplementary information of any hit on alerts related to terrorist offences. Member States may exceptionally not inform Europol if doing so would jeopardise current investigations, the safety of an individual or be contrary to essential interests of the security of the issuing Member State.

9.   Paragraph 8 shall apply from the date that Europol is able to receive supplementary information in accordance with paragraph 1.

Article 49

Access to data in SIS by Eurojust

1.   Only the national members of Eurojust and their assistants shall, where necessary to fulfil their mandate, have the right to access and search data in SIS within their mandate, in accordance with Articles 26, 32, 34, 38 and 40.

2.   Where a search by a national member of Eurojust reveals the existence of an alert in SIS, that national member shall inform the issuing Member State. Eurojust shall only communicate information obtained from such a search to third countries and third bodies with the consent of the issuing Member State and in full compliance with Union law on data protection.

3.   This Article is without prejudice to the provisions of Regulation (EU) 2018/1727 of the European Parliament and of the Council (41) and Regulation (EU) 2018/1725 concerning data protection and the liability for any unauthorised or incorrect processing of such data by national members of Eurojust or their assistants, and to the powers of the European Data Protection Supervisor pursuant to those Regulations.

4.   For the purpose of verifying the lawfulness of data processing, self-monitoring and ensuring proper data security and integrity, Eurojust shall keep logs of every access to and search in SIS made by a national member of Eurojust or an assistant in accordance with the provisions of Article 12.

5.   No parts of SIS shall be connected to any system for data collection and processing operated by or at Eurojust nor, shall the data in SIS to which the national members or their assistants have access be transferred to such a system. No part of SIS shall be downloaded or copied. The logging of access and searches shall not be considered to be unlawful downloading or copying of SIS data.

6.   Eurojust shall adopt and apply measures to ensure security, confidentiality and self-monitoring in accordance with Articles 10, 11 and 13.

Article 50

Access to data in SIS by the European Border and Coast Guard teams, teams of staff involved in return-related tasks, and members of the migration management support teams

1.   In accordance with Article 40(8) of Regulation (EU) 2016/1624, the members of the teams referred to in points (8) and (9) of Article 2 of that Regulation shall, within their mandate and provided that they are authorised to carry out checks in accordance with Article 44(1) of this Regulation and have received the required training in accordance with Article 14(1) of this Regulation, have the right to access and search data in SIS insofar it is necessary for the performance of their task and as required by the operational plan for a specific operation. Access to data in SIS shall not be extended to any other team members.

2.   Members of the teams referred to in paragraph 1 shall exercise the right to access and search data in SIS in accordance with paragraph 1 through a technical interface. The technical interface shall be set up and maintained by the European Border and Coast Guard Agency and shall allow direct connection to Central SIS.

3.   Where a search by a member of the teams referred to in paragraph 1 of this Article reveals the existence of an alert in SIS, the issuing Member State shall be informed thereof. In accordance with Article 40 of Regulation (EU) 2016/1624, members of the teams shall only act in response to an alert in SIS under instructions from and, as a general rule, in the presence of border guards or staff involved in return-related tasks of the host Member State in which they are operating. The host Member State may authorise members of the teams to act on its behalf.

4.   For the purpose of verifying the lawfulness of data processing, self-monitoring and ensuring proper data security and integrity, the European Border and Coast Guard Agency shall keep logs of every access to and search in SIS in accordance with the provisions of Article 12.

5.   The European Border and Coast Guard Agency shall adopt and apply measures to ensure security, confidentiality and self-monitoring in accordance with Articles 10, 11 and 13 and shall ensure that the teams referred to in paragraph 1 of this Article apply those measures.

6.   Nothing in this Article shall be interpreted as affecting the provisions of Regulation (EU) 2016/1624 concerning data protection or the European Border and Coast Guard Agency's liability for any unauthorised or incorrect processing of data by it.

7.   Without prejudice to paragraph 2, no parts of SIS shall be connected to any system for data collection and processing operated by the teams referred to in paragraph 1 or by the European Border and Coast Guard Agency, nor shall the data in SIS to which those teams have access be transferred to such a system. No part of SIS shall be downloaded or copied. The logging of access and searches shall not be considered to be unlawful downloading or copying of SIS data.

8.   The European Border and Coast Guard Agency shall allow the European Data Protection Supervisor to monitor and review the activities of the teams referred to in this Article in the exercise of their right to access and search data in SIS. This shall be without prejudice to the further provisions of Regulation (EU) 2018/1725.

Article 51

Evaluation of the use of SIS by Europol, Eurojust and the European Border and Coast Guard Agency

1.   The Commission shall carry out an evaluation of the operation and the use of SIS by Europol, the national members of Eurojust and their assistants and the teams referred to in Article 50(1) at least every five years.

2.   Europol, Eurojust and the European Border and Coast Guard Agency shall ensure adequate follow-up to the findings and recommendations stemming from the evaluation.

3.   A report on the results of the evaluation and follow-up to it shall be sent to the European Parliament and to the Council.

Article 52

Scope of access

End-users, including Europol, the national members of Eurojust and their assistants and the members of the teams referred to in points (8) and (9) of Article 2 of Regulation (EU) 2016/1624, shall only access data which they require for the performance of their tasks.

Article 53

Review period for alerts on persons

1.   Alerts on persons shall be kept only for the time required to achieve the purposes for which they were entered.

2.   A Member State may enter an alert on a person for the purposes of Article 26 and points (a) and (b) of Article 32(1) for a period of five years. The issuing Member State shall review the need to retain the alert within the five year period.

3.   A Member State may enter an alert on a person for the purposes of Articles 34 and 40 for a period of three years. The issuing Member State shall review the need to retain the alert within the three year period.

4.   A Member State may enter an alert on a person for the purposes of points (c), (d) and (e) of Article 32 (1) and of Article 36 for a period of one year. The issuing Member State shall review the need to retain the alert within the one year period.

5.   Each Member State shall, where appropriate, set shorter review periods in accordance with its national law.

6.   Within the review period referred to in paragraphs 2, 3 and 4, the issuing Member State may, following a comprehensive individual assessment, which shall be recorded, decide to retain the alert on a person for longer than the review period, where this proves necessary and proportionate for the purposes for which the alert was entered. In such cases paragraph 2, 3 or 4 shall also apply to the extension. Any such extension shall be communicated to CS-SIS.

7.   Alerts on persons shall be deleted automatically after the review period referred to in paragraphs 2, 3 and 4 has expired, except where the issuing Member State has informed CS-SIS of an extension pursuant to paragraph 6. CS-SIS shall automatically inform the issuing Member State of the scheduled deletion of data four months in advance.

8.   Member States shall keep statistics on the number of alerts on persons the retention periods of which have been extended in accordance with paragraph 6 of this Article and transmit them, upon request, to the supervisory authorities referred to in Article 69.

9.   As soon as it becomes clear to a SIRENE Bureau that an alert on a person has achieved its purpose and should therefore be deleted, it shall immediately notify the authority which created the alert. The authority shall have 15 calendar days from the receipt of that notification to reply that the alert has been or shall be deleted or shall state reasons for the retention of the alert. If no reply has been received by the end of the 15-day period, the SIRENE Bureau shall ensure that the alert is deleted. Where permissible under national law, the alert shall be deleted by the SIRENE Bureau. SIRENE Bureaux shall report any recurring issues they encounter when acting under this paragraph to their supervisory authority.

Article 54

Review period for alerts on objects

1.   Alerts on objects shall be kept only for the time required to achieve the purposes for which they were entered.

2.   A Member State may enter an alert on objects for the purposes of Articles 36 and 38 for a period of ten years. The issuing Member State shall review the need to retain the alert within the ten-year period.

3.   Alerts on objects entered in accordance with Articles 26, 32, 34, and 36 shall be reviewed pursuant to Article 53 where they are linked to an alert on a person. Such alerts shall only be kept for as long as the alert on the person is kept.

4.   Within the review period referred to in paragraphs 2 and 3, the issuing Member State may decide to retain the alert on an object for longer than the review period, where this proves necessary for the purposes for which the alert was entered. In such cases paragraph 2 or 3 shall apply, as appropriate.

5.   The Commission may adopt implementing acts to establish shorter review periods for certain categories of alerts on objects. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

6.   Member States shall keep statistics on the number of alerts on objects the retention periods of which have been extended in accordance with paragraph 4.

CHAPTER XIV

Deletion of alerts

Article 55

Deletion of alerts

1.   Alerts for arrest for surrender or extradition purposes pursuant to Article 26 shall be deleted when the person has been surrendered or extradited to the competent authorities of the issuing Member State. They shall also be deleted when the judicial decision on which the alert was based has been revoked by the competent judicial authority in accordance with national law. They shall also be deleted upon the expiry of the alert in accordance with Article 53.

2.   Alerts on missing persons or vulnerable persons who need to be prevented from travelling pursuant to Article 32 shall be deleted in accordance with the following rules:

(a)

concerning missing children and children at risk of abduction, an alert shall be deleted upon:

(i)

the resolution of the case, such as when the child has been located or repatriated or the competent authorities in the executing Member State have taken a decision on the care of the child;

(ii)

the expiry of the alert in accordance with Article 53; or

(iii)

a decision by the competent authority of the issuing Member State;

(b)

concerning missing adults, where no protective measures are requested, an alert shall be deleted upon:

(i)

the execution of the action to be taken, where their whereabouts are ascertained by the executing Member State;

(ii)

the expiry of the alert in accordance with Article 53; or

(iii)

a decision by the competent authority of the issuing Member State;

(c)

concerning missing adults where protective measures are requested, an alert shall be deleted upon:

(i)

the carrying out of the action to be taken, where the person is placed under protection;

(ii)

the expiry of the alert in accordance with Article 53; or

(iii)

a decision by the competent authority of the issuing Member State;

(d)

concerning vulnerable persons who are of age who need to be prevented from travelling for their own protection and children who need to be prevented from travelling, an alert shall be deleted upon:

(i)

the carrying out of the action to be taken such as the person's placement under protection;

(ii)

the expiry of the alert in accordance with Article 53; or

(iii)

a decision by the competent authority of the issuing Member State.

Without prejudice to the national law, where a person has been institutionalised following a decision by a competent authority an alert may be retained until that person has been repatriated.

3.   Alerts on persons sought for a judicial procedure pursuant to Article 34 shall be deleted upon:

(a)

the communication of the whereabouts of the person to the competent authority of the issuing Member State;

(b)

the expiry of the alert in accordance with Article 53; or

(c)

a decision by the competent authority of the issuing Member State.

Where the information in the communication referred to in point (a) cannot be acted upon, the SIRENE Bureau of the issuing Member State shall inform the SIRENE Bureau of the executing Member State in order to resolve the problem.

In the event of a hit where the address details were forwarded to the issuing Member State and a subsequent hit in the same executing Member State reveals the same address details, the hit shall be recorded in the executing Member State but neither the address details nor supplementary information shall be resent to the issuing Member State. In such cases the executing Member State shall inform the issuing Member State of the repeated hits and the issuing Member State shall carry out a comprehensive individual assessment of the need to retain the alert.

4.   Alerts for discreet, inquiry and specific checks pursuant to Article 36, shall be deleted upon:

(a)

the expiry of the alert in accordance with Article 53; or

(b)

a decision to delete them by the competent authority of the issuing Member State.

5.   Alerts on objects for seizure or use as evidence in criminal proceedings pursuant to Article 38, shall be deleted upon:

(a)

the seizure of the object or equivalent measure once the necessary follow-up exchange of supplementary information has taken place between the SIRENE Bureaux concerned or the object becomes the subject of another judicial or administrative procedure;

(b)

the expiry of the alert in accordance with Article 53; or

(c)

a decision to delete them by the competent authority of the issuing Member State.

6.   Alerts on unknown wanted persons pursuant to Article 40 shall be deleted upon:

(a)

the identification of the person;

(b)

the expiry of the alert in accordance with Article 53; or

(c)

a decision to delete them by the competent authority of the issuing Member State.

7.   Where it is linked to an alert on a person, an alert on an object entered in accordance with Articles 26, 32, 34 and 36 shall be deleted when the alert on the person is deleted in accordance with this Article.

CHAPTER XV

General data processing rules

Article 56

Processing of SIS data

1.   The Member States shall only process the data referred to in Article 20 for the purposes laid down for each category of alert referred to in Articles 26, 32, 34, 36, 38 and 40.

2.   Data shall only be copied for technical purposes, where such copying is necessary in order for the competent authorities referred to in Article 44 to carry out a direct search. This Regulation shall apply to those copies. A Member State shall not copy the alert data or additional data entered by another Member State from its N.SIS or from the CS-SIS into other national data files.

3.   Technical copies referred to in paragraph 2 which result in offline databases may be retained for a period not exceeding 48 hours.

Member States shall keep an up-to-date inventory of those copies, make that inventory available to their supervisory authorities, and ensure that this Regulation, in particular Article 10, is applied in respect of those copies.

4.   Access to data in SIS by national competent authorities referred to in Article 44 shall only be authorised within the limits of their competence and only to duly authorised staff.

5.   With regard to the alerts laid down in Articles 26, 32, 34, 36, 38 and 40 of this Regulation, any processing of information in SIS for purposes other than those for which it was entered into SIS has to be linked with a specific case and justified by the need to prevent an imminent and serious threat to public policy and to public security, on serious grounds of national security or for the purposes of preventing a serious crime. Prior authorisation from the issuing Member State shall be obtained for this purpose.

6.   Any use of SIS data which does not comply with paragraphs 1 to 5 of this Article shall be considered as misuse under the national law of each Member State and subject to penalties in accordance with Article 73.

7.   Each Member State shall send to eu-LISA a list of its competent authorities which are authorised to search the data in SIS directly pursuant to this Regulation, as well as any changes to the list. The list shall specify, for each authority, which data it may search and for what purposes. eu-LISA shall ensure that the list is published in the Official Journal of the European Union annually. eu-LISA shall maintain a continuously updated list on its website containing changes sent by Member States between the annual publications.

8.   Insofar as Union law does not lay down specific provisions, the law of each Member State shall apply to data in its N.SIS.

Article 57

SIS data and national files

1.   Article 56(2) shall be without prejudice to the right of a Member State to keep in its national files SIS data in connection with which action has been taken on its territory. Such data shall be kept in national files for a maximum period of three years, except if specific provisions in national law provide for a longer retention period.

2.   Article 56(2) shall be without prejudice to the right of a Member State to keep in its national files data contained in a particular alert entered in SIS by that Member State.

Article 58

Information in the case of non-execution of an alert

If a requested action cannot be performed, the Member State from which action is requested shall immediately inform the issuing Member State through the exchange of supplementary information.

Article 59

Quality of the data in SIS

1.   An issuing Member State shall be responsible for ensuring that the data are accurate, up-to-date, and entered and stored in SIS lawfully.

2.   Where an issuing Member State receives relevant additional or modified data as listed in Article 20(3), it shall complete or modify the alert without delay.

3.   Only the issuing Member State shall be authorised to modify, add to, correct, update or delete data which it has entered into SIS.

4.   Where a Member State other than the issuing Member State has relevant additional or modified data as listed in Article 20(3), it shall transmit them without delay, through the exchange of supplementary information, to the issuing Member State to enable the latter to complete or modify the alert. If the additional or modified data relate to persons they shall only be transmitted if the identity of the person is ascertained.

5.   Where a Member State other than the issuing Member State has evidence suggesting that an item of data is factually incorrect or has been unlawfully stored, it shall, through the exchange of supplementary information, inform the issuing Member State as soon as possible and not later than two working days after that evidence has come to its attention. The issuing Member State shall check the information and, if necessary, correct or delete the item in question without delay.

6.   Where the Member States are unable to reach an agreement within two months of the time when evidence first came to light as referred to in paragraph 5 of this Article, the Member State which did not enter the alert shall submit the matter to the supervisory authorities concerned and to the European Data Protection Supervisor for a decision, by means of cooperation in accordance with Article 71.

7.   The Member States shall exchange supplementary information in cases where a person complains that he or she is not the intended subject of an alert. Where the outcome of the check shows that the intended subject of an alert is not the complainant, the complainant shall be informed of the measures laid down in Article 62 and of the right to redress under Article 68(1).

Article 60

Security incidents

1.   Any event that has or may have an impact on the security of SIS or may cause damage or loss to SIS data or to the supplementary information shall be considered to be a security incident, especially where unlawful access to data may have occurred or where the availability, integrity and confidentiality of data has or may have been compromised.

2.   Security incidents shall be managed in a way as to ensure a quick, effective and proper response.

3.   Without prejudice to the notification and communication of a personal data breach pursuant to Article 33 of Regulation (EU) 2016/679 or to Article 30 of Directive (EU) 2016/680, Member States, Europol, Eurojust and the European Border and Coast Guard Agency shall notify the Commission, eu-LISA, the competent supervisory authority and the European Data Protection Supervisor without delay of security incidents. eu-LISA shall notify the Commission and the European Data Protection Supervisor without delay of any security incident concerning Central SIS.

4.   Information regarding a security incident that has or may have an impact on the operation of SIS in a Member State or within eu-LISA, on the availability, integrity and confidentiality of the data entered or sent by other Member States or on supplementary information exchanged, shall be provided to all Member States without delay and reported in compliance with the incident management plan provided by eu-LISA.

5.   The Member States and eu-LISA shall collaborate in the event of a security incident.

6.   The Commission shall report serious incidents immediately to the European Parliament and to the Council. Those reports shall be classified as EU RESTRICTED/RESTREINT UE in accordance with applicable security rules.

7.   Where a security incident is caused by the misuse of data, Member States, Europol, Eurojust and the European Border and Coast Guard Agency shall ensure that penalties are imposed in accordance with Article 73.

Article 61

Distinguishing between persons with similar characteristics

1.   Where upon a new alert being entered it becomes apparent that there is already an alert in SIS on a person with the same description of identity, the SIRENE Bureau shall contact the issuing Member State through the exchange of supplementary information within 12 hours to cross-check whether the subjects of the two alerts are the same person.

2.   Where the cross-check reveals that the subject of the new alert and the person subject to the alert already entered in SIS are indeed one and the same person, the SIRENE Bureau shall apply the procedure for entering multiple alerts referred to in Article 23.

3.   Where the outcome of the cross-check is that there are in fact two different persons, the SIRENE Bureau shall approve the request for entering the second alert by adding the data necessary to avoid any misidentifications.

Article 62

Additional data for the purpose of dealing with misused identities

1.   Where confusion may arise between the person intended to be the subject of an alert and a person whose identity has been misused, the issuing Member State shall, subject to the explicit consent of the person whose identity has been misused, add data relating to the latter to the alert in order to avoid the negative consequences of misidentification. Any person whose identity has been misused shall have the right to withdraw his or her consent regarding the processing of the added personal data.

2.   Data relating to a person whose identity has been misused shall be used only for the following purposes:

(a)

to allow the competent authority to distinguish the person whose identity has been misused from the person intended to be the subject of the alert; and

(b)

to allow the person whose identity has been misused to prove his or her identity and to establish that his or her identity has been misused.

3.   For the purpose of this Article, and subject to the explicit consent of the person whose identity has been misused for each data category, only the following personal data of the person whose identity has been misused may be entered and further processed in SIS:

(a)

surnames;

(b)

forenames;

(c)

names at birth;

(d)

previously used names and any aliases possibly entered separately;

(e)

any specific objective and physical characteristic not subject to change;

(f)

place of birth;

(g)

date of birth;

(h)

gender;

(i)

photographs and facial images;

(j)

fingerprints, palm prints or both;

(k)

any nationalities held;

(l)

the category of the person's identification documents;

(m)

the country of issue of the person's identification documents;

(n)

the number(s) of the person's identification documents;

(o)

the date of issue of a person's identification documents;

(p)

address of the person;

(q)

person's father's name;

(r)

person's mother's name.

4.   The Commission shall adopt implementing acts to lay down and develop technical rules necessary for entering and further processing the data referred to in paragraph 3 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

5.   The data referred to in paragraph 3 shall be deleted at the same time as the corresponding alert or earlier where the person so requests.

6.   Only the authorities having a right of access to the corresponding alert may access the data referred to in paragraph 3. They may do so for the sole purpose of avoiding misidentification.

Article 63

Links between alerts

1.   A Member State may create a link between alerts it enters in SIS. The effect of such a link shall be to establish a relationship between two or more alerts.

2.   The creation of a link shall not affect the specific action to be taken on the basis of each linked alert or the review period of each of the linked alerts.

3.   The creation of a link shall not affect the rights of access provided for in this Regulation. Authorities with no right of access to certain categories of alerts shall not be able to see the link to an alert to which they do not have access.

4.   A Member State shall create a link between alerts when there is an operational need.

5.   Where a Member State considers that the creation by another Member State of a link between alerts is incompatible with its national law or its international obligations, it may take the necessary measures to ensure that there can be no access to the link from its national territory or by its authorities located outside its territory.

6.   The Commission shall adopt implementing acts to lay down and develop technical rules for linking alerts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 64

Purpose and retention period of supplementary information

1.   Member States shall keep a reference to the decisions giving rise to an alert at the SIRENE Bureau in order to support the exchange of supplementary information.

2.   Personal data held in files by the SIRENE Bureau as a result of information exchanged shall be kept only for such time as may be required to achieve the purposes for which they were supplied. They shall in any event be deleted at the latest one year after the related alert has been deleted from SIS.

3.   Paragraph 2 shall be without prejudice to the right of a Member State to keep in national files data relating to a particular alert which that Member State has entered or to an alert in connection with which action has been taken on its territory. The period for which such data may be kept in those files shall be governed by national law.

Article 65

Transfer of personal data to third parties

Data processed in SIS and the related supplementary information exchanged pursuant to this Regulation shall not be transferred or made available to third countries or to international organisations.

CHAPTER XVI

Data protection

Article 66

Applicable legislation

1.   Regulation (EU) 2018/1725 shall apply to the processing of personal data by eu-LISA, by the European Border and Coast Guard Agency and by Eurojust under this Regulation. Regulation (EU) 2016/794 shall apply to the processing of personal data by Europol under this Regulation.

2.   Directive (EU) 2016/680 shall apply to the processing of personal data under this Regulation by the national competent authorities and services for the purposes of the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

3.   Regulation (EU) 2016/679 shall apply to the processing of personal data under this Regulation by the national competent authorities and services with the exception of processing for the purposes of the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

Article 67

Right of access, rectification of inaccurate data and erasure of unlawfully stored data

1.   Data subjects shall be able to exercise the rights laid down in Articles 15, 16 and 17 of Regulation (EU) 2016/679 and in Article 14 and Article 16 (1) and (2) of Directive(EU) 2016/680.

2.   A Member State other than the issuing Member State may provide to the data subject information concerning any of the data subject's personal data that are being processed only if it first gives the issuing Member State an opportunity to state its position. The communication between those Member States shall be done through the exchange of supplementary information.

3.   A Member State shall take a decision not to provide information to the data subject, in whole or in part, in accordance with national law, to the extent that, and for as long as such a partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the data subject concerned, in order to:

(a)

avoid obstructing official or legal inquiries, investigations or procedures;

(b)

avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;

(c)

protect public security;

(d)

protect national security; or

(e)

protect the rights and freedoms of others.

In cases referred to in the first subparagraph, the Member State shall inform the data subject in writing, without undue delay, of any refusal or restriction of access and of the reasons for the refusal or restriction. Such information may be omitted where its provision would undermine any of the reasons set out in points (a) to (e) of the first subparagraph. The Member State shall inform the data subject of the possibility of lodging a complaint with a supervisory authority or of seeking a judicial remedy.

The Member State shall document the factual or legal reasons on which the decision not to provide information to the data subject is based. That information shall be made available to the supervisory authorities.

For such cases, the data subject shall also be able to exercise his or her rights through the competent supervisory authorities.

4.   Following an application for access, rectification or erasure, the Member State shall inform the data subject as soon as possible and in any event within the deadlines referred to in Article 12(3) of Regulation (EU) 2016/679 about the follow-up given to the exercise of the rights under this Article.

Article 68

Remedies

1.   Without prejudice to the provisions on remedies of Regulation (EU) 2016/679 and of Directive (EU) 2016/680, any person may bring an action before any competent authority, including a court, under the law of any Member State to access, rectify, erase, obtain information or obtain compensation in connection with an alert relating to him or her.

2.   The Member States undertake mutually to enforce final decisions handed down by the courts or authorities referred to in paragraph 1 of this Article, without prejudice to Article 72.

3.   Member States shall report annually to the European Data Protection Board on:

(a)

the number of access requests submitted to the data controller and the number of cases where access to the data was granted;

(b)

the number of access requests submitted to the supervisory authority and the number of cases where access to the data was granted;

(c)

the number of requests for the rectification of inaccurate data and for the erasure of unlawfully stored data to the data controller and the number of cases where the data were rectified or erased;

(d)

the number of requests for the rectification of inaccurate data and the erasure of unlawfully stored data submitted to the supervisory authority;

(e)

the number of court proceedings initiated;

(f)

the number of cases where the court ruled in favour of the applicant;

(g)

any observations on cases of mutual recognition of final decisions handed down by the courts or authorities of other Member States on alerts entered by the issuing Member State.

A template for the reporting referred to in this paragraph shall be developed by the Commission.

4.   The reports from the Member States shall be included in the joint report referred to in Article 71(4).

Article 69

Supervision of N.SIS

1.   Member States shall ensure that the independent supervisory authorities designated in each Member State and endowed with the powers referred to in Chapter VI of Re